From 54b43aa7b3eb0825f21987d9af6430142ac57187 Mon Sep 17 00:00:00 2001
From: Dana Hoffman <danahoffman@google.com>
Date: Wed, 14 Mar 2018 14:00:31 -0700
Subject: [PATCH] Add support for pod security policy (#1192)

* move setid calls back

* add support for pod security policy

* pod security policy docs

* Revert "move setid calls back"

This reverts commit 0c7b2dbf92aff33dac8c5beb95568c2bc86dd7de.

* cleanup

* remove comments about disabling update
---
 google/config.go                              |  7 +++
 google/resource_container_cluster.go          | 46 ++++++++++++++++++-
 google/resource_container_cluster_test.go     | 36 +++++++++++++++
 .../docs/r/container_cluster.html.markdown    |  9 ++++
 4 files changed, 97 insertions(+), 1 deletion(-)

diff --git a/google/config.go b/google/config.go
index a2910a1ee11..78935c9fd78 100644
--- a/google/config.go
+++ b/google/config.go
@@ -167,6 +167,13 @@ func (c *Config) loadAndValidate() error {
 	}
 	c.clientContainer.UserAgent = userAgent
 
+	log.Printf("[INFO] Instantiating GKE Beta client...")
+	c.clientContainerBeta, err = containerBeta.New(client)
+	if err != nil {
+		return err
+	}
+	c.clientContainerBeta.UserAgent = userAgent
+
 	log.Printf("[INFO] Instantiating Google Cloud DNS client...")
 	c.clientDns, err = dns.New(client)
 	if err != nil {
diff --git a/google/resource_container_cluster.go b/google/resource_container_cluster.go
index b7c97cd4b1a..9b53fb22d5d 100644
--- a/google/resource_container_cluster.go
+++ b/google/resource_container_cluster.go
@@ -18,7 +18,7 @@ import (
 var (
 	instanceGroupManagerURL           = regexp.MustCompile("^https://www.googleapis.com/compute/v1/projects/([a-z][a-z0-9-]{5}(?:[-a-z0-9]{0,23}[a-z0-9])?)/zones/([a-z0-9-]*)/instanceGroupManagers/([^/]*)")
 	ContainerClusterBaseApiVersion    = v1
-	ContainerClusterVersionedFeatures = []Feature{}
+	ContainerClusterVersionedFeatures = []Feature{Feature{Version: v1beta1, Item: "pod_security_policy_config"}}
 
 	networkConfig = &schema.Resource{
 		Schema: map[string]*schema.Schema{
@@ -356,6 +356,22 @@ func resourceContainerCluster() *schema.Resource {
 				Computed: true,
 			},
 
+			"pod_security_policy_config": {
+				Type:     schema.TypeList,
+				Optional: true,
+				MaxItems: 1,
+				ForceNew: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enabled": {
+							Type:     schema.TypeBool,
+							Required: true,
+							ForceNew: true,
+						},
+					},
+				},
+			},
+
 			"project": {
 				Type:     schema.TypeString,
 				Optional: true,
@@ -575,6 +591,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		}
 	}
 
+	if v, ok := d.GetOk("pod_security_policy_config"); ok {
+		cluster.PodSecurityPolicyConfig = expandPodSecurityPolicyConfig(v)
+	}
+
 	req := &containerBeta.CreateClusterRequest{
 		Cluster: cluster,
 	}
@@ -742,6 +762,12 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 		d.Set("instance_group_urls", igUrls)
 	}
 
+	if cluster.PodSecurityPolicyConfig != nil {
+		if err := d.Set("pod_security_policy_config", flattenPodSecurityPolicyConfig(cluster.PodSecurityPolicyConfig)); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
@@ -1270,6 +1296,16 @@ func expandNetworkPolicy(configured interface{}) *containerBeta.NetworkPolicy {
 	return result
 }
 
+func expandPodSecurityPolicyConfig(configured interface{}) *containerBeta.PodSecurityPolicyConfig {
+	result := &containerBeta.PodSecurityPolicyConfig{}
+	if len(configured.([]interface{})) > 0 {
+		config := configured.([]interface{})[0].(map[string]interface{})
+		result.Enabled = config["enabled"].(bool)
+		result.ForceSendFields = []string{"Enabled"}
+	}
+	return result
+}
+
 func flattenNetworkPolicy(c *containerBeta.NetworkPolicy) []map[string]interface{} {
 	result := []map[string]interface{}{}
 	if c != nil {
@@ -1358,6 +1394,14 @@ func flattenMasterAuthorizedNetworksConfig(c *containerBeta.MasterAuthorizedNetw
 	return []map[string]interface{}{result}
 }
 
+func flattenPodSecurityPolicyConfig(c *containerBeta.PodSecurityPolicyConfig) []map[string]interface{} {
+	return []map[string]interface{}{
+		{
+			"enabled": c.Enabled,
+		},
+	}
+}
+
 func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
 	parts := strings.Split(d.Id(), "/")
 	if len(parts) != 2 {
diff --git a/google/resource_container_cluster_test.go b/google/resource_container_cluster_test.go
index 2e4f3d94a85..24b8660064c 100644
--- a/google/resource_container_cluster_test.go
+++ b/google/resource_container_cluster_test.go
@@ -719,6 +719,29 @@ func TestAccContainerCluster_withIPAllocationPolicy(t *testing.T) {
 	})
 }
 
+func TestAccContainerCluster_withPodSecurityPolicy(t *testing.T) {
+	t.Parallel()
+
+	clusterName := fmt.Sprintf("cluster-test-%s", acctest.RandString(10))
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckContainerClusterDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_withPodSecurityPolicy(clusterName, true),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckContainerCluster(
+						"google_container_cluster.with_pod_security_policy"),
+					resource.TestCheckResourceAttr("google_container_cluster.with_pod_security_policy",
+						"pod_security_policy_config.0.enabled", "true"),
+				),
+			},
+		},
+	})
+}
+
 func testAccCheckContainerClusterDestroy(s *terraform.State) error {
 	config := testAccProvider.Meta().(*Config)
 
@@ -1643,3 +1666,16 @@ resource "google_container_cluster" "with_ip_allocation_policy" {
 	}
 }`, acctest.RandString(10), secondaryRanges.String(), cluster, ipAllocationPolicy.String())
 }
+
+func testAccContainerCluster_withPodSecurityPolicy(clusterName string, enabled bool) string {
+	return fmt.Sprintf(`
+resource "google_container_cluster" "with_pod_security_policy" {
+	name = "cluster-test-%s"
+	zone = "us-central1-a"
+	initial_node_count = 1
+
+	pod_security_policy_config {
+		enabled = %v
+	}
+}`, clusterName, enabled)
+}
diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
index 559ee9806a8..ee67d1c70f6 100644
--- a/website/docs/r/container_cluster.html.markdown
+++ b/website/docs/r/container_cluster.html.markdown
@@ -148,6 +148,10 @@ output "cluster_ca_certificate" {
     or set to the same value as `min_master_version` on create. Defaults to the default
     version set by GKE which is not necessarily the latest version.
 
+* `pod_security_policy_config` - (Optional, [Beta](/docs/providers/google/index.html#beta-features)) Configuration for the
+    [PodSecurityPolicy](https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies) feature.
+    Structure is documented below.
+
 * `project` - (Optional) The ID of the project in which the resource belongs. If it
     is not provided, the provider project is used.
 
@@ -292,6 +296,11 @@ The `guest_accelerator` block supports:
 
 * `count` (Required) - The number of the guest accelerator cards exposed to this instance.
 
+The `pod_security_policy_config` block supports:
+
+* `enabled` (Required) - Enable the PodSecurityPolicy controller for this cluster.
+    If enabled, pods must be valid under a PodSecurityPolicy to be created.
+
 ## Attributes Reference
 
 In addition to the arguments listed above, the following computed attributes are