diff --git a/CHANGELOG.md b/CHANGELOG.md index 61d6432d64..56d2524846 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ Extending the adopted spec, each change should have a link to its corresponding ## [Unreleased] ### Added +* Add `sandbox_enabled` variable to use GKE Sandbox [#241] * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216] * Support for Workload Identity beta feature [#234] @@ -168,6 +169,7 @@ Extending the adopted spec, each change should have a link to its corresponding [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0 +[#241]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/241 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234 [#216]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/216 [#214]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/214 diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 21dfdeb93c..5eec7aa7a9 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -158,6 +158,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } {% endif %} } } diff --git a/autogen/main.tf b/autogen/main.tf index cf67bd9e08..9ad24a6e88 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -70,7 +70,8 @@ locals { cluster_node_metadata_config = var.node_metadata == "UNSPECIFIED" ? [] : [{ node_metadata = var.node_metadata }] - + + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] {% endif %} cluster_output_name = google_container_cluster.primary.name 
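Review bot: The new `sandbox_config` block is placed in the `node_config` of `google_container_cluster.primary`, which from the resource header looks like the cluster's default node pool, so with `remove_default_node_pool = true` (a variable this module exposes) the sandbox is configured on a pool that is deleted right after creation and no node in the cluster actually runs gVisor. If the module's separately managed `google_container_node_pool` resources are not given the same block — this diff does not touch them — workloads scheduled there stay on the plain runtime even though `sandbox_enabled = true` suggests otherwise. I would either add the same `dynamic "sandbox_config"` to the node pool resource (driven per pool from `node_pools`) or document the limitation next to the block, e.g. `# NOTE: sandbox_config here covers only the default pool; managed node pools are not sandboxed`. The enclosing `node_config` and resource body begin and end outside the hunk.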
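Review bot: `cluster_sandbox_enabled` reads as a boolean but actually holds the list of sandbox types that `for_each` iterates, which is confusing next to `var.sandbox_enabled`, which really is a bool; naming it after the sibling local, `cluster_sandbox_config = var.sandbox_enabled ? ["gvisor"] : []`, and updating the `for_each` in cluster.tf to match would make the intent obvious. The `-`/`+` pair just above it appears to swap a whitespace-only line and could be dropped from the change. The `locals` block starts before the hunk.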
diff --git a/autogen/variables.tf b/autogen/variables.tf index 59f8408b2f..bee81756e7 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -365,6 +365,12 @@ variable "node_metadata" { default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f2cd8c925a..f6d8250ded 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -189,6 +189,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | 
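Review bot: The description of `sandbox_enabled` lists the `image_type` and `node_version` prerequisites but says nothing about what the flag does and does not do for isolation: as far as I recall, GKE Sandbox only sandboxes pods that request the `gvisor` RuntimeClass and taints the sandbox pool with `sandbox.gke.io/runtime=gvisor:NoSchedule`, so pods without that RuntimeClass and toleration keep running on the host runtime, and a reader could otherwise assume the flag hardens every workload. Nothing here enforces the `COS_CONTAINERD` requirement either — if the module targets Terraform 0.12 (the `dynamic` blocks suggest so) there is no variable `validation` block to use — so the description is the only guard. I would extend it to something like: `(Beta) Enable GKE Sandbox (gVisor) on the default node pool. Requires image_type = COS_CONTAINERD and node_version 1.12.7-gke.17 or later; only pods that request the gvisor RuntimeClass are sandboxed.`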
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 4ccffeb4ec..793e2a4f5e 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -149,6 +149,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } } } diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 16da0d4ee9..f8e42e8956 100644 --- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -66,6 +66,7 @@ locals { node_metadata = var.node_metadata }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index cd8b420c1a..e3d00f6a68 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -362,6 +362,12 @@ variable "node_metadata" { default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 7240337192..96ad2bfb87 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -180,6 +180,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | region | The region to host the cluster in (required) | string | n/a | yes | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no | | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no | +| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no | | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no | | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no | | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes | diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf index 802bcd25e9..ffe1853925 100644 --- a/modules/beta-public-cluster/cluster.tf +++ b/modules/beta-public-cluster/cluster.tf @@ -149,6 +149,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } } } diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index f99d4d9056..c96113534e 100644 --- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf 
@@ -66,6 +66,7 @@ locals { node_metadata = var.node_metadata }] + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 8699854665..5af8bbe0be 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -338,6 +338,12 @@ variable "node_metadata" { default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"