Failures during Google Kubernetes Engine (GKE) cluster creation can prevent you from
provisioning necessary infrastructure. A common cause of these failures is a
violation of the constraints/compute.vmExternalIpAccess organization policy
constraint. Use this page to help you troubleshoot and resolve cluster creation
failures caused by this organization policy.
This information is important for Platform admins and operators or other users responsible for creating and managing GKE clusters within a Google Cloud organization. For more information about the common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
For general issues with a Kubernetes cluster, see Troubleshooting Clusters in the Kubernetes documentation.
Error: Constraint constraints/compute.vmExternalIpAccess violated
An error similar to the following can occur when you try to create a public GKE cluster:
Constraint constraints/compute.vmExternalIpAccess violated for project
This only affects public GKE clusters, including GKE Autopilot clusters.
When you create public GKE clusters, the underlying
Compute Engine VMs, which make up the worker nodes of this cluster, have
external IP addresses assigned.
If you configure the organization policy constraint
constraints/compute.vmExternalIpAccess
to Deny All or to restrict external IP addresses to specific VM instances at
the organization, folder, or project level, then the
policy prevents the GKE worker nodes from obtaining external IP
addresses, which results in cluster creation failure.
To find the logs of the cluster creation operation, you can review the GKE Cluster Operations Audit Logs using Logs Explorer with a search query similar to the following (the logName uses the same project ID as the resource label, so replace it too):
resource.type="gke_cluster"
logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.methodName="google.container.v1beta1.ClusterManager.CreateCluster"
resource.labels.cluster_name="CLUSTER_NAME"
resource.labels.project_id="PROJECT_ID"
Replace the following:
- CLUSTER_NAME: the name of the cluster that wasn't created.
- PROJECT_ID: your project ID.
To resolve this issue, ensure that the effective policy for the constraint
constraints/compute.vmExternalIpAccess is Allow All on the project where you
are trying to create a GKE public cluster. For information on
working with this constraint, see
Restricting external IP addresses to specific VM instances.
After setting the constraint to Allow All, delete the failed cluster and
create a new cluster. This is required because repairing the failed cluster is
not possible.
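Before deleting and recreating the cluster, it helps to confirm what the effective policy actually is on the project. The following is an added example, not part of the Google Cloud documentation: it classifies the JSON that `gcloud resource-manager org-policies describe compute.vmExternalIpAccess --project=PROJECT_ID --effective --format=json` prints, assuming the legacy list-policy format (`listPolicy.allValues` of ALLOW/DENY, or explicit `allowedValues`/`deniedValues`), and reports whether GKE worker nodes can obtain external IPs. The sample policy documents are constructed for the example.

```python
"""Classify an effective compute.vmExternalIpAccess org policy for GKE public clusters."""
import json

CONSTRAINT = "constraints/compute.vmExternalIpAccess"


def effective_policy_allows_gke_nodes(policy_json: str) -> tuple[bool, str]:
    """Return (ok, reason) for an effective org-policy document.

    ok is True only when the effective policy is Allow All (explicitly, or
    because no list policy is set and the constraint's default applies).
    Assumed input: legacy `listPolicy` format from the gcloud command above.
    """
    policy = json.loads(policy_json)
    if policy.get("constraint") != CONSTRAINT:
        return False, f"unexpected constraint {policy.get('constraint')!r}"
    list_policy = policy.get("listPolicy")
    if list_policy is None:
        # Constraint not enforced at org, folder or project level.
        return True, "no list policy set: external IPs allowed by default"
    all_values = list_policy.get("allValues")
    if all_values == "ALLOW":
        return True, "allValues=ALLOW: worker nodes can obtain external IPs"
    if all_values == "DENY":
        return False, "allValues=DENY: worker nodes are denied external IPs"
    allowed = list_policy.get("allowedValues", [])
    if allowed:
        # GKE creates node VMs dynamically, so they can never be pre-listed.
        return False, (f"{len(allowed)} specific instance(s) allowed; GKE nodes "
                       "are created dynamically and will not be on the list")
    return False, "list policy present but not Allow All; set it to Allow All"


# Constructed sample documents (example project and instance names).
DENY_ALL = json.dumps({"constraint": CONSTRAINT,
                       "listPolicy": {"allValues": "DENY"}})
ALLOW_ALL = json.dumps({"constraint": CONSTRAINT,
                        "listPolicy": {"allValues": "ALLOW"}})
RESTRICTED = json.dumps({"constraint": CONSTRAINT, "listPolicy": {"allowedValues": [
    "projects/example-project/zones/us-central1-a/instances/bastion-1"]}})
NOT_SET = json.dumps({"constraint": CONSTRAINT})

if __name__ == "__main__":
    for label, doc in [("deny_all", DENY_ALL), ("allow_all", ALLOW_ALL),
                       ("restricted", RESTRICTED), ("not_set", NOT_SET)]:
        ok, reason = effective_policy_allows_gke_nodes(doc)
        print(f"{label}: {'OK' if ok else 'WILL FAIL'} - {reason}")
```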
What's next
- If you can't find a solution to your problem in the documentation, see Get support for further help, including advice on the following topics:
  - Opening a support case by contacting Cloud Customer Care.
  - Getting support from the community by asking questions on StackOverflow and using the google-kubernetes-engine tag to search for similar issues. You can also join the #kubernetes-engine Slack channel for more community support.
  - Opening bugs or feature requests by using the public issue tracker.