Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat!: enabling vulnerability and audit modes for workloads #1749

Merged
merged 4 commits into from
Oct 10, 2023
Merged

feat!: enabling vulnerability and audit modes for workloads #1749

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c4b6b29
feat: enabling vulnerability and audit modes for workloads
mmorejon Sep 27, 2023
9fef03d
fix typo
mmorejon Sep 27, 2023
cc70717
fix: change empty string by null
mmorejon Sep 28, 2023
86355a8
rollback to emtpy value
mmorejon Oct 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
3 changes: 2 additions & 1 deletion autogen/main/variables.tf.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -548,14 +548,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
4 changes: 4 additions & 0 deletions autogen/safer-cluster/main.tf.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -200,4 +200,8 @@ module "gke" {
timeouts = var.timeouts

enable_gcfs = var.enable_gcfs

// Enabling vulnerability and audit for workloads
workload_vulnerability_mode = var.workload_vulnerability_mode
workload_config_audit_mode = var.workload_config_audit_mode
}
12 changes: 12 additions & 0 deletions autogen/safer-cluster/variables.tf.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -496,3 +496,15 @@ variable "enable_mesh_certificates" {
default = false
description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these new default values going to cause a replacement for existing clusters? Could we use null?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

workload_config_audit_mode cannot be null. This value is required. I got this message setting the value as null.

The argument "protect_config.0.workload_config.0.audit_mode" is required, but no definition was found.

workload_vulnerability_mode has the same behavior using an empty string or null value. I got a change in the tfstate only when DISABLED or BASIC is used.

~ protect_config {
   ~ workload_vulnerability_mode = "WORKLOAD_VULNERABILITY_MODE_UNSPECIFIED" -> "DISABLED"
}

and

~ protect_config {
   ~ workload_vulnerability_mode = "WORKLOAD_VULNERABILITY_MODE_UNSPECIFIED" -> "BASIC"
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@apeabody , what do you think?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @mmorejon - Yeah, for simplicity, I recommend we just go with default = "" and mark this as a breaking change.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. I set back the default value to empty.

}

variable "workload_config_audit_mode" {
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
2 changes: 1 addition & 1 deletion modules/beta-autopilot-private-cluster/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ Then perform the following commands on the root folder:
| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-autopilot-private-cluster/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -373,14 +373,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-autopilot-public-cluster/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ Then perform the following commands on the root folder:
| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-autopilot-public-cluster/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -343,14 +343,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-private-cluster-update-variant/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -273,7 +273,7 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-private-cluster-update-variant/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -518,14 +518,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-private-cluster/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -251,7 +251,7 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-private-cluster/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -518,14 +518,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-public-cluster-update-variant/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,7 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-public-cluster-update-variant/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -488,14 +488,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-public-cluster/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -240,7 +240,7 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-public-cluster/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -488,14 +488,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 2 additions & 0 deletions modules/safer-cluster-update-variant/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,8 @@ For simplicity, we suggest using `roles/container.admin` and
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in | `list(string)` | `[]` | no |

## Outputs
Expand Down
4 changes: 4 additions & 0 deletions modules/safer-cluster-update-variant/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,4 +196,8 @@ module "gke" {
timeouts = var.timeouts

enable_gcfs = var.enable_gcfs

// Enabling vulnerability and audit for workloads
workload_vulnerability_mode = var.workload_vulnerability_mode
workload_config_audit_mode = var.workload_config_audit_mode
}
12 changes: 12 additions & 0 deletions modules/safer-cluster-update-variant/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -496,3 +496,15 @@ variable "enable_mesh_certificates" {
default = false
description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
2 changes: 2 additions & 0 deletions modules/safer-cluster/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,8 @@ For simplicity, we suggest using `roles/container.admin` and
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in | `list(string)` | `[]` | no |

## Outputs
Expand Down
4 changes: 4 additions & 0 deletions modules/safer-cluster/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,4 +196,8 @@ module "gke" {
timeouts = var.timeouts

enable_gcfs = var.enable_gcfs

// Enabling vulnerability and audit for workloads
workload_vulnerability_mode = var.workload_vulnerability_mode
workload_config_audit_mode = var.workload_config_audit_mode
}
12 changes: 12 additions & 0 deletions modules/safer-cluster/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -496,3 +496,15 @@ variable "enable_mesh_certificates" {
default = false
description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}