Kubernetes Network Policy - allow Google managed services

My Setup

I have GKE cluster with network policy enabled.

I have a network policy to block all ingress and egress:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all-traffic
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress

In my cluster I have multiple deployments that use Google managed services such as Pub/Sub and Datastore.

I want to allow those connections.

Suggested Solution

The only way I found to do this is by getting all of Google's IPs and allowing all of them. An example of how to get those can be found here: https://gist.github.com/n0531m/f3714f6ad6ef738a3b0a

This is problematic for two main reasons:

  1. If those IPs change, then my cluster will fail to contact Google services.
  2. Security-wise this is bad because I am allowing any Google IP here, including GCP clients, and not only the specific Google services.

My Question

How can I allow connections to these services using a network policy? What is the best practice in such a case?
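As an added example (not part of the original question or answer), this is a narrower egress allow-list to layer on top of the default-deny policy above. It assumes GKE NetworkPolicy enforcement, Private Google Access configured so that *.googleapis.com names resolve to the private.googleapis.com range 199.36.153.8/30, a Kubernetes release that sets the kubernetes.io/metadata.name label on namespaces, and client workloads labelled app: gcp-client (a hypothetical label).

```yaml
# Added example, not from the original question or answer.
# Assumes: GKE with NetworkPolicy enforcement; Private Google Access so that
# *.googleapis.com resolves into 199.36.153.8/30 (private.googleapis.com);
# namespaces carry the kubernetes.io/metadata.name label; client pods are
# labelled app: gcp-client (hypothetical label, adjust to your deployments).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-google-apis-egress
spec:
  podSelector:
    matchLabels:
      app: gcp-client
  policyTypes:
  - Egress
  egress:
  # Name resolution must stay open: the default-deny policy also blocks the
  # DNS lookups the client libraries need for pubsub.googleapis.com etc.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Google APIs over TLS only, and only to the Private Google Access VIPs
  # instead of every published Google netblock.
  - to:
    - ipBlock:
        cidr: 199.36.153.8/30
    ports:
    - protocol: TCP
      port: 443
```

Pods without the app: gcp-client label stay fully denied by the original policy; this policy still cannot tell Pub/Sub from Datastore at the network layer, so per-service authorization has to come from IAM on the identity the pod uses.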

Solution 1:[1]

Option : 1

Ideally, you should be using a GCP service account with GKE to give the pod access.

Workload identity : https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity

Example : https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

Option : 2

You can create a service account and generate a JSON key from it. You can save this key in a Kubernetes secret and inject it into the deployment, so the deployment will have access to that specific service only, using the service account key.

Ref : https://blog.realkinetic.com/using-google-cloud-service-accounts-on-gke-e0ca4b81b9a2

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Harsh Manvar