feat: Add support for configuring allow_net_admin in autopilot cluste…

…rs (#1768)

autogen/main/cluster.tf.tmpl

@@ -326,6 +326,10 @@ resource "google_container_cluster" "primary" {
     }
     {% endif %}
   }
+  {% if autopilot_cluster %}
+
+  allow_net_admin = var.allow_net_admin
+  {% endif %}
   {% if autopilot_cluster != true %}
 
   datapath_provider = var.datapath_provider

autogen/main/variables.tf.tmpl

@@ -849,3 +849,10 @@ variable "enable_gcfs" {
 }
   {% endif %}
 {% endif %}
+{% if autopilot_cluster %}
+variable "allow_net_admin" {
+  description = "(Optional) Enable NET_ADMIN for the cluster."
+  type = bool
+  default = null
+}
+{% endif %}

modules/beta-autopilot-private-cluster/README.md

@@ -75,6 +75,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |

modules/beta-autopilot-private-cluster/cluster.tf

@@ -130,6 +130,8 @@ resource "google_container_cluster" "primary" {
 
   }
 
+  allow_net_admin = var.allow_net_admin
+
   networking_mode = "VPC_NATIVE"
 
   protect_config {

modules/beta-autopilot-private-cluster/variables.tf

@@ -448,3 +448,8 @@ variable "timeouts" {
   }
 }
 
+variable "allow_net_admin" {
+  description = "(Optional) Enable NET_ADMIN for the cluster."
+  type        = bool
+  default     = null
+}

modules/beta-autopilot-public-cluster/README.md

@@ -69,6 +69,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |

modules/beta-autopilot-public-cluster/cluster.tf

@@ -130,6 +130,8 @@ resource "google_container_cluster" "primary" {
 
   }
 
+  allow_net_admin = var.allow_net_admin
+
   networking_mode = "VPC_NATIVE"
 
   protect_config {

modules/beta-autopilot-public-cluster/variables.tf

@@ -418,3 +418,8 @@ variable "timeouts" {
   }
 }
 
+variable "allow_net_admin" {
+  description = "(Optional) Enable NET_ADMIN for the cluster."
+  type        = bool
+  default     = null
+}