feat: enable binauthz for autopilot (#2030)

autogen/main/cluster.tf.tmpl

@@ -208,13 +208,15 @@ resource "google_container_cluster" "primary" {
   {% if autopilot_cluster != true %}
   default_max_pods_per_node = var.default_max_pods_per_node
   enable_shielded_nodes       = var.enable_shielded_nodes
+  {% endif %}
 
   dynamic "binary_authorization" {
     for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
     content {
       evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
     }
   }
+  {% if autopilot_cluster != true %}
 
   dynamic "identity_service_config" {
     for_each = var.enable_identity_service ? [var.enable_identity_service] : []
@@ -248,7 +250,7 @@ resource "google_container_cluster" "primary" {
       enabled = secret_manager_config.value
     }
   }
-  
+
   enable_fqdn_network_policy = var.enable_fqdn_network_policy
 {% endif %}
 {% if autopilot_cluster %}
@@ -1039,7 +1041,7 @@ resource "google_container_node_pool" "windows_pools" {
       for_each = length(merge(
         local.node_pools_linux_node_configs_sysctls["all"],
         local.node_pools_linux_node_configs_sysctls[each.value["name"]],
-        local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]} 
+        local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]}
       )) != 0 ? [1] : []
 
       content {

autogen/main/variables.tf.tmpl

@@ -743,12 +743,14 @@ variable "enable_shielded_nodes" {
   default     = true
 }
 
+{% endif %}
 variable "enable_binary_authorization" {
   type        = bool
   description = "Enable BinAuthZ Admission controller"
   default     = false
 }
 
+{% if autopilot_cluster != true %}
 variable "node_metadata" {
   description = "Specifies how node metadata is exposed to the workload running on the node"
   default     = "GKE_METADATA"

examples/autopilot_private_firewalls/main.tf

@@ -52,6 +52,7 @@ module "gke" {
   add_shadow_firewall_rules         = true
   network_tags                      = ["allow-google-apis"]
   deletion_protection               = false
+  enable_binary_authorization       = true
 
   master_authorized_networks = [
     {

modules/beta-autopilot-private-cluster/README.md

@@ -88,6 +88,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |

modules/beta-autopilot-private-cluster/cluster.tf

@@ -85,6 +85,13 @@ resource "google_container_cluster" "primary" {
     enabled = var.enable_vertical_pod_autoscaling
   }
 
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

modules/beta-autopilot-private-cluster/variables.tf

@@ -469,6 +469,12 @@ variable "database_encryption" {
   }]
 }
 
+variable "enable_binary_authorization" {
+  type        = bool
+  description = "Enable BinAuthZ Admission controller"
+  default     = false
+}
+
 
 variable "gke_backup_agent_config" {
   type        = bool

modules/beta-autopilot-public-cluster/README.md

@@ -81,6 +81,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |

modules/beta-autopilot-public-cluster/cluster.tf

@@ -85,6 +85,13 @@ resource "google_container_cluster" "primary" {
     enabled = var.enable_vertical_pod_autoscaling
   }
 
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

modules/beta-autopilot-public-cluster/variables.tf

@@ -433,6 +433,12 @@ variable "database_encryption" {
   }]
 }
 
+variable "enable_binary_authorization" {
+  type        = bool
+  description = "Enable BinAuthZ Admission controller"
+  default     = false
+}
+
 
 variable "gke_backup_agent_config" {
   type        = bool