Open ports on a private cluster

If you are installing in-cluster Cloud Service Mesh on a private cluster, you must open port 15017 in the firewall to get the webhooks used with automatic sidecar injection (auto-injection) and configuration validation to work.

The following steps describe how to add a firewall rule to include the new ports that you want to open.

  1. Find the source range (master-ipv4-cidr) and targets of the cluster. In the following command, replace CLUSTER_NAME with the name of your cluster:

     gcloud compute firewall-rules list \
         --filter 'name~gke-CLUSTER_NAME-[0-9a-z]*-master' \
         --format 'table(
             name,
             network,
             direction,
             sourceRanges.list():label=SRC_RANGES,
             allowed[].map().firewall_rule().list():label=ALLOW,
             targetTags.list():label=TARGET_TAGS
         )'
  2. Create the firewall rule. Choose from the following commands and replace CLUSTER_NAME with the name of the cluster you used in the previous command.

    • To enable auto-injection, run the following command to open port 15017:

       gcloud compute firewall-rules create allow-api-server-to-webhook-CLUSTER_NAME \
           --action ALLOW \
           --direction INGRESS \
           --source-ranges CONTROL_PLANE_RANGE \
           --rules tcp:15017 \
           --target-tags TARGET

      Replace the following:

      • CLUSTER_NAME: the name of your cluster
      • CONTROL_PLANE_RANGE: the cluster control plane's IP address range (masterIpv4CidrBlock) that you collected previously.
      • TARGET: the target (Targets) value that you collected previously.
    • If you also want to enable the istioctl version and istioctl ps commands, run the following command to open ports 15014 and 8080:

       gcloud compute firewall-rules create allow-debug-proxy-CLUSTER_NAME \
           --action ALLOW \
           --direction INGRESS \
           --source-ranges CONTROL_PLANE_RANGE \
           --rules tcp:15014,tcp:8080 \
           --target-tags TARGET

      Replace the following:

      • CLUSTER_NAME: the name of your cluster
      • CONTROL_PLANE_RANGE: the cluster control plane's IP address range (masterIpv4CidrBlock) that you collected previously.
      • TARGET: the target (Targets) value that you collected previously.
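The following check, an added example that is not part of this page or of the Cloud Service Mesh tooling, reads the output of `gcloud compute firewall-rules list --format json` and reports which of the ports above (15017, 15014, 8080) are still not allowed from the control plane range to the node target tags. The cluster name, CIDR and tags in the embedded sample are constructed placeholders.

```python
import ipaddress
import json

# Ports this page says the control plane must reach on the nodes, keyed by purpose.
REQUIRED_TCP_PORTS = {15017: "auto-injection / validation webhooks",
                      15014: "istioctl version", 8080: "istioctl ps"}

def _port_spec_matches(spec, port):
    """gcloud lists ports as "15017" or as a range such as "15000-15020"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _allows_tcp_port(rule, port):
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        # An entry with no "ports" list allows every port of that protocol.
        if not ports or any(_port_spec_matches(p, port) for p in ports):
            return True
    return False

def _applies_to_path(rule, control_plane_cidr, node_tags):
    """True if the rule is an enabled INGRESS allow rule whose sources cover the
    control-plane range and whose target tags include one of the node tags."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS" or "allowed" not in rule:
        return False
    cidr = ipaddress.ip_network(control_plane_cidr, strict=False)
    sources = [ipaddress.ip_network(s, strict=False) for s in rule.get("sourceRanges", [])]
    if not any(s.version == cidr.version and cidr.subnet_of(s) for s in sources):
        return False
    tags = rule.get("targetTags")  # no targetTags means "all instances in the network"
    return not tags or bool(set(tags) & set(node_tags))

def missing_mesh_ports(rules, control_plane_cidr, node_tags):
    """Return {port: purpose} for required ports that no matching rule allows.
    Simplification: higher-priority DENY rules are not evaluated."""
    return {port: why for port, why in REQUIRED_TCP_PORTS.items()
            if not any(_applies_to_path(r, control_plane_cidr, node_tags) and _allows_tcp_port(r, port)
                       for r in rules)}

# Constructed sample in the shape of `gcloud compute firewall-rules list --format json`:
# the auto-created master rule of a private cluster plus the webhook rule from this page.
SAMPLE_RULES = json.loads("""[
 {"name": "gke-my-cluster-1a2b3c4d-master", "network": "default", "direction": "INGRESS",
  "sourceRanges": ["172.16.0.0/28"], "targetTags": ["gke-my-cluster-1a2b3c4d-node"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443", "10250"]}]},
 {"name": "allow-api-server-to-webhook-my-cluster", "network": "default", "direction": "INGRESS",
  "sourceRanges": ["172.16.0.0/28"], "targetTags": ["gke-my-cluster-1a2b3c4d-node"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["15017"]}]}
]""")

if __name__ == "__main__":
    gaps = missing_mesh_ports(SAMPLE_RULES, "172.16.0.0/28", ["gke-my-cluster-1a2b3c4d-node"])
    for port, why in sorted(gaps.items()):
        print(f"tcp:{port} is not allowed from the control plane ({why})")
```

With the sample, only the debug ports 15014 and 8080 are reported; rerun against the real `--format json` output after creating the rules to confirm nothing is still blocked.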