feat: enable binauthz for autopilot (#2030)

Author: apeabody

autogen/main/cluster.tf.tmpl

@@ -208,13 +208,15 @@ resource "google_container_cluster" "primary" {
  {% if autopilot_cluster != true %}
  default_max_pods_per_node = var.default_max_pods_per_node
  enable_shielded_nodes = var.enable_shielded_nodes
+ {% endif %}
 
  dynamic "binary_authorization" {
  for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
  content {
  evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
  }
  }
+ {% if autopilot_cluster != true %}
 
  dynamic "identity_service_config" {
  for_each = var.enable_identity_service ? [var.enable_identity_service] : []
@@ -248,7 +250,7 @@ resource "google_container_cluster" "primary" {
  enabled = secret_manager_config.value
  }
  }
- 
+
  enable_fqdn_network_policy = var.enable_fqdn_network_policy
 {% endif %}
 {% if autopilot_cluster %}
@@ -1039,7 +1041,7 @@ resource "google_container_node_pool" "windows_pools" {
  for_each = length(merge(
  local.node_pools_linux_node_configs_sysctls["all"],
  local.node_pools_linux_node_configs_sysctls[each.value["name"]],
- local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]} 
+ local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]}
  )) != 0 ? [1] : []
 
  content {

autogen/main/variables.tf.tmpl

@@ -743,12 +743,14 @@ variable "enable_shielded_nodes" {
  default = true
 }
 
+{% endif %}
 variable "enable_binary_authorization" {
  type = bool
  description = "Enable BinAuthZ Admission controller"
  default = false
 }
 
+{% if autopilot_cluster != true %}
 variable "node_metadata" {
  description = "Specifies how node metadata is exposed to the workload running on the node"
  default = "GKE_METADATA"

examples/autopilot_private_firewalls/main.tf

@@ -52,6 +52,7 @@ module "gke" {
  add_shadow_firewall_rules = true
  network_tags = ["allow-google-apis"]
  deletion_protection = false
+ enable_binary_authorization = true
 
  master_authorized_networks = [
  {

modules/beta-autopilot-private-cluster/README.md

@@ -88,6 +88,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |

modules/beta-autopilot-private-cluster/cluster.tf

@@ -85,6 +85,13 @@ resource "google_container_cluster" "primary" {
  enabled = var.enable_vertical_pod_autoscaling
  }
 
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
  enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

modules/beta-autopilot-private-cluster/variables.tf

@@ -469,6 +469,12 @@ variable "database_encryption" {
  }]
 }
 
+variable "enable_binary_authorization" {
+ type = bool
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 
 variable "gke_backup_agent_config" {
  type = bool

modules/beta-autopilot-public-cluster/README.md

@@ -81,6 +81,7 @@ Then perform the following commands on the root folder:
 | description | The description of the cluster | `string` | `""` | no |
 | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no |
 | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no |
 | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no |
 | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no |
 | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no |

modules/beta-autopilot-public-cluster/cluster.tf

@@ -85,6 +85,13 @@ resource "google_container_cluster" "primary" {
  enabled = var.enable_vertical_pod_autoscaling
  }
 
+ dynamic "binary_authorization" {
+ for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+ content {
+ evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+ }
+ }
+
  enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting
 
  enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy

modules/beta-autopilot-public-cluster/variables.tf

@@ -433,6 +433,12 @@ variable "database_encryption" {
  }]
 }
 
+variable "enable_binary_authorization" {
+ type = bool
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 
 variable "gke_backup_agent_config" {
  type = bool