Skip to content

Commit

Permalink
Add policycontroller fields to fleet default configs for GKE Hub Feat…
Browse files Browse the repository at this point in the history 
…ure resource (GoogleCloudPlatform#9426)
  • Loading branch information
@tonyzhc @trodge
tonyzhc authored and trodge committed Nov 27, 2023
1 parent 115c002 commit 23b35bd
Show file tree
Hide file tree
Showing 5 changed files with 438 additions and 0 deletions.
170 changes: 170 additions & 0 deletions mmv1/products/gkehub2/Feature.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,21 @@ examples:
skip_test: true
primary_resource_name: 'fmt.Sprintf("configmanagement")'
primary_resource_id: 'feature'
- !ruby/object:Provider::Terraform::Examples
name: 'enable_fleet_default_member_config_policycontroller'
skip_test: true
primary_resource_name: 'fmt.Sprintf("policycontroller")'
primary_resource_id: 'feature'
- !ruby/object:Provider::Terraform::Examples
name: 'enable_fleet_default_member_config_policycontroller_update'
skip_test: true
primary_resource_name: 'fmt.Sprintf("policycontroller")'
primary_resource_id: 'feature'
- !ruby/object:Provider::Terraform::Examples
name: 'enable_fleet_default_member_config_policycontroller_set_empty'
skip_test: true
primary_resource_name: 'fmt.Sprintf("policycontroller")'
primary_resource_id: 'feature'
autogen_async: true
# Skip sweeper gen since this is a child resource.
skip_sweeper: true
Expand Down Expand Up @@ -259,6 +274,161 @@ properties:
- !ruby/object:Api::Type::String
name: version
description: 'Version of ACM installed'
- !ruby/object:Api::Type::NestedObject
name: policycontroller
description: Policy Controller spec
properties:
- !ruby/object:Api::Type::String
name: version
description: 'Configures the version of Policy Controller'
default_from_api: true
- !ruby/object:Api::Type::NestedObject
name: policyControllerHubConfig
description: 'Configuration of Policy Controller'
required: true
properties:
- !ruby/object:Api::Type::Enum
name: installSpec
description: 'Configures the mode of the Policy Controller installation'
values:
- :INSTALL_SPEC_UNSPECIFIED
- :INSTALL_SPEC_NOT_INSTALLED
- :INSTALL_SPEC_ENABLED
- :INSTALL_SPEC_SUSPENDED
- :INSTALL_SPEC_DETACHED
required: true
- !ruby/object:Api::Type::Integer
name: auditIntervalSeconds
description: 'Interval for Policy Controller Audit scans (in seconds). When set to 0, this disables audit functionality altogether.'
- !ruby/object:Api::Type::Array
name: exemptableNamespaces
description: 'The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.'
item_type: Api::Type::String
- !ruby/object:Api::Type::Boolean
name: logDeniesEnabled
description: 'Logs all denies and dry run failures.'
- !ruby/object:Api::Type::Boolean
name: mutationEnabled
description: 'Enables the ability to mutate resources using Policy Controller.'
- !ruby/object:Api::Type::Boolean
name: referentialRulesEnabled
description: 'Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.'
- !ruby/object:Api::Type::NestedObject
name: monitoring
description: 'Monitoring specifies the configuration of monitoring Policy Controller.'
default_from_api: true
properties:
- !ruby/object:Api::Type::Array
name: backends
description: 'Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.'
default_from_api: true
item_type: !ruby/object:Api::Type::Enum
name: 'required but unused'
description: 'required but unused'
values:
- :MONITORING_BACKEND_UNSPECIFIED
- :PROMETHEUS
- :CLOUD_MONITORING
- !ruby/object:Api::Type::Integer
name: constraintViolationLimit
description: 'The maximum number of audit violations to be stored in a constraint. If not set, the internal default of 20 will be used.'
- !ruby/object:Api::Type::Map
name: deploymentConfigs
description: 'Map of deployment configs to deployments ("admission", "audit", "mutation").'
key_name: component
key_description: 'Specifies which component to apply the deployment config to. Accepted values are "admission", "audit" and "mutation".'
default_from_api: true
value_type: !ruby/object:Api::Type::NestedObject
name: deploymentConfig
description: 'Configures deployment-specific options, such as high availability.'
properties:
- !ruby/object:Api::Type::Integer
name: replicaCount
description: 'Pod replica count.'
send_empty_value: false
default_from_api: true
- !ruby/object:Api::Type::NestedObject
name: containerResources
description: 'Container resource requirements.'
properties:
- !ruby/object:Api::Type::NestedObject
name: limits
description: 'Limits describes the maximum amount of compute resources allowed for use by the running container.'
properties:
- !ruby/object:Api::Type::String
name: memory
description: 'Memory requirement expressed in Kubernetes resource units.'
- !ruby/object:Api::Type::String
name: cpu
description: 'CPU requirement expressed in Kubernetes resource units.'
- !ruby/object:Api::Type::NestedObject
name: requests
description: 'Requests describes the amount of compute resources reserved for the container by the kube-scheduler.'
properties:
- !ruby/object:Api::Type::String
name: memory
description: 'Memory requirement expressed in Kubernetes resource units.'
- !ruby/object:Api::Type::String
name: cpu
description: 'CPU requirement expressed in Kubernetes resource units.'
- !ruby/object:Api::Type::Enum
name: podAffinity
description: 'Pod affinity configuration.'
default_from_api: true
values:
- :AFFINITY_UNSPECIFIED
- :NO_AFFINITY
- :ANTI_AFFINITY
- !ruby/object:Api::Type::Array
name: podToleration
api_name: podTolerations
description: 'Pod tolerations of node taints.'
item_type: !ruby/object:Api::Type::NestedObject
name: 'required but unused'
description: 'required but unused'
properties:
- !ruby/object:Api::Type::String
name: key
description: 'Matches a taint key (not necessarily unique).'
- !ruby/object:Api::Type::String
name: operator
description: 'Matches a taint operator.'
- !ruby/object:Api::Type::String
name: value
description: 'Matches a taint value.'
- !ruby/object:Api::Type::String
name: effect
description: 'Matches a taint effect.'
- !ruby/object:Api::Type::NestedObject
name: policyContent
description: 'Specifies the desired policy content on the cluster.'
# default_from_api: true
properties:
- !ruby/object:Api::Type::NestedObject
name: templateLibrary
description: 'Configures the installation of the Template Library.'
default_from_api: true
properties:
- !ruby/object:Api::Type::Enum
name: installation
description: 'Configures the manner in which the template library is installed on the cluster.'
values:
- :INSTALATION_UNSPECIFIED
- :NOT_INSTALLED
- :ALL
- !ruby/object:Api::Type::Map
name: bundles
description: 'Configures which bundles to install and their corresponding install specs.'
key_name: bundle
key_description: 'A bundle name supported in this version. Values configure the exempted namespaces for this bundle.'
value_type: !ruby/object:Api::Type::NestedObject
name: bundleInstallSpec
description: 'The specification configuration for a single managed bundle.'
properties:
- !ruby/object:Api::Type::Array
name: exemptedNamespaces
description: 'The set of namespaces to be exempted from the bundle.'
item_type: Api::Type::String
- !ruby/object:Api::Type::NestedObject
name: state
description: Output only. The Hub-wide Feature state
Expand Down
23 changes: 23 additions & 0 deletions mmv1/templates/terraform/examples/enable_fleet_default_member_config_policycontroller.tf.erb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
resource "google_gke_hub_feature" "feature" {
name = "policycontroller"
location = "global"
fleet_default_member_config {
policycontroller {
policy_controller_hub_config {
install_spec = "INSTALL_SPEC_ENABLED"
exemptable_namespaces = ["foo"]
policy_content {
bundles {
bundle = "policy-essentials-v2022"
exempted_namespaces = ["foo", "bar"]
}
template_library {
installation = "ALL"
}
}
audit_interval_seconds = 30
referential_rules_enabled = true
}
}
}
}
20 changes: 20 additions & 0 deletions ...s/terraform/examples/enable_fleet_default_member_config_policycontroller_set_empty.tf.erb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
resource "google_gke_hub_feature" "feature" {
name = "policycontroller"
location = "global"
fleet_default_member_config {
policycontroller {
policy_controller_hub_config {
install_spec = "INSTALL_SPEC_ENABLED"
policy_content {}
constraint_violation_limit = 50
referential_rules_enabled = true
log_denies_enabled = true
mutation_enabled = true
deployment_configs {
component = "admission"
}
monitoring {}
}
}
}
}
57 changes: 57 additions & 0 deletions ...ates/terraform/examples/enable_fleet_default_member_config_policycontroller_update.tf.erb
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
resource "google_gke_hub_feature" "feature" {
name = "policycontroller"
location = "global"
fleet_default_member_config {
policycontroller {
policy_controller_hub_config {
install_spec = "INSTALL_SPEC_SUSPENDED"
policy_content {
bundles {
bundle = "pci-dss-v3.2.1"
exempted_namespaces = ["baz", "bar"]
}
bundles {
bundle = "nist-sp-800-190"
exempted_namespaces = []
}
template_library {
installation = "ALL"
}
}
constraint_violation_limit = 50
referential_rules_enabled = true
log_denies_enabled = true
mutation_enabled = true
deployment_configs {
component = "admission"
replica_count = 2
pod_affinity = "ANTI_AFFINITY"
}
deployment_configs {
component = "audit"
container_resources {
limits {
memory = "1Gi"
cpu = "1.5"
}
requests {
memory = "500Mi"
cpu = "150m"
}
}
pod_toleration {
key = "key1"
operator = "Equal"
value = "value1"
effect = "NoSchedule"
}
}
monitoring {
backends = [
"PROMETHEUS"
]
}
}
}
}
}
Loading

0 comments on commit 23b35bd

Please sign in to comment.