Open in app

Sign in

Write

Sign in

10 GKE networking problems and how to resolve them

Spyros Kyriazatis
Google Cloud - Community
Published in
7 min readSep 3, 2024

Google Kubernetes Engine (GKE) offers a powerful and scalable platform for orchestrating containerized applications. However, like any distributed system, networking complexities can present challenges, leading to connectivity issues that can affect application performance. This guide explores ten common GKE networking problems and provides actionable steps to resolve them.

Understanding GKE Cluster Architecture

A GKE cluster consists of two main components: the control plane and worker nodes. Together, these form the Kubernetes orchestration system:

  • Control Plane: The control plane is responsible for managing the entire cluster. It runs essential processes like the Kubernetes API server, scheduler, and resource controllers. GKE manages the control plane’s lifecycle, including automatic Kubernetes version upgrades, though manual upgrades can be requested for earlier updates.s.
  • A cluster is a collection of nodes that host and manage containerized applications, coordinated by the control plane. In GKE, users can create and manage multiple clusters, each with its own resources like nodes, pods, and services. Clusters are typically used to separate environments such as development, testing, and production or to isolate different applications within an organization for better management and security.
  • Worker Nodes: Nodes are virtual machines that host and manage containerized applications. Each node runs a Kubernetes agent (Kubelet) that communicates with the control plane to manage the containers on that node. Nodes also include components like the container runtime and Kube-proxy, which handle container execution and network routing.
  • Pods and Containers: Pods are the smallest deployable units in Kubernetes, consisting of one or more containers that share the same network namespace, IP address, and storage. Containers are lightweight, standalone software packages that run applications in isolated environments.
  • Services: Services are abstractions that define a logical set of pods and provide a stable endpoint for accessing these pods. Services enable consistent communication within your application.

Ok, that was not as short as I thought. Now that we know the basics of the Kurbenetes architecture we can go back to GKE Connectivity Issues.

Let’s look into GKE Cluster control plane connectivity issues.

Common GKE Networking Issues

  1. Control Plane Connectivity Issues: Nodes or pods can’t reach the GKE control plane (GKE master endpoint). This could be due to network misconfigurations or other issues affecting connectivity between the nodes and the control plane.
  2. External Communication Issues:
    - Pods Can’t Reach External Services:     Internet connectivity issues may prevent pods from accessing external APIs, databases, or other resources.
    - External Services Can’t Reach Pods: Services exposed via GKE Load Balancers might be inaccessible from outside the cluster, disrupting the application’s availability to users.
  3. Cross-VPC and On-Premises Communication:
    - Pods Can’t Communicate Across VPCs:     Connectivity issues may arise when pods need to interact with services in another VPC, whether within the same project or through VPC peering.
    - Pods Can’t Communicate with On-Premises Resources: Connectivity problems can occur when GKE clusters need to interact with on-premises systems, such as those connected via VPN or using Hybrid Connectivity solutions.
  4. Communication Beyond Cluster VPCs:
    - Pods can not communicate with Resources in Other VPCs    : Connectivity issues may occur when pods need to interact with services in another VPC, whether within the same project or via VPC peering. These issues can affect cross-VPC communication essential for multi-cloud or hybrid environments.
    - Pods can not communicate with On-Premises Resources: issues arise when GKE clusters need to communicate with systems located in your company’s data centre, such as when connecting over VPN or using Hybrid Connectivity solutions.

Now we know what the problems could be, let us get to the fun part, troubleshooting.

Optimized Troubleshooting Steps

Step 1: Run Connectivity Tests

Use Google’s Connectivity Tests tool to diagnose and verify network paths between endpoints. This tool analyzes your configuration and can perform live dataplane analysis between endpoints to help identify issues like misconfigured firewall rules or routing problems.

Step 2: Isolate the Issue

Create a Google Compute Engine (GCE) virtual machine (VM) in the same subnet as your GKE cluster and test connectivity from this VM to the external endpoint that your GKE cluster is struggling to access. SSH into the newly created VM and test connectivity to the external endpoint your GKE cluster is having trouble accessing (e.g., use curl to test a web service).

If the VM connects successfully, the issue likely lies within your GKE configuration. If the VM also fails to connect, the problem might be within your VPC networking setup.

Step 3: Address Control Plane Connectivity Issues

Connectivity from nodes to the GKE cluster control plane (GKE master endpoint) depends on the type of GKE cluster (Private/Public/PSC-based Cluster).

  • General Troubleshooting Steps: Most of the steps for checking control plane connectivity are similar to those mentioned for general connectivity issues, such as running connectivity tests to the GKE cluster’s private or public control plane endpoint.
  • Authorized Networks: Ensure that the source is allowed in the control plane authorized networks. If the source is located in a different region than the GKE cluster, ensure that GKE cluster control plane global access is enabled.
  • Private Endpoint Management: If there is a need for routing traffic from outside GKE to reach the control plane via its private endpoint, ensure that the cluster is created with the --enable-private-endpoint option. This setting ensures that the cluster is managed using the private IP address of the control plane API endpoint.
  • Note: Pods and nodes within the same cluster will always attempt to connect to the GKE master on its private endpoint, regardless of whether the public endpoint is enabled.
  • Cross-Cluster Control Plane Access: If you’re accessing the control plane of a GKE cluster (Cluster A) with a public endpoint enabled from another private GKE cluster (Cluster B), note that pods in Cluster B will attempt to connect via the public endpoint of Cluster A. In this scenario, ensure that Cloud NAT is enabled for outside access in Cluster B, and that the Cloud NAT IP ranges are whitelisted in the control plane authorized networks of Cluster A.

Step 4: Review Network Policies

Network policies control the flow of traffic to and from your pods. Review the ingress and egress rules to ensure no unintended blocks are affecting connectivity. If using Dataplane V2, make sure logging is enabled to monitor traffic flow and identify where it might be blocked.

Step 5: Verify Cloud NAT Configuration

For private GKE clusters, proper Cloud NAT configuration is crucial for external connectivity since private clusters do not assign public IP addresses to nodes or pods by default.

Ensure that Cloud NAT is configured to handle traffic from both the pod CIDR and node CIDR.

Verify that Cloud NAT is correctly associated with the relevant subnets, router, and region. List the NAT configurations using gcloud compute routers nats list - router=ROUTER_NAME - region=REGION.

Step 6: Check IP Masquerading

IP Masquerading allows GKE nodes to replace the source IP address of outgoing packets from pods with the node’s IP address, ensuring return traffic reaches the correct pods.

  • Check if IP Masquerading is Enabled: Verify that the ip-masq-agent DaemonSet is running using kubectl get daemonset ip-masq-agent -n kube-system.
  • Inspect the ConfigMap: Review the ConfigMap associated with ip-masq-agent using kubectl get configmap ip-masq-agent -n kube-system -o yaml to ensure correct IP Masquerading behavior.
  • Modify nonMasqueradeCIDRs if Necessary: Adjust the nonMasqueradeCIDRs field in the ConfigMap if traffic is being incorrectly handled. Ensure that destinations within these CIDRs can accept traffic from pod IP ranges.

Modify the ip-masq-agent ConfigMap if required. You can update the ConfigMap with new nonMasqueradeCIDRs or other settings using the command kubectl edit configmap ip-masq-agent -n kube-system.

Roll out changes by restarting the ip-masq-agent DaemonSet using kubectl rollout restart daemonset/ip-masq-agent -n kube-system to ensure the changes take effect.

Step 7: Verify IPtables Configuration

Compare the IPtables configuration on working and non-working nodes to identify discrepancies. Use the command sudo iptables-save to export the IPtables configuration in a parsable format for easy comparison.

Step 8: Address Node-Specific Issues

  • Configuration Comparison: If issues are isolated to specific nodes, compare their configurations with those of functioning nodes. Use kubectl describe node NODE_NAME to view detailed node configurations.
  • Resource Monitoring: Check the node’s CPU and memory usage to ensure it isn’t overcommitted. High resource usage can cause connectivity issues. Additionally, monitor the conntrack table using sudo conntrack -L | wc -l to ensure it’s not full, as this could prevent new connections.
  • Generate a sosreport: A sosreport captures a comprehensive snapshot of the node’s current state, including logs, configurations, and system status. This can be valuable for root cause analysis (RCA). Google Cloud Documentation on sosreport

Step 9: Examine Logs

Analyze logs from the affected node to identify errors or warnings that coincide with the time of the connectivity issues. Use Google Cloud’s Logging service with filters like resource.type="k8s_node" resource.labels.cluster_name="GKE_CLUSTER_NAME" resource.labels.node_name="NODE_NAME" to isolate relevant logs.

  • Common Errors to Look For:
  • Connection timeouts
  • Out Of Memory (OOM) kills (oom_watcher)
  • Kubelet unhealthy status
  • NetworkPluginNotReady

Step 10: Resolve IP Address Conflicts and Load Balancer Issues

Review your IP address assignments to ensure there are no conflicts that might be causing connectivity issues. Conflicts can occur if multiple devices or components attempt to use the same IP address.

If conflicts are detected, reassign IP addresses or adjust CIDR ranges to eliminate overlaps and ensure smooth communication within the network.

Review the configuration of your GKE Load Balancers to ensure they are correctly set up to handle traffic. Incorrect configurations can lead to health check failures, preventing services from reaching the pods.

Investigate health check logs for errors that might indicate why the load balancer is failing to detect healthy pods.

Conclusion

Networking issues in GKE can be complex, but a systematic troubleshooting approach can help you quickly identify and resolve these problems. By understanding the architecture of your GKE cluster, reviewing configurations, monitoring resources, and running targeted tests, you can ensure your applications remain stable and performant. For complex or intermittent.

Networking
Gke
Troubleshooting
Google Cloud Platform
Kubernetes

--

--

Spyros Kyriazatis
Google Cloud - Community

Written by Spyros Kyriazatis

7 Followers
Writer for

IT professional and speaker with over 16+ years of experience. A lead organiser of the GDG Cloud Munich community,

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams