From 704962b1b5408bed8e4102df198eb843b7e8d1d1 Mon Sep 17 00:00:00 2001
From: Bharath KKB
Date: Wed, 26 Feb 2020 13:51:27 -0600
Subject: [PATCH] feat: Enable WI and shielded nodes by default in beta clusters (#441)
BREAKING CHANGE: Beta clusters now have Workload Identity enabled by default. To disable Workload Identity, set `identity_namespace = null`
BREAKING CHANGE: Beta clusters now have shielded nodes enabled by default. To disable, set `enable_shielded_nodes = false`.
---
 autogen/main/main.tf.tmpl | 4 ++--
 autogen/main/variables.tf.tmpl | 6 +++---
 examples/workload_identity/main.tf | 1 -
 modules/beta-private-cluster-update-variant/README.md | 4 ++--
 modules/beta-private-cluster-update-variant/main.tf | 4 ++--
 modules/beta-private-cluster-update-variant/variables.tf | 6 +++---
 modules/beta-private-cluster/README.md | 4 ++--
 modules/beta-private-cluster/main.tf | 4 ++--
 modules/beta-private-cluster/variables.tf | 6 +++---
 modules/beta-public-cluster/README.md | 4 ++--
 modules/beta-public-cluster/main.tf | 4 ++--
 modules/beta-public-cluster/variables.tf | 6 +++---
 12 files changed, 26 insertions(+), 27 deletions(-)
diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl
index eeb04cfef..0bb004f07 100644
--- a/autogen/main/main.tf.tmpl
+++ b/autogen/main/main.tf.tmpl
@@ -164,8 +164,8 @@ locals {
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
 cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
- cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{
- identity_namespace = var.identity_namespace
+ cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+ identity_namespace = "${var.project_id}.svc.id.goog"}] : [{identity_namespace = var.identity_namespace
 }]
 # /BETA features
 {% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index bedce28b5..c8c7f42f1 100644
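Review bot: The new condition in `cluster_workload_identity_config` only treats `null` as "disabled", but the code it replaces (and the variable's old default) used `""` for that, so any caller that explicitly set `identity_namespace = ""` now gets a `workload_identity_config` entry with an empty namespace instead of no entry at all; the same change is made in the main.tf hunks of beta-private-cluster-update-variant, beta-private-cluster and beta-public-cluster. Accepting both spellings keeps those callers working: `cluster_workload_identity_config = var.identity_namespace == null || var.identity_namespace == "" ? [] : var.identity_namespace == "enabled" ? [{`. A string variable carrying three meanings is easy to misread, so a comment above that line would help, e.g. `# null = Workload Identity off; "enabled" = project pool <project_id>.svc.id.goog; any other value = explicit pool`. The enclosing `locals` block starts and ends outside the hunk.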
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -451,9 +451,9 @@ variable "enable_vertical_pod_autoscaling" {
 }
 variable "identity_namespace" {
- description = "Workload Identity namespace"
+ description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `project_id..svc.id.goog`)"
 type = string
- default = ""
+ default = "enabled"
 }
 variable "authenticator_security_group" {
@@ -471,6 +471,6 @@ variable "release_channel" {
 variable "enable_shielded_nodes" {
 type = bool
 description = "Enable Shielded Nodes features on all nodes in this cluster"
- default = false
+ default = true
 }
 {% endif %}
diff --git a/examples/workload_identity/main.tf b/examples/workload_identity/main.tf
index ac1dd3303..d4e3db08c 100644
--- a/examples/workload_identity/main.tf
+++ b/examples/workload_identity/main.tf
@@ -41,7 +41,6 @@ module "gke" {
 ip_range_services = var.ip_range_services
 remove_default_node_pool = true
 service_account = "create"
- identity_namespace = "${var.project_id}.svc.id.goog"
 node_metadata = "GKE_METADATA_SERVER"
 node_pools = [
 {
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index 690dd5c33..63de87bf8 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
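Review bot: The new description for `identity_namespace` contains a doubled dot, `project_id..svc.id.goog`, while the namespace main.tf actually builds is `${var.project_id}.svc.id.goog`; the same text is propagated into the three module variables.tf files and README tables, so it should be fixed in this template and regenerated. The description also never states the only remaining way to turn Workload Identity off, which the commit message gives as `identity_namespace = null`; suggested wording, without the inner backticks: Workload Identity namespace. Set to null to disable Workload Identity. (Default value of enabled automatically sets project based namespace [project_id].svc.id.goog). It is also worth saying in that description or the README that the cluster-level setting only takes effect on node pools that run the GKE metadata server, which is why the example hunk keeps `node_metadata = "GKE_METADATA_SERVER"` after dropping `identity_namespace`; pools left on the legacy metadata endpoint would still hand the node service account to pods, and the module's `node_metadata` default is not visible in this diff, so I cannot tell whether the out-of-the-box combination is consistent.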
@@ -174,12 +174,12 @@ Then perform the following commands on the root folder:
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
-| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"false"` | no |
+| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |
-| identity\_namespace | Workload Identity namespace | string | `""` | no |
+| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `project_id..svc.id.goog`) | string | `"enabled"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | bool | `"false"` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf
index f49848021..2a7ca5caf 100644
--- a/modules/beta-private-cluster-update-variant/main.tf
+++ b/modules/beta-private-cluster-update-variant/main.tf
@@ -149,8 +149,8 @@ locals {
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
 cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
- cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{
- identity_namespace = var.identity_namespace
+ cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+ identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
 }]
 # /BETA features
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index f320bb248..e9eba4646 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -444,9 +444,9 @@ variable "enable_vertical_pod_autoscaling" {
 }
 variable "identity_namespace" {
- description = "Workload Identity namespace"
+ description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `project_id..svc.id.goog`)"
 type = string
- default = ""
+ default = "enabled"
 }
 variable "authenticator_security_group" {
@@ -464,5 +464,5 @@ variable "release_channel" {
 variable "enable_shielded_nodes" {
 type = bool
 description = "Enable Shielded Nodes features on all nodes in this cluster"
- default = false
+ default = true
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 4b4ae0184..04a6c9795 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -152,12 +152,12 @@ Then perform the following commands on the root folder:
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
-| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"false"` | no |
+| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |
-| identity\_namespace | Workload Identity namespace | string | `""` | no |
+| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `project_id..svc.id.goog`) | string | `"enabled"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | bool | `"false"` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
index f49848021..2a7ca5caf 100644
--- a/modules/beta-private-cluster/main.tf
+++ b/modules/beta-private-cluster/main.tf
@@ -149,8 +149,8 @@ locals {
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
 cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
- cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{
- identity_namespace = var.identity_namespace
+ cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+ identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
 }]
 # /BETA features
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index f320bb248..e9eba4646 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -444,9 +444,9 @@ variable "enable_vertical_pod_autoscaling" {
 }
 variable "identity_namespace" {
- description = "Workload Identity namespace"
+ description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `project_id..svc.id.goog`)"
 type = string
- default = ""
+ default = "enabled"
 }
 variable "authenticator_security_group" {
@@ -464,5 +464,5 @@ variable "release_channel" {
 variable "enable_shielded_nodes" {
 type = bool
 description = "Enable Shielded Nodes features on all nodes in this cluster"
- default = false
+ default = true
 }
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 76183a04c..3006302e4 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -131,12 +131,12 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no |
-| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"false"` | no |
+| enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |
-| identity\_namespace | Workload Identity namespace | string | `""` | no |
+| identity\_namespace | Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `project_id..svc.id.goog`) | string | `"enabled"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no |
 | ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | bool | `"false"` | no |
 | ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | string | `"60s"` | no |
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
index 4b03ff52d..39854b8b9 100644
--- a/modules/beta-public-cluster/main.tf
+++ b/modules/beta-public-cluster/main.tf
@@ -149,8 +149,8 @@ locals {
 cluster_intranode_visibility_enabled = local.cluster_output_intranode_visbility_enabled
 cluster_vertical_pod_autoscaling_enabled = local.cluster_output_vertical_pod_autoscaling_enabled
- cluster_workload_identity_config = var.identity_namespace == "" ? [] : [{
- identity_namespace = var.identity_namespace
+ cluster_workload_identity_config = var.identity_namespace == null ? [] : var.identity_namespace == "enabled" ? [{
+ identity_namespace = "${var.project_id}.svc.id.goog" }] : [{ identity_namespace = var.identity_namespace
 }]
 # /BETA features
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 4732035bd..248fd0bf7 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -420,9 +420,9 @@ variable "enable_vertical_pod_autoscaling" {
 }
 variable "identity_namespace" {
- description = "Workload Identity namespace"
+ description = "Workload Identity namespace. (Default value of `enabled` automatically sets project based namespace `project_id..svc.id.goog`)"
 type = string
- default = ""
+ default = "enabled"
 }
 variable "authenticator_security_group" {
@@ -440,5 +440,5 @@ variable "release_channel" {
 variable "enable_shielded_nodes" {
 type = bool
 description = "Enable Shielded Nodes features on all nodes in this cluster"
- default = false
+ default = true
 }