The service load balancer on GCP and other clouds creates a health check to the kube-proxy health port on port 10256, and so the port needs to be exposed by the node firewall in order to set up a service load balancer.
Without this, service load balancers don't work at all.
Verified this bug with openshift-ansible-3.10.0-0.60.0.git.0.bf95bf8.el7.noarch: PASS.
[root@qe-smoke310-master-etcd-1 ~]# iptables -L -n|grep 10256
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10256
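Added example (not part of the original report or of openshift-ansible): a `grep` for 10256 shows that the rule exists but not that it is reached, so this script computes the first-match verdict for a new TCP connection to the health check port. It reads `iptables -S` style rules rather than the `-L -n` listing above; the `first_verdict` helper, the flattened single chain and the rule sets are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: first-match verdict for a NEW inbound TCP connection to a port,
# computed from `iptables -S` style rules on stdin.
# Assumptions: only -p, --dport, --state/--ctstate, -i, -s and -j are read;
# rules scoped by -i or -s are skipped; jumps to other chains are not followed.
first_verdict() {
  awk -v port="$1" '
    $1 != "-A" { next }                       # ignore -P and -N lines
    {
      proto = "all"; dport = ""; states = ""; target = ""; scoped = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") dport = $(i + 1)
        else if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
        else if ($i == "-i" || $i == "-s") scoped = 1
        else if ($i == "-j") target = $(i + 1)
      }
      if (scoped) next                        # e.g. the loopback accept rule
      if (proto != "all" && proto != "tcp") next
      if (dport != "") {                      # single port or lo:hi range
        n = split(dport, r, ":"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
        if (port + 0 < lo + 0 || port + 0 > hi + 0) next
      }
      if (states != "" && ("," states ",") !~ /,NEW,/) next
      if (target ~ /^(ACCEPT|REJECT|DROP)$/) { print target; found = 1; exit }
    }
    END { if (!found) print "NONE" }'
}

# Constructed rule sets (not taken from the cluster in this report).
BASE='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
ALLOW='-A INPUT -p tcp -m state --state NEW -m tcp --dport 10256 -j ACCEPT'
DENY='-A INPUT -j REJECT --reject-with icmp-host-prohibited'

RULES_MISSING="$BASE
$DENY"
RULES_FIXED="$BASE
$ALLOW
$DENY"
RULES_SHADOWED="$BASE
$DENY
$ALLOW"        # grep 10256 still matches here, but the REJECT is hit first

printf '%s\n' "$RULES_MISSING"  | first_verdict 10256   # REJECT
printf '%s\n' "$RULES_FIXED"    | first_verdict 10256   # ACCEPT
printf '%s\n' "$RULES_SHADOWED" | first_verdict 10256   # REJECT
```

On a real node, feed it `iptables -S <chain>` for the chain that actually holds the ACCEPT rule; `NONE` means no terminating rule matched and the chain policy applies.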
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.