Creating a private cluster in GKE, terraform vs console

I've been trying to setup a terraform module to create private cluster, and I'm struggling with a strange situation.

When creating a cluster with a master authorized network, if I do it through the GCP console, I can create the private cluster just fine. But when I do it with Terraform, I get a strange error:

 Invalid master authorized networks: network "<cidr>" is not a reserved network, which is required for private endpoints.

The interesting parts of the code are as follows:

....
master_authorized_networks_config {
  cidr_blocks {
    cidr_block = "<my-network-cidr>"
  }
}

private_cluster_config {
  enable_private_endpoint = true
  enable_private_nodes    = true
  master_ipv4_cidr_block  = "<cidr>"
}
....

Is there something I'm forgetting here?

Angel Villalain asked Aug 18 '19 21:08


3 Answers

According to Google Cloud Platform documentation here, it should be possible to have both private and public endpoints, and the master_authorized_networks_config argument should have networks which can reach either of those endpoints.

If setting the enable_private_endpoint argument to false means that the private endpoint is created, but it also creates the public endpoint, then that is a horribly mis-named argument; enable_private_endpoint is actually flipping the public endpoint off and on, not the private one. Apparently, specifying a private_cluster_config is sufficient to enable the private endpoint, and the flag toggles the public endpoint, if reported behavior is to be believed.

That is certainly the experience that I had: specifying my local IP address in the master_authorized_networks_config caused cluster creation to fail when enable_private_endpoint is true. When I set it to false, I get both endpoints and the config is not rejected.

ideasculptor answered Nov 17 '22 06:11


master_authorized_networks_config {
}

private_cluster_config {
  enable_private_endpoint = true
  enable_private_nodes    = true
  master_ipv4_cidr_block  = "<cidr>"
}

Should create the private endpoint, and it won't complain about "Invalid master authorized networks". The one you tried is passing up the external CIDR for the whitelist to access the public endpoint, while at the same time you want it to be strictly private.

user13248866 answered Nov 17 '22 07:11


I've had the same issue recently.

The solution I found is to set enable_private_endpoint = false.

In this case the private endpoint is created anyway, but you are allowed to add CIDRs with external addresses to the master authorized networks.

dds answered Nov 17 '22 06:11
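Added example, not code from the question or any of the answers: a small pre-apply check in Python that encodes the rule this thread converges on. With enable_private_endpoint = true, every cidr_block in master_authorized_networks_config must be an internal range, which is why the question's config was rejected; with enable_private_endpoint = false (the first and third answers) external CIDRs are accepted, and keeping only internal ranges (the second answer) also passes. It assumes that what GKE calls a "reserved network" is the RFC 1918 ranges, and all CIDR values below are constructed.

```python
import ipaddress

# Assumption: GKE's "reserved network" for private endpoints means RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_reserved(cidr: str) -> bool:
    """True if the CIDR lies entirely inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def check_private_cluster(enable_private_endpoint: bool, cidr_blocks: list[str]) -> list[str]:
    """Mirror the validation GKE applies to master_authorized_networks_config.

    Returns a list of problems; an empty list means the config should be accepted.
    """
    problems = []
    for cidr in cidr_blocks:
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"{cidr}: not a valid CIDR")
            continue
        # Only a private-endpoint-only cluster restricts the authorized networks;
        # with a public endpoint any CIDR (e.g. an office egress IP) is allowed.
        if enable_private_endpoint and not is_reserved(cidr):
            problems.append(
                f"{cidr}: not a reserved network, which is required for private endpoints"
            )
    return problems


if __name__ == "__main__":
    office_ip = "203.0.113.10/32"  # constructed external address
    # The question's config: private endpoint only + external CIDR -> rejected
    print(check_private_cluster(True, [office_ip]))
    # Answers 1 and 3: keep the external CIDR, expose the public endpoint
    print(check_private_cluster(False, [office_ip]))
    # Answer 2: private endpoint only, reach it from an internal range
    print(check_private_cluster(True, ["10.20.0.0/24"]))
```

Run it against the cidr_block values from your own module before `terraform apply`; an empty list for the combination you intend to use means GKE's reserved-network rule will not reject the plan.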