gke-networking
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseGKE Networking
GKE 网络配置
This reference covers networking configuration for GKE clusters. The golden path
enforces private, VPC-native clusters with Dataplane V2.
MCP Tools:,get_cluster,update_cluster,apply_k8s_manifestget_k8s_resource
本参考文档涵盖GKE集群的网络配置。推荐路径强制使用私有、VPC原生且搭载Dataplane V2的集群。
MCP 工具:,get_cluster,update_cluster,apply_k8s_manifestget_k8s_resource
Golden Path Networking Defaults
推荐路径网络默认配置
| Setting | Golden Path Value | Day-0/1 | Notes |
|---|---|---|---|
| | Day-0 | Nodes have no public IPs |
| | Day-0 | Control plane only reachable via private endpoint or DNS |
| | Day-0 | Allows DNS-based access from outside VPC |
| | Day-0 | eBPF-based, built-in Network Policy |
| | Day-0 | Managed DNS, more reliable than kube-dns |
| | Day-1 | VPC Flow Logs for intra-node traffic |
| | Day-1 | Gateway API support |
| | Day-0 | Automatic IP range management |
| | Day-0 | Auto-create dedicated subnet |
| | Day-0 | Conservative default; 110 for high density |
| 设置项 | 推荐路径值 | 阶段(Day-0/1) | 说明 |
|---|---|---|---|
| | Day-0 | 节点无公网IP |
| | Day-0 | 控制平面仅可通过私有端点或DNS访问 |
| | Day-0 | 允许从VPC外部通过DNS方式访问 |
| | Day-0 | 基于eBPF,内置Network Policy |
| | Day-0 | 托管式DNS,比kube-dns更可靠 |
| | Day-1 | 节点内流量的VPC流日志 |
| | Day-1 | 支持Gateway API |
| | Day-0 | 自动IP范围管理 |
| | Day-0 | 自动创建专用子网 |
| | Day-0 | 保守默认值;高密度场景可设为110 |
Private Cluster Access Patterns
私有集群访问模式
The golden path creates a private cluster. Users access it via:
- DNS endpoint (default): enables access via the cluster's DNS endpoint from outside the VPC. No VPN required.
allowExternalTraffic: true - Private endpoint: Direct access from within the VPC or via Cloud VPN/Interconnect.
- Authorized networks: Add specific CIDRs to
for IP-based access control.
masterAuthorizedNetworksConfig
bash
undefined推荐路径创建的是私有集群,用户可通过以下方式访问:
- DNS端点(默认):允许从VPC外部通过集群的DNS端点访问,无需VPN。
allowExternalTraffic: true - 私有端点:从VPC内部或通过Cloud VPN/Interconnect直接访问。
- 授权网络:向添加特定CIDR,实现基于IP的访问控制。
masterAuthorizedNetworksConfig
bash
undefinedAccess private cluster via DNS endpoint (golden path default)
Access private cluster via DNS endpoint (golden path default)
gcloud container clusters get-credentials <CLUSTER_NAME>
--region <REGION> --dns-endpoint
--quiet
--region <REGION> --dns-endpoint
--quiet
gcloud container clusters get-credentials <CLUSTER_NAME>
--region <REGION> --dns-endpoint
--quiet
--region <REGION> --dns-endpoint
--quiet
Access via private endpoint (from within VPC)
Access via private endpoint (from within VPC)
gcloud container clusters get-credentials <CLUSTER_NAME>
--region <REGION> --internal-ip
--quiet
--region <REGION> --internal-ip
--quiet
undefinedgcloud container clusters get-credentials <CLUSTER_NAME>
--region <REGION> --internal-ip
--quiet
--region <REGION> --internal-ip
--quiet
undefinedBring-Your-Own VPC/Subnet
自定义VPC/子网(Bring-Your-Own VPC/Subnet)
If the customer has existing network infrastructure:
bash
gcloud container clusters create-auto <CLUSTER_NAME> \
--region <REGION> \
--network <VPC_NAME> \
--subnetwork <SUBNET_NAME> \
--cluster-secondary-range-name <POD_RANGE> \
--services-secondary-range-name <SVC_RANGE> \
--enable-private-nodes \
--enable-master-authorized-networks \
--quietDay-0 Warning: VPC, subnet, and IP ranges cannot be changed after cluster creation.
如果客户已有网络基础设施:
bash
gcloud container clusters create-auto <CLUSTER_NAME> \
--region <REGION> \
--network <VPC_NAME> \
--subnetwork <SUBNET_NAME> \
--cluster-secondary-range-name <POD_RANGE> \
--services-secondary-range-name <SVC_RANGE> \
--enable-private-nodes \
--enable-master-authorized-networks \
--quietDay-0 警告:集群创建后,VPC、子网和IP范围无法修改。
IP Planning
IP规划
| Resource | Golden Path | Notes |
|---|---|---|
| Pod CIDR | | ~32K pod IPs; size based on maxPodsPerNode |
| Service CIDR | | ~4K service IPs |
| Node subnet | auto-created | /20 recommended for growth |
| Max pods/node | 48 | Each node gets a /25 pod range; set to 110 |
| : : : for /24 per node : |
Pod CIDR sizing rule of thumb:
- -> each node uses a
maxPodsPerNode=48(128 IPs) from pod CIDR/25 - -> each node uses a
maxPodsPerNode=110(256 IPs) from pod CIDR/24 - Larger maxPodsPerNode = fewer nodes fit in a given CIDR
| 资源类型 | 推荐路径配置 | 说明 |
|---|---|---|
| Pod CIDR | | 约32K个Pod IP;大小基于maxPodsPerNode配置 |
| Service CIDR | | 约4K个服务IP |
| 节点子网 | 自动创建 | 推荐使用/20以预留扩容空间 |
| 单节点最大Pod数 | 48 | 每个节点分配/25的Pod范围;若设为110则分配/24范围 |
Pod CIDR大小估算准则:
- -> 每个节点从Pod CIDR中使用
maxPodsPerNode=48(128个IP)/25 - -> 每个节点从Pod CIDR中使用
maxPodsPerNode=110(256个IP)/24 - 单节点最大Pod数越大,给定CIDR可容纳的节点数越少
Ingress
入口(Ingress)
Gateway API (golden path, enabled via ):
gatewayApiConfig.channel: CHANNEL_STANDARDyaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: external-http
spec:
gatewayClassName: gke-l7-global-external-managed
listeners:
- name: http
protocol: HTTP
port: 80Alternatives:
- — regional external
gke-l7-regional-external-managed - — internal load balancer
gke-l7-rilb - Istio service mesh — for advanced traffic management, mTLS
Gateway API(推荐路径,通过启用):
gatewayApiConfig.channel:CHANNEL_STANDARDyaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: external-http
spec:
gatewayClassName: gke-l7-global-external-managed
listeners:
- name: http
protocol: HTTP
port: 80替代方案:
- — 区域型外部负载均衡器
gke-l7-regional-external-managed - — 内部负载均衡器
gke-l7-rilb - Istio服务网格 — 用于高级流量管理、mTLS
Egress
出口(Egress)
- Default: nodes use Cloud NAT for outbound internet access (private nodes have no public IPs)
- For static egress IPs: configure Cloud NAT with manual IP allocation
- For restricted egress: route through a firewall appliance via custom routes
- 默认:节点通过Cloud NAT访问外部互联网(私有节点无公网IP)
- 静态出口IP:配置Cloud NAT并手动分配IP
- 受限出口:通过自定义路由将流量导向防火墙设备
Network Policy
Network Policy
Dataplane V2 (golden path) provides built-in Network Policy enforcement — no
additional addon needed. Apply default-deny per namespace, then allow specific
flows.
See theskill for default-deny policy and thegke-securityskill for per-team allow policies.gke-multitenancy
Dataplane V2(推荐路径)提供内置的Network Policy enforcement——无需额外插件。为每个命名空间应用默认拒绝策略,再允许特定流量。
关于默认拒绝策略,请参考技能;关于按团队设置允许策略,请参考gke-security技能。gke-multitenancy
Cloud Armor (Recommended for Public-Facing Services)
Cloud Armor(面向公网服务推荐)
Cloud Armor provides WAF and DDoS protection. Not a golden path default —
recommended for any service with public ingress. Link via :
BackendConfigyaml
undefinedCloud Armor提供WAF和DDoS防护。并非推荐路径默认配置——建议所有带有公网入口的服务使用。通过关联:
BackendConfigyaml
undefined1. Create BackendConfig referencing your Cloud Armor policy
1. Create BackendConfig referencing your Cloud Armor policy
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backend-config spec: securityPolicy: name: my-cloud-armor-policy
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: my-backend-config spec: securityPolicy: name: my-cloud-armor-policy
2. Annotate your Service
2. Annotate your Service
cloud.google.com/backend-config: '{"default": "my-backend-config"}'
cloud.google.com/backend-config: '{"default": "my-backend-config"}'
undefinedundefinedSSL, Container-Native LB, and PSC
SSL、容器原生负载均衡(Container-Native LB)和PSC
- Google-managed SSL certificates: Use CRD with Gateway API. Auto-provisions and renews.
ManagedCertificate - Container-native LB: Enabled by default on VPC-native clusters (golden
path). Targets pods via NEGs, bypassing iptables. Annotation:
.
cloud.google.com/neg: '{"ingress": true}' - Private Service Connect (PSC): Use CRD to expose services across VPCs without peering.
ServiceAttachment
- 谷歌托管SSL证书:结合Gateway API使用CRD,自动颁发和续期。
ManagedCertificate - 容器原生负载均衡:在VPC原生集群(推荐路径)中默认启用。通过NEG直接指向Pod,绕过iptables。注解:。
cloud.google.com/neg: '{"ingress": true}' - Private Service Connect (PSC):使用CRD跨VPC暴露服务,无需对等连接。
ServiceAttachment