1
votes

I want to install Jenkins using its official Helm chart on GKE.

I want to expose the agent service (port 50000) using a LoadBalancer (I will be hitting it from some remote agents).

Will this annotation

service.beta.kubernetes.io/load-balancer-source-ranges: "172.0.0.0/8, 10.0.0.0/8"

also help secure a GCP load balancer, or is it only applicable on AWS?

Will the agents initiated internally in GKE still have to pass through the internet to reach the service, or will they be routed internally to the corresponding agent service?

1 Answer

2
votes

If you are asking about the capability to whitelist firewalls using the 'loadBalancerSourceRanges' parameter, the service.beta.kubernetes.io/load-balancer-source-ranges annotation is supported and often used on GCP.

Here is an example LoadBalancer service with defined source ranges:

apiVersion: v1
kind: Service
metadata:
  name: example-loadbalancer
  annotations:
    service.beta.kubernetes.io/load-balancer-source-ranges: "172.0.0.0/8, 10.0.0.0/8"
spec:
  type: LoadBalancer
  ports:
  - protocol: TCP
    port: 8888
    targetPort: 8888

Unlike Network Load Balancing, access to TCP Proxy Load Balancing cannot be controlled by using firewall rules. This is because TCP Proxy Load Balancing is implemented at the edge of the Google Cloud and firewall rules are implemented on instances in the data center.

Useful documentation: gcp-external-load-balancing, load-balancing.
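An added example, not part of the original question or answer: a Python check that parses the source-ranges annotation value shown above and reports which parts of each CIDR fall outside the RFC 1918 private blocks. The function names are hypothetical and IPv4 entries are assumed; the sample value is the one from this page.

```python
import ipaddress

# RFC 1918 private IPv4 blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_source_ranges(value):
    """Split the comma-separated annotation value into IPv4 networks."""
    # strict=False masks off any host bits instead of raising ValueError.
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in value.split(",") if part.strip()]


def non_private_parts(net):
    """Return the sub-ranges of `net` that lie outside every RFC 1918 block."""
    remaining = [net]
    for private in RFC1918:
        kept = []
        for r in remaining:
            if r.subnet_of(private):
                continue                      # fully private, nothing left over
            if private.subnet_of(r):
                kept.extend(r.address_exclude(private))  # carve the private block out
            else:
                kept.append(r)                # disjoint from this private block
        remaining = kept
    return sorted(remaining)


def audit_source_ranges(value):
    """Map each CIDR in the annotation to its publicly routable sub-ranges."""
    return {str(net): [str(p) for p in non_private_parts(net)]
            for net in parse_source_ranges(value)}


if __name__ == "__main__":
    annotation = "172.0.0.0/8, 10.0.0.0/8"    # value from the manifest on this page
    for cidr, public in audit_source_ranges(annotation).items():
        if public:
            print(f"{cidr}: also admits non-private ranges {', '.join(public)}")
        else:
            print(f"{cidr}: entirely inside RFC 1918 space")
```

Only 172.16.0.0/12 is private within 172.0.0.0/8, so the first entry admits far more than internal clients; narrowing it to the /12 (or to the agents' actual egress addresses) keeps the allowlist tight.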