Ryo

Reputation: 595

GKE networkpolicy for cloudsql_proxy

I tried to use NetworkPolicy on GKE.

My pod `api` has an API application and a Cloud SQL proxy:

containers:
- image: myapi
  name: myapi
  ports:
  - containerPort: 3001
- command:
  - /cloud_sql_proxy
  - -instances=my-project:asia-northeast1:my-instance=tcp:3307
  - -ip_address_types=PRIVATE
  image: gcr.io/cloudsql-docker/gce-proxy:1.16
  name: cloudsql-proxy

I couldn't figure out what kind of egress rule to set. I tried setting 127.0.0.1:3307, but that must not be right, because api -> cloudsql_proxy is 127.0.0.1:3307.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: develop
    projectid: my-project
  name: my-networkpolicy
spec:
  podSelector: {}  # assumed: the post omits this required field; {} selects every pod in the namespace
  egress:
  - ports:
    - port: 3307
      protocol: TCP
    to:
    - ipBlock:
        cidr: 127.0.0.1/32

Error:

Get https://www.googleapis.com/sql/v1beta4/projects/my-project/instances/my-instance?alt=json&prettyPrint=false: dial tcp: i/o timeout

How can I set the NetworkPolicy?

※ I already figured out that if there is no egress rule in the NetworkPolicy, the connection works fine.

Upvotes: 0

Views: 233

Answers (1)

Ryo

Reputation: 595

I figured out that UDP:53 must be added for cloudsql-proxy.

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    env: develop
    projectid: my-project
  name: my-networkpolicy
spec:
  podSelector: {}  # assumed: the post omits this required field; {} selects every pod in the namespace
  egress:
  - ports:
    - port: 443
      protocol: TCP
    - port: 53
      protocol: UDP
    to:
    - ipBlock:
        cidr: 0.0.0.0/0
---

Upvotes: 1
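The question and answer above come down to which flows actually leave the pod. Two facts decide the egress rules: traffic from the API container to the proxy sidecar on 127.0.0.1:3307 stays inside the pod's shared network namespace and never crosses the CNI, so no NetworkPolicy can see or block it; and the proxy itself needs DNS (UDP/53), the SQL Admin API over HTTPS (TCP/443), and a TCP connection to the instance's own IP on port 3307. The following evaluator is an added example, not code from the question or the answer; it models only the `ipBlock`/`ports` subset of egress rules used on this page (no pod or namespace selectors), and the destination IPs, the kube-dns address and the Cloud SQL private range are constructed sample values, not real ones.

```python
"""Egress evaluator for the ipBlock/ports subset of Kubernetes NetworkPolicy.

Added example for the Q&A above; not the poster's code. Selector-based peers
(podSelector/namespaceSelector) are deliberately out of scope.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    dst_ip: str
    port: int
    protocol: str = "TCP"
    loopback: bool = False  # True when the peer is a sidecar in the same pod


def _port_matches(rule_ports, flow):
    # A rule with no "ports" key matches every port and protocol.
    if not rule_ports:
        return True
    return any(p.get("protocol", "TCP") == flow.protocol and p.get("port") == flow.port
               for p in rule_ports)


def _peer_matches(rule_to, flow):
    # A rule with no "to" key matches every destination.
    if not rule_to:
        return True
    ip = ipaddress.ip_address(flow.dst_ip)
    for peer in rule_to:
        block = peer.get("ipBlock")
        if block is None:
            continue  # selector peers are not modelled here
        in_cidr = ip in ipaddress.ip_network(block["cidr"], strict=False)
        excluded = any(ip in ipaddress.ip_network(e, strict=False)
                       for e in block.get("except", []))
        if in_cidr and not excluded:
            return True
    return False


def egress_allowed(spec, flow):
    """Return True if the policy lets this flow leave the selected pod."""
    if flow.loopback:
        # Containers in one pod share a network namespace: localhost traffic
        # never reaches the CNI, so NetworkPolicy cannot affect it either way.
        return True
    # Default policyTypes: Ingress always; Egress only when egress rules exist.
    policy_types = spec.get("policyTypes") or (
        ["Ingress", "Egress"] if spec.get("egress") else ["Ingress"])
    if "Egress" not in policy_types:
        return True
    return any(_port_matches(r.get("ports"), flow) and _peer_matches(r.get("to"), flow)
               for r in spec.get("egress", []))


def evaluate(spec, flows):
    """Map each flow name to whether the spec allows it."""
    return {f.name: egress_allowed(spec, f) for f in flows}


# Constructed sample flows (all IPs are placeholders, not real addresses).
FLOWS = [
    Flow("api->proxy", "127.0.0.1", 3307, loopback=True),
    Flow("dns", "10.0.0.10", 53, protocol="UDP"),        # assumed kube-dns ClusterIP
    Flow("sqladmin-api", "203.0.113.10", 443),           # assumed googleapis.com address
    Flow("cloudsql-instance", "10.20.0.3", 3307),        # assumed Cloud SQL private IP
]

# The question's policy: loopback only, which the CNI never sees anyway.
QUESTION_SPEC = {"podSelector": {}, "egress": [
    {"ports": [{"port": 3307, "protocol": "TCP"}],
     "to": [{"ipBlock": {"cidr": "127.0.0.1/32"}}]}]}

# The answer's policy: DNS and HTTPS anywhere, nothing for the instance itself.
ANSWER_SPEC = {"podSelector": {}, "egress": [
    {"ports": [{"port": 443, "protocol": "TCP"}, {"port": 53, "protocol": "UDP"}],
     "to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]}

# A tighter variant (assumed ranges): DNS only to kube-dns, 3307 only to the
# Cloud SQL private range, HTTPS to the Internet but not to RFC1918 space.
TIGHTER_SPEC = {"podSelector": {}, "policyTypes": ["Egress"], "egress": [
    {"ports": [{"port": 53, "protocol": "UDP"}],
     "to": [{"ipBlock": {"cidr": "10.0.0.10/32"}}]},
    {"ports": [{"port": 3307, "protocol": "TCP"}],
     "to": [{"ipBlock": {"cidr": "10.20.0.0/24"}}]},
    {"ports": [{"port": 443, "protocol": "TCP"}],
     "to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                          "except": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}}]}]}


if __name__ == "__main__":
    for label, spec in [("question", QUESTION_SPEC), ("answer", ANSWER_SPEC), ("tighter", TIGHTER_SPEC)]:
        print(label, evaluate(spec, FLOWS))
```

Running it shows the question's policy allowing only the loopback flow (which it never controlled in the first place) and blocking every real egress, which matches the `dial tcp: i/o timeout` against googleapis.com. The answer's policy allows DNS and HTTPS but, as modelled, still blocks port 3307 to the instance's IP, so a policy derived from it should carry an explicit TCP/3307 rule scoped to the Cloud SQL address range rather than relying on wide-open egress. The tighter variant also sets `policyTypes: [Egress]` explicitly, because a policy that lists egress rules but no `policyTypes` still gets `Ingress` by default and would then deny all inbound traffic to the selected pods.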
