Can we use tags in firewall rules to allow traffic from pods in one GKE cluster to pods in another that uses IP aliases?

7/15/2019

I want to allow traffic from pods running on a gke cluster to another cluster (vpc native). Is it possible to do this using node tags? I gave it a try and it doesn't seem to work. It only works with source-ranges. Can someone please confirm this is the case? Or is it that I'm missing something?

I created two clusters (1.12.8-gke.10), one tagged with routing-test and the other tagged with central-cluster.

Using source-tags in the firewall rules won't work, while using source-ranges works.

For example, I have

gcloud container clusters create routing-test-1 --zone us-east1-d \
--no-enable-legacy-authorization --no-enable-basic-auth \
--tags routing-test --num-nodes 1

gcloud container clusters create routing-central --region us-east1 \
--no-enable-legacy-authorization --enable-ip-alias --no-enable-basic-auth \
--tags central-cluster --num-nodes 1

This works:

gcloud compute --project=cicd-clusters firewall-rules create allow-traffic-test-1 \
--direction=INGRESS --priority=1000 --network=default --action=ALLOW \
--rules=tcp:80 --source-ranges=10.16.0.0/14 --target-tags=central-cluster

While this won't work:

gcloud compute --project=cicd-clusters firewall-rules create allow-traffic-test-2 \
--direction=INGRESS --priority=1000 --network=default --action=ALLOW \
--rules=tcp:80 --source-tags=routing-test --target-tags=central-cluster
-- Dima Kassab
firewall
google-kubernetes-engine
networking

0 Answers
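Added example (not part of the question or of any answer): a small POSIX shell helper that reads the source cluster's pod CIDR (the `clusterIpv4Cidr` field) from a constructed stand-in for `gcloud container clusters describe --format=json` output and composes the `--source-ranges` form of the rule that the question reports as the working one, so the range is taken from the cluster rather than typed by hand. The project id, rule name and sample JSON are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Derives --source-ranges for a
# GKE-to-GKE firewall rule from the source cluster's pod CIDR.

# Constructed stand-in for:
#   gcloud container clusters describe routing-test-1 --zone us-east1-d --format=json
SAMPLE_DESCRIBE='{
  "name": "routing-test-1",
  "clusterIpv4Cidr": "10.16.0.0/14",
  "nodeConfig": { "tags": ["routing-test"] }
}'

# pod_cidr: read describe JSON on stdin, print clusterIpv4Cidr (no jq needed).
# Returns 1 if the field is missing or does not look like an IPv4 CIDR.
pod_cidr() {
  cidr=$(sed -n 's/.*"clusterIpv4Cidr": *"\([^"]*\)".*/\1/p' | head -n 1)
  case "$cidr" in
    *.*.*.*/[0-9]|*.*.*.*/[0-9][0-9]) printf '%s\n' "$cidr" ;;
    *) return 1 ;;
  esac
}

# firewall_rule_cmd PROJECT RULE_NAME SOURCE_CIDR TARGET_TAG
# Composes (does not run) the ingress rule: pods in SOURCE_CIDR -> tcp:80 on
# nodes carrying TARGET_TAG. Printed so it can be reviewed before applying.
firewall_rule_cmd() {
  project=$1 name=$2 cidr=$3 target=$4
  printf 'gcloud compute --project=%s firewall-rules create %s' "$project" "$name"
  printf ' --direction=INGRESS --priority=1000 --network=default --action=ALLOW'
  printf ' --rules=tcp:80 --source-ranges=%s --target-tags=%s\n' "$cidr" "$target"
}

# Demo: cluster description -> pod CIDR -> rule command for the central cluster.
demo_cidr=$(printf '%s' "$SAMPLE_DESCRIBE" | pod_cidr) || {
  echo "could not determine pod CIDR from cluster description" >&2
  exit 1
}
firewall_rule_cmd cicd-clusters allow-traffic-test-1 "$demo_cidr" central-cluster
```

In practice the JSON comes from `gcloud container clusters describe` on the source cluster; swap the sample in for that output and review the printed command before running it.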