Cloud Composer v2 GKE Clusters
Concepts
Cloud Composer is a fully managed workflow orchestration service, enabling you to create, schedule, monitor, and manage workflows that span across clouds and on-premises data centers.
Cloud Composer is built on the popular Apache Airflow open source project and operates using the Python programming language.
Source: https://cloud.google.com/composer/docs/composer-2/composer-overview
From v2.4.2 onwards, DiscrimiNAT supports filtering traffic egressing from an Autopilot mode VPC-native Google Kubernetes Engine cluster in a Composer v2 Private IP architecture environment, provided Network Tags are applied to the environment.
Network tags
A Composer v2 environment's cluster is an Autopilot mode VPC-native Google Kubernetes Engine cluster. Network Tags can, however, be applied to it at the time of the Composer environment's creation.
When Network Tags are applied to a Composer v2 environment, DiscrimiNAT applies the FQDN allowlists of the corresponding Firewall Rules to the entire primary subnetwork. With SNAT enabled in such environments (the default), any Internet-bound traffic, after translation from the Pods, egresses from the managed Nodes in the primary subnetwork.
This means that if you run any other compute in the same subnetwork, the FQDN allowlist for the Composer v2 environment applies to it as well. The config logs also show the association of such rules with that compute workload (a VM, for example).
Therefore, it is highly recommended to use dedicated primary subnetworks for Composer v2 environments.
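The following is an added example, not DiscrimiNAT's own code: it models the behaviour described above, where an FQDN allowlist matched via a Composer environment's Network Tags applies to the whole primary subnetwork, and it flags any other compute that shares that subnetwork and so inherits the allowlist. The inventory, the Workload/FirewallRule records and the fqdn_allowlist field are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Workload:
    name: str
    subnetwork: str            # primary subnetwork the workload's Nodes/NICs sit in
    network_tags: frozenset    # Network Tags applied to the workload
    is_composer_cluster: bool = False

@dataclass
class FirewallRule:
    name: str
    target_tags: frozenset     # Network Tags the rule targets
    fqdn_allowlist: frozenset  # hypothetical field standing in for the rule's FQDN allowlist

def effective_allowlists(workloads, rules):
    """Map each primary subnetwork to the FQDNs allowed from it.

    A rule whose target tags match a Composer cluster's Network Tags widens the
    allowlist of that cluster's entire primary subnetwork, because SNAT'd Pod
    traffic leaves from the managed Nodes in that subnetwork.
    """
    per_subnet = {}
    for w in workloads:
        if not w.is_composer_cluster:
            continue
        for r in rules:
            if r.target_tags & w.network_tags:
                per_subnet.setdefault(w.subnetwork, set()).update(r.fqdn_allowlist)
    return per_subnet

def shared_subnet_findings(workloads, allowlists):
    """Return (workload, subnetwork, inherited FQDNs) for every non-Composer
    workload that inherits a Composer environment's allowlist by sharing its subnetwork."""
    return [(w.name, w.subnetwork, sorted(allowlists[w.subnetwork]))
            for w in workloads
            if not w.is_composer_cluster and w.subnetwork in allowlists]

# Constructed inventory: "composer-a" shares subnet-a with a VM; "composer-b" has a dedicated subnet.
SAMPLE_WORKLOADS = [
    Workload("composer-a", "subnet-a", frozenset({"composer-prod"}), True),
    Workload("batch-vm", "subnet-a", frozenset({"batch"})),
    Workload("composer-b", "subnet-b", frozenset({"composer-dev"}), True),
]
SAMPLE_RULES = [
    FirewallRule("allow-pypi", frozenset({"composer-prod"}), frozenset({"pypi.org", "files.pythonhosted.org"})),
    FirewallRule("allow-gcs", frozenset({"composer-dev"}), frozenset({"storage.googleapis.com"})),
]

if __name__ == "__main__":
    for name, subnet, fqdns in shared_subnet_findings(SAMPLE_WORKLOADS, effective_allowlists(SAMPLE_WORKLOADS, SAMPLE_RULES)):
        print(f"{name} in {subnet} inherits a Composer allowlist: {', '.join(fqdns)}")
```

Running it reports batch-vm as inheriting the pypi.org allowlist through subnet-a, the situation the dedicated-subnetwork recommendation above avoids.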
Role
Add the following permissions to the role of DiscrimiNAT's service account so that it can apply the corresponding Firewall Rules to the clusters' subnetworks.
container.clusters.list
compute.subnetworks.get
Also see the Service Account page for other permissions of interest.