Use network tags to apply firewall rules to nodes

This page shows you how to dynamically apply network tags to nodes in your Google Kubernetes Engine (GKE) Autopilot and Standard clusters without disrupting running workloads.

Overview

Network tags are metadata on Compute Engine virtual machines (VMs) that allow you to make firewall rules and routes applicable to specific VM instances. In GKE, you can use network tags to make firewall rules or routes applicable to the nodes in your cluster.

You can use the GKE API to apply and update network tags on your Autopilot and Standard clusters without disrupting running workloads. Network tags that you specify are also applied to any new nodes that Autopilot provisions, and to new node pools that node auto-provisioning provisions in your Standard clusters.

Command-line options for applying network tags

The following table describes the flags that you can specify using the Google Cloud CLI to apply network tags to your clusters, as well as their use cases.

Flag: --autoprovisioning-network-tags
  Mode of operation: Autopilot, Standard
  Level: Cluster
  Description: Applies the specified network tags to all Autopilot nodes and to all auto-provisioned Standard node pools.

Flag: --tags
  Mode of operation: Standard
  Level: Node pool
  Description: Manually applies network tags to specific Standard node pools.

Requirements

Your clusters must run GKE version 1.23.2-gke.300 or later to apply network tags to Autopilot clusters or to auto-provisioned Standard node pools using --autoprovisioning-network-tags.

Limitations

Using --autoprovisioning-network-tags prevents you from using --tags to update the network tags for auto-provisioned Standard node pools.

We recommend that you use --autoprovisioning-network-tags for auto-provisioned node pools, and that you use --tags only for manually created node pools.

Before you begin

Before you start, make sure you have performed the following tasks:

  • Ensure that you have enabled the Google Kubernetes Engine API.
  • Ensure that you have installed the Google Cloud CLI.
  • Set up default Google Cloud CLI settings for your project by using one of the following methods:
    • Use gcloud init if you want to be walked through setting project defaults.
    • Use gcloud config to individually set your project ID, zone, and region.

    gcloud init

    1. Run gcloud init and follow the directions:

      gcloud init

      If you are using SSH on a remote server, use the --console-only flag to prevent the command from launching a browser:

      gcloud init --console-only
    2. Follow the instructions to authorize the gcloud CLI to use your Google Cloud account.
    3. Create a new configuration or select an existing one.
    4. Choose a Google Cloud project.
    5. Choose a default Compute Engine zone.
    6. Choose a default Compute Engine region.

    gcloud config

    1. Set your default project ID:
      gcloud config set project PROJECT_ID
    2. Set your default Compute Engine region (for example, us-central1):
      gcloud config set compute/region COMPUTE_REGION
    3. Set your default Compute Engine zone (for example, us-central1-c):
      gcloud config set compute/zone COMPUTE_ZONE
    4. Update gcloud to the latest version:
      gcloud components update

    By setting default locations, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location.

Add network tags to new clusters

You can add network tags when you create a new Autopilot cluster or a new Standard cluster. For Standard, you can also specify network tags specifically for node auto-provisioning to use.

Autopilot

Run the following command:

gcloud container clusters create-auto CLUSTER_NAME \
    --region=COMPUTE_REGION \
    --autoprovisioning-network-tags=TAG1,TAG2,...

Replace the following:

  • CLUSTER_NAME: the name of your new Autopilot cluster.
  • COMPUTE_REGION: the Compute Engine region for your new cluster.
  • TAG1, TAG2, ...: a comma-separated list of the network tags you want to apply.

Standard

Apply network tags to the default node pool

Run the following command to create a new Standard cluster and apply network tags to the default node pool:

gcloud container clusters create CLUSTER_NAME \
    --region=COMPUTE_REGION \
    --tags=NETWORK_TAG1,NETWORK_TAG2,...

Replace the following:

  • CLUSTER_NAME: the name of your new Standard cluster.
  • COMPUTE_REGION: the Compute Engine region for your new cluster.
  • NETWORK_TAG1, NETWORK_TAG2, ...: a comma-separated list of the network tags that you want to apply.

Apply network tags to auto-provisioned node pools

You can automatically apply network tags to all node pools that are created by node auto-provisioning.

Run the following command:

gcloud container clusters create CLUSTER_NAME \
    --region=COMPUTE_REGION \
    --enable-autoprovisioning \
    --autoprovisioning-network-tags=TAG1,TAG2,...

Replace TAG1, TAG2, ... with a comma-separated list (no spaces) of the network tags that you want applied to all auto-provisioned node pools.
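The following is an added example script; it is not part of the GKE documentation or of the gcloud CLI. It wraps the cluster-creation command from this page in a POSIX shell script that validates each tag against Compute Engine's tag naming rules (1 to 63 characters, lowercase letters, digits and hyphens, starting with a letter and not ending with a hyphen), strips the spaces that would otherwise make the shell split the tag list into separate arguments, creates the firewall rule that actually consumes the tag (a tag on its own grants nothing until a rule references it with --target-tags), and lists the node VMs that carry the tag as a post-change check. The cluster, network, tag and rule names and the source range are constructed placeholders. With DRY_RUN=1 (the default) the script prints the gcloud command lines instead of executing them, so it runs without a project or a gcloud installation.

```shell
#!/bin/sh
# Added example (not from the GKE documentation or the gcloud CLI): validate a
# network tag list, create a tagged Autopilot cluster, attach a firewall rule
# to the tag and verify which node VMs carry it. All names below are
# constructed placeholders. DRY_RUN=1 (default) prints commands instead of
# running them, so the script works with no gcloud installation or project.
set -e

DRY_RUN="${DRY_RUN:-1}"

# Print the command line in a dry run, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Compute Engine network tags are RFC 1035 labels: 1-63 characters, lowercase
# letters, digits and hyphens, starting with a letter and not ending in a
# hyphen. Returns 0 for a valid tag, 1 otherwise.
validate_tag() {
  [ "${#1}" -le 63 ] || return 1
  printf '%s\n' "$1" | grep -Eq '^[a-z]([-a-z0-9]*[a-z0-9])?$'
}

# gcloud list flags take comma-separated values with no spaces. A value like
# "tag-a, tag-b" written unquoted is split by the shell, and "tag-b" becomes a
# stray positional argument. Strip whitespace, drop empty fields, validate
# each tag and print the cleaned list; returns 1 on the first invalid tag.
normalize_tags() {
  out=""
  old_ifs="$IFS"
  IFS=','
  set -- $1
  IFS="$old_ifs"
  for tag in "$@"; do
    tag="$(printf '%s' "$tag" | tr -d '[:space:]')"
    [ -n "$tag" ] || continue
    validate_tag "$tag" || { echo "invalid network tag: '$tag'" >&2; return 1; }
    out="${out:+$out,}$tag"
  done
  [ -n "$out" ] || return 1
  printf '%s' "$out"
}

# Create an Autopilot cluster whose nodes receive the tags (cluster-level flag
# from this page; the tags also land on nodes Autopilot provisions later).
create_autopilot_with_tags() {
  tags="$(normalize_tags "$3")"
  run gcloud container clusters create-auto "$1" \
    --region="$2" \
    --autoprovisioning-network-tags="$tags"
}

# The tag itself grants nothing; a firewall rule has to reference it through
# --target-tags. This rule admits one TCP port from a single source range
# (constructed RFC 1918 range) to the tagged nodes only.
allow_to_tagged_nodes() {
  network="$1"; tag="$2"; port="$3"; source="$4"
  validate_tag "$tag"
  run gcloud compute firewall-rules create "allow-${port}-to-${tag}" \
    --network="$network" \
    --direction=INGRESS \
    --action=ALLOW \
    --rules="tcp:${port}" \
    --source-ranges="$source" \
    --target-tags="$tag"
}

# Post-change check: list the node VMs that actually carry the tag, so a rule
# scoped to the tag can be confirmed to apply where intended.
list_nodes_with_tag() {
  run gcloud compute instances list \
    --filter="tags.items=$1" \
    --format="value(name,zone)"
}

main() {
  create_autopilot_with_tags example-cluster us-central1 "gke-web-node, gke-ssh-bastion"
  allow_to_tagged_nodes default gke-web-node 8443 10.10.0.0/16
  list_nodes_with_tag gke-web-node
}

main "$@"
```

Review the printed command lines first; set DRY_RUN=0 to execute them against a project where you have the required permissions. The same normalize_tags helper applies to the Standard variants of the command, since --tags and --autoprovisioning-network-tags take the same list syntax.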

Update network tags on existing clusters

You can update the network tags on existing Autopilot and Standard clusters.

Autopilot

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --autoprovisioning-network-tags=TAG1,TAG2,...

Standard

Update network tags on specific node pools

Run the following command to update the network tags on a specific Standard node pool. You cannot use this command to update auto-provisioned node pools if you used --autoprovisioning-network-tags.

gcloud container node-pools update NODE_POOL_NAME \
    --cluster=CLUSTER_NAME \
    --tags=NETWORK_TAG1,NETWORK_TAG2,...

If --autoprovisioning-network-tags is set for the cluster, this command returns an error.
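The following added example (not documentation or gcloud code) applies the rule stated above: it reads the cluster's auto-provisioning tags, sends the change to the cluster-level flag when they exist, because a node-pools update with --tags is rejected in that state, and to the node pool otherwise, then compares the tags gcloud reports back with the intended list so that drift after an update is caught. The describe field paths (nodePoolAutoConfig.networkTags.tags on the cluster and config.tags on the node pool) and the semicolon-separated rendering of list fields by the value() format are assumptions about gcloud output; --region is passed explicitly rather than relying on gcloud config defaults; cluster, pool and tag names are constructed. DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the GKE documentation or the gcloud CLI): route a
# network tag change on a Standard cluster to the flag that will be accepted,
# then verify the result. Field paths and list formatting are assumptions about
# gcloud output; names are constructed placeholders. DRY_RUN=1 (default) prints
# the commands instead of executing them.
set -e

DRY_RUN="${DRY_RUN:-1}"

# Print the command line in a dry run, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read the cluster-level auto-provisioning tags. Empty output means
# --autoprovisioning-network-tags is not set, so per-node-pool --tags updates
# are allowed. (The field path is an assumption.)
cluster_autoprov_tags() {
  run gcloud container clusters describe "$1" --region="$2" \
    --format="value(nodePoolAutoConfig.networkTags.tags)"
}

# Decide which update command to issue. $5 is the current cluster-level
# auto-provisioning tag list, passed in so the decision can be tested without
# gcloud. Non-empty: update at cluster level, because node-pools update --tags
# returns an error in that state. Empty: update the one node pool.
update_pool_tags() {
  cluster="$1"; region="$2"; pool="$3"; new_tags="$4"; current_autoprov="$5"
  if [ -n "$current_autoprov" ]; then
    run gcloud container clusters update "$cluster" --region="$region" \
      --autoprovisioning-network-tags="$new_tags"
  else
    run gcloud container node-pools update "$pool" --cluster="$cluster" \
      --region="$region" --tags="$new_tags"
  fi
}

# Read back the tags on a node pool for a drift check after the update.
# (The field path is an assumption.)
pool_tags() {
  run gcloud container node-pools describe "$1" --cluster="$2" --region="$3" \
    --format="value(config.tags)"
}

# Compare the intended comma-separated list with what gcloud reports
# (value() is assumed to render repeated fields separated by ';'), ignoring
# order. Returns 0 when the two sets are identical.
tags_match() {
  want="$(printf '%s\n' "$1" | tr ',' '\n' | sort -u)"
  have="$(printf '%s\n' "$2" | tr ';' '\n' | sort -u)"
  [ "$want" = "$have" ]
}

main() {
  # Step 1: inspect the cluster (prints the describe command in a dry run).
  cluster_autoprov_tags example-cluster us-central1
  # Step 2: both branches, with constructed describe outputs standing in for
  # the live value.
  update_pool_tags example-cluster us-central1 pool-1 gke-web-node ""
  update_pool_tags example-cluster us-central1 pool-1 gke-web-node "gke-web-node;legacy-tag"
  # Step 3: read back and compare (constructed read-back value).
  pool_tags pool-1 example-cluster us-central1
  if tags_match "gke-web-node,gke-ssh-bastion" "gke-ssh-bastion;gke-web-node"; then
    echo "node pool tags match the intended list"
  else
    echo "node pool tags drifted from the intended list" >&2
  fi
}

main "$@"
```

With DRY_RUN=0, replace the constructed fifth argument of update_pool_tags with the output of cluster_autoprov_tags, and the second argument of tags_match with the output of pool_tags, so the decision and the drift check run against the live cluster.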

Update network tags for auto-provisioned node pools

You can update the network tags that node auto-provisioning applies to new and existing auto-provisioned node pools.

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --autoprovisioning-network-tags=TAG1,TAG2,...

Add network tags to new Standard node pools

To create a new node pool in a Standard cluster with specific network tags, run the following command:

gcloud container node-pools create NODE_POOL_NAME \
    --cluster=CLUSTER_NAME \
    --tags=NETWORK_TAG1,NETWORK_TAG2,...

Replace NODE_POOL_NAME with the name of the new node pool.

Remove network tags from clusters and node pools

You can remove the network tags from GKE Autopilot and Standard clusters.

Autopilot

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --autoprovisioning-network-tags=""

Standard

Remove network tags from auto-provisioned node pools

To remove network tags from all auto-provisioned node pools, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --autoprovisioning-network-tags=""

This command also restores your ability to use the --tags option to manually specify network tags for auto-provisioned node pools.

Remove network tags from specific node pools

To remove network tags from specific node pools, run the following command:

gcloud container node-pools update NODE_POOL_NAME \
    --cluster=CLUSTER_NAME \
    --tags=""

What's next