If your organization uses an HTTP proxy for internet traffic, you need to configure GKE attached clusters accordingly. This document describes how to perform this configuration.
Before you begin
GKE attached clusters requires connectivity to various Google Cloud services. Make sure your proxy server allows traffic to the following domains:
.gcr.io
cloudresourcemanager.googleapis.com
container.googleapis.com
gkeconnect.googleapis.com
gkehub.googleapis.com
oauth2.googleapis.com
securetoken.googleapis.com
storage.googleapis.com
sts.googleapis.com
www.googleapis.com
servicecontrol.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
opsconfigmonitoring.googleapis.com
GCP_LOCATION-gkemulticloud.googleapis.com
Replace GCP_LOCATION with the Google Cloud region in which your cluster resides, for example us-west1 or another supported region.
Configure proxy support for GKE attached clusters
To configure proxy support for GKE attached clusters, follow these steps:
Create a proxy configuration file that contains values for the httpProxy, httpsProxy, and noProxy keys:

{
  "httpProxy": HTTP_PROXY_AUTHENTICATION_URL,
  "httpsProxy": HTTPS_PROXY_AUTH_URL,
  "noProxy": NO_PROXY_ADDRESSES
}
Replace the following:

HTTP_PROXY_AUTHENTICATION_URL: the proxy server URL, which consists of a hostname or IP address and, optionally, a port, username, and password. For example, http://user:password@192.0.2.0:80 or just 198.51.100.255.

HTTPS_PROXY_AUTH_URL: the proxy URL for encrypted HTTPS traffic, which consists of a hostname or IP address and, optionally, a port, username, and password.

NO_PROXY_ADDRESSES: a comma-separated list of URLs, CIDR blocks, and DNS names of resources that bypass the proxy. This directs GKE attached clusters not to use the proxy for the specified resources. Keep in mind the following:
- Values can be individual IP addresses, CIDR ranges, domain names, or the asterisk character (*). A single asterisk (*) in the noProxy field tells GKE attached clusters to skip the proxy for all traffic.
- A domain with a leading dot, such as .google.com, targets all of its subdomains. For example, .google.com includes addresses such as mail.google.com and drive.google.com, but excludes google.com itself.
- Include the kubernetes.default.svc.cluster.local and kubernetes.default.svc domains so that logging works correctly. Here's an example: 198.51.100.0,192.0.2.0/16,examplepetstore.com,.altostrat.com,kubernetes.default.svc.cluster.local,kubernetes.default.svc
When creating the proxy configuration file, adhere to the following guidelines:
- The httpProxy and httpsProxy fields don't accept https:// prefixes. Use http://, even if the real proxy server address begins with https://. For example, represent https://proxy.example.com:3128 as http://proxy.example.com:3128.
- You must provide values for all three fields: httpProxy, httpsProxy, and noProxy.
- Consider appending additional domains, IP addresses, or CIDRs to the noProxy list. We recommend that you include the VPC IP range.
Create a Kubernetes Secret that contains the proxy configuration by running the following command:

kubectl create secret generic SECRET_NAME \
    --from-file=PROXY_CONFIGURATION_FILE

Replace the following:

SECRET_NAME: the name of the Kubernetes Secret
PROXY_CONFIGURATION_FILE: the path to the proxy configuration file you created in step 1

The Secret is created in your current kubectl namespace unless you pass --namespace; you need that namespace later for the --proxy-secret-namespace argument. If the proxy URLs include a username and password, the Secret now holds those credentials, so restrict read access to it the way you would for any other credential.
Mark the Kubernetes Secret as immutable by setting its top-level immutable field to true:

kubectl edit secret SECRET_NAME

Replace SECRET_NAME with the name of the Kubernetes Secret.

Configure a new or existing cluster to use the proxy:
New cluster

To register a new cluster and apply the proxy configuration, use the gcloud container attached clusters register command. Together with the other arguments that registering a cluster requires, provide the optional arguments --proxy-secret-name and --proxy-secret-namespace:

gcloud container attached clusters register CLUSTER_NAME \
    --proxy-secret-name=SECRET_NAME \
    --proxy-secret-namespace=SECRET_NAMESPACE

Replace the following:

CLUSTER_NAME: the name of the cluster
SECRET_NAME: the name of the Kubernetes Secret containing the proxy configuration
SECRET_NAMESPACE: the Kubernetes namespace where the Secret is stored

For information about all the arguments you can use when registering a cluster, see the gcloud container attached clusters register command.

Existing cluster
To update a previously registered cluster with a new proxy configuration, use the gcloud container attached clusters update command. Make sure to provide the optional arguments --proxy-secret-name and --proxy-secret-namespace:

gcloud container attached clusters update CLUSTER_NAME \
    --proxy-secret-name=SECRET_NAME \
    --proxy-secret-namespace=SECRET_NAMESPACE

Replace the following:

CLUSTER_NAME: the name of the cluster
SECRET_NAME: the name of the Kubernetes Secret containing the proxy configuration
SECRET_NAMESPACE: the Kubernetes namespace where the Secret is stored

This step is required if your proxy server details have changed, or if an initial cluster registration overlooked proxy requirements.

For information about all the arguments you can use when updating a cluster, see the gcloud container attached clusters update command.
After performing these steps, GKE attached clusters processes outbound internet traffic using the proxy server specified in the configuration file.
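The following script is an added example, not code from Google or from the GKE documentation, that covers the configuration-file and Secret steps of the procedure above: it checks a proxy configuration file against the stated rules (all three keys present, no https:// prefix, the two kubernetes.default.svc names in noProxy), rewrites what the rules allow, evaluates which destinations the noProxy list would exempt (leading-dot subdomain matching, CIDR blocks, exact entries, the lone asterisk), and builds the Secret manifest with immutable: true already set. The function names and the sample configuration are illustrative assumptions, and the matching logic is a reference reading of the rules on this page rather than the cluster's own implementation.

```python
"""Check a GKE attached clusters proxy configuration, evaluate noProxy matching,
and emit the Kubernetes Secret manifest (marked immutable) that carries it.

Added example; not code from Google or from the GKE documentation. The function
names and the sample configuration are illustrative assumptions.
"""
import ipaddress
import json

REQUIRED_KEYS = ("httpProxy", "httpsProxy", "noProxy")
# The page requires these two names in noProxy so in-cluster traffic (and logging) skips the proxy.
REQUIRED_NO_PROXY = ("kubernetes.default.svc.cluster.local", "kubernetes.default.svc")


def split_no_proxy(value):
    """Split the comma-separated noProxy string, dropping surrounding whitespace and empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_proxy_config(cfg):
    """Return the rule violations found in cfg; an empty list means the file is acceptable."""
    problems = [f"missing required key {key!r}" for key in REQUIRED_KEYS if key not in cfg]
    for key in ("httpProxy", "httpsProxy"):
        if cfg.get(key, "").startswith("https://"):
            problems.append(f"{key} must use an http:// prefix, not https://")
    entries = split_no_proxy(cfg.get("noProxy", ""))
    if "*" not in entries:  # a lone asterisk already bypasses the proxy for everything
        problems.extend(f"noProxy lacks {name}" for name in REQUIRED_NO_PROXY if name not in entries)
    return problems


def normalize_proxy_config(cfg):
    """Apply the fixes the rules allow (https:// -> http://, trim noProxy) and re-check the result."""
    fixed = dict(cfg)
    for key in ("httpProxy", "httpsProxy"):
        if key in fixed and fixed[key].startswith("https://"):
            fixed[key] = "http://" + fixed[key][len("https://"):]
    if "noProxy" in fixed:
        fixed["noProxy"] = ",".join(split_no_proxy(fixed["noProxy"]))
    problems = check_proxy_config(fixed)
    if problems:  # anything left (missing keys, missing cluster names) needs a human decision
        raise ValueError("; ".join(problems))
    return fixed


def bypasses_proxy(host, no_proxy):
    """Decide whether a destination host or IP skips the proxy under the noProxy rules above."""
    for entry in split_no_proxy(no_proxy):
        if entry == "*":                       # lone asterisk: everything bypasses the proxy
            return True
        if entry.startswith("."):              # leading dot: subdomains match, the apex does not
            if host.endswith(entry) and host != entry[1:]:
                return True
        elif "/" in entry:                     # CIDR block: only meaningful for IP destinations
            try:
                if ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:                 # host is a name, or the entry is not a valid network
                pass
        elif host == entry:                    # exact IP address or domain name
            return True
    return False


def build_secret_manifest(name, namespace, cfg, key="proxy-config.json"):
    """Manifest equivalent to `kubectl create secret generic --from-file`, with immutable: true set."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "immutable": True,                     # the separate kubectl edit step, done at creation time
        "stringData": {key: json.dumps(normalize_proxy_config(cfg), indent=2)},
    }


# Constructed sample: httpsProxy deliberately uses the https:// prefix the service rejects,
# and the noProxy value carries the stray space from the page's own example.
SAMPLE_CONFIG = {
    "httpProxy": "http://user:password@192.0.2.0:80",
    "httpsProxy": "https://proxy.example.com:3128",
    "noProxy": "198.51.100.0,192.0.2.0/16,examplepetstore.com,.altostrat.com,"
               "kubernetes.default.svc.cluster.local, kubernetes.default.svc",
}

if __name__ == "__main__":
    print("problems before normalizing:", check_proxy_config(SAMPLE_CONFIG))
    manifest = build_secret_manifest("proxy-config", "default", SAMPLE_CONFIG)
    print(json.dumps(manifest, indent=2))      # JSON is valid YAML, so `kubectl apply -f -` accepts it
    no_proxy = normalize_proxy_config(SAMPLE_CONFIG)["noProxy"]
    for dest in ("mail.altostrat.com", "altostrat.com", "192.0.100.7", "gkehub.googleapis.com"):
        print(f"{dest}: bypasses proxy = {bypasses_proxy(dest, no_proxy)}")
```

Piping the printed manifest into kubectl apply -f - creates the Secret in the named namespace with immutable already true, so it can replace the kubectl create secret and kubectl edit steps; the namespace in the manifest is the value to pass as --proxy-secret-namespace. Because the httpProxy and httpsProxy values may carry a username and password, treat the Secret as a credential and limit who can read Secrets in that namespace. Use bypasses_proxy to sanity-check a noProxy list before registering (for example, to confirm that the Google API hostnames listed under "Before you begin" still go through the proxy); it encodes the rules this page states, not the cluster's own code.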