Restrict node access to cluster metadata service

Author: marko7460

autogen/cluster_regional.tf

@@ -106,6 +106,11 @@ resource "google_container_cluster" "primary" {
 
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      {% if beta_cluster %}
+      workload_metadata_config {
+        node_metadata = "${var.node_metadata}"
+      }
+      {% endif %}
     }
   }
 {% if private_cluster %}
@@ -168,6 +173,12 @@ resource "google_container_node_pool" "pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+    {% if beta_cluster %}
+
+    workload_metadata_config {
+      node_metadata = "${var.node_metadata}"
+    }
+    {% endif %}
   }
 
   lifecycle {

autogen/cluster_zonal.tf

@@ -169,6 +169,12 @@ resource "google_container_node_pool" "zonal_pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+    {% if beta_cluster %}
+
+    workload_metadata_config {
+      node_metadata = "${var.node_metadata}"
+    }
+    {% endif %}
   }
 
   lifecycle {

autogen/variables.tf

@@ -300,6 +300,11 @@ variable "pod_security_policy_config" {
     "enabled" = false
   }]
 }
+
+variable "node_metadata" {
+  description = "Specifies how node metadata is exposed to the workload running on the node"
+  default     = "UNSPECIFIED"
+}
 {% endif %}
 
 variable "basic_auth_username" {

modules/beta-private-cluster/README.md

@@ -154,6 +154,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy | Enable network policy addon | string | `"false"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
+| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no |
 | node\_pools | List of maps containing node pools | list | `<list>` | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `<map>` | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `<map>` | no |

modules/beta-private-cluster/cluster_regional.tf

@@ -102,6 +102,9 @@ resource "google_container_cluster" "primary" {
 
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      workload_metadata_config {
+        node_metadata = "${var.node_metadata}"
+      }
     }
   }
 
@@ -160,6 +163,10 @@ resource "google_container_node_pool" "pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+
+    workload_metadata_config {
+      node_metadata = "${var.node_metadata}"
+    }
   }
 
   lifecycle {

modules/beta-private-cluster/cluster_zonal.tf

@@ -161,6 +161,10 @@ resource "google_container_node_pool" "zonal_pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+
+    workload_metadata_config {
+      node_metadata = "${var.node_metadata}"
+    }
   }
 
   lifecycle {

modules/beta-private-cluster/variables.tf

@@ -302,6 +302,11 @@ variable "pod_security_policy_config" {
   }]
 }
 
+variable "node_metadata" {
+  description = "Specifies how node metadata is exposed to the workload running on the node"
+  default     = "UNSPECIFIED"
+}
+
 variable "basic_auth_username" {
   description = "The username to be used with Basic Authentication. An empty value will disable Basic Authentication, which is the recommended configuration."
   default     = ""

modules/beta-public-cluster/README.md

@@ -145,6 +145,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy | Enable network policy addon | string | `"false"` | no |
 | network\_policy\_provider | The network policy provider. | string | `"CALICO"` | no |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | string | `""` | no |
+| node\_metadata | Specifies how node metadata is exposed to the workload running on the node | string | `"UNSPECIFIED"` | no |
 | node\_pools | List of maps containing node pools | list | `<list>` | no |
 | node\_pools\_labels | Map of maps containing node labels by node-pool name | map | `<map>` | no |
 | node\_pools\_metadata | Map of maps containing node metadata by node-pool name | map | `<map>` | no |

modules/beta-public-cluster/cluster_regional.tf

@@ -102,6 +102,9 @@ resource "google_container_cluster" "primary" {
 
     node_config {
       service_account = "${lookup(var.node_pools[0], "service_account", local.service_account)}"
+      workload_metadata_config {
+        node_metadata = "${var.node_metadata}"
+      }
     }
   }
 
@@ -154,6 +157,10 @@ resource "google_container_node_pool" "pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+
+    workload_metadata_config {
+      node_metadata = "${var.node_metadata}"
+    }
   }
 
   lifecycle {

modules/beta-public-cluster/cluster_zonal.tf

@@ -155,6 +155,10 @@ resource "google_container_node_pool" "zonal_pools" {
       type  = "${lookup(var.node_pools[count.index], "accelerator_type", "")}"
       count = "${lookup(var.node_pools[count.index], "accelerator_count", 0)}"
     }
+
+    workload_metadata_config {
+      node_metadata = "${var.node_metadata}"
+    }
   }
 
   lifecycle {