Connecting from Google Kubernetes Engine

This page describes how to set up a connection from an application running in Google Kubernetes Engine to a Cloud SQL instance, using private IP or the Cloud SQL Proxy Docker image.

Introduction

To access a Cloud SQL instance from an application running in Google Kubernetes Engine, you can use either a private IP address or the Cloud SQL Proxy Docker image. Private IP is the easiest way to connect from Google Kubernetes Engine if your cluster meets the requirements.

To connect securely to Cloud SQL from Google Kubernetes Engine using a public IP address, you must use the Cloud SQL Proxy.

Connecting using a private IP address

When you connect using a private IP address, the IP traffic is never exposed to the public internet. For more information about private IP, see Private IP.

Before you begin

To connect to Cloud SQL using private IP, you must have:

  • GKE 1.8 or higher on a VPC-native cluster, with the kubectl command-line tool installed and configured to communicate with the cluster.

    For help getting started with GKE, see the Quickstart.

  • An application container in a pod on the GKE cluster.

  • A Second Generation instance created.

    For help creating a Cloud SQL instance, see Creating Instances.

  • A MySQL user account configured on the instance.

    Your application will use this account to connect to the database.

Connection overview

The steps below outline the general process for connecting to Cloud SQL from GKE using a private IP address.

  1. Create a Secret to provide the MySQL username and password to the database.

    For more information about secrets, see Secret.

  2. Update your pod configuration file with the following items:

    • Provide the Cloud SQL instance's private IP address as the host address your application will use to access your database.
    • Provide the Secret you previously created to enable the application to log into the database.
  3. Bring up your Deployment using the Kubernetes manifest file.

Connecting using the Cloud SQL Proxy Docker image

When you connect using the Cloud SQL Proxy Docker image, the Cloud SQL Proxy is added to your pod using the "sidecar" container pattern: the proxy container runs in the same pod as your application, which enables the application to connect to the proxy using localhost, increasing security and performance.

For more information about the Cloud SQL Proxy, see About the Cloud SQL Proxy. For more information about working with pods, see Pod Overview in the Kubernetes documentation.

Before you begin

Before you start this procedure, you must have:

  • A GKE cluster running version 1.2 or higher, with the kubectl command-line tool installed and configured to communicate with the cluster.

    For help getting started with GKE, see the Quickstart.

  • An application container in a pod on the GKE cluster.

  • A Second Generation instance created.

    For help creating a Cloud SQL instance, see Creating Instances.

  • A MySQL user account configured on the instance.

    Your application will use this account to connect to the database. For help with creating a user account, see Creating a user.

  • The Cloud SQL Admin API enabled.

  • The location of the key file associated with a service account with the proper privileges for your Cloud SQL instance.

    See Creating a service account for more information.

  • Your Cloud SQL instance connection name.

    The instance connection name is available in the Cloud SQL Instance details page of the GCP Console or from the gcloud sql instances describe command.

Connection overview

The steps below outline the general process for connecting to Cloud SQL from GKE using the Cloud SQL Proxy Docker container.

  1. Create two Secrets: one to provide the MySQL credentials and one to provide the Google credentials (the service account).

    For more information about secrets, see Secret.

  2. Update your pod configuration file with the following items:

    • Provide 127.0.0.1:3306 as the host address your application will use to access your database.
    • Provide the Secret you previously created to enable the application to log into the database.
    • Start the proxy in its own container (in the same pod).

      Here is a sample configuration file for the proxy container:

      - name: cloudsql-proxy
        image: gcr.io/cloudsql-docker/gce-proxy:1.11
        command: ["/cloud_sql_proxy",
                  "-instances=<INSTANCE_CONNECTION_NAME>=tcp:3306",
                  "-credential_file=/secrets/cloudsql/credentials.json"]
        securityContext:
          runAsUser: 2  # non-root user
          allowPrivilegeEscalation: false
        volumeMounts:
          - name: cloudsql-instance-credentials
            mountPath: /secrets/cloudsql
            readOnly: true

  3. Bring up your Deployment using the Kubernetes manifest file.
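
The following manifest is an added example, not part of the original page or Google's sample: it puts the steps above together in one Pod, wiring both Secrets into the application and proxy containers, and its comments mark what changes for the private IP procedure described earlier on this page. The Pod and container names, the DB_* variable names, and both Secret names are assumptions.

```yaml
# Added example. Names marked "assumed" are illustrative, not from the original page.
# Secrets created beforehand (step 1):
#   kubectl create secret generic cloudsql-db-credentials \
#     --from-literal=username=<DB_USER> --from-literal=password=<DB_PASSWORD>
#   kubectl create secret generic cloudsql-instance-credentials \
#     --from-file=credentials.json=<PATH_TO_KEY_FILE>
apiVersion: v1
kind: Pod                  # the same spec can sit under a Deployment's spec.template.spec
metadata:
  name: myapp              # assumed
spec:
  containers:
    - name: myapp          # assumed
      image: <YOUR_APP_IMAGE>
      env:
        - name: DB_HOST    # assumed variable name; the application must read it
          value: "127.0.0.1:3306"   # proxy sidecar; private IP variant: "<PRIVATE_IP>:3306"
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: cloudsql-db-credentials   # assumed Secret name
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: cloudsql-db-credentials
              key: password
    # Private IP variant: omit this container and the volumes section below.
    - name: cloudsql-proxy
      image: gcr.io/cloudsql-docker/gce-proxy:1.11
      command: ["/cloud_sql_proxy",
                "-instances=<INSTANCE_CONNECTION_NAME>=tcp:3306",
                "-credential_file=/secrets/cloudsql/credentials.json"]
      securityContext:
        runAsUser: 2       # non-root user
        allowPrivilegeEscalation: false
      volumeMounts:
        - name: cloudsql-instance-credentials
          mountPath: /secrets/cloudsql
          readOnly: true
  volumes:
    - name: cloudsql-instance-credentials     # must match the volumeMounts name above
      secret:
        secretName: cloudsql-instance-credentials   # assumed Secret name
```

The Secret key credentials.json becomes the file name under /secrets/cloudsql, so it has to match the path passed to -credential_file.
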

For a complete sample deployment with the Cloud SQL Proxy in the sidecar pattern, including sample code, see sample Kubernetes Deployment manifest file on GitHub.

Need help? For help troubleshooting the proxy, see Troubleshooting Cloud SQL Proxy connections. Or, see our Cloud SQL Support page.
