
GKE node pool tags and firewall rules


I have a GCP project with:

  • VPC:
    • subnet0: cidr 10.1.0.0/24
    • subnet1: cidr 10.2.0.0/24
  • GKE cluster in the subnet0 subnet and:
    • pods cidr: 172.16.0.0/18
    • service cidr: 172.16.64.0/20
    • node pool tags: gke-pool
  • a VM instance in the subnet1 subnet and tags agent

I would like to create a firewall rule that would allow pods in the GKE cluster to connect to the VM, so I have created the following firewall rule:

  • network: VPC
  • direction: INGRESS
  • source tags: gke-pool
  • target tags: agent
  • port: 80/tcp

But it does not work.

Instead, if I set the source range to the pods CIDR (172.16.0.0/18), it works.

Any suggestions?


Solution

  • That's because you are using a VPC-native cluster. VPC-native clusters are the default mode and they make the Pod IPs visible in the VPC. This means that when a Pod talks to a destination on the VPC, the IP of the Pod is NOT source-NATed behind the node IP.

    You have two options:

    • Use the Pod CIDR in your firewall rule, as you mentioned.
    • Use the ip-masq-agent to hide the Pod IPs behind the node IPs.
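Both options from the answer, written out against the CIDRs in the question, as an added example that is not part of the original question or answer. It assumes the VPC network is named `vpc`, the firewall rule name is made up, and the ip-masq-agent DaemonSet already runs in `kube-system`; the second option only takes effect once subnet1 (10.2.0.0/24) is no longer covered by the agent's `nonMasqueradeCIDRs`, which by default include all of 10.0.0.0/8.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answer.
# Assumed: the VPC network is named "vpc", the rule name is made up, and the
# ip-masq-agent DaemonSet already runs in kube-system. Set DRY_RUN=1 to print
# the gcloud/kubectl commands instead of running them.
set -eu

NETWORK="vpc"
POD_CIDR="172.16.0.0/18"     # from the question
SVC_CIDR="172.16.64.0/20"    # from the question
NODE_SUBNET="10.1.0.0/24"    # subnet0, where the nodes live

# Option 1: keep Pod IPs visible and write the rule against what the VM
# actually sees. In a VPC-native cluster the packet source is the Pod IP,
# so a source tag on the nodes never matches; the Pod CIDR does.
firewall_rule_pod_cidr() {
  ${DRY_RUN:+echo} gcloud compute firewall-rules create allow-gke-pods-to-agent \
    --network="$NETWORK" --direction=INGRESS \
    --source-ranges="$POD_CIDR" --target-tags=agent --allow=tcp:80
}

# Option 2: masquerade Pod traffic behind the node IP so the original
# source-tag rule (gke-pool -> agent) matches. The agent's default
# nonMasqueradeCIDRs cover all of 10.0.0.0/8, which includes subnet1
# (10.2.0.0/24), so the VM would still see Pod IPs; the list is narrowed
# to the ranges that should keep reaching Pods directly.
ipmasq_configmap() {
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: ip-masq-agent
  namespace: kube-system
data:
  config: |
    nonMasqueradeCIDRs:
      - $POD_CIDR
      - $SVC_CIDR
      - $NODE_SUBNET
    masqLinkLocal: false
    resyncInterval: 60s
EOF
}

apply_ipmasq_config() {
  ipmasq_configmap | ${DRY_RUN:+echo} kubectl apply -f -
}
```

After option 2 is applied, the VM sees traffic from the node IPs, so the question's original rule with source tag gke-pool and target tag agent matches.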