container: add rbac config binding (#14692) (#10441)

modular-magician · web-flow · commit 92db0dc4ca27 · 2025-07-31T10:19:50.000-07:00
[upstream:e43963ca763cd7172e93626876d9b00686eb5d42]

Signed-off-by: Modular Magician &lt;magic-modules@google.com&gt;
diff --git a/.changelog/14692.txt b/.changelog/14692.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+container: added support for `rbac_binding_config` in `google_container_cluster`
+```
diff --git a/google-beta/services/container/resource_container_cluster.go b/google-beta/services/container/resource_container_cluster.go
@@ -2537,6 +2537,27 @@ func ResourceContainerCluster() *schema.Resource {
 					},
 				},
 			},
+			"rbac_binding_config": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				MaxItems:    1,
+				Computed:    true,
+				Description: `RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"enable_insecure_binding_system_unauthenticated": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: `Setting this to true will allow any ClusterRoleBinding and RoleBinding with subjects system:anonymous or system:unauthenticated.`,
+						},
+						"enable_insecure_binding_system_authenticated": {
+							Type:        schema.TypeBool,
+							Optional:    true,
+							Description: `Setting this to true will allow any ClusterRoleBinding and RoleBinding with subjects system:authenticated.`,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -2862,6 +2883,10 @@ func resourceContainerClusterCreate(d *schema.ResourceData, meta interface{}) er
 		cluster.AnonymousAuthenticationConfig = expandAnonymousAuthenticationConfig(v)
 	}
 
+	if v, ok := d.GetOk("rbac_binding_config"); ok {
+		cluster.RbacBindingConfig = expandRBACBindingConfig(v)
+	}
+
 	needUpdateAfterCreate := false
 
 	// For now PSC based cluster don't support `enable_private_endpoint` on `create`, but only on `update` API call.
@@ -3438,6 +3463,10 @@ func resourceContainerClusterRead(d *schema.ResourceData, meta interface{}) erro
 		return err
 	}
 
+	if err := d.Set("rbac_binding_config", flattenRBACBindingConfig(cluster.RbacBindingConfig)); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -4970,6 +4999,22 @@ func resourceContainerClusterUpdate(d *schema.ResourceData, meta interface{}) er
 		}
 	}
 
+	if d.HasChange("rbac_binding_config") {
+		req := &container.UpdateClusterRequest{
+			Update: &container.ClusterUpdate{
+				DesiredRbacBindingConfig: expandRBACBindingConfig(d.Get("rbac_binding_config")),
+				ForceSendFields:          []string{"DesiredRbacBindingConfig"},
+			}}
+
+		updateF := updateFunc(req, "updating GKE cluster RBAC binding config")
+		// Call update serially.
+		if err := transport_tpg.LockedCall(lockKey, updateF); err != nil {
+			return err
+		}
+
+		log.Printf("[INFO] GKE cluster %s's RBAC binding config has been updated", d.Id())
+	}
+
 	d.Partial(false)
 
 	if d.HasChange("cluster_telemetry") {
@@ -6523,6 +6568,20 @@ func expandWorkloadAltsConfig(configured interface{}) *container.WorkloadALTSCon
 	}
 }
 
+func expandRBACBindingConfig(configured interface{}) *container.RBACBindingConfig {
+	l := configured.([]interface{})
+	if len(l) == 0 || l[0] == nil {
+		return nil
+	}
+
+	config := l[0].(map[string]interface{})
+	return &container.RBACBindingConfig{
+		EnableInsecureBindingSystemUnauthenticated: config["enable_insecure_binding_system_unauthenticated"].(bool),
+		EnableInsecureBindingSystemAuthenticated:   config["enable_insecure_binding_system_authenticated"].(bool),
+		ForceSendFields:                            []string{"EnableInsecureBindingSystemUnauthenticated", "EnableInsecureBindingSystemAuthenticated"},
+	}
+}
+
 func flattenNotificationConfig(c *container.NotificationConfig) []map[string]interface{} {
 	if c == nil {
 		return nil
@@ -7501,6 +7560,18 @@ func flattenWorkloadAltsConfig(c *container.WorkloadALTSConfig) []map[string]int
 	}
 }
 
+func flattenRBACBindingConfig(c *container.RBACBindingConfig) []map[string]interface{} {
+	if c == nil {
+		return nil
+	}
+	return []map[string]interface{}{
+		{
+			"enable_insecure_binding_system_authenticated":   c.EnableInsecureBindingSystemAuthenticated,
+			"enable_insecure_binding_system_unauthenticated": c.EnableInsecureBindingSystemUnauthenticated,
+		},
+	}
+}
+
 func resourceContainerClusterStateImporter(d *schema.ResourceData, meta interface{}) ([]*schema.ResourceData, error) {
 	config := meta.(*transport_tpg.Config)
 
diff --git a/google-beta/services/container/resource_container_cluster_test.go b/google-beta/services/container/resource_container_cluster_test.go
@@ -14066,3 +14066,67 @@ resource "google_container_cluster" "primary" {
 }
  `, name, networkName, subnetworkName, mode)
 }
+
+func TestAccContainerCluster_RbacBindingConfig(t *testing.T) {
+	t.Parallel()
+
+	clusterName := fmt.Sprintf("tf-test-cluster-%s", acctest.RandString(t, 10))
+	networkName := acctest.BootstrapSharedTestNetwork(t, "gke-cluster")
+	subnetworkName := acctest.BootstrapSubnet(t, "gke-cluster", networkName)
+
+	acctest.VcrTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.AccTestPreCheck(t) },
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories(t),
+		CheckDestroy:             testAccCheckContainerClusterDestroyProducer(t),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccContainerCluster_RbacBindingConfig(clusterName, networkName, subnetworkName, true, true),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_cluster.primary", "rbac_binding_config.#", "1"),
+					resource.TestCheckResourceAttr("google_container_cluster.primary", "rbac_binding_config.0.enable_insecure_binding_system_unauthenticated", "true"),
+					resource.TestCheckResourceAttr("google_container_cluster.primary", "rbac_binding_config.0.enable_insecure_binding_system_authenticated", "true"),
+				),
+			},
+			{
+				ResourceName:            "google_container_cluster.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+			{
+				Config: testAccContainerCluster_RbacBindingConfig(clusterName, networkName, subnetworkName, false, false),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("google_container_cluster.primary", "rbac_binding_config.#", "1"),
+					resource.TestCheckResourceAttr("google_container_cluster.primary", "rbac_binding_config.0.enable_insecure_binding_system_unauthenticated", "false"),
+					resource.TestCheckResourceAttr("google_container_cluster.primary", "rbac_binding_config.0.enable_insecure_binding_system_authenticated", "false"),
+				),
+			},
+			{
+				ResourceName:            "google_container_cluster.primary",
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"deletion_protection"},
+			},
+		},
+	})
+}
+
+func testAccContainerCluster_RbacBindingConfig(clusterName, networkName, subnetworkName string, unauthenticated, authenticated bool) string {
+	return fmt.Sprintf(`
+resource "google_container_cluster" "primary" {
+  name               = "%s"
+  location           = "us-central1-a"
+  initial_node_count = 1
+
+  network    = "%s"
+  subnetwork = "%s"
+
+  rbac_binding_config {
+	enable_insecure_binding_system_unauthenticated = %t
+	enable_insecure_binding_system_authenticated   = %t
+  }
+
+  deletion_protection = false
+}
+`, clusterName, networkName, subnetworkName, unauthenticated, authenticated)
+}
diff --git a/website/docs/r/container_cluster.html.markdown b/website/docs/r/container_cluster.html.markdown
@@ -440,6 +440,8 @@ Fleet configuration for the cluster. Structure is [documented below](#nested_fle
 * `anonymous_authentication_config` - (Optional)
   Configuration for [anonymous authentication restrictions](https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict-anon-access). Structure is [documented below](#anonymous_authentication_config).
 
+* `rbac_binding_config` - (Optional)
+  RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. Structure is [documented below](#nested_rbac_binding_config).
 
 <a name="nested_default_snat_status"></a>The `default_snat_status` block supports
 
@@ -1574,6 +1576,11 @@ linux_node_config {
 
 * `mode` - (Optional) Sets or removes authentication restrictions. Available options include `LIMITED` and `ENABLED`.
 
+<a name="nested_rbac_binding_config"></a>The `rbac_binding_config` block supports:
+
+* `enable_insecure_binding_system_unauthenticated` - (Optional) Setting this to true will allow any ClusterRoleBinding and RoleBinding with subjects system:anonymous or system:unauthenticated.
+* `enable_insecure_binding_system_authenticated` - (Optional) Setting this to true will allow any ClusterRoleBinding and RoleBinding with subjects system:authenticated.
+
 
 ## Attributes Reference
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:enhancement
	`2`	+container: added support for `rbac_binding_config` in `google_container_cluster`
	`3`	+```