ba...@google.com <ba...@google.com>
on...@google.com <on...@google.com> #2
Hello,
Thank you for reaching out. I'm going to create an internal feature request. Please keep in mind that this feature request has to be analyzed and considered by the product team, and I can't provide you an ETA for it to be delivered. However, you can keep track of the status by following this thread.
Description
- I have the constraints/compute.vmExternalIpAccess constraint set to DENY at the organization level. However, at the project level, the policy is set to Allowed for all VM resources [1]. According to [2], setting a policy at the project level overrides the policy at the organization level.
- Therefore, I have been required to set an allowedList/deniedList at the project level to specify which VMs should have an external IP address [2] [3]. The allowed/denied list of VM instances must identify each VM by its instance name, in the form projects/PROJECT_ID/zones/ZONE/instances/INSTANCE [4]. For more information see document [5].
- When I try to create public clusters, they get blocked by the organization-level policy that denies external IPs.
- I want to know how to add the cluster to the allowed list of the constraint. But as the constraint only supports VM instance names, the entry has to be a VM instance name. The cluster spins up VM instances with random characters in their names, so it is not possible to update the org policy every time.
- However, we want to whitelist the cluster (GKE nodes) so that a cluster with external IPs can be created, but here the node names are managed by GKE itself, which gives its nodes unique random characters. So we cannot allow all the cluster nodes by node name.
What needs to be implemented:
- Need to whitelist the GKE cluster in the organization policy "constraints/compute.vmExternalIpAccess" so that it allows existing nodes as well as newly created nodes to have a public IP address while this org policy is enabled.
[1] Project Level_Define allows external IPs for VM instances
[2] Set the policy at the project level
[3] Restricting external IP addresses to specific VMs
[4] Organization policy constraints
[5] Specifications for restricting external IP addresses
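To make the mismatch described in this request concrete, here is an added example (not part of the issue or of any Google tooling) that models how a list constraint such as constraints/compute.vmExternalIpAccess resolves across the org/project hierarchy and renders the policy file that `gcloud resource-manager org-policies set-policy` takes. The hierarchy semantics are a simplified reading of the documentation (project policy replaces the org policy when inheritFromParent is left at its default), and the project, zone and instance names, including the GKE node name with its random suffix, are constructed.

```python
import re
from dataclasses import dataclass, field

CONSTRAINT = "constraints/compute.vmExternalIpAccess"
# List entries must be full instance names: projects/PROJECT_ID/zones/ZONE/instances/INSTANCE
INSTANCE_RE = re.compile(r"^projects/[^/]+/zones/[^/]+/instances/[^/]+$")

@dataclass
class ListPolicy:
    all_values: str = ""                          # "ALLOW", "DENY" or "" (unset)
    allowed_values: list = field(default_factory=list)
    denied_values: list = field(default_factory=list)

def invalid_entries(policy):
    """Entries that are not full instance resource names (bare names, wildcards)."""
    return [v for v in policy.allowed_values + policy.denied_values
            if not INSTANCE_RE.match(v)]
def effective_policy(hierarchy):
    """Resolve org -> folder -> project. With the default inheritFromParent=false,
    the lowest level that sets a policy replaces everything above it."""
    effective = ListPolicy(all_values="ALLOW")    # nothing set anywhere: unrestricted
    for policy in hierarchy:
        if policy is not None:
            effective = policy
    return effective
def external_ip_allowed(instance, policy):
    """Whether `instance` may get an external IP under `policy`."""
    if policy.all_values:
        return policy.all_values == "ALLOW"
    if policy.allowed_values:                     # allow-list: everything else denied
        return instance in policy.allowed_values
    if policy.denied_values:                      # deny-list: everything else allowed
        return instance not in policy.denied_values
    return True
def policy_yaml(policy):
    """Render the file taken by `gcloud resource-manager org-policies set-policy`."""
    lines = [f"constraint: {CONSTRAINT}", "listPolicy:"]
    if policy.all_values:
        lines.append(f"  allValues: {policy.all_values}")
    for key, values in (("allowedValues", policy.allowed_values), ("deniedValues", policy.denied_values)):
        if values:
            lines.append(f"  {key}:")
            lines += [f"  - {v}" for v in values]
    return "\n".join(lines) + "\n"

ORG = ListPolicy(all_values="DENY")               # organization level: deny all
BASTION = "projects/my-proj/zones/us-central1-a/instances/bastion-1"   # constructed
PROJECT = ListPolicy(allowed_values=[BASTION])    # project-level override
# Constructed GKE node name; its random suffix is why it cannot be listed ahead of time.
GKE_NODE = "projects/my-proj/zones/us-central1-a/instances/gke-prod-default-pool-3f2a9c1b-x7kq"
```

Running `external_ip_allowed(GKE_NODE, effective_policy([ORG, PROJECT]))` returns False while the bastion entry returns True, which is exactly the gap the request asks to close; `invalid_entries` shows why a wildcard such as a node-pool prefix is not an option under the current entry format.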