diff --git a/README.md b/README.md
index 580e9bf148..ed106b14b9 100644
--- a/README.md
+++ b/README.md
@@ -125,6 +125,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | string | `"110"` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no |
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 1fd446eb38..4a14b75ba8 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -83,8 +83,8 @@ resource "google_container_cluster" "primary" {
 default_max_pods_per_node = var.default_max_pods_per_node
 enable_shielded_nodes = var.enable_shielded_nodes
-{% if beta_cluster %}
 enable_binary_authorization = var.enable_binary_authorization
+{% if beta_cluster %}
 enable_intranode_visibility = var.enable_intranode_visibility
 enable_kubernetes_alpha = var.enable_kubernetes_alpha
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 38b78d7e10..dc097ada62 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -454,11 +454,6 @@ variable "cloudrun" {
 default = false
 }
-variable "enable_binary_authorization" {
- description = "Enable BinAuthZ Admission controller"
- default = false
-}
-
 variable "enable_pod_security_policy" {
 type = bool
 description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
@@ -524,6 +519,11 @@ variable "enable_shielded_nodes" {
 default = true
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
diff --git a/cluster.tf b/cluster.tf
index f74bdde9d7..acda1e1ac0 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -70,7 +70,8 @@ resource "google_container_cluster" "primary" {
 default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
+ enable_shielded_nodes = var.enable_shielded_nodes
+ enable_binary_authorization = var.enable_binary_authorization
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/examples/simple_regional/main.tf b/examples/simple_regional/main.tf
index c4ddf21aa2..7c05ceba94 100644
--- a/examples/simple_regional/main.tf
+++ b/examples/simple_regional/main.tf
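Review bot: The `enable_binary_authorization` variable re-added in the second hunk of `autogen/main/variables.tf.tmpl` carries no `type`, unlike the neighbouring `enable_pod_security_policy` and `add_cluster_firewall_rules` blocks which declare `type = bool`; as a visible consequence every README row in this commit documents it as `string` with default `"false"`, and a non-boolean input is only rejected once `cluster.tf` hands it to the provider rather than at variable validation. Since the per-module `variables.tf` copies appear to be generated from this template, the fix belongs here and should be regenerated outward: `variable "enable_binary_authorization" {` / `type        = bool` / `description = "Enable the Binary Authorization admission controller"`, keeping `default = false`.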
@@ -24,18 +24,19 @@ provider "google" {
 }
 module "gke" {
- source = "../../"
- project_id = var.project_id
- name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
- regional = true
- region = var.region
- network = var.network
- subnetwork = var.subnetwork
- ip_range_pods = var.ip_range_pods
- ip_range_services = var.ip_range_services
- create_service_account = false
- service_account = var.compute_engine_service_account
- skip_provisioners = var.skip_provisioners
+ source = "../../"
+ project_id = var.project_id
+ name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+ regional = true
+ region = var.region
+ network = var.network
+ subnetwork = var.subnetwork
+ ip_range_pods = var.ip_range_pods
+ ip_range_services = var.ip_range_services
+ create_service_account = false
+ service_account = var.compute_engine_service_account
+ enable_binary_authorization = var.enable_binary_authorization
+ skip_provisioners = var.skip_provisioners
 }
 data "google_client_config" "default" {
diff --git a/examples/simple_regional/variables.tf b/examples/simple_regional/variables.tf
index ae6a86978e..b60c83ed5d 100644
--- a/examples/simple_regional/variables.tf
+++ b/examples/simple_regional/variables.tf
@@ -52,3 +52,8 @@ variable "skip_provisioners" {
 description = "Flag to skip local-exec provisioners"
 default = false
 }
+
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 22b6e957b5..d79cdf2632 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -441,11 +441,6 @@ variable "cloudrun" {
 default = false
 }
-variable "enable_binary_authorization" {
- description = "Enable BinAuthZ Admission controller"
- default = false
-}
-
 variable "enable_pod_security_policy" {
 type = bool
 description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
@@ -510,6 +505,11 @@ variable "enable_shielded_nodes" {
 default = true
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 22b6e957b5..d79cdf2632 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -441,11 +441,6 @@ variable "cloudrun" {
 default = false
 }
-variable "enable_binary_authorization" {
- description = "Enable BinAuthZ Admission controller"
- default = false
-}
-
 variable "enable_pod_security_policy" {
 type = bool
 description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
@@ -510,6 +505,11 @@ variable "enable_shielded_nodes" {
 default = true
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index e373d59bef..72cd76365b 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -410,11 +410,6 @@ variable "cloudrun" {
 default = false
 }
-variable "enable_binary_authorization" {
- description = "Enable BinAuthZ Admission controller"
- default = false
-}
-
 variable "enable_pod_security_policy" {
 type = bool
 description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
@@ -479,6 +474,11 @@ variable "enable_shielded_nodes" {
 default = true
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index e373d59bef..72cd76365b 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -410,11 +410,6 @@ variable "cloudrun" {
 default = false
 }
-variable "enable_binary_authorization" {
- description = "Enable BinAuthZ Admission controller"
- default = false
-}
-
 variable "enable_pod_security_policy" {
 type = bool
 description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
@@ -479,6 +474,11 @@ variable "enable_shielded_nodes" {
 default = true
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 306c88b197..2f5b2adfc5 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -154,6 +154,7 @@ Then perform the following commands on the root folder:
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index f770591678..3bfc09c8d9 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -70,7 +70,8 @@ resource "google_container_cluster" "primary" {
 default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
+ enable_shielded_nodes = var.enable_shielded_nodes
+ enable_binary_authorization = var.enable_binary_authorization
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index e0050848ae..ca88ece9b3 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -408,6 +408,11 @@ variable "enable_shielded_nodes" {
 default = true
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index f0b01c85d9..2d8d7e605d 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -132,6 +132,7 @@ Then perform the following commands on the root folder:
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | bool | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index a925a49181..5ddbea5b9d 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -70,7 +70,8 @@ resource "google_container_cluster" "primary" {
 default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
+ enable_shielded_nodes = var.enable_shielded_nodes
+ enable_binary_authorization = var.enable_binary_authorization
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index e0050848ae..ca88ece9b3 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -408,6 +408,11 @@ variable "enable_shielded_nodes" {
 default = true
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
diff --git a/test/fixtures/simple_regional/example.tf b/test/fixtures/simple_regional/example.tf
index 2e08ae6628..cb50faf354 100644
--- a/test/fixtures/simple_regional/example.tf
+++ b/test/fixtures/simple_regional/example.tf
@@ -26,4 +26,5 @@ module "example" {
 ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
 compute_engine_service_account = var.compute_engine_service_accounts[0]
 skip_provisioners = true
+ enable_binary_authorization = true
 }
diff --git a/test/integration/simple_regional/controls/gcloud.rb b/test/integration/simple_regional/controls/gcloud.rb
index adab9feec3..ba30021332 100644
--- a/test/integration/simple_regional/controls/gcloud.rb
+++ b/test/integration/simple_regional/controls/gcloud.rb
@@ -65,6 +65,12 @@
 "enabled" => true,
 })
 end
+
+ it "has the expected binaryAuthorization config" do
+ expect(data['binaryAuthorization']).to eq({
+ "enabled" => true,
+ })
+ end
 end
 describe "default node pool" do
diff --git a/variables.tf b/variables.tf
index f07fa52b4b..9804cb2b7e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -384,6 +384,11 @@ variable "enable_shielded_nodes" {
 default = true
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "add_cluster_firewall_rules" {
 type = bool
 description = "Create additional firewall rules"
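Review bot: The description `Enable BinAuthZ Admission controller` on the variable added in this hunk does not tell an operator that the flag by itself enforces nothing: the GKE admission controller admits or rejects images according to the project's Binary Authorization policy, and nothing in this diff creates or references a `google_binary_authorization_policy` or any attestor, so a caller who sets this to `true` (as `test/fixtures/simple_regional/example.tf` now does) runs under whatever policy the project already has, which as provisioned by Google allows every image. The integration test in `gcloud.rb` accordingly only proves the flag is plumbed through, not that any image is blocked. I would state the prerequisite in the variable itself, e.g. `description = "Enable the Binary Authorization admission controller. Enforcement is governed by the project-level Binary Authorization policy and attestors, which must be configured separately; the default project policy allows all images."`, and repeat it in the README row that this commit generates from it.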