Troubleshoot cluster creation

Stay organized with collections Save and categorize content based on your preferences.

This page shows you how to resolve issues with creating clusters in Google Kubernetes Engine (GKE).

For general issues with a Kubernetes cluster, see Troubleshooting Clusters in the Kubernetes documentation.

Error: Constraint constraints/compute.vmExternalIpAccess violated

An error similar to the following can occur when you try to create a public GKE cluster:

Constraint constraints/compute.vmExternalIpAccess violated for project

This only affects public GKE clusters, including GKE Autopilot clusters.

When you create public GKE clusters, the underlying Compute Engine VMs, which make up the worker nodes of this cluster, have external IP addresses assigned. If you configure the organization policy constraint constraints/compute.vmExternalIpAccess to Deny All or to restrict external IP addresses to specific VM instances at the organization, folder, or project level, then the policy prevents the GKE worker nodes from obtaining external IP addresses, which results in cluster creation failure.

To find the logs of the cluster creation operation, you can review the GKE Cluster Operations Audit Logs using Logs Explorer with a search query similar to the following:

resource.type="gke_cluster"
logName="projects/test-last-gke-sa/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.methodName="google.container.v1beta1.ClusterManager.CreateCluster"
resource.labels.cluster_name="CLUSTER_NAME"
resource.labels.project_id="PROJECT_ID"

Replace the following:

• CLUSTER_NAME: the name of the cluster that wasn't created.
• PROJECT_ID: your project ID.

To resolve this issue, ensure that the effective policy for the constraint constraints/compute.vmExternalIpAccess is Allow All on the project where you are trying to create a GKE public cluster. For information on working with this constraint, see Restricting external IP addresses to specific VM instances.

After setting the constraint to Allow All, delete the failed cluster and create a new cluster. This is required because repairing the failed cluster is not possible.

What's next

• If you can't find a solution to your problem in the documentation, see Get support for further help, including advice on the following topics:

  • Opening a support case by contacting Cloud Customer Care.
  • Getting support from the community by asking questions on StackOverflow and using the google-kubernetes-engine tag to search for similar issues. You can also join the #kubernetes-engine Slack channel for more community support.
  • Opening bugs or feature requests by using the public issue tracker.