From a837e7b1bf354b657dd8e3b66cfa61b8520190de Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Keusters?= <68340898+JeremyKeustersML6@users.noreply.github.com>
Date: Fri, 26 Feb 2021 19:54:20 +0100
Subject: [PATCH] feat: Require actively enabling network policy (#809)

BREAKING CHANGE: The `network_policy` variable now defaults to `false`.
---
 README.md | 4 ++--
 autogen/main/README.md | 2 +-
 autogen/main/variables.tf.tmpl | 2 +-
 docs/upgrading_to_v14.0.md | 14 ++++++++++++++
 .../beta-private-cluster-update-variant/README.md | 4 ++--
 .../variables.tf | 2 +-
 modules/beta-private-cluster/README.md | 4 ++--
 modules/beta-private-cluster/variables.tf | 2 +-
 .../beta-public-cluster-update-variant/README.md | 4 ++--
 .../variables.tf | 2 +-
 modules/beta-public-cluster/README.md | 4 ++--
 modules/beta-public-cluster/variables.tf | 2 +-
 modules/private-cluster-update-variant/README.md | 4 ++--
 .../private-cluster-update-variant/variables.tf | 2 +-
 modules/private-cluster/README.md | 4 ++--
 modules/private-cluster/variables.tf | 2 +-
 test/integration/beta_cluster/controls/gcloud.rb | 4 +++-
 .../controls/gcloud.rb | 4 +++-
 .../integration/sandbox_enabled/controls/gcloud.rb | 4 +++-
 .../integration/simple_regional/controls/gcloud.rb | 4 +++-
 .../simple_regional_private/controls/gcloud.rb | 4 +++-
 .../controls/gcloud.rb | 4 +++-
 .../controls/gcloud.rb | 4 +++-
 test/integration/simple_zonal/controls/gcloud.rb | 4 +++-
 .../simple_zonal_private/controls/gcloud.rb | 4 +++-
 test/integration/stub_domains/controls/gcloud.rb | 4 +++-
 .../stub_domains_private/controls/gcloud.rb | 4 +++-
 .../controls/gcloud.rb | 4 +++-
 .../upstream_nameservers/controls/gcloud.rb | 4 +++-
 variables.tf | 2 +-
 30 files changed, 76 insertions(+), 36 deletions(-)

diff --git a/README.md b/README.md
index 5bef0a3bae..4cedbec768 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 node_pools = [
 {
@@ -164,7 +164,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/autogen/main/README.md b/autogen/main/README.md
index c89e2e9ce7..093f7e69b9 100644
--- a/autogen/main/README.md
+++ b/autogen/main/README.md
@@ -73,7 +73,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 {% if private_cluster %}
 enable_private_endpoint = true
 enable_private_nodes = true
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index f3fea7c602..bd75e20a87 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }
 variable "network_policy_provider" {
diff --git a/docs/upgrading_to_v14.0.md b/docs/upgrading_to_v14.0.md
index ea0007a98f..55b6d1ce0d 100644
--- a/docs/upgrading_to_v14.0.md
+++ b/docs/upgrading_to_v14.0.md
@@ -17,6 +17,20 @@ The `registry_project_id` variable has been replaced with a `registry_project_id
 }
 ```
+### network_policy disabled by default
+The `network_policy` variable is now `false` by default (instead of `true`).
+If you want to keep using the network policy addon for your cluster, make
+sure that the `network_policy` variable is set to `true`:
+```diff
+module "gke" {
+ source = "terraform-google-modules/kubernetes-engine/google"
+- version = "~> 13.0"
++ version = "~> 14.0"
+
++ network_policy = true
+}
+```
+
 ### ASM default version changed to 1.8
 [ASM submodule](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/asm) has been changed to use ASM v1.8 as default.
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index f065fb3a5e..17f5c204d7 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -68,7 +68,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "10.0.0.0/28"
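Review bot: The `description` of `variable "network_policy"` still reads only `Enable network policy addon`, so a reader of the generated module interface is not told that enforcement is now opt-in and that, presumably, NetworkPolicy resources applied to the cluster are accepted but not enforced while the addon is off. Because this template feeds the per-module `variables.tf` files, I'd state the new default and its consequence here: `description = "Enable network policy addon. Defaults to false; while disabled, NetworkPolicy resources in the cluster are not enforced."`. The same applies to the copies of this hunk in `variables.tf` and under `modules/*/variables.tf`. The `variable "network_policy_provider"` block that opens on the hunk's last line continues outside it; its `"CALICO"` default now has no effect unless `network_policy` is set to `true`, which is worth a sentence in that description as well.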
@@ -217,7 +217,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index cd2487b353..e1045edf1e 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }
 variable "network_policy_provider" {
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 9dff5b0e3e..275a613c01 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -46,7 +46,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "10.0.0.0/28"
@@ -195,7 +195,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index cd2487b353..e1045edf1e 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }
 variable "network_policy_provider" {
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 8e632524c0..89d237c620 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -65,7 +65,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 istio = true
 cloudrun = true
 dns_cache = false
@@ -206,7 +206,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 0deb6f32d5..347359ab7a 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }
 variable "network_policy_provider" {
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 39f3535449..ff180acd04 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -43,7 +43,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 istio = true
 cloudrun = true
 dns_cache = false
@@ -184,7 +184,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 0deb6f32d5..347359ab7a 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }
 variable "network_policy_provider" {
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index e5ce667612..67220000a7 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -68,7 +68,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "10.0.0.0/28"
@@ -196,7 +196,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 1d2dde3fc5..7c36d04521 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }
 variable "network_policy_provider" {
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index b3e82a7a45..9b8a11602a 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -46,7 +46,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "10.0.0.0/28"
@@ -174,7 +174,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 1d2dde3fc5..7c36d04521 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }
 variable "network_policy_provider" {
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
index c7d67591e2..8653bc8d8a 100644
--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -57,7 +57,9 @@
 },
 "kalmConfig" => {},
 "configConnectorConfig" => {},
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 "istioConfig" => {"auth"=>"AUTH_MUTUAL_TLS"},
 "cloudRunConfig" => including(
 "loadBalancerType" => "LOAD_BALANCER_TYPE_EXTERNAL",
diff --git a/test/integration/private_zonal_with_networking/controls/gcloud.rb b/test/integration/private_zonal_with_networking/controls/gcloud.rb
index ef275f21ae..0f0c55dd85 100644
--- a/test/integration/private_zonal_with_networking/controls/gcloud.rb
+++ b/test/integration/private_zonal_with_networking/controls/gcloud.rb
@@ -63,7 +63,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/sandbox_enabled/controls/gcloud.rb b/test/integration/sandbox_enabled/controls/gcloud.rb
index 104c284701..6f042616a1 100644
--- a/test/integration/sandbox_enabled/controls/gcloud.rb
+++ b/test/integration/sandbox_enabled/controls/gcloud.rb
@@ -50,7 +50,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_regional/controls/gcloud.rb b/test/integration/simple_regional/controls/gcloud.rb
index ba30021332..eac8fd0ee7 100644
--- a/test/integration/simple_regional/controls/gcloud.rb
+++ b/test/integration/simple_regional/controls/gcloud.rb
@@ -50,7 +50,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
diff --git a/test/integration/simple_regional_private/controls/gcloud.rb b/test/integration/simple_regional_private/controls/gcloud.rb
index 4d2c88e0b8..0c0592d847 100644
--- a/test/integration/simple_regional_private/controls/gcloud.rb
+++ b/test/integration/simple_regional_private/controls/gcloud.rb
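Review bot: With the default flipped, every fixture touched by this patch now asserts `"networkPolicyConfig" => { "disabled" => true }`, and nothing in the diff shows a fixture that still sets `network_policy = true` and checks the addon is on, so the enabled path — the one that actually enforces NetworkPolicy objects, presumably through the `network_policy_provider` default of `"CALICO"` — may have lost its integration coverage. I'd keep at least one fixture with `network_policy = true` whose expectation retains the pre-change shape `"networkPolicyConfig" => {}`, so a regression that silently leaves the addon off is caught. The same point applies to the other `controls/gcloud.rb` hunks in this patch (private_zonal_with_networking, sandbox_enabled, simple_regional, simple_regional_private, simple_regional_with_kubeconfig, simple_regional_with_networking, simple_zonal, simple_zonal_private, stub_domains, stub_domains_private, stub_domains_upstream_nameservers, upstream_nameservers). The hash literal this entry sits in opens before the hunk and the matcher call that wraps it closes after it.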
@@ -58,7 +58,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb b/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb
index 235f0db26f..23ab5ab602 100644
--- a/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb
+++ b/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb
@@ -50,7 +50,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_regional_with_networking/controls/gcloud.rb b/test/integration/simple_regional_with_networking/controls/gcloud.rb
index bc92583e82..baaf7502ae 100644
--- a/test/integration/simple_regional_with_networking/controls/gcloud.rb
+++ b/test/integration/simple_regional_with_networking/controls/gcloud.rb
@@ -50,7 +50,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_zonal/controls/gcloud.rb b/test/integration/simple_zonal/controls/gcloud.rb
index 6a39d0eb9c..a9bbbc96b7 100644
--- a/test/integration/simple_zonal/controls/gcloud.rb
+++ b/test/integration/simple_zonal/controls/gcloud.rb
@@ -55,7 +55,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_zonal_private/controls/gcloud.rb b/test/integration/simple_zonal_private/controls/gcloud.rb
index 2cba223155..c42ab33748 100644
--- a/test/integration/simple_zonal_private/controls/gcloud.rb
+++ b/test/integration/simple_zonal_private/controls/gcloud.rb
@@ -58,7 +58,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/stub_domains/controls/gcloud.rb b/test/integration/stub_domains/controls/gcloud.rb
index 0730274840..8131dc371f 100644
--- a/test/integration/stub_domains/controls/gcloud.rb
+++ b/test/integration/stub_domains/controls/gcloud.rb
@@ -42,7 +42,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/stub_domains_private/controls/gcloud.rb b/test/integration/stub_domains_private/controls/gcloud.rb
index 90251e9d5c..2efafdb393 100644
--- a/test/integration/stub_domains_private/controls/gcloud.rb
+++ b/test/integration/stub_domains_private/controls/gcloud.rb
@@ -49,7 +49,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb b/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb
index 0730274840..8131dc371f 100644
--- a/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb
+++ b/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb
@@ -42,7 +42,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/upstream_nameservers/controls/gcloud.rb b/test/integration/upstream_nameservers/controls/gcloud.rb
index 0730274840..8131dc371f 100644
--- a/test/integration/upstream_nameservers/controls/gcloud.rb
+++ b/test/integration/upstream_nameservers/controls/gcloud.rb
@@ -42,7 +42,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/variables.tf b/variables.tf
index c0bd3b6ee0..c75ed61b1d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }
 variable "network_policy_provider" {