From 0194db7e195c3c909647b25998398d17cdb32926 Mon Sep 17 00:00:00 2001
From: feliperfmarques
Date: Thu, 19 Sep 2024 00:45:23 -0300
Subject: [PATCH] feat: enable L4 ILB subsetting support for safer clusters

---
 autogen/safer-cluster/main.tf.tmpl | 3 +++
 autogen/safer-cluster/variables.tf.tmpl | 6 ++++++
 modules/safer-cluster-update-variant/README.md | 1 +
 modules/safer-cluster-update-variant/main.tf | 3 +++
 modules/safer-cluster-update-variant/variables.tf | 6 ++++++
 modules/safer-cluster/README.md | 1 +
 modules/safer-cluster/main.tf | 3 +++
 modules/safer-cluster/variables.tf | 6 ++++++
 8 files changed, 29 insertions(+)

diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl
index 5a156c7ccc..95a2fc6e2e 100644
--- a/autogen/safer-cluster/main.tf.tmpl
+++ b/autogen/safer-cluster/main.tf.tmpl
@@ -169,6 +169,9 @@ module "gke" {
   // Enable cost allocation support
   enable_cost_allocation = var.enable_cost_allocation
 
+  // Enable L4 ILB subsetting on the cluster
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
   // Use of PodSecurityPolicy admission controller
   // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
   enable_pod_security_policy = var.enable_pod_security_policy
diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl
index 88da0f4adc..eeb1b77ec4 100644
--- a/autogen/safer-cluster/variables.tf.tmpl
+++ b/autogen/safer-cluster/variables.tf.tmpl
@@ -391,6 +391,12 @@ variable "enable_intranode_visibility" {
   default = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default = false
+}
+
 variable "enable_vertical_pod_autoscaling" {
   type = bool
   description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md
index ee2e8bee69..d2203ddf33 100644
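Review bot: The new `enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting` argument presumes that the `gke` module source and version pinned at the top of `module "gke"` (outside this hunk) expose an input of exactly that name; if the pinned version of the underlying cluster module predates the input, `terraform validate` fails with an unsupported-argument error rather than silently ignoring it. The version constraint should be checked as part of this change, and it is worth stating in the comment which minimum module version introduced the input, e.g. `// Enable L4 ILB subsetting on the cluster (requires an underlying gke module version that accepts enable_l4_ilb_subsetting)`. The `module "gke"` block starts and ends outside the hunk.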
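Review bot: The description on the new `enable_l4_ilb_subsetting` variable says only what the flag is, not that it is a one-way switch; as far as I recall from the GKE documentation, subsetting cannot be turned off again once it has been enabled on a cluster, and that is exactly the kind of caveat a consumer of a hardened "safer" module wants to see before flipping a default. I would extend it to `description = "Enable L4 ILB Subsetting on the cluster. Note: GKE does not allow subsetting to be disabled once it has been enabled, so treat this as a permanent change."` and carry the same wording into the generated README rows. Keeping `default = false` is the right call, since existing safer-cluster deployments stay unchanged and the feature is opt-in. This file appears to be the autogen template, so the copies under modules/ would pick the new text up on regeneration.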
--- a/modules/safer-cluster-update-variant/README.md
+++ b/modules/safer-cluster-update-variant/README.md
@@ -221,6 +221,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index f79239f47d..85f55f3e7b 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -165,6 +165,9 @@ module "gke" {
   // Enable cost allocation support
   enable_cost_allocation = var.enable_cost_allocation
 
+  // Enable L4 ILB subsetting on the cluster
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
   // Use of PodSecurityPolicy admission controller
   // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
   enable_pod_security_policy = var.enable_pod_security_policy
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index d6e72d35c4..1934526404 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -391,6 +391,12 @@ variable "enable_intranode_visibility" {
   default = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default = false
+}
+
 variable "enable_vertical_pod_autoscaling" {
   type = bool
   description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md
index ee2e8bee69..d2203ddf33 100644
--- a/modules/safer-cluster/README.md
+++ b/modules/safer-cluster/README.md
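Review bot: The description of the new `enable_l4_ilb_subsetting` variable does not warn that the setting is irreversible on GKE (subsetting cannot be disabled once it has been enabled, as far as I recall from the documentation), which a user of a hardened module would want to know before changing the default in a long-lived cluster. Suggest `description = "Enable L4 ILB Subsetting on the cluster. Note: once enabled, subsetting cannot be disabled on the cluster."`, mirrored in the README row. Since this hunk matches the autogen template hunk line for line, the wording presumably belongs in autogen/safer-cluster/variables.tf.tmpl with this file regenerated from it rather than edited by hand.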
@@ -221,6 +221,7 @@ For simplicity, we suggest using `roles/container.admin` and
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
+| enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | `bool` | `false` | no |
 | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable\_private\_nodes is true | `bool` | `true` | no |
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index ac8b6d9409..3c67db4830 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -165,6 +165,9 @@ module "gke" {
   // Enable cost allocation support
   enable_cost_allocation = var.enable_cost_allocation
 
+  // Enable L4 ILB subsetting on the cluster
+  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+
   // Use of PodSecurityPolicy admission controller
   // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
   enable_pod_security_policy = var.enable_pod_security_policy
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index d6e72d35c4..1934526404 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -391,6 +391,12 @@ variable "enable_intranode_visibility" {
   default = false
 }
 
+variable "enable_l4_ilb_subsetting" {
+  type = bool
+  description = "Enable L4 ILB Subsetting on the cluster"
+  default = false
+}
+
 variable "enable_vertical_pod_autoscaling" {
   type = bool
   description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it"
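Review bot: The new `enable_l4_ilb_subsetting` variable block documents the flag but not its most important operational property: on GKE, subsetting is a one-way change that cannot be switched off after it is enabled, as far as I recall from the documentation. A consumer of the safer-cluster module should see that before toggling it, so I would write `description = "Enable L4 ILB Subsetting on the cluster. Note: once enabled, subsetting cannot be disabled on the cluster."` and reflect the same text in the README. The hunk is byte-identical to the one in modules/safer-cluster-update-variant and to the autogen template, so the change presumably goes into autogen/safer-cluster/variables.tf.tmpl and is regenerated into this file.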