0

I have a Kubernetes cluster running on the Google Cloud Platform. Port 443 is exposed through an Ingress controller. I am trying to use the VPC firewall rules to block access from anything other than a Cloudflare IP. I have the following rules setup (I know they are disabled right now)

Firewall rules

As far as I know this should work, but they don't seem to block anything. Looking at the rules, they are applying to the correct nodes.

Only when applying the 'allow-no-one' rule to all ports does it actually do anything (but I think it breaks the internal communication in the cluster)

Does anyone have a clue why this does not work?

Black Magic
  • 131
  • 1
  • 7

2 Answers2

2

You didn't show if there's a default rule. Assuming there's not, you need both. You need to turn on the all-no-one rule to establish a baseline of no one gets in to the web ports, then make sure that with a higher priority is the allow-only-cloudflare to override that.

If there's other legit traffic between nodes on that vpc, then you should put in another rule for something like "allow local http", and whatever your subnet is, say 10.1.1.0/24, put that in as the source.

If not all nodes need web traffic, then you should probably create that rule with a tag, like "http_allowed", and put that network tag on any nodes you want to get that rule.

Ron Jarrell
  • 146
  • 2
  • There are a few default rules created (I think mostly for the management of the Pods and Pod interconnectivity). The two rules I have are: no-one-allowed (lower prio) and only-cloudflare-allowed (higher prio). Only pods that require outside connectivity are bound with ingress, so no need to block the ports in the Firewall. – Black Magic Sep 23 '20 at 07:12
0

I figured out how to do it a different way, I used Cloud Armor to create a policy which only allowed the cloudflare IPs

Black Magic
  • 131
  • 1
  • 7