This page explains how to perform an IP rotation in Kubernetes Engine.
You can perform an IP rotation to change the IP address that your cluster's Kubernetes master uses to serve requests from the Kubernetes API.
You can use IP rotation to obfuscate the location of your running Kubernetes master. IP rotation also changes the SSL certificate and cluster certificate authority, so there is no externally-visible connection between the previous address and the new one.
How IP rotation works
IP rotation is a multi-step process:
- When you initiate an IP rotation, your cluster master begins serving on the new IP address in addition to the original IP address.
- After you initiate an rotation, you must update your cluster's API clients
(such as development machines using the
kubectlcommand-line interface) to begin communicating with the master over the new IP address.
- When you complete the rotation, the master ceases serving traffic over the previous IP address.
Performing an IP rotation
The following sections explain how to perform an IP rotation.
Initiating the rotation
To initiate an IP rotation, run the following command:
gcloud container clusters update [CLUSTER_NAME] --start-ip-rotation
[CLUSTER_NAME] is the name of the cluster
This command configures the cluster master to serve on two IP addresses, its original address and a new address. This causes brief downtime for the cluster API.
Once the master has been reconfigured, Kubernetes Engine automatically updates your cluster's nodes to use the new IP address. Each node pool is marked as "requires recreation." Kubernetes Engine does not finish the IP rotation until the automatic recreation is complete.
Inspecting the rotation
To monitor the update operation, run the following command:
gcloud container operations list | grep "AUTO_UPGRADE_NODES.*RUNNING"
This command returns the operation ID for the update operation.
To poll the operation, pass the operation ID to the following command:
gcloud container operations wait [OPERATION_ID]
Node pools are recreated one-by-one, and each has its own operation. If you have multiple node pools, you can use the above instructions to poll each operation.
Updating API clients
Once IP rotation has been initiated, you must update all API clients outside of
the cluster (such as
kubectl on developer machines) to point to the new
To update your API clients, run the following command for each client:
gcloud container clusters get-credentials [CLUSTER_NAME]
Completing the rotation
To complete the rotation, run the following command:
gcloud container clusters update [CLUSTER_NAME] --complete-ip-rotation
This command configures the cluster master to serve only on its new IP address. This causes brief downtime for the cluster API.