From 38430c4e021297c557332fa71bf6b093bc8171e1 Mon Sep 17 00:00:00 2001 From: Till Adam Date: Wed, 6 Sep 2023 12:19:45 +0200 Subject: [PATCH] feat: add fqdn policies --- autogen/main/cluster.tf.tmpl | 3 +++ autogen/main/variables.tf.tmpl | 6 ++++++ autogen/main/versions.tf.tmpl | 4 ++-- modules/beta-autopilot-private-cluster/README.md | 1 + modules/beta-autopilot-private-cluster/cluster.tf | 3 ++- modules/beta-autopilot-private-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-private-cluster/versions.tf | 4 ++-- modules/beta-autopilot-public-cluster/README.md | 1 + modules/beta-autopilot-public-cluster/cluster.tf | 3 ++- modules/beta-autopilot-public-cluster/variables.tf | 6 ++++++ modules/beta-autopilot-public-cluster/versions.tf | 4 ++-- modules/beta-private-cluster-update-variant/README.md | 1 + modules/beta-private-cluster-update-variant/cluster.tf | 3 ++- modules/beta-private-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-private-cluster-update-variant/versions.tf | 4 ++-- modules/beta-private-cluster/README.md | 1 + modules/beta-private-cluster/cluster.tf | 3 ++- modules/beta-private-cluster/variables.tf | 6 ++++++ modules/beta-private-cluster/versions.tf | 4 ++-- modules/beta-public-cluster-update-variant/README.md | 1 + modules/beta-public-cluster-update-variant/cluster.tf | 3 ++- modules/beta-public-cluster-update-variant/variables.tf | 6 ++++++ modules/beta-public-cluster-update-variant/versions.tf | 4 ++-- modules/beta-public-cluster/README.md | 1 + modules/beta-public-cluster/cluster.tf | 3 ++- modules/beta-public-cluster/variables.tf | 6 ++++++ modules/beta-public-cluster/versions.tf | 4 ++-- 27 files changed, 77 insertions(+), 20 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 6312993cb4..e861fc59fb 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -210,6 +210,9 @@ resource "google_container_cluster" "primary" { enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting {% endif %} {% endif %} +{% if beta_cluster %} + enable_fqdn_network_policy = var.enable_fqdn_network_policy +{% endif %} {% if autopilot_cluster %} enable_autopilot = true {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 2525d07242..1e55751b1b 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -553,6 +553,12 @@ variable "workload_config_audit_mode" { type = string default = "DISABLED" } + +variable "enable_fqdn_network_policy" { + type = bool + description = "Enable FQDN Network Policies on the cluster" + default = false +} {% endif %} variable "disable_default_snat" { diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl index 494d40d45f..541fbe469b 100644 --- a/autogen/main/versions.tf.tmpl +++ b/autogen/main/versions.tf.tmpl @@ -24,11 +24,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index bda0297ff9..d80a80f6f5 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -86,6 +86,7 @@ Then perform the following commands on the root folder: | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | `bool` | `false` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 5e79c23dac..30a347efe4 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -81,7 +81,8 @@ resource "google_container_cluster" "primary" { vertical_pod_autoscaling { enabled = var.enable_vertical_pod_autoscaling } - enable_autopilot = true + enable_fqdn_network_policy = var.enable_fqdn_network_policy + enable_autopilot = true dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index 86483f30d9..41deaed971 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf @@ -379,6 +379,12 @@ variable "workload_config_audit_mode" { default = "DISABLED" } +variable "enable_fqdn_network_policy" { + type = bool + description = "Enable FQDN Network Policies on the cluster" + default = false +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf index 7125c7b741..188edf2468 100644 --- a/modules/beta-autopilot-private-cluster/versions.tf +++ b/modules/beta-autopilot-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index f788a817a8..35be0e6e11 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -79,6 +79,7 @@ Then perform the following commands on the root folder: | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no | | enable\_tpu | Enable Cloud TPU resources in the cluster. WARNING: changing this after cluster creation is destructive! | `bool` | `false` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 4c9569106a..6d96f25659 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -81,7 +81,8 @@ resource "google_container_cluster" "primary" { vertical_pod_autoscaling { enabled = var.enable_vertical_pod_autoscaling } - enable_autopilot = true + enable_fqdn_network_policy = var.enable_fqdn_network_policy + enable_autopilot = true dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index c8776f6853..b7368e75bd 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -349,6 +349,12 @@ variable "workload_config_audit_mode" { default = "DISABLED" } +variable "enable_fqdn_network_policy" { + type = bool + description = "Enable FQDN Network Policies on the cluster" + default = false +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index cb0a26bc62..373ba14b89 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index e9aed6200b..c499abe9de 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -191,6 +191,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 0234c223f2..0a41d8b524 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -170,7 +170,8 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 119f9a5c09..284e99d34b 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf @@ -524,6 +524,12 @@ variable "workload_config_audit_mode" { default = "DISABLED" } +variable "enable_fqdn_network_policy" { + type = bool + description = "Enable FQDN Network Policies on the cluster" + default = false +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf index 090b353012..7ffef41630 100644 --- a/modules/beta-private-cluster-update-variant/versions.tf +++ b/modules/beta-private-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f47073beca..d56e1abd60 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -169,6 +169,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 02c6f3fca3..08388e1b17 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -170,7 +170,8 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 119f9a5c09..284e99d34b 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -524,6 +524,12 @@ variable "workload_config_audit_mode" { default = "DISABLED" } +variable "enable_fqdn_network_policy" { + type = bool + description = "Enable FQDN Network Policies on the cluster" + default = false +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index 736e1f16bf..300187e24f 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 2ea2d6489d..95088c2bcc 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -184,6 +184,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index 43b03300df..844a3d0b00 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -170,7 +170,8 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 05bab8df6b..cda040c7ee 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf @@ -494,6 +494,12 @@ variable "workload_config_audit_mode" { default = "DISABLED" } +variable "enable_fqdn_network_policy" { + type = bool + description = "Enable FQDN Network Policies on the cluster" + default = false +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf index 214a5841b8..35c1e24ce2 100644 --- a/modules/beta-public-cluster-update-variant/versions.tf +++ b/modules/beta-public-cluster-update-variant/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index eee0349812..2c7bd76a0c 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md @@ -162,6 +162,7 @@ Then perform the following commands on the root folder: | enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | +| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `false` | no | | enable\_identity\_service | Enable the Identity Service component, which allows customers to use external identity providers with the K8S API. | `bool` | `false` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | `bool` | `false` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 1183a20d12..74e84b4430 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -170,7 +170,8 @@ resource "google_container_cluster" "primary" { } } - enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting + enable_fqdn_network_policy = var.enable_fqdn_network_policy dynamic "master_authorized_networks_config" { for_each = local.master_authorized_networks_config content { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 05bab8df6b..cda040c7ee 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -494,6 +494,12 @@ variable "workload_config_audit_mode" { default = "DISABLED" } +variable "enable_fqdn_network_policy" { + type = bool + description = "Enable FQDN Network Policies on the cluster" + default = false +} + variable "disable_default_snat" { type = bool description = "Whether to disable the default SNAT to support the private use of public IP addresses" diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf index 39299bb4d7..65edf114f4 100644 --- a/modules/beta-public-cluster/versions.tf +++ b/modules/beta-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.76.0, < 5.0, !=4.65.0, !=4.65.1" + version = ">= 4.81.0, < 5.0, !=4.65.0, !=4.65.1" } kubernetes = { source = "hashicorp/kubernetes"