From 33542057d8c648d585e81afbe72eec0ca84a4fee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Keusters?= <68340898+JeremyKeustersML6@users.noreply.github.com>
Date: Fri, 26 Feb 2021 19:54:20 +0100
Subject: [PATCH] feat: Require actively enabling network policy (#809)

BREAKING CHANGE: The `network_policy` variable now defaults to `false`.
---
 README.md | 4 ++--
 autogen/main/README.md | 2 +-
 autogen/main/variables.tf.tmpl | 2 +-
 docs/upgrading_to_v14.0.md | 14 ++++++++++++++
 .../beta-private-cluster-update-variant/README.md | 4 ++--
 .../variables.tf | 2 +-
 modules/beta-private-cluster/README.md | 4 ++--
 modules/beta-private-cluster/variables.tf | 2 +-
 .../beta-public-cluster-update-variant/README.md | 4 ++--
 .../variables.tf | 2 +-
 modules/beta-public-cluster/README.md | 4 ++--
 modules/beta-public-cluster/variables.tf | 2 +-
 modules/private-cluster-update-variant/README.md | 4 ++--
 .../private-cluster-update-variant/variables.tf | 2 +-
 modules/private-cluster/README.md | 4 ++--
 modules/private-cluster/variables.tf | 2 +-
 test/integration/beta_cluster/controls/gcloud.rb | 4 +++-
 .../controls/gcloud.rb | 4 +++-
 .../integration/sandbox_enabled/controls/gcloud.rb | 4 +++-
 .../integration/simple_regional/controls/gcloud.rb | 4 +++-
 .../simple_regional_private/controls/gcloud.rb | 4 +++-
 .../controls/gcloud.rb | 4 +++-
 .../controls/gcloud.rb | 4 +++-
 test/integration/simple_zonal/controls/gcloud.rb | 4 +++-
 .../simple_zonal_private/controls/gcloud.rb | 4 +++-
 test/integration/stub_domains/controls/gcloud.rb | 4 +++-
 .../stub_domains_private/controls/gcloud.rb | 4 +++-
 .../controls/gcloud.rb | 4 +++-
 .../upstream_nameservers/controls/gcloud.rb | 4 +++-
 variables.tf | 2 +-
 30 files changed, 76 insertions(+), 36 deletions(-)

diff --git a/README.md b/README.md
index 5bef0a3ba..4cedbec76 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false

 node_pools = [
 {
@@ -164,7 +164,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/autogen/main/README.md b/autogen/main/README.md
index c89e2e9ce..093f7e69b 100644
--- a/autogen/main/README.md
+++ b/autogen/main/README.md
@@ -73,7 +73,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 {% if private_cluster %}
 enable_private_endpoint = true
 enable_private_nodes = true
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index f3fea7c60..bd75e20a8 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }

 variable "network_policy_provider" {
diff --git a/docs/upgrading_to_v14.0.md b/docs/upgrading_to_v14.0.md
index ea0007a98..55b6d1ce0 100644
--- a/docs/upgrading_to_v14.0.md
+++ b/docs/upgrading_to_v14.0.md
@@ -17,6 +17,20 @@ The `registry_project_id` variable has been replaced with a `registry_project_id
 }
 ```
+### network_policy disabled by default
+The `network_policy` variable is now `false` by default (instead of `true`).
+If you want to keep using the network policy addon for your cluster, make
+sure that the `network_policy` variable is set to `true`:
+```diff
+module "gke" {
+ source = "terraform-google-modules/kubernetes-engine/google"
+- version = "~> 13.0"
++ version = "~> 14.0"
+
++ network_policy = true
+}
+```
+
 ### ASM default version changed to 1.8
 [ASM submodule](https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/asm) has been changed to use ASM v1.8 as default.
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index f065fb3a5..17f5c204d 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -68,7 +68,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "10.0.0.0/28"
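Review bot: The `description` of `network_policy` still reads only "Enable network policy addon" while the default beside it flips from `true` to `false`, so the generated README tables in this patch give no hint that NetworkPolicy objects are no longer enforced unless the caller opts in. Because this is a security control being switched off by default, the variable itself should say so, e.g. `description = "Enable network policy addon. Defaults to false; set to true so NetworkPolicy objects in the cluster are enforced (see network_policy_provider)."`. The same unchanged description appears in every modules/*/variables.tf hunk and in the root variables.tf hunk; if those files are regenerated from this template, as the autogen/ path suggests, fixing it here should propagate to all of them. Pointing the description or the README tables at docs/upgrading_to_v14.0.md would also help callers notice the changed posture when they bump the module version.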
@@ -217,7 +217,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index cd2487b35..e1045edf1 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }

 variable "network_policy_provider" {
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 9dff5b0e3..275a613c0 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -46,7 +46,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "10.0.0.0/28"
@@ -195,7 +195,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index cd2487b35..e1045edf1 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }

 variable "network_policy_provider" {
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 8e632524c..89d237c62 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -65,7 +65,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 istio = true
 cloudrun = true
 dns_cache = false
@@ -206,7 +206,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 0deb6f32d..347359ab7 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }

 variable "network_policy_provider" {
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 39f353544..ff180acd0 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -43,7 +43,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 istio = true
 cloudrun = true
 dns_cache = false
@@ -184,7 +184,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 0deb6f32d..347359ab7 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }

 variable "network_policy_provider" {
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index e5ce66761..67220000a 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -68,7 +68,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "10.0.0.0/28"
@@ -196,7 +196,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 1d2dde3fc..7c36d0452 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }

 variable "network_policy_provider" {
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index b3e82a7a4..9b8a11602 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -46,7 +46,7 @@ module "gke" {
 ip_range_services = "us-central1-01-gke-01-services"
 http_load_balancing = false
 horizontal_pod_autoscaling = true
- network_policy = true
+ network_policy = false
 enable_private_endpoint = true
 enable_private_nodes = true
 master_ipv4_cidr_block = "10.0.0.0/28"
@@ -174,7 +174,7 @@ Then perform the following commands on the root folder:
 | monitoring\_service | The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none | `string` | `"monitoring.googleapis.com/kubernetes"` | no |
 | name | The name of the cluster (required) | `string` | n/a | yes |
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
-| network\_policy | Enable network policy addon | `bool` | `true` | no |
+| network\_policy | Enable network policy addon | `bool` | `false` | no |
 | network\_policy\_provider | The network policy provider. | `string` | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | node\_metadata | Specifies how node metadata is exposed to the workload running on the node | `string` | `"GKE_METADATA_SERVER"` | no |
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 1d2dde3fc..7c36d0452 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }

 variable "network_policy_provider" {
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
index c7d67591e..8653bc8d8 100644
--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -57,7 +57,9 @@
 },
 "kalmConfig" => {},
 "configConnectorConfig" => {},
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 "istioConfig" => {"auth"=>"AUTH_MUTUAL_TLS"},
 "cloudRunConfig" => including(
 "loadBalancerType" => "LOAD_BALANCER_TYPE_EXTERNAL",
diff --git a/test/integration/private_zonal_with_networking/controls/gcloud.rb b/test/integration/private_zonal_with_networking/controls/gcloud.rb
index ef275f21a..0f0c55dd8 100644
--- a/test/integration/private_zonal_with_networking/controls/gcloud.rb
+++ b/test/integration/private_zonal_with_networking/controls/gcloud.rb
@@ -63,7 +63,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/sandbox_enabled/controls/gcloud.rb b/test/integration/sandbox_enabled/controls/gcloud.rb
index 104c28470..6f042616a 100644
--- a/test/integration/sandbox_enabled/controls/gcloud.rb
+++ b/test/integration/sandbox_enabled/controls/gcloud.rb
@@ -50,7 +50,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_regional/controls/gcloud.rb b/test/integration/simple_regional/controls/gcloud.rb
index ba3002133..eac8fd0ee 100644
--- a/test/integration/simple_regional/controls/gcloud.rb
+++ b/test/integration/simple_regional/controls/gcloud.rb
@@ -50,7 +50,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
diff --git a/test/integration/simple_regional_private/controls/gcloud.rb b/test/integration/simple_regional_private/controls/gcloud.rb
index 4d2c88e0b..0c0592d84 100644
--- a/test/integration/simple_regional_private/controls/gcloud.rb
+++ b/test/integration/simple_regional_private/controls/gcloud.rb
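Review bot: Every integration fixture now asserts `"networkPolicyConfig" => { "disabled" => true }`, and nothing in this patch sets `network_policy = true` in any test example, so the enabled path (the addon together with the `CALICO` `network_policy_provider`) appears to lose its only integration coverage unless a fixture outside this diff still opts in. Rather than dropping the old `"networkPolicyConfig" => {},` expectation everywhere, one suite — beta_cluster is the natural choice since this hunk already checks the other addons — should set `network_policy = true` in its example and keep `"networkPolicyConfig" => {},` as the expected value, so a regression in the opt-in path is still caught. The same replacement is made in the private_zonal_with_networking, sandbox_enabled, simple_regional, simple_regional_private, simple_regional_with_kubeconfig, simple_regional_with_networking, simple_zonal, simple_zonal_private, stub_domains, stub_domains_private, stub_domains_upstream_nameservers and upstream_nameservers hunks. The enclosing expectation block starts and ends outside this hunk.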
@@ -58,7 +58,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb b/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb
index 235f0db26..23ab5ab60 100644
--- a/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb
+++ b/test/integration/simple_regional_with_kubeconfig/controls/gcloud.rb
@@ -50,7 +50,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_regional_with_networking/controls/gcloud.rb b/test/integration/simple_regional_with_networking/controls/gcloud.rb
index bc92583e8..baaf7502a 100644
--- a/test/integration/simple_regional_with_networking/controls/gcloud.rb
+++ b/test/integration/simple_regional_with_networking/controls/gcloud.rb
@@ -50,7 +50,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_zonal/controls/gcloud.rb b/test/integration/simple_zonal/controls/gcloud.rb
index 6a39d0eb9..a9bbbc96b 100644
--- a/test/integration/simple_zonal/controls/gcloud.rb
+++ b/test/integration/simple_zonal/controls/gcloud.rb
@@ -55,7 +55,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/simple_zonal_private/controls/gcloud.rb b/test/integration/simple_zonal_private/controls/gcloud.rb
index 2cba22315..c42ab3374 100644
--- a/test/integration/simple_zonal_private/controls/gcloud.rb
+++ b/test/integration/simple_zonal_private/controls/gcloud.rb
@@ -58,7 +58,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/stub_domains/controls/gcloud.rb b/test/integration/stub_domains/controls/gcloud.rb
index 073027484..8131dc371 100644
--- a/test/integration/stub_domains/controls/gcloud.rb
+++ b/test/integration/stub_domains/controls/gcloud.rb
@@ -42,7 +42,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/stub_domains_private/controls/gcloud.rb b/test/integration/stub_domains_private/controls/gcloud.rb
index 90251e9d5..2efafdb39 100644
--- a/test/integration/stub_domains_private/controls/gcloud.rb
+++ b/test/integration/stub_domains_private/controls/gcloud.rb
@@ -49,7 +49,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb b/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb
index 073027484..8131dc371 100644
--- a/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb
+++ b/test/integration/stub_domains_upstream_nameservers/controls/gcloud.rb
@@ -42,7 +42,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/test/integration/upstream_nameservers/controls/gcloud.rb b/test/integration/upstream_nameservers/controls/gcloud.rb
index 073027484..8131dc371 100644
--- a/test/integration/upstream_nameservers/controls/gcloud.rb
+++ b/test/integration/upstream_nameservers/controls/gcloud.rb
@@ -42,7 +42,9 @@
 "kubernetesDashboard" => {
 "disabled" => true,
 },
- "networkPolicyConfig" => {},
+ "networkPolicyConfig" => {
+ "disabled" => true,
+ },
 )
 end
 end
diff --git a/variables.tf b/variables.tf
index c0bd3b6ee..c75ed61b1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -99,7 +99,7 @@ variable "http_load_balancing" {
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
- default = true
+ default = false
 }

 variable "network_policy_provider" {