Documentation
¶
Overview ¶
Package gcpfirewall implements providers.NetworkProvider against GCP Firewall Rules Logging, surfacing DENIED connections for an investigation.
GCP "Firewall Rules Logging" records connections evaluated by VPC firewall rules that have logging enabled into Cloud Logging, under the log "compute.googleapis.com%2Ffirewall", each with a jsonPayload.disposition of ALLOWED or DENIED. This provider queries the Cloud Logging API (entries.list) for the DENIED ones — the GCP analog of Cilium dropped flows / AWS REJECT records. Unlike Cilium Hubble, it is CNI-agnostic: it works on any GCP VPC (including GKE) because firewall logging lives in the cloud control plane, not in the cluster's data path.
Access is read-only and uses Application Default Credentials by default (Workload Identity on GKE, ADC elsewhere); tests inject an HTTP client and endpoint instead.
v1 LIMITATION: firewall logs are IP-based. This provider does NOT resolve a Selector's namespace/pod/name to IP addresses, so the Selector is ignored — every DENIED entry in the window is returned regardless of workload.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Client ¶
type Client struct {
// contains filtered or unexported fields
}
Client queries GCP Firewall Rules Logging via the Cloud Logging API for a single project.
func New ¶
New builds a client for the given GCP project. Extra ClientOptions are passed straight to the Cloud Logging service constructor: production relies on Application Default Credentials (Workload Identity / ADC), while tests inject option.WithHTTPClient + option.WithEndpoint + option.WithoutAuthentication. It returns an error if project is empty or the service cannot be built.
func (*Client) Drops ¶
func (c *Client) Drops(ctx context.Context, _ providers.Selector, w providers.TimeWindow) (providers.LogResult, error)
Drops returns DENIED firewall connections within the window as normalized log lines (newest first), capped at the client's max-events budget.
NOTE: firewall logs are IP-based; v1 does not map the Selector's namespace/pod/name to IPs, so the selector is ignored — all DENIED entries in the window are returned. The window is applied via timestamp filters when set.