diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 714b90fb8e..4c96c90062 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -208,6 +208,9 @@ resource "google_container_cluster" "primary" {
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 {% endif %}
 {% endif %}
+{% if beta_cluster %}
+ enable_fqdn_network_policy = var.enable_fqdn_network_policy
+{% endif %}
 {% if autopilot_cluster %}
 enable_autopilot = true
 {% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index d562de600b..1848cf0afe 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
@@ -560,6 +560,12 @@ variable "workload_config_audit_mode" {
 type = string
 default = "DISABLED"
 }
+
+variable "enable_fqdn_network_policy" {
+ type = bool
+ description = "Enable FQDN Network Policies on the cluster"
+ default = null
+}
 {% endif %}
 
 variable "disable_default_snat" {
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index d2a2b93b4f..e6b22da2c8 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -24,11 +24,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
index 443f827f1b..10aaf334d2 100644
--- a/modules/beta-autopilot-private-cluster/README.md
+++ b/modules/beta-autopilot-private-cluster/README.md
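Review bot: The description added for `enable_fqdn_network_policy` in the variables.tf.tmpl hunk says neither what the feature depends on nor what the `null` default means, and this text is copied verbatim into every generated `modules/beta-*` variables.tf and README in the hunks below. FQDN network policy is, as far as I know, a Dataplane V2 feature, so the variable should point the reader at the module's `datapath_provider` setting rather than leaving that for a failed apply to reveal; the other beta-only inputs in these READMEs also carry a `(Beta)` prefix that this one lacks. Suggested description: `description = "(Beta) Enable FQDN Network Policies on the cluster. Requires Dataplane V2 (datapath_provider = \"ADVANCED_DATAPATH\"); null leaves the API default in place."`. Change it in the template and regenerate the module copies rather than editing them by hand.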
@@ -87,6 +87,7 @@ Then perform the following commands on the root folder:
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
index 7ed8a9fd17..2ac70aaa03 100644
--- a/modules/beta-autopilot-private-cluster/cluster.tf
+++ b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -81,7 +81,8 @@ resource "google_container_cluster" "primary" {
 vertical_pod_autoscaling {
 enabled = var.enable_vertical_pod_autoscaling
 }
- enable_autopilot = true
+ enable_fqdn_network_policy = var.enable_fqdn_network_policy
+ enable_autopilot = true
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 7140af0151..6152837fd6 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -386,6 +386,12 @@ variable "workload_config_audit_mode" {
 default = "DISABLED"
 }
 
+variable "enable_fqdn_network_policy" {
+ type = bool
+ description = "Enable FQDN Network Policies on the cluster"
+ default = null
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index 94a6a4feb1..b54731b25d 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index aa0ba1bc39..62260d6bb2 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -80,6 +80,7 @@ Then perform the following commands on the root folder:
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
index 901ffe4889..03da3ad707 100644
--- a/modules/beta-autopilot-public-cluster/cluster.tf
+++ b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -81,7 +81,8 @@ resource "google_container_cluster" "primary" {
 vertical_pod_autoscaling {
 enabled = var.enable_vertical_pod_autoscaling
 }
- enable_autopilot = true
+ enable_fqdn_network_policy = var.enable_fqdn_network_policy
+ enable_autopilot = true
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
index 2d0577aaf1..277281a69e 100644
--- a/modules/beta-autopilot-public-cluster/variables.tf
+++ b/modules/beta-autopilot-public-cluster/variables.tf
@@ -356,6 +356,12 @@ variable "workload_config_audit_mode" {
 default = "DISABLED"
 }
 
+variable "enable_fqdn_network_policy" {
+ type = bool
+ description = "Enable FQDN Network Policies on the cluster"
+ default = null
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf
index 395be4698d..cc52cfb0cd 100644
--- a/modules/beta-autopilot-public-cluster/versions.tf
+++ b/modules/beta-autopilot-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
index f7d417b0f9..9784d38d29 100644
--- a/modules/beta-private-cluster-update-variant/README.md
+++ b/modules/beta-private-cluster-update-variant/README.md
@@ -192,6 +192,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 29770ab8f6..fdbecb2ac2 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -164,7 +164,8 @@ resource "google_container_cluster" "primary" {
 }
 }
 
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_fqdn_network_policy = var.enable_fqdn_network_policy
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 9713043962..6a444b2f53 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -531,6 +531,12 @@ variable "workload_config_audit_mode" {
 default = "DISABLED"
 }
 
+variable "enable_fqdn_network_policy" {
+ type = bool
+ description = "Enable FQDN Network Policies on the cluster"
+ default = null
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index ac420da8e6..a7cd79e65b 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 2fa1e3be1e..9563237347 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -170,6 +170,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 1ddb1a76e8..520b0529a8 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -164,7 +164,8 @@ resource "google_container_cluster" "primary" {
 }
 }
 
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_fqdn_network_policy = var.enable_fqdn_network_policy
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 9713043962..6a444b2f53 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -531,6 +531,12 @@ variable "workload_config_audit_mode" {
 default = "DISABLED"
 }
 
+variable "enable_fqdn_network_policy" {
+ type = bool
+ description = "Enable FQDN Network Policies on the cluster"
+ default = null
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf
index 4132fa898d..18b79d6b97 100644
--- a/modules/beta-private-cluster/versions.tf
+++ b/modules/beta-private-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
index c8e28f09cc..3b515c1f2d 100644
--- a/modules/beta-public-cluster-update-variant/README.md
+++ b/modules/beta-public-cluster-update-variant/README.md
@@ -185,6 +185,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index d35a15d495..63af038480 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -164,7 +164,8 @@ resource "google_container_cluster" "primary" {
 }
 }
 
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_fqdn_network_policy = var.enable_fqdn_network_policy
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 0ca442912b..46572f3c17 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -501,6 +501,12 @@ variable "workload_config_audit_mode" {
 default = "DISABLED"
 }
 
+variable "enable_fqdn_network_policy" {
+ type = bool
+ description = "Enable FQDN Network Policies on the cluster"
+ default = null
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index 285c24c848..97e2092654 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index a8602ab576..4d606346bd 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -163,6 +163,7 @@ Then perform the following commands on the root folder:
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
+| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_gcfs | Enable image streaming on cluster level. | `bool` | `false` | no |
 | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 4857f57520..a8db1c6e13 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -164,7 +164,8 @@ resource "google_container_cluster" "primary" {
 }
 }
 
- enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
+ enable_fqdn_network_policy = var.enable_fqdn_network_policy
 dynamic "master_authorized_networks_config" {
 for_each = local.master_authorized_networks_config
 content {
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 0ca442912b..46572f3c17 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -501,6 +501,12 @@ variable "workload_config_audit_mode" {
 default = "DISABLED"
 }
 
+variable "enable_fqdn_network_policy" {
+ type = bool
+ description = "Enable FQDN Network Policies on the cluster"
+ default = null
+}
+
 variable "disable_default_snat" {
 type = bool
 description = "Whether to disable the default SNAT to support the private use of public IP addresses"
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 5bfc9dcdc3..b3871e81ee 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 4.80.0, < 5.0, !=4.65.0, !=4.65.1"
+ version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"