Create project network policies for managed services

This page provides instructions to create project network policies for managed services in Google Distributed Cloud (GDC) air-gapped. A GDC managed service is a service that is built and maintained by Google. It is available by default to all users and can be accessed through the GDC web console or using the command line. Managed services can be either software developed by Google or open-source software that Google has integrated with GDC.

Before you begin

To create project network policies for managed services, you must have the following:

Create a policy for a managed service

By default, a managed service only allows connections from the project that created the service. An operator can expose the managed service to projects other than the project that created the service by using a project network policy.

You can create a global policy for a managed service that applies to all zones in your organization. For more information on global resources in a GDC universe, see Multi-zone overview.

Create a global policy for a managed service

The following ProjectNetworkPolicy exposes the Database Service (DBS) as a managed service:

kubectl --kubeconfig GLOBAL_API_SERVER apply -f - <<EOF
apiVersion: networking.global.gdc.goog/v1
kind: ProjectNetworkPolicy
metadata:
  namespace: PROJECT_1
  name: allow-inbound-traffic-from-project-2-to-dbs-service
spec:
  subject:
    subjectType: ManagedService
    managedServices:
      matchTypes:
      - 'dbs'
  ingress:
  - from:
    - projectSelector:
        projects:
          matchNames:
          - PROJECT_2
EOF

Replace the following:

  • GLOBAL_API_SERVER: the global API server's kubeconfig path. For more information, see Global and zonal API servers. If you have not yet generated a kubeconfig file for the API server, see Sign in for details.
  • PROJECT_1: the source project name.
  • PROJECT_2: the destination project. After applying the policy, workloads in the PROJECT_2 project can connect to workloads in the DBS managed service.
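Because each ProjectNetworkPolicy widens the default (only the creating project can reach the managed service), an operator usually wants to know which projects currently have access to which managed service before adding another one. The following audit helper is an added example, not GDC tooling or code from this page: it walks ProjectNetworkPolicy objects (for instance the JSON that kubectl get returns for that kind, loaded with json.load) and builds a table of (namespace, managed service type) to the set of projects allowed in. It understands only the fields shown in the example above (subjectType ManagedService, managedServices.matchTypes, ingress.from[].projectSelector.projects.matchNames) and flags any other kind of ingress peer for manual review rather than guessing its meaning; the sample policies are constructed inline.

```python
"""Audit helper (hypothetical, added example): summarize which projects
ProjectNetworkPolicy objects expose managed services to."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


def summarize_exposure(policies: Iterable[dict]) -> Dict[Tuple[str, str], Set[str]]:
    """Return {(namespace, managed_service_type): {allowed project names}}.

    Only ManagedService-subject policies whose ingress peers are explicit
    projectSelector/matchNames entries contribute; everything else is ignored
    here and reported by find_unrecognised_peers() instead.
    """
    exposure: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for pol in policies:
        if pol.get("kind") != "ProjectNetworkPolicy":
            continue
        spec = pol.get("spec", {})
        subject = spec.get("subject", {})
        if subject.get("subjectType") != "ManagedService":
            continue
        namespace = pol["metadata"]["namespace"]
        service_types = subject.get("managedServices", {}).get("matchTypes", [])
        for rule in spec.get("ingress", []):
            for peer in rule.get("from", []):
                names = (
                    peer.get("projectSelector", {})
                    .get("projects", {})
                    .get("matchNames", [])
                )
                for service_type in service_types:
                    exposure[(namespace, service_type)].update(names)
    return dict(exposure)


def find_unrecognised_peers(policies: Iterable[dict]) -> List[str]:
    """Return 'namespace/name' for every ManagedService policy that has an
    ingress peer we cannot interpret as an explicit list of project names
    (missing projectSelector, or an empty matchNames list). Such policies
    need a human to confirm how wide they actually are."""
    flagged: List[str] = []
    for pol in policies:
        spec = pol.get("spec", {})
        if spec.get("subject", {}).get("subjectType") != "ManagedService":
            continue
        ident = f"{pol['metadata']['namespace']}/{pol['metadata']['name']}"
        for rule in spec.get("ingress", []):
            for peer in rule.get("from", []):
                names = (
                    peer.get("projectSelector", {})
                    .get("projects", {})
                    .get("matchNames", [])
                )
                if not names:
                    flagged.append(ident)
                    break
    return flagged


def make_policy(namespace: str, name: str, service_types: List[str],
                peers: List[dict]) -> dict:
    """Build a ProjectNetworkPolicy dict in the shape shown on the page."""
    return {
        "apiVersion": "networking.global.gdc.goog/v1",
        "kind": "ProjectNetworkPolicy",
        "metadata": {"namespace": namespace, "name": name},
        "spec": {
            "subject": {
                "subjectType": "ManagedService",
                "managedServices": {"matchTypes": service_types},
            },
            "ingress": [{"from": peers}],
        },
    }


def project_peer(*names: str) -> dict:
    """An ingress peer that allows the named projects (page's projectSelector form)."""
    return {"projectSelector": {"projects": {"matchNames": list(names)}}}


# Constructed sample: two policies in project-1 (placeholder names).
SAMPLE_POLICIES = [
    make_policy("project-1", "allow-project-2-to-dbs", ["dbs"],
                [project_peer("project-2")]),
    make_policy("project-1", "allow-project-3-to-dbs", ["dbs"],
                [project_peer("project-3")]),
    # A peer with no matchNames: the helper cannot tell how wide it is.
    make_policy("project-1", "suspicious-peer", ["dbs"],
                [{"projectSelector": {"projects": {}}}]),
]

if __name__ == "__main__":
    for (ns, svc), projects in sorted(summarize_exposure(SAMPLE_POLICIES).items()):
        print(f"{ns}: managed service '{svc}' reachable from {sorted(projects)}")
    for ident in find_unrecognised_peers(SAMPLE_POLICIES):
        print(f"review manually: {ident}")
```

Run it against the real policy list (json.load on the kubectl output, then pass the "items" list) after each change; a policy that lands in the manual-review list is the one to inspect before assuming the managed service is only reachable from the projects you intended.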