GKE Private Cluster NAT and Network Policy

Scenario

• 建立 GKE private cluster，並使用 bastion 以內網私有 ip 連線至 control plane
• 所有主機透過 NAT 對外進行連線
• 使用 GKE network policy 進行連線管制

流程與說明

1. 建立 GKE Private Cluster 與跳板機
2. 設定跳板機，安裝必要套件
3. 建立 CloudNAT 以提供對外網路連線
4. 測試 network policy 連線管理與 NAT 對外功能

執行步驟

建立 GKE Private Cluster 與跳板機

CloudShell

export PROJECT_ID="YOUR_PROJECT_ID"
export NETWORK_NAME="YOUR_NETWORK_NAME"
export SUBNET_NAME="YOUR_SUBNET_NAME"
export REGION="YOUR_REGIOIN"
export ZONE="YOUR_ZONE"
export GKE_CLUSTER_NAME="YOUR_GKE_CLUSTER_NAME"
export BASTION_VM_NAME="YOUR_BASTION_VM_NAME"
export ROUTER_NAME="YOUR_ROUTER_NAME"

# create network
gcloud compute networks create ${NETWORK_NAME} --subnet-mode custom
gcloud compute networks subnets create ${SUBNET_NAME} \
   --network ${NETWORK_NAME} \
   --region ${REGION} \
   --range 192.168.1.0/24
gcloud compute firewall-rules create allow-ssh \
    --network ${NETWORK_NAME} \
    --source-ranges 35.235.240.0/20 \
    --allow tcp:22

# create private cluster
gcloud container clusters create ${GKE_CLUSTER_NAME} \
    --zone ${ZONE} \
    --cluster-version "latest" \
    --machine-type "n2-standard-2" \
    --disk-type "pd-standard" \
    --disk-size "100" \
    --scopes "https://www.googleapis.com/auth/compute","https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" \
    --num-nodes "1" \
    --enable-private-nodes \
    --enable-private-endpoint \
    --master-ipv4-cidr "172.16.0.0/28" \
    --enable-ip-alias \
    --network "projects/${PROJECT_ID}/global/networks/${NETWORK_NAME}" \
    --subnetwork "projects/${PROJECT_ID}/regions/${REGION}/subnetworks/${SUBNET_NAME}" \
    --max-nodes-per-pool "110" \
    --enable-master-authorized-networks \
    --addons HorizontalPodAutoscaling,HttpLoadBalancing \
    --enable-autoupgrade \
    --enable-autorepair \
    --enable-network-policy

# create bastion
gcloud compute instances create ${BASTION_VM_NAME} \
    --project=${PROJECT_ID} \
    --zone=${ZONE} \
    --machine-type=e2-micro \
    --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=${SUBNET_NAME} \
    --maintenance-policy=MIGRATE \
    --provisioning-model=STANDARD \
    --create-disk=auto-delete=yes,boot=yes,device-name=ricky-bastion,image=projects/ubuntu-os-cloud/global/images/ubuntu-2204-jammy-v20240801,mode=rw,size=10,type=projects/${PROJECT_ID}/zones/${ZONE}/diskTypes/pd-balanced \
    --no-shielded-secure-boot \
    --shielded-vtpm \
    --shielded-integrity-monitoring \
    --labels=goog-ec-src=vm_add-gcloud \
    --reservation-affinity=any
export BASTION_IP=$(gcloud compute instances describe ${BASTION_VM_NAME} --zone ${ZONE} --format='get(networkInterfaces[0].networkIP)')

# add bastion private to GKE authorized networks
gcloud container clusters update ${GKE_CLUSTER_NAME} --zone=${ZONE} \
    --enable-master-authorized-networks \
    --master-authorized-networks ${BASTION_IP}/32

設定跳板機

安裝必要套件，會需要等待 5 分鐘左右

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- "sudo snap remove google-cloud-cli && \
sudo apt-get update && \
sudo apt-get install apt-transport-https ca-certificates gnupg curl -y && \
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg && \
echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
sudo apt-get update && sudo apt-get install google-cloud-cli kubectl google-cloud-cli-gke-gcloud-auth-plugin -y"

登入跳板機的 gcloud 帳號

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- "gcloud auth login"

建立測試用 pod，會針對 test pod 加上 label 以便後續限制對外連線

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- "gcloud container clusters get-credentials ${GKE_CLUSTER_NAME} --zone=${ZONE} && \
kubectl get no && \
kubectl run test --image nginx -l net=limited && \
kubectl run test2 --image nginx && \
kubectl get po"

進入 pod 測試確認是否可對外連線

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- "kubectl exec -it test -- apt update"

建立 CloudNAT

CloudShell

gcloud compute routers create ${ROUTER_NAME} \
    --network ${NETWORK_NAME} \
    --region ${REGION}
gcloud compute routers nats create nat-config \
    --router-region ${REGION} \
    --router ${ROUTER_NAME} \
    --nat-all-subnet-ip-ranges \
    --auto-allocate-nat-external-ips

(Optional) 啟用 GKE Network Policy 功能

如果為既有 GKE cluster 可輸入以下指令進行啟用

CloudShell

gcloud container clusters update ${GKE_CLUSTER_NAME} --zone=${ZONE} --update-addons=NetworkPolicy=ENABLED
gcloud container clusters update ${GKE_CLUSTER_NAME} --zone=${ZONE}  --enable-network-policy

測試

對外與對內連線測試

進入 pod 測試確認是否可對外連線

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- "kubectl exec -it test -- apt update"

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- 'TEST2_IP=$(kubectl get po test2 -o jsonpath='{.status.podIP}') && \
kubectl exec -it test -- curl ${TEST2_IP} && \
kubectl exec -it test -- curl https://google.com'

預期結果

CloudShell

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

建立 Network Policy 限制 test

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- "echo 'apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: default
spec:
    podSelector:
      matchLabels:
        net: limited
    policyTypes:
    - Egress
    egress:
      - to:
          - ipBlock:
              cidr: 10.0.0.0/8
          - ipBlock:
              cidr: 172.16.0.0/12
          - ipBlock:
              cidr: 192.168.0.0/16' > deny-all.yaml && \
kubectl apply -f deny-all.yaml"

test pod 對 test2 pod 進行連線測試，可成功連線

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- 'TEST2_IP=$(kubectl get po test2 -o jsonpath='{.status.podIP}') && \
kubectl exec -it test -- curl ${TEST2_IP}'

test pod 對外網進行連線測試，會發現舞法對外

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- "kubectl exec -it test -- curl https://google.com"

test2 pod 對外網進行連線測試，但可以正式對外

CloudShell

gcloud compute ssh ${BASTION_VM_NAME} --zone ${ZONE} --tunnel-through-iap -- "kubectl exec -it test2 -- curl https://google.com"

Clean Up

CloudShell

gcloud compute instances delete ${BASTION_VM_NAME} --zone=${ZONE} --quiet
gcloud container clusters delete ${GKE_CLUSTER_NAME} --zone=${ZONE} --quiet
gcloud compute routers delete ${ROUTER_NAME} --region ${REGION} --quiet
gcloud compute firewall-rules delete allow-ssh --quiet
gcloud compute networks subnets delete ${SUBNET_NAME} --region ${REGION} --quiet
gcloud compute networks delete ${NETWORK_NAME} --quiet

REF

• Creating a private cluster
• Use Public NAT with GKE
• Control communication between Pods and Services using network policies