From f6d8ca8c705a6d154a1216fa64602a349730f9d2 Mon Sep 17 00:00:00 2001
From: Ihor Pukha
Date: Tue, 4 Jun 2019 19:49:38 +0300
Subject: [PATCH 01/12] Add configuration flag for #141
---
 autogen/cluster_regional.tf | 3 +++
 autogen/cluster_zonal.tf | 3 +++
 autogen/outputs.tf | 7 +++++++
 autogen/variables.tf | 7 +++++++
 examples/deploy_service/README.md | 1 +
 examples/disable_client_cert/README.md | 1 +
 examples/node_pool/README.md | 1 +
 examples/shared_vpc/README.md | 1 +
 examples/simple_regional_private/README.md | 1 +
 examples/simple_zonal_private/README.md | 1 +
 examples/stub_domains/README.md | 1 +
 modules/private-cluster/README.md | 2 ++
 modules/private-cluster/cluster_regional.tf | 2 ++
 modules/private-cluster/cluster_zonal.tf | 2 ++
 modules/private-cluster/outputs.tf | 5 +++++
 modules/private-cluster/variables.tf | 5 +++++
 outputs.tf | 1 +
 variables.tf | 1 +
 18 files changed, 45 insertions(+)
diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf
index bb521ed4c3..557d96db28 100644
--- a/autogen/cluster_regional.tf
+++ b/autogen/cluster_regional.tf
@@ -36,6 +36,9 @@ resource "google_container_cluster" "primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+{% if private_cluster %}
+ enable_binary_authorization = "${var.enable_binary_authorization}"
+{% endif %}
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf
index 557d5b4f90..a3cad39ad5 100644
--- a/autogen/cluster_zonal.tf
+++ b/autogen/cluster_zonal.tf
@@ -36,6 +36,9 @@ resource "google_container_cluster" "zonal_primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+{% if private_cluster %}
+ enable_binary_authorization = "${var.enable_binary_authorization}"
+{% endif %}
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
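Review bot: The `{% if private_cluster %}` gate around `enable_binary_authorization` in autogen/cluster_regional.tf, and the identical one in autogen/cluster_zonal.tf, is not explained anywhere in the template, and Binary Authorization is a property of the cluster rather than of private networking, so a reader cannot tell whether withholding the flag from the non-private variant is deliberate. If the reason is that only the private-cluster variant is rendered against a provider that exposes this attribute, I would record that next to the gate, e.g. `{# enable_binary_authorization is only rendered for the private-cluster variant; it needs the beta provider that variant already uses #}` on the line above `{% if private_cluster %}`; otherwise the attribute should be rendered unconditionally so the root module gets the same control. Either way the generated modules/private-cluster files in this patch inherit whatever the template decides. The `resource "google_container_cluster"` block begins before and ends after both hunks.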
diff --git a/autogen/outputs.tf b/autogen/outputs.tf
index d7bcf2a2a0..5e75c55656 100644
--- a/autogen/outputs.tf
+++ b/autogen/outputs.tf
@@ -78,6 +78,13 @@ output "ca_certificate" {
 value = "${local.cluster_ca_certificate}"
 }
+{% if private_cluster %}
+output "enable_binary_authorization" {
+description = "Enable BinAuthZ Admission controller"
+value = "${var.enable_binary_authorization}"
+}
+{% endif %}
+
 output "network_policy_enabled" {
 description = "Whether network policy enabled"
 value = "${local.cluster_network_policy_enabled}"
diff --git a/autogen/variables.tf b/autogen/variables.tf
index 407c68fc0b..a407887e3c 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -86,6 +86,13 @@ variable "master_authorized_networks_config" {
 default = []
 }
+{% if private_cluster %}
+variable "enable_binary_authorization" {
+description = "Enable BinAuthZ Admission controller"
+default = false
+}
+{% endif %}
+
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true
diff --git a/examples/deploy_service/README.md b/examples/deploy_service/README.md
index 4b43c09e72..6fa642325f 100644
--- a/examples/deploy_service/README.md
+++ b/examples/deploy_service/README.md
@@ -16,6 +16,7 @@ It will:
 |------|-------------|:----:|:-----:|:-----:|
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |
diff --git a/examples/disable_client_cert/README.md b/examples/disable_client_cert/README.md
index 929ba1926e..cf76d32f93 100644
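Review bot: The description `Enable BinAuthZ Admission controller` on the new `enable_binary_authorization` variable in autogen/variables.tf does not tell an operator what setting it to true enforces. Turning the admission controller on only makes the cluster evaluate the project's Binary Authorization policy, and unless that policy has been changed from its default it allows every image, so the flag by itself is not a control and a reader of the generated README table will overestimate it. I would make that explicit in the variable, e.g. `description = "Enable the Binary Authorization admission controller. Images are admitted or blocked according to the project's Binary Authorization policy, which must be configured separately; the default policy allows all images."`, and let the README tables in this patch be regenerated from it. The output block added to autogen/outputs.tf in the same hunk reuses the wording, so it should be updated in the same place if it is kept.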
--- a/examples/disable_client_cert/README.md +++ b/examples/disable_client_cert/README.md @@ -14,6 +14,7 @@ This example illustrates how to create a simple cluster and disable deprecated s | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | | credentials\_path | The path to the GCP credentials JSON file | string | n/a | yes | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/node_pool/README.md b/examples/node_pool/README.md index 2146e2c53f..de6be7a71e 100644 --- a/examples/node_pool/README.md +++ b/examples/node_pool/README.md @@ -10,6 +10,7 @@ This example illustrates how to create a cluster with multiple custom node-pool |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/shared_vpc/README.md b/examples/shared_vpc/README.md index d66cdd5fc4..b9d5012dfa 100644 --- a/examples/shared_vpc/README.md +++ b/examples/shared_vpc/README.md 
@@ -10,6 +10,7 @@ This example illustrates how to create a simple cluster where the host network i |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/simple_regional_private/README.md b/examples/simple_regional_private/README.md index 9987f9dad0..f7dad8de75 100644 --- a/examples/simple_regional_private/README.md +++ b/examples/simple_regional_private/README.md @@ -10,6 +10,7 @@ This example illustrates how to create a simple private cluster. |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/simple_zonal_private/README.md b/examples/simple_zonal_private/README.md index 0e2c56ff7a..55ee023ba2 100644 --- a/examples/simple_zonal_private/README.md +++ b/examples/simple_zonal_private/README.md 
@@ -10,6 +10,7 @@ This example illustrates how to create a simple private cluster. |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/stub_domains/README.md b/examples/stub_domains/README.md index 4c380ada81..9b7266f892 100644 --- a/examples/stub_domains/README.md +++ b/examples/stub_domains/README.md @@ -15,6 +15,7 @@ It will: |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index e1978dd332..3add5ef8e4 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -124,6 +124,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no | @@ -167,6 +168,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | |------|-------------| | ca\_certificate | Cluster ca certificate (base64 encoded) | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index 34625f72fb..c0b16ba515 100644 --- a/modules/private-cluster/cluster_regional.tf +++ b/modules/private-cluster/cluster_regional.tf 
@@ -36,6 +36,8 @@ resource "google_container_cluster" "primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+ enable_binary_authorization = "${var.enable_binary_authorization}"
+
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf
index 9ffdac36a9..c3bc350d36 100644
--- a/modules/private-cluster/cluster_zonal.tf
+++ b/modules/private-cluster/cluster_zonal.tf
@@ -36,6 +36,8 @@ resource "google_container_cluster" "zonal_primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+ enable_binary_authorization = "${var.enable_binary_authorization}"
+
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf
index 6b9d5895ab..34740721de 100644
--- a/modules/private-cluster/outputs.tf
+++ b/modules/private-cluster/outputs.tf
@@ -78,6 +78,11 @@ output "ca_certificate" {
 value = "${local.cluster_ca_certificate}"
 }
+output "enable_binary_authorization" {
+description = "Enable BinAuthZ Admission controller"
+value = "${var.enable_binary_authorization}"
+}
+
 output "network_policy_enabled" {
 description = "Whether network policy enabled"
 value = "${local.cluster_network_policy_enabled}"
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 4e376876cb..36f5664046 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -86,6 +86,11 @@ variable "master_authorized_networks_config" {
 default = []
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true
diff --git a/outputs.tf b/outputs.tf
index 6b9d5895ab..8e909c35ca 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -78,6 +78,7 @@ output "ca_certificate" {
 value = "${local.cluster_ca_certificate}"
 }
+
 output "network_policy_enabled" {
 description = "Whether network policy enabled"
 value = "${local.cluster_network_policy_enabled}"
diff --git a/variables.tf b/variables.tf
index 8a95caab5e..5bd8018f21 100644
--- a/variables.tf
+++ b/variables.tf
@@ -86,6 +86,7 @@ variable "master_authorized_networks_config" {
 default = []
 }
+
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true
From 196bff1308482f2cedc0c68bcae10ff9ed04b797 Mon Sep 17 00:00:00 2001
From: Ingwarr
Date: Tue, 4 Jun 2019 20:14:12 +0300
Subject: [PATCH 02/12] Update autogen/variables.tf
Co-Authored-By: Aaron Lane
---
 autogen/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/autogen/variables.tf b/autogen/variables.tf
index a407887e3c..00cc89eb72 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -89,7 +89,7 @@ variable "master_authorized_networks_config" {
 {% if private_cluster %}
 variable "enable_binary_authorization" {
 description = "Enable BinAuthZ Admission controller"
-default = false
+ default = false
 }
 {% endif %}
From eb48e8ee020077a3d98aedacbe4d7f7ed635dfbf Mon Sep 17 00:00:00 2001
From: Ingwarr
Date: Tue, 4 Jun 2019 20:14:34 +0300
Subject: [PATCH 03/12] Update autogen/variables.tf
Co-Authored-By: Aaron Lane
---
 autogen/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/autogen/variables.tf b/autogen/variables.tf
index 00cc89eb72..c3cca51dbd 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -88,7 +88,7 @@ variable "master_authorized_networks_config" {
 {% if private_cluster %}
 variable "enable_binary_authorization" {
-description = "Enable BinAuthZ Admission controller"
+ description = "Enable BinAuthZ Admission controller"
 default = false
 }
 {% endif %}
From 6701908cb33eae2347bb45904191165cb307e085 Mon Sep 17 00:00:00 2001
From: Ingwarr
Date: Tue, 4 Jun 2019 20:14:45 +0300
Subject: [PATCH 04/12] Update examples/deploy_service/README.md
Co-Authored-By: Aaron Lane
---
 examples/deploy_service/README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/examples/deploy_service/README.md b/examples/deploy_service/README.md
index 6fa642325f..4b43c09e72 100644
--- a/examples/deploy_service/README.md
+++ b/examples/deploy_service/README.md
@@ -16,7 +16,6 @@ It will:
 |------|-------------|:----:|:-----:|:-----:|
 | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no |
 | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes |
-| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes |
 | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes |
 | network | The VPC network to host the cluster in | string | n/a | yes |
From 199bc05518119f6c94b4428efedf23d628d1c172 Mon Sep 17 00:00:00 2001
From: Ihor Pukha
Date: Tue, 4 Jun 2019 20:18:46 +0300
Subject: [PATCH 05/12] Unnecessary output droped
---
 autogen/outputs.tf | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/autogen/outputs.tf b/autogen/outputs.tf
index 5e75c55656..d75a85ca94 100644
--- a/autogen/outputs.tf
+++ b/autogen/outputs.tf
@@ -78,12 +78,6 @@ output "ca_certificate" {
 value = "${local.cluster_ca_certificate}"
 }
-{% if private_cluster %}
-output "enable_binary_authorization" {
-description = "Enable BinAuthZ Admission controller"
-value = "${var.enable_binary_authorization}"
-}
-{% endif %}
 output "network_policy_enabled" {
 description = "Whether network policy enabled"
From 8eb763d8e8b32ce2813b12958b82da80148bd228 Mon Sep 17 00:00:00 2001
From: Ingwarr
Date: Tue, 4 Jun 2019 21:24:17 +0300
Subject: [PATCH 06/12] Update autogen/outputs.tf
Co-Authored-By: Aaron Lane
---
 autogen/outputs.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/autogen/outputs.tf b/autogen/outputs.tf
index d75a85ca94..d7bcf2a2a0 100644
--- a/autogen/outputs.tf
+++ b/autogen/outputs.tf
@@ -78,7 +78,6 @@ output "ca_certificate" {
 value = "${local.cluster_ca_certificate}"
 }
-
 output "network_policy_enabled" {
 description = "Whether network policy enabled"
 value = "${local.cluster_network_policy_enabled}"
From 3e14ee39863db3ee60a7bd521fe8a17314f84235 Mon Sep 17 00:00:00 2001
From: Ingwarr
Date: Tue, 4 Jun 2019 21:24:26 +0300
Subject: [PATCH 07/12] Update autogen/variables.tf
Co-Authored-By: Aaron Lane
---
 autogen/variables.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/autogen/variables.tf b/autogen/variables.tf
index c3cca51dbd..d66b51fba2 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -91,6 +91,7 @@ variable "enable_binary_authorization" {
 description = "Enable BinAuthZ Admission controller"
 default = false
 }
+
 {% endif %}
 variable "horizontal_pod_autoscaling" {
From 6b27b56e4cdc702ce36554fc7dcff1838ed985d5 Mon Sep 17 00:00:00 2001
From: Ingwarr
Date: Tue, 4 Jun 2019 21:24:33 +0300
Subject: [PATCH 08/12] Update autogen/variables.tf
Co-Authored-By: Aaron Lane
---
 autogen/variables.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/autogen/variables.tf b/autogen/variables.tf
index d66b51fba2..a4c01c4ef4 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
@@ -93,7 +93,6 @@ variable "enable_binary_authorization" {
 }
 {% endif %}
-
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true
From b66fac15b5ec3453ddd0b13610f01c64e74506e9 Mon Sep 17 00:00:00 2001
From: Ihor Pukha
Date: Tue, 4 Jun 2019 21:26:33 +0300
Subject: [PATCH 09/12] Unnecessary output droped from private-cluster module
---
 modules/private-cluster/outputs.tf | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/modules/private-cluster/outputs.tf b/modules/private-cluster/outputs.tf
index 34740721de..6b9d5895ab 100644
--- a/modules/private-cluster/outputs.tf
+++ b/modules/private-cluster/outputs.tf
@@ -78,11 +78,6 @@ output "ca_certificate" {
 value = "${local.cluster_ca_certificate}"
 }
-output "enable_binary_authorization" {
-description = "Enable BinAuthZ Admission controller"
-value = "${var.enable_binary_authorization}"
-}
-
 output "network_policy_enabled" {
 description = "Whether network policy enabled"
 value = "${local.cluster_network_policy_enabled}"
From f09377a95bb0a342acf71617de6d1c8494aec040 Mon Sep 17 00:00:00 2001
From: Ihor Pukha
Date: Wed, 5 Jun 2019 19:58:50 +0300
Subject: [PATCH 10/12] CHANGELOG.md updated
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47996c284f..92e201c973 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### Added
+* Add configuration flag for enable BinAuthZ Admission controller [#160]
 * Support for a guest accelerator in node pool configuration. [#157]
 * Support to scale the default node cluster. [#149]
From be4f14779ef9c1cde4d017c2764aec8f14ecec64 Mon Sep 17 00:00:00 2001
From: Ihor Pukha Date: Thu, 6 Jun 2019 21:07:33 +0300 Subject: [PATCH 11/12] new files generated --- examples/disable_client_cert/README.md | 1 - examples/node_pool/README.md | 1 - examples/shared_vpc/README.md | 1 - examples/simple_regional_private/README.md | 1 - examples/simple_zonal_private/README.md | 1 - examples/stub_domains/README.md | 1 - main.tf | 2 +- modules/private-cluster/README.md | 1 - modules/private-cluster/cluster_regional.tf | 1 - modules/private-cluster/cluster_zonal.tf | 1 - modules/private-cluster/main.tf | 2 +- modules/private-cluster/variables.tf | 74 ++++++++++----------- outputs.tf | 1 - variables.tf | 1 - 14 files changed, 39 insertions(+), 50 deletions(-) diff --git a/examples/disable_client_cert/README.md b/examples/disable_client_cert/README.md index cf76d32f93..929ba1926e 100644 --- a/examples/disable_client_cert/README.md +++ b/examples/disable_client_cert/README.md @@ -14,7 +14,6 @@ This example illustrates how to create a simple cluster and disable deprecated s | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | | credentials\_path | The path to the GCP credentials JSON file | string | n/a | yes | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/node_pool/README.md b/examples/node_pool/README.md index de6be7a71e..2146e2c53f 100644 --- a/examples/node_pool/README.md +++ b/examples/node_pool/README.md 
@@ -10,7 +10,6 @@ This example illustrates how to create a cluster with multiple custom node-pool |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/shared_vpc/README.md b/examples/shared_vpc/README.md index b9d5012dfa..d66cdd5fc4 100644 --- a/examples/shared_vpc/README.md +++ b/examples/shared_vpc/README.md @@ -10,7 +10,6 @@ This example illustrates how to create a simple cluster where the host network i |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/simple_regional_private/README.md b/examples/simple_regional_private/README.md index f7dad8de75..9987f9dad0 100644 --- a/examples/simple_regional_private/README.md +++ b/examples/simple_regional_private/README.md 
@@ -10,7 +10,6 @@ This example illustrates how to create a simple private cluster. |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/simple_zonal_private/README.md b/examples/simple_zonal_private/README.md index 55ee023ba2..0e2c56ff7a 100644 --- a/examples/simple_zonal_private/README.md +++ b/examples/simple_zonal_private/README.md @@ -10,7 +10,6 @@ This example illustrates how to create a simple private cluster. |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/examples/stub_domains/README.md b/examples/stub_domains/README.md index 9b7266f892..4c380ada81 100644 --- a/examples/stub_domains/README.md +++ b/examples/stub_domains/README.md 
@@ -15,7 +15,6 @@ It will: |------|-------------|:----:|:-----:|:-----:| | cluster\_name\_suffix | A suffix to append to the default cluster name | string | `""` | no | | compute\_engine\_service\_account | Service account to associate to the nodes in the cluster | string | n/a | yes | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no | | ip\_range\_pods | The secondary ip range to use for pods | string | n/a | yes | | ip\_range\_services | The secondary ip range to use for pods | string | n/a | yes | | network | The VPC network to host the cluster in | string | n/a | yes | diff --git a/main.tf b/main.tf index e96d301c43..fe9e57ee39 100644 --- a/main.tf +++ b/main.tf @@ -34,7 +34,7 @@ locals { kubernetes_version_regional = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version}" kubernetes_version_zonal = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version}" node_version_regional = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}" - node_version_zonal = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}" + node_version_zonal = "${var.node_version != "" && ! var.regional ? var.node_version : local.kubernetes_version_zonal}" custom_kube_dns_config = "${length(keys(var.stub_domains)) > 0 ? true : false}" network_project_id = "${var.network_project_id != "" ? var.network_project_id : var.project_id}" diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 62c6e8a1a0..52c969f71b 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -169,7 +169,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | |------|-------------| | ca\_certificate | Cluster ca certificate (base64 encoded) | -| enable\_binary\_authorization | Enable BinAuthZ Admission controller | | endpoint | Cluster endpoint | | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled | | http\_load\_balancing\_enabled | Whether http load balancing enabled | diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf index a4a00ea869..9630acf411 100644 --- a/modules/private-cluster/cluster_regional.tf +++ b/modules/private-cluster/cluster_regional.tf @@ -43,7 +43,6 @@ resource "google_container_cluster" "primary" { monitoring_service = "${var.monitoring_service}" enable_binary_authorization = "${var.enable_binary_authorization}" - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf index 637ca4655a..fc98826190 100644 --- a/modules/private-cluster/cluster_zonal.tf +++ b/modules/private-cluster/cluster_zonal.tf @@ -43,7 +43,6 @@ resource "google_container_cluster" "zonal_primary" { monitoring_service = "${var.monitoring_service}" enable_binary_authorization = "${var.enable_binary_authorization}" - master_authorized_networks_config = ["${var.master_authorized_networks_config}"] master_auth { diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf index 4c5c780309..b87fdc9894 100644 --- a/modules/private-cluster/main.tf +++ b/modules/private-cluster/main.tf 
@@ -34,7 +34,7 @@ locals { kubernetes_version_regional = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version}" kubernetes_version_zonal = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version}" node_version_regional = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}" - node_version_zonal = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}" + node_version_zonal = "${var.node_version != "" && ! var.regional ? var.node_version : local.kubernetes_version_zonal}" custom_kube_dns_config = "${length(keys(var.stub_domains)) > 0 ? true : false}" network_project_id = "${var.network_project_id != "" ? var.network_project_id : var.project_id}" diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index c3537af0de..d7fadef273 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf 
@@ -88,37 +88,37 @@ variable "master_authorized_networks_config" { variable "enable_binary_authorization" { description = "Enable BinAuthZ Admission controller" - default = false + default = false } variable "horizontal_pod_autoscaling" { description = "Enable horizontal pod autoscaling addon" - default = true + default = true } variable "http_load_balancing" { description = "Enable httpload balancer addon" - default = true + default = true } variable "kubernetes_dashboard" { description = "Enable kubernetes dashboard addon" - default = false + default = false } variable "network_policy" { description = "Enable network policy addon" - default = false + default = false } variable "network_policy_provider" { description = "The network policy provider." - default = "CALICO" + default = "CALICO" } variable "maintenance_start_time" { description = "Time window specified for daily maintenance operations in RFC3339 format" - default = "05:00" + default = "05:00" } variable "ip_range_pods" { @@ -131,21 +131,21 @@ variable "ip_range_services" { variable "initial_node_count" { description = "The number of nodes to create in this cluster's default node pool." - default = 0 + default = 0 } variable "remove_default_node_pool" { description = "Remove default node pool while setting up the cluster" - default = false + default = false } variable "disable_legacy_metadata_endpoints" { description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated." - default = "true" + default = "true" } variable "node_pools" { - type = "list" + type = "list" description = "List of maps containing node pools" default = [ 
@@ -156,123 +156,123 @@ variable "node_pools" {
 }
 variable "node_pools_labels" {
- type = "map"
+ type = "map"
 description = "Map of maps containing node labels by node-pool name"
 default = {
- all = {}
+ all = {}
 default-node-pool = {}
 }
 }
 variable "node_pools_metadata" {
- type = "map"
+ type = "map"
 description = "Map of maps containing node metadata by node-pool name"
 default = {
- all = {}
+ all = {}
 default-node-pool = {}
 }
 }
 variable "node_pools_taints" {
- type = "map"
+ type = "map"
 description = "Map of lists containing node taints by node-pool name"
 default = {
- all = []
+ all = []
 default-node-pool = []
 }
 }
 variable "node_pools_tags" {
- type = "map"
+ type = "map"
 description = "Map of lists containing node network tags by node-pool name"
 default = {
- all = []
+ all = []
 default-node-pool = []
 }
 }
 variable "node_pools_oauth_scopes" {
- type = "map"
+ type = "map"
 description = "Map of lists containing node oauth scopes by node-pool name"
 default = {
- all = ["https://www.googleapis.com/auth/cloud-platform"]
+ all = ["https://www.googleapis.com/auth/cloud-platform"]
 default-node-pool = []
 }
 }
 variable "stub_domains" {
- type = "map"
+ type = "map"
 description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server"
- default = {}
+ default = {}
 }
 variable "non_masquerade_cidrs" {
- type = "list"
+ type = "list"
 description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading."
- default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+ default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
 }
 variable "ip_masq_resync_interval" {
 description = "The interval at which the agent attempts to sync its ConfigMap file from the disk."
- default = "60s"
+ default = "60s"
 }
 variable "ip_masq_link_local" {
 description = "Whether to masquerade traffic to the link-local prefix (169.254.0.0/16)."
- default = "false"
+ default = "false"
 }
 variable "logging_service" {
 description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none"
- default = "logging.googleapis.com"
+ default = "logging.googleapis.com"
 }
 variable "monitoring_service" {
 description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
- default = "monitoring.googleapis.com"
+ default = "monitoring.googleapis.com"
 }
 variable "service_account" {
 description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
- default = "create"
+ default = "create"
 }
 variable "deploy_using_private_endpoint" {
 description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
- default = "false"
+ default = "false"
 }
 variable "enable_private_endpoint" {
 description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
- default = false
+ default = false
 }
 variable "enable_private_nodes" {
 description = "(Beta) Whether nodes have internal IP addresses only"
- default = false
+ default = false
 }
 variable "master_ipv4_cidr_block" {
 description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
- default = "10.0.0.0/28"
+ default = "10.0.0.0/28"
 }
 variable "basic_auth_username" {
 description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
- default = ""
+ default = ""
 }
 variable "basic_auth_password" {
 description = "The password to be used with Basic Authentication."
- default = ""
+ default = ""
 }
 variable "issue_client_certificate" {
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
- default = "false"
+ default = "false"
 }
diff --git a/outputs.tf b/outputs.tf
index 8e909c35ca..6b9d5895ab 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -78,7 +78,6 @@ output "ca_certificate" {
 value = "${local.cluster_ca_certificate}"
 }
-
 output "network_policy_enabled" {
 description = "Whether network policy enabled"
 value = "${local.cluster_network_policy_enabled}"
diff --git a/variables.tf b/variables.tf
index 46c6f621fd..2723a39df5 100644
--- a/variables.tf
+++ b/variables.tf
@@ -86,7 +86,6 @@ variable "master_authorized_networks_config" {
 default = []
 }
-
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true
From d6463937c8a7b4bcb10c926d5f3ba91a2ba1799c Mon Sep 17 00:00:00 2001
From: Ihor Pukha
Date: Fri, 7 Jun 2019 15:52:15 +0300
Subject: [PATCH 12/12] Additional typo fixes
---
 main.tf | 2 +-
 modules/private-cluster/main.tf | 2 +-
 modules/private-cluster/variables.tf | 74 ++++++++++++++-------------
 3 files changed, 39 insertions(+), 39 deletions(-)
diff --git a/main.tf b/main.tf
index fe9e57ee39..e96d301c43 100644
--- a/main.tf
+++ b/main.tf
@@ -34,7 +34,7 @@ locals {
 kubernetes_version_regional = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version}"
 kubernetes_version_zonal = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version}"
 node_version_regional = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}"
- node_version_zonal = "${var.node_version != "" && ! var.regional ? var.node_version : local.kubernetes_version_zonal}"
+ node_version_zonal = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}"
 custom_kube_dns_config = "${length(keys(var.stub_domains)) > 0 ? true : false}"
 network_project_id = "${var.network_project_id != "" ? var.network_project_id : var.project_id}"
diff --git a/modules/private-cluster/main.tf b/modules/private-cluster/main.tf
index b87fdc9894..4c5c780309 100644
--- a/modules/private-cluster/main.tf
+++ b/modules/private-cluster/main.tf
@@ -34,7 +34,7 @@ locals {
 kubernetes_version_regional = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.region.latest_master_version}"
 kubernetes_version_zonal = "${var.kubernetes_version != "latest" ? var.kubernetes_version : data.google_container_engine_versions.zone.latest_master_version}"
 node_version_regional = "${var.node_version != "" && var.regional ? var.node_version : local.kubernetes_version_regional}"
- node_version_zonal = "${var.node_version != "" && ! var.regional ? var.node_version : local.kubernetes_version_zonal}"
+ node_version_zonal = "${var.node_version != "" && !var.regional ? var.node_version : local.kubernetes_version_zonal}"
 custom_kube_dns_config = "${length(keys(var.stub_domains)) > 0 ? true : false}"
 network_project_id = "${var.network_project_id != "" ? var.network_project_id : var.project_id}"
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index d7fadef273..c3537af0de 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -88,37 +88,37 @@ variable "master_authorized_networks_config" {
 variable "enable_binary_authorization" {
 description = "Enable BinAuthZ Admission controller"
- default = false
+ default = false
 }
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
- default = true
+ default = true
 }
 variable "http_load_balancing" {
 description = "Enable httpload balancer addon"
- default = true
+ default = true
 }
 variable "kubernetes_dashboard" {
 description = "Enable kubernetes dashboard addon"
- default = false
+ default = false
 }
 variable "network_policy" {
 description = "Enable network policy addon"
- default = false
+ default = false
 }
 variable "network_policy_provider" {
 description = "The network policy provider."
- default = "CALICO"
+ default = "CALICO"
 }
 variable "maintenance_start_time" {
 description = "Time window specified for daily maintenance operations in RFC3339 format"
- default = "05:00"
+ default = "05:00"
 }
 variable "ip_range_pods" {
@@ -131,21 +131,21 @@ variable "ip_range_services" {
 variable "initial_node_count" {
 description = "The number of nodes to create in this cluster's default node pool."
- default = 0
+ default = 0
 }
 variable "remove_default_node_pool" {
 description = "Remove default node pool while setting up the cluster"
- default = false
+ default = false
 }
 variable "disable_legacy_metadata_endpoints" {
 description = "Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated."
- default = "true"
+ default = "true"
 }
 variable "node_pools" {
- type = "list"
+ type = "list"
 description = "List of maps containing node pools"
 default = [
@@ -156,123 +156,123 @@ variable "node_pools" {
 }
 variable "node_pools_labels" {
- type = "map"
+ type = "map"
 description = "Map of maps containing node labels by node-pool name"
 default = {
- all = {}
+ all = {}
 default-node-pool = {}
 }
 }
 variable "node_pools_metadata" {
- type = "map"
+ type = "map"
 description = "Map of maps containing node metadata by node-pool name"
 default = {
- all = {}
+ all = {}
 default-node-pool = {}
 }
 }
 variable "node_pools_taints" {
- type = "map"
+ type = "map"
 description = "Map of lists containing node taints by node-pool name"
 default = {
- all = []
+ all = []
 default-node-pool = []
 }
 }
 variable "node_pools_tags" {
- type = "map"
+ type = "map"
 description = "Map of lists containing node network tags by node-pool name"
 default = {
- all = []
+ all = []
 default-node-pool = []
 }
 }
 variable "node_pools_oauth_scopes" {
- type = "map"
+ type = "map"
 description = "Map of lists containing node oauth scopes by node-pool name"
 default = {
- all = ["https://www.googleapis.com/auth/cloud-platform"]
+ all = ["https://www.googleapis.com/auth/cloud-platform"]
 default-node-pool = []
 }
 }
 variable "stub_domains" {
- type = "map"
+ type = "map"
 description = "Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server"
- default = {}
+ default = {}
 }
 variable "non_masquerade_cidrs" {
- type = "list"
+ type = "list"
 description = "List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading."
- default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+ default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
 }
 variable "ip_masq_resync_interval" {
 description = "The interval at which the agent attempts to sync its ConfigMap file from the disk."
- default = "60s"
+ default = "60s"
 }
 variable "ip_masq_link_local" {
 description = "Whether to masquerade traffic to the link-local prefix (169.254.0.0/16)."
- default = "false"
+ default = "false"
 }
 variable "logging_service" {
 description = "The logging service that the cluster should write logs to. Available options include logging.googleapis.com, logging.googleapis.com/kubernetes (beta), and none"
- default = "logging.googleapis.com"
+ default = "logging.googleapis.com"
 }
 variable "monitoring_service" {
 description = "The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting Available options include monitoring.googleapis.com, monitoring.googleapis.com/kubernetes (beta) and none"
- default = "monitoring.googleapis.com"
+ default = "monitoring.googleapis.com"
 }
 variable "service_account" {
 description = "The service account to run nodes as if not overridden in `node_pools`. The default value will cause a cluster-specific service account to be created."
- default = "create"
+ default = "create"
 }
 variable "deploy_using_private_endpoint" {
 description = "(Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment."
- default = "false"
+ default = "false"
 }
 variable "enable_private_endpoint" {
 description = "(Beta) Whether the master's internal IP address is used as the cluster endpoint"
- default = false
+ default = false
 }
 variable "enable_private_nodes" {
 description = "(Beta) Whether nodes have internal IP addresses only"
- default = false
+ default = false
 }
 variable "master_ipv4_cidr_block" {
 description = "(Beta) The IP range in CIDR notation to use for the hosted master network"
- default = "10.0.0.0/28"
+ default = "10.0.0.0/28"
 }
 variable "basic_auth_username" {
 description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
- default = ""
+ default = ""
 }
 variable "basic_auth_password" {
 description = "The password to be used with Basic Authentication."
- default = ""
+ default = ""
 }
 variable "issue_client_certificate" {
 description = "Issues a client certificate to authenticate to the cluster endpoint. To maximize the security of your cluster, leave this option disabled. Client certificates don't automatically rotate and aren't easily revocable. WARNING: changing this after cluster creation is destructive!"
- default = "false"
+ default = "false"
 }