I want to set up a WireGuard (but Wireguard is not relevant) VPN to make GKE pods&services accessible via that VPN. We have a few clusters, which we want to be accessible via the same VPN connection. E.g.:
*.cluster1.localresolves to GKEcluster-1→*.cluster.local*.cluster2.localresolves to GKEcluster-2→*.cluster.local
In that case, I'll have to create DNS which will rewrite hosts, but I'm just not there yet.
I'm currently stuck because I can't access IPs of those clusters' services and pods (I create an instance with Ubuntu 16 and execute curl http://<some-k8s-service-ip>:<port of that service>/) because of the timeout.
It appears that every cluster is isolated and I basically can't access it outside via Internal IP, even if GCE VPN instance is in the same network as a cluster. For example, I can do, curl http://10.0.26.219:4000/ (this address resolves to a specific k8s service) from inside of a cluster, but I can't do it from the random GCE instance I create (it's in the same network as GKE clusters).
I have set up a firewall rule allowing all ingress&egress traffic to any ports, but it didn't do the trick.
To clarify, everything is located in the same network (eu-north-4) and VPC.
Perhaps anyone had experience with setting such a VPN? Please, let me know if there's information I could provide because there are so many things to consider. Shortly, it's all the defaults except it's private clusters.
curl http://<some-k8s-service-ip>:<port of that service>/from specific GKE node, you are also unable to connect to it, am I right ? So how are you going to make such connection from different GCE instance ? I guess that by<some-k8s-service-ip>you mean it'sClusterIP. If so, you cannot connect to it from outside the cluster. You can expose yourPodse.g. viaNodePortServiceand make them accessible on your node's internal or exteranal IP. – mariocurl http://<service-ip>:<service-port>– blits