fix: resolve deprecation warning for binary authorization
`enable_binary_authorization` is now deprecated in favor of the
`binary_authorization` block. This preserves the module's interface but
updates the underlying behavior.

Fixes terraform-google-modules#1331
wyardley committed Jul 22, 2022
1 parent 35b2bf5 commit 40b3440
Showing 13 changed files with 94 additions and 27 deletions.
9 changes: 8 additions & 1 deletion autogen/main/cluster.tf.tmpl
Expand Up @@ -151,7 +151,14 @@ resource "google_container_cluster" "primary" {
{% if autopilot_cluster != true %}
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes
enable_binary_authorization = var.enable_binary_authorization

dynamic "binary_authorization" {
for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}

{% if beta_cluster %}
enable_intranode_visibility = var.enable_intranode_visibility
enable_kubernetes_alpha = var.enable_kubernetes_alpha
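Review bot: When `var.enable_binary_authorization` is false, the new `dynamic "binary_authorization"` block emits nothing, whereas the removed `enable_binary_authorization = var.enable_binary_authorization` line always sent an explicit value to the provider; whether an absent block disables enforcement on a cluster that currently has it on, or merely stops managing the setting so drift goes unreported, is provider behavior this hunk cannot show and should be checked with a plan against an enforced cluster before release. If the setting is meant to stay managed in both states, the block can be made unconditional with `for_each = [1]` and `evaluation_mode = var.enable_binary_authorization ? "PROJECT_SINGLETON_POLICY_ENFORCE" : "DISABLED"`. Iterating over `[var.enable_binary_authorization]` also reads oddly since the element value is never used; `[1]` or `[true]` says what is meant. A one-line comment above the block, `# Legacy boolean mapped onto the provider's binary_authorization block; when enabled, evaluation_mode is fixed to project-singleton enforcement.`, would help readers who only see the generated file. The same block appears in cluster.tf and the six modules/*/cluster.tf sections below, which this template generates; the enclosing resource starts and ends outside the hunk.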
4 changes: 3 additions & 1 deletion autogen/safer-cluster/main.tf.tmpl
Expand Up @@ -148,7 +148,9 @@ module "gke" {
database_encryption = var.database_encryption

// We suggest to define policies about which images can run on a cluster.
enable_binary_authorization = true
binary_authorization {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}

// Use of PodSecurityPolicy admission controller
// https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
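Review bot: A `module` block accepts only argument assignments, so the nested `binary_authorization { ... }` block written in place of `enable_binary_authorization = true` is an unsupported block type inside `module "gke"` and Terraform will reject the generated file; the commit description also says the wrapped module's interface is unchanged, so that module still expects the boolean. Unless the called module's variables are changed somewhere outside these 13 files, the call site should keep `enable_binary_authorization = true`, or pass the new setting as an attribute (for example `binary_authorization = { evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" }`) once the module actually exposes such a variable. The same replacement appears in modules/safer-cluster-update-variant/main.tf, modules/safer-cluster/main.tf, test/fixtures/beta_cluster/main.tf and test/fixtures/simple_regional/example.tf, so the fixtures would fail before they exercise the security setting. The enclosing `module "gke"` call starts and ends outside the hunk.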
13 changes: 10 additions & 3 deletions cluster.tf
Expand Up @@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
vertical_pod_autoscaling {
enabled = var.enable_vertical_pod_autoscaling
}
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes
enable_binary_authorization = var.enable_binary_authorization
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes

dynamic "binary_authorization" {
for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}

dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
content {
13 changes: 10 additions & 3 deletions modules/beta-private-cluster-update-variant/cluster.tf
Expand Up @@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
vertical_pod_autoscaling {
enabled = var.enable_vertical_pod_autoscaling
}
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes
enable_binary_authorization = var.enable_binary_authorization
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes

dynamic "binary_authorization" {
for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}

enable_intranode_visibility = var.enable_intranode_visibility
enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
13 changes: 10 additions & 3 deletions modules/beta-private-cluster/cluster.tf
Expand Up @@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
vertical_pod_autoscaling {
enabled = var.enable_vertical_pod_autoscaling
}
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes
enable_binary_authorization = var.enable_binary_authorization
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes

dynamic "binary_authorization" {
for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}

enable_intranode_visibility = var.enable_intranode_visibility
enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
13 changes: 10 additions & 3 deletions modules/beta-public-cluster-update-variant/cluster.tf
Expand Up @@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
vertical_pod_autoscaling {
enabled = var.enable_vertical_pod_autoscaling
}
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes
enable_binary_authorization = var.enable_binary_authorization
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes

dynamic "binary_authorization" {
for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}

enable_intranode_visibility = var.enable_intranode_visibility
enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
13 changes: 10 additions & 3 deletions modules/beta-public-cluster/cluster.tf
Expand Up @@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
vertical_pod_autoscaling {
enabled = var.enable_vertical_pod_autoscaling
}
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes
enable_binary_authorization = var.enable_binary_authorization
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes

dynamic "binary_authorization" {
for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}

enable_intranode_visibility = var.enable_intranode_visibility
enable_kubernetes_alpha = var.enable_kubernetes_alpha
enable_tpu = var.enable_tpu
13 changes: 10 additions & 3 deletions modules/private-cluster-update-variant/cluster.tf
Expand Up @@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
vertical_pod_autoscaling {
enabled = var.enable_vertical_pod_autoscaling
}
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes
enable_binary_authorization = var.enable_binary_authorization
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes

dynamic "binary_authorization" {
for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}

dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
content {
13 changes: 10 additions & 3 deletions modules/private-cluster/cluster.tf
Expand Up @@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
vertical_pod_autoscaling {
enabled = var.enable_vertical_pod_autoscaling
}
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes
enable_binary_authorization = var.enable_binary_authorization
default_max_pods_per_node = var.default_max_pods_per_node
enable_shielded_nodes = var.enable_shielded_nodes

dynamic "binary_authorization" {
for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
content {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}

dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
content {
4 changes: 3 additions & 1 deletion modules/safer-cluster-update-variant/main.tf
Expand Up @@ -144,7 +144,9 @@ module "gke" {
database_encryption = var.database_encryption

// We suggest to define policies about which images can run on a cluster.
enable_binary_authorization = true
binary_authorization {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}

// Use of PodSecurityPolicy admission controller
// https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
4 changes: 3 additions & 1 deletion modules/safer-cluster/main.tf
Expand Up @@ -144,7 +144,9 @@ module "gke" {
database_encryption = var.database_encryption

// We suggest to define policies about which images can run on a cluster.
enable_binary_authorization = true
binary_authorization {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}

// Use of PodSecurityPolicy admission controller
// https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies
4 changes: 3 additions & 1 deletion test/fixtures/beta_cluster/main.tf
Expand Up @@ -58,7 +58,9 @@ module "this" {

gce_pd_csi_driver = true

enable_binary_authorization = true
binary_authorization {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}

enable_pod_security_policy = true

5 changes: 4 additions & 1 deletion test/fixtures/simple_regional/example.tf
Expand Up @@ -26,5 +26,8 @@ module "example" {
ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
compute_engine_service_account = var.compute_engine_service_accounts[0]
skip_provisioners = true
enable_binary_authorization = true

binary_authorization {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}
