1
votes

Cloud Platform: GCP

Kubernetes Engine: GKE

For a Kubernetes service with Type=LoadBalancer, a corresponding automatic firewall gets created to allow from 0.0.0.0/0, and the name of the firewall starts with k8s-fw.*

The more LoadBalancer services we have for a cluster, the more automatic firewalls get created.

Is it possible to keep only one firewall rule for a cluster, as all the firewall rules are the same?

I tested it by deleting the firewall rule of a newly created LoadBalancer service, as there was already a firewall in place for the other LoadBalancer service, and I was able to access the application with the new LoadBalancer IP.

Please confirm if this can be done.

1
Does this generate errors during deletion of the LB? As for the question of whether it could be done, maybe if you do it manually, but it's losing the interest of having a managed service and automating your infrastructure using tools. - night-gold
It is not giving any error. We are reaching the Firewall Quota limit. So manually deleting redundant firewall rules will be our ideal solution - k_vishwanath

1 Answer

2
votes

Yes, you can keep one and delete multiple firewall rules (which get created to allow from 0.0.0.0/0 and whose names start with k8s-fw.*) for different LoadBalancer services for applications within the same GKE cluster. But keep in mind that all the targetPorts should be added to the firewall rule that you are keeping to allow from 0.0.0.0/0.
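
The caveat in the answer above, as a dry-run check (an added example, not part of the original answer): it groups `k8s-fw` rules that share network, source ranges and target tags, and reports which ports the kept rule would still need before the others are deleted. The input is constructed sample data in the field layout of `gcloud compute firewall-rules list --format=json`; `plan_consolidation`, `port_set` and all rule names, tags and ports are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample (made-up names, tags and ports; "network" shortened from the
# full URL) in the field layout of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""[
 {"name": "k8s-fw-a111", "network": "default", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["gke-demo-node"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "k8s-fw-b222", "network": "default", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["gke-demo-node"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "k8s-fw-c333", "network": "default", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["gke-demo-node"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "k8s-fw-d444", "network": "default", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["gke-other-node"], "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
 {"name": "allow-ssh", "network": "default", "sourceRanges": ["10.0.0.0/8"],
  "targetTags": ["gke-demo-node"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")

def port_set(rule):
    """Return the set of (protocol, port) pairs a firewall rule allows."""
    pairs = set()
    for entry in rule.get("allowed", []):
        # A rule without "ports" allows every port of that protocol.
        for port in entry.get("ports", ["all"]):
            pairs.add((entry["IPProtocol"], port))
    return pairs

def plan_consolidation(rules, prefix="k8s-fw"):
    """Group auto-created rules that differ only in ports and plan one keeper per group."""
    groups = defaultdict(list)
    for rule in rules:
        if not rule["name"].startswith(prefix):
            continue  # leave hand-written rules alone
        key = (rule["network"],
               tuple(sorted(rule.get("sourceRanges", []))),
               tuple(sorted(rule.get("targetTags", []))))
        groups[key].append(rule)
    plans = []
    for members in groups.values():
        members.sort(key=lambda r: r["name"])
        keeper, redundant = members[0], members[1:]
        needed = set().union(*(port_set(r) for r in members))
        plans.append({"keep": keeper["name"],
                      "delete": [r["name"] for r in redundant],
                      # Ports that stop being reachable unless added to the keeper first.
                      "ports_to_add": sorted(needed - port_set(keeper))})
    return plans
```

A rule whose target tags differ belongs to other nodes and is never merged, so each group gets its own keeper.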