So I'm trying to achieve the following:
- Via Terraform deploy Rancher 2 on GCE
- Create a K8s cluster
- Add firewall rules so the nodes are able to talk back to the Rancher master VM.
I was able to add a firewall rule with the external IPs of the nodes to access the Rancher master, but instead of adding the IPs I should be able to use a tag. Google Kubernetes Engine creates a Compute Engine instance group:
gke-c-wlvrt-default-0-5c42eb4e-grp
When I add in the firewall rules:
Target Tag: rancher-master
Source Tag: gke-c-wlvrt-default-0-5c42eb4e-grp
nothing works.
when I change it to:
Target Tag: rancher-master
Source IP: 35.xx.xx.xx, 35.xx.xx.xx.xx, 35.xx.x.xxx.x
it works.
So how do I get the tags for the Kubernetes nodes working in the firewall rule?
You aren't using the correct tag. To find it, go to the Compute Engine page and click on the details of a VM. You can see this:
The instance group name is not the same as the network tag name. Use the network tag instead of the instance group name.
You can also see these values when you go to the instance group page, and you go to the instance template detail.
UPDATE
Because you can't (or I don't know how to) know the network tag applied to the VM, you can use a special trick on GCP.
Start by updating your node pool definition with a service account:
resource "google_service_account" "sa-node" {
  account_id   = "sa-node"
  display_name = "sa-node"
}

resource "google_container_node_pool" "primary_preemptible_nodes" {
  name       = "my-node-pool"
  location   = "us-central1"
  cluster    = google_container_cluster.primary.name
  node_count = 1

  node_config {
    preemptible     = true
    machine_type    = "n1-standard-1"
    # Identity the firewall rule keys on instead of a network tag
    service_account = google_service_account.sa-node.email
    # ....
  }
}
Then define a firewall rule using the service account as the source, instead of the network tag:
resource "google_compute_firewall" "default" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }

  # Only traffic from VMs running as sa-node matches this rule
  source_service_accounts = [google_service_account.sa-node.email]
}
Sadly, you can't mix a target tag and a source service account, but you can use a target service account. Thus, do the same thing on Rancher. Use a specific service account for your Rancher deployment and that should work.
Hope this helps!
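Putting the answer's last step into practice, here is an added example (not code from the question or the answer above) that gives the Rancher master its own service account and ties the node-to-master rule to both identities, so neither IPs nor network tags are involved. The names `sa-rancher`, `rancher-master`, the zone, the image and port 443 are assumptions; `sa-node` and `google_compute_network.default` are the resources defined in the answer.

```hcl
# Service account that identifies the Rancher master VM (assumed name).
resource "google_service_account" "sa-rancher" {
  account_id   = "sa-rancher"
  display_name = "sa-rancher"
}

# Rancher master VM; machine type, zone and image are assumptions.
resource "google_compute_instance" "rancher_master" {
  name         = "rancher-master"
  machine_type = "n1-standard-2"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "ubuntu-os-cloud/ubuntu-1804-lts"
    }
  }

  network_interface {
    network = google_compute_network.default.name
    access_config {} # ephemeral external IP
  }

  # This identity is what target_service_accounts below matches on.
  service_account {
    email  = google_service_account.sa-rancher.email
    scopes = ["cloud-platform"]
  }
}

# Node-to-master rule keyed on identities instead of IPs or network tags.
# Because target_service_accounts is set, target_tags must not be used.
resource "google_compute_firewall" "nodes_to_rancher" {
  name    = "gke-nodes-to-rancher"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["443"] # assumed: HTTPS port the Rancher agents connect to
  }

  source_service_accounts = [google_service_account.sa-node.email]
  target_service_accounts = [google_service_account.sa-rancher.email]
}
```

Only VMs whose service account is `sa-node` (the GKE node pool) can reach VMs running as `sa-rancher`, and the rule keeps working when nodes are recreated with new external IPs.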