diff --git a/examples/simple_zonal_with_acm/README.md b/examples/simple_zonal_with_acm/README.md
index 986b66e3cd..40e3686485 100644
--- a/examples/simple_zonal_with_acm/README.md
+++ b/examples/simple_zonal_with_acm/README.md
@@ -1,6 +1,6 @@
 # Simple Zonal Cluster
-This example illustrates how to create a simple cluster and install [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/)'s [Config Sync](https://cloud.google.com/anthos-config-management/docs/config-sync-overview) and [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller) with the [Policy Essentials v2022 policy bundle](https://cloud.google.com/anthos-config-management/docs/how-to/using-policy-essentials-v2022).
+This example illustrates how to create a simple cluster and install [Anthos Config Management](https://cloud.google.com/anthos-config-management/docs/)'s [Config Sync](https://cloud.google.com/anthos-config-management/docs/config-sync-overview).
 It incorporates the standard cluster module and the [ACM install module](../../modules/acm).
@@ -27,12 +27,6 @@ After applying the Terraform configuration, you can run the following commands t
     kubectl describe ns shipping-dev
     ```
-4. You can also use `kubectl` to view any policy violations on the cluster:
-    ```
-    kubectl get constraint -l policycontroller.gke.io/bundleName=policy-essentials-v2022 -o json | jq -cC '.items[]| [.metadata.name,.status.totalViolations]'
-    ```
-
 ## Inputs
diff --git a/examples/simple_zonal_with_acm/acm.tf b/examples/simple_zonal_with_acm/acm.tf
index 3c15a155ea..acf6aba34a 100644
--- a/examples/simple_zonal_with_acm/acm.tf
+++ b/examples/simple_zonal_with_acm/acm.tf
@@ -26,6 +26,8 @@ module "acm" {
   sync_branch = "1.0.0"
   policy_dir  = "foo-corp"
+  enable_policy_controller = false
+  enable_fleet_feature     = var.enable_fleet_feature
   secret_type = "ssh"
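Review bot: `enable_policy_controller = false` removes admission enforcement from the simple_zonal_with_acm example with no comment saying why, so anyone copying this example loses Policy Controller without noticing. A why-comment above the line, e.g. `# Policy Controller is demonstrated separately in ../simple_zonal_with_poco; this example exercises Config Sync only.`, would make the split intentional rather than accidental. The new `enable_fleet_feature = var.enable_fleet_feature` line also presumes an `enable_fleet_feature` variable in this example's variables.tf, which the diff does not show; worth confirming it is declared and appears in the README Inputs table. The `module "acm"` block starts before the hunk and its remaining arguments lie outside it.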
diff --git a/examples/simple_zonal_with_poco/README.md b/examples/simple_zonal_with_poco/README.md
new file mode 100644
index 0000000000..b8bfd18509
--- /dev/null
+++ b/examples/simple_zonal_with_poco/README.md
@@ -0,0 +1,37 @@
+# Simple Zonal Cluster
+
+This example illustrates how to create a simple cluster and install [Policy Controller](https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller) with the [Pod Security Standards Baseline policy bundle](https://cloud.google.com/kubernetes-engine/enterprise/policy-controller/docs/how-to/using-pss-baseline).
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| cluster\_name\_suffix | A suffix to append to the default cluster name | `string` | `""` | no |
+| enable\_fleet\_feature | Whether to enable the Policy Controller feature on the fleet. | `bool` | `true` | no |
+| project\_id | The project ID to host the cluster in | `string` | n/a | yes |
+| region | The region to host the cluster in | `string` | `"us-central1"` | no |
+| zone | The zone to host the cluster in | `string` | `"us-central1-a"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| cluster\_name | Cluster name |
+| ip\_range\_pods | The secondary IP range used for pods |
+| ip\_range\_services | The secondary IP range used for services |
+| location | n/a |
+| network | n/a |
+| project\_id | Standard test outputs |
+| region | n/a |
+| service\_account | The default service account used for running nodes. |
+| subnetwork | n/a |
+| zones | List of zones in which the cluster resides |
+
+
+
+To provision this example, run the following from within this directory:
+- `terraform init` to get the plugins
+- `terraform plan` to see the infrastructure plan
+- `terraform apply` to apply the infrastructure build
+- `terraform destroy` to destroy the built infrastructure
diff --git a/examples/simple_zonal_with_poco/main.tf b/examples/simple_zonal_with_poco/main.tf
new file mode 100644
index 0000000000..37f806a5ef
--- /dev/null
+++ b/examples/simple_zonal_with_poco/main.tf
@@ -0,0 +1,53 @@
+/**
+ * Copyright 2018-2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+  cluster_type = "simple-zonal-poco"
+}
+
+provider "google" {
+  region = var.region
+}
+
+module "gke" {
+  source  = "terraform-google-modules/kubernetes-engine/google"
+  version = "~> 33.0"
+
+  project_id    = var.project_id
+  fleet_project = var.project_id
+  regional      = false
+  region        = var.region
+  zones         = [var.zone]
+
+  name = "${local.cluster_type}-cluster${var.cluster_name_suffix}"
+
+  network           = google_compute_network.main.name
+  subnetwork        = google_compute_subnetwork.main.name
+  ip_range_pods     = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+  ip_range_services = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+
+  service_account     = "create"
+  deletion_protection = false
+  node_pools = [
+    {
+      name         = "poco-node-pool"
+      autoscaling  = false
+      auto_upgrade = true
+      node_count   = 4
+      machine_type = "e2-standard-4"
+    },
+  ]
+}
diff --git a/examples/simple_zonal_with_poco/network.tf b/examples/simple_zonal_with_poco/network.tf
new file mode 100644
index 0000000000..0f2a3d3e84
--- /dev/null
+++ b/examples/simple_zonal_with_poco/network.tf
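Review bot: `deletion_protection = false` in `module "gke"` carries no comment explaining that it exists so the `terraform destroy` advertised in the README can tear the cluster down, and nothing warns against carrying it into a real cluster where the module's default (which I believe is `true`) is the safer setting. A comment such as `# Example/test only: lets terraform destroy delete the cluster. Keep the default for clusters that run real workloads.` directly above the line would prevent that copy-paste mistake. Likewise `fleet_project = var.project_id` is what makes `module.gke.fleet_membership` available to policy.tf's feature membership, a dependency that is invisible from this file and deserves a one-line note.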
@@ -0,0 +1,45 @@
+/**
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "random_string" "suffix" {
+  length  = 4
+  special = false
+  upper   = false
+}
+
+resource "google_compute_network" "main" {
+  project                 = var.project_id
+  name                    = "cft-gke-test-${random_string.suffix.result}"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "main" {
+  project       = var.project_id
+  name          = "cft-gke-test-${random_string.suffix.result}"
+  ip_cidr_range = "10.0.0.0/17"
+  region        = var.region
+  network       = google_compute_network.main.self_link
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-pods-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.0.0/18"
+  }
+
+  secondary_ip_range {
+    range_name    = "cft-gke-test-services-${random_string.suffix.result}"
+    ip_cidr_range = "192.168.64.0/18"
+  }
+}
diff --git a/examples/simple_zonal_with_poco/outputs.tf b/examples/simple_zonal_with_poco/outputs.tf
new file mode 100644
index 0000000000..f161d5bc89
--- /dev/null
+++ b/examples/simple_zonal_with_poco/outputs.tf
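Review bot: `google_compute_subnetwork.main` does not set `private_ip_google_access`, so nodes in this subnet reach Google APIs (including the fleet/Policy Controller endpoints) only through their external addresses; if this example is later switched to private nodes, the Policy Controller membership would presumably fail to install until that flag is on. Adding `private_ip_google_access = true` after `network = google_compute_network.main.self_link` is a cheap hardening with no downside for the current public-node layout. The subnet also has no `log_config`, so VPC flow logs are off; fine for an example, but a short comment saying so keeps readers from treating this network as production-ready.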
@@ -0,0 +1,61 @@
+/**
+ * Copyright 2018-2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "service_account" {
+  description = "The default service account used for running nodes."
+  value       = module.gke.service_account
+}
+
+# Standard test outputs
+output "project_id" {
+  value = var.project_id
+}
+
+output "region" {
+  value = module.gke.region
+}
+
+output "cluster_name" {
+  description = "Cluster name"
+  value       = module.gke.name
+}
+
+output "network" {
+  value = google_compute_network.main.name
+}
+
+output "subnetwork" {
+  value = google_compute_subnetwork.main.name
+}
+
+output "location" {
+  value = module.gke.location
+}
+
+output "ip_range_pods" {
+  description = "The secondary IP range used for pods"
+  value       = google_compute_subnetwork.main.secondary_ip_range[0].range_name
+}
+
+output "ip_range_services" {
+  description = "The secondary IP range used for services"
+  value       = google_compute_subnetwork.main.secondary_ip_range[1].range_name
+}
+
+output "zones" {
+  description = "List of zones in which the cluster resides"
+  value       = module.gke.zones
+}
diff --git a/examples/simple_zonal_with_poco/policy.tf b/examples/simple_zonal_with_poco/policy.tf
new file mode 100644
index 0000000000..cfbb98cd85
--- /dev/null
+++ b/examples/simple_zonal_with_poco/policy.tf
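Review bot: The `project_id`, `region`, `network`, `subnetwork` and `location` outputs have no `description`, which is why the generated README table shows `n/a` for them; give each one a description, e.g. `description = "The region the cluster is hosted in"` for `region` and `description = "The VPC network the cluster is attached to"` for `network`. The `# Standard test outputs` comment sits only above `output "project_id"`, so the README attributes that phrase to `project_id` alone; either move the comment above the first output it covers or replace it with per-output descriptions.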
@@ -0,0 +1,51 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_gke_hub_feature" "poco_feature" {
+  name     = "policycontroller"
+  project  = var.project_id
+  location = "global"
+
+  count = var.enable_fleet_feature ? 1 : 0
+}
+
+resource "google_gke_hub_feature_membership" "poco_feature_member" {
+  project  = var.project_id
+  location = "global"
+
+  feature             = "policycontroller"
+  membership          = module.gke.fleet_membership
+  membership_location = module.gke.region
+
+  policycontroller {
+    policy_controller_hub_config {
+      install_spec = "INSTALL_SPEC_ENABLED"
+      policy_content {
+        template_library {
+          installation = "ALL"
+        }
+        bundles {
+          bundle_name = "pss-baseline-v2022"
+        }
+      }
+      referential_rules_enabled = true
+    }
+  }
+
+  depends_on = [
+    google_gke_hub_feature.poco_feature
+  ]
+}
diff --git a/examples/simple_zonal_with_poco/variables.tf b/examples/simple_zonal_with_poco/variables.tf
new file mode 100644
index 0000000000..9a3bb7461e
--- /dev/null
+++ b/examples/simple_zonal_with_poco/variables.tf
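Review bot: `policy_controller_hub_config` does not set `log_denies_enabled`, so denials and dry-run failures produced by the pss-baseline-v2022 bundle are not logged by the admission webhook (the API default is off, as far as I recall) and there is no audit trail for detection to alert on; add `log_denies_enabled = true` next to `referential_rules_enabled = true`. Since `referential_rules_enabled = true` makes constraints depend on synced cluster data, a short comment noting that referential constraints can evaluate against stale or missing data until the sync catches up would help readers who copy this example. The hunk also gives no indication of whether the bundle's constraints are enforced or only audited, which the provider schema does not let you set per bundle here; a one-line comment recording the intended mode and how to verify it (for example by listing the constraints labelled `policycontroller.gke.io/bundleName=pss-baseline-v2022`) would close that gap.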
@@ -0,0 +1,44 @@
+/**
+ * Copyright 2018-2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  description = "The project ID to host the cluster in"
+  type        = string
+}
+
+variable "cluster_name_suffix" {
+  description = "A suffix to append to the default cluster name"
+  type        = string
+  default     = ""
+}
+
+variable "region" {
+  description = "The region to host the cluster in"
+  type        = string
+  default     = "us-central1"
+}
+
+variable "zone" {
+  type        = string
+  description = "The zone to host the cluster in"
+  default     = "us-central1-a"
+}
+
+variable "enable_fleet_feature" {
+  description = "Whether to enable the Policy Controller feature on the fleet."
+  type        = bool
+  default     = true
+}
diff --git a/examples/simple_zonal_with_poco/versions.tf b/examples/simple_zonal_with_poco/versions.tf
new file mode 100644
index 0000000000..2e21959c69
--- /dev/null
+++ b/examples/simple_zonal_with_poco/versions.tf
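Review bot: The description of `enable_fleet_feature` does not say what `false` means in practice: policy.tf still creates a `google_gke_hub_feature_membership` for `policycontroller` regardless, so the feature must already be enabled in the project or the apply will presumably fail. Reword it to `description = "Whether this config enables the Policy Controller fleet feature. Set to false only if the feature is already enabled in the project; the cluster's feature membership is created either way."`. As a style nit, `variable "zone"` lists `type` before `description` while every other variable in the file does the opposite.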
@@ -0,0 +1,27 @@
+/**
+ * Copyright 2021-2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+terraform {
+  required_providers {
+    google = {
+      source = "hashicorp/google"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+  }
+  required_version = ">= 1.3"
+}
diff --git a/test/integration/simple_zonal/simple_zonal_test.go b/test/integration/simple_zonal/simple_zonal_test.go
index cb5c796995..a29082134f 100644
--- a/test/integration/simple_zonal/simple_zonal_test.go
+++ b/test/integration/simple_zonal/simple_zonal_test.go
@@ -79,10 +79,6 @@ func TestSimpleZonal(t *testing.T) {
 		assert.NoError(err)
 		configkubeNS := testutils.ParseKubectlJSONResult(t, configNameSpace)
 		assert.Contains(configkubeNS.Get("metadata.name").String(), "config-management-system", "Namespace is Functional")
-		gateKeeperNameSpace, err := k8s.RunKubectlAndGetOutputE(t, &k8sOpts, "get", "ns", "gatekeeper-system", "-o", "json")
-		assert.NoError(err)
-		gateKeeperkubeNS := testutils.ParseKubectlJSONResult(t, gateKeeperNameSpace)
-		assert.Contains(gateKeeperkubeNS.Get("metadata.name").String(), "gatekeeper-system", "Namespace is Functional")
 	})
 	bpt.Test()
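Review bot: Neither entry in `required_providers` has a `version` constraint, so a fresh `terraform init` of this example resolves whatever `hashicorp/google` release is newest, while policy.tf relies on the `policycontroller` block of `google_gke_hub_feature_membership`, which only exists in newer provider releases. Add a lower-bound `version` constraint to `google` matching the provider release the example was verified against (the diff does not tell me which), and give `random` one as well; pinning is also the supply-chain hygiene expected of a published example, since the cluster module itself is already constrained with `version = "~> 33.0"`.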
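Review bot: Dropping the `gatekeeper-system` namespace assertions from `TestSimpleZonal` leaves Policy Controller with no integration coverage anywhere in this diff: the ACM example no longer installs it (`enable_policy_controller = false`), and, as far as the diff shows, no `test/integration/simple_zonal_with_poco` test is added for the new example that does. Without a test asserting that the `gatekeeper-system` namespace exists and that constraints labelled `policycontroller.gke.io/bundleName=pss-baseline-v2022` are present, a regression in policy.tf would ship unnoticed. The removal itself is right for this example; the gap is the missing companion test. `TestSimpleZonal` begins before the hunk.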