Merge pull request #241 from paulpalamarchuk/add_sandbox_config_param

morgante · web-flow · commit dbda452b9746 · 2019-08-28T17:01:54.000-04:00
Add flag to enable GKE Sandbox
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 ## [Unreleased]
 ### Added
 
+* Added `sandbox_enabled` variable to use GKE Sandbox [#241]
 * Added `grant_registry_access` variable to grant Container Registry access to created SA [#236]
 * Support for Intranode Visbiility (IV) and Veritical Pod Autoscaling (VPA) beta features [#216]
 * Support for Workload Identity beta feature [#234]
@@ -171,6 +172,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 [v0.3.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.2.0...v0.3.0
 [v0.2.0]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/compare/v0.1.0...v0.2.0
 
+[#241]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/241
 [#250]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/250
 [#236]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/236
 [#217]: https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/pull/217
diff --git a/autogen/cluster.tf b/autogen/cluster.tf
@@ -158,6 +158,14 @@ resource "google_container_cluster" "primary" {
           node_metadata = workload_metadata_config.value.node_metadata
         }
       }
+
+      dynamic "sandbox_config" {
+        for_each = local.cluster_sandbox_enabled
+
+        content {
+          sandbox_type = sandbox_config.value
+        }
+      }
       {% endif %}
     }
   }
diff --git a/autogen/main.tf b/autogen/main.tf
@@ -75,6 +75,8 @@ locals {
     security_group = var.authenticator_security_group
   }]
 
+  cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : []
+
 {% endif %}
 
   cluster_output_name           = google_container_cluster.primary.name
diff --git a/autogen/variables.tf b/autogen/variables.tf
@@ -371,6 +371,12 @@ variable "node_metadata" {
   default     = "UNSPECIFIED"
 }
 
+variable "sandbox_enabled" {
+  type        = bool
+  description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+  default     = false
+}
+
 variable "enable_intranode_visibility" {
   type        = bool
   description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -191,6 +191,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -149,6 +149,14 @@ resource "google_container_cluster" "primary" {
           node_metadata = workload_metadata_config.value.node_metadata
         }
       }
+
+      dynamic "sandbox_config" {
+        for_each = local.cluster_sandbox_enabled
+
+        content {
+          sandbox_type = sandbox_config.value
+        }
+      }
     }
   }
 
diff --git a/modules/beta-private-cluster/main.tf b/modules/beta-private-cluster/main.tf
@@ -70,6 +70,8 @@ locals {
     security_group = var.authenticator_security_group
   }]
 
+  cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : []
+
 
   cluster_output_name           = google_container_cluster.primary.name
   cluster_output_location       = google_container_cluster.primary.location
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -368,6 +368,12 @@ variable "node_metadata" {
   default     = "UNSPECIFIED"
 }
 
+variable "sandbox_enabled" {
+  type        = bool
+  description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+  default     = false
+}
+
 variable "enable_intranode_visibility" {
   type        = bool
   description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -182,6 +182,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | bool | `"true"` | no |
 | remove\_default\_node\_pool | Remove default node pool while setting up the cluster | bool | `"false"` | no |
+| sandbox\_enabled | (Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it). | bool | `"false"` | no |
 | service\_account | The service account to run nodes as if not overridden in `node_pools`. The create_service_account variable default value (true) will cause a cluster-specific service account to be created. | string | `""` | no |
 | stub\_domains | Map of stub domains and their resolvers to forward DNS queries for a certain domain to an external DNS server | map(list(string)) | `<map>` | no |
 | subnetwork | The subnetwork to host the cluster in (required) | string | n/a | yes |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -149,6 +149,14 @@ resource "google_container_cluster" "primary" {
           node_metadata = workload_metadata_config.value.node_metadata
         }
       }
+
+      dynamic "sandbox_config" {
+        for_each = local.cluster_sandbox_enabled
+
+        content {
+          sandbox_type = sandbox_config.value
+        }
+      }
     }
   }
 
diff --git a/modules/beta-public-cluster/main.tf b/modules/beta-public-cluster/main.tf
@@ -70,6 +70,8 @@ locals {
     security_group = var.authenticator_security_group
   }]
 
+  cluster_sandbox_enabled = var.sandbox_enabled ? ["gvisor"] : []
+
 
   cluster_output_name           = google_container_cluster.primary.name
   cluster_output_location       = google_container_cluster.primary.location
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
@@ -344,6 +344,12 @@ variable "node_metadata" {
   default     = "UNSPECIFIED"
 }
 
+variable "sandbox_enabled" {
+  type        = bool
+  description = "(Beta) Enable GKE Sandbox (Do not forget to set `image_type` = `COS_CONTAINERD` and `node_version` = `1.12.7-gke.17` or later to use it)."
+  default     = false
+}
+
 variable "enable_intranode_visibility" {
   type        = bool
   description = "Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network"

Original file line number	Diff line number	Diff line change
`@@ -158,6 +158,14 @@ resource "google_container_cluster" "primary" {`
`158`	`158`	`node_metadata = workload_metadata_config.value.node_metadata`
`159`	`159`	`}`
`160`	`160`	`}`
	`161`	`+`
	`162`	`+ dynamic "sandbox_config" {`
	`163`	`+ for_each = local.cluster_sandbox_enabled`
	`164`	`+`
	`165`	`+ content {`
	`166`	`+ sandbox_type = sandbox_config.value`
	`167`	`+ }`
	`168`	`+ }`
`161`	`169`	`{% endif %}`
`162`	`170`	`}`
`163`	`171`	`}`
Original file line number	Diff line number	Diff line change
`@@ -149,6 +149,14 @@ resource "google_container_cluster" "primary" {`
`149`	`149`	`node_metadata = workload_metadata_config.value.node_metadata`
`150`	`150`	`}`
`151`	`151`	`}`
	`152`	`+`
	`153`	`+ dynamic "sandbox_config" {`
	`154`	`+ for_each = local.cluster_sandbox_enabled`
	`155`	`+`
	`156`	`+ content {`
	`157`	`+ sandbox_type = sandbox_config.value`
	`158`	`+ }`
	`159`	`+ }`
`152`	`160`	`}`
`153`	`161`	`}`
`154`	`162`