Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from http://cloud.google.com/kubernetes-engine/docs/how-to/user-managed-firewall-rules below:

User-managed firewall rules for GKE LoadBalancer Services | Google Kubernetes Engine (GKE)

Stay organized with collections Save and categorize content based on your preferences.

This page describes how to disable the ingress allow VPC firewall rules that GKE creates for LoadBalancer Services.

Disabling these automatically created firewall rules for LoadBalancer Services can be useful in the following situations:

• If you have multiple LoadBalancer Services in two or more GKE clusters, managing firewall rules yourself can be more efficient. For example, instead of having GKE create a unique firewall rule for each LoadBalancer Service, your manually created firewall rules can allow inbound traffic for multiple LoadBalancerServices.
• You can use Hierarchical firewall policies, global network firewall policies, or regional network firewall policies instead of VPC firewall rules. Rules in these firewall policies support additional actions, more flexible targets, and features like geolocation, threat intelligence, address groups, and FQDNs.

To disable automatically created firewall rules for LoadBalancer Services, you must specify the --disable-l4-lb-firewall-reconciliation flag when you create or update a cluster. The --disable-l4-lb-firewall-reconciliation flag does not affect other automatically created VPC firewall rules, such as those facilitating communication between nodes or those that permit health checks for your Services.

• To use User-managed firewall rules for LoadBalancer Services, your GKE clusters must use version 1.31.3-gke.105600 or later.

GKE supports disabling the automatic creation of firewall rules for these types of LoadBalancer Services:

• Internal LoadBalancer Services using GKE subsetting
• Backend service-based external LoadBalancer Services

You cannot disable the automatic creation of firewall rules for these types of LoadBalancer Services:

• Internal LoadBalancer Services not using GKE subsetting
• Target pool-based external LoadBalancer Services

Before you start, make sure that you have performed the following tasks:

• Enable the Google Kubernetes Engine API.
Enable Google Kubernetes Engine API
• If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update. Note: For existing gcloud CLI installations, make sure to set the compute/region property. If you use primarily zonal clusters, set the compute/zone instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.

Before you disable automatic creation of VPC firewall rules for LoadBalancer Services in your GKE cluster, work with a Security Admin to develop a strategy for configuring firewall rules manually.

1. Decide which type of firewall policy to use: a hierarchical firewall policy, a global network firewall policy, or a regional network firewall policy. For steps to create a firewall policy, see:

   • Use hierarchical firewall policies and rules
   • Use global network firewall policies and rules
   • Use regional network firewall policies and rules

   You can also use VPC firewall rules, which don't use any policy.

2. Your manually created firewall rules must be ingress allow rules because the implied deny ingress firewall rule prohibits incoming traffic. When you've disabled the automatic creation of VPC firewall rules, incoming traffic won't reach your nodes unless you've created ingress allow firewall rules that match traffic for your LoadBalancer Services.

   Depending on the firewall rule's parameters, a single ingress allow firewall rule can apply to one or more LoadBalancer Services. For each ingress allow firewall rule you create, define the following parameters:

   • Target parameter: Ensure that the firewall rule at least includes all nodes of the cluster that contains the LoadBalancer Services. Supported targets depend on what type of firewall policy a rule is located in or if you're using a VPC firewall rule. For information about the target parameter of a rule in a firewall policy, see Targets.

   • Protocols and ports: Include all protocols and destination ports used by the LoadBalancer Services to which the firewall rule needs to apply.

   • Destination parameter: You can employ one of the following strategies for the destination parameter:

     • Include the IP addresses of all LoadBalancer Services to which the firewall rule needs to apply in the destination parameter. To find the IP address of a LoadBalancer Service, use the following command:

        kubectl get svc LOADBALANCER_NAME \
           -n NAMESPACE_NAME \
           -o jsonpath='{.status.loadBalancer.ingress[0].ip}
     

     • You can choose to omit the destination parameter. When the destination parameter is omitted, the target parameter defines the destinations implicitly. For more information, see Targets and IP addresses for ingress rules.

   • Source parameter: Specify the sources (for example, IP addresses) used by clients that need to connect to the Load Balancer Serfices to which the firewall rule needs to apply.

   For steps to create firewall rules, see:

   • Create firewall rules in a hierarchical firewall policy
   • Create global network firewall policy rules
   • Create regional network firewall policy rules
   • Create VPC firewall rules

3. To ensure that your manually created firewall rules are working correctly, run a Network Intelligence Center (NIC) Connectivity Test. When running the Connectivity Test:

   • Set the destination to the IP address of the LoadBalancer Service.
   • Set the source to the IP address of the client.

   For more information, see Troubleshoot connectivity issues.

This section describes steps to disable the automatic creation of VPC firewall rules for LoadBalancer Services.

1. To disable the automatically created VPC firewall rules for LoadBalancer Services in a newly created cluster, create the cluster with the --disable-l4-lb-firewall-reconciliation flag:

   Autopilot:

   gcloud container clusters create-auto CLUSTER_NAME \
     --disable-l4-lb-firewall-reconciliation \
     --cluster-version=VERSION
   

   Standard:

   gcloud container clusters create CLUSTER_NAME \
     --disable-l4-lb-firewall-reconciliation \
     --enable-l4-ilb-subsetting \
     --cluster-version=VERSION
   

   Replace the following:

   • CLUSTER_NAME: the name of the new cluster.
   • VERSION: the GKE version.

2. Create an external or internal LoadBalancer Service:

   • Create a backend service-based external load balancer.

   • Create an internal load balancer.

3. Verify that GKE doesn't create an ingress allow firewall rule for the LoadBalancer Service. (Automatically created ingress allow firewall rules have names of the following form: k8s2-[cluster-id]-[namespace]-[service-name]-[suffixhash]).

   The following command returns a list of firewall rules that contain k8s2:

   gcloud compute firewall-rules list --format="value(name)" | grep "k8s2"
   

   The response should return only the health check firewall rule of the form k8s2-[cluster-id]-[namespace]-[service-name]-[suffixhash]-fw if the externalTrafficPolicy parameter is set to Local. It uses the TCP port defined by the spec.healthCheckNodePort parameter. If unspecified, the Kubernetes control plane assigns a health check port from the node port range.

   k8s2-rkdld6go-default-ilb-svc-dluvsefq-fw  default  INGRESS  1000  tcp:30868  False
   

   If the externalTrafficPolicy parameter is set to Cluster, the following health check firewall rule is returned instead.

   k8s2-rkdld6go-l4-shared-hc-fw  default  INGRESS  1000  tcp:10256  False
   

   For more information about generated firewall rules for GKE Services, see Automatically created firewall rules.

Before disabling VPC firewall rules creation, note the following points about updating an existing cluster:

• When you update an existing cluster to disable VPC firewall rules creation, GKE doesn't delete any existing firewall rules that GKE automatically created for your LoadBalancer Services.
• GKE stops updating the existing rules and won't create new ones for the new LoadBalancer Services.
• To turn VPC firewall rules creation back on, you can use the --enable-l4-lb-firewall-reconciliation flag with the gcloud_name container clusters update command.

To disable the automatic firewall rule creation on an existing cluster:

1. Update the cluster to disable the automatic creation and management of firewall rules for LoadBalancer Services:

   gcloud container clusters update CLUSTER_NAME \
   --disable-l4-lb-firewall-reconciliation \
   --cluster-version=supported_version
   

   Replace the following:

   • CLUSTER_NAME: the name of the new cluster.
   • VERSION: the GKE version.

2. Create an external or internal LoadBalancer Service:

   • Create a backend service-based external load balancer.

   • Create an internal load balancer.

3. Verify that GKE doesn't create an ingress allow firewall rule for the LoadBalancer Service. (Automatically created ingress allow firewall rules have names of the following form: k8s2-[cluster-id]-[namespace]-[service-name]-[suffixhash]).

   The following command returns a list of firewall rules that contain k8s2:

   gcloud compute firewall-rules list --format="value(name)" | grep "k8s2"
   

   The response should return only the health check firewall rule of the form k8s2-[cluster-id]-[namespace]-[service-name]-[suffixhash]-fw if the externalTrafficPolicy parameter is set to Local. It uses the TCP port defined by the spec.healthCheckNodePort parameter. If unspecified, the Kubernetes control plane assigns a health check port from the node port range.

   k8s2-rkdld6go-default-ilb-svc-dluvsefq-fw  default  INGRESS  1000  tcp:30868  False
   

   If the externalTrafficPolicy parameter is set to Cluster, the following health check firewall rule is returned instead.

   k8s2-rkdld6go-l4-shared-hc-fw  default  INGRESS  1000  tcp:10256  False
   

   For more information about generated firewall rules for GKE Services, see Automatically created firewall rules.

The following examples illustrate how to use Network Intelligence Center Connectivity Tests to test connectivity to an external LoadBalancer Service:cluster:

• Network Intelligence Center:

  1. In the Google Cloud console, go to the Network Intelligence Center and start a new connectivity test.
  2. From the drop-down menu, choose Any external public IP address as the source and select your load balancer from the destination.
  3. Re-run the connectivity test.

• The gcloud CLI:

  The following example command creates and runs a test with your local workstation's public IP address as the source and the external load balancer's external IP address as the destination:

  gcloud network-management connectivity-tests create TEST_NAME \
  --source-ip-address=SOURCE_IP_ADDRESS \
  --source-network-type=NON_GCP_NETWORK \
  --destination-ip-address=$(kubectl get svc LOADBALANCER_NAME -o jsonpath='{.status.loadBalancer.ingress[0].ip}') \
  --destination-port=$(kubectl get svc LOADBALANCER_NAME -o jsonpath='{.spec.ports[0].targetPort}') \
  --destination-network=projects/PROJECT_ID/global/networks/NETWORK_NAME
  

  Replace the following:

  • TEST_NAME: A name for the connectivity test.
  • SOURCE_IP_ADDRESS: The IP address of the system that needs to connect to the external LoadBalancer Service. For example
  • LOADBALANCER_NAME: The name of the external LoadBalancer Service.
  • PROJECT_ID: The project ID of the project that contains the cluster's VPC network. If your cluster uses a Shared VPC network, use the project ID of the host project.
  • NETWORK_NAME: The name of your cluster's VPC network.

  Check test results:

  gcloud network-management connectivity-tests describe TEST_NAME
  

• Learn more about Firewall policies.
• Read Automatically created firewall rules for an overview of the ingress allow VPC firewall rules that GKE automatically creates by default.
• Read LoadBalancer Service parameters for a description of parameters for LoadBalancer Services.
• Learn about other Pre-populated firewall rules in Google Cloud.
• Learn more about Creating firewall rules in projects that use Shared VPC.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-12 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-12 UTC."],[],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4