Can't associate a network policy to VPC network

GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources

https://cloud.google.com/config-connector/docs/overview

Apache License 2.0

889 stars 219 forks source link

Can't associate a network policy to VPC network #693

Open cc4i opened 2 years ago

cc4i commented 2 years ago

Checklist

[X] I did not find a related open enhancement request.
[X] I understand that enhancement requests filed in the GitHub repository are by default low priority.
[X] If this request is time-sensitive, I have submitted a corresponding issue with GCP support.

Describe the feature or resource

Have created "ComputeFirewallPolicy" and associated with folder or organisation through "ComputeFirewallPolicyAssociation", but could not be associated to a VPC network.

Additional information

gcloud and console can do that, for example gcloud:

gcloud compute network-firewall-policies associations create \
    --firewall-policy POLICY_NAME \
    --network NETWORK_NAME \
    [ --name ASSOCIATION_NAME ] \
    --global-firewall-policy

Importance

Blocking the adoption.

mbzomowski commented 2 years ago

Hi @cc4i - looking at the API documentation here, it looks like this would be a new resource which we do not currently support. We've added it to the list of resources we're looking into and will let you know when we have more information.

Please reach out to us via Cloud support to prioritize your request if it is a blocker.

cc4i commented 2 years ago

Appreciated that, thanks

milesarmstrong commented 1 year ago

👋 Hiya @mbzomowski

We've hit this too, do you have any updates on prioritisation? I've opened a Cloud support case for this (#45129983 if that helps).

It looks to me like networkFirewallPolicies.insert would do the right thing, i.e.

Creates a new policy in the specified project using the data included in the request.

mbzomowski commented 1 year ago

Hey @milesarmstrong sorry for the late response; I recently left the Config Connector team, but maybe @maqiuyujoyce can chime in as to its current prioritization.

xofaye commented 1 year ago

The KCC resource and the associated TF resources are poorly named -- this is because Google Cloud previously only had the concept of hierarchical firewall policies and network firewall policies had not been introduced yet.

The resource that you've described here (ComputeFirewallPolicy) is actually for hierarchical firewall policies, which can only be associated to orgs or folders.

The Terraform resource for network firewall policy is here, but the KCC resource for network firewall policy is in the backlog but has not been created yet.

milesarmstrong commented 1 year ago

Thanks @xofaye, any way to bump the priority of this in the backlog?

I opened a Cloud support request and they opened this Issue for me https://issuetracker.google.com/issues/285363992 if that helps.