
Private connection between GKE and Compute Engine on Google Cloud

  • I have a compute engine instance with persistent file storage that I need outside of my GKE cluster.
  • I would like to open a specific TCP port on the Compute Engine instance so that only nodes within the GKE cluster can access it.
  • The Compute Engine instance and GKE cluster are in the same GCP project, network, and subnet.
  • The GKE cluster is not private and I have an ingress exposing the only service I want exposed to the internet.

I've tried creating firewall rules of three different types that do not work:

  • By shared service account on both Compute Engine instance and K8s nodes.
  • By network tags - (yes I am using the network tags as explicitly specified on the VM instance page).
  • By IP address, where I use network tag for target and private IANA IP ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 for source.

The only thing that works is the last option but using 0.0.0.0/0 for source IP range.

I've looked at a few related questions such as:

But I'm not looking to make my GKE cluster private and I have tried to create the firewall rules using network tags to no avail.

What am I missing or is this not possible?

Not sure how I missed this, fairly certain I tried something similar a couple months back but must have had something else misconfigured.

On the GKE cluster Details page, there is a pod address range. Setting the firewall source range to the GKE pod address range gave me the desired outcome.

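The rule described in the answer, scripted with gcloud as an added example (not part of the original post): the pod address range is read from the cluster and used as the only allowed source, the VM's network tag is the target, and a single TCP port is opened. The project, cluster, zone, network tag and port are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Opens one TCP port on a tagged Compute
# Engine VM only for traffic whose source is inside the GKE pod address range.
# Assumed, hypothetical values: project my-project, cluster my-cluster in zone
# us-central1-a, VM network tag file-server, TCP port 2049, VPC network default.
set -eu

# The "Pod address range" on the cluster Details page is reported by gcloud as
# clusterIpv4Cidr. Returns the describe command as a string.
pod_cidr_lookup_cmd() {
  printf 'gcloud container clusters describe %s --zone %s --project %s --format=value(clusterIpv4Cidr)' \
    "$1" "$2" "$3"
}

# Compose the ingress rule: source = pod CIDR, target = the VM's network tag,
# a single TCP port. Arguments: name network pod_cidr tag port project.
firewall_rule_cmd() {
  printf 'gcloud compute firewall-rules create %s --project %s --network %s --direction INGRESS --action ALLOW --rules tcp:%s --source-ranges %s --target-tags %s' \
    "$1" "$6" "$2" "$5" "$3" "$4"
}

# Refuse to build a rule from anything that is not an IPv4 CIDR (for example an
# empty describe result), so a typo never silently becomes a 0.0.0.0/0-style rule.
is_ipv4_cidr() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

main() {
  pod_cidr="$($(pod_cidr_lookup_cmd my-cluster us-central1-a my-project))"
  if ! is_ipv4_cidr "$pod_cidr"; then
    echo "unexpected pod address range: '$pod_cidr'" >&2
    exit 1
  fi
  eval "$(firewall_rule_cmd allow-gke-pods-to-fileserver default "$pod_cidr" file-server 2049 my-project)"
}

# gcloud is only called when RUN_GCLOUD=1; otherwise the file just defines the functions.
if [ "${RUN_GCLOUD:-0}" = 1 ]; then
  main
fi
```

Run with `RUN_GCLOUD=1 sh thisfile.sh` after `gcloud auth login`; the resulting rule matches traffic leaving pods with their pod IP, which is what reaches the VM when both sit in the same VPC subnet.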
