From 878917d7d7d27c32677a3ee88d108c041a4ec6f5 Mon Sep 17 00:00:00 2001 From: Ihor Pukha Date: Wed, 5 Jun 2019 18:54:04 +0300 Subject: [PATCH 01/13] Add configuration flag for `pod_security_policy_config` #140 --- autogen/cluster_regional.tf | 1 + autogen/cluster_zonal.tf | 1 + autogen/main.tf | 11 +++++++++++ autogen/outputs.tf | 8 ++++++++ autogen/variables.tf | 4 ++++ 5 files changed, 25 insertions(+) diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf index 36bfdb1cd4..9d2c0d1bb0 100644 --- a/autogen/cluster_regional.tf +++ b/autogen/cluster_regional.tf @@ -44,6 +44,7 @@ resource "google_container_cluster" "primary" { {% if private_cluster %} enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" {% endif %} master_authorized_networks_config = ["${var.master_authorized_networks_config}"] diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf index 00b5729a4d..8bec6d4219 100644 --- a/autogen/cluster_zonal.tf +++ b/autogen/cluster_zonal.tf @@ -44,6 +44,7 @@ resource "google_container_cluster" "zonal_primary" { {% if private_cluster %} enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" {% endif %} master_authorized_networks_config = ["${var.master_authorized_networks_config}"] diff --git a/autogen/main.tf b/autogen/main.tf index 3592fd1abc..09ae0ccefb 100644 --- a/autogen/main.tf +++ b/autogen/main.tf 
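Review bot: The new `pod_security_policy_config = "${var.pod_security_policy_config}"` line in the regional (and zonal) cluster resource sits inside the `{% if private_cluster %}` template guard with no comment saying why a PodSecurityPolicy setting is tied to private clusters; PSP admission has nothing to do with private networking, so a reader will take this for a bug. If the reason is that only the private-cluster module is rendered against the google-beta provider, which `pod_security_policy_config` required at the time, say so above the guard: `{# beta-only cluster features (enable_binary_authorization, pod_security_policy_config): rendered only for the google-beta private-cluster module #}`. The provider assumption is inferred; confirm it against the module's provider block, which is outside this hunk.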
@@ -139,6 +139,14 @@ locals { zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" } +{% if private_cluster %} + cluster_type_output_pod_security_policy_enabled = { + regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + } + +{% endif %} + cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" @@ -161,6 +169,9 @@ locals { cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}" +{% if private_cluster %} + cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? false : true}" +{% endif %} } /****************************************** diff --git a/autogen/outputs.tf b/autogen/outputs.tf index d7bcf2a2a0..b660b25295 100644 --- a/autogen/outputs.tf +++ b/autogen/outputs.tf @@ -112,3 +112,11 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = "${local.service_account}" } + +{% if private_cluster %} +output "pod_security_policy_enabled" { +description = "Whether pod security policy is enabled" +value = "${local.cluster_pod_security_policy_enabled}" +} + +{% endif %} \ No newline at end of file 
diff --git a/autogen/variables.tf b/autogen/variables.tf index 1b4ce5b884..b7c369864e 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -90,6 +90,10 @@ variable "master_authorized_networks_config" { variable "enable_binary_authorization" { description = "Enable BinAuthZ Admission controller" default = false + +variable "pod_security_policy_config" { + description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + default = [{ "enabled" = false }] } {% endif %} From c39f7e614db62b311eebec6a5b5143eb716ccdef Mon Sep 17 00:00:00 2001 From: Ihor Pukha Date: Wed, 5 Jun 2019 19:16:56 +0300 Subject: [PATCH 02/13] Files generated from templates --- modules/private-cluster/README.md | 2 ++ modules/private-cluster/cluster_regional.tf | 2 ++ modules/private-cluster/cluster_zonal.tf | 2 ++ modules/private-cluster/main.tf | 6 ++++++ modules/private-cluster/outputs.tf | 6 ++++++ modules/private-cluster/variables.tf | 7 +++++++ outputs.tf | 1 + 7 files changed, 26 insertions(+) diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 52c969f71b..0f173c16d6 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -155,6 +155,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | | node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no | +| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no | | project\_id | The project ID to host the cluster in (required) | string | n/a | yes | | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | @@ -183,6 +184,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | | node\_pools\_versions | List of node pools versions | +| pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | type | Cluster type (regional / zonal) | diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index 9630acf411..be94502867 100644 --- a/modules/private-cluster/cluster_regional.tf +++ b/modules/private-cluster/cluster_regional.tf 
@@ -43,6 +43,8 @@ resource "google_container_cluster" "primary" { monitoring_service = "${var.monitoring_service}" enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" + master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf index fc98826190..8143af9566 100644 --- a/modules/private-cluster/cluster_zonal.tf +++ b/modules/private-cluster/cluster_zonal.tf @@ -43,6 +43,8 @@ resource "google_container_cluster" "zonal_primary" { monitoring_service = "${var.monitoring_service}" enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" + master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 4c5c780309..7dd05dac04 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -132,6 +132,11 @@ locals { zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" } + cluster_type_output_pod_security_policy_enabled = { + regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + } + cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" 
@@ -154,6 +159,7 @@ locals { cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}" + cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? false : true}" } /****************************************** diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 6b9d5895ab..c5e8534e82 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -112,3 +112,9 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = "${local.service_account}" } + +output "pod_security_policy_enabled" { +description = "Whether pod security policy is enabled" +value = "${local.cluster_pod_security_policy_enabled}" +} + diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index c3537af0de..b98b71e19e 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -89,6 +89,13 @@ variable "master_authorized_networks_config" { variable "enable_binary_authorization" { description = "Enable BinAuthZ Admission controller" default = false + + variable "pod_security_policy_config" { + description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + + default = [{ + "enabled" = false + }] } variable "horizontal_pod_autoscaling" { diff --git a/outputs.tf b/outputs.tf index 6b9d5895ab..38552c4f89 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -112,3 +112,4 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = "${local.service_account}" } + From ab9750eb3c8b5d967426b4ed2509740707f6faf7 Mon Sep 17 00:00:00 2001 From: Ihor Pukha Date: Wed, 5 Jun 2019 19:53:31 +0300 Subject: [PATCH 03/13] Added changes to changelog.md --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index bf81e988cb..ee119cf485 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Extending the adopted spec, each change should have a link to its corresponding ### Added * Add configuration flag for enable BinAuthZ Admission controller [#160] +* Add configuration flag for `pod_security_policy_config` [#163] * Support for a guest accelerator in node pool configuration. [#157] * Support to scale the default node cluster. [#149] * Support for configuring the network policy provider. [#159] From e54e148ac9d0697cadfafc3c4e3131e0fb22a4e0 Mon Sep 17 00:00:00 2001 From: Ingwarr Date: Thu, 6 Jun 2019 18:12:38 +0300 Subject: [PATCH 04/13] Update autogen/cluster_regional.tf Co-Authored-By: Aaron Lane --- autogen/cluster_regional.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf index 9d2c0d1bb0..e055f639dd 100644 --- a/autogen/cluster_regional.tf +++ b/autogen/cluster_regional.tf @@ -43,8 +43,8 @@ resource "google_container_cluster" "primary" { monitoring_service = "${var.monitoring_service}" {% if private_cluster %} - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" + enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" {% endif %} master_authorized_networks_config = ["${var.master_authorized_networks_config}"] 
From 4fdaeeda19468876c31ebb85e6cf97fca0e3e1c7 Mon Sep 17 00:00:00 2001 From: Ingwarr Date: Thu, 6 Jun 2019 18:12:47 +0300 Subject: [PATCH 05/13] Update autogen/main.tf Co-Authored-By: Aaron Lane --- autogen/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/autogen/main.tf b/autogen/main.tf index 09ae0ccefb..4fa1214f30 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -146,7 +146,6 @@ locals { } {% endif %} - cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" From a2b6db13a296432dacb5629709fe5efc49a3a6c5 Mon Sep 17 00:00:00 2001 From: Ingwarr Date: Thu, 6 Jun 2019 18:12:56 +0300 Subject: [PATCH 06/13] Update autogen/outputs.tf Co-Authored-By: Aaron Lane --- autogen/outputs.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/autogen/outputs.tf b/autogen/outputs.tf index b660b25295..7a5439a4ce 100644 --- a/autogen/outputs.tf +++ b/autogen/outputs.tf @@ -115,8 +115,8 @@ output "service_account" { {% if private_cluster %} output "pod_security_policy_enabled" { -description = "Whether pod security policy is enabled" + description = "Whether pod security policy is enabled" value = "${local.cluster_pod_security_policy_enabled}" } -{% endif %} \ No newline at end of file +{% endif %} From 853df6c2142db225c8c1227edde5f2bf0da7bc17 Mon Sep 17 00:00:00 2001 From: Ingwarr Date: Thu, 6 Jun 2019 18:13:05 +0300 Subject: [PATCH 07/13] Update autogen/outputs.tf Co-Authored-By: Aaron Lane --- autogen/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autogen/outputs.tf b/autogen/outputs.tf index 7a5439a4ce..191e303bd1 100644 --- a/autogen/outputs.tf +++ b/autogen/outputs.tf 
@@ -116,7 +116,7 @@ output "service_account" { {% if private_cluster %} output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" -value = "${local.cluster_pod_security_policy_enabled}" + value = "${local.cluster_pod_security_policy_enabled}" } {% endif %} From 593c186324a6c6ec08ad1cfbdf3fc8e239a3cbd5 Mon Sep 17 00:00:00 2001 From: Ingwarr Date: Thu, 6 Jun 2019 18:13:44 +0300 Subject: [PATCH 08/13] Update autogen/main.tf Co-Authored-By: Aaron Lane --- autogen/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autogen/main.tf b/autogen/main.tf index 4fa1214f30..e309c7f6c8 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -140,7 +140,7 @@ locals { } {% if private_cluster %} - cluster_type_output_pod_security_policy_enabled = { + cluster_type_output_pod_security_policy_enabled = { regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" } From 59563ff972a8a7f7c4b58867fe2e33e52cddd9cd Mon Sep 17 00:00:00 2001 From: Ingwarr Date: Thu, 6 Jun 2019 18:13:57 +0300 Subject: [PATCH 09/13] Update autogen/cluster_zonal.tf Co-Authored-By: Aaron Lane --- autogen/cluster_zonal.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf index 8bec6d4219..a1ae54b19f 100644 --- a/autogen/cluster_zonal.tf +++ b/autogen/cluster_zonal.tf 
@@ -43,8 +43,8 @@ resource "google_container_cluster" "zonal_primary" { monitoring_service = "${var.monitoring_service}" {% if private_cluster %} - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" + enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" {% endif %} master_authorized_networks_config = ["${var.master_authorized_networks_config}"] From 73f8285569e62e1afb65ef84b7892bd8137ee718 Mon Sep 17 00:00:00 2001 From: Ihor Pukha Date: Thu, 6 Jun 2019 18:22:06 +0300 Subject: [PATCH 10/13] new files generated --- modules/private-cluster/cluster_regional.tf | 5 ++--- modules/private-cluster/cluster_zonal.tf | 5 ++--- modules/private-cluster/outputs.tf | 4 ++-- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index be94502867..dc22a7b912 100644 --- a/modules/private-cluster/cluster_regional.tf +++ b/modules/private-cluster/cluster_regional.tf @@ -42,9 +42,8 @@ resource "google_container_cluster" "primary" { logging_service = "${var.logging_service}" monitoring_service = "${var.monitoring_service}" - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" - + enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf index 8143af9566..b451df9f7c 100644 --- a/modules/private-cluster/cluster_zonal.tf +++ b/modules/private-cluster/cluster_zonal.tf 
@@ -42,9 +42,8 @@ resource "google_container_cluster" "zonal_primary" { logging_service = "${var.logging_service}" monitoring_service = "${var.monitoring_service}" - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" - + enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index c5e8534e82..f4f5676fa5 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -114,7 +114,7 @@ output "service_account" { } output "pod_security_policy_enabled" { -description = "Whether pod security policy is enabled" -value = "${local.cluster_pod_security_policy_enabled}" + description = "Whether pod security policy is enabled" + value = "${local.cluster_pod_security_policy_enabled}" } From 5463a5ff2f5e6cf13f5630bb4f7100cfc8e64f74 Mon Sep 17 00:00:00 2001 From: Ihor Pukha Date: Mon, 10 Jun 2019 16:06:20 +0300 Subject: [PATCH 11/13] Typos fixed --- autogen/variables.tf | 6 +++++- modules/private-cluster/variables.tf | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/autogen/variables.tf b/autogen/variables.tf index b7c369864e..c169f85b65 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -90,10 +90,14 @@ variable "master_authorized_networks_config" { variable "enable_binary_authorization" { description = "Enable BinAuthZ Admission controller" default = false +} variable "pod_security_policy_config" { description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - default = [{ "enabled" = false }] + + default = [{ + "enabled" = false + }] } {% endif %} 
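Review bot: The description of `variable "pod_security_policy_config"` in autogen/variables.tf restates the API field but omits the operational caveat that matters for a secure rollout: the default `"enabled" = false` means the cluster runs with no PodSecurityPolicy admission at all, and flipping it to true on a cluster whose workloads have no PodSecurityPolicy objects and RBAC `use` bindings will cause new pods to be rejected (GKE is understood to ship policies for its own system pods, but user namespaces get none — verify). Suggested text: `description = "enabled - Enable the PodSecurityPolicy admission controller. Default false: no PSP enforcement. Before enabling, create PodSecurityPolicy objects and RBAC bindings for every workload service account, or pod creation will be denied."`. Worth adding as well that Kubernetes has since deprecated and removed PodSecurityPolicy, so consumers of this flag should plan to move to Pod Security Admission or a policy engine rather than treat this as a long-term control.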
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index b98b71e19e..9d6b123ac8 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -89,8 +89,9 @@ variable "master_authorized_networks_config" { variable "enable_binary_authorization" { description = "Enable BinAuthZ Admission controller" default = false +} - variable "pod_security_policy_config" { +variable "pod_security_policy_config" { description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." default = [{ From 4e7e57475c558897e8810aabd42b1d13b8c1fb2a Mon Sep 17 00:00:00 2001 From: Ihor Pukha Date: Tue, 11 Jun 2019 14:36:42 +0300 Subject: [PATCH 12/13] fixed incorrect condition --- autogen/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autogen/main.tf b/autogen/main.tf index e309c7f6c8..ad07ed8ac3 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -169,7 +169,7 @@ locals { cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}" {% if private_cluster %} - cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? false : true}" + cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}" {% endif %} } From d7b6d7844ad6466b3c56b3ce656ef7f02bf00ef1 Mon Sep 17 00:00:00 2001 From: Aaron Lane Date: Thu, 13 Jun 2019 11:48:10 -0400 Subject: [PATCH 13/13] Disable fail fast behaviour in tests --- .kitchen.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.kitchen.yml b/.kitchen.yml index d024d0c5e9..7c3e2fea07 100644 --- a/.kitchen.yml +++ b/.kitchen.yml 
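Review bot: The fix to `cluster_pod_security_policy_enabled` (`? false : true` → `? true : false`) lands only in the autogen template; the generated copy in modules/private-cluster/main.tf added in patch 02 still reads `cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? false : true}"`, and no later patch in this series regenerates it, so the module's `pod_security_policy_enabled` output reports the opposite of the cluster's real setting — a misleading signal for anyone gating compliance checks or tests on it. Re-run the template generation so the module file matches the template. The inversion came from copying the neighbouring addon locals, which negate `disabled` flags; `pod_security_policy_config.0.enabled` is already positive, so a comment such as `# pod_security_policy_config exposes 'enabled' (not 'disabled'): no negation here` would stop the same mistake on the next attribute.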
@@ -23,6 +23,7 @@ provisioner: verifier: name: terraform color: false + fail_fast: false platforms: - name: local