How do I use an existing private VPC when creating a new kubernetes cluster using KOPS?

9/9/2018

I have an existing VPC on AWS. In it there are 2 subnets per availability zone (one private, one public).
Each public subnet has a NAT gateway in it to allow internet access from the private subnet in that availability zone.

All of my servers are in the private subnets, and there's a bastion server in a public subnet to allow access into the private subnets.

There's also a private hosted zone that's configured on the VPC to allow DNS hostname resolution.

I want to set up a kubernetes cluster in that VPC using KOPS, but I want all elements of the cluster to reside in the private subnets. I will access the API using a tunnel from the bastion server (I have a Zero Trust/BeyondCorp logic so this is not an issue).

I can't seem to understand how I should create the cluster using KOPS so it'll be created on the existing private subnets, using the existing private hosted zone (or on a subdomain of the existing private hosted zone), without creating a new VPC, subnets, NAT gateways, bastion server, etc.

I've read about the public/private topologies, high availability, using a private hosted zone, and using an existing VPC - but I can't seem to glue it all into a single kops create command.

This is what I have so far, but I'm not sure it's correct and I'm afraid of damaging the existing VPC:

export KOPS_STATE_STORE=s3://<somes3bucket>
export CLUSTER_NAME="A_NAME.my.private.hosted.zone.name" ?
export SUBNET_IDS=LIST_OF_IDS_OF_PRIVATE_SUBNETS?_OR_ALL_SUBNETS_IN_VPC?

kops create cluster \
    --vpc vpc-12345678 \
    --zones us-east-1a,us-east-1b,us-east-1c,us-east-1d,us-east-1e \
    --name ${CLUSTER_NAME} \
    --subnets ${SUBNET_IDS} \
    --master-zones us-east-1a,us-east-1b,us-east-1c,us-east-1d,us-east-1e \
    --topology private \
    --dns private \
    --dns-zone my.private.hosted.zone.name \
    --networking calico

  • Am I missing something?
  • Should the subnets I'm specifying be only the private subnets (as that's where I want my cluster to reside) or all of the subnets of my VPC?
  • Should the name of the cluster end with the private hosted zone domain name?
  • Does the cluster name need to be a resolvable domain name? Does it need to be the same as the private hosted zone?
  • Is there a good reason to not use the gossip protocol instead of the DNS?
-- Doron
amazon-web-services
kops
kubernetes
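Added example (not part of the question above and not from the kops project): a POSIX shell script that assembles the kind of `kops create cluster` command shown in the question for an existing VPC, and sanity-checks the inputs before anything touches AWS. It passes the existing private subnet IDs via `--subnets` and the existing public ones via `--utility-subnets`, keeps the API endpoint internal with `--api-loadbalancer-type internal`, and ends with `--dry-run -o yaml` so the only output is a cluster spec to review rather than a change to the VPC. The flag names are the kops flags as I know them; the VPC, subnet and zone values are constructed placeholders, and `validate_*`, `count_items` and `build_kops_create_cmd` are helper names introduced here.

```shell
#!/bin/sh
# Added example, not from the original post or the kops project.
# Builds a kops create cluster command against an existing VPC and checks
# the inputs first. Every ID and name below is a constructed placeholder.

# The cluster name must be a subdomain of the private hosted zone kops will
# publish records into, otherwise the cluster's DNS names won't resolve.
validate_cluster_name() {
  name=$1; zone=$2
  case "$name" in
    *."$zone") return 0 ;;
    *) echo "cluster name '$name' is not under dns zone '$zone'" >&2; return 1 ;;
  esac
}

# AWS VPC IDs look like vpc- followed by 8 or 17 hex characters.
validate_vpc_id() {
  case "$1" in
    vpc-[0-9a-f]*) [ ${#1} -eq 12 ] || [ ${#1} -eq 21 ] || return 1 ;;
    *) echo "bad vpc id: $1" >&2; return 1 ;;
  esac
}

# Each entry of a comma-separated list must look like an AWS subnet ID
# (subnet- followed by 8 or 17 hex characters). Catches stray placeholders
# such as the "?" in the question before kops ever sees them.
validate_subnet_ids() {
  for id in $(printf '%s' "$1" | tr ',' ' '); do
    case "$id" in
      subnet-[0-9a-f]*) [ ${#id} -eq 15 ] || [ ${#id} -eq 24 ] || { echo "bad subnet id: $id" >&2; return 1; } ;;
      *) echo "bad subnet id: $id" >&2; return 1 ;;
    esac
  done
  return 0
}

# Number of comma-separated items (0 for an empty string).
count_items() {
  printf '%s\n' "$1" | awk -F, '{ print ($0 == "") ? 0 : NF }'
}

# Assemble the command. Arguments: cluster name, dns zone, vpc id,
# comma-separated zones, private subnet ids, public (utility) subnet ids.
# One private and one utility subnet per zone is required so every zone
# listed has somewhere to put nodes and somewhere to put load balancers.
build_kops_create_cmd() {
  name=$1; zone=$2; vpc=$3; zones=$4; private=$5; utility=$6
  validate_cluster_name "$name" "$zone" || return 1
  validate_vpc_id "$vpc" || return 1
  validate_subnet_ids "$private" || return 1
  validate_subnet_ids "$utility" || return 1
  n=$(count_items "$zones")
  [ "$n" -eq "$(count_items "$private")" ] || { echo "need one private subnet per zone" >&2; return 1; }
  [ "$n" -eq "$(count_items "$utility")" ] || { echo "need one utility subnet per zone" >&2; return 1; }
  printf 'kops create cluster --name %s --vpc %s --zones %s --master-zones %s' "$name" "$vpc" "$zones" "$zones"
  printf ' --subnets %s --utility-subnets %s' "$private" "$utility"
  printf ' --topology private --dns private --dns-zone %s' "$zone"
  # Internal API load balancer: reachable only from inside the VPC (bastion tunnel).
  # --dry-run -o yaml prints the spec for review instead of creating anything.
  printf ' --api-loadbalancer-type internal --networking calico --dry-run -o yaml\n'
}

# Usage with constructed values; prints the command to review, runs nothing.
build_kops_create_cmd \
  k8s.my.private.hosted.zone.name my.private.hosted.zone.name vpc-12345678 \
  us-east-1a,us-east-1b \
  subnet-0a1b2c3d,subnet-0a1b2c3e \
  subnet-1a1b2c3d,subnet-1a1b2c3e
```

The point of the `--dry-run -o yaml` tail is that the resulting spec can be diffed and reviewed (subnet IDs, topology, DNS zone) before any `kops update cluster --yes`, which is the step that actually creates resources; the validators reject the `?` placeholders from the question so a half-filled command cannot reach kops at all.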

0 Answers