Limit Access to Your GKE Kubernetes Pods on Google Cloud Platform

Currently, there are 3 ways of applying GCP Firewall rules to your instances:

  • All instances in the network
  • Specified target tags
  • Specified service account

Unfortunately, none of these helps if you want a certain port of some container to be reachable by only a limited set of IPs. I had a case where a client's Prometheus, running as a Kubernetes Pod, had to be reachable by the main Prometheus instance (used for centralized monitoring) so that it could scrape Kubernetes metrics. Public access was provided by an Ingress (GCE Load Balancer), which had no option to whitelist or blacklist IPs, nor did Prometheus itself offer any sort of Basic Auth. So I simply deployed an NGINX container in my Prometheus Pod. NGINX makes it easy to allow access from certain IPs and block the rest of the world.
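The sidecar approach described above, as an added example that is not the post's own nginx-proxy-config-maps.yml or prometheus-deployment.yml (their contents are not reproduced here). It assumes Prometheus listening on 127.0.0.1:9090, the Ingress targeting the sidecar's port 9091, a central scraper at the placeholder address 203.0.113.10, and Google's documented load-balancer proxy ranges 130.211.0.0/22 and 35.191.0.0/16.

```yaml
apiVersion: v1
kind: ConfigMap
metadata: {name: nginx-proxy-config}
data:
  nginx.conf: |
    events {}
    http {
      # Behind a GCE HTTP(S) load balancer the TCP peer is a Google proxy, so take the
      # client address from X-Forwarded-For (proxy ranges as documented by GCP).
      set_real_ip_from 130.211.0.0/22;
      set_real_ip_from 35.191.0.0/16;
      real_ip_header X-Forwarded-For;
      real_ip_recursive on;
      server {
        listen 9091;
        # Health checks also arrive from the proxy ranges; serve them without the
        # allow list or the load balancer marks the backend unhealthy.
        location = /-/healthy { proxy_pass http://127.0.0.1:9090; }
        location / {
          allow 203.0.113.10;   # the central Prometheus (placeholder address)
          deny  all;            # every other client gets HTTP 403
          proxy_pass http://127.0.0.1:9090;
        }
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata: {name: prometheus}
spec:
  selector: {matchLabels: {app: prometheus}}
  template:
    metadata: {labels: {app: prometheus}}
    spec:
      containers:
      - name: prometheus
        image: prom/prometheus
        # Bind to loopback so other Pods cannot bypass the proxy via the Pod IP.
        args: ["--web.listen-address=127.0.0.1:9090"]
      - name: nginx
        image: nginx
        ports: [{containerPort: 9091}]   # the only port the Service/Ingress targets
        readinessProbe: {httpGet: {path: /-/healthy, port: 9091}}
        volumeMounts:
        - {name: nginx-conf, mountPath: /etc/nginx/nginx.conf, subPath: nginx.conf}
      volumes:
      - {name: nginx-conf, configMap: {name: nginx-proxy-config}}
```

Without the real_ip directives NGINX would see only the load balancer's address and the allow list would never match; without the loopback bind, port 9090 would still be open to any Pod in the cluster.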

nginx-proxy-config-maps.yml

prometheus-deployment.yml