Firewall rule to allow GKE -> GCR traffic in separate projects

0
votes

I am running Kubernetes in GCP and I have the GKE cluster and the container registry in separate projects. I added the GKE service account to my GCR project and everything works great.

Now, I would like to restrict any outgoing traffic from my GKE project at the compute level. I have added an egress firewall rule to drop any traffic going out of my VPC network. As a consequence, GKE can't pull images from the registry anymore. I added another firewall rule to allow egress traffic for the GKE service account, but to get it to work I had to add "0.0.0.0/0 all ports" as destination filter. Is there a better way to do this? Is there an IP address range / port for GCR?

Thanks!

4
google-compute-enginegoogle-container-registrygoogle-kubernetes-engine

4 Answers

0
votes

GCR does not have a dedicated IP address range. I am unaware of a way to restrict traffic only for GCR.

Sorry.

0
votes

There is actually a way to do it.

Create a VPC network and enable the Private Google Access. As you can read in the documentation:

Accessible Services

Google services that you can reach using Private Google access include:

Container registry services, a private Docker image repository on Google Cloud Platform

Then don't allow any connection in the firewall, and it will be blocked by default. With this you will get a GKE cluster that isn't reachable but it will be able to pull images in the GCR.

0
votes

I found for some reason gcr.io resolves to aws fqdn, so private google access does not work. In my case the cluster is private, so I had to add a cloud nat and allow 443 out. I was able to pull after the firewall rule was created.