Deployments to private GKE clusters have always been painful because of networking challenges. Fortunately, those days are in the past, because Connect Gateway overcomes these connectivity challenges.
The Pain Of Private GKE Clusters
Everybody wants a secure environment. Therefore, everyone hides the Kubernetes API server from the public internet – a so-called private cluster. Without a public IP address, another route is needed to deploy Kubernetes workloads. This route is typically implemented using a bastion host, by configuring hybrid connectivity, or by running deployment-specific workloads (acting as proxies). These implementations require you to connect to the right server and/or network before you can interact with your Kubernetes cluster. This is an additional step that frequently confuses developers and engineers, because they don’t know – and don’t want to know – the entire network topology, especially when dealing with multiple Kubernetes clusters.
A Universal Connector For GKE Clusters
The Connect Gateway uses fleets to let you connect to and interact with Kubernetes clusters in a simple, consistent and secure way. The Connect Gateway leverages the fleet membership details to connect to the Kubernetes cluster for you. The only thing you need to do is request a credential for the specific fleet member and run your command.
gcloud container fleet memberships get-credentials member-cluster
kubectl get pods
Beware of the Connect Gateway limitations: the kubectl commands exec, proxy, attach and port-forward are not supported.
Terraform Private GKE Cluster Deployment
While it’s convenient to interact with a cluster locally, the true power is in automation. The following example deploys an Ubuntu pod to a private GKE cluster using Terraform.
Find the full example on GitHub.
# Project number is needed to build the Connect Gateway endpoint below.
data "google_project" "project" {}

# Register the (private) GKE cluster as a fleet member.
resource "google_gke_hub_membership" "example" {
  membership_id = "example"
  endpoint {
    gke_cluster {
      resource_link = google_container_cluster.example.id
    }
  }
  authority {
    issuer = "https://container.googleapis.com/v1/${google_container_cluster.example.id}"
  }
}

# Point the Kubernetes provider at the Connect Gateway instead of the cluster's private endpoint.
provider "kubernetes" {
  host = "https://connectgateway.googleapis.com/v1/projects/${data.google_project.project.number}/locations/global/gkeMemberships/${google_gke_hub_membership.example.membership_id}"
  # Assumes a Kubernetes cluster version of 1.26+
  # gke-gcloud-auth-plugin supplies a token for the active gcloud identity;
  # Connect Gateway forwards that identity to the cluster, where RBAC applies.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "gke-gcloud-auth-plugin"
  }
}

resource "kubernetes_pod" "ubuntu" {
  metadata {
    namespace = "default"
    name      = "ubuntu"
  }
  spec {
    container {
      name  = "ubuntu"
      image = "ubuntu:latest"
    }
  }
}
Note that the only configuration change is in the Kubernetes provider: instead of pointing at the internal Kubernetes API address, it uses the Connect Gateway API endpoint.
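Because Connect Gateway forwards the caller's Google identity to the cluster, access is decided twice: IAM controls who may reach the gateway, and Kubernetes RBAC controls what that identity may do once connected. The following is an added example (not code from the original post or its GitHub repository) that grants a CI service account least-privilege deploy access; the service account name, the data.google_project.project data source and the target namespace are assumptions, and the identity running terraform apply must already hold cluster admin rights to create the binding.

```hcl
# Assumed: a dedicated service account for the CI/CD pipeline.
resource "google_service_account" "deployer" {
  account_id   = "gke-deployer"
  display_name = "CI deployer reaching the cluster via Connect Gateway"
}

# IAM layer: permission to use the gateway for memberships in this project.
# gatewayEditor allows writes through the gateway; use gatewayReader for
# read-only jobs (e.g. drift checks). Neither grants in-cluster permissions.
resource "google_project_iam_member" "deployer_gateway" {
  project = data.google_project.project.project_id
  role    = "roles/gkehub.gatewayEditor"
  member  = "serviceAccount:${google_service_account.deployer.email}"
}

# Lets the deployer look up the membership (gcloud ... get-credentials).
resource "google_project_iam_member" "deployer_hub_viewer" {
  project = data.google_project.project.project_id
  role    = "roles/gkehub.viewer"
  member  = "serviceAccount:${google_service_account.deployer.email}"
}

# RBAC layer: the forwarded identity is the service account's email.
# A namespaced RoleBinding to the built-in "edit" ClusterRole keeps the
# pipeline out of cluster-wide resources and other namespaces.
resource "kubernetes_role_binding" "deployer_edit" {
  metadata {
    name      = "deployer-edit"
    namespace = "default" # assumed target namespace
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "edit"
  }
  subject {
    api_group = "rbac.authorization.k8s.io"
    kind      = "User"
    name      = google_service_account.deployer.email
  }
}
```

Removing the RoleBinding or the IAM binding is enough to revoke the pipeline's access, since the gateway itself holds no standing credentials for the cluster.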
Conclusion
Connecting to your GKE cluster is no longer a pain. Instead of finding the right bastion host, proxy or network configuration yourself, let Connect Gateway connect you.
The post How to deploy to private GKE cluster using Connect Gateway appeared first on Xebia.