Creating a private cluster in GKE, terraform vs console

8/18/2019

I've been trying to set up a Terraform module to create a private cluster, and I'm struggling with a strange situation.

When creating a cluster with a master authorized network, if I do it through the GCP console, I can create the private cluster just fine. But when I do it with Terraform, I get a strange error:

 Invalid master authorized networks: network "<cidr>" is not a reserved network, which is required for private endpoints.

The interesting parts of the code are as follows:

....
master_authorized_networks_config {
  cidr_blocks {
    cidr_block = "<my-network-cidr>"
  }
}

private_cluster_config {
  enable_private_endpoint = true
  enable_private_nodes    = true
  master_ipv4_cidr_block  = "<cidr>"
}
....

Is there something I'm forgetting here?

-- Angel Villalain
google-cloud-platform
google-kubernetes-engine
terraform

3 Answers

8/19/2019

I was able to figure it out by myself, I guess I should have read all the documentation on the GCP side in detail.

The problem here is that I'm adding a master authorized network CIDR range to enable local network access, which is an external address, and from the GCP documentation:

You cannot include external IP addresses in the list of master authorized networks, because access to the public endpoint is disabled.

If you are curious and want to know more, click here

-- Angel Villalain
Source: StackOverflow

9/6/2019

I've had the same issue recently.

The solution I found is to set enable_private_endpoint = false.

In this case the private endpoint is created anyway, but you are allowed to add CIDRs with external addresses to master authorized networks.

-- dds
Source: StackOverflow

10/31/2019

According to the Google docs (https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters), it should be possible to have both private and public endpoints, and master_authorized_networks_config should have networks which can reach either of those endpoints.

If setting enable_private_endpoint to false means that the private endpoint is created, but it also creates the public endpoint, then that is a horribly misnamed variable, since it is actually flipping the public endpoint off and on, not the private one. Apparently, specifying a private_cluster_config is sufficient to enable the private endpoint, and the flag toggles the public endpoint, if reported behaviour is to be believed.

That is certainly the experience that I had - specifying my local IP address in the master_authorized_networks_config caused cluster creation to fail when enable_private_endpoint is true. When I set it to false, I get both endpoints and the config is not rejected.

-- ideasculptor
Source: StackOverflow
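Added example, not code from the question or any of the answers: a google_container_cluster resource that puts the two configurations the thread discusses side by side. The VPC, subnet, secondary range names, cluster name and all CIDRs are placeholders.

```hcl
# Added example (not from the question or answers). Every name and CIDR
# below is a placeholder; the subnet is assumed to carry secondary ranges
# named "pods" and "services".

variable "operator_public_ip" {
  description = "Single external address allowed to reach the public endpoint (placeholder /32)"
  type        = string
  default     = "203.0.113.10/32" # TEST-NET-3 documentation range, not a real operator
}

resource "google_container_cluster" "private" {
  name       = "example-private"
  location   = "us-central1"
  network    = "example-vpc"    # placeholder VPC
  subnetwork = "example-subnet" # placeholder subnet

  remove_default_node_pool = true
  initial_node_count       = 1

  # Private clusters must be VPC-native (alias IP); point at the subnet's secondary ranges.
  ip_allocation_policy {
    cluster_secondary_range_name  = "pods"
    services_secondary_range_name = "services"
  }

  private_cluster_config {
    enable_private_nodes = true
    # true  -> public endpoint disabled; only internal (RFC 1918) ranges are
    #          accepted in master_authorized_networks_config, which is the
    #          "is not a reserved network" error from the question.
    # false -> public endpoint kept; external /32s are accepted, so the
    #          authorized list is the only network control on the control plane.
    enable_private_endpoint = false
    master_ipv4_cidr_block  = "172.16.0.32/28" # placeholder /28, must not overlap the VPC
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/24" # placeholder internal range (VPN/bastion), valid in both modes
      display_name = "corp-vpn"
    }
    cidr_blocks {
      cidr_block   = var.operator_public_ip # only accepted while enable_private_endpoint = false
      display_name = "operator-workstation"
    }
  }
}
```

With enable_private_endpoint = false the public endpoint is live, so keep the external entries to specific /32s and move operators onto the internal range (and back to enable_private_endpoint = true) once VPN or bastion access is in place.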