GKE node connectivity insights

This page describes the Network Analyzer insights for Google Kubernetes Engine (GKE) node connectivity. For information about all the insight types, see Insight groups and types.

Network Analyzer detects connectivity issues caused by your network configuration (routes and firewall rules) that block connections initiated by a GKE node to the GKE control plane.

View insights in the Recommender API

To view these insights in the Google Cloud CLI or the Recommender API, use the following insight type:

  • google.networkanalyzer.container.connectivityInsight

You need the following permissions:

  • recommender.networkAnalyzerGkeConnectivityInsights.list
  • recommender.networkAnalyzerGkeConnectivityInsights.get

For more information about using the Recommender API for Network Analyzer insights, see Use the Recommender CLI and API.
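The listing step described above, as an added shell example that is not part of the Network Analyzer documentation. It assumes that Network Analyzer insights are queried with --location=global and that the caller already holds the recommender.networkAnalyzerGkeConnectivityInsights.list permission; the project ID used in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Network Analyzer documentation): list the ACTIVE GKE node
# connectivity insights for a project from the shell.
# Assumptions: Network Analyzer insights live at --location=global, and the caller already
# holds recommender.networkAnalyzerGkeConnectivityInsights.list.

INSIGHT_TYPE="google.networkanalyzer.container.connectivityInsight"

# Reject malformed project IDs before they reach gcloud. Google Cloud project IDs are
# 6 to 30 characters of lowercase letters, digits and hyphens, start with a letter and
# do not end with a hyphen.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Build the gcloud invocation as a single string so it can be inspected or logged before
# it runs. Only ACTIVE insights are listed; dismissed or accepted ones are skipped.
insights_list_cmd() {
  project="$1"
  valid_project_id "$project" || { echo "invalid project id: $project" >&2; return 1; }
  printf 'gcloud recommender insights list --project=%s --location=global --insight-type=%s --filter=%s --format=%s' \
    "$project" "$INSIGHT_TYPE" "'stateInfo.state=ACTIVE'" "'table(insightSubtype,severity,description)'"
}

# Run the listing only when a project ID is given on the command line, so running the
# file with no arguments performs no API call.
if [ -n "${1:-}" ]; then
  cmd=$(insights_list_cmd "$1") || exit 1
  echo "+ $cmd" >&2
  eval "$cmd"
fi
```

Usage: sh list_insights.sh my-project-123. The printed table shows the insight subtype, severity and description; use the insight details (control plane endpoint, network, blocking firewall rule) from the full JSON output (--format=json) when you need the exact values for a fix.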

GKE node to control plane connectivity blocked by routing issue

Indicates that connections from the GKE nodes to the control plane endpoint are blocked by a routing issue.

In private clusters, the control plane's VPC network is connected to your cluster's VPC network with VPC Network Peering. Traffic is routed to the control plane using a peering subnet route imported by the VPC Network Peering configuration. In public clusters, traffic is routed to the control plane through the control plane endpoint IP using a route to the default internet gateway.

This insight includes the following information:

  • GKE cluster: The name of the GKE cluster.
  • Control plane endpoint: The IP address of the endpoint.
  • Network: The name of the network where the GKE cluster is configured.

For more information, see Control plane in private clusters.

Recommendations

Go to the GKE cluster details and verify that the VPC Network Peering connection between your cluster's VPC network and the control plane's VPC network still exists. GKE manages this peering; if it has been deleted, create the GKE cluster again. For public clusters, also verify that the cluster's VPC network still has a route to the default internet gateway, because traffic to the control plane endpoint IP depends on it.

GKE node to control plane connectivity: public endpoint blocked by egress firewall

Indicates that connectivity from GKE nodes to the public endpoint is blocked by an egress firewall rule.

GKE nodes in a public cluster communicate with the control plane through TCP on port 443. This connection is allowed by default by the implied allow-egress firewall rule in your Google Cloud project, so it is only blocked when a higher-priority egress deny rule has been added. The firewall rule that is blocking the connection is listed in the insight details.

For more information, see Using firewall rules.

Recommendations

Create an egress firewall rule that allows TCP traffic on port 443 with a destination filter of the cluster's endpoint IP address. This rule must have a higher priority than the blocking firewall rule, which in Google Cloud means a lower priority number.

For tighter scoping, restrict the rule to the cluster's nodes by setting its target to the network tag of your GKE cluster nodes, so that it does not open port 443 egress for every VM in the network.

GKE node to control plane connectivity: private endpoint blocked by egress firewall

Indicates that connectivity from GKE nodes to the private endpoint is blocked by an egress firewall rule.

GKE nodes in a private cluster communicate with the control plane through TCP on port 443 over the private endpoint. This connection is allowed by default by the implied allow-egress firewall rule in your Google Cloud project, so it is only blocked when a higher-priority egress deny rule has been added. The firewall rule that is blocking the connection is listed in the insight details.

For more information, see Using firewall rules.

Recommendations

Create an egress firewall rule that allows TCP traffic on port 443 with a destination filter of the cluster's control plane address range. This rule must have a higher priority than the blocking firewall rule, which in Google Cloud means a lower priority number.

For tighter scoping, restrict the rule to the cluster's nodes by setting its target to the network tag of your GKE cluster nodes, so that it does not open port 443 egress for every VM in the network.
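The recommended fix for both egress-firewall insights (public endpoint and private endpoint) is the same shape: an egress allow rule for TCP 443 to the control plane destination, outranking the blocking rule and ideally targeted at the node tag. The script below is an added example, not code from the Network Analyzer documentation. It assumes the blocking rule name is taken from the insight details, the destination is either the public endpoint IP (public cluster) or the control plane address range (private cluster), and the rule name allow-gke-control-plane-443, the network and tag names are placeholders. It also encodes the check practitioners most often get wrong: Google Cloud firewall priorities run from 0 to 65535 and a lower number wins, so a blocking rule at priority 0 cannot be outranked and has to be edited instead.

```shell
#!/bin/sh
# Added example (not from the Network Analyzer documentation): build and, on request,
# apply the egress allow rule recommended for the "public endpoint blocked by egress
# firewall" and "private endpoint blocked by egress firewall" insights.
# Assumptions: the blocking rule name comes from the insight details; DESTINATION is the
# control plane endpoint IP (public cluster) or control plane address range (private
# cluster); the rule name allow-gke-control-plane-443 and NODE_TAG are placeholders.

# Firewall priorities run 0..65535 and a LOWER number wins. The allow rule must be
# numerically below the blocking rule; a blocking rule at priority 0 cannot be outranked.
allow_priority() {
  case "$1" in ''|*[!0-9]*) echo "priority must be an integer: '$1'" >&2; return 1 ;; esac
  if [ "$1" -le 0 ]; then echo "blocking rule has priority 0; edit it instead" >&2; return 1; fi
  echo $(($1 - 1))
}

# Destination filters are CIDR ranges. A bare endpoint IP (public cluster) becomes a /32;
# a range such as a private cluster's control plane block is used as-is.
destination_range() {
  case "$1" in
    */*) echo "$1" ;;
    *)   echo "$1/32" ;;
  esac
}

# Compose the gcloud command: only TCP 443, only to the control plane destination, and
# only from nodes carrying NODE_TAG when one is supplied.
egress_allow_cmd() {
  rule_name="$1"; network="$2"; destination="$3"; priority="$4"; node_tag="$5"
  cmd="gcloud compute firewall-rules create $rule_name"
  cmd="$cmd --network=$network --direction=EGRESS --action=ALLOW --rules=tcp:443"
  cmd="$cmd --destination-ranges=$(destination_range "$destination") --priority=$priority"
  if [ -n "$node_tag" ]; then
    cmd="$cmd --target-tags=$node_tag"
  fi
  echo "$cmd"
}

# Live mode: read the blocking rule's priority with gcloud, then create the allow rule.
# Usage:  sh fix_egress.sh apply NETWORK BLOCKING_RULE DESTINATION [NODE_TAG]
# With no arguments the file only defines the functions and performs no API call.
if [ "${1:-}" = "apply" ]; then
  network="$2"; blocking="$3"; destination="$4"; node_tag="${5:-}"
  blocking_priority=$(gcloud compute firewall-rules describe "$blocking" --format='value(priority)')
  priority=$(allow_priority "$blocking_priority") || exit 1
  cmd=$(egress_allow_cmd "allow-gke-control-plane-443" "$network" "$destination" "$priority" "$node_tag")
  echo "+ $cmd" >&2
  eval "$cmd"
fi
```

For a public cluster, DESTINATION is the endpoint IP shown in the insight (also available from gcloud container clusters describe CLUSTER --format='value(endpoint)'); for a private cluster it is the control plane address range (gcloud container clusters describe CLUSTER --format='value(privateClusterConfig.masterIpv4CidrBlock)'). The allow rule is placed one priority step above the blocking rule rather than at 0, so it does not accidentally outrank unrelated deny rules you may add later.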