2
votes

The GKE master runs in HA mode and the VM is not visible in the VM instances page either. Is it possible to allow traffic on the GKE master by opening more ports besides 443, which is already open for the k8s API?

1
Is it a private cluster or a public cluster? (jbielick)

If you look at your firewall rules, there will be one for the GKE master instances. You can modify or add to this firewall rule. (jbielick)

It's a public cluster. Will check the firewall rules. Will it be good practice to open ports on the master? What would be the alternative, a Service of type LoadBalancer? (gagan)

What do you want to perform on the master? Why use something other than 443? Is it for CRD? (guillaume blaquiere)

Not on the master. I have exposed services using NodePort. I was curious whether I can access them using <GKE_MASTER_IP>:<NODE_PORT>? Hence I am trying to allow ingress traffic. (gagan)

1 Answer

2
votes

GKE is a managed cluster and you cannot perform modifications on master nodes. The control plane is not visible in VM instances and all interactions must be made using kubectl.

The master is the unified endpoint for your cluster. All interactions with the cluster are done via Kubernetes API calls, and the master runs the Kubernetes API Server process to handle those requests. You can make Kubernetes API calls directly via HTTP/gRPC, or indirectly, by running commands from the Kubernetes command-line client (kubectl) or interacting with the UI in the Cloud Console.

In fact, I can't see a reason to change firewall rules on the control plane, since all your workloads, including services and ingress, will run in the node pools.

References:

https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture
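Added example, not part of the question or answer: it parses the JSON shape that `kubectl get nodes -o json` and `kubectl get svc -A -o json` return and lists where a NodePort Service is actually reachable. The node addresses, the `web`/`api` Services and the control-plane address are constructed sample values; the point is that the control plane is not a node, so it is never among the addresses a NodePort listens on.

```python
import json

# Constructed sample output of `kubectl get nodes -o json`: two worker nodes.
# The GKE control plane never appears here; it is not a node you administer.
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "gke-pool-1-a"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.128.0.2"},
                              {"type": "ExternalIP", "address": "203.0.113.10"}]}},
    {"metadata": {"name": "gke-pool-1-b"},
     "status": {"addresses": [{"type": "InternalIP", "address": "10.128.0.3"},
                              {"type": "ExternalIP", "address": "203.0.113.11"}]}},
]})

# Constructed sample output of `kubectl get svc -A -o json`.
SERVICES_JSON = json.dumps({"items": [
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"type": "NodePort",
              "ports": [{"port": 80, "nodePort": 30080, "protocol": "TCP"}]}},
    {"metadata": {"name": "api", "namespace": "default"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8080, "protocol": "TCP"}]}},
]})

MASTER_IP = "198.51.100.5"  # constructed placeholder for the control-plane endpoint


def node_external_ips(nodes_json):
    """ExternalIP of every node, in the order kubectl lists them."""
    return [addr["address"]
            for node in json.loads(nodes_json)["items"]
            for addr in node["status"].get("addresses", [])
            if addr["type"] == "ExternalIP"]


def nodeport_endpoints(nodes_json, services_json):
    """Map 'namespace/name' of each NodePort Service to the 'ip:nodePort'
    pairs where it is reachable. ClusterIP Services allocate no nodePort
    and are skipped."""
    ips = node_external_ips(nodes_json)
    endpoints = {}
    for svc in json.loads(services_json)["items"]:
        if svc["spec"].get("type") != "NodePort":
            continue
        key = f'{svc["metadata"]["namespace"]}/{svc["metadata"]["name"]}'
        endpoints[key] = [f'{ip}:{p["nodePort"]}'
                          for p in svc["spec"]["ports"] for ip in ips]
    return endpoints


def is_node_address(ip, nodes_json):
    """True only for a worker node's address; the control-plane endpoint
    fails this check, so nothing there listens on a nodePort."""
    return ip in node_external_ips(nodes_json)
```

To reach `web` from outside you would therefore target a node's ExternalIP (and the node firewall rule must admit the nodePort), or publish it through a Service of type LoadBalancer as suggested in the comments.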