Firewall rule to allow GKE -> GCR traffic in separate projects

12/15/2017

I am running Kubernetes in GCP and I have the GKE cluster and the container registry in separate projects. I added the GKE service account to my GCR project and everything works great.

Now, I would like to restrict any outgoing traffic from my GKE project at the compute level. I have added an egress firewall rule to drop any traffic going out of my VPC network. As a consequence, GKE can't pull images from the registry anymore. I added another firewall rule to allow egress traffic for the GKE service account, but to get it to work I had to add "0.0.0.0/0 all ports" as destination filter. Is there a better way to do this? Is there an IP address range / port for GCR?

Thanks!

-- fraibacas
google-compute-engine
google-container-registry
google-kubernetes-engine

4 Answers

9/4/2018

A little old, but you can use a GKE private cluster: https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters

-- Charles Walker
Source: StackOverflow

12/18/2017

GCR does not have a dedicated IP address range. I am unaware of a way to restrict traffic only for GCR.

Sorry.

-- k4leung4
Source: StackOverflow

8/8/2019

I found that, for some reason, gcr.io resolves to an AWS FQDN, so Private Google Access does not work. In my case the cluster is private, so I had to add a Cloud NAT and allow 443 out. I was able to pull after the firewall rule was created.

-- fp99
Source: StackOverflow

1/30/2018

There is actually a way to do it.

Create a VPC network and enable Private Google Access. As you can read in the documentation:

Accessible Services

Google services that you can reach using Private Google access include:

Container registry services, a private Docker image repository on Google Cloud Platform

Then don't allow any connection in the firewall, and it will be blocked by default. With this you will get a GKE cluster that isn't reachable, but it will be able to pull images from GCR.

-- Katie Sinatra
Source: StackOverflow
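The following Terraform configuration is an added example, not code from the question or from any of the answers above. It puts the question's set-up (default-deny egress plus an allow rule scoped to the GKE node service account) next to the narrower shape the 1/30/2018 answer points at: the subnet gets Private Google Access, the allow rule is limited to TCP/443 towards the private.googleapis.com VIP instead of "0.0.0.0/0 all ports", and a private Cloud DNS zone pins gcr.io to that VIP so pulls stay on Google's network regardless of what public DNS returns. The DNS zone goes beyond what the answers state; it is the set-up Google's Private Google Access documentation describes for Container Registry. Project id, network and subnet names, region, CIDR and the node service account e-mail are placeholders; the range 199.36.153.8/30 is the documented private.googleapis.com VIP, and both it and the registry hostnames should be checked against current Google documentation before use.

```hcl
# Added example (not from the question or any answer on this page).
# Placeholders: GKE_PROJECT_ID, the node service account e-mail, names, region, CIDR.
variable "gke_project"   { default = "GKE_PROJECT_ID" }
variable "node_sa_email" { default = "gke-nodes@GKE_PROJECT_ID.iam.gserviceaccount.com" }

# private_ip_google_access is the subnet-level switch the 1/30/2018 answer refers to.
resource "google_compute_network" "gke" {
  project                 = var.gke_project
  name                    = "gke-net"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "gke_nodes" {
  project                  = var.gke_project
  name                     = "gke-nodes"
  region                   = "us-central1"
  network                  = google_compute_network.gke.id
  ip_cidr_range            = "10.10.0.0/20"
  private_ip_google_access = true
}

# 1. Default-deny egress, as in the question. Priority 65000 beats the implied
#    allow-egress rule (65535); lower numbers win in GCP firewall rules.
resource "google_compute_firewall" "deny_all_egress" {
  project            = var.gke_project
  name               = "deny-all-egress"
  network            = google_compute_network.gke.name
  direction          = "EGRESS"
  priority           = 65000
  destination_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
}

# 2a. The rule the asker had to write: any destination, any port, for the node SA.
#     Kept here only for comparison; it cancels the deny rule for those nodes.
resource "google_compute_firewall" "allow_gke_sa_egress_broad" {
  project                 = var.gke_project
  name                    = "allow-gke-sa-egress-broad"
  network                 = google_compute_network.gke.name
  direction               = "EGRESS"
  priority                = 1000
  destination_ranges      = ["0.0.0.0/0"]
  target_service_accounts = [var.node_sa_email]
  allow { protocol = "all" }
}

# 2b. Narrow replacement: TCP/443 only, to the private.googleapis.com VIP only,
#     and only from nodes running as the GKE node service account.
#     199.36.153.8/30 is the VIP documented by Google; verify before applying.
resource "google_compute_firewall" "allow_google_apis_egress" {
  project                 = var.gke_project
  name                    = "allow-google-apis-egress"
  network                 = google_compute_network.gke.name
  direction               = "EGRESS"
  priority                = 900
  destination_ranges      = ["199.36.153.8/30"]
  target_service_accounts = [var.node_sa_email]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# 3. Private zone so gcr.io and *.gcr.io resolve to the VIP inside this VPC.
#    Node DNS goes to the metadata server, which firewall rules never block.
resource "google_dns_managed_zone" "gcr" {
  project    = var.gke_project
  name       = "gcr-io"
  dns_name   = "gcr.io."
  visibility = "private"
  private_visibility_config {
    networks { network_url = google_compute_network.gke.id }
  }
}

resource "google_dns_record_set" "gcr_a" {
  project      = var.gke_project
  managed_zone = google_dns_managed_zone.gcr.name
  name         = "gcr.io."
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
}

resource "google_dns_record_set" "gcr_wildcard" {
  project      = var.gke_project
  managed_zone = google_dns_managed_zone.gcr.name
  name         = "*.gcr.io."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["gcr.io."]
}
```

Apply it with the broad rule (2a) still present, confirm pulls succeed, then delete resource 2a and re-apply; if pulls still succeed with only 2b in place, the cluster's egress is limited to the registry path and nothing else. Watching the VPC flow logs or firewall rule logging for hits on `deny-all-egress` from the node service account is the quickest way to spot any other destination the cluster was quietly depending on.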