I want to set up a WireGuard (but WireGuard is not relevant) VPN to make GKE pods & services accessible via that VPN. We have a few clusters, which we want to be accessible via the same VPN connection. E.g.:

- `*.cluster1.local` resolves to GKEcluster-1 → `*.cluster.local`
- `*.cluster2.local` resolves to GKEcluster-2 → `*.cluster.local`
In that case, I'll have to create DNS which will rewrite hosts, but I'm just not there yet.
I'm currently stuck because I can't access IPs of those clusters' services and pods (I create an instance with Ubuntu 16 and execute `curl http://<some-k8s-service-ip>:<port of that service>/`) because of the timeout.
It appears that every cluster is isolated and I basically can't access it from outside via its internal IP, even if the GCE VPN instance is in the same network as the cluster. For example, I can do `curl http://10.0.26.219:4000/` (this address resolves to a specific k8s service) from inside the cluster, but I can't do it from a random GCE instance I create (it's in the same network as the GKE clusters).
I have set up a firewall rule allowing all ingress & egress traffic to any ports, but it didn't do the trick.
To clarify, everything is located in the same network (eu-north-4) and VPC.
Perhaps anyone had experience with setting up such a VPN? Please, let me know if there's information I could provide, because there are so many things to consider. Shortly, it's all the defaults except that they're private clusters.
`curl http://<some-k8s-service-ip>:<port of that service>/` from a specific GKE node, you are also unable to connect to it, am I right? So how are you going to make such a connection from a different GCE instance? I guess that by `<some-k8s-service-ip>` you mean its `ClusterIP`. If so, you cannot connect to it from outside the cluster. You can expose your `Pods` e.g. via a `NodePort` `Service` and make them accessible on your node's internal or external IP. – mario

`curl http://<service-ip>:<service-port>` – blits
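To make the distinction mario draws concrete, here is an added example manifest (it is not from the original thread and not GKE's own documentation) of a `Service` of type `NodePort`; the Service name, namespace, pod label and container port are assumptions, and `4000` only mirrors the port in the question's `curl`.

```yaml
# Added example, not part of the original thread. Names, labels and ports are assumed.
#
# A Service of the default type (ClusterIP) gets an address from the cluster's
# Service CIDR. That range is virtual: it is implemented by kube-proxy on the
# nodes and is not routed in the VPC, so a curl from a GCE VM in the same
# network times out no matter how permissive the VPC firewall rule is.
#
# A NodePort Service keeps the ClusterIP but additionally opens the same
# application on a fixed port of every node's own IP. Node internal IPs are real
# VPC addresses (also in a private cluster), so a VM in the same VPC, or a VPN
# client routed into it, can reach the pods through any node.
apiVersion: v1
kind: Service
metadata:
  name: my-app            # assumed Service name
  namespace: default
spec:
  type: NodePort
  selector:
    app: my-app           # assumed pod label
  ports:
    - name: http
      port: 4000          # port on the ClusterIP, as in the question's example
      targetPort: 8080    # assumed container port inside the pod
      nodePort: 30400     # must lie in the node port range, 30000-32767 by default
```

After `kubectl apply -f` on this manifest, `kubectl get nodes -o wide` lists each node's INTERNAL-IP, and `curl http://<node-internal-ip>:30400/` from the VM in the same VPC reaches the pods. The only VPC firewall requirement is that TCP on the node port (or the whole 30000-32767 range) is allowed from the VM's or VPN subnet; the allow-all rule described in the question already covers that, which is why the rule alone did not help: the missing piece was the Service type, not the firewall.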