
For training purposes, I'm trying to set up my own cluster on GCP without using GKE.

I have successfully created a cluster with kubeadm with 2 nodes. I'm running an nginx app and exposed it with NodePort. All my pods and services are running.

kubectl get nodes -owide

NAME       STATUS   ROLES                  AGE     VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                       KERNEL-VERSION   CONTAINER-RUNTIME
master-1   Ready    control-plane,master   4m43s   v1.20.0   10.132.0.2    <none>        Debian GNU/Linux 9 (stretch)   4.9.0-14-amd64   docker://19.3.14
worker-1   Ready    <none>                 3m9s    v1.20.0   10.132.0.3    <none>        Debian GNU/Linux 9 (stretch)   4.9.0-14-amd64   docker://19.3.14

kubectl get svc -owide

NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE   SELECTOR
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        37m   <none>
nginx        NodePort    10.102.241.17   <none>        80:30695/TCP   31m   app=nginx

Here is my google_compute_instance terraform:

resource "google_compute_instance" "default" {
    name = var.vm_name
    machine_type = "e2-standard-2"
    zone = "europe-west1-b"

    boot_disk {
        initialize_params {
            image = "debian-cloud/debian-9"
        }
    }

    network_interface {
        network = var.network
        access_config {
            // Include this section to give the VM an external IP address
        }
    }

    metadata_startup_script = file("./scripts/bootstrap.sh")

    tags = ["node"]
}

Here is my terraform firewall:

resource "google_compute_network" "vpc_network" {
  name = "k8s-node"
}

resource "google_compute_firewall" "default" {
  name    = "k8s-firewall"
  network = google_compute_network.vpc_network.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "6443", "30000-32767"]
  }

  source_tags = ["node"]
  source_ranges = ["0.0.0.0/0"]
}

With this config, I cannot access my instance at http://my-instance-ip:30695 … I get a timeout.

But it works when I allow all protocols and ports in the GCP console for my firewall rule k8s-firewall.
With all protocols and ports allowed, I can access my app properly at http://my-instance-ip:30695

What is the issue with my firewall? To me, it's supposed to work when I allow only the range between 30000 and 32767, as k8s uses this range for NodePort services.

2 Answers


  1. It looks like the problem is located in the following line:

      source_tags = ["node"]
    

    Just look at Source tags definition:

    Traffic is allowed only from sources with these tags. To enter more
    than one, press Return after each tag name.

    When accessing your Compute Engine VM from an arbitrary IP, that source IP does not have the "node" tag applied, so your traffic is still filtered out. Your current rule basically says: allow incoming traffic from all IP addresses, but also verify that it comes from sources with the "node" tag applied. If it does not, deny the traffic.

  2. source_tags does not control traffic arriving on the external IP address. Therefore the default rule is DENY for traffic that does not arrive from another instance.

    The only traffic that source_tags controls is traffic from other instances.

    The goal of your firewall rule is to control traffic going to tagged instances.

    Solution:

    Change source_tags to target_tags.

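As an added example (not the question's or either answer's Terraform), this is what the rule set looks like after the fix from the second answer, with target_tags selecting the instances the rule applies to. It also splits the single wide rule into three narrower ones, because opening 6443 and the whole NodePort range to 0.0.0.0/0, and "all protocols and ports" in the console, also exposes the kube-apiserver and the kubelet (10250) to the internet. Assumptions: the network is still google_compute_network.vpc_network, the VMs carry the network tag "node", and var.admin_cidr is a hypothetical variable holding the operator's public IP range.

```hcl
# Added example, not the poster's or answerers' code.
# Assumed: google_compute_network.vpc_network exists as in the question,
# instances are tagged "node", and var.admin_cidr is a hypothetical variable
# (for example "203.0.113.10/32") with the only range allowed to reach 6443.

variable "admin_cidr" {
  description = "CIDR allowed to reach the kube-apiserver (assumed value, e.g. your VPN egress IP)"
  type        = string
}

# Internet-facing NodePort range. target_tags picks the instances the rule is
# applied to; source_ranges picks who may send. Port 80 is not needed: the
# nginx Service is only reachable on its NodePort (30695), not on host port 80.
resource "google_compute_firewall" "k8s_nodeport" {
  name      = "k8s-nodeport"
  network   = google_compute_network.vpc_network.name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["30000-32767"]
  }

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["node"]
}

# kube-apiserver: reachable only from the admin CIDR, never from 0.0.0.0/0.
resource "google_compute_firewall" "k8s_apiserver" {
  name      = "k8s-apiserver"
  network   = google_compute_network.vpc_network.name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["6443"]
  }

  source_ranges = [var.admin_cidr]
  target_tags   = ["node"]
}

# Node-to-node traffic (kubelet 10250, etcd 2379-2380, the pod-network
# overlay). Here source_tags is the right field, because the sender really is
# another tagged instance in the same VPC, and this is the only place the
# kubelet and etcd ports should be open at all.
resource "google_compute_firewall" "k8s_internal" {
  name      = "k8s-internal"
  network   = google_compute_network.vpc_network.name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
  }
  allow {
    protocol = "udp"
  }
  allow {
    protocol = "icmp"
  }

  source_tags = ["node"]
  target_tags = ["node"]
}
```

After `terraform apply`, confirm which instances the NodePort rule is attached to with `gcloud compute firewall-rules describe k8s-nodeport --format='value(targetTags,sourceRanges)'` and retest with `curl -m 5 http://my-instance-ip:30695`; `curl -m 5 -k https://my-instance-ip:6443/version` should now time out from any address outside var.admin_cidr.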