Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add support for configuring allow_net_admin in autopilot clusters #1768

Merged
merged 11 commits into from
Nov 15, 2023
4 changes: 4 additions & 0 deletions autogen/main/cluster.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -326,6 +326,10 @@ resource "google_container_cluster" "primary" {
}
{% endif %}
}
{% if autopilot_cluster %}

allow_net_admin = var.allow_net_admin
{% endif %}
{% if autopilot_cluster != true %}

datapath_provider = var.datapath_provider
Expand Down
7 changes: 7 additions & 0 deletions autogen/main/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -849,3 +849,10 @@ variable "enable_gcfs" {
}
{% endif %}
{% endif %}
{% if autopilot_cluster %}
variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."
type = bool
default = null
}
{% endif %}
1 change: 1 addition & 0 deletions modules/beta-autopilot-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ Then perform the following commands on the root folder:
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-autopilot-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,8 @@ resource "google_container_cluster" "primary" {

}

allow_net_admin = var.allow_net_admin

networking_mode = "VPC_NATIVE"

protect_config {
Expand Down
5 changes: 5 additions & 0 deletions modules/beta-autopilot-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -448,3 +448,8 @@ variable "timeouts" {
}
}

variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."
type = bool
default = null
}
1 change: 1 addition & 0 deletions modules/beta-autopilot-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ Then perform the following commands on the root folder:
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-autopilot-public-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,8 @@ resource "google_container_cluster" "primary" {

}

allow_net_admin = var.allow_net_admin

networking_mode = "VPC_NATIVE"

protect_config {
Expand Down
5 changes: 5 additions & 0 deletions modules/beta-autopilot-public-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -418,3 +418,8 @@ variable "timeouts" {
}
}

variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."
type = bool
default = null
}