feat: add fields to support binary authorization

Signed-off-by: Carlos Salas <[email protected]>

Author: salasberryfin

cloud/services/container/clusters/reconcile.go

@@ -267,15 +267,20 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 		ReleaseChannel: &containerpb.ReleaseChannel{
 			Channel: convertToSdkReleaseChannel(s.scope.GCPManagedControlPlane.Spec.ReleaseChannel),
 		},
+		BinaryAuthorization: &containerpb.BinaryAuthorization{
+			EvaluationMode: convertToSdkBinaryAuthorizationEvaluationMode(s.scope.GCPManagedControlPlane.Spec.BinaryAuthorization),
+		},
 		ControlPlaneEndpointsConfig: &containerpb.ControlPlaneEndpointsConfig{
 			IpEndpointsConfig: &containerpb.ControlPlaneEndpointsConfig_IPEndpointsConfig{
 				AuthorizedNetworksConfig: convertToSdkMasterAuthorizedNetworksConfig(s.scope.GCPManagedControlPlane.Spec.MasterAuthorizedNetworksConfig),
 			},
 		},
 	}
+
 	if initialClusterVersionFromSpec := s.scope.GetControlPlaneVersion(); initialClusterVersionFromSpec != nil {
 		cluster.InitialClusterVersion = convertToSdkMasterVersion(*initialClusterVersionFromSpec)
 	}
+
 	if s.scope.GCPManagedControlPlane.Spec.ClusterNetwork != nil {
 		cn := s.scope.GCPManagedControlPlane.Spec.ClusterNetwork
 		if cn.UseIPAliases {
@@ -284,16 +289,19 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 			cluster.IpAllocationPolicy.ClusterIpv4CidrBlock = cn.Pod.CidrBlock
 			cluster.IpAllocationPolicy.ServicesIpv4CidrBlock = cn.Service.CidrBlock
 		}
+
 		if cn.PrivateCluster != nil {
 			cluster.PrivateClusterConfig = &containerpb.PrivateClusterConfig{}
 
 			enablePublicEndpoint := !cn.PrivateCluster.EnablePrivateEndpoint
 			cluster.ControlPlaneEndpointsConfig.IpEndpointsConfig.EnablePublicEndpoint = &enablePublicEndpoint
+
 			if cn.PrivateCluster.EnablePrivateEndpoint {
 				cluster.ControlPlaneEndpointsConfig.IpEndpointsConfig.AuthorizedNetworksConfig = &containerpb.MasterAuthorizedNetworksConfig{
 					Enabled: true,
 				}
 			}
+
 			cluster.NetworkConfig.DefaultEnablePrivateNodes = &cn.PrivateCluster.EnablePrivateNodes
 
 			cluster.PrivateClusterConfig.MasterIpv4CidrBlock = cn.PrivateCluster.ControlPlaneCidrBlock
@@ -442,6 +450,22 @@ func convertToSdkMasterAuthorizedNetworksConfig(config *infrav1exp.MasterAuthori
 	}
 }
 
+// convertToSdkBinaryAuthorizationEvaluationMode converts the BinaryAuthorization string to the SDK int32 value.
+func convertToSdkBinaryAuthorizationEvaluationMode(mode *infrav1exp.BinaryAuthorization) containerpb.BinaryAuthorization_EvaluationMode {
+	if mode == nil {
+		return containerpb.BinaryAuthorization_EVALUATION_MODE_UNSPECIFIED
+	}
+
+	switch *mode {
+	case infrav1exp.EvaluationModeDisabled:
+		return containerpb.BinaryAuthorization_DISABLED
+	case infrav1exp.EvaluationModeProjectSingletonPolicyEnforce:
+		return containerpb.BinaryAuthorization_PROJECT_SINGLETON_POLICY_ENFORCE
+	default:
+		return containerpb.BinaryAuthorization_EVALUATION_MODE_UNSPECIFIED
+	}
+}
+
 func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster, log *logr.Logger) (bool, *containerpb.UpdateClusterRequest) {
 	log.V(4).Info("Checking diff and preparing update.")
 

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml

@@ -66,6 +66,14 @@ spec:
           spec:
             description: GCPManagedControlPlaneSpec defines the desired state of GCPManagedControlPlane.
             properties:
+              binaryAuthorization:
+                description: |-
+                  BinaryAuthorization represents the mode of operation of Binary Authorization for the GKE cluster.
+                  This feature is disabled if this field is not specified.
+                enum:
+                - disabled
+                - project_singleton_policy_enforce
+                type: string
               clusterName:
                 description: |-
                   ClusterName allows you to specify the name of the GKE cluster.

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanetemplates.yaml

@@ -53,6 +53,14 @@ spec:
                     description: GCPManagedControlPlaneTemplateResourceSpec specifies
                       an GCP managed control plane template resource.
                     properties:
+                      binaryAuthorization:
+                        description: |-
+                          BinaryAuthorization represents the mode of operation of Binary Authorization for the GKE cluster.
+                          This feature is disabled if this field is not specified.
+                        enum:
+                        - disabled
+                        - project_singleton_policy_enforce
+                        type: string
                       clusterNetwork:
                         description: ClusterNetwork define the cluster network.
                         properties:

exp/api/v1beta1/gcpmanagedcontrolplane_types.go

@@ -113,6 +113,18 @@ type AuthenticatorGroupConfig struct {
 	SecurityGroups string `json:"securityGroups,omitempty"`
 }
 
+// BinaryAuthorization is the Binary Authorization evaluation mode of the GKE cluster
+// +kubebuilder:validation:Enum=disabled;project_singleton_policy_enforce
+type BinaryAuthorization string
+
+const (
+	// EvaluationModeDisabled disables BinaryAuthorization.
+	EvaluationModeDisabled BinaryAuthorization = "disabled"
+	// EvaluationModeProjectSingletonPolicyEnforce enforces Kubernetes admission requests with BinaryAuthorization using the
+	// project's singleton policy. This is equivalent to setting the
+	EvaluationModeProjectSingletonPolicyEnforce BinaryAuthorization = "project_singleton_policy_enforce"
+)
+
 // ClusterSecurity defines the cluster security options.
 type ClusterSecurity struct {
 	// WorkloadIdentityConfig allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM)

exp/api/v1beta1/types_class.go

@@ -54,6 +54,11 @@ type GCPManagedControlPlaneClassSpec struct {
 	// +optional
 	ReleaseChannel *ReleaseChannel `json:"releaseChannel,omitempty"`
 
+	// BinaryAuthorization represents the mode of operation of Binary Authorization for the GKE cluster.
+	// This feature is disabled if this field is not specified.
+	// +optional
+	BinaryAuthorization *BinaryAuthorization `json:"binaryAuthorization,omitempty"`
+
 	// MasterAuthorizedNetworksConfig represents configuration options for master authorized networks feature of the GKE cluster.
 	// This feature is disabled if this field is not specified.
 	// +optional