@@ -176,6 +176,9 @@ message Step {
176176 // Forwarding state: arriving at a VPC connector.
177177 ARRIVE_AT_VPC_CONNECTOR = 24 ;
178178
179+ // Forwarding state: arriving at a GKE Pod.
180+ ARRIVE_AT_GKE_POD = 44 ;
181+
179182 // Forwarding state: for packets originating from a serverless endpoint
180183 // forwarded through Direct VPC egress.
181184 DIRECT_VPC_EGRESS_CONNECTION = 35 ;
@@ -184,6 +187,10 @@ message Step {
184187 // forwarded through public (external) connectivity.
185188 SERVERLESS_EXTERNAL_CONNECTION = 36 ;
186189
190+ // Forwarding state: Layer 7 packet inspection by the firewall endpoint
191+ // based on the configured security profile group.
192+ NGFW_PACKET_INSPECTION = 47 ;
193+
187194 // Transition state: packet header translated. The `nat` field is populated
188195 // with the translation information.
189196 NAT = 14 ;
@@ -192,6 +199,20 @@ message Step {
192199 // `ip_masquerading_skipped` field is populated with the reason.
193200 SKIP_GKE_POD_IP_MASQUERADING = 40 ;
194201
202+ // Transition state: GKE Ingress Network Policy is skipped. The
203+ // `gke_network_policy_skipped` field is populated with the reason.
204+ SKIP_GKE_INGRESS_NETWORK_POLICY = 41 ;
205+
206+ // Transition state: GKE Egress Network Policy is skipped. The
207+ // `gke_network_policy_skipped` field is populated with the reason.
208+ SKIP_GKE_EGRESS_NETWORK_POLICY = 42 ;
209+
210+ // Config checking state: verify ingress GKE network policy.
211+ APPLY_INGRESS_GKE_NETWORK_POLICY = 45 ;
212+
213+ // Config checking state: verify egress GKE network policy.
214+ APPLY_EGRESS_GKE_NETWORK_POLICY = 46 ;
215+
195216 // Transition state: original connection is terminated and a new proxied
196217 // connection is initiated.
197218 PROXY_CONNECTION = 15 ;
@@ -303,6 +324,13 @@ message Step {
303324 // skipped.
304325 IpMasqueradingSkippedInfo ip_masquerading_skipped = 38 ;
305326
327+ // Display information of a GKE Network Policy.
328+ GkeNetworkPolicyInfo gke_network_policy = 39 ;
329+
330+ // Display information of the reason why GKE Network Policy evaluation was
331+ // skipped.
332+ GkeNetworkPolicySkippedInfo gke_network_policy_skipped = 40 ;
333+
306334 // Display information of a Cloud SQL instance.
307335 CloudSQLInstanceInfo cloud_sql_instance = 19 ;
308336
@@ -336,6 +364,9 @@ message Step {
336364 // Display information of a Serverless network endpoint group backend. Used
337365 // only for return traces.
338366 ServerlessNegInfo serverless_neg = 29 ;
367+
368+ // Display information of a layer 7 packet inspection by the firewall.
369+ NgfwPacketInspectionInfo ngfw_packet_inspection = 42 ;
339370 }
340371}
341372
@@ -1825,6 +1856,13 @@ message DropInfo {
18251856 // Packet is dropped because no matching route was found in the hybrid
18261857 // subnet.
18271858 HYBRID_SUBNET_NO_ROUTE = 106 ;
1859+
1860+ // Packet is dropped by GKE Network Policy.
1861+ GKE_NETWORK_POLICY = 108 ;
1862+
1863+ // Packet is dropped because there is no valid matching route from the
1864+ // network of the Google-managed service to the destination.
1865+ NO_VALID_ROUTE_FROM_GOOGLE_MANAGED_NETWORK_TO_DESTINATION = 110 ;
18281866 }
18291867
18301868 // Cause that the packet is dropped.
@@ -1929,6 +1967,57 @@ message IpMasqueradingSkippedInfo {
19291967 string non_masquerade_range = 2 ;
19301968}
19311969
1970+ // For display only. Metadata associated with a GKE Network Policy.
1971+ message GkeNetworkPolicyInfo {
1972+ // The name of the Network Policy.
1973+ string display_name = 1 ;
1974+
1975+ // The URI of the Network Policy.
1976+ // Format for a Network Policy in a zonal cluster:
1977+ // `projects/<project_id>/zones/<zone>/clusters/<cluster>/k8s/namespaces/<namespace>/networking.k8s.io/networkpolicies/<networkpolicy>`
1978+ // Format for a Network Policy in a regional cluster:
1979+ // `projects/<project_id>/locations/<location>/clusters/<cluster>/k8s/namespaces/<namespace>/networking.k8s.io/networkpolicies/<networkpolicy>`
1980+ string uri = 2 ;
1981+
1982+ // Possible values: INGRESS, EGRESS
1983+ string direction = 3 ;
1984+
1985+ // Possible values: ALLOW, DENY
1986+ string action = 4 ;
1987+ }
1988+
1989+ // For display only. Contains information about why GKE Network Policy
1990+ // evaluation was skipped.
1991+ message GkeNetworkPolicySkippedInfo {
1992+ enum Reason {
1993+ // Unused default value.
1994+ REASON_UNSPECIFIED = 0 ;
1995+
1996+ // Network Policy is disabled on the cluster.
1997+ NETWORK_POLICY_DISABLED = 1 ;
1998+
1999+ // Ingress traffic to a Pod from a source on the same Node is always
2000+ // allowed.
2001+ INGRESS_SOURCE_ON_SAME_NODE = 2 ;
2002+
2003+ // Egress traffic from a Pod that uses the Node's network namespace is not
2004+ // subject to Network Policy.
2005+ EGRESS_FROM_NODE_NETWORK_NAMESPACE_POD = 3 ;
2006+
2007+ // Network Policy is not applied to response traffic. This is because GKE
2008+ // Network Policy evaluation is stateful in both GKE Dataplane V2 (eBPF) and
2009+ // legacy (iptables) implementations.
2010+ NETWORK_POLICY_NOT_APPLIED_TO_RESPONSE_TRAFFIC = 4 ;
2011+
2012+ // Network Policy evaluation is currently not supported for clusters with
2013+ // FQDN Network Policies enabled.
2014+ NETWORK_POLICY_ANALYSIS_UNSUPPORTED = 100 ;
2015+ }
2016+
2017+ // Reason why Network Policy evaluation was skipped. <
2018+ Reason reason = 1 ;
2019+ }
2020+
19322021// For display only. Metadata associated with a Cloud SQL instance.
19332022message CloudSQLInstanceInfo {
19342023 // Name of a Cloud SQL instance.
@@ -2330,3 +2419,11 @@ message ServerlessNegInfo {
23302419 // URI of the serverless network endpoint group.
23312420 string neg_uri = 1 ;
23322421}
2422+
2423+ // For display only. Metadata associated with a layer 7 packet inspection by the
2424+ // firewall.
2425+ message NgfwPacketInspectionInfo {
2426+ // URI of the security profile group associated with this firewall packet
2427+ // inspection.
2428+ string security_profile_group_uri = 1 ;
2429+ }
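Review bot: `direction` and `action` in the new `GkeNetworkPolicyInfo` message are declared as `string` while their comments pin a closed two-value vocabulary (`INGRESS`/`EGRESS`, `ALLOW`/`DENY`), so consumers get no typed set and must match case-sensitive tokens that the schema does not validate. If this field shape is not yet published, a nested enum with an unspecified zero is the idiomatic form, e.g. `enum Direction { DIRECTION_UNSPECIFIED = 0; INGRESS = 1; EGRESS = 2; }` with `Direction direction = 3;`, and likewise an `Action` enum for field 4; if the string form must stay, the two comments should at least say that the value is exactly one of the listed uppercase tokens and what an empty string means. The other hunks (the `ARRIVE_AT_GKE_POD`, `SKIP_*`/`APPLY_*` and `NGFW_PACKET_INSPECTION` states, the `DropInfo` causes, and the new `gke_network_policy*`/`ngfw_packet_inspection` fields) follow the file's existing naming and numbering patterns and raise nothing on their own. The enclosing `Step` and `DropInfo` definitions start and end outside the visible hunks, so the uniqueness of the new enum and field numbers within them could not be checked here.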