diff --git a/CHANGELOG.md b/CHANGELOG.md
index 54236093c2..ffaf0f3b55 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,8 +14,13 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### Added
+* Added support for resource usage export config [#238]
+* Added `sandbox_enabled` variable to use GKE Sandbox [#241]
+* Added `grant_registry_access` variable to grant Container Registry access to created SA [#236]
 * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216]
 * Support for Workload Identity beta feature [#234]
+* Support for Google Groups based RBAC beta feature [#217]
+* Support for disabling node pool autoscaling by setting `autoscaling` to `false` within the node pool variable. [#250]
 ## [v4.1.0] 2019-07-24
@@ -174,6 +179,11 @@ Extending the adopted spec, each change should have a link to its corresponding
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
 [#228]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/228
+[#238]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/238
+[#241]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/241
+[#250]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/250
+[#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236
+[#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217
 [#234]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/234
 [#216]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/216
 [#214]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/214
diff --git a/README.md b/README.md
index ea1ef578ab..923d3f7a09 100644
--- a/README.md
+++ b/README.md
@@ -137,6 +137,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | create\_service\_account | Defines if service account specified to run nodes should be created. | bool | `"true"` | no | | description | The description of the cluster | string | `""` | no | | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | diff --git a/autogen/cluster.tf b/autogen/cluster.tf index 1dd055dc11..9ae4414a18 100644 --- a/autogen/cluster.tf +++ b/autogen/cluster.tf @@ -67,6 +67,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "resource_usage_export_config" { + for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : [] + content { + enable_network_egress_metering = true + bigquery_destination { + dataset_id = resource_usage_export_config.value + } + } + } {% endif %} dynamic "master_authorized_networks_config" { for_each = var.master_authorized_networks_config @@ -158,6 +167,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } {% endif %} } } 
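Review bot: The new `dynamic "resource_usage_export_config"` block sets `enable_network_egress_metering = true` unconditionally whenever `var.resource_usage_export_dataset_id` is non-empty, so the dataset id doubles as the on/off switch and there is no way to export usage without also deploying the egress-metering daemonset that the variable description mentions. If that coupling is intended, a comment above the block should say so, e.g. `# A non-empty dataset id enables usage export and, always, network egress metering.`; otherwise a separate bool input feeding this attribute would be the cleaner interface. The enclosing `google_container_cluster` resource starts and ends outside the hunk. The same generated block appears in modules/beta-private-cluster/cluster.tf and modules/beta-public-cluster/cluster.tf.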
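Review bot: `sandbox_config` is added only to the `node_config` of `google_container_cluster.primary`, i.e. the default node pool, while every `google_container_node_pool.pools` hunk in this diff touches only autoscaling; if nothing outside the diff applies it there, pools declared through `var.node_pools` will run without gVisor even with `sandbox_enabled = true`, and the default pool disappears when `remove_default_node_pool` is set. Nothing ties `sandbox_enabled` to `image_type = COS_CONTAINERD` beyond the variable description, so a mismatch surfaces only as an API error at apply time; a comment on the block, e.g. `# Requires image_type = COS_CONTAINERD on this pool; see var.sandbox_enabled.`, would at least make that visible next to the code. The enclosing `node_config` and resource blocks extend beyond the hunk; the same generated block appears in modules/beta-private-cluster/cluster.tf and modules/beta-public-cluster/cluster.tf.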
@@ -189,6 +206,13 @@ resource "google_container_cluster" "primary" { identity_namespace = workload_identity_config.value.identity_namespace } } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } {% endif %} } @@ -220,9 +244,14 @@ resource "google_container_node_pool" "pools" { max_pods_per_node = lookup(var.node_pools[count.index], "max_pods_per_node", null) {% endif %} - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + content { + min_node_count = lookup(autoscaling.value, "min_count", 1) + max_node_count = lookup(autoscaling.value, "max_count", 100) + } } management { diff --git a/autogen/main.tf b/autogen/main.tf index bb628b0980..c4b070f9a3 100644 --- a/autogen/main.tf +++ b/autogen/main.tf @@ -71,6 +71,12 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + {% endif %} cluster_output_name = google_container_cluster.primary.name diff --git a/autogen/sa.tf b/autogen/sa.tf index c5f7f132a1..62b31f457a 100644 --- a/autogen/sa.tf +++ b/autogen/sa.tf 
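Review bot: `lookup(var.node_pools[count.index], "autoscaling", true)` is evaluated twice in the node pool hunk (for `node_count` and for the `dynamic "autoscaling"` `for_each`), and when it is `false` the pool is silently sized from `min_count`, a key whose name says nothing about fixed-size pools. A comment above `node_count` such as `# Fixed-size pool when autoscaling is disabled: min_count doubles as the node count.` would make that contract visible, and a per-pool local for the flag would avoid the repeated lookup. It is also worth confirming that toggling `autoscaling` on an existing pool does not force a replacement, since `node_count` moves between `null` and a number. The enclosing `google_container_node_pool` resource starts and ends outside the hunk; the identical change appears in cluster.tf, modules/beta-private-cluster/cluster.tf, modules/beta-public-cluster/cluster.tf and modules/private-cluster/cluster.tf.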
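Review bot: `cluster_authenticator_security_group` in the autogen/main.tf hunk treats only `null` as unset, while the sibling `resource_usage_export_dataset_id` input (cluster.tf hunk `@@ -67,6 +67,15 @@`) uses `!= ""` against a `""` default, so the two new inputs follow different "not set" conventions and an empty string passed for the group would still emit an `authenticator_groups_config` block with `security_group = ""`. Guarding on both, `cluster_authenticator_security_group = var.authenticator_security_group == null || var.authenticator_security_group == "" ? [] : [{ security_group = var.authenticator_security_group }]`, makes the locals uniform. The literal `"gvisor"` in `cluster_sandbox_enabled` deserves a one-line comment, e.g. `# Value fed to node_config.sandbox_config.sandbox_type when GKE Sandbox is enabled.`. The `locals` block starts outside the hunk; the same locals are generated into modules/beta-private-cluster/main.tf and modules/beta-public-cluster/main.tf.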
@@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" role = "roles/monitoring.viewer" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_iam_member" "cluster_service_account-gcr" { + count = var.create_service_account && var.grant_registry_access ? 1 : 0 + project = var.project_id + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" +} + diff --git a/autogen/variables.tf b/autogen/variables.tf index d90210ef82..16c2955ced 100644 --- a/autogen/variables.tf +++ b/autogen/variables.tf @@ -263,6 +263,12 @@ variable "create_service_account" { default = true } +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer role." + default = false +} + variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created." 
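Review bot: `roles/storage.objectViewer` in the new `cluster_service_account-gcr` binding is granted at project level (`project = var.project_id`), which lets the node service account read every Cloud Storage bucket in the project, not only the Container Registry bucket that the `grant_registry_access` name and description imply. If a narrower grant is not practical, the variable description added in the autogen/variables.tf hunk (and the generated variables.tf and README rows) should state the real scope, e.g. `description = "Grants the created cluster-specific service account project-wide storage.objectViewer (read access to all GCS buckets in the project, including Container Registry)."`; a bucket-level `google_storage_bucket_iam_member` on the registry bucket would be the least-privilege alternative. The hunk also adds an empty `+` line after the closing brace, leaving a trailing blank line at end of file. The same resource is generated into modules/beta-private-cluster/sa.tf, modules/beta-public-cluster/sa.tf, modules/private-cluster/sa.tf and sa.tf.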
@@ -362,18 +368,30 @@ variable "pod_security_policy_config" { }] } +variable "resource_usage_export_dataset_id" { + type = string + description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic." + default = "" +} + variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" default = false } - variable "enable_vertical_pod_autoscaling" { +variable "enable_vertical_pod_autoscaling" { type = bool description = "Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it" default = false @@ -385,5 +403,10 @@ variable "identity_namespace" { default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} {% endif %} diff --git a/cluster.tf b/cluster.tf index 7da3248f21..0f94ddb0e5 100644 --- a/cluster.tf +++ b/cluster.tf 
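Review bot: `resource_usage_export_dataset_id` and `authenticator_security_group` (second hunk, `@@ -385,5 +403,10 @@`) are declared inside the beta-only section that closes with `{% endif %}`, and the root README.md hunk accordingly gains only `grant_registry_access`, yet neither description carries the `(Beta)` prefix that `sandbox_enabled` in the same hunk and the existing beta inputs use, so the generated inputs tables for the beta modules will not flag them. Prefixing both, e.g. `description = "(Beta) The dataset id for which network egress metering for this cluster will be enabled. ..."`, keeps the tables consistent. As far as the cluster.tf hunks in this diff show, `sandbox_enabled` is applied to `node_config` rather than cluster-wide, which the description could say. The same declarations are generated into modules/beta-private-cluster/variables.tf and modules/beta-public-cluster/variables.tf.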
@@ -142,9 +142,14 @@ resource "google_container_node_pool" "pools" { lookup(var.node_pools[count.index], "min_count", 1), ) - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + content { + min_node_count = lookup(autoscaling.value, "min_count", 1) + max_node_count = lookup(autoscaling.value, "max_count", 100) + } } management { diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md index f2cd8c925a..74bd64c022 100644 --- a/modules/beta-private-cluster/README.md +++ b/modules/beta-private-cluster/README.md @@ -136,6 +136,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| +| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no | | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no | | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no | | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no | 
@@ -153,6 +154,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
+| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |
 | identity\_namespace | Workload Identity namespace | string | `""` | no |
@@ -189,6 +191,8 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index 4ccffeb4ec..901ae674eb 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -62,6 +62,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "resource_usage_export_config" { + for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : [] + content { + enable_network_egress_metering = true + bigquery_destination { + dataset_id = resource_usage_export_config.value + } + } + } dynamic "master_authorized_networks_config" { for_each = var.master_authorized_networks_config content { @@ -149,6 +158,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } } } @@ -176,6 +193,13 @@ resource "google_container_cluster" "primary" { identity_namespace = workload_identity_config.value.identity_namespace } } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } } /****************************************** @@ -200,9 +224,14 @@ resource "google_container_node_pool" "pools" { ) max_pods_per_node = lookup(var.node_pools[count.index], "max_pods_per_node", null) - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + content { + min_node_count = lookup(autoscaling.value, "min_count", 1) + max_node_count = lookup(autoscaling.value, "max_count", 100) + } } management { diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf index 16da0d4ee9..ad6116e7ef 100644 
--- a/modules/beta-private-cluster/main.tf +++ b/modules/beta-private-cluster/main.tf @@ -66,6 +66,12 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-private-cluster/sa.tf b/modules/beta-private-cluster/sa.tf index 0ebe86003d..9e063fcc22 100644 --- a/modules/beta-private-cluster/sa.tf +++ b/modules/beta-private-cluster/sa.tf @@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" role = "roles/monitoring.viewer" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_iam_member" "cluster_service_account-gcr" { + count = var.create_service_account && var.grant_registry_access ? 1 : 0 + project = var.project_id + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" +} + diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index cd8b420c1a..975fe7a173 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -261,6 +261,12 @@ variable "create_service_account" { default = true } +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer role." + default = false +} + variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created." 
@@ -357,11 +363,23 @@ variable "pod_security_policy_config" { }] } +variable "resource_usage_export_dataset_id" { + type = string + description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic." + default = "" +} + variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" @@ -380,4 +398,9 @@ variable "identity_namespace" { default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md index 7240337192..316f46d43e 100644 --- a/modules/beta-public-cluster/README.md +++ b/modules/beta-public-cluster/README.md 
@@ -131,6 +131,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com | string | `"null"` | no |
 | basic\_auth\_password | The password to be used with Basic Authentication. | string | `""` | no |
 | basic\_auth\_username | The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration. | string | `""` | no |
 | cloudrun | (Beta) Enable CloudRun addon | string | `"false"` | no |
@@ -145,6 +146,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_intranode\_visibility | Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network | bool | `"false"` | no |
 | enable\_vertical\_pod\_autoscaling | Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it | bool | `"false"` | no |
+| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no |
 | identity\_namespace | Workload Identity namespace | string | `""` | no |
@@ -180,6 +182,8 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| resource\_usage\_export\_dataset\_id | The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | string | `""` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 802bcd25e9..1c8561344a 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -62,6 +62,15 @@ resource "google_container_cluster" "primary" { } } + dynamic "resource_usage_export_config" { + for_each = var.resource_usage_export_dataset_id != "" ? [var.resource_usage_export_dataset_id] : [] + content { + enable_network_egress_metering = true + bigquery_destination { + dataset_id = resource_usage_export_config.value + } + } + } dynamic "master_authorized_networks_config" { for_each = var.master_authorized_networks_config content { @@ -149,6 +158,14 @@ resource "google_container_cluster" "primary" { node_metadata = workload_metadata_config.value.node_metadata } } + + dynamic "sandbox_config" { + for_each = local.cluster_sandbox_enabled + + content { + sandbox_type = sandbox_config.value + } + } } } @@ -171,6 +188,13 @@ resource "google_container_cluster" "primary" { identity_namespace = workload_identity_config.value.identity_namespace } } + + dynamic "authenticator_groups_config" { + for_each = local.cluster_authenticator_security_group + content { + security_group = authenticator_groups_config.value.security_group + } + } } /****************************************** @@ -195,9 +219,14 @@ resource "google_container_node_pool" "pools" { ) max_pods_per_node = lookup(var.node_pools[count.index], "max_pods_per_node", null) - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + content { + min_node_count = lookup(autoscaling.value, "min_count", 1) + max_node_count = lookup(autoscaling.value, "max_count", 100) + } } management { diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf index f99d4d9056..c956463414 100644 
--- a/modules/beta-public-cluster/main.tf +++ b/modules/beta-public-cluster/main.tf @@ -66,6 +66,12 @@ locals { node_metadata = var.node_metadata }] + cluster_authenticator_security_group = var.authenticator_security_group == null ? [] : [{ + security_group = var.authenticator_security_group + }] + + cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : [] + cluster_output_name = google_container_cluster.primary.name cluster_output_location = google_container_cluster.primary.location diff --git a/modules/beta-public-cluster/sa.tf b/modules/beta-public-cluster/sa.tf index 0ebe86003d..9e063fcc22 100644 --- a/modules/beta-public-cluster/sa.tf +++ b/modules/beta-public-cluster/sa.tf @@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" role = "roles/monitoring.viewer" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_iam_member" "cluster_service_account-gcr" { + count = var.create_service_account && var.grant_registry_access ? 1 : 0 + project = var.project_id + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" +} + diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf index 8699854665..850f38ea83 100644 --- a/modules/beta-public-cluster/variables.tf +++ b/modules/beta-public-cluster/variables.tf @@ -261,6 +261,12 @@ variable "create_service_account" { default = true } +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer role." + default = false +} + variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created." 
@@ -333,11 +339,23 @@ variable "pod_security_policy_config" { }] } +variable "resource_usage_export_dataset_id" { + type = string + description = "The dataset id for which network egress metering for this cluster will be enabled. If enabled, a daemonset will be created in the cluster to meter network egress traffic." + default = "" +} + variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "UNSPECIFIED" } +variable "sandbox_enabled" { + type = bool + description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)." + default = false +} + variable "enable_intranode_visibility" { type = bool description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network" @@ -356,4 +374,9 @@ variable "identity_namespace" { default = "" } +variable "authenticator_security_group" { + type = string + description = "The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com" + default = null +} diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md index 10ffe18910..c29d58ee93 100644 --- a/modules/private-cluster/README.md +++ b/modules/private-cluster/README.md 
@@ -145,6 +145,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | bool | `"true"` | no | | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | bool | `"false"` | no | | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | bool | `"false"` | no | +| grant\_registry\_access | Grants created cluster-specific service account storage.objectViewer role. | bool | `"false"` | no | | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | bool | `"true"` | no | | http\_load\_balancing | Enable httpload balancer addon | bool | `"true"` | no | | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | number | `"0"` | no | diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf index d6af244b8a..a5bb5da979 100644 --- a/modules/private-cluster/cluster.tf +++ b/modules/private-cluster/cluster.tf @@ -147,9 +147,14 @@ resource "google_container_node_pool" "pools" { lookup(var.node_pools[count.index], "min_count", 1), ) - autoscaling { - min_node_count = lookup(var.node_pools[count.index], "min_count", 1) - max_node_count = lookup(var.node_pools[count.index], "max_count", 100) + node_count = lookup(var.node_pools[count.index], "autoscaling", true) ? null : lookup(var.node_pools[count.index], "min_count", 1) + + dynamic "autoscaling" { + for_each = lookup(var.node_pools[count.index], "autoscaling", true) ? [var.node_pools[count.index]] : [] + content { + min_node_count = lookup(autoscaling.value, "min_count", 1) + max_node_count = lookup(autoscaling.value, "max_count", 100) + } } management { diff --git a/modules/private-cluster/sa.tf b/modules/private-cluster/sa.tf index 0ebe86003d..9e063fcc22 100644 
--- a/modules/private-cluster/sa.tf +++ b/modules/private-cluster/sa.tf @@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" role = "roles/monitoring.viewer" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_iam_member" "cluster_service_account-gcr" { + count = var.create_service_account && var.grant_registry_access ? 1 : 0 + project = var.project_id + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" +} + diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf index bad2d93ba3..8008e08975 100644 --- a/modules/private-cluster/variables.tf +++ b/modules/private-cluster/variables.tf @@ -251,6 +251,12 @@ variable "create_service_account" { default = true } +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer role." + default = false +} + variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created." diff --git a/sa.tf b/sa.tf index 0ebe86003d..9e063fcc22 100644 --- a/sa.tf +++ b/sa.tf @@ -61,3 +61,11 @@ resource "google_project_iam_member" "cluster_service_account-monitoring_viewer" role = "roles/monitoring.viewer" member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" } + +resource "google_project_iam_member" "cluster_service_account-gcr" { + count = var.create_service_account && var.grant_registry_access ? 1 : 0 + project = var.project_id + role = "roles/storage.objectViewer" + member = "serviceAccount:${google_service_account.cluster_service_account[0].email}" +} + diff --git a/test/make.sh b/test/make.sh index e3937328c0..ec1cd6b01d 100755 --- a/test/make.sh 
+++ b/test/make.sh @@ -25,7 +25,8 @@ finish() { trap finish EXIT # Create a temporary file in the auto-cleaned up directory while avoiding # overwriting TMPDIR for other processes. -# shellcheck disable=SC2120 # (Arguments may be passed, e.g. maketemp -d) +# shellcheck disable=SC2120 +# (Arguments may be passed, e.g. maketemp -d) maketemp() { TMPDIR="${DELETE_AT_EXIT}" mktemp "$@" } diff --git a/variables.tf b/variables.tf index 4f7a18b26a..460bdeaeff 100644 --- a/variables.tf +++ b/variables.tf @@ -251,6 +251,12 @@ variable "create_service_account" { default = true } +variable "grant_registry_access" { + type = bool + description = "Grants created cluster-specific service account storage.objectViewer role." + default = false +} + variable "service_account" { type = string description = "The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created."