This page explains how to monitor your private cluster including pulling images from Artifact Registry.
Viewing the cluster's subnet and secondary address ranges
After you create a private cluster, you can view the subnet and secondary address ranges that you or GKE provisioned for the cluster.
Console
Go to the VPC networks page in the Google Cloud console.
Click the name of the subnet. For example, gke-private-cluster-0-subnet-163e3c97.
Under IP address range, you can see the primary address range of your subnet. This is the range used for nodes.
Under Secondary IP ranges, you can see the IP address range for Pods and the range for Services.
gcloud
List all subnets
To list the subnets in your cluster's network, run the following command:
gcloud compute networks subnets list \
--network NETWORK_NAME
Replace NETWORK_NAME with the private cluster's network. If you created the cluster with an automatically created subnet, use default.
In the command output, find the name of the cluster's subnet.
View cluster's subnet
Get information about the automatically created subnet:
gcloud compute networks subnets describe SUBNET_NAME
Replace SUBNET_NAME with the name of the subnet.
The output shows the primary address range for nodes (the first ipCidrRange field) and the secondary ranges for Pods and Services (under secondaryIpRanges):
...
ipCidrRange: 10.0.0.0/22
kind: compute#subnetwork
name: gke-private-cluster-1-subnet-163e3c97
...
privateIpGoogleAccess: true
...
secondaryIpRanges:
- ipCidrRange: 10.40.0.0/14
  rangeName: gke-private-cluster-1-pods-163e3c97
- ipCidrRange: 10.0.16.0/20
  rangeName: gke-private-cluster-1-services-163e3c97
...
Viewing a private cluster's endpoints
You can view a private cluster's endpoints using the gcloud CLI or the Google Cloud console.
Console
Go to the Google Kubernetes Engine page in the Google Cloud console.
In the cluster list, click the cluster name.
In the Details tab, under Cluster basics, look for the Endpoint field.
gcloud
Run the following command:
gcloud container clusters describe CLUSTER_NAME
The output shows both the private and public endpoints:
...
privateClusterConfig:
  enablePrivateEndpoint: true
  enablePrivateNodes: true
  masterIpv4CidrBlock: 172.16.0.32/28
  privateEndpoint: 172.16.0.34
  publicEndpoint: 35.239.154.67
Pulling container images from an image registry
In a private cluster, the container runtime can pull container images from Artifact Registry; it cannot pull images from any other container image registry on the internet. This is because the nodes in a private cluster don't have external IP addresses, so by default they cannot communicate with services outside of the Google Cloud network.
The nodes in a private cluster can communicate with Google Cloud services, like Artifact Registry, if they are on a subnet that has Private Google Access enabled.
The following command creates a Deployment that pulls a sample image from an Artifact Registry repository:
kubectl create deployment hello-deployment --image=us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0
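The two conditions this section states (Private Google Access on the node subnet, and images hosted on Artifact Registry) written as a preflight check a cluster operator can run before deploying. This is an added example, not part of the GKE documentation; it assumes *.pkg.dev as the Artifact Registry host pattern and uses a constructed subnet describe output modelled on the one shown above.

```python
"""Added example (not from the GKE docs): preflight checks that a private
cluster can pull the images a workload references. Check 1: the node subnet
has Private Google Access, or nodes without external IPs cannot reach Artifact
Registry. Check 2: every image is hosted on Artifact Registry (*.pkg.dev),
since other registries on the internet are unreachable from those nodes."""
import re

# Assumption: *.pkg.dev is the only registry host reachable from private nodes.
ARTIFACT_REGISTRY_SUFFIX = ".pkg.dev"

# Constructed sample of `gcloud compute networks subnets describe` output.
SUBNET_DESCRIBE = """\
ipCidrRange: 10.0.0.0/22
name: gke-private-cluster-1-subnet-163e3c97
privateIpGoogleAccess: true
secondaryIpRanges:
- ipCidrRange: 10.40.0.0/14
  rangeName: gke-private-cluster-1-pods-163e3c97
- ipCidrRange: 10.0.16.0/20
  rangeName: gke-private-cluster-1-services-163e3c97
"""

def subnet_has_private_google_access(describe_output: str) -> bool:
    """True only when the top-level privateIpGoogleAccess field reads 'true'."""
    m = re.search(r"^privateIpGoogleAccess:\s*(\S+)\s*$", describe_output, re.M)
    return bool(m) and m.group(1).lower() == "true"

def image_host(image: str) -> str:
    """Registry host of an image reference. A first path component without
    '.' or ':' (and not 'localhost') means the default registry, docker.io."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first.split(":", 1)[0]  # strip an explicit port
    return "docker.io"

def unpullable_images(images: list[str]) -> list[str]:
    """Images hosted outside Artifact Registry, unreachable from private nodes."""
    return [i for i in images if not image_host(i).endswith(ARTIFACT_REGISTRY_SUFFIX)]

def preflight(describe_output: str, images: list[str]) -> list[str]:
    """Findings that would block the pull; an empty list means it should work."""
    findings = []
    if not subnet_has_private_google_access(describe_output):
        findings.append("subnet lacks Private Google Access")
    findings += [f"{i}: registry {image_host(i)} is unreachable from private nodes"
                 for i in unpullable_images(images)]
    return findings

if __name__ == "__main__":
    print(preflight(SUBNET_DESCRIBE, ["us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0", "nginx:1.25"]))
```

Feed it the real describe output captured from the gcloud command above and the image references from your manifests; any finding means the pull will fail on a private cluster.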