From 2ccc0f33381a114e82cf010103043cba0d229b0c Mon Sep 17 00:00:00 2001 From: pp Date: Wed, 21 Aug 2019 18:36:48 +0300 Subject: [PATCH] Add flag to enable GKE Sandbox * Add `sandbox_enabled` variable to use GKE Sandbox (Fixes #240) --- CHANGELOG.md | 2 ++ autogen/cluster.tf | 8 ++++++++ autogen/main.tf | 2 ++ autogen/variables.tf | 6 ++++++ modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 8 ++++++++ modules/beta-private-cluster/main.tf | 2 ++ modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 8 ++++++++ modules/beta-public-cluster/main.tf | 2 ++ modules/beta-public-cluster/variables.tf | 6 ++++++ 12 files changed, 52 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 706682fbf1..eef59ce695 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] ### Added +* Added `sandbox_enabled` variable to use GKE Sandbox [#241] * Added `grant_registry_access` variable to grant Container Registry access to created SA [#236] * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216] * Support for Workload Identity beta feature [#234] 
@@ -170,6 +171,7 @@ Extending the adopted spec, each change should have a link to its corresponding [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0 +[#241]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/241 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236 [#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234 diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 664de67855..aa89d96076 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -158,6 +158,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } {% endif %} } } diff --git a/autogen/main.tf b/autogen/main.tf index 9d6476b916..2e60262e44 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -75,6 +75,8 @@ locals { security_group = var.authenticator_security_group }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + {% endif %} cluster_output_name = google_container_cluster.primary.name diff --git a/autogen/variables.tf b/autogen/variables.tf index 9a956194e0..e8e569cf1e 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf 
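Review bot: The new `dynamic "sandbox_config"` block is placed in the `node_config` of `google_container_cluster.primary`, i.e. the default node pool, so with `remove_default_node_pool = true` (a variable this module exposes) the flag sandboxes nothing; if the module's separately managed node pools, which are outside this hunk, carry their own `node_config`, they need the same block, or the variable must state that it covers the default pool only. Enabling GKE Sandbox also taints the pool (`sandbox.gke.io/runtime=gvisor`) so only pods that request the `gvisor` RuntimeClass schedule there, which is worth a comment above the block: `# GKE Sandbox (gVisor) for the default pool; the nodes are tainted, so only pods using the gvisor RuntimeClass land here`. The same block is repeated in modules/beta-private-cluster/cluster.tf and modules/beta-public-cluster/cluster.tf, which look like generated copies of this template and would pick the change up on regeneration. The enclosing resource starts and ends outside the hunk.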
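Review bot: `cluster_sandbox_enabled` reads as a boolean but holds the list of sandbox types fed to `for_each`, which makes the `sandbox_config.value` in cluster.tf harder to follow; a name such as `cluster_sandbox_config`, or a trailing comment `# list with one sandbox type when enabled, empty otherwise (drives dynamic "sandbox_config")`, would make the shape clear. The same local appears in modules/beta-private-cluster/main.tf and modules/beta-public-cluster/main.tf. The `locals` block continues outside the hunk.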
@@ -371,6 +371,12 @@ variable "node_metadata" { default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index eba9f48d31..dcb14943be 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -191,6 +191,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index d887d332ed..49ef6364ae 100644 
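Review bot: The description delegates the `image_type` = `COS_CONTAINERD` and minimum `node_version` requirements to the reader, and nothing in the module checks them, so a cluster with `sandbox_enabled = true` and a mismatched image type only fails at apply time with an API error; a `validation` block is not available in the 0.12-era syntax this file uses (`bool`, `dynamic`), so the description should at least say so and also state that the setting applies to the default node pool only and that sandboxed nodes are tainted, e.g. `description = "(Beta) Enable GKE Sandbox (gVisor) on the default node pool. Requires image_type = COS_CONTAINERD and node_version 1.12.7-gke.17 or later; not validated here, misconfiguration surfaces as an API error at apply. Sandboxed nodes are tainted, so only pods using the gvisor RuntimeClass schedule on them."`. The generated descriptions in modules/beta-private-cluster/variables.tf and modules/beta-public-cluster/variables.tf and the README tables would follow from regeneration.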
--- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -149,6 +149,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } } } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 43fea3b6dc..ad6116e7ef 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -70,6 +70,8 @@ locals { security_group = var.authenticator_security_group }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 6aa50eafff..d1f4a91e72 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -368,6 +368,12 @@ variable "node_metadata" { default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 49ffddedc1..047a12eac1 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -182,6 +182,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index c26d85ff50..82c67f4f03 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -149,6 +149,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } } } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index db5138e99f..c956463414 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -70,6 +70,8 @@ locals { security_group = var.authenticator_security_group }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index d8b68de69b..c52b0b7a83 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -344,6 +344,12 @@ variable "node_metadata" { default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"