Networking setup
# Create the VPC for the k8s cluster. Custom subnet mode means no auto-created
# per-region subnets: only the ranges declared below exist in this network.
gcloud compute networks create k8s-vpc --subnet-mode=custom
# One /24 subnet (10.240.0.0/24) in us-west1 for all cluster nodes.
gcloud compute networks subnets create k8s-west \
  --network=k8s-vpc \
  --region=us-west1 \
  --range=10.240.0.0/24
# Node-to-node traffic: tcp/udp/icmp from anywhere inside the subnet range.
# There is no --target-tags, so this rule applies to every instance in k8s-vpc.
gcloud compute firewall-rules create k8s-allow-internal \
  --network=k8s-vpc \
  --source-ranges=10.240.0.0/24 \
  --allow=tcp,udp,icmp
# Nodes are created without a public IP, so `gcloud compute ssh <node-name>`
# reaches them through IAP; only Google's IAP range (35.235.240.0/20) needs
# tcp:22. Again no --target-tags: every instance in the VPC accepts IAP SSH.
gcloud compute firewall-rules create k8s-allow-ssh \
  --network=k8s-vpc \
  --source-ranges=35.235.240.0/20 \
  --allow=tcp:22
Set up Cloud NAT
# Cloud NAT is attached to a Cloud Router, so the router comes first.
gcloud compute routers create k8s-router \
  --region=us-west1 \
  --network=k8s-vpc
# NAT gateway for us-west1: gives the no-public-IP nodes outbound-only
# internet access (e.g. package downloads) without opening any inbound port.
# External NAT IPs are auto-allocated here; reserve a static IP instead if
# downstream services must allow-list the cluster's egress address.
gcloud compute routers nats create k8s-nat \
  --router=k8s-router \
  --router-region=us-west1 \
  --nat-all-subnet-ip-ranges \
  --auto-allocate-nat-external-ips
Provision compute instances
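# Zone for every node. This must match the zone of the k8s-master instance
# group (us-west1-c): `instance-groups unmanaged add-instances --zone=us-west1-c`
# cannot find master-0 if the instance landed in the caller's default zone.
zone=us-west1-c

# OAuth scopes granted to each node's attached service account.
# NOTE(review): compute-rw lets a compromised node create/modify VMs and
# firewall rules in the project. Once the cloud-provider's real needs are
# known, prefer a dedicated least-privilege service account (--service-account)
# with narrower scopes.
node_scopes=compute-rw,storage-ro,service-management,service-control,logging-write,monitoring

# Create master nodes master-0..2 at 10.240.0.10..12. --no-address: no public
# IP, egress goes through Cloud NAT. --async: returns before the VM is ready.
for i in 0 1 2; do
  gcloud compute instances create "master-${i}" \
    --async \
    --zone "${zone}" \
    --boot-disk-size 100GB \
    --can-ip-forward \
    --image-family ubuntu-2004-lts \
    --image-project ubuntu-os-cloud \
    --machine-type e2-medium \
    --private-network-ip "10.240.0.1${i}" \
    --scopes "${node_scopes}" \
    --subnet k8s-west \
    --tags controller,master \
    --no-address
done

# Create at least one worker node (10.240.0.20), same image/scopes as masters.
gcloud compute instances create worker-0 \
  --async \
  --zone "${zone}" \
  --boot-disk-size 100GB \
  --can-ip-forward \
  --image-family ubuntu-2004-lts \
  --image-project ubuntu-os-cloud \
  --machine-type e2-medium \
  --private-network-ip 10.240.0.20 \
  --scopes "${node_scopes}" \
  --subnet k8s-west \
  --tags worker \
  --no-address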
Provision Load Balancer for k8s master
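# Allow health-check probes from Google's documented prober ranges to reach
# the API server port on the master nodes.
# source: https://cloud.google.com/load-balancing/docs/health-checks#firewall_rules
# Target tag is `master` because that is the tag the master instances carry;
# the previous `allow-network-lb-health-checks` tag was never applied to any
# instance, so the VPC firewall would have dropped every probe and the backend
# would never become healthy.
# Only tcp:6443 is opened: the k8s-controller-hc health check probes that port,
# so the prober ranges get no access to anything else.
gcloud compute firewall-rules create fw-allow-network-lb-health-checks \
  --network=k8s-vpc \
  --action=ALLOW \
  --direction=INGRESS \
  --source-ranges=35.191.0.0/16,209.85.152.0/22,209.85.204.0/22,130.211.0.0/22 \
  --target-tags=master \
  --rules=tcp:6443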
# Unmanaged instance group in us-west1-c that the backend service will point at.
gcloud compute instance-groups unmanaged create k8s-master --zone=us-west1-c
# Only master-0 is registered, so the load balancer has a single backend;
# register master-1 and master-2 too if the control plane should survive the
# loss of one master. The instances were created with --async, so make sure
# master-0 exists before running this.
gcloud compute instance-groups unmanaged add-instances k8s-master \
  --instances=master-0 \
  --zone=us-west1-c
# Regional HTTPS health check against the API server's /healthz on port 6443,
# probing every 5 seconds. Probe logging is enabled; filter on
# resource.type="gce_instance_group" to see the health check logs.
# Disable logging later with: health-checks update https <name> --no-enable-logging
gcloud compute health-checks create https k8s-controller-hc \
  --region=us-west1 \
  --port=6443 \
  --request-path=/healthz \
  --check-interval=5 \
  --enable-logging
# Regional TCP backend service wired to the regional health check above.
gcloud compute backend-services create k8s-service \
  --region=us-west1 \
  --protocol=TCP \
  --health-checks=k8s-controller-hc \
  --health-checks-region=us-west1
# Register the master instance group as the backend of that service.
gcloud compute backend-services add-backend k8s-service \
  --region=us-west1 \
  --instance-group=k8s-master \
  --instance-group-zone=us-west1-c
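# Reserve a static regional IP for the network load balancer so the API
# endpoint address does not change if the forwarding rule is recreated.
gcloud compute addresses create k8s-lb --region=us-west1

# A pass-through network LB does not terminate connections: client packets
# reach the master nodes with the client's own source IP, so the VPC firewall
# must allow tcp:6443 from the intended API clients. None of the rules defined
# so far do (k8s-allow-internal covers only 10.240.0.0/24, the health-check
# rule only Google's prober ranges), so the forwarding rule alone would be
# unreachable. Scope this to known client CIDRs rather than 0.0.0.0/0.
: "${K8S_API_CLIENT_RANGES:?set to a comma-separated list of CIDRs allowed to reach the API server (placeholder: <ADMIN_CIDR>)}"
gcloud compute firewall-rules create k8s-allow-api \
  --network=k8s-vpc \
  --direction=INGRESS \
  --source-ranges="${K8S_API_CLIENT_RANGES}" \
  --target-tags=master \
  --allow=tcp:6443

# External forwarding rule: static IP k8s-lb, port 6443 -> backend service.
gcloud compute forwarding-rules create k8s-forwarding-rule \
  --region=us-west1 \
  --load-balancing-scheme=external \
  --address=k8s-lb \
  --ports=6443 \
  --backend-service=k8s-service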