Checklist
Describe the feature or resource
There currently seems to be no way to scope a Cloud Armor policy to regional (from global) using KCC.
I believe Terraform have gone down the route of having a separate resource-type for Regional Security Policy; however, there is no equivalent here.
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_security_policy
This creates the security-policy in global scope:
```yaml
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeSecurityPolicy
metadata:
  name: allow-all
spec:
  description: A permissive policy to allow all traffic
  rule:
  - description: Rule matching all IPs with priority 2147483647, set to allow.
    action: allow
    priority: 2147483647
    match:
      versionedExpr: SRC_IPS_V1
      config:
        srcIpRanges:
        - "*"
```
The following app will not bind to the allow-all policy if my-app is a regional service:
```yaml
apiVersion: networking.gke.io/v1
kind: GCPBackendPolicy
metadata:
  name: my-app-backend-policy
spec:
  default:
    securityPolicy: allow-all
  targetRef:
    group: ""
    kind: Service
    name: my-app
```