From 41a0c83955079464d044adbd52d972fb8d69a909 Mon Sep 17 00:00:00 2001 From: Peter C Date: Tue, 7 Dec 2021 18:32:57 -0500 Subject: [PATCH] feat: Use ADVANCED_DATAPATH (aka. Dataplane V2) for safer-cluster modules (#1085) BREAKING CHANGE: safer-cluster modules now use ADVANCED_DATAPATH by default. Set `datapath_provider` to `DATAPATH_PROVIDER_UNSPECIFIED` to continue using Dataplane v1. --- autogen/safer-cluster/main.tf.tmpl | 10 +++++++++- autogen/safer-cluster/variables.tf.tmpl | 6 ++++++ modules/safer-cluster-update-variant/README.md | 1 + modules/safer-cluster-update-variant/main.tf | 10 +++++++++- .../safer-cluster-update-variant/variables.tf | 6 ++++++ modules/safer-cluster/README.md | 1 + modules/safer-cluster/main.tf | 10 +++++++++- modules/safer-cluster/variables.tf | 6 ++++++ .../safer_cluster/controls/gcloud.rb | 17 +++++++++++------ 9 files changed, 58 insertions(+), 9 deletions(-) diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index 8432943d9..720b1eb87 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -65,7 +65,15 @@ module "gke" { // NetworkPolicies need to be configured in every namespace. The network // policies should be under the control of a cental cluster management team, // rather than individual teams. - network_policy = true + // + // NOTE: Dataplane-V2 conflicts with the Calico network policy add-on because + // it provides redundant NetworkPolicy capabilities. If V2 is enabled, the + // Calico add-on should be disabled. + network_policy = var.datapath_provider == "ADVANCED_DATAPATH" ? false : true + + // Default to the recommended Dataplane V2 which enables NetworkPolicies and + // allows for network policy logging of allowed and denied requests to Pods. + datapath_provider = var.datapath_provider maintenance_start_time = var.maintenance_start_time diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 5d7eaea69..7dd286b2a 100644 --- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -95,6 +95,12 @@ variable "http_load_balancing" { default = true } +variable "datapath_provider" { + type = string + description = "The desired datapath provider for this cluster. By default, `ADVANCED_DATAPATH` enables Dataplane-V2 feature. `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation as a fallback since upgrading to V2 requires a cluster re-creation." + default = "ADVANCED_DATAPATH" +} + variable "maintenance_start_time" { type = string description = "Time window specified for daily maintenance operations in RFC3339 format" diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index 0508e75bf..10bcc3434 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md @@ -208,6 +208,7 @@ For simplicity, we suggest using `roles/container.admin` and | compute\_engine\_service\_account | Use the given service account for nodes rather than creating a new dedicated service account. | `string` | `""` | no | | config\_connector | (Beta) Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | 
[
  {
    "key_name": "",
    "state": "DECRYPTED"
  }
]
| no | +| datapath\_provider | The desired datapath provider for this cluster. By default, `ADVANCED_DATAPATH` enables Dataplane-V2 feature. `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation as a fallback since upgrading to V2 requires a cluster re-creation. | `string` | `"ADVANCED_DATAPATH"` | no | | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no | | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 36d63d05e..b3a501f92 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -61,7 +61,15 @@ module "gke" { // NetworkPolicies need to be configured in every namespace. The network // policies should be under the control of a cental cluster management team, // rather than individual teams. - network_policy = true + // + // NOTE: Dataplane-V2 conflicts with the Calico network policy add-on because + // it provides redundant NetworkPolicy capabilities. If V2 is enabled, the + // Calico add-on should be disabled. + network_policy = var.datapath_provider == "ADVANCED_DATAPATH" ? false : true + + // Default to the recommended Dataplane V2 which enables NetworkPolicies and + // allows for network policy logging of allowed and denied requests to Pods. + datapath_provider = var.datapath_provider maintenance_start_time = var.maintenance_start_time diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 2bb14cbe7..c8cc2f8a0 100644 --- a/modules/safer-cluster-update-variant/variables.tf +++ b/modules/safer-cluster-update-variant/variables.tf @@ -95,6 +95,12 @@ variable "http_load_balancing" { default = true } +variable "datapath_provider" { + type = string + description = "The desired datapath provider for this cluster. By default, `ADVANCED_DATAPATH` enables Dataplane-V2 feature. `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation as a fallback since upgrading to V2 requires a cluster re-creation." + default = "ADVANCED_DATAPATH" +} + variable "maintenance_start_time" { type = string description = "Time window specified for daily maintenance operations in RFC3339 format" diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index 0508e75bf..10bcc3434 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md @@ -208,6 +208,7 @@ For simplicity, we suggest using `roles/container.admin` and | compute\_engine\_service\_account | Use the given service account for nodes rather than creating a new dedicated service account. | `string` | `""` | no | | config\_connector | (Beta) Whether ConfigConnector is enabled for this cluster. | `bool` | `false` | no | | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key\_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key\_name is the name of a CloudKMS key. | `list(object({ state = string, key_name = string }))` | 
[
  {
    "key_name": "",
    "state": "DECRYPTED"
  }
]
| no | +| datapath\_provider | The desired datapath provider for this cluster. By default, `ADVANCED_DATAPATH` enables Dataplane-V2 feature. `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation as a fallback since upgrading to V2 requires a cluster re-creation. | `string` | `"ADVANCED_DATAPATH"` | no | | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no | | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 3b09c1dca..803144e50 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -61,7 +61,15 @@ module "gke" { // NetworkPolicies need to be configured in every namespace. The network // policies should be under the control of a cental cluster management team, // rather than individual teams. - network_policy = true + // + // NOTE: Dataplane-V2 conflicts with the Calico network policy add-on because + // it provides redundant NetworkPolicy capabilities. If V2 is enabled, the + // Calico add-on should be disabled. + network_policy = var.datapath_provider == "ADVANCED_DATAPATH" ? false : true + + // Default to the recommended Dataplane V2 which enables NetworkPolicies and + // allows for network policy logging of allowed and denied requests to Pods. + datapath_provider = var.datapath_provider maintenance_start_time = var.maintenance_start_time diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 2bb14cbe7..c8cc2f8a0 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf @@ -95,6 +95,12 @@ variable "http_load_balancing" { default = true } +variable "datapath_provider" { + type = string + description = "The desired datapath provider for this cluster. By default, `ADVANCED_DATAPATH` enables Dataplane-V2 feature. `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation as a fallback since upgrading to V2 requires a cluster re-creation." + default = "ADVANCED_DATAPATH" +} + variable "maintenance_start_time" { type = string description = "Time window specified for daily maintenance operations in RFC3339 format" diff --git a/test/integration/safer_cluster/controls/gcloud.rb b/test/integration/safer_cluster/controls/gcloud.rb index 5f05dfd0f..14323652c 100644 --- a/test/integration/safer_cluster/controls/gcloud.rb +++ b/test/integration/safer_cluster/controls/gcloud.rb @@ -57,16 +57,21 @@ "kubernetesDashboard" => including( "disabled" => true, ), - "networkPolicyConfig" => {}, + "networkPolicyConfig" => including( + "disabled" => true, + ), ) end end - it "has network policy enabled" do - expect(data['networkPolicy']).to eq({ - "enabled" => true, - "provider" => "CALICO", - }) + it "has network policy disabled" do + expect(data['networkPolicy']).to be_nil + end + + it "has dataplane v2 enabled" do + expect(data['networkConfig']).to include( + "datapathProvider" => "ADVANCED_DATAPATH" + ) end it "has binary authorization" do