ComputeFirewall

Property Value
Google Cloud Service Name Compute Engine
Google Cloud Service Documentation /compute/docs/
Google Cloud REST Resource Name v1.firewalls
Google Cloud REST Resource Documentation /compute/docs/reference/rest/v1/firewalls
Config Connector Resource Short Names gcpcomputefirewall
gcpcomputefirewalls
computefirewall
Config Connector Service Name compute.googleapis.com
Config Connector Resource Fully Qualified Name computefirewalls.compute.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/project-id

Spec

Schema

  allow:
  - ports:
    - string
    protocol: string
  deny:
  - ports:
    - string
    protocol: string
  description: string
  destinationRanges:
  - string
  direction: string
  disabled: boolean
  enableLogging: boolean
  logConfig:
    metadata: string
  networkRef:
    external: string
    name: string
    namespace: string
  priority: integer
  sourceRanges:
  - string
  sourceServiceAccounts:
  - external: string
    name: string
    namespace: string
  sourceTags:
  - string
  targetServiceAccounts:
  - external: string
    name: string
    namespace: string
  targetTags:
  - string
Fields

allow

Optional

list (object)

The list of ALLOW rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a permitted connection.

allow.[]

Optional

object

allow.[].ports

Optional

list (string)

An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

allow.[].ports.[]

Optional

string

allow.[].protocol

Required*

string

The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.

deny

Optional

list (object)

The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection.

deny.[]

Optional

object

deny.[].ports

Optional

list (string)

An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].

deny.[].ports.[]

Optional

string

deny.[].protocol

Required*

string

The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip, all), or the IP protocol number.

description

Optional

string

An optional description of this resource. Provide this property when you create the resource.

destinationRanges

Optional

list (string)

If destination ranges are specified, the firewall will apply only to traffic that has destination IP address in these ranges. These ranges must be expressed in CIDR format. Only IPv4 is supported.

destinationRanges.[]

Optional

string

direction

Optional

string

Direction of traffic to which this firewall applies; default is INGRESS. Note: For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS traffic, it is NOT supported to specify sourceRanges OR sourceTags. Possible values: ["INGRESS", "EGRESS"]

disabled

Optional

boolean

Denotes whether the firewall rule is disabled, i.e not applied to the network it is associated with. When set to true, the firewall rule is not enforced and the network behaves as if it did not exist. If this is unspecified, the firewall rule will be enabled.

enableLogging

Optional

boolean

DEPRECATED — Deprecated in favor of log_config. This field denotes whether to enable logging for a particular firewall rule. If logging is enabled, logs will be exported to Stackdriver.

logConfig

Optional

object

This field denotes the logging options for a particular firewall rule. If defined, logging is enabled, and logs will be exported to Cloud Logging.

logConfig.metadata

Required*

string

This field denotes whether to include or exclude metadata for firewall logs. Possible values: ["EXCLUDE_ALL_METADATA", "INCLUDE_ALL_METADATA"]

networkRef

Required

object

The network to attach this firewall to.

networkRef.external

Optional

string

The selfLink of a ComputeNetwork.

networkRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

networkRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

priority

Optional

integer

Priority for this rule. This is an integer between 0 and 65535, both inclusive. When not specified, the value assumed is 1000. Relative priorities determine precedence of conflicting rules. Lower value of priority implies higher precedence (eg, a rule with priority 0 has higher precedence than a rule with priority 1). DENY rules take precedence over ALLOW rules having equal priority.

sourceRanges

Optional

list (string)

If source ranges are specified, the firewall will apply only to traffic that has source IP address in these ranges. These ranges must be expressed in CIDR format. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply. Only IPv4 is supported.

sourceRanges.[]

Optional

string

sourceServiceAccounts

Optional

list (object)

sourceServiceAccounts.[]

Optional

object

If source service accounts are specified, the firewall will apply only to traffic originating from an instance with a service account in this list. Source service accounts cannot be used to control traffic to an instance's external IP address because service accounts are associated with an instance, not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. If both are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP belongs to an instance with service account listed in sourceServiceAccount. The connection does not need to match both properties for the firewall to apply. sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags.

sourceServiceAccounts.[].external

Optional

string

The email of an IAMServiceAccount.

sourceServiceAccounts.[].name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

sourceServiceAccounts.[].namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

sourceTags

Optional

list (string)

If source tags are specified, the firewall will apply only to traffic with source IP that belongs to a tag listed in source tags. Source tags cannot be used to control traffic to an instance's external IP address. Because tags are associated with an instance, not an IP address. One or both of sourceRanges and sourceTags may be set. If both properties are set, the firewall will apply to traffic that has source IP address within sourceRanges OR the source IP that belongs to a tag listed in the sourceTags property. The connection does not need to match both properties for the firewall to apply.

sourceTags.[]

Optional

string

targetServiceAccounts

Optional

list (object)

targetServiceAccounts.[]

Optional

object

A list of service accounts indicating sets of instances located in the network that may make network connections as specified in allowed[]. targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. If neither targetServiceAccounts nor targetTags are specified, the firewall rule applies to all instances on the specified network.

targetServiceAccounts.[].external

Optional

string

The email of an IAMServiceAccount.

targetServiceAccounts.[].name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

targetServiceAccounts.[].namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

targetTags

Optional

list (string)

A list of instance tags indicating sets of instances located in the network that may make network connections as specified in allowed[]. If no targetTags are specified, the firewall rule applies to all instances on the specified network.

targetTags.[]

Optional

string

* Field is required when parent field is specified

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  creationTimestamp: string
  selfLink: string
Fields
conditions

list (object)

Conditions represents the latest available observation of the resource's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

creationTimestamp

string

Creation timestamp in RFC3339 text format.

selfLink

string

Sample YAML(s)

Allow Rule Firewall

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeFirewall
  metadata:
    labels:
      label-one: "value-one"
    name: computefirewall-sample-allow
  spec:
    allow:
      - protocol: tcp
        ports:
         - "80"
         - "1000-2000"
    networkRef:
      name: computefirewall-dep-allow
  ---
  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeNetwork
  metadata:
    name: computefirewall-dep-allow
  spec:
    routingMode: REGIONAL
    autoCreateSubnetworks: false

Deny Rule Firewall

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeFirewall
  metadata:
    labels:
      label-one: "value-one"
    name: computefirewall-sample-deny
  spec:
    deny:
      - protocol: icmp
    networkRef:
      name: computefirewall-dep-deny
  ---
  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeNetwork
  metadata:
    name: computefirewall-dep-deny
  spec:
    routingMode: REGIONAL
    autoCreateSubnetworks: false