GKE best practices insights

These insights validate that best practices are being followed for Google Kubernetes Engine (GKE) cluster configurations. An insight from this category suggests areas of improvement and does not indicate active failures. Network Analyzer validates the following conditions:

  • The control plane is able to receive traffic from all IP addresses in the node subnet.
  • Private Google Access is enabled for the private clusters.

GKE cluster needs extended authorized range

The subnet used by a GKE cluster has been expanded with authorized networks enabled. However, the cluster's authorized network hasn't been updated to include the expanded IP address range. The nodes created in the extended subnet range won't be able to communicate with the GKE control plane.

This insight includes the following information:

  • GKE cluster: The name of the GKE cluster.
  • Network: The name of the network where the GKE cluster is configured.
  • Subnet: The name of the subnetwork where the GKE cluster is configured.
  • Subnet range: The primary IP range of the cluster's primary subnet.

For more information, see Authorized network limitations.

Recommendations

Add the cluster's primary subnet range as an authorized network range. For more information, see Add an authorized network to an existing cluster.

Private Google Access disabled on GKE private cluster

Your private GKE cluster is on a subnet that has Private Google Access disabled. Private Google Access provides private nodes and their workloads access to Google Cloud APIs and services over Google's private network.

This insight includes the following information:

  • GKE cluster: The name of the GKE cluster.
  • Network: The name of the network where the GKE cluster is configured.
  • Subnet: The name of the subnetwork where the GKE cluster is configured.

For more information, see Using Private Google Access in private clusters.

Recommendations

Enable Private Google Access on the cluster's primary subnet.

GKE private cluster without routes to Google APIs and services

Your private GKE cluster uses a VPC network that does not meet the routing requirement for connectivity to Google APIs and services. Network Analyzer generates an insight if your VPC network does not meet the routing requirement. But, {nic_analyzer_name}} doesn't validate that the destination IP address ranges match the domain names you have chosen in your DNS configuration. For details about this routing requirement, see Routing options in Configuring Private Google Access.