feat: Add enable_cilium_clusterwide_network_policy support (#1972)
SavvasM1 authored Jun 25, 2024
1 parent a6210fc commit 72cf873
Showing 29 changed files with 112 additions and 6 deletions.
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,7 @@ Then perform the following commands on the root folder:
| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
Expand Down
3 changes: 3 additions & 0 deletions autogen/main/cluster.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,9 @@ resource "google_container_cluster" "primary" {
{% endif %}

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

{% if beta_cluster %}
enable_fqdn_network_policy = var.enable_fqdn_network_policy
{% endif %}
Expand Down
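Review bot: The new `enable_cilium_clusterwide_network_policy` attribute is wired unconditionally into `google_container_cluster.primary` with nothing guarding its prerequisite, so a user who sets it on a cluster that does not use GKE Dataplane V2 only finds out at apply time when the API rejects the cluster. As far as I know CiliumClusterWideNetworkPolicy is only enforced on Dataplane V2 (`datapath_provider = "ADVANCED_DATAPATH"`) and needs a recent enough GKE version; if the module exposes a `datapath_provider` input as I believe it does, a plan-time `precondition` in the resource's `lifecycle` block would surface the mistake early, for example `condition = !var.enable_cilium_clusterwide_network_policy || var.datapath_provider == "ADVANCED_DATAPATH"` with `error_message = "enable_cilium_clusterwide_network_policy requires datapath_provider = \"ADVANCED_DATAPATH\" (GKE Dataplane V2)."`. Since this is the autogen template, the same guard would then propagate to every generated module rather than being hand-copied. The resource block starts and ends outside this hunk, so confirm whether a `lifecycle` block already exists before adding a second one.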
7 changes: 7 additions & 0 deletions autogen/main/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -592,8 +592,15 @@ variable "enable_fqdn_network_policy" {
description = "Enable FQDN Network Policies on the cluster"
default = null
}

{% endif %}

variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
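Review bot: The description on the new `enable_cilium_clusterwide_network_policy` variable says nothing about what enabling it requires or what it does, which matters because this flag turns on a cluster-wide policy mechanism that operators may assume works on any cluster. I would extend it along the lines of `description = "Enable Cilium Cluster Wide Network Policies (CiliumClusterwideNetworkPolicy CRD) on the cluster. Requires GKE Dataplane V2 (datapath_provider = \"ADVANCED_DATAPATH\") and a supported GKE version; see the GKE network policy docs."`, hedging the exact version threshold until it is confirmed against the current GKE docs. It is also worth noting in the description that a cluster-wide policy applies across all namespaces, so enabling it and then applying a default-deny CCNP affects system namespaces too. Placing the block outside the `{% if beta_cluster %}` guard is correct since the GA provider supports the attribute, and `default = false` matches the provider default.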
3 changes: 3 additions & 0 deletions cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,9 @@ resource "google_container_cluster" "primary" {
enable_tpu = var.enable_tpu

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
content {
Expand Down
1 change: 1 addition & 0 deletions modules/beta-autopilot-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ Then perform the following commands on the root folder:
| description | The description of the cluster | `string` | `""` | no |
| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
Expand Down
5 changes: 4 additions & 1 deletion modules/beta-autopilot-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,10 @@ resource "google_container_cluster" "primary" {
enabled = var.enable_vertical_pod_autoscaling
}

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

enable_fqdn_network_policy = var.enable_fqdn_network_policy
enable_autopilot = true
dynamic "master_authorized_networks_config" {
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-autopilot-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -399,6 +399,13 @@ variable "enable_fqdn_network_policy" {
default = null
}


variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
1 change: 1 addition & 0 deletions modules/beta-autopilot-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ Then perform the following commands on the root folder:
| description | The description of the cluster | `string` | `""` | no |
| disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
Expand Down
5 changes: 4 additions & 1 deletion modules/beta-autopilot-public-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,10 @@ resource "google_container_cluster" "primary" {
enabled = var.enable_vertical_pod_autoscaling
}

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

enable_fqdn_network_policy = var.enable_fqdn_network_policy
enable_autopilot = true
dynamic "master_authorized_networks_config" {
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-autopilot-public-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -369,6 +369,13 @@ variable "enable_fqdn_network_policy" {
default = null
}


variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
1 change: 1 addition & 0 deletions modules/beta-private-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,7 @@ Then perform the following commands on the root folder:
| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
Expand Down
5 changes: 4 additions & 1 deletion modules/beta-private-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" {
}
}

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

enable_fqdn_network_policy = var.enable_fqdn_network_policy
dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-private-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -568,6 +568,13 @@ variable "enable_fqdn_network_policy" {
default = null
}


variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
1 change: 1 addition & 0 deletions modules/beta-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -175,6 +175,7 @@ Then perform the following commands on the root folder:
| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
Expand Down
5 changes: 4 additions & 1 deletion modules/beta-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" {
}
}

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

enable_fqdn_network_policy = var.enable_fqdn_network_policy
dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -568,6 +568,13 @@ variable "enable_fqdn_network_policy" {
default = null
}


variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
1 change: 1 addition & 0 deletions modules/beta-public-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -190,6 +190,7 @@ Then perform the following commands on the root folder:
| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
Expand Down
5 changes: 4 additions & 1 deletion modules/beta-public-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" {
}
}

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

enable_fqdn_network_policy = var.enable_fqdn_network_policy
dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-public-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -538,6 +538,13 @@ variable "enable_fqdn_network_policy" {
default = null
}


variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
1 change: 1 addition & 0 deletions modules/beta-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,7 @@ Then perform the following commands on the root folder:
| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
Expand Down
5 changes: 4 additions & 1 deletion modules/beta-public-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -198,7 +198,10 @@ resource "google_container_cluster" "primary" {
}
}

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

enable_fqdn_network_policy = var.enable_fqdn_network_policy
dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
Expand Down
7 changes: 7 additions & 0 deletions modules/beta-public-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -538,6 +538,13 @@ variable "enable_fqdn_network_policy" {
default = null
}


variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
1 change: 1 addition & 0 deletions modules/private-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,7 @@ Then perform the following commands on the root folder:
| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
Expand Down
3 changes: 3 additions & 0 deletions modules/private-cluster-update-variant/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,9 @@ resource "google_container_cluster" "primary" {
enable_tpu = var.enable_tpu

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
content {
Expand Down
6 changes: 6 additions & 0 deletions modules/private-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -544,6 +544,12 @@ variable "enable_confidential_nodes" {
default = false
}

variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
1 change: 1 addition & 0 deletions modules/private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -169,6 +169,7 @@ Then perform the following commands on the root folder:
| disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | `bool` | `true` | no |
| dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `false` | no |
| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
| enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
| enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
| enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
| enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
Expand Down
3 changes: 3 additions & 0 deletions modules/private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -177,6 +177,9 @@ resource "google_container_cluster" "primary" {
enable_tpu = var.enable_tpu

enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting

enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

dynamic "master_authorized_networks_config" {
for_each = local.master_authorized_networks_config
content {
Expand Down
6 changes: 6 additions & 0 deletions modules/private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -544,6 +544,12 @@ variable "enable_confidential_nodes" {
default = false
}

variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
6 changes: 6 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -514,6 +514,12 @@ variable "enable_confidential_nodes" {
default = false
}

variable "enable_cilium_clusterwide_network_policy" {
type = bool
description = "Enable Cilium Cluster Wide Network Policies on the cluster"
default = false
}

variable "security_posture_mode" {
description = "Security posture mode. Accepted values are `DISABLED` and `BASIC`. Defaults to `DISABLED`."
type = string
Expand Down
