From 6069ece9cd12acbbba8ff16ab0cbc9b17bc47985 Mon Sep 17 00:00:00 2001 From: "Marcel S. Gongora" <2498591+msgongora@users.noreply.github.com> Date: Wed, 8 Jul 2020 02:34:37 -0400 Subject: [PATCH] fix: Simplified pod security policy interface. BREAKING CHANGE: Pod security policy enablement has been changed to use a simple boolean flag (`var. enable_pod_security_policy`) --- autogen/main/cluster.tf.tmpl | 4 ++-- autogen/main/variables.tf.tmpl | 9 +++------ autogen/safer-cluster/main.tf.tmpl | 6 +++--- autogen/safer-cluster/variables.tf.tmpl | 9 +++------ examples/simple_regional_beta/README.md | 2 +- examples/simple_regional_beta/main.tf | 2 +- examples/simple_regional_beta/variables.tf | 7 +++---- modules/beta-private-cluster-update-variant/README.md | 2 +- modules/beta-private-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-private-cluster-update-variant/variables.tf | 9 +++------ modules/beta-private-cluster/README.md | 2 +- modules/beta-private-cluster/cluster.tf | 4 ++-- modules/beta-private-cluster/variables.tf | 9 +++------ modules/beta-public-cluster-update-variant/README.md | 2 +- modules/beta-public-cluster-update-variant/cluster.tf | 4 ++-- modules/beta-public-cluster-update-variant/variables.tf | 9 +++------ modules/beta-public-cluster/README.md | 2 +- modules/beta-public-cluster/cluster.tf | 4 ++-- modules/beta-public-cluster/variables.tf | 9 +++------ modules/safer-cluster-update-variant/README.md | 2 +- modules/safer-cluster-update-variant/main.tf | 6 +++--- modules/safer-cluster-update-variant/variables.tf | 9 +++------ modules/safer-cluster/README.md | 2 +- modules/safer-cluster/main.tf | 6 +++--- modules/safer-cluster/variables.tf | 9 +++------ test/fixtures/beta_cluster/main.tf | 4 +--- 26 files changed, 55 insertions(+), 82 deletions(-) diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 2de1e4efe7..8e69479c29 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl 
@@ -94,9 +94,9 @@ resource "google_container_cluster" "primary" { } dynamic "pod_security_policy_config" { - for_each = var.pod_security_policy_config + for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { - enabled = pod_security_policy_config.value.enabled + enabled = pod_security_policy_config.value } } {% endif %} diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index a924a4d8cc..7f55b1c219 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl @@ -455,13 +455,10 @@ variable "enable_binary_authorization" { default = false } -variable "pod_security_policy_config" { - type = list(object({ enabled = bool })) +variable "enable_pod_security_policy" { + type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = false - }] + default = false } variable "node_metadata" { diff --git a/autogen/safer-cluster/main.tf.tmpl b/autogen/safer-cluster/main.tf.tmpl index e58a4e60da..d9bf1dfdf0 100644 --- a/autogen/safer-cluster/main.tf.tmpl +++ b/autogen/safer-cluster/main.tf.tmpl @@ -137,9 +137,9 @@ module "gke" { // We suggest to define policies about which images can run on a cluster. enable_binary_authorization = true - // Define PodSecurityPolicies for differnet applications. - // Example: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example - pod_security_policy_config = var.pod_security_policy_config + // Use of PodSecurityPolicy admission controller + // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies + enable_pod_security_policy = var.enable_pod_security_policy resource_usage_export_dataset_id = var.resource_usage_export_dataset_id diff --git a/autogen/safer-cluster/variables.tf.tmpl b/autogen/safer-cluster/variables.tf.tmpl index 6b057482b0..1170330d00 100644 
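Review bot: With `for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : []` the `pod_security_policy_config` block is omitted entirely when the flag is false, and when it is present `pod_security_policy_config.value` can only ever be `true`, so `enabled = pod_security_policy_config.value` is a roundabout way of writing `enabled = true`. Now that the input is a plain bool the `dynamic` wrapper no longer buys anything: a static `pod_security_policy_config { enabled = var.enable_pod_security_policy }` says the same thing directly and always sends an explicit `enabled = false` to the provider, which is exactly what the old `[{ "enabled" = false }]` default produced, instead of relying on how an absent block is reconciled against a cluster that previously had the controller on (worth checking the plan on an existing cluster either way). The resource that encloses this block starts outside the hunk.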
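Review bot: The description of the new `enable_pod_security_policy` variable still begins with `enabled - `, a prefix that documented the attribute of the removed `list(object({ enabled = bool }))` type and is meaningless for a bare bool; the same string is copied verbatim into every README table this patch regenerates. Suggest `description = "Enable the PodSecurityPolicy admission controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."` so the generated docs come out right as well.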
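Review bot: The replacement comment `// Use of PodSecurityPolicy admission controller` is a fragment and drops the one operational hint the old comment carried, namely that policies still have to be written; the variable's own description says pods must match a PodSecurityPolicy to be created once the controller is on, so turning the flag on without any policies (and, presumably, the RBAC that lets workloads use them) blocks pod creation. Suggest something like `// Enable the PodSecurityPolicy admission controller. Policies must exist before workloads are deployed, or pod creation is denied.` and keeping the kubernetes.io example link next to the new GKE how-to link. The `module "gke"` block this sits in starts outside the hunk.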
--- a/autogen/safer-cluster/variables.tf.tmpl +++ b/autogen/safer-cluster/variables.tf.tmpl @@ -328,13 +328,10 @@ variable "skip_provisioners" { default = false } -variable "pod_security_policy_config" { - type = list(object({ enabled = bool })) +variable "enable_pod_security_policy" { + type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = true - }] + default = false } variable "gce_pd_csi_driver" { diff --git a/examples/simple_regional_beta/README.md b/examples/simple_regional_beta/README.md index 916cb254d0..4a8e72a5b9 100644 --- a/examples/simple_regional_beta/README.md +++ b/examples/simple_regional_beta/README.md 
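Review bot: The safer-cluster default for PodSecurityPolicy silently goes from on to off here: the removed block defaulted to `"enabled" = true` while the new variable has `default = false`, and the same flip is repeated in the generated `modules/safer-cluster*/variables.tf` and shows up as `"false"` in their README tables. The commit message only describes the interface change, so consumers who relied on the default will lose the admission controller on the one module whose purpose is hardened defaults, while the non-safer `autogen/main` template correctly keeps `false`. Keep the hardened default with `default = true`, or if dropping it is deliberate, say so explicitly in the BREAKING CHANGE note. The `enabled - ` prefix in the description is also left over from the old object attribute.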
@@ -13,13 +13,13 @@ This example illustrates how to create a simple cluster with beta features. | database\_encryption | Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key. | object | `` | no | | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no | | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | +| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no | | gce\_pd\_csi\_driver | (Beta) Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. | bool | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for services | string | n/a | yes | | istio | Boolean to enable / disable Istio | string | `"true"` | no | | network | The VPC network to host the cluster in | string | n/a | yes | | node\_pools | List of maps containing node pools | list(map(string)) | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `` | no | | project\_id | The project ID to host the cluster in | string | n/a | yes | | region | The region to host the cluster in | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | diff --git a/examples/simple_regional_beta/main.tf b/examples/simple_regional_beta/main.tf index 5c913cce8c..1dc08e0440 100644 --- a/examples/simple_regional_beta/main.tf 
+++ b/examples/simple_regional_beta/main.tf @@ -45,7 +45,7 @@ module "gke" { node_pools = var.node_pools database_encryption = var.database_encryption enable_binary_authorization = var.enable_binary_authorization - pod_security_policy_config = var.pod_security_policy_config + enable_pod_security_policy = var.enable_pod_security_policy release_channel = "REGULAR" # Disable workload identity diff --git a/examples/simple_regional_beta/variables.tf b/examples/simple_regional_beta/variables.tf index 793b721d6f..cdedce33d2 100644 --- a/examples/simple_regional_beta/variables.tf +++ b/examples/simple_regional_beta/variables.tf @@ -106,11 +106,10 @@ variable "enable_binary_authorization" { default = false } -variable "pod_security_policy_config" { +variable "enable_pod_security_policy" { + type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - default = [{ - "enabled" = false - }] + default = false } variable "zones" { diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index c265410368..5033121995 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md 
@@ -165,6 +165,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no | +| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | 
@@ -209,7 +210,6 @@ Then perform the following commands on the root folder: | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | | project\_id | The project ID to host the cluster in (required) | string | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index 7c4e82681a..1a4ebae6bd 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -81,9 +81,9 @@ resource "google_container_cluster" "primary" { } dynamic "pod_security_policy_config" { - for_each = var.pod_security_policy_config + for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { - enabled = pod_security_policy_config.value.enabled + enabled = pod_security_policy_config.value } } dynamic "master_authorized_networks_config" { diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 3fb37a3bd7..c7e92dad2d 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -448,13 +448,10 @@ variable "enable_binary_authorization" { default = false } -variable "pod_security_policy_config" { - type = list(object({ enabled = bool })) +variable "enable_pod_security_policy" { + type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = false - }] + default = false } variable "node_metadata" { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index 6fb90f64d1..0034f412fc 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md 
@@ -143,6 +143,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no | +| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | 
@@ -187,7 +188,6 @@ Then perform the following commands on the root folder: | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | | project\_id | The project ID to host the cluster in (required) | string | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 385e1cfeb0..cbb7e4af36 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -81,9 +81,9 @@ resource "google_container_cluster" "primary" { } dynamic "pod_security_policy_config" { - for_each = var.pod_security_policy_config + for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { - enabled = pod_security_policy_config.value.enabled + enabled = pod_security_policy_config.value } } dynamic "master_authorized_networks_config" { diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 3fb37a3bd7..c7e92dad2d 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf 
@@ -448,13 +448,10 @@ variable "enable_binary_authorization" { default = false } -variable "pod_security_policy_config" { - type = list(object({ enabled = bool })) +variable "enable_pod_security_policy" { + type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = false - }] + default = false } variable "node_metadata" { diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index ba700a0de0..7bdb0ac194 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md 
@@ -158,6 +158,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no | +| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | 
@@ -199,7 +200,6 @@ Then perform the following commands on the root folder: | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | | project\_id | The project ID to host the cluster in (required) | string | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index d7485acf99..a81f1ea931 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -81,9 +81,9 @@ resource "google_container_cluster" "primary" { } dynamic "pod_security_policy_config" { - for_each = var.pod_security_policy_config + for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { - enabled = pod_security_policy_config.value.enabled + enabled = pod_security_policy_config.value } } dynamic "master_authorized_networks_config" { diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf index 25d0248139..20c7315720 100644 --- a/modules/beta-public-cluster-update-variant/variables.tf +++ b/modules/beta-public-cluster-update-variant/variables.tf 
@@ -424,13 +424,10 @@ variable "enable_binary_authorization" { default = false } -variable "pod_security_policy_config" { - type = list(object({ enabled = bool })) +variable "enable_pod_security_policy" { + type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = false - }] + default = false } variable "node_metadata" { diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 89f2478422..bb59bcd80d 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -136,6 +136,7 @@ Then perform the following commands on the root folder: | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | bool | `"false"` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no | +| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster | bool | `"true"` | no | | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no | 
@@ -177,7 +178,6 @@ Then perform the following commands on the root folder: | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list(string) | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | | project\_id | The project ID to host the cluster in (required) | string | n/a | yes | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | string | `"null"` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 1019c1957a..572bc7f7c7 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -81,9 +81,9 @@ resource "google_container_cluster" "primary" { } dynamic "pod_security_policy_config" { - for_each = var.pod_security_policy_config + for_each = var.enable_pod_security_policy ? [var.enable_pod_security_policy] : [] content { - enabled = pod_security_policy_config.value.enabled + enabled = pod_security_policy_config.value } } dynamic "master_authorized_networks_config" { diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 25d0248139..20c7315720 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf 
@@ -424,13 +424,10 @@ variable "enable_binary_authorization" { default = false } -variable "pod_security_policy_config" { - type = list(object({ enabled = bool })) +variable "enable_pod_security_policy" { + type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = false - }] + default = false } variable "node_metadata" { diff --git a/modules/safer-cluster-update-variant/README.md b/modules/safer-cluster-update-variant/README.md index 6f9120c81a..dad190de7c 100644 --- a/modules/safer-cluster-update-variant/README.md +++ b/modules/safer-cluster-update-variant/README.md 
@@ -212,6 +212,7 @@ For simplicity, we suggest using `roles/container.admin` and | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no | +| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true | bool | `"true"` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no | 
@@ -242,7 +243,6 @@ For simplicity, we suggest using `roles/container.admin` and | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | | project\_id | The project ID to host the cluster in | string | n/a | yes | | region | The region to host the cluster in | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | diff --git a/modules/safer-cluster-update-variant/main.tf b/modules/safer-cluster-update-variant/main.tf index 1d044fb07b..c188ed57e4 100644 --- a/modules/safer-cluster-update-variant/main.tf +++ b/modules/safer-cluster-update-variant/main.tf @@ -133,9 +133,9 @@ module "gke" { // We suggest to define policies about which images can run on a cluster. enable_binary_authorization = true - // Define PodSecurityPolicies for differnet applications. - // Example: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example - pod_security_policy_config = var.pod_security_policy_config + // Use of PodSecurityPolicy admission controller + // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies + enable_pod_security_policy = var.enable_pod_security_policy resource_usage_export_dataset_id = var.resource_usage_export_dataset_id diff --git a/modules/safer-cluster-update-variant/variables.tf b/modules/safer-cluster-update-variant/variables.tf index 4644b2d5fc..6f24d35cff 100644 --- a/modules/safer-cluster-update-variant/variables.tf 
+++ b/modules/safer-cluster-update-variant/variables.tf @@ -328,13 +328,10 @@ variable "skip_provisioners" { default = false } -variable "pod_security_policy_config" { - type = list(object({ enabled = bool })) +variable "enable_pod_security_policy" { + type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = true - }] + default = false } variable "gce_pd_csi_driver" { diff --git a/modules/safer-cluster/README.md b/modules/safer-cluster/README.md index 6f9120c81a..dad190de7c 100644 --- a/modules/safer-cluster/README.md +++ b/modules/safer-cluster/README.md 
@@ -212,6 +212,7 @@ For simplicity, we suggest using `roles/container.admin` and | dns\_cache | (Beta) The status of the NodeLocal DNSCache addon. | bool | `"false"` | no | | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no | | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | bool | `"false"` | no | +| enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | bool | `"false"` | no | | enable\_private\_endpoint | When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true | bool | `"true"` | no | | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | bool | `"true"` | no | | enable\_shielded\_nodes | Enable Shielded Nodes features on all nodes in this cluster. | bool | `"true"` | no | 
@@ -242,7 +243,6 @@ For simplicity, we suggest using `roles/container.admin` and | node\_pools\_oauth\_scopes | Map of lists containing node oauth scopes by node-pool name | map(list(string)) | `` | no | | node\_pools\_tags | Map of lists containing node network tags by node-pool name | map(list(string)) | `` | no | | node\_pools\_taints | Map of lists containing node taints by node-pool name | object | `` | no | -| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | object | `` | no | | project\_id | The project ID to host the cluster in | string | n/a | yes | | region | The region to host the cluster in | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | diff --git a/modules/safer-cluster/main.tf b/modules/safer-cluster/main.tf index 0ecca42f5c..daf3d2f409 100644 --- a/modules/safer-cluster/main.tf +++ b/modules/safer-cluster/main.tf @@ -133,9 +133,9 @@ module "gke" { // We suggest to define policies about which images can run on a cluster. enable_binary_authorization = true - // Define PodSecurityPolicies for differnet applications. - // Example: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#example - pod_security_policy_config = var.pod_security_policy_config + // Use of PodSecurityPolicy admission controller + // https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies + enable_pod_security_policy = var.enable_pod_security_policy resource_usage_export_dataset_id = var.resource_usage_export_dataset_id diff --git a/modules/safer-cluster/variables.tf b/modules/safer-cluster/variables.tf index 4644b2d5fc..6f24d35cff 100644 --- a/modules/safer-cluster/variables.tf +++ b/modules/safer-cluster/variables.tf 
@@ -328,13 +328,10 @@ variable "skip_provisioners" { default = false } -variable "pod_security_policy_config" { - type = list(object({ enabled = bool })) +variable "enable_pod_security_policy" { + type = bool description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created." - - default = [{ - "enabled" = true - }] + default = false } variable "gce_pd_csi_driver" { diff --git a/test/fixtures/beta_cluster/main.tf b/test/fixtures/beta_cluster/main.tf index ed6a96bc70..bd1a91b354 100644 --- a/test/fixtures/beta_cluster/main.tf +++ b/test/fixtures/beta_cluster/main.tf @@ -60,9 +60,7 @@ module "this" { enable_binary_authorization = true - pod_security_policy_config = [{ - enabled = true - }] + enable_pod_security_policy = true } data "google_client_config" "default" {