feat: add support for multi networking (#2385)

DrFaust92 · web-flow · commit e4223ac52021 · 2025-07-15T16:24:07.000-07:00
Signed-off-by: drfaust92 &lt;ilia.lazebnik@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -178,6 +178,7 @@ Then perform the following commands on the root folder:
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
+| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -253,6 +253,8 @@ resource "google_container_cluster" "primary" {
 
   disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
 
+  enable_multi_networking = var.enable_multi_networking
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   in_transit_encryption_config = var.in_transit_encryption_config
diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl
@@ -1016,6 +1016,12 @@ variable "disable_l4_lb_firewall_reconciliation" {
   description = "Disable L4 Load Balancer firewall reconciliation"
   default     = null
 }
+
+variable "enable_multi_networking" {
+  type        = bool
+  description = "Whether multi-networking is enabled for this cluster"
+  default     = null
+}
 {% if beta_cluster %}
   {% if autopilot_cluster != true %}
 
diff --git a/cluster.tf b/cluster.tf
@@ -192,6 +192,8 @@ resource "google_container_cluster" "primary" {
 
   disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
 
+  enable_multi_networking = var.enable_multi_networking
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   in_transit_encryption_config = var.in_transit_encryption_config
diff --git a/metadata.display.yaml b/metadata.display.yaml
@@ -141,6 +141,9 @@ spec:
         enable_mesh_certificates:
           name: enable_mesh_certificates
           title: Enable Mesh Certificates
+        enable_multi_networking:
+          name: enable_multi_networking
+          title: Enable Multi Networking
         enable_network_egress_export:
           name: enable_network_egress_export
           title: Enable Network Egress Export
diff --git a/metadata.yaml b/metadata.yaml
@@ -712,6 +712,9 @@ spec:
       - name: disable_l4_lb_firewall_reconciliation
         description: Disable L4 Load Balancer firewall reconciliation
         varType: bool
+      - name: enable_multi_networking
+        description: Whether multi-networking is enabled for this cluster
+        varType: bool
       - name: enable_identity_service
         description: (Optional) Enable the Identity Service component, which allows customers to use external identity providers with the K8S API.
         varType: bool
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md
@@ -97,6 +97,7 @@ Then perform the following commands on the root folder:
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
+| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
 | enable\_private\_nodes | Whether nodes have internal IP addresses only | `bool` | `true` | no |
diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf
@@ -112,6 +112,8 @@ resource "google_container_cluster" "primary" {
 
   disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
 
+  enable_multi_networking = var.enable_multi_networking
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   in_transit_encryption_config = var.in_transit_encryption_config
diff --git a/modules/beta-autopilot-private-cluster/metadata.display.yaml b/modules/beta-autopilot-private-cluster/metadata.display.yaml
@@ -103,6 +103,9 @@ spec:
         enable_l4_ilb_subsetting:
           name: enable_l4_ilb_subsetting
           title: Enable L4 Ilb Subsetting
+        enable_multi_networking:
+          name: enable_multi_networking
+          title: Enable Multi Networking
         enable_network_egress_export:
           name: enable_network_egress_export
           title: Enable Network Egress Export
diff --git a/modules/beta-autopilot-private-cluster/metadata.yaml b/modules/beta-autopilot-private-cluster/metadata.yaml
@@ -461,6 +461,9 @@ spec:
       - name: disable_l4_lb_firewall_reconciliation
         description: Disable L4 Load Balancer firewall reconciliation
         varType: bool
+      - name: enable_multi_networking
+        description: Whether multi-networking is enabled for this cluster
+        varType: bool
       - name: allow_net_admin
         description: (Optional) Enable NET_ADMIN for the cluster.
         varType: bool
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
@@ -595,6 +595,12 @@ variable "disable_l4_lb_firewall_reconciliation" {
   default     = null
 }
 
+variable "enable_multi_networking" {
+  type        = bool
+  description = "Whether multi-networking is enabled for this cluster"
+  default     = null
+}
+
 variable "allow_net_admin" {
   description = "(Optional) Enable NET_ADMIN for the cluster."
   type        = bool
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
@@ -90,6 +90,7 @@ Then perform the following commands on the root folder:
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |
 | enable\_fqdn\_network\_policy | Enable FQDN Network Policies on the cluster | `bool` | `null` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
+| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
 | enable\_secret\_manager\_addon | Enable the Secret Manager add-on for this cluster | `bool` | `false` | no |
diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf
@@ -112,6 +112,8 @@ resource "google_container_cluster" "primary" {
 
   disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
 
+  enable_multi_networking = var.enable_multi_networking
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   in_transit_encryption_config = var.in_transit_encryption_config
diff --git a/modules/beta-autopilot-public-cluster/metadata.display.yaml b/modules/beta-autopilot-public-cluster/metadata.display.yaml
@@ -100,6 +100,9 @@ spec:
         enable_l4_ilb_subsetting:
           name: enable_l4_ilb_subsetting
           title: Enable L4 Ilb Subsetting
+        enable_multi_networking:
+          name: enable_multi_networking
+          title: Enable Multi Networking
         enable_network_egress_export:
           name: enable_network_egress_export
           title: Enable Network Egress Export
diff --git a/modules/beta-autopilot-public-cluster/metadata.yaml b/modules/beta-autopilot-public-cluster/metadata.yaml
@@ -439,6 +439,9 @@ spec:
       - name: disable_l4_lb_firewall_reconciliation
         description: Disable L4 Load Balancer firewall reconciliation
         varType: bool
+      - name: enable_multi_networking
+        description: Whether multi-networking is enabled for this cluster
+        varType: bool
       - name: allow_net_admin
         description: (Optional) Enable NET_ADMIN for the cluster.
         varType: bool
diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf
@@ -559,6 +559,12 @@ variable "disable_l4_lb_firewall_reconciliation" {
   default     = null
 }
 
+variable "enable_multi_networking" {
+  type        = bool
+  description = "Whether multi-networking is enabled for this cluster"
+  default     = null
+}
+
 variable "allow_net_admin" {
   description = "(Optional) Enable NET_ADMIN for the cluster."
   type        = bool
diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md
@@ -213,6 +213,7 @@ Then perform the following commands on the root folder:
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
+| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -205,6 +205,8 @@ resource "google_container_cluster" "primary" {
 
   disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
 
+  enable_multi_networking = var.enable_multi_networking
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   in_transit_encryption_config = var.in_transit_encryption_config
diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml
@@ -154,6 +154,9 @@ spec:
         enable_mesh_certificates:
           name: enable_mesh_certificates
           title: Enable Mesh Certificates
+        enable_multi_networking:
+          name: enable_multi_networking
+          title: Enable Multi Networking
         enable_network_egress_export:
           name: enable_network_egress_export
           title: Enable Network Egress Export
diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml
@@ -711,6 +711,9 @@ spec:
       - name: disable_l4_lb_firewall_reconciliation
         description: Disable L4 Load Balancer firewall reconciliation
         varType: bool
+      - name: enable_multi_networking
+        description: Whether multi-networking is enabled for this cluster
+        varType: bool
       - name: istio
         description: (Beta) Enable Istio addon
         varType: bool
diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf
@@ -960,6 +960,12 @@ variable "disable_l4_lb_firewall_reconciliation" {
   default     = null
 }
 
+variable "enable_multi_networking" {
+  type        = bool
+  description = "Whether multi-networking is enabled for this cluster"
+  default     = null
+}
+
 variable "istio" {
   description = "(Beta) Enable Istio addon"
   type        = bool
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
@@ -191,6 +191,7 @@ Then perform the following commands on the root folder:
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
+| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_private\_endpoint | Whether the master's internal IP address is used as the cluster endpoint | `bool` | `false` | no |
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -205,6 +205,8 @@ resource "google_container_cluster" "primary" {
 
   disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
 
+  enable_multi_networking = var.enable_multi_networking
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   in_transit_encryption_config = var.in_transit_encryption_config
diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml
@@ -154,6 +154,9 @@ spec:
         enable_mesh_certificates:
           name: enable_mesh_certificates
           title: Enable Mesh Certificates
+        enable_multi_networking:
+          name: enable_multi_networking
+          title: Enable Multi Networking
         enable_network_egress_export:
           name: enable_network_egress_export
           title: Enable Network Egress Export
diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml
@@ -711,6 +711,9 @@ spec:
       - name: disable_l4_lb_firewall_reconciliation
         description: Disable L4 Load Balancer firewall reconciliation
         varType: bool
+      - name: enable_multi_networking
+        description: Whether multi-networking is enabled for this cluster
+        varType: bool
       - name: istio
         description: (Beta) Enable Istio addon
         varType: bool
diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf
@@ -960,6 +960,12 @@ variable "disable_l4_lb_firewall_reconciliation" {
   default     = null
 }
 
+variable "enable_multi_networking" {
+  type        = bool
+  description = "Whether multi-networking is enabled for this cluster"
+  default     = null
+}
+
 variable "istio" {
   description = "(Beta) Enable Istio addon"
   type        = bool
diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md
@@ -206,6 +206,7 @@ Then perform the following commands on the root folder:
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
+| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -205,6 +205,8 @@ resource "google_container_cluster" "primary" {
 
   disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
 
+  enable_multi_networking = var.enable_multi_networking
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   in_transit_encryption_config = var.in_transit_encryption_config
diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml
@@ -151,6 +151,9 @@ spec:
         enable_mesh_certificates:
           name: enable_mesh_certificates
           title: Enable Mesh Certificates
+        enable_multi_networking:
+          name: enable_multi_networking
+          title: Enable Multi Networking
         enable_network_egress_export:
           name: enable_network_egress_export
           title: Enable Network Egress Export
diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml
@@ -689,6 +689,9 @@ spec:
       - name: disable_l4_lb_firewall_reconciliation
         description: Disable L4 Load Balancer firewall reconciliation
         varType: bool
+      - name: enable_multi_networking
+        description: Whether multi-networking is enabled for this cluster
+        varType: bool
       - name: istio
         description: (Beta) Enable Istio addon
         varType: bool
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
@@ -924,6 +924,12 @@ variable "disable_l4_lb_firewall_reconciliation" {
   default     = null
 }
 
+variable "enable_multi_networking" {
+  type        = bool
+  description = "Whether multi-networking is enabled for this cluster"
+  default     = null
+}
+
 variable "istio" {
   description = "(Beta) Enable Istio addon"
   type        = bool
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
@@ -184,6 +184,7 @@ Then perform the following commands on the root folder:
 | enable\_kubernetes\_alpha | Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days. | `bool` | `false` | no |
 | enable\_l4\_ilb\_subsetting | Enable L4 ILB Subsetting on the cluster | `bool` | `false` | no |
 | enable\_mesh\_certificates | Controls the issuance of workload mTLS certificates. When enabled the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster. Requires Workload Identity. | `bool` | `false` | no |
+| enable\_multi\_networking | Whether multi-networking is enabled for this cluster | `bool` | `null` | no |
 | enable\_network\_egress\_export | Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic. | `bool` | `false` | no |
 | enable\_pod\_security\_policy | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. Pod Security Policy was removed from GKE clusters with version >= 1.25.0. | `bool` | `false` | no |
 | enable\_resource\_consumption\_export | Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. | `bool` | `true` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -205,6 +205,8 @@ resource "google_container_cluster" "primary" {
 
   disable_l4_lb_firewall_reconciliation = var.disable_l4_lb_firewall_reconciliation
 
+  enable_multi_networking = var.enable_multi_networking
+
   enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy
 
   in_transit_encryption_config = var.in_transit_encryption_config
diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml
@@ -151,6 +151,9 @@ spec:
         enable_mesh_certificates:
           name: enable_mesh_certificates
           title: Enable Mesh Certificates
+        enable_multi_networking:
+          name: enable_multi_networking
+          title: Enable Multi Networking
         enable_network_egress_export:
           name: enable_network_egress_export
           title: Enable Network Egress Export
diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
diff --git a/modules/private-cluster-update-variant/metadata.display.yaml b/modules/private-cluster-update-variant/metadata.display.yaml
diff --git a/modules/private-cluster-update-variant/metadata.yaml b/modules/private-cluster-update-variant/metadata.yaml
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
diff --git a/modules/private-cluster/metadata.display.yaml b/modules/private-cluster/metadata.display.yaml
diff --git a/modules/private-cluster/metadata.yaml b/modules/private-cluster/metadata.yaml
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
diff --git a/variables.tf b/variables.tf
