

Google APIscopybara-github
authored andcommitted
feat: Add API fields related to GKE Pods and Network Policies
PiperOrigin-RevId: 873925482
1 parent 47e44e0 commit edfe798

2 files changed

Lines changed: 106 additions & 1 deletion


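--- a/google/cloud/networkmanagement/v1beta1/networkmanagement_v1beta1.yaml
+++ b/google/cloud/networkmanagement/v1beta1/networkmanagement_v1beta1.yaml
@@ -23,7 +23,15 @@ documentation:
 description: Gets information about a location.
 
 - selector: google.cloud.location.Locations.ListLocations
-description: Lists information about the supported locations for this service.
+description: |-
+Lists information about the supported locations for this service.
+This method can be called in two ways:
+
+* **List all public locations:** Use the path `GET /v1/locations`.
+* **List project-visible locations:** Use the path
+`GET /v1/projects/{project_id}/locations`. This may include public
+locations as well as private or other locations specifically visible
+to the project.
 
 - selector: google.iam.v1.IAMPolicy.GetIamPolicy
 description: |-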
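--- a/google/cloud/networkmanagement/v1beta1/trace.proto
+++ b/google/cloud/networkmanagement/v1beta1/trace.proto
@@ -180,6 +180,9 @@ message Step {
 // Forwarding state: arriving at a VPC connector.
 ARRIVE_AT_VPC_CONNECTOR = 24;
 
+// Forwarding state: arriving at a GKE Pod.
+ARRIVE_AT_GKE_POD = 44;
+
 // Forwarding state: for packets originating from a serverless endpoint
 // forwarded through Direct VPC egress.
 DIRECT_VPC_EGRESS_CONNECTION = 35;
@@ -188,6 +191,10 @@ message Step {
 // forwarded through public (external) connectivity.
 SERVERLESS_EXTERNAL_CONNECTION = 36;
 
+// Forwarding state: Layer 7 packet inspection by the firewall endpoint
+// based on the configured security profile group.
+NGFW_PACKET_INSPECTION = 47;
+
 // Transition state: packet header translated. The `nat` field is populated
 // with the translation information.
 NAT = 14;
@@ -196,6 +203,20 @@ message Step {
 // `ip_masquerading_skipped` field is populated with the reason.
 SKIP_GKE_POD_IP_MASQUERADING = 40;
 
+// Transition state: GKE Ingress Network Policy is skipped. The
+// `gke_network_policy_skipped` field is populated with the reason.
+SKIP_GKE_INGRESS_NETWORK_POLICY = 41;
+
+// Transition state: GKE Egress Network Policy is skipped. The
+// `gke_network_policy_skipped` field is populated with the reason.
+SKIP_GKE_EGRESS_NETWORK_POLICY = 42;
+
+// Config checking state: verify ingress GKE network policy.
+APPLY_INGRESS_GKE_NETWORK_POLICY = 45;
+
+// Config checking state: verify egress GKE network policy.
+APPLY_EGRESS_GKE_NETWORK_POLICY = 46;
+
 // Transition state: original connection is terminated and a new proxied
 // connection is initiated.
 PROXY_CONNECTION = 15;
@@ -307,6 +328,13 @@ message Step {
 // skipped.
 IpMasqueradingSkippedInfo ip_masquerading_skipped = 38;
 
+// Display information of a GKE Network Policy.
+GkeNetworkPolicyInfo gke_network_policy = 39;
+
+// Display information of the reason why GKE Network Policy evaluation was
+// skipped.
+GkeNetworkPolicySkippedInfo gke_network_policy_skipped = 40;
+
 // Display information of a Cloud SQL instance.
 CloudSQLInstanceInfo cloud_sql_instance = 19;
 
@@ -340,6 +368,9 @@ message Step {
 // Display information of a Serverless network endpoint group backend. Used
 // only for return traces.
 ServerlessNegInfo serverless_neg = 29;
+
+// Display information of a layer 7 packet inspection by the firewall.
+NgfwPacketInspectionInfo ngfw_packet_inspection = 42;
 }
 }
 
@@ -1827,6 +1858,13 @@ message DropInfo {
 // Packet is dropped because no matching route was found in the hybrid
 // subnet.
 HYBRID_SUBNET_NO_ROUTE = 106;
+
+// Packet is dropped by GKE Network Policy.
+GKE_NETWORK_POLICY = 108;
+
+// Packet is dropped because there is no valid matching route from the
+// network of the Google-managed service to the destination.
+NO_VALID_ROUTE_FROM_GOOGLE_MANAGED_NETWORK_TO_DESTINATION = 110;
 }
 
 // Cause that the packet is dropped.
@@ -1931,6 +1969,57 @@ message IpMasqueradingSkippedInfo {
 string non_masquerade_range = 2;
 }
 
+// For display only. Metadata associated with a GKE Network Policy.
+message GkeNetworkPolicyInfo {
+// The name of the Network Policy.
+string display_name = 1;
+
+// The URI of the Network Policy.
+// Format for a Network Policy in a zonal cluster:
+// `projects/<project_id>/zones/<zone>/clusters/<cluster>/k8s/namespaces/<namespace>/networking.k8s.io/networkpolicies/<networkpolicy>`
+// Format for a Network Policy in a regional cluster:
+// `projects/<project_id>/locations/<location>/clusters/<cluster>/k8s/namespaces/<namespace>/networking.k8s.io/networkpolicies/<networkpolicy>`
+string uri = 2;
+
+// Possible values: INGRESS, EGRESS
+string direction = 3;
+
+// Possible values: ALLOW, DENY
+string action = 4;
+}
+
+// For display only. Contains information about why GKE Network Policy
+// evaluation was skipped.
+message GkeNetworkPolicySkippedInfo {
+enum Reason {
+// Unused default value.
+REASON_UNSPECIFIED = 0;
+
+// Network Policy is disabled on the cluster.
+NETWORK_POLICY_DISABLED = 1;
+
+// Ingress traffic to a Pod from a source on the same Node is always
+// allowed.
+INGRESS_SOURCE_ON_SAME_NODE = 2;
+
+// Egress traffic from a Pod that uses the Node's network namespace is not
+// subject to Network Policy.
+EGRESS_FROM_NODE_NETWORK_NAMESPACE_POD = 3;
+
+// Network Policy is not applied to response traffic. This is because GKE
+// Network Policy evaluation is stateful in both GKE Dataplane V2 (eBPF) and
+// legacy (iptables) implementations.
+NETWORK_POLICY_NOT_APPLIED_TO_RESPONSE_TRAFFIC = 4;
+
+// Network Policy evaluation is currently not supported for clusters with
+// FQDN Network Policies enabled.
+NETWORK_POLICY_ANALYSIS_UNSUPPORTED = 100;
+}
+
+// Reason why Network Policy evaluation was skipped.
+Reason reason = 1;
+}
+
 // For display only. Metadata associated with a Cloud SQL instance.
 message CloudSQLInstanceInfo {
 // Name of a Cloud SQL instance.
@@ -2332,3 +2421,11 @@ message ServerlessNegInfo {
 // URI of the serverless network endpoint group.
 string neg_uri = 1;
 }
+
+// For display only. Metadata associated with a layer 7 packet inspection by the
+// firewall.
+message NgfwPacketInspectionInfo {
+// URI of the security profile group associated with this firewall packet
+// inspection.
+string security_profile_group_uri = 1;
+}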
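Review bot: The `direction` and `action` fields of the new `GkeNetworkPolicyInfo` carry a closed two-value vocabulary as free-form `string`, documented only as `// Possible values: INGRESS, EGRESS` and `// Possible values: ALLOW, DENY`; a consumer that keys alerting or policy checks on `action == "DENY"` has no contract for case, for the empty string, or for whether the set can grow. If the string type is kept for consistency with the file's existing display-only messages, the comments should at least say what the field describes and that the value set is closed, e.g. `// Verdict of the matched Network Policy rule for the traced packet. Possible values: ALLOW, DENY`, with the same treatment for `direction`; otherwise an enum with a zero `_UNSPECIFIED` value is the idiomatic form. In the `Step` hunks the new display fields take numbers 39, 40 and 42, leaving 41 unused; if 41 is deliberately skipped, a `reserved 41;` or a short comment would keep it from being reused later (the rest of `Step` lies outside the hunk, so this may already be handled there).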