How to secure your Kubernetes Cluster in Google Cloud: Keep everything accessible from within a network


lvthillo

Jan 16, 2018, 2:46:03 PM1/16/18
to kubernet...@googlegroups.com
I have read https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#restricting-network-access but I'm still left with some questions.
I'm using Google Cloud and I was able to create a Kubernetes cluster, persistent pods, services, replica sets, ingress LB etc.
I was able to access a pod, above which I had created a service + ingress, from the internet. On every machine I was able to visit it.

Now I only want this pod to be accessible from one network. But the pod itself needs access to the internet. For example a Jenkins instance. It's something which companies keep private, but it needs access (maybe through a proxy) to the internet.

What is the best or recommended way to create such a setup in Google Cloud? I can probably do this with firewalling, but isn't there a recommended/better/easier way than writing firewall rules?

Will this solution allow me to access the internet from inside the cluster? https://engineering.bitnami.com/articles/creating-private-kubernetes-clusters-on-gke.html

Itamar O

Jan 17, 2018, 5:06:04 AM1/17/18
to kubernet...@googlegroups.com
Not sure what you mean when you say "I was able to access a pod ... from the Internet" - can you provide more details on your setup?
As they are, pods are not accessible to incoming traffic - you have to front them with a Service in order to expose them to incoming traffic - so if that's the case - what type of Services are you using exactly?
Beyond that, a Service can be routable in higher levels (L7) with Ingress - if you have these, how exactly are they defined?

On Tue, Jan 16, 2018 at 9:46 PM lvthillo <lorenz.v...@gmail.com> wrote:
I have read https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#restricting-network-access but I'm still left with some questions.
I'm using Google Cloud and I was able to create a Kubernetes cluster, persistent pods, services, replica sets, ingress LB etc.
I was able to access a pod, above which I had created a service + ingress, from the internet. On every machine I was able to visit it.

Now I only want this pod to be accessible from one network. But the pod itself needs access to the internet. For example a Jenkins instance. It's something which companies keep private, but it needs access (maybe through a proxy) to the internet.

What is the best or recommended way to create such a setup in Google Cloud? I can probably do this with firewalling, but isn't there a recommended/better/easier way than writing firewall rules?


Timo Reimann

Jan 18, 2018, 3:25:33 AM1/18/18
to Kubernetes user discussion and Q&A
Maybe Google's internal load balancing (https://cloud.google.com/kubernetes-engine/docs/how-to/internal-load-balancing) can help you. They support white-listing IP ranges through the Service's "loadBalancerSourceRanges" parameter.
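As an added illustration of the setup Timo describes (not a manifest from this thread or from the GKE docs), the following shows the exposed-to-everyone Service the original poster ended up with next to the internal-load-balancer variant with a source whitelist. It assumes a Deployment labelled `app: jenkins` listening on 8080, and uses 10.0.0.0/8 as a placeholder for the one network that should be allowed in.

```yaml
# Added example, not the thread's own configuration. Assumed: a Deployment
# with label app: jenkins serving on port 8080; 10.0.0.0/8 is a placeholder
# for the single network that should be allowed to reach Jenkins.
#
# --- Weak setting: what the original poster described ---
# A plain LoadBalancer Service on GKE receives a public external IP and,
# without loadBalancerSourceRanges, accepts connections from any source.
apiVersion: v1
kind: Service
metadata:
  name: jenkins-public          # reachable from anywhere on the internet
spec:
  type: LoadBalancer
  selector:
    app: jenkins
  ports:
  - port: 80
    targetPort: 8080
---
# --- Corrected setting: internal load balancer + source whitelist ---
# The annotation asks GKE for an internal load balancer, so the Service only
# gets an address inside the VPC. loadBalancerSourceRanges additionally
# limits which client CIDRs may connect; GKE turns this into the firewall
# rules for you, so none have to be written by hand.
apiVersion: v1
kind: Service
metadata:
  name: jenkins-internal
  annotations:
    cloud.google.com/load-balancer-type: "Internal"
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 10.0.0.0/8                  # placeholder: the one network allowed in
  selector:
    app: jenkins
  ports:
  - port: 80
    targetPort: 8080
```

Neither manifest touches egress, so the Jenkins pod keeps whatever outbound internet access the cluster's nodes already have; after applying the second one, `kubectl get svc jenkins-internal` should show an EXTERNAL-IP inside your VPC range rather than a public address.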