SSH into GKE private cluster node

3/19/2019

I need to install a plugin on every node in my private-cluster. I've tried to add an external IP with:

gcloud compute instances add-access-config gke-private-cluster-nodename

It works, but then when I SSH into the node
(IP registered in cluster Authorized networks)

gcloud compute ssh gke-private-cluster

I get: "Operation timed out"

Same when I try in the Compute Engine console, but with the error:

"We are unable to connect to the VM on port 22"

Is it some firewall rule that has to be enabled? Any hint would be helpful!

-- Calle Engene
elasticsearch
google-cloud-platform
google-kubernetes-engine

1 Answer

3/19/2019

You cannot install things on GKE nodes.

GKE nodes use an OS image with a read-only filesystem that doesn't allow you to install things https://cloud.google.com/container-optimized-os/docs/.

Not only is it a bad idea, your nodes are "temporary". When GKE automatically upgrades your Kubernetes node versions, all your VMs will be replaced with new VMs, so SSHing into them and trying to install things on them one by one is just going to work for a few days.

To answer your question, by definition, "private clusters" aren't accessible from the internet. You should have a "bastion node" in that VPC network which you can SSH into and then access the private nodes from. https://cloud.google.com/solutions/connecting-securely#bastion

-- AhmetB - Google
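The bastion setup the answer points to, as an added example (not from the question, the answer, or Google's documentation): a small VM in the cluster's VPC, a firewall rule that lets only an admin CIDR reach the bastion on port 22, and a second rule that lets only the bastion reach the nodes on port 22, so the nodes never need a public IP. Project, zone, network, subnet, node network tag and admin CIDR are placeholders you must replace.

```shell
#!/bin/sh
# Added example: reach private GKE nodes through a bastion instead of
# attaching external IPs to the nodes. All values below are placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"                 # placeholder
ZONE="${ZONE:-us-central1-a}"                    # placeholder
NETWORK="${NETWORK:-gke-private-vpc}"            # VPC of the private cluster (placeholder)
SUBNET="${SUBNET:-gke-private-subnet}"           # placeholder
BASTION="${BASTION:-gke-bastion}"                # bastion VM name (placeholder)
NODE_TAG="${NODE_TAG:-gke-private-cluster-node}" # network tag on the node pool (placeholder)
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.10/32}"      # your office/VPN egress (placeholder)
GCLOUD="${GCLOUD:-gcloud}"                       # set GCLOUD=echo to dry-run

# Bastion: small VM with a public IP, tagged so firewall rules can target it.
create_bastion() {
  "$GCLOUD" compute instances create "$BASTION" \
    --project="$PROJECT" --zone="$ZONE" \
    --network="$NETWORK" --subnet="$SUBNET" \
    --machine-type=e2-micro --tags=bastion \
    --image-family=debian-11 --image-project=debian-cloud
}

# Only the admin CIDR may reach the bastion on 22 (not 0.0.0.0/0).
allow_admin_to_bastion() {
  "$GCLOUD" compute firewall-rules create allow-admin-ssh-bastion \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-ranges="$ADMIN_CIDR" --target-tags=bastion --allow=tcp:22
}

# Only instances tagged "bastion" may reach the nodes on 22.
allow_bastion_to_nodes() {
  "$GCLOUD" compute firewall-rules create allow-bastion-ssh-nodes \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-tags=bastion --target-tags="$NODE_TAG" --allow=tcp:22
}

# Hop through the bastion to a node's internal IP (agent forwarding, no key on the bastion).
ssh_node_via_bastion() {
  node_ip="$1"
  "$GCLOUD" compute ssh "$BASTION" --project="$PROJECT" --zone="$ZONE" \
    --ssh-flag="-A" -- -t ssh "$node_ip"
}

# Run with "apply" to create the bastion and both rules; otherwise only define functions.
if [ "${1:-}" = "apply" ]; then
  create_bastion; allow_admin_to_bastion; allow_bastion_to_nodes
fi
```

Get a node's internal IP with `gcloud compute instances list` and pass it to `ssh_node_via_bastion`; the bastion itself still has a public IP, which is why its inbound rule is restricted to the admin CIDR.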
Source: StackOverflow