ba...@google.com <ba...@google.com>
ka...@google.com <ka...@google.com> #2
Thanks for the report. I will route this to the appropriate internal team and update this when I hear back from them.
Description
Issue summary:
A custom org policy CEL condition using a supported GKE resource [1] reports "undefined field".
(Unsuccessful) `resource.controlPlaneEndpointsConfig.ipEndpointsConfig.enablePublicEndpoint == true` -> "undefined field 'controlPlaneEndpointsConfig'"
(Unsuccessful) `resource.networkConfig.enableCiliumClusterwideNetworkPolicy == true` -> "undefined field 'enableCiliumClusterwideNetworkPolicy'"
(Successful) `resource.privateClusterConfig.enablePrivateEndpoint == true`
[1]
Reproduction Steps:
1. Cloud console [Org] > IAM and admin > Organization policies > Create custom constraint
2. Display name: Constraint Name
3. Constraint ID: constraintid
4. Resource type:
5. Enforcement method: Enforce on create and update
6. Condition:
(Unsuccessful) `resource.controlPlaneEndpointsConfig.ipEndpointsConfig.enablePublicEndpoint == true` -> "undefined field 'controlPlaneEndpointsConfig'"
(Unsuccessful) `resource.networkConfig.enableCiliumClusterwideNetworkPolicy == true` -> "undefined field 'enableCiliumClusterwideNetworkPolicy'"
(Successful) `resource.privateClusterConfig.enablePrivateEndpoint == true` (note this is deprecated and the customer is opting to use what the documentation suggests.)
The issue is reproduced using different "Objects" and their respective "fields", even using the documented format [1].
Use cases to resolve:
1.) Trying to check GKE Clusters to ensure they are using Private Endpoint
Followed the above documentation and came up with the condition
resource.privateClusterConfig.enablePrivateEndpoint == true
but the documentation says it's deprecated;
I tried using the alternative provided which is
resource.ControlPlaneEndpointsConfig.IPEndpointsConfig.enablePublicEndpoint == true
but this is not working.
2.) Trying to check to ensure Private nodes are enabled.
resource.PrivateClusterConfig.enablePrivateNodes == true
but the documentation says it's deprecated;
I tried using the alternative provided which is
resource.NetworkConfig.defaultEnablePrivateNodes == true
but this is not working.
3.) Enable the data path provider for Cilium
Tried all these combinations; none are working.
resource.enableCiliumClusterwideNetworkPolicy == true
resource.NetworkConfig.CiliumClusterwideNetworkPolicy.disabled == true
resource.CiliumClusterwideNetworkPolicy.NetworkConfig.disabled == true
resource.CiliumClusterwideNetworkPolicy.NetworkConfig.enabled == true
resource.enableCiliumClusterwideNetworkPolicy.disabled == true
resource.CiliumClusterwideNetworkPolicy.disabled == true
resource.NetworkConfig.enableCiliumClusterwideNetworkPolicy.disabled == true
resource.NetworkConfig.CiliumClusterwideNetworkPolicy.disabled == true
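Before re-testing a long list of conditions like the ones above, it helps to separate a case typo in the path (CEL field names are case-sensitive, so `resource.NetworkConfig...` and `resource.networkConfig...` are different fields) from a documented field that the custom constraint service simply does not accept. The linter below is an added example, not part of this issue or of Google's tooling; its schema dict is a constructed subset built only from the field names cited in this report, and an "ok" verdict means the path matches a documented name, not that the service will accept it.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed subset of the GKE Cluster resource fields named in this report
# (assumption: not a complete schema). Nested dicts are messages; True marks
# a boolean leaf field.
CLUSTER_FIELDS: Dict[str, Any] = {
    "privateClusterConfig": {
        "enablePrivateEndpoint": True,
        "enablePrivateNodes": True,
    },
    "networkConfig": {
        "defaultEnablePrivateNodes": True,
        "enableCiliumClusterwideNetworkPolicy": True,
    },
    "controlPlaneEndpointsConfig": {
        "ipEndpointsConfig": {"enablePublicEndpoint": True},
    },
}

# Matches every `resource.a.b.c` reference inside a CEL condition string.
PATH_RE = re.compile(r"resource((?:\.[A-Za-z_][A-Za-z0-9_]*)+)")


def check_path(path: str, schema: Dict[str, Any] = CLUSTER_FIELDS) -> Tuple[str, str]:
    """Walk a dotted path through the schema.

    Returns (verdict, detail) with verdict 'ok', 'case' (name exists but the
    capitalisation differs) or 'undefined' (no such field at that level)."""
    node: Any = schema
    for part in path.split("."):
        if not isinstance(node, dict):
            return "undefined", f"'{part}' is below a leaf field"
        if part in node:
            node = node[part]
            continue
        # CEL is case-sensitive, so report a case-only mismatch separately.
        for key in node:
            if key.lower() == part.lower():
                return "case", f"'{part}' should be '{key}'"
        return "undefined", f"undefined field '{part}'"
    return "ok", "path matches a documented field"


def lint_condition(condition: str) -> List[Tuple[str, str, str]]:
    """Check each resource.<path> reference in a CEL condition."""
    results = []
    for m in PATH_RE.finditer(condition):
        path = m.group(1)[1:]  # drop the leading dot
        verdict, detail = check_path(path)
        results.append((path, verdict, detail))
    return results
```

Running `lint_condition` over the conditions tried in use cases 1 to 3 above flags `resource.ControlPlaneEndpointsConfig...` and `resource.NetworkConfig...` as case mismatches and the `CiliumClusterwideNetworkPolicy.disabled` variants as undefined, leaving only the lowerCamel paths as candidates for a service-side support gap.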