If you are installing Anthos Service Mesh on a private cluster, you must open port 15017 in the firewall to get the webhook used with automatic sidecar injection to work properly. You can either add a firewall rule or update the firewall rule that was created automatically when you created the private cluster, as follows:
Find the source range (
master-ipv4-cidr) of the cluster. In the following command, replaceCLUSTER_NAMEwith the name of your cluster:gcloud compute firewall-rules list --filter="name~gke-CLUSTER_NAME-[0-9a-z]*-master"
Update the firewall rule with port 15017. In the following command, replace
FIREWALL_RULE_NAMEwith the name of your firewall rule:gcloud compute firewall-rules update FIREWALL_RULE_NAME --allow tcp:10250,tcp:443,tcp:15017
The update command is actually a replace, so you need to include the default ports 443 (HTTPS) and 10250 (kubelet) as well as 15017.