how do I add a firewall rule to a gke service?

Question

Its not clear to me how to do this.

I create a service for my cluster like this:

kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888

And now my service is accessible from the internet on port 8888. But I dont want that, I only want to make my service accessible from a list of specific public IPs. How do I apply a gcp firewall rule to a specific service? Not clear how this works and why by default the service is accessible publicly from the internet.

Answer 1

since the load balancer is within your network, you can create a ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming that you in mind your authorized IP), after you create your firewall tag in you cluster instance template, which you cluster instance group using modify it by adding the tag to it and roll the update on the instance group, in this case all you node cluster will have the tag to restrict some IPs.

you can as well refer as well to Restrict Access For LoadBalancer Service for more control.

Answer 2

loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service

apiVersion: v1
kind: Service
metadata:
  name: na-server-service
spec:
  type: LoadBalancer
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  loadBalancerSourceRanges:
  - 50.1.1.1/32

Answer 3

I don't think this is currently supported by LoadBalancer services. You can find the annotations currently read by the GCE GLB service provider at https://github.com/kubernetes/kubernetes/blob/1e50c5711346e882a54e833a9931af9678af7a82/pkg/cloudprovider/providers/gce/gce_annotations.go#L35, it's currently just setting the LoadBalancer type, the sharing mode, and the network SLA tier.

You can do this kind of filtering with some Ingress controllers, but I don't think that includes ingress-gce right now, so it would be somewhat funky to set up.