From 580393994ed83c0de9faa4951494da5c0b7655da Mon Sep 17 00:00:00 2001 From: barbacbd Date: Fri, 26 Sep 2025 14:37:44 -0400 Subject: [PATCH] Adding the ability for users to specify what firewall rules should be created. ** Currently the basic/default/required firewall rules are created by CAPG. Users should be given the ability to create the firewall rules associated with VPC that CAPG will create. --- api/v1beta1/types.go | 132 +++++++++++- api/v1beta1/zz_generated.deepcopy.go | 121 ++++++++++- cloud/scope/cluster.go | 37 +++- cloud/scope/managedcluster.go | 37 +++- .../compute/firewalls/reconcile_test.go | 147 ++++++++++++- ...tructure.cluster.x-k8s.io_gcpclusters.yaml | 192 ++++++++++++++++- ....cluster.x-k8s.io_gcpclustertemplates.yaml | 193 +++++++++++++++++- ...e.cluster.x-k8s.io_gcpmanagedclusters.yaml | 192 ++++++++++++++++- ...r.x-k8s.io_gcpmanagedclustertemplates.yaml | 193 +++++++++++++++++- 9 files changed, 1234 insertions(+), 10 deletions(-) diff --git a/api/v1beta1/types.go b/api/v1beta1/types.go index 27019aff9..ce251b30b 100644 --- a/api/v1beta1/types.go +++ b/api/v1beta1/types.go 
@@ -107,6 +107,118 @@ type Network struct { APIInternalForwardingRule *string `json:"apiInternalForwardingRule,omitempty"` } +// FirewallDescriptor describes a GCP firewall rule. +type FirewallDescriptor struct { + // IPProtocol: The IP protocol to which this rule applies. The protocol type is + // required when creating a firewall rule. This value can either be one of the + // following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) + // or the IP protocol number. + IPProtocol string `json:"IPProtocol,omitempty"` + // Ports: An optional list of ports to which this rule applies. This field is + // only applicable for the UDP or TCP protocol. Each entry must be either an + // integer or a range. If not specified, this rule applies to connections + // through any port. Example inputs include: ["22"], ["80","443"], and + // ["12345-12349"]. + Ports []string `json:"ports,omitempty"` +} + +// FirewallRule describes a GCP firewall rule. +type FirewallRule struct { + // Allowed: The list of ALLOW rules specified by this firewall. Each rule + // specifies a protocol and port-range tuple that describes a permitted + // connection. + Allowed []*FirewallDescriptor `json:"allowed,omitempty"` + // Denied: The list of DENY rules specified by this firewall. Each rule + // specifies a protocol and port-range tuple that describes a denied + // connection. + Denied []*FirewallDescriptor `json:"denied,omitempty"` + // Description: An optional description of this resource. Provide this field + // when you create the resource. + Description *string `json:"description,omitempty"` + // DestinationRanges: If destination ranges are specified, the firewall rule + // applies only to traffic that has destination IP address in these ranges. + // These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are + // supported. 
+ DestinationRanges []string `json:"destinationRanges,omitempty"` + // Direction: Direction of traffic to which this firewall applies, either + // `INGRESS` or `EGRESS`. The default is `INGRESS`. For `EGRESS` traffic, you + // cannot specify the sourceTags fields. + // + // Possible values: + // "EGRESS" - Indicates that firewall should apply to outgoing traffic. + // "INGRESS" - Indicates that firewall should apply to incoming traffic. + // +kubebuilder:validation:Enum=INGRESS;EGRESS + // +kubebuilder:default=INGRESS + // +optional + Direction *FirewallRuleDirection `json:"direction,omitempty"` + // Disabled: Denotes whether the firewall rule is disabled. When set to true, + // the firewall rule is not enforced and the network behaves as if it did not + // exist. If this is unspecified, the firewall rule will be enabled. + Disabled *bool `json:"disabled,omitempty"` + // Name: Name of the resource; provided by the client when the resource is + // created. The name must be 1-63 characters long, and comply with RFC1035. + // Specifically, the name must be 1-63 characters long and match the regular + // expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a + // lowercase letter, and all following characters (except for the last + // character) must be a dash, lowercase letter, or digit. The last character + // must be a lowercase letter or digit. + Name *string `json:"name,omitempty"` + // Priority: Priority for this rule. This is an integer between `0` and + // `65535`, both inclusive. The default value is `1000`. Relative priorities + // determine which rule takes effect if multiple rules apply. Lower values + // indicate higher priority. For example, a rule with priority `0` has higher + // precedence than a rule with priority `1`. DENY rules take precedence over + // ALLOW rules if they have equal priority. Note that VPC networks have implied + // rules with a priority of `65535`. 
To avoid conflicts with the implied rules, + // use a priority number less than `65535`. + Priority *int64 `json:"priority,omitempty"` + // SourceRanges: If source ranges are specified, the firewall rule applies only + // to traffic that has a source IP address in these ranges. These ranges must + // be expressed in CIDR format. One or both of sourceRanges and sourceTags may + // be set. If both fields are set, the rule applies to traffic that has a + // source IP address within sourceRanges OR a source IP from a resource with a + // matching tag listed in the sourceTags field. The connection does not need to + // match both fields for the rule to apply. Both IPv4 and IPv6 are supported. + SourceRanges []string `json:"sourceRanges,omitempty"` + // SourceServiceAccounts: If source service accounts are specified, the + // firewall rules apply only to traffic originating from an instance with a + // service account in this list. Source service accounts cannot be used to + // control traffic to an instance's external IP address because service + // accounts are associated with an instance, not an IP address. sourceRanges + // can be set at the same time as sourceServiceAccounts. If both are set, the + // firewall applies to traffic that has a source IP address within the + // sourceRanges OR a source IP that belongs to an instance with service account + // listed in sourceServiceAccount. The connection does not need to match both + // fields for the firewall to apply. sourceServiceAccounts cannot be used at + // the same time as sourceTags or targetTags. + SourceServiceAccounts []string `json:"sourceServiceAccounts,omitempty"` + // SourceTags: If source tags are specified, the firewall rule applies only to + // traffic with source IPs that match the primary network interfaces of VM + // instances that have the tag and are in the same VPC network. 
Source tags + // cannot be used to control traffic to an instance's external IP address, it + // only applies to traffic between instances in the same virtual network. + // Because tags are associated with instances, not IP addresses. One or both of + // sourceRanges and sourceTags may be set. If both fields are set, the firewall + // applies to traffic that has a source IP address within sourceRanges OR a + // source IP from a resource with a matching tag listed in the sourceTags + // field. The connection does not need to match both fields for the firewall to + // apply. + SourceTags []string `json:"sourceTags,omitempty"` + // TargetServiceAccounts: A list of service accounts indicating sets of + // instances located in the network that may make network connections as + // specified in allowed[]. targetServiceAccounts cannot be used at the same + // time as targetTags or sourceTags. If neither targetServiceAccounts nor + // targetTags are specified, the firewall rule applies to all instances on the + // specified network. + TargetServiceAccounts []string `json:"targetServiceAccounts,omitempty"` + // TargetTags: A list of tags that controls which instances the firewall rule + // applies to. If targetTags are specified, then the firewall rule applies only + // to instances in the VPC network that have one of those tags. If no + // targetTags are specified, the firewall rule applies to all instances on the + // specified network. + TargetTags []string `json:"targetTags,omitempty"` +} + // FirewallSpec contains configuration for the firewall. type FirewallSpec struct { // DefaultRulesManagement determines the management policy for the default firewall rules 
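Review bot: The constraints these doc comments promise are not enforced by the schema: `Priority` only describes the 0–65535 range, `Name` only describes the RFC1035 form, and `IPProtocol` is documented as required while its tag is `omitempty` with no `+kubebuilder:validation:Required`, so the generated CRD later in this patch carries no `minimum`/`maximum`, `pattern`/`maxLength` or `required` for them and a bad value is only rejected when the reconciler calls the Compute API. Add `// +kubebuilder:validation:Minimum=0` and `// +kubebuilder:validation:Maximum=65535` on `Priority`, and `// +kubebuilder:validation:Pattern=^[a-z]([-a-z0-9]*[a-z0-9])?$` with `// +kubebuilder:validation:MaxLength=63` on `Name`, so the API server rejects them up front. The `FirewallRule` doc should also warn about the dangerous default: GCP applies an INGRESS rule that sets none of `sourceRanges`/`sourceTags`/`sourceServiceAccounts` to all sources (0.0.0.0/0), so an `Allowed` entry with no source filter exposes the port to the internet for every instance matched by `targetTags` — or, as the `TargetTags` comment itself notes, for every instance in the network when `targetTags` is empty. A line such as `// An INGRESS rule with no source filter matches all sources (0.0.0.0/0); always scope rules with sourceRanges, sourceTags or sourceServiceAccounts.` would make that explicit to users of the CRD.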
@@ -121,8 +233,24 @@ type FirewallSpec struct { // +optional // +kubebuilder:default:="Managed" DefaultRulesManagement RulesManagementPolicy `json:"defaultRulesManagement,omitempty"` + + // FirewallRules is a list of additional firewall rules to create. + // +optional + FirewallRules []FirewallRule `json:"firewallRules,omitempty"` } +// FirewallRuleDirection is a string enum type for the direction of a firewall rule. +// +kubebuilder:validation:Enum=INGRESS;EGRESS +type FirewallRuleDirection string + +const ( + // FirewallRuleDirectionIngress indicates that the firewall rule applies to incoming traffic. + FirewallRuleDirectionIngress FirewallRuleDirection = "INGRESS" + + // FirewallRuleDirectionEgress indicates that the firewall rule applies to outgoing traffic. + FirewallRuleDirectionEgress FirewallRuleDirection = "EGRESS" +) + // RulesManagementPolicy is a string enum type for managing firewall rules. // +kubebuilder:validation:Enum=Managed;Unmanaged type RulesManagementPolicy string @@ -167,9 +295,9 @@ type NetworkSpec struct { // +optional HostProject *string `json:"hostProject,omitempty"` - // Firewall configuration. + // FirewallSpec contains the firewall configuration associated with this network. // +optional - Firewall FirewallSpec `json:"firewall,omitempty,omitzero"` + FirewallSpec FirewallSpec `json:"firewall,omitempty,omitzero"` // Mtu: Maximum Transmission Unit in bytes. The minimum value for this field is // 1300 and the maximum value is 8896. The suggested value is 1500, which is diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 9f1502661..d8c7cbd14 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go 
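Review bot: Renaming the `NetworkSpec.Firewall` Go field to `FirewallSpec` in the third hunk keeps the `firewall` JSON tag, so stored objects remain compatible, but it breaks every out-of-tree Go consumer of the `v1beta1` package that references `NetworkSpec.Firewall` (the in-tree users touched in this patch are updated, external importers will stop compiling); since the wire format is unchanged, keeping the field name and only replacing its comment with `// Firewall contains the firewall configuration associated with this network.` delivers the doc fix without the API break. Separately, `Direction` now carries `+kubebuilder:validation:Enum=INGRESS;EGRESS` on both the field (first hunk of this file) and the `FirewallRuleDirection` type added here, which is why the generated CRD emits an `allOf` with two identical enum lists; keep the marker on the type only. The `FirewallRules` doc should also state how the list interacts with `DefaultRulesManagement` and shared VPCs — if the reconciler gates on `SkipFirewallRuleCreation()` as that method's name suggests, user rules are skipped in those modes too, which a user adding rules to an `Unmanaged` cluster would not expect.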
@@ -163,9 +163,128 @@ func (in *Filter) DeepCopy() *Filter { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallDescriptor) DeepCopyInto(out *FirewallDescriptor) { + *out = *in + if in.Ports != nil { + in, out := &in.Ports, &out.Ports + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDescriptor. +func (in *FirewallDescriptor) DeepCopy() *FirewallDescriptor { + if in == nil { + return nil + } + out := new(FirewallDescriptor) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *FirewallRule) DeepCopyInto(out *FirewallRule) { + *out = *in + if in.Allowed != nil { + in, out := &in.Allowed, &out.Allowed + *out = make([]*FirewallDescriptor, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(FirewallDescriptor) + (*in).DeepCopyInto(*out) + } + } + } + if in.Denied != nil { + in, out := &in.Denied, &out.Denied + *out = make([]*FirewallDescriptor, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(FirewallDescriptor) + (*in).DeepCopyInto(*out) + } + } + } + if in.Description != nil { + in, out := &in.Description, &out.Description + *out = new(string) + **out = **in + } + if in.DestinationRanges != nil { + in, out := &in.DestinationRanges, &out.DestinationRanges + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Direction != nil { + in, out := &in.Direction, &out.Direction + *out = new(FirewallRuleDirection) + **out = **in + } + if in.Disabled != nil { + in, out := &in.Disabled, &out.Disabled + *out = new(bool) + **out = **in + } + if in.Name != nil { + in, out := &in.Name, &out.Name + *out = new(string) + **out = **in + } + if in.Priority != 
nil { + in, out := &in.Priority, &out.Priority + *out = new(int64) + **out = **in + } + if in.SourceRanges != nil { + in, out := &in.SourceRanges, &out.SourceRanges + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.SourceServiceAccounts != nil { + in, out := &in.SourceServiceAccounts, &out.SourceServiceAccounts + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.SourceTags != nil { + in, out := &in.SourceTags, &out.SourceTags + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.TargetServiceAccounts != nil { + in, out := &in.TargetServiceAccounts, &out.TargetServiceAccounts + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.TargetTags != nil { + in, out := &in.TargetTags, &out.TargetTags + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallRule. +func (in *FirewallRule) DeepCopy() *FirewallRule { + if in == nil { + return nil + } + out := new(FirewallRule) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *FirewallSpec) DeepCopyInto(out *FirewallSpec) { *out = *in + if in.FirewallRules != nil { + in, out := &in.FirewallRules, &out.FirewallRules + *out = make([]FirewallRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSpec. @@ -947,7 +1066,7 @@ func (in *NetworkSpec) DeepCopyInto(out *NetworkSpec) { *out = new(string) **out = **in } - out.Firewall = in.Firewall + in.FirewallSpec.DeepCopyInto(&out.FirewallSpec) } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSpec. diff --git a/cloud/scope/cluster.go b/cloud/scope/cluster.go index 6fc3ef4c8..1f6549cb9 100644 --- a/cloud/scope/cluster.go +++ b/cloud/scope/cluster.go 
@@ -20,6 +20,7 @@ import ( "context" "fmt" "strconv" + "strings" "time" "github.com/pkg/errors" @@ -111,7 +112,7 @@ func (s *ClusterScope) NetworkProject() string { // set to unmanaged or when the cluster will include a shared VPC, the default firewall // rule creation will be skipped. func (s *ClusterScope) SkipFirewallRuleCreation() bool { - return (s.GCPCluster.Spec.Network.Firewall.DefaultRulesManagement == infrav1.RulesManagementUnmanaged) || s.IsSharedVpc() + return (s.GCPCluster.Spec.Network.FirewallSpec.DefaultRulesManagement == infrav1.RulesManagementUnmanaged) || s.IsSharedVpc() } // IsSharedVpc returns true If sharedVPC used else , returns false. @@ -324,6 +325,40 @@ func (s *ClusterScope) FirewallRulesSpec() []*compute.Firewall { }, } + // Add user defined firewall rules. + for _, rule := range s.GCPCluster.Spec.Network.FirewallSpec.FirewallRules { + allowed := []*compute.FirewallAllowed{} + for _, a := range rule.Allowed { + allowed = append(allowed, &compute.FirewallAllowed{ + IPProtocol: a.IPProtocol, + Ports: a.Ports, + }) + } + + denied := []*compute.FirewallDenied{} + for _, d := range rule.Denied { + denied = append(denied, &compute.FirewallDenied{ + IPProtocol: d.IPProtocol, + Ports: d.Ports, + }) + } + + direction := string(ptr.Deref(rule.Direction, infrav1.FirewallRuleDirectionIngress)) + firewallRules = append(firewallRules, &compute.Firewall{ + Name: ptr.Deref(rule.Name, fmt.Sprintf("%s-%s", s.Name(), strings.ToLower(direction))), + Description: ptr.Deref(rule.Description, fmt.Sprintf("Firewall rule %s is created by Cluster API GCP Provider.", s.Name())), + Network: s.NetworkLink(), + Allowed: allowed, + Denied: denied, + Direction: direction, + Priority: ptr.Deref(rule.Priority, int64(1000)), + Disabled: ptr.Deref(rule.Disabled, false), + SourceRanges: rule.SourceRanges, + TargetTags: rule.TargetTags, + SourceTags: rule.SourceTags, + }) + } + return firewallRules } 
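Review bot: The `compute.Firewall` built for each user rule in the third hunk copies `SourceRanges`, `SourceTags` and `TargetTags` but drops `DestinationRanges`, `SourceServiceAccounts` and `TargetServiceAccounts`, all of which the new `FirewallRule` type exposes; a rule the user scoped with `targetServiceAccounts` is therefore created with no target filter and, per the type's own doc, applies to every instance on the network, and an `EGRESS` rule's `destinationRanges` is silently discarded so it matches all destinations — both widen the rule beyond what was written. Add `DestinationRanges: rule.DestinationRanges,`, `SourceServiceAccounts: rule.SourceServiceAccounts,` and `TargetServiceAccounts: rule.TargetServiceAccounts,` to the literal. The default name `fmt.Sprintf("%s-%s", s.Name(), strings.ToLower(direction))` is also not unique: two unnamed rules with the same direction map to one GCP resource name, so either fold the rule's index into the default or make `name` required. Note that `SkipFirewallRuleCreation` in the second hunk still returns true for `Unmanaged` and shared VPC, so if the reconciler gates on it as its name suggests, the user rules appended here are never created in those modes — that should either be documented on `FirewallRules` or gated separately. `FirewallRulesSpec` begins before this hunk.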
diff --git a/cloud/scope/managedcluster.go b/cloud/scope/managedcluster.go index b3095374c..92e8aa736 100644 --- a/cloud/scope/managedcluster.go +++ b/cloud/scope/managedcluster.go @@ -20,6 +20,7 @@ import ( "context" "fmt" "strconv" + "strings" "github.com/pkg/errors" "google.golang.org/api/compute/v1" @@ -134,7 +135,7 @@ func (s *ManagedClusterScope) NetworkProject() string { // set to unmanaged or when the cluster will include a shared VPC, the default firewall // rule creation will be skipped. func (s *ManagedClusterScope) SkipFirewallRuleCreation() bool { - return (s.GCPManagedCluster.Spec.Network.Firewall.DefaultRulesManagement == infrav1.RulesManagementUnmanaged) || s.IsSharedVpc() + return (s.GCPManagedCluster.Spec.Network.FirewallSpec.DefaultRulesManagement == infrav1.RulesManagementUnmanaged) || s.IsSharedVpc() } // IsSharedVpc returns true If sharedVPC used else , returns false. 
@@ -308,6 +309,40 @@ func (s *ManagedClusterScope) FirewallRulesSpec() []*compute.Firewall { }, } + // Add user defined firewall rules. + for _, rule := range s.GCPManagedCluster.Spec.Network.FirewallSpec.FirewallRules { + allowed := []*compute.FirewallAllowed{} + for _, a := range rule.Allowed { + allowed = append(allowed, &compute.FirewallAllowed{ + IPProtocol: a.IPProtocol, + Ports: a.Ports, + }) + } + + denied := []*compute.FirewallDenied{} + for _, d := range rule.Denied { + denied = append(denied, &compute.FirewallDenied{ + IPProtocol: d.IPProtocol, + Ports: d.Ports, + }) + } + + direction := string(ptr.Deref(rule.Direction, infrav1.FirewallRuleDirectionIngress)) + firewallRules = append(firewallRules, &compute.Firewall{ + Name: ptr.Deref(rule.Name, fmt.Sprintf("%s-%s", s.Name(), strings.ToLower(direction))), + Description: ptr.Deref(rule.Description, fmt.Sprintf("Firewall rule %s is created by Cluster API GCP Provider.", s.Name())), + Network: s.NetworkLink(), + Allowed: allowed, + Denied: denied, + Direction: direction, + Priority: ptr.Deref(rule.Priority, int64(1000)), + Disabled: ptr.Deref(rule.Disabled, false), + SourceRanges: rule.SourceRanges, + TargetTags: rule.TargetTags, + SourceTags: rule.SourceTags, + }) + } + return firewallRules } diff --git a/cloud/services/compute/firewalls/reconcile_test.go b/cloud/services/compute/firewalls/reconcile_test.go index aa1b080af..89ef2c8fa 100644 --- a/cloud/services/compute/firewalls/reconcile_test.go +++ b/cloud/services/compute/firewalls/reconcile_test.go @@ -127,7 +127,7 @@ var fakeGCPClusterUnmanagedFirewalls = &infrav1.GCPCluster{ Purpose: ptr.To[string]("INTERNAL_HTTPS_LOAD_BALANCER"), }, }, - Firewall: infrav1.FirewallSpec{ + FirewallSpec: infrav1.FirewallSpec{ DefaultRulesManagement: infrav1.RulesManagementUnmanaged, }, }, 
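Review bot: This copy of the user-rule conversion has the same gap as the one in `cluster.go`: `DestinationRanges`, `SourceServiceAccounts` and `TargetServiceAccounts` are never copied into the `compute.Firewall`, so a rule the user scoped with `targetServiceAccounts` lands with no target filter (applying to every instance on the network, as the field's own doc warns) and an `EGRESS` rule loses its destination filter. Since both scopes now carry an identical ~30-line block that must stay in sync, I would move it into one package-level helper in `cloud/scope` that both `FirewallRulesSpec` methods call, carrying every scoping field and giving unnamed rules a unique default name (the current `<cluster>-<direction>` default collides as soon as two unnamed rules share a direction; this feature is new in this patch, so no existing resources depend on the old default). The caller side becomes `firewallRules = append(firewallRules, userFirewallRules(s.Name(), s.NetworkLink(), s.GCPManagedCluster.Spec.Network.FirewallSpec.FirewallRules)...)`. `FirewallRulesSpec` starts before this hunk.
```go
// userFirewallRules converts the user-specified FirewallRules of a cluster into
// Compute API firewall objects on networkLink. Every scoping field of
// FirewallRule is carried over so a created rule is never wider than specified.
func userFirewallRules(clusterName, networkLink string, rules []infrav1.FirewallRule) []*compute.Firewall {
	out := make([]*compute.Firewall, 0, len(rules))
	for i, rule := range rules {
		allowed := make([]*compute.FirewallAllowed, 0, len(rule.Allowed))
		for _, a := range rule.Allowed {
			allowed = append(allowed, &compute.FirewallAllowed{IPProtocol: a.IPProtocol, Ports: a.Ports})
		}
		denied := make([]*compute.FirewallDenied, 0, len(rule.Denied))
		for _, d := range rule.Denied {
			denied = append(denied, &compute.FirewallDenied{IPProtocol: d.IPProtocol, Ports: d.Ports})
		}
		direction := string(ptr.Deref(rule.Direction, infrav1.FirewallRuleDirectionIngress))
		// The index keeps default names unique when several unnamed rules share a direction.
		name := ptr.Deref(rule.Name, fmt.Sprintf("%s-%s-%d", clusterName, strings.ToLower(direction), i))
		out = append(out, &compute.Firewall{
			Name:                  name,
			Description:           ptr.Deref(rule.Description, fmt.Sprintf("Firewall rule %s is created by Cluster API GCP Provider.", clusterName)),
			Network:               networkLink,
			Allowed:               allowed,
			Denied:                denied,
			Direction:             direction,
			Priority:              ptr.Deref(rule.Priority, int64(1000)),
			Disabled:              ptr.Deref(rule.Disabled, false),
			SourceRanges:          rule.SourceRanges,
			DestinationRanges:     rule.DestinationRanges,
			SourceTags:            rule.SourceTags,
			SourceServiceAccounts: rule.SourceServiceAccounts,
			TargetTags:            rule.TargetTags,
			TargetServiceAccounts: rule.TargetServiceAccounts,
		})
	}
	return out
}
```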
@@ -137,6 +137,97 @@ var fakeGCPClusterUnmanagedFirewalls = &infrav1.GCPCluster{ }, } +var fakeGCPClusterWithFirewallRules = &infrav1.GCPCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "my-cluster", + Namespace: "default", + }, + Spec: infrav1.GCPClusterSpec{ + Project: "my-proj", + Region: "us-central1", + Network: infrav1.NetworkSpec{ + Name: ptr.To("my-network"), + Subnets: infrav1.Subnets{ + infrav1.SubnetSpec{ + Name: "workers", + CidrBlock: "10.0.0.1/28", + Region: "us-central1", + Purpose: ptr.To[string]("INTERNAL_HTTPS_LOAD_BALANCER"), + }, + }, + FirewallSpec: infrav1.FirewallSpec{ + FirewallRules: []infrav1.FirewallRule{ + { + Name: ptr.To("custom-fw-rule"), + Description: ptr.To("Custom Firewall Rule Description"), + Allowed: []*infrav1.FirewallDescriptor{ + { + IPProtocol: "tcp", + Ports: []string{"443"}, + }, + }, + Direction: ptr.To(infrav1.FirewallRuleDirectionIngress), + Priority: ptr.To(int64(1000)), + }, + }, + }, + }, + }, + Status: infrav1.GCPClusterStatus{ + Network: infrav1.Network{ + FirewallRules: map[string]string{ + "custom-fw-rule": "test", + }, + }, + }, +} + +var fakeGCPClusterWithFirewallRulesUnmanaged = &infrav1.GCPCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "my-cluster", + Namespace: "default", + }, + Spec: infrav1.GCPClusterSpec{ + Project: "my-proj", + Region: "us-central1", + Network: infrav1.NetworkSpec{ + Name: ptr.To("my-network"), + Subnets: infrav1.Subnets{ + infrav1.SubnetSpec{ + Name: "workers", + CidrBlock: "10.0.0.1/28", + Region: "us-central1", + Purpose: ptr.To[string]("INTERNAL_HTTPS_LOAD_BALANCER"), + }, + }, + FirewallSpec: infrav1.FirewallSpec{ + FirewallRules: []infrav1.FirewallRule{ + { + Name: ptr.To("custom-fw-rule"), + Description: ptr.To("Custom Firewall Rule Description"), + Allowed: []*infrav1.FirewallDescriptor{ + { + IPProtocol: "tcp", + Ports: []string{"443"}, + }, + }, + Direction: ptr.To(infrav1.FirewallRuleDirectionIngress), + Priority: ptr.To(int64(1000)), + }, + }, + DefaultRulesManagement: 
infrav1.RulesManagementUnmanaged, + }, + }, + }, + Status: infrav1.GCPClusterStatus{ + Network: infrav1.Network{ + FirewallRules: map[string]string{ + "custom-fw-rule": "test", + }, + }, + }, +} + type testCase struct { name string scope func() Scope @@ -186,6 +277,30 @@ func TestService_Reconcile(t *testing.T) { t.Fatal(err) } + clusterScopeCustomFirewalls, err := scope.NewClusterScope(context.TODO(), scope.ClusterScopeParams{ + Client: fakec, + Cluster: fakeCluster, + GCPCluster: fakeGCPClusterWithFirewallRules, + GCPServices: scope.GCPServices{ + Compute: &compute.Service{}, + }, + }) + if err != nil { + t.Fatal(err) + } + + clusterScopeCustomFirewallsUnmanaged, err := scope.NewClusterScope(context.TODO(), scope.ClusterScopeParams{ + Client: fakec, + Cluster: fakeCluster, + GCPCluster: fakeGCPClusterWithFirewallRulesUnmanaged, + GCPServices: scope.GCPServices{ + Compute: &compute.Service{}, + }, + }) + if err != nil { + t.Fatal(err) + } + tests := []testCase{ { name: "firewall rule does not exist successful create", 
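Review bot: `fakeGCPClusterWithFirewallRulesUnmanaged` repeats the whole of `fakeGCPClusterWithFirewallRules` (cluster, subnet, rule and status) and differs only in `DefaultRulesManagement`, so any later change to the shared rule has to be made twice; the generated `DeepCopy` added in this patch lets the second fixture be derived, e.g. `var fakeGCPClusterWithFirewallRulesUnmanaged = func() *infrav1.GCPCluster { c := fakeGCPClusterWithFirewallRules.DeepCopy(); c.Spec.Network.FirewallSpec.DefaultRulesManagement = infrav1.RulesManagementUnmanaged; return c }()`. Both fixtures also pre-seed `Status.Network.FirewallRules` with `"custom-fw-rule"`, which is the state the reconciler is supposed to produce; starting the status empty would let the test prove the reconciler records the created rule rather than merely not erroring.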
@@ -261,6 +376,36 @@ func TestService_Reconcile(t *testing.T) { }, }, }, + { + name: "firewall rule does not exist successful create custom user specifiedrule", + scope: func() Scope { return clusterScopeCustomFirewalls }, + mockFirewalls: &cloud.MockFirewalls{ + ProjectRouter: &cloud.SingleProjectRouter{ID: "my-proj"}, + Objects: map[meta.Key]*cloud.MockFirewallsObj{}, + }, + assert: func(ctx context.Context, t testCase) error { + key := meta.GlobalKey("custom-fw-rule") + fwRule, err := t.mockFirewalls.Get(ctx, key) + if err != nil { + return err + } + + if _, ok := fakeGCPClusterWithFirewallRules.Status.Network.FirewallRules[fwRule.Name]; !ok { + return errors.New("firewall rule was created but with wrong values") + } + return nil + }, + }, + { + name: "firewall return no error using unmanaged firewall settings with custom user specified rules", + scope: func() Scope { return clusterScopeCustomFirewallsUnmanaged }, + mockFirewalls: &cloud.MockFirewalls{ + ProjectRouter: &cloud.SingleProjectRouter{ID: "my-proj"}, + Objects: map[meta.Key]*cloud.MockFirewallsObj{ + *meta.GlobalKey("custom-fw-rule"): {}, + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclusters.yaml index 462c714eb..fa4f44c63 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclusters.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclusters.yaml @@ -180,7 +180,8 @@ spec: Defaults to true. type: boolean firewall: - description: Firewall configuration. + description: FirewallSpec contains the firewall configuration + associated with this network. properties: defaultRulesManagement: default: Managed 
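Review bot: The assertion in the "successful create custom user specified rule" case does not check what was created: it fetches `custom-fw-rule` from the mock and then only tests whether its name is a key of `fakeGCPClusterWithFirewallRules.Status.Network.FirewallRules`, a map the fixture pre-populates with that very key, so the `"firewall rule was created but with wrong values"` branch can never fire and a rule created with an empty `Allowed` list, the wrong direction or no network would still pass. Compare the fetched object against the spec instead, e.g. `if fwRule.Direction != "INGRESS" || fwRule.Priority != 1000 || len(fwRule.Allowed) != 1 || fwRule.Allowed[0].IPProtocol != "tcp" || len(fwRule.Allowed[0].Ports) != 1 || fwRule.Allowed[0].Ports[0] != "443" { return errors.New("custom firewall rule created with wrong values") }`, and keep the fixture's status empty so the test also covers the status update. The `Unmanaged` case has no `assert` at all; it should verify the pre-seeded object was left untouched and that no further objects appeared in `mockFirewalls.Objects`, otherwise it only shows that Reconcile returns nil. The test name `"... custom user specifiedrule"` is missing a space.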
@@ -198,6 +199,195 @@ spec: - Managed - Unmanaged type: string + firewallRules: + description: FirewallRules is a list of additional firewall + rules to create. + items: + description: FirewallRule describes a GCP firewall rule. + properties: + allowed: + description: |- + Allowed: The list of ALLOW rules specified by this firewall. Each rule + specifies a protocol and port-range tuple that describes a permitted + connection. + items: + description: FirewallDescriptor describes a GCP firewall + rule. + properties: + IPProtocol: + description: |- + IPProtocol: The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be one of the + following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) + or the IP protocol number. + type: string + ports: + description: |- + Ports: An optional list of ports to which this rule applies. This field is + only applicable for the UDP or TCP protocol. Each entry must be either an + integer or a range. If not specified, this rule applies to connections + through any port. Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + type: object + type: array + denied: + description: |- + Denied: The list of DENY rules specified by this firewall. Each rule + specifies a protocol and port-range tuple that describes a denied + connection. + items: + description: FirewallDescriptor describes a GCP firewall + rule. + properties: + IPProtocol: + description: |- + IPProtocol: The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be one of the + following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) + or the IP protocol number. + type: string + ports: + description: |- + Ports: An optional list of ports to which this rule applies. This field is + only applicable for the UDP or TCP protocol. 
Each entry must be either an + integer or a range. If not specified, this rule applies to connections + through any port. Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + type: object + type: array + description: + description: |- + Description: An optional description of this resource. Provide this field + when you create the resource. + type: string + destinationRanges: + description: |- + DestinationRanges: If destination ranges are specified, the firewall rule + applies only to traffic that has destination IP address in these ranges. + These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are + supported. + items: + type: string + type: array + direction: + allOf: + - enum: + - INGRESS + - EGRESS + - enum: + - INGRESS + - EGRESS + default: INGRESS + description: |- + Direction: Direction of traffic to which this firewall applies, either + `INGRESS` or `EGRESS`. The default is `INGRESS`. For `EGRESS` traffic, you + cannot specify the sourceTags fields. + + Possible values: + "EGRESS" - Indicates that firewall should apply to outgoing traffic. + "INGRESS" - Indicates that firewall should apply to incoming traffic. + type: string + disabled: + description: |- + Disabled: Denotes whether the firewall rule is disabled. When set to true, + the firewall rule is not enforced and the network behaves as if it did not + exist. If this is unspecified, the firewall rule will be enabled. + type: boolean + name: + description: |- + Name: Name of the resource; provided by the client when the resource is + created. The name must be 1-63 characters long, and comply with RFC1035. + Specifically, the name must be 1-63 characters long and match the regular + expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a + lowercase letter, and all following characters (except for the last + character) must be a dash, lowercase letter, or digit. The last character + must be a lowercase letter or digit. 
+ type: string + priority: + description: |- + Priority: Priority for this rule. This is an integer between `0` and + `65535`, both inclusive. The default value is `1000`. Relative priorities + determine which rule takes effect if multiple rules apply. Lower values + indicate higher priority. For example, a rule with priority `0` has higher + precedence than a rule with priority `1`. DENY rules take precedence over + ALLOW rules if they have equal priority. Note that VPC networks have implied + rules with a priority of `65535`. To avoid conflicts with the implied rules, + use a priority number less than `65535`. + format: int64 + type: integer + sourceRanges: + description: |- + SourceRanges: If source ranges are specified, the firewall rule applies only + to traffic that has a source IP address in these ranges. These ranges must + be expressed in CIDR format. One or both of sourceRanges and sourceTags may + be set. If both fields are set, the rule applies to traffic that has a + source IP address within sourceRanges OR a source IP from a resource with a + matching tag listed in the sourceTags field. The connection does not need to + match both fields for the rule to apply. Both IPv4 and IPv6 are supported. + items: + type: string + type: array + sourceServiceAccounts: + description: |- + SourceServiceAccounts: If source service accounts are specified, the + firewall rules apply only to traffic originating from an instance with a + service account in this list. Source service accounts cannot be used to + control traffic to an instance's external IP address because service + accounts are associated with an instance, not an IP address. sourceRanges + can be set at the same time as sourceServiceAccounts. If both are set, the + firewall applies to traffic that has a source IP address within the + sourceRanges OR a source IP that belongs to an instance with service account + listed in sourceServiceAccount. 
The connection does not need to match both + fields for the firewall to apply. sourceServiceAccounts cannot be used at + the same time as sourceTags or targetTags. + items: + type: string + type: array + sourceTags: + description: |- + SourceTags: If source tags are specified, the firewall rule applies only to + traffic with source IPs that match the primary network interfaces of VM + instances that have the tag and are in the same VPC network. Source tags + cannot be used to control traffic to an instance's external IP address, it + only applies to traffic between instances in the same virtual network. + Because tags are associated with instances, not IP addresses. One or both of + sourceRanges and sourceTags may be set. If both fields are set, the firewall + applies to traffic that has a source IP address within sourceRanges OR a + source IP from a resource with a matching tag listed in the sourceTags + field. The connection does not need to match both fields for the firewall to + apply. + items: + type: string + type: array + targetServiceAccounts: + description: |- + TargetServiceAccounts: A list of service accounts indicating sets of + instances located in the network that may make network connections as + specified in allowed[]. targetServiceAccounts cannot be used at the same + time as targetTags or sourceTags. If neither targetServiceAccounts nor + targetTags are specified, the firewall rule applies to all instances on the + specified network. + items: + type: string + type: array + targetTags: + description: |- + TargetTags: A list of tags that controls which instances the firewall rule + applies to. If targetTags are specified, then the firewall rule applies only + to instances in the VPC network that have one of those tags. If no + targetTags are specified, the firewall rule applies to all instances on the + specified network. 
+ items: + type: string + type: array + type: object + type: array type: object hostProject: description: HostProject is the name of the project hosting the diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclustertemplates.yaml index 9d82a4e96..535367ad9 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclustertemplates.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpclustertemplates.yaml @@ -199,7 +199,8 @@ spec: Defaults to true. type: boolean firewall: - description: Firewall configuration. + description: FirewallSpec contains the firewall configuration + associated with this network. properties: defaultRulesManagement: default: Managed 
@@ -217,6 +218,196 @@ spec: - Managed - Unmanaged type: string + firewallRules: + description: FirewallRules is a list of additional + firewall rules to create. + items: + description: FirewallRule describes a GCP firewall + rule. + properties: + allowed: + description: |- + Allowed: The list of ALLOW rules specified by this firewall. Each rule + specifies a protocol and port-range tuple that describes a permitted + connection. + items: + description: FirewallDescriptor describes + a GCP firewall rule. + properties: + IPProtocol: + description: |- + IPProtocol: The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be one of the + following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) + or the IP protocol number. + type: string + ports: + description: |- + Ports: An optional list of ports to which this rule applies. This field is + only applicable for the UDP or TCP protocol. Each entry must be either an + integer or a range. If not specified, this rule applies to connections + through any port. Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + type: object + type: array + denied: + description: |- + Denied: The list of DENY rules specified by this firewall. Each rule + specifies a protocol and port-range tuple that describes a denied + connection. + items: + description: FirewallDescriptor describes + a GCP firewall rule. + properties: + IPProtocol: + description: |- + IPProtocol: The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be one of the + following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) + or the IP protocol number. + type: string + ports: + description: |- + Ports: An optional list of ports to which this rule applies. This field is + only applicable for the UDP or TCP protocol. 
Each entry must be either an + integer or a range. If not specified, this rule applies to connections + through any port. Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + type: object + type: array + description: + description: |- + Description: An optional description of this resource. Provide this field + when you create the resource. + type: string + destinationRanges: + description: |- + DestinationRanges: If destination ranges are specified, the firewall rule + applies only to traffic that has destination IP address in these ranges. + These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are + supported. + items: + type: string + type: array + direction: + allOf: + - enum: + - INGRESS + - EGRESS + - enum: + - INGRESS + - EGRESS + default: INGRESS + description: |- + Direction: Direction of traffic to which this firewall applies, either + `INGRESS` or `EGRESS`. The default is `INGRESS`. For `EGRESS` traffic, you + cannot specify the sourceTags fields. + + Possible values: + "EGRESS" - Indicates that firewall should apply to outgoing traffic. + "INGRESS" - Indicates that firewall should apply to incoming traffic. + type: string + disabled: + description: |- + Disabled: Denotes whether the firewall rule is disabled. When set to true, + the firewall rule is not enforced and the network behaves as if it did not + exist. If this is unspecified, the firewall rule will be enabled. + type: boolean + name: + description: |- + Name: Name of the resource; provided by the client when the resource is + created. The name must be 1-63 characters long, and comply with RFC1035. + Specifically, the name must be 1-63 characters long and match the regular + expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a + lowercase letter, and all following characters (except for the last + character) must be a dash, lowercase letter, or digit. The last character + must be a lowercase letter or digit. 
+ type: string + priority: + description: |- + Priority: Priority for this rule. This is an integer between `0` and + `65535`, both inclusive. The default value is `1000`. Relative priorities + determine which rule takes effect if multiple rules apply. Lower values + indicate higher priority. For example, a rule with priority `0` has higher + precedence than a rule with priority `1`. DENY rules take precedence over + ALLOW rules if they have equal priority. Note that VPC networks have implied + rules with a priority of `65535`. To avoid conflicts with the implied rules, + use a priority number less than `65535`. + format: int64 + type: integer + sourceRanges: + description: |- + SourceRanges: If source ranges are specified, the firewall rule applies only + to traffic that has a source IP address in these ranges. These ranges must + be expressed in CIDR format. One or both of sourceRanges and sourceTags may + be set. If both fields are set, the rule applies to traffic that has a + source IP address within sourceRanges OR a source IP from a resource with a + matching tag listed in the sourceTags field. The connection does not need to + match both fields for the rule to apply. Both IPv4 and IPv6 are supported. + items: + type: string + type: array + sourceServiceAccounts: + description: |- + SourceServiceAccounts: If source service accounts are specified, the + firewall rules apply only to traffic originating from an instance with a + service account in this list. Source service accounts cannot be used to + control traffic to an instance's external IP address because service + accounts are associated with an instance, not an IP address. sourceRanges + can be set at the same time as sourceServiceAccounts. If both are set, the + firewall applies to traffic that has a source IP address within the + sourceRanges OR a source IP that belongs to an instance with service account + listed in sourceServiceAccount. 
The connection does not need to match both + fields for the firewall to apply. sourceServiceAccounts cannot be used at + the same time as sourceTags or targetTags. + items: + type: string + type: array + sourceTags: + description: |- + SourceTags: If source tags are specified, the firewall rule applies only to + traffic with source IPs that match the primary network interfaces of VM + instances that have the tag and are in the same VPC network. Source tags + cannot be used to control traffic to an instance's external IP address, it + only applies to traffic between instances in the same virtual network. + Because tags are associated with instances, not IP addresses. One or both of + sourceRanges and sourceTags may be set. If both fields are set, the firewall + applies to traffic that has a source IP address within sourceRanges OR a + source IP from a resource with a matching tag listed in the sourceTags + field. The connection does not need to match both fields for the firewall to + apply. + items: + type: string + type: array + targetServiceAccounts: + description: |- + TargetServiceAccounts: A list of service accounts indicating sets of + instances located in the network that may make network connections as + specified in allowed[]. targetServiceAccounts cannot be used at the same + time as targetTags or sourceTags. If neither targetServiceAccounts nor + targetTags are specified, the firewall rule applies to all instances on the + specified network. + items: + type: string + type: array + targetTags: + description: |- + TargetTags: A list of tags that controls which instances the firewall rule + applies to. If targetTags are specified, then the firewall rule applies only + to instances in the VPC network that have one of those tags. If no + targetTags are specified, the firewall rule applies to all instances on the + specified network. 
+ items: + type: string + type: array + type: object + type: array type: object hostProject: description: HostProject is the name of the project hosting diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedclusters.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedclusters.yaml index b90e5d283..4e3a51ade 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedclusters.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedclusters.yaml @@ -176,7 +176,8 @@ spec: Defaults to true. type: boolean firewall: - description: Firewall configuration. + description: FirewallSpec contains the firewall configuration + associated with this network. properties: defaultRulesManagement: default: Managed 
@@ -194,6 +195,195 @@ spec: - Managed - Unmanaged type: string + firewallRules: + description: FirewallRules is a list of additional firewall + rules to create. + items: + description: FirewallRule describes a GCP firewall rule. + properties: + allowed: + description: |- + Allowed: The list of ALLOW rules specified by this firewall. Each rule + specifies a protocol and port-range tuple that describes a permitted + connection. + items: + description: FirewallDescriptor describes a GCP firewall + rule. + properties: + IPProtocol: + description: |- + IPProtocol: The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be one of the + following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) + or the IP protocol number. + type: string + ports: + description: |- + Ports: An optional list of ports to which this rule applies. This field is + only applicable for the UDP or TCP protocol. Each entry must be either an + integer or a range. If not specified, this rule applies to connections + through any port. Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + type: object + type: array + denied: + description: |- + Denied: The list of DENY rules specified by this firewall. Each rule + specifies a protocol and port-range tuple that describes a denied + connection. + items: + description: FirewallDescriptor describes a GCP firewall + rule. + properties: + IPProtocol: + description: |- + IPProtocol: The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be one of the + following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) + or the IP protocol number. + type: string + ports: + description: |- + Ports: An optional list of ports to which this rule applies. This field is + only applicable for the UDP or TCP protocol. 
Each entry must be either an + integer or a range. If not specified, this rule applies to connections + through any port. Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + type: object + type: array + description: + description: |- + Description: An optional description of this resource. Provide this field + when you create the resource. + type: string + destinationRanges: + description: |- + DestinationRanges: If destination ranges are specified, the firewall rule + applies only to traffic that has destination IP address in these ranges. + These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are + supported. + items: + type: string + type: array + direction: + allOf: + - enum: + - INGRESS + - EGRESS + - enum: + - INGRESS + - EGRESS + default: INGRESS + description: |- + Direction: Direction of traffic to which this firewall applies, either + `INGRESS` or `EGRESS`. The default is `INGRESS`. For `EGRESS` traffic, you + cannot specify the sourceTags fields. + + Possible values: + "EGRESS" - Indicates that firewall should apply to outgoing traffic. + "INGRESS" - Indicates that firewall should apply to incoming traffic. + type: string + disabled: + description: |- + Disabled: Denotes whether the firewall rule is disabled. When set to true, + the firewall rule is not enforced and the network behaves as if it did not + exist. If this is unspecified, the firewall rule will be enabled. + type: boolean + name: + description: |- + Name: Name of the resource; provided by the client when the resource is + created. The name must be 1-63 characters long, and comply with RFC1035. + Specifically, the name must be 1-63 characters long and match the regular + expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a + lowercase letter, and all following characters (except for the last + character) must be a dash, lowercase letter, or digit. The last character + must be a lowercase letter or digit. 
+ type: string + priority: + description: |- + Priority: Priority for this rule. This is an integer between `0` and + `65535`, both inclusive. The default value is `1000`. Relative priorities + determine which rule takes effect if multiple rules apply. Lower values + indicate higher priority. For example, a rule with priority `0` has higher + precedence than a rule with priority `1`. DENY rules take precedence over + ALLOW rules if they have equal priority. Note that VPC networks have implied + rules with a priority of `65535`. To avoid conflicts with the implied rules, + use a priority number less than `65535`. + format: int64 + type: integer + sourceRanges: + description: |- + SourceRanges: If source ranges are specified, the firewall rule applies only + to traffic that has a source IP address in these ranges. These ranges must + be expressed in CIDR format. One or both of sourceRanges and sourceTags may + be set. If both fields are set, the rule applies to traffic that has a + source IP address within sourceRanges OR a source IP from a resource with a + matching tag listed in the sourceTags field. The connection does not need to + match both fields for the rule to apply. Both IPv4 and IPv6 are supported. + items: + type: string + type: array + sourceServiceAccounts: + description: |- + SourceServiceAccounts: If source service accounts are specified, the + firewall rules apply only to traffic originating from an instance with a + service account in this list. Source service accounts cannot be used to + control traffic to an instance's external IP address because service + accounts are associated with an instance, not an IP address. sourceRanges + can be set at the same time as sourceServiceAccounts. If both are set, the + firewall applies to traffic that has a source IP address within the + sourceRanges OR a source IP that belongs to an instance with service account + listed in sourceServiceAccount. 
The connection does not need to match both + fields for the firewall to apply. sourceServiceAccounts cannot be used at + the same time as sourceTags or targetTags. + items: + type: string + type: array + sourceTags: + description: |- + SourceTags: If source tags are specified, the firewall rule applies only to + traffic with source IPs that match the primary network interfaces of VM + instances that have the tag and are in the same VPC network. Source tags + cannot be used to control traffic to an instance's external IP address, it + only applies to traffic between instances in the same virtual network. + Because tags are associated with instances, not IP addresses. One or both of + sourceRanges and sourceTags may be set. If both fields are set, the firewall + applies to traffic that has a source IP address within sourceRanges OR a + source IP from a resource with a matching tag listed in the sourceTags + field. The connection does not need to match both fields for the firewall to + apply. + items: + type: string + type: array + targetServiceAccounts: + description: |- + TargetServiceAccounts: A list of service accounts indicating sets of + instances located in the network that may make network connections as + specified in allowed[]. targetServiceAccounts cannot be used at the same + time as targetTags or sourceTags. If neither targetServiceAccounts nor + targetTags are specified, the firewall rule applies to all instances on the + specified network. + items: + type: string + type: array + targetTags: + description: |- + TargetTags: A list of tags that controls which instances the firewall rule + applies to. If targetTags are specified, then the firewall rule applies only + to instances in the VPC network that have one of those tags. If no + targetTags are specified, the firewall rule applies to all instances on the + specified network. 
+ items: + type: string + type: array + type: object + type: array type: object hostProject: description: HostProject is the name of the project hosting the diff --git a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedclustertemplates.yaml b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedclustertemplates.yaml index 41858bbbf..cfb3bdc4e 100644 --- a/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedclustertemplates.yaml +++ b/config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedclustertemplates.yaml @@ -170,7 +170,8 @@ spec: Defaults to true. type: boolean firewall: - description: Firewall configuration. + description: FirewallSpec contains the firewall configuration + associated with this network. properties: defaultRulesManagement: default: Managed 
@@ -188,6 +189,196 @@ spec: - Managed - Unmanaged type: string + firewallRules: + description: FirewallRules is a list of additional + firewall rules to create. + items: + description: FirewallRule describes a GCP firewall + rule. + properties: + allowed: + description: |- + Allowed: The list of ALLOW rules specified by this firewall. Each rule + specifies a protocol and port-range tuple that describes a permitted + connection. + items: + description: FirewallDescriptor describes + a GCP firewall rule. + properties: + IPProtocol: + description: |- + IPProtocol: The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be one of the + following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) + or the IP protocol number. + type: string + ports: + description: |- + Ports: An optional list of ports to which this rule applies. This field is + only applicable for the UDP or TCP protocol. Each entry must be either an + integer or a range. If not specified, this rule applies to connections + through any port. Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + type: object + type: array + denied: + description: |- + Denied: The list of DENY rules specified by this firewall. Each rule + specifies a protocol and port-range tuple that describes a denied + connection. + items: + description: FirewallDescriptor describes + a GCP firewall rule. + properties: + IPProtocol: + description: |- + IPProtocol: The IP protocol to which this rule applies. The protocol type is + required when creating a firewall rule. This value can either be one of the + following well known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp) + or the IP protocol number. + type: string + ports: + description: |- + Ports: An optional list of ports to which this rule applies. This field is + only applicable for the UDP or TCP protocol. 
Each entry must be either an + integer or a range. If not specified, this rule applies to connections + through any port. Example inputs include: ["22"], ["80","443"], and + ["12345-12349"]. + items: + type: string + type: array + type: object + type: array + description: + description: |- + Description: An optional description of this resource. Provide this field + when you create the resource. + type: string + destinationRanges: + description: |- + DestinationRanges: If destination ranges are specified, the firewall rule + applies only to traffic that has destination IP address in these ranges. + These ranges must be expressed in CIDR format. Both IPv4 and IPv6 are + supported. + items: + type: string + type: array + direction: + allOf: + - enum: + - INGRESS + - EGRESS + - enum: + - INGRESS + - EGRESS + default: INGRESS + description: |- + Direction: Direction of traffic to which this firewall applies, either + `INGRESS` or `EGRESS`. The default is `INGRESS`. For `EGRESS` traffic, you + cannot specify the sourceTags fields. + + Possible values: + "EGRESS" - Indicates that firewall should apply to outgoing traffic. + "INGRESS" - Indicates that firewall should apply to incoming traffic. + type: string + disabled: + description: |- + Disabled: Denotes whether the firewall rule is disabled. When set to true, + the firewall rule is not enforced and the network behaves as if it did not + exist. If this is unspecified, the firewall rule will be enabled. + type: boolean + name: + description: |- + Name: Name of the resource; provided by the client when the resource is + created. The name must be 1-63 characters long, and comply with RFC1035. + Specifically, the name must be 1-63 characters long and match the regular + expression `[a-z]([-a-z0-9]*[a-z0-9])?`. The first character must be a + lowercase letter, and all following characters (except for the last + character) must be a dash, lowercase letter, or digit. The last character + must be a lowercase letter or digit. 
+ type: string + priority: + description: |- + Priority: Priority for this rule. This is an integer between `0` and + `65535`, both inclusive. The default value is `1000`. Relative priorities + determine which rule takes effect if multiple rules apply. Lower values + indicate higher priority. For example, a rule with priority `0` has higher + precedence than a rule with priority `1`. DENY rules take precedence over + ALLOW rules if they have equal priority. Note that VPC networks have implied + rules with a priority of `65535`. To avoid conflicts with the implied rules, + use a priority number less than `65535`. + format: int64 + type: integer + sourceRanges: + description: |- + SourceRanges: If source ranges are specified, the firewall rule applies only + to traffic that has a source IP address in these ranges. These ranges must + be expressed in CIDR format. One or both of sourceRanges and sourceTags may + be set. If both fields are set, the rule applies to traffic that has a + source IP address within sourceRanges OR a source IP from a resource with a + matching tag listed in the sourceTags field. The connection does not need to + match both fields for the rule to apply. Both IPv4 and IPv6 are supported. + items: + type: string + type: array + sourceServiceAccounts: + description: |- + SourceServiceAccounts: If source service accounts are specified, the + firewall rules apply only to traffic originating from an instance with a + service account in this list. Source service accounts cannot be used to + control traffic to an instance's external IP address because service + accounts are associated with an instance, not an IP address. sourceRanges + can be set at the same time as sourceServiceAccounts. If both are set, the + firewall applies to traffic that has a source IP address within the + sourceRanges OR a source IP that belongs to an instance with service account + listed in sourceServiceAccount. 
The connection does not need to match both + fields for the firewall to apply. sourceServiceAccounts cannot be used at + the same time as sourceTags or targetTags. + items: + type: string + type: array + sourceTags: + description: |- + SourceTags: If source tags are specified, the firewall rule applies only to + traffic with source IPs that match the primary network interfaces of VM + instances that have the tag and are in the same VPC network. Source tags + cannot be used to control traffic to an instance's external IP address, it + only applies to traffic between instances in the same virtual network. + Because tags are associated with instances, not IP addresses. One or both of + sourceRanges and sourceTags may be set. If both fields are set, the firewall + applies to traffic that has a source IP address within sourceRanges OR a + source IP from a resource with a matching tag listed in the sourceTags + field. The connection does not need to match both fields for the firewall to + apply. + items: + type: string + type: array + targetServiceAccounts: + description: |- + TargetServiceAccounts: A list of service accounts indicating sets of + instances located in the network that may make network connections as + specified in allowed[]. targetServiceAccounts cannot be used at the same + time as targetTags or sourceTags. If neither targetServiceAccounts nor + targetTags are specified, the firewall rule applies to all instances on the + specified network. + items: + type: string + type: array + targetTags: + description: |- + TargetTags: A list of tags that controls which instances the firewall rule + applies to. If targetTags are specified, then the firewall rule applies only + to instances in the VPC network that have one of those tags. If no + targetTags are specified, the firewall rule applies to all instances on the + specified network. 
+ items: + type: string + type: array + type: object + type: array type: object hostProject: description: HostProject is the name of the project hosting