GKE FW rules #1658
Replies: 1 comment
Hi Isaac, I would guess that the best person to answer this question is Nick, and Nick is OOO for 3 weeks, so expect delays. My intuition is that you are right and that modifying the existing vpc module seems overly specific, unless we add it as a flag. However, it seems that the lifecycle of the VPC is different from the lifecycle of the cluster, or the node pools, and as such it would perhaps make sense to add another module that adjusts firewall rules. We currently don't have that in the roadmap for this year, but keep in mind a module can be in a local file system or another git repo, so if such a module existed, one could point to it directly from the yaml.
I'm curious as to what the suggested approach is for managing FW rules for the specific use case of Kubernetes webhooks with the VPC and GKE modules.
In this case, GKE creates a default FW rule to allow traffic from the K8S control plane to the pod network space on specific ports. But the addition of webhooks can require additional ports (for an OSS example, cert-manager requires such a change).
I don't think this makes sense to add to the vpc module FW rules list for two reasons:
gke-[cluster-name]-[cluster-hash]-master rule rather than add a new one

Any thoughts?
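As an added example (not code from this thread, and not one of the project's own modules), here is one way to build the separate firewall-rule module the reply above describes: a small standalone Terraform module that looks up the existing GKE cluster, reads its control-plane CIDR, and opens the extra webhook port toward the node VMs. The port (TCP 10250, which cert-manager's webhook listens on by default), the variable names, the rule name and the node network tag are assumptions chosen for illustration; adjust them to the blueprint you are deploying.

```hcl
# Added example: not part of the discussion above or of the project's modules.
# Assumptions: the cluster is a private GKE cluster (so its control-plane CIDR
# is available in private_cluster_config), the node pools carry a network tag
# (var.node_tag), and the webhook listens on TCP 10250 (cert-manager's default).

variable "project_id"   { type = string }
variable "location"     { type = string } # region or zone of the cluster
variable "cluster_name" { type = string }
variable "network"      { type = string } # VPC name or self_link, from the vpc module
variable "node_tag"     { type = string } # network tag applied to the node pools

variable "webhook_ports" {
  type        = list(string)
  default     = ["10250"] # cert-manager webhook default; extend for other webhooks
  description = "Extra TCP ports the control plane must reach on the nodes"
}

# Look the cluster up instead of managing it, so this module's lifecycle is
# independent of both the cluster and its node pools.
data "google_container_cluster" "this" {
  name     = var.cluster_name
  location = var.location
  project  = var.project_id
}

locals {
  # Source range for the rule: the GKE control plane's own CIDR.
  master_cidr = data.google_container_cluster.this.private_cluster_config[0].master_ipv4_cidr_block
}

# A separate, narrowly scoped rule next to the GKE-managed
# gke-[cluster-name]-[cluster-hash]-master rule, rather than an edit of it:
# same source (control-plane CIDR), only the extra webhook ports, only
# node VMs carrying the tag. GKE can recreate its own rule; this one stays.
resource "google_compute_firewall" "control_plane_to_webhooks" {
  name      = "${var.cluster_name}-cp-to-webhooks" # assumed naming, must be RFC 1035
  project   = var.project_id
  network   = var.network
  direction = "INGRESS"
  priority  = 1000

  source_ranges = [local.master_cidr]
  target_tags   = [var.node_tag]

  allow {
    protocol = "tcp"
    ports    = var.webhook_ports
  }
}

output "rule_self_link" {
  value = google_compute_firewall.control_plane_to_webhooks.self_link
}
```

Because the module only reads the cluster, it can live in its own directory or git repo and be referenced from the blueprint yaml as the reply suggests, applied after the cluster exists and destroyed without touching it. Two caveats: for a cluster without private_cluster_config the CIDR lookup fails, so that case needs an explicit source range instead; and keep source_ranges limited to the control-plane CIDR rather than 0.0.0.0/0, since the point of the rule is to let only the API server reach the webhook port.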