
ContainerCluster: Support for disableL4LbFirewallReconciliation #7605

@bm1216

Description


Checklist

  • I did not find a related open enhancement request.
  • I understand that enhancement requests filed in the GitHub repository are by default low priority.
  • If this request is time-sensitive, I have submitted a corresponding issue with GCP support.

Describe the feature or resource

The ContainerCluster resource does not currently support the networkConfig.disableL4LbFirewallReconciliation field. This field is available in the GKE API and the Terraform google_container_cluster resource.

When set to true, GKE stops automatically creating and managing VPC firewall rules for L4 (TCP/UDP) load balancer Services. This is important in shared VPC environments where firewall rules are managed centrally in the host project — typically via network firewall policies or resource manager tag-based rules — and the GKE service account in the service project does not have permission to create firewall rules in the host project.

Without this field, KCC-managed clusters default to false (reconciliation enabled), causing GKE to attempt firewall rule creation in the host project on every L4 Service. This doesn't block Service creation, but generates persistent permission errors on Service status and conflicts with centrally managed firewall policies.

Additional information

GKE API field: cluster.networkConfig.disableL4LbFirewallReconciliation

Terraform equivalent (top-level attribute on google_container_cluster):

resource "google_container_cluster" "example" {
  # ...
  disable_l4_lb_firewall_reconciliation = true
}

gcloud equivalent:

gcloud container clusters create CLUSTER_NAME \
  --disable-l4-lb-firewall-reconciliation

Importance

Not vital. The service can be created anyway; it will just create unnecessary firewall rules in air-gapped environments, which can be a security risk.
