
Remotely access a private cluster using a bastion host

Hello.
I'm following the instructions at https://cloud.google.com/kubernetes-engine/docs/tutorials/private-cluster-bastion

As the VM instance is using the subnet created for the private cluster, it has no internet access and running

sudo apt install tinyproxy

fails.

I am not a networking security expert and do not want to guess at how to resolve this.

As this is the only time that the bastion host would need external internet access, I don't think a permanent connection to the internet is needed.

One other (minor) issue with the documentation - if the user is not using the `default` network then the command to "Create a Compute Engine VM" needs to include the network name:

--network-interface=no-address,network-tier=PREMIUM,subnet=<subnet_name>,network=<network_name>

 Thanks!


Hey, thanks for the feedback, good catch. I'll check and see how we can update the page. Maybe in the meantime you can download the tinyproxy binary from https://github.com/tinyproxy/tinyproxy/releases and gcloud compute scp it to the VM so that you can install it like that?

https://cloud.google.com/sdk/gcloud/reference/compute/scp

Here’s how you can resolve the issue of no internet access on your VM instance while setting up a bastion host in a private cluster:

Add Temporary Internet Access

1. Open the Google Cloud Console.
2. Go to Compute Engine > VM instances.
3. Find and select your bastion host VM instance.
4. Click on the VM’s name to view its details.
5. Click the Edit button.
6. In the Network interfaces section, change the External IP from None to Ephemeral.
7. Save your changes.

Install TinyProxy

1. SSH into your bastion host VM.
2. Run the following command to update your package list and install TinyProxy:

sudo apt update && sudo apt install tinyproxy

Remove Internet Access

1. Once TinyProxy is installed, go back to the Google Cloud Console.
2. Edit your VM instance again.
3. Change the External IP back to None to remove internet access.
4. Save your changes.

This method lets you enable internet access just long enough to install TinyProxy and then disable it again to keep your setup secure.

Note on Documentation

When creating a VM in a non-default network, be sure to include the network name in your command. Here’s how the command should look:

gcloud compute instances create bastion-host \
--network-interface=no-address,network-tier=PREMIUM,subnet=<subnet_name>,network=<network_name>
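
The temporary-access procedure from the reply above, scripted with the gcloud CLI as an added example (not part of the thread or of the tutorial). The zone, the access-config name `temp-egress`, the use of `--tunnel-through-iap` for SSH and the function names are assumptions; the external IP is removed even when the install fails, and the script then checks that no NAT IP remains.

```shell
#!/bin/sh
# Added example: give the bastion an external IP only for the duration of
# one remote command, then remove it and verify that it is gone.
# ZONE and ACCESS_CONFIG are assumed values; adjust to your project.
INSTANCE="${INSTANCE:-bastion-host}"
ZONE="${ZONE:-us-central1-a}"
ACCESS_CONFIG="${ACCESS_CONFIG:-temp-egress}"
GCLOUD="${GCLOUD:-gcloud}"   # can point at a stub for a dry run

# Print the VM's external (NAT) IP; empty output means it has none.
external_ip() {
  "$GCLOUD" compute instances describe "$INSTANCE" --zone "$ZONE" \
    --format='get(networkInterfaces[0].accessConfigs[0].natIP)'
}

# Usage: install_with_temp_ip "sudo apt update && sudo apt install -y tinyproxy"
# Returns 1 if the IP could not be added, otherwise the remote command's
# status, or 2 if the external IP could not be confirmed as removed.
install_with_temp_ip() {
  remote_cmd="$1"
  "$GCLOUD" compute instances add-access-config "$INSTANCE" \
    --zone "$ZONE" --access-config-name "$ACCESS_CONFIG" || return 1

  rc=0
  "$GCLOUD" compute ssh "$INSTANCE" --zone "$ZONE" --tunnel-through-iap \
    --command "$remote_cmd" || rc=$?

  # Cleanup runs whether or not the install succeeded.
  "$GCLOUD" compute instances delete-access-config "$INSTANCE" \
    --zone "$ZONE" --access-config-name "$ACCESS_CONFIG" || return 2

  nat_ip=$(external_ip) || return 2
  if [ -n "$nat_ip" ]; then
    echo "ERROR: $INSTANCE still has external IP $nat_ip" >&2
    return 2
  fi
  return "$rc"
}
```

A return status of 2 means the VM may still be reachable from the internet and needs a manual check before the bastion is used.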

Yeah this is also an option, but I was hoping for a solution that didn't require exposing the VM to the internet even for installing tinyproxy 🥲 

If you do not want to have internet access at all, the best way would be to have it be part of the base OS image. Have the package available in the image and install it in the VM using SSH, or maybe just install it in the image.

Regards,
Ali M

I don't want to have to keep my Debian base image consistent with whatever GCE uses for VMs

Why couldn't you use a bucket to upload such an RPM and then download the file via gsutil on that VM? 😄

Try installing a local deb package without `apt` trying to reach the internet! 😞

Ahh yes, because you are using Debian. With CentOS or RHEL, you could use rpm -iv to package.rpm. What about dpkg?
