How to deploy to private GKE cluster using Connect Gateway

13 Apr, 2023

Deployments to private GKE clusters have always been painful because of networking challenges. Luckily, those days are in the past, because Connect Gateway overcomes these connectivity challenges.

The Pain Of Private GKE Clusters

Everybody wants a secure environment. Therefore, everyone hides the Kubernetes API server from the public internet, a so-called private cluster. Without a public IP address, another route is needed to deploy Kubernetes workloads. This route is typically implemented with a bastion host, with hybrid connectivity, or with deployment-specific workloads running inside the cluster network that act as proxies. Each of these requires you to connect to the right server and/or network before you can interact with your Kubernetes cluster: an additional step that frequently confuses developers and engineers, because they don't, and don't want to, know the entire network topology, especially when dealing with multiple Kubernetes clusters.

A Universal Connector For GKE Clusters

The Connect Gateway uses fleets to let you connect to and interact with Kubernetes clusters in a simple, consistent and secure way. It leverages the fleet membership details to connect to the Kubernetes cluster for you. The only thing you need to do is request a credential for the specific fleet member and run your command.

gcloud container fleet memberships get-credentials member-cluster
kubectl get pods

Beware of the Connect Gateway limitations. The commands exec, proxy, attach and port-forward are not supported.
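As an added example (not from the original post), the following POSIX shell functions sanity-check a kubeconfig after get-credentials: they extract the server URL of a cluster entry, confirm it goes through the Connect Gateway API rather than a private endpoint, and refuse the kubectl verbs the gateway does not support. The kubeconfig content, project number and membership name are constructed placeholders.

```shell
#!/bin/sh
# Constructed kubeconfig in the shape that
# "gcloud container fleet memberships get-credentials" writes.
SAMPLE_KUBECONFIG="$(mktemp)"
cat > "$SAMPLE_KUBECONFIG" <<'EOF'
apiVersion: v1
kind: Config
current-context: connectgateway_example-project_global_member-cluster
clusters:
- name: connectgateway_example-project_global_member-cluster
  cluster:
    server: https://connectgateway.googleapis.com/v1/projects/123456789012/locations/global/gkeMemberships/member-cluster
contexts:
- name: connectgateway_example-project_global_member-cluster
  context:
    cluster: connectgateway_example-project_global_member-cluster
    user: connectgateway_example-project_global_member-cluster
EOF

# Print the API server URL of the named cluster entry ($1 = kubeconfig path, $2 = cluster name).
kubeconfig_server() {
  awk -v want="$2" '
    $1 == "-" && $2 == "name:" { cur = $3 }
    $1 == "server:" && cur == want { print $2; exit }
  ' "$1"
}

# Succeed only when the server URL is a Connect Gateway membership endpoint,
# i.e. kubectl will not try to reach the private API server address directly.
uses_connect_gateway() {
  case "$1" in
    https://connectgateway.googleapis.com/v1/projects/*/locations/*/gkeMemberships/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Connect Gateway does not support exec, proxy, attach and port-forward;
# fail early instead of letting a pipeline discover it mid-run.
gateway_supports() {
  case "$1" in
    exec|proxy|attach|port-forward) return 1 ;;
    *) return 0 ;;
  esac
}
```

Against a real setup, pass your own kubeconfig path and the cluster name of your current context instead of the constructed file.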

Terraform Private GKE Cluster Deployment

While it's convenient to interact with a cluster locally, the true power is in automation. The following example deploys an Ubuntu pod to a private GKE cluster using Terraform.

Find the full example on GitHub.

resource "google_gke_hub_membership" "example" {
  membership_id = "example"

  endpoint {
    gke_cluster {
      # Assumes a google_container_cluster resource named "example" defined elsewhere in the example
      resource_link = "//container.googleapis.com/${google_container_cluster.example.id}"
    }
  }

  authority {
    # Workload identity issuer of the same cluster (assumed to be the standard GKE issuer URL)
    issuer = "https://container.googleapis.com/v1/${google_container_cluster.example.id}"
  }
}

provider "kubernetes" {
  # Connect Gateway endpoint of the fleet membership, not the cluster's private API server address
  host = "https://connectgateway.googleapis.com/v1/projects/${data.google_project.project.number}/locations/global/gkeMemberships/${google_gke_hub_membership.example.membership_id}"

  # Assumes a Kubernetes cluster version of 1.26+
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "gke-gcloud-auth-plugin"
  }
}

resource "kubernetes_pod" "ubuntu" {
  metadata {
    namespace = "default"
    name      = "ubuntu"
  }

  spec {
    container {
      name  = "ubuntu"
      image = "ubuntu:latest"
      # Keep the container running; a bare ubuntu image exits immediately otherwise
      command = ["sleep", "infinity"]
    }
  }
}

Note that the only configuration change is in the Kubernetes provider. Instead of pointing at the internal Kubernetes API address, the Connect Gateway API is used.


Connecting to your GKE cluster is no longer a pain. Instead of finding the right bastion host, proxy or network configuration yourself, let Connect Gateway connect you.

Image by Jiří Rotrekl from Pixabay

Laurens Knoll
As a cloud consultant I enjoy taking software engineering practices to the cloud. Continuously improving the customers systems, tools and processes by focusing on integration and quality.
