Note: There is an existing Stack Overflow post which discusses --master-ipv4-cidr, but it doesn't discuss the topic I am asking about in this question. Please don't mark this as a duplicate.
Problem description
I am creating private clusters in GKE and got confused by the --master-ipv4-cidr range. This link mentions that --master-ipv4-cidr needs a CIDR in the RFC 1918 range.
"--master-ipv4-cidr 172.16.0.0/28 specifies an RFC 1918 range for the master. This setting is permanent for this cluster."
Since valid RFC 1918 ranges are
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
So I tried to create a private cluster with the following values:
--master-ipv4-cidr "172.17.0.0/28"
--cluster-ipv4-cidr "172.16.128.0/17"
--services-ipv4-cidr "192.168.1.0/24"
Since 172.17.0.0/28 is also from the RFC 1918 range, I thought that the cluster would come up. But it resulted in the error mentioned below:
172.17.0.0/16 is a reserved GKE IP range and cannot be used for the 'master-ipv4-cidr'.
Then I changed --master-ipv4-cidr to the example given in the link and the cluster was created successfully. Below are the values for the successful case.
--master-ipv4-cidr "172.16.0.16/28"
--cluster-ipv4-cidr "172.16.128.0/17"
--services-ipv4-cidr "192.168.1.0/24"
Now my questions are
Google Compute Engine: An IP range in the peer network (172.16.0.16/28) overlaps with an IP range (172.16.0.16/28) in an active peer (gke-c2a126697c6fee94c2b8-1e18-f2ff-peer) of the local network. And that's expected, because 172.16.0.16/28 already exists in an existing cluster in the same VPC to which it's getting peered.
Apologies for asking many questions here, but I am just trying to keep the entire context in the same place.
I will answer your questions as follows:
1) 172.17.0.0 cannot be used because this is for Docker.
2) You can use any of the following CIDRs: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255, except 172.16 and 172.17. Also, this must be a /28.
3) Supersets or subnets are not possible; therefore you will have to choose a different CIDR range.
You can read about the Restrictions and Limitations in the following Google Public doc
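
A pre-flight check for the constraints raised in this thread (a /28 inside RFC 1918, not in the reserved range named by the error message, and not overlapping a range already in use), added here as an example that is not part of the original question or answer. The function name `check_master_cidr`, the `IN_USE` map and the one-entry `RESERVED` list are assumptions; `RESERVED` holds only the range quoted in the error above and may be incomplete.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Only the range named in the error message quoted in the question; treating
# this list as complete is an assumption.
RESERVED = [ipaddress.IPv4Network("172.17.0.0/16")]


def check_master_cidr(candidate, in_use):
    """Return the reasons `candidate` is unsuitable as --master-ipv4-cidr.

    in_use maps a label to a CIDR already allocated in the VPC (other
    clusters' master ranges, pod and service ranges). An empty list means
    none of the checks below found a problem.
    """
    try:
        # strict=True rejects values with host bits set, e.g. 172.16.0.17/28
        net = ipaddress.IPv4Network(candidate, strict=True)
    except ValueError as exc:
        return [f"invalid network: {exc}"]

    problems = []
    if net.prefixlen != 28:
        problems.append(f"prefix is /{net.prefixlen}, expected /28")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("outside the RFC 1918 ranges")
    for r in RESERVED:
        if net.overlaps(r):
            problems.append(f"overlaps reserved range {r}")
    # overlaps() is true for identical ranges, supersets and subsets alike.
    for label, cidr in in_use.items():
        if net.overlaps(ipaddress.IPv4Network(cidr)):
            problems.append(f"overlaps {label} ({cidr})")
    return problems


# Constructed from the values in the question: the existing cluster's master
# range plus the pod and service ranges.
IN_USE = {
    "existing master range": "172.16.0.16/28",
    "cluster-ipv4-cidr": "172.16.128.0/17",
    "services-ipv4-cidr": "192.168.1.0/24",
}

if __name__ == "__main__":
    for cidr in ("172.17.0.0/28", "172.16.0.16/28", "172.16.0.32/28"):
        print(cidr, check_master_cidr(cidr, IN_USE) or "ok")
```

Running it before `gcloud container clusters create` catches the two failures from the question locally instead of at cluster creation time.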