GKE 与 Google Cloud 上的 Compute Engine 之间的专用连接

Question

• I have a compute engine instance with persistent file storage that I need outside of my GKE cluster.
• I would like to open a specific TCP port on the Compute Engine instance so that only nodes within the GKE cluster can access it.
• The Compute Engine instance and GKE cluster are in the same GCP project, network, and subnet.
• The GKE cluster is not private and I have an ingress exposing the only service I want exposed to the internet.

I've tried creating firewall rules of three different types that do not work:

• By shared service account on both Compute Engine instance and K8s nodes.
• By network tags - (yes I am using the network tags as explicitly specified on the VM instance page).
• By IP address, where I use network tag for target and private IANA IP ranges 10.0.0.0/8 , 172.16.0.0/12 , and 192.168.0.0/16 for source.

The only thing that works is the last option but using 0.0.0.0/0 for source IP range.

I've looked at a few related questions such as:

• Google App Engine communicate with Compute Engine over internal network
• Can I launch Google Container Engine (GKE) in Private GCP network Subnet?

But I'm not looking to make my GKE cluster private and I have tried to create the firewall rules using network tags to no avail.

What am I missing or is this not possible?

Answer 1

Not sure how I missed this, fairly certain I tried something similar a couple months back but must have had something else misconfigured.

On the GKE cluster Details page, there is a pod address range. Setting the firewall source range to GKE pod address range gave me the the desired outcome.