
My Setup

I have a GKE cluster with network policy enabled.

I have a network policy to block all ingress and egress:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all-traffic
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

In my cluster I have multiple deployments that use Google-managed services such as Pub/Sub and Datastore.

I want to allow those connections.

Suggested Solution

The only way I found to do this is by getting all of Google's IPs and allowing all of them. An example of how to get those can be found here: https://gist.github.com/n0531m/f3714f6ad6ef738a3b0a

This is problematic for two main reasons:

  1. If those IPs change, then my cluster will fail to contact Google services.
  2. Security-wise this is bad because I am allowing any Google IP here, including GCP clients, and not only the specific Google services.

My Question

How can I allow connections to these services using a network policy? What is the best practice in such a case?

Montoya
I would suggest you make sure that GKE system workloads still get required access. For example, logging/monitoring is quite essential and blocking it may reduce the amount of support you can get. No metrics can also mean that GKE will have a harder time knowing if there is something wrong with your cluster. There are a few of those workloads and I'd recommend excluding them from the policy using labels (most of them are in kube-system). On your original question, https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#limitations_and_requirements seems to have a static IP. – kwiesmueller Mar 06 '22 at 03:19
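The second concern in the question (allowing every Google range, GCP customer VMs included) can be narrowed: Google publishes goog.json (all ranges Google announces) and cloud.json (the subset assigned to Google Cloud customer resources), and the difference between the two is the set used by Google's own services. The script below is an added example and is not code from the question, the comment, or the linked gist. It assumes those two files keep the `{"prefixes": [{"ipv4Prefix": ...}, {"ipv6Prefix": ...}]}` layout, uses a constructed, shortened stand-in for them so it runs offline, and emits a NetworkPolicy that re-allows DNS to kube-system (a default-deny egress policy also blocks lookups to kube-dns) plus TCP 443 to the computed ranges. The function and sample names are mine.

```python
"""Build a NetworkPolicy that allows egress only to Google service ranges.

Added example, not from the question or any answer. Assumes Google's published
range files https://www.gstatic.com/ipranges/goog.json (all Google ranges) and
https://www.gstatic.com/ipranges/cloud.json (ranges assigned to Google Cloud
customers), both shaped like {"prefixes": [{"ipv4Prefix": ...}, {"ipv6Prefix": ...}]}.
Subtracting cloud.json from goog.json leaves the ranges used by Google services
themselves, which removes the "any GCP client can reach me" problem.
"""
import ipaddress
import json

# Constructed sample data in the shape of goog.json / cloud.json. These are NOT
# the real files (which are far longer); they only exercise the logic.
GOOG_SAMPLE = {"prefixes": [
    {"ipv4Prefix": "8.8.4.0/24"},
    {"ipv4Prefix": "34.64.0.0/10"},
    {"ipv6Prefix": "2001:4860::/32"},
]}
CLOUD_SAMPLE = {"prefixes": [
    {"ipv4Prefix": "34.64.0.0/11", "service": "Google Cloud", "scope": "asia-east1"},
    {"ipv4Prefix": "34.80.0.0/15", "service": "Google Cloud", "scope": "asia-east2"},
    {"ipv4Prefix": "35.190.0.0/17", "service": "Google Cloud", "scope": "global"},
    {"ipv6Prefix": "2600:1900::/35", "service": "Google Cloud", "scope": "global"},
]}


def _networks(doc):
    """Yield ip_network objects for every prefix entry in a range document."""
    for entry in doc["prefixes"]:
        prefix = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if prefix:
            yield ipaddress.ip_network(prefix, strict=True)


def _subtract(nets, excludes):
    """Remove every network in `excludes` from the networks in `nets`."""
    kept = []
    for net in nets:
        pieces = [net]
        for ex in excludes:
            if ex.version != net.version:
                continue
            carved = []
            for piece in pieces:
                if piece.subnet_of(ex):          # fully covered: drop it
                    continue
                if ex.subnet_of(piece):          # partially covered: carve out
                    carved.extend(piece.address_exclude(ex))
                else:                            # disjoint: keep as is
                    carved.append(piece)
            pieces = carved
        kept.extend(pieces)
    return kept


def service_ranges(goog, cloud):
    """CIDRs present in goog.json but not in cloud.json, IPv4 first, collapsed."""
    remaining = _subtract(list(_networks(goog)), list(_networks(cloud)))
    result = []
    for version in (4, 6):
        same = [n for n in remaining if n.version == version]
        if same:  # collapse_addresses wants a single address family per call
            result.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return result


def build_egress_policy(cidrs, name="allow-google-services", namespace="default",
                        pod_labels=None, ports=(443,)):
    """Return a NetworkPolicy (as a dict) allowing DNS plus TCP `ports` to `cidrs`.

    The DNS rule relies on the kubernetes.io/metadata.name namespace label,
    which Kubernetes sets automatically on 1.21+ clusters (assumption).
    """
    dns_rule = {
        "to": [{"namespaceSelector": {"matchLabels": {
            "kubernetes.io/metadata.name": "kube-system"}}}],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
    }
    api_rule = {
        "to": [{"ipBlock": {"cidr": cidr}} for cidr in cidrs],
        "ports": [{"protocol": "TCP", "port": p} for p in ports],
    }
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": name, "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": pod_labels} if pod_labels else {},
            "policyTypes": ["Egress"],
            "egress": [dns_rule, api_rule],
        },
    }


if __name__ == "__main__":
    # kubectl accepts JSON manifests:  python3 policy.py > policy.json && kubectl apply -f policy.json
    ranges = service_ranges(GOOG_SAMPLE, CLOUD_SAMPLE)
    print(json.dumps(build_egress_policy(ranges, pod_labels={"app": "worker"}), indent=2))
```

Replacing the two sample dicts with the downloaded files gives a policy scoped to Google services rather than to every GCP tenant. The first concern in the question (ranges changing) is not solved by this, only made manageable: NetworkPolicy matches IP blocks, not hostnames, so the script has to be re-run and the policy re-applied whenever the published files change.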

0 Answers