Correct Egress rules when using deny-all on Google Container Engine

5/5/2017

I'm trying to figure out what Egress rules must be allowed for the Google Container Engine to function properly.

I am currently using the following rules:

# Lowest-priority catch-all: deny every egress destination.
gcloud beta compute firewall-rules create "outbound-deny" \
    --action DENY --rules all --direction "EGRESS" --priority "65531" \
    --network "secure-vpc" --destination-ranges "0.0.0.0/0"
# Evaluated before the deny: allow egress to private 10.0.0.0/8 only.
gcloud beta compute firewall-rules create "outbound-internal" \
    --allow all --direction "EGRESS" --priority "65530" \
    --network "secure-vpc" --destination-ranges "10.0.0.0/8"

With these rules in place, creating a cluster in this network will fail. It does create all the machines, network rules, etc. The Kubernetes cluster still never reports the nodes as alive.

-- csharptest.net
google-cloud-platform
google-kubernetes-engine
kubernetes
networking

1 Answer

7/26/2017

I think you need to permit the traffic to K8s Master. To retrieve it:

MASTER_IP=$(gcloud container clusters describe $CLUSTER --zone $ZONE --format="value(endpoint)")
-- Davide Belloni
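The answer retrieves the master endpoint but stops short of the firewall rule that uses it. The script below is an added example, not code from the question or the answer: it looks up the endpoint the same way, refuses to proceed unless the value is an IPv4 address (an empty or odd value would otherwise be interpolated into --destination-ranges), and creates a single /32 egress allow for TCP/443 at priority 65529 so it is evaluated before the question's outbound-internal (65530) and outbound-deny (65531) rules. CLUSTER, ZONE and NETWORK are assumed placeholder names, the rule name allow-egress-gke-master is invented, and the command uses the GA gcloud command rather than the 2017 beta prefix. Set GCLOUD=echo to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original question or answer).
# Assumptions: CLUSTER, ZONE and NETWORK are your own values; the deny-all and
# internal rules use the priorities from the question (65531 and 65530).
# Set GCLOUD=echo to print the gcloud commands instead of executing them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Return 0 when the argument is a dotted-quad IPv4 address, 1 otherwise.
# The endpoint string ends up in --destination-ranges, so refuse anything that
# is not an address (for example an empty string from a failed describe call).
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Look up the cluster's master endpoint, as the answer above does.
get_master_ip() {
    "$GCLOUD" container clusters describe "$1" --zone "$2" --format="value(endpoint)"
}

# Create an EGRESS allow rule for TCP/443 to the master address only.
# Priority 65529 is evaluated before outbound-internal (65530) and
# outbound-deny (65531), so the carve-out is one /32, not 0.0.0.0/0 again.
allow_master_egress() {
    network="$1"; master_ip="$2"
    is_ipv4 "$master_ip" || { echo "invalid master IP: '$master_ip'" >&2; return 1; }
    "$GCLOUD" compute firewall-rules create "allow-egress-gke-master" \
        --action ALLOW --rules tcp:443 --direction EGRESS --priority 65529 \
        --network "$network" --destination-ranges "$master_ip/32"
}

# Usage: CLUSTER=my-cluster ZONE=us-central1-a NETWORK=secure-vpc sh this-script.sh
if [ -n "${CLUSTER:-}" ]; then
    allow_master_egress "$NETWORK" "$(get_master_ip "$CLUSTER" "$ZONE")"
fi
```

The master endpoint is normally a public address, so the question's 10.0.0.0/8 allow does not cover it and the node agents cannot register with the API server; this rule fixes only that path. A deny-all egress policy also blocks the nodes' other outbound needs (pulling container images, reaching Google APIs), which need their own narrowly scoped carve-outs rather than a return to allow-all.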
Source: StackOverflow