how do I add a firewall rule to a gke service?

Its not clear to me how to do this.

I create a service for my cluster like this:

kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888

And now my service is accessible from the internet on port 8888. But I dont want that, I only want to make my service accessible from a list of specific public IPs. How do I apply a gcp firewall rule to a specific service? Not clear how this works and why by default the service is accessible publicly from the internet.

asked Nov 24 '18 at 4:41

red888

4,48673887

add a comment |

Its not clear to me how to do this.

I create a service for my cluster like this:

kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888

asked Nov 24 '18 at 4:41

red888

4,48673887

add a comment |

Its not clear to me how to do this.

I create a service for my cluster like this:

kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888

asked Nov 24 '18 at 4:41

red888

4,48673887

Its not clear to me how to do this.

I create a service for my cluster like this:

kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888

kubernetes google-cloud-platform gke

asked Nov 24 '18 at 4:41

red888

4,48673887

asked Nov 24 '18 at 4:41

red888

4,48673887

asked Nov 24 '18 at 4:41

red888

4,48673887

asked Nov 24 '18 at 4:41

red888

4,48673887

asked Nov 24 '18 at 4:41

red888

4,48673887

add a comment |

3 Answers
3

active

oldest

votes

I don't think this is currently supported by LoadBalancer services. You can find the annotations currently read by the GCE GLB service provider at https://github.com/kubernetes/kubernetes/blob/1e50c5711346e882a54e833a9931af9678af7a82/pkg/cloudprovider/providers/gce/gce_annotations.go#L35, it's currently just setting the LoadBalancer type, the sharing mode, and the network SLA tier.

You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.

answered Nov 24 '18 at 22:40

coderanger

29.6k32643

add a comment |

loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service

apiVersion: v1

kind: Service

metadata:

  name: na-server-service

spec:

  type: LoadBalancer

  ports:

  - protocol: TCP

    port: 80

    targetPort: 80

  loadBalancerSourceRanges:

  - 50.1.1.1/32

answered Nov 25 '18 at 20:27

red888

4,48673887

add a comment |

since the load balancer is within your network, you can create a ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming that you in mind your authorized IP), after you create your firewall tag in you cluster instance template, which you cluster instance group using modify it by adding the tag to it and roll the update on the instance group, in this case all you node cluster will have the tag to restrict some IPs.

you can as well refer as well to Restrict Access For LoadBalancer Service for more control.

edited Nov 25 '18 at 20:50

answered Nov 25 '18 at 20:25

Alioua

682110

add a comment |

Your Answer

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});

}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53455197%2fhow-do-i-add-a-firewall-rule-to-a-gke-service%23new-answer', 'question_page');
}
);

Post as a guest

Name

Required, but never shown

3 Answers
3

active

oldest

votes

3 Answers
3

active

oldest

votes

You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.

answered Nov 24 '18 at 22:40

coderanger

29.6k32643

add a comment |

You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.

answered Nov 24 '18 at 22:40

coderanger

29.6k32643

add a comment |

You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.

answered Nov 24 '18 at 22:40

coderanger

29.6k32643

You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.

answered Nov 24 '18 at 22:40

coderanger

29.6k32643

answered Nov 24 '18 at 22:40

coderanger

29.6k32643

answered Nov 24 '18 at 22:40

coderanger

29.6k32643

answered Nov 24 '18 at 22:40

coderanger

29.6k32643

add a comment |

loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service

apiVersion: v1

kind: Service

metadata:

  name: na-server-service

spec:

  type: LoadBalancer

  ports:

  - protocol: TCP

    port: 80

    targetPort: 80

  loadBalancerSourceRanges:

  - 50.1.1.1/32

answered Nov 25 '18 at 20:27

red888

4,48673887

add a comment |

loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service

apiVersion: v1

kind: Service

metadata:

  name: na-server-service

spec:

  type: LoadBalancer

  ports:

  - protocol: TCP

    port: 80

    targetPort: 80

  loadBalancerSourceRanges:

  - 50.1.1.1/32

answered Nov 25 '18 at 20:27

red888

4,48673887

add a comment |

loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service

apiVersion: v1

kind: Service

metadata:

  name: na-server-service

spec:

  type: LoadBalancer

  ports:

  - protocol: TCP

    port: 80

    targetPort: 80

  loadBalancerSourceRanges:

  - 50.1.1.1/32

answered Nov 25 '18 at 20:27

red888

4,48673887

loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service

apiVersion: v1

kind: Service

metadata:

  name: na-server-service

spec:

  type: LoadBalancer

  ports:

  - protocol: TCP

    port: 80

    targetPort: 80

  loadBalancerSourceRanges:

  - 50.1.1.1/32

answered Nov 25 '18 at 20:27

red888

4,48673887

answered Nov 25 '18 at 20:27

red888

4,48673887

answered Nov 25 '18 at 20:27

red888

4,48673887

answered Nov 25 '18 at 20:27

red888

4,48673887

add a comment |

you can as well refer as well to Restrict Access For LoadBalancer Service for more control.

edited Nov 25 '18 at 20:50

answered Nov 25 '18 at 20:25

Alioua

682110

add a comment |

you can as well refer as well to Restrict Access For LoadBalancer Service for more control.

edited Nov 25 '18 at 20:50

answered Nov 25 '18 at 20:25

Alioua

682110

add a comment |

you can as well refer as well to Restrict Access For LoadBalancer Service for more control.

edited Nov 25 '18 at 20:50

answered Nov 25 '18 at 20:25

Alioua

682110

you can as well refer as well to Restrict Access For LoadBalancer Service for more control.

edited Nov 25 '18 at 20:50

answered Nov 25 '18 at 20:25

Alioua

682110

edited Nov 25 '18 at 20:50

answered Nov 25 '18 at 20:25

Alioua

682110

answered Nov 25 '18 at 20:25

Alioua

682110

answered Nov 25 '18 at 20:25

Alioua

682110

add a comment |

draft saved

draft discarded

Thanks for contributing an answer to Stack Overflow!

Please be sure to answer the question. Provide details and share your research!

But avoid …

Asking for help, clarification, or responding to other answers.

Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Post as a guest

Name

Required, but never shown

Name

Required, but never shown

Name

Required, but never shown

This page is only for reference, If you need detailed information, please check here

搜尋此網誌

Btukfyl