
GKE: Investigate possible firewall issue blocking traffic between control plane and workers

Open pst opened this issue 3 years ago • 3 comments

I encountered two issues that may indicate a network connectivity issue:

  1. kubeseal CLI times out trying to encrypt a secret - under the hood it seems to do a port-forward to talk to the controller to get the cert (workaround is to kubectl get the secret, store the cert locally and use that with kubeseal --cert manually)
  2. nginx ingress admission controller times out after the default 10s deadline when applying ingress resources

These issues may or may not be related. And they may or may not be caused by GKE networking settings.

pst avatar May 11 '21 12:05 pst

https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters#add_firewall_rules

pst avatar May 11 '21 13:05 pst

I found a problem that could be related to this. While trying to implement OPA Gatekeeper, the admission controller is not able to reach the webhook. It seems to be a known issue. And the fix described here suggests adding a new firewall rule.

Would be great if we could add these firewall rules through kbst.

elieser1101 avatar May 28 '21 21:05 elieser1101

Bump. Following the kubestack setup guide, NGINX validation webhook fails due to the missing firewall rule.

zpiazza-combocurve avatar Aug 01 '23 12:08 zpiazza-combocurve
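The firewall rule the linked GKE private-cluster document and the Gatekeeper and NGINX comments above refer to, written as an added Terraform example (not code from this issue or from terraform-kubestack): it opens only TCP 8443, the port both the ingress-nginx validating admission webhook and the Gatekeeper webhook listen on, and only from the control plane's reserved CIDR to this cluster's nodes. The cluster name `kbst-cluster`, location `us-central1`, project `example-project` and node network tag `gke-kbst-node` are constructed placeholders.

```terraform
# Added example, not part of terraform-kubestack. Least-privilege GKE firewall rule
# letting a private cluster's control plane reach admission webhooks on the nodes.
# Cluster name, location, project and node tag below are constructed placeholders.

data "google_container_cluster" "this" {
  name     = "kbst-cluster"
  location = "us-central1"
  project  = "example-project"
}

resource "google_compute_firewall" "control_plane_to_webhooks" {
  name      = "${data.google_container_cluster.this.name}-cp-to-webhooks"
  project   = "example-project"
  network   = data.google_container_cluster.this.network
  direction = "INGRESS"

  # Source is taken from the cluster itself, so the rule cannot drift from the
  # control plane's actual /28 and nothing else on the VPC gains access.
  source_ranges = [
    data.google_container_cluster.this.private_cluster_config[0].master_ipv4_cidr_block,
  ]

  # Scope the rule to this cluster's nodes instead of the whole network.
  target_tags = ["gke-kbst-node"]

  # 8443: ingress-nginx admission webhook and Gatekeeper webhook. Keep the list
  # explicit; add a port only for a webhook you actually run, never "all tcp".
  allow {
    protocol = "tcp"
    ports    = ["8443"]
  }
}
```

After `terraform apply`, confirm the rule's source range matches the cluster's `masterIpv4CidrBlock` and that no broader rule (for example 0.0.0.0/0 on the same ports) was added alongside it.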