
Feature: Private/SNA SKE cluster support with two-stage runner model #37

@lweberru

Description


Context

Current end-to-end deployment is stable with network.mode = public for SKE. We intentionally defer private/SNA cluster enablement to a dedicated feature stream.

Problem Statement

Using the Kubernetes provider against private control-plane endpoints requires private network reachability from the execution environment. This adds architectural and operational complexity (runner placement, connectivity, auth, retries, diagnostics).

Goal

Introduce first-class support for private SKE clusters (accessScope = SNA) in stackit-landing-zone with a robust two-stage execution model.

Scope (proposed)

  • Add/validate prerequisites for private SKE clusters:
    • SNA membership
    • Routing tables enabled
    • Public DNS resolver requirements for SNA networking
  • Define a two-stage pipeline model:
    • Stage A: STACKIT infrastructure provider (public CI possible)
    • Stage B: Kubernetes provider from private-reachable runner
  • Add explicit readiness gates/preflight checks:
    • API endpoint reachability
    • auth/token validation
  • Improve operational diagnostics:
    • classify network EOF/timeout errors separately from config/drift errors
    • expose actionable logs and trace IDs
  • Optional break-glass mode:
    • bastion/tunnel based temporary access with hardened security defaults

Out of Scope (for this issue)

  • Immediate rollout of private clusters in current E2E lane
  • Permanent bastion-based proxy as primary operating model

Acceptance Criteria

  • Private/SNA cluster path can be deployed reproducibly in CI with documented runner requirements.
  • Kubernetes resources are applied only from environments with verified private API reachability.
  • Documentation includes decision tree: public vs private/SNA cluster operation model.

References
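The "readiness gates/preflight checks" and "classify network EOF/timeout errors separately from config/drift errors" items above describe a Stage B gate that should run on the private-reachable runner before the Kubernetes provider is applied. The following is an added example of such a gate, written for this page; it is not code from stackit-landing-zone. It assumes the runner has a bearer token for the cluster, that the cluster API is reachable over https on a private address, that the cluster is new enough to serve `authentication.k8s.io/v1` SelfSubjectReview (GA since Kubernetes 1.28), and that the `Audit-Id` header, when the API server returns one, is a useful trace ID for cross-referencing server-side logs. The `connect`/`opener` parameters exist so the gate can be exercised offline; the environment variable names in the `__main__` block are hypothetical.

```python
"""Stage B preflight for a private/SNA SKE cluster: gate 1 checks that this runner
can reach the private API endpoint, gate 2 checks that the token is accepted.
Failures are classified so CI logs distinguish runner placement/connectivity
problems from credential and configuration problems."""
import json
import os
import socket
import ssl
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional
from urllib.parse import urlsplit


class Outcome(Enum):
    READY = "ready"      # both gates passed: safe to run the Kubernetes provider
    NETWORK = "network"  # DNS, TCP, timeout or TLS EOF: runner cannot reach the endpoint
    AUTH = "auth"        # 401/403: token rejected or lacking RBAC
    CONFIG = "config"    # bad endpoint URL, untrusted CA, unexpected response


@dataclass
class PreflightResult:
    outcome: Outcome
    detail: str
    audit_id: Optional[str] = None  # Audit-Id response header, if the server sent one


def classify_exception(exc: BaseException) -> Outcome:
    """Map a transport/HTTP exception to an operator-actionable class."""
    if isinstance(exc, urllib.error.HTTPError):
        return Outcome.AUTH if exc.code in (401, 403) else Outcome.CONFIG
    if isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, BaseException):
        exc = exc.reason  # urllib wraps the socket/ssl error; classify the cause
    if isinstance(exc, ssl.SSLEOFError):
        return Outcome.NETWORK  # connection cut during the handshake (e.g. by a middlebox)
    if isinstance(exc, ssl.SSLError):
        return Outcome.CONFIG   # certificate or trust problem, not reachability
    if isinstance(exc, (TimeoutError, socket.timeout, socket.gaierror, ConnectionError, EOFError)):
        return Outcome.NETWORK
    return Outcome.CONFIG


def check_reachability(api_server: str, timeout: float = 5.0,
                       connect: Callable = socket.create_connection) -> PreflightResult:
    """Gate 1: open a TCP connection to the control plane with a hard timeout."""
    parts = urlsplit(api_server)
    if parts.scheme != "https" or not parts.hostname:
        return PreflightResult(Outcome.CONFIG, f"endpoint must be an https:// URL, got {api_server!r}")
    port = parts.port or 443
    try:
        with connect((parts.hostname, port), timeout=timeout):
            pass
    except Exception as exc:  # every failure is classified, never swallowed
        return PreflightResult(classify_exception(exc), f"tcp connect {parts.hostname}:{port}: {exc}")
    return PreflightResult(Outcome.READY, f"tcp connect {parts.hostname}:{port} ok")


def check_token(api_server: str, token: str, timeout: float = 5.0,
                opener: Callable = urllib.request.urlopen,
                ca_file: Optional[str] = None) -> PreflightResult:
    """Gate 2: authenticated 'whoami' via SelfSubjectReview (authentication.k8s.io/v1)."""
    body = json.dumps({"apiVersion": "authentication.k8s.io/v1", "kind": "SelfSubjectReview"}).encode()
    req = urllib.request.Request(
        f"{api_server.rstrip('/')}/apis/authentication.k8s.io/v1/selfsubjectreviews",
        data=body, method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_file)  # always verify the cluster CA
    try:
        with opener(req, timeout=timeout, context=ctx) as resp:
            audit_id = resp.headers.get("Audit-Id")
            payload = json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        audit_id = exc.headers.get("Audit-Id") if exc.headers else None
        return PreflightResult(classify_exception(exc), f"HTTP {exc.code} from selfsubjectreviews", audit_id)
    except Exception as exc:
        return PreflightResult(classify_exception(exc), f"selfsubjectreviews: {exc}")
    user = payload.get("status", {}).get("userInfo", {}).get("username")
    if not user:
        return PreflightResult(Outcome.CONFIG, "response has no status.userInfo.username", audit_id)
    return PreflightResult(Outcome.READY, f"authenticated as {user}", audit_id)


def preflight(api_server: str, token: str, timeout: float = 5.0,
              connect: Callable = socket.create_connection,
              opener: Callable = urllib.request.urlopen,
              ca_file: Optional[str] = None) -> PreflightResult:
    """Run the gates in order and stop at the first failure so the log names the real cause."""
    result = check_reachability(api_server, timeout, connect)
    if result.outcome is not Outcome.READY:
        return result
    return check_token(api_server, token, timeout, opener, ca_file)


if __name__ == "__main__":
    # Hypothetical CI wiring: these environment variable names are an assumption of this example.
    res = preflight(os.environ["KUBE_API_SERVER"], os.environ["KUBE_TOKEN"],
                    ca_file=os.environ.get("KUBE_CA_FILE"))
    print(f"[{res.outcome.value}] {res.detail} audit_id={res.audit_id}")
    sys.exit(0 if res.outcome is Outcome.READY else 1)
```

Run it as the first step of the Stage B job and let a non-zero exit block the Kubernetes provider apply; a `network` result points at runner placement, SNA membership or DNS, an `auth` result at the token or RBAC, and a `config` result at the endpoint URL or CA bundle. Gate 1 deliberately uses a plain TCP connect so a reachability failure is reported before any TLS or auth noise can mask it.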

Metadata

Labels: enhancement (New feature or request), kubernetes, sna (STACKIT Network Area), terraform (Pull requests that update terraform code)
