how do I add a firewall rule to a gke service?
Its not clear to me how to do this.
I create a service for my cluster like this:
kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888
And now my service is accessible from the internet on port 8888. But I dont want that, I only want to make my service accessible from a list of specific public IPs. How do I apply a gcp firewall rule to a specific service? Not clear how this works and why by default the service is accessible publicly from the internet.
kubernetes google-cloud-platform gke
asked Nov 24 '18 at 4:41
red888red888
4,55174390
add a comment |
Its not clear to me how to do this.
I create a service for my cluster like this:
kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888
And now my service is accessible from the internet on port 8888. But I dont want that, I only want to make my service accessible from a list of specific public IPs. How do I apply a gcp firewall rule to a specific service? Not clear how this works and why by default the service is accessible publicly from the internet.
kubernetes google-cloud-platform gke
asked Nov 24 '18 at 4:41
red888red888
4,55174390
add a comment |
Its not clear to me how to do this.
I create a service for my cluster like this:
kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888
And now my service is accessible from the internet on port 8888. But I dont want that, I only want to make my service accessible from a list of specific public IPs. How do I apply a gcp firewall rule to a specific service? Not clear how this works and why by default the service is accessible publicly from the internet.
kubernetes google-cloud-platform gke
asked Nov 24 '18 at 4:41
red888red888
4,55174390
Its not clear to me how to do this.
I create a service for my cluster like this:
kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888
And now my service is accessible from the internet on port 8888. But I dont want that, I only want to make my service accessible from a list of specific public IPs. How do I apply a gcp firewall rule to a specific service? Not clear how this works and why by default the service is accessible publicly from the internet.
kubernetes google-cloud-platform gke
kubernetes google-cloud-platform gke
asked Nov 24 '18 at 4:41
red888red888
4,55174390
asked Nov 24 '18 at 4:41
red888red888
4,55174390
asked Nov 24 '18 at 4:41
red888red888
4,55174390
asked Nov 24 '18 at 4:41
red888red888
4,55174390
asked Nov 24 '18 at 4:41
red888red888
4,55174390
4,55174390
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
I don't think this is currently supported by LoadBalancer services. You can find the annotations currently read by the GCE GLB service provider at https://github.com/kubernetes/kubernetes/blob/1e50c5711346e882a54e833a9931af9678af7a82/pkg/cloudprovider/providers/gce/gce_annotations.go#L35, it's currently just setting the LoadBalancer type, the sharing mode, and the network SLA tier.
You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.
answered Nov 24 '18 at 22:40
coderangercoderanger
29.8k32743
add a comment |
loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service
apiVersion: v1
kind: Service
metadata:
name: na-server-service
spec:
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 80
loadBalancerSourceRanges:
- 50.1.1.1/32
answered Nov 25 '18 at 20:27
red888red888
4,55174390
add a comment |
since the load balancer is within your network, you can create a ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming that you in mind your authorized IP), after you create your firewall tag in you cluster instance template, which you cluster instance group using modify it by adding the tag to it and roll the update on the instance group, in this case all you node cluster will have the tag to restrict some IPs.
you can as well refer as well to Restrict Access For LoadBalancer Service for more control.
answered Nov 25 '18 at 20:25
AliouaAlioua
6951110
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53455197%2fhow-do-i-add-a-firewall-rule-to-a-gke-service%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
I don't think this is currently supported by LoadBalancer services. You can find the annotations currently read by the GCE GLB service provider at https://github.com/kubernetes/kubernetes/blob/1e50c5711346e882a54e833a9931af9678af7a82/pkg/cloudprovider/providers/gce/gce_annotations.go#L35, it's currently just setting the LoadBalancer type, the sharing mode, and the network SLA tier.
You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.
answered Nov 24 '18 at 22:40
coderangercoderanger
29.8k32743
add a comment |
I don't think this is currently supported by LoadBalancer services. You can find the annotations currently read by the GCE GLB service provider at https://github.com/kubernetes/kubernetes/blob/1e50c5711346e882a54e833a9931af9678af7a82/pkg/cloudprovider/providers/gce/gce_annotations.go#L35, it's currently just setting the LoadBalancer type, the sharing mode, and the network SLA tier.
You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.
answered Nov 24 '18 at 22:40
coderangercoderanger
29.8k32743
add a comment |
I don't think this is currently supported by LoadBalancer services. You can find the annotations currently read by the GCE GLB service provider at https://github.com/kubernetes/kubernetes/blob/1e50c5711346e882a54e833a9931af9678af7a82/pkg/cloudprovider/providers/gce/gce_annotations.go#L35, it's currently just setting the LoadBalancer type, the sharing mode, and the network SLA tier.
You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.
answered Nov 24 '18 at 22:40
coderangercoderanger
29.8k32743
I don't think this is currently supported by LoadBalancer services. You can find the annotations currently read by the GCE GLB service provider at https://github.com/kubernetes/kubernetes/blob/1e50c5711346e882a54e833a9931af9678af7a82/pkg/cloudprovider/providers/gce/gce_annotations.go#L35, it's currently just setting the LoadBalancer type, the sharing mode, and the network SLA tier.
You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.
answered Nov 24 '18 at 22:40
coderangercoderanger
29.8k32743
answered Nov 24 '18 at 22:40
coderangercoderanger
29.8k32743
answered Nov 24 '18 at 22:40
coderangercoderanger
29.8k32743
answered Nov 24 '18 at 22:40
coderangercoderanger
29.8k32743
29.8k32743
add a comment |
add a comment |
loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service
apiVersion: v1
kind: Service
metadata:
name: na-server-service
spec:
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 80
loadBalancerSourceRanges:
- 50.1.1.1/32
answered Nov 25 '18 at 20:27
red888red888
4,55174390
add a comment |
loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service
apiVersion: v1
kind: Service
metadata:
name: na-server-service
spec:
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 80
loadBalancerSourceRanges:
- 50.1.1.1/32
answered Nov 25 '18 at 20:27
red888red888
4,55174390
add a comment |
loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service
apiVersion: v1
kind: Service
metadata:
name: na-server-service
spec:
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 80
loadBalancerSourceRanges:
- 50.1.1.1/32
answered Nov 25 '18 at 20:27
red888red888
4,55174390
loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service
apiVersion: v1
kind: Service
metadata:
name: na-server-service
spec:
type: LoadBalancer
ports:
- protocol: TCP
port: 80
targetPort: 80
loadBalancerSourceRanges:
- 50.1.1.1/32
answered Nov 25 '18 at 20:27
red888red888
4,55174390
answered Nov 25 '18 at 20:27
red888red888
4,55174390
answered Nov 25 '18 at 20:27
red888red888
4,55174390
answered Nov 25 '18 at 20:27
red888red888
4,55174390
4,55174390
add a comment |
add a comment |
since the load balancer is within your network, you can create a ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming that you in mind your authorized IP), after you create your firewall tag in you cluster instance template, which you cluster instance group using modify it by adding the tag to it and roll the update on the instance group, in this case all you node cluster will have the tag to restrict some IPs.
you can as well refer as well to Restrict Access For LoadBalancer Service for more control.
answered Nov 25 '18 at 20:25
AliouaAlioua
6951110
add a comment |
since the load balancer is within your network, you can create a ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming that you in mind your authorized IP), after you create your firewall tag in you cluster instance template, which you cluster instance group using modify it by adding the tag to it and roll the update on the instance group, in this case all you node cluster will have the tag to restrict some IPs.
you can as well refer as well to Restrict Access For LoadBalancer Service for more control.
answered Nov 25 '18 at 20:25
AliouaAlioua
6951110
add a comment |
since the load balancer is within your network, you can create a ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming that you in mind your authorized IP), after you create your firewall tag in you cluster instance template, which you cluster instance group using modify it by adding the tag to it and roll the update on the instance group, in this case all you node cluster will have the tag to restrict some IPs.
you can as well refer as well to Restrict Access For LoadBalancer Service for more control.
answered Nov 25 '18 at 20:25
AliouaAlioua
6951110
since the load balancer is within your network, you can create a ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming that you in mind your authorized IP), after you create your firewall tag in you cluster instance template, which you cluster instance group using modify it by adding the tag to it and roll the update on the instance group, in this case all you node cluster will have the tag to restrict some IPs.
you can as well refer as well to Restrict Access For LoadBalancer Service for more control.
answered Nov 25 '18 at 20:25
AliouaAlioua
6951110
edited Nov 25 '18 at 20:50
answered Nov 25 '18 at 20:25
AliouaAlioua
6951110
answered Nov 25 '18 at 20:25
AliouaAlioua
6951110
answered Nov 25 '18 at 20:25
AliouaAlioua
6951110
6951110
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53455197%2fhow-do-i-add-a-firewall-rule-to-a-gke-service%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
