0
votes

So I'm trying to achieve the following:

- Via Terraform, deploy Rancher 2 on GCE
- Create a K8s cluster
- Add firewall rules so the nodes are able to talk back to the Rancher master VM.

I was able to add a firewall rule with the external IPs of the nodes to access the Rancher master, but instead of adding the IPs I should be able to use a tag. Google Kubernetes Engine creates a Compute Engine instance group:

 gke-c-wlvrt-default-0-5c42eb4e-grp

When I add in the firewall rules:

Target Tag: rancher-master
Source Tag: gke-c-wlvrt-default-0-5c42eb4e-grp

nothing works.

when I change it to:

Target Tag: rancher-master
Source IP: 35.xx.xx.xx, 35.xx.xx.xx.xx, 35.xx.x.xxx.x

it works.

So how do I get the tags for the Kubernetes nodes working on the firewall rule?


2 Answers

3
votes

You aren't using the correct tag. To find it, go to the Compute Engine page and click on the details of a VM. You can see this:


The instance group name is not the same as the network tag name. Use the network tag instead of the instance group name.

You can also see these values when you go to the instance group page and then to the instance template details.

UPDATE

Because you can't know (or I don't know how to find out) the network tag applied to the VM, you can use a special trick on GCP.

Start by updating your node pool definition with a service account:

resource "google_service_account" "sa-node" {
  account_id   = "sa-node"
  display_name = "sa-node"
}

resource "google_container_node_pool" "primary_preemptible_nodes" {
  name       = "my-node-pool"
  location   = "us-central1"
  cluster    = google_container_cluster.primary.name
  node_count = 1

  node_config {
    preemptible  = true
    machine_type = "n1-standard-1"
    # Nodes run as this dedicated service account; the firewall rule
    # below matches on it instead of on a network tag.
    service_account = google_service_account.sa-node.email
    # ... remaining node_config settings unchanged
  }
}

Then define a firewall rule using the service account as the source, instead of the network tag:

resource "google_compute_firewall" "default" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }

  # Match traffic by the identity the nodes run as, not by a network tag
  source_service_accounts = [google_service_account.sa-node.email]
}

Sadly, you can't mix a target tag and a source service account, but you can use a target service account. Thus, do the same thing on Rancher: use a specific service account for your Rancher deployment and that should work.

Hope this helps!

1
votes

I'm not really sure if the problem described here is the same, but you could add another tag to the VMs (the GKE nodes).

My issue was that I wanted to add another port to the auto-generated firewall rule of GKE.

resource "google_container_node_pool" "node_pool" {
  # ...
  node_config {
    # Extra network tag applied to every node in the pool
    tags = [
      module.vpc_network.private
    ]
  }
  # ...
}

resource "google_compute_firewall" "master_webhooks" {
  # ...
  # The same tag is the target of the firewall rule
  target_tags   = [module.vpc_network.private]
  # ...
}
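As an added example that is not part of either answer above, here is one Terraform layout that wires both approaches end to end: the node pool carries both a custom network tag (the second answer's approach) and a dedicated service account (the first answer's approach), the Rancher master VM carries the matching tag and its own service account, and two firewall rules show the two ways of matching. The resource names sa-node, sa-rancher, gke-node and rancher-master, the network google_compute_network.default, the cluster google_container_cluster.primary, and the image, machine types and zone are assumptions; ports 80 and 443 are the Rancher 2 server ports.

```hcl
# Added example, not from the answers above. Assumed names: sa-node,
# sa-rancher, gke-node, rancher-master, google_compute_network.default
# and google_container_cluster.primary.

# Dedicated identity per side, so firewall rules can match on it instead
# of on an IP address that changes whenever a node is replaced.
resource "google_service_account" "sa-node" {
  account_id   = "sa-node"
  display_name = "GKE node pool identity"
}

resource "google_service_account" "sa-rancher" {
  account_id   = "sa-rancher"
  display_name = "Rancher master VM identity"
}

# A custom node service account starts with no roles; give it only what
# the node agents need for logging and monitoring.
resource "google_project_iam_member" "node_roles" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
  ])
  project = google_service_account.sa-node.project
  role    = each.value
  member  = "serviceAccount:${google_service_account.sa-node.email}"
}

resource "google_container_node_pool" "primary_nodes" {
  name       = "my-node-pool"
  location   = "us-central1"
  cluster    = google_container_cluster.primary.name
  node_count = 1

  node_config {
    machine_type    = "n1-standard-1"
    tags            = ["gke-node"]                         # matched by rule A
    service_account = google_service_account.sa-node.email # matched by rule B
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
  }
}

resource "google_compute_instance" "rancher" {
  name         = "rancher-master"
  machine_type = "n1-standard-2"
  zone         = "us-central1-a"
  tags         = ["rancher-master"]                        # matched by rule A

  boot_disk {
    initialize_params {
      image = "ubuntu-os-cloud/ubuntu-1804-lts"
    }
  }

  # No access_config block: the VM gets only an internal IP, so agents
  # reach it on an address that tag and service-account matching covers.
  network_interface {
    network = google_compute_network.default.name
  }

  service_account {
    email  = google_service_account.sa-rancher.email       # matched by rule B
    scopes = ["cloud-platform"]
  }
}

# Rule A (second answer): network tags on both sides.
resource "google_compute_firewall" "nodes_to_rancher_by_tag" {
  name    = "nodes-to-rancher-by-tag"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["80", "443"] # Rancher 2 server ports
  }

  source_tags = ["gke-node"]
  # Rancher agents run as pods; pod traffic keeps the pod's alias IP, which
  # source tags never match, so allow the cluster's pod range as well.
  source_ranges = [google_container_cluster.primary.cluster_ipv4_cidr]
  target_tags   = ["rancher-master"]
}

# Rule B (first answer): service accounts on both sides. A rule with
# source_service_accounts cannot also use target_tags, hence the SA target.
resource "google_compute_firewall" "nodes_to_rancher_by_sa" {
  name    = "nodes-to-rancher-by-sa"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }

  source_service_accounts = [google_service_account.sa-node.email]
  source_ranges           = [google_container_cluster.primary.cluster_ipv4_cidr]
  target_service_accounts = [google_service_account.sa-rancher.email]
}
```

Either rule on its own is enough; keep one and delete the other. The caveat worth knowing is that source tags and source service accounts identify a VM by its primary internal IP, not by its external address or its alias ranges. Traffic from a node to the Rancher master's external IP arrives from the node's external address (the 35.x.x.x sources in the question), which no tag or service account matches; that is why the external-IP rule worked and the tag rule did not. Point the Rancher server URL at the master's internal address, and because the agents run as pods, allow the cluster's pod range as a plain source range alongside the tag or service account.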