When installing Okteto Self-Hosted on a GKE private cluster with network policies enabled, and with a default deny-all ingress NetworkPolicy applied to every pod in the okteto namespace, you must explicitly allow ingress traffic to one specific component: the admission webhook.
Okteto ships a validating/mutating admission webhook, deployed as a pod inside the okteto namespace, which serves HTTPS requests sent by the Kubernetes API server (the control plane). If a default-deny ingress policy blocks those requests, the API server cannot reach the webhook and admission calls time out.
In a GKE private cluster the control plane lives in a dedicated subnet (masterIpv4CidrBlock), and its value can be read with the following command:
gcloud container clusters describe \
--format='get(privateClusterConfig.masterIpv4CidrBlock)' \
${CLUSTER_NAME}
Note: replace ${CLUSTER_NAME} appropriately, and add --zone or --region to point at the cluster's location if it is not set in your gcloud config. Check gcloud container clusters describe --help for additional flags.
The returned value is a /28 block, for example 10.127.255.240/28. If the command returns nothing, the cluster is not a private cluster and this step does not apply.
Now create the following NetworkPolicy, which allows TCP ingress from that CIDR to the webhook pods only:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-controlplane-to-webhook
  namespace: okteto
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: webhook
      app.kubernetes.io/part-of: okteto
  ingress:
    - ports:
        - protocol: TCP
          port: 443
      from:
        - ipBlock:
            cidr: GKE_CONTROLPLANE_CIDR
  policyTypes:
    - Ingress
Note: replace GKE_CONTROLPLANE_CIDR with the value returned by the previous command. The ingress port must match the Helm value .Values.webhook.port, which defaults to 443. If you change the webhook to a port other than 443, a GKE private cluster additionally needs a VPC firewall rule allowing traffic from the control-plane CIDR to the nodes on that port; the NetworkPolicy alone does not open it. After applying, verify that the podSelector actually matches a running pod (kubectl -n okteto get pods -l app.kubernetes.io/component=webhook); a policy whose selector matches nothing silently allows nothing.
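The two steps above, combined into one script as an added example (this is not Okteto's own tooling or a script from the original page): it looks up the control-plane CIDR with gcloud, validates that the returned value really is an IPv4 CIDR before it is substituted into the manifest, renders the NetworkPolicy from the page with the CIDR and port filled in, applies it, and checks that the selector matches a pod. The variable names CLUSTER_NAME, CLUSTER_LOCATION_FLAGS and WEBHOOK_PORT, and the function names, are assumptions made for this example; the apply step only runs when CLUSTER_NAME is set, so the rendering and validation functions can be exercised without a cluster.

```shell
#!/bin/sh
# Added example, not Okteto's own tooling. Assumptions: gcloud and kubectl are on
# PATH and authenticated; the operator sets CLUSTER_NAME, CLUSTER_LOCATION_FLAGS
# (e.g. "--zone us-central1-a" or "--region us-central1") and WEBHOOK_PORT, which
# must match the Helm value webhook.port (default 443). Variable names are assumed.
set -e

# Accept only a syntactically valid IPv4 CIDR such as 10.127.255.240/28.
# This guards against feeding an empty string or a gcloud error message into
# the manifest, which would otherwise yield a policy with a bogus ipBlock.
is_ipv4_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
  _ip=${1%/*}
  _old_ifs=$IFS; IFS=.
  set -- $_ip            # split the address into its four octets
  IFS=$_old_ifs
  for _octet in "$@"; do
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Render the NetworkPolicy from the page with the CIDR and port substituted.
# Emits nothing and fails if the CIDR is malformed.
render_webhook_policy() {
  _cidr=$1
  _port=${2:-443}
  is_ipv4_cidr "$_cidr" || { echo "render_webhook_policy: invalid CIDR '$_cidr'" >&2; return 1; }
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-controlplane-to-webhook
  namespace: okteto
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: webhook
      app.kubernetes.io/part-of: okteto
  ingress:
    - ports:
        - protocol: TCP
          port: $_port
      from:
        - ipBlock:
            cidr: $_cidr
  policyTypes:
    - Ingress
EOF
}

# Read the control-plane CIDR of a GKE private cluster. Any extra arguments are
# passed through to gcloud, e.g. --zone or --region.
lookup_controlplane_cidr() {
  _name=$1; shift
  gcloud container clusters describe "$_name" "$@" \
    --format='get(privateClusterConfig.masterIpv4CidrBlock)'
}

# Operator entry point. Only runs when CLUSTER_NAME is set, so the functions
# above can be sourced and tested without touching a cluster.
if [ -n "${CLUSTER_NAME:-}" ]; then
  # CLUSTER_LOCATION_FLAGS is intentionally unquoted so "--zone X" splits into two args.
  cidr=$(lookup_controlplane_cidr "$CLUSTER_NAME" ${CLUSTER_LOCATION_FLAGS:-})
  is_ipv4_cidr "$cidr" || {
    echo "no masterIpv4CidrBlock returned for '$CLUSTER_NAME'; is it a private cluster?" >&2
    exit 1
  }
  render_webhook_policy "$cidr" "${WEBHOOK_PORT:-443}" | kubectl apply -f -
  # A selector that matches no pod means the policy protects (and allows) nothing.
  kubectl -n okteto get pods -l app.kubernetes.io/component=webhook,app.kubernetes.io/part-of=okteto
  kubectl -n okteto describe networkpolicy ingress-controlplane-to-webhook
fi
```

Run it as `CLUSTER_NAME=my-cluster CLUSTER_LOCATION_FLAGS="--region us-central1" sh apply-webhook-policy.sh`; set WEBHOOK_PORT only if you changed webhook.port in the Helm values. The CIDR check is deliberately strict because the page's policy is the only thing letting the API server into the webhook, and a malformed ipBlock is rejected by the API server rather than silently allowing traffic, so catching it before kubectl gives a clearer error.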