I'm planning to use the Jenkins Kubernetes plugin in a setup where an existing Jenkins setup with master and slaves on VMs is split into the master remaining in the current setup and slaves being provisioned dynamically by Google Kubernetes Engine (GKE).

My aim is to reduce costs for the time where slaves can be auto-scaled down to a minimum and provide constant build speed by provisioning a large number of agents at the same time. I'm choosing this approach because it requires a minimum effort.

Afaik I need to forward ports 8080 and 50000 for the JNLP. This is a potential security risk since JNLP isn't protected by any form of encryption and credentials for Jenkins and third party system could be intercepted as well as arbitrary commands being run on the master.

There's the option to enable Slave to master access control, but as far as I understand it's not a protection against interception of credentials.

Is it possible to create an IP or other tunnel inside GKE? The IPs of the master nodes are not predictable and it seems like a lot of overhead to maintain the correct tunnel destination to potentially terminated and recreated node pools.

I'm aware that it's probably not rocket science to move the Jenkins master to Kubernetes as well and let it do it's magic with dynamic provisioning of agents in the contained and wonderful world of k8s. However I need to move it there and I don't want to invest time just to have a nice to look at solution if an easier approach does the job as well.