Cluster Configuration

GKE

Private Clusters

If you are using a private GKE cluster, you are required to create afirewall rule that allows the GKE operated api-server to communicate with theLinkerd control plane. This makes it possible for features such as automaticproxy injection to receive requests directly from the api-server.

In this example, we will use gcloud tosimplify the creation of the said firewall rule.

Setup:

  1. CLUSTER_NAME=your-cluster-name
  2. gcloud config set compute/zone your-zone-or-region

Get the cluster MASTER_IPV4_CIDR:

  1. MASTER_IPV4_CIDR=$(gcloud container clusters describe $CLUSTER_NAME \
  2.   | grep "masterIpv4CidrBlock: " \
  3.   | awk '{print $2}')

Get the cluster NETWORK:

  1. NETWORK=$(gcloud container clusters describe $CLUSTER_NAME \
  2.   | grep "^network: " \
  3.   | awk '{print $2}')

Get the cluster auto-generated NETWORK_TARGET_TAG:

  1. NETWORK_TARGET_TAG=$(gcloud compute firewall-rules list \
  2.   --filter network=$NETWORK --format json \
  3.   | jq ".[] | select(.name | contains(\"$CLUSTER_NAME\"))" \
  4.   | jq -r '.targetTags[0]' | head -1)

The format of the network tag should be something like gke-cluster-name-xxxx-node.

Verify the values:

  1. echo $MASTER_IPV4_CIDR $NETWORK $NETWORK_TARGET_TAG
  3. # example output
  4. 10.0.0.0/28 foo-network gke-foo-cluster-c1ecba83-node

Create the firewall rules for proxy-injector and tap:

  1. gcloud compute firewall-rules create gke-to-linkerd-control-plane \
  2.   --network "$NETWORK" \
  3.   --allow "tcp:8443,tcp:8089" \
  4.   --source-ranges "$MASTER_IPV4_CIDR" \
  5.   --target-tags "$NETWORK_TARGET_TAG" \
  6.   --priority 1000 \
  7.   --description "Allow traffic on ports 8843, 8089 for linkerd control-plane components"

Finally, verify that the firewall is created:

  1. gcloud compute firewall-rules describe gke-to-linkerd-control-plane