Access to cluster endpoints
Creating a private cluster
main.tf
// Google provider. PROJECT_ID is a placeholder (see the note at the end of the
// file); region/zone are given per resource, so none are set here.
provider "google" {
  project = "PROJECT_ID"
}
// Resolves the current project so the IAM binding at the end of the file can
// use data.google_project.project.project_id instead of repeating PROJECT_ID.
data "google_project" "project" {}
// public: control-plane public endpoint with NO authorized-networks restriction.
// Results recorded below: the public endpoint answered from the local machine,
// from a remote (Hetzner) host and from every test VM; the private endpoint
// answered from both subnetworks of this VPC but not from the other VPC.
// Any Internet host can therefore reach the API server -- only TLS and
// authentication stand between it and the cluster.
resource "google_container_cluster" "test-gke1" {
  name               = "test-gke1"
  location           = "europe-central2-a"
  initial_node_count = 1
  network            = google_compute_network.test-gke1.self_link
  subnetwork         = google_compute_subnetwork.test-gke11.self_link
  // VPC-native (alias IP) cluster; private clusters must be VPC-native.
  ip_allocation_policy {}
  private_cluster_config {
    // Nodes get internal IPs only. The control plane keeps its public endpoint
    // because enable_private_endpoint is left unset (defaults to false; the
    // `clusters describe` output below shows no enablePrivateEndpoint).
    enable_private_nodes = true
    // /28 for the control plane. The three clusters share this VPC, so their
    // ranges (.240, .224, .208) must not overlap.
    master_ipv4_cidr_block = "10.255.255.240/28"
  }
  node_config {
    // NOTE(review): no service_account/oauth_scopes set, so nodes run as the
    // default compute service account -- confirm that is acceptable.
    machine_type = "e2-micro"
  }
}
// public + authorized networks: the public endpoint answers only to the listed
// CIDRs. Results recorded below: reachable from the local (authorized) machine;
// the remote (Hetzner) host and every VM's public-path attempt timed out. The
// private endpoint answered from the same subnetwork and from the VM holding
// the authorized internal address, not from the other VMs.
resource "google_container_cluster" "test-gke2" {
  name               = "test-gke2"
  location           = "europe-central2-a"
  initial_node_count = 1
  network            = google_compute_network.test-gke1.self_link
  subnetwork         = google_compute_subnetwork.test-gke11.self_link
  // VPC-native (alias IP) cluster; private clusters must be VPC-native.
  ip_allocation_policy {}
  private_cluster_config {
    // Nodes get internal IPs only; the public endpoint stays enabled.
    enable_private_nodes = true
    master_ipv4_cidr_block = "10.255.255.224/28"
  }
  master_authorized_networks_config {
    // Operator's public address (replace SOURCE_IP).
    cidr_blocks {
      cidr_block = "SOURCE_IP/32"
    }
    // Reserved internal address fixed on test-gke-ce121 below.
    // NOTE(review): the `clusters describe` output recorded for this cluster
    // lists only SOURCE_IP/32 under cidrBlocks -- confirm both entries applied
    // (the ce121 private-endpoint result suggests this one did).
    cidr_blocks {
      cidr_block = "${google_compute_address.test-gke.address}/32"
    }
  }
  node_config {
    machine_type = "e2-micro"
  }
}
// private + authorized networks: enable_private_endpoint turns off access via
// the public endpoint entirely. Results recorded below: every public attempt
// timed out -- including the operator's own machine, which then needs a host
// inside the VPC (the probe VMs here) to run kubectl -- even though
// `clusters describe` still prints a publicEndpoint address. The private
// endpoint answered from the same subnetwork and from the authorized internal
// address only.
resource "google_container_cluster" "test-gke3" {
  name               = "test-gke3"
  location           = "europe-central2-a"
  initial_node_count = 1
  network            = google_compute_network.test-gke1.self_link
  subnetwork         = google_compute_subnetwork.test-gke11.self_link
  // VPC-native (alias IP) cluster; private clusters must be VPC-native.
  ip_allocation_policy {}
  private_cluster_config {
    enable_private_nodes = true
    master_ipv4_cidr_block = "10.255.255.208/28"
    // Only the private endpoint serves the API; the authorized networks below
    // then gate which internal addresses may reach it.
    enable_private_endpoint = true
  }
  master_authorized_networks_config {
    // Reserved internal address fixed on test-gke-ce121 below (shown as
    // 10.0.16.2/32 in the recorded describe output).
    cidr_blocks {
      cidr_block = "${google_compute_address.test-gke.address}/32"
    }
  }
  node_config {
    machine_type = "e2-micro"
  }
}
// same subnetwork: probe VM in test-gke11, the subnetwork the cluster nodes use.
// The four probe VMs differ only in subnetwork/address; a for_each over a map
// would remove the duplication (resource addresses would change).
resource "google_compute_instance" "test-gke-ce111" {
  name         = "test-gke-ce111"
  machine_type = "e2-small"
  zone         = "europe-central2-a"
  boot_disk {
    initialize_params {
      image = "cos-cloud/cos-109-lts"
    }
  }
  network_interface {
    subnetwork = google_compute_subnetwork.test-gke11.self_link
    // Ephemeral external IP; the `gcloud compute ssh` calls on this page appear
    // to use it (the test-gke-ssh rule opens tcp/22 from SOURCE_IP only).
    access_config {}
  }
  metadata = {
    // Only instance-level SSH keys are honoured; project-wide keys are ignored.
    block-project-ssh-keys = true
  }
  service_account {
    email = google_service_account.test-gke.email
    // Broad OAuth scope; effective permissions are bounded by the IAM bindings
    // on the service account (roles/container.viewer at the end of the file).
    scopes = ["cloud-platform"]
  }
  allow_stopping_for_update = true
}
// other subnetwork (authorized): probe VM in test-gke12 whose internal address
// is the reserved one listed as an authorized network on clusters 2 and 3.
resource "google_compute_instance" "test-gke-ce121" {
  name         = "test-gke-ce121"
  machine_type = "e2-small"
  zone         = "europe-central2-a"
  boot_disk {
    initialize_params {
      image = "cos-cloud/cos-109-lts"
    }
  }
  network_interface {
    subnetwork = google_compute_subnetwork.test-gke12.self_link
    // Pin the reserved address so the /32 authorization stays valid.
    network_ip = google_compute_address.test-gke.address
    // Ephemeral external IP for `gcloud compute ssh` from SOURCE_IP.
    access_config {}
  }
  metadata = {
    // Only instance-level SSH keys are honoured; project-wide keys are ignored.
    block-project-ssh-keys = true
  }
  service_account {
    email = google_service_account.test-gke.email
    // Broad OAuth scope; effective permissions are bounded by the IAM bindings
    // on the service account (roles/container.viewer at the end of the file).
    scopes = ["cloud-platform"]
  }
  allow_stopping_for_update = true
}
// other subnetwork: probe VM in test-gke12 with an unreserved, NON-authorized
// internal address -- the control for the authorized VM above.
resource "google_compute_instance" "test-gke-ce122" {
  name         = "test-gke-ce122"
  machine_type = "e2-small"
  zone         = "europe-central2-a"
  boot_disk {
    initialize_params {
      image = "cos-cloud/cos-109-lts"
    }
  }
  network_interface {
    subnetwork = google_compute_subnetwork.test-gke12.self_link
    // Ephemeral external IP for `gcloud compute ssh` from SOURCE_IP.
    access_config {}
  }
  metadata = {
    // Only instance-level SSH keys are honoured; project-wide keys are ignored.
    block-project-ssh-keys = true
  }
  service_account {
    email = google_service_account.test-gke.email
    // Broad OAuth scope; effective permissions are bounded by the IAM bindings
    // on the service account (roles/container.viewer at the end of the file).
    scopes = ["cloud-platform"]
  }
  allow_stopping_for_update = true
}
// other network: probe VM in a separate VPC (test-gke2). No peering to the
// clusters' VPC exists, so the private endpoints never answered from here.
resource "google_compute_instance" "test-gke-ce211" {
  name         = "test-gke-ce211"
  machine_type = "e2-small"
  zone         = "europe-central2-a"
  boot_disk {
    initialize_params {
      image = "cos-cloud/cos-109-lts"
    }
  }
  network_interface {
    subnetwork = google_compute_subnetwork.test-gke21.self_link
    // Ephemeral external IP for `gcloud compute ssh` from SOURCE_IP.
    access_config {}
  }
  metadata = {
    // Only instance-level SSH keys are honoured; project-wide keys are ignored.
    block-project-ssh-keys = true
  }
  service_account {
    email = google_service_account.test-gke.email
    // Broad OAuth scope; effective permissions are bounded by the IAM bindings
    // on the service account (roles/container.viewer at the end of the file).
    scopes = ["cloud-platform"]
  }
  allow_stopping_for_update = true
}
// Reserved internal address in test-gke12. It is pinned on test-gke-ce121 and
// listed (as /32) in the authorized networks of clusters 2 and 3, presumably
// so the authorization does not drift if the VM is recreated.
resource "google_compute_address" "test-gke" {
  name         = "test-gke"
  subnetwork   = google_compute_subnetwork.test-gke12.id
  address_type = "INTERNAL"
  region       = google_compute_subnetwork.test-gke12.region
}
// same network: the VPC shared by all three clusters and the first three probe
// VMs. Custom-mode (no auto subnets), so every subnetwork is declared below.
resource "google_compute_network" "test-gke1" {
  name                    = "test-gke1"
  auto_create_subnetworks = false
}
// same subnetwork: hosts the cluster nodes and test-gke-ce111.
// NOTE(review): private_ip_google_access is not set; private nodes need a path
// to Google APIs -- confirm GKE enables it on this subnetwork for you.
resource "google_compute_subnetwork" "test-gke11" {
  name          = "test-gke11"
  ip_cidr_range = "10.0.0.0/20"
  region        = "europe-central2"
  network       = google_compute_network.test-gke1.self_link
}
// other subnetwork: same VPC as the clusters, different range; hosts the
// authorized VM (ce121) and the unauthorized control VM (ce122).
resource "google_compute_subnetwork" "test-gke12" {
  name          = "test-gke12"
  ip_cidr_range = "10.0.16.0/20"
  region        = "europe-central2"
  network       = google_compute_network.test-gke1.self_link
}
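// SSH into the probe VMs from the operator's address only (replace SOURCE_IP).
// The rule is scoped with target_service_accounts so it applies only to
// instances running as the test-gke service account (the probe VMs) rather
// than to every instance attached to this VPC, which would include the GKE
// nodes of the three clusters. Nothing else in this file depends on the
// wider target, so the recorded tests are unaffected.
resource "google_compute_firewall" "test-gke-ssh" {
  name    = "test-gke-ssh"
  network = google_compute_network.test-gke1.name
  // Single operator host. NOTE(review): written as a bare address here but as
  // SOURCE_IP/32 in the cluster config above -- use the /32 form if the API
  // does not accept a bare address.
  source_ranges           = ["SOURCE_IP"]
  target_service_accounts = [google_service_account.test-gke.email]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}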
// other network: a second, unpeered VPC holding only test-gke-ce211, used to
// show that the clusters' private endpoints are unreachable from outside
// their own VPC.
resource "google_compute_network" "test-gke2" {
  name                    = "test-gke2"
  auto_create_subnetworks = false
}
// other subnetwork: the only subnetwork of the second VPC. Its range is the
// same as test-gke11's (10.0.0.0/20); fine for unpeered VPCs, but it would
// block peering the two networks later.
resource "google_compute_subnetwork" "test-gke21" {
  name          = "test-gke21"
  ip_cidr_range = "10.0.0.0/20"
  region        = "europe-central2"
  network       = google_compute_network.test-gke2.self_link
}
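// SSH into test-gke-ce211 from the operator's address only (replace SOURCE_IP).
// Scoped with target_service_accounts, like test-gke-ssh, so the rule applies
// only to instances running as the test-gke service account instead of to
// everything attached to this VPC.
resource "google_compute_firewall" "test-gke2-ssh" {
  name    = "test-gke2-ssh"
  network = google_compute_network.test-gke2.name
  // Single operator host. NOTE(review): use the SOURCE_IP/32 form if the API
  // does not accept a bare address.
  source_ranges           = ["SOURCE_IP"]
  target_service_accounts = [google_service_account.test-gke.email]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}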
// Dedicated service account for the probe VMs, so they do not run as the
// default compute service account; its only binding is granted below.
resource "google_service_account" "test-gke" {
  account_id = "test-gke"
}
// Read-only GKE role for the probe VMs' service account: enough for
// `gcloud container clusters get-credentials` and the `kubectl get all`
// calls recorded below, without granting write access to the clusters.
resource "google_project_iam_member" "test-gke" {
  project = data.google_project.project.project_id
  role    = "roles/container.viewer"
  member  = "serviceAccount:${google_service_account.test-gke.email}"
}
// replace PROJECT_ID, SOURCE_IP
$ docker run --rm -itv "$PWD:/app" -w /app google/cloud-sdk:457.0.0-alpine
/app # gcloud auth login --update-adc
/app # apk add terraform
/app # terraform init
/app # terraform apply
/app # gcloud components install kubectl
Accessible from anywhere:
/app # gcloud container clusters describe test-gke1 \
--format 'yaml(masterAuthorizedNetworksConfig, privateClusterConfig)' \
--location europe-central2-a --project PROJECT_ID
masterAuthorizedNetworksConfig: {}
privateClusterConfig:
enablePrivateNodes: true
masterIpv4CidrBlock: 10.255.255.240/28
peeringName: gke-nf0e4702d620e42f4782-6874-84fc-peer
privateEndpoint: 10.255.255.242
publicEndpoint: 34.xxx.xx.xxx
// local
/app # curl -sSk https://34.xxx.xx.xxx
{"status": "Failure", ...}
// remote (Hetzner)
$ curl -sSk https://34.xxx.xx.xxx
{"status": "Failure", ...}
// same subnetwork
/app # gcloud compute ssh me@test-gke-ce111 --command 'curl -sSk https://10.255.255.242' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
/app # gcloud compute ssh me@test-gke-ce111 --command 'curl -sSk https://34.xxx.xx.xxx' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
// other subnetwork
/app # gcloud compute ssh me@test-gke-ce121 --command 'curl -sSk https://10.255.255.242' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
/app # gcloud compute ssh me@test-gke-ce121 --command 'curl -sSk https://34.xxx.xx.xxx' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
// other subnetwork
/app # gcloud compute ssh me@test-gke-ce122 --command 'curl -sSk https://10.255.255.242' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
/app # gcloud compute ssh me@test-gke-ce122 --command 'curl -sSk https://34.xxx.xx.xxx' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
// other network
/app # gcloud compute ssh me@test-gke-ce211 --command 'curl -sSv https://10.255.255.242' \
--zone europe-central2-a --project PROJECT_ID
* Trying 10.255.255.242:443...
/app # gcloud compute ssh me@test-gke-ce211 --command 'curl -sSk https://34.xxx.xx.xxx' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
(+ = the endpoint answered, - = the connection timed out)
+local public
+remote public (Hetzner)
+same subnetwork private
+same subnetwork public
+other subnetwork private
+other subnetwork public
-other network private
+other network public
private - same network
public - anywhere
// local
/app # gcloud container clusters get-credentials test-gke1 --location europe-central2-a --project PROJECT_ID
/app # kubectl get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.109.112.1 <none> 443/TCP 44m
// remote (Hetzner)
$ gcloud container clusters get-credentials test-gke1 --location europe-central2-a --project PROJECT_ID
$ kubectl get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.109.112.1 <none> 443/TCP 171m
// same subnetwork
/app # gcloud compute ssh me@test-gke-ce111 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke1 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.109.112.1 <none> 443/TCP 45m
// other subnetwork
/app # gcloud compute ssh me@test-gke-ce121 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke1 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.109.112.1 <none> 443/TCP 45m
// other subnetwork
/app # gcloud compute ssh me@test-gke-ce122 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke1 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.109.112.1 <none> 443/TCP 46m
// other network
/app # gcloud compute ssh me@test-gke-ce211 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke1 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.109.112.1 <none> 443/TCP 46m
Accessible from authorized networks (external IPs):
/app # gcloud container clusters describe test-gke2 \
--format 'yaml(masterAuthorizedNetworksConfig, privateClusterConfig)' \
--location europe-central2-a --project PROJECT_ID
masterAuthorizedNetworksConfig:
cidrBlocks:
- cidrBlock: SOURCE_IP/32
enabled: true
privateClusterConfig:
enablePrivateNodes: true
masterIpv4CidrBlock: 10.255.255.224/28
peeringName: gke-nf0e4702d620e42f4782-6874-84fc-peer
privateEndpoint: 10.255.255.226
publicEndpoint: 34.yyy.yy.yyy
// local (authorized)
/app # curl -sSk https://34.yyy.yy.yyy
{"status": "Failure", ...}
// remote (Hetzner)
$ curl -sSk https://34.yyy.yy.yyy
* Trying 34.yyy.yy.yyy:443...
// same subnetwork
/app # gcloud compute ssh me@test-gke-ce111 --command 'curl -sSk https://10.255.255.226' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
/app # gcloud compute ssh me@test-gke-ce111 --command 'curl -sSv https://34.yyy.yy.yyy' \
--zone europe-central2-a --project PROJECT_ID
* Trying 34.yyy.yy.yyy:443...
// other subnetwork (authorized)
/app # gcloud compute ssh me@test-gke-ce121 --command 'curl -sSk https://10.255.255.226' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
/app # gcloud compute ssh me@test-gke-ce121 --command 'curl -sSv https://34.yyy.yy.yyy' \
--zone europe-central2-a --project PROJECT_ID
* Trying 34.yyy.yy.yyy:443...
// other subnetwork
/app # gcloud compute ssh me@test-gke-ce122 --command 'curl -sSv https://10.255.255.226' \
--zone europe-central2-a --project PROJECT_ID
* Trying 10.255.255.226:443...
/app # gcloud compute ssh me@test-gke-ce122 --command 'curl -sSv https://34.yyy.yy.yyy' \
--zone europe-central2-a --project PROJECT_ID
* Trying 34.yyy.yy.yyy:443...
// other network
/app # gcloud compute ssh me@test-gke-ce211 --command 'curl -sSv https://10.255.255.226' \
--zone europe-central2-a --project PROJECT_ID
* Trying 10.255.255.226:443...
/app # gcloud compute ssh me@test-gke-ce211 --command 'curl -sSv https://34.yyy.yy.yyy' \
--zone europe-central2-a --project PROJECT_ID
* Trying 34.yyy.yy.yyy:443...
+local public (authorized)
-remote public (Hetzner)
+same subnetwork private
-same subnetwork public
+other subnetwork private (authorized)
-other subnetwork public (authorized)
-other subnetwork private
-other subnetwork public
-other network private
-other network public
public - authorized
private - same or authorized subnetworks
// local
/app # gcloud container clusters get-credentials test-gke2 --location europe-central2-a --project PROJECT_ID
/app # kubectl get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.252.0.1 <none> 443/TCP 66m
// remote (Hetzner)
$ gcloud container clusters get-credentials test-gke2 --location europe-central2-a --project PROJECT_ID
$ kubectl get all
E0331 14:53:22.376135 284 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 14:53:52.377182 284 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 14:54:22.377900 284 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 14:54:52.378993 284 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 14:55:22.379316 284 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
Unable to connect to the server: dial tcp 34.yyy.yy.yyy:443: i/o timeout
// same subnetwork
/app # gcloud compute ssh me@test-gke-ce111 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke2 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
E0331 13:02:59.460577 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:03:29.462275 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:03:59.463493 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:04:29.464911 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:04:59.466577 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
Unable to connect to the server: dial tcp 34.yyy.yy.yyy:443: i/o timeout
// other subnetwork (authorized)
/app # gcloud compute ssh me@test-gke-ce121 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke2 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
E0331 13:06:01.349237 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:06:31.350594 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:07:01.351711 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:07:31.353126 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:08:01.354040 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
Unable to connect to the server: dial tcp 34.yyy.yy.yyy:443: i/o timeout
// other subnetwork
/app # gcloud compute ssh me@test-gke-ce122 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke2 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
E0331 13:12:06.900370 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:12:36.960392 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:13:06.961763 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:13:36.962936 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:14:06.964038 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
Unable to connect to the server: dial tcp 34.yyy.yy.yyy:443: i/o timeout
// other network
/app # gcloud compute ssh me@test-gke-ce211 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke2 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
E0331 13:15:01.499697 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:15:31.517068 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:16:01.518158 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:16:31.519590 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
E0331 13:17:01.520639 1 memcache.go:265] couldn't get current server API group list:
Get "https://34.yyy.yy.yyy/api?timeout=32s": dial tcp 34.yyy.yy.yyy:443: i/o timeout
Unable to connect to the server: dial tcp 34.yyy.yy.yyy:443: i/o timeout
Accessible from the same or authorized networks (internal IPs):
/app # gcloud container clusters describe test-gke3 \
--format 'yaml(masterAuthorizedNetworksConfig, privateClusterConfig)' \
--location europe-central2-a --project PROJECT_ID
masterAuthorizedNetworksConfig:
cidrBlocks:
- cidrBlock: 10.0.16.2/32
enabled: true
privateClusterConfig:
enablePrivateEndpoint: true
enablePrivateNodes: true
masterIpv4CidrBlock: 10.255.255.208/28
peeringName: gke-nf0e4702d620e42f4782-6874-84fc-peer
privateEndpoint: 10.255.255.210
publicEndpoint: 34.zzz.zz.zzz
// local
/app # curl -sSv https://34.zzz.zz.zzz
* Trying 34.zzz.zz.zzz:443...
// remote (Hetzner)
$ curl -sSv https://34.zzz.zz.zzz
* Trying 34.zzz.zz.zzz:443...
// same subnetwork
/app # gcloud compute ssh me@test-gke-ce111 --command 'curl -sSk https://10.255.255.210' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
/app # gcloud compute ssh me@test-gke-ce111 --command 'curl -sSv https://34.zzz.zz.zzz' \
--zone europe-central2-a --project PROJECT_ID
* Trying 34.zzz.zz.zzz:443...
// other subnetwork (authorized)
/app # gcloud compute ssh me@test-gke-ce121 --command 'curl -sSk https://10.255.255.210' \
--zone europe-central2-a --project PROJECT_ID
{"status": "Failure", ...}
/app # gcloud compute ssh me@test-gke-ce121 --command 'curl -sSv https://34.zzz.zz.zzz' \
--zone europe-central2-a --project PROJECT_ID
* Trying 34.zzz.zz.zzz:443...
// other subnetwork
/app # gcloud compute ssh me@test-gke-ce122 --command 'curl -sSv https://10.255.255.210' \
--zone europe-central2-a --project PROJECT_ID
* Trying 10.255.255.210:443...
/app # gcloud compute ssh me@test-gke-ce122 --command 'curl -sSv https://34.zzz.zz.zzz' \
--zone europe-central2-a --project PROJECT_ID
* Trying 34.zzz.zz.zzz:443...
// other network
/app # gcloud compute ssh me@test-gke-ce211 --command 'curl -sSv https://10.255.255.210' \
--zone europe-central2-a --project PROJECT_ID
* Trying 10.255.255.210:443...
/app # gcloud compute ssh me@test-gke-ce211 --command 'curl -sSv https://34.zzz.zz.zzz' \
--zone europe-central2-a --project PROJECT_ID
* Trying 34.zzz.zz.zzz:443...
-local public
-remote public (Hetzner)
+same subnetwork private
-same subnetwork public
+other subnetwork private (authorized)
-other subnetwork public (authorized)
-other subnetwork private
-other subnetwork public
-other network private
-other network public
private - same or authorized subnetworks
public - nowhere
// local
/app # gcloud container clusters get-credentials test-gke3 --location europe-central2-a --project PROJECT_ID
/app # kubectl get all
E0331 13:35:33.838630 1137 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:36:03.849174 1137 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:36:33.850596 1137 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:37:03.851827 1137 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:37:33.853477 1137 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
Unable to connect to the server: dial tcp 10.255.255.210:443: i/o timeout
// remote (Hetzner)
$ gcloud container clusters get-credentials test-gke3 --location europe-central2-a --project PROJECT_ID
$ kubectl get all
E0331 14:46:59.598109 238 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 14:47:29.598906 238 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 14:47:59.600154 238 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 14:48:29.601542 238 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 14:48:59.602888 238 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
Unable to connect to the server: dial tcp 10.255.255.210:443: i/o timeout
// same subnetwork
/app # gcloud compute ssh me@test-gke-ce111 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke3 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.88.0.1 <none> 443/TCP 104m
// other subnetwork (authorized)
/app # gcloud compute ssh me@test-gke-ce121 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke3 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.88.0.1 <none> 443/TCP 105m
// other subnetwork
/app # gcloud compute ssh me@test-gke-ce122 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke3 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
E0331 13:39:12.496754 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:39:42.497832 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:40:12.498978 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:40:42.500131 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:41:12.500976 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
Unable to connect to the server: dial tcp 10.255.255.210:443: i/o timeout
// other network
/app # gcloud compute ssh me@test-gke-ce211 \
--command '
docker run --rm google/cloud-sdk:457.0.0-alpine sh -euxc "
gcloud components install kubectl
; gcloud container clusters get-credentials test-gke3 --location europe-central2-a --project PROJECT_ID
; kubectl get all"' \
--zone europe-central2-a --project PROJECT_ID; echo -e '\a'
...
+ kubectl get all
E0331 13:42:07.383183 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:42:37.384186 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:43:07.385282 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:43:37.386223 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
E0331 13:44:07.387211 1 memcache.go:265] couldn't get current server API group list:
Get "https://10.255.255.210/api?timeout=32s": dial tcp 10.255.255.210:443: i/o timeout
Unable to connect to the server: dial tcp 10.255.255.210:443: i/o timeout