
I have set up my GCP organization using the CFT Terraform "Example foundation" scripts. After creating my own restricted shared VPC project using the template provided, I created a private cluster within that project on the restricted shared VPC that has "Private Google access" enabled. I also "deny" traffic to the internet but allow access to Google services using the restricted VIP, including gcr.io. For some reason, I am unable to pull GCR images from within the cluster with a VPC Service perimeter in place for my shared VPC host and service projects. As soon as I remove the perimeter, everything begins working. I have tried adding the SA of the GKE nodes to the "Access Level" of the perimeter, as well as changing the scopes of the GKE SA, without success. Any ideas to fix this issue would be greatly appreciated.

Here are the two important snippets. From the GKE project log:

"Request is prohibited by organization's policy. vpcServiceControlsUniqueIdentifier: d8a2eabceb3adcbd"

and from the shared VPC project log:

```
egressViolations: [
0: {
servicePerimeter: "accessPolicies/904160256446/servicePerimeters/sp_d_shared_restricted_default_perimeter_5493"
source: "projects/956779411422"
sourceType: "Network"
targetResource: "projects/720423819480/buckets/artifacts.google-samples.appspot.com"
}
]
@type: "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
violationReason: "NETWORK_NOT_IN_SAME_SERVICE_PERIMETER"
}
```

My question is: I know the public image I am trying to access is not on a network within the service perimeter because I don't own that project, so how do I add a public container repository project to the perimeter to allow access?

  • What errors are you getting from the logs? Please include it on your post and other information that can help. You can also check [Binary Authorization](https://cloud.google.com/binary-authorization/docs/overview#features) as it may be the possible root cause of the issue. – Alex G Dec 17 '20 at 06:08
  • I have edited the post with the pertinent log data. Thanks. – Kevin Ansberry Dec 17 '20 at 12:58
  • You can allow access to it instead if you are unable to [add it](https://cloud.google.com/vpc-service-controls/docs/create-service-perimeters). You can check this [documentation](https://cloud.google.com/vpc-service-controls/docs/use-access-levels) on how to. – Alex G Jan 05 '21 at 03:11
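As an added example (not from the question or any of the comments), one way to permit only the egress that the audit entry above reports: a VPC Service Controls egress rule, in the YAML that `gcloud access-context-manager perimeters update --set-egress-policies` accepts, scoped to the external project named in `targetResource` (720423819480) and to Cloud Storage object reads, since GCR layers are served from the `artifacts.<project>.appspot.com` bucket rather than from gcr.io itself. The node service account name and project ID are placeholders.

```yaml
# Added example: VPC Service Controls egress rule for the perimeter in the
# question. Apply with:
#   gcloud access-context-manager perimeters update \
#     sp_d_shared_restricted_default_perimeter_5493 \
#     --policy=904160256446 --set-egress-policies=egress.yaml
#
# GCR image layers live in the artifacts.<project>.appspot.com Cloud Storage
# bucket, which is why the violation names storage.googleapis.com objects in
# project 720423819480 instead of a gcr.io resource.
- egressFrom:
    # Only the GKE node service account may leave the perimeter this way.
    # GKE_NODE_SA / PROJECT_ID are placeholders; identityType: ANY_IDENTITY
    # would be the broader (less restrictive) alternative.
    identities:
      - serviceAccount:GKE_NODE_SA@PROJECT_ID.iam.gserviceaccount.com
  egressTo:
    # Limit egress to the single external project from the audit log entry,
    # not to all of storage.googleapis.com.
    resources:
      - projects/720423819480
    operations:
      - serviceName: storage.googleapis.com
        methodSelectors:
          # Object reads are all an image pull needs; no list or write methods.
          - method: google.storage.objects.get
```

After applying, the `egressViolations` entries with `violationReason: "NETWORK_NOT_IN_SAME_SERVICE_PERIMETER"` should stop appearing in the shared VPC project's audit log for pulls of that image; any that remain name the next project or method that still needs a rule.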

0 Answers