kubernetesgoogle-cloud-platformnetworkinggoogle-kubernetes-enginevpc

Can a private Kubernetes Cluster (on a VPC) expose services to the internet via load balancers and ingress?

This is going to be more of a conceptual question.

I'm fairly new to Kubernetes and VPCs, and I'm currently studying in order to take part in designing a Kubernetes Cluster on GCP (Google Cloud Platform), and my role in that would be to address our security concerns.

Recently, I've been introduced to the concept of a "Private Kubernetes Cluster", which runs on a VPC and only allows traffic of allowed agents and from inside the VPC, with the Control Plane being accessible by a Bastion, for instance.

The thing is, I'm not sure if doing this would mean completely air-gapping the Cluster, blocking any access from the internet outside of the VPC or if I'm still able to use this to serve public web services, such as websites and APIs, whilst using the VPC to secure the control plane.

Any insights on that? I would also appreciate some documentation and related articles.

I still haven't got to the implementation part, since I'm trying to make sure I know what I'm doing beforehand.

Edit: According to the documentation, I am able to expose some of my cluster's nodes by using Cloud NAT. But would this defeat the purpose of even having a private cluster?

Solution

  • The thing is, I'm not sure if doing this would mean completely air-gapping the Cluster, blocking any access from the internet outside of the VPC or if I'm still able to use this to serve public web services, such as websites and APIs, whilst using the VPC to secure the control plane.

    Yes, you will be able to Host your web application and you can expose those with the LoadBalancer even if you Cluster is private.

    With a public cluster, your Worker node will be having the External/Public IPs while in private cluster worker nodes won't be having public IP.

    You can create the service type LoadBalancer or use the Ingress to expose the application.

    If public API access is required you can use the NAT gateway. you can configure your firewall rules to allow egress traffic to the specific public API endpoint you want to access.

    Edit: According to the documentation, I am able to expose some of my cluster's nodes by using Cloud NAT. But would this defeat the purpose of even having a private cluster?

    Yes right, The main advantage of Private GKE cluster I am seeing it does not have any Public/External IP address so can't be accessed from outside only accessed from within the VPC network. It can help protect clusters from un-auth access and reduce the surface of attacks on apps also.

    Refer the Github for terraform and other details.