terraform-google-modules · apeabody · Nov 15, 2023 · Oct 11, 2023 · Nov 3, 2023 · Nov 13, 2023
@@ -326,6 +326,11 @@ resource "google_container_cluster" "primary" {
     }
     {% endif %}
   }
+
+  {% if autopilot_cluster %}
+  allow_net_admin = var.allow_net_admin
+  {% endif %}
+
   {% if autopilot_cluster != true %}
 
   datapath_provider = var.datapath_provider

@@ -849,3 +849,11 @@ variable "enable_gcfs" {
 }
   {% endif %}
 {% endif %}
+
+{% if autopilot_cluster %}
+variable "allow_net_admin" {
+  description = "(Optional) Enable NET_ADMIN for the cluster."
+  type = bool
+  default = null
+}
+{% endif %}
diff --git a/cluster.tf b/cluster.tf
@@ -215,6 +215,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+
+
   datapath_provider = var.datapath_provider
 
 

@@ -75,6 +75,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `false` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |

@@ -130,6 +130,9 @@ resource "google_container_cluster" "primary" {
 
   }
 
+  allow_net_admin = var.allow_net_admin
+
+
   networking_mode = "VPC_NATIVE"
 
   protect_config {

@@ -448,3 +448,9 @@ variable "timeouts" {
   }
 }
 
+
+variable "allow_net_admin" {
+  description = "(Optional) Enable NET_ADMIN for the cluster."
+  type        = bool
+  default     = false
+}
@@ -69,6 +69,7 @@ Then perform the following commands on the root folder:
 | add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
+| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `false` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
 | cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |

@@ -130,6 +130,9 @@ resource "google_container_cluster" "primary" {
 
   }
 
+  allow_net_admin = var.allow_net_admin
+
+
   networking_mode = "VPC_NATIVE"
 
   protect_config {

@@ -418,3 +418,9 @@ variable "timeouts" {
   }
 }
 
+
+variable "allow_net_admin" {
+  description = "(Optional) Enable NET_ADMIN for the cluster."
+  type        = bool
+  default     = false
+}
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -265,6 +265,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+
+
   datapath_provider = var.datapath_provider
 
   networking_mode = "VPC_NATIVE"

diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
@@ -804,3 +804,4 @@ variable "enable_gcfs" {
   description = "Enable image streaming on cluster level."
   default     = false
 }
+
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -265,6 +265,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+
+
   datapath_provider = var.datapath_provider
 
   networking_mode = "VPC_NATIVE"

diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -804,3 +804,4 @@ variable "enable_gcfs" {
   description = "Enable image streaming on cluster level."
   default     = false
 }
+
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -265,6 +265,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+
+
   datapath_provider = var.datapath_provider
 
   networking_mode = "VPC_NATIVE"

diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
@@ -774,3 +774,4 @@ variable "enable_gcfs" {
   description = "Enable image streaming on cluster level."
   default     = false
 }
+
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -265,6 +265,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+
+
   datapath_provider = var.datapath_provider
 
   networking_mode = "VPC_NATIVE"

diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -774,3 +774,4 @@ variable "enable_gcfs" {
   description = "Enable image streaming on cluster level."
   default     = false
 }
+
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
@@ -215,6 +215,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+
+
   datapath_provider = var.datapath_provider
 
 

diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
@@ -702,3 +702,4 @@ variable "config_connector" {
   description = "Whether ConfigConnector is enabled for this cluster."
   default     = false
 }
+
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
@@ -215,6 +215,8 @@ resource "google_container_cluster" "primary" {
     }
   }
 
+
+
   datapath_provider = var.datapath_provider
 
 

diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
@@ -702,3 +702,4 @@ variable "config_connector" {
   description = "Whether ConfigConnector is enabled for this cluster."
   default     = false
 }
+
diff --git a/variables.tf b/variables.tf
@@ -672,3 +672,4 @@ variable "config_connector" {
   description = "Whether ConfigConnector is enabled for this cluster."
   default     = false
 }
+