GoogleCloudPlatform / terraform-example-foundation-app

https://registry.terraform.io/modules/GoogleCloudPlatform/terraform-example-foundation-app/google
Apache License 2.0

Firewall is missing for mci #47

Closed dkassab closed 3 years ago

dkassab commented 3 years ago

We need a firewall rule to allow health checks to pass from the Cloud Load Balancing to container workloads:

https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-ingress-setup#shared_vpc_deployment

daniel-cit commented 3 years ago

Hi @dkassab, there is a firewall rule in the foundation to allow traffic from the load balancers.

It requires turning on the flag optional_fw_rules_enabled in step 3-networks and adding the tag allow-lb to the GCE instances:

https://github.com/terraform-google-modules/terraform-example-foundation/blob/ee04cb5c2f4fc3b96ab7881251cf5c0e565a3a3b/3-networks/modules/restricted_shared_vpc/firewall.tf#L133

```hcl
resource "google_compute_firewall" "allow_lb" {
  count   = var.optional_fw_rules_enabled ? 1 : 0
  name    = "fw-${var.environment_code}-shared-restricted-1000-i-a-all-allow-lb-tcp-80-8080-443"
  network = module.main.network_name
  project = var.project_id

  dynamic "log_config" {
    for_each = var.firewall_enable_logging == true ? [{
      metadata = "INCLUDE_ALL_METADATA"
    }] : []

    content {
      metadata = log_config.value.metadata
    }
  }

  source_ranges = concat(data.google_netblock_ip_ranges.health_checkers.cidr_blocks_ipv4, data.google_netblock_ip_ranges.legacy_health_checkers.cidr_blocks_ipv4)

  // Allow common app ports by default.
  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "443"]
  }

  target_tags = ["allow-lb"]
}
```

rutalreja-deloitte commented 3 years ago

Hi @dkassab and @daniel-cit. Does only the mci cluster need the tag, or do all clusters need it? The tag "allow-lb" can be added here for all clusters, and here for the bastion host.

dkassab commented 3 years ago

We just need it on the GKE clusters
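Putting the two halves of the thread together (the foundation's allow_lb rule is keyed on the network tag allow-lb, and the answer above is that only the GKE clusters need it), the following is an added example of a GKE node pool carrying that tag. It is not code from this repository or from terraform-example-foundation; the cluster name, region, machine type and the variable names are assumptions, and the rule itself still only exists when optional_fw_rules_enabled is set in step 3-networks.

```hcl
# Added example, not part of this repo: attach the "allow-lb" network tag to
# GKE nodes so the foundation's optional allow_lb firewall rule (health-checker
# source ranges only, TCP 80/8080/443) applies to them. Names are assumptions.

variable "project_id" {
  type = string
}

variable "network" {
  type        = string
  description = "Self link of the Shared VPC network (assumed variable)"
}

variable "subnetwork" {
  type        = string
  description = "Self link of the subnet the nodes live in (assumed variable)"
}

resource "google_container_cluster" "mci" {
  name       = "mci-cluster" # assumed name
  location   = "us-central1" # assumed region
  project    = var.project_id
  network    = var.network
  subnetwork = var.subnetwork

  # The default pool is removed so tags are managed on an explicit pool below.
  remove_default_node_pool = true
  initial_node_count       = 1
}

resource "google_container_node_pool" "default" {
  name       = "default-pool"
  project    = var.project_id
  location   = google_container_cluster.mci.location
  cluster    = google_container_cluster.mci.name
  node_count = 1

  node_config {
    machine_type = "e2-standard-4" # assumed

    # Must match target_tags in the foundation's allow_lb rule; without it the
    # health checks from Cloud Load Balancing are denied by the default ingress
    # deny and MCI backends never become healthy.
    tags = ["allow-lb"]
  }
}
```

Because the tag is applied in node_config, every node in the pool (and any autoscaled replacement) picks it up, which is why the tag belongs on the GKE node pools rather than on individual instances or the bastion host. The rule stays scoped to Google's published health-checker ranges, so tagging the nodes does not expose those ports to the internet.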