How do I add a firewall rule to a GKE service?
It's not clear to me how to do this.
I create a service for my cluster like this:
    kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888
And now my service is accessible from the internet on port 8888. But I don't want that; I only want to make my service accessible from a list of specific public IPs. How do I apply a GCP firewall rule to a specific service? Not clear how this works and why by default the service is accessible publicly from the internet.
kubernetes google-cloud-platform gke
asked Nov 24 '18 at 4:41
red888
3 Answers
I don't think this is currently supported by LoadBalancer services. You can find the annotations currently read by the GCE GLB service provider at https://github.com/kubernetes/kubernetes/blob/1e50c5711346e882a54e833a9931af9678af7a82/pkg/cloudprovider/providers/gce/gce_annotations.go#L35; it's currently just setting the LoadBalancer type, the sharing mode, and the network SLA tier.
You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.
answered Nov 24 '18 at 22:40
coderanger
loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service:
    apiVersion: v1
    kind: Service
    metadata:
      name: na-server-service
    spec:
      type: LoadBalancer
      ports:
      - protocol: TCP
        port: 80
        targetPort: 80
      loadBalancerSourceRanges:
      - 50.1.1.1/32
answered Nov 25 '18 at 20:27
red888
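
An added example, not part of the original answer: an audit over `kubectl get services --all-namespaces -o json` output that flags LoadBalancer Services which leave `loadBalancerSourceRanges` unset (Kubernetes then allows every source, which is why the `kubectl expose` Service in the question was reachable from the internet) or list an overly broad range. The sample JSON, the `audit` function and the /24 threshold are assumptions made for illustration, and every LoadBalancer Service is treated as external.

```python
import ipaddress
import json

# Constructed sample shaped like `kubectl get services --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "my-deployment"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 8888}]}},
  {"metadata": {"namespace": "default", "name": "na-server-service"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 80}],
            "loadBalancerSourceRanges": ["50.1.1.1/32"]}},
  {"metadata": {"namespace": "default", "name": "wide-open"},
   "spec": {"type": "LoadBalancer", "ports": [{"port": 443}],
            "loadBalancerSourceRanges": ["50.1.1.1/32", "0.0.0.0/0"]}},
  {"metadata": {"namespace": "default", "name": "db"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}}
]}
""")

MIN_PREFIX = 24  # assumed policy: IPv4 ranges wider than a /24 are flagged


def audit(service_list, min_prefix=MIN_PREFIX):
    """Return (namespace/name, reason) for LoadBalancer Services that are too open."""
    findings = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue  # ClusterIP/NodePort Services get no cloud load balancer
        ident = "{}/{}".format(svc["metadata"]["namespace"], svc["metadata"]["name"])
        ranges = spec.get("loadBalancerSourceRanges") or []
        if not ranges:
            # Unset field: the default is to allow all sources (0.0.0.0/0).
            findings.append((ident, "no loadBalancerSourceRanges"))
            continue
        for cidr in ranges:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append((ident, "invalid CIDR " + cidr))
                continue
            if net.prefixlen == 0 or (net.version == 4 and net.prefixlen < min_prefix):
                findings.append((ident, "range too broad: " + cidr))
    return findings


if __name__ == "__main__":
    for ident, reason in audit(SAMPLE):
        print(ident, "-", reason)
```
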
Since the load balancer is within your network, you can create an ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming that you have in mind your authorized IP). After you create your firewall tag, modify the cluster instance template that your cluster instance group is using by adding the tag to it, and roll the update on the instance group. In this case all your cluster nodes will have the tag to restrict some IPs.
You can also refer to Restrict Access For LoadBalancer Service for more control.
edited Nov 25 '18 at 20:50
answered Nov 25 '18 at 20:25
Alioua