Monitor private clusters

This page explains how to monitor your private cluster including pulling images from Artifact Registry.

Viewing the cluster's subnet and secondary address ranges

After you create a private cluster, you can view the subnet and secondary address ranges that you or GKE provisioned for the cluster.

Console

  1. Go to the VPC networks page in the Google Cloud console.

    Go to VPC networks

  2. Click the name of the subnet. For example, gke-private-cluster-0-subnet-163e3c97.

  3. Under IP address range, you can see the primary address range of your subnet. This is the range used for nodes.

  4. Under Secondary IP ranges, you can see the IP address range for Pods and the range for Services.

gcloud

List all subnets

To list the subnets in your cluster's network, run the following command:

gcloud compute networks subnets list \
    --network NETWORK_NAME

Replace NETWORK_NAME with the private cluster's network. If you created the cluster with an automatically-created subnet, use default.

In the command output, find the name of the cluster's subnet.

View cluster's subnet

Get information about the automatically created subnet:

gcloud compute networks subnets describe SUBNET_NAME

Replace SUBNET_NAME with the name of the subnet.

The output shows the primary address range for nodes (the first ipCidrRange field) and the secondary ranges for Pods and Services (under secondaryIpRanges):

...
ipCidrRange: 10.0.0.0/22
kind: compute#subnetwork
name: gke-private-cluster-1-subnet-163e3c97
...
privateIpGoogleAccess: true
...
secondaryIpRanges:
- ipCidrRange: 10.40.0.0/14
  rangeName: gke-private-cluster-1-pods-163e3c97
- ipCidrRange: 10.0.16.0/20
  rangeName: gke-private-cluster-1-services-163e3c97
...

Viewing a private cluster's endpoints

You can view a private cluster's endpoints using the gcloud CLI or the Google Cloud console.

Console

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

    Go to Google Kubernetes Engine

  2. In the cluster list, click the cluster name.

  3. In the Details tab, under Cluster basics, look for the Endpoint field.

gcloud

Run the following command:

gcloud container clusters describe CLUSTER_NAME

The output shows both the private and public endpoints:

...
privateClusterConfig:
enablePrivateEndpoint: true
enablePrivateNodes: true
masterIpv4CidrBlock: 172.16.0.32/28
privateEndpoint: 172.16.0.34
publicEndpoint: 35.239.154.67

Pulling container images from an image registry

In a private cluster, the container runtime can pull container images from Artifact Registry; it cannot pull images from any other container image registry on the internet. This is because the nodes in a private cluster don't have external IP addresses, so by default they cannot communicate with services outside of the Google Cloud network.

The nodes in a private cluster can communicate with Google Cloud services, like Artifact Registry, if they are on a subnet that has Private Google Access enabled.

The following commands create a Deployment that pulls a sample image from an Artifact Registry repository:

kubectl run hello-deployment --image=us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0