kops: Lack of Internet Gateway is Fatal Error on Existing Private VPC

Hi,

It would be useful to not require an internet gateway when setting up on a pre-existing VPC, especially if it is intended to be completely internal and not have public IPs. Currently it fails with:

internetgateway.go:197] ID must be set, if InternetGateway is shared:
 *awstasks.InternetGateway 
{
  "Name":"cluster.mydomain.com",
  "ID":null,
  "VPC":
  {
    "Name":"cluster.mydomain.com",
    "ID":"vpc-xxxxxxxx",
    "CIDR":"10.2.0.0/16",
    "EnableDNSHostnames":true,
    "EnableDNSSupport":true,
    "Shared":true
   },
  "Shared":true
}

Is there a flag that we can use today to not require it?

Also, it might be useful to ensure this option works when implementing: #428 #694

About this issue

  • State: closed
  • Created 8 years ago
  • Comments: 33 (13 by maintainers)

Most upvoted comments

I can give my 2 cents on the issue, even though I don’t have much of an idea how kops works, but I can explain my use case. I’m using direct connect to connect to instances in my VPC and routing all other traffic from the VPC to the virtual private gateway so that it’s only accessible from within the corporate network. Hence internet access from the EC2 instances will be routed through the corporate network and behind the corporate proxy at all times. Like the above examples I’m creating the VPCs and subnets myself and just using kops to set up the Kube cluster.

@fraenkel I know users have a use case where:

  1. provide kops with vpc id
  2. provide kops with subnet id(s)
  3. kops does not create or modify any networking components: vpc, subnet, route tables, igw, etc

@justinsb private container registry, file repository, and HTTP proxies are often used in conjunction with these requirements, but I think @fraenkel is just concerned about the network. I think this requirement could be fulfilled by allowing our new network phase to not touch any networking components.

@fraenkel if kops created only IAM and EC2 components, would that fulfill your needs? Also, I assume that we need to not update or delete any networking components as well.

If an internet gateway is required for downloading, can we support egress only internet gateways?
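A pre-flight check of the kind this discussion implies, written as an added example (it is not kops code and not from the issue): given the JSON that `aws ec2 describe-internet-gateways` and `aws ec2 describe-route-tables` return, it reports whether an internet gateway is attached to the VPC and which kinds of default-route egress exist (virtual private gateway, NAT, egress-only IGW), so an operator knows before running kops that the shared-VPC IGW lookup has nothing to find. The VPC, gateway and route table IDs are constructed sample values.

```python
import json
from collections import Counter

# Constructed sample output: the IGW is attached to a different VPC, and
# vpc-0example's only active default route goes to a virtual private gateway.
IGWS = json.loads('{"InternetGateways": [{"InternetGatewayId": "igw-0aaa", '
                  '"Attachments": [{"VpcId": "vpc-0other", "State": "available"}]}]}')
ROUTE_TABLES = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-0bbb", "VpcId": "vpc-0example", "Routes": [
   {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0ccc", "State": "active"}]},
 {"RouteTableId": "rtb-0ddd", "VpcId": "vpc-0example", "Routes": [
   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0eee", "State": "blackhole"}]}]}""")
# Route target fields to inspect, and how target ID prefixes map to egress kinds.
TARGET_FIELDS = ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId", "TransitGatewayId")
PREFIX_KINDS = {"igw-": "internet_gateway", "eigw-": "egress_only_igw",
                "vgw-": "virtual_private_gateway", "nat-": "nat_gateway", "tgw-": "transit_gateway"}

def attached_igw(igw_output, vpc_id):
    """ID of the internet gateway attached to vpc_id, or None when there is none."""
    for igw in igw_output["InternetGateways"]:
        if any(a.get("VpcId") == vpc_id and a.get("State") == "available" for a in igw["Attachments"]):
            return igw["InternetGatewayId"]
    return None

def classify_route(route):
    """Egress kind of one active route; None for local, inactive or blackhole routes."""
    if route.get("State") != "active":
        return None
    for field in TARGET_FIELDS:
        target = route.get(field)
        if target and target != "local":
            return next((kind for p, kind in PREFIX_KINDS.items() if target.startswith(p)), "other")
    return None

def default_egress(rt_output, vpc_id):
    """Count active default routes (0.0.0.0/0 or ::/0) per egress kind across the VPC's route tables."""
    counts = Counter()
    for table in rt_output["RouteTables"]:
        if table.get("VpcId") != vpc_id:
            continue
        for route in table.get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            kind = classify_route(route) if dest in ("0.0.0.0/0", "::/0") else None
            if kind:
                counts[kind] += 1
    return dict(counts)

if __name__ == "__main__":
    print(attached_igw(IGWS, "vpc-0example"), default_egress(ROUTE_TABLES, "vpc-0example"))
```

For the sample above the check reports no attached IGW and one active default route via a VGW, which is exactly the configuration the comments describe and that kops currently rejects.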