1
votes
  • I have a Compute Engine instance with persistent file storage that I need outside of my GKE cluster.
  • I would like to open a specific TCP port on the Compute Engine instance so that only nodes within the GKE cluster can access it.
  • The Compute Engine instance and GKE cluster are in the same GCP project, network, and subnet.
  • The GKE cluster is not private and I have an ingress exposing the only service I want exposed to the internet.

I've tried creating firewall rules of three different types that do not work:

  • By shared service account on both Compute Engine instance and K8s nodes.
  • By network tags - (yes I am using the network tags as explicitly specified on the VM instance page).
  • By IP address, where I use network tag for target and private IANA IP ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for source.

The only thing that works is the last option but using 0.0.0.0/0 for source IP range.

I've looked at a few related questions such as:

But I'm not looking to make my GKE cluster private and I have tried to create the firewall rules using network tags to no avail.

What am I missing or is this not possible?

1
How do you reach your VM? With a private IP? Do your VMs have public IPs? Do you have an app or add-on installed on GKE, such as Istio? – guillaume blaquiere
@guillaumeblaquiere From my K8s services, I reach the Compute Engine instance via its internal IP. The Compute Engine instance has an ephemeral external IP (come to think of it, it would be sufficient to disable the ephemeral external IP)... I am not using any service mesh app, Istio or otherwise. – Eric H.
And you can't reach your VM from your GKE cluster, right? What's the IP of the node? – guillaume blaquiere
Yes, I can reach my VM from the GKE cluster. The issue is making sure the external IP is closed off to the Internet. – Eric H.
Can you share your firewall rules? – guillaume blaquiere

1 Answer

3
votes

Not sure how I missed this, fairly certain I tried something similar a couple months back but must have had something else misconfigured.

On the GKE cluster Details page, there is a pod address range. Setting the firewall source range to the GKE pod address range gave me the desired outcome.

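The two rules this thread compares, evaluated offline as an added example (this is not code from the question, the answer, or Google). The constructed rules below copy the JSON shape that `gcloud compute firewall-rules list --format=json` returns (name, direction, disabled, priority, sourceRanges, targetTags, allowed): one rule open to 0.0.0.0/0, which is what "worked" in the question, and one scoped to the pod address range, which is what the answer recommends. The network tag `storage-vm`, the TCP port 2049, the pod range 10.52.0.0/14 and the sample source IPs are assumptions for the example.

```python
"""
Offline check of GCP VPC firewall rules: which rules admit a given source
IP to a given TCP port on a tagged VM, and which of them are world-open.

Sample rules are constructed to match the JSON shape printed by
`gcloud compute firewall-rules list --format=json`. Tag, port, pod range
and sample IPs are assumptions, not values from the original page.
"""
import ipaddress

TARGET_TAG = "storage-vm"   # assumed network tag on the Compute Engine VM
PORT = 2049                 # assumed TCP port that should only be reachable from GKE
POD_RANGE = "10.52.0.0/14"  # assumed pod address range from the cluster Details page
INTERNET_PROBE = "203.0.113.9"  # RFC 5737 documentation address standing in for "any internet host"

# Constructed sample rules: the over-broad rule from the question and the
# pod-scoped rule from the answer, both targeting the same VM tag.
SAMPLE_RULES = [
    {
        "name": "allow-storage-from-anywhere",
        "direction": "INGRESS",
        "disabled": False,
        "priority": 1000,
        "sourceRanges": ["0.0.0.0/0"],
        "targetTags": [TARGET_TAG],
        "allowed": [{"IPProtocol": "tcp", "ports": [str(PORT)]}],
    },
    {
        "name": "allow-storage-from-gke-pods",
        "direction": "INGRESS",
        "disabled": False,
        "priority": 1000,
        "sourceRanges": [POD_RANGE],
        "targetTags": [TARGET_TAG],
        "allowed": [{"IPProtocol": "tcp", "ports": [str(PORT)]}],
    },
]


def _port_allowed(entry, port):
    """True if one 'allowed' entry covers TCP `port`; a missing 'ports' key means all ports."""
    if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
        return False
    ports = entry.get("ports")
    if not ports:
        return True
    for spec in ports:                       # "2049" or "8000-8080"
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_admits(rule, src_ip, port, target_tag):
    """True if an enabled INGRESS allow rule lets src_ip reach TCP `port` on a VM carrying target_tag."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    tags = rule.get("targetTags")
    if tags and target_tag not in tags:      # no targetTags means the rule applies to every instance
        return False
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return False
    return any(_port_allowed(a, port) for a in rule.get("allowed", []))


def admitting_rules(rules, src_ip, port, target_tag=TARGET_TAG):
    """Names of the rules that admit src_ip to `port` on the tagged VM, sorted."""
    return sorted(r["name"] for r in rules if rule_admits(r, src_ip, port, target_tag))


def world_open_rules(rules, port, target_tag=TARGET_TAG):
    """Rules that let an arbitrary internet address reach `port` on the tagged VM."""
    return admitting_rules(rules, INTERNET_PROBE, port, target_tag)


def hardened_rules(rules):
    """Drop every rule whose source range is the whole internet (IPv4 or IPv6)."""
    return [r for r in rules
            if not ({"0.0.0.0/0", "::/0"} & set(r.get("sourceRanges", [])))]


if __name__ == "__main__":
    pod_ip = "10.52.3.7"       # assumed pod IP inside POD_RANGE
    print("world-open before:", world_open_rules(SAMPLE_RULES, PORT))
    fixed = hardened_rules(SAMPLE_RULES)
    print("world-open after: ", world_open_rules(fixed, PORT))
    print("pod still admitted:", admitting_rules(fixed, pod_ip, PORT))
```

Run it against real data by replacing `SAMPLE_RULES` with the parsed output of `gcloud compute firewall-rules list --format=json`; the pod range itself is printed by `gcloud container clusters describe CLUSTER --zone ZONE --format='value(clusterIpv4Cidr)'`. One caveat the thread does not cover: the pod-range rule only matches traffic that arrives with a pod IP as its source, so any traffic that leaves the cluster masqueraded to a node IP (for example from hostNetwork pods) would need the node subnet added to the source ranges as well.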