Skip to content

Commit

Permalink
feat!: enabling vulnerability and audit modes for workloads (#1749)
Browse files Browse the repository at this point in the history
Signed-off-by: Manuel Morejon <[email protected]>
  • Loading branch information
mmorejon authored Oct 10, 2023
1 parent 2b48458 commit 7bfd6fe
Show file tree
Hide file tree
Showing 21 changed files with 72 additions and 13 deletions.
3 changes: 2 additions & 1 deletion autogen/main/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -548,14 +548,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
4 changes: 4 additions & 0 deletions autogen/safer-cluster/main.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -200,4 +200,8 @@ module "gke" {
timeouts = var.timeouts

enable_gcfs = var.enable_gcfs

// Enabling vulnerability and audit for workloads
workload_vulnerability_mode = var.workload_vulnerability_mode
workload_config_audit_mode = var.workload_config_audit_mode
}
12 changes: 12 additions & 0 deletions autogen/safer-cluster/variables.tf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -496,3 +496,15 @@ variable "enable_mesh_certificates" {
default = false
description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
2 changes: 1 addition & 1 deletion modules/beta-autopilot-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ Then perform the following commands on the root folder:
| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-autopilot-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -373,14 +373,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-autopilot-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,7 @@ Then perform the following commands on the root folder:
| subnetwork | The subnetwork to host the cluster in (required) | `string` | n/a | yes |
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-autopilot-public-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -343,14 +343,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-private-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -273,7 +273,7 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-private-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -518,14 +518,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-private-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -251,7 +251,7 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-private-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -518,14 +518,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-public-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,7 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-public-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -488,14 +488,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 1 addition & 1 deletion modules/beta-public-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -240,7 +240,7 @@ Then perform the following commands on the root folder:
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing Windows node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Worload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in (optional if regional cluster / required if zonal) | `list(string)` | `[]` | no |

Expand Down
3 changes: 2 additions & 1 deletion modules/beta-public-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -488,14 +488,15 @@ variable "enable_confidential_nodes" {
description = "An optional flag to enable confidential node config."
default = false
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Worload config audit mode."
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
Expand Down
2 changes: 2 additions & 0 deletions modules/safer-cluster-update-variant/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,8 @@ For simplicity, we suggest using `roles/container.admin` and
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in | `list(string)` | `[]` | no |

## Outputs
Expand Down
4 changes: 4 additions & 0 deletions modules/safer-cluster-update-variant/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -196,4 +196,8 @@ module "gke" {
timeouts = var.timeouts

enable_gcfs = var.enable_gcfs

// Enabling vulnerability and audit for workloads
workload_vulnerability_mode = var.workload_vulnerability_mode
workload_config_audit_mode = var.workload_config_audit_mode
}
12 changes: 12 additions & 0 deletions modules/safer-cluster-update-variant/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -496,3 +496,15 @@ variable "enable_mesh_certificates" {
default = false
description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}
2 changes: 2 additions & 0 deletions modules/safer-cluster/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -272,6 +272,8 @@ For simplicity, we suggest using `roles/container.admin` and
| timeouts | Timeout for cluster operations. | `map(string)` | `{}` | no |
| upstream\_nameservers | If specified, the values replace the nameservers taken by default from the node’s /etc/resolv.conf | `list(string)` | `[]` | no |
| windows\_node\_pools | List of maps containing node pools | `list(map(string))` | `[]` | no |
| workload\_config\_audit\_mode | (beta) Workload config audit mode. | `string` | `"DISABLED"` | no |
| workload\_vulnerability\_mode | (beta) Vulnerability mode. | `string` | `""` | no |
| zones | The zones to host the cluster in | `list(string)` | `[]` | no |

## Outputs
Expand Down
4 changes: 4 additions & 0 deletions modules/safer-cluster/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -196,4 +196,8 @@ module "gke" {
timeouts = var.timeouts

enable_gcfs = var.enable_gcfs

// Enabling vulnerability and audit for workloads
workload_vulnerability_mode = var.workload_vulnerability_mode
workload_config_audit_mode = var.workload_config_audit_mode
}
12 changes: 12 additions & 0 deletions modules/safer-cluster/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -496,3 +496,15 @@ variable "enable_mesh_certificates" {
default = false
description = "Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity."
}

variable "workload_vulnerability_mode" {
description = "(beta) Vulnerability mode."
type = string
default = ""
}

variable "workload_config_audit_mode" {
description = "(beta) Workload config audit mode."
type = string
default = "DISABLED"
}

0 comments on commit 7bfd6fe

Please sign in to comment.