how do I add a firewall rule to a gke service?

It's not clear to me how to do this.

I create a service for my cluster like this:

kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888

And now my service is accessible from the internet on port 8888. But I don't want that; I only want to make my service accessible from a list of specific public IPs. How do I apply a GCP firewall rule to a specific service? It's not clear how this works and why by default the service is accessible publicly from the internet.

kubernetes google-cloud-platform gke

asked Nov 24 '18 at 4:41
red888

3 Answers

I don't think this is currently supported by LoadBalancer services. You can find the annotations currently read by the GCE GLB service provider at https://github.com/kubernetes/kubernetes/blob/1e50c5711346e882a54e833a9931af9678af7a82/pkg/cloudprovider/providers/gce/gce_annotations.go#L35; it's currently just setting the LoadBalancer type, the sharing mode, and the network SLA tier.

You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.

answered Nov 24 '18 at 22:40
coderanger

loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service.

apiVersion: v1
kind: Service
metadata:
  name: na-server-service
spec:
  type: LoadBalancer
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  loadBalancerSourceRanges:
  - 50.1.1.1/32

answered Nov 25 '18 at 20:27
red888
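As an added example (not code from the question or from any of the answers), the following script audits the JSON that `kubectl get svc -A -o json` prints and flags every type=LoadBalancer Service that is still reachable from the whole internet, either because loadBalancerSourceRanges is absent (the default the question ran into) or because a listed range such as 0.0.0.0/0 covers everything. The Service names and the embedded JSON sample are constructed for the example.

```python
# Added example, not code from the question or the answers: audit the JSON
# printed by `kubectl get svc -A -o json` and flag every type=LoadBalancer
# Service that is still reachable from the whole internet.
import ipaddress
import json
import sys

# Constructed sample of `kubectl get svc -A -o json` output, trimmed to the
# fields the audit reads; the Service names are made up for this example.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"namespace": "default", "name": "my-deployment"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"protocol": "TCP", "port": 8888, "targetPort": 8888}]}},
    {"metadata": {"namespace": "default", "name": "na-server-service"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"protocol": "TCP", "port": 80, "targetPort": 80}],
              "loadBalancerSourceRanges": ["50.1.1.1/32"]}},
    {"metadata": {"namespace": "ops", "name": "wide-open"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"protocol": "TCP", "port": 443, "targetPort": 8443}],
              "loadBalancerSourceRanges": ["10.0.0.0/8", "0.0.0.0/0"]}},
    {"metadata": {"namespace": "default", "name": "internal-api"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
]})

def range_is_public(cidr: str) -> bool:
    """True if the range admits the whole internet (0.0.0.0/0 or ::/0).
    A range that does not parse is reported too, so a typo cannot pass."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return True

def audit_services(kubectl_json: str) -> list:
    """Return (namespace/name, reason) for each LoadBalancer Service open to all.
    Without loadBalancerSourceRanges the provider's firewall rule allows 0.0.0.0/0."""
    findings = []
    for svc in json.loads(kubectl_json).get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue  # only LoadBalancer Services get a cloud forwarding/firewall rule
        ref = f"{svc['metadata']['namespace']}/{svc['metadata']['name']}"
        ranges = spec.get("loadBalancerSourceRanges") or []
        if not ranges:
            findings.append((ref, "no loadBalancerSourceRanges (defaults to 0.0.0.0/0)"))
            continue
        public = [r for r in ranges if range_is_public(r)]
        if public:
            findings.append((ref, "world-open range(s): " + ", ".join(public)))
    return findings

if __name__ == "__main__":
    # Usage: kubectl get svc -A -o json > svc.json && python audit.py svc.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ref, reason in audit_services(data):
        print(f"{ref}: {reason}")
```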

Since the load balancer is within your network, you can create an ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming that you have your authorized IPs in mind). After you create your firewall tag, modify the instance template that your cluster's instance group is using by adding the tag to it, and roll the update on the instance group; in this case all your cluster nodes will have the tag to restrict some IPs.

You can also refer to Restrict Access For LoadBalancer Service for more control.

edited Nov 25 '18 at 20:50
answered Nov 25 '18 at 20:25
Alioua
