Use network tags to apply firewall rules to nodes


This page shows you how to dynamically apply network tags to nodes in your Google Kubernetes Engine (GKE) clusters without disrupting running workloads.

About network tags

Network tags are metadata on Compute Engine virtual machines (VMs) that allow you to make firewall rules and routes applicable to specific VM instances: a VPC firewall rule or route whose target is a network tag applies to every VM that carries that tag. In GKE, you can use network tags to make VPC firewall rules or routes applicable to the nodes in your cluster, because GKE sets the tags on the node VMs.

You can use the GKE API to apply and update network tags on your GKE clusters without disrupting running workloads. Network tags that you specify are also applied to any new nodes that GKE automatically provisions.

Use Tags instead of network tags

Network tags are simple strings that aren't subject to Identity and Access Management (IAM) access controls. Anyone who can update a cluster or node pool through the GKE API can add network tags to those nodes, and with them any firewall rule or route that targets the tag.

If you use GKE version 1.28 or later, we recommend that you use Tags that have a firewall designation to enforce regional or global network firewall policies, which improve on the capabilities of VPC firewall rules.

Tags are key-value pairs that you attach to Compute Engine VMs. You can use IAM to control who can interact with specific Tags.

Command-line options for applying network tags

The following table describes the flags that you can specify using the Google Cloud CLI to apply network tags to your clusters, as well as their use cases.

Flag                             Mode of operation    Level      Description
--autoprovisioning-network-tags  Autopilot, Standard  Cluster    Applies the specified network tags to all Autopilot nodes and all auto-provisioned Standard node pools.
--tags                           Standard             Node pool  Manually applies network tags to specific Standard node pools.

Limitations

Using --autoprovisioning-network-tags prevents you from using --tags to update the network tags for auto-provisioned Standard node pools.

We recommend that you use --autoprovisioning-network-tags for auto-provisioned node pools, and that you use --tags only for manually-created node pools.

Before you begin

Before you start, make sure you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.

Add network tags to new clusters

You can add network tags when you create a new cluster.

Add network tags to new Autopilot clusters

Run the following command:

gcloud container clusters create-auto CLUSTER_NAME \
    --location=LOCATION \
    --autoprovisioning-network-tags=TAG1,TAG2,...

Replace the following:

  • CLUSTER_NAME: the name of your new Autopilot cluster.
  • LOCATION: the Compute Engine location for your new cluster.
  • TAG1,TAG2, ...: a comma-separated list of the network tags you want to apply.

Add network tags to new Standard clusters

For Standard clusters, you can apply network tags to the default node pool when you create the cluster, and you can also specify network tags for node auto-provisioning to apply to every node pool that it creates.

Apply network tags to the default node pool

Run the following command to create a new Standard cluster and apply network tags to the default node pool:

gcloud container clusters create CLUSTER_NAME \
    --location=LOCATION \
    --tags=NETWORK_TAG1,NETWORK_TAG2,...

Replace the following:

  • CLUSTER_NAME: the name of your new Standard cluster.
  • LOCATION: the Compute Engine location for your new cluster.
  • NETWORK_TAG1,NETWORK_TAG2, ...: a comma-separated list of the network tags that you want to apply.

Apply network tags to auto-provisioned node pools

You can automatically apply network tags to all node pools that are created by node auto-provisioning.

Run the following command:

gcloud container clusters create CLUSTER_NAME \
    --location=LOCATION \
    --enable-autoprovisioning \
    --autoprovisioning-network-tags=TAG1,TAG2,...

Replace TAG1,TAG2,... with a comma-separated list of network tags that you want applied to all auto-provisioned node pools.

Update network tags on existing clusters

You can update the network tags on existing clusters.

Update network tags on existing Autopilot clusters

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --autoprovisioning-network-tags=TAG1,TAG2,...

Update network tags on existing Standard clusters

Run the following command to update the network tags on a specific Standard node pool. You cannot use this command to update auto-provisioned node pools if you used --autoprovisioning-network-tags.

gcloud container node-pools update NODE_POOL_NAME \
    --cluster=CLUSTER_NAME \
    --tags=NETWORK_TAG1,NETWORK_TAG2,...

If --autoprovisioning-network-tags is set for the cluster, this command returns an error.

Update network tags for auto-provisioned node pools

You can update the network tags that node auto-provisioning applies to new and existing auto-provisioned node pools.

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --autoprovisioning-network-tags=TAG1,TAG2,...

Add network tags to new Standard node pools

To create a new node pool in a Standard cluster with specific network tags, run the following command:

gcloud container node-pools create NODE_POOL_NAME \
    --cluster=CLUSTER_NAME \
    --tags=NETWORK_TAG1,NETWORK_TAG2,...

Replace NODE_POOL_NAME with the name of the new node pool.

View existing network tags

This section shows you how to view your existing network tags.

View existing network tags in Autopilot

Run the following command:

gcloud container clusters describe CLUSTER_NAME \
    --flatten=nodePoolAutoConfig.networkTags

If the cluster has network tags, the output is similar to the following:

---
tags:
- example-tag

View existing network tags in Standard

You can view network tags in auto-provisioned node pools or in node pools that you created.

View network tags in auto-provisioned node pools

Run the following command:

gcloud container clusters describe CLUSTER_NAME \
    --flatten=nodePoolAutoConfig.networkTags

If the cluster has network tags, the output is similar to the following:

---
tags:
- example-tag

View network tags in node pools without node auto-provisioning

To view the network tags for a specific Standard node pool where you applied the tags using the --tags flag, run the following command:

gcloud container node-pools describe NODE_POOL_NAME \
    --cluster=CLUSTER_NAME \
    --format='value(config.tags)'

Replace NODE_POOL_NAME with the name of the node pool.

If the node pool has tags, the output is similar to the following:

example-tag
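The describe commands above show what the GKE API intends to apply; they don't show what is actually on the node VMs, and because network tags aren't IAM-controlled, the set on a VM can drift from the set you passed to --autoprovisioning-network-tags or --tags. The following audit script is an added example, not part of the GKE documentation. It compares each node's tags against an approved list and reports tags nobody approved (which pull in whatever firewall rule targets them) as well as approved tags a node lacks. The node names and tags are constructed sample data, and the gcloud command in the header comment assumes the goog-k8s-cluster-name label that GKE applies to its node VMs.

```shell
#!/bin/sh
# Added example, not part of the GKE documentation: audit the network tags
# actually present on a cluster's node VMs against the tag list you intended
# to apply with --autoprovisioning-network-tags or --tags.
#
# In a real run, produce the input with a command like the following
# (goog-k8s-cluster-name is the label GKE puts on its node VMs):
#
#   gcloud compute instances list \
#       --filter="labels.goog-k8s-cluster-name=CLUSTER_NAME" \
#       --format="csv[no-heading](name,tags.items.list(separator=';'))"
#
# which yields one line per node: INSTANCE_NAME,TAG1;TAG2;...
set -e

# The tags you passed to --autoprovisioning-network-tags or --tags
# (constructed example values).
EXPECTED_TAGS="gke-prod-nodes,allow-health-checks"

# Constructed sample of the gcloud output above. The first two nodes are
# clean, the third carries a tag nobody approved, the fourth is missing one.
SAMPLE_NODE_TAGS='gke-prod-default-pool-1a2b3c4d-abcd,gke-prod-nodes;allow-health-checks
gke-prod-default-pool-1a2b3c4d-efgh,allow-health-checks;gke-prod-nodes
gke-prod-nap-e2-standard-4-9f8e7d6c-ijkl,gke-prod-nodes;allow-health-checks;allow-ssh-anywhere
gke-prod-nap-e2-standard-4-9f8e7d6c-mnop,gke-prod-nodes'

# in_list NEEDLE WORD... : succeed if NEEDLE equals one of the WORDs.
in_list() {
    needle=$1
    shift
    for word in "$@"; do
        [ "$word" = "$needle" ] && return 0
    done
    return 1
}

# audit_node_tags EXPECTED_CSV < node-list
# Prints one finding per line:
#   UNEXPECTED NODE TAG   a tag on the node that is not in EXPECTED_CSV
#   MISSING    NODE TAG   an expected tag the node does not carry
# Returns 0 when every node carries exactly the expected set, 1 otherwise.
# Network tag names cannot contain commas, semicolons or whitespace, so
# splitting on those characters is safe.
audit_node_tags() {
    expected=$(printf '%s' "$1" | tr ',' ' ')
    rc=0
    while IFS=, read -r node tags; do
        [ -n "$node" ] || continue
        actual=$(printf '%s' "$tags" | tr ';' ' ')
        for tag in $actual; do
            if ! in_list "$tag" $expected; then
                printf 'UNEXPECTED %s %s\n' "$node" "$tag"
                rc=1
            fi
        done
        for tag in $expected; do
            if ! in_list "$tag" $actual; then
                printf 'MISSING %s %s\n' "$node" "$tag"
                rc=1
            fi
        done
    done
    return $rc
}

# Run the audit over the sample. The non-zero exit status is what you would
# wire into a scheduled job or CI check.
if printf '%s\n' "$SAMPLE_NODE_TAGS" | audit_node_tags "$EXPECTED_TAGS"; then
    echo "OK: every node carries exactly: $EXPECTED_TAGS"
else
    echo "DRIFT: review the findings above"
fi
```

Run the real gcloud command into a file and pipe that file into audit_node_tags in place of the sample. A MISSING finding means a firewall rule targeting that tag no longer matches the node; an UNEXPECTED finding means someone with GKE update permission (or direct Compute Engine access to the VM) widened the node's exposure, which is exactly the gap that IAM-controlled Tags with a firewall designation are meant to close.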

Remove network tags

You can remove network tags from Autopilot clusters, from all auto-provisioned Standard node pools, or from specific Standard node pools.

Remove network tags from Autopilot clusters

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --autoprovisioning-network-tags=""

Remove network tags from Standard clusters and node pools

You can remove tags from all auto-provisioned node pools or from specific node pools.

Remove network tags from auto-provisioned node pools

To remove network tags from all auto-provisioned node pools, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --autoprovisioning-network-tags=""

This command also restores your ability to use the --tags option to manually specify network tags for auto-provisioned node pools.

Remove network tags from specific node pools

To remove network tags from specific node pools, run the following command:

gcloud container node-pools update NODE_POOL_NAME \
    --cluster=CLUSTER_NAME \
    --tags=""
