Opening ports on a private cluster

If you are installing Anthos Service Mesh on a private cluster, you must open port 15017 in the firewall so that the webhook used for automatic sidecar injection (auto-injection) works properly. Additionally, for the istioctl version and istioctl ps commands to function properly, you must open ports 15014 and 8080, respectively.

You can either add a firewall rule or update the firewall rule that was created automatically when you created the private cluster. The following steps describe how to update the firewall rule. The update command replaces the rule's existing list of allowed ports rather than appending to it, so you must include the default ports 443 (HTTPS) and 10250 (kubelet) as well as the new ports that you want to open.

  1. Find the source range (master-ipv4-cidr) of the cluster. In the following command, replace CLUSTER_NAME with the name of your cluster:

    gcloud compute firewall-rules list --filter="name~gke-CLUSTER_NAME-[0-9a-z]*-master"
  2. Update the firewall rule. Choose one of the following commands and replace FIREWALL_RULE_NAME with the name of the firewall rule from the output of the previous command.

    • If you only want to enable auto-injection, run the following command to open port 15017:

      gcloud compute firewall-rules update FIREWALL_RULE_NAME --allow tcp:10250,tcp:443,tcp:15017
    • If you want to enable auto-injection and the istioctl version and istioctl ps commands, run the following command to open ports 15017, 15014, and 8080:

      gcloud compute firewall-rules update FIREWALL_RULE_NAME --allow tcp:10250,tcp:443,tcp:15017,tcp:15014,tcp:8080
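Because the update replaces the allow list, a practitioner typically wants to compute the new list from what the rule allows today rather than retype it. The following POSIX shell helper is an added example (not from the Anthos Service Mesh documentation) that merges the current allow list with the ports named in this section and reports which are still missing; the FIREWALL_RULE_NAME environment variable and the gcloud --format expression used in the live branch are assumptions.

```shell
#!/bin/sh
# Added example, not from the Anthos Service Mesh docs: compute the --allow list
# for a GKE master firewall rule so that the update (which REPLACES the existing
# allow list) keeps 443 and 10250 and adds the Anthos Service Mesh ports.

# Ports this section says the rule must allow after the update.
ASM_REQUIRED_PORTS="tcp:443 tcp:10250 tcp:15017 tcp:15014 tcp:8080"

# merge_allow CURRENT_ALLOW REQUIRED_PORTS
#   CURRENT_ALLOW: comma-separated allow list, e.g. "tcp:443,tcp:10250"
#   REQUIRED_PORTS: space-separated list such as $ASM_REQUIRED_PORTS
# Prints the union as a comma-separated, de-duplicated list for --allow.
merge_allow() {
  # $2 is intentionally unquoted so each required entry becomes its own line.
  { printf '%s\n' "$1" | tr ',' '\n'; printf '%s\n' $2; } \
    | sed '/^$/d' | sort -u | paste -sd, -
}

# missing_ports CURRENT_ALLOW REQUIRED_PORTS
# Prints the required entries absent from CURRENT_ALLOW (space-separated),
# or nothing if the rule already allows everything it needs.
missing_ports() {
  _cur=",$1,"
  _out=""
  for _p in $2; do
    case "$_cur" in
      *",$_p,"*) ;;                       # already allowed
      *) _out="${_out:+$_out }$_p" ;;     # append, space-separated
    esac
  done
  printf '%s\n' "$_out"
}

# update_cmd RULE_NAME CURRENT_ALLOW REQUIRED_PORTS
# Prints the gcloud command that would apply the merged list (dry run only).
update_cmd() {
  printf 'gcloud compute firewall-rules update %s --allow %s\n' \
    "$1" "$(merge_allow "$2" "$3")"
}

# Live mode (assumptions: FIREWALL_RULE_NAME is set and gcloud is installed).
# The --format expression is assumed to match gcloud's own ALLOW column output.
if [ -n "${FIREWALL_RULE_NAME:-}" ] && command -v gcloud >/dev/null 2>&1; then
  current=$(gcloud compute firewall-rules describe "$FIREWALL_RULE_NAME" \
    --format='value(allowed[].map().firewall_rule().list())')
  echo "Missing before update: $(missing_ports "$current" "$ASM_REQUIRED_PORTS")"
  update_cmd "$FIREWALL_RULE_NAME" "$current" "$ASM_REQUIRED_PORTS"
fi
```

The script only prints the update command; review the merged list and run it yourself, since the rule's other attributes (source ranges, network) are left untouched.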