If you are installing Anthos Service Mesh on a private cluster, you must open port
15017 in the firewall to get the webhooks used with automatic sidecar injection
(auto-injection) and configuration validation to work. Depending on your Anthos
Service Mesh version, you might need to open additional ports to get the
`istioctl version` and `istioctl ps` commands to function properly:

- 1.7.3: The `istioctl version` command requires port 15014 and `istioctl ps`
  requires port 8080. Opening both 15014 and 8080 makes `istioctl version`
  return a response quicker.
- 1.8.1: You don't need to open any ports for these commands, but opening
  15014 makes `istioctl version` and `istioctl ps` return a response quicker.

You can either add a firewall rule or update the firewall rule that was created
automatically when you created the private cluster. The following steps describe
how to update the firewall rule. The update command replaces the existing
firewall rule, so you need to include the default ports 443 (HTTPS) and 10250
(kubelet) as well as the new ports that you want to open.

1. Find the source range (`master-ipv4-cidr`) of the cluster. In the following
   command, replace `CLUSTER_NAME` with the name of your cluster:

   `gcloud compute firewall-rules list --filter="name~gke-CLUSTER_NAME-[0-9a-z]*-master"`

2. Update the firewall rule. Choose one of the following commands and replace
   `FIREWALL_RULE_NAME` with the name of the firewall rule from the output of
   the previous command.

   - If you only want to enable auto-injection, run the following command to
     open port 15017:

     `gcloud compute firewall-rules update FIREWALL_RULE_NAME --allow tcp:10250,tcp:443,tcp:15017`

   - If you want to enable auto-injection and the `istioctl version` and
     `istioctl ps` commands, run the following command to open ports 15017,
     15014, and 8080:

     `gcloud compute firewall-rules update FIREWALL_RULE_NAME --allow tcp:10250,tcp:443,tcp:15017,tcp:15014,tcp:8080`
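As an added example that is not part of this page or of the Anthos Service Mesh tooling: a POSIX shell helper that merges the new ports into the rule's current `--allow` value and checks that the update, which replaces the whole rule, never drops 443 and 10250. The current value is a constructed sample, `FIREWALL_RULE_NAME` is a placeholder, and the per-version port table only covers the two versions listed above.

```shell
#!/bin/sh
# Added example, not from the Anthos Service Mesh docs. Builds the --allow value
# for `gcloud compute firewall-rules update` so that the replacement rule always
# keeps the control-plane defaults (443, 10250) alongside the new ASM ports.
set -eu

# Ports the private-cluster master firewall rule must never lose.
REQUIRED_PORTS="443 10250"

# asm_ports VERSION: ports to open for auto-injection plus the istioctl commands,
# per the version notes above (any other version: webhook port only).
asm_ports() {
    case $1 in
        1.7.3) echo "15017 15014 8080" ;;
        1.8.1) echo "15017 15014" ;;   # 15014 is optional, only speeds up istioctl
        *)     echo "15017" ;;
    esac
}

# merge_allow EXISTING PORT...: EXISTING is the rule's current --allow value
# (e.g. "tcp:443,tcp:10250"); PORT... are extra TCP ports. Prints a deduplicated
# --allow value sorted by port number, with REQUIRED_PORTS always included.
merge_allow() {
    existing=$1; shift
    {
        printf '%s\n' "$existing" | tr ',' '\n'          # current entries
        for p in $REQUIRED_PORTS "$@"; do printf 'tcp:%s\n' "$p"; done
    } | grep -v '^$' | sort -u | sort -t: -k2,2n | paste -s -d ',' -
}

# has_required ALLOW: succeeds only if every required port is still listed.
has_required() {
    for p in $REQUIRED_PORTS; do
        case ",$1," in *",tcp:$p,"*) ;; *) return 1 ;; esac
    done
}

# Demo with a constructed current rule value; FIREWALL_RULE_NAME is a placeholder.
# Word splitting of $(asm_ports ...) is intentional.
ALLOW=$(merge_allow "tcp:443,tcp:10250" $(asm_ports "1.7.3"))
has_required "$ALLOW"
printf 'gcloud compute firewall-rules update FIREWALL_RULE_NAME --allow %s\n' "$ALLOW"
```

Feed `merge_allow` the live rule's current allow list (for example read with `gcloud compute firewall-rules describe`) instead of the constructed sample, and only run the printed update command once `has_required` passes.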