
For testing purposes I want to make the GKE API endpoint publicly available. However, I can't seem to be able to create a firewall rule to allow this. I receive the error `"source_ranges": conflicts with destination_ranges` with the following Terraform code to create it.

Any idea why I can't allow internet traffic but filter on destination IP? Thanks.

```hcl
resource "google_compute_firewall" "gke_api_allow" {
  name        = "gke-${var.cluster_name}-allow-firewall"
  project     = var.project_id
  network     = google_compute_network.gke_cluster_vpc.name
  description = "Main firewall that allows traffic to GKE cluster API public endpoint."

  priority  = 9
  direction = "INGRESS"

  allow {
    ports    = [443]
    protocol = "tcp"
  }

  destination_ranges = ["${google_container_cluster.gke_cluster.endpoint}/32"]
  source_ranges      = ["0.0.0.0/0"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

1 Answer

Google Kubernetes Engine (GKE) automatically creates firewall rules in Google Cloud.

Warning: Do not modify or delete firewall rules created by GKE, or you might encounter unexpected behavior in your clusters.

The priority for all automatically created firewall rules is 1000, which is the default value for firewall rules. If you would like more control over firewall behavior, you can create firewall rules with a higher priority. Firewall rules with a higher priority are applied before automatically created firewall rules.

GKE creates the following ingress firewall rule when creating a Service.

Name: k8s-fw-[loadbalancer-hash]

Purpose: Permits ingress traffic to reach a Service.

Source: Specified in the Service manifest. Defaults to 0.0.0.0/0 (any source)

Destination: Node tag

Protocol and ports: TCP and UDP on the ports specified in the Service manifest.

There is a similar issue with a provided workaround.

Pit
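As an added example (not code from the question or the answer), an INGRESS rule that scopes its destination with `target_tags`, the way the google provider expects instead of the `destination_ranges` it reports as conflicting with `source_ranges`, and that keeps its priority below the 1000 that GKE's own rules use, as the answer describes. One caveat: the GKE control plane endpoint is Google-managed and lives outside the VPC, so a VPC firewall rule can only gate traffic to nodes in the VPC, not to the cluster API endpoint itself. The VPC resource name, the `gke-node` tag and `var.trusted_cidrs` are assumptions.

```hcl
# Added example, not from the question or answer. Placeholders:
# google_compute_network.gke_cluster_vpc, the node tag "gke-node",
# and var.trusted_cidrs.

variable "trusted_cidrs" {
  description = "Source CIDRs allowed to reach the nodes (constructed sample value)."
  type        = list(string)
  default     = ["203.0.113.0/24"] # RFC 5737 documentation range, a placeholder
}

# Ingress rule whose destination is expressed via target_tags rather than
# destination_ranges, which the provider rejects next to source_ranges here.
resource "google_compute_firewall" "gke_nodes_allow_443" {
  name        = "gke-nodes-allow-443"
  project     = var.project_id
  network     = google_compute_network.gke_cluster_vpc.name
  description = "Allow HTTPS from trusted ranges to tagged GKE nodes."

  # Lower number means higher priority; GKE's automatic rules sit at 1000,
  # so this rule is evaluated before them.
  priority  = 900
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  # Keep the source narrow; 0.0.0.0/0 would expose the port to the whole Internet.
  source_ranges = var.trusted_cidrs
  target_tags   = ["gke-node"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Nodes must carry the `gke-node` network tag (for example through the node pool's `tags` list) for the rule to match them.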