GKE control plane connectivity insights

This page describes the Network Analyzer insights for Google Kubernetes Engine (GKE) control plane connectivity. For information about all the insight types, see Insight groups and types.

Network Analyzer detects connectivity issues caused by configuration problems when the GKE control plane initiates a connection to a GKE node.

View insights in the Recommender API

To view these insights in the Google Cloud CLI or the Recommender API, use the following insight type:

  • google.networkanalyzer.container.connectivityInsight

You need the following permissions:

  • recommender.networkAnalyzerGkeConnectivityInsights.list
  • recommender.networkAnalyzerGkeConnectivityInsights.get

For more information about using the Recommender API for Network Analyzer insights, see Use the Recommender CLI and API.

GKE control plane to node connectivity blocked by routing issue

This insight indicates that the connection from the GKE control plane to the node is blocked by a routing issue. This insight includes the following information:

  • GKE cluster: The name of the GKE cluster.
  • Control plane endpoint: The IP address of the endpoint.
  • Network: The name of the network where the GKE cluster is configured.

In private clusters, the control plane's VPC network is connected to your cluster's VPC network with VPC Network Peering. Traffic is routed to the control plane by using a peering subnet route imported by the VPC Network Peering configuration. This insight shouldn't occur in public clusters.

For more information, see Control plane in private clusters.

Recommendations

Go to the GKE cluster details and verify VPC Network Peering. If VPC Network Peering is deleted, create the GKE cluster again.

GKE control plane to node connectivity blocked by ingress firewall on the node

This insight indicates that the connection from the GKE control plane to the node is blocked by an ingress firewall on the node. This insight includes the following information:

  • GKE cluster: The name of the GKE cluster.
  • Control plane endpoint: The IP address of the GKE control plane.
  • Network: The name of the network where the GKE cluster is configured.
  • Blocking ingress firewall: If the connectivity from the control plane to the node is blocked by an ingress firewall, it shows the name of this firewall; otherwise, this field is not displayed.
  • Ports: The ports on the GKE nodes that have the traffic blocked. For public clusters, the control plane communicates with GKE nodes on port 22. For private clusters, the control plane communicates with the GKE nodes on port 443 and port 10250.

By default, GKE creates firewall rules to allow communication between the control plane and the GKE nodes in your project. This insight indicates that either these default firewall rules have been modified or removed, or that another firewall rule in your VPC network is shadowing the automatically created firewall rules.

For more information, see Automatically created firewall rules and Firewall rules overview.

Recommendations

  • If the automatically created firewall rule is deleted from your VPC network, re-create it.
  • If the automatically created firewall rule exists, then the blocking firewall rule has a higher priority. Raise the priority of the automatically created firewall rule (a lower numeric priority value) so that it takes precedence over the blocking rule.
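The shadowing check described above, as an added example that is not part of this page or of Google's tooling: it evaluates constructed ingress rules for the node ports the control plane uses and reports which rule (or the VPC's implied deny) blocks each port. Rule names, CIDRs and endpoint addresses are constructed; the auto-created rule name only imitates the GKE naming pattern.

```python
import ipaddress
from dataclasses import dataclass, replace

# Node ports the control plane must reach, as listed in the insight description.
CONTROL_PLANE_PORTS = {"public": (22,), "private": (443, 10250)}


@dataclass(frozen=True)
class IngressRule:
    name: str
    priority: int        # Google Cloud firewall rules: a lower number wins
    action: str          # "allow" or "deny"
    source_range: str    # CIDR the rule applies to
    ports: frozenset     # TCP ports; empty means all ports


def matches(rule, endpoint_ip, port):
    """True if an ingress rule applies to traffic from endpoint_ip to port."""
    in_range = ipaddress.ip_address(endpoint_ip) in ipaddress.ip_network(rule.source_range)
    return in_range and (not rule.ports or port in rule.ports)


def blocked_ports(rules, cluster_type, endpoint_ip):
    """Return {port: blocking rule name} for each control plane port that is not allowed.
    The highest-priority matching rule decides; with no match, the VPC's implied
    deny-ingress rule applies (that is, the auto-created allow rule is missing)."""
    blocked = {}
    for port in CONTROL_PLANE_PORTS[cluster_type]:
        decision = next((r for r in sorted(rules, key=lambda r: r.priority)
                         if matches(r, endpoint_ip, port)), None)
        if decision is None:
            blocked[port] = "implied deny ingress"
        elif decision.action == "deny":
            blocked[port] = decision.name
    return blocked


# Constructed sample: the auto-created rule exists but a broad deny rule outranks it.
AUTO_RULE = IngressRule("gke-example-cluster-1a2b3c4d-master", 1000, "allow",
                        "172.16.0.0/28", frozenset({443, 10250}))
DENY_ALL = IngressRule("deny-all-ingress", 900, "deny", "0.0.0.0/0", frozenset())
PRIVATE_ENDPOINT = "172.16.0.2"      # constructed private control plane endpoint
PUBLIC_ENDPOINT = "203.0.113.10"     # constructed public control plane endpoint


def shadowed():
    return blocked_ports([AUTO_RULE, DENY_ALL], "private", PRIVATE_ENDPOINT)


def fixed():
    # Recommendation applied: the auto-created rule gets a lower (stronger) priority number.
    return blocked_ports([replace(AUTO_RULE, priority=800), DENY_ALL], "private", PRIVATE_ENDPOINT)


def missing_rule():
    # Public cluster whose auto-created rule was deleted: port 22 hits the implied deny.
    return blocked_ports([], "public", PUBLIC_ENDPOINT)
```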