Profile applicability: Level 1
Create Alias IPs for the node network CIDR range in order to subsequently configure
IP-based policies and firewalling for pods. A cluster that uses Alias IPs is called
a VPC- native cluster.
Using Alias IPs has several benefits:
- Pod IPs are reserved within the network ahead of time, which prevents conflict with other compute resources.
- The networking layer can perform anti-spoofing checks to ensure that egress traffic is not sent with arbitrary source IPs.
- Firewall controls for Pods can be applied separately from their nodes.
- Alias IPs allow Pods to directly access hosted services without using a NAT gateway.
 |
NoteBy default, VPC-native (using alias IP) is enabled when you create a new cluster.
The exception is clusters created before GKE version 1.21.0-gke.1500 (September 2021)
using the gcloud CLI without --enable-ip-alias."
|
Impact
You cannot currently migrate an existing cluster that uses routes for Pod routing
to a cluster that uses Alias IPs. Cluster IPs for internal services remain only available
from within the cluster. If you want to access a Kubernetes Service from within the
VPC, but from outside of the cluster, use an internal load balancer.
Audit
Using Google Cloud Console:
- Go to Kubernetes Engine by visiting: Google Cloud Console Kubernetes Engine page.
- From the list of clusters, click on the desired cluster to open the Details page.
- Under the 'Networking' section, make s
ure 'VPC-native traffic routing' is set to 'Enabled'.
Using Command Line:
To check Alias IP is enabled for an existing cluster, first define 3 variables Cluster
Name, Location and Project and then run the following command:
gcloud container clusters describe $CLUSTER_NAME --location $LOCATION --
project $PROJECT_ID --format json | jq '.ipAllocationPolicy.useIpAliases' { "useIpAliases": true } if VPC-native (using alias IP) is enabled. If VPC-native (using alias IP) is disabled, the above command will return null ({ }).
The output of the above command should return the following if VPC-native (using alias
IP) is enabled:
{ "useIpAliases": true }
If VPC-native (using alias IP) is disabled, the above command will return null (
{ }).Remediation
Alias IPs cannot be enabled on an existing cluster. To create a new cluster using
Alias IPs, follow the instructions below.
Using Google Cloud Console:
If using Standard configuration mode:
- Go to Kubernetes Engine by visiting: Google Cloud Console Kubernetes Engine page
- Click CREATE CLUSTER, and select Standard configuration mode.
- Configure your cluster as desired , then, click Networking under CLUSTER in the navigation pane.
- In the 'VPC-native' section, leave 'Enable VPC-native (using alias IP)' selected
- Click CREATE.
Using Command Line
To enable Alias IP on a new cluster, run the following command:
gcloud container clusters create <cluster_name> --location <location> -- enable-ip-alias