diff --git a/README.md b/README.md
index 7078768c6..6d70bb087 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,7 @@ Then perform the following commands on the root folder:
 | datapath\_provider | The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature. | `string` | `"DATAPATH_PROVIDER_UNSPECIFIED"` | no |
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | description | The description of the cluster | `string` | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index ab5d52fbd..9c7108100 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -64,11 +64,10 @@ resource "google_container_cluster" "primary" {
 subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
-{% if beta_cluster %}
 default_snat_status {
 disabled = var.disable_default_snat
 }
-{% endif %}
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 {% if beta_cluster and autopilot_cluster != true %}
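Review bot: The `default_snat_status` block in the cluster.tf.tmpl hunk is now rendered into every generated module, including the GA ones, with no comment on what flipping it does; in the beta-only version the surrounding `{% if beta_cluster %}` guard at least signalled it was opt-in territory. I would add a why-comment above the block in the template, `# disabled = true turns off GKE's in-node IP masquerade, so pod traffic leaves the node with the pod IP as its source; only meant for clusters whose pod ranges are privately used public IPs (PUPI).` The same applies to the generated copies in cluster.tf, modules/private-cluster-update-variant/cluster.tf and modules/private-cluster/cluster.tf, which presumably come from this template. With `var.disable_default_snat` defaulting to false the rendered block should match the previous implicit behaviour, but since the block was absent from the GA resources until now it is worth confirming on an existing cluster that the plan is empty before release.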
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 7150db078..7cc07c857 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -474,13 +474,13 @@ variable "enable_confidential_nodes" {
 description = "An optional flag to enable confidential node config."
 default = false
 }
+{% endif %}
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
 default = false
 }
-{% endif %}
 {% if beta_cluster %}
 variable "notification_config_topic" {
diff --git a/cluster.tf b/cluster.tf
index fd49dc15a..d63244a6a 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -50,6 +50,10 @@ resource "google_container_cluster" "primary" {
 subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
+ default_snat_status {
+ disabled = var.disable_default_snat
+ }
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 logging_service = var.logging_service
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index b86d2185d..08d06c247 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -51,6 +51,7 @@ resource "google_container_cluster" "primary" {
 default_snat_status {
 disabled = var.disable_default_snat
 }
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 logging_service = var.logging_service
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index a0357381a..e9e1e034e 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
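Review bot: The description of `disable_default_snat` in the variables.tf.tmpl hunk says only what the flag is for, not what it changes, and that is what a reader of the GA README needs now that the variable is no longer beta-only. I would extend it to `description = "Whether to disable the default SNAT to support the private use of public IP addresses. When true, GKE no longer masquerades pod traffic to the node IP, so the pod ranges must be routable from their destinations; keep false unless the cluster uses privately used public IP (PUPI) ranges."` The same text belongs in the generated copies in modules/private-cluster-update-variant/variables.tf, modules/private-cluster/variables.tf and variables.tf, which presumably are regenerated from this template. Moving `{% endif %}` above the variable looks right: `enable_confidential_nodes` stays beta-only and this variable becomes unconditional, matching the unconditional block in cluster.tf.tmpl.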
@@ -51,6 +51,7 @@ resource "google_container_cluster" "primary" {
 default_snat_status {
 disabled = var.disable_default_snat
 }
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 logging_service = var.logging_service
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index e62c1398a..0b094cd00 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -59,6 +59,7 @@ resource "google_container_cluster" "primary" {
 default_snat_status {
 disabled = var.disable_default_snat
 }
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 dynamic "cluster_telemetry" {
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 1f1f805a0..97ac128e4 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -59,6 +59,7 @@ resource "google_container_cluster" "primary" {
 default_snat_status {
 disabled = var.disable_default_snat
 }
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 dynamic "cluster_telemetry" {
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 4eea77247..9a10cf15d 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -59,6 +59,7 @@ resource "google_container_cluster" "primary" {
 default_snat_status {
 disabled = var.disable_default_snat
 }
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 dynamic "cluster_telemetry" {
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 729947509..e0c42b8d6 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -59,6 +59,7 @@ resource "google_container_cluster" "primary" {
 default_snat_status {
 disabled = var.disable_default_snat
 }
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 dynamic "cluster_telemetry" {
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index 0739ee3e8..ca778fb71 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -173,6 +173,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index ae9e57ae5..06182fffb 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -50,6 +50,10 @@ resource "google_container_cluster" "primary" {
 subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
+ default_snat_status {
+ disabled = var.disable_default_snat
+ }
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 logging_service = var.logging_service
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index e7f0e602d..bfb8725b7 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -415,6 +415,12 @@ variable "shadow_firewall_rules_priority" {
 }
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
+
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index ef16dd667..4a23c2403 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -151,6 +151,7 @@ Then perform the following commands on the root folder:
 | default\_max\_pods\_per\_node | The maximum number of pods to schedule per node | `number` | `110` | no |
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | `bool` | `false` | no |
 | description | The description of the cluster | `string` | `""` | no |
+| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index e4540e64f..61b68da73 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -50,6 +50,10 @@ resource "google_container_cluster" "primary" {
 subnetwork = "projects/${local.network_project_id}/regions/${local.region}/subnetworks/${var.subnetwork}"
+ default_snat_status {
+ disabled = var.disable_default_snat
+ }
+
 min_master_version = var.release_channel == null || var.release_channel == "UNSPECIFIED" ? local.master_version : null
 logging_service = var.logging_service
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index e7f0e602d..bfb8725b7 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -415,6 +415,12 @@ variable "shadow_firewall_rules_priority" {
 }
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
+
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"
diff --git a/variables.tf b/variables.tf
index 48e9c772d..4d6f9a36b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -391,6 +391,12 @@ variable "shadow_firewall_rules_priority" {
 }
+variable "disable_default_snat" {
+ type = bool
+ description = "Whether to disable the default SNAT to support the private use of public IP addresses"
+ default = false
+}
+
 variable "network_policy" {
 type = bool
 description = "Enable network policy addon"