From 721f846b117e36808c559ed7459561d4beca9e66 Mon Sep 17 00:00:00 2001
From: m10ev <42208556+m10ev@users.noreply.github.com>
Date: Thu, 3 Dec 2020 22:13:00 +0200
Subject: [PATCH] feat: Add option for CPU manager policy (#749)

---
 README.md | 4 ++--
 autogen/main/README.md | 7 +++++--
 autogen/main/cluster.tf.tmpl | 8 ++++++++
 modules/beta-private-cluster-update-variant/README.md | 5 +++--
 modules/beta-private-cluster-update-variant/cluster.tf | 8 ++++++++
 modules/beta-private-cluster/README.md | 5 +++--
 modules/beta-private-cluster/cluster.tf | 8 ++++++++
 modules/beta-public-cluster-update-variant/README.md | 5 +++--
 modules/beta-public-cluster-update-variant/cluster.tf | 8 ++++++++
 modules/beta-public-cluster/README.md | 5 +++--
 modules/beta-public-cluster/cluster.tf | 8 ++++++++
 modules/private-cluster-update-variant/README.md | 4 ++--
 modules/private-cluster/README.md | 4 ++--
 13 files changed, 63 insertions(+), 16 deletions(-)

diff --git a/README.md b/README.md
index da19bc505..4b92c609e 100644
--- a/README.md
+++ b/README.md
@@ -209,14 +209,14 @@ The node_pools variable takes the following parameters: | --- | --- | --- | --- | | accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | | accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | -| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | auto_repair | Whether the nodes will be automatically repaired | true | Optional | | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | +| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | +| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. 
| false | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | key | The key required for the taint | | Required | diff --git a/autogen/main/README.md b/autogen/main/README.md index b472dcdbb..a63121ae2 100644 --- a/autogen/main/README.md +++ b/autogen/main/README.md 
@@ -158,14 +158,17 @@ The node_pools variable takes the following parameters: | --- | --- | --- | --- | | accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | | accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | -| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | auto_repair | Whether the nodes will be automatically repaired | true | Optional | | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +{% if beta_cluster %} +| cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "none" | Optional | +{% endif %} | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | +| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. 
| true | Optional | +| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | key | The key required for the taint | | Required | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 0526d02a7..3ce9086c2 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -527,6 +527,14 @@ resource "google_container_node_pool" "pools" { } boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") + + dynamic "kubelet_config" { + for_each = contains(keys(each.value), "cpu_manager_policy") ? [1] : [] + + content { + cpu_manager_policy = lookup(each.value, "cpu_manager_policy") + } + } {% endif %} shielded_instance_config { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 3d6ce9cf4..01028eb3e 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
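Review bot: `lookup(each.value, "cpu_manager_policy")` in the new `kubelet_config` content block is called without a default, unlike the neighbouring `boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "")`; since the `for_each` guard already guarantees the key is present, the idiomatic form is `cpu_manager_policy = each.value["cpu_manager_policy"]`, or keep `lookup` with an explicit `"none"` default so the code and the README row agree on the default. Note that the README rows added in this commit document the default as "none", but when the key is absent no `kubelet_config` block is emitted at all, so the effective default is whatever GKE applies to the pool; consider wording the docs as `"none" (GKE default)` so readers do not assume the module sets it. The value is passed through unrestricted, so anything other than "none"/"static" is only rejected by the provider or API at plan/apply time — a one-line comment above the block, `# kubelet_config is only emitted when cpu_manager_policy is set; accepted values are "none" and "static"`, would make that explicit. The identical block in modules/beta-private-cluster-update-variant/cluster.tf, modules/beta-private-cluster/cluster.tf, modules/beta-public-cluster-update-variant/cluster.tf and modules/beta-public-cluster/cluster.tf is generated from this template, so any fix belongs here and should be regenerated rather than hand-edited. The enclosing `resource "google_container_node_pool" "pools"` block starts and ends outside the hunk.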
@@ -272,14 +272,15 @@ The node_pools variable takes the following parameters: | --- | --- | --- | --- | | accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | | accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | -| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | auto_repair | Whether the nodes will be automatically repaired | true | Optional | | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "none" | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | +| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. 
| true | Optional | +| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | key | The key required for the taint | | Required | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index ddd9857f3..2debd9aac 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -484,6 +484,14 @@ resource "google_container_node_pool" "pools" { boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") + dynamic "kubelet_config" { + for_each = contains(keys(each.value), "cpu_manager_policy") ? [1] : [] + + content { + cpu_manager_policy = lookup(each.value, "cpu_manager_policy") + } + } + shielded_instance_config { enable_secure_boot = lookup(each.value, "enable_secure_boot", false) enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true) diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index bb1aa4317..e33ec012c 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -250,14 +250,15 @@ The node_pools variable takes the following parameters: | --- | --- | --- | --- | | accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | | accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | -| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | auto_repair | Whether the nodes will be automatically repaired | true | Optional | | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "none" | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | +| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. 
| true | Optional | +| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | key | The key required for the taint | | Required | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 7bea7d0e2..5eef665af 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -412,6 +412,14 @@ resource "google_container_node_pool" "pools" { boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") + dynamic "kubelet_config" { + for_each = contains(keys(each.value), "cpu_manager_policy") ? [1] : [] + + content { + cpu_manager_policy = lookup(each.value, "cpu_manager_policy") + } + } + shielded_instance_config { enable_secure_boot = lookup(each.value, "enable_secure_boot", false) enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true) diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 9a5ba632a..35a296988 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -259,14 +259,15 @@ The node_pools variable takes the following parameters: | --- | --- | --- | --- | | accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | | accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | -| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | auto_repair | Whether the nodes will be automatically repaired | true | Optional | | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "none" | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | +| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. 
| true | Optional | +| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | key | The key required for the taint | | Required | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 4d130f1f3..38661039e 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -465,6 +465,14 @@ resource "google_container_node_pool" "pools" { boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") + dynamic "kubelet_config" { + for_each = contains(keys(each.value), "cpu_manager_policy") ? [1] : [] + + content { + cpu_manager_policy = lookup(each.value, "cpu_manager_policy") + } + } + shielded_instance_config { enable_secure_boot = lookup(each.value, "enable_secure_boot", false) enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true) diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 9ae1a7c00..70da69984 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -237,14 +237,15 @@ The node_pools variable takes the following parameters: | --- | --- | --- | --- | | accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | | accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | -| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | auto_repair | Whether the nodes will be automatically repaired | true | Optional | | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | +| cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "none" | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | +| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. 
| true | Optional | +| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | key | The key required for the taint | | Required | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 4b3fd37cd..b79fabb90 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -393,6 +393,14 @@ resource "google_container_node_pool" "pools" { boot_disk_kms_key = lookup(each.value, "boot_disk_kms_key", "") + dynamic "kubelet_config" { + for_each = contains(keys(each.value), "cpu_manager_policy") ? [1] : [] + + content { + cpu_manager_policy = lookup(each.value, "cpu_manager_policy") + } + } + shielded_instance_config { enable_secure_boot = lookup(each.value, "enable_secure_boot", false) enable_integrity_monitoring = lookup(each.value, "enable_integrity_monitoring", true) diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index a6fcab2e5..31b7a815a 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md 
@@ -243,14 +243,14 @@ The node_pools variable takes the following parameters: | --- | --- | --- | --- | | accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | | accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | -| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | auto_repair | Whether the nodes will be automatically repaired | true | Optional | | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | +| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | +| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. 
| false | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | key | The key required for the taint | | Required | diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index c5f6ce7a0..9f5096e58 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -221,14 +221,14 @@ The node_pools variable takes the following parameters: | --- | --- | --- | --- | | accelerator_count | The number of the guest accelerator cards exposed to this instance | 0 | Optional | | accelerator_type | The accelerator type resource to expose to the instance | " " | Optional | -| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. | false | Optional | -| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | | auto_repair | Whether the nodes will be automatically repaired | true | Optional | | autoscaling | Configuration required by cluster autoscaler to adjust the size of the node pool to the current cluster usage | true | Optional | | auto_upgrade | Whether the nodes will be automatically upgraded | true (if cluster is regional) | Optional | | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional | | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional | | effect | Effect for the taint | | Required | +| enable_integrity_monitoring | Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created. | true | Optional | +| enable_secure_boot | Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components, and halting the boot process if signature verification fails. 
| false | Optional | | image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS | Optional | | initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional | | key | The key required for the taint | | Required |