Checklist
Describe the feature or resource
The ContainerCluster and ContainerNodePool resources do not currently support resource manager tags (resourceManagerTags). The Terraform google_container_cluster resource supports this via node_pool_defaults.node_config_defaults.resource_manager_tags and node_config.resource_manager_tags.
Resource manager tags are distinct from labels — they integrate with IAM conditions and firewall policies, making them critical for network segmentation and policy enforcement in shared VPC environments.
We use resource manager tags on GKE node pools to drive network firewall policy decisions in a shared VPC hub. For example, tagging nodes allows centrally managed firewall policies to match on tags rather than IP ranges or service accounts. This is the Google-recommended approach.
Without KCC support, clusters managed via Config Connector cannot have their firewall tag bindings declared alongside the rest of the cluster spec, forcing a split between KCC-managed cluster config and out-of-band tag management.
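Until the bindings can live in the KCC spec, the operator is left checking by hand that the tags actually applied to each node pool match what the firewall policy expects. As an added example that is not part of this issue or of Config Connector, the following drift check reads the JSON returned by `gcloud container node-pools describe POOL_NAME --cluster=CLUSTER_NAME --format=json` and compares the `config.resourceManagerTags.tags` map against the bindings declared for that pool. The node pool documents and expected bindings below are constructed samples; the JSON shape assumes the GKE API `NodeConfig.resourceManagerTags` structure with its `tags` map, and the pool and tag identifiers are placeholders.

```python
import json

# Constructed sample: the shape of `gcloud container node-pools describe --format=json`
# output, trimmed to the fields this check reads. Tag ids are placeholders.
SAMPLE_NODE_POOLS = [
    {
        "name": "default-pool",
        "config": {
            "resourceManagerTags": {
                "tags": {"tagKeys/123456": "tagValues/789012"}
            }
        },
    },
    {
        "name": "untagged-pool",
        "config": {},
    },
]

# Constructed desired state: the bindings each pool should carry, i.e. what a
# KCC spec would declare if ContainerNodePool exposed resourceManagerTags.
EXPECTED_TAGS = {
    "default-pool": {"tagKeys/123456": "tagValues/789012"},
    "untagged-pool": {"tagKeys/123456": "tagValues/789012"},
}


def load_pools(gcloud_json: str) -> list:
    """Parse `gcloud ... describe --format=json` output; a single pool or a list."""
    data = json.loads(gcloud_json)
    return data if isinstance(data, list) else [data]


def applied_tags(pool: dict) -> dict:
    """Return the tagKey -> tagValue map bound to a node pool (empty if none)."""
    config = pool.get("config", {})
    return dict(config.get("resourceManagerTags", {}).get("tags", {}))


def tag_drift(pools: list, expected: dict) -> dict:
    """Report pools whose applied tags differ from the expected bindings.

    A key bound to the wrong value shows up as both missing (the expected
    value) and unexpected (the actual value), so both sides of the drift
    are visible.
    """
    drift = {}
    for pool in pools:
        name = pool["name"]
        want = expected.get(name, {})
        have = applied_tags(pool)
        missing = {k: v for k, v in want.items() if have.get(k) != v}
        unexpected = {k: v for k, v in have.items() if want.get(k) != v}
        if missing or unexpected:
            drift[name] = {"missing": missing, "unexpected": unexpected}
    return drift


if __name__ == "__main__":
    # Replace SAMPLE_NODE_POOLS with load_pools(sys.stdin.read()) to check live output.
    print(json.dumps(tag_drift(SAMPLE_NODE_POOLS, EXPECTED_TAGS), indent=2))
```

Run against real output by piping the `gcloud container node-pools describe` JSON into `load_pools`; any pool listed in the result is one whose firewall policy matches will not behave as the declared tags intend.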
Additional information
GKE API reference: NodeConfig.resourceManagerTags
Terraform equivalent:
```hcl
resource "google_container_cluster" "example" {
  node_pool_defaults {
    node_config_defaults {
      resource_manager_tags = {
        "tagKeys/123456" = "tagValues/789012"
      }
    }
  }
}

resource "google_container_node_pool" "example" {
  node_config {
    resource_manager_tags = {
      "tagKeys/123456" = "tagValues/789012"
    }
  }
}
```
gcloud equivalent:
```shell
gcloud container node-pools create POOL_NAME \
  --cluster=CLUSTER_NAME \
  --resource-manager-tags=tagKeys/123456=tagValues/789012
```
Importance
We would like to migrate GKE cluster lifecycle management to Config Connector and resource manager tags are a core part of our network policy model in shared VPC environments. Without this, we need to maintain a separate Terraform or gcloud workflow just for tag bindings, which undermines the goal of having a single declarative source of truth via KCC.