Add configuration flag for #141

autogen/cluster_regional.tf

@@ -36,6 +36,9 @@ resource "google_container_cluster" "primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
+{% if private_cluster %}
+  enable_binary_authorization = "${var.enable_binary_authorization}"
+{% endif %}
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

autogen/cluster_zonal.tf

@@ -36,6 +36,9 @@ resource "google_container_cluster" "zonal_primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
+{% if private_cluster %}
+  enable_binary_authorization = "${var.enable_binary_authorization}"
+{% endif %}
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

autogen/outputs.tf

@@ -78,6 +78,7 @@ output "ca_certificate" {
   value       = "${local.cluster_ca_certificate}"
 }
 
+
 output "network_policy_enabled" {
   description = "Whether network policy enabled"
   value       = "${local.cluster_network_policy_enabled}"

autogen/variables.tf

@@ -86,6 +86,13 @@ variable "master_authorized_networks_config" {
   default = []
 }
 
+{% if private_cluster %}
+variable "enable_binary_authorization" {
+  description = "Enable BinAuthZ Admission controller"
+  default     = false
+}
+{% endif %}
+
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"
   default     = true

examples/disable_client_cert/README.md

@@ -14,6 +14,7 @@ This example illustrates how to create a simple cluster and disable deprecated s
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
 | credentials\_path | The path to the GCP credentials JSON file | string | n/a | yes |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |

examples/node_pool/README.md

@@ -10,6 +10,7 @@ This example illustrates how to create a cluster with multiple custom node-pool
 |------|-------------|:----:|:-----:|:-----:|
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |

examples/shared_vpc/README.md

@@ -10,6 +10,7 @@ This example illustrates how to create a simple cluster where the host network i
 |------|-------------|:----:|:-----:|:-----:|
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |

examples/simple_regional_private/README.md

@@ -10,6 +10,7 @@ This example illustrates how to create a simple private cluster.
 |------|-------------|:----:|:-----:|:-----:|
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |

examples/simple_zonal_private/README.md

@@ -10,6 +10,7 @@ This example illustrates how to create a simple private cluster.
 |------|-------------|:----:|:-----:|:-----:|
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |

examples/stub_domains/README.md

@@ -15,6 +15,7 @@ It will:
 |------|-------------|:----:|:-----:|:-----:|
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |

modules/private-cluster/README.md

@@ -124,6 +124,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
@@ -167,6 +168,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | Name | Description |
 |------|-------------|
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller |
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |

modules/private-cluster/cluster_regional.tf

@@ -36,6 +36,8 @@ resource "google_container_cluster" "primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
+  enable_binary_authorization = "${var.enable_binary_authorization}"
+
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/private-cluster/cluster_zonal.tf

@@ -36,6 +36,8 @@ resource "google_container_cluster" "zonal_primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
+  enable_binary_authorization = "${var.enable_binary_authorization}"
+
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/private-cluster/outputs.tf

@@ -78,6 +78,11 @@ output "ca_certificate" {
   value       = "${local.cluster_ca_certificate}"
 }
 
+output "enable_binary_authorization" {
+description = "Enable BinAuthZ Admission controller"
+value = "${var.enable_binary_authorization}"
+}
+
 output "network_policy_enabled" {
   description = "Whether network policy enabled"
   value       = "${local.cluster_network_policy_enabled}"

modules/private-cluster/variables.tf

@@ -86,6 +86,11 @@ variable "master_authorized_networks_config" {
   default = []
 }
 
+variable "enable_binary_authorization" {
+  description = "Enable BinAuthZ Admission controller"
+  default     = false
+}
+
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"
   default     = true

outputs.tf

@@ -78,6 +78,7 @@ output "ca_certificate" {
   value       = "${local.cluster_ca_certificate}"
 }
 
+
 output "network_policy_enabled" {
   description = "Whether network policy enabled"
   value       = "${local.cluster_network_policy_enabled}"

variables.tf

@@ -86,6 +86,7 @@ variable "master_authorized_networks_config" {
   default = []
 }
 
+
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"
   default     = true