Skip to content

feat: add private nodes support via networkConfig #149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pedro-tamandua wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add private nodes support via networkConfig #149

pedro-tamandua wants to merge 1 commit into from

Conversation

@pedro-tamandua
Copy link

@pedro-tamandua pedro-tamandua commented Nov 11, 2025

Add NetworkConfig to GCENodeClass spec to control external IP allocation and subnet selection for provisioned nodes.

Features:

  • Add NetworkConfig struct with enableExternalIPAccess and subnetwork fields
  • Implement resolveAccessConfigs() to conditionally disable external IPs
  • Implement resolveSubnetwork() to allow custom subnet configuration
  • Update CRD with new networkConfig fields
  • Simplify CRD validation rules to meet Kubernetes cost limits
  • Add unit tests for network configuration resolution
  • Add example manifests for private nodes and custom subnets

When enableExternalIPAccess is false, nodes are provisioned without external IP addresses (private nodes), improving security posture.

Usage Example

apiVersion: karpenter.k8s.gcp/v1alpha1
kind: GCENodeClass
metadata:
name: private-nodes
spec:
networkConfig:
enableExternalIPAccess: false
imageSelectorTerms:
- alias: ContainerOptimizedOS@latest## Testing

  • Unit tests added for resolveAccessConfigs and resolveSubnetwork
  • All tests passing (5/5)
  • Manually tested in GKE cluster - nodes provisioned without external IPs

Backward Compatibility

Fully backward compatible. When networkConfig is not specified, behavior remains unchanged (nodes get external IPs by default).

@gitautomator
Copy link
Contributor

gitautomator bot commented Nov 11, 2025

Thanks to your contribution, the maintainers will review it as soon as they can!

@gitautomator
Copy link
Contributor

gitautomator bot commented Nov 11, 2025

The release note is either empty or incomplete, please consider: Add support for private nodes via networkConfig in GCENodeClass to improve security by allowing nodes to be provisioned without external IP addresses. Users can now configure enableExternalIPAccess and subnetwork fields to control network settings.

@gitautomator gitautomator bot added enhancement New feature or request go Pull requests that update go code labels Nov 11, 2025
@pedro-tamandua pedro-tamandua force-pushed the feature/private-nodes-support branch from 09d35f2 to 015529a Compare November 11, 2025 23:08
@jwcesign
Copy link
Contributor

jwcesign commented Nov 12, 2025

Hi, @pedro-tamandua thanks for your contribution, can you help fix the DCO workflow?

@pedro-tamandua
feat: add private nodes support via networkConfig
170b1ad 
Add NetworkConfig to GCENodeClass spec to control external IP allocation
and subnet selection for provisioned nodes.

Features:
- Add NetworkConfig struct with enableExternalIPAccess and subnetwork fields
- Implement resolveAccessConfigs() to conditionally disable external IPs
- Implement resolveSubnetwork() to allow custom subnet configuration
- Update CRD with new networkConfig fields
- Simplify CRD validation rules to meet Kubernetes cost limits
- Add unit tests for network configuration resolution
- Add example manifests for private nodes and custom subnets

When enableExternalIPAccess is false, nodes are provisioned without
external IP addresses (private nodes), improving security posture.

Backward compatible: defaults to existing behavior when networkConfig
is not specified.

RELEASE NOTE:
Add support for private nodes via networkConfig in GCENodeClass to improve security by allowing nodes to be provisioned without external IP addresses. Users can now configure enableExternalIPAccess and subnetwork fields to control network settings.

Signed-off-by: pedro-tamandua <[email protected]>
@pedro-tamandua pedro-tamandua force-pushed the feature/private-nodes-support branch from 015529a to 170b1ad Compare November 12, 2025 12:21
@pedro-tamandua
Copy link
Author

pedro-tamandua commented Nov 12, 2025

DCO workflow fixed.

jwcesign
jwcesign reviewed Nov 13, 2025
View reviewed changes
Copy link
Contributor

@jwcesign jwcesign left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @pedro-tamandua
Other lgtm

pkg/apis/v1alpha1/gcenodeclass.go
NetworkTags []string `json:"networkTags,omitempty"`
// NetworkConfig specifies network configuration for instances
// +optional
NetworkConfig *NetworkConfig `json:"networkConfig,omitempty"`
Copy link
Contributor

@jwcesign jwcesign Nov 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Based on GCE pages:
image

  1. Put NetworkTags into NetworkConfig field
  2. It could have multiple network interface, so, EnableExternalIPAccess and Subnetwork should be array list. Something like:
type xxx struct {
..
  NetworkConfig NetworkConfig
}

type NetworkConfig {
  Tags []string
   NetworkInterfaces []NetworkInterface
}

type NetworkInterface {
  EnableExternalIPAccess bool
  Subnetwork string
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jwcesign jwcesign jwcesign left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

enhancement New feature or request go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pedro-tamandua @jwcesign