gke/ERR/2021_014

GKE masters of private clusters can reach the nodes.

Product: Google Kubernetes Engine
Rule class: ERR - Something that is very likely to be wrong

Description

Nodes of private clusters must allow certain connections from the masters (tcp:443 and tcp:10250)

The GKE control plane automatically creates a firewall rule called gke-[cluster-name]-[cluster-hash]-master to allow these connections, but if the connections get blocked, the following could be the reason:

The firewall rules couldn’t be created (for example in a shared VPC scenario)
The firewall rules were disabled or deleted
There is a higher priority firewall rule configured for the VPC
There is a firewall policy at the organization or folder level which blocks these connections.

Remediation

The gcpdiag output should tell you if the connection was blocked by a firewall rule or policy.

Further information

Automatically created firewall rules