yellowhat
Reputation: 539
GKE node pool tags and firewall rules
I have a GCP project with:
- VPC:
subnet0: cidr10.1.0.0/24subnet1: cidr10.2.0.0/24
- GKE cluster in the
subnet0subnet and:- pods cidr:
172.16.0.0/18 - service cidr:
172.16.64.0/20 - node pool tags:
gke-pool
- pods cidr:
- a VM instance in the
subnet1subnet and tagsagent
I would like to create a firewall rules that would allow pods in the GKE cluster to connect to the VM, so I have created the following firewall rule:
network:VPCdirection:INGRESS- source tags:
gke-pool - target tags:
agent - port: 80/tcp
But it does not work.
Instead if I set the source range to the pods cidr (172.16.0.0/18) it works.
Any suggestions?
Upvotes: 2
Views: 1763
Answers (1)
boredabdel
Reputation: 2140
That's because you are using a VPC Native Cluster. VPC Native clusters are the default mode and they made the Pod IP's visible in the VPC. This means when a pod talks to a destination which is on VPC, the IP of the Pod is NOT Source Nated behind the Node IP.
You have two options:
- Use the Pod CIDR in your firewall rule as you mentionned.
- Use the IP masq Agent to hide the Pod IP's behind the Node IP's.
Upvotes: 3
Related Questions
- GKE Web Application Network Access Control
- How to add an configure GKE node pool access scope
- GKE Mulitple networking
- Kubernetes Ingress Firewall rules
- Adding firewall rule for GKE nodes
- GKE nodes binding to a gateway
- how do I add a firewall rule to a gke service?
- Different Firewall Rules for Kubernetes Cluster
- Firewall at container level in GCP
- GCloud Firewall rules on network load balancer