Merge pull request #163 from ingwarr/issue140

Add configuration flag for `pod_security_policy_config` #140

Author: aaron-lane

.kitchen.yml

@@ -23,6 +23,7 @@ provisioner:
 verifier:
   name: terraform
   color: false
+  fail_fast: false
 
 platforms:
   - name: local

CHANGELOG.md

@@ -11,6 +11,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### Added
 
 * Add configuration flag for enable BinAuthZ Admission controller [#160]
+* Add configuration flag for `pod_security_policy_config` [#163]
 * Support for a guest accelerator in node pool configuration. [#157]
 * Support to scale the default node cluster. [#149]
 * Support for configuring the network policy provider. [#159]

autogen/cluster_regional.tf

@@ -43,7 +43,8 @@ resource "google_container_cluster" "primary" {
   monitoring_service = "${var.monitoring_service}"
 
 {% if private_cluster %}
-  enable_binary_authorization = "${var.enable_binary_authorization}"
+  enable_binary_authorization       = "${var.enable_binary_authorization}"
+  pod_security_policy_config        = "${var.pod_security_policy_config}"
 {% endif %}
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 

autogen/cluster_zonal.tf

@@ -43,7 +43,8 @@ resource "google_container_cluster" "zonal_primary" {
   monitoring_service = "${var.monitoring_service}"
 
 {% if private_cluster %}
-  enable_binary_authorization = "${var.enable_binary_authorization}"
+  enable_binary_authorization       = "${var.enable_binary_authorization}"
+  pod_security_policy_config        = "${var.pod_security_policy_config}"
 {% endif %}
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 

autogen/main.tf

@@ -139,6 +139,13 @@ locals {
     zonal    = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}"
   }
 
+{% if private_cluster %}
+  cluster_type_output_pod_security_policy_enabled = {
+    regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}"
+    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}"
+  }
+
+{% endif %}
   cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}"
   cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}"
   cluster_master_auth_map         = "${local.cluster_master_auth_list_layer2[0]}"
@@ -161,6 +168,9 @@ locals {
   cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
   cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
   cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
+{% if private_cluster %}
+  cluster_pod_security_policy_enabled        = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? true : false}"
+{% endif %}
 }
 
 /******************************************

autogen/outputs.tf

@@ -112,3 +112,11 @@ output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${local.service_account}"
 }
+
+{% if private_cluster %}
+output "pod_security_policy_enabled" {
+  description = "Whether pod security policy is enabled"
+  value       = "${local.cluster_pod_security_policy_enabled}"
+}
+
+{% endif %}

autogen/variables.tf

@@ -92,6 +92,14 @@ variable "enable_binary_authorization" {
   default     = false
 }
 
+variable "pod_security_policy_config" {
+  description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
+
+  default     = [{
+    "enabled" = false
+  }]
+}
+
 {% endif %}
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"

modules/private-cluster/README.md

@@ -155,6 +155,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | node\_pools\_taints | Map of lists containing node taints by node-pool name | map | `<map>` | no |
 | node\_version | The Kubernetes version of the node pools. Defaults kubernetes_version (master) variable and can be overridden for individual node pools by setting the `version` key on them. Must be empyty or set the same as master at cluster creation. | string | `""` | no |
 | non\_masquerade\_cidrs | List of strings in CIDR notation that specify the IP address ranges that do not use IP masquerading. | list | `<list>` | no |
+| pod\_security\_policy\_config | enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created. | list | `<list>` | no |
 | project\_id | The project ID to host the cluster in (required) | string | n/a | yes |
 | region | The region to host the cluster in (required) | string | n/a | yes |
 | regional | Whether is a regional cluster (zonal cluster if set false. WARNING: changing this after cluster creation is destructive!) | string | `"true"` | no |
@@ -183,6 +184,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | network\_policy\_enabled | Whether network policy enabled |
 | node\_pools\_names | List of node pools names |
 | node\_pools\_versions | List of node pools versions |
+| pod\_security\_policy\_enabled | Whether pod security policy is enabled |
 | region | Cluster region |
 | service\_account | The service account to default running nodes as if not overridden in `node_pools`. |
 | type | Cluster type (regional / zonal) |

modules/private-cluster/cluster_regional.tf

@@ -42,7 +42,8 @@ resource "google_container_cluster" "primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
-  enable_binary_authorization = "${var.enable_binary_authorization}"
+  enable_binary_authorization       = "${var.enable_binary_authorization}"
+  pod_security_policy_config        = "${var.pod_security_policy_config}"
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/private-cluster/cluster_zonal.tf

@@ -42,7 +42,8 @@ resource "google_container_cluster" "zonal_primary" {
   logging_service    = "${var.logging_service}"
   monitoring_service = "${var.monitoring_service}"
 
-  enable_binary_authorization = "${var.enable_binary_authorization}"
+  enable_binary_authorization       = "${var.enable_binary_authorization}"
+  pod_security_policy_config        = "${var.pod_security_policy_config}"
   master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 
   master_auth {

modules/private-cluster/main.tf

@@ -132,6 +132,11 @@ locals {
     zonal    = "${concat(google_container_node_pool.zonal_pools.*.version, list(""))}"
   }
 
+  cluster_type_output_pod_security_policy_enabled = {
+    regional = "${element(concat(google_container_cluster.primary.*.pod_security_policy_config.0.enabled, list("")), 0)}"
+    zonal    = "${element(concat(google_container_cluster.zonal_primary.*.pod_security_policy_config.0.enabled, list("")), 0)}"
+  }
+
   cluster_master_auth_list_layer1 = "${local.cluster_type_output_master_auth[local.cluster_type]}"
   cluster_master_auth_list_layer2 = "${local.cluster_master_auth_list_layer1[0]}"
   cluster_master_auth_map         = "${local.cluster_master_auth_list_layer2[0]}"
@@ -154,6 +159,7 @@ locals {
   cluster_http_load_balancing_enabled        = "${local.cluster_type_output_http_load_balancing_enabled[local.cluster_type] ? false : true}"
   cluster_horizontal_pod_autoscaling_enabled = "${local.cluster_type_output_horizontal_pod_autoscaling_enabled[local.cluster_type] ? false : true}"
   cluster_kubernetes_dashboard_enabled       = "${local.cluster_type_output_kubernetes_dashboard_enabled[local.cluster_type] ? false : true}"
+  cluster_pod_security_policy_enabled        = "${local.cluster_type_output_pod_security_policy_enabled[local.cluster_type] ? false : true}"
 }
 
 /******************************************

modules/private-cluster/outputs.tf

@@ -112,3 +112,9 @@ output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${local.service_account}"
 }
+
+output "pod_security_policy_enabled" {
+  description = "Whether pod security policy is enabled"
+  value       = "${local.cluster_pod_security_policy_enabled}"
+}
+

modules/private-cluster/variables.tf

@@ -91,6 +91,14 @@ variable "enable_binary_authorization" {
   default     = false
 }
 
+variable "pod_security_policy_config" {
+  description = "enabled - Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created."
+
+  default = [{
+    "enabled" = false
+  }]
+}
+
 variable "horizontal_pod_autoscaling" {
   description = "Enable horizontal pod autoscaling addon"
   default     = true

outputs.tf

@@ -112,3 +112,4 @@ output "service_account" {
   description = "The service account to default running nodes as if not overridden in `node_pools`."
   value       = "${local.service_account}"
 }
+