Implement node kernel module signature enforcement field. (#15679)

hankfreund · web-flow · commit 2ef4bb5b0bdc · 2025-12-03T21:01:01.000Z
diff --git a/mmv1/third_party/terraform/services/container/node_config.go.tmpl b/mmv1/third_party/terraform/services/container/node_config.go.tmpl
@@ -889,6 +889,23 @@ func schemaNodeConfig() *schema.Schema {
 								Description:      `cgroupMode specifies the cgroup mode to be used on the node.`,
 								DiffSuppressFunc: tpgresource.EmptyOrDefaultStringSuppress("CGROUP_MODE_UNSPECIFIED"),
 							},
+							"node_kernel_module_loading": {
+								Type:     schema.TypeList,
+								Optional: true,
+								MaxItems: 1,
+								Description: `The settings for kernel module loading.`,
+								Elem: &schema.Resource{
+									Schema: map[string]*schema.Schema{
+										"policy": {
+											Type:        schema.TypeString,
+											Optional:    true,
+											ValidateFunc: validation.StringInSlice([]string{"POLICY_UNSPECIFIED", "ENFORCE_SIGNED_MODULES", "DO_NOT_ENFORCE_SIGNED_MODULES"}, false),
+											Description: `The policy for kernel module loading.`,
+											DiffSuppressFunc: tpgresource.EmptyOrDefaultStringSuppress("POLICY_UNSPECIFIED"),
+										},
+									},
+								},
+							},
 							"transparent_hugepage_enabled": {
 								Type:             schema.TypeString,
 								Optional:         true,
@@ -1176,8 +1193,8 @@ func schemaNodePoolAutoConfigNodeKubeletConfig() *schema.Schema {
 	}
 }
 
-// Separate since this currently only supports a single value -- a subset of
-// the overall LinuxNodeConfig
+// Separate since this currently only supports a subset of the overall
+// LinuxNodeConfig
 func schemaNodePoolAutoConfigLinuxNodeConfig() *schema.Schema {
 	return &schema.Schema{
 		Type:        schema.TypeList,
@@ -1194,6 +1211,23 @@ func schemaNodePoolAutoConfigLinuxNodeConfig() *schema.Schema {
 					Description:      `cgroupMode specifies the cgroup mode to be used on the node.`,
 					DiffSuppressFunc: tpgresource.EmptyOrDefaultStringSuppress("CGROUP_MODE_UNSPECIFIED"),
 				},
+				"node_kernel_module_loading": {
+					Type:     schema.TypeList,
+					Optional: true,
+					MaxItems: 1,
+					Description: `The settings for kernel module loading.`,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"policy": {
+								Type:        schema.TypeString,
+								Optional:    true,
+								ValidateFunc: validation.StringInSlice([]string{"POLICY_UNSPECIFIED", "ENFORCE_SIGNED_MODULES", "DO_NOT_ENFORCE_SIGNED_MODULES"}, false),
+								Description: `The policy for kernel module loading.`,
+								DiffSuppressFunc: tpgresource.EmptyOrDefaultStringSuppress("POLICY_UNSPECIFIED"),
+							},
+						},
+					},
+				},
 			},
 		},
 	}
@@ -1893,6 +1927,10 @@ func expandLinuxNodeConfig(v interface{}) *container.LinuxNodeConfig {
 	if v, ok := cfg["hugepages_config"]; ok {
 		linuxNodeConfig.Hugepages = expandHugepagesConfig(v)
 	}
+	
+	if v, ok := cfg["node_kernel_module_loading"]; ok {
+		linuxNodeConfig.NodeKernelModuleLoading = expandNodeKernelModuleLoading(v)
+	}
 
 	return linuxNodeConfig
 }
@@ -1962,6 +2000,28 @@ func expandHugepagesConfig(v interface{}) *container.HugepagesConfig {
 	return hugepagesConfig
 }
 
+func expandNodeKernelModuleLoading(v interface{}) *container.NodeKernelModuleLoading {
+	if v == nil {
+		return nil
+	}
+	ls := v.([]interface{})
+	if len(ls) == 0 {
+		return nil
+	}
+	if ls[0] == nil {
+		return &container.NodeKernelModuleLoading{}
+	}
+	cfg := ls[0].(map[string]interface{})
+
+	NodeKernelModuleLoading := &container.NodeKernelModuleLoading{}
+
+	if v, ok := cfg["policy"]; ok {
+		NodeKernelModuleLoading.Policy = v.(string)
+	}
+
+	return NodeKernelModuleLoading
+}
+
 func expandContainerdConfig(v interface{}) *container.ContainerdConfig {
 	if v == nil {
 		return nil
@@ -2637,6 +2697,7 @@ func flattenLinuxNodeConfig(c *container.LinuxNodeConfig) []map[string]interface
 			"hugepages_config":             flattenHugepagesConfig(c.Hugepages),
 			"transparent_hugepage_enabled": c.TransparentHugepageEnabled,
 			"transparent_hugepage_defrag":  c.TransparentHugepageDefrag,
+			"node_kernel_module_loading":   flattenNodeKernelModuleLoading(c.NodeKernelModuleLoading),
 		})
 	}
 	return result
@@ -2663,6 +2724,16 @@ func flattenHugepagesConfig(c *container.HugepagesConfig) []map[string]interface
 	return result
 }
 
+func flattenNodeKernelModuleLoading(c *container.NodeKernelModuleLoading) []map[string]interface{} {
+	result := []map[string]interface{}{}
+	if c != nil {
+		result = append(result, map[string]interface{}{
+			"policy": c.Policy,
+		})
+	}
+	return result
+}
+
 func flattenContainerdConfig(c *container.ContainerdConfig) []map[string]interface{} {
 	result := []map[string]interface{}{}
 	if c == nil {
diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl b/mmv1/third_party/terraform/services/container/resource_container_cluster.go.tmpl
@@ -6957,9 +6957,32 @@ func expandNodePoolAutoConfig(configured interface{}) *container.NodePoolAutoCon
 		npac.ResourceManagerTags = expandResourceManagerTags(v)
 	}
 
+	if v, ok := config["linux_node_config"]; ok {
+		npac.LinuxNodeConfig = expandNodePoolAutoConfigLinuxNodeConfig(v)
+	}
+
 	return npac
 }
 
+func expandNodePoolAutoConfigLinuxNodeConfig(configured interface{}) *container.LinuxNodeConfig {
+	if configured == nil {
+		return nil
+	}
+	ls := configured.([]interface{})
+	if len(ls) == 0 {
+		return nil
+	}
+	if ls[0] == nil {
+		return &container.LinuxNodeConfig{}
+	}
+	config := ls[0].(map[string]interface{})
+	linuxNodeConfig := &container.LinuxNodeConfig{}
+	if v, ok := config["node_kernel_module_loading"]; ok {
+		linuxNodeConfig.NodeKernelModuleLoading = expandNodeKernelModuleLoading(v)
+	}
+	return linuxNodeConfig
+}
+
 func expandNodePoolAutoConfigNetworkTags(configured interface{}) *container.NetworkTags {
 	l := configured.([]interface{})
 	if len(l) == 0 || l[0] == nil {
@@ -8053,9 +8076,13 @@ func flattenNodePoolAutoConfig(c *container.NodePoolAutoConfig) []map[string]int
 		result["resource_manager_tags"] = flattenResourceManagerTags(c.ResourceManagerTags)
 	}
 	if c.LinuxNodeConfig != nil {
-		result["linux_node_config"] = []map[string]interface{}{
-			{"cgroup_mode": c.LinuxNodeConfig.CgroupMode},
+		linuxNodeConfig := map[string]interface{}{
+			"cgroup_mode": c.LinuxNodeConfig.CgroupMode,
+		}
+		if c.LinuxNodeConfig.NodeKernelModuleLoading != nil {
+			linuxNodeConfig["node_kernel_module_loading"] = flattenNodeKernelModuleLoading(c.LinuxNodeConfig.NodeKernelModuleLoading)
 		}
+		result["linux_node_config"] = []map[string]interface{}{linuxNodeConfig}
 	}
 
 	return []map[string]interface{}{result}
diff --git a/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl b/mmv1/third_party/terraform/services/container/resource_container_cluster_test.go.tmpl
@@ -2104,7 +2104,7 @@ func TestAccContainerCluster_withNodeConfigLinuxNodeConfig(t *testing.T) {
 		Steps: []resource.TestStep{
 			// First test with empty `node_config.linux_node_config` (should result in "CGROUP_MODE_UNSPECIFIED")
 			{
-				Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "", false),
+				Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "", false, ""),
 				ConfigPlanChecks: resource.ConfigPlanChecks{
 					PreApply: []plancheck.PlanCheck{
 						acctest.ExpectNoDelete(),
@@ -2119,7 +2119,7 @@ func TestAccContainerCluster_withNodeConfigLinuxNodeConfig(t *testing.T) {
 			},
 			// Then add a config and make sure it updates.
 			{
-				Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "CGROUP_MODE_V2", false),
+				Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "CGROUP_MODE_V2", false, ""),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(
 						"google_container_cluster.with_linux_node_config",
@@ -2140,7 +2140,7 @@ func TestAccContainerCluster_withNodeConfigLinuxNodeConfig(t *testing.T) {
 			},
 			// Lastly, update the setting in-place. V1 since UNSPECIFIED is default
 			{
-				Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "CGROUP_MODE_V1", false),
+				Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "CGROUP_MODE_V1", false, ""),
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(
 						"google_container_cluster.with_linux_node_config",
@@ -2161,29 +2161,75 @@ func TestAccContainerCluster_withNodeConfigLinuxNodeConfig(t *testing.T) {
 			},
 			// Update linux config transparent hugepage
 			{
-                                Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "", true),
-                                Check: resource.ComposeTestCheckFunc(
-                                        resource.TestCheckResourceAttr(
-                                                "google_container_cluster.with_linux_node_config",
-                                                "node_config.0.linux_node_config.0.transparent_hugepage_enabled", "TRANSPARENT_HUGEPAGE_ENABLED_ALWAYS",
-                                        ),
+				Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "", true, ""),
+				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr(
-                                                "google_container_cluster.with_linux_node_config",
-                                                "node_config.0.linux_node_config.0.transparent_hugepage_defrag", "TRANSPARENT_HUGEPAGE_DEFRAG_ALWAYS",
-                                        ),
-                                ),
-                                ConfigPlanChecks: resource.ConfigPlanChecks{
-                                        PreApply: []plancheck.PlanCheck{
-                                                acctest.ExpectNoDelete(),
-                                        },
-                                },
-                        },
-                        {
-                                ResourceName:            "google_container_cluster.with_linux_node_config",
-                                ImportState:             true,
-                                ImportStateVerify:       true,
-                                ImportStateVerifyIgnore: []string{"min_master_version", "deletion_protection"},
-                        },
+						"google_container_cluster.with_linux_node_config",
+            "node_config.0.linux_node_config.0.transparent_hugepage_enabled", "TRANSPARENT_HUGEPAGE_ENABLED_ALWAYS",
+					),
+					resource.TestCheckResourceAttr(
+						"google_container_cluster.with_linux_node_config",
+            "node_config.0.linux_node_config.0.transparent_hugepage_defrag", "TRANSPARENT_HUGEPAGE_DEFRAG_ALWAYS",
+          ),
+        ),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						acctest.ExpectNoDelete(),
+					},
+				},
+			},
+			{
+				ResourceName:            "google_container_cluster.with_linux_node_config",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"min_master_version", "deletion_protection"},
+			},
+			// Update node kernel module loading policy
+			{
+				Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "CGROUP_MODE_V2", false, "ENFORCE_SIGNED_MODULES"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"google_container_cluster.with_linux_node_config",
+						"node_config.0.linux_node_config.0.node_kernel_module_loading.0.policy", "ENFORCE_SIGNED_MODULES",
+					),
+					resource.TestCheckResourceAttr(
+						"google_container_cluster.with_linux_node_config",
+						"node_config.0.linux_node_config.0.cgroup_mode", "CGROUP_MODE_V2",
+					),
+				),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						acctest.ExpectNoDelete(),
+					},
+				},
+			},
+			{
+				ResourceName:            "google_container_cluster.with_linux_node_config",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"min_master_version", "deletion_protection"},
+			},
+			// Unset node kernel module loading policy
+			{
+				Config: testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, "", false, "DO_NOT_ENFORCE_SIGNED_MODULES"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"google_container_cluster.with_linux_node_config",
+						"node_config.0.linux_node_config.0.node_kernel_module_loading.0.policy", "DO_NOT_ENFORCE_SIGNED_MODULES",
+					),
+				),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						acctest.ExpectNoDelete(),
+					},
+				},
+			},
+			{
+				ResourceName:            "google_container_cluster.with_linux_node_config",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"min_master_version", "deletion_protection"},
+			},
 		},
 	})
 }
@@ -4424,7 +4470,7 @@ func TestAccContainerCluster_withAutopilot_withNodePoolAutoConfig(t *testing.T)
 				ResourceName:            "google_container_cluster.primary",
 				ImportState:             true,
 				ImportStateVerify:       true,
-				ImportStateVerifyIgnore: []string{"deletion_protection"},
+				ImportStateVerifyIgnore: []string{"min_master_version", "deletion_protection"},
 			},
 		},
 	})
@@ -9354,24 +9400,30 @@ resource "google_container_cluster" "with_node_config" {
 `, clusterName, networkName, subnetworkName)
 }
 
-func testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, cgroupMode string, thpEnabled bool) string {
-	// Empty block inside node_config if cgroupMode is empty
+func testAccContainerCluster_withNodeConfigLinuxNodeConfig(clusterName, networkName, subnetworkName, cgroupMode string, thpEnabled bool, nkmlPolicy string) string {
+	// Empty block inside node_config if sub-fields are empty
 	linuxNodeConfig := ""
 
-	if cgroupMode != "" {
-		linuxNodeConfig = fmt.Sprintf(`
-    linux_node_config {
-      cgroup_mode = "%s"
-    }
-`, cgroupMode)
-	}
-
-	if cgroupMode== "" && thpEnabled {
-	        linuxNodeConfig = `
-    linux_node_config {
-      transparent_hugepage_defrag = "TRANSPARENT_HUGEPAGE_DEFRAG_ALWAYS"
-      transparent_hugepage_enabled = "TRANSPARENT_HUGEPAGE_ENABLED_ALWAYS"
-    }`
+	if cgroupMode != "" || thpEnabled || nkmlPolicy != "" {
+		linuxNodeConfig = `linux_node_config {
+  		`
+		if cgroupMode != "" {
+			linuxNodeConfig = linuxNodeConfig + fmt.Sprintf(`cgroup_mode="%s"
+			`, cgroupMode)
+    }
+		if thpEnabled {
+			linuxNodeConfig = linuxNodeConfig + `
+			transparent_hugepage_defrag = "TRANSPARENT_HUGEPAGE_DEFRAG_ALWAYS"
+			transparent_hugepage_enabled = "TRANSPARENT_HUGEPAGE_ENABLED_ALWAYS"
+			`
+		}
+		if nkmlPolicy != "" {
+			linuxNodeConfig = linuxNodeConfig + fmt.Sprintf(`node_kernel_module_loading {
+				policy = "%s"
+			}
+			`, nkmlPolicy)
+		}
+		linuxNodeConfig = linuxNodeConfig + "}"
 	}
 
 	return fmt.Sprintf(`
@@ -9382,7 +9434,11 @@ resource "google_container_cluster" "with_linux_node_config" {
   name               = "%s"
   location           = "us-central1-f"
   initial_node_count = 1
-  min_master_version = data.google_container_engine_versions.central1a.latest_master_version
+  min_master_version = data.google_container_engine_versions.central1a.release_channel_latest_version["RAPID"]
+
+	release_channel {
+    channel = "RAPID"
+  }
 
   node_config {
     disk_size_gb = 15
@@ -13541,18 +13597,31 @@ resource "google_container_cluster" "primary" {
 `, name, networkName, subnetworkName)
 }
 
-
 func testAccContainerCluster_withAutopilot_withNodePoolAutoConfig(name, networkName, subnetworkName string, insecureKubeletReadonlyPortEnabled string) string {
   return fmt.Sprintf(`
+data "google_container_engine_versions" "uscentral1a" {
+  location = "us-central1-a"
+}
+
 resource "google_container_cluster" "primary" {
   name             = "%s"
   location         = "us-central1"
   enable_autopilot = true
+	min_master_version = data.google_container_engine_versions.uscentral1a.release_channel_latest_version["RAPID"]
+
+	release_channel {
+    channel = "RAPID"
+  }
 
 	node_pool_auto_config {
     node_kubelet_config {
       insecure_kubelet_readonly_port_enabled = "%s"
     }
+		linux_node_config {
+			node_kernel_module_loading {
+				policy = "ENFORCE_SIGNED_MODULES"
+			}
+		}
   }
 
   deletion_protection = false
diff --git a/mmv1/third_party/terraform/services/container/resource_container_node_pool_test.go.tmpl b/mmv1/third_party/terraform/services/container/resource_container_node_pool_test.go.tmpl
