From d919a9bd01d48a537ba48068ab990502c9bd8d87 Mon Sep 17 00:00:00 2001
From: Matthis Holleville
Date: Mon, 10 Jun 2024 10:20:33 +0200
Subject: [PATCH 1/3] feat: enable Cilium cluster-wide network policy support
Enabled support for CiliumClusterWideNetworkPolicy across various Terraform modules to enhance network security and policy enforcement capabilities in Kubernetes clusters. This change allows for the utilization of Cilium's extended network policy features, providing users with the option to enforce more granular network policies at the cluster level.
Signed-off-by: Matthis Holleville
---
 cluster.tf | 2 ++
 modules/beta-private-cluster-update-variant/cluster.tf | 1 +
 modules/beta-private-cluster-update-variant/variables.tf | 5 +++++
 modules/beta-private-cluster/cluster.tf | 2 ++
 modules/beta-private-cluster/variables.tf | 5 +++++
 modules/private-cluster/cluster.tf | 1 +
 modules/private-cluster/variables.tf | 5 +++++
 modules/safer-cluster-update-variant/main.tf | 1 +
 modules/safer-cluster-update-variant/variables.tf | 5 +++++
 modules/safer-cluster/main.tf | 1 +
 modules/safer-cluster/variables.tf | 5 +++++
 variables.tf | 6 ++++++
 12 files changed, 39 insertions(+)
diff --git a/cluster.tf b/cluster.tf
index 7bb3a42d4e..d579ea181c 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -171,6 +171,8 @@ resource "google_container_cluster" "primary" {
 }
 }
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 enable_kubernetes_alpha = var.enable_kubernetes_alpha
 enable_tpu = var.enable_tpu
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index a5b96fd63c..a749968b21 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
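Review bot: The new `enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy` line in `cluster.tf` passes the flag through with no check against the datapath provider, and the same unconditional pass-through appears in the `modules/beta-private-cluster-update-variant`, `modules/beta-private-cluster` and `modules/private-cluster` cluster.tf hunks. CiliumClusterwideNetworkPolicy is a Cilium (GKE Dataplane V2) feature, so requesting it on a cluster whose `datapath_provider` is not `ADVANCED_DATAPATH` is, as far as I know, refused by the API at apply time, after the plan has already been approved. A `precondition` on `google_container_cluster.primary` surfaces the conflict at plan time with a message that names the fix; a variable-level `validation` block can only reference its own variable on older Terraform releases, so the resource-level check is the portable place. If the resource already has a `lifecycle` block the precondition goes into it, and the resource body continues outside this hunk.
```terraform
  enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

  # … unchanged: remaining cluster arguments …

  lifecycle {
    precondition {
      condition     = !var.enable_cilium_clusterwide_network_policy || var.datapath_provider == "ADVANCED_DATAPATH"
      error_message = "enable_cilium_clusterwide_network_policy requires datapath_provider = \"ADVANCED_DATAPATH\" (GKE Dataplane V2)."
    }
  }
```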
@@ -309,6 +309,7 @@ resource "google_container_cluster" "primary" {
 }
 datapath_provider = var.datapath_provider
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 networking_mode = "VPC_NATIVE"
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index f5bae458a5..134ef4757e 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -848,3 +848,8 @@ variable "fleet_project_grant_service_agent" {
 type = bool
 default = false
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
+ type = bool
+}
\ No newline at end of file
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 4ec2614867..f35771ce63 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -309,6 +309,8 @@ resource "google_container_cluster" "primary" {
 }
 datapath_provider = var.datapath_provider
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
+
 networking_mode = "VPC_NATIVE"
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index f5bae458a5..134ef4757e 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -848,3 +848,8 @@ variable "fleet_project_grant_service_agent" {
 type = bool
 default = false
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
+ type = bool
+}
\ No newline at end of file
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 7f3f78766b..7609b49f23 100644
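Review bot: The `description` on the new `enable_cilium_clusterwide_network_policy` variable in `modules/beta-private-cluster-update-variant/variables.tf` says nothing about the datapath the feature depends on, and the identical text is repeated in the `modules/beta-private-cluster`, `modules/private-cluster`, `modules/safer-cluster-update-variant`, `modules/safer-cluster` and root `variables.tf` hunks. The flag only has meaning on a Dataplane V2 cluster, and the description is the text any README variables table or `terraform-docs` output would carry, so that is where a user will look for the requirement: `description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Requires datapath_provider = \"ADVANCED_DATAPATH\" (GKE Dataplane V2). Defaults to false."`. Separately, every one of these variables.tf hunks ends with `\ No newline at end of file`, and that persists through the third patch of the series; `terraform fmt` will rewrite those files, so the trailing newline should be added before merge.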
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -269,6 +269,7 @@ resource "google_container_cluster" "primary" {
 }
 datapath_provider = var.datapath_provider
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 security_posture_config {
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 9f3c9f0952..281595521b 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -758,3 +758,8 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
+ type = bool
+}
\ No newline at end of file
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index f79239f47d..2298bbe651 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -69,6 +69,7 @@ module "gke" {
 // it provides redundant NetworkPolicy capabilities. If V2 is enabled, the
 // Calico add-on should be disabled.
 network_policy = var.datapath_provider == "ADVANCED_DATAPATH" ? false : true
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 // Default to the recommended Dataplane V2 which enables NetworkPolicies and
 // allows for network policy logging of allowed and denied requests to Pods.
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index d6e72d35c4..94faf9d0e5 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
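Review bot: The `modules/private-cluster/cluster.tf` hunk wires the argument into `private-cluster`, yet the series' diffstat lists no `private-cluster-update-variant` and no public-cluster variants, while both `beta-private-cluster` and its `-update-variant` are covered, so the flag is likely missing from sibling modules that exist alongside these. If these modules are produced from a shared autogen template, as this repository's layout suggests, the edit belongs in the template and the modules should be regenerated; otherwise the next regeneration will drop the argument again. None of the hunks touch a `versions.tf`: if the modules pin a minimum `google` provider version, it should be raised to the first release that accepts `enable_cilium_clusterwide_network_policy` on `google_container_cluster`, or users on an older pin get an unsupported-argument error instead of a clear version-constraint failure. The `google_container_cluster.primary` body continues outside this hunk.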
@@ -532,3 +532,8 @@ variable "deletion_protection" {
 description = "Whether or not to allow Terraform to destroy the cluster."
 default = true
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
+ type = bool
+}
\ No newline at end of file
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index ac8b6d9409..214872b1ae 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -73,6 +73,7 @@ module "gke" {
 // Default to the recommended Dataplane V2 which enables NetworkPolicies and
 // allows for network policy logging of allowed and denied requests to Pods.
 datapath_provider = var.datapath_provider
+ enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 maintenance_start_time = var.maintenance_start_time
 maintenance_end_time = var.maintenance_end_time
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index d6e72d35c4..94faf9d0e5 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -532,3 +532,8 @@ variable "deletion_protection" {
 description = "Whether or not to allow Terraform to destroy the cluster."
 default = true
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
+ type = bool
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index bf850ccc99..ca79ba677f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -728,3 +728,9 @@ variable "fleet_project" {
 type = string
 default = null
 }
+
+variable "enable_cilium_clusterwide_network_policy" {
+ description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
+ type = bool
+ default = false
+}
\ No newline at end of file
From 0a8164f2df67c509a2a41607625c5f8f4811f125 Mon Sep 17 00:00:00 2001
From: Matthis Holleville
Date: Mon, 10 Jun 2024 10:21:00 +0200
Subject: [PATCH 2/3] feat: Improve readability and consistency in Terraform configurations
Aligned variable assignments across multiple Terraform modules to enhance readability and maintain consistency in the codebase. This change ensures that the code formatting follows best practices, making it easier for developers to understand and maintain the infrastructure as code.
Signed-off-by: Matthis Holleville
---
 modules/beta-private-cluster-update-variant/cluster.tf | 2 +-
 modules/beta-private-cluster/cluster.tf | 4 ++--
 modules/private-cluster/cluster.tf | 2 +-
 modules/safer-cluster-update-variant/main.tf | 2 +-
 modules/safer-cluster/main.tf | 2 +-
 variables.tf | 2 +-
 6 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index a749968b21..8f3c95ad36 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -308,7 +308,7 @@ resource "google_container_cluster" "primary" {
 }
 }
- datapath_provider = var.datapath_provider
+ datapath_provider = var.datapath_provider
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 networking_mode = "VPC_NATIVE"
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index f35771ce63..809d6e31df 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -308,9 +308,9 @@ resource "google_container_cluster" "primary" {
 }
 }
- datapath_provider = var.datapath_provider
+ datapath_provider = var.datapath_provider
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
-
+
 networking_mode = "VPC_NATIVE"
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 7609b49f23..0a0b64a4cc 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -268,7 +268,7 @@ resource "google_container_cluster" "primary" {
 }
 }
- datapath_provider = var.datapath_provider
+ datapath_provider = var.datapath_provider
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf
index 2298bbe651..9432da898e 100644
--- a/modules/safer-cluster-update-variant/main.tf
+++ b/modules/safer-cluster-update-variant/main.tf
@@ -68,7 +68,7 @@ module "gke" {
 // NOTE: Dataplane-V2 conflicts with the Calico network policy add-on because
 // it provides redundant NetworkPolicy capabilities. If V2 is enabled, the
 // Calico add-on should be disabled.
- network_policy = var.datapath_provider == "ADVANCED_DATAPATH" ? false : true
+ network_policy = var.datapath_provider == "ADVANCED_DATAPATH" ? false : true
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 // Default to the recommended Dataplane V2 which enables NetworkPolicies and
diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf
index 214872b1ae..8f3086d859 100644
--- a/modules/safer-cluster/main.tf
+++ b/modules/safer-cluster/main.tf
@@ -72,7 +72,7 @@ module "gke" {
 // Default to the recommended Dataplane V2 which enables NetworkPolicies and
 // allows for network policy logging of allowed and denied requests to Pods.
- datapath_provider = var.datapath_provider
+ datapath_provider = var.datapath_provider
 enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 maintenance_start_time = var.maintenance_start_time
diff --git a/variables.tf b/variables.tf
index ca79ba677f..be0c836eef 100644
--- a/variables.tf
+++ b/variables.tf
@@ -732,5 +732,5 @@ variable "fleet_project" {
 variable "enable_cilium_clusterwide_network_policy" {
 description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
 type = bool
- default = false
+ default = false
 }
\ No newline at end of file
From c52c7f12a76da6df3637b09b56b45c6f6583c83c Mon Sep 17 00:00:00 2001
From: Matthis Holleville
Date: Mon, 10 Jun 2024 10:23:52 +0200
Subject: [PATCH 3/3] feat: enable default false for CiliumClusterWideNetworkPolicy across modules
Ensured consistency in the default behavior of CiliumClusterWideNetworkPolicy across various Terraform modules by setting its default value to false. This change aligns the modules' configurations with best practices for optional features, providing a safer default configuration for users.
Signed-off-by: Matthis Holleville
---
 modules/beta-private-cluster-update-variant/variables.tf | 1 +
 modules/beta-private-cluster/variables.tf | 1 +
 modules/private-cluster/variables.tf | 1 +
 modules/safer-cluster-update-variant/variables.tf | 1 +
 modules/safer-cluster/variables.tf | 1 +
 5 files changed, 5 insertions(+)
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
index 134ef4757e..5466bd6479 100644
--- a/modules/beta-private-cluster-update-variant/variables.tf
+++ b/modules/beta-private-cluster-update-variant/variables.tf
@@ -852,4 +852,5 @@ variable "fleet_project_grant_service_agent" {
 variable "enable_cilium_clusterwide_network_policy" {
 description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
 type = bool
+ default = false
 }
\ No newline at end of file
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
index 134ef4757e..5466bd6479 100644
--- a/modules/beta-private-cluster/variables.tf
+++ b/modules/beta-private-cluster/variables.tf
@@ -852,4 +852,5 @@ variable "fleet_project_grant_service_agent" {
 variable "enable_cilium_clusterwide_network_policy" {
 description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
 type = bool
+ default = false
 }
\ No newline at end of file
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 281595521b..254135d8b6 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -762,4 +762,5 @@ variable "fleet_project" {
 variable "enable_cilium_clusterwide_network_policy" {
 description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
 type = bool
+ default = false
 }
\ No newline at end of file
diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf
index 94faf9d0e5..6e9d04f2bf 100644
--- a/modules/safer-cluster-update-variant/variables.tf
+++ b/modules/safer-cluster-update-variant/variables.tf
@@ -536,4 +536,5 @@ variable "deletion_protection" {
 variable "enable_cilium_clusterwide_network_policy" {
 description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
 type = bool
+ default = false
 }
\ No newline at end of file
diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf
index 94faf9d0e5..6e9d04f2bf 100644
--- a/modules/safer-cluster/variables.tf
+++ b/modules/safer-cluster/variables.tf
@@ -536,4 +536,5 @@ variable "deletion_protection" {
 variable "enable_cilium_clusterwide_network_policy" {
 description = "(Optional) Whether CiliumClusterWideNetworkPolicy is enabled on this cluster. Defaults to false."
 type = bool
+ default = false
 }
\ No newline at end of file