From c6c56add24b03301ec7a9dcdd67574e65e40daff Mon Sep 17 00:00:00 2001
From: chrislovecnm
Date: Fri, 21 Jun 2019 18:18:04 -0600
Subject: [PATCH] Enabling two features in beta clusters

This allow pod security policies and binary authorization to be used by both beta private and beta public clusters. Previously these two features where limited to only private clusters, and this commit also removes that functionality from private clusters.
---
 autogen/cluster_regional.tf | 4 ++--
 autogen/cluster_zonal.tf | 5 +++--
 autogen/variables.tf | 5 +++--
 cluster_zonal.tf | 1 +
 modules/beta-private-cluster/cluster_zonal.tf | 1 +
 modules/beta-public-cluster/README.md | 2 ++
 modules/beta-public-cluster/cluster_regional.tf | 2 ++
 modules/beta-public-cluster/cluster_zonal.tf | 3 +++
 modules/beta-public-cluster/variables.tf | 13 +++++++++++++
 modules/private-cluster/README.md | 2 --
 modules/private-cluster/cluster_regional.tf | 2 --
 modules/private-cluster/cluster_zonal.tf | 3 +--
 modules/private-cluster/variables.tf | 13 -------------
 variables.tf | 2 ++
 14 files changed, 33 insertions(+), 25 deletions(-)

diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf
index bf7d39be3f..faad9bd020 100644
--- a/autogen/cluster_regional.tf
+++ b/autogen/cluster_regional.tf
@@ -42,10 +42,10 @@ resource "google_container_cluster" "primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
-{% if private_cluster %}
+ {% if beta_cluster %}
 enable_binary_authorization = "${var.enable_binary_authorization}"
 pod_security_policy_config = "${var.pod_security_policy_config}"
-{% endif %}
+ {% endif %}
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf
index d86342e1cc..07a7890a36 100644
--- a/autogen/cluster_zonal.tf
+++ b/autogen/cluster_zonal.tf
@@ -42,10 +42,11 @@ resource "google_container_cluster" "zonal_primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
-{% if private_cluster %}
+ {% if beta_cluster %}
 enable_binary_authorization = "${var.enable_binary_authorization}"
 pod_security_policy_config = "${var.pod_security_policy_config}"
-{% endif %}
+ {% endif %}
+
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/autogen/variables.tf b/autogen/variables.tf
index e1d1f50ee1..6dbd051bf4 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -86,7 +86,7 @@ variable "master_authorized_networks_config" {
 default = []
 }
-{% if private_cluster %}
+{% if beta_cluster %}
 variable "enable_binary_authorization" {
 description = "Enable BinAuthZ Admission controller"
 default = false
@@ -99,8 +99,9 @@ variable "pod_security_policy_config" {
 "enabled" = false
 }]
 }
- {% endif %}
+
+
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true
diff --git a/cluster_zonal.tf b/cluster_zonal.tf
index 5ab108cfa2..8b13c6c2d6 100644
--- a/cluster_zonal.tf
+++ b/cluster_zonal.tf
@@ -42,6 +42,7 @@ resource "google_container_cluster" "zonal_primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/beta-private-cluster/cluster_zonal.tf b/modules/beta-private-cluster/cluster_zonal.tf
index bdac00bd0c..d6a338e64d 100644
--- a/modules/beta-private-cluster/cluster_zonal.tf
+++ b/modules/beta-private-cluster/cluster_zonal.tf
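Review bot: The zonal template now emits a blank line after `{% endif %}` (the added `+` line before `master_authorized_networks_config`) that the regional template in the previous hunk does not, so the regenerated regional and zonal cluster files diverge by whitespace even though they were identical here before. Either add the same blank line in autogen/cluster_regional.tf or drop it here so the two templates stay in step. The enclosing resource block starts and ends outside the hunk.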
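Review bot: The wording at `description = "Enable BinAuthZ Admission controller"` stops short of what an operator needs to know now that the variable is exposed to public clusters too: the flag only turns on the admission controller, and whether any image is actually rejected depends on the project's Binary Authorization policy (as far as I recall the GKE default policy allows everything — worth confirming before wording it). Since modules/beta-public-cluster/variables.tf is regenerated from this template, the text belongs here rather than in the generated copy. Suggest `description = "Enable the Binary Authorization admission controller. Enforcement depends on the project's Binary Authorization policy; with the default policy nothing is rejected."` For `pod_security_policy_config`, whose description sits between this hunk and the next, I would add that PodSecurityPolicy objects and the RBAC bindings that grant their use must exist before `enabled = true` is applied, otherwise pod creation outside the GKE-managed namespaces will be rejected; the current "pods must be valid under a PodSecurityPolicy" only implies that.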
@@ -44,6 +44,7 @@ resource "google_container_cluster" "zonal_primary" {
 enable_binary_authorization = "${var.enable_binary_authorization}"
 pod_security_policy_config = "${var.pod_security_policy_config}"
+
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 30e8978bf4..6c1e00367c 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -122,6 +122,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | database\_encryption | Application-layer Secrets Encryption settings. Example: database_encryption = [{ state = "ENCRYPTED", key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key" }] | list | `` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no |
@@ -150,6 +151,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no |
 | node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no |
+| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
diff --git a/modules/beta-public-cluster/cluster_regional.tf b/modules/beta-public-cluster/cluster_regional.tf
index 438efff015..c01c495ea1 100644
--- a/modules/beta-public-cluster/cluster_regional.tf
+++ b/modules/beta-public-cluster/cluster_regional.tf
@@ -42,6 +42,8 @@ resource "google_container_cluster" "primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+ enable_binary_authorization = "${var.enable_binary_authorization}"
+ pod_security_policy_config = "${var.pod_security_policy_config}"
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/beta-public-cluster/cluster_zonal.tf b/modules/beta-public-cluster/cluster_zonal.tf
index d04c5b4d3e..4e69ec33c1 100644
--- a/modules/beta-public-cluster/cluster_zonal.tf
+++ b/modules/beta-public-cluster/cluster_zonal.tf
@@ -42,6 +42,9 @@ resource "google_container_cluster" "zonal_primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+ enable_binary_authorization = "${var.enable_binary_authorization}"
+ pod_security_policy_config = "${var.pod_security_policy_config}"
+
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 858b73ae87..bb3ea0a99b 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -86,6 +86,19 @@ variable "master_authorized_networks_config" {
 default = []
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
+variable "pod_security_policy_config" {
+ description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
+
+ default = [{
+ "enabled" = false
+ }]
+}
+
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 0f173c16d6..17e6c4c96f 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -124,7 +124,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
@@ -155,7 +154,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no |
 | node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no |
-| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf
index 5c0818a904..172e0b28ab 100644
--- a/modules/private-cluster/cluster_regional.tf
+++ b/modules/private-cluster/cluster_regional.tf
@@ -42,8 +42,6 @@ resource "google_container_cluster" "primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
- enable_binary_authorization = "${var.enable_binary_authorization}"
- pod_security_policy_config = "${var.pod_security_policy_config}"
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf
index 39fbcb6098..793960b7d6 100644
--- a/modules/private-cluster/cluster_zonal.tf
+++ b/modules/private-cluster/cluster_zonal.tf
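Review bot: Removing `enable_binary_authorization` and `pod_security_policy_config` from the GA private-cluster resource changes the security posture of clusters already created with this module, and nothing in the commit documents it: on a cluster where either feature was turned on, the next plan will fall back to the provider defaults (`enable_binary_authorization` defaults to false in the google provider, so the admission controller is switched off; the PSP block is presumably diffed away the same way — confirm with a plan against a cluster that had it enabled). Callers still passing these inputs should now fail at validate/plan time because the module no longer declares them, which at least makes the break visible, but a caller that set them in a wrapper variable file and gets a clean plan will not notice the enforcement disappearing. An upgrade note in modules/private-cluster/README.md or the changelog, e.g. `Binary Authorization and PodSecurityPolicy support moved to modules/beta-private-cluster; switch modules before applying, otherwise both features are disabled on the existing cluster.`, would close that gap. The enclosing resource block starts and ends outside the hunk.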
@@ -42,8 +42,7 @@ resource "google_container_cluster" "zonal_primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
- enable_binary_authorization = "${var.enable_binary_authorization}"
- pod_security_policy_config = "${var.pod_security_policy_config}"
+
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 9d6b123ac8..005a04228e 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -86,19 +86,6 @@ variable "master_authorized_networks_config" {
 default = []
 }
-variable "enable_binary_authorization" {
- description = "Enable BinAuthZ Admission controller"
- default = false
-}
-
-variable "pod_security_policy_config" {
- description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
-
- default = [{
- "enabled" = false
- }]
-}
-
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true
diff --git a/variables.tf b/variables.tf
index 70af17bd71..82293af300 100644
--- a/variables.tf
+++ b/variables.tf
@@ -86,6 +86,8 @@ variable "master_authorized_networks_config" {
 default = []
 }
+
+
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true