Kubernetes Clusters have gained a lots of popularity lately. It has become one of the most preferred orchestration frameworks for micro-service development strategies.
As most cloud providers offer Kubernetes as a service: Azure Kubernetes Service (AKS), Google Kubernetes Engine or Amazon Elastic Kubernetes Service, big companies are tempted to migrate their solutions to the cloud.
However, cloud migrations are a big challenge, especially for big companies, as there is a lots of already existing IT security guidelines that just don’t get along too well with cloud migrations.
Luckily, these cloud providers offer the option to provision the private Kubernetes Clusters, which means that the Kubernetes API endpoint is not available through the public, but only from the cloud virtual network it is deployed.
Deploy a private Kubernetes Cluster
Azure Kubernetes Service
Using the Azure cli
az aks create -n <private-cluster-name> \
-g <private-cluster-resource-group> \
--load-balancer-sku standard \
--enable-private-cluster
Azure will create a subnet on which the cluster will be deployed. Only that subnet has access to the Cluster’s API Endpoint.
Google Kubernetes Engine
Using the gcloud cli
gcloud container clusters create private-cluster-0 \
--create-subnetwork name=my-subnet-0 \
--enable-master-authorized-networks \
--enable-ip-alias \
--enable-private-nodes \
--enable-private-endpoint
Only my-subnet-0 will have Access to the Cluster’s API Endpoint.
Amazon Web Service
Using the Amazon Web Service cli
aws eks create-cluster \
--region <region-code> \
--name <my-cluster> \
--kubernetes-version <version> \
--resources-vpc-config endpointPublicAccess=<false>,endpointPrivateAccess=<true>
Amazon will create a subnet on which the cluster will be deployed. Only that subnet has access to the Cluster’s API Endpoint.
Creation of Private clusters increases security, as the only point of access to them is the virtual network on which they are deployed. Per example, we can provision a Jump machine on the same network so as to access to the Kubernetes API from that machine only. Or even more, automate Kubernetes API operations through a service account on that machine.
