I have two projects on GCP
Project-A
Project-B
I have kubernetes cluster running on Project-A, whose nodes are autoscaled depending on usage. Hence there is no way of knowing (I guess) what IPs the nodes will be assigned to, since the nodes themselves are dynamic.
I want to whitelist all the nodes of this cluster in Project-A in Project-B's firewall rules.
But the constraint is:
Is this possible to do?
I want to whitelist all the nodes of this cluster in Project-A in Project-B's firewall rules.
No, you cannot do it neither by whitelisting their IP addresses (as there is no way to know them in advance) nor by using network tags (which work within one project).
In theory you can assign your GKE nodes with static IP addresses. You can see this option in the console when you go to: Networking -> VPC Network -> External IP addresses. You can change the IP of each node from Ephemeral to Static but it will work only for some time. Every time the node is recreated due to auto-repair or auto-upgrade (typically you don't want to disable those features in your nodepool), it will be assigned with new ephemeral IP and the static one will remain unused.
But all this doesn't apply to your case anyway as you use autoscaling feature and currently there is no way to make it assign to newly created nodes, let's say, only IP addresses from certain reserved pool.
You can use Cloud NAT instead and whitelist only NAT Gateway IP address in Project-B's firewall rules. Take a look at this answer.
