Squashing relevant changes from fast-dev-gke-marzi
Co-authored-by: Daniel Marzini <dmarzi@google.com>
This commit is contained in:
parent
d28dfc40b0
commit
110d94067d
|
@ -0,0 +1,3 @@
|
|||
The cluster/ directory contains configs that apply to entire clusters, rather than to namespaces. By default, any config in the cluster/ directory applies to every cluster enrolled in Config Sync. You can limit which clusters a config can affect by using a ClusterSelector.
|
||||
|
||||
Doc ref: https://cloud.google.com/anthos-config-management/docs/concepts/hierarchical-repo#cluster
|
|
@ -0,0 +1,28 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: dev-namespace-viewer
|
||||
rules:
|
||||
- apiGroups: ["", "metrics.k8s.io", "extensions", "apps"]
|
||||
resources:
|
||||
- "pods"
|
||||
- "pods/log"
|
||||
- "events"
|
||||
- "deployments"
|
||||
- "replicasets"
|
||||
verbs: ["get", "watch", "list"]
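Review bot: `dev-namespace-viewer` grants `pods/log` next to `pods`, which hands every principal bound to it whatever workloads print to stdout — frequently tokens and connection strings — so the intent should be recorded in the file, e.g. `# pods/log is deliberately included: viewers may read application logs`. The `extensions` entry in `apiGroups` is dead weight for `deployments`/`replicasets`, which are served only from `apps` on any cluster Config Sync supports, so the rule can be tightened to `- apiGroups: ["", "metrics.k8s.io", "apps"]`. The rule is only as safe as its bindings; the `namespace-viewer` RoleBinding in this commit scopes it to `team-a`, which is fine, but a ClusterRoleBinding would expose logs cluster-wide and is worth a warning comment here.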
|
|
@ -0,0 +1,43 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
apiVersion: constraints.gatekeeper.sh/v1beta1
|
||||
kind: K8sRequiredLabels
|
||||
metadata:
|
||||
name: ns-must-have-geo
|
||||
annotations:
|
||||
configsync.gke.io/cluster-name-selector: gke-1
|
||||
spec:
|
||||
enforcementAction: dryrun
|
||||
match:
|
||||
excludedNamespaces:
|
||||
- "kube-system"
|
||||
- "kube-public"
|
||||
- "kube-node-lease"
|
||||
- "resource-group-system"
|
||||
- "config-management-monitoring"
|
||||
- "config-management-system"
|
||||
- "cos-auditd"
|
||||
- "gatekeeper-system"
|
||||
- "kube-node-lease"
|
||||
- "cnrm-system"
|
||||
- "gke-mcs"
|
||||
- "configconnector-operator-system"
|
||||
kinds:
|
||||
- apiGroups: [""]
|
||||
kinds: ["Namespace"]
|
||||
parameters:
|
||||
labels:
|
||||
- key: "geo"
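Review bot: `kube-node-lease` appears twice in `excludedNamespaces` (third and ninth entries); drop the duplicate. `enforcementAction: dryrun` means this constraint only reports — the `team-a` Namespace added in this same commit carries no `geo` label and will be admitted, while `team-b` has one — so if the asymmetry is intentional for the dev stage a comment such as `# dryrun: violations are logged, not blocked; team-a has no geo label yet` would save the next reader a search. The `configsync.gke.io/cluster-name-selector: gke-1` annotation limits the constraint to one cluster and deserves the same one-line explanation.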
|
|
@ -0,0 +1,47 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
apiVersion: scheduling.k8s.io/v1
|
||||
kind: PriorityClass
|
||||
metadata:
|
||||
name: high-priority-system
|
||||
value: 1000000
|
||||
globalDefault: false
|
||||
description: "This priority class will cause other pods to be preempted."
|
||||
---
|
||||
apiVersion: scheduling.k8s.io/v1
|
||||
kind: PriorityClass
|
||||
metadata:
|
||||
name: high-priority
|
||||
value: 1000
|
||||
globalDefault: false
|
||||
description: "This priority class will cause other pods to be preempted."
|
||||
---
|
||||
apiVersion: scheduling.k8s.io/v1
|
||||
kind: PriorityClass
|
||||
metadata:
|
||||
name: mid-priority
|
||||
value: 100
|
||||
globalDefault: false
|
||||
# preemptionPolicy: Never
|
||||
description: "This priority class will cause other pods to be preempted."
|
||||
---
|
||||
apiVersion: scheduling.k8s.io/v1
|
||||
kind: PriorityClass
|
||||
metadata:
|
||||
name: low-priority
|
||||
value: 10
|
||||
globalDefault: true
|
||||
# preemptionPolicy: Never
|
||||
description: "This priority class will cause other pods to be preempted."
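Review bot: All four PriorityClasses reuse the description `"This priority class will cause other pods to be preempted."`, which is wrong for `low-priority` (value 10, `globalDefault: true`): it is the class every pod without a `priorityClassName` receives and, being the lowest value, preempts nothing. Give each class its own text, e.g. `description: "Default for pods with no priorityClassName; lowest value, never preempts."` on `low-priority` and a similarly specific one on `mid-priority`. The commented `# preemptionPolicy: Never` lines on `mid-priority` and `low-priority` read as abandoned experiments; either set the field or remove the comments so the published config states one intent.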
|
|
@ -0,0 +1,7 @@
|
|||
|
||||
|
||||
The namespaces/ directory contains configs for namespaces and namespace-scoped objects.
|
||||
|
||||
The structure within namespaces/ is the mechanism that drives namespace inheritance. You can limit which namespaces can inherit a config, by using a NamespaceSelector.
|
||||
|
||||
Doc ref: https://cloud.google.com/anthos-config-management/docs/concepts/hierarchical-repo#namespaces
|
|
@ -0,0 +1,54 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: fluentd-gcp-config-cos-auditd
|
||||
namespace: cos-auditd
|
||||
annotations:
|
||||
kubernetes.io/description: 'ConfigMap for Linux auditd logging daemonset on COS nodes.'
|
||||
data:
|
||||
google-fluentd.conf: |-
|
||||
<source>
|
||||
@type systemd
|
||||
filters [{ "SYSLOG_IDENTIFIER": "audit" }]
|
||||
pos_file /var/log/gcp-journald-audit.pos
|
||||
read_from_head true
|
||||
tag linux-auditd
|
||||
</source>
|
||||
|
||||
# Do not collect fluentd's own logs to avoid infinite loops.
|
||||
<match fluent.**>
|
||||
@type null
|
||||
</match>
|
||||
|
||||
<match **>
|
||||
@type google_cloud
|
||||
|
||||
enable_monitoring false
|
||||
split_logs_by_tag false
|
||||
detect_subservice false
|
||||
buffer_type file
|
||||
buffer_path /var/log/fluentd-buffers/system.audit.buffer
|
||||
buffer_queue_full_action block
|
||||
buffer_chunk_limit 512k
|
||||
buffer_queue_limit 2
|
||||
flush_interval 5s
|
||||
max_retry_wait 30
|
||||
disable_retry_limit
|
||||
num_threads 2
|
||||
use_grpc true
|
||||
</match>
|
|
@ -0,0 +1,128 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: cos-auditd-logging
|
||||
namespace: cos-auditd
|
||||
annotations:
|
||||
kubernetes.io/description: 'DaemonSet that enables Linux auditd logging on COS nodes.'
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
name: cos-auditd-logging
|
||||
template:
|
||||
metadata:
|
||||
annotations:
|
||||
scheduler.alpha.kubernetes.io/critical-pod: ""
|
||||
labels:
|
||||
name: cos-auditd-logging
|
||||
spec:
|
||||
hostNetwork: true
|
||||
hostPID: true
|
||||
nodeSelector:
|
||||
cloud.google.com/gke-os-distribution: cos
|
||||
volumes:
|
||||
- hostPath:
|
||||
path: /
|
||||
name: host
|
||||
- hostPath:
|
||||
path: /var/log
|
||||
name: varlog
|
||||
- hostPath:
|
||||
path: /usr/lib64
|
||||
name: libsystemddir
|
||||
- configMap:
|
||||
defaultMode: 420
|
||||
name: fluentd-gcp-config-cos-auditd
|
||||
name: config-volume
|
||||
initContainers:
|
||||
- name: cos-auditd-setup
|
||||
image: ubuntu
|
||||
command: ["chroot", "/host", "systemctl", "start", "cloud-audit-setup"]
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: host
|
||||
mountPath: /host
|
||||
resources:
|
||||
requests:
|
||||
memory: "10Mi"
|
||||
cpu: "10m"
|
||||
priorityClassName: high-priority-system
|
||||
containers:
|
||||
- name: fluentd-gcp-cos-auditd
|
||||
env:
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
apiVersion: v1
|
||||
fieldPath: spec.nodeName
|
||||
image: gcr.io/stackdriver-agents/stackdriver-logging-agent:0.6-1.6.0-1
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
exec:
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
LIVENESS_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-300}; STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}; if [[ ! -e /var/log/fluentd-buffers ]]; then
|
||||
exit 1;
|
||||
fi; touch -d "${STUCK_THRESHOLD_SECONDS} seconds ago" /tmp/marker-stuck; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-stuck -print -quit)" ]]; then
|
||||
rm -rf /var/log/fluentd-buffers;
|
||||
exit 1;
|
||||
fi; touch -d "${LIVENESS_THRESHOLD_SECONDS} seconds ago" /tmp/marker-liveness; if [[ -z "$(find /var/log/fluentd-buffers -type f -newer /tmp/marker-liveness -print -quit)" ]]; then
|
||||
exit 1;
|
||||
fi;
|
||||
failureThreshold: 3
|
||||
initialDelaySeconds: 600
|
||||
periodSeconds: 60
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 1
|
||||
resources:
|
||||
limits:
|
||||
cpu: "1"
|
||||
memory: 500Mi
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 200Mi
|
||||
terminationMessagePath: /dev/termination-log
|
||||
terminationMessagePolicy: File
|
||||
volumeMounts:
|
||||
- mountPath: /var/log
|
||||
name: varlog
|
||||
- mountPath: /host/lib
|
||||
name: libsystemddir
|
||||
readOnly: true
|
||||
- mountPath: /etc/google-fluentd/google-fluentd.conf
|
||||
subPath: google-fluentd.conf
|
||||
name: config-volume
|
||||
dnsPolicy: Default
|
||||
restartPolicy: Always
|
||||
terminationGracePeriodSeconds: 30
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
key: node.alpha.kubernetes.io/ismaster
|
||||
- effect: NoExecute
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
key: sandbox.gke.io/runtime
|
||||
operator: Equal
|
||||
value: gvisor
|
||||
updateStrategy:
|
||||
rollingUpdate:
|
||||
maxUnavailable: 1
|
||||
type: RollingUpdate
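Review bot: The privileged init container `cos-auditd-setup` runs `chroot /host systemctl start cloud-audit-setup` with the node's root filesystem mounted, yet its image is the bare `ubuntu` tag with no digest and no `imagePullPolicy`, so whatever the registry serves under that tag at pull time runs as root on every COS node; pin it, e.g. `image: ubuntu@sha256:<DIGEST-OF-VETTED-IMAGE>` (placeholder). In the liveness script, `STUCK_THRESHOLD_SECONDS=${LIVENESS_THRESHOLD_SECONDS:-900}` defaults the stuck threshold from the liveness variable, so setting `LIVENESS_THRESHOLD_SECONDS` silently collapses both thresholds to one value; it should read `STUCK_THRESHOLD_SECONDS=${STUCK_THRESHOLD_SECONDS:-900}`. The `scheduler.alpha.kubernetes.io/critical-pod` annotation is, as far as I know, no longer honoured on current GKE versions — the `priorityClassName: high-priority-system` already in the spec is its replacement — so the annotation can go, with a comment on `hostPID`/`hostNetwork` explaining why the auditd collector needs both.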
|
|
@ -0,0 +1,19 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: cos-auditd
|
|
@ -0,0 +1,34 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# LimitRange Reference: https://kubernetes.io/docs/concepts/policy/limit-range/
|
||||
apiVersion: v1
|
||||
kind: LimitRange
|
||||
metadata:
|
||||
name: default-limits
|
||||
spec:
|
||||
limits:
|
||||
- type: Container
|
||||
default:
|
||||
cpu: "1"
|
||||
memory: 512Mi
|
||||
defaultRequest:
|
||||
memory: 256Mi
|
||||
cpu: "0.5"
|
||||
max:
|
||||
cpu: "2"
|
||||
memory: 1Gi
|
||||
- type: PersistentVolumeClaim
|
||||
max:
|
||||
storage: 2Gi
|
|
@ -0,0 +1,22 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# apiVersion: networking.k8s.io/v1
|
||||
# kind: NetworkPolicy
|
||||
# metadata:
|
||||
# name: default-deny-egress
|
||||
# spec:
|
||||
# podSelector: {}
|
||||
# policyTypes:
|
||||
# - Egress
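Review bot: This file is a `default-deny-egress` NetworkPolicy commented out in its entirety, so Config Sync receives an empty document and the namespaces get no egress restriction; a file that does nothing should be enabled or deleted, and if it stays disabled the reason belongs at the top, e.g. `# Disabled: default-deny-egress blocks <dependency> until <tracking-issue>` (placeholders). The cluster module in this same commit keeps `enable_dataplane_v2 = true` (its `network_policy_config = false` line is commented as depending on that), and Dataplane V2 enforces NetworkPolicy natively, so from what is visible nothing in the cluster configuration prevents this policy from being applied as written — worth confirming before choosing.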
|
|
@ -0,0 +1,18 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: team-a
|
|
@ -0,0 +1,30 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# This Namespace is configured with RepoSync
|
||||
# Doc ref: https://cloud.google.com/anthos-config-management/docs/how-to/namespace-repositories#namespace-root
|
||||
|
||||
apiVersion: configsync.gke.io/v1beta1
|
||||
kind: RepoSync
|
||||
metadata:
|
||||
name: repo-sync
|
||||
namespace: team-a
|
||||
spec:
|
||||
sourceFormat: unstructured
|
||||
git:
|
||||
repo: "https://github.com/danielmarzini/configsync-application-example"
|
||||
branch: main
|
||||
revision: HEAD
|
||||
dir: "configsync/team-a"
|
||||
auth: none
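Review bot: `spec.git.repo` points at a personal GitHub repository (`https://github.com/danielmarzini/configsync-application-example`) with `auth: none`, `branch: main` and `revision: HEAD`, and the `sync-rolebinding.yaml` added in this same commit gives the `ns-reconciler-team-a` reconciler the `edit` ClusterRole in `team-a`; taken together, whoever can push to that repository's `main` can create and change workloads in the namespace. For anything beyond a throwaway dev cluster, host the source under an organisation-controlled repository, pin `revision` to a tag or commit rather than `HEAD`, and prefer an authenticated source (`auth: token`, `gcenode` or `gcpserviceaccount`) over `none` so the sync has an identity on both ends. A header comment naming the repo as a sample to be replaced, e.g. `# Sample namespace repo — replace with your team's repository before use`, would make the intent explicit.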
|
|
@ -0,0 +1,35 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# ResourceQuota Reference: https://kubernetes.io/docs/concepts/policy/resource-quotas/
|
||||
kind: ResourceQuota
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
namespace: team-a
|
||||
name: pvc
|
||||
spec:
|
||||
hard:
|
||||
persistentvolumeclaims: "3"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ResourceQuota
|
||||
metadata:
|
||||
namespace: team-a
|
||||
name: mem-cpu-store
|
||||
spec:
|
||||
hard:
|
||||
requests.cpu: "1"
|
||||
requests.memory: 1Gi
|
||||
limits.cpu: "2"
|
||||
limits.memory: 2Gi
|
|
@ -0,0 +1,28 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: namespace-viewer
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: dev-namespace-viewer
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
subjects:
|
||||
- kind: Group
|
||||
name: team-a@marzi.gcp-pso-italy.net
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
namespace: team-a
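Review bot: The trailing `namespace: team-a` line comes after the `Group` subject rather than under `metadata`; with the rendered indentation lost I cannot tell whether it is a field of the subject entry or a top-level key, but neither reads right — `namespace` is meaningful only on `ServiceAccount` subjects, and a stray top-level key would at best be ignored and at worst rejected (confirm against the file). In a hierarchical repo the namespace follows the directory, so the line can most likely be dropped, or moved to `metadata.namespace: team-a` as `sync-rolebinding.yaml` in this commit does. The subject `team-a@marzi.gcp-pso-italy.net` is a personal project's group; a published stage should mark it as a value to replace, e.g. `# replace with your organisation's team group`.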
|
|
@ -0,0 +1,28 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# ROOT_REPO/namespaces/NAMESPACE/sync-rolebinding.yaml
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: syncs-repo
|
||||
namespace: team-a
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: ns-reconciler-team-a
|
||||
namespace: config-management-system
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: edit
|
||||
apiGroup: rbac.authorization.k8s.io
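Review bot: Binding the built-in `edit` ClusterRole to `ns-reconciler-team-a` is broader than the namespace repo appears to need: `edit` includes read and write on Secrets and create on Pods, so anything synced from the team-a repository can read every Secret in `team-a`. If that repository only manages workloads and quotas, a namespace-scoped Role listing those kinds is the least-privilege choice; if `edit` is the intended starting point, say so in the header, e.g. `# edit is deliberately broad for the dev stage; tighten to a Role once the synced kinds are known`. The `# ROOT_REPO/namespaces/NAMESPACE/sync-rolebinding.yaml` comment is useful but the file is already in `team-a`, so naming the concrete path would read better than the template.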
|
|
@ -0,0 +1,44 @@
|
|||
|
||||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
namespace: team-b
|
||||
name: whereami
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: whereami
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: whereami
|
||||
version: v1
|
||||
spec:
|
||||
containers:
|
||||
- name: whereami
|
||||
image: us-docker.pkg.dev/google-samples/containers/gke/whereami:v1.2.7
|
||||
resources:
|
||||
limits:
|
||||
cpu: "0.5"
|
||||
memory: 128Mi
|
||||
requests:
|
||||
cpu: "0.5"
|
||||
memory: 128Mi
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8080
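Review bot: The `whereami` container has no `securityContext`, so it runs as whatever user the image defaults to and may escalate privileges; a dev-stage sample is exactly where the baseline should be set, e.g. `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` under the container (if the image runs as root, `runAsNonRoot` also needs `runAsUser` — confirm against the image). The image is pinned by tag (`v1.2.7`), which is good; a digest would make it immutable. The Deployment sets `metadata.namespace: team-b` explicitly while other namespaced objects in this commit rely on the directory, so a comment on why this one is explicit would help.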
|
|
@ -0,0 +1,20 @@
|
|||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: team-b
|
||||
labels:
|
||||
geo: "europe-west1"
|
|
@ -0,0 +1,23 @@
|
|||
# Copyright 2022 Google LLC
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
# For the mono-repo mode, declaring a Repo resource under system/ directory is required.
|
||||
# For the multi-repo mode, declaring a Repo resource under system/ directory is optional.
|
||||
apiVersion: configmanagement.gke.io/v1
|
||||
kind: Repo
|
||||
metadata:
|
||||
name: repo
|
||||
spec:
|
||||
version: 1.0.0
|
|
@ -63,6 +63,9 @@ everything else is in RBAC (second part of this stage)
|
|||
|
||||
## Addresses for ILBs
|
||||
|
||||
### Private Cluster
|
||||
WARNING: do not use run this stage with GKE-HUB and private clusters enabled from a machine outside the clusters network
|
||||
|
||||
## Filestore
|
||||
|
||||
- later
|
||||
|
|
|
@ -43,6 +43,7 @@ module "gke-cluster" {
|
|||
horizontal_pod_autoscaling = true
|
||||
config_connector_config = true
|
||||
kalm_config = false
|
||||
gcp_filestore_csi_driver_config = false
|
||||
# enable only if enable_dataplane_v2 is changed to false below
|
||||
network_policy_config = false
|
||||
istio_config = {
|
||||
|
@ -51,15 +52,15 @@ module "gke-cluster" {
|
|||
}
|
||||
}
|
||||
# change these here for all clusters if absolutely needed
|
||||
# authenticator_security_group = var.authenticator_security_group
|
||||
enable_dataplane_v2 = true
|
||||
enable_l4_ilb_subsetting = false
|
||||
enable_intranode_visibility = true
|
||||
enable_shielded_nodes = true
|
||||
workload_identity = true
|
||||
authenticator_security_group = var.authenticator_security_group
|
||||
enable_dataplane_v2 = true
|
||||
enable_l4_ilb_subsetting = false
|
||||
enable_intranode_visibility = true
|
||||
enable_shielded_nodes = true
|
||||
workload_identity = true
|
||||
private_cluster_config = {
|
||||
enable_private_nodes = true
|
||||
enable_private_endpoint = true
|
||||
enable_private_endpoint = false
|
||||
master_ipv4_cidr_block = each.value.net.master_range
|
||||
master_global_access = true
|
||||
}
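Review bot: The new side appears to flip `enable_private_endpoint` from `true` to `false` while keeping `enable_private_nodes = true`, which puts the control-plane endpoint on a public IP for every cluster in the stage; the README hunk in this commit warns about running the stage from outside the cluster network, which is the problem the flip works around. The safer fix is to keep the private endpoint and run from inside the VPC (or through a bastion/IAP), or, if a public endpoint is wanted for dev, make it a per-cluster setting rather than a hardcoded value and make sure `master_authorized_ranges` in `cluster_defaults` is not left at the RFC1918-wide default the variables hunk appears to show. Either way the line should carry the decision, e.g. `# public endpoint for dev only; access gated by master_authorized_ranges`. The `module "gke-cluster"` block starts outside the hunk.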
|
||||
|
|
|
@ -0,0 +1,59 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
module "gke-hub" {
|
||||
source = "../../../../modules/gke-hub"
|
||||
project_id = module.gke-project-0.project_id
|
||||
features = {
|
||||
configmanagement = true
|
||||
mc_ingress = true
|
||||
mc_servicediscovery = true
|
||||
}
|
||||
member_clusters = {
|
||||
for cluster_id in keys(var.clusters) :
|
||||
cluster_id => module.gke-cluster[cluster_id].id
|
||||
}
|
||||
member_features = {
|
||||
configmanagement = {
|
||||
binauthz = false
|
||||
config_sync = {
|
||||
gcp_service_account_email = null
|
||||
https_proxy = null
|
||||
policy_dir = "fast/stages/03-gke-multitenant/config"
|
||||
secret_type = "none"
|
||||
source_format = "hierarchy"
|
||||
sync_branch = "fast-dev-gke-marzi"
|
||||
sync_repo = "https://github.com/GoogleCloudPlatform/cloud-foundation-fabric"
|
||||
sync_rev = null
|
||||
}
|
||||
hierarchy_controller = null
|
||||
policy_controller = {
|
||||
exemptable_namespaces = [
|
||||
"asm-system",
|
||||
"config-management-system",
|
||||
"config-management-monitoring",
|
||||
"gatekeeper-system",
|
||||
"kube-system",
|
||||
"cos-auditd"
|
||||
]
|
||||
log_denies_enabled = true
|
||||
referential_rules_enabled = false
|
||||
template_library_installed = true
|
||||
}
|
||||
version = "1.10.2"
|
||||
}
|
||||
}
|
||||
}
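Review bot: `config_sync.sync_branch` is hardcoded to `"fast-dev-gke-marzi"` — the feature branch this commit squashes — with `sync_rev = null` and `secret_type = "none"`, so every member cluster's policy is whatever that branch of the public repository holds at sync time, and the branch will presumably disappear once merged. Point it at the release branch or a variable and pin `sync_rev` to a tag or commit, e.g. `sync_branch = "master"` and `sync_rev = "<RELEASE-TAG>"` (placeholder); for a public repository `secret_type = "none"` is workable, but the pin is what stops a force-push from becoming a cluster-wide change. `binauthz = false` and `referential_rules_enabled = false` are plausible dev defaults but each deserves a one-line `#` comment so they are not copied into a production stage unchanged.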
|
|
@ -35,7 +35,9 @@ module "gke-project-0" {
|
|||
"gkehub.googleapis.com",
|
||||
"stackdriver.googleapis.com",
|
||||
"container.googleapis.com",
|
||||
# "trafficdirector.googleapis.com"
|
||||
"multiclusterservicediscovery.googleapis.com",
|
||||
"multiclusteringress.googleapis.com",
|
||||
"trafficdirector.googleapis.com"
|
||||
]
|
||||
# add here any other service ids and keys for robot accounts which are needed
|
||||
# service_encryption_key_ids = {
|
||||
|
@ -66,6 +68,9 @@ module "gke-project-0" {
|
|||
# values = ["projects/fl01-prod-iac-core-0"]
|
||||
# }
|
||||
# }
|
||||
iam = {
|
||||
"roles/container.clusterViewer" = var.cluster_viewer_users
|
||||
}
|
||||
}
|
||||
|
||||
module "gke-dataset-resource-usage" {
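Review bot: `iam = { "roles/container.clusterViewer" = var.cluster_viewer_users }` grants a role to a list of principals taken straight from a variable; in the fabric project module `iam` is, as far as I recall, authoritative for the role (confirm in the module), so a typo in the variable silently removes existing viewers and an entry without a `user:`/`group:`/`serviceAccount:` prefix fails only at apply. FAST stages elsewhere grant roles to groups rather than individual users, so either name the variable for principals in general or document that only groups are expected, and add a comment on the line such as `# authoritative: replaces any existing clusterViewer bindings on the project`. The `module "gke-project-0"` block starts outside the hunk.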
|
||||
|
|
|
@ -18,11 +18,11 @@
|
|||
# 1 project, m clusters
|
||||
# cloud dns for gke?
|
||||
|
||||
# variable "authenticator_security_group" {
|
||||
# description = "Optional group used for Groups for GKE."
|
||||
# type = string
|
||||
# default = null
|
||||
# }
|
||||
variable "authenticator_security_group" {
|
||||
description = "Optional group used for Groups for GKE."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "billing_account" {
|
||||
# tfdoc:variable:source 00-bootstrap
|
||||
|
@ -36,14 +36,15 @@ variable "billing_account" {
|
|||
variable "cluster_defaults" {
|
||||
description = "Default values for optional cluster configurations."
|
||||
type = object({
|
||||
cloudrun_config = bool
|
||||
database_encryption_key = string
|
||||
enable_binary_authorization = bool
|
||||
master_authorized_ranges = map(string)
|
||||
max_pods_per_node = number
|
||||
pod_security_policy = bool
|
||||
release_channel = string
|
||||
vertical_pod_autoscaling = bool
|
||||
cloudrun_config = bool
|
||||
database_encryption_key = string
|
||||
enable_binary_authorization = bool
|
||||
master_authorized_ranges = map(string)
|
||||
max_pods_per_node = number
|
||||
pod_security_policy = bool
|
||||
release_channel = string
|
||||
vertical_pod_autoscaling = bool
|
||||
gcp_filestore_csi_driver_config = bool
|
||||
})
|
||||
default = {
|
||||
# TODO: review defaults
|
||||
|
@ -55,10 +56,11 @@ variable "cluster_defaults" {
|
|||
rfc1918_2 = "172.16.0.0/12"
|
||||
rfc1918_3 = "192.168.0.0/16"
|
||||
}
|
||||
max_pods_per_node = 110
|
||||
pod_security_policy = false
|
||||
release_channel = "STABLE"
|
||||
vertical_pod_autoscaling = false
|
||||
max_pods_per_node = 110
|
||||
pod_security_policy = false
|
||||
release_channel = "STABLE"
|
||||
vertical_pod_autoscaling = false
|
||||
gcp_filestore_csi_driver_config = false
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -82,18 +84,25 @@ variable "clusters" {
|
|||
subnet = string
|
||||
})
|
||||
overrides = object({
|
||||
cloudrun_config = bool
|
||||
database_encryption_key = string
|
||||
enable_binary_authorization = bool
|
||||
master_authorized_ranges = map(string)
|
||||
max_pods_per_node = number
|
||||
pod_security_policy = bool
|
||||
release_channel = string
|
||||
vertical_pod_autoscaling = bool
|
||||
cloudrun_config = bool
|
||||
database_encryption_key = string
|
||||
enable_binary_authorization = bool
|
||||
master_authorized_ranges = map(string)
|
||||
max_pods_per_node = number
|
||||
pod_security_policy = bool
|
||||
release_channel = string
|
||||
vertical_pod_autoscaling = bool
|
||||
gcp_filestore_csi_driver_config = bool
|
||||
})
|
||||
}))
|
||||
}
|
||||
|
||||
variable "cluster_viewer_users" {
|
||||
description = "list of users to be granted as container.clusterViewer"
|
||||
type = list(any)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "dns_domain" {
|
||||
description = "Domain name used for clusters, prefix by each cluster name. Leave null to disable Cloud DNS for GKE."
|
||||
type = string
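Review bot: In the `clusters` hunk, the new `cluster_viewer_users` variable is typed `list(any)` where every element must be an IAM principal string; use `type = list(string)` and, matching the other variables in the file, a capitalised, punctuated description such as `description = "Principals granted roles/container.clusterViewer on the GKE project."`. A `validation` block checking that each entry starts with `user:`, `group:` or `serviceAccount:` would turn an apply-time IAM error into a plan-time one. The `authenticator_security_group` hunk earlier in the file uncomments the variable but leaves the old commented copy in place above it; the duplicate should be removed.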
|
||||
|
|
|
@ -40,7 +40,7 @@ resource "google_gke_hub_feature" "configmanagement" {
|
|||
|
||||
resource "google_gke_hub_feature" "mci" {
|
||||
provider = google-beta
|
||||
for_each = var.features.mc_ingress ? var.member_clusters : {}
|
||||
for_each = var.features.mc_ingress ? try(var.member_clusters[0], {}) : {}
|
||||
project = var.project_id
|
||||
name = "multiclusteringress"
|
||||
location = "global"
|
||||
|
@ -67,6 +67,12 @@ resource "google_gke_hub_feature_membership" "feature_member" {
|
|||
feature = google_gke_hub_feature.configmanagement["1"].name
|
||||
membership = google_gke_hub_membership.membership[each.key].membership_id
|
||||
|
||||
depends_on = [
|
||||
google_gke_hub_feature.configmanagement,
|
||||
google_gke_hub_feature.mci,
|
||||
google_gke_hub_feature.mcs,
|
||||
]
|
||||
|
||||
dynamic "configmanagement" {
|
||||
for_each = (
|
||||
try(var.member_features.configmanagement, null) != null
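Review bot: In the `mci` hunk, `try(var.member_clusters[0], {})` indexes a map with a number: `var.member_clusters` is built in the new `gke-hub.tf` as `cluster_id => module.gke-cluster[cluster_id].id`, so `[0]` looks up the key `"0"`, which no real cluster id matches, `try` swallows the failure and `for_each` becomes `{}` — the `multiclusteringress` feature is never created even with `mc_ingress = true`. If the intent is one feature resource that uses the first cluster as config membership, something like `for_each = var.features.mc_ingress && length(var.member_clusters) > 0 ? { (keys(var.member_clusters)[0]) = values(var.member_clusters)[0] } : {}` does that, though a dedicated variable naming the config cluster would be clearer than "whichever key sorts first". The `resource "google_gke_hub_feature" "mci"` block continues outside the hunk.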
|
||||
|
|
|
@ -84,7 +84,7 @@ resource "google_container_node_pool" "nodepool" {
|
|||
location = var.location
|
||||
name = var.name
|
||||
|
||||
initial_node_count = var.initial_node_count
|
||||
initial_node_count = var.node_count == null ? var.initial_node_count : null // (dmarzi) TOFIX
|
||||
max_pods_per_node = var.max_pods_per_node
|
||||
node_count = var.autoscaling_config == null ? var.node_count : null
|
||||
node_locations = var.node_locations
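Review bot: The new `initial_node_count = var.node_count == null ? var.initial_node_count : null`, together with the existing `node_count = var.autoscaling_config == null ? var.node_count : null`, leaves both attributes null whenever `autoscaling_config` and `node_count` are both set, so the pool is created with no node count at all; the `// (dmarzi) TOFIX` marker suggests this is known. A consistent form only drops the initial count when `node_count` will actually be sent: `initial_node_count = var.autoscaling_config == null && var.node_count != null ? null : var.initial_node_count`. Personal `TOFIX` markers should not be merged; either fix it or replace the marker with `# TODO(<ISSUE-ID>)` (placeholder) pointing at a tracked issue, using `#` if that is the module's comment style (not visible in the hunk). The `resource "google_container_node_pool" "nodepool"` block continues outside the hunk.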
|
||||
|
|