Cluster Configuration


Private Clusters

If you are using a private GKE cluster, you must create a master-to-node firewall rule that allows the GKE control plane (master) to reach the linkerd-proxy-injector container endpoint on the nodes at port tcp/8443. Without this rule, the control plane cannot call the proxy injector.

In this example, gcloud is used to simplify the creation of that firewall rule.


gcloud config set compute/zone your-zone-or-region

Get the cluster MASTER_IPV4_CIDR:

MASTER_IPV4_CIDR=$(gcloud container clusters describe $CLUSTER_NAME \
  | grep "masterIpv4CidrBlock: " \
  | awk '{print $2}')

Get the cluster NETWORK:

NETWORK=$(gcloud container clusters describe $CLUSTER_NAME \
  | grep "^network: " \
  | awk '{print $2}')

Get the cluster auto-generated NETWORK_TARGET_TAG:

NETWORK_TARGET_TAG=$(gcloud compute firewall-rules list \
  --filter network=$NETWORK --format json \
  | jq ".[] | select(.name | contains(\"$CLUSTER_NAME\"))" \
  | jq -r '.targetTags[0]' | head -1)

The network tag should look like gke-cluster-name-xxxx-node, where xxxx is an auto-generated suffix.

Verify the values:

echo "$MASTER_IPV4_CIDR" "$NETWORK" "$NETWORK_TARGET_TAG"
# example output (the master CIDR value is cluster-specific): foo-network gke-foo-cluster-c1ecba83-node
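Because the rule grants the control plane access to every node carrying the target tag, it is worth checking that the three discovered values are sane before creating it. The following pre-flight check is an added example, not part of the Linkerd docs or of gcloud; validate_fw_inputs, is_master_cidr and is_node_tag_for_cluster are assumed helper names, and the tag check assumes the cluster name appears untruncated in the gke-<cluster>-<hex>-node tag.

```shell
#!/bin/sh
# Pre-flight validation of MASTER_IPV4_CIDR, NETWORK and NETWORK_TARGET_TAG.
# Exit status 0 means the values look sane; 1 means do not create the rule.

# Returns 0 if $1 is a dotted-quad IPv4 address with a /28 prefix, which is
# the prefix length GKE requires for masterIpv4CidrBlock.
is_master_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/28$' || return 1
  # every octet must be <= 255
  octets=$(printf '%s\n' "$1" | cut -d/ -f1 | tr '.' ' ')
  for o in $octets; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Returns 0 if $1 is an auto-generated GKE node tag for cluster $2,
# i.e. gke-<cluster-name>-<8 hex chars>-node (assumed tag format, untruncated).
is_node_tag_for_cluster() {
  printf '%s\n' "$1" | grep -Eq "^gke-$2-[0-9a-f]{8}-node$"
}

# validate_fw_inputs MASTER_IPV4_CIDR NETWORK NETWORK_TARGET_TAG CLUSTER_NAME
validate_fw_inputs() {
  cidr=$1; network=$2; tag=$3; cluster=$4
  [ -n "$network" ] || { echo "NETWORK is empty" >&2; return 1; }
  is_master_cidr "$cidr" \
    || { echo "MASTER_IPV4_CIDR '$cidr' is not a /28 IPv4 CIDR" >&2; return 1; }
  is_node_tag_for_cluster "$tag" "$cluster" \
    || { echo "NETWORK_TARGET_TAG '$tag' is not a node tag of cluster '$cluster'" >&2; return 1; }
  return 0
}

# Usage: run with the values gathered above, and only proceed on success, e.g.
#   validate_fw_inputs "$MASTER_IPV4_CIDR" "$NETWORK" "$NETWORK_TARGET_TAG" "$CLUSTER_NAME"
```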

Create the firewall rule:

gcloud compute firewall-rules create gke-to-linkerd-proxy-injector-8443 \
  --network "$NETWORK" \
  --allow "tcp:8443" \
  --source-ranges "$MASTER_IPV4_CIDR" \
  --target-tags "$NETWORK_TARGET_TAG" \
  --priority 1000

Finally, verify that the firewall rule was created:

gcloud compute firewall-rules describe gke-to-linkerd-proxy-injector-8443