gke/ERR/2021_015

GKE connectivity: node to pod communication.

Product: Google Kubernetes Engine
Rule class: ERR - Something that is very likely to be wrong

Description

Agents and host-network pods from a node must be able to communicate with all pods on all nodes.

The GKE control plane automatically creates a firewall rule called gke-[cluster-name]-[cluster-hash]-vms to allow these connections, but if the connections get blocked, the following could be the reason:

The firewall rules couldn’t be created (for example in a shared VPC scenario)
The firewall rules were disabled or deleted
There is a higher priority firewall rule configured for the VPC
There is a firewall policy at the organization or folder level which blocks these connections.

Remediation

The gcpdiag output should tell you if the connection was blocked by a firewall rule or policy.

Further information

Automatically created firewall rules