From 493149d37aa13bbda1fc8dbcaec1b40f051c642e Mon Sep 17 00:00:00 2001
From: Ross Bannerman
Date: Tue, 14 Nov 2023 19:44:01 -0500
Subject: [PATCH] feat: Add support for configuring allow_net_admin in autopilot clusters (#1768)

---
 autogen/main/cluster.tf.tmpl | 4 ++++
 autogen/main/variables.tf.tmpl | 7 +++++++
 modules/beta-autopilot-private-cluster/README.md | 1 +
 modules/beta-autopilot-private-cluster/cluster.tf | 2 ++
 modules/beta-autopilot-private-cluster/variables.tf | 5 +++++
 modules/beta-autopilot-public-cluster/README.md | 1 +
 modules/beta-autopilot-public-cluster/cluster.tf | 2 ++
 modules/beta-autopilot-public-cluster/variables.tf | 5 +++++
 8 files changed, 27 insertions(+)

diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 4d36e1994..577dc312f 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -326,6 +326,10 @@ resource "google_container_cluster" "primary" {
 }
 {% endif %}
 }
+ {% if autopilot_cluster %}
+
+ allow_net_admin = var.allow_net_admin
+ {% endif %}
 {% if autopilot_cluster != true %}
 datapath_provider = var.datapath_provider
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index b4937103d..d97f8b4ee 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -849,3 +849,10 @@ variable "enable_gcfs" {
 }
 {% endif %}
 {% endif %}
+{% if autopilot_cluster %}
+variable "allow_net_admin" {
+ description = "(Optional) Enable NET_ADMIN for the cluster."
+ type = bool
+ default = null
+}
+{% endif %}
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index d07c96ba6..0065139e5 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
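Review bot: The description on the new `allow_net_admin` variable in the variables.tf.tmpl hunk says only "(Optional) Enable NET_ADMIN for the cluster.", which does not tell a module user that this is a privilege-widening setting: as far as I can tell from the provider attribute it maps to, setting it to true lets workloads in the Autopilot cluster request the NET_ADMIN Linux capability that Autopilot otherwise refuses, so it should be left unset unless a workload demonstrably needs it. Suggest `description = "Enable NET_ADMIN for the cluster (Autopilot only). When true, workloads may request the NET_ADMIN Linux capability, which Autopilot otherwise disallows; leave unset (null) to keep the provider default."` and dropping the "(Optional)" prefix, since the neighbouring rows in the generated README tables do not carry it and the table's last column already records that the variable is not required. Because the module variables.tf files and README rows are generated from this template, the same wording applies to the `allow_net_admin` blocks in modules/beta-autopilot-private-cluster/variables.tf and modules/beta-autopilot-public-cluster/variables.tf and to both README rows, so change it here and regenerate rather than editing those by hand.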
@@ -75,6 +75,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 62f7e174e..f73640869 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -130,6 +130,8 @@ resource "google_container_cluster" "primary" {
 }
+ allow_net_admin = var.allow_net_admin
+
 networking_mode = "VPC_NATIVE"
 protect_config {
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index bf6494953..4bb85fac2 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -448,3 +448,8 @@ variable "timeouts" {
 }
 }
+variable "allow_net_admin" {
+ description = "(Optional) Enable NET_ADMIN for the cluster."
+ type = bool
+ default = null
+}
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 6214c27a0..e80fb4b92 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -69,6 +69,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index b7466a440..7e0bccf5b 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -130,6 +130,8 @@ resource "google_container_cluster" "primary" {
 }
+ allow_net_admin = var.allow_net_admin
+
 networking_mode = "VPC_NATIVE"
 protect_config {
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 6329fcd5c..cadce988a 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -418,3 +418,8 @@ variable "timeouts" {
 }
 }
+variable "allow_net_admin" {
+ description = "(Optional) Enable NET_ADMIN for the cluster."
+ type = bool
+ default = null
+}