I want to write a minimal egress NetworkPolicy for a workload running on GKE that needs to talk to the apiserver.
Is there any way of doing this other than creating the cluster, getting the address of the LB fronting the apiserver(s) and then templating this into a NetworkPolicy? Is there any way of picking an external apiserver IP beforehand that can remain static over cluster recreates? Or, as a last resort, getting some list of CIDRs that GKE will always choose the apiserver LB IP from?
The best choice is to use Calico by enabling network policy on GKE; check this documentation, and here are some tips to allow or deny ingress or egress.
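For reference, here is the kind of "minimal egress NetworkPolicy" the question describes, with the apiserver address templated in. This is an added example, not part of the question or the answer above. The namespace `my-ns`, the label `app=my-workload` and the address `203.0.113.10/32` are placeholders; the real control-plane endpoint is the one listed by `kubectl get endpoints kubernetes -n default`, and it is that endpoint IP (not the `kubernetes` service ClusterIP) that the policy must name, because policy is enforced on the pod's traffic after the ClusterIP has been translated. The DNS rule assumes GKE's default kube-dns deployment (label `k8s-app=kube-dns` in `kube-system`).

```yaml
# Added example (not from the question or the answer): egress-only policy
# for pods labelled app=my-workload that may reach only the GKE control
# plane endpoint and cluster DNS. Everything else outbound is denied once
# this policy selects the pod.
#
# Placeholders / assumptions:
#   - namespace "my-ns" and label app=my-workload are hypothetical
#   - 203.0.113.10/32 stands in for the apiserver endpoint IP, i.e. the
#     address shown by:  kubectl get endpoints kubernetes -n default
#     (name the endpoint IP, not the kubernetes service ClusterIP)
#   - kube-dns in kube-system carries label k8s-app=kube-dns (GKE default)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-apiserver
  namespace: my-ns
spec:
  podSelector:
    matchLabels:
      app: my-workload
  policyTypes:
    - Egress            # only egress is restricted; ingress is left alone
  egress:
    # 1. Control plane endpoint on 443. Because an egress policy now selects
    #    the pod, this list is the complete set of allowed destinations.
    - to:
        - ipBlock:
            cidr: 203.0.113.10/32   # PLACEHOLDER: apiserver endpoint IP
      ports:
        - protocol: TCP
          port: 443
    # 2. Cluster DNS, so kubernetes.default.svc still resolves inside the pod.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Check the effect after applying it: from a selected pod, `kubernetes.default.svc:443` should still answer, while any other outbound address (a public site, another namespace's service) should time out. If the cluster is recreated and the control-plane endpoint changes, only the `ipBlock` value needs re-templating; the DNS rule is stable across recreates.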