Setup a Kubernetes Cluster on GCP with Cloud NAT


This week, a friend told me that after reading our last article about Cloud NAT, he wanted to know how to set it up with a Kubernetes cluster.

So here is the step-by-step process. First, we have to set up a NAT gateway (see the steps in this article):

To see the IPs assigned to the service, we use the following command (remember that we have to query the router associated with the NAT service):

gcloud beta compute routers get-status <router> --region <region>

Now we are going to set up a new Kubernetes cluster in the same region where we created the NAT gateway.

We wait until the cluster is on-line and then connect (it will open a Cloud Shell session and download the associated cluster credentials):

After this, we can test our Internet gateway. To confirm that we are using Cloud NAT, we use the Docker image “travelping/nettools” (source) to create a pod and open a shell session in it:

kubectl run -it nettools --image=travelping/nettools --rm --restart=Never -- sh

As soon as we are connected to the container, we use curl against ifconfig.me to see our external IP:

We can see that this IP is not one of the addresses assigned to the NAT service (in our case 35.233.3.163 or 35.205.243.254). The reason is that the traffic is leaving through the external IP attached to the Kubernetes node; for the NAT service to be used, the Kubernetes node must not have any external IP at all.

With this in mind, we are going to recreate our Kubernetes cluster (we can’t use the previous one). We need to expand the advanced options of the cluster and check “Enable VPC-native (using alias IP)”. With alias IPs, the VPC control panel automatically manages the routing setup for Pods.

Then we can check the option “Private cluster” and provide the “Master IP range” (the private block for the cluster master must be a /28 and it cannot overlap any existing subnet in our VPC). This creates a cluster whose nodes run with private IPs only, while the cluster master keeps a publicly reachable endpoint. We uncheck “Enable master authorized networks” to make connecting to our master easy, but in production it is strongly recommended to restrict access to specified sets of IP addresses.

As soon as the cluster is on-line, we repeat the test with the nettools container:

And now we are using the Cloud NAT service.

In conclusion, to set up a Kubernetes cluster with Cloud NAT, we need to select the following options when creating it:

  • Enable “Enable VPC-native (using alias IP)”
  • Enable “Private cluster”
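The same procedure from the command line, as an added example that is not part of the original post: a small POSIX shell script that builds the `gcloud container clusters create` command equivalent to the two console options above (`--enable-ip-alias` and `--enable-private-nodes` with `--master-ipv4-cidr`, which are the documented gcloud flags), checks that the master range is a /28, extracts the NAT addresses from a router status listing, and compares the egress IP seen from the nettools pod against them. The cluster name, region, master range and the router status text are constructed placeholders; only the two NAT IPs are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: cluster name,
# region, master range and the sample router status below are constructed.

# Build (but do not run) the cluster-create command matching the console
# options "Enable VPC-native (using alias IP)" and "Private cluster".
# Usage: gke_private_cluster_cmd CLUSTER REGION MASTER_CIDR
gke_private_cluster_cmd() {
  printf '%s' "gcloud container clusters create $1 --region $2 --enable-ip-alias --enable-private-nodes --master-ipv4-cidr $3"
}

# The master range must be exactly a /28 (the GKE requirement noted in the
# post). Returns 0 for a dotted-quad /28, 1 otherwise.
master_cidr_is_28() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/28$'
}

# Pull the IPv4 addresses out of `gcloud compute routers get-status` output
# (read from stdin); prints one unique address per line.
nat_ips_from_status() {
  grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Returns 0 when the egress IP observed from the pod (curl ifconfig.me) is
# one of the NAT addresses, 1 when it is not, i.e. the node's own external
# IP is still being used.
egress_uses_nat() {
  ip="$1"; shift
  for nat in "$@"; do
    [ "$ip" = "$nat" ] && return 0
  done
  return 1
}

# Constructed sample of router status output (shape only). The two
# addresses are the NAT IPs quoted in the post.
SAMPLE_STATUS='result:
  natStatus:
  - autoAllocatedNatIps:
    - 35.233.3.163
    - 35.205.243.254
    name: nat-gateway'

main() {
  cidr=172.16.0.0/28   # constructed master range
  master_cidr_is_28 "$cidr" || { echo "master range must be a /28"; exit 1; }
  echo "would run: $(gke_private_cluster_cmd my-cluster europe-west1 "$cidr")"

  nat_ips=$(printf '%s\n' "$SAMPLE_STATUS" | nat_ips_from_status)
  # Real run would use:
  #   kubectl run -it nettools --image=travelping/nettools --rm --restart=Never -- curl -s ifconfig.me
  observed="35.233.3.163"   # constructed: what curl ifconfig.me returned in the pod
  if egress_uses_nat "$observed" $nat_ips; then
    echo "egress $observed is a Cloud NAT address"
  else
    echo "egress $observed is NOT a NAT address: the node still has an external IP"
  fi
}

main
```

Run it as `sh gke_nat_check.sh`; to check a live cluster, replace the constructed `observed` value with the output of the `kubectl run ... curl -s ifconfig.me` line shown in the comment and feed `gcloud compute routers get-status <router> --region <region>` into `nat_ips_from_status`.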