
Can't access gke services subnet from compute engine

Hello everyone, everything good? My first time here. I'm here because I don't know what else to do.

I have a service inside my GKE cluster that I need to access from a machine on Compute Engine. Basically, I can access this service by the endpoint address that is part of the pod subnet. But I can't, for example, create a service of type ClusterIP and access the service from within the Compute Engine machine. I've already tested it, created rules allowing all traffic, done tcpdump, and looked through all the documentation, but I didn't find anything. It appears to be a routing issue, although the route to this subnet exists.

If I try to access this clusterip service from within a pod it works normally. This was a test I did.

See, I'm going to modify the networks for confidentiality reasons, but I'm going to try to follow the same CIDR idea to make it clearer. The network in question is called "production"; this network has the address 10.70.0.0/20 and contains two subnets, 10.26.0.0/20 and 10.22.0.0/14.

This network was initially created for a GKE cluster, but later became the core network for all production resources. So all the production machines I have are inside the 10.70.0.0/20 network. In turn, we have the two subnets 10.26.0.0/20 and 10.22.0.0/14, which are respectively the network for services and the network for GKE pods.


What I need, as I said at the beginning, is to access a service by ClusterIP that receives an IP within the services network (10.26.0.0/20) from a machine that has an IP within the 10.70.0.0/20 network. This access simply does not work. I have routes configured and the firewall rules allow it, but it just doesn't work.

If I try to access it from within a pod that is on the 10.22.0.0/14 network, I can access it. I've tried from different machines within the 10.70.0.0/20 network and none of them work. What's funnier is that if I try to access an endpoint of the pod behind the service directly, for example 10.22.3.36:8080, it works normally.

Sometimes I think it might be some flag within GKE that blocks this.

Then you might ask me: if you can access it through the pod's endpoint directly, why don't you use it that way? I don't use it that way because every time the pod is restarted it gets a new IP, and so I lose access. The only useful way to do this is by consuming the service address as NodePort or ClusterIP, but it just doesn't work.

Any idea how I can troubleshoot this?
