Create a secured cluster
Here we create a secured cluster that is only accessible from a bastion host.
Create VPC network (my-vpc) and subnet (app)
Create the VPC and a subnet with the primary range 172.25.0.0/19 in us-central1. The two secondary ranges (app-services and app-pods) are the alias ranges the cluster will use for Services and Pods.
gcloud compute networks create my-vpc \
    --subnet-mode custom
gcloud compute networks subnets create app \
    --network my-vpc \
    --range 172.25.0.0/19 \
    --region us-central1 \
    --secondary-range app-services=10.0.32.0/20,app-pods=10.4.0.0/14
Create a bastion host
# The zone must lie in us-central1, the region of the app subnet; a VM in
# another region cannot attach to this subnet and the command fails.
gcloud compute instances create my-bastion \
    --subnet app \
    --zone us-central1-a \
    --image-family centos-7 \
    --image-project centos-cloud \
    --tags my-bastion \
    --machine-type n1-standard-1
Create firewall rule for bastion server
This allows SSH to the bastion host from outside the VPC. The source range 0.0.0.0/0 admits any address on the Internet; in practice restrict it to the address range you administer from.
# Only instances carrying the my-bastion tag receive tcp/22 from the source range.
gcloud compute firewall-rules create my-bastion-firewall \
    --allow tcp:22 \
    --source-ranges "0.0.0.0/0" \
    --network my-vpc \
    --target-tags my-bastion
Create cluster with ‘master authorized networks’
Create a cluster in my-vpc and the app subnet. The control plane can only be reached from an instance in the 172.25.0.0/19 range, i.e. from the bastion host.
# <zone-of-the-cluster> must be a zone in us-central1, the region of the app subnet.
gcloud container clusters create <cluster-name> \
    --zone=<zone-of-the-cluster> \
    --enable-ip-alias \
    --network my-vpc --subnetwork app \
    --enable-master-authorized-networks --master-authorized-networks=172.25.0.0/19
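As an added example (not code from the original page), the following Python script checks a plan built from the values above before any gcloud command is run: the primary, Pod and Service ranges must not overlap, the bastion zone must lie in the subnet's region, SSH must not be open to every address, and the master authorized networks must cover the bastion subnet while staying inside RFC 1918 space. The PLAN dict layout, the function names, and the corrected values (a zone in us-central1, a constructed operator range 203.0.113.0/24 for SSH) are assumptions for illustration; it uses only the standard library.

```python
"""Pre-flight checks for the bastion-gated cluster layout above.

Added example, not code from the original page. Only the standard
library is used; the plan dict layout and function names are assumptions.
"""
import ipaddress

# Constructed from the gcloud commands on this page, with a bastion zone
# from another region and SSH open to the world so the checker has
# something to report.
PLAN_AS_WRITTEN = {
    "subnet_region": "us-central1",
    "subnet_range": "172.25.0.0/19",
    "secondary_ranges": {"app-services": "10.0.32.0/20",
                         "app-pods": "10.4.0.0/14"},
    "bastion_zone": "asia-southeast1-a",
    "ssh_source_ranges": ["0.0.0.0/0"],
    "master_authorized_networks": ["172.25.0.0/19"],
}

# RFC 1918 private address space, used to judge authorized networks.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def zone_region(zone):
    """GCP zones are '<region>-<letter>': us-central1-a -> us-central1."""
    return zone.rsplit("-", 1)[0]


def ip_allowed_by_authorized_networks(ip, cidrs):
    """True if `ip` may reach the control plane under master authorized networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def check_plan(plan):
    """Return a list of (code, message) findings; an empty list means the plan passes."""
    findings = []
    nets = {"primary": ipaddress.ip_network(plan["subnet_range"])}
    for name, cidr in plan["secondary_ranges"].items():
        nets[name] = ipaddress.ip_network(cidr)

    # 1. Primary and secondary (Pod/Service) ranges must not overlap.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(("RANGE_OVERLAP", f"{a} {nets[a]} overlaps {b} {nets[b]}"))

    # 2. A VM can only attach to a subnet in its own region.
    if zone_region(plan["bastion_zone"]) != plan["subnet_region"]:
        findings.append(("ZONE_REGION_MISMATCH",
                         f"bastion zone {plan['bastion_zone']} is not in {plan['subnet_region']}"))

    # 3. SSH exposed to every address defeats the point of a bastion.
    for cidr in plan["ssh_source_ranges"]:
        if ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append(("SSH_OPEN_TO_WORLD", f"tcp/22 allowed from {cidr}"))

    # 4. The bastion subnet must sit inside an authorized network, otherwise
    #    kubectl from the bastion is refused along with everyone else...
    auth = [ipaddress.ip_network(c) for c in plan["master_authorized_networks"]]
    if not any(nets["primary"].subnet_of(a) for a in auth):
        findings.append(("BASTION_SUBNET_NOT_AUTHORIZED",
                         f"{nets['primary']} is not covered by {plan['master_authorized_networks']}"))
    # ...and an authorized range outside RFC 1918 space exposes the control plane.
    for a in auth:
        if not any(a.subnet_of(r) for r in RFC1918):
            findings.append(("NON_RFC1918_AUTHORIZED_NETWORK", f"{a} is not private address space"))
    return findings


# Corrected plan: bastion zone in the subnet's region, SSH limited to one
# constructed operator range (203.0.113.0/24 is documentation space).
PLAN_FIXED = dict(PLAN_AS_WRITTEN,
                  bastion_zone="us-central1-a",
                  ssh_source_ranges=["203.0.113.0/24"])

if __name__ == "__main__":
    for label, plan in (("as written", PLAN_AS_WRITTEN), ("fixed", PLAN_FIXED)):
        print(label, check_plan(plan) or "OK")
```

Run it before the gcloud steps; an empty findings list for the corrected plan means the bastion will be able to attach to the subnet and reach the control plane, while nothing outside 172.25.0.0/19 can.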