GoogleCloudPlatform / terraform-google-nat-gateway

Modular NAT Gateway on Google Compute Engine for Terraform.
Apache License 2.0

Unable to access the pods after setting up NAT #95

Open ashu210890 opened 6 years ago

ashu210890 commented 6 years ago

I used the terraform NAT example to set up a NAT gateway for all egress from my GKE cluster. I tried the following ssh command that was given in the readme and it works:

gcloud compute ssh $(gcloud compute instances list --filter=name~nat-gateway-${REGION} --uri) --ssh-flag="-A" -- ssh $(gcloud compute instances list --filter=name~gke-${CLUSTER_NAME}- --limit=1 --format='value(name)') -o StrictHostKeyChecking=no

However, when I try to access the pods using kubectl exec or kubectl attach or kubectl logs, I get the following error:

Get https://10.156.0.7:10250/containerLogs/default/mypod-1538082480-2j4m5/mypod: No SSH tunnels currently open. Were the targets able to accept an ssh-key for user "gke-0d30f9eca605b3f9accd"

I already checked that the ssh forward firewall rule from GKE cluster master IP to the nodes exists and seems correct. What am I doing wrong here?

danisla commented 6 years ago

That usually happens when the static route to the master IPs has not been created. The example creates this route to preserve behavior like kubectl exec and logs.

brandentimm commented 6 years ago

@danisla are you using a regional cluster? If so, I wasn't able to get this to work when using the endpoint IP as the gke_master_ip. I instead had to use a semicolon-delimited list of the zonal master IPs, which I found by looking at the filter list for firewall rule 'gke--ssh'.

danisla commented 6 years ago

@brandentimm, the example works with zonal, regional and private clusters. There is a step in the README.md where it pulls the endpoint IPs from the firewall rule.
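The static route danisla refers to in both replies, written out as an added Terraform illustration (this is not the module's own code, and the variable names, the "example-" resource name and the priority value 700 are assumptions). It generalizes to the regional case brandentimm describes by creating one /32 route per master IP, so that traffic from the tagged nodes back to the control plane (kubelet port 10250, which kubectl exec/logs use) bypasses the NAT instance and keeps its node source address instead of the gateway's:

```hcl
# Added example, not part of the terraform-google-nat-gateway module.
# All variable names below are assumptions for this illustration.
variable "project" {
  type = string
}

variable "network" {
  type = string
}

variable "node_tag" {
  description = "Network tag carried by the GKE nodes that the NAT route targets"
  type        = string
}

variable "gke_master_ips" {
  description = "Control-plane IPs; a zonal cluster has one, a regional cluster may have several"
  type        = list(string)
}

# One host route per master IP. next_hop_gateway sends the traffic directly
# to the internet gateway rather than through the NAT instance. The priority
# number must be lower (i.e. higher precedence) than the NAT route that
# captures 0.0.0.0/0 for the same tagged nodes; 700 is an assumed value.
resource "google_compute_route" "gke_master_bypass" {
  count            = length(var.gke_master_ips)
  name             = "example-gke-master-bypass-${count.index}"
  project          = var.project
  network          = var.network
  dest_range       = "${var.gke_master_ips[count.index]}/32"
  next_hop_gateway = "default-internet-gateway"
  priority         = 700
  tags             = [var.node_tag]
}
```

To confirm the route actually exists after an apply, list routes in the project and filter on the master IP (for example `gcloud compute routes list --filter="destRange~'<master-ip>/32'"`, with the IP substituted); if nothing is returned, the kubelet traffic is still leaving through the NAT gateway and the "No SSH tunnels currently open" error from the original report is expected.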