Network Policy to access Google Cloud Storage Bucket

8/26/2019

I have a GKE cluster running that hosts an app that needs access to the storage buckets. For that purpose I am making use of gsutil.

The current Network Policy is very restrictive and I only allow access to endpoints that really need it. With my policy in place, if I log in to my Pod and run gsutil ls, I get

jenkins@ptbkn:~$ gsutil ls
INFO 0826 18:13:03.702595 retry_util.py] Retrying request, attempt #1...
INFO 0826 18:14:05.556362 retry_util.py] Retrying request, attempt #2...
INFO 0826 18:15:09.331261 retry_util.py] Retrying request, attempt #3...

But the moment I take down the Network Policy, I can see all my buckets.

jenkins@ptbkn:~$ gsutil ls
gs://abc/
gs://xyz/
.
.

Now I'm unsure of how I can specify the Network Policy rules. Meaning that I'm unaware of what IP ranges / hostnames / ports I should add to my network policy to whitelist Google Cloud Storage. Can someone help me out with this?

-- Jason Stanley
google-cloud-platform
google-cloud-storage
google-kubernetes-engine
kubernetes-networkpolicy

1 Answer

8/27/2019

You could try adding dl.google.com and www.googleapis.com; this will help for gsutil. Also, in this Google Documentation the example mentions an IP range 199.36.153.4/30 for Google APIs and Services.

-- Adad O.
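As an added example (not part of the question or the answer above), here is how the answer's IP-range suggestion would be written as an egress NetworkPolicy, since a Kubernetes NetworkPolicy can only match IP blocks and selectors, not hostnames like www.googleapis.com. It assumes the gsutil pod is labelled `app: jenkins` in a namespace `ci`, that kube-dns runs in `kube-system` with the label `k8s-app: kube-dns` and that the namespace carries the `kubernetes.io/metadata.name` label (set automatically on recent Kubernetes), and that DNS in the cluster resolves `*.googleapis.com` to the 199.36.153.4/30 range (the restricted.googleapis.com VIP) as the referenced Google setup requires.

```yaml
# Added example, not the question's or answer's own manifest.
# Assumed labels/namespaces: app=jenkins in namespace "ci",
# k8s-app=kube-dns in "kube-system".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gcs-egress
  namespace: ci
spec:
  podSelector:
    matchLabels:
      app: jenkins
  policyTypes:
    - Egress
  egress:
    # DNS: gsutil has to resolve storage.googleapis.com before it can
    # open any TCP connection, so kube-dns must be reachable on port 53.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # HTTPS to the Google APIs range cited in the answer. This only works
    # when cluster DNS maps *.googleapis.com to this range; otherwise the
    # client resolves public Google IPs and the policy still blocks it.
    - to:
        - ipBlock:
            cidr: 199.36.153.4/30
      ports:
        - protocol: TCP
          port: 443
```

After applying it, re-run `gsutil ls` from the pod; if it still loops on "Retrying request", check from inside the pod that `storage.googleapis.com` resolves to an address within 199.36.153.4/30, since a resolution to any other address is dropped by this policy.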
Source: StackOverflow