From 72cf8732fa05964596f9f266dd34217803e2c0cc Mon Sep 17 00:00:00 2001
From: SavvasM1 <83591012+SavvasM1@users.noreply.github.com>
Date: Tue, 25 Jun 2024 18:21:46 +0300
Subject: [PATCH] feat: Add enable_cilium_clusterwide_network_policy support (#1972)
---
 README.md | 1 +
 autogen/main/cluster.tf.tmpl | 3 +++
 autogen/main/variables.tf.tmpl | 7 +++++++
 cluster.tf | 3 +++
 modules/beta-autopilot-private-cluster/README.md | 1 +
 modules/beta-autopilot-private-cluster/cluster.tf | 5 ++++-
 modules/beta-autopilot-private-cluster/variables.tf | 7 +++++++
 modules/beta-autopilot-public-cluster/README.md | 1 +
 modules/beta-autopilot-public-cluster/cluster.tf | 5 ++++-
 modules/beta-autopilot-public-cluster/variables.tf | 7 +++++++
 modules/beta-private-cluster-update-variant/README.md | 1 +
 modules/beta-private-cluster-update-variant/cluster.tf | 5 ++++-
 modules/beta-private-cluster-update-variant/variables.tf | 7 +++++++
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/cluster.tf | 5 ++++-
 modules/beta-private-cluster/variables.tf | 7 +++++++
 modules/beta-public-cluster-update-variant/README.md | 1 +
 modules/beta-public-cluster-update-variant/cluster.tf | 5 ++++-
 modules/beta-public-cluster-update-variant/variables.tf | 7 +++++++
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/cluster.tf | 5 ++++-
 modules/beta-public-cluster/variables.tf | 7 +++++++
 modules/private-cluster-update-variant/README.md | 1 +
 modules/private-cluster-update-variant/cluster.tf | 3 +++
 modules/private-cluster-update-variant/variables.tf | 6 ++++++
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/cluster.tf | 3 +++
 modules/private-cluster/variables.tf | 6 ++++++
 variables.tf | 6 ++++++
 29 files changed, 112 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 8927e84d4..9633443be 100644
--- a/README.md
+++ b/README.md
@@ -162,6 +162,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index d197879e4..633ba6931 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -238,6 +238,9 @@ resource "google_container_cluster" "primary" {
 {% endif %}
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 {% if beta_cluster %}
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 {% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index d420ed96c..515a8af1f 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
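Review bot: In the autogen/main/cluster.tf.tmpl hunk the new `enable_cilium_clusterwide_network_policy` assignment sits outside the `{% if beta_cluster %}` guard that wraps `enable_fqdn_network_policy`, so it is rendered into the GA modules (root `cluster.tf`, `modules/private-cluster*`) and passed to the `google` provider, not only `google-beta`; the patch does not touch `versions.tf`, so confirm the minimum `google` provider constraint already accepts this argument, otherwise the GA modules fail at plan time. The argument is also sent for every cluster, which means Cilium cluster-wide network policy must be supported by the cluster's datapath: it requires GKE Dataplane V2, and on a cluster without it the GKE API rejects the request at apply time rather than the module. I would add `# Requires GKE Dataplane V2 (datapath_provider = "ADVANCED_DATAPATH"); the API rejects the flag on the legacy datapath` above the assignment so the generated modules carry the prerequisite. The same applies to the generated cluster.tf hunks below, which are rendered from this template.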
@@ -592,8 +592,15 @@ variable "enable_fqdn_network_policy" {
 description = "Enable FQDN Network Policies on the cluster"
 default = null
 }
+
 {% endif %}
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/cluster.tf b/cluster.tf
index 969a0bf57..01f808aee 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -177,6 +177,9 @@ resource "google_container_cluster" "primary" {
 enable_tpu = var.enable_tpu
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index dd10eb218..751d7fca5 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
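Review bot: In the autogen/main/variables.tf.tmpl hunk the new variable uses `default = false`, whereas the neighbouring `enable_fqdn_network_policy` uses `default = null`; with `false` the provider sends an explicit value, so any existing cluster where cluster-wide network policy was enabled outside Terraform will show a diff and have the feature disabled on the next apply, silently removing that enforcement. Either keep `null` so the provider leaves the setting alone until a user opts in, or state this in the description so the behaviour is deliberate. The description also omits the prerequisite that users will hit first; suggest `description = "Enable Cilium Cluster Wide Network Policies on the cluster. Requires GKE Dataplane V2 (datapath_provider = ADVANCED_DATAPATH)."`. Since every `variables.tf` hunk below is generated from this template, fixing it here covers them all.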
@@ -88,6 +88,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index c51ef9c66..bfee2c044 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -85,7 +85,10 @@ resource "google_container_cluster" "primary" {
 enabled = var.enable_vertical_pod_autoscaling
 }
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 enable_autopilot = true
 dynamic "master_authorized_networks_config" {
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 8efc4a138..6e6f2b157 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -399,6 +399,13 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index bb063d68c..2adc82640 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -81,6 +81,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index c56f3a954..8fb611878 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -85,7 +85,10 @@ resource "google_container_cluster" "primary" {
 enabled = var.enable_vertical_pod_autoscaling
 }
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 enable_autopilot = true
 dynamic "master_authorized_networks_config" {
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 5a2d71d26..173fc9940 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -369,6 +369,13 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index ba2948a96..871ae3bce 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -197,6 +197,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index f3f6c1d21..359d57c00 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" {
 }
 }
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index da51f4869..9733efd77 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -568,6 +568,13 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 863d39522..e9be4250b 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -175,6 +175,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index dfcd012de..3a3f91129 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" {
 }
 }
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index da51f4869..9733efd77 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -568,6 +568,13 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index 5976e0a7c..7d4c7d512 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -190,6 +190,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 60a9f8068..3c3f34f0c 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" {
 }
 }
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index cc0ae40e2..a55430896 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -538,6 +538,13 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index fb40bfb57..8a4e99701 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -168,6 +168,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 6be429c0b..fe6a6c242 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" {
 }
 }
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index cc0ae40e2..a55430896 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -538,6 +538,13 @@ variable "enable_fqdn_network_policy" {
 default = null
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index ffcab6b50..b3ee32780 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -191,6 +191,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 03c3082bb..04837e28e 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -177,6 +177,9 @@ resource "google_container_cluster" "primary" {
 enable_tpu = var.enable_tpu
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 85b100dbb..d032c417d 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -544,6 +544,12 @@ variable "enable_confidential_nodes" {
 default = false
 }
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 053b9feb8..4934cf9c6 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -169,6 +169,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 21edac9a0..31573d02a 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -177,6 +177,9 @@ resource "google_container_cluster" "primary" {
 enable_tpu = var.enable_tpu
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 85b100dbb..d032c417d 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -544,6 +544,12 @@ variable "enable_confidential_nodes" {
 default = false
 }
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string
diff --git a/variables.tf b/variables.tf
index eef896bf0..d36fe3014 100644
--- a/variables.tf
+++ b/variables.tf
@@ -514,6 +514,12 @@ variable "enable_confidential_nodes" {
 default = false
 }
+variable "enable_cilium_clusterwide_network_policy" {
+ type = bool
+ description = "Enable Cilium Cluster Wide Network Policies on the cluster"
+ default = false
+}
+
 variable "security_posture_mode" {
 description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
 type = string