Many cloud providers (e.g. Google Compute Engine) define firewalls that help prevent inadvertent exposure to the internet. When exposing a service to the external world, you may need to open up one or more ports in these firewalls to serve traffic. This document describes this process, as well as any provider specific details that may be necessary.
When using a Service with
spec.type: LoadBalancer, you can specify the IP ranges that are allowed to access the load balancer
spec.loadBalancerSourceRanges. This field takes a list of IP CIDR ranges, which Kubernetes will use to configure firewall exceptions.
This feature is currently supported on Google Compute Engine, Google Container Engine and AWS. This field will be ignored if the cloud provider does not support the feature.
Assuming 10.0.0.0/8 is the internal subnet. In the following example, a load blancer will be created that is only accessible to cluster internal ips. This will not allow clients from outside of your Kubernetes cluster to access the load blancer.
apiVersion: v1 kind: Service metadata: name: myapp spec: ports: - port: 8765 targetPort: 9376 selector: app: example type: LoadBalancer loadBalancerSourceRanges: - 10.0.0.0/8
In the following example, a load blancer will be created that is only accessible to clients with IP addresses from 126.96.36.199 and 188.8.131.52.
apiVersion: v1 kind: Service metadata: name: myapp spec: ports: - port: 8765 targetPort: 9376 selector: app: example type: LoadBalancer loadBalancerSourceRanges: - 184.108.40.206/32 - 220.127.116.11/32
When using a Service with
spec.type: LoadBalancer, the firewall will be
opened automatically. When using
spec.type: NodePort, however, the firewall
is not opened by default.
Google Compute Engine firewalls are documented elsewhere.
You can add a firewall with the
gcloud command line tool:
$ gcloud compute firewall-rules create my-rule --allow=tcp:<port>
Note There is one important security note when using firewalls on Google Compute Engine:
as of Kubernetes v1.0.0, GCE firewalls are defined per-vm, rather than per-ip address. This means that when you open a firewall for a service’s ports, anything that serves on that port on that VM’s host IP address may potentially serve traffic. Note that this is not a problem for other Kubernetes services, as they listen on IP addresses that are different than the host node’s external IP address.
Consequently, please be careful when opening firewalls in Google Compute Engine or Google Container Engine. You may accidentally be exposing other services to the wilds of the internet.
This will be fixed in an upcoming release of Kubernetes.