# Open ports on a private cluster

> **Note:** This guide only supports Cloud Service Mesh with Istio APIs and does not support Google Cloud APIs. For more information, see [Cloud Service Mesh overview](/service-mesh/v1.24/docs/overview).

If you are [installing in-cluster Cloud Service Mesh](/service-mesh/v1.24/docs/unified-install/install-anthos-service-mesh) on a private cluster, you must open port 15017 in the firewall so that the webhooks used for [automatic sidecar injection](/service-mesh/v1.24/docs/onboarding/kubernetes-workloads#inject_sidecar_proxies) (auto-injection) and configuration validation can reach the control plane's webhook server.

The following steps describe how to [add a firewall rule](/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules) that includes the new ports you want to open.

1. Find the source range (`master-ipv4-cidr`) and the targets of the cluster. In the following command, replace `CLUSTER_NAME` with the name of your cluster:

   ```
   gcloud compute firewall-rules list \
       --filter 'name~gke-CLUSTER_NAME-[0-9a-z]*-master' \
       --format 'table(
           name,
           network,
           direction,
           sourceRanges.list():label=SRC_RANGES,
           allowed[].map().firewall_rule().list():label=ALLOW,
           targetTags.list():label=TARGET_TAGS
       )'
   ```

2. Create the firewall rule. Choose from the following commands and replace `CLUSTER_NAME` with the name of the cluster from the previous command.

   - To enable auto-injection, run the following command to open port 15017:

     ```
     gcloud compute firewall-rules create allow-api-server-to-webhook-CLUSTER_NAME \
         --action ALLOW \
         --direction INGRESS \
         --source-ranges CONTROL_PLANE_RANGE \
         --rules tcp:15017 \
         --target-tags TARGET
     ```

     Replace the following:
     - `CLUSTER_NAME`: the name of your cluster.
     - `CONTROL_PLANE_RANGE`: the cluster control plane's IP address range (`masterIpv4CidrBlock`) that you collected previously.
     - `TARGET`: the target (`Targets`) value that you collected previously.

     > **Note:** To add a firewall rule for a Shared VPC, add the following flags to the command:
     >
     > ```
     > --project HOST_PROJECT_ID
     > --network NETWORK_ID
     > ```
     >
     > For more information on Shared VPC, see [Setting up clusters with Shared VPC](/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules).

   - If you also want to enable the `istioctl version` and `istioctl ps` commands, run the following command to open ports 15014 and 8080:

     ```
     gcloud compute firewall-rules create allow-debug-proxy-CLUSTER_NAME \
         --action ALLOW \
         --direction INGRESS \
         --source-ranges CONTROL_PLANE_RANGE \
         --rules tcp:15014,tcp:8080 \
         --target-tags TARGET
     ```

     Replace `CLUSTER_NAME`, `CONTROL_PLANE_RANGE` and `TARGET` as described for the previous command. For a Shared VPC, add the same `--project HOST_PROJECT_ID` and `--network NETWORK_ID` flags.
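As an added audit check that is not part of this guide: after creating the rule, confirm it is scoped as tightly as the steps above intend (source limited to the control-plane CIDR, TCP on the documented ports only, applied only to the cluster's node tag). The Python below validates a rule in the shape returned by `gcloud compute firewall-rules describe RULE_NAME --format json` (field names follow the Compute Engine firewall resource: `direction`, `sourceRanges`, `allowed`, `targetTags`); the sample rule, CIDR and tag values are constructed placeholders.

```python
import ipaddress

# Ports from the steps above: 15017 for the injection/validation webhooks,
# 15014 and 8080 only if the istioctl debug commands are wanted.
WEBHOOK_PORTS = {15017}
DEBUG_PORTS = {15014, 8080}

def expand_ports(spec):
    """Turn gcloud port strings ('15017', '15014-15017') into a set of ints."""
    ports = set()
    for p in spec:
        lo, _, hi = p.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit_rule(rule, control_plane_range, node_tag):
    """Return findings; an empty list means the rule matches the recipe above."""
    findings = []
    if rule.get("direction") != "INGRESS":
        findings.append("direction must be INGRESS")
    # Source must be exactly the control-plane CIDR, never something broader.
    expected = ipaddress.ip_network(control_plane_range)
    srcs = rule.get("sourceRanges", [])
    if not srcs:
        findings.append("no sourceRanges set")
    for src in srcs:
        if ipaddress.ip_network(src) != expected:
            findings.append(f"unexpected source range {src}")
    # Only TCP, and only the documented ports.
    opened = set()
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() != "tcp":
            findings.append(f"non-TCP protocol allowed: {entry.get('IPProtocol')}")
        elif "ports" not in entry:
            findings.append("tcp allowed on all ports")
        else:
            opened |= expand_ports(entry["ports"])
    extra = opened - WEBHOOK_PORTS - DEBUG_PORTS
    if extra:
        findings.append(f"ports beyond the documented set: {sorted(extra)}")
    if not opened & (WEBHOOK_PORTS | DEBUG_PORTS):
        findings.append("none of ports 15017, 15014 or 8080 is opened")
    # Scoped to the cluster's node tag, not applied to every VM in the network.
    if node_tag not in rule.get("targetTags", []):
        findings.append(f"target tag {node_tag} missing")
    return findings

# Constructed sample of a describe --format json result (values are placeholders).
SAMPLE_RULE = {"name": "allow-api-server-to-webhook-demo", "direction": "INGRESS",
               "sourceRanges": ["172.16.0.0/28"], "targetTags": ["gke-demo-1a2b3c4d-node"],
               "allowed": [{"IPProtocol": "tcp", "ports": ["15017"]}]}
```

Run `audit_rule(SAMPLE_RULE, "172.16.0.0/28", "gke-demo-1a2b3c4d-node")` against your own `describe` output and control-plane CIDR; any non-empty result is a rule broader than this guide requires.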
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-09-04 UTC.