diff --git a/infra/gcp/terraform/k8s-infra-ii-sandbox/provider.tf b/infra/gcp/terraform/k8s-infra-ii-sandbox/provider.tf
index 8ca99ed0207..f29c5a4481b 100644
--- a/infra/gcp/terraform/k8s-infra-ii-sandbox/provider.tf
+++ b/infra/gcp/terraform/k8s-infra-ii-sandbox/provider.tf
@@ -33,11 +33,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/k8s-infra-kubernetes-io/provider.tf b/infra/gcp/terraform/k8s-infra-kubernetes-io/provider.tf
index ab6d3ece05c..7d0b57ae71b 100644
--- a/infra/gcp/terraform/k8s-infra-kubernetes-io/provider.tf
+++ b/infra/gcp/terraform/k8s-infra-kubernetes-io/provider.tf
@@ -30,11 +30,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/k8s-infra-monitoring/provider.tf b/infra/gcp/terraform/k8s-infra-monitoring/provider.tf
index 63f9775822f..138afed8617 100644
--- a/infra/gcp/terraform/k8s-infra-monitoring/provider.tf
+++ b/infra/gcp/terraform/k8s-infra-monitoring/provider.tf
@@ -25,11 +25,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/k8s-infra-prow-build-trusted/00-provider.tf b/infra/gcp/terraform/k8s-infra-prow-build-trusted/00-provider.tf
index 4584411c9b6..070a82e1482 100644
--- a/infra/gcp/terraform/k8s-infra-prow-build-trusted/00-provider.tf
+++ b/infra/gcp/terraform/k8s-infra-prow-build-trusted/00-provider.tf
@@ -30,11 +30,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/k8s-infra-prow-build/00-provider.tf b/infra/gcp/terraform/k8s-infra-prow-build/00-provider.tf
index b8ad07b3af8..78d7b7accbc 100644
--- a/infra/gcp/terraform/k8s-infra-prow-build/00-provider.tf
+++ b/infra/gcp/terraform/k8s-infra-prow-build/00-provider.tf
@@ -30,11 +30,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/k8s-infra-public-pii/provider.tf b/infra/gcp/terraform/k8s-infra-public-pii/provider.tf
index 8a54de9d39e..0c4ffffd657 100644
--- a/infra/gcp/terraform/k8s-infra-public-pii/provider.tf
+++ b/infra/gcp/terraform/k8s-infra-public-pii/provider.tf
@@ -31,11 +31,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/k8s-infra-sandbox-capg/provider.tf b/infra/gcp/terraform/k8s-infra-sandbox-capg/provider.tf
index 27ae4bcf4e0..f14222ea3ad 100644
--- a/infra/gcp/terraform/k8s-infra-sandbox-capg/provider.tf
+++ b/infra/gcp/terraform/k8s-infra-sandbox-capg/provider.tf
@@ -31,11 +31,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/kubernetes-public/00-inputs.tf b/infra/gcp/terraform/kubernetes-public/00-inputs.tf
index d174209a175..dfc1d9cf118 100644
--- a/infra/gcp/terraform/kubernetes-public/00-inputs.tf
+++ b/infra/gcp/terraform/kubernetes-public/00-inputs.tf
@@ -36,10 +36,10 @@ terraform {
 required_providers {
 google = {
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/kubernetes-public/10-cluster-configuration.tf b/infra/gcp/terraform/kubernetes-public/10-cluster-configuration.tf
index b6b393afdce..f4f5bec04fb 100644
--- a/infra/gcp/terraform/kubernetes-public/10-cluster-configuration.tf
+++ b/infra/gcp/terraform/kubernetes-public/10-cluster-configuration.tf
@@ -102,16 +102,6 @@ resource "google_container_cluster" "cluster" {
 // objects
 remove_default_node_pool = true
 
- // Disable local and certificate auth
- master_auth {
- username = ""
- password = ""
-
- client_certificate_config {
- issue_client_certificate = false
- }
- }
-
 // Release Channel subscriptions. See https://cloud.google.com/kubernetes-engine/docs/concepts/release-channels
 release_channel {
 channel = "REGULAR"
@@ -124,7 +114,7 @@ resource "google_container_cluster" "cluster" {
 
 // Enable workload identity for GCP IAM
 workload_identity_config {
- identity_namespace = "${data.google_project.project.project_id}.svc.id.goog"
+ workload_pool = "${data.google_project.project.project_id}.svc.id.goog"
 }
 
 // Enable Stackdriver Kubernetes Monitoring
@@ -169,6 +159,9 @@ resource "google_container_cluster" "cluster" {
 }
 }
 
+ // Enable Shielded nodes
+ enable_shielded_nodes = false
+
 // Enable NAP
 cluster_autoscaling {
 enabled = true
@@ -183,11 +176,6 @@ resource "google_container_cluster" "cluster" {
 }
 }
 
- // Enable PodSecurityPolicy enforcement
- pod_security_policy_config {
- enabled = false // TODO: we should turn this on
- }
-
 // Enable VPA
 vertical_pod_autoscaling {
 enabled = true
diff --git a/infra/gcp/terraform/kubernetes-public/prowjob-buckets.tf b/infra/gcp/terraform/kubernetes-public/prowjob-buckets.tf
index 26caea21560..f34bf9b1768 100644
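Review bot: Removing the whole `master_auth` block in the `-102,16` hunk also removes the explicit `issue_client_certificate = false`, so client-certificate issuance for this cluster is no longer pinned in code and depends on whatever the provider/API default is. Only the empty `username`/`password` fields needed to go; keep the certificate setting by replacing the removed block with `master_auth { client_certificate_config { issue_client_certificate = false } }` so a later default change cannot silently re-enable legacy client certificates. The same removal is made for `prod_cluster` and `test_cluster` in infra/gcp/terraform/modules/gke-cluster/main.tf and should be handled the same way. The `google_container_cluster` resource body continues outside the hunk.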
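Review bot: In the `-169,6 +159,9` hunk the new comment reads `// Enable Shielded nodes` while the value it introduces is `enable_shielded_nodes = false`, so the comment states the opposite of what the line does and the cluster is explicitly pinned to non-shielded nodes. If leaving it off is deliberate (for example to avoid changing the existing cluster), say so and leave a marker, e.g. `// Shielded Nodes: explicitly off for now, TODO enable`; otherwise set it to `true`. The module variant in modules/gke-cluster/main.tf wires this attribute to a variable, so a hard-coded value here is the inconsistent one.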
--- a/infra/gcp/terraform/kubernetes-public/prowjob-buckets.tf
+++ b/infra/gcp/terraform/kubernetes-public/prowjob-buckets.tf
@@ -26,9 +26,9 @@ locals {
 
 // Bucket for scalability tests results
 resource "google_storage_bucket" "scalability_tests_logs" {
- project = data.google_project.project.project_id
- name = local.scalability_tests_logs_bucket_name
-
+ project = data.google_project.project.project_id
+ name = local.scalability_tests_logs_bucket_name
+
 location = "US"
 uniform_bucket_level_access = true
 lifecycle_rule {
@@ -88,9 +88,9 @@ resource "google_storage_bucket_iam_policy" "scalability_tests_logs_policy" {
 
 // Bucket used for Golang Scalability builds
 resource "google_storage_bucket" "scalability_golang_builds" {
- project = data.google_project.project.project_id
- name = local.scalability_golang_builds_bucket_name
-
+ project = data.google_project.project.project_id
+ name = local.scalability_golang_builds_bucket_name
+
 location = "US"
 uniform_bucket_level_access = true
 }
@@ -141,9 +141,9 @@ resource "google_storage_bucket_iam_policy" "scalability_golang_builds_policy" {
 
 // Bucket for kops CI jobs results
 resource "google_storage_bucket" "kops_ci_bucket" {
- project = data.google_project.project.project_id
- name = local.kops_ci_bucket_name
-
+ project = data.google_project.project.project_id
+ name = local.kops_ci_bucket_name
+
 location = "US"
 uniform_bucket_level_access = true
 }
diff --git a/infra/gcp/terraform/kubernetes-public/terraform.plan b/infra/gcp/terraform/kubernetes-public/terraform.plan
new file mode 100644
index 00000000000..bbfe80c45dc
Binary files /dev/null and b/infra/gcp/terraform/kubernetes-public/terraform.plan differ
diff --git a/infra/gcp/terraform/modules/gke-cluster/main.tf b/infra/gcp/terraform/modules/gke-cluster/main.tf
index bfddf0a4d2f..a615c80ccb5 100644
--- a/infra/gcp/terraform/modules/gke-cluster/main.tf
+++ b/infra/gcp/terraform/modules/gke-cluster/main.tf
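Review bot: `infra/gcp/terraform/kubernetes-public/terraform.plan` is added as a new binary file in this commit, which looks unintended next to the `.tf` changes. A saved plan file serializes the planned resource attributes and the state it was produced from, so it can carry values the configuration treats as sensitive and should not live in the repository. Drop it from the commit, add a `*.plan`/`terraform.plan` ignore rule so it cannot be re-added by accident, and if it has already been pushed review its contents to decide whether anything in it needs rotating.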
@@ -93,7 +93,7 @@ resource "google_bigquery_dataset" "test_usage_metering" {
 // IMPORTANT: The prod_ and test_ forms of this resource MUST be kept in sync.
 // Any changes in one MUST be reflected in the other.
 resource "google_container_cluster" "prod_cluster" {
- count = var.is_prod_cluster == "true" ? 1 : 0
+ count = var.is_prod_cluster == "true" ? 1 : 0
 name = var.cluster_name
 location = var.cluster_location
 
@@ -117,16 +117,6 @@ resource "google_container_cluster" "prod_cluster" {
 // objects
 remove_default_node_pool = true
 
- // Disable local and certificate auth
- master_auth {
- username = ""
- password = ""
-
- client_certificate_config {
- issue_client_certificate = false
- }
- }
-
 // Enable google-groups for RBAC
 authenticator_groups_config {
 security_group = "gke-security-groups@kubernetes.io"
@@ -134,7 +124,7 @@ resource "google_container_cluster" "prod_cluster" {
 
 // Enable workload identity for GCP IAM
 workload_identity_config {
- identity_namespace = "${var.project_name}.svc.id.goog"
+ workload_pool = "${var.project_name}.svc.id.goog"
 }
 
 // Enable Stackdriver Kubernetes Monitoring
@@ -185,6 +175,9 @@ resource "google_container_cluster" "prod_cluster" {
 }
 }
 
+ // Enable Shielded Nodes feature
+ enable_shielded_nodes = var.enable_shielded_nodes
+
 release_channel {
 channel = var.release_channel
 }
@@ -195,7 +188,7 @@ resource "google_container_cluster" "prod_cluster" {
 }
 }
 resource "google_container_cluster" "test_cluster" {
- count = var.is_prod_cluster == "true" ? 0 : 1
+ count = var.is_prod_cluster == "true" ? 0 : 1
 name = var.cluster_name
 location = var.cluster_location
 
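Review bot: The `-185,6 +175,9` hunk adds `enable_shielded_nodes = var.enable_shielded_nodes` to `prod_cluster` only; the two `test_cluster` hunks in this file (the `master_auth` removal and the `workload_pool` rename) carry no matching line, even though the comment at the top of the `-93,7` hunk says the prod_ and test_ forms MUST be kept in sync. Unless a hunk outside this diff adds it, insert the same comment and assignment into `test_cluster` at the corresponding position so both clusters honour the variable. Both resource bodies extend beyond the hunks shown.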
@@ -218,16 +211,6 @@ resource "google_container_cluster" "test_cluster" {
 // objects
 remove_default_node_pool = true
 
- // Disable local and certificate auth
- master_auth {
- username = ""
- password = ""
-
- client_certificate_config {
- issue_client_certificate = false
- }
- }
-
 // Enable google-groups for RBAC
 authenticator_groups_config {
 security_group = "gke-security-groups@kubernetes.io"
@@ -235,7 +218,7 @@ resource "google_container_cluster" "test_cluster" {
 
 // Enable workload identity for GCP IAM
 workload_identity_config {
- identity_namespace = "${var.project_name}.svc.id.goog"
+ workload_pool = "${var.project_name}.svc.id.goog"
 }
 
 // Enable Stackdriver Kubernetes Monitoring
diff --git a/infra/gcp/terraform/modules/gke-cluster/variables.tf b/infra/gcp/terraform/modules/gke-cluster/variables.tf
index 049528248ca..8165d31c6c7 100644
--- a/infra/gcp/terraform/modules/gke-cluster/variables.tf
+++ b/infra/gcp/terraform/modules/gke-cluster/variables.tf
@@ -29,6 +29,12 @@ variable "cluster_location" {
 type = string
 }
 
+variable "enable_shielded_nodes" {
+ type = bool
+ default = false
+ description = "Enable Shielded Nodes on all nodes in this cluster."
+}
+
 variable "bigquery_location" {
 description = "The bigquery specific location where the dataset should be created"
 type = string
@@ -62,7 +68,7 @@ variable "dns_cache_enabled" {
 EOF
 type = string
 // TODO: default this true (and/or remove this option) once kubernetes-public/aaa uses this module
- default = "false"
+ default = "false"
 }
 
 variable "cloud_shell_access" {
diff --git a/infra/gcp/terraform/modules/gke-cluster/versions.tf b/infra/gcp/terraform/modules/gke-cluster/versions.tf
index ade441948c5..e88d44e2095 100644
--- a/infra/gcp/terraform/modules/gke-cluster/versions.tf
+++ b/infra/gcp/terraform/modules/gke-cluster/versions.tf
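Review bot: The new `enable_shielded_nodes` variable in the `-29,6 +29,12` hunk defaults to `false`, so adopting this module version now sets the attribute explicitly off for every caller that does not opt in, while the description reads as if the variable simply enables the feature. State the default and the opt-in in the description, e.g. `description = "Enable Shielded Nodes on all nodes in this cluster. Defaults to false; set to true to opt in."`, and consider whether `true` is the safer default for new clusters once existing callers have been checked.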
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/modules/gke-nodepool/versions.tf b/infra/gcp/terraform/modules/gke-nodepool/versions.tf
index ade441948c5..e88d44e2095 100644
--- a/infra/gcp/terraform/modules/gke-nodepool/versions.tf
+++ b/infra/gcp/terraform/modules/gke-nodepool/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/modules/gke-project/versions.tf b/infra/gcp/terraform/modules/gke-project/versions.tf
index ade441948c5..e88d44e2095 100644
--- a/infra/gcp/terraform/modules/gke-project/versions.tf
+++ b/infra/gcp/terraform/modules/gke-project/versions.tf
@@ -21,11 +21,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }
diff --git a/infra/gcp/terraform/modules/workload-identity-service-account/versions.tf b/infra/gcp/terraform/modules/workload-identity-service-account/versions.tf
index 8f5f6779b61..cd486e70569 100644
--- a/infra/gcp/terraform/modules/workload-identity-service-account/versions.tf
+++ b/infra/gcp/terraform/modules/workload-identity-service-account/versions.tf
@@ -18,11 +18,11 @@ terraform {
 required_providers {
 google = {
 source = "hashicorp/google"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 google-beta = {
 source = "hashicorp/google-beta"
- version = "~> 3.90.0"
+ version = "~> 3.90.1"
 }
 }
 }