Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(TPG>=5.44.2)!: add standard cluster support for insecureKubeletReadonlyPortEnabled #2082

Merged
merged 14 commits into from
Oct 16, 2024
Merged

feat(TPG>=5.44.2)!: add standard cluster support for insecureKubeletReadonlyPortEnabled #2082

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
37c63b9
feat(TPG>=5.44)!: add support for `insecureKubeletReadonlyPortEnabled`
wyardley Sep 11, 2024
fe59a6f
update to support autopilot and node_config_defaults
wyardley Sep 13, 2024
f4ba813
gate gcfs_config in node_config_defaults
wyardley Sep 17, 2024
9ebbd6d
update autopilot block name
wyardley Sep 17, 2024
4c2b883
update required provider versions
wyardley Sep 20, 2024
f2755fa
Skip autopilot for now, require != 6.3.0, update non-beta versions.tf
wyardley Sep 23, 2024
5b7e2bf
revert insecure_kubelet_readonly_port_enabled in example
wyardley Sep 23, 2024
d47309f
remove from autopilot variables as well
wyardley Sep 23, 2024
83e5798
update version specification order
wyardley Sep 25, 2024
086d138
Update autogen/main/cluster.tf.tmpl
wyardley Sep 25, 2024
114b68e
switch to optional bool for module implementation
wyardley Sep 25, 2024
b6c5fa6
update required versions
wyardley Oct 14, 2024
a908807
Merge branch 'master' into wyardley/issues/2013
apeabody Oct 15, 2024
4d72727
Merge branch 'master' into wyardley/issues/2013
apeabody Oct 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,7 @@ Then perform the following commands on the root folder:
| http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no |
| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
Expand Down Expand Up @@ -319,6 +320,7 @@ The node_pools variable takes the following parameters:
| gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
| image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
| initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
| key | The key required for the taint | | Required |
| logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
| local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
Expand Down
1 change: 1 addition & 0 deletions autogen/main/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -213,6 +213,7 @@ The node_pools variable takes the following parameters:
| gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
| image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
| initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
| key | The key required for the taint | | Required |
| logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
| local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
Expand Down
18 changes: 10 additions & 8 deletions autogen/main/cluster.tf.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -661,7 +661,6 @@ resource "google_container_cluster" "primary" {
}
}
}
{% if beta_cluster %}

node_pool_defaults {
node_config_defaults {
Expand All @@ -675,15 +674,17 @@ resource "google_container_cluster" "primary" {
}
{% endif %}
{% if autopilot_cluster != true %}
{% if beta_cluster %}
gcfs_config {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe that gcfs_config is still beta, so will need to still gate this block.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah was going to rebase after #2098 originally, but now they may need to go together?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My quick read is that even in v6.3 while node_config_defaults is GA, node_config_defaults.gcfs_config is still beta?

Copy link
Contributor Author

@wyardley wyardley Sep 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think that's correct. The narrower fix I ended up with there still keeps gcfs_config gated (however breaks because then node_config_defaults is empty, which I think will be a potential issue either way unless we do the dynamic block?)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @wyardley - Looks like gcfs_config was promoted to GA in v6.5.0, so in the subsequent breaking release (35?) this can be resolved.

enabled = var.enable_gcfs
}
{% endif %}
insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null
{% endif %}
}
}
{% endif %}
{% if beta_cluster %}

{% if beta_cluster %}
depends_on = [google_project_iam_member.service_agent]
{% endif %}
}
Expand Down Expand Up @@ -1046,14 +1047,15 @@ resource "google_container_node_pool" "windows_pools" {
dynamic "kubelet_config" {
for_each = length(setintersection(
keys(each.value),
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
)) != 0 ? [1] : []

content {
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
}
}
{% if beta_cluster %}
Expand Down
6 changes: 6 additions & 0 deletions autogen/main/variables.tf.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,6 +109,12 @@ variable "service_external_ips" {
}

{% if autopilot_cluster != true %}
variable "insecure_kubelet_readonly_port_enabled" {
type = bool
description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
default = null
}

variable "datapath_provider" {
type = string
description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
Expand Down
6 changes: 3 additions & 3 deletions autogen/main/versions.tf.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.40.0, < 7"
version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
wyardley marked this conversation as resolved.
Show resolved Hide resolved
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.40.0, < 7"
version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"
Expand Down Expand Up @@ -89,7 +89,7 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.40.0, < 7"
version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"
Expand Down
29 changes: 19 additions & 10 deletions cluster.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -500,6 +500,13 @@ resource "google_container_cluster" "primary" {
}
}
}

node_pool_defaults {
node_config_defaults {
insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null
}
}

}
/******************************************
Create Container Cluster node pools
Expand Down Expand Up @@ -739,14 +746,15 @@ resource "google_container_node_pool" "pools" {
dynamic "kubelet_config" {
for_each = length(setintersection(
keys(each.value),
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
)) != 0 ? [1] : []

content {
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
}
}

Expand Down Expand Up @@ -1029,14 +1037,15 @@ resource "google_container_node_pool" "windows_pools" {
dynamic "kubelet_config" {
for_each = length(setintersection(
keys(each.value),
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
)) != 0 ? [1] : []

content {
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
}
}

Expand Down
29 changes: 15 additions & 14 deletions examples/node_pool/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,20 +67,21 @@ module "gke" {
service_account = var.compute_engine_service_account
},
{
name = "pool-03"
machine_type = "n1-standard-2"
node_locations = "${var.region}-b,${var.region}-c"
autoscaling = false
node_count = 2
disk_type = "pd-standard"
auto_upgrade = true
service_account = var.compute_engine_service_account
pod_range = "test"
sandbox_enabled = true
cpu_manager_policy = "static"
cpu_cfs_quota = true
local_ssd_ephemeral_count = 2
pod_pids_limit = 4096
name = "pool-03"
machine_type = "n1-standard-2"
node_locations = "${var.region}-b,${var.region}-c"
autoscaling = false
node_count = 2
disk_type = "pd-standard"
auto_upgrade = true
service_account = var.compute_engine_service_account
pod_range = "test"
sandbox_enabled = true
cpu_manager_policy = "static"
cpu_cfs_quota = true
insecure_kubelet_readonly_port_enabled = "FALSE"
local_ssd_ephemeral_count = 2
pod_pids_limit = 4096
},
{
name = "pool-04"
Expand Down
11 changes: 6 additions & 5 deletions examples/node_pool_update_variant/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,11 +61,12 @@ module "gke" {

node_pools = [
{
name = "pool-01"
min_count = 1
max_count = 2
service_account = var.compute_engine_service_account
auto_upgrade = true
name = "pool-01"
min_count = 1
max_count = 2
service_account = var.compute_engine_service_account
auto_upgrade = true
insecure_kubelet_readonly_port_enabled = "FALSE"
},
{
name = "pool-02"
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-private-cluster-update-variant/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,7 @@ Then perform the following commands on the root folder:
| http\_load\_balancing | Enable httpload balancer addon | `bool` | `true` | no |
| identity\_namespace | The workload pool to attach all Kubernetes service accounts to. (Default value of `enabled` automatically sets project-based pool `[project_id].svc.id.goog`) | `string` | `"enabled"` | no |
| initial\_node\_count | The number of nodes to create in this cluster's default node pool. | `number` | `0` | no |
| insecure\_kubelet\_readonly\_port\_enabled | Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`. | `bool` | `null` | no |
| ip\_masq\_link\_local | Whether to masquerade traffic to the link-local prefix (169.254.0.0/16). | `bool` | `false` | no |
| ip\_masq\_resync\_interval | The interval at which the agent attempts to sync its ConfigMap file from the disk. | `string` | `"60s"` | no |
| ip\_range\_pods | The _name_ of the secondary subnet ip range to use for pods | `string` | n/a | yes |
Expand Down Expand Up @@ -377,6 +378,7 @@ The node_pools variable takes the following parameters:
| gpu_partition_size | Size of partitions to create on the GPU | null | Optional |
| image_type | The image type to use for this node. Note that changing the image type will delete and recreate all nodes in the node pool | COS_CONTAINERD | Optional |
| initial_node_count | The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource. Defaults to the value of min_count | " " | Optional |
| insecure_kubelet_readonly_port_enabled | (boolean) Whether or not to enable the insecure Kubelet readonly port. | null | Optional |
| key | The key required for the taint | | Required |
| logging_variant | The type of logging agent that is deployed by default for newly created node pools in the cluster. Valid values include DEFAULT and MAX_THROUGHPUT. | DEFAULT | Optional |
| local_ssd_count | The amount of local SSD disks that will be attached to each cluster node and may be used as a `hostpath` volume or a `local` PersistentVolume. | 0 | Optional |
Expand Down
23 changes: 13 additions & 10 deletions modules/beta-private-cluster-update-variant/cluster.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -581,6 +581,7 @@ resource "google_container_cluster" "primary" {
gcfs_config {
enabled = var.enable_gcfs
}
insecure_kubelet_readonly_port_enabled = var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null
}
}

Expand Down Expand Up @@ -915,14 +916,15 @@ resource "google_container_node_pool" "pools" {
dynamic "kubelet_config" {
for_each = length(setintersection(
keys(each.value),
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
)) != 0 ? [1] : []

content {
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
}
}

Expand Down Expand Up @@ -1219,14 +1221,15 @@ resource "google_container_node_pool" "windows_pools" {
dynamic "kubelet_config" {
for_each = length(setintersection(
keys(each.value),
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
)) != 0 ? [1] : []

content {
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
cpu_manager_policy = lookup(each.value, "cpu_manager_policy", "static")
cpu_cfs_quota = lookup(each.value, "cpu_cfs_quota", null)
cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled != null ? var.insecure_kubelet_readonly_port_enabled : null)
pod_pids_limit = lookup(each.value, "pod_pids_limit", null)
}
}

Expand Down
6 changes: 6 additions & 0 deletions modules/beta-private-cluster-update-variant/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,12 @@ variable "service_external_ips" {
default = false
}

variable "insecure_kubelet_readonly_port_enabled" {
type = bool
description = "Whether or not to set `insecure_kubelet_readonly_port_enabled` for node pool defaults and autopilot clusters. Note: this can be set at the node pool level separately within `node_pools`."
default = null
}

variable "datapath_provider" {
type = string
description = "The desired datapath provider for this cluster. By default, `DATAPATH_PROVIDER_UNSPECIFIED` enables the IPTables-based kube-proxy implementation. `ADVANCED_DATAPATH` enables Dataplane-V2 feature."
Expand Down
4 changes: 2 additions & 2 deletions modules/beta-private-cluster-update-variant/versions.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
version = ">= 5.40.0, < 7"
version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 5.40.0, < 7"
version = ">= 5.44.2, !=6.0.0, !=6.0.1, !=6.1.0, !=6.2.0, !=6.3.0, !=6.4.0, !=6.5.0, !=6.6.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"
Expand Down
Loading