feat(cgroup): add support for configuring Linux cgroup mode in autopilot clusters (#2282)

Author: Ameausoone

autogen/main/cluster.tf.tmpl

@@ -286,10 +286,13 @@ resource "google_container_cluster" "primary" {
   }
 {% if autopilot_cluster %}
   dynamic "node_pool_auto_config" {
-    for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
+    for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : length(var.network_tags) > 0 ? var.network_tags : null
+      dynamic "network_tags" {
+        for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : length(var.network_tags) > 0 ? var.network_tags : null
+        }
       }
 
       dynamic "node_kubelet_config" {
@@ -298,6 +301,12 @@ resource "google_container_cluster" "primary" {
           insecure_kubelet_readonly_port_enabled = upper(tostring(var.insecure_kubelet_readonly_port_enabled))
         }
       }
+      dynamic "linux_node_config" {
+        for_each = var.node_pools_cgroup_mode != null ? [1] : []
+        content {
+          cgroup_mode = var.node_pools_cgroup_mode
+        }
+      }
     }
   }
 {% endif %}

autogen/main/variables.tf.tmpl

@@ -114,6 +114,23 @@ variable "insecure_kubelet_readonly_port_enabled" {
   default     = null
 }
 
+{% if autopilot_cluster %}
+variable "node_pools_cgroup_mode" {
+  type = string
+  description = "Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management."
+  validation {
+    condition = var.node_pools_cgroup_mode == null || contains([
+      "",
+      "CGROUP_MODE_UNSPECIFIED",
+      "CGROUP_MODE_V1",
+      "CGROUP_MODE_V2"
+    ], var.node_pools_cgroup_mode != null ? var.node_pools_cgroup_mode : "")
+    error_message = "The node_pools_cgroup_mode must be one of CGROUP_MODE_UNSPECIFIED, CGROUP_MODE_V1, or CGROUP_MODE_V2."
+  }
+  default = null
+}
+
+{% endif %}
 {% if autopilot_cluster != true %}
 variable "datapath_provider" {
   type        = string

examples/simple_autopilot_private/main.tf

@@ -50,6 +50,7 @@ module "gke" {
   enable_private_endpoint                = true
   enable_private_nodes                   = true
   network_tags                           = [local.cluster_type]
+  node_pools_cgroup_mode                 = "CGROUP_MODE_V2"
   deletion_protection                    = false
   insecure_kubelet_readonly_port_enabled = false
 }

examples/simple_autopilot_private_cmek/main.tf

@@ -71,6 +71,7 @@ module "gke" {
   enable_private_endpoint         = true
   enable_private_nodes            = true
   network_tags                    = [local.cluster_type]
+  node_pools_cgroup_mode          = "CGROUP_MODE_V2"
   deletion_protection             = false
   boot_disk_kms_key               = values(module.kms.keys)[0]
   depends_on                      = [google_kms_crypto_key_iam_member.main]

examples/simple_autopilot_private_non_default_sa/main.tf

@@ -49,6 +49,7 @@ module "gke" {
   enable_vertical_pod_autoscaling = true
   enable_private_endpoint         = true
   enable_private_nodes            = true
+  node_pools_cgroup_mode          = "CGROUP_MODE_V2"
   deletion_protection             = false
 
   master_authorized_networks = [

examples/simple_autopilot_public/main.tf

@@ -47,6 +47,7 @@ module "gke" {
   release_channel                 = "RAPID"
   enable_vertical_pod_autoscaling = true
   network_tags                    = [local.cluster_type]
+  node_pools_cgroup_mode          = "CGROUP_MODE_V2"
   deletion_protection             = false
   enable_l4_ilb_subsetting        = true
   stateful_ha                     = false

modules/beta-autopilot-private-cluster/README.md

@@ -136,6 +136,7 @@ Then perform the following commands on the root folder:
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| node\_pools\_cgroup\_mode | Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management. | `string` | `null` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |

modules/beta-autopilot-private-cluster/cluster.tf

@@ -142,10 +142,13 @@ resource "google_container_cluster" "primary" {
     }
   }
   dynamic "node_pool_auto_config" {
-    for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
+    for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null || var.node_pools_cgroup_mode != null ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : length(var.network_tags) > 0 ? var.network_tags : null
+      dynamic "network_tags" {
+        for_each = length(var.network_tags) > 0 || var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules || var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules || var.add_master_webhook_firewall_rules || var.add_shadow_firewall_rules ? concat(var.network_tags, [local.cluster_network_tag]) : length(var.network_tags) > 0 ? var.network_tags : null
+        }
       }
 
       dynamic "node_kubelet_config" {
@@ -154,6 +157,12 @@ resource "google_container_cluster" "primary" {
           insecure_kubelet_readonly_port_enabled = upper(tostring(var.insecure_kubelet_readonly_port_enabled))
         }
       }
+      dynamic "linux_node_config" {
+        for_each = var.node_pools_cgroup_mode != null ? [1] : []
+        content {
+          cgroup_mode = var.node_pools_cgroup_mode
+        }
+      }
     }
   }
 

modules/beta-autopilot-private-cluster/variables.tf

@@ -114,6 +114,21 @@ variable "insecure_kubelet_readonly_port_enabled" {
   default     = null
 }
 
+variable "node_pools_cgroup_mode" {
+  type        = string
+  description = "Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management."
+  validation {
+    condition = var.node_pools_cgroup_mode == null || contains([
+      "",
+      "CGROUP_MODE_UNSPECIFIED",
+      "CGROUP_MODE_V1",
+      "CGROUP_MODE_V2"
+    ], var.node_pools_cgroup_mode != null ? var.node_pools_cgroup_mode : "")
+    error_message = "The node_pools_cgroup_mode must be one of CGROUP_MODE_UNSPECIFIED, CGROUP_MODE_V1, or CGROUP_MODE_V2."
+  }
+  default = null
+}
+
 variable "maintenance_start_time" {
   type        = string
   description = "Time window specified for daily or recurring maintenance operations in RFC3339 format"

modules/beta-autopilot-public-cluster/README.md

@@ -126,6 +126,7 @@ Then perform the following commands on the root folder:
 | network | The VPC network to host the cluster in (required) | `string` | n/a | yes |
 | network\_project\_id | The project ID of the shared VPC's host (for shared vpc support) | `string` | `""` | no |
 | network\_tags | (Optional) - List of network tags applied to auto-provisioned node pools. | `list(string)` | `[]` | no |
+| node\_pools\_cgroup\_mode | Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management. | `string` | `null` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | `list(string)` | <pre>[<br>  "10.0.0.0/8",<br>  "172.16.0.0/12",<br>  "192.168.0.0/16"<br>]</pre> | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |