Creating a private cluster in GKE, terraform vs console
According to Google Cloud Platform documentation here, it should be possible to have both private and public endpoints, and the `master_authorized_networks_config` argument should have networks which can reach either of those endpoints.

If setting the `enable_private_endpoint` argument to `false` means that the private endpoint is created, but it also creates the public endpoint, then that is a horribly mis-named argument; `enable_private_endpoint` is actually flipping the public endpoint off and on, not the private one. Apparently, specifying a `private_cluster_config` is sufficient to enable the private endpoint, and the flag toggles the public endpoint, if reported behavior is to be believed.

That is certainly the experience that I had: specifying my local IP address in the `master_authorized_networks_config` caused cluster creation to fail when `enable_private_endpoint` is `true`. When I set it to `false`, I get both endpoints and the config is not rejected.
I've had the same issue recently.

The solution I found is to set `enable_private_endpoint = false`. In this case the private endpoint is created anyway, but you are allowed to add CIDRs with external addresses to the master authorized networks.
```hcl
# Authorized networks enabled, but with no CIDRs listed: nothing external is
# allow-listed, so the config is accepted for a strictly private endpoint.
master_authorized_networks_config {
}

private_cluster_config {
  enable_private_endpoint = true   # control plane reachable only via the private endpoint
  enable_private_nodes    = true   # nodes get no external IPs
  master_ipv4_cidr_block  = "<cidr>"   # /28 range for the control plane, must not overlap the VPC
}
```

Should create the private endpoint and it won't complain about `Invalid master authorized networks`. The one you tried is passing up the external CIDR for the whitelist to access the public endpoint while at the same time you want it to be strictly private.
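To make the two behaviours discussed above concrete, here is an added example (not code from any of the answers or from the Terraform provider docs): two `google_container_cluster` resources, one with `enable_private_endpoint = true` and an internal-only allow-list, one with it set to `false` and a single external admin address allow-listed. Cluster names, network and subnetwork names, and every CIDR are assumed placeholders.

```hcl
# Variant A: strictly private control plane. Only internal (VPC-reachable)
# ranges may appear in master_authorized_networks_config; an external
# address here is rejected with "Invalid master authorized networks".
resource "google_container_cluster" "private_only" {
  name       = "example-private-only"   # assumed name
  location   = "us-central1"            # assumed region
  network    = "example-vpc"            # assumed existing VPC
  subnetwork = "example-nodes"          # assumed existing subnet
  remove_default_node_pool = true
  initial_node_count       = 1
  ip_allocation_policy {}               # VPC-native is required for private clusters
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = true      # no public endpoint is created at all
    master_ipv4_cidr_block  = "172.16.0.0/28"   # assumed; must not overlap the VPC
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/24"      # assumed internal subnet (e.g. a bastion host)
      display_name = "internal-bastion"
    }
  }
}

# Variant B: private nodes, but the public endpoint is kept and gated by the
# allow-list. This is what enable_private_endpoint = false actually does: the
# private endpoint still exists, and external CIDRs are now accepted. Keep the
# allow-list to specific /32 addresses; never use 0.0.0.0/0 here.
resource "google_container_cluster" "private_nodes_public_endpoint" {
  name       = "example-private-nodes"  # assumed name
  location   = "us-central1"
  network    = "example-vpc"
  subnetwork = "example-nodes"
  remove_default_node_pool = true
  initial_node_count       = 1
  ip_allocation_policy {}
  private_cluster_config {
    enable_private_nodes    = true
    enable_private_endpoint = false     # public endpoint stays on, private one still created
    master_ipv4_cidr_block  = "172.16.0.16/28"   # assumed; distinct from variant A
  }
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.10/32"  # assumed admin egress IP (documentation range)
      display_name = "admin-workstation"
    }
  }
}
```

Running `terraform plan` against variant A with the external `/32` moved into its `cidr_blocks` reproduces the validation error the answers describe; variant B accepts it because the public endpoint exists to be gated.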