Tags: kubernetes, google-cloud-platform, google-kubernetes-engine, gke-networking

Using GKE with an HTTP Proxy


Is it possible to run a private GKE cluster (private endpoint and nodes) behind an HTTP proxy?

GKE nodes need an internet connection to pull Docker images from public repositories. The problem is, we don't want to log in to each GKE node and configure http_proxy environment variables, and repeat this after every cluster upgrade.

Is it possible to automate setting the http_proxy environment variable for each node, or is there a better way to configure http_proxy on a private GKE cluster?


Solution

  • You can use a DaemonSet to deploy ongoing background tasks (to automate setting http_proxy) that you need to run on all or certain nodes. Example:

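    kind: DaemonSet
    apiVersion: apps/v1  # extensions/v1beta1 is no longer served for DaemonSet (removed in Kubernetes 1.16)
    metadata:
      name: startup-script
      labels:
        app: startup-script
    spec:
      # apps/v1 requires an explicit selector that matches the pod template labels
      selector:
        matchLabels:
          app: startup-script
      template:
        metadata:
          labels:
            app: startup-script
        spec:
          hostPID: true
          containers:
            - name: startup-script
              image: gcr.io/basic-app-with-example/startup-script:v1
              imagePullPolicy: Always
              # privileged + hostPID give this pod root-level access to the node
              securityContext:
                privileged: true
              env:
              - name: STARTUP_SCRIPT
                value: |
                  #! /bin/bash
                  # list of the commands that you need to execute on the node
                  # note: export only affects this script's shell and the processes it starts
                  export http_proxy='http://<host>:<port>'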
    

    And you could use Cloud NAT in GCP to allow your private GKE cluster to reach public repositories.
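As an added example (not part of the original answer or of any GKE tooling): a script that a node-level startup job like the DaemonSet above could run so that image pulls use the proxy, by writing a systemd drop-in for the container runtime. It assumes the script executes in the host's mount namespace and that the runtime is the `containerd` systemd unit; the function name, proxy address and `NO_PROXY` list are placeholders.

```bash
#!/bin/bash
# Added example, not from the original answer. Unit name, drop-in path,
# proxy address and NO_PROXY entries are assumptions for illustration.

# write_proxy_dropin <dropin_dir> <proxy_url> <no_proxy_csv>
# Returns 0 if the file was created or changed (runtime restart needed),
# 1 if already up to date, 2 if the proxy URL is rejected.
write_proxy_dropin() {
  local dir="$1" proxy="$2" no_proxy="$3"
  local file="$dir/http-proxy.conf" tmp

  # Reject anything outside a plain http(s)://host:port so quotes, spaces or
  # newlines can never end up inside the unit file.
  case "$proxy" in *[!A-Za-z0-9.:/-]*) echo "invalid proxy URL" >&2; return 2 ;; esac
  case "$proxy" in
    http://?*:[0-9]*|https://?*:[0-9]*) ;;
    *) echo "invalid proxy URL" >&2; return 2 ;;
  esac

  mkdir -p "$dir"
  tmp="$(mktemp "$dir/.http-proxy.XXXXXX")"
  cat > "$tmp" <<EOF
[Service]
Environment="HTTP_PROXY=$proxy"
Environment="HTTPS_PROXY=$proxy"
Environment="NO_PROXY=$no_proxy"
EOF

  # Unchanged content: leave the file alone so the runtime is not restarted.
  if [ -f "$file" ] && cmp -s "$tmp" "$file"; then
    rm -f "$tmp"
    return 1
  fi
  chmod 0644 "$tmp"
  mv "$tmp" "$file"   # rename within one directory replaces the file atomically
  return 0
}

# Only act on the node when called with --apply; otherwise just define the function.
if [ "${1:-}" = "--apply" ]; then
  # 169.254.169.254 / metadata.google.internal: keep metadata-server traffic direct.
  if write_proxy_dropin /etc/systemd/system/containerd.service.d \
       "http://proxy.example.internal:3128" \
       "localhost,127.0.0.1,169.254.169.254,metadata.google.internal,10.0.0.0/8"; then
    systemctl daemon-reload && systemctl restart containerd
  fi
fi
```

Because the function reports "unchanged" separately, re-running it on every pod restart or node upgrade does not restart the runtime unless the proxy settings actually differ.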