diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 9f13114ce..40b7ae119 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -495,7 +495,7 @@ resource "google_container_node_pool" "pools" { node_config { {% if beta_cluster %} - image_type = lookup(each.value, "image_type", var.sandbox_enabled ? "COS_CONTAINERD" : "COS") + image_type = lookup(each.value, "image_type", lookup(each.value, "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS") {% else %} image_type = lookup(each.value, "image_type", "COS") {% endif %} @@ -577,8 +577,7 @@ resource "google_container_node_pool" "pools" { } {% if beta_cluster %} dynamic "sandbox_config" { - for_each = local.cluster_sandbox_enabled - + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { sandbox_type = sandbox_config.value } diff --git a/autogen/main/main.tf.tmpl b/autogen/main/main.tf.tmpl index b4a65db06..b50fcb079 100644 --- a/autogen/main/main.tf.tmpl +++ b/autogen/main/main.tf.tmpl @@ -105,8 +105,6 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - {% endif %} cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf index 08744bc4c..5faf87cb4 100644 --- a/examples/node_pool/main.tf +++ b/examples/node_pool/main.tf @@ -70,14 +70,15 @@ module "gke" { }, { name = "pool-03" + machine_type = "n1-standard-2" node_locations = "${var.region}-b,${var.region}-c" autoscaling = false node_count = 2 disk_type = "pd-standard" - image_type = "COS" auto_upgrade = true service_account = var.compute_engine_service_account pod_range = "test" + sandbox_enabled = true }, ] 
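Review bot: On the new `image_type` line in `autogen/main/cluster.tf.tmpl`, an explicit per-pool `image_type` still takes precedence over the sandbox-derived default, so a pool with `sandbox_enabled = true` and `image_type = "COS"` requests gVisor on a non-containerd image and is presumably only rejected by the API at apply time. A comment above the line would make the precedence visible, e.g. `# sandbox_enabled only selects the default image; an explicit image_type overrides it and must be a containerd image for gVisor`. The inner `lookup` is used directly as the ternary condition here, while the `sandbox_config` hunk wraps the same expression in `tobool(...)`; using `tobool` in both places keeps the handling of string-valued pool attributes consistent. The same line recurs in the generated `modules/beta-*/cluster.tf` hunks, and the `node_config` block continues outside the hunk.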
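Review bot: The new `for_each` on `dynamic "sandbox_config"` lets a single pool opt out with `sandbox_enabled = false` even when `var.sandbox_enabled` is true, so the variable changes from a cluster-wide setting to a default, and no variable description or README change is visible in this diff. Anyone relying on `var.sandbox_enabled = true` to mean "every pool is sandboxed" should be told; a comment such as `# per-pool "sandbox_enabled" overrides var.sandbox_enabled in either direction` plus an updated description would cover it. The doubled parentheses are redundant and the line reads better as `for_each = tobool(lookup(each.value, "sandbox_enabled", var.sandbox_enabled)) ? ["gvisor"] : []`. The enclosing resource continues outside the hunk, and the generated `modules/beta-*/cluster.tf` hunks carry the same line.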
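Review bot: In the `pool-03` entry of `examples/node_pool/main.tf`, nothing explains why `machine_type` is added and `image_type` is dropped alongside `sandbox_enabled = true`, yet both look required for the sandbox to work. The module default visible in the other hunks is `"e2-medium"`, which GKE Sandbox does not support as far as I know, and the removed `image_type = "COS"` would have overridden the `COS_CONTAINERD` default. A comment on the entry would keep users from copying it without those two adjustments, e.g. `# gVisor pool: needs a non-shared-core machine type and the default COS_CONTAINERD image, so image_type is left unset`. The `module "gke"` block continues outside the hunk.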
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index c50137843..15f3cd244 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -447,7 +447,7 @@ resource "google_container_node_pool" "pools" { } node_config { - image_type = lookup(each.value, "image_type", var.sandbox_enabled ? "COS_CONTAINERD" : "COS") + image_type = lookup(each.value, "image_type", lookup(each.value, "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS") machine_type = lookup(each.value, "machine_type", "e2-medium") labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, @@ -523,8 +523,7 @@ resource "google_container_node_pool" "pools" { } } dynamic "sandbox_config" { - for_each = local.cluster_sandbox_enabled - + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { sandbox_type = sandbox_config.value } diff --git a/modules/beta-private-cluster-update-variant/main.tf b/modules/beta-private-cluster-update-variant/main.tf index b1936826d..9427c9f5b 100644 --- a/modules/beta-private-cluster-update-variant/main.tf +++ b/modules/beta-private-cluster-update-variant/main.tf @@ -96,8 +96,6 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index dc30efc0e..f3bead1ee 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf 
@@ -363,7 +363,7 @@ resource "google_container_node_pool" "pools" { } node_config { - image_type = lookup(each.value, "image_type", var.sandbox_enabled ? "COS_CONTAINERD" : "COS") + image_type = lookup(each.value, "image_type", lookup(each.value, "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS") machine_type = lookup(each.value, "machine_type", "e2-medium") labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, @@ -439,8 +439,7 @@ resource "google_container_node_pool" "pools" { } } dynamic "sandbox_config" { - for_each = local.cluster_sandbox_enabled - + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { sandbox_type = sandbox_config.value } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index b1936826d..9427c9f5b 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -96,8 +96,6 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 3c6e8501c..5bda5198d 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf 
@@ -428,7 +428,7 @@ resource "google_container_node_pool" "pools" { } node_config { - image_type = lookup(each.value, "image_type", var.sandbox_enabled ? "COS_CONTAINERD" : "COS") + image_type = lookup(each.value, "image_type", lookup(each.value, "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS") machine_type = lookup(each.value, "machine_type", "e2-medium") labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, @@ -504,8 +504,7 @@ resource "google_container_node_pool" "pools" { } } dynamic "sandbox_config" { - for_each = local.cluster_sandbox_enabled - + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { sandbox_type = sandbox_config.value } diff --git a/modules/beta-public-cluster-update-variant/main.tf b/modules/beta-public-cluster-update-variant/main.tf index 27a9762ca..9a04729f8 100644 --- a/modules/beta-public-cluster-update-variant/main.tf +++ b/modules/beta-public-cluster-update-variant/main.tf @@ -96,8 +96,6 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 7f3770f3f..60dd3b09e 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf 
@@ -344,7 +344,7 @@ resource "google_container_node_pool" "pools" { } node_config { - image_type = lookup(each.value, "image_type", var.sandbox_enabled ? "COS_CONTAINERD" : "COS") + image_type = lookup(each.value, "image_type", lookup(each.value, "sandbox_enabled", var.sandbox_enabled) ? "COS_CONTAINERD" : "COS") machine_type = lookup(each.value, "machine_type", "e2-medium") labels = merge( lookup(lookup(local.node_pools_labels, "default_values", {}), "cluster_name", true) ? { "cluster_name" = var.name } : {}, @@ -420,8 +420,7 @@ resource "google_container_node_pool" "pools" { } } dynamic "sandbox_config" { - for_each = local.cluster_sandbox_enabled - + for_each = tobool((lookup(each.value, "sandbox_enabled", var.sandbox_enabled))) ? ["gvisor"] : [] content { sandbox_type = sandbox_config.value } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 27a9762ca..9a04729f8 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -96,8 +96,6 @@ locals { cluster_gce_pd_csi_config = var.gce_pd_csi_driver ? [{ enabled = true }] : [{ enabled = false }] - cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] - cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ security_group = var.authenticator_security_group diff --git a/test/integration/node_pool/controls/gcloud.rb b/test/integration/node_pool/controls/gcloud.rb index f242b53b5..4ea213df5 100644 --- a/test/integration/node_pool/controls/gcloud.rb +++ b/test/integration/node_pool/controls/gcloud.rb @@ -351,7 +351,7 @@ including( "name" => "pool-03", "config" => including( - "machineType" => "e2-medium", + "machineType" => "n1-standard-2", ), ) ) @@ -408,6 +408,7 @@ "all-pools-example" => "true", "cluster_name" => cluster_name, "node_pool" => "pool-03", + "sandbox.gke.io/runtime"=>"gvisor" }, ), ) 
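Review bot: The added label entry in `test/integration/node_pool/controls/gcloud.rb` is written as `"sandbox.gke.io/runtime"=>"gvisor"`, without spaces around `=>` and without a trailing comma, unlike the neighbouring entries in the same hash. Writing it as `"sandbox.gke.io/runtime" => "gvisor",` matches the surrounding style and avoids touching this line again when another label is appended. The enclosing `it` block starts and ends outside the hunk.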
@@ -441,6 +442,17 @@ ) end + it "has the expected image" do + expect(data['nodePools']).to include( + including( + "name" => "pool-03", + "config" => including( + "imageType" => "COS_CONTAINERD", + ), + ) + ) + end + it "has the expected linux node config sysctls" do expect(data['nodePools']).to include( including(
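Review bot: The new "has the expected image" example only checks `imageType` for `pool-03`, so the suite never asserts the sandbox setting itself and never checks that the other pools stay unsandboxed, which is the behaviour this change introduces. The label assertion added earlier in this file covers the sandbox only indirectly. If the describe output exposes it, an assertion on the pool's `sandboxConfig` under `config`, plus one check that another pool (for example `pool-01`) has no such entry, would pin the per-pool semantics. The enclosing `describe` block continues outside the hunk.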