Set security relevant settings on default node pool to comply with Sentinel #1038
Conversation
Thanks for the PR! 🚀

Can you share what the CI failure is about? Prior to raising the PR I planned the private-beta-cluster variant successfully.
This is the error:
Error: googleapi: Error 400: Cannot use default machine type (e2-medium) with gVisor; choose a different machine type., badRequest
with module.example.module.gke.google_container_cluster.primary,
on ../../../modules/beta-public-cluster/cluster.tf line 22, in resource "google_container_cluster" "primary":
22: resource "google_container_cluster" "primary" {
6410e7f to 856293d
@morgante Thank you for the quick feedback! I've removed the sandbox from the PR to make the tests pass. Sentinel policy enforcement currently only happens for the integrity monitoring, so it's not necessary at this point.

/gcpbuild
856293d to d215fac
Change of strategy: I am now setting the machine type and image as well, based on the values of node pool 0. This should fix it and make it possible to activate even gVisor. It also makes a bit more sense that the temporary default node pool uses a machine type matching what's actually used in a real node pool.

Green tests ✌️
…l to comply with validation policies (terraform-google-modules#1038)
This PR adds some security-relevant settings to the default node pool that exists temporarily during cluster creation, to satisfy Terraform Enterprise Sentinel policies defined by the CSO at my project.
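The two points raised in the thread (mirroring node pool 0's machine type and image onto the temporary default pool so that the API does not reject gVisor on e2-medium, and putting the shielded-node integrity monitoring setting on that pool so a plan-time policy engine such as Sentinel sees it) can be shown in a small stand-alone configuration. The following is an added example, not the module's own code and not part of the PR: the `local.node_pools` list stands in for the module's `var.node_pools`, the project, location, names and the `n1-standard-2` machine type are assumed placeholders, and a `google-beta` provider configuration is assumed to be present.

```hcl
# Added example (not the terraform-google-kubernetes-engine module's code).
# Assumes a configured google-beta provider and placeholder project/location values.
terraform {
  required_providers {
    google-beta = {
      source = "hashicorp/google-beta"
    }
  }
}

locals {
  # Stand-in for the module's var.node_pools; index 0 is "node pool 0" from the thread.
  node_pools = [
    {
      name         = "pool-0"
      machine_type = "n1-standard-2"  # assumed; e2-medium is rejected when gVisor is enabled
      image_type   = "COS_CONTAINERD" # gVisor requires a containerd image
      sandbox_type = "gvisor"
    },
  ]
}

resource "google_container_cluster" "primary" {
  provider = google-beta
  name     = "example-cluster" # placeholder
  location = "us-central1"     # placeholder

  # The default node pool only exists while the cluster is being created and is
  # removed afterwards, but its node_config is still validated by the API and is
  # visible to a plan-time policy engine, so it must carry the same settings.
  remove_default_node_pool = true
  initial_node_count       = 1

  node_config {
    # Mirror node pool 0 so the temporary pool uses a machine type / image that are
    # valid for the same features (e.g. gVisor) as the real pool.
    machine_type = lookup(local.node_pools[0], "machine_type", "e2-medium")
    image_type   = lookup(local.node_pools[0], "image_type", "COS_CONTAINERD")

    # Security-relevant settings a policy would check on every node pool.
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

    # Only emit sandbox_config when node pool 0 actually asks for gVisor.
    dynamic "sandbox_config" {
      for_each = lookup(local.node_pools[0], "sandbox_type", "") == "gvisor" ? [1] : []
      content {
        sandbox_type = "gvisor"
      }
    }
  }
}

resource "google_container_node_pool" "pool_0" {
  provider   = google-beta
  name       = local.node_pools[0].name
  cluster    = google_container_cluster.primary.name
  location   = google_container_cluster.primary.location
  node_count = 1

  node_config {
    machine_type = local.node_pools[0].machine_type
    image_type   = local.node_pools[0].image_type

    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

    sandbox_config {
      sandbox_type = local.node_pools[0].sandbox_type
    }
  }
}
```

With the `machine_type` line on the cluster's `node_config` replaced by a fixed `e2-medium`, `terraform apply` fails at cluster creation with the same `googleapi: Error 400: Cannot use default machine type (e2-medium) with gVisor` message quoted above, because the temporary default pool, not the real pool, is what the API validates first. Reading the values from node pool 0 keeps the two pools consistent, and the `dynamic` block keeps `sandbox_config` out of the plan entirely when no pool requests gVisor.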