Conversation

barbacbd (Contributor)

What type of PR is this?

/kind feature
/kind /api-change

What this PR does / why we need it:

Currently the basic/default/required firewall rules are created by CAPG.
Users should be given the ability to create the firewall rules associated with
VPC that CAPG will create.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Currently the basic/default/required firewall rules are created by CAPG.
Users should be given the ability to create the firewall rules associated with
VPC that CAPG will create. The information provided by the user will mirror the
parameters for compute.Firewalls.

… firewall rule creation

api:

Add API changes to skip firewall rule creation. When unmanaged, the firewall rules will not be
created. When this is the case, the firewall rules should exist prior to creating the network.
This will allow ServiceAccounts to skip the rules:

compute.firewalls.create

cloud:

Update the services and interfaces. The firewall service will no longer create firewall rules when
the firewall policy is set to unmanaged OR when a shared vpc is used during installation and resource creation.
… created.

Currently the basic/default/required firewall rules are created by CAPG.
Users should be given the ability to create the firewall rules associated with
VPC that CAPG will create.
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Sep 26, 2025
@k8s-ci-robot (Contributor)

@barbacbd: The label(s) kind//api-change cannot be applied, because the repository doesn't have them.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Sep 26, 2025
@k8s-ci-robot (Contributor)

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: barbacbd
Once this PR has been reviewed and has the lgtm label, please assign salasberryfin for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Sep 26, 2025
@k8s-ci-robot (Contributor)

Hi @barbacbd. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


netlify bot commented Sep 26, 2025

Deploy Preview for kubernetes-sigs-cluster-api-gcp ready!

🔨 Latest commit: 226f310
🔍 Latest deploy log: https://app.netlify.com/projects/kubernetes-sigs-cluster-api-gcp/deploys/68d6def599bba30008840ef9
😎 Deploy Preview: https://deploy-preview-1538--kubernetes-sigs-cluster-api-gcp.netlify.app

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Sep 26, 2025
@barbacbd (Contributor, Author)

Note this currently requires #1532 so the commits look a bit wonky. These will be removed when 1532 merges and it should look cleaner.

// lowercase letter, and all following characters (except for the last
// character) must be a dash, lowercase letter, or digit. The last character
// must be a lowercase letter or digit.
Name *string `json:"name,omitempty"`
Thinking about collisions here - should we use this as a suffix with the cluster name?
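The following Go sketch is an added example, not CAPG's code nor anything from this PR. It ties together two points in the thread: the commit message's rule that the firewall service skips rule creation when the firewall policy is unmanaged or a shared VPC is in use, and the reviewer's concern above about name collisions, which it handles by prefixing each user-supplied rule name with the cluster name and validating the result against the naming rule quoted in the field comment. The types `NetworkSpec` and `FirewallPolicy` and every function name are hypothetical; the 63-character cap is the documented GCE resource-name limit and is an assumption, since the page does not state it.

```go
package main

import (
	"fmt"
	"regexp"
)

// FirewallPolicy is a hypothetical stand-in for the managed/unmanaged switch
// described in the PR's commit message; it is not the CAPG API type.
type FirewallPolicy string

const (
	FirewallPolicyManaged   FirewallPolicy = "Managed"
	FirewallPolicyUnmanaged FirewallPolicy = "Unmanaged"
)

// NetworkSpec is a constructed subset of the fields the decision needs.
type NetworkSpec struct {
	FirewallPolicy FirewallPolicy
	SharedVPC      bool // true when installing into a host project's shared VPC
}

// ShouldCreateFirewallRules returns false when the rules are the user's
// responsibility (unmanaged policy) or when a shared VPC is used. In both
// cases the rules are expected to exist already, so the controller's service
// account does not need compute.firewalls.create.
func ShouldCreateFirewallRules(spec NetworkSpec) bool {
	if spec.FirewallPolicy == FirewallPolicyUnmanaged {
		return false
	}
	if spec.SharedVPC {
		return false
	}
	return true
}

// gceNameRe encodes the rule from the field comment: first character a
// lowercase letter, middle characters dash/lowercase/digit, last character a
// lowercase letter or digit.
var gceNameRe = regexp.MustCompile(`^[a-z]([-a-z0-9]*[a-z0-9])?$`)

// maxGCENameLen is the documented GCE name limit (assumption; not on the page).
const maxGCENameLen = 63

// ValidateGCEName rejects names that GCE would refuse at creation time, so a
// bad name fails validation in the controller rather than in the API call.
func ValidateGCEName(name string) error {
	if len(name) == 0 || len(name) > maxGCENameLen {
		return fmt.Errorf("name %q must be 1-%d characters", name, maxGCENameLen)
	}
	if !gceNameRe.MatchString(name) {
		return fmt.Errorf("name %q must start with a lowercase letter, contain only lowercase letters, digits and dashes, and end with a letter or digit", name)
	}
	return nil
}

// FirewallRuleName scopes a user-supplied rule name to the cluster, so two
// clusters in one project that both ask for "allow-ssh" get distinct rules.
func FirewallRuleName(clusterName, userName string) (string, error) {
	full := clusterName + "-" + userName
	if err := ValidateGCEName(full); err != nil {
		return "", err
	}
	return full, nil
}

// PlanFirewallRules returns the fully qualified rule names the reconciler
// would create, or nil when creation is skipped. Duplicates within one
// cluster are rejected up front rather than surfacing as a 409 from GCE.
func PlanFirewallRules(clusterName string, spec NetworkSpec, userNames []string) ([]string, error) {
	if !ShouldCreateFirewallRules(spec) {
		return nil, nil
	}
	out := make([]string, 0, len(userNames))
	seen := make(map[string]bool, len(userNames))
	for _, n := range userNames {
		full, err := FirewallRuleName(clusterName, n)
		if err != nil {
			return nil, err
		}
		if seen[full] {
			return nil, fmt.Errorf("duplicate firewall rule name %q", full)
		}
		seen[full] = true
		out = append(out, full)
	}
	return out, nil
}

func main() {
	spec := NetworkSpec{FirewallPolicy: FirewallPolicyManaged}
	plan, err := PlanFirewallRules("prod", spec, []string{"allow-ssh", "allow-https"})
	fmt.Println(plan, err)

	spec.FirewallPolicy = FirewallPolicyUnmanaged
	plan, err = PlanFirewallRules("prod", spec, []string{"allow-ssh"})
	fmt.Println(plan, err) // creation skipped: rules are expected to pre-exist
}
```

Prefixing with the cluster name keeps the user's chosen name readable in the GCE console while making it unique per cluster; the trade-off is that long cluster names eat into the 63-character budget, which is why the validation runs on the combined name rather than on the user's part alone.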

@justinsb (Contributor)

I like this from a functionality and code perspective. Does comparable functionality already exist in (for example) CAPA? If so, we're just "catching up" and that's great, if not we should probably discuss at the CAPI level to make sure we want to include this functionality here.

As an alternative, I believe CAPZ lets you define additional resources using ASO. The GCP equivalent is KCC (and the AWS equivalent in ACK). I work on KCC so I am obviously biased here, but it is a good way to avoid having to reimplement (potentially) every GCP API in our CAPG API.

@patrickdillon

I like this from a functionality and code perspective. Does comparable functionality already exist in (for example) CAPA? If so, we're just "catching up" and that's great

Yes! CAPA allows you to specify CNIIngressRules and IngressRules for ControlPlane and Compute nodes
