Is your feature request related to a problem?
Yes. When managing AWS WAFv2 WebACL resources through ACK, I cannot directly inspect the current computed WebACL capacity (WCU) from the Kubernetes resource.
The ACK WebACL resource currently exposes status fields such as ackResourceMetadata, conditions, id, and lockToken, but it does not expose the Capacity value. At the same time, the AWS WAFv2 GetWebACL API response includes WebACL.Capacity.
Because of this, users need to make separate out-of-band AWS API calls just to understand the effective WCU footprint of a WebACL, even though ACK already reconciles the resource against AWS.
example
aws wafv2 get-web-acl \
--name <webACL_name> \
--scope REGIONAL \
--id <webACL ID> \
--query 'WebACL.Capacity' \
--output text \
--profile <aws_profile>
output
Describe the solution you'd like
I would like ACK WAFv2 to expose the computed WebACL capacity in the status of the WebACL custom resource.
For example, something like:
This would make it possible to inspect current WebACL WCU usage directly from Kubernetes using standard tools such as kubectl get / kubectl describe.
If appropriate, it would also be helpful to expose this value as an additional printer column.
Describe the solution you'd like
The current alternative is to build a custom exporter, sidecar, or controller that periodically calls the AWS WAFv2 GetWebACL API and stores the returned Capacity somewhere else in the cluster, for example in a ConfigMap or a custom CRD.
While this works, it adds operational overhead and duplicates information that is already available through the upstream AWS API and could potentially be surfaced directly by ACK.
This would be especially useful for GitOps and platform teams that want to monitor WAF capacity directly from Kubernetes without introducing additional in-cluster components.
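The workaround described above (a job that calls GetWebACL and stores the returned Capacity in a ConfigMap), as an added example that is not code from the issue author or the ACK project. The ConfigMap name `wafv2-capacity-<name>` and its data keys are assumptions; the `aws` call is the same query shown in the issue.

```bash
#!/usr/bin/env bash
# Added example, not ACK code. Assumed names: the wafv2-capacity-<name>
# ConfigMap and its data keys (webAclId, scope, capacity).

# Same CLI query as in the issue; prints the WCU value on stdout.
fetch_capacity() {  # args: name id scope
  aws wafv2 get-web-acl --name "$1" --id "$2" --scope "$3" \
    --query 'WebACL.Capacity' --output text
}

# Accept only a non-negative integer. With --output text the CLI prints
# "None" when the queried field is absent; that must not be published.
valid_capacity() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print a ConfigMap manifest. The WebACL name is lowercased and "_" becomes
# "-" because ConfigMap names must be valid DNS subdomain names.
render_configmap() {  # args: name id scope namespace capacity
  valid_capacity "$5" || { echo "invalid capacity: '$5'" >&2; return 1; }
  cm_name=$(printf '%s' "$1" | tr 'A-Z_' 'a-z-')
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: wafv2-capacity-$cm_name
  namespace: $4
data:
  webAclId: "$2"
  scope: "$3"
  capacity: "$5"
EOF
}

# One pass: fetch, validate, apply. Run it from a CronJob or a loop.
sync_capacity() {  # args: name id scope namespace
  cap=$(fetch_capacity "$1" "$2" "$3") || return 1
  manifest=$(render_configmap "$1" "$2" "$3" "$4" "$cap") || return 1
  printf '%s\n' "$manifest" | kubectl apply -f -
}
```

The job's credentials need only `wafv2:GetWebACL` on the AWS side and permission to create and update ConfigMaps in the target namespace.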