diff --git a/README.md b/README.md index 4d2ce374ca..ad823bf62c 100644 --- a/README.md +++ b/README.md @@ -113,8 +113,8 @@ Then perform the following commands on the root folder: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no | -| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no | +| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | +| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no | @@ -132,7 +132,7 @@ Then perform the following commands on the root folder: | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | -| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no | +| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no | @@ -171,7 +171,7 @@ Then perform the following commands on the root folder: | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no | | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | -| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no | +| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | 
diff --git a/autogen/main/firewall.tf.tmpl b/autogen/main/firewall.tf.tmpl
index 90ed18e5a8..54c4065171 100644
--- a/autogen/main/firewall.tf.tmpl
+++ b/autogen/main/firewall.tf.tmpl
@@ -96,7 +96,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -122,7 +122,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -145,7 +145,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index bdae4d18ab..ec6ffbda91 100644
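Review bot: The new description of the `shadow_allow_master` rule (hunk @@ -122) drops the word "master" and becomes byte-identical to the description of the `shadow_allow_nodes` rule in the next hunk, so two rules with different scope now carry the same label; since the shadow rules exist to produce firewall logs, an identical description makes the `-master` and `-vms` entries harder to tell apart when triaging those logs. The typo "woker" also survives in both the master and nodes hunks. Suggested line for the master rule: `description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing master and worker nodes communication."`, and "worker" in the nodes rule. The same three hunks are repeated in firewall.tf (L25–L26) and in the modules/beta-private-cluster-update-variant, modules/beta-private-cluster and modules/beta-public-cluster-update-variant copies of firewall.tf (L35, L45, L55); if those are generated from this autogen template, as the path suggests, fixing the template and regenerating should cover them. Each resource block continues past the end of its hunk.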
--- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -539,13 +539,13 @@ variable "enable_binary_authorization" { variable "add_cluster_firewall_rules" { type = bool - description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled." + description = "Create additional firewall rules" default = false } variable "firewall_priority" { type = number - description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall." + description = "Priority rule for firewall rules" default = 1000 } @@ -563,13 +563,13 @@ variable "gcloud_upgrade" { variable "add_shadow_firewall_rules" { type = bool - description = "Create shadow firewall rules to match the GKE managed ingress firewall rules." + description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." default = false } variable "shadow_firewall_rules_priority" { type = number - description = "Priority for the shadow ingress firewall rules." + description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 } diff --git a/firewall.tf b/firewall.tf index 5f59035682..50ce15d30b 100644 --- a/firewall.tf +++ b/firewall.tf @@ -92,7 +92,7 @@ resource "google_compute_firewall" "shadow_allow_pods" { count = var.add_shadow_firewall_rules ? 1 : 0 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all" - description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication." + description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication." project = local.network_project_id network = var.network priority = var.shadow_firewall_rules_priority 
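Review bot: The replacement descriptions in the first variables hunk (@@ -539) are thinner than what they replace: `description = "Create additional firewall rules"` does not say which rules `add_cluster_firewall_rules` creates, and `description = "Priority rule for firewall rules"` is not grammatical and does not say which rules `firewall_priority` applies to. The removed text was wrong (it described the shadow rules), but the fix should still name the rules; if, as the `firewall_inbound_ports` variable in the README suggests, these are the rules for the admission/webhook ports, something like `description = "Create additional firewall rules for the cluster, e.g. to allow the ports listed in firewall_inbound_ports."` and `description = "Priority of the firewall rules created when add_cluster_firewall_rules is true."` would do — confirm against the resources that consume these variables, which are outside this diff. The same hunk appears in modules/beta-private-cluster-update-variant, modules/beta-private-cluster and modules/beta-public-cluster-update-variant variables.tf (L36, L46, L56).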
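Review bot: The new description of `shadow_firewall_rules_priority` in the second variables hunk (@@ -563) states a constraint — the value must be less than 1000 so the shadow rules take precedence over the default rules — but nothing in the variable enforces it, so a caller who passes 1000 or more silently gets shadow rules that never match and produce no logs, which defeats the stated purpose of `add_shadow_firewall_rules`. If the module's required Terraform version allows variable `validation` blocks, the constraint can be checked at plan time as below; the same applies to the copies of this hunk at L36, L46 and L56.
```hcl
variable "shadow_firewall_rules_priority" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.shadow_firewall_rules_priority < 1000
    error_message = "shadow_firewall_rules_priority must be less than 1000 so the shadow rules are evaluated before the default GKE firewall rules."
  }
}
```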
@@ -118,7 +118,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -141,7 +141,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index edccc2b660..e5cba90d0c 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -144,8 +144,8 @@ Then perform the following commands on the root folder: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no | -| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no | +| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | +| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | @@ -176,7 +176,7 @@ Then perform the following commands on the root folder: | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | -| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no | +| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no | | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no | 
@@ -225,7 +225,7 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | -| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no | +| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/beta-private-cluster-update-variant/firewall.tf b/modules/beta-private-cluster-update-variant/firewall.tf index 2d53388cce..46d8ddfc36 100644 --- a/modules/beta-private-cluster-update-variant/firewall.tf +++ b/modules/beta-private-cluster-update-variant/firewall.tf 
@@ -86,7 +86,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -112,7 +112,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -135,7 +135,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index cfbc2dca49..8bc8eb6a14 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -523,13 +523,13 @@ variable "enable_binary_authorization" { variable "add_cluster_firewall_rules" { type = bool - description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled." + description = "Create additional firewall rules" default = false } variable "firewall_priority" { type = number - description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall." + description = "Priority rule for firewall rules" default = 1000 } @@ -547,13 +547,13 @@ variable "gcloud_upgrade" { variable "add_shadow_firewall_rules" { type = bool - description = "Create shadow firewall rules to match the GKE managed ingress firewall rules." + description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." default = false } variable "shadow_firewall_rules_priority" { type = number - description = "Priority for the shadow ingress firewall rules." + description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 } diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 0d3ac0699f..76fa48eb3a 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -122,8 +122,8 @@ Then perform the following commands on the root folder: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no | -| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no | +| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | +| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | @@ -154,7 +154,7 @@ Then perform the following commands on the root folder: | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | -| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no | +| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no | | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no | 
@@ -203,7 +203,7 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | -| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no | +| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/beta-private-cluster/firewall.tf b/modules/beta-private-cluster/firewall.tf index 2d53388cce..46d8ddfc36 100644 --- a/modules/beta-private-cluster/firewall.tf +++ b/modules/beta-private-cluster/firewall.tf 
@@ -86,7 +86,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -112,7 +112,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -135,7 +135,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index cfbc2dca49..8bc8eb6a14 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -523,13 +523,13 @@ variable "enable_binary_authorization" { variable "add_cluster_firewall_rules" { type = bool - description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled." + description = "Create additional firewall rules" default = false } variable "firewall_priority" { type = number - description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall." + description = "Priority rule for firewall rules" default = 1000 } @@ -547,13 +547,13 @@ variable "gcloud_upgrade" { variable "add_shadow_firewall_rules" { type = bool - description = "Create shadow firewall rules to match the GKE managed ingress firewall rules." + description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." default = false } variable "shadow_firewall_rules_priority" { type = number - description = "Priority for the shadow ingress firewall rules." + description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 } diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index a7c9d9fcae..debba5b9c9 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -138,8 +138,8 @@ Then perform the following commands on the root folder: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no | -| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no | +| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no | +| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no | | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no | @@ -167,7 +167,7 @@ Then perform the following commands on the root folder: | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no | | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no | -| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no | +| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no | | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no | | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no | 
@@ -214,7 +214,7 @@ Then perform the following commands on the root folder: | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no | | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no | -| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no | +| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no | | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no | | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes | diff --git a/modules/beta-public-cluster-update-variant/firewall.tf b/modules/beta-public-cluster-update-variant/firewall.tf index 5f59035682..50ce15d30b 100644 --- a/modules/beta-public-cluster-update-variant/firewall.tf +++ b/modules/beta-public-cluster-update-variant/firewall.tf 
@@ -92,7 +92,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -118,7 +118,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -141,7 +141,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 3d9b0adff6..2e31a181ab 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -492,13 +492,13 @@ variable "enable_binary_authorization" { variable "add_cluster_firewall_rules" { type = bool - description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled." + description = "Create additional firewall rules" default = false } variable "firewall_priority" { type = number - description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall." + description = "Priority rule for firewall rules" default = 1000 } @@ -516,13 +516,13 @@ variable "gcloud_upgrade" { variable "add_shadow_firewall_rules" { type = bool - description = "Create shadow firewall rules to match the GKE managed ingress firewall rules." + description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)." default = false } variable "shadow_firewall_rules_priority" { type = number - description = "Priority for the shadow ingress firewall rules." + description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000." default = 999 } diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index d7a352bc64..6e23ba921d 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -116,8 +116,8 @@ Then perform the following commands on the root folder:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no |
-| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no |
+| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
+| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
@@ -145,7 +145,7 @@ Then perform the following commands on the root folder:
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
-| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no |
+| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | `bool` | `false` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
@@ -192,7 +192,7 @@ Then perform the following commands on the root folder:
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
-| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no |
+| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/beta-public-cluster/firewall.tf b/modules/beta-public-cluster/firewall.tf
index 5f59035682..50ce15d30b 100644
--- a/modules/beta-public-cluster/firewall.tf
+++ b/modules/beta-public-cluster/firewall.tf
@@ -92,7 +92,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -118,7 +118,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -141,7 +141,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 3d9b0adff6..2e31a181ab 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -492,13 +492,13 @@ variable "enable_binary_authorization" {
 variable "add_cluster_firewall_rules" {
 type = bool
- description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled."
+ description = "Create additional firewall rules"
 default = false
 }
 variable "firewall_priority" {
 type = number
- description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall."
+ description = "Priority rule for firewall rules"
 default = 1000
 }
@@ -516,13 +516,13 @@ variable "gcloud_upgrade" {
 variable "add_shadow_firewall_rules" {
 type = bool
- description = "Create shadow firewall rules to match the GKE managed ingress firewall rules."
+ description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
 default = false
 }
 variable "shadow_firewall_rules_priority" {
 type = number
- description = "Priority for the shadow ingress firewall rules."
+ description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
 default = 999
 }
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index dac9049abd..b640ed3464 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -141,8 +141,8 @@ Then perform the following commands on the root folder:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no |
-| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no |
+| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
+| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
@@ -163,7 +163,7 @@ Then perform the following commands on the root folder:
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
-| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no |
+| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
@@ -203,7 +203,7 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
-| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no |
+| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/private-cluster-update-variant/firewall.tf b/modules/private-cluster-update-variant/firewall.tf
index 2d53388cce..46d8ddfc36 100644
--- a/modules/private-cluster-update-variant/firewall.tf
+++ b/modules/private-cluster-update-variant/firewall.tf
@@ -86,7 +86,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -112,7 +112,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -135,7 +135,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index 5fa0408f67..b94e1fd848 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -421,13 +421,13 @@ variable "enable_binary_authorization" {
 variable "add_cluster_firewall_rules" {
 type = bool
- description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled."
+ description = "Create additional firewall rules"
 default = false
 }
 variable "firewall_priority" {
 type = number
- description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall."
+ description = "Priority rule for firewall rules"
 default = 1000
 }
@@ -445,13 +445,13 @@ variable "gcloud_upgrade" {
 variable "add_shadow_firewall_rules" {
 type = bool
- description = "Create shadow firewall rules to match the GKE managed ingress firewall rules."
+ description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
 default = false
 }
 variable "shadow_firewall_rules_priority" {
 type = number
- description = "Priority for the shadow ingress firewall rules."
+ description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
 default = 999
 }
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index 58e591caf9..5e1a43d98d 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -119,8 +119,8 @@ Then perform the following commands on the root folder:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| add\_cluster\_firewall\_rules | Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled. | `bool` | `false` | no |
-| add\_shadow\_firewall\_rules | Create shadow firewall rules to match the GKE managed ingress firewall rules. | `bool` | `false` | no |
+| add\_cluster\_firewall\_rules | Create additional firewall rules | `bool` | `false` | no |
+| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | `string` | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | `string` | `""` | no |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) |
object({
enabled = bool
min_cpu_cores = number
max_cpu_cores = number
min_memory_gb = number
max_memory_gb = number
})
|
{
"enabled": false,
"max_cpu_cores": 0,
"max_memory_gb": 0,
"min_cpu_cores": 0,
"min_memory_gb": 0
}
| no |
@@ -141,7 +141,7 @@ Then perform the following commands on the root folder:
 | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | `bool` | `true` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | `bool` | `false` | no |
 | firewall\_inbound\_ports | List of TCP ports for admission/webhook controllers | `list(string)` |
[
"8443",
"9443",
"15017"
]
| no |
-| firewall\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall. | `number` | `1000` | no |
+| firewall\_priority | Priority rule for firewall rules | `number` | `1000` | no |
 | gcloud\_upgrade | Whether to upgrade gcloud at runtime | `bool` | `false` | no |
 | grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | `bool` | `false` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | `bool` | `true` | no |
@@ -181,7 +181,7 @@ Then perform the following commands on the root folder:
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
 | resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. | `string` | `""` | no |
-| shadow\_firewall\_rules\_priority | Priority for the shadow ingress firewall rules. | `number` | `999` | no |
+| shadow\_firewall\_rules\_priority | The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000. | `number` | `999` | no |
 | skip\_provisioners | Flag to skip all local-exec provisioners. It breaks `stub_domains` and `upstream_nameservers` variables functionality. | `bool` | `false` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | `map(list(string))` | `{}` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
diff --git a/modules/private-cluster/firewall.tf b/modules/private-cluster/firewall.tf
index 2d53388cce..46d8ddfc36 100644
--- a/modules/private-cluster/firewall.tf
+++ b/modules/private-cluster/firewall.tf
@@ -86,7 +86,7 @@ resource "google_compute_firewall" "shadow_allow_pods" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-all"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow pod communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing pod communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -112,7 +112,7 @@ resource "google_compute_firewall" "shadow_allow_master" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-master"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow master and woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
@@ -135,7 +135,7 @@ resource "google_compute_firewall" "shadow_allow_nodes" {
 count = var.add_shadow_firewall_rules ? 1 : 0
 name = "gke-shadow-${substr(var.name, 0, min(25, length(var.name)))}-vms"
- description = "Managed by terraform gke module: A shadow firewall rule to match the fireall allow woker nodes communication."
+ description = "Managed by terraform gke module: A shadow firewall rule to match the default rule allowing woker nodes communication."
 project = local.network_project_id
 network = var.network
 priority = var.shadow_firewall_rules_priority
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 5fa0408f67..b94e1fd848 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -421,13 +421,13 @@ variable "enable_binary_authorization" {
 variable "add_cluster_firewall_rules" {
 type = bool
- description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled."
+ description = "Create additional firewall rules"
 default = false
 }
 variable "firewall_priority" {
 type = number
- description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall."
+ description = "Priority rule for firewall rules"
 default = 1000
 }
@@ -445,13 +445,13 @@ variable "gcloud_upgrade" {
 variable "add_shadow_firewall_rules" {
 type = bool
- description = "Create shadow firewall rules to match the GKE managed ingress firewall rules."
+ description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
 default = false
 }
 variable "shadow_firewall_rules_priority" {
 type = number
- description = "Priority for the shadow ingress firewall rules."
+ description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
 default = 999
 }
diff --git a/variables.tf b/variables.tf
index 2a39db4f0b..54741e6ab2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -397,13 +397,13 @@ variable "enable_binary_authorization" {
 variable "add_cluster_firewall_rules" {
 type = bool
- description = "Create GKE shadow firewall rules by creating the same firewall rules as Google-managed ones with higher priority and firewall logs enabled."
+ description = "Create additional firewall rules"
 default = false
 }
 variable "firewall_priority" {
 type = number
- description = "The firewall priority of GKE shadow firewall rules. The priority should be less than 1000, which is the priority of Google-managed GKE firewall."
+ description = "Priority rule for firewall rules"
 default = 1000
 }
@@ -421,13 +421,13 @@ variable "gcloud_upgrade" {
 variable "add_shadow_firewall_rules" {
 type = bool
- description = "Create shadow firewall rules to match the GKE managed ingress firewall rules."
+ description = "Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled)."
 default = false
 }
 variable "shadow_firewall_rules_priority" {
 type = number
- description = "Priority for the shadow ingress firewall rules."
+ description = "The firewall priority of GKE shadow firewall rules. The priority should be less than default firewall, which is 1000."
 default = 999
 }