Merge pull request #1504 from salasberryfin/feat-support-workload-identity

feat: add fields to support workload identity & binary authorization

Author: k8s-ci-robot

cloud/services/container/clusters/reconcile.go

@@ -267,15 +267,20 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 		ReleaseChannel: &containerpb.ReleaseChannel{
 			Channel: convertToSdkReleaseChannel(s.scope.GCPManagedControlPlane.Spec.ReleaseChannel),
 		},
+		BinaryAuthorization: &containerpb.BinaryAuthorization{
+			EvaluationMode: convertToSdkBinaryAuthorizationEvaluationMode(s.scope.GCPManagedControlPlane.Spec.BinaryAuthorization),
+		},
 		ControlPlaneEndpointsConfig: &containerpb.ControlPlaneEndpointsConfig{
 			IpEndpointsConfig: &containerpb.ControlPlaneEndpointsConfig_IPEndpointsConfig{
 				AuthorizedNetworksConfig: convertToSdkMasterAuthorizedNetworksConfig(s.scope.GCPManagedControlPlane.Spec.MasterAuthorizedNetworksConfig),
 			},
 		},
 	}
+
 	if initialClusterVersionFromSpec := s.scope.GetControlPlaneVersion(); initialClusterVersionFromSpec != nil {
 		cluster.InitialClusterVersion = convertToSdkMasterVersion(*initialClusterVersionFromSpec)
 	}
+
 	if s.scope.GCPManagedControlPlane.Spec.ClusterNetwork != nil {
 		cn := s.scope.GCPManagedControlPlane.Spec.ClusterNetwork
 		if cn.UseIPAliases {
@@ -284,16 +289,19 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 			cluster.IpAllocationPolicy.ClusterIpv4CidrBlock = cn.Pod.CidrBlock
 			cluster.IpAllocationPolicy.ServicesIpv4CidrBlock = cn.Service.CidrBlock
 		}
+
 		if cn.PrivateCluster != nil {
 			cluster.PrivateClusterConfig = &containerpb.PrivateClusterConfig{}
 
 			enablePublicEndpoint := !cn.PrivateCluster.EnablePrivateEndpoint
 			cluster.ControlPlaneEndpointsConfig.IpEndpointsConfig.EnablePublicEndpoint = &enablePublicEndpoint
+
 			if cn.PrivateCluster.EnablePrivateEndpoint {
 				cluster.ControlPlaneEndpointsConfig.IpEndpointsConfig.AuthorizedNetworksConfig = &containerpb.MasterAuthorizedNetworksConfig{
 					Enabled: true,
 				}
 			}
+
 			cluster.NetworkConfig.DefaultEnablePrivateNodes = &cn.PrivateCluster.EnablePrivateNodes
 
 			cluster.PrivateClusterConfig.MasterIpv4CidrBlock = cn.PrivateCluster.ControlPlaneCidrBlock
@@ -306,16 +314,35 @@ func (s *Service) createCluster(ctx context.Context, log *logr.Logger) error {
 			}
 		}
 	}
+
 	if !s.scope.IsAutopilotCluster() {
 		cluster.NodePools = scope.ConvertToSdkNodePools(nodePools, machinePools, isRegional, cluster.GetName())
+
 		if s.scope.GCPManagedControlPlane.Spec.LoggingService != nil {
 			cluster.LoggingService = s.scope.GCPManagedControlPlane.Spec.LoggingService.String()
 		}
+
 		if s.scope.GCPManagedControlPlane.Spec.MonitoringService != nil {
 			cluster.MonitoringService = s.scope.GCPManagedControlPlane.Spec.MonitoringService.String()
 		}
 	}
 
+	if s.scope.GCPManagedControlPlane.Spec.ClusterSecurity != nil {
+		cs := s.scope.GCPManagedControlPlane.Spec.ClusterSecurity
+		if cs.WorkloadIdentityConfig != nil {
+			cluster.WorkloadIdentityConfig = &containerpb.WorkloadIdentityConfig{
+				WorkloadPool: cs.WorkloadIdentityConfig.WorkloadPool,
+			}
+		}
+
+		if cs.AuthenticatorGroupConfig != nil {
+			cluster.AuthenticatorGroupsConfig = &containerpb.AuthenticatorGroupsConfig{
+				Enabled:       true,
+				SecurityGroup: cs.AuthenticatorGroupConfig.SecurityGroups,
+			}
+		}
+	}
+
 	createClusterRequest := &containerpb.CreateClusterRequest{
 		Cluster: cluster,
 		Parent:  s.scope.ClusterLocation(),
@@ -425,6 +452,22 @@ func convertToSdkMasterAuthorizedNetworksConfig(config *infrav1exp.MasterAuthori
 	}
 }
 
+// convertToSdkBinaryAuthorizationEvaluationMode converts the BinaryAuthorization string to the SDK int32 value.
+func convertToSdkBinaryAuthorizationEvaluationMode(mode *infrav1exp.BinaryAuthorization) containerpb.BinaryAuthorization_EvaluationMode {
+	if mode == nil {
+		return containerpb.BinaryAuthorization_EVALUATION_MODE_UNSPECIFIED
+	}
+
+	switch *mode {
+	case infrav1exp.EvaluationModeDisabled:
+		return containerpb.BinaryAuthorization_DISABLED
+	case infrav1exp.EvaluationModeProjectSingletonPolicyEnforce:
+		return containerpb.BinaryAuthorization_PROJECT_SINGLETON_POLICY_ENFORCE
+	default:
+		return containerpb.BinaryAuthorization_EVALUATION_MODE_UNSPECIFIED
+	}
+}
+
 func (s *Service) checkDiffAndPrepareUpdate(existingCluster *containerpb.Cluster, log *logr.Logger) (bool, *containerpb.UpdateClusterRequest) {
 	log.V(4).Info("Checking diff and preparing update.")
 

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanes.yaml

@@ -66,6 +66,14 @@ spec:
           spec:
             description: GCPManagedControlPlaneSpec defines the desired state of GCPManagedControlPlane.
             properties:
+              binaryAuthorization:
+                description: |-
+                  BinaryAuthorization represents the mode of operation of Binary Authorization for the GKE cluster.
+                  This feature is disabled if this field is not specified.
+                enum:
+                - disabled
+                - project_singleton_policy_enforce
+                type: string
               clusterName:
                 description: |-
                   ClusterName allows you to specify the name of the GKE cluster.
@@ -132,6 +140,34 @@ spec:
                       pod IPs in the cluster.
                     type: boolean
                 type: object
+              clusterSecurity:
+                description: ClusterSecurity defines the cluster security.
+                properties:
+                  authenticatorGroupConfig:
+                    description: AuthenticatorGroupConfig is RBAC security group for
+                      use with Google security groups in Kubernetes RBAC.
+                    properties:
+                      securityGroups:
+                        description: SecurityGroups is the name of the security group-of-groups
+                          to be used.
+                        type: string
+                    required:
+                    - securityGroups
+                    type: object
+                  workloadIdentityConfig:
+                    description: |-
+                      WorkloadIdentityConfig allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM)
+                      service accounts to access Google Cloud services
+                    properties:
+                      workloadPool:
+                        description: |-
+                          WorkloadPool is the workload pool to attach all Kubernetes service accounts to Google Cloud services.
+                          Only relevant when enabled is true
+                        type: string
+                    required:
+                    - workloadPool
+                    type: object
+                type: object
               controlPlaneVersion:
                 description: |-
                   ControlPlaneVersion represents the control plane version of the GKE cluster.

config/crd/bases/infrastructure.cluster.x-k8s.io_gcpmanagedcontrolplanetemplates.yaml

@@ -53,6 +53,14 @@ spec:
                     description: GCPManagedControlPlaneTemplateResourceSpec specifies
                       an GCP managed control plane template resource.
                     properties:
+                      binaryAuthorization:
+                        description: |-
+                          BinaryAuthorization represents the mode of operation of Binary Authorization for the GKE cluster.
+                          This feature is disabled if this field is not specified.
+                        enum:
+                        - disabled
+                        - project_singleton_policy_enforce
+                        type: string
                       clusterNetwork:
                         description: ClusterNetwork define the cluster network.
                         properties:
@@ -115,6 +123,35 @@ spec:
                               pod IPs in the cluster.
                             type: boolean
                         type: object
+                      clusterSecurity:
+                        description: ClusterSecurity defines the cluster security.
+                        properties:
+                          authenticatorGroupConfig:
+                            description: AuthenticatorGroupConfig is RBAC security
+                              group for use with Google security groups in Kubernetes
+                              RBAC.
+                            properties:
+                              securityGroups:
+                                description: SecurityGroups is the name of the security
+                                  group-of-groups to be used.
+                                type: string
+                            required:
+                            - securityGroups
+                            type: object
+                          workloadIdentityConfig:
+                            description: |-
+                              WorkloadIdentityConfig allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM)
+                              service accounts to access Google Cloud services
+                            properties:
+                              workloadPool:
+                                description: |-
+                                  WorkloadPool is the workload pool to attach all Kubernetes service accounts to Google Cloud services.
+                                  Only relevant when enabled is true
+                                type: string
+                            required:
+                            - workloadPool
+                            type: object
+                        type: object
                       enableAutopilot:
                         description: EnableAutopilot indicates whether to enable autopilot
                           for this GKE cluster.

exp/api/v1beta1/gcpmanagedcontrolplane_types.go

@@ -113,6 +113,30 @@ type AuthenticatorGroupConfig struct {
 	SecurityGroups string `json:"securityGroups,omitempty"`
 }
 
+// BinaryAuthorization is the Binary Authorization evaluation mode of the GKE cluster
+// +kubebuilder:validation:Enum=disabled;project_singleton_policy_enforce
+type BinaryAuthorization string
+
+const (
+	// EvaluationModeDisabled disables BinaryAuthorization.
+	EvaluationModeDisabled BinaryAuthorization = "disabled"
+	// EvaluationModeProjectSingletonPolicyEnforce enforces Kubernetes admission requests with BinaryAuthorization using the
+	// project's singleton policy. This is equivalent to setting the
+	EvaluationModeProjectSingletonPolicyEnforce BinaryAuthorization = "project_singleton_policy_enforce"
+)
+
+// ClusterSecurity defines the cluster security options.
+type ClusterSecurity struct {
+	// WorkloadIdentityConfig allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM)
+	// service accounts to access Google Cloud services
+	// +optional
+	WorkloadIdentityConfig *WorkloadIdentityConfig `json:"workloadIdentityConfig,omitempty"`
+
+	// AuthenticatorGroupConfig is RBAC security group for use with Google security groups in Kubernetes RBAC.
+	// +optional
+	AuthenticatorGroupConfig *AuthenticatorGroupConfig `json:"authenticatorGroupConfig,omitempty"`
+}
+
 // GCPManagedControlPlaneSpec defines the desired state of GCPManagedControlPlane.
 type GCPManagedControlPlaneSpec struct {
 	GCPManagedControlPlaneClassSpec `json:",inline"`

exp/api/v1beta1/types_class.go

@@ -31,6 +31,10 @@ type GCPManagedControlPlaneClassSpec struct {
 	// +optional
 	ClusterNetwork *ClusterNetwork `json:"clusterNetwork,omitempty"`
 
+	// ClusterSecurity defines the cluster security.
+	// +optional
+	ClusterSecurity *ClusterSecurity `json:"clusterSecurity,omitempty"`
+
 	// Project is the name of the project to deploy the cluster to.
 	Project string `json:"project"`
 
@@ -50,6 +54,11 @@ type GCPManagedControlPlaneClassSpec struct {
 	// +optional
 	ReleaseChannel *ReleaseChannel `json:"releaseChannel,omitempty"`
 
+	// BinaryAuthorization represents the mode of operation of Binary Authorization for the GKE cluster.
+	// This feature is disabled if this field is not specified.
+	// +optional
+	BinaryAuthorization *BinaryAuthorization `json:"binaryAuthorization,omitempty"`
+
 	// MasterAuthorizedNetworksConfig represents configuration options for master authorized networks feature of the GKE cluster.
 	// This feature is disabled if this field is not specified.
 	// +optional