From 7bfd6fe0db9205e384b652daf0bc3986ff2372e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20Morej=C3=B3n?=
Date: Tue, 10 Oct 2023 20:44:50 +0200
Subject: [PATCH] feat!: enabling vulnerability and audit modes for workloads (#1749)

Signed-off-by: Manuel Morejon
---
 autogen/main/variables.tf.tmpl | 3 ++-
 autogen/safer-cluster/main.tf.tmpl | 4 ++++
 autogen/safer-cluster/variables.tf.tmpl | 12 ++++++++++++
 modules/beta-autopilot-private-cluster/README.md | 2 +-
 modules/beta-autopilot-private-cluster/variables.tf | 3 ++-
 modules/beta-autopilot-public-cluster/README.md | 2 +-
 modules/beta-autopilot-public-cluster/variables.tf | 3 ++-
 .../beta-private-cluster-update-variant/README.md | 2 +-
 .../beta-private-cluster-update-variant/variables.tf | 3 ++-
 modules/beta-private-cluster/README.md | 2 +-
 modules/beta-private-cluster/variables.tf | 3 ++-
 modules/beta-public-cluster-update-variant/README.md | 2 +-
 .../beta-public-cluster-update-variant/variables.tf | 3 ++-
 modules/beta-public-cluster/README.md | 2 +-
 modules/beta-public-cluster/variables.tf | 3 ++-
 modules/safer-cluster-update-variant/README.md | 2 ++
 modules/safer-cluster-update-variant/main.tf | 4 ++++
 modules/safer-cluster-update-variant/variables.tf | 12 ++++++++++++
 modules/safer-cluster/README.md | 2 ++
 modules/safer-cluster/main.tf | 4 ++++
 modules/safer-cluster/variables.tf | 12 ++++++++++++
 21 files changed, 72 insertions(+), 13 deletions(-)

diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index c75927e03..d562de600 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -548,6 +548,7 @@ variable "enable_confidential_nodes" {
 description = "An optional flag to enable confidential node config."
 default = false
 }
+
 variable "workload_vulnerability_mode" {
 description = "(beta) Vulnerability mode."
 type = string
@@ -555,7 +556,7 @@ variable "workload_vulnerability_mode" {
 }
 
 variable "workload_config_audit_mode" {
- description = "(beta) Worload config audit mode."
+ description = "(beta) Workload config audit mode."
 type = string
 default = "DISABLED"
 }
diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index ea4052fb0..8c1c686e2 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -200,4 +200,8 @@ module "gke" {
 
 timeouts = var.timeouts
 enable_gcfs = var.enable_gcfs
+
+ // Enabling vulnerability and audit for workloads
+ workload_vulnerability_mode = var.workload_vulnerability_mode
+ workload_config_audit_mode = var.workload_config_audit_mode
 }
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 8f3283dbb..182162bb1 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -496,3 +496,15 @@ variable "enable_mesh_certificates" {
 default = false
 description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
 }
+
+variable "workload_vulnerability_mode" {
+ description = "(beta) Vulnerability mode."
+ type = string
+ default = ""
+}
+
+variable "workload_config_audit_mode" {
+ description = "(beta) Workload config audit mode."
+ type = string
+ default = "DISABLED"
+}
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index ee45b31d3..443f827f1 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
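Review bot: The comment `// Enabling vulnerability and audit for workloads` above the two new `module "gke"` arguments in autogen/safer-cluster/main.tf.tmpl overstates what the wiring does: with the defaults declared in autogen/safer-cluster/variables.tf.tmpl (`""` and `"DISABLED"`) nothing is enabled unless the caller opts in, so a reader of the safer-cluster template may assume the hardened profile now scans workloads by default. Suggest `# Workload vulnerability scanning and config audit modes; both stay off unless the caller sets them`, which also uses the `#` comment form the Terraform style guide recommends over `//`. The same comment and wiring appear in the generated modules/safer-cluster-update-variant/main.tf and modules/safer-cluster/main.tf hunks, which should come from regenerating this template rather than from hand edits. The enclosing `module "gke"` block starts outside the hunk.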
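Review bot: The new `workload_vulnerability_mode` and `workload_config_audit_mode` variables in autogen/safer-cluster/variables.tf.tmpl accept any string, and their descriptions (`(beta) Vulnerability mode.`, `(beta) Workload config audit mode.`) tell a safer-cluster user neither which values are valid nor that the defaults (`""` and `"DISABLED"`) leave both checks off, which is worth stating plainly in a module presented as a hardened baseline. A `validation` block on each, restricting the input to the values the google-beta provider accepts for `protect_config` (`DISABLED`, `BASIC`) plus the existing empty default — which presumably leaves the setting to the underlying cluster module, confirm against autogen/main — would turn a typo into a plan-time error instead of an apply-time API rejection. The generated copies in modules/safer-cluster-update-variant/variables.tf and modules/safer-cluster/variables.tf carry the same gap and should be regenerated from this template.
```hcl
variable "workload_vulnerability_mode" {
  description = "(beta) Workload vulnerability scanning mode passed to the underlying cluster module. Empty keeps that module's default (scanning off); otherwise DISABLED or BASIC."
  type        = string
  default     = ""

  validation {
    condition     = contains(["", "DISABLED", "BASIC"], var.workload_vulnerability_mode)
    error_message = "workload_vulnerability_mode must be \"\", \"DISABLED\" or \"BASIC\"."
  }
}

variable "workload_config_audit_mode" {
  description = "(beta) Workload configuration audit mode passed to the underlying cluster module. DISABLED (default) performs no audit; BASIC enables it."
  type        = string
  default     = "DISABLED"

  validation {
    condition     = contains(["DISABLED", "BASIC"], var.workload_config_audit_mode)
    error_message = "workload_config_audit_mode must be \"DISABLED\" or \"BASIC\"."
  }
}
```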
@@ -134,7 +134,7 @@ Then perform the following commands on the root folder:
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
-| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
+| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
 | workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index b3171164c..7140af015 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -373,6 +373,7 @@ variable "enable_confidential_nodes" {
 description = "An optional flag to enable confidential node config."
 default = false
 }
+
 variable "workload_vulnerability_mode" {
 description = "(beta) Vulnerability mode."
 type = string
@@ -380,7 +381,7 @@ variable "workload_vulnerability_mode" {
 }
 
 variable "workload_config_audit_mode" {
- description = "(beta) Worload config audit mode."
+ description = "(beta) Workload config audit mode."
 type = string
 default = "DISABLED"
 }
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index 5b7da3d32..aa0ba1bc3 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -123,7 +123,7 @@ Then perform the following commands on the root folder:
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
-| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
+| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
 | workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 0cbb512b9..2d0577aaf 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -343,6 +343,7 @@ variable "enable_confidential_nodes" {
 description = "An optional flag to enable confidential node config."
 default = false
 }
+
 variable "workload_vulnerability_mode" {
 description = "(beta) Vulnerability mode."
 type = string
@@ -350,7 +351,7 @@ variable "workload_vulnerability_mode" {
 }
 
 variable "workload_config_audit_mode" {
- description = "(beta) Worload config audit mode."
+ description = "(beta) Workload config audit mode."
 type = string
 default = "DISABLED"
 }
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index ff2a9b498..f7d417b0f 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -273,7 +273,7 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
-| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
+| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
 | workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 77daf4b0e..971304396 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -518,6 +518,7 @@ variable "enable_confidential_nodes" {
 description = "An optional flag to enable confidential node config."
 default = false
 }
+
 variable "workload_vulnerability_mode" {
 description = "(beta) Vulnerability mode."
 type = string
@@ -525,7 +526,7 @@ variable "workload_vulnerability_mode" {
 }
 
 variable "workload_config_audit_mode" {
- description = "(beta) Worload config audit mode."
+ description = "(beta) Workload config audit mode."
 type = string
 default = "DISABLED"
 }
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index e5f765341..2fa1e3be1 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -251,7 +251,7 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
-| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
+| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
 | workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 77daf4b0e..971304396 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -518,6 +518,7 @@ variable "enable_confidential_nodes" {
 description = "An optional flag to enable confidential node config."
 default = false
 }
+
 variable "workload_vulnerability_mode" {
 description = "(beta) Vulnerability mode."
 type = string
@@ -525,7 +526,7 @@ variable "workload_vulnerability_mode" {
 }
 
 variable "workload_config_audit_mode" {
- description = "(beta) Worload config audit mode."
+ description = "(beta) Workload config audit mode."
 type = string
 default = "DISABLED"
 }
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index a3fd0b1c3..c8e28f09c 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -262,7 +262,7 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
-| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
+| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
 | workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index dfaacc3c6..0ca442912 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -488,6 +488,7 @@ variable "enable_confidential_nodes" {
 description = "An optional flag to enable confidential node config."
 default = false
 }
+
 variable "workload_vulnerability_mode" {
 description = "(beta) Vulnerability mode."
 type = string
@@ -495,7 +496,7 @@ variable "workload_vulnerability_mode" {
 }
 
 variable "workload_config_audit_mode" {
- description = "(beta) Worload config audit mode."
+ description = "(beta) Workload config audit mode."
 type = string
 default = "DISABLED"
 }
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 7476d1ea2..a8602ab57 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -240,7 +240,7 @@ Then perform the following commands on the root folder:
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
-| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
+| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
 | workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |
 
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index dfaacc3c6..0ca442912 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -488,6 +488,7 @@ variable "enable_confidential_nodes" {
 description = "An optional flag to enable confidential node config."
 default = false
 }
+
 variable "workload_vulnerability_mode" {
 description = "(beta) Vulnerability mode."
 type = string
@@ -495,7 +496,7 @@ variable "workload_vulnerability_mode" {
 }
 
 variable "workload_config_audit_mode" {
- description = "(beta) Worload config audit mode."
+ description = "(beta) Workload config audit mode."
 type = string
 default = "DISABLED"
 }
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index 55487870b..915a8d8d5 100644
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -272,6 +272,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing node pools | `list(map(string))` | `[]` | no |
+| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
+| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in | `list(string)` | `[]` | no |
 
 ## Outputs
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index d4ae3bfa7..4e64aca38 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -196,4 +196,8 @@ module "gke" {
 
 timeouts = var.timeouts
 enable_gcfs = var.enable_gcfs
+
+ // Enabling vulnerability and audit for workloads
+ workload_vulnerability_mode = var.workload_vulnerability_mode
+ workload_config_audit_mode = var.workload_config_audit_mode
 }
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 6c0efd8ad..ec2b11849 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -496,3 +496,15 @@ variable "enable_mesh_certificates" {
 default = false
 description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
 }
+
+variable "workload_vulnerability_mode" {
+ description = "(beta) Vulnerability mode."
+ type = string
+ default = ""
+}
+
+variable "workload_config_audit_mode" {
+ description = "(beta) Workload config audit mode."
+ type = string
+ default = "DISABLED"
+}
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index 55487870b..915a8d8d5 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
@@ -272,6 +272,8 @@ For simplicity, we suggest using `roles/container.admin` and
 | timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
 | upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
 | windows\_node\_pools | List of maps containing node pools | `list(map(string))` | `[]` | no |
+| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
+| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
 | zones | The zones to host the cluster in | `list(string)` | `[]` | no |
 
 ## Outputs
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index 8e7de8439..0d0910d1c 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -196,4 +196,8 @@ module "gke" {
 
 timeouts = var.timeouts
 enable_gcfs = var.enable_gcfs
+
+ // Enabling vulnerability and audit for workloads
+ workload_vulnerability_mode = var.workload_vulnerability_mode
+ workload_config_audit_mode = var.workload_config_audit_mode
 }
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 6c0efd8ad..ec2b11849 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -496,3 +496,15 @@ variable "enable_mesh_certificates" {
 default = false
 description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
 }
+
+variable "workload_vulnerability_mode" {
+ description = "(beta) Vulnerability mode."
+ type = string
+ default = ""
+}
+
+variable "workload_config_audit_mode" {
+ description = "(beta) Workload config audit mode."
+ type = string
+ default = "DISABLED"
+}