
how do I add a firewall rule to a gke service?

It's not clear to me how to do this.

I create a service for my cluster like this:

kubectl expose deployment my-deployment --type=LoadBalancer --port 8888 --target-port 8888

And now my service is accessible from the internet on port 8888. But I don't want that, I only want to make my service accessible from a list of specific public IPs. How do I apply a GCP firewall rule to a specific service? It's not clear how this works and why by default the service is accessible publicly from the internet.

red888 Avatar asked Nov 24 '18 04:11

red888



2 Answers

Since the load balancer is within your network, you can create an ingress firewall rule to deny or allow whatever source IP with a "tag" (assuming you have your authorized IPs in mind). After you create your firewall tag, modify the instance template your cluster's instance group uses by adding the tag to it and roll the update on the instance group; that way all your cluster nodes will have the tag that restricts those IPs.

You can also refer to Restrict Access For LoadBalancer Service for more control.

Alioua Avatar answered Sep 24 '22 00:09

Alioua


loadBalancerSourceRanges seems to work and also updates the dynamically created GCE firewall rules for the service

apiVersion: v1
kind: Service
metadata:
  name: na-server-service
spec:
  type: LoadBalancer
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  loadBalancerSourceRanges:
  - 50.1.1.1/32
red888 Avatar answered Sep 22 '22 00:09

red888
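A small defender-side check for manifests like the one in the answer above, added here as an example and not part of the original answer: it validates each entry in loadBalancerSourceRanges, flags a LoadBalancer Service that has no ranges or an all-sources range such as 0.0.0.0/0, and tests whether a given client IP would be admitted. The manifest is embedded as a dict (what a YAML loader would produce) so the script runs without extra packages.

```python
import copy
import ipaddress

# Constructed sample: the Service manifest from the answer above, as a dict.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "na-server-service"},
    "spec": {
        "type": "LoadBalancer",
        "ports": [{"protocol": "TCP", "port": 80, "targetPort": 80}],
        "loadBalancerSourceRanges": ["50.1.1.1/32"],
    },
}


def check_source_ranges(service):
    """Return a list of findings for a Service manifest; empty means OK.
    Only type: LoadBalancer is checked, other Service types are out of scope."""
    findings = []
    spec = service.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return findings
    ranges = spec.get("loadBalancerSourceRanges")
    if not ranges:
        findings.append("LoadBalancer without loadBalancerSourceRanges: open to the internet")
        return findings
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            try:
                # Parses with strict=False only if the CIDR is well-formed but has host bits set.
                ipaddress.ip_network(cidr, strict=False)
                findings.append(f"{cidr} has host bits set; the range is wider than it looks")
            except ValueError:
                findings.append(f"invalid CIDR: {cidr}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr} allows every source, same as no restriction")
    return findings


def client_allowed(service, client_ip):
    """True if client_ip falls inside any configured source range (or none are set)."""
    ranges = service.get("spec", {}).get("loadBalancerSourceRanges") or []
    if not ranges:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in ranges)


if __name__ == "__main__":
    print(check_source_ranges(SERVICE) or "OK", client_allowed(SERVICE, "50.1.1.1"))
```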