diff --git a/README.md b/README.md index cdbd00bbc7..cc78543fa2 100644 --- a/README.md +++ b/README.md @@ -250,6 +250,7 @@ Then perform the following commands on the root folder: | parallelstore\_csi\_driver | Whether the Parallelstore CSI driver Addon is enabled for this cluster. | `bool` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 3fac2124f7..60dd637a67 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -274,6 +274,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "rbac_binding_config" { + for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : [] + content { + enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"] + enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"] + } + } + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index a9e0f84162..aeadaa4020 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
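Review bot: The `for_each` guard on the new `rbac_binding_config` dynamic block keys on null-ness, so once a user has set one of the fields and later returns it to `null`, the whole block drops out of the configuration; whether the provider then resets the cluster-side setting or leaves the last applied value in place is not visible from this hunk and is worth confirming and documenting, because a restrictive setting silently reverting to the API default would be a security regression that a plan would not show. A named local such as `rbac_binding_config_set = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null` used as `for_each = local.rbac_binding_config_set ? [var.rbac_binding_config] : []` would also make the long condition readable. The same block is repeated verbatim in the cluster.tf hunk and in every modules/*/cluster.tf hunk below, so the fix belongs in this template and a regeneration. The enclosing `google_container_cluster.primary` resource starts and ends outside the hunk.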
@@ -1149,3 +1149,15 @@ variable "ip_endpoints_enabled" {
 type = bool
 default = null
 }
+
+variable "rbac_binding_config" {
+ type = object({
+ enable_insecure_binding_system_unauthenticated = optional(bool, null)
+ enable_insecure_binding_system_authenticated = optional(bool, null)
+ })
+ description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
+ default = {
+ enable_insecure_binding_system_unauthenticated = null
+ enable_insecure_binding_system_authenticated = null
+ }
+}
diff --git a/autogen/main/versions.tf.tmpl b/autogen/main/versions.tf.tmpl
index 8112dc71a6..c0b27363c7 100644
--- a/autogen/main/versions.tf.tmpl
+++ b/autogen/main/versions.tf.tmpl
@@ -24,33 +24,33 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 {% elif beta_cluster and autopilot_cluster %}
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 {% elif autopilot_cluster %}
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 {% else %}
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 {% endif %}
 kubernetes = {
diff --git a/cluster.tf b/cluster.tf
index eb9ca74a5b..5d8d52feea 100644
--- a/cluster.tf
+++ b/cluster.tf
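Review bot: The description of the new `rbac_binding_config` variable has a typo ("an RoleBindings") and does not say what its two fields do, so a reader of the generated docs cannot tell which value is the restrictive one; judging by the field names, `true` appears to permit bindings to the `system:unauthenticated` / `system:authenticated` groups and `false` to forbid them, while `null` leaves the block out of the resource so the API default applies — confirm this against the provider documentation before wording it. Suggested text: `description = "RBACBindingConfig allows user to restrict ClusterRoleBindings and RoleBindings that can be created. Set a field to false to block bindings to that group and true to permit them; null leaves the GKE default in place."`. The same description is copied into metadata.yaml, every README table row and every generated modules/*/variables.tf in this commit, so correct it here and regenerate rather than patching the copies.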
@@ -213,6 +213,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "rbac_binding_config" { + for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : [] + content { + enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"] + enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"] + } + } + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content { diff --git a/metadata.display.yaml b/metadata.display.yaml index 20130caa5c..88b217ea74 100644 --- a/metadata.display.yaml +++ b/metadata.display.yaml @@ -357,6 +357,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/metadata.yaml b/metadata.yaml index 619f80b6de..bc20b61aae 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -754,6 +754,16 @@ spec: - name: ip_endpoints_enabled description: (Optional) Controls whether to allow direct IP access. Defaults to `true`. varType: bool + - name: rbac_binding_config + description: RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. + varType: |- + object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + defaultValue: + enable_insecure_binding_system_authenticated: null + enable_insecure_binding_system_unauthenticated: null outputs: - name: ca_certificate description: Cluster ca certificate (base64 encoded) 
diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 4653799d0f..8bb24fff14 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md @@ -147,6 +147,7 @@ Then perform the following commands on the root folder: | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 2c41d52604..f88d73aefc 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -133,6 +133,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "rbac_binding_config" { + for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : [] + content { + enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"] + enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"] + } + } + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content { diff --git a/modules/beta-autopilot-private-cluster/metadata.display.yaml b/modules/beta-autopilot-private-cluster/metadata.display.yaml index 4c27521a94..488817de4e 100644 --- a/modules/beta-autopilot-private-cluster/metadata.display.yaml +++ b/modules/beta-autopilot-private-cluster/metadata.display.yaml 
@@ -262,6 +262,9 @@ spec:
 ray_operator_config:
 name: ray_operator_config
 title: Ray Operator Config
+ rbac_binding_config:
+ name: rbac_binding_config
+ title: Rbac Binding Config
 region:
 name: region
 title: Region
diff --git a/modules/beta-autopilot-private-cluster/metadata.yaml b/modules/beta-autopilot-private-cluster/metadata.yaml
index f20123fca4..3243aa531e 100644
--- a/modules/beta-autopilot-private-cluster/metadata.yaml
+++ b/modules/beta-autopilot-private-cluster/metadata.yaml
@@ -497,6 +497,16 @@ spec:
 - name: ip_endpoints_enabled
 description: (Optional) Controls whether to allow direct IP access. Defaults to `true`.
 varType: bool
+ - name: rbac_binding_config
+ description: RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created.
+ varType: |-
+ object({
+ enable_insecure_binding_system_unauthenticated = optional(bool, null)
+ enable_insecure_binding_system_authenticated = optional(bool, null)
+ })
+ defaultValue:
+ enable_insecure_binding_system_authenticated: null
+ enable_insecure_binding_system_unauthenticated: null
 outputs:
 - name: ca_certificate
 description: Cluster ca certificate (base64 encoded)
diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf
index 209c17513b..3289ccbab8 100644
--- a/modules/beta-autopilot-private-cluster/variables.tf
+++ b/modules/beta-autopilot-private-cluster/variables.tf
@@ -662,3 +662,15 @@ variable "ip_endpoints_enabled" {
 type = bool
 default = null
 }
+
+variable "rbac_binding_config" {
+ type = object({
+ enable_insecure_binding_system_unauthenticated = optional(bool, null)
+ enable_insecure_binding_system_authenticated = optional(bool, null)
+ })
+ description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
+ default = {
+ enable_insecure_binding_system_unauthenticated = null
+ enable_insecure_binding_system_authenticated = null
+ }
+}
diff --git a/modules/beta-autopilot-private-cluster/versions.tf b/modules/beta-autopilot-private-cluster/versions.tf
index 44d1f77f83..9d71fd013f 100644
--- a/modules/beta-autopilot-private-cluster/versions.tf
+++ b/modules/beta-autopilot-private-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md
index c0a7da461b..e844252556 100644
--- a/modules/beta-autopilot-public-cluster/README.md
+++ b/modules/beta-autopilot-public-cluster/README.md
@@ -135,6 +135,7 @@ Then perform the following commands on the root folder:
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 13bb1a7665..a0c3844b19 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf @@ -133,6 +133,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "rbac_binding_config" { + for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : [] + content { + enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"] + enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"] + } + } + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content { diff --git a/modules/beta-autopilot-public-cluster/metadata.display.yaml b/modules/beta-autopilot-public-cluster/metadata.display.yaml index 668f78e8b5..8ed240e3be 100644 --- a/modules/beta-autopilot-public-cluster/metadata.display.yaml +++ b/modules/beta-autopilot-public-cluster/metadata.display.yaml 
@@ -244,6 +244,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-autopilot-public-cluster/metadata.yaml b/modules/beta-autopilot-public-cluster/metadata.yaml index ae68cc551b..dc74c90177 100644 --- a/modules/beta-autopilot-public-cluster/metadata.yaml +++ b/modules/beta-autopilot-public-cluster/metadata.yaml @@ -475,6 +475,16 @@ spec: - name: ip_endpoints_enabled description: (Optional) Controls whether to allow direct IP access. Defaults to `true`. varType: bool + - name: rbac_binding_config + description: RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. + varType: |- + object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + defaultValue: + enable_insecure_binding_system_authenticated: null + enable_insecure_binding_system_unauthenticated: null outputs: - name: ca_certificate description: Cluster ca certificate (base64 encoded) diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index ab4ea6737a..7990bcaa25 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -626,3 +626,15 @@ variable "ip_endpoints_enabled" { type = bool default = null } + +variable "rbac_binding_config" { + type = object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created." + default = { + enable_insecure_binding_system_unauthenticated = null + enable_insecure_binding_system_authenticated = null + } +} 
diff --git a/modules/beta-autopilot-public-cluster/versions.tf b/modules/beta-autopilot-public-cluster/versions.tf index 937778f4f8..4a16da1287 100644 --- a/modules/beta-autopilot-public-cluster/versions.tf +++ b/modules/beta-autopilot-public-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 6.42.0, < 7" + version = ">= 6.47.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 6.42.0, < 7" + version = ">= 6.47.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-private-cluster-update-variant/README.md b/modules/beta-private-cluster-update-variant/README.md index 3754714166..4007c3c220 100644 --- a/modules/beta-private-cluster-update-variant/README.md +++ b/modules/beta-private-cluster-update-variant/README.md @@ -295,6 +295,7 @@ Then perform the following commands on the root folder: | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf index c3cfd5a8b4..3d30e4f22f 100644 --- a/modules/beta-private-cluster-update-variant/cluster.tf +++ b/modules/beta-private-cluster-update-variant/cluster.tf @@ -226,6 +226,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "rbac_binding_config" { + for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : [] + content { + enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"] + enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"] + } + } + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content { diff --git a/modules/beta-private-cluster-update-variant/metadata.display.yaml b/modules/beta-private-cluster-update-variant/metadata.display.yaml index 85fc641407..bf98556f42 100644 --- a/modules/beta-private-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-private-cluster-update-variant/metadata.display.yaml 
@@ -400,6 +400,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-private-cluster-update-variant/metadata.yaml b/modules/beta-private-cluster-update-variant/metadata.yaml index bc4890e868..b01129100e 100644 --- a/modules/beta-private-cluster-update-variant/metadata.yaml +++ b/modules/beta-private-cluster-update-variant/metadata.yaml @@ -779,6 +779,16 @@ spec: - name: ip_endpoints_enabled description: (Optional) Controls whether to allow direct IP access. Defaults to `true`. varType: bool + - name: rbac_binding_config + description: RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. + varType: |- + object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + defaultValue: + enable_insecure_binding_system_authenticated: null + enable_insecure_binding_system_unauthenticated: null outputs: - name: ca_certificate description: Cluster ca certificate (base64 encoded) diff --git a/modules/beta-private-cluster-update-variant/variables.tf b/modules/beta-private-cluster-update-variant/variables.tf index 08a084d61b..05240bd672 100644 --- a/modules/beta-private-cluster-update-variant/variables.tf +++ b/modules/beta-private-cluster-update-variant/variables.tf 
@@ -1075,3 +1075,15 @@ variable "ip_endpoints_enabled" {
 type = bool
 default = null
 }
+
+variable "rbac_binding_config" {
+ type = object({
+ enable_insecure_binding_system_unauthenticated = optional(bool, null)
+ enable_insecure_binding_system_authenticated = optional(bool, null)
+ })
+ description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
+ default = {
+ enable_insecure_binding_system_unauthenticated = null
+ enable_insecure_binding_system_authenticated = null
+ }
+}
diff --git a/modules/beta-private-cluster-update-variant/versions.tf b/modules/beta-private-cluster-update-variant/versions.tf
index 166c9be6ab..c60f3f6c28 100644
--- a/modules/beta-private-cluster-update-variant/versions.tf
+++ b/modules/beta-private-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
diff --git a/modules/beta-private-cluster/README.md b/modules/beta-private-cluster/README.md
index 60003fadae..9b3796a6b1 100644
--- a/modules/beta-private-cluster/README.md
+++ b/modules/beta-private-cluster/README.md
@@ -273,6 +273,7 @@ Then perform the following commands on the root folder:
 | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf index 603d388abe..3b6b1f0712 100644 --- a/modules/beta-private-cluster/cluster.tf +++ b/modules/beta-private-cluster/cluster.tf @@ -226,6 +226,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "rbac_binding_config" { + for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : [] + content { + enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"] + enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"] + } + } + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content { diff --git a/modules/beta-private-cluster/metadata.display.yaml b/modules/beta-private-cluster/metadata.display.yaml index 747ac7f7d0..dfa63577da 100644 --- a/modules/beta-private-cluster/metadata.display.yaml +++ b/modules/beta-private-cluster/metadata.display.yaml 
@@ -400,6 +400,9 @@ spec: ray_operator_config: name: ray_operator_config title: Ray Operator Config + rbac_binding_config: + name: rbac_binding_config + title: Rbac Binding Config region: name: region title: Region diff --git a/modules/beta-private-cluster/metadata.yaml b/modules/beta-private-cluster/metadata.yaml index 15e9b4a0e5..0bb5f331fa 100644 --- a/modules/beta-private-cluster/metadata.yaml +++ b/modules/beta-private-cluster/metadata.yaml @@ -779,6 +779,16 @@ spec: - name: ip_endpoints_enabled description: (Optional) Controls whether to allow direct IP access. Defaults to `true`. varType: bool + - name: rbac_binding_config + description: RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. + varType: |- + object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + defaultValue: + enable_insecure_binding_system_authenticated: null + enable_insecure_binding_system_unauthenticated: null outputs: - name: ca_certificate description: Cluster ca certificate (base64 encoded) diff --git a/modules/beta-private-cluster/variables.tf b/modules/beta-private-cluster/variables.tf index 08a084d61b..05240bd672 100644 --- a/modules/beta-private-cluster/variables.tf +++ b/modules/beta-private-cluster/variables.tf @@ -1075,3 +1075,15 @@ variable "ip_endpoints_enabled" { type = bool default = null } + +variable "rbac_binding_config" { + type = object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created." + default = { + enable_insecure_binding_system_unauthenticated = null + enable_insecure_binding_system_authenticated = null + } +} 
diff --git a/modules/beta-private-cluster/versions.tf b/modules/beta-private-cluster/versions.tf index bcf3dd08ac..93abd8d3a3 100644 --- a/modules/beta-private-cluster/versions.tf +++ b/modules/beta-private-cluster/versions.tf @@ -21,11 +21,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = ">= 6.42.0, < 7" + version = ">= 6.47.0, < 7" } google-beta = { source = "hashicorp/google-beta" - version = ">= 6.42.0, < 7" + version = ">= 6.47.0, < 7" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/modules/beta-public-cluster-update-variant/README.md b/modules/beta-public-cluster-update-variant/README.md index 91677a836b..5c8173cc0a 100644 --- a/modules/beta-public-cluster-update-variant/README.md +++ b/modules/beta-public-cluster-update-variant/README.md @@ -283,6 +283,7 @@ Then perform the following commands on the root folder: | parallelstore\_csi\_driver | Whether the Parallelstore CSI driver Addon is enabled for this cluster. | `bool` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no | diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf index d521ca8ce1..bc5fbc6c51 100644 --- a/modules/beta-public-cluster-update-variant/cluster.tf +++ b/modules/beta-public-cluster-update-variant/cluster.tf @@ -226,6 +226,14 @@ resource "google_container_cluster" "primary" { } } + dynamic "rbac_binding_config" { + for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : [] + content { + enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"] + enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"] + } + } + dynamic "secret_manager_config" { for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : [] content { diff --git a/modules/beta-public-cluster-update-variant/metadata.display.yaml b/modules/beta-public-cluster-update-variant/metadata.display.yaml index 7aaca97523..5c125f694a 100644 --- a/modules/beta-public-cluster-update-variant/metadata.display.yaml +++ b/modules/beta-public-cluster-update-variant/metadata.display.yaml 
@@ -382,6 +382,9 @@ spec:
ray_operator_config:
name: ray_operator_config
title: Ray Operator Config
+ rbac_binding_config:
+ name: rbac_binding_config
+ title: Rbac Binding Config
region:
name: region
title: Region
diff --git a/modules/beta-public-cluster-update-variant/metadata.yaml b/modules/beta-public-cluster-update-variant/metadata.yaml
index 0fd586c4f9..4e1df95864 100644
--- a/modules/beta-public-cluster-update-variant/metadata.yaml
+++ b/modules/beta-public-cluster-update-variant/metadata.yaml
@@ -757,6 +757,16 @@ spec: - name: ip_endpoints_enabled description: (Optional) Controls whether to allow direct IP access. Defaults to `true`. varType: bool + - name: rbac_binding_config + description: RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. + varType: |- + object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + defaultValue: + enable_insecure_binding_system_authenticated: null + enable_insecure_binding_system_unauthenticated: null outputs: - name: ca_certificate description: Cluster ca certificate (base64 encoded)
diff --git a/modules/beta-public-cluster-update-variant/variables.tf b/modules/beta-public-cluster-update-variant/variables.tf
index 2534714c8a..3f22fe9dee 100644
--- a/modules/beta-public-cluster-update-variant/variables.tf
+++ b/modules/beta-public-cluster-update-variant/variables.tf
@@ -1039,3 +1039,15 @@ variable "ip_endpoints_enabled" {
type = bool
default = null
}
+
+variable "rbac_binding_config" {
+ type = object({
+ enable_insecure_binding_system_unauthenticated = optional(bool, null)
+ enable_insecure_binding_system_authenticated = optional(bool, null)
+ })
+ description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
+ default = {
+ enable_insecure_binding_system_unauthenticated = null
+ enable_insecure_binding_system_authenticated = null
+ }
+}
diff --git a/modules/beta-public-cluster-update-variant/versions.tf b/modules/beta-public-cluster-update-variant/versions.tf
index d0572ca75b..a483626691 100644
--- a/modules/beta-public-cluster-update-variant/versions.tf
+++ b/modules/beta-public-cluster-update-variant/versions.tf
@@ -21,11 +21,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
}
google-beta = {
source = "hashicorp/google-beta"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"
diff --git a/modules/beta-public-cluster/README.md b/modules/beta-public-cluster/README.md
index 24960703fa..a028e9c5f1 100644
--- a/modules/beta-public-cluster/README.md
+++ b/modules/beta-public-cluster/README.md
@@ -261,6 +261,7 @@ Then perform the following commands on the root folder:
| parallelstore\_csi\_driver | Whether the Parallelstore CSI driver Addon is enabled for this cluster. | `bool` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
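Review bot: The `description` of the new `variable "rbac_binding_config"` has a typo (`an RoleBindings` should be `and RoleBindings`) and does not tell the reader which value restricts anything, although the field names carry the security meaning: as far as the names indicate, `true` permits ClusterRoleBindings and RoleBindings whose subjects are the `system:unauthenticated` or `system:authenticated` groups, `false` rejects them, and `null` leaves the provider/API default. A clearer text would be `description = "Controls whether ClusterRoleBindings and RoleBindings may reference the system:unauthenticated and system:authenticated groups. false rejects such bindings, true permits them, null leaves the provider/API default."`. Consider also adding `nullable = false` to this variable, since the cluster.tf block reads the object's attributes directly and a caller passing `null` would otherwise break the plan. The same description is repeated in the variables.tf hunks of beta-public-cluster, private-cluster-update-variant, private-cluster and the root module, and in the README and metadata copies generated from it.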
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index 0379a3f001..73266458a0 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -226,6 +226,14 @@ resource "google_container_cluster" "primary" {
}
}
+ dynamic "rbac_binding_config" {
+ for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : []
+ content {
+ enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"]
+ enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"]
+ }
+ }
+
dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
content {
diff --git a/modules/beta-public-cluster/metadata.display.yaml b/modules/beta-public-cluster/metadata.display.yaml
index 16424f1f95..240fef4ed9 100644
--- a/modules/beta-public-cluster/metadata.display.yaml
+++ b/modules/beta-public-cluster/metadata.display.yaml
@@ -382,6 +382,9 @@ spec:
ray_operator_config:
name: ray_operator_config
title: Ray Operator Config
+ rbac_binding_config:
+ name: rbac_binding_config
+ title: Rbac Binding Config
region:
name: region
title: Region
diff --git a/modules/beta-public-cluster/metadata.yaml b/modules/beta-public-cluster/metadata.yaml
index 73726a9738..375048a002 100644
--- a/modules/beta-public-cluster/metadata.yaml
+++ b/modules/beta-public-cluster/metadata.yaml
@@ -757,6 +757,16 @@ spec: - name: ip_endpoints_enabled description: (Optional) Controls whether to allow direct IP access. Defaults to `true`. varType: bool + - name: rbac_binding_config + description: RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. + varType: |- + object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + defaultValue: + enable_insecure_binding_system_authenticated: null + enable_insecure_binding_system_unauthenticated: null outputs: - name: ca_certificate description: Cluster ca certificate (base64 encoded)
diff --git a/modules/beta-public-cluster/variables.tf b/modules/beta-public-cluster/variables.tf
index 2534714c8a..3f22fe9dee 100644
--- a/modules/beta-public-cluster/variables.tf
+++ b/modules/beta-public-cluster/variables.tf
@@ -1039,3 +1039,15 @@ variable "ip_endpoints_enabled" {
type = bool
default = null
}
+
+variable "rbac_binding_config" {
+ type = object({
+ enable_insecure_binding_system_unauthenticated = optional(bool, null)
+ enable_insecure_binding_system_authenticated = optional(bool, null)
+ })
+ description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
+ default = {
+ enable_insecure_binding_system_unauthenticated = null
+ enable_insecure_binding_system_authenticated = null
+ }
+}
diff --git a/modules/beta-public-cluster/versions.tf b/modules/beta-public-cluster/versions.tf
index 703d349158..6ea2b44a88 100644
--- a/modules/beta-public-cluster/versions.tf
+++ b/modules/beta-public-cluster/versions.tf
@@ -21,11 +21,11 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
}
google-beta = {
source = "hashicorp/google-beta"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster-update-variant/README.md b/modules/private-cluster-update-variant/README.md
index e885df8d6f..325dcb7b3d 100644
--- a/modules/private-cluster-update-variant/README.md
+++ b/modules/private-cluster-update-variant/README.md
@@ -284,6 +284,7 @@ Then perform the following commands on the root folder:
| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index 14bff26bd5..ce7f002147 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -213,6 +213,14 @@ resource "google_container_cluster" "primary" {
}
}
+ dynamic "rbac_binding_config" {
+ for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : []
+ content {
+ enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"]
+ enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"]
+ }
+ }
+
dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
content {
diff --git a/modules/private-cluster-update-variant/metadata.display.yaml b/modules/private-cluster-update-variant/metadata.display.yaml
index f9f9526958..95a2060a48 100644
--- a/modules/private-cluster-update-variant/metadata.display.yaml
+++ b/modules/private-cluster-update-variant/metadata.display.yaml
@@ -376,6 +376,9 @@ spec:
ray_operator_config:
name: ray_operator_config
title: Ray Operator Config
+ rbac_binding_config:
+ name: rbac_binding_config
+ title: Rbac Binding Config
region:
name: region
title: Region
diff --git a/modules/private-cluster-update-variant/metadata.yaml b/modules/private-cluster-update-variant/metadata.yaml
index 4d33be167c..e79a062d38 100644
--- a/modules/private-cluster-update-variant/metadata.yaml
+++ b/modules/private-cluster-update-variant/metadata.yaml
@@ -736,6 +736,16 @@ spec: - name: ip_endpoints_enabled description: (Optional) Controls whether to allow direct IP access. Defaults to `true`. varType: bool + - name: rbac_binding_config + description: RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. + varType: |- + object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + defaultValue: + enable_insecure_binding_system_authenticated: null + enable_insecure_binding_system_unauthenticated: null outputs: - name: ca_certificate description: Cluster ca certificate (base64 encoded)
diff --git a/modules/private-cluster-update-variant/variables.tf b/modules/private-cluster-update-variant/variables.tf
index a340f25200..540d57dc07 100644
--- a/modules/private-cluster-update-variant/variables.tf
+++ b/modules/private-cluster-update-variant/variables.tf
@@ -1009,3 +1009,15 @@ variable "ip_endpoints_enabled" {
type = bool
default = null
}
+
+variable "rbac_binding_config" {
+ type = object({
+ enable_insecure_binding_system_unauthenticated = optional(bool, null)
+ enable_insecure_binding_system_authenticated = optional(bool, null)
+ })
+ description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
+ default = {
+ enable_insecure_binding_system_unauthenticated = null
+ enable_insecure_binding_system_authenticated = null
+ }
+}
diff --git a/modules/private-cluster-update-variant/versions.tf b/modules/private-cluster-update-variant/versions.tf
index 32449b3905..2081eda7fa 100644
--- a/modules/private-cluster-update-variant/versions.tf
+++ b/modules/private-cluster-update-variant/versions.tf
@@ -21,7 +21,7 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index c6709314c0..493133f0b2 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -262,6 +262,7 @@ Then perform the following commands on the root folder:
| private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no | | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes | | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. |
object({
enabled = bool
logging_enabled = optional(bool, false)
monitoring_enabled = optional(bool, false)
})
|
{
"enabled": false,
"logging_enabled": false,
"monitoring_enabled": false
}
| no | +| rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. |
object({
enable_insecure_binding_system_unauthenticated = optional(bool, null)
enable_insecure_binding_system_authenticated = optional(bool, null)
})
|
{
"enable_insecure_binding_system_authenticated": null,
"enable_insecure_binding_system_unauthenticated": null
}
| no | | region | The region to host the cluster in (optional if zonal cluster / required if regional) | `string` | `null` | no | | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | `bool` | `true` | no | | registry\_project\_ids | Projects holding Google Container Registries. If empty, we use the cluster project. If a service account is created and the `grant_registry_access` variable is set to `true`, the `storage.objectViewer` and `artifactregsitry.reader` roles are assigned on these projects. | `list(string)` | `[]` | no |
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index bfc3b1b0b5..352d8bf8e2 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -213,6 +213,14 @@ resource "google_container_cluster" "primary" {
}
}
+ dynamic "rbac_binding_config" {
+ for_each = var.rbac_binding_config.enable_insecure_binding_system_unauthenticated != null || var.rbac_binding_config.enable_insecure_binding_system_authenticated != null ? [var.rbac_binding_config] : []
+ content {
+ enable_insecure_binding_system_unauthenticated = rbac_binding_config.value["enable_insecure_binding_system_unauthenticated"]
+ enable_insecure_binding_system_authenticated = rbac_binding_config.value["enable_insecure_binding_system_authenticated"]
+ }
+ }
+
dynamic "secret_manager_config" {
for_each = var.enable_secret_manager_addon ? [var.enable_secret_manager_addon] : []
content {
diff --git a/modules/private-cluster/metadata.display.yaml b/modules/private-cluster/metadata.display.yaml
index 0993346a8a..fc62e48b2e 100644
--- a/modules/private-cluster/metadata.display.yaml
+++ b/modules/private-cluster/metadata.display.yaml
@@ -376,6 +376,9 @@ spec:
ray_operator_config:
name: ray_operator_config
title: Ray Operator Config
+ rbac_binding_config:
+ name: rbac_binding_config
+ title: Rbac Binding Config
region:
name: region
title: Region
diff --git a/modules/private-cluster/metadata.yaml b/modules/private-cluster/metadata.yaml
index bc28e5a90c..1168a0da26 100644
--- a/modules/private-cluster/metadata.yaml
+++ b/modules/private-cluster/metadata.yaml
@@ -736,6 +736,16 @@ spec: - name: ip_endpoints_enabled description: (Optional) Controls whether to allow direct IP access. Defaults to `true`. varType: bool + - name: rbac_binding_config + description: RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. + varType: |- + object({ + enable_insecure_binding_system_unauthenticated = optional(bool, null) + enable_insecure_binding_system_authenticated = optional(bool, null) + }) + defaultValue: + enable_insecure_binding_system_authenticated: null + enable_insecure_binding_system_unauthenticated: null outputs: - name: ca_certificate description: Cluster ca certificate (base64 encoded)
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index a340f25200..540d57dc07 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -1009,3 +1009,15 @@ variable "ip_endpoints_enabled" {
type = bool
default = null
}
+
+variable "rbac_binding_config" {
+ type = object({
+ enable_insecure_binding_system_unauthenticated = optional(bool, null)
+ enable_insecure_binding_system_authenticated = optional(bool, null)
+ })
+ description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
+ default = {
+ enable_insecure_binding_system_unauthenticated = null
+ enable_insecure_binding_system_authenticated = null
+ }
+}
diff --git a/modules/private-cluster/versions.tf b/modules/private-cluster/versions.tf
index c1724185fb..a015c2fb7b 100644
--- a/modules/private-cluster/versions.tf
+++ b/modules/private-cluster/versions.tf
@@ -21,7 +21,7 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"
diff --git a/variables.tf b/variables.tf
index 52f97c0146..20cf7384d1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -973,3 +973,15 @@ variable "ip_endpoints_enabled" {
type = bool
default = null
}
+
+variable "rbac_binding_config" {
+ type = object({
+ enable_insecure_binding_system_unauthenticated = optional(bool, null)
+ enable_insecure_binding_system_authenticated = optional(bool, null)
+ })
+ description = "RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created."
+ default = {
+ enable_insecure_binding_system_unauthenticated = null
+ enable_insecure_binding_system_authenticated = null
+ }
+}
diff --git a/versions.tf b/versions.tf
index 54c6af0c0a..953a17b805 100644
--- a/versions.tf
+++ b/versions.tf
@@ -21,7 +21,7 @@ terraform {
required_providers {
google = {
source = "hashicorp/google"
- version = ">= 6.42.0, < 7"
+ version = ">= 6.47.0, < 7"
}
kubernetes = {
source = "hashicorp/kubernetes"