kubernetes - 使用 terraform 将公共(public) GKE 更改为私有(private) GKE 集群

Question

如何将已有的GKE集群改成GKE私有(private)集群？我是否能够根据防火墙规则从 Internet 连接到 Kubectl API，或者我应该有一个堡垒主机吗？我不想实现 Cloud Nat 或 nat gateway。我有一个 squid 代理 VM，可以处理 pod 的互联网访问。我只需要能够连接到 Kubectl 即可应用或修改任何内容。

我不确定如何修改我编写的现有模块以使节点私有(private)化，并且我不确定如果我尝试应用与私有(private) gke 集群相关的新更改是否会删除该集群。

resource "google_container_cluster" "primary" {
  name     = "prod"
  network  = "prod"
  subnetwork = "private-subnet-a"
  location               = "us-west1-a"
  remove_default_node_pool = true
  initial_node_count = 1

  depends_on = [var.depends_on_vpc]
}

resource "google_container_node_pool" "primary_nodes" {
  depends_on = [var.depends_on_vpc]

  name       = "prod-node-pool"
  location   = "us-west1-a"
  cluster    = google_container_cluster.primary.name
  node_count = 2

  node_config {
    preemptible  = false
    machine_type = "n1-standard-2"

    metadata = {
      disable-legacy-endpoints = "true"
    }

    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/compute",
    ]
  }
}

Answer 1

回答问题的一部分:

How to change the existing GKE cluster to GKE private cluster?

GKE 设置:Private cluster 是不可变的。 此设置只能在 GKE 集群配置期间设置.

要将集群创建为私有(private)集群，您可以:

• 创建一个新的 GKE 私有(private)集群。
• 复制现有集群并将其设置为私有(private):
  • 此设置在 GCP Cloud Console 中可用 -> Kubernetes Engine -> CLUSTER-NAME -> Duplicate
  • 此设置将克隆您之前集群的基础设施配置，但不会克隆工作负载(Pods、Deployments 等)

Will I be able to connect to the Kubectl API from internet based on firewall rules or should I have a bastion host?

是的，你可以，但这在很大程度上取决于你在 GKE 集群创建过程中选择的配置。

至于连接到您的 GKE 私有(private)集群的能力，有专门的文档介绍:

• Cloud.google.com: Kubernetes Engine: Docs: How to: Private clusters

---

至于如何使用 Terraform 创建私有(private)集群，有专门的站点，其中包含特定于 GKE 的配置选项。还有一些参数负责配置一个private 集群:

• Registry.terraform.io: Providers: Hashicorp: Google: Latest: Docs: Resources: Container cluster

关于使用 Terraform 创建私有(private) GKE 集群的基本示例:

• main.tf

provider "google" {
  project = "INSERT_PROJECT_HERE" 
  region  = "europe-west3"
  zone    = "europe-west3-c"
}

• gke.tf

resource "google_container_cluster" "primary-cluster" {
  name               = "gke-private"
  location           = "europe-west3-c"
  initial_node_count = 1

  private_cluster_config {
    enable_private_nodes = "true"
    enable_private_endpoint = "false" # this option will make your cluster available through public endpoint 
    master_ipv4_cidr_block = "172.16.0.0/28"
  }

  ip_allocation_policy {
    cluster_secondary_range_name = "" 
    services_secondary_range_name = ""
  }

  
  node_config {
    machine_type = "e2-medium"
  }
}

A side note!

I've created a public GKE cluster, modified the .tf responsible for it's creation to support private cluster. After running: $ terraform plan Terraform responded with the information that the cluster will be recreated.