Merge branch 'master' into dev

Author: apeabody

README.md

@@ -143,6 +143,7 @@ Then perform the following commands on the root folder:
 | add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
 | additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
 | authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | `string` | `null` | no |
+| boot\_disk\_kms\_key | The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY\_PROJECT\_ID]/locations/[LOCATION]/keyRings/[RING\_NAME]/cryptoKeys/[KEY\_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption | `string` | `null` | no |
 | cluster\_autoscaling | Cluster autoscaling configuration. See [more details](https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1beta1/projects.locations.clusters#clusterautoscaling) | <pre>object({<br>    enabled                     = bool<br>    autoscaling_profile         = string<br>    min_cpu_cores               = number<br>    max_cpu_cores               = number<br>    min_memory_gb               = number<br>    max_memory_gb               = number<br>    gpu_resources               = list(object({ resource_type = string, minimum = number, maximum = number }))<br>    auto_repair                 = bool<br>    auto_upgrade                = bool<br>    disk_size                   = optional(number)<br>    disk_type                   = optional(string)<br>    image_type                  = optional(string)<br>    strategy                    = optional(string)<br>    max_surge                   = optional(number)<br>    max_unavailable             = optional(number)<br>    node_pool_soak_duration     = optional(string)<br>    batch_soak_duration         = optional(string)<br>    batch_percentage            = optional(number)<br>    batch_node_count            = optional(number)<br>    enable_secure_boot          = optional(bool, false)<br>    enable_integrity_monitoring = optional(bool, true)<br>  })</pre> | <pre>{<br>  "auto_repair": true,<br>  "auto_upgrade": true,<br>  "autoscaling_profile": "BALANCED",<br>  "disk_size": 100,<br>  "disk_type": "pd-standard",<br>  "enable_integrity_monitoring": true,<br>  "enable_secure_boot": false,<br>  "enabled": false,<br>  "gpu_resources": [],<br>  "image_type": "COS_CONTAINERD",<br>  "max_cpu_cores": 0,<br>  "max_memory_gb": 0,<br>  "min_cpu_cores": 0,<br>  "min_memory_gb": 0<br>}</pre> | no |
 | cluster\_dns\_domain | The suffix used for all cluster service records. | `string` | `""` | no |
 | cluster\_dns\_provider | Which in-cluster DNS provider should be used. PROVIDER\_UNSPECIFIED (default) or PLATFORM\_DEFAULT or CLOUD\_DNS. | `string` | `"PROVIDER_UNSPECIFIED"` | no |

autogen/main/README.md

@@ -201,6 +201,7 @@ The node_pools variable takes the following parameters:
 | cpu_manager_policy | The CPU manager policy on the node. One of "none" or "static". | "static" | Optional |
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
+| pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 {% endif %}
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |

autogen/main/cluster.tf.tmpl

@@ -139,6 +139,8 @@ resource "google_container_cluster" "primary" {
         service_account = local.service_account
         oauth_scopes = local.node_pools_oauth_scopes["all"]
 
+        boot_disk_kms_key = var.boot_disk_kms_key
+
         management {
             auto_repair  = lookup(var.cluster_autoscaling, "auto_repair", true)
             auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade",true)
@@ -524,7 +526,7 @@ resource "google_container_cluster" "primary" {
         }
       }
 
-      boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", "")
+      boot_disk_kms_key = lookup(var.node_pools[0], "boot_disk_kms_key", var.boot_disk_kms_key)
       {% endif %}
 
       shielded_instance_config {
@@ -985,13 +987,14 @@ resource "google_container_node_pool" "windows_pools" {
     dynamic "kubelet_config" {
       for_each = length(setintersection(
         keys(each.value),
-        ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period"]
+        ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "pod_pids_limit"]
       )) != 0 ? [1] : []
 
       content {
         cpu_manager_policy   = lookup(each.value, "cpu_manager_policy", "static")
         cpu_cfs_quota        = lookup(each.value, "cpu_cfs_quota", null)
         cpu_cfs_quota_period = lookup(each.value, "cpu_cfs_quota_period", null)
+        pod_pids_limit       = lookup(each.value, "pod_pids_limit", null)
       }
     }
     {% endif %}

autogen/main/variables.tf.tmpl

@@ -413,6 +413,14 @@ variable "service_account_name" {
   default     = ""
 }
 
+{% if autopilot_cluster != true %}
+variable "boot_disk_kms_key" {
+  type        = string
+  description = "The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool, if not overridden in `node_pools`. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption"
+  default     = null
+}
+
+{% endif %}
 variable "issue_client_certificate" {
   type        = bool
   description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"

cluster.tf

@@ -112,6 +112,8 @@ resource "google_container_cluster" "primary" {
         service_account = local.service_account
         oauth_scopes    = local.node_pools_oauth_scopes["all"]
 
+        boot_disk_kms_key = var.boot_disk_kms_key
+
         management {
           auto_repair  = lookup(var.cluster_autoscaling, "auto_repair", true)
           auto_upgrade = lookup(var.cluster_autoscaling, "auto_upgrade", true)

examples/deploy_service/main.tf

@@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" {
 
   spec {
     container {
-      image = "nginx:1.26.0"
+      image = "nginx:1.27.0"
       name  = "nginx-example"
     }
   }

examples/island_cluster_anywhere_in_gcp_design/README.md

@@ -0,0 +1,37 @@
+# GKE island cluster anywhere in GCP design
+
+This example provisions a cluster in an island VPC allowing reuse of the IP address space for multiple clusters across different GCP organizations.
+
+## Deploy
+
+1. Create NCC hub.
+2. Update `ncc_hub_project_id`, `ncc_hub_name`, `network_name` and gke spokes in `terraform.tfvars`.
+3. Run `terraform apply`.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| gke\_spokes | n/a | `any` | n/a | yes |
+| ingress\_ip\_addrs\_subnet\_cidr | Subnet to use for reserving internal ip addresses for the ILBs. | `string` | n/a | yes |
+| master\_authorized\_networks | List of master authorized networks. If none are provided, disallow external access (except the cluster node IPs, which GKE automatically whitelists). | `list(object({ cidr_block = string, display_name = string }))` | n/a | yes |
+| ncc\_hub\_name | n/a | `string` | n/a | yes |
+| ncc\_hub\_project\_id | n/a | `string` | n/a | yes |
+| net\_attachment\_subnet\_cidr | Subnet for the router PSC interface network attachment in island network. | `string` | n/a | yes |
+| node\_locations | n/a | `list(string)` | n/a | yes |
+| primary\_net\_name | Primary VPC network name. | `string` | n/a | yes |
+| primary\_subnet | Subnet to use in primary network to deploy the router. | `string` | n/a | yes |
+| proxy\_subnet\_cidr | CIDR for the regional managed proxy subnet. | `string` | n/a | yes |
+| region | n/a | `string` | n/a | yes |
+| router\_machine\_type | n/a | `string` | n/a | yes |
+| secondary\_ranges | n/a | `map(string)` | n/a | yes |
+| subnet\_cidr | Primary subnet CIDR used by the cluster. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cluster\_ids | n/a |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/island_cluster_anywhere_in_gcp_design/main.tf

@@ -0,0 +1,93 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_id" "rand" {
+  byte_length = 4
+}
+
+resource "google_service_account" "gke-sa" {
+  for_each = { for k, v in var.gke_spokes : k => v }
+
+  account_id = "gke-sa-${random_id.rand.hex}"
+  project    = each.value["project_id"]
+}
+
+module "gke" {
+  source  = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
+  version = "~> 31.0"
+
+  for_each = { for k, v in var.gke_spokes : k => v }
+
+  name                                 = each.value["cluster_name"]
+  project_id                           = each.value["project_id"]
+  region                               = var.region
+  release_channel                      = "RAPID"
+  zones                                = var.node_locations
+  network                              = module.net[each.key].network_name
+  subnetwork                           = "${each.value["cluster_name"]}-${var.region}-snet"
+  ip_range_pods                        = "${each.value["cluster_name"]}-${var.region}-snet-pods"
+  ip_range_services                    = "${each.value["cluster_name"]}-${var.region}-snet-services"
+  enable_private_endpoint              = true
+  enable_private_nodes                 = true
+  datapath_provider                    = "ADVANCED_DATAPATH"
+  monitoring_enable_managed_prometheus = false
+  enable_shielded_nodes                = true
+  master_global_access_enabled         = false
+  master_ipv4_cidr_block               = var.secondary_ranges["master_cidr"]
+  master_authorized_networks           = var.master_authorized_networks
+  deletion_protection                  = false
+  remove_default_node_pool             = true
+  disable_default_snat                 = true
+  gateway_api_channel                  = "CHANNEL_STANDARD"
+
+  node_pools = [
+    {
+      name                      = "default"
+      machine_type              = "e2-highcpu-2"
+      min_count                 = 1
+      max_count                 = 100
+      local_ssd_count           = 0
+      spot                      = true
+      local_ssd_ephemeral_count = 0
+      disk_size_gb              = 100
+      disk_type                 = "pd-standard"
+      image_type                = "COS_CONTAINERD"
+      logging_variant           = "DEFAULT"
+      auto_repair               = true
+      auto_upgrade              = true
+      service_account           = google_service_account.gke-sa[each.key].email
+      initial_node_count        = 1
+      enable_secure_boot        = true
+    },
+  ]
+
+  node_pools_tags = {
+    all = ["gke-${random_id.rand.hex}"]
+  }
+
+  node_pools_oauth_scopes = {
+    all = [
+      "https://www.googleapis.com/auth/logging.write",
+      "https://www.googleapis.com/auth/monitoring",
+    ]
+  }
+
+  timeouts = {
+    create = "15m"
+    update = "15m"
+    delete = "15m"
+  }
+}

examples/island_cluster_anywhere_in_gcp_design/manifests/k8s.yaml

@@ -0,0 +1,88 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whereami
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: whereami
+  template:
+    metadata:
+      labels:
+        app: whereami
+    spec:
+      containers:
+      - name: whereami
+        image: us-docker.pkg.dev/google-samples/containers/gke/whereami:v1.2.19
+        ports:
+          - name: http
+            containerPort: 8080
+        resources:
+          requests:
+            cpu: "50m"
+            memory: 128Mi
+          limits:
+            cpu: "100m"
+            memory: 256Mi
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 5
+          timeoutSeconds: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whereami
+spec:
+  type: ClusterIP
+  selector:
+    app: whereami
+  ports:
+  - port: 80
+    targetPort: 8080
+    protocol: TCP
+---
+kind: Gateway
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: l7-ilb
+spec:
+  gatewayClassName: gke-l7-rilb
+  listeners:
+  - name: http
+    protocol: HTTP
+    port: 80
+  addresses:
+  - type: NamedAddress
+    value: gke-spoke-1-l7-rilb-ip
+---
+kind: HTTPRoute
+apiVersion: gateway.networking.k8s.io/v1beta1
+metadata:
+  name: whereami
+spec:
+  parentRefs:
+  - kind: Gateway
+    name: l7-ilb
+  rules:
+  - backendRefs:
+    - name: whereami
+      port: 80