Information
Allocate Alias IP ranges from the node's VPC subnet for Pods, so that IP-based policies and firewall rules can later be applied to Pods themselves rather than only to nodes. A cluster that uses Alias IPs is called a VPC-native cluster.
Using Alias IPs has several benefits:
- Pod IP ranges are reserved within the VPC ahead of time, which prevents conflicts with other compute resources in the network.
- The VPC networking layer can perform anti-spoofing checks, so a Pod cannot send egress traffic with an arbitrary source IP.
- Firewall rules for Pods can be applied separately from the rules that apply to their nodes, since Pod IPs are known to the VPC.
- Alias IPs allow Pods to reach Google-hosted services directly, without traversing a NAT gateway.
Solution
Alias IPs cannot be enabled on an existing cluster. To create a new cluster using Alias IPs, follow the instructions below.
Using Google Cloud Console:
If using Standard configuration mode:
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list
- Click CREATE CLUSTER, and select Standard configuration mode.
- Configure your cluster as desired, then click Networking under CLUSTER in the navigation pane.
- In the 'VPC-native' section, leave 'Enable VPC-native (using alias IP)' selected.
- Click CREATE.
Using Command Line
To enable Alias IP on a new cluster, run the following command:
gcloud container clusters create <cluster_name> --location <location> --enable-ip-alias
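Because Alias IPs cannot be turned on after the fact, the practical control is an audit that finds routes-based clusters before they accumulate workloads. The following is an added example, not part of the original page or of Google's tooling: it reads the JSON that `gcloud container clusters list --format json` returns, treats a cluster as compliant only when `ipAllocationPolicy.useIpAliases` is exactly `true` (a routes-based cluster omits the policy or reports `false`), and emits the recreate command as the remediation. The cluster names, locations and CIDR blocks in `SAMPLE_CLUSTERS` are constructed for the example; the `gcloud` call in `list_clusters` is only made when the file is run as a script.

```python
"""Audit GKE clusters for VPC-native (Alias IP) Pod networking.

Added example; not part of the original page or of Google's tooling.
The check is a pure function over the JSON returned by
`gcloud container clusters list --format json`; gcloud itself is only
invoked under __main__, so the module can be imported and tested offline.
"""
import json
import subprocess
from typing import Any


def is_vpc_native(cluster: dict[str, Any]) -> bool:
    """True when the cluster uses Alias IPs for Pods.

    A VPC-native cluster reports ipAllocationPolicy.useIpAliases == true.
    A routes-based cluster either omits ipAllocationPolicy entirely or
    reports useIpAliases as false. Anything other than the JSON boolean
    true (missing key, false, or a string) is treated as non-compliant.
    """
    policy = cluster.get("ipAllocationPolicy") or {}
    return policy.get("useIpAliases") is True


def audit(clusters: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per routes-based cluster, with its remediation.

    Alias IPs cannot be enabled in place, so the remediation is to create a
    replacement cluster with --enable-ip-alias and migrate workloads to it.
    The "-vpc-native" suffix on the new name is an assumption of this example.
    """
    findings = []
    for c in clusters:
        if is_vpc_native(c):
            continue
        name = c["name"]
        location = c.get("location", "<location>")
        findings.append({
            "cluster": name,
            "location": location,
            "issue": "routes-based Pod networking (ipAllocationPolicy.useIpAliases is not true)",
            "remediation": (
                f"gcloud container clusters create {name}-vpc-native "
                f"--location {location} --enable-ip-alias"
            ),
        })
    return findings


def list_clusters(project: str) -> list[dict[str, Any]]:
    """Fetch live cluster descriptions with gcloud (needs network and credentials)."""
    out = subprocess.run(
        ["gcloud", "container", "clusters", "list",
         "--project", project, "--format", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample output, trimmed to the fields the check reads.
SAMPLE_CLUSTERS = [
    {"name": "prod-a", "location": "us-central1",
     "ipAllocationPolicy": {"useIpAliases": True,
                            "clusterIpv4CidrBlock": "10.4.0.0/14",
                            "servicesIpv4CidrBlock": "10.8.0.0/20"}},
    {"name": "legacy-b", "location": "us-central1-a",
     "ipAllocationPolicy": {"useIpAliases": False}},
    {"name": "legacy-c", "location": "europe-west1-b"},  # no ipAllocationPolicy at all
]

if __name__ == "__main__":
    # Swap SAMPLE_CLUSTERS for list_clusters("my-project") to audit a real project.
    for f in audit(SAMPLE_CLUSTERS):
        print(f"{f['cluster']} ({f['location']}): {f['issue']}")
        print(f"  -> {f['remediation']}")
```

For a single cluster the same check can be done at the command line with `gcloud container clusters describe <cluster_name> --location <location> --format 'value(ipAllocationPolicy.useIpAliases)'`, which prints `True` for a VPC-native cluster; the script is the batch form of that check across a project.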
Impact
You cannot currently migrate an existing cluster that uses routes for Pod routing to a cluster that uses Alias IPs; the cluster must be recreated and workloads moved to it.
Cluster IPs for internal Services remain reachable only from within the cluster. If you want to reach a Kubernetes Service from elsewhere in the VPC, but from outside the cluster, expose it through an internal load balancer.