Restrict IP-range in GKE cluster when using VPN?

Time:10-21

We're integrating with a new partner that requires us to use VPN when communicating with them (over HTTPS). We're running all of our services in a (non-private) Google Kubernetes Engine (GKE) cluster and it's only a single pod that needs to communicate with the partner's API.

The problem we face is that our partner's VPN provider won't allow us to use the private IP-range provided by GKE, 10.244.0.0/14, because the subnet is too large.

Preferably, we don't want to deploy something outside our GKE cluster, like a Compute Engine instance, that is somehow used to proxy our traffic (we will of course do it if this is the only/best way to proceed). We're hoping that, perhaps, it'll be possible to create a new node pool in the same cluster with a different (smaller) subnet, but so far we haven't found a way to do this. We've also looked briefly at CloudVPN, but if we understand it correctly, it only works with private GKE clusters.

Question:

What's the recommended way to obtain a smaller subnet/IP-range for a pod in an existing (public) GKE cluster to allow it to communicate with a third-party API over VPN?

CodePudding user response:

The problem I see is that you have to maintain your VPN connection within your pod; it is possible, but it looks like an antipattern.

I would recommend using CloudVPN in a separate GCP project (due to cost separation and security) to establish the connection with a specific and limited VPC and then route that traffic to the pod, which might be in a specific IP range as you mentioned.

Take a look at the docs on how to create the VPN: https://cloud.google.com/network-connectivity/docs/vpn/concepts/overview

Redirect traffic between VPCs: https://cloud.google.com/vpc/docs/vpc-peering

Create the nodepool with an IP range: https://cloud.google.com/sdk/gcloud/reference/container/node-pools/create

Assign your deployment to that nodepool: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
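The last two steps (a node pool with its own small pod range, and a deployment pinned to it) worked through as an added example; this is not the answerer's configuration. It assumes a VPC-native cluster, the pool name `partner-pool`, the secondary range name `partner-pods` with CIDR 10.50.0.0/24, and the namespace `integrations`; `CLUSTER_NAME` and `REGION` are placeholders. The pool is also tainted so that only the partner client consumes addresses from the small range, and the range must still be advertised to the partner over the VPN.

```yaml
# Step 1 (gcloud, shown here as a comment so the manifest stays one file).
# Creates a one-node pool with its own /24 pod range and a taint that keeps
# unrelated pods, and therefore other source IPs, out of that range.
#
#   gcloud container node-pools create partner-pool \
#     --cluster=CLUSTER_NAME --region=REGION \
#     --num-nodes=1 --max-pods-per-node=16 \
#     --create-pod-ipv4-range=name=partner-pods,range=10.50.0.0/24 \
#     --node-taints=partner-vpn=true:NoSchedule
#
# Step 2: the client Deployment, scheduled onto that pool only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: partner-client
  namespace: integrations          # assumed namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: partner-client
  template:
    metadata:
      labels:
        app: partner-client
    spec:
      # GKE labels every node with its pool name; this pins the pod to the
      # pool whose pod CIDR (10.50.0.0/24) the partner will accept.
      nodeSelector:
        cloud.google.com/gke-nodepool: partner-pool
      # Matches the taint set at pool creation; pods without this toleration
      # cannot land on the pool and cannot take addresses from the range.
      tolerations:
        - key: partner-vpn
          operator: Equal
          value: "true"
          effect: NoSchedule
      containers:
        - name: client
          image: example.com/partner-client:1.0   # placeholder image
          ports:
            - containerPort: 8443
```

Check the result with `kubectl get pod -n integrations -o wide`: the pod's IP should fall inside 10.50.0.0/24 and its node inside `partner-pool`.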
