Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[safer-cluster] Replace "kubernetes_version" with "release_channel" #487

Merged
merged 6 commits into from
Apr 21, 2020
Merged

[safer-cluster] Replace "kubernetes_version" with "release_channel" #487

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4d117c4
Fix kubernetes_version and node_version variables
skinlayers Apr 13, 2020
8e73494
Regenerate modules
skinlayers Apr 13, 2020
503212d
Replace kubernetes_version with REGULAR release channel.
skinlayers Apr 13, 2020
cddc4d8
Regenerate modules and documentation
skinlayers Apr 13, 2020
7723a6b
Update autogen/safer-cluster/variables.tf.tmpl
skinlayers Apr 13, 2020
cabf08a
Remove unused node_version variables.
skinlayers Apr 20, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 4 additions & 2 deletions autogen/safer-cluster/main.tf.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,14 +34,16 @@ module "gke" {

// We need to enforce a minimum Kubernetes Version to ensure
// that the necessary security features are enabled.
kubernetes_version = "latest"
kubernetes_version = var.kubernetes_version

// Nodes are created with a default version. The nodepool enables
// auto_upgrade so that the node versions can be kept up to date with
// the master upgrades.
//
// https://cloud.google.com/kubernetes-engine/versioning-and-upgrades
node_version = ""
node_version = var.node_version
Copy link
Contributor Author

@skinlayers skinlayers Apr 13, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@morgante Is node_version actually used anywhere in any of the modules? I was grepping through the code last night, but AFAICT, node_version is never consumed by any resource. Am I crazy, or can we just remove node_version, node_version_regional, and node_version_zonal from autogen/main & autogen/safer-cluster?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're right, it looks like we might have dropped it entirely. Feel free to remove the variable in that case.


release_channel = var.release_channel

master_authorized_networks = var.master_authorized_networks

Expand Down
8 changes: 7 additions & 1 deletion autogen/safer-cluster/variables.tf.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ variable "subnetwork" {
variable "kubernetes_version" {
type = string
description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. "
default = "latest"
default = null
}

variable "node_version" {
Expand All @@ -77,6 +77,12 @@ variable "node_version" {
default = ""
}

variable "release_channel" {
type = string
description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
default = "REGULAR"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of curiosity, why pick REGULAR as default over STABLE?

Copy link
Contributor Author

@skinlayers skinlayers Apr 20, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See #486 & #451 for additional context.

tl;dr Google deems both STABLE & REGULAR to be "production-quality". REGULAR is usually just a few patch revisions behind the latest GKE version. @morgante (Cloud Foundation Toolkit maintainer who works for Google) would prefer safer-cluster use the latest version of GKE. I can see a number of reason for this preference. For instance if you wanted to apply additional CIS Benchmarks listed here: https://cloud.google.com/kubernetes-engine/docs/concepts/cis-benchmarks. That page currently only refers to GKE v1.15, which is also the current REGULAR channel.

Copy link

@umairidris umairidris Apr 20, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, I looked through it but didn't see any particular reason for picking regular over stable (maybe I missed that section).

While I don't have a strong opinion, based on the GKE documentation I think a default setting would be better suited to the more stable option. Users who want newer features etc can switch to regular etc if they would like by overriding.

I will leave it up to your judgment, just doing a drive-by here. Thanks for the PR, we're hoping to use it as soon as it's released :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think regular is a reasonable default, because we'd potentially like to add enhanced security features in the future w/o waiting for them to appear in the stable channel. For clusters which require extra stability, they can override.

}

variable "master_authorized_networks" {
type = list(object({ cidr_block = string, display_name = string }))
description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
Expand Down
3 changes: 2 additions & 1 deletion modules/safer-cluster-update-variant/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,7 @@ For simplicity, we suggest using `roles/container.admin` and
| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
| istio | (Beta) Enable Istio addon | string | `"false"` | no |
| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no |
| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `""` | no |
| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `<list>` | no |
Expand All @@ -241,6 +241,7 @@ For simplicity, we suggest using `roles/container.admin` and
| region | The region to host the cluster in | string | n/a | yes |
| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no |
| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | string | `"REGULAR"` | no |
| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
Expand Down
6 changes: 4 additions & 2 deletions modules/safer-cluster-update-variant/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,16 @@ module "gke" {

// We need to enforce a minimum Kubernetes Version to ensure
// that the necessary security features are enabled.
kubernetes_version = "latest"
kubernetes_version = var.kubernetes_version

// Nodes are created with a default version. The nodepool enables
// auto_upgrade so that the node versions can be kept up to date with
// the master upgrades.
//
// https://cloud.google.com/kubernetes-engine/versioning-and-upgrades
node_version = ""
node_version = var.node_version

release_channel = var.release_channel

master_authorized_networks = var.master_authorized_networks

Expand Down
8 changes: 7 additions & 1 deletion modules/safer-cluster-update-variant/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ variable "subnetwork" {
variable "kubernetes_version" {
type = string
description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. "
default = "latest"
default = ""
}

variable "node_version" {
Expand All @@ -77,6 +77,12 @@ variable "node_version" {
default = ""
}

variable "release_channel" {
type = string
description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
default = "REGULAR"
}

variable "master_authorized_networks" {
type = list(object({ cidr_block = string, display_name = string }))
description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
Expand Down
3 changes: 2 additions & 1 deletion modules/safer-cluster/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,7 @@ For simplicity, we suggest using `roles/container.admin` and
| ip\_range\_services | The _name_ of the secondary subnet range to use for services | string | n/a | yes |
| istio | (Beta) Enable Istio addon | string | `"false"` | no |
| istio\_auth | (Beta) The authentication type between services in Istio. | string | `"AUTH_MUTUAL_TLS"` | no |
| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `"latest"` | no |
| kubernetes\_version | The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. | string | `""` | no |
| logging\_service | The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none | string | `"logging.googleapis.com/kubernetes"` | no |
| maintenance\_start\_time | Time window specified for daily maintenance operations in RFC3339 format | string | `"05:00"` | no |
| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | object | `<list>` | no |
Expand All @@ -241,6 +241,7 @@ For simplicity, we suggest using `roles/container.admin` and
| region | The region to host the cluster in | string | n/a | yes |
| regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
| registry\_project\_id | Project holding the Google Container Registry. If empty, we use the cluster project. If grant_registry_access is true, storage.objectViewer role is assigned on this project. | string | `""` | no |
| release\_channel | (Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | string | `"REGULAR"` | no |
| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
| skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | bool | `"false"` | no |
Expand Down
6 changes: 4 additions & 2 deletions modules/safer-cluster/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,14 +30,16 @@ module "gke" {

// We need to enforce a minimum Kubernetes Version to ensure
// that the necessary security features are enabled.
kubernetes_version = "latest"
kubernetes_version = var.kubernetes_version

// Nodes are created with a default version. The nodepool enables
// auto_upgrade so that the node versions can be kept up to date with
// the master upgrades.
//
// https://cloud.google.com/kubernetes-engine/versioning-and-upgrades
node_version = ""
node_version = var.node_version

release_channel = var.release_channel

master_authorized_networks = var.master_authorized_networks

Expand Down
8 changes: 7 additions & 1 deletion modules/safer-cluster/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ variable "subnetwork" {
variable "kubernetes_version" {
type = string
description = "The Kubernetes version of the masters. If set to 'latest' it will pull latest available version in the selected region. The module enforces certain minimum versions to ensure that specific features are available. "
default = "latest"
default = ""
}

variable "node_version" {
Expand All @@ -77,6 +77,12 @@ variable "node_version" {
default = ""
}

variable "release_channel" {
type = string
description = "(Beta) The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`."
default = "REGULAR"
}

variable "master_authorized_networks" {
type = list(object({ cidr_block = string, display_name = string }))
description = "List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists)."
Expand Down