diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index dfc78b0f76..ab5d52fbde 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -151,7 +151,14 @@ resource "google_container_cluster" "primary" {
  {% if autopilot_cluster != true %}
  default_max_pods_per_node = var.default_max_pods_per_node
  enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  {% if beta_cluster %}
  enable_intranode_visibility = var.enable_intranode_visibility
  enable_kubernetes_alpha = var.enable_kubernetes_alpha
diff --git a/cluster.tf b/cluster.tf
index 88d642bdb1..fd49dc15a3 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
  vertical_pod_autoscaling {
  enabled = var.enable_vertical_pod_autoscaling
  }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  dynamic "master_authorized_networks_config" {
  for_each = local.master_authorized_networks_config
  content {
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index 19f9b459b1..e62c1398ad 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
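Review bot: When `var.enable_binary_authorization` is false the new `dynamic "binary_authorization"` block is omitted, so the module stops asserting the setting rather than turning it off; it is worth confirming that removing the block from an already-enforcing cluster actually returns the API to `DISABLED` instead of leaving enforcement unmanaged, since the hunk does not show what the provider does with an absent block and silent drift here would fail open. An always-present block states the intent explicitly: `binary_authorization {` / `evaluation_mode = var.enable_binary_authorization ? "PROJECT_SINGLETON_POLICY_ENFORCE" : "DISABLED"` / `}`. Iterating `for_each` over `[var.enable_binary_authorization]` also reads oddly because the bool element is never used inside `content`; `[1]` or `["enforce"]` makes the one-shot intent clearer. Enforcement is only as strong as the project's singleton policy, which this module does not create, so the variable description should say so — e.g. `Enables enforcement of the project-level Binary Authorization policy; the policy itself must be configured separately` — rather than implying that flipping this alone blocks unsigned images. The enclosing `google_container_cluster` resource starts and ends outside the hunk, and the same change is repeated verbatim in the `cluster.tf` copies below, which presumably are generated from this template.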
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
  vertical_pod_autoscaling {
  enabled = var.enable_vertical_pod_autoscaling
  }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  enable_intranode_visibility = var.enable_intranode_visibility
  enable_kubernetes_alpha = var.enable_kubernetes_alpha
  enable_tpu = var.enable_tpu
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 0e3bc21bf7..1f1f805a0d 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
  vertical_pod_autoscaling {
  enabled = var.enable_vertical_pod_autoscaling
  }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  enable_intranode_visibility = var.enable_intranode_visibility
  enable_kubernetes_alpha = var.enable_kubernetes_alpha
  enable_tpu = var.enable_tpu
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index db712ee4d3..4eea77247b 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
  vertical_pod_autoscaling {
  enabled = var.enable_vertical_pod_autoscaling
  }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  enable_intranode_visibility = var.enable_intranode_visibility
  enable_kubernetes_alpha = var.enable_kubernetes_alpha
  enable_tpu = var.enable_tpu
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 162f87882b..729947509c 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
  vertical_pod_autoscaling {
  enabled = var.enable_vertical_pod_autoscaling
  }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  enable_intranode_visibility = var.enable_intranode_visibility
  enable_kubernetes_alpha = var.enable_kubernetes_alpha
  enable_tpu = var.enable_tpu
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index b774c06d5f..ae9e57ae50 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
  vertical_pod_autoscaling {
  enabled = var.enable_vertical_pod_autoscaling
  }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  dynamic "master_authorized_networks_config" {
  for_each = local.master_authorized_networks_config
  content {
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index b044d76b62..e4540e64fe 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
  vertical_pod_autoscaling {
  enabled = var.enable_vertical_pod_autoscaling
  }
- default_max_pods_per_node = var.default_max_pods_per_node
- enable_shielded_nodes = var.enable_shielded_nodes
- enable_binary_authorization = var.enable_binary_authorization
+ default_max_pods_per_node = var.default_max_pods_per_node
+ enable_shielded_nodes = var.enable_shielded_nodes
+
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  dynamic "master_authorized_networks_config" {
  for_each = local.master_authorized_networks_config
  content {
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
index 0fcb76f4e2..99f477e099 100644
--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -81,7 +81,7 @@
  it "has the expected binaryAuthorization config" do
  expect(data['binaryAuthorization']).to eq({
- "enabled" => true,
+ "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE",
  })
  end
diff --git a/test/integration/safer_cluster/controls/gcloud.rb b/test/integration/safer_cluster/controls/gcloud.rb
index 24929af071..1525ab6694 100644
--- a/test/integration/safer_cluster/controls/gcloud.rb
+++ b/test/integration/safer_cluster/controls/gcloud.rb
@@ -82,7 +82,7 @@
  it "has binary authorization" do
  expect(data['binaryAuthorization']).to eq({
- "enabled" => true,
+ "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE",
  })
  end
diff --git a/test/integration/simple_regional/controls/gcloud.rb b/test/integration/simple_regional/controls/gcloud.rb
index eac8fd0ee7..81fa2e720a 100644
--- a/test/integration/simple_regional/controls/gcloud.rb
+++ b/test/integration/simple_regional/controls/gcloud.rb
@@ -70,7 +70,7 @@
  it "has the expected binaryAuthorization config" do
  expect(data['binaryAuthorization']).to eq({
- "enabled" => true,
+ "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE",
  })
  end
  end
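Review bot: The exact `eq` on `data['binaryAuthorization']` requires the API response to contain nothing but `evaluationMode`, so the assertion will break if GKE also echoes the deprecated `enabled` field alongside it — the hunk does not show whether it does; `expect(data['binaryAuthorization']).to include('evaluationMode' => 'PROJECT_SINGLETON_POLICY_ENFORCE')` pins the value that matters without over-specifying the response shape. This also only proves the cluster is in enforce mode, not that anything is blocked; a negative test that deploys an unattested image would be the stronger check if the test project's policy allows for it. The enclosing `describe`/`control` block starts outside the hunk, and the identical change in `safer_cluster` and `simple_regional` below has the same properties.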