From 0b9bc65f2dc089a086f494c3eb4dc58ae3d1758e Mon Sep 17 00:00:00 2001 From: villyes Date: Fri, 22 May 2026 13:02:37 +0200 Subject: [PATCH 1/2] fix(k8s): fix full isolation info MTA-7165 --- .../secure-cluster-with-private-network.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pages/kubernetes/reference-content/secure-cluster-with-private-network.mdx b/pages/kubernetes/reference-content/secure-cluster-with-private-network.mdx index 5ae44d6846..5ee7bf0110 100644 --- a/pages/kubernetes/reference-content/secure-cluster-with-private-network.mdx +++ b/pages/kubernetes/reference-content/secure-cluster-with-private-network.mdx @@ -38,7 +38,7 @@ Worker node pools with controlled isolation inside a Private Network have both p | Isolation | Controlled isolation
(default) | Full isolation
(optional) | None
(deprecated) | |-------------|-------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------|----------------------------------------------| -| Description | Worker nodes are assigned both private IPs and public IPs.
All inbound traffic on the public interface is dropped by default using Security Groups. | The control plane and worker nodes are set without public IPs (100% private network).
A [Public Gateway](/public-gateways/how-to/configure-a-public-gateway/) is required. | Clusters without a Private Network attached.
Nodes have public-only endpoints. | +| Description | Worker nodes are assigned both private IPs and public IPs.
All inbound traffic on the public interface is dropped by default using security groups. | The worker nodes are set without public IPs (100% private network), with the control plane getting a public IP.
A [Public Gateway](/public-gateways/how-to/configure-a-public-gateway/) is required. | Clusters without a Private Network attached.
Nodes have public-only endpoints. | | Benefits | 1. Strong security
2. Dynamic public IPs to reach out to external providers while avoiding rate limiting | 1. Maximum security
2. A stable egress IP for secure connection to external providers | n/a | | Notice | Default choice for new clusters. Can be used in combination with pools using full isolation. | Requires a Public Gateway, which incurs additional costs. | Deprecated in October 2023. | @@ -54,11 +54,11 @@ Worker node pools with controlled isolation inside a Private Network have both p ### Can I use a Public Gateway with my Private Network to exit all outgoing traffic from the nodes? -Yes, you are required to attach a Private Gateway when setting up a node pool with [full isolation](#what-is-the-difference-between-controlled-isolation-and-full-isolation). This allows Kapsule nodes with private IPs to route their outgoing traffic through the Public Gateway. For detailed steps on setting up a Public Gateway, refer to our [Public Gateway documentation](/public-gateways/how-to/configure-a-public-gateway/). +Yes, you are required to attach a Public Gateway when setting up a node pool with [full isolation](#what-is-the-difference-between-controlled-isolation-and-full-isolation). This allows Kapsule nodes with private IPs to route their outgoing traffic through the Public Gateway. For detailed steps on setting up a Public Gateway, refer to our [Public Gateway documentation](/public-gateways/how-to/configure-a-public-gateway/). Keep in mind that removing or detaching the Public Gateway from the Private Network can cause a single point of failure in the cluster, preventing fully isolated node pools from accessing the control plane. - To use a Public Gateway with a Private Network on a Kapsule cluster, make sure that + To use a Public Gateway with a Private Network on a Kapsule cluster, make sure that: * The Public Gateway is located in the same region as the Kapsule cluster. * [Dynamic NAT must be activated](/public-gateways/concepts/#nat) (enabled by default). * [Advertise DefaultRoute must be activated](/public-gateways/concepts/#default-route) (enabled by default). 
@@ -102,7 +102,7 @@ curl --request POST \ - - This action adds a new endpoint. If you want to use it in your environment, you need to update the endpoint in your configuration. + This action adds a new endpoint. If you want to use it in your environment, you need to update the endpoint in your configuration. Refer to the [Managed Database for PostgreSQL and MySQL API documentation](https://www.scaleway.com/en/developers/api/managed-databases-for-postgresql-and-mysql/#path-endpoints-create-a-new-database-instance-endpoint) for further information. @@ -111,7 +111,7 @@ Refer to the [Managed Database for PostgreSQL and MySQL API documentation](https Managed Load Balancers support Private Networks with private backends and public frontends, meaning the traffic is forwarded to your worker nodes through your clusters' Private Network. -Additionally, [private Load Balancers](/load-balancer/concepts/#private-load-balancer) are supported. These Load Balancers have no public IPs in either their back or frontends. +Additionally, [private Load Balancers](/load-balancer/concepts/#private-load-balancer) are supported. These Load Balancers have no public IPs in either their back- or frontends. If you have a trusted IP configured on your ingress controller, note that the request will come from a private IP. @@ -203,5 +203,5 @@ The control plane and worker nodes are located in your cluster's Private Network ## Are there additional options for isolation? -- You can restrict and allow a range of IPs to control who can access the API server of your fully isolated clusters. [Learn how to manage allowed IPs](/kubernetes/how-to/manage-allowed-ips) +- You can restrict and allow a range of IPs to control who can access the API server of your fully isolated clusters. [Learn how to manage allowed IPs](/kubernetes/how-to/manage-allowed-ips). - The CNI’s network policies will restrict/allow a range of IPs or ports to control who can access the API server. \ No newline at end of file 
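Review bot: In the Description row of the @@ -38,7 hunk, the full isolation cell now says the control plane gets a public IP but keeps the parenthetical "(100% private network)", so the cell contradicts itself. Suggest dropping the parenthetical or scoping it to the worker nodes. Since a publicly reachable control plane is what readers who pick this column for "Maximum security" will want to restrict, the cell could also link to the allowed-IPs page that the last section of this file already references.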
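Review bot: In the @@ -54,11 hunk, the new "make sure that:" lead-in does not read with the bullets under it ("Dynamic NAT must be activated", "Advertise DefaultRoute must be activated"). Reword the bullets to "Dynamic NAT is activated" and so on, or change the lead-in to "the following requirements apply:". The unchanged sentence just above says that removing the Public Gateway "can cause a single point of failure". The gateway itself is the single point of failure, and removing it is what cuts fully isolated pools off from the control plane, so that sentence is worth rewording while this paragraph is being touched.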
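Review bot: In the @@ -203,5 hunk, the first bullet still says "fully isolated clusters", while the isolation table describes isolation per node pool ("Can be used in combination with pools using full isolation"). Suggest "clusters with fully isolated node pools" or similar. The second bullet credits the CNI's network policies with controlling "who can access the API server". Network policies act on pod traffic inside the cluster, so the bullet should say which access it means to avoid reading as a duplicate of the allowed-IPs control. The file also still ends without a trailing newline.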
From 3e440dbac2e6d0fe4e4f257b65a7497fa979f343 Mon Sep 17 00:00:00 2001 From: villyes Date: Mon, 25 May 2026 13:07:17 +0200 Subject: [PATCH 2/2] fix(k8s): fix full isolation info MTA-7165 --- .../reference-content/secure-cluster-with-private-network.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/kubernetes/reference-content/secure-cluster-with-private-network.mdx b/pages/kubernetes/reference-content/secure-cluster-with-private-network.mdx index 5ee7bf0110..9537de49f9 100644 --- a/pages/kubernetes/reference-content/secure-cluster-with-private-network.mdx +++ b/pages/kubernetes/reference-content/secure-cluster-with-private-network.mdx @@ -199,7 +199,7 @@ You can find a Terraform/OpenTofu configuration example below: ## Is the control plane also located inside the Private Network? -The control plane and worker nodes are located in your cluster's Private Network. You can reach the control plane for nodes using [full isolation](#what-is-the-difference-between-controlled-isolation-and-full-isolation) by adding a [Public Gateway](/public-gateways/how-to/configure-a-public-gateway/) to the cluster. +The control plane and worker nodes are located in your Kubernetes Kapsule cluster's Private Network. You can reach the control plane for nodes using [full isolation](#what-is-the-difference-between-controlled-isolation-and-full-isolation) by adding a [Public Gateway](/public-gateways/how-to/configure-a-public-gateway/) to the cluster. ## Are there additional options for isolation?
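Review bot: The reworded answer in the @@ -199,7 hunk still says only that the control plane is located in the Private Network, while PATCH 1/2 changed the isolation table to say the control plane gets a public IP under full isolation. Suggest stating both facts here so that the FAQ and the table agree. "You can reach the control plane for nodes using full isolation" is also ambiguous about who is reaching what. If the intent is that fully isolated nodes reach the control plane through the gateway, "Nodes using full isolation reach the control plane through a Public Gateway" says so directly.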