@gunjan5
Forked from pydevops/private-k8s.md
Created April 22, 2021 18:55
kubectl private GKE cluster via Cloud IAP

bastion

create a private GKE cluster

with only a private endpoint

gcloud beta container clusters create "$CLUSTER_NAME" \
  --region ${REGION} \
  --network ${NETWORK} \
  --subnetwork ${SUBNET} \
  --cluster-version "$GKE_VERSION" \
  --machine-type "${GKE_NODE_TYPE}" \
  --num-nodes=1 \
  --enable-autoupgrade \
  --enable-autorepair \
  --preemptible \
  --enable-ip-alias \
  --cluster-secondary-range-name=pod-range \
  --services-secondary-range-name=service-range \
  --enable-private-nodes \
  --enable-private-endpoint \
  --master-ipv4-cidr=172.16.0.64/28

# Get the kubectl credentials for the GKE cluster.
KUBECONFIG=~/.kube/dev gcloud container clusters get-credentials "$CLUSTER_NAME" --region "$REGION"

create a private compute instance "bastion"

with only an internal IP (no external address)

enable and set up Cloud IAP

in the GCP console, grant the users/group that may access the private instance created in the previous step

on the laptop, start the SSH forwarding proxy on local port 8443 via the Cloud IAP tunnel

172.16.0.66 is the private master endpoint. The SSH traffic is tunnelled through Cloud IAP over TLS, and the SSH session then port-forwards local 8443 to the k8s master API endpoint on 443:

gcloud beta compute --project ${PROJECT} ssh --zone ${ZONE} "bastion" --tunnel-through-iap --ssh-flag="-L 8443:172.16.0.66:443"

modify the .kube/dev

The names kubernetes.default and kubernetes are valid for the API server's certificate, so point the cluster's server entry at the local tunnel port: server: https://kubernetes.default:8443

modify the /etc/hosts

Append the following line so kubernetes.default resolves to the local tunnel: 127.0.0.1 kubernetes kubernetes.default

happy kubectl from here.

KUBECONFIG=~/.kube/dev kubectl get po --all-namespaces
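The last three steps (tunnel, kubeconfig edit, /etc/hosts edit) are easy to get wrong by hand, so here is an added shell example, not part of the original gist, that automates them. It assumes the same values as the gist (bastion VM named "bastion", master endpoint 172.16.0.66, local port 8443, kubeconfig at ~/.kube/dev) and that `nc` is installed for the port check; the `-N` SSH flag (no remote shell, forwarding only) and the function names are this example's own choices:

```shell
#!/usr/bin/env sh
# Added example, not from the original gist. Automates: IAP tunnel -> kubeconfig edit -> hosts edit -> kubectl.

# Rewrite the kubeconfig's 'server:' line so kubectl talks to the local tunnel port through
# a hostname that matches the API server certificate (kubernetes.default).
# Usage: rewrite_kubeconfig_server <kubeconfig-path> <local-port>
rewrite_kubeconfig_server() {
  kubeconfig="$1"; port="$2"
  # Replace whatever https://host[:port] is there; keeps a .bak copy of the original.
  sed -i.bak -E "s#^( *server: )https://[^[:space:]]+#\1https://kubernetes.default:${port}#" "$kubeconfig"
  # Return non-zero if the rewrite did not take effect.
  grep -E "^ *server: https://kubernetes\.default:${port}$" "$kubeconfig" >/dev/null
}

# Map the certificate names to loopback in a hosts file. Idempotent: appends only when missing.
# Usage: ensure_hosts_entry <hosts-file>   (run with sudo for /etc/hosts)
ensure_hosts_entry() {
  hosts="$1"
  grep -qE '^127\.0\.0\.1[[:space:]].*[[:space:]]kubernetes\.default([[:space:]]|$)' "$hosts" || \
    printf '127.0.0.1 kubernetes kubernetes.default\n' >> "$hosts"
  grep -qE '^127\.0\.0\.1[[:space:]].*[[:space:]]kubernetes\.default([[:space:]]|$)' "$hosts"
}

# Start the IAP-tunnelled SSH port forward in the background and wait until the local port answers.
# Usage: start_iap_tunnel <project> <zone> <local-port> <master-ip>
start_iap_tunnel() {
  project="$1"; zone="$2"; port="$3"; master="$4"
  # -N: forward only, no remote shell (assumption: the gist's command opens a shell as well).
  gcloud compute ssh "bastion" --project "$project" --zone "$zone" --tunnel-through-iap \
    --ssh-flag="-N -L ${port}:${master}:443" &
  tunnel_pid=$!
  i=0
  while [ "$i" -lt 30 ]; do
    if nc -z 127.0.0.1 "$port" 2>/dev/null; then
      echo "$tunnel_pid"   # caller can kill this PID to tear the tunnel down
      return 0
    fi
    i=$((i + 1)); sleep 1
  done
  kill "$tunnel_pid" 2>/dev/null
  return 1
}

# Tie the steps together. Only runs when PRIVATE_GKE_RUN=1 so the helpers can be sourced safely.
connect_private_gke() {
  : "${PROJECT:?set PROJECT}" "${ZONE:?set ZONE}"
  kubeconfig="${KUBECONFIG:-$HOME/.kube/dev}"
  rewrite_kubeconfig_server "$kubeconfig" 8443 || return 1
  sudo sh -c "$(declare -f ensure_hosts_entry 2>/dev/null); ensure_hosts_entry /etc/hosts" 2>/dev/null \
    || ensure_hosts_entry /etc/hosts || return 1
  pid="$(start_iap_tunnel "$PROJECT" "$ZONE" 8443 172.16.0.66)" || return 1
  KUBECONFIG="$kubeconfig" kubectl get po --all-namespaces
  kill "$pid"
}

if [ "${PRIVATE_GKE_RUN:-0}" = "1" ]; then
  connect_private_gke
fi
```

Run it with `PRIVATE_GKE_RUN=1 PROJECT=my-project ZONE=us-central1-a sh ./private-gke.sh`; without `PRIVATE_GKE_RUN=1` the file only defines the helpers, so it can be sourced and the kubeconfig/hosts functions used on their own. The hosts check deliberately matches the whole token `kubernetes.default` so a different entry such as `kubernetes.default.svc` does not satisfy it.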
