Skip to content

Commit

Permalink
feat: Add support for configuring allow_net_admin in autopilot cluste…
Browse files Browse the repository at this point in the history
…rs (#1768)
  • Loading branch information
rossbannerman authored Nov 15, 2023
1 parent 29d79b1 commit 493149d
Show file tree
Hide file tree
Showing 8 changed files with 27 additions and 0 deletions.
4 changes: 4 additions & 0 deletions autogen/main/cluster.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -326,6 +326,10 @@ resource "google_container_cluster" "primary" {
}
{% endif %}
}
{% if autopilot_cluster %}

allow_net_admin = var.allow_net_admin
{% endif %}
{% if autopilot_cluster != true %}

datapath_provider = var.datapath_provider
Expand Down
7 changes: 7 additions & 0 deletions autogen/main/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -849,3 +849,10 @@ variable "enable_gcfs" {
}
{% endif %}
{% endif %}
{% if autopilot_cluster %}
variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."
type = bool
default = null
}
{% endif %}
1 change: 1 addition & 0 deletions modules/beta-autopilot-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ Then perform the following commands on the root folder:
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-autopilot-private-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,8 @@ resource "google_container_cluster" "primary" {

}

allow_net_admin = var.allow_net_admin

networking_mode = "VPC_NATIVE"

protect_config {
Expand Down
5 changes: 5 additions & 0 deletions modules/beta-autopilot-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -448,3 +448,8 @@ variable "timeouts" {
}
}

variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."
type = bool
default = null
}
1 change: 1 addition & 0 deletions modules/beta-autopilot-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ Then perform the following commands on the root folder:
| add\_master\_webhook\_firewall\_rules | Create master\_webhook firewall rules for ports defined in `firewall_inbound_ports` | `bool` | `false` | no |
| add\_shadow\_firewall\_rules | Create GKE shadow firewall (the same as default firewall rules with firewall logs enabled). | `bool` | `false` | no |
| additional\_ip\_range\_pods | List of _names_ of the additional secondary subnet ip ranges to use for pods | `list(string)` | `[]` | no |
| allow\_net\_admin | (Optional) Enable NET\_ADMIN for the cluster. | `bool` | `null` | no |
| authenticator\_security\_group | The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format [email protected] | `string` | `null` | no |
| cluster\_ipv4\_cidr | The IP address range of the kubernetes pods in this cluster. Default is an automatically assigned CIDR. | `string` | `null` | no |
| cluster\_resource\_labels | The GCE resource labels (a map of key/value pairs) to be applied to the cluster | `map(string)` | `{}` | no |
Expand Down
2 changes: 2 additions & 0 deletions modules/beta-autopilot-public-cluster/cluster.tf
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,8 @@ resource "google_container_cluster" "primary" {

}

allow_net_admin = var.allow_net_admin

networking_mode = "VPC_NATIVE"

protect_config {
Expand Down
5 changes: 5 additions & 0 deletions modules/beta-autopilot-public-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -418,3 +418,8 @@ variable "timeouts" {
}
}

variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."
type = bool
default = null
}

0 comments on commit 493149d

Please sign in to comment.