From 36f30e9371914c2a3e2f47458046c62cc2f9a6a6 Mon Sep 17 00:00:00 2001
From: Savvas
Date: Sun, 9 Jun 2024 15:21:25 +0300
Subject: [PATCH 1/4] Enable clusterwide network policies

---
 README.md | 1 +
 autogen/main/cluster.tf.tmpl | 3 +++
 autogen/main/variables.tf.tmpl | 6 ++++++
 cluster.tf | 3 +++
 modules/beta-autopilot-private-cluster/README.md | 1 +
 modules/beta-autopilot-private-cluster/cluster.tf | 3 +++
 modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++
 modules/beta-autopilot-public-cluster/README.md | 1 +
 modules/beta-autopilot-public-cluster/cluster.tf | 3 +++
 modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++
 modules/beta-private-cluster-update-variant/README.md | 1 +
 modules/beta-private-cluster-update-variant/cluster.tf | 5 ++++-
 modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++
 modules/beta-private-cluster/README.md | 1 +
 modules/beta-private-cluster/cluster.tf | 5 ++++-
 modules/beta-private-cluster/variables.tf | 6 ++++++
 modules/beta-public-cluster-update-variant/README.md | 1 +
 modules/beta-public-cluster-update-variant/cluster.tf | 5 ++++-
 modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++
 modules/beta-public-cluster/README.md | 1 +
 modules/beta-public-cluster/cluster.tf | 5 ++++-
 modules/beta-public-cluster/variables.tf | 6 ++++++
 modules/private-cluster-update-variant/README.md | 1 +
 modules/private-cluster-update-variant/cluster.tf | 3 +++
 modules/private-cluster-update-variant/variables.tf | 6 ++++++
 modules/private-cluster/README.md | 1 +
 modules/private-cluster/cluster.tf | 3 +++
 modules/private-cluster/variables.tf | 6 ++++++
 variables.tf | 6 ++++++
 29 files changed, 103 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index cd04741814..dfbb135cf1 100644
--- a/README.md
+++ b/README.md
@@ -161,6 +161,7 @@ Then perform the following commands on the root folder:
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
+| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 859499c51a..5c967098c2 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -236,6 +236,9 @@ resource "google_container_cluster" "primary" {
 enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 {% endif %} + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + {% if beta_cluster %}
 enable_fqdn_network_policy = var.enable_fqdn_network_policy
 {% endif %}
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
index 375df975b5..651afdbe73 100644
--- a/autogen/main/variables.tf.tmpl
+++ b/autogen/main/variables.tf.tmpl
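Review bot: The `enable_cilium_clusterwide_network_policy` argument added after the `{% endif %}` is emitted into every generated module unconditionally, yet nothing in this series raises the provider version constraint (versions.tf and its autogen template are not part of the patch); if the pinned minimum `google` provider predates this argument on `google_container_cluster`, every module fails `terraform validate`, not only callers who set the flag. Check which provider release first exposes the argument and bump the constraint in the same change, or state in the commit message that the current minimum already covers it. The same applies to the root cluster.tf hunk and to the private-cluster and private-cluster-update-variant cluster.tf hunks later in this patch. The `google_container_cluster` resource block starts and ends outside the hunk.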
@@ -584,6 +584,12 @@ variable "enable_fqdn_network_policy" { description = "Enable FQDN Network Policies on the cluster" default = null } + +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} {% endif %} variable "security_posture_mode" { diff --git a/cluster.tf b/cluster.tf index 7bb3a42d4e..8df2443cee 100644 --- a/cluster.tf +++ b/cluster.tf @@ -175,6 +175,9 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 5628cde23f..a594412bdf 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -88,6 +88,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | 
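Review bot: The description of the new `enable_cilium_clusterwide_network_policy` variable omits both its prerequisite and the scope of what it turns on: on GKE the cluster-wide Cilium policy API needs Dataplane V2 (`datapath_provider` set to `ADVANCED_DATAPATH`), and enabling it only makes cluster-scoped `CiliumClusterwideNetworkPolicy` objects available — it creates no policy and enforces nothing by itself, so a reader of the generated README table may assume a default-deny posture that does not exist. Suggest `description = "Enable Cilium Cluster Wide Network Policies on the cluster. Requires GKE Dataplane V2 (datapath_provider set to ADVANCED_DATAPATH); enabling it only makes cluster-scoped CiliumClusterwideNetworkPolicy resources available and does not create or enforce any policy."`, and consider a `precondition` on the cluster resource that rejects `true` when the datapath provider is not `ADVANCED_DATAPATH`, since a variable `validation` block cannot reference another variable in older Terraform releases. The per-module variables.tf hunks in this patch carry the same description and would pick the wording up on the next `make build`.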
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 397c7755b9..66338c5154 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -84,6 +84,9 @@ resource "google_container_cluster" "primary" { vertical_pod_autoscaling { enabled = var.enable_vertical_pod_autoscaling } + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 9e5c223a81..22f73b684d 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -399,6 +399,12 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 0e3c169dff..fdad3c316c 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md 
@@ -81,6 +81,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 01ea54baf4..14c80a056b 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -84,6 +84,9 @@ resource "google_container_cluster" "primary" { vertical_pod_autoscaling { enabled = var.enable_vertical_pod_autoscaling } + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" { diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index 0ecca7a1a3..d1d2f4675d 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf 
@@ -369,6 +369,12 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index df021bbc49..cdb5f1d2db 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -196,6 +196,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index a5b96fd63c..c54edd4227 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf 
@@ -196,7 +196,10 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index f5bae458a5..487aedf022 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -562,6 +562,12 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 2fec641037..31ac4ff839 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -174,6 +174,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 4ec2614867..819f299fb0 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -196,7 +196,10 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index f5bae458a5..487aedf022 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -562,6 +562,12 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index eb71fa8cf5..1ef4ce5c31 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -189,6 +189,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 8461ae63b7..1ac6ecae7e 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf 
@@ -196,7 +196,10 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 0a3b46eefb..69369e4e1a 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -532,6 +532,12 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 5f1d6445f9..bb0c5e3a3d 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -167,6 +167,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 0a92c4d317..f477116eba 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -196,7 +196,10 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 0a3b46eefb..69369e4e1a 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -532,6 +532,12 @@ variable "enable_fqdn_network_policy" { default = null } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md index ad4e7d90cf..29becf5033 100644 --- a/modules/private-cluster-update-variant/README.md +++ b/modules/private-cluster-update-variant/README.md @@ -190,6 +190,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf index a6bff1de29..14c917a846 100644 
--- a/modules/private-cluster-update-variant/cluster.tf +++ b/modules/private-cluster-update-variant/cluster.tf @@ -175,6 +175,9 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf index 9f3c9f0952..1e3d1b92a3 100644 --- a/modules/private-cluster-update-variant/variables.tf +++ b/modules/private-cluster-update-variant/variables.tf @@ -538,6 +538,12 @@ variable "enable_confidential_nodes" { default = false } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 692d0a0e79..9ab2aae484 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -168,6 +168,7 @@ Then perform the following commands on the root folder: | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | +| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index 7f3f78766b..f348ca7c8b 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -175,6 +175,9 @@ resource "google_container_cluster" "primary" { enable_tpu = var.enable_tpu enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy + dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index 9f3c9f0952..1e3d1b92a3 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -538,6 +538,12 @@ variable "enable_confidential_nodes" { default = false } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string diff --git a/variables.tf b/variables.tf index bf850ccc99..eede92f75a 100644 --- a/variables.tf +++ b/variables.tf @@ -723,6 +723,12 @@ variable "enable_l4_ilb_subsetting" { default = false } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string From 32745c75584bda6fc3646d19da0ecf14ffc44486 Mon Sep 17 00:00:00 2001 From: Savvas Date: Sun, 16 Jun 2024 00:07:29 +0300 Subject: [PATCH 2/4] Pull variable outside the if beta cluster condition --- autogen/main/variables.tf.tmpl | 3 ++- modules/beta-autopilot-private-cluster/variables.tf | 1 + modules/beta-autopilot-public-cluster/variables.tf | 1 + .../beta-private-cluster-update-variant/variables.tf | 1 + modules/beta-private-cluster/variables.tf | 1 + .../beta-public-cluster-update-variant/variables.tf | 1 + modules/beta-public-cluster/variables.tf | 1 + variables.tf | 12 ++++++------ 8 files changed, 14 insertions(+), 7 deletions(-) diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 651afdbe73..6d0c8bf688 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
@@ -585,12 +585,13 @@ variable "enable_fqdn_network_policy" { default = null } +{% endif %} + variable "enable_cilium_clusterwide_network_policy" { type = bool description = "Enable Cilium Cluster Wide Network Policies on the cluster" default = false } -{% endif %} variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 22f73b684d..9e3d1f62ba 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -399,6 +399,7 @@ variable "enable_fqdn_network_policy" { default = null } + variable "enable_cilium_clusterwide_network_policy" { type = bool description = "Enable Cilium Cluster Wide Network Policies on the cluster" diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index d1d2f4675d..af64e9394a 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -369,6 +369,7 @@ variable "enable_fqdn_network_policy" { default = null } + variable "enable_cilium_clusterwide_network_policy" { type = bool description = "Enable Cilium Cluster Wide Network Policies on the cluster" diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 487aedf022..9903c14fb8 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -562,6 +562,7 @@ variable "enable_fqdn_network_policy" { default = null } + variable "enable_cilium_clusterwide_network_policy" { type = bool description = "Enable Cilium Cluster Wide Network Policies on the cluster" 
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 487aedf022..9903c14fb8 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -562,6 +562,7 @@ variable "enable_fqdn_network_policy" { default = null } + variable "enable_cilium_clusterwide_network_policy" { type = bool description = "Enable Cilium Cluster Wide Network Policies on the cluster" diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 69369e4e1a..0b3f8e397a 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -532,6 +532,7 @@ variable "enable_fqdn_network_policy" { default = null } + variable "enable_cilium_clusterwide_network_policy" { type = bool description = "Enable Cilium Cluster Wide Network Policies on the cluster" diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 69369e4e1a..0b3f8e397a 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -532,6 +532,7 @@ variable "enable_fqdn_network_policy" { default = null } + variable "enable_cilium_clusterwide_network_policy" { type = bool description = "Enable Cilium Cluster Wide Network Policies on the cluster" diff --git a/variables.tf b/variables.tf index eede92f75a..e81f9140ff 100644 --- a/variables.tf +++ b/variables.tf @@ -508,6 +508,12 @@ variable "enable_confidential_nodes" { default = false } +variable "enable_cilium_clusterwide_network_policy" { + type = bool + description = "Enable Cilium Cluster Wide Network Policies on the cluster" + default = false +} + variable "security_posture_mode" { description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`." type = string 
@@ -723,12 +729,6 @@ variable "enable_l4_ilb_subsetting" { default = false } -variable "enable_cilium_clusterwide_network_policy" { - type = bool - description = "Enable Cilium Cluster Wide Network Policies on the cluster" - default = false -} - variable "fleet_project" { description = "(Optional) Register the cluster with the fleet in this project." type = string From f261c428cd5744381dd6f642c32392b856083536 Mon Sep 17 00:00:00 2001 From: SavvasM1 <83591012+SavvasM1@users.noreply.github.com> Date: Fri, 21 Jun 2024 10:55:09 +0300 Subject: [PATCH 3/4] Add clusterwide variable back --- modules/beta-autopilot-private-cluster/cluster.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 857f2def26..3e65c455af 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -84,8 +84,8 @@ resource "google_container_cluster" "primary" { vertical_pod_autoscaling { enabled = var.enable_vertical_pod_autoscaling } - - + + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_fqdn_network_policy = var.enable_fqdn_network_policy From cae3fa8868b437d10777bf1f4e571db780175fcd Mon Sep 17 00:00:00 2001 From: Savvas Date: Sat, 22 Jun 2024 08:54:10 +0300 Subject: [PATCH 4/4] Re-run make-build and lint --- modules/beta-autopilot-private-cluster/cluster.tf | 8 ++++---- modules/beta-autopilot-public-cluster/cluster.tf | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 3e65c455af..bfee2c0445 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf 
@@ -84,12 +84,12 @@ resource "google_container_cluster" "primary" { vertical_pod_autoscaling { enabled = var.enable_vertical_pod_autoscaling } - + + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting - + enable_fqdn_network_policy = var.enable_fqdn_network_policy - enable_autopilot = true dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 13e7187576..8fb6118780 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -85,10 +85,10 @@ resource "google_container_cluster" "primary" { enabled = var.enable_vertical_pod_autoscaling } + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting - enable_fqdn_network_policy = var.enable_fqdn_network_policy enable_autopilot = true dynamic "master_authorized_networks_config" {