# GKE best practices insights

Last updated 2025-09-04 UTC.

This page describes the Network Analyzer insights for Google Kubernetes Engine (GKE) best practices. For information about all the insight types, see [Insight groups and types](/network-intelligence-center/docs/network-analyzer/insight-groups-types).

GKE best practices insights validate that best practices are being followed for GKE cluster configurations. An insight from this category suggests areas of improvement and does not indicate active failures. Network Analyzer validates the following conditions:

- The control plane is able to receive traffic from all IP addresses in the node subnet.
- Private Google Access is enabled for private clusters.

View insights in the Recommender API
------------------------------------

To view these insights in the Google Cloud CLI or the Recommender API, use the following insight type:

- `google.networkanalyzer.container.connectivityInsight`

You need the following permissions:

- `recommender.networkAnalyzerGkeConnectivityInsights.list`
- `recommender.networkAnalyzerGkeConnectivityInsights.get`

For more information about using the Recommender API for Network Analyzer insights, see [Use the Recommender CLI and API](/network-intelligence-center/docs/network-analyzer/use-cli-recommender-api).

GKE cluster needs extended authorized range
-------------------------------------------

The subnet used by a GKE cluster has been expanded while authorized networks are enabled, but the cluster's authorized networks haven't been updated to include the expanded IP address range. Nodes created in the extended subnet range won't be able to communicate with the GKE control plane.

This insight includes the following information:

- **GKE cluster:** The name of the GKE cluster.
- **Network:** The name of the network where the GKE cluster is configured.
- **Subnet:** The name of the subnetwork where the GKE cluster is configured.
- **Subnet range:** The primary IP range of the cluster's primary subnet.

### Related topics

For more information, see [Authorized network limitations](/kubernetes-engine/docs/how-to/authorized-networks#limitations).

### Recommendations

Add the cluster's primary subnet range as an authorized network range. For more information, see [Add an authorized network to an existing cluster](/kubernetes-engine/docs/how-to/authorized-networks#add).

Private Google Access disabled on GKE private cluster
-----------------------------------------------------

Your private GKE cluster is on a subnet that has Private Google Access disabled. Private Google Access gives private nodes and their workloads access to Google Cloud APIs and services over Google's private network.

This insight includes the following information:

- **GKE cluster:** The name of the GKE cluster.
- **Network:** The name of the network where the GKE cluster is configured.
- **Subnet:** The name of the subnetwork where the GKE cluster is configured.

### Related topics

For more information, see [Using Private Google Access in private clusters](/kubernetes-engine/docs/concepts/private-cluster-concept#using_in_private_clusters).

### Recommendations

[Enable Private Google Access](/vpc/docs/configure-private-google-access#enabling-pga) on the cluster's primary subnet.

GKE private cluster without routes to Google APIs and services
--------------------------------------------------------------

Your private GKE cluster uses a VPC network that does not meet the routing requirement for connectivity to Google APIs and services. Network Analyzer generates an insight if your VPC network does not meet the routing requirement. However, Network Analyzer doesn't validate that the destination IP address ranges match the domain names you have chosen in your DNS configuration. For details about this routing requirement, see [Routing options](/vpc/docs/configure-private-google-access#config-routing) in Configuring Private Google Access.
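The three checks above (authorized range covers the expanded subnet, Private Google Access on the subnet, a route to Google APIs) can be reproduced offline against `gcloud ... describe --format=json` output. The following script is an added example, not Network Analyzer's own logic; the sample cluster, subnet and route records are constructed, and the `199.36.153.8/30` target and the default-internet-gateway next hop are assumptions taken from Google's public Private Google Access routing guidance rather than from this page.

```python
"""Audit constructed gcloud-style JSON against the three GKE connectivity insights."""
import ipaddress

# Constructed sample data shaped like `gcloud container clusters describe` and
# `gcloud compute networks subnets describe` / `routes list` JSON output.
CLUSTER = {
    "name": "prod-cluster",
    "subnetwork": "prod-subnet",
    "privateClusterConfig": {"enablePrivateNodes": True},
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [{"cidrBlock": "10.10.0.0/24"}],  # range before the subnet grew
    },
}
SUBNET = {"name": "prod-subnet", "ipCidrRange": "10.10.0.0/22",  # expanded to /22
          "privateIpGoogleAccess": False}
ROUTES = [{"destRange": "10.0.0.0/8", "nextHopNetwork": "prod-vpc"}]  # no gateway route

def authorized_range_covers_subnet(cluster, subnet):
    """Insight 1: with authorized networks enabled, the subnet's primary range
    must sit inside at least one authorized CIDR block."""
    cfg = cluster.get("masterAuthorizedNetworksConfig", {})
    if not cfg.get("enabled"):
        return True  # the insight only applies when authorized networks are on
    subnet_net = ipaddress.ip_network(subnet["ipCidrRange"])
    return any(subnet_net.subnet_of(ipaddress.ip_network(b["cidrBlock"]))
               for b in cfg.get("cidrBlocks", []))

def private_google_access_ok(cluster, subnet):
    """Insight 2: a private cluster's subnet needs Private Google Access."""
    private = cluster.get("privateClusterConfig", {}).get("enablePrivateNodes", False)
    return (not private) or bool(subnet.get("privateIpGoogleAccess"))

def has_route_to_google_apis(routes, target="199.36.153.8/30"):
    """Insight 3: some route via the default internet gateway must cover the
    Google APIs destination (assumed target: the private.googleapis.com range)."""
    t = ipaddress.ip_network(target)
    return any(t.subnet_of(ipaddress.ip_network(r["destRange"]))
               and r.get("nextHopGateway", "").endswith("default-internet-gateway")
               for r in routes)

def audit(cluster, subnet, routes):
    """Return the insight titles that would fire, in the order the page lists them."""
    findings = []
    if not authorized_range_covers_subnet(cluster, subnet):
        findings.append("GKE cluster needs extended authorized range")
    if not private_google_access_ok(cluster, subnet):
        findings.append("Private Google Access disabled on GKE private cluster")
    if not has_route_to_google_apis(routes):
        findings.append("GKE private cluster without routes to Google APIs and services")
    return findings

if __name__ == "__main__":
    for finding in audit(CLUSTER, SUBNET, ROUTES):
        print("INSIGHT:", finding)
```

Feeding real describe output into `audit()` gives a quick pre-check before the Recommender API surfaces the same findings.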