
Firewall change required by network admin #584

Closed
JBodkin-LH opened this issue Dec 17, 2018 · 4 comments

Comments


JBodkin-LH commented Dec 17, 2018

When adding either an internal load balancer (service) or external load balancer (ingress), the events mention that a firewall change needs to be made manually when using a shared vpc. Would it be possible to add the ability to configure the firewall rules in a shared vpc?

Events:
  Type    Reason                    Age   From                Message
  ----    ------                    ----  ----                -------
  Normal  EnsuringLoadBalancer      17m   service-controller  Ensuring load balancer
  Normal  LoadBalancerManualChange  17m   gce-cloudprovider   Firewall change required by network admin: `gcloud compute firewall-rules create a8a48ebdf020011e9bba242010a9a001 --network xxx --description "{\"kubernetes.io/service-name\":\"xxx\", \"kubernetes.io/service-ip\":\"x.x.x.x\"}" --allow tcp:3306 --source-ranges x.x.x.x/16 --target-tags xxx --project xxx`
  Normal  EnsuredLoadBalancer       17m   service-controller  Ensured load balancer
  Normal  UpdatedLoadBalancer       6m    service-controller  Updated load balancer with new hosts

I gave the service account permissions in the parent project to give network and compute admin. I'm successfully able to run the above command inside a pod running in the cluster with gcloud installed.

Cluster Version: 1.11.3-gke.18
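The event in the issue carries the exact `gcloud compute firewall-rules create` command the cloud provider wants a network admin to run in the host project. As an added example (not code from the ingress-gce project), the following parses that message into its flags so the rule can be reviewed, and flags the properties a network admin would want to check before applying it: a source range of `0.0.0.0/0`, an `--allow` entry without a port, or a rule with no target tags or target service accounts. The sample event is constructed from the redacted one above; the network, tag, service and IP values are made-up placeholders.

```python
import ipaddress
import json
import re
import shlex

# Constructed sample of the LoadBalancerManualChange event message from the issue,
# with the redacted "xxx" / "x.x.x.x" values replaced by made-up placeholders.
SAMPLE_EVENT = (
    "Firewall change required by network admin: `gcloud compute firewall-rules create "
    "a8a48ebdf020011e9bba242010a9a001 --network shared-vpc-net "
    '--description "{\\"kubernetes.io/service-name\\":\\"default/mysql\\", '
    '\\"kubernetes.io/service-ip\\":\\"10.0.0.5\\"}" '
    "--allow tcp:3306 --source-ranges 10.10.0.0/16 --target-tags gke-node "
    "--project host-project`"
)


def extract_command(message):
    """Return the backtick-quoted gcloud command embedded in the event message."""
    match = re.search(r"`([^`]+)`", message)
    return match.group(1) if match else None


def parse_firewall_command(command):
    """Turn `gcloud compute firewall-rules create NAME --flag value ...` into a dict.

    Flags are stored without the leading dashes; both `--flag value` and
    `--flag=value` forms are accepted. The --description JSON is decoded.
    """
    argv = shlex.split(command)
    if argv[:4] != ["gcloud", "compute", "firewall-rules", "create"] or len(argv) < 5:
        raise ValueError("not a firewall-rules create command")
    rule = {"name": argv[4]}
    i = 5
    while i < len(argv):
        token = argv[i]
        if not token.startswith("--"):
            raise ValueError(f"unexpected positional argument {token!r}")
        key = token[2:]
        if "=" in key:
            key, value = key.split("=", 1)
        else:
            i += 1
            if i >= len(argv):
                raise ValueError(f"flag --{key} has no value")
            value = argv[i]
        rule[key] = value
        i += 1
    if "description" in rule:
        rule["description"] = json.loads(rule["description"])
    return rule


def review_rule(rule):
    """Return the findings a network admin should look at before applying the rule."""
    findings = []
    for cidr in rule.get("source-ranges", "").split(","):
        cidr = cidr.strip()
        if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"source range {cidr} admits traffic from any address")
    for entry in rule.get("allow", "").split(","):
        entry = entry.strip()
        if entry and ":" not in entry:
            findings.append(f"allow {entry!r} opens every port of that protocol")
    if "target-tags" not in rule and "target-service-accounts" not in rule:
        findings.append("no target tags or service accounts: rule applies to every instance in the network")
    return findings


if __name__ == "__main__":
    parsed = parse_firewall_command(extract_command(SAMPLE_EVENT))
    print(json.dumps(parsed, indent=2))
    print("findings:", review_rule(parsed) or "none")
```

Feeding it the messages of `kubectl get events` (or the output of `kubectl describe service`) gives a reviewable list of pending rules instead of a one-line event that is easy to miss; the sample rule above is scoped to one port, one /16 and one tag, so it yields no findings.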

@rramkumar1
Contributor

rramkumar1 commented Jan 8, 2019

@JBodkin-LH I'm not sure what the ask is here? The Ingress-GCE controller does not have permissions to configure a firewall rule in the project containing the shared VPC (i.e. host project). This is why it needs to be done manually.

@JBodkin-LH
Author

I've found out the cause of the issue here. I was adding the service account that was tied to the node pool (by default, the compute service account). I didn't notice there was a separate service account for the Kubernetes Engine Service Agent. After changing the permissions on the Shared VPC Project to the Kubernetes Engine Service Agent, the ingress was able to create the firewall rules automatically.

@imranzunzani

> I've found out the cause of the issue here. I was adding the service account that was tied to the node pool (by default, the compute service account). I didn't notice there was a separate service account for the Kubernetes Engine Service Agent. After changing the permissions on the Shared VPC Project to the Kubernetes Engine Service Agent, the ingress was able to create the firewall rules automatically.

Does this role have to be roles/compute.securityAdmin?
It doesn't seem to work with a custom role!
There are many permissions which would not be good to grant as the compute.securityAdmin.
Could anyone please confirm the minimum permissions that would suffice?

@prameshj
Contributor

prameshj commented Feb 4, 2020

Yes, this should be security admin. Fixing it in #1016
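The root cause reported earlier in the thread was that the role had been granted on the host project to the node pool's service account rather than to the Kubernetes Engine Service Agent, and the maintainer confirms the role should be `roles/compute.securityAdmin`. As an added example (not code from the ingress-gce project), the following takes a host-project IAM policy in the JSON shape `gcloud projects get-iam-policy HOST_PROJECT --format=json` prints and reports whether the service agent of a given service project holds that role, whether it was bound to the Compute Engine default service account instead, or whether it is absent. The service agent e-mail format `service-PROJECT_NUMBER@container-engine-robot.iam.gserviceaccount.com` and the default compute service account format are Google Cloud's documented forms; the project number and the sample policy are constructed placeholders.

```python
import json

COMPUTE_SECURITY_ADMIN = "roles/compute.securityAdmin"


def gke_service_agent(project_number):
    """IAM member string of the Kubernetes Engine Service Agent of a service project."""
    return f"serviceAccount:service-{project_number}@container-engine-robot.iam.gserviceaccount.com"


def compute_default_sa(project_number):
    """IAM member string of the Compute Engine default service account (the node pool default)."""
    return f"serviceAccount:{project_number}-compute@developer.gserviceaccount.com"


def roles_for_member(policy, member):
    """Collect the roles a member holds in an IAM policy, ignoring conditional bindings."""
    roles = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue  # a conditional grant may not apply at runtime; do not count it as held
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def diagnose(host_policy, service_project_number):
    """Classify the host-project policy: 'ok', 'misplaced' (role on the node SA only) or 'missing'."""
    agent_roles = roles_for_member(host_policy, gke_service_agent(service_project_number))
    node_roles = roles_for_member(host_policy, compute_default_sa(service_project_number))
    if COMPUTE_SECURITY_ADMIN in agent_roles:
        return "ok"
    if COMPUTE_SECURITY_ADMIN in node_roles:
        return "misplaced"
    return "missing"


def grant(policy, member, role):
    """Return a copy of the policy with member added to the unconditional binding for role."""
    fixed = json.loads(json.dumps(policy))
    for binding in fixed["bindings"]:
        if binding["role"] == role and not binding.get("condition"):
            if member not in binding["members"]:
                binding["members"].append(member)
            return fixed
    fixed["bindings"].append({"role": role, "members": [member]})
    return fixed


# Constructed host-project policy (project number 123456789012 is a placeholder) that
# reproduces the mistake in the issue: the role is bound to the node pool's service
# account rather than to the GKE service agent.
MISPLACED_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.networkAdmin",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/compute.securityAdmin",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
  ],
  "etag": "BwXconstructed=",
  "version": 1
}
""")


if __name__ == "__main__":
    print(diagnose(MISPLACED_POLICY, "123456789012"))
    fixed = grant(MISPLACED_POLICY, gke_service_agent("123456789012"), COMPUTE_SECURITY_ADMIN)
    print(diagnose(fixed, "123456789012"))
```

The "misplaced" verdict is the one worth acting on: the node pool's account then holds firewall-editing rights on the host project that nothing in the controller needs, while the principal that actually creates the rules still lacks them, which is exactly the combination reported in this issue.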
