Support shared VPC in gardener

[toming90]

How to categorize this issue?
/area networking
/kind enhancement
/priority 3
/platform gcp

What would you like to be added: We tried to create gardener cluster using GCP shared VPC, it fails to create the cluster because gardener cannot detect shared-vpc in service project.
Current config of VPC in gardener infrastructure points to a VPC located in local service project, it cannot detect VPCs shared by host project.

Why is this needed:
Shared VPC lets organization administrators delegate administrative responsibilities, such as creating and managing instances, to Service Project Admins while maintaining centralized control over network resources like subnets, routes, and firewalls.
This is also a google recommended way for organization who wants to have more secured network settings and efficient communications.

[kapilraju]

Any update on this feature ask?

We had a discussion on this few months back - #291

[i551110]

Any updates on this?

[dineshraj9]

Is this still a limitation?

[dkistner]

Currently there are no plans to support GCP shared vpcs with Gardener.

There are multiple reasons why. Most important Gardener won't be able to control and reconcile the underlying network layout of a Shoot cluster as with shared vpcs all network configuration need to be done centrally in a host project (where the shared vpc reside). Gardener allows you to bring your own "regular" vpc. With this approach Gardener can at least ensure that required resources (e.g. subnets) and attachments to the vpc and subnet(s) (e.g. security groups, route tables, nat) are available and attached.
Shared vpc would mean for Gardener more or less to support a bring your own infrastructure model which is currently not planned.

[kapilraju]

The workaround is to use VPC peering.

…

On Thu, Apr 20, 2023, 12:26 AM Dominic Kistner ***@***.***> wrote: Currently there are no plans to support GCP shared vpcs with Gardener. There are multiple reasons why. Most important Gardener won't be able to control and reconcile the underlying network layout of a Shoot cluster as with shared vpcs all network configuration need to be done centrally in a host project (where the shared vpc reside). Gardener allows you to bring your own "regular" vpc. With this approach Gardener can at least ensure that required resources (e.g. subnets) and attachments to the vpc and subnet(s) (e.g. security groups, route tables, nat) are available and attached. Shared vpc would mean for Gardener more or less to support a bring your own infrastructure model which is currently not planned. — Reply to this email directly, view it on GitHub <#262 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAMU2FUJC4ZTRZP2H7VKJ5LXCDQKFANCNFSM432VC3GA> . You are receiving this because you commented.Message ID: ***@***.*** com>