GKE Control Plane and Public IPs and Private Service Connect
By default, when you create a public cluster, GKE assigns an external IP address (external endpoint) to the control plane and provisions public nodes. This means that any VM with an external IP address can reach the control plane.
If you configure authorized networks, you can limit the IP address ranges that have access to your cluster control plane, but the cluster control plane is still accessible from Google Cloud-owned IP addresses. For example, any VM with an external IP address assigned in Google Cloud can reach your control plane external IP address. However, a VM without the corresponding credentials cannot reach your nodes.
Use Private Service Connect along with Public Clusters
- On public clusters that use Private Service Connect, you can configure who has access to your public cluster nodes and control plane.
- As a platform administrator, you might need to isolate your control plane, nodes, or both from public access.
Leave a Reply