Opening a port on a private cluster

If you are installing Anthos Service Mesh on a private cluster, you must open TCP port 15017 in the firewall so that the automatic sidecar injection webhook works. On a private cluster the GKE control plane reaches your nodes only through the firewall rule that GKE created for it, and by default that rule allows only ports 443 and 10250; the API server must also reach the istiod webhook on port 15017, otherwise sidecar injection fails. You can either add a firewall rule or update the firewall rule that was created automatically when you created the private cluster, as follows:

  1. Find the firewall rule that GKE created for the control plane. Its source range is the cluster's master-ipv4-cidr. In the following command, replace CLUSTER_NAME with the name of your cluster:

    gcloud compute firewall-rules list --filter="name~gke-CLUSTER_NAME-[0-9a-z]*-master"
  2. Update the firewall rule to add port 15017. In the following command, replace FIREWALL_RULE_NAME with the name of the rule found in the previous step:

    gcloud compute firewall-rules update FIREWALL_RULE_NAME --allow tcp:10250,tcp:443,tcp:15017

    The --allow flag replaces the rule's whole allowed list rather than appending to it, so you must include the default ports 443 (HTTPS) and 10250 (kubelet) as well as 15017. If the rule already allows other ports, include those too, or they are removed.
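The procedure above, as an added example that is not part of the Anthos Service Mesh documentation: the script looks up the control-plane rule, reads its current allowed list and source range, and adds tcp:15017 only if it is missing, so the existing ports are preserved and the script is safe to re-run. The cluster name, the rule name suffix, the sample allowed list and the DRY_RUN switch are assumptions for illustration; the gcloud --format expressions are the ones gcloud's default firewall-rules table uses and are assumed to print a comma-separated list.

```shell
#!/bin/sh
# Added example, not part of the Anthos Service Mesh docs: open tcp:15017 on a
# private cluster's control-plane firewall rule without dropping the ports the
# rule already allows. CLUSTER_NAME, the rule name used offline, the sample
# allowed list and the DRY_RUN switch are assumptions for illustration.
set -eu

# merge_allow CURRENT_LIST ENTRY
# CURRENT_LIST is the rule's existing allowed list in the comma-separated form
# gcloud prints (e.g. "tcp:443,tcp:10250"). ENTRY is appended exactly once, so
# re-running never produces duplicates.
merge_allow() {
  ma_current=$1; ma_add=$2; ma_out=""
  ma_oldifs=$IFS; IFS=','
  for ma_entry in $ma_current; do
    [ -n "$ma_entry" ] || continue
    [ "$ma_entry" = "$ma_add" ] && continue   # drop a duplicate of ENTRY
    ma_out="${ma_out:+$ma_out,}$ma_entry"
  done
  IFS=$ma_oldifs
  printf '%s\n' "${ma_out:+$ma_out,}$ma_add"
}

# needs_update CURRENT_LIST -> exit status 0 when tcp:15017 is not yet listed.
# Only an exact "tcp:15017" entry counts; a range such as tcp:15000-16000 or a
# bare "tcp" (all ports) is not parsed, so the worst case is a harmless re-update.
needs_update() {
  case ",$1," in
    *,tcp:15017,*) return 1 ;;
    *) return 0 ;;
  esac
}

# update_cmd RULE_NAME CURRENT_LIST
# Print the gcloud command that replaces the allowed list with the merged one.
# Because --allow replaces rather than appends, the merged list is what keeps
# 443 (HTTPS) and 10250 (kubelet) intact.
update_cmd() {
  printf 'gcloud compute firewall-rules update %s --allow %s\n' \
    "$1" "$(merge_allow "$2" tcp:15017)"
}

CLUSTER_NAME=${CLUSTER_NAME:-my-private-cluster}   # assumed cluster name
DRY_RUN=${DRY_RUN:-1}                              # 1 = offline walk-through

if [ "$DRY_RUN" = 1 ]; then
  # Constructed input: the default rule GKE creates allows only 443 and 10250.
  rule="gke-${CLUSTER_NAME}-abcd1234-master"       # constructed rule name
  current="tcp:443,tcp:10250"                      # constructed allowed list
  if needs_update "$current"; then
    echo "would run: $(update_cmd "$rule" "$current")"
  fi
else
  # Real run: find the auto-created rule (step 1), show its source range so you
  # can confirm it is the master-ipv4-cidr, then update it (step 2).
  rule=$(gcloud compute firewall-rules list \
    --filter="name~gke-${CLUSTER_NAME}-[0-9a-z]*-master" --format='value(name)')
  current=$(gcloud compute firewall-rules describe "$rule" \
    --format='value(allowed[].map().firewall_rule().list())')
  echo "rule $rule, source range: $(gcloud compute firewall-rules describe "$rule" \
    --format='value(sourceRanges.list())'), currently allows: $current"
  if needs_update "$current"; then
    gcloud compute firewall-rules update "$rule" --allow "$(merge_allow "$current" tcp:15017)"
  else
    echo "tcp:15017 is already allowed on $rule"
  fi
fi
```

Run it once with the default DRY_RUN=1 to see the exact command it would issue, then with DRY_RUN=0 CLUSTER_NAME=your-cluster to apply it. Reading the current list first is the check that matters: a rule that someone has already extended with other ports keeps them, whereas hardcoding the three ports from step 2 would silently remove them.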