Manifest changes to support GCP blueprints on private GKE. (#1218)

* kubeflow/gcp-blueprints#33 is tracking GCP blueprints on private GKE with VPC-SC * This PR doesn't fully enable that but it includes a lot of necessary changes. * cluster-private-patch.yaml is a cluster patch that turns on a lot of settings to deploy GKE with private GKE * For ease of use we make the master publicly accessible anywhere; users could configure that behavior if desired using patch overlays. * Use kpt setters to name all the networking resources (firewall rules, networks, etc...) * This ensures the names are unique based on the KF deployment name and won't conflict with existing rules. * The setters also ensures that the references get set correctly; e.g. the firewall rules correctly refer the newly created network. * Add a CNRM resource to enable CloudDNS. * Per kubeflow/gcp-blueprints#31 we should probably use CNRM and not AnthosCLI to enable all required services. * Add a kpt setter to control firewall rule logging * Enabling firewall rule logging can be useful to debug why connections are blocked. Enable logging on firewall rules. * Add an extra firewall rule for ISTIO *Per https://istio.io/docs/setup/platform-setup/gke/ we need to manually create an additional firewall rule to allow traffic to the ISTIO pilot webhook port. * Add a NAT to allow outbound internet egress * Egress is still blocked by firewall rules * Per kbueflow/gcp-blueprints#34 this was an attempt to make it possible to pull images from DockerHub and Quay.IO. This was partially succesful; pulling from DockerHub works but for Quay.IO the firewall rules are strill blocking required connections. * Fix the v3 version of the cert-manager package. * #1134 moved the kubeflow issuer into its own package to avoid race conditions * That refactored means that the v3 packages no longer included the actual cert-manager resources * This PR fixes that by having the v3 package pull in the base package
2020-06-01 18:18:14 -07:00 · 2020-06-01 18:18:14 -07:00 · b1654392bc
parent 48624dbcfa
commit b1654392bc
26 changed files with 351 additions and 159 deletions
--- a/cert-manager/cert-manager/v3/kustomization.yaml
+++ b/cert-manager/cert-manager/v3/kustomization.yaml
@ -5,4 +5,5 @@ commonLabels:
 kind: Kustomization
 namespace: cert-manager
 resources:
+- ../base
 - ../overlays/application/application.yaml
--- a/experimental/mirror-images/gcp_template.yaml
+++ b/experimental/mirror-images/gcp_template.yaml
@ -5,5 +5,6 @@ spec:
  - src:
      exclude: gcr.io
    # change to the gcr registry as image replication destination
-    dest: <target_gcr_registry>
+    dest: gcr.io/gcp-private-dev   # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"gcp-private-dev"}]}}
+  # Use the existing public context
  context: gs://kubeflow-examples/image-replicate/replicate-context.tar.gz
--- a/gcp/v2/asm/istio-operator.yaml
+++ b/gcp/v2/asm/istio-operator.yaml
@ -15,7 +15,7 @@
 apiVersion: install.istio.io/v1alpha2
 kind: IstioControlPlane
 metadata:
-  clusterName: "jlewi-dev/us-central1/kf-bp-0420-002" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"},{"name":"name","value":"kf-bp-0420-002"},{"name":"location","value":"us-central1"}]}}
+  clusterName: "project-id/us-central1/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1"}]}}
 spec:
  profile: asm
  hub: gcr.io/gke-release/asm
@ -25,14 +25,14 @@ spec:
      istio-ingressgateway:
        type: NodePort
    global:
-      meshID: "jlewi-dev_us-central1_kf-bp-0420-002" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"},{"name":"name","value":"kf-bp-0420-002"},{"name":"location","value":"us-central1"}]}}
-      trustDomain: "jlewi-dev.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"}]}}
+      meshID: "project-id_us-central1_name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1"}]}}
+      trustDomain: "project-id.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}}
      sds:
        token:
-          aud: "jlewi-dev.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"}]}}
+          aud: "project-id.svc.id.goog" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"}]}}
      proxy:
        env:
-          GCP_METADATA: "jlewi-dev|147474701642|asm-cluster|us-central1-c" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"},{"name":"gcloud.project.projectNumber","value":"147474701642"},{"name":"name","value":"asm-cluster"},{"name":"gcloud.compute.zone","value":"us-central1-c"}]}}
+          GCP_METADATA: "project-id|147474701642|name|us-central1-c" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"gcloud.project.projectNumber","value":"147474701642"},{"name":"name","value":"name"},{"name":"gcloud.compute.zone","value":"us-central1-c"}]}}
    nodeagent:
      env:
-        GKE_CLUSTER_URL: "https://container.googleapis.com/v1/projects/jlewi-dev/locations/us-central1/clusters/kf-bp-0420-002" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"jlewi-dev"},{"name":"name","value":"kf-bp-0420-002"},{"name":"location","value":"us-central1"}]}}
+        GKE_CLUSTER_URL: "https://container.googleapis.com/v1/projects/project-id/locations/us-central1/clusters/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1"}]}}
--- a/gcp/v2/cnrm/cluster/cluster.yaml
+++ b/gcp/v2/cnrm/cluster/cluster.yaml
@ -17,10 +17,10 @@
 apiVersion: container.cnrm.cloud.google.com/v1beta1
 kind: ContainerCluster
 metadata:
-  clusterName: "project-id/us-east1-d/kf-name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"kf-name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
+  clusterName: "project-id/us-east1-d/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
  labels:
-    mesh_id: "project-id_us-east1-d_kf-name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"kf-name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
-  name: kf-name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"kf-name"}}}
+    mesh_id: "project-id_us-east1-d_name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
  initialNodeCount: 2
  clusterAutoscaling:
@ -31,7 +31,7 @@ spec:
      - https://www.googleapis.com/auth/monitoring
      - https://www.googleapis.com/auth/devstorage.read_only
      serviceAccountRef:
-        name: kf-name-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"kf-name"}]}}
+        name: name-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"name"}]}}
    resourceLimits:
    - resourceType: cpu
      maximum: 128
@ -51,10 +51,10 @@ spec:
    metadata:
      disable-legacy-endpoints: "true"
    oauthScopes:
-      - https://www.googleapis.com/auth/logging.write
-      - https://www.googleapis.com/auth/monitoring
-      - https://www.googleapis.com/auth/devstorage.read_only
+    - https://www.googleapis.com/auth/logging.write
+    - https://www.googleapis.com/auth/monitoring
+    - https://www.googleapis.com/auth/devstorage.read_only
    serviceAccountRef:
-      name: kf-name-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"kf-name"}]}}
+      name: name-vm # {"type":"string","x-kustomize":{"partialSetters":[{"name":"name","value":"name"}]}}
    workloadMetadataConfig:
      nodeMetadata: GKE_METADATA_SERVER
--- a/gcp/v2/cnrm/cluster/kf-vm-policy.yaml
+++ b/gcp/v2/cnrm/cluster/kf-vm-policy.yaml
@ -1,9 +1,9 @@
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-vm-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-vm-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/logging.logWriter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -13,9 +13,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-vm-policy-monitoring # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-vm-policy-monitoring # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/monitoring.metricWriter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -25,9 +25,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-vm-policy-meshtelemetry # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-vm-policy-meshtelemetry # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/meshtelemetry.reporter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -37,9 +37,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-vm-policy-cloudtrace # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-vm-policy-cloudtrace # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/cloudtrace.agent
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -49,9 +49,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-vm-policy-monitoring-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-vm-policy-monitoring-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/monitoring.viewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -61,9 +61,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-vm-policy-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-vm-policy-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/storage.objectViewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
--- a/gcp/v2/cnrm/cluster/kf-vm-sa.yaml
+++ b/gcp/v2/cnrm/cluster/kf-vm-sa.yaml
@ -15,7 +15,7 @@
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
 metadata:
-  name: kf-name-vm # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-vm # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
  namespace: "project-id" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"project-id"}}}
 spec:
  displayName: kubeflow vm service account
--- a/gcp/v2/cnrm/cluster/nodepool.yaml
+++ b/gcp/v2/cnrm/cluster/nodepool.yaml
@ -15,8 +15,8 @@
 apiVersion: container.cnrm.cloud.google.com/v1beta1
 kind: ContainerNodePool
 metadata:
-  clusterName: "project-id/us-east1-d/kf-name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"kf-name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
-  name: kf-name-cpu-pool-v1 # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  clusterName: "project-id/us-east1-d/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"gcloud.compute.zone","value":"us-east1-d"}]}}
+  name: name-cpu-pool-v1 # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
  namespace: "project-id" # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.core.project","value":"project-id"}}}
 spec:
  initialNodeCount: 2
@ -29,8 +29,8 @@ spec:
    metadata:
      disable-legacy-endpoints: "true"
    serviceAccountRef:
-      name: kf-name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+      name: name-vm@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
    workloadMetadataConfig:
      nodeMetadata: GKE_METADATA_SERVER
  clusterRef:
-    name: kf-name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"kf-name"}}}
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
--- a/gcp/v2/cnrm/iam/kf-admin-policy.yaml
+++ b/gcp/v2/cnrm/iam/kf-admin-policy.yaml
@ -1,9 +1,9 @@
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/source.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -13,9 +13,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-servicemanagement # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-servicemanagement # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/servicemanagement.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -25,9 +25,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-network # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-network # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/compute.networkAdmin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -37,9 +37,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/cloudbuild.builds.editor
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -49,9 +49,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/viewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -61,9 +61,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/storage.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -73,9 +73,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/bigquery.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -85,9 +85,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/dataflow.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -97,9 +97,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/ml.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -109,9 +109,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/dataproc.editor
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -121,9 +121,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/cloudsql.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -133,9 +133,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/logging.logWriter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -145,9 +145,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-metricwriter # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-metricwriter # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/monitoring.metricWriter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -157,9 +157,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-admin-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-admin@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/monitoring.viewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
--- a/gcp/v2/cnrm/iam/kf-admin-sa.yaml
+++ b/gcp/v2/cnrm/iam/kf-admin-sa.yaml
@ -15,7 +15,7 @@
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
 metadata:
-  name: kf-name-admin # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-admin # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
  namespace: "project-id" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"project-id"}}}
 spec:
  displayName: kubeflow admin service account
--- a/gcp/v2/cnrm/iam/kf-user-policy.yaml
+++ b/gcp/v2/cnrm/iam/kf-user-policy.yaml
@ -1,9 +1,9 @@
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-cloudbuild # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/cloudbuild.builds.editor
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -13,9 +13,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-viewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/viewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -25,9 +25,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-source # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/source.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -37,9 +37,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-storage # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/storage.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -49,9 +49,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-bigquery # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/bigquery.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -61,9 +61,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-dataflow # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/dataflow.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -73,9 +73,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-ml # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/ml.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -85,9 +85,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-dataproc # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/dataproc.editor
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -97,9 +97,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-cloudsql # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/cloudsql.admin
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -109,9 +109,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-logging # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/logging.logWriter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -121,9 +121,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-metricwriter # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-metricwriter # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/monitoring.metricWriter
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
@ -133,9 +133,9 @@ spec:
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMPolicyMember
 metadata:
-  name: kf-name-user-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user-monitoringviewer # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
-  member: serviceAccount:kf-name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"},{"name":"gcloud.core.project","value":"project-id"}]}}
+  member: serviceAccount:name-user@project-id.iam.gserviceaccount.com # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"},{"name":"gcloud.core.project","value":"project-id"}]}}
  role: roles/monitoring.viewer
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
--- a/gcp/v2/cnrm/iam/kf-user-sa.yaml
+++ b/gcp/v2/cnrm/iam/kf-user-sa.yaml
@ -15,7 +15,7 @@
 apiVersion: iam.cnrm.cloud.google.com/v1beta1
 kind: IAMServiceAccount
 metadata:
-  name: kf-name-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-user # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
  namespace: "project-id" # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.core.project","value":"project-id"}}}
 spec:
  displayName: kubeflow user service account
--- a/gcp/v2/cnrm/ingress/compute-address.yaml
+++ b/gcp/v2/cnrm/ingress/compute-address.yaml
@ -1,7 +1,7 @@
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeAddress
 metadata:
-  name: kf-name-ip # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-ip # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
  labels:
    label-one: "value-one"
 spec:
--- a/gcp/v2/cnrm/kustomization.yaml
+++ b/gcp/v2/cnrm/kustomization.yaml
@ -5,4 +5,4 @@ resources:
 - cluster
 - ingress
 - iam
- pipelines
+- pipelines
--- a/gcp/v2/cnrm/pipelines/disk.yaml
+++ b/gcp/v2/cnrm/pipelines/disk.yaml
@ -1,7 +1,7 @@
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeDisk
 metadata:
-  name: kf-name-storage-metadata-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-storage-metadata-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
  location: us-east1-d # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.compute.zone","value":"us-east1-d"}}}
  size: 20
@ -9,7 +9,7 @@ spec:
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeDisk
 metadata:
-  name: kf-name-storage-artifact-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"kf-name"}]}}
+  name: name-storage-artifact-store # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"name","value":"name"}]}}
 spec:
  location: us-east1-d # {"type":"string","x-kustomize":{"setBy":"kpt","setter":{"name":"gcloud.compute.zone","value":"us-east1-d"}}}
  size: 200
--- a/gcp/v2/management/cluster/cluster.yaml
+++ b/gcp/v2/management/cluster/cluster.yaml
@ -12,7 +12,7 @@ spec: {}
 apiVersion: container.cnrm.cloud.google.com/v1alpha2
 kind: ContainerCluster
 metadata:
-  name: cluster-name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"cluster-name"}}}
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
  # Use a regional cluster. Regional offer higher availability and the cluster management fee is the same.
  location: us-central1-f
--- a/gcp/v2/management/cluster/nodepool.yaml
+++ b/gcp/v2/management/cluster/nodepool.yaml
@ -1,8 +1,8 @@
 apiVersion: container.cnrm.cloud.google.com/v1alpha2
 kind: ContainerNodePool
 metadata:
-  clusterName: "project-id/us-central1-f/cluster-name" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"cluster-name"},{"name":"location","value":"us-central1-f"}]}}
-  name: cluster-name-pool  # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"cluster-name"},{"name":"location","value":"us-central1-f"}]}}
+  clusterName: "project-id/us-central1-f/name" # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1-f"}]}}
+  name: name-pool # {"type":"string","x-kustomize":{"partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1-f"}]}}
 spec:
  autoscaling:
    minNodeCount: 1
@ -25,4 +25,4 @@ spec:
    autoRepair: true
    autoUpgrade: true
  clusterRef:
-    name: cluster-name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"cluster-name"}}}
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
--- a/gcp/v2/privateGKE/README.md
+++ b/gcp/v2/privateGKE/README.md
@ -0,0 +1,4 @@
+# Private GKE Resoruces
+
+* This directory contains CNRM patches and resource definitions in order
+  to deploy Kubeflow on private GKE.
--- a/gcp/v2/privateGKE/cluster-private-patch.yaml
+++ b/gcp/v2/privateGKE/cluster-private-patch.yaml
@ -0,0 +1,39 @@
+# A patch to use private GKE clusters
+apiVersion: container.cnrm.cloud.google.com/v1beta1
+kind: ContainerCluster
+metadata:
+  clusterName: "project-id/us-central1/name" # {"type":"string","x-kustomize":{"setBy":"kpt","partialSetters":[{"name":"gcloud.core.project","value":"project-id"},{"name":"name","value":"name"},{"name":"location","value":"us-central1"}]}}
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+spec:
+  # https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.PrivateClusterConfig
+  # This is the least secure config because it allows access to master from all public IPs.
+  # For alternative options see the above link.
+  privateClusterConfig:
+    enablePrivateNodes: true
+    # We set enablePrivateEndpoint to false because we want a publicly accessible endpoint.
+    enablePrivateEndpoint: false
+    # Keep this in sync with the range specified in the allow-egress to master firewall rule.
+    masterIpv4CidrBlock: 172.16.0.32/28
+  #
+  # TODO(https://github.com/kubeflow/gcp-blueprints/issues/32): Following options don't appear to be supported in CNRM; will private GKE work
+  # without them?
+  ipAllocationPolicy:
+    # Make the cluster VPC Native
+    useIpAliases: true
+    createSubnetwork: false
+    # TODO(jlewi): https://github.com/kubeflow/gcp-blueprints/issues/32 the following fields
+    # Automatic creation of the subnetwork and its secondary ranges doesn't seem to be possible 
+    # with CNRM. We have an explicit CNRM resource for the subnetwork which we reference
+    # in subnetworkRef. The names for the secondary resources listed here should map to those
+    # resources.
+    clusterSecondaryRangeName: pods
+    servicesSecondaryRangeName: services
+    # TODO(jlewi): https://github.com/kubeflow/gcp-blueprints/issues/32 the following fields
+    # don't seem to be included in CNRM 1.9.1
+    #createSubnetwork: true
+    #subnetworkName: gcp-private-0527 # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"gcp-private-0527"}}}
+  # Create the clsuter in the private network we created.
+  networkRef:
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  subnetworkRef:
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
--- a/gcp/v2/privateGKE/compute-network.yaml
+++ b/gcp/v2/privateGKE/compute-network.yaml
@ -1,7 +1,7 @@
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeNetwork
 metadata:
-  name: gke-no-internet-network
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
  routingMode: GLOBAL
  autoCreateSubnetworks: false
@ -10,23 +10,23 @@ spec:
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeSubnetwork
 metadata:
-  name: priv-cluster-01
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
  ipCidrRange: 10.10.10.0/24
-  region: us-central1
+  region: us-central1 # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.compute.region","value":"us-central1"}}}
  description: kubeflow private subnet
  privateIpGoogleAccess: true
  networkRef:
-    name: gke-no-internet-network
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
  logConfig:
    aggregationInterval: INTERVAL_10_MIN
    flowSampling: 0.5
    metadata: INCLUDE_ALL_METADATA
  secondaryIpRange:
-    - ipCidrRange: 10.10.11.0/24
-      rangeName: services
-    - ipCidrRange: 10.1.0.0/16
-      rangeName: pods
+  - ipCidrRange: 10.10.11.0/24
+    rangeName: services
+  - ipCidrRange: 10.1.0.0/16
+    rangeName: pods
 ---
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeRoute
@ -35,5 +35,5 @@ metadata:
 spec:
  destRange: 199.36.153.4/30
  networkRef:
-    name: gke-no-internet-network
-  nextHopGateway: default-internet-gateway
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  nextHopGateway: default-internet-gateway
--- a/gcp/v2/privateGKE/dns-gcr.yaml
+++ b/gcp/v2/privateGKE/dns-gcr.yaml
@ -8,8 +8,8 @@ spec:
  visibility: private
  privateVisibilityConfig:
    networks:
-      - networkRef:
-          name: gke-no-internet-network
+    - networkRef:
+        name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 ---
 apiVersion: dns.cnrm.cloud.google.com/v1beta1
 kind: DNSRecordSet
@ -22,7 +22,7 @@ spec:
  managedZoneRef:
    name: gcr-io
  rrdatas:
-    - "gcr.io."
+  - "gcr.io."
 ---
 apiVersion: dns.cnrm.cloud.google.com/v1beta1
 kind: DNSRecordSet
@ -35,7 +35,7 @@ spec:
  managedZoneRef:
    name: gcr-io
  rrdatas:
-    - "199.36.153.4"
-    - "199.36.153.5"
-    - "199.36.153.6"
-    - "199.36.153.7"
+  - "199.36.153.4"
+  - "199.36.153.5"
+  - "199.36.153.6"
+  - "199.36.153.7"
--- a/gcp/v2/privateGKE/dns-google-apis.yaml
+++ b/gcp/v2/privateGKE/dns-google-apis.yaml
@ -8,8 +8,8 @@ spec:
  visibility: private
  privateVisibilityConfig:
    networks:
-      - networkRef:
-          name: gke-no-internet-network
+    - networkRef:
+        name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 ---
 apiVersion: dns.cnrm.cloud.google.com/v1beta1
 kind: DNSRecordSet
@ -22,7 +22,7 @@ spec:
  managedZoneRef:
    name: google-apis
  rrdatas:
-    - "restricted.googleapis.com."
+  - "restricted.googleapis.com."
 ---
 apiVersion: dns.cnrm.cloud.google.com/v1beta1
 kind: DNSRecordSet
@ -35,7 +35,7 @@ spec:
  managedZoneRef:
    name: google-apis
  rrdatas:
-    - "199.36.153.4"
-    - "199.36.153.5"
-    - "199.36.153.6"
-    - "199.36.153.7"
+  - "199.36.153.4"
+  - "199.36.153.5"
+  - "199.36.153.6"
+  - "199.36.153.7"
--- a/gcp/v2/privateGKE/enable-services.yaml
+++ b/gcp/v2/privateGKE/enable-services.yaml
@ -0,0 +1,10 @@
+# Enable additional services needed when using cloud DNS
+apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
+kind: Service
+metadata:
+  annotations:
+    # use the deletion policy of abandon to ensure that the pubsub service remains enabled when this resource is deleted.
+    cnrm.cloud.google.com/deletion-policy: "abandon"
+    # this is unnecessary with the deletion-policy of 'abandon', but useful if the abandon policy is removed.
+    cnrm.cloud.google.com/disable-dependent-services: "false"
+  name: dns.googleapis.com
--- a/gcp/v2/privateGKE/firewall.yaml
+++ b/gcp/v2/privateGKE/firewall.yaml
@ -1,95 +1,202 @@
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
-  name: deny-egress
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
+  description: "Deny all internet traffic by default"
  deny:
-    - protocol: tcp
-      ports:
-        - "0-65535"
+  - protocol: tcp
+    ports:
+    - "0-65535"
  destinationRanges:
-    - 0.0.0.0/0
+  - 0.0.0.0/0
  direction: EGRESS
  priority: 1100
  networkRef:
-    name: gke-no-internet-network
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  # Enable logging to help debugging
+  enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}}
 ---
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
-  name: allow-healthcheck-ingress
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
+  description: "Allow health check ingress"
  allow:
-    - protocol: tcp
-      ports:
-        - "80"
-        - "443"
+  - protocol: tcp
+    ports:
+    - "80"
+    - "443"
+  # Prober address for health checks:
+  # https://cloud.google.com/load-balancing/docs/health-checks
  sourceRanges:
-    - 130.211.0.0/22
-    - 35.191.0.0/16
+  - 130.211.0.0/22
+  - 35.191.0.0/16
  direction: INGRESS
  networkRef:
-    name: gke-no-internet-network
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  # Enable logging to help debugging
+  enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}}
 ---
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
-  name: allow-healthcheck-egress
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
+  description: "Allow health check egress"
  allow:
-    - protocol: tcp
-      ports:
-        - "80"
-        - "443"
+  - protocol: tcp
+    ports:
+    - "80"
+    - "443"
+  # Prober address for health checks:
+  # https://cloud.google.com/load-balancing/docs/health-checks
  destinationRanges:
-    - 130.211.0.0/22
-    - 35.191.0.0/16
+  - 130.211.0.0/22
+  - 35.191.0.0/16
  direction: EGRESS
  networkRef:
-    name: gke-no-internet-network
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  # Enable logging to help debugging
+  enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}}
 ---
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
-  name: allow-google-apis-egress
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
+  description: "Allow egress to google APIs"
  allow:
-    - protocol: tcp
-      ports:
-        - "0-65535"
+  - protocol: tcp
+    ports:
+    - "0-65535"
  destinationRanges:
-    - 199.36.153.4/30
+  - 199.36.153.4/30
  direction: EGRESS
  networkRef:
-    name: gke-no-internet-network
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  # Enable logging to help debugging
+  enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}}
 ---
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
-  name: allow-master-node-egress
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
+  description: "Allow master node egress"
  allow:
-    - protocol: tcp
-      ports:
-        - "443"
-        - "10250"
+  - protocol: tcp
+    ports:
+    - "443"
+    - "10250"
  destinationRanges:
-    - 172.16.0.0/28
+  # Keep this in sync with the masterCidrBlock specified in cluster-private-patch.yaml
+  - 172.16.0.32/28
+  # TODO(jlewi): This was a bit of a hack to try to fix failing health checks during cluster
+  # provisioning. I was seeing packets get blocket.
+  #- 172.217.0.0/28
+
  direction: EGRESS
  networkRef:
-    name: gke-no-internet-network
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  # Enable logging to help debugging
+  enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}}
 ---
 apiVersion: compute.cnrm.cloud.google.com/v1beta1
 kind: ComputeFirewall
 metadata:
-  name: allow-internal-egress
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
 spec:
+  description: "Allow traffic to internal ips"
  allow:
-    - protocol: tcp
-      ports:
-        - "0-65535"
+  - protocol: tcp
+    ports:
+    - "0-65535"
  destinationRanges:
-    - 10.0.0.0/8
+  - 10.0.0.0/8
+  # This rule is needed to ensure that any K8s services running within the cluster are accessible
+  - 192.168.0.0/16
  direction: EGRESS
  networkRef:
-    name: gke-no-internet-network
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  # Enable logging to help debugging
+  enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}}
+---
+# Per https://istio.io/docs/setup/platform-setup/gke/
+# GKE will not automatically create a rule allowing traffic to the istio side car
+# webhook ports so we need to add that.
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+spec:
+  allow:
+  - protocol: tcp
+    ports:
+    # In ASM 1.4 the port is 9443. Starting in ASM 1.5 the port is 15017
+    - "15017"
+    - "9443"
+  sourceRanges:
+  - 172.16.0.32/28
+  direction: INGRESS
+  networkRef:
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  # Enable logging to help debugging
+  enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}}
+---
+# Allow traffic to DockerHub so we can pull docker images.
+#
+# IP addresses can be obtained by running
+# 1. nslookup index.dockerhub.io
+# 2. nslookup dockerhub.io
+# 3. nslookup registry-1.docker.io
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeFirewall
+metadata:
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+spec:
+  description: "Allow egress to dockerhub and quay.io"
+  allow:
+  - protocol: tcp
+    ports:
+    - "443"
+    - "80"
+  destinationRanges:
+  # Keep this in sync with the masterCidrBlock specified in cluster-private-patch.yaml
+  - "3.211.199.249"
+  - "18.232.227.119"
+  - "18.213.137.78"
+  - "23.22.155.84"
+  - "23.202.231.169"
+  - "23.217.138.110"
+  - "52.54.232.21"
+  - "52.72.232.213"
+  - "54.85.107.53"
+  - "54.236.131.166"
+  - "107.23.149.57"
+  - "217.70.184.38"
+  # production.cloudfare.docker.com
+  - "104.18.121.25"
+  - "104.18.122.25"
+  - "104.18.123.25"
+  - "104.18.124.25"
+  - "104.18.125.25"
+  # quay.io
+  - "3.218.162.19"
+  - "18.205.55.240"
+  - "52.202.225.67"
+  - "54.84.167.150"
+  - "13.227.47.39"
+  - "13.227.47.84"
+  - "13.227.47.105"
+  # cdn.quay.io
+  - "13.35.101.24"
+  - "13.35.101.91"
+  - "13.35.101.101"
+  - "13.35.101.104"
+  direction: EGRESS
+  networkRef:
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  # Enable logging to help debugging
+  enableLogging: false # {"type":"bool","x-kustomize":{"setter":{"name":"log-firewalls","value":"false"}}}
--- a/gcp/v2/privateGKE/kustomization.yaml
+++ b/gcp/v2/privateGKE/kustomization.yaml
@ -1,5 +1,12 @@
+# This kustomization defines additional networking resoruces to setup
+# as part of private deployments.
+# For more info see: https://medium.com/google-cloud/completely-private-gke-clusters-with-no-internet-connectivity-945fffae1ccd
+# N.b cluster-private-patch.yaml isn't included because we don't define the clsuter
+# here so we can't patch it.
 resources:
 - compute-network.yaml
+- enable-services.yaml
 - dns-gcr.yaml
 - dns-google-apis.yaml
 - firewall.yaml
+- nat.yaml
--- a/gcp/v2/privateGKE/nat.yaml
+++ b/gcp/v2/privateGKE/nat.yaml
@ -0,0 +1,20 @@
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeRouter
+metadata:
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+spec:
+  description: Router to allow outbound internet access
+  region: us-central1 # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.compute.region","value":"us-central1"}}}
+  networkRef:
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+---
+apiVersion: compute.cnrm.cloud.google.com/v1beta1
+kind: ComputeRouterNAT
+metadata:
+  name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+spec:
+  region: us-central1 # {"type":"string","x-kustomize":{"setter":{"name":"gcloud.compute.region","value":"us-central1"}}}
+  routerRef:
+    name: name # {"type":"string","x-kustomize":{"setter":{"name":"name","value":"name"}}}
+  natIpAllocateOption: AUTO_ONLY
+  sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
--- a/tests/Makefile
+++ b/tests/Makefile
@ -31,6 +31,9 @@ all: test
 gcp-reset:
 	kpt cfg set ../gcp/v2/ cluster-name cluster-name
 	kpt cfg set ../gcp/v2/ gcloud.core.project project-id
+	kpt cfg set ../gcp/v2/ gcloud.core.zone ZONE
+	kpt cfg set ../gcp/v2/ gcloud.core.region REGION
+	kpt cfg set ../gcp/v2/ name name

 generate:
 	$(PYTHON_BIN) ../hack/generate_tests.py --all || echo done