Merge branch 'main' into huge_pages

Author: apeabody

README.md

@@ -323,6 +323,13 @@ The node_pools variable takes the following parameters:
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
 | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
+| container_log_max_size | Defines the maximum size of the container log file before it is rotated. | null | Optional |
+| container_log_max_files | Defines the maximum number of container log files that can be present for a container. | null | Optional |
+| image_gc_low_threshold_percent | Defines the percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. | null | Optional |
+| image_gc_high_threshold_percent | Defines the percent of disk usage after which image garbage collection is always run. | null | Optional |
+| image_minimum_gc_age | Defines the minimum age for an unused image before it is garbage collected. | null | Optional |
+| image_maximum_gc_age | Defines the maximum age an image can be unused before it is garbage collected. | null | Optional |
+| allowed_unsafe_sysctls | Defines a comma-separated allowlist of unsafe sysctls or sysctl patterns which can be set on the Pods. This should be passed as comma separated string. | null | Optional |
 | enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |

autogen/main/README.md

@@ -203,6 +203,13 @@ The node_pools variable takes the following parameters:
 | cpu_cfs_quota | Enforces the Pod's CPU limit. Setting this value to false means that the CPU limits for Pods are ignored | null | Optional |
 | cpu_cfs_quota_period | The CPU CFS quota period value, which specifies the period of how often a cgroup's access to CPU resources should be reallocated | null | Optional |
 | pod_pids_limit | Controls the maximum number of processes allowed to run in a pod. The value must be greater than or equal to 1024 and less than 4194304. | null | Optional |
+| container_log_max_size | Defines the maximum size of the container log file before it is rotated. | null | Optional |
+| container_log_max_files | Defines the maximum number of container log files that can be present for a container. | null | Optional |
+| image_gc_low_threshold_percent | Defines the percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. | null | Optional |
+| image_gc_high_threshold_percent | Defines the percent of disk usage after which image garbage collection is always run. | null | Optional |
+| image_minimum_gc_age | Defines the minimum age for an unused image before it is garbage collected. | null | Optional |
+| image_maximum_gc_age | Defines the maximum age an image can be unused before it is garbage collected. | null | Optional |
+| allowed_unsafe_sysctls | Defines a comma-separated allowlist of unsafe sysctls or sysctl patterns which can be set on the Pods. This should be passed as comma separated string. | null | Optional |
 | enable_confidential_nodes | An optional flag to enable confidential node config. | false | Optional |
 | disk_size_gb | Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB | 100 | Optional |
 | disk_type | Type of the disk attached to each node (e.g. 'pd-standard' or 'pd-ssd') | pd-standard | Optional |

autogen/main/cluster.tf.tmpl

@@ -589,7 +589,7 @@ resource "google_container_cluster" "primary" {
       dynamic "kubelet_config" {
         for_each = length(setintersection(
           keys(var.node_pools[0]),
-          ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
+          ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"]
         )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
 
         content {
@@ -598,6 +598,13 @@ resource "google_container_cluster" "primary" {
           cpu_cfs_quota_period                   = lookup(var.node_pools[0], "cpu_cfs_quota_period", null)
           insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null
           pod_pids_limit                         = lookup(var.node_pools[0], "pod_pids_limit", null)
+          container_log_max_size                 = lookup(var.node_pools[0], "container_log_max_size", null)
+          container_log_max_files                = lookup(var.node_pools[0], "container_log_max_files", null)
+          image_gc_low_threshold_percent         = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null)
+          image_gc_high_threshold_percent        = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null)
+          image_minimum_gc_age                   = lookup(var.node_pools[0], "image_minimum_gc_age", null)
+          image_maximum_gc_age                   = lookup(var.node_pools[0], "image_maximum_gc_age", null)
+          allowed_unsafe_sysctls                 = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)]
         }
       }
 
@@ -1144,7 +1151,7 @@ resource "google_container_node_pool" "windows_pools" {
     dynamic "kubelet_config" {
       for_each = length(setintersection(
         keys(each.value),
-        ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
+        ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"]
       )) != 0 ? [1] : []
 
       content {
@@ -1153,6 +1160,13 @@ resource "google_container_node_pool" "windows_pools" {
         cpu_cfs_quota_period                   = lookup(each.value, "cpu_cfs_quota_period", null)
         insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) != null ? upper(tostring(each.value.insecure_kubelet_readonly_port_enabled)) : null
         pod_pids_limit                         = lookup(each.value, "pod_pids_limit", null)
+        container_log_max_size                 = lookup(each.value, "container_log_max_size", null)
+        container_log_max_files                = lookup(each.value, "container_log_max_files", null)
+        image_gc_low_threshold_percent         = lookup(each.value, "image_gc_low_threshold_percent", null)
+        image_gc_high_threshold_percent        = lookup(each.value, "image_gc_high_threshold_percent", null)
+        image_minimum_gc_age                   = lookup(each.value, "image_minimum_gc_age", null)
+        image_maximum_gc_age                   = lookup(each.value, "image_maximum_gc_age", null)
+        allowed_unsafe_sysctls                 = lookup(each.value, "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(each.value, "allowed_unsafe_sysctls", null)) : trimspace(s)]
       }
     }
 

cluster.tf

@@ -446,7 +446,7 @@ resource "google_container_cluster" "primary" {
       dynamic "kubelet_config" {
         for_each = length(setintersection(
           keys(var.node_pools[0]),
-          ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
+          ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"]
         )) != 0 || var.insecure_kubelet_readonly_port_enabled != null ? [1] : []
 
         content {
@@ -455,6 +455,13 @@ resource "google_container_cluster" "primary" {
           cpu_cfs_quota_period                   = lookup(var.node_pools[0], "cpu_cfs_quota_period", null)
           insecure_kubelet_readonly_port_enabled = lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled) != null ? upper(tostring(lookup(var.node_pools[0], "insecure_kubelet_readonly_port_enabled", var.insecure_kubelet_readonly_port_enabled))) : null
           pod_pids_limit                         = lookup(var.node_pools[0], "pod_pids_limit", null)
+          container_log_max_size                 = lookup(var.node_pools[0], "container_log_max_size", null)
+          container_log_max_files                = lookup(var.node_pools[0], "container_log_max_files", null)
+          image_gc_low_threshold_percent         = lookup(var.node_pools[0], "image_gc_low_threshold_percent", null)
+          image_gc_high_threshold_percent        = lookup(var.node_pools[0], "image_gc_high_threshold_percent", null)
+          image_minimum_gc_age                   = lookup(var.node_pools[0], "image_minimum_gc_age", null)
+          image_maximum_gc_age                   = lookup(var.node_pools[0], "image_maximum_gc_age", null)
+          allowed_unsafe_sysctls                 = lookup(var.node_pools[0], "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(var.node_pools[0], "allowed_unsafe_sysctls", null)) : trimspace(s)]
         }
       }
 
@@ -839,7 +846,7 @@ resource "google_container_node_pool" "pools" {
     dynamic "kubelet_config" {
       for_each = length(setintersection(
         keys(each.value),
-        ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
+        ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"]
       )) != 0 ? [1] : []
 
       content {
@@ -848,6 +855,13 @@ resource "google_container_node_pool" "pools" {
         cpu_cfs_quota_period                   = lookup(each.value, "cpu_cfs_quota_period", null)
         insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) != null ? upper(tostring(each.value.insecure_kubelet_readonly_port_enabled)) : null
         pod_pids_limit                         = lookup(each.value, "pod_pids_limit", null)
+        container_log_max_size                 = lookup(each.value, "container_log_max_size", null)
+        container_log_max_files                = lookup(each.value, "container_log_max_files", null)
+        image_gc_low_threshold_percent         = lookup(each.value, "image_gc_low_threshold_percent", null)
+        image_gc_high_threshold_percent        = lookup(each.value, "image_gc_high_threshold_percent", null)
+        image_minimum_gc_age                   = lookup(each.value, "image_minimum_gc_age", null)
+        image_maximum_gc_age                   = lookup(each.value, "image_maximum_gc_age", null)
+        allowed_unsafe_sysctls                 = lookup(each.value, "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(each.value, "allowed_unsafe_sysctls", null)) : trimspace(s)]
       }
     }
 
@@ -1180,7 +1194,7 @@ resource "google_container_node_pool" "windows_pools" {
     dynamic "kubelet_config" {
       for_each = length(setintersection(
         keys(each.value),
-        ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit"]
+        ["cpu_manager_policy", "cpu_cfs_quota", "cpu_cfs_quota_period", "insecure_kubelet_readonly_port_enabled", "pod_pids_limit", "container_log_max_size", "container_log_max_files", "image_gc_low_threshold_percent", "image_gc_high_threshold_percent", "image_minimum_gc_age", "image_maximum_gc_age", "allowed_unsafe_sysctls"]
       )) != 0 ? [1] : []
 
       content {
@@ -1189,6 +1203,13 @@ resource "google_container_node_pool" "windows_pools" {
         cpu_cfs_quota_period                   = lookup(each.value, "cpu_cfs_quota_period", null)
         insecure_kubelet_readonly_port_enabled = lookup(each.value, "insecure_kubelet_readonly_port_enabled", null) != null ? upper(tostring(each.value.insecure_kubelet_readonly_port_enabled)) : null
         pod_pids_limit                         = lookup(each.value, "pod_pids_limit", null)
+        container_log_max_size                 = lookup(each.value, "container_log_max_size", null)
+        container_log_max_files                = lookup(each.value, "container_log_max_files", null)
+        image_gc_low_threshold_percent         = lookup(each.value, "image_gc_low_threshold_percent", null)
+        image_gc_high_threshold_percent        = lookup(each.value, "image_gc_high_threshold_percent", null)
+        image_minimum_gc_age                   = lookup(each.value, "image_minimum_gc_age", null)
+        image_maximum_gc_age                   = lookup(each.value, "image_maximum_gc_age", null)
+        allowed_unsafe_sysctls                 = lookup(each.value, "allowed_unsafe_sysctls", null) == null ? null : [for s in split(",", lookup(each.value, "allowed_unsafe_sysctls", null)) : trimspace(s)]
       }
     }
 

examples/confidential_safer_cluster/network.tf

@@ -16,7 +16,7 @@
 
 module "gcp-network" {
   source  = "terraform-google-modules/network/google"
-  version = "~> 10.0"
+  version = "~> 11.0"
 
   project_id   = var.project_id
   network_name = local.network_name

examples/deploy_service/main.tf

@@ -55,7 +55,7 @@ resource "kubernetes_pod" "nginx-example" {
 
   spec {
     container {
-      image = "nginx:1.27.5"
+      image = "nginx:1.28.0"
       name  = "nginx-example"
     }
   }

examples/island_cluster_anywhere_in_gcp_design/network.tf

@@ -14,7 +14,7 @@
 
 module "net" {
   source  = "terraform-google-modules/network/google"
-  version = "~> 10.0"
+  version = "~> 11.0"
 
   for_each = { for k, v in var.gke_spokes : k => v }
 
@@ -163,7 +163,7 @@ resource "google_compute_network_attachment" "router_net_attachment" {
 
 module "cloud_router" {
   source   = "terraform-google-modules/cloud-router/google"
-  version  = "~> 6.0"
+  version  = "~> 7.0"
   for_each = { for k, v in var.gke_spokes : k => v }
 
   name    = "router-${each.value["cluster_name"]}-${random_id.rand.hex}"

examples/island_cluster_with_vm_router/main.tf

@@ -25,7 +25,7 @@ resource "google_service_account" "gke-sa" {
 
 module "net" {
   source  = "terraform-google-modules/network/google"
-  version = "~> 10.0"
+  version = "~> 11.0"
 
   network_name                           = "gke-net-${random_id.rand.hex}"
   routing_mode                           = "GLOBAL"

examples/safer_cluster_iap_bastion/network.tf

@@ -17,7 +17,7 @@
 
 module "vpc" {
   source  = "terraform-google-modules/network/google"
-  version = "~> 10.0"
+  version = "~> 11.0"
 
   project_id   = module.enabled_google_apis.project_id
   network_name = var.network_name

examples/simple_autopilot_private/main.tf

@@ -50,7 +50,8 @@ module "gke" {
   enable_private_endpoint                = true
   enable_private_nodes                   = true
   network_tags                           = [local.cluster_type]
-  node_pools_cgroup_mode                 = "CGROUP_MODE_V2"
+  # TODO: b/413643369
+  # node_pools_cgroup_mode                 = "CGROUP_MODE_V2"
   deletion_protection                    = false
   insecure_kubelet_readonly_port_enabled = false
 }