chore: split poco into example

examples/simple_zonal_with_acm/README.md

@@ -1,6 +1,6 @@
 # Simple Zonal Cluster
 
-This example illustrates how to create a simple cluster and install [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/)'s [Config Sync](https://cloud.google.com/anthos-config-management/docs/config-sync-overview) and [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller) with the [Policy Essentials v2022 policy bundle](https://cloud.google.com/anthos-config-management/docs/how-to/using-policy-essentials-v2022).
+This example illustrates how to create a simple cluster and install [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/)'s [Config Sync](https://cloud.google.com/anthos-config-management/docs/config-sync-overview).
 
 It incorporates the standard cluster module and the [ACM install module](../../modules/acm).
 
@@ -27,12 +27,6 @@ After applying the Terraform configuration, you can run the following commands t
     kubectl describe ns shipping-dev
     ```
 
-4. You can also use `kubectl` to view any policy violations on the cluster:
-
-    ```
-    kubectl get constraint -l policycontroller.gke.io/bundleName=policy-essentials-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
-    ```
-
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Inputs
 

examples/simple_zonal_with_acm/acm.tf

@@ -26,6 +26,8 @@ module "acm" {
   sync_branch = "1.0.0"
   policy_dir  = "foo-corp"
 
+  enable_policy_controller = false
+
   enable_fleet_feature = var.enable_fleet_feature
 
   secret_type = "ssh"

examples/simple_zonal_with_poco/README.md

@@ -0,0 +1,37 @@
+# Simple Zonal Cluster
+
+This example illustrates how to create a simple cluster and install [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller) with the [Pod Security Standards Baseline policy bundle](https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/how-to/using-pss-baseline).
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no |
+| enable\_fleet\_feature | Whether to enable the Policy Controller feature on the fleet. | `bool` | `true` | no |
+| project\_id | The project ID to host the cluster in | `string` | n/a | yes |
+| region | The region to host the cluster in | `string` | `"us-central1"` | no |
+| zone | The zone to host the cluster in | `string` | `"us-central1-a"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cluster\_name | Cluster name |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| location | n/a |
+| network | n/a |
+| project\_id | Standard test outputs |
+| region | n/a |
+| service\_account | The default service account used for running nodes. |
+| subnetwork | n/a |
+| zones | List of zones in which the cluster resides |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure

examples/simple_zonal_with_poco/main.tf

@@ -0,0 +1,53 @@
+/**
+ * Copyright 2018-2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "simple-zonal-poco"
+}
+
+provider "google" {
+  region = var.region
+}
+
+module "gke" {
+  source  = "terraform-google-modules/kubernetes-engine/google"
+  version = "~> 33.0"
+
+  project_id    = var.project_id
+  fleet_project = var.project_id
+  regional      = false
+  region        = var.region
+  zones         = [var.zone]
+
+  name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+
+  network           = google_compute_network.main.name
+  subnetwork        = google_compute_subnetwork.main.name
+  ip_range_pods     = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+
+  service_account     = "create"
+  deletion_protection = false
+  node_pools = [
+    {
+      name         = "poco-node-pool"
+      autoscaling  = false
+      auto_upgrade = true
+      node_count   = 4
+      machine_type = "e2-standard-4"
+    },
+  ]
+}

examples/simple_zonal_with_poco/network.tf

@@ -0,0 +1,45 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+resource "google_compute_network" "main" {
+  project                 = var.project_id
+  name                    = "cft-gke-test-${random_string.suffix.result}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "main" {
+  project       = var.project_id
+  name          = "cft-gke-test-${random_string.suffix.result}"
+  ip_cidr_range = "10.0.0.0/17"
+  region        = var.region
+  network       = google_compute_network.main.self_link
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.0.0/18"
+  }
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-services-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.64.0/18"
+  }
+}

examples/simple_zonal_with_poco/outputs.tf

@@ -0,0 +1,61 @@
+/**
+ * Copyright 2018-2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "service_account" {
+  description = "The default service account used for running nodes."
+  value       = module.gke.service_account
+}
+
+# Standard test outputs
+output "project_id" {
+  value = var.project_id
+}
+
+output "region" {
+  value = module.gke.region
+}
+
+output "cluster_name" {
+  description = "Cluster name"
+  value       = module.gke.name
+}
+
+output "network" {
+  value = google_compute_network.main.name
+}
+
+output "subnetwork" {
+  value = google_compute_subnetwork.main.name
+}
+
+output "location" {
+  value = module.gke.location
+}
+
+output "ip_range_pods" {
+  description = "The secondary IP range used for pods"
+  value       = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+}
+
+output "ip_range_services" {
+  description = "The secondary IP range used for services"
+  value       = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+}
+
+output "zones" {
+  description = "List of zones in which the cluster resides"
+  value       = module.gke.zones
+}

examples/simple_zonal_with_poco/policy.tf

@@ -0,0 +1,51 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_gke_hub_feature" "poco_feature" {
+  name     = "policycontroller"
+  project  = var.project_id
+  location = "global"
+
+  count = var.enable_fleet_feature ? 1 : 0
+}
+
+resource "google_gke_hub_feature_membership" "poco_feature_member" {
+  project  = var.project_id
+  location = "global"
+
+  feature             = "policycontroller"
+  membership          = module.gke.fleet_membership
+  membership_location = module.gke.region
+
+  policycontroller {
+    policy_controller_hub_config {
+      install_spec = "INSTALL_SPEC_ENABLED"
+      policy_content {
+        template_library {
+          installation = "ALL"
+        }
+        bundles {
+          bundle_name = "pss-baseline-v2022"
+        }
+      }
+      referential_rules_enabled = true
+    }
+  }
+
+  depends_on = [
+    google_gke_hub_feature.poco_feature
+  ]
+}

examples/simple_zonal_with_poco/variables.tf

@@ -0,0 +1,44 @@
+/**
+ * Copyright 2018-2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the cluster in"
+  type        = string
+}
+
+variable "cluster_name_suffix" {
+  description = "A suffix to append to the default cluster name"
+  type        = string
+  default     = ""
+}
+
+variable "region" {
+  description = "The region to host the cluster in"
+  type        = string
+  default     = "us-central1"
+}
+
+variable "zone" {
+  type        = string
+  description = "The zone to host the cluster in"
+  default     = "us-central1-a"
+}
+
+variable "enable_fleet_feature" {
+  description = "Whether to enable the Policy Controller feature on the fleet."
+  type        = bool
+  default     = true
+}

examples/simple_zonal_with_poco/versions.tf

@@ -0,0 +1,27 @@
+/**
+ * Copyright 2021-2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+  }
+  required_version = ">= 1.3"
+}

test/integration/simple_zonal/simple_zonal_test.go

@@ -79,10 +79,6 @@ func TestSimpleZonal(t *testing.T) {
 		assert.NoError(err)
 		configkubeNS := testutils.ParseKubectlJSONResult(t, configNameSpace)
 		assert.Contains(configkubeNS.Get("metadata.name").String(), "config-management-system", "Namespace is Functional")
-		gateKeeperNameSpace, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, "get", "ns", "gatekeeper-system", "-o", "json")
-		assert.NoError(err)
-		gateKeeperkubeNS := testutils.ParseKubectlJSONResult(t, gateKeeperNameSpace)
-		assert.Contains(gateKeeperkubeNS.Get("metadata.name").String(), "gatekeeper-system", "Namespace is Functional")
 	})
 
 	bpt.Test()