I am working with the GKE Gateway API (gatewayClassName: gke-l7-rilb), which created a firewall rule opening a wide range of ports (tcp:0-65535). Although access to the ports is limited to the Google ranges for load balancers as well as any proxy subnet range, I wanted to limit the ports instead of opening all of them.
Going over the official docs (this too) did not help me. Can anyone please help me identify how I can control which ports are opened, or whether I can stop the Gateway API from creating this firewall rule and create a custom rule on my own? Any help in this regard is very much appreciated.
I am aware of this Warning: Do not modify or delete firewall rules created by GKE, or you might encounter unexpected behaviour in your clusters.
So I just created a Deny rule for now as a hack, but there should be a better solution with positive permission rules.
As mentioned in the GCC forum, we cannot modify the firewall rules managed by GKE directly, but we can create our own custom firewall rules that allow us to control which ports are open and which IP ranges are allowed.
As you require, this provides fine-grained control over the network ports. You can keep the auto-created GKE firewall rules as they are and create your own custom firewall rule with a firewall priority that makes the custom rule overrule the firewall rules created by GKE.
Refer to this official GCP firewall priority document to learn more about how firewall priority works and how to change it according to your requirements.
Example steps are as follows:
Navigate to the VPC > Firewall Rule
Click Create Firewall Rule
Mention the Network in which the GKE cluster is created
Set the Priority to a lower number than the auto-generated firewall rule (e.g. 990) so that it takes precedence over the auto-generated rules
Enter the Ports and IP Ranges as per your requirement
Save the rules.
Refer to this official GCP document on VPC firewall rule creation for more detailed information.
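The same steps expressed as gcloud commands, as an added example that is not part of the answer above or of any GKE documentation. The network name, node tag, proxy-only subnet CIDR and port list are placeholders (assumptions), and 130.211.0.0/22 and 35.191.0.0/16 are the well-known Google load-balancer/health-check ranges. Because an ALLOW rule only grants permission, a narrow ALLOW at priority 990 on its own leaves the other ports matching the GKE-managed ALLOW at priority 1000; the script therefore pairs it with a DENY rule at priority 995 for the remaining TCP ports from the same sources, which is the positive-permission version of the Deny-rule hack the question mentions. By default the script only prints the commands (DRY_RUN=1) so they can be reviewed first.

```shell
#!/usr/bin/env bash
# Added example: build (and optionally run) the two VPC firewall rules that
# narrow the ports opened by the GKE-managed rule. All values below are
# assumptions/placeholders; substitute your own.
set -eu

NETWORK="${NETWORK:-my-vpc}"                  # assumed VPC name
NODE_TAG="${NODE_TAG:-gke-my-cluster-node}"   # assumed GKE node network tag
# Assumed sources: Google LB/health-check ranges plus a placeholder
# proxy-only subnet CIDR for the regional internal load balancer.
SOURCES="${SOURCES:-130.211.0.0/22,35.191.0.0/16,10.129.0.0/23}"
PORTS="${PORTS:-8080,8443}"                   # assumed backend ports to keep open
GKE_RULE_PRIORITY=1000                        # priority GKE gives its own rules
ALLOW_PRIORITY="${ALLOW_PRIORITY:-990}"
DENY_PRIORITY="${DENY_PRIORITY:-995}"

# "8080,8443" -> "tcp:8080,tcp:8443" (the form gcloud --rules expects)
tcp_rules() {
  old_ifs=$IFS; IFS=','; set -- $1; IFS=$old_ifs
  out=""
  for p in "$@"; do out="${out:+$out,}tcp:$p"; done
  printf '%s' "$out"
}

# Print the gcloud command for the narrow ALLOW rule.
allow_rule_cmd() {
  name=$1; priority=$2; ports=$3
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --priority=%s --action=ALLOW --rules=%s --source-ranges=%s --target-tags=%s\n' \
    "$name" "$NETWORK" "$priority" "$(tcp_rules "$ports")" "$SOURCES" "$NODE_TAG"
}

# Print the gcloud command for the DENY rule that catches every other TCP port
# from the same sources before the GKE rule at priority 1000 can allow it.
deny_rule_cmd() {
  name=$1; priority=$2
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --priority=%s --action=DENY --rules=tcp:0-65535 --source-ranges=%s --target-tags=%s\n' \
    "$name" "$NETWORK" "$priority" "$SOURCES" "$NODE_TAG"
}

# Lower number = evaluated first: ALLOW must beat DENY, and DENY must beat
# the GKE-managed rule.
priorities_ok() {
  allow=$1; deny=$2
  [ "$allow" -lt "$deny" ] && [ "$deny" -lt "$GKE_RULE_PRIORITY" ]
}

main() {
  priorities_ok "$ALLOW_PRIORITY" "$DENY_PRIORITY" || { echo "bad priorities" >&2; return 1; }
  allow_cmd=$(allow_rule_cmd allow-gke-lb-ports "$ALLOW_PRIORITY" "$PORTS")
  deny_cmd=$(deny_rule_cmd deny-gke-lb-other-ports "$DENY_PRIORITY")
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n%s\n' "$allow_cmd" "$deny_cmd"   # review before running
  else
    eval "$allow_cmd"
    eval "$deny_cmd"
  fi
}
main
```

Run with `DRY_RUN=0` once the printed commands look right. Verify afterwards with `gcloud compute firewall-rules list --filter="network:my-vpc"` and confirm that the two custom rules sort above the GKE-managed rule by priority; the GKE rule itself stays untouched, which keeps you clear of the warning about modifying GKE-created rules.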