stackdriver ip range to allow in kubernetes network policy on gke

8/7/2019

We are running some Node.js code on GKE and are directly logging to Stackdriver using Google's @google-cloud/logging-winston library - the logging is working, that's not an issue. We are also using Kubernetes network policies to limit traffic to/from our pods.

I can't figure out which IP ranges to allow in the egress policy to get the Stackdriver logging working. When I allow all destinations, the logging is working, but I would like to narrow that down a bit...

-- Mizaru
google-kubernetes-engine
kubernetes-networkpolicy
stackdriver

2 Answers

8/7/2019

The IPs where Stackdriver logging API requests are sent can be found using this command:

dig @8.8.8.8 googleapis.com

You should get the following IPs as a result:

googleapis.com.         299     IN      A       74.125.141.147
googleapis.com.         299     IN      A       74.125.141.104
googleapis.com.         299     IN      A       74.125.141.103
googleapis.com.         299     IN      A       74.125.141.99
googleapis.com.         299     IN      A       74.125.141.106
googleapis.com.         299     IN      A       74.125.141.105
-- Milad
Source: StackOverflow
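As an added example (not code from the answer, the asker, or Google), this is how the addresses above would be expressed as a Kubernetes NetworkPolicy on GKE. It assumes the logging pods carry the label app: logger, that the kube-system namespace has the kubernetes.io/metadata.name label (set automatically on current Kubernetes releases) and that kube-dns pods carry k8s-app: kube-dns; the /32 entries are only the addresses this particular dig returned.

```yaml
# Added example: egress policy pinned to the A records quoted above.
# Assumptions (not from the page): logging pods are labelled app: logger,
# kube-system carries kubernetes.io/metadata.name, kube-dns pods carry k8s-app: kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-stackdriver-logging
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: logger
  policyTypes:
  - Egress
  egress:
  # 1. DNS: without this rule the pod cannot resolve googleapis.com at all,
  #    so the policy looks like it blocks logging even with the right IPs listed.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # 2. HTTPS to the googleapis.com addresses returned by the dig above.
  #    These are /32 entries for one snapshot; a later dig (other resolver,
  #    region or time) can return addresses outside this list.
  - to:
    - ipBlock:
        cidr: 74.125.141.147/32
    - ipBlock:
        cidr: 74.125.141.104/32
    - ipBlock:
        cidr: 74.125.141.103/32
    - ipBlock:
        cidr: 74.125.141.99/32
    - ipBlock:
        cidr: 74.125.141.106/32
    - ipBlock:
        cidr: 74.125.141.105/32
    ports:
    - protocol: TCP
      port: 443
```

The policy does not stop the pod from resolving a new address, only from reaching it, so a stale list shows up as dropped log writes rather than DNS errors; that is the failure mode to watch for when pinning /32s.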

8/8/2019

I'm not sure if using DNS answers is a valid approach, as the current DNS result is only a part of the truth. Depending on the DNS server I use, the location my "digging" computer is located at and the time I'm resolving the DNS name, I get different answers to the same question:

my PC using my local resolver:

dig googleapis.com +noall +answer

; <<>> DiG 9.10.6 <<>> googleapis.com +noall +answer
;; global options: +cmd
googleapis.com.     261 IN  A   216.58.207.132

my PC using Google's DNS server:

dig @8.8.8.8 googleapis.com +noall +answer

; <<>> DiG 9.10.6 <<>> @8.8.8.8 googleapis.com +noall +answer
; (1 server found)
;; global options: +cmd
googleapis.com.     106 IN  A   172.217.22.196

running "dig" from a container running in the GKE environment:

 # dig googleapis.com +noall +answer

; <<>> DiG 9.12.4-P2 <<>> googleapis.com +noall +answer
;; global options: +cmd
googleapis.com.     299 IN  A   172.217.16.196

same GKE container, but about 10 mins later:

 # dig googleapis.com +noall +answer

; <<>> DiG 9.12.4-P2 <<>> googleapis.com +noall +answer
;; global options: +cmd
googleapis.com.     299 IN  A   172.217.18.164

That's why I'm looking for some documentation that's telling me the IP nets in question... Google owns so many IP nets, and only my 4 dig commands already answered with IPs out of 4 different networks...

-- Mizaru
Source: StackOverflow