
Merge pull request #41676 from xenolinux/vpc

[WIP][BZ2003276]: Create a "Requirements for using your VPC" section for the GCP page installing onto existing vpc
Author: Kathryn Alexander, 2022-04-25 08:10:19 -04:00 (committed by GitHub)
2 changed files with 52 additions and 0 deletions


@@ -17,6 +17,8 @@ parameters in the `install-config.yaml` file before you install the cluster.
* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_gcp/manually-creating-iam-gcp.adoc#manually-creating-iam-gcp[manually create and maintain IAM credentials].
include::modules/installation-custom-gcp-vpc.adoc[leveloffset=+1]
include::modules/cluster-entitlements.adoc[leveloffset=+1]
include::modules/ssh-agent-using.adoc[leveloffset=+1]
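Review bot: the new include is placed right after the prerequisites list, but none of the prerequisites point the reader at the section it pulls in, so the CIDR and subnet requirements for an existing VPC are only discovered after the reader has gone past the prerequisites; consider adding a bullet to that list that links to `installation-custom-gcp-vpc-requirements_{context}` so the VPC requirements are seen before `install-config.yaml` is written. The placement itself is consistent with the module's own header comment, which lists `installing/installing_gcp/installing-gcp-vpc.adoc` as the including assembly.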


@@ -0,0 +1,50 @@
// Module included in the following assemblies:
//
// * installing/installing_gcp/installing-gcp-vpc.adoc
:_content-type: CONCEPT
[id="installation-custom-gcp-vpc_{context}"]
= About using a custom VPC
In {product-title} {product-version}, you can deploy a cluster into existing subnets in an existing Virtual Private Cloud (VPC) in Google Cloud Platform (GCP). By deploying {product-title} into an existing GCP VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company's guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option. You must configure networking for the subnets.
[id="installation-custom-gcp-vpc-requirements_{context}"]
== Requirements for using your VPC
The union of the VPC CIDR block and the machine network CIDR must be non-empty. The subnets must be within the machine network.
The installation program does not create the following components:
* NAT gateways
* Subnets
* Route tables
* VPC network
[id="installation-custom-gcp-vpc-validation_{context}"]
== VPC validation
To ensure that the subnets that you provide are suitable, the installation program confirms the following data:
* All the subnets that you specify exist.
* You provide one subnet for control-plane machines and one subnet for compute machines.
* The subnet's CIDRs belong to the machine CIDR that you specified.
[id="installation-about-custom-gcp-permissions_{context}"]
== Division of permissions
Some individuals can create different resource in your clouds than others. For example, you might be able to create application-specific items, like instances, buckets, and load balancers, but not networking-related components such as VPCs, subnets, or ingress rules.
[id="installation-custom-gcp-vpc-isolation_{context}"]
== Isolation between clusters
If you deploy {product-title} to an existing network, the isolation of cluster services is reduced in the following ways:
* You can install multiple {product-title} clusters in the same VPC.
* ICMP ingress is allowed to the entire network.
* TCP 22 ingress (SSH) is allowed to the entire network.
* Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
* Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
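Review bot: the requirement "The union of the VPC CIDR block and the machine network CIDR must be non-empty" cannot be what is intended, because the union of two CIDR blocks is never empty; given the validation bullet further down ("The subnet's CIDRs belong to the machine CIDR that you specified"), this should state that the VPC CIDR block and the machine network CIDR must overlap (non-empty intersection). Two wording fixes in the same module: "create different resource in your clouds" should be "create different resources in your clouds", and "The subnet's CIDRs belong to" should be "The subnets' CIDRs belong to", since it refers to both subnets. In the "Isolation between clusters" section, the bullets say ICMP and TCP 22, 6443 and 22623 ingress are allowed "to the entire network" without saying which network that is; naming the VPC explicitly (for example "from anywhere in the VPC") would make it clear to readers sharing the VPC with other workloads that the Kubernetes API and the MCS endpoint are reachable from every host in that VPC, which is the point the section exists to convey.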