I'm using a L7 Google LB for my ingress and have it hooked up to use a Cloud Armor policy that only allows certain IPs.
I want to set up DDoS protection but the documentation has me confused:
Google Cloud Armor security policies are available only for backend services behind an external HTTP(S) load balancer. The load balancer can be in Premium Tier or Standard Tier. DDoS protection is automatically provided for HTTP(S) Load Balancing, SSL Proxy Load Balancing, and TCP Proxy Load Balancing.
Does this mean that all I have to do is apply any (even an empty?) Cloud Armor policy to a GKE L7 LB ingress and I'll get DDoS protection? Or is it saying that all L7 LBs come with DDoS protection already and I don't need to do anything with Cloud Armor if, say, all I'm looking for is DDoS protection?
Google provides broad DDoS protection as part of the L7 LB. Yes, you'll benefit from this broad protection just by creating an ingress with GKE.
The L7LB you access through e.g. GKE Ingresses is a shared service across all of Google and so you're getting considerable power from it. However, it's oriented towards very large scale protections and these may not be as precise|specific as you need.
To add specificity of e.g. IP allow|deny lists (whether your own or provided by commercial services), you'll need to define a security policy and apply it to the backends provided by GKE.
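The second step in the answer above, applying an IP allow list to the GKE backends, as an added example that is not part of the original thread. The policy name, BackendConfig name, Service name and the two allowed ranges are constructed placeholders; the gcloud flags and the `cloud.google.com/backend-config` annotation are the real ones.

```shell
# Added example, not from the thread. Assumed (constructed) names: policy
# "ingress-allowlist", BackendConfig "armor-backendconfig", Service "web",
# and the documentation ranges 203.0.113.0/24 and 198.51.100.7/32.
set -eu
POLICY="ingress-allowlist"
BACKENDCONFIG="armor-backendconfig"
ALLOWED_RANGES="203.0.113.0/24,198.51.100.7/32"

# 1. Cloud Armor policy: allow the trusted ranges, then turn the implicit
#    default rule (priority 2147483647) into a deny so everything else is blocked.
create_policy() {
  gcloud compute security-policies create "$POLICY" \
    --description "Allowlist for the GKE ingress backends"
  gcloud compute security-policies rules create 1000 \
    --security-policy "$POLICY" --src-ip-ranges "$ALLOWED_RANGES" --action allow
  gcloud compute security-policies rules update 2147483647 \
    --security-policy "$POLICY" --action deny-403
}

# 2. BackendConfig naming the policy, plus the Service annotation that binds
#    the BackendConfig to the backend service GKE creates for the Ingress.
render_manifests() {
  cat <<EOF
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: $BACKENDCONFIG
spec:
  securityPolicy:
    name: $POLICY
---
apiVersion: v1
kind: Service
metadata:
  name: web
  annotations:
    cloud.google.com/backend-config: '{"default": "$BACKENDCONFIG"}'
spec:
  type: NodePort
  selector:
    app: web
  ports:
  - port: 80
    targetPort: 8080
EOF
}

# "render" (default) only prints the manifests; "apply" runs it for real.
case "${1:-render}" in
  apply) create_policy; render_manifests | kubectl apply -f - ;;
  *) render_manifests ;;
esac
```

Once the Ingress points at the `web` Service, the Cloud Armor policy is attached to the backend service it generates, and requests from outside the listed ranges get a 403 at the edge instead of reaching the pods.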