From c0afa55b3bd6bb28e30c920e8fbcb0c76657b4f6 Mon Sep 17 00:00:00 2001
From: 6uellerBpanda
Date: Mon, 19 May 2025 11:07:15 +0200
Subject: [PATCH] feat(gke): add kubelet_readonly_port_enabled (#3092)
Thanks for this!
---
 modules/gke-cluster-autopilot/README.md | 10 +++++-----
 modules/gke-cluster-autopilot/main.tf | 11 +++++++----
 modules/gke-cluster-autopilot/variables.tf | 1 +
 modules/gke-cluster-standard/README.md | 10 +++++-----
 modules/gke-cluster-standard/main.tf | 1 +
 modules/gke-cluster-standard/variables.tf | 1 +
 6 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/modules/gke-cluster-autopilot/README.md b/modules/gke-cluster-autopilot/README.md
index b9a2ebeb7..461b1a5a6 100644
--- a/modules/gke-cluster-autopilot/README.md
+++ b/modules/gke-cluster-autopilot/README.md
@@ -270,8 +270,8 @@ module "cluster-1" {
 |---|---|:---:|:---:|:---:|
 | [location](variables.tf#L146) | Autopilot clusters are always regional. | string | ✓ | |
 | [name](variables.tf#L225) | Cluster name. | string | ✓ | |
-| [project_id](variables.tf#L256) | Cluster project ID. | string | ✓ | |
-| [vpc_config](variables.tf#L272) | VPC-level configuration. | object({…}) | ✓ | |
+| [project_id](variables.tf#L257) | Cluster project ID. | string | ✓ | |
+| [vpc_config](variables.tf#L273) | VPC-level configuration. | object({…}) | ✓ | |
 | [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
 | [backup_configs](variables.tf#L43) | Configuration for Backup for GKE. | object({…}) | | {} |
 | [deletion_protection](variables.tf#L64) | Whether or not to allow Terraform to destroy the cluster. Unless this field is set to false in Terraform state, a terraform destroy or terraform apply that would delete the cluster will fail. | bool | | true |
@@ -284,9 +284,9 @@ module "cluster-1" {
 | [maintenance_config](variables.tf#L162) | Maintenance window configuration. | object({…}) | | {…} |
 | [min_master_version](variables.tf#L185) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
 | [monitoring_config](variables.tf#L191) | Monitoring configuration. System metrics collection cannot be disabled. Control plane metrics are optional. Kube state metrics are optional. Google Cloud Managed Service for Prometheus is enabled by default. | object({…}) | | {} |
-| [node_config](variables.tf#L230) | Configuration for nodes and nodepools. | object({…}) | | {} |
-| [node_locations](variables.tf#L249) | Zones in which the cluster's nodes are located. | list(string) | | [] |
-| [release_channel](variables.tf#L261) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | string | | "REGULAR" |
+| [node_config](variables.tf#L230) | Configuration for nodes and nodepools. | object({…}) | | {} |
+| [node_locations](variables.tf#L250) | Zones in which the cluster's nodes are located. | list(string) | | [] |
+| [release_channel](variables.tf#L262) | Release channel for GKE upgrades. Clusters created in the Autopilot mode must use a release channel. Choose between \"RAPID\", \"REGULAR\", and \"STABLE\". | string | | "REGULAR" |
 
 ## Outputs
 
diff --git a/modules/gke-cluster-autopilot/main.tf b/modules/gke-cluster-autopilot/main.tf
index 5235ae4ea..b77f8308c 100644
--- a/modules/gke-cluster-autopilot/main.tf
+++ b/modules/gke-cluster-autopilot/main.tf
@@ -266,10 +266,13 @@ resource "google_container_cluster" "cluster" {
 }
 }
 }
- dynamic "node_pool_auto_config" {
- for_each = var.node_config.tags != null ? [""] : []
- content {
- network_tags {
+ node_pool_auto_config {
+ node_kubelet_config {
+ insecure_kubelet_readonly_port_enabled = upper(var.node_config.kubelet_readonly_port_enabled)
+ }
+ dynamic "network_tags" {
+ for_each = var.node_config.tags != null ? [""] : []
+ content {
 tags = toset(var.node_config.tags)
 }
 }
diff --git a/modules/gke-cluster-autopilot/variables.tf b/modules/gke-cluster-autopilot/variables.tf
index 714adb899..333647856 100644
--- a/modules/gke-cluster-autopilot/variables.tf
+++ b/modules/gke-cluster-autopilot/variables.tf
@@ -234,6 +234,7 @@ variable "node_config" {
 service_account = optional(string)
 tags = optional(list(string))
 workload_metadata_config_mode = optional(string)
+ kubelet_readonly_port_enabled = optional(bool, true)
 })
 default = {}
 nullable = false
diff --git a/modules/gke-cluster-standard/README.md b/modules/gke-cluster-standard/README.md
index 1b3ab36c2..e2a5c9e81 100644
--- a/modules/gke-cluster-standard/README.md
+++ b/modules/gke-cluster-standard/README.md
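Review bot: The `optional(bool, true)` default added in the variables.tf hunk makes both modules unconditionally render `insecure_kubelet_readonly_port_enabled = "TRUE"`, so the unauthenticated kubelet read-only port is kept enabled for every caller that does not opt out, and where the attribute was previously left unset (letting GKE apply its own default) the module now forces it on. A hardening default of `kubelet_readonly_port_enabled = optional(bool, false)`, or a null default with the attribute emitted only when set, would match the provider documentation, which as far as I recall recommends FALSE for this attribute. The `upper(var.node_config.kubelet_readonly_port_enabled)` line in node_kubelet_config also leans on implicit bool-to-string conversion and would error on a null value; `insecure_kubelet_readonly_port_enabled = var.node_config.kubelet_readonly_port_enabled ? "TRUE" : "FALSE"` spells out the provider's string enum instead. The same default and expression appear in the gke-cluster-standard main.tf and variables.tf hunks below, and the node_pool_auto_config block opened here closes outside the hunk.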
@@ -498,8 +498,8 @@ module "cluster-1" {
 |---|---|:---:|:---:|:---:|
 | [location](variables.tf#L265) | Cluster zone or region. | string | ✓ | |
 | [name](variables.tf#L380) | Cluster name. | string | ✓ | |
-| [project_id](variables.tf#L413) | Cluster project id. | string | ✓ | |
-| [vpc_config](variables.tf#L424) | VPC-level configuration. | object({…}) | ✓ | |
+| [project_id](variables.tf#L414) | Cluster project id. | string | ✓ | |
+| [vpc_config](variables.tf#L425) | VPC-level configuration. | object({…}) | ✓ | |
 | [access_config](variables.tf#L17) | Control plane endpoint and nodes access configurations. | object({…}) | | {} |
 | [backup_configs](variables.tf#L43) | Configuration for Backup for GKE. | object({…}) | | {} |
 | [cluster_autoscaling](variables.tf#L65) | Enable and configure limits for Node Auto-Provisioning with Cluster Autoscaler. | object({…}) | | null |
@@ -515,9 +515,9 @@ module "cluster-1" {
 | [max_pods_per_node](variables.tf#L314) | Maximum number of pods per node in this cluster. | number | | 110 |
 | [min_master_version](variables.tf#L320) | Minimum version of the master, defaults to the version of the most recent official release. | string | | null |
 | [monitoring_config](variables.tf#L326) | Monitoring configuration. Google Cloud Managed Service for Prometheus is enabled by default. | object({…}) | | {} |
-| [node_config](variables.tf#L385) | Node-level configuration. | object({…}) | | {} |
-| [node_locations](variables.tf#L406) | Zones in which the cluster's nodes are located. | list(string) | | [] |
-| [release_channel](variables.tf#L418) | Release channel for GKE upgrades. | string | | null |
+| [node_config](variables.tf#L385) | Node-level configuration. | object({…}) | | {} |
+| [node_locations](variables.tf#L407) | Zones in which the cluster's nodes are located. | list(string) | | [] |
+| [release_channel](variables.tf#L419) | Release channel for GKE upgrades. | string | | null |
 
 ## Outputs
 
diff --git a/modules/gke-cluster-standard/main.tf b/modules/gke-cluster-standard/main.tf
index 1ef3f4929..ecfb2404b 100644
--- a/modules/gke-cluster-standard/main.tf
+++ b/modules/gke-cluster-standard/main.tf
@@ -81,6 +81,7 @@ resource "google_container_cluster" "cluster" {
 # gcfs_config deactivation need the block to be defined so it can't be dynamic
 node_pool_defaults {
 node_config_defaults {
+ insecure_kubelet_readonly_port_enabled = upper(var.node_config.kubelet_readonly_port_enabled)
 gcfs_config {
 enabled = var.enable_features.image_streaming
 }
diff --git a/modules/gke-cluster-standard/variables.tf b/modules/gke-cluster-standard/variables.tf
index c8378da4c..3d72bd9c4 100644
--- a/modules/gke-cluster-standard/variables.tf
+++ b/modules/gke-cluster-standard/variables.tf
@@ -391,6 +391,7 @@ variable "node_config" {
 service_account = optional(string)
 tags = optional(list(string))
 workload_metadata_config_mode = optional(string)
+ kubelet_readonly_port_enabled = optional(bool, true)
 })
 default = {}
 nullable = false
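Review bot: In the gke-cluster-standard main.tf hunk the new `insecure_kubelet_readonly_port_enabled` line sits under `node_pool_defaults.node_config_defaults`, which the provider describes as cluster-wide defaults that a node pool's own settings override, so node pools managed as separate resources with their own `kubelet_config`, and presumably pools created before this change, keep whatever read-only port setting they already have. The setting is therefore a default rather than an enforcement, and nothing in the hunk says so. A one-line comment above the attribute, such as `# cluster-wide default only; node pools that set their own kubelet_config override it`, would prevent operators from reading it as a guarantee that the port is closed. The node_pool_defaults block continues outside the hunk.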