Private GKE cluster

[mathieu-benoit]

• https://github.com/GoogleCloudPlatform/gke-network-policy-demo/blob/master/terraform/main.tf

• https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#gcloud

• https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks

• https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept#overview

• BinAuthz with VPC Service Control: https://cloud.google.com/binary-authorization/docs/securing-with-vpcsc

• Private Nodes

• Policy Controller

Example with BoA: https://cloud.google.com/architecture/distributed-services-on-gke-private-using-anthos-service-mesh

Other example: https://cloud.google.com/service-mesh/docs/security/egress-gateway-gke-tutorial

[mathieu-benoit]

By default, private clusters do not allow public IPs over the internet to access the control plane endpoint. Using authorized networks in private clusters makes your control plane reachable only by allowed CIDRs, by nodes and Pods within your cluster's VPC, and by Google's internal production jobs that manage your control plane.

[mathieu-benoit]

Master Authorized Network already taken into account there fca5ea0

[mathieu-benoit]

With ASM we need to do that https://cloud.google.com/service-mesh/docs/private-cluster-open-port

[mathieu-benoit]

Other example https://github.com/GoogleCloudPlatform/gke-private-cluster-demo