Skip to content

Commit

Permalink
feat: add security posture (#1750)
Browse files Browse the repository at this point in the history
Signed-off-by: Manuel Morejon <[email protected]>
  • Loading branch information
mmorejon authored Oct 27, 2023
1 parent f43a241 commit 5d959a6
Show file tree
Hide file tree
Showing 37 changed files with 250 additions and 0 deletions.
2 changes: 2 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -212,6 +212,8 @@ Then perform the following commands on the root folder:
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
Expand Down
6 changes: 6 additions & 0 deletions autogen/main/cluster.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -335,6 +335,12 @@ resource "google_container_cluster" "primary" {
workload_vulnerability_mode = var.workload_vulnerability_mode
}
{% endif %}

security_posture_config {
mode = var.security_posture_mode
vulnerability_mode = var.security_posture_vulnerability_mode
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
12 changes: 12 additions & 0 deletions autogen/main/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -568,6 +568,18 @@ variable "enable_fqdn_network_policy" {
}
{% endif %}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
default = "DISABLED"
}

variable "security_posture_vulnerability_mode" {
description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
type = string
default = "VULNERABILITY_DISABLED"
}

variable "disable_default_snat" {
type = bool
description = "Whether to disable the default SNAT to support the private use of public IP addresses"
Expand Down
4 changes: 4 additions & 0 deletions autogen/safer-cluster/main.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -204,4 +204,8 @@ module "gke" {
// Enabling vulnerability and audit for workloads
workload_vulnerability_mode = var.workload_vulnerability_mode
workload_config_audit_mode = var.workload_config_audit_mode

// Enabling security posture
security_posture_mode = var.security_posture_mode
security_posture_vulnerability_mode = var.security_posture_vulnerability_mode
}
12 changes: 12 additions & 0 deletions autogen/safer-cluster/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -463,6 +463,18 @@ variable "gke_backup_agent_config" {
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
default = "DISABLED"
}

variable "security_posture_vulnerability_mode" {
description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`."
type = string
default = null
}

variable "disable_default_snat" {
type = bool
description = "Whether to disable the default SNAT to support the private use of public IP addresses"
Expand Down
6 changes: 6 additions & 0 deletions cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -211,6 +211,12 @@ resource "google_container_cluster" "primary" {

datapath_provider = var.datapath_provider


security_posture_config {
mode = var.security_posture_mode
vulnerability_mode = var.security_posture_vulnerability_mode
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-autopilot-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,8 @@ Then perform the following commands on the root folder:
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
Expand Down
6 changes: 6 additions & 0 deletions modules/beta-autopilot-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,12 @@ resource "google_container_cluster" "primary" {
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}

security_posture_config {
mode = var.security_posture_mode
vulnerability_mode = var.security_posture_vulnerability_mode
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
12 changes: 12 additions & 0 deletions modules/beta-autopilot-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -392,6 +392,18 @@ variable "enable_fqdn_network_policy" {
default = null
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
default = "DISABLED"
}

variable "security_posture_vulnerability_mode" {
description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
type = string
default = "VULNERABILITY_DISABLED"
}

variable "disable_default_snat" {
type = bool
description = "Whether to disable the default SNAT to support the private use of public IP addresses"
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-autopilot-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,8 @@ Then perform the following commands on the root folder:
| registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
| release\_channel | The release channel of this cluster. Accepted values are `UNSPECIFIED`, `RAPID`, `REGULAR` and `STABLE`. Defaults to `REGULAR`. | `string` | `"REGULAR"` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
Expand Down
6 changes: 6 additions & 0 deletions modules/beta-autopilot-public-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -136,6 +136,12 @@ resource "google_container_cluster" "primary" {
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}

security_posture_config {
mode = var.security_posture_mode
vulnerability_mode = var.security_posture_vulnerability_mode
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
12 changes: 12 additions & 0 deletions modules/beta-autopilot-public-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -362,6 +362,18 @@ variable "enable_fqdn_network_policy" {
default = null
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
default = "DISABLED"
}

variable "security_posture_vulnerability_mode" {
description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
type = string
default = "VULNERABILITY_DISABLED"
}

variable "disable_default_snat" {
type = bool
description = "Whether to disable the default SNAT to support the private use of public IP addresses"
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-private-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -264,6 +264,8 @@ Then perform the following commands on the root folder:
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
Expand Down
6 changes: 6 additions & 0 deletions modules/beta-private-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -269,6 +269,12 @@ resource "google_container_cluster" "primary" {
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}

security_posture_config {
mode = var.security_posture_mode
vulnerability_mode = var.security_posture_vulnerability_mode
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
12 changes: 12 additions & 0 deletions modules/beta-private-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -537,6 +537,18 @@ variable "enable_fqdn_network_policy" {
default = null
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
default = "DISABLED"
}

variable "security_posture_vulnerability_mode" {
description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
type = string
default = "VULNERABILITY_DISABLED"
}

variable "disable_default_snat" {
type = bool
description = "Whether to disable the default SNAT to support the private use of public IP addresses"
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -242,6 +242,8 @@ Then perform the following commands on the root folder:
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
Expand Down
6 changes: 6 additions & 0 deletions modules/beta-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -269,6 +269,12 @@ resource "google_container_cluster" "primary" {
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}

security_posture_config {
mode = var.security_posture_mode
vulnerability_mode = var.security_posture_vulnerability_mode
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
12 changes: 12 additions & 0 deletions modules/beta-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -537,6 +537,18 @@ variable "enable_fqdn_network_policy" {
default = null
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
default = "DISABLED"
}

variable "security_posture_vulnerability_mode" {
description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
type = string
default = "VULNERABILITY_DISABLED"
}

variable "disable_default_snat" {
type = bool
description = "Whether to disable the default SNAT to support the private use of public IP addresses"
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-public-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -253,6 +253,8 @@ Then perform the following commands on the root folder:
| remove\_default\_node\_pool | Remove default node pool while setting up the cluster | `bool` | `false` | no |
| resource\_usage\_export\_dataset\_id | The ID of a BigQuery Dataset for using BigQuery as the destination of resource usage export. | `string` | `""` | no |
| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` to use it). | `bool` | `false` | no |
| security\_posture\_mode | Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`. | `string` | `"DISABLED"` | no |
| security\_posture\_vulnerability\_mode | Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`. | `string` | `"VULNERABILITY_DISABLED"` | no |
| service\_account | The service account to run nodes as if not overridden in `node_pools`. The create\_service\_account variable default value (true) will cause a cluster-specific service account to be created. This service account should already exists and it will be used by the node pools. If you wish to only override the service account name, you can use service\_account\_name variable. | `string` | `""` | no |
| service\_account\_name | The name of the service account that will be created if create\_service\_account is true. If you wish to use an existing service account, use service\_account variable. | `string` | `""` | no |
| service\_external\_ips | Whether external ips specified by a service will be allowed in this cluster | `bool` | `false` | no |
Expand Down
6 changes: 6 additions & 0 deletions modules/beta-public-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -269,6 +269,12 @@ resource "google_container_cluster" "primary" {
}
workload_vulnerability_mode = var.workload_vulnerability_mode
}

security_posture_config {
mode = var.security_posture_mode
vulnerability_mode = var.security_posture_vulnerability_mode
}

ip_allocation_policy {
cluster_secondary_range_name = var.ip_range_pods
services_secondary_range_name = var.ip_range_services
Expand Down
12 changes: 12 additions & 0 deletions modules/beta-public-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -507,6 +507,18 @@ variable "enable_fqdn_network_policy" {
default = null
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
default = "DISABLED"
}

variable "security_posture_vulnerability_mode" {
description = "Security posture vulnerability mode. Accepted values are `VULNERABILITY_DISABLED` and `VULNERABILITY_BASIC`. Defaults to `VULNERABILITY_DISABLED`."
type = string
default = "VULNERABILITY_DISABLED"
}

variable "disable_default_snat" {
type = bool
description = "Whether to disable the default SNAT to support the private use of public IP addresses"
Expand Down
Loading

0 comments on commit 5d959a6

Please sign in to comment.