Opening ports on a private cluster

If you are installing in-cluster Anthos Service Mesh on a private cluster, you must open port 15017 in the firewall so that the Kubernetes API server can reach the istiod webhooks used for automatic sidecar injection (auto-injection) and configuration validation. By default, the control plane of a private cluster can reach the nodes only on ports 443 and 10250, so webhook calls to port 15017 are dropped until you add a rule, and auto-injection and validation fail silently or time out.

The following steps describe how to add a firewall rule that opens the ports you need. The rule allows ingress only from the control plane's IP range to the cluster's nodes; keep it that narrow rather than widening the source range.

  1. Find the control plane's IP address range (master-ipv4-cidr, shown as SRC_RANGES) and the node target tags (TARGET_TAGS) of the cluster. The command below lists the firewall rule that GKE created for the control plane; in it, replace CLUSTER_NAME with the name of your cluster:

    gcloud compute firewall-rules list \
        --filter 'name~gke-CLUSTER_NAME-[0-9a-z]*-master' \
        --format 'table(
            name,
            network,
            direction,
            sourceRanges.list():label=SRC_RANGES,
            allowed[].map().firewall_rule().list():label=ALLOW,
            targetTags.list():label=TARGET_TAGS
        )'
    
  2. Create the firewall rule. Choose from the following commands and replace CLUSTER_NAME with the cluster name you used in the previous command.

    • To enable auto-injection, run the following command to open port 15017:

      gcloud compute firewall-rules create allow-api-server-to-webhook-CLUSTER_NAME \
        --action ALLOW \
        --direction INGRESS \
        --source-ranges CONTROL_PLANE_RANGE \
        --rules tcp:15017 \
        --target-tags TARGET
      

      Replace the following:

      • CLUSTER_NAME: the name of your cluster
      • CONTROL_PLANE_RANGE: the cluster control plane's IP address range (masterIpv4CidrBlock, the SRC_RANGES value) that you collected previously. Do not replace it with 0.0.0.0/0 or a wider range; only the control plane needs to reach the webhook port.
      • TARGET: the TARGET_TAGS value that you collected previously.
    • If you also want to use the istioctl version and istioctl ps commands, run the following command to open ports 15014 and 8080 (istiod's monitoring and debug ports). Open them only if you need these debugging commands:

      gcloud compute firewall-rules create allow-debug-proxy-CLUSTER_NAME \
        --action ALLOW \
        --direction INGRESS \
        --source-ranges CONTROL_PLANE_RANGE \
        --rules tcp:15014,tcp:8080 \
        --target-tags TARGET
      

      Replace the following:

      • CLUSTER_NAME: the name of your cluster
      • CONTROL_PLANE_RANGE: the cluster control plane's IP address range (masterIpv4CidrBlock, the SRC_RANGES value) that you collected previously.
      • TARGET: the TARGET_TAGS value that you collected previously.
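The two steps above as one script, added here as an example; it is not code from the Anthos Service Mesh documentation. It assumes (not stated on the page) that the GKE-managed control-plane rule is the only rule named gke-CLUSTER_NAME-<hash>-master, and that the control-plane range is the /28 that GKE requires for --master-ipv4-cidr. The lookup uses gcloud's value() output format instead of the table format above so that the two fields can be split on a tab. With DRY_RUN=1 the lookup returns a constructed sample row and the create commands are printed rather than run, so the logic can be checked without a project.

```shell
#!/bin/sh
# Added example, not from the Anthos Service Mesh docs: automate the manual steps.
# Assumptions (not on the page): one GKE-managed master rule per cluster, and a
# /28 control-plane range. DRY_RUN=1 replaces gcloud with a constructed sample.
set -eu

# Reject anything that is not one or more /28 CIDRs. The rule's value lies in
# allowing only the control plane, never 0.0.0.0/0 or a whole VPC, to reach 15017.
validate_control_plane_range() {
  [ -n "$1" ] || return 1
  # grep -v reports any element that is NOT a /28 CIDR; a hit means reject.
  if printf '%s\n' "$1" | tr ',' '\n' | grep -Evq '^([0-9]{1,3}\.){3}[0-9]{1,3}/28$'; then
    return 1
  fi
  return 0
}

# Step 1: read the control-plane CIDR and node target tags from the GKE-managed
# master rule and print them as "RANGE TAGS" on a single line.
lookup_master_rule() {
  cluster="$1"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    # Constructed sample row, shaped like the tab-separated value() output below.
    line=$(printf '172.16.0.32/28\tgke-%s-a1b2c3d4-node' "$cluster")
  else
    line=$(gcloud compute firewall-rules list \
      --filter "name~gke-${cluster}-[0-9a-z]*-master" \
      --format 'value(sourceRanges.list(),targetTags.list())')
  fi
  [ -n "$line" ] || { echo "no master rule found for cluster $cluster" >&2; return 1; }
  [ "$(printf '%s\n' "$line" | wc -l | tr -d ' ')" -eq 1 ] \
    || { echo "more than one master rule matched; refine the filter" >&2; return 1; }
  range=$(printf '%s\n' "$line" | cut -f1)
  tags=$(printf '%s\n' "$line" | cut -f2)
  validate_control_plane_range "$range" \
    || { echo "refusing unexpected source range '$range'" >&2; return 1; }
  [ -n "$tags" ] || { echo "master rule has no target tags" >&2; return 1; }
  printf '%s %s\n' "$range" "$tags"
}

# Step 2 helper: build one create command; print it under DRY_RUN, run it otherwise.
create_rule() {
  name="$1"; range="$2"; tags="$3"; ports="$4"
  set -- gcloud compute firewall-rules create "$name" \
    --action ALLOW --direction INGRESS \
    --source-ranges "$range" --rules "$ports" --target-tags "$tags"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Open 15017 for the injection and validation webhooks; with a second argument of
# 1, also open 15014 and 8080 for istioctl version / istioctl ps.
open_asm_ports() {
  cluster="$1"; with_debug="${2:-0}"
  found=$(lookup_master_rule "$cluster")
  range=${found%% *}
  tags=${found#* }
  create_rule "allow-api-server-to-webhook-${cluster}" "$range" "$tags" tcp:15017
  if [ "$with_debug" = "1" ]; then
    create_rule "allow-debug-proxy-${cluster}" "$range" "$tags" tcp:15014,tcp:8080
  fi
}

# Usage: [DRY_RUN=1] ./open-asm-ports.sh CLUSTER_NAME [1]   (1 = also open debug ports)
if [ $# -ge 1 ]; then
  open_asm_ports "$@"
fi
```

Run it once with DRY_RUN=1 and compare the printed commands against the two commands above before running it for real; the script refuses to create a rule if the lookup returns no rule, more than one rule, an empty tag list, or a source range that is not a /28.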