@krunalhinguu krunalhinguu commented Nov 12, 2025

Fixes #<add_issue_number_if_any>

Description

  • Added a note under Project Network Isolation in the GKE cluster configuration page.
  • Clarifies that for imported GKE clusters, Network Policy (Calico) must be enabled on both master and worker nodes before enabling PNI.

Comments

  • This update improves clarity for users importing GKE clusters with PNI.

@krunalhinguu krunalhinguu changed the title [main] update doc for pni in gke Update doc for PNI in GKE Nov 12, 2025
@LucasSaintarbor LucasSaintarbor added the port/community-product Triggers a GitHub action to file a community sync issue for rancher-product-docs. label Nov 12, 2025
@mitulshah-suse mitulshah-suse added this to the v2.13.0 milestone Nov 13, 2025
_Mutable: yes_

choose whether to enable or disable inter-project communication. Note that enabling Project Network Isolation will automatically enable Network Policy and Network Policy Config, but not vice versa.
choose whether to enable or disable inter-project communication.
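Review bot: the second version of the "choose whether to enable or disable inter-project communication" line no longer carries "Note that enabling Project Network Isolation will automatically enable Network Policy and Network Policy Config, but not vice versa." If that sentence is being removed, either keep it or say in the new note how it applies to imported GKE clusters, since the note states that Network Policy has to be enabled there beforehand and the two statements otherwise read as contradictory.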
Contributor


Suggested change
choose whether to enable or disable inter-project communication.
Choose whether to enable or disable inter-project communication.

Comment on lines 68 to 75
:::note

For **imported GKE clusters**, Project Network Isolation (PNI) requires Kubernetes Network Policy to be enabled on the cluster beforehand.
- Rancher will enable Network Policy automatically when creating clusters in Rancher (downstream), so this step is only needed for imported clusters.
- In GKE, enable network policy (Calico) on **both master and worker nodes**: **Networking → Network security and observability → Enable Calico Kubernetes Network Policy**.
- After enabling, import the cluster into Rancher and enable PNI for project-level isolation.

:::
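Review bot: the last bullet of the note ("After enabling, import the cluster into Rancher and enable PNI") only covers a cluster that has not been imported yet, and the note does not say what a user sees if PNI is enabled while Network Policy is still off. Suggest adding one sentence on that outcome and one on the order of steps for a cluster that is already imported, so readers can tell whether project isolation is actually in effect.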
Contributor


Suggested change
:::note
For **imported GKE clusters**, Project Network Isolation (PNI) requires Kubernetes Network Policy to be enabled on the cluster beforehand.
- Rancher will enable Network Policy automatically when creating clusters in Rancher (downstream), so this step is only needed for imported clusters.
- In GKE, enable network policy (Calico) on **both master and worker nodes**: **Networking → Network security and observability → Enable Calico Kubernetes Network Policy**.
- After enabling, import the cluster into Rancher and enable PNI for project-level isolation.
:::
#### Imported Clusters
For imported clusters, Project Network Isolation (PNI) requires enabling Kubernetes Network Policy on the cluster beforehand. For clusters created by Rancher, Rancher automatically enables Kubernetes Network Policy.
1. In GKE, enable network policy (Calico) on **both master and worker nodes**
1. Select the cluster to enable network policy on.
1. **Networking → Network security and observability → Enable Calico Kubernetes Network Policy**.
1. In Rancher, import the cluster and enable PNI for project-level isolation.

Thoughts on converting it into a subsection so that it can be linked if needed?

Some questions:

  • Is **both master and worker nodes** a field that appears in the GKE console or is it intended to be text telling users they need to do it for both?
  • For the steps done in GKE, are we replicating these instructions? If so, maybe we could link to that to reduce maintenance if upstream changes anything.

Contributor Author


Answering your questions:

  1. Both master and worker nodes is not a field in the GKE console. GKE only has one option to enable Network Policy, and when you turn it on, GKE applies it to the whole cluster automatically. I removed that wording to avoid confusion.
  2. Agree, we should link instead of duplicating exact UI steps.

@btat btat changed the base branch from main to v2.13.0 November 19, 2025 23:12
@btat btat merged commit bd28264 into rancher:v2.13.0 Nov 19, 2025
1 check passed