diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf index e9ff964931..d8b4840d5a 100644 --- a/autogen/cluster_regional.tf +++ b/autogen/cluster_regional.tf @@ -42,10 +42,10 @@ resource "google_container_cluster" "primary" { logging_service = "${var.logging_service}" monitoring_service = "${var.monitoring_service}" -{% if private_cluster %} + {% if beta_cluster %} enable_binary_authorization = "${var.enable_binary_authorization}" pod_security_policy_config = "${var.pod_security_policy_config}" -{% endif %} + {% endif %} master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf index f899035a0d..08149ee831 100644 --- a/autogen/cluster_zonal.tf +++ b/autogen/cluster_zonal.tf @@ -42,10 +42,11 @@ resource "google_container_cluster" "zonal_primary" { logging_service = "${var.logging_service}" monitoring_service = "${var.monitoring_service}" -{% if private_cluster %} + {% if beta_cluster %} enable_binary_authorization = "${var.enable_binary_authorization}" pod_security_policy_config = "${var.pod_security_policy_config}" -{% endif %} + {% endif %} + master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/autogen/main.tf b/autogen/main.tf index 9d0f2ab9c8..96abf2ec51 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -140,6 +140,10 @@ locals { regional = "${element(concat(google_container_cluster.primary.*.addons_config.0.cloudrun_config.0.disabled, list("")), 0)}" zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.cloudrun_config.0.disabled, list("")), 0)}" } + cluster_type_output_pod_security_policy_enabled = { + regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + } # /BETA features {% endif %} @@ -153,13 +157,6 @@ locals { zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" } -{% if private_cluster %} - cluster_type_output_pod_security_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" - } - -{% endif %} cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" @@ -184,10 +181,9 @@ locals { # BETA features cluster_istio_enabled = "${local.cluster_type_output_istio_enabled[local.cluster_type] ? false : true}" cluster_cloudrun_enabled = "${local.cluster_type_output_cloudrun_enabled[local.cluster_type] ? false : true}" - # /BETA features -{% endif %} -{% if private_cluster %} + cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}" + # /BETA features {% endif %} } diff --git a/autogen/outputs.tf b/autogen/outputs.tf index 1c33f8236e..58a2e15b0d 100644 --- a/autogen/outputs.tf +++ b/autogen/outputs.tf @@ -113,7 +113,6 @@ output "service_account" { value = "${local.service_account}" } {% if beta_cluster %} - output "istio_enabled" { description = "Whether Istio is enabled" value = "${local.cluster_istio_enabled}" @@ -123,8 +122,6 @@ output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = "${local.cluster_cloudrun_enabled}" } -{% endif %} -{% if private_cluster %} output "pod_security_policy_enabled" { description = "Whether pod security policy is enabled" diff --git a/autogen/variables.tf b/autogen/variables.tf index 7c4b3f2e8d..45dff454ae 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -86,21 +86,6 @@ variable "master_authorized_networks_config" { default = [] } -{% if private_cluster %} -variable "enable_binary_authorization" { - description = "Enable BinAuthZ Admission controller" - default = false -} - -variable "pod_security_policy_config" { - description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = false - }] -} - -{% endif %} variable "horizontal_pod_autoscaling" { description = "Enable horizontal pod autoscaling addon" default = true @@ -279,7 +264,6 @@ variable "master_ipv4_cidr_block" { } {% endif %} {% if beta_cluster %} - variable "istio" { description = "(Beta) Enable Istio addon" default = false @@ -304,6 +288,18 @@ variable "database_encryption" { key_name = "" }] } + +variable "enable_binary_authorization" { + description = "Enable BinAuthZ Admission controller" + default = false +} + +variable "pod_security_policy_config" { + description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + default = [{ + "enabled" = false + }] +} {% endif %} variable "basic_auth_username" { diff --git a/cluster_zonal.tf b/cluster_zonal.tf index 5f3735857e..087ac258d7 100644 --- a/cluster_zonal.tf +++ b/cluster_zonal.tf @@ -42,6 +42,7 @@ resource "google_container_cluster" "zonal_primary" { logging_service = "${var.logging_service}" monitoring_service = "${var.monitoring_service}" + master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/beta-private-cluster/cluster_zonal.tf b/modules/beta-private-cluster/cluster_zonal.tf index 95697ce5b2..843821ca28 100644 --- a/modules/beta-private-cluster/cluster_zonal.tf +++ b/modules/beta-private-cluster/cluster_zonal.tf @@ -44,6 +44,7 @@ resource "google_container_cluster" "zonal_primary" { enable_binary_authorization = "${var.enable_binary_authorization}" pod_security_policy_config = "${var.pod_security_policy_config}" + master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index f9ebd7f70a..75d26fd69b 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -133,6 +133,11 @@ locals { zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.cloudrun_config.0.disabled, list("")), 0)}" } + cluster_type_output_pod_security_policy_enabled = { + regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + } + # /BETA features cluster_type_output_node_pools_names = { @@ -143,10 +148,6 @@ locals { regional = "${concat(google_container_node_pool.pools.*.version, list(""))}" zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" } - cluster_type_output_pod_security_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" - } cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" @@ -170,8 +171,9 @@ locals { # BETA features cluster_istio_enabled = "${local.cluster_type_output_istio_enabled[local.cluster_type] ? false : true}" cluster_cloudrun_enabled = "${local.cluster_type_output_cloudrun_enabled[local.cluster_type] ? false : true}" - # /BETA features cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}" + + # /BETA features } /****************************************** diff --git a/modules/beta-private-cluster/outputs.tf b/modules/beta-private-cluster/outputs.tf index acc7d1b7bc..f7c707cc8f 100644 --- a/modules/beta-private-cluster/outputs.tf +++ b/modules/beta-private-cluster/outputs.tf @@ -112,7 +112,6 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = "${local.service_account}" } - output "istio_enabled" { description = "Whether Istio is enabled" value = "${local.cluster_istio_enabled}" diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 6c024e01a6..39e694e832 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -86,19 +86,6 @@ variable "master_authorized_networks_config" { default = [] } -variable "enable_binary_authorization" { - description = "Enable BinAuthZ Admission controller" - default = false -} - -variable "pod_security_policy_config" { - description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = false - }] -} - variable "horizontal_pod_autoscaling" { description = "Enable horizontal pod autoscaling addon" default = true @@ -302,6 +289,19 @@ variable "database_encryption" { }] } +variable "enable_binary_authorization" { + description = "Enable BinAuthZ Admission controller" + default = false +} + +variable "pod_security_policy_config" { + description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + + default = [{ + "enabled" = false + }] +} + variable "basic_auth_username" { description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." default = "" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 988e39fcc8..5e8c2514f2 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -124,6 +124,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | database\_encryption | Application-layer Secrets Encryption settings. Example: database_encryption = [{ state = "ENCRYPTED", key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key" }] | list | `` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | | http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no | @@ -152,6 +153,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | | node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no | +| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no | | project\_id | The project ID to host the cluster in (required) | string | n/a | yes | | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | @@ -182,6 +184,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | | node\_pools\_versions | List of node pools versions | +| pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | type | Cluster type (regional / zonal) | diff --git a/modules/beta-public-cluster/cluster_regional.tf b/modules/beta-public-cluster/cluster_regional.tf index ad92b21d6e..60601bd644 100644 --- a/modules/beta-public-cluster/cluster_regional.tf +++ b/modules/beta-public-cluster/cluster_regional.tf @@ -42,6 +42,8 @@ resource "google_container_cluster" "primary" { logging_service = "${var.logging_service}" monitoring_service = "${var.monitoring_service}" + enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/beta-public-cluster/cluster_zonal.tf b/modules/beta-public-cluster/cluster_zonal.tf index 936c569c5a..37a8f847a2 100644 --- a/modules/beta-public-cluster/cluster_zonal.tf +++ b/modules/beta-public-cluster/cluster_zonal.tf @@ -42,6 +42,9 @@ resource "google_container_cluster" "zonal_primary" { logging_service = "${var.logging_service}" monitoring_service = "${var.monitoring_service}" + enable_binary_authorization = "${var.enable_binary_authorization}" + pod_security_policy_config = "${var.pod_security_policy_config}" + master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index 83f4865b38..4bfdf29952 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -124,6 +124,11 @@ locals { zonal = "${element(concat(google_container_cluster.zonal_primary.*.addons_config.0.cloudrun_config.0.disabled, list("")), 0)}" } + cluster_type_output_pod_security_policy_enabled = { + regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" + } + # /BETA features cluster_type_output_node_pools_names = { @@ -157,6 +162,7 @@ locals { # BETA features cluster_istio_enabled = "${local.cluster_type_output_istio_enabled[local.cluster_type] ? false : true}" cluster_cloudrun_enabled = "${local.cluster_type_output_cloudrun_enabled[local.cluster_type] ? false : true}" + cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}" # /BETA features } diff --git a/modules/beta-public-cluster/outputs.tf b/modules/beta-public-cluster/outputs.tf index eb24b144e3..f7c707cc8f 100644 --- a/modules/beta-public-cluster/outputs.tf +++ b/modules/beta-public-cluster/outputs.tf @@ -112,7 +112,6 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = "${local.service_account}" } - output "istio_enabled" { description = "Whether Istio is enabled" value = "${local.cluster_istio_enabled}" @@ -122,3 +121,8 @@ output "cloudrun_enabled" { description = "Whether CloudRun enabled" value = "${local.cluster_cloudrun_enabled}" } + +output "pod_security_policy_enabled" { + description = "Whether pod security policy is enabled" + value = "${local.cluster_pod_security_policy_enabled}" +} diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 55402b611b..244fd9c345 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -269,6 +269,19 @@ variable "database_encryption" { }] } +variable "enable_binary_authorization" { + description = "Enable BinAuthZ Admission controller" + default = false +} + +variable "pod_security_policy_config" { + description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." + + default = [{ + "enabled" = false + }] +} + variable "basic_auth_username" { description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration." default = "" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 60bd47280d..371ca009c8 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md @@ -126,7 +126,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | @@ -157,7 +156,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `` | no | | node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no | | project\_id | The project ID to host the cluster in (required) | string | n/a | yes | | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no | @@ -186,7 +184,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | network\_policy\_enabled | Whether network policy enabled | | node\_pools\_names | List of node pools names | | node\_pools\_versions | List of node pools versions | -| pod\_security\_policy\_enabled | Whether pod security policy is enabled | | region | Cluster region | | service\_account | The service account to default running nodes as if not overridden in `node_pools`. | | type | Cluster type (regional / zonal) | diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index a2c8fcf10d..b5869e6b61 100644 --- a/modules/private-cluster/cluster_regional.tf +++ b/modules/private-cluster/cluster_regional.tf @@ -42,8 +42,6 @@ resource "google_container_cluster" "primary" { logging_service = "${var.logging_service}" monitoring_service = "${var.monitoring_service}" - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf index 1a824110df..d318acd764 100644 --- a/modules/private-cluster/cluster_zonal.tf +++ b/modules/private-cluster/cluster_zonal.tf @@ -42,8 +42,7 @@ resource "google_container_cluster" "zonal_primary" { logging_service = "${var.logging_service}" monitoring_service = "${var.monitoring_service}" - enable_binary_authorization = "${var.enable_binary_authorization}" - pod_security_policy_config = "${var.pod_security_policy_config}" + master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index ecb267e9ce..99dddeea37 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf @@ -132,11 +132,6 @@ locals { zonal = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}" } - cluster_type_output_pod_security_policy_enabled = { - regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" - zonal = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}" - } - cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}" cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}" cluster_master_auth_map = "${local.cluster_master_auth_list_layer2[0]}" @@ -158,7 +153,6 @@ locals { cluster_http_load_balancing_enabled = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}" cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}" cluster_kubernetes_dashboard_enabled = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}" - cluster_pod_security_policy_enabled = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}" } /****************************************** diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf index 0cda908649..6b9d5895ab 100644 --- a/modules/private-cluster/outputs.tf +++ b/modules/private-cluster/outputs.tf @@ -112,8 +112,3 @@ output "service_account" { description = "The service account to default running nodes as if not overridden in `node_pools`." value = "${local.service_account}" } - -output "pod_security_policy_enabled" { - description = "Whether pod security policy is enabled" - value = "${local.cluster_pod_security_policy_enabled}" -} diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 3ed993ea11..f40aedc99a 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -86,19 +86,6 @@ variable "master_authorized_networks_config" { default = [] } -variable "enable_binary_authorization" { - description = "Enable BinAuthZ Admission controller" - default = false -} - -variable "pod_security_policy_config" { - description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = false - }] -} - variable "horizontal_pod_autoscaling" { description = "Enable horizontal pod autoscaling addon" default = true