Internet connectivity for GKE nodes

I created a GKE cluster with the follwing command:

gcloud container clusters create experiment --num-nodes=1 --network default --subnetwork default --enable-private-nodes --enable-private-endpoint --enable-ip-alias --master-ipv4-cidr 172.16.0.16/28 --no-enable-basic-auth --no-issue-client-certificate

By this command you created a private (--enable-private-nodes) GKE cluster.

The official documentation states:

In a private cluster, nodes only have internal IP addresses, which means that nodes and Pods are isolated from the internet by default.

-- Cloud.google.com: Kubernetes Engine: How to: Private clusters

By default you won't have access to site likes amazon.com, microsoft.com etc.

Your node connected successfully to google.com because of the Private Google Access:

VM instances that only have internal IP addresses (no external IP addresses) can use Private Google Access. They can reach the external IP addresses of Google APIs and services. The source IP address of the packet can be the primary internal IP address of the network interface or an address in an alias IP range that is assigned to the interface. If you disable Private Google Access, the VM instances can no longer reach Google APIs and services; they can only send traffic within the VPC network.

-- Cloud.google.com: VPC: Private access options

You can try to create 2 VM's with only internal IP address in 2 separate networks where one of the networks has PGA enabled. You should be able to communicate with google.com from the VM that resides in PGA enabled network (or enable/disable the PGA on a network that has a VM).

As a side note:

You can configure Cloud NAT to allow your private GKE nodes to have access to the Internet:

• Cloud.google.com: NAT: Docs: GKE Example

As for pulling images:

Pulling container images from an image registry

In a private cluster, the container runtime can pull container images from Container Registry; it cannot pull images from any other container image registry on the internet. This is because the nodes in a private cluster do not have external IP addresses, so by default they cannot communicate with services outside of the Google network.

The nodes in a private cluster can communicate with Google services, like Container Registry, if they are on a subnet that has Private Google Access enabled.

The following commands create a Deployment that pulls a sample image from a Google-owned Container Registry repository:

• $ kubectl run hello-deployment --image gcr.io/google-samples/hello-app:2.0

Note: While Container Registry's Docker Hub mirror is accessible from a private cluster, it should not be exclusively relied upon. The mirror is only a cache, so images are periodically removed, and a private cluster is not able to fall back to Docker Hub.

Your ubuntu and nginx images were downloaded from a mirror accessible from private GKE nodes. If you try to download an image that is not in a mirror you will get the following error:

• $ kubectl describe pod

Pulling image "MYOWNPUBLICREPO/ubuntu-test:latest"
  Warning  Failed          13m (x184 over 58m)   kubelet, GKE-CLUSTER-POOL  Error: ImagePullBackOff
  Warning  Failed          8m6s (x14 over 58m)   kubelet, GKE-CLUSTER-POOL  Failed to pull image "MYOWNPUBLICREPO/ubuntu-test:latest": rpc error: code = Unknown desc = Error response from daemon: Get https://registry-1.docker.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

It's recommended to use the Container Registry with private GKE clusters. You can read more about it by following official documentation:

• Cloud.google.com: Container Registry