gardener / gardener-extension-provider-gcp

Gardener extension controller for the GCP cloud provider (https://cloud.google.com).
https://gardener.cloud
Apache License 2.0

Ability to configure GCP VPC Flow Logs #8

Closed janb-sap closed 4 years ago

janb-sap commented 5 years ago

We need the ability to configure the VPC flow logs on Google Cloud Platform via Gardener to meet security requirements.

Manual configuration of the VPC flow logs is not possible, as it gets overwritten by Gardener on reconciliation.

vpnachev commented 4 years ago

Gardener and the GCP extension can deploy shoot clusters into an existing VPC, see https://github.com/gardener/gardener-extensions/blob/master/controllers/provider-gcp/docs/usage-as-end-user.md#infrastructureconfig . In this way it will not overwrite the VPC settings.

georgi-lozev commented 4 years ago

Hey @vpnachev thank you very much for the update.

As far as I understand it, this feature will allow us to specify an existing VPC which Gardener will use when deploying shoots. This means that we can enable the functionality that we'd like for an already existing VPC managed by Gardener, and it should not be changed after reconciliation.

However, doesn't that mean from then on we won't receive any configuration changes on that VPC from Gardener itself and it's up to us to somehow manage this VPC and keep it in sync with whatever rules or configurations it may require to work in future?

Do you have any example configurations which may fit our use case? Ideally for us we'll have the VPC Flow Logs enabled, but still all network firewall rules or routes will be provisioned and managed by Gardener itself.

georgi-lozev commented 4 years ago

Any updates on this one?

rfranzke commented 4 years ago

> However, doesn't that mean from then on we won't receive any configuration changes on that VPC from Gardener itself and it's up to us to somehow manage this VPC and keep it in sync with whatever rules or configurations it may require to work in future?

Yes, exactly, Gardener would not manage it at all - it would just use it. The configuration of the VPC itself is your responsibility in this case.

> Do you have any example configurations which may fit our use case? Ideally for us we'll have the VPC Flow Logs enabled, but still all network firewall rules or routes will be provisioned and managed by Gardener itself.

If you deploy a shoot into an existing VPC then Gardener will still create all the other things: firewall rules, routes, subnets, etc. The only difference is that it doesn't create/update/touch/delete the VPC - it just uses it.

However, I guess this issue is more to allow the configuration of VPC flow logs even for Gardener-managed VPCs. According to https://cloud.google.com/vpc/docs/using-flow-logs the flow logs are not configured on the VPC/network level but on the subnetwork level. The subnets are always managed by Gardener, be it an already existing VPC or a Gardener-managed one.

Hence, what this issue targets is to have a new field flowLogs (or something similar) in the GCP InfrastructureConfig that allows controlling this feature. The needed changes are similar to https://github.com/gardener/gardener-extensions/pull/520. In the end, https://github.com/gardener/gardener-extensions/blob/master/controllers/provider-gcp/charts/internal/gcp-infra/templates/main.tf#L27-L32 must be touched. According to https://www.terraform.io/docs/providers/google/r/compute_subnetwork.html#log_config there are a few configuration options, so a possible flowLogs field could look like this:

```yaml
apiVersion: gcp.provider.extensions.gardener.cloud/v1alpha1
kind: InfrastructureConfig
networks:
  ...
  flowLogs:
    aggregationInterval: 0.5
    flowSampling: 0.2
    metadata: INCLUDE_ALL_METADATA
```

I don't know when/whether @DockToFuture will work on it, so if you would like to contribute here then this would be very welcome @georgi-lozev :) gardener/gardener-extensions#520 should be a good reference.
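
One possible shape of the validation and template rendering behind such a flowLogs field, as an added Go example that is not the extension's own code: the FlowLogs type, the accepted values and the HCL rendering are assumptions taken from the Terraform log_config documentation linked above, and the interval is written as the Terraform enum string rather than the numeric value in the sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// FlowLogs mirrors the flowLogs field sketched for the GCP InfrastructureConfig
// (hypothetical Go type; the interval is taken as the Terraform enum string).
type FlowLogs struct {
	AggregationInterval string  `json:"aggregationInterval"`
	FlowSampling        float64 `json:"flowSampling"`
	Metadata            string  `json:"metadata"`
}

// Values accepted by the google_compute_subnetwork log_config block
// (assumed from the Terraform provider docs linked in the issue).
var validIntervals = map[string]bool{
	"INTERVAL_5_SEC": true, "INTERVAL_30_SEC": true, "INTERVAL_1_MIN": true,
	"INTERVAL_5_MIN": true, "INTERVAL_10_MIN": true, "INTERVAL_15_MIN": true,
}
var validMetadata = map[string]bool{"INCLUDE_ALL_METADATA": true, "EXCLUDE_ALL_METADATA": true}

// ValidateFlowLogs rejects values the subnet resource would not accept, so a
// bad shoot spec fails at admission rather than halfway through terraform apply.
func ValidateFlowLogs(f *FlowLogs) []string {
	if f == nil {
		return nil // flowLogs omitted: subnets keep flow logs disabled
	}
	var errs []string
	if !validIntervals[f.AggregationInterval] {
		errs = append(errs, fmt.Sprintf("aggregationInterval %q is not a supported interval", f.AggregationInterval))
	}
	if f.FlowSampling < 0 || f.FlowSampling > 1 {
		errs = append(errs, fmt.Sprintf("flowSampling %v must be between 0.0 and 1.0", f.FlowSampling))
	}
	if !validMetadata[f.Metadata] {
		errs = append(errs, fmt.Sprintf("metadata %q must be INCLUDE_ALL_METADATA or EXCLUDE_ALL_METADATA", f.Metadata))
	}
	return errs
}

// LogConfigHCL renders the log_config block that a template like main.tf would
// splice into each subnet resource; call it only for a validated, non-nil config.
func LogConfigHCL(f *FlowLogs) string {
	return strings.Join([]string{"  log_config {",
		fmt.Sprintf("    aggregation_interval = %q", f.AggregationInterval),
		fmt.Sprintf("    flow_sampling        = %v", f.FlowSampling),
		fmt.Sprintf("    metadata             = %q", f.Metadata), "  }"}, "\n")
}
```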

georgi-lozev commented 4 years ago

Thank you @rfranzke.

From my POV it will be beneficial for everyone to have control over Flow Logs since it's a very common security best practice. I hope @DockToFuture will be able to prioritise it accordingly.

Please get back to us with your plans for implementing this upstream; if it ends up not suitable for our timelines, we're open to making a contribution.

zanetworker commented 4 years ago

@georgi-lozev this is definitely on our priority radar, @DockToFuture plans to work on it soon. However, we also love contributions, so if you wish to work on it and need help let us know.