ingress-nginx on gke private clusters

wunderio · Mar 8, 2024 · 9c3b9ff · 9c3b9ff
1 parent 1a15566
commit 9c3b9ff
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/docs/vendor-gcs.md b/docs/vendor-gcs.md
@@ -83,3 +83,30 @@ mounts:
 ```
 
 Full example on using the provisioned storageclass in **new and existing** projects [here](gcp_filestore_migration.md)
+
+### ingress-nginx load balancer on GKE private cluster
+
+When using GKE private cluster, [ingress-nginx](https://github.com/kubernetes/ingress-nginx) requires an additional firewall rule that allows control plane connection to nodes on port 8443. 
+Example and solution is borrowed from https://github.com/kubernetes/ingress-nginx/issues/5401
+
+```
+# Control pane range (normally 172.16.0.0/28)
+# gcloud container clusters describe [CLUSTER_NAME] --region europe-north1 --format json | jq -r '.privateClusterConfig.masterIpv4CidrBlock'
+CONTROL_PLANE_RANGE=172.16.0.0/28
+
+# Get cluster tag
+NETWORK_TAGS=$(gcloud compute instances describe \
+    $(kubectl get nodes -o jsonpath='{.items[0].metadata.name}') \
+    --format="value(tags.items[0])")
+
+# Print firewall rule command
+echo gcloud compute firewall-rules create silta-nginx-lb-ingress \
+    --action ALLOW \
+    --direction INGRESS \
+    --source-ranges ${CONTROL_PLANE_RANGE} \
+    --rules tcp:8443 \
+    --target-tags ${NETWORK_TAGS}
+
+```
+Review and execute command printed above.
+