Enabling two features in beta clusters

This allow pod security policies and binary authorization to be used
by both beta private and  beta public clusters. Previously these two features
where limited to only private clusters, and this commit also removes
that functionality from private clusters.

Author: chrislovecnm

autogen/cluster_regional.tf

@@ -42,10 +42,10 @@ resource "google_container_cluster" "primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
-{% if private_cluster %}
+  {% if beta_cluster %}
   enable_binary_authorization       = "${var.enable_binary_authorization}"
   pod_security_policy_config        = "${var.pod_security_policy_config}"
-{% endif %}
+  {% endif %}
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

autogen/cluster_zonal.tf

@@ -42,10 +42,11 @@ resource "google_container_cluster" "zonal_primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
-{% if private_cluster %}
+  {% if beta_cluster %}
   enable_binary_authorization       = "${var.enable_binary_authorization}"
   pod_security_policy_config        = "${var.pod_security_policy_config}"
-{% endif %}
+  {% endif %}
+
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

autogen/outputs.tf

@@ -123,11 +123,20 @@ output "cloudrun_enabled" {
   description = "Whether CloudRun enabled"
   value       = "${local.cluster_cloudrun_enabled}"
 }
-{% endif %}
-{% if private_cluster %}
 
 output "pod_security_policy_enabled" {
   description = "Whether pod security policy is enabled"
   value       = "${local.cluster_pod_security_policy_enabled}"
 }
+
+output "pod_security_policy_enabled" {
+  description = "Whether pod security policy is enabled"
+  value       = "${local.cluster_pod_security_policy_enabled}"
+}
+
+output "enable_binary_authorization" {
+  description = "Enable BinAuthZ Admission controller"
+  value       = "${local.cluster_binary_authorization_enabled}"
+}
+
 {% endif %}

autogen/variables.tf

@@ -86,7 +86,7 @@ variable "master_authorized_networks_config" {
   default = []
 }
 
-{% if private_cluster %}
+{% if beta_cluster %}
 variable "enable_binary_authorization" {
   description = "Enable BinAuthZ Admission controller"
   default     = false
@@ -99,8 +99,9 @@ variable "pod_security_policy_config" {
     "enabled" = false
   }]
 }
-
 {% endif %}
+
+
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"
   default     = true

cluster_zonal.tf

@@ -42,6 +42,7 @@ resource "google_container_cluster" "zonal_primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
+
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/beta-private-cluster/README.md

@@ -177,6 +177,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 |------|-------------|
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cloudrun\_enabled | Whether CloudRun enabled |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller |
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
@@ -193,6 +194,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | node\_pools\_names | List of node pools names |
 | node\_pools\_versions | List of node pools versions |
 | pod\_security\_policy\_enabled | Whether pod security policy is enabled |
+| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
 | region | Cluster region |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |

modules/beta-private-cluster/cluster_zonal.tf

@@ -44,6 +44,7 @@ resource "google_container_cluster" "zonal_primary" {
 
   enable_binary_authorization       = "${var.enable_binary_authorization}"
   pod_security_policy_config        = "${var.pod_security_policy_config}"
+
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/beta-private-cluster/outputs.tf

@@ -127,3 +127,14 @@ output "pod_security_policy_enabled" {
   description = "Whether pod security policy is enabled"
   value       = "${local.cluster_pod_security_policy_enabled}"
 }
+
+output "pod_security_policy_enabled" {
+  description = "Whether pod security policy is enabled"
+  value       = "${local.cluster_pod_security_policy_enabled}"
+}
+
+output "enable_binary_authorization" {
+  description = "Enable BinAuthZ Admission controller"
+  value       = "${local.cluster_binary_authorization_enabled}"
+}
+

modules/beta-public-cluster/README.md

@@ -123,6 +123,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | database\_encryption | Application-layer Secrets Encryption settings. Example:   database_encryption = [{     state = "ENCRYPTED",     key_name = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key"   }] | list | `<list>` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
 | http\_load\_balancing | Enable httpload balancer addon | string | `"true"` | no |
 | initial\_node\_count | The number of nodes to create in this cluster's default node pool. | string | `"0"` | no |
@@ -151,6 +152,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `<map>` | no |
 | node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `<list>` | no |
+| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `<list>` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
@@ -166,6 +168,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 |------|-------------|
 | ca\_certificate | Cluster ca certificate (base64 encoded) |
 | cloudrun\_enabled | Whether CloudRun enabled |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller |
 | endpoint | Cluster endpoint |
 | horizontal\_pod\_autoscaling\_enabled | Whether horizontal pod autoscaling enabled |
 | http\_load\_balancing\_enabled | Whether http load balancing enabled |
@@ -181,6 +184,8 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy\_enabled | Whether network policy enabled |
 | node\_pools\_names | List of node pools names |
 | node\_pools\_versions | List of node pools versions |
+| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
+| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
 | region | Cluster region |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |

modules/beta-public-cluster/cluster_regional.tf

@@ -42,6 +42,8 @@ resource "google_container_cluster" "primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
+  enable_binary_authorization       = "${var.enable_binary_authorization}"
+  pod_security_policy_config        = "${var.pod_security_policy_config}"
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/beta-public-cluster/cluster_zonal.tf

@@ -42,6 +42,9 @@ resource "google_container_cluster" "zonal_primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
+  enable_binary_authorization       = "${var.enable_binary_authorization}"
+  pod_security_policy_config        = "${var.pod_security_policy_config}"
+
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/beta-public-cluster/outputs.tf

@@ -122,3 +122,19 @@ output "cloudrun_enabled" {
   description = "Whether CloudRun enabled"
   value       = "${local.cluster_cloudrun_enabled}"
 }
+
+output "pod_security_policy_enabled" {
+  description = "Whether pod security policy is enabled"
+  value       = "${local.cluster_pod_security_policy_enabled}"
+}
+
+output "pod_security_policy_enabled" {
+  description = "Whether pod security policy is enabled"
+  value       = "${local.cluster_pod_security_policy_enabled}"
+}
+
+output "enable_binary_authorization" {
+  description = "Enable BinAuthZ Admission controller"
+  value       = "${local.cluster_binary_authorization_enabled}"
+}
+

modules/beta-public-cluster/variables.tf

@@ -86,6 +86,19 @@ variable "master_authorized_networks_config" {
   default = []
 }
 
+variable "enable_binary_authorization" {
+  description = "Enable BinAuthZ Admission controller"
+  default     = false
+}
+
+variable "pod_security_policy_config" {
+  description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
+
+  default = [{
+    "enabled" = false
+  }]
+}
+
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"
   default     = true

modules/private-cluster/README.md

@@ -125,7 +125,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
-| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
@@ -156,7 +155,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `<map>` | no |
 | node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `<list>` | no |
-| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `<list>` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
@@ -185,7 +183,6 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy\_enabled | Whether network policy enabled |
 | node\_pools\_names | List of node pools names |
 | node\_pools\_versions | List of node pools versions |
-| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
 | region | Cluster region |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |

modules/private-cluster/cluster_regional.tf

@@ -42,8 +42,6 @@ resource "google_container_cluster" "primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
-  enable_binary_authorization       = "${var.enable_binary_authorization}"
-  pod_security_policy_config        = "${var.pod_security_policy_config}"
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/private-cluster/cluster_zonal.tf

@@ -42,8 +42,7 @@ resource "google_container_cluster" "zonal_primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
-  enable_binary_authorization       = "${var.enable_binary_authorization}"
-  pod_security_policy_config        = "${var.pod_security_policy_config}"
+
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/private-cluster/outputs.tf

@@ -112,8 +112,3 @@ output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${local.service_account}"
 }
-
-output "pod_security_policy_enabled" {
-  description = "Whether pod security policy is enabled"
-  value       = "${local.cluster_pod_security_policy_enabled}"
-}

modules/private-cluster/variables.tf

@@ -86,19 +86,6 @@ variable "master_authorized_networks_config" {
   default = []
 }
 
-variable "enable_binary_authorization" {
-  description = "Enable BinAuthZ Admission controller"
-  default     = false
-}
-
-variable "pod_security_policy_config" {
-  description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
-
-  default = [{
-    "enabled" = false
-  }]
-}
-
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"
   default     = true

variables.tf

@@ -86,6 +86,8 @@ variable "master_authorized_networks_config" {
   default = []
 }
 
+
+
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"
   default     = true