Opening ports on a private cluster
If you are installing in-cluster Cloud Service Mesh on a private cluster, you must open port 15017 in the firewall so that the webhooks used for automatic sidecar injection (auto-injection) and configuration validation can be reached by the control plane.
The following steps describe how to add a firewall rule that allows the cluster control plane to reach the new ports that you want to open.
- Find the source range (master-ipv4-cidr) and targets of the cluster. In the following command, replace CLUSTER_NAME with the name of your cluster:

      gcloud compute firewall-rules list \
        --filter 'name~gke-CLUSTER_NAME-[0-9a-z]*-master' \
        --format 'table(
          name,
          network,
          direction,
          sourceRanges.list():label=SRC_RANGES,
          allowed[].map().firewall_rule().list():label=ALLOW,
          targetTags.list():label=TARGET_TAGS
        )'

- Create the firewall rule. Choose from the following commands and replace CLUSTER_NAME with the name of the cluster from the previous command.

  - To enable auto-injection, run the following command to open port 15017:

        gcloud compute firewall-rules create allow-api-server-to-webhook-CLUSTER_NAME \
          --action ALLOW \
          --direction INGRESS \
          --source-ranges CONTROL_PLANE_RANGE \
          --rules tcp:15017 \
          --target-tags TARGET

    Replace the following:

    - CLUSTER_NAME: the name of your cluster
    - CONTROL_PLANE_RANGE: the cluster control plane's IP address range (masterIpv4CidrBlock) that you collected previously.
    - TARGET: the target (Targets) value that you collected previously.

  - If you also want to enable the istioctl version and istioctl ps commands, run the following command to open ports 15014 and 8080:

        gcloud compute firewall-rules create allow-debug-proxy-CLUSTER_NAME \
          --action ALLOW \
          --direction INGRESS \
          --source-ranges CONTROL_PLANE_RANGE \
          --rules tcp:15014,tcp:8080 \
          --target-tags TARGET

    Replace the following:

    - CLUSTER_NAME: the name of your cluster
    - CONTROL_PLANE_RANGE: the cluster control plane's IP address range (masterIpv4CidrBlock) that you collected previously.
    - TARGET: the target (Targets) value that you collected previously.
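As an added example (not part of the Cloud Service Mesh documentation), the following POSIX shell script automates the two steps above: it reads the control-plane CIDR and target tags from the auto-created GKE master firewall rule, builds the same create commands with the source range restricted to that CIDR, and lists what was created so you can verify it. The rule names and gcloud flags are those from the procedure; the value() format string, the "run"/"debug" arguments and the assumption that gcloud is authenticated for the right project are mine.

```shell
#!/bin/sh
# Added example, not from the Cloud Service Mesh docs. Automates the steps above:
# read the control-plane CIDR and node target tags from the GKE master firewall
# rule, then create the webhook (15017) and optional debug (15014, 8080) rules
# scoped to that CIDR only. The parse/build functions are pure shell so they can
# be checked against captured gcloud output without touching a project.
set -u

# Parse one line of `gcloud compute firewall-rules list
#   --format 'value(sourceRanges.list(),targetTags.list())'` (tab-separated).
# Prints "<cidr> <tags>"; fails if either field is missing so that a rule is
# never created with an empty source range or no target tags.
parse_master_rule() {
  cidr=$(printf '%s\n' "$1" | cut -s -f1)
  tags=$(printf '%s\n' "$1" | cut -s -f2)
  [ -n "$cidr" ] && [ -n "$tags" ] || return 1
  printf '%s %s\n' "$cidr" "$tags"
}

# Build the create command for one ingress rule: NAME CIDR TAGS PORTS.
# Only the control-plane range is allowed as source, matching the procedure.
build_rule_cmd() {
  printf 'gcloud compute firewall-rules create %s --action ALLOW --direction INGRESS --source-ranges %s --rules %s --target-tags %s\n' \
    "$1" "$2" "$4" "$3"
}

# Live path (assumption: gcloud is authenticated and configured for the project).
# Usage: CLUSTER_NAME=my-cluster sh open_webhook_ports.sh run [debug]
if [ "${1:-}" = "run" ]; then
  : "${CLUSTER_NAME:?set CLUSTER_NAME}"
  line=$(gcloud compute firewall-rules list \
    --filter "name~gke-${CLUSTER_NAME}-[0-9a-z]*-master" \
    --format 'value(sourceRanges.list(),targetTags.list())' | head -n 1)
  parsed=$(parse_master_rule "$line") || { echo "master firewall rule not found" >&2; exit 1; }
  cidr=${parsed%% *}; tags=${parsed#* }
  eval "$(build_rule_cmd "allow-api-server-to-webhook-$CLUSTER_NAME" "$cidr" "$tags" tcp:15017)"
  if [ "${2:-}" = "debug" ]; then
    eval "$(build_rule_cmd "allow-debug-proxy-$CLUSTER_NAME" "$cidr" "$tags" tcp:15014,tcp:8080)"
  fi
  # Verify the rules as created (source range, ports, tags) before relying on the webhook.
  gcloud compute firewall-rules list \
    --filter "name~(api-server-to-webhook|debug-proxy)-$CLUSTER_NAME" \
    --format 'table(name,sourceRanges.list(),allowed[].map().firewall_rule().list(),targetTags.list())'
fi
```

The listing at the end is the check worth keeping: the source range must be the control-plane CIDR, not 0.0.0.0/0, and the target tags must match the cluster's nodes.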