GKE Ingress opening port

1/20/2020

I created a Google Cloud Kubernetes cluster with some API containers. They are exposed now using a load balancer. But now I need to migrate to an ingress load balancer. So I exposed them via NodePort and set up the ingress load balancer.

But now I have the problem that I need to add a firewall rule to open the NodePorts. Otherwise my Ingress health check fails. Did I do something wrong? Or is adding the firewall rule the only possibility? If yes, is there any possibility to just allow traffic from the ingress/health check? Otherwise I can contact my services through the IP of the nodes.

Thanks

-- fredalex
gke-networking
google-kubernetes-engine
kubernetes-ingress

2 Answers

1/20/2020

In Kubernetes, there are three general approaches to exposing your application:

  1. use a Kubernetes service of type LoadBalancer, which creates an external load balancer that points to a Kubernetes service in your cluster
  2. use a Kubernetes Ingress Resource
  3. use a Kubernetes service of type NodePort, which exposes the application on a port across each of your nodes

A LoadBalancer service is the standard way to expose a service to the internet. On GKE, this will spin up a Network Load Balancer that will give you a single IP address that will forward all traffic to your service.

Ingress is actually NOT a type of service. Instead, it sits in front of multiple services and acts as a “smart router” or entrypoint into your cluster. The default GKE ingress controller will spin up an HTTP(S) Load Balancer for you. This will let you do both path-based and subdomain-based routing to backend services. For example, you can send everything on foo.yourdomain.com to the foo service, and everything under the yourdomain.com/bar/ path to the bar service.

A NodePort service is the most primitive way to get external traffic directly to your service. NodePort, as the name implies, opens a specific port on all the Nodes (the VMs), and any traffic that is sent to this port is forwarded to the service.

You can find more information here and here.

Back to your question, as you can find in the documentation:

You can create HTTP(S) load balancers by using an Ingress resource. HTTP(S) load balancers are designed to terminate HTTP(S) requests and can make better context-aware load balancing decisions. They offer features like customizable URL maps and TLS termination. GKE automatically configures health checks for HTTP(S) load balancers.

and

By default, Ingress performs a periodic health check by making a GET request on the / path to determine health of the application, and expects HTTP 200 response. If you want to check a different path or to expect a different response code, you can use a custom health check path.

In addition, have a look at the available Ingress Controllers, I'd recommend you to check at least NGINX Ingress Controller, Traefik and Istio to find the best one for your project.

If you still have a problem please update your question with .yaml files to make it more clear.

EDIT: I tried to follow the steps in the documentation and it works for me on my test cluster without any additional firewall configuration.

-- Serhii Rohoza
Source: StackOverflow

1/20/2020

HTTP(S) Load Balancers' health check is done through a pool of IP addresses that you need to open in your firewall rules.

This is the doc that explains everything. You would just open the traffic for the following IP ranges, and it should work fine:

  • 35.191.0.0/16
  • 130.211.0.0/22

-- suren
Source: StackOverflow
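Added example (not from either answer): a small script that builds the `gcloud` firewall rule opening only the Kubernetes NodePort range to the two health-check source ranges quoted above, plus a check that an existing rule's source ranges are not wider than those two. The rule name, VPC network name (`default`) and node network tag (`gke-node`) are placeholders; the NodePort range 30000-32767 is the Kubernetes default.

```shell
#!/usr/bin/env bash
# Scope the NodePort firewall opening to Google's HTTP(S) LB health-check
# ranges instead of 0.0.0.0/0. Placeholder values: network "default",
# node tag "gke-node", rule name "allow-gke-lb-healthcheck".
set -eu

HC_RANGES="35.191.0.0/16,130.211.0.0/22"   # ranges from the answer above
NODEPORT_RANGE="tcp:30000-32767"           # Kubernetes default NodePort range

# Print the gcloud command that creates the rule. Arguments: rule name,
# VPC network, node network tag (all placeholders supplied by the caller).
gke_healthcheck_fw_cmd() {
  rule_name="$1"; network="$2"; node_tag="$3"
  printf '%s' "gcloud compute firewall-rules create $rule_name" \
    " --network=$network --direction=INGRESS --action=ALLOW" \
    " --rules=$NODEPORT_RANGE --source-ranges=$HC_RANGES" \
    " --target-tags=$node_tag"
  printf '\n'
}

# Return 0 only if every source range in the list is one of the two
# health-check ranges, i.e. the rule is not wider than needed. The input is
# what `gcloud compute firewall-rules describe RULE
# --format='value(sourceRanges)'` prints (';'-separated); ',' is accepted too.
hc_ranges_only() {
  ranges="$1"
  [ -n "$ranges" ] || return 1
  for r in $(printf '%s' "$ranges" | tr ';,' '  '); do
    case "$r" in
      35.191.0.0/16|130.211.0.0/22) ;;   # expected health-check sources
      *) return 1 ;;                      # anything else is too broad
    esac
  done
  return 0
}

# When run directly, only print the command unless DRY_RUN=0 is set.
if [ "${DRY_RUN:-1}" = "1" ]; then
  gke_healthcheck_fw_cmd allow-gke-lb-healthcheck default gke-node
else
  eval "$(gke_healthcheck_fw_cmd allow-gke-lb-healthcheck default gke-node)"
fi
```

Run `hc_ranges_only "$(gcloud compute firewall-rules describe allow-gke-lb-healthcheck --format='value(sourceRanges)')"` after creation to confirm the rule was not accidentally opened to the whole internet.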