diff --git a/modules/gke-cluster/README.md b/modules/gke-cluster/README.md
index c62ea616..1cd25413 100644
--- a/modules/gke-cluster/README.md
+++ b/modules/gke-cluster/README.md
@@ -4,6 +4,8 @@ This module allows simplified creation and management of GKE clusters and should
 ## Example
+### GKE Cluster
+
 ```hcl
 module "cluster-1" {
 source = "./modules/gke-cluster"
@@ -31,6 +33,36 @@ module "cluster-1" {
 # tftest:modules=1:resources=1
 ```
+### GKE Cluster with Dataplane V2 enabled
+
+```hcl
+module "cluster-1" {
+ source = "./modules/gke-cluster"
+ project_id = "myproject"
+ name = "cluster-1"
+ location = "europe-west1-b"
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ secondary_range_pods = "pods"
+ secondary_range_services = "services"
+ default_max_pods_per_node = 32
+ enable_dataplane_v2 = true
+ master_authorized_ranges = {
+ internal-vms = "10.0.0.0/8"
+ }
+ private_cluster_config = {
+ enable_private_nodes = true
+ enable_private_endpoint = true
+ master_ipv4_cidr_block = "192.168.0.0/28"
+ master_global_access = false
+ }
+ labels = {
+ environment = "dev"
+ }
+}
+# tftest:modules=1:resources=1
+```
+
 ## Variables
@@ -50,6 +82,7 @@ module "cluster-1" {
 | *default_max_pods_per_node* | Maximum number of pods per node in this cluster. | number | | 110 |
 | *description* | Cluster description. | string | | null |
 | *enable_binary_authorization* | Enable Google Binary Authorization. | bool | | null |
+| *enable_dataplane_v2* | Enable Dataplane V2 on the cluster, will disable network_policy addons config | bool | | false |
 | *enable_intranode_visibility* | Enable intra-node visibility to make same node pod to pod traffic visible. | bool | | null |
 | *enable_shielded_nodes* | Enable Shielded Nodes features on all nodes in this cluster. | bool | | null |
 | *enable_tpu* | Enable Cloud TPU resources in this cluster. | bool | | null |
diff --git a/modules/gke-cluster/main.tf b/modules/gke-cluster/main.tf
index a86b2726..37988790 100644
--- a/modules/gke-cluster/main.tf
+++ b/modules/gke-cluster/main.tf
@@ -49,7 +49,8 @@ resource "google_container_cluster" "cluster" {
 enable_tpu = var.enable_tpu
 initial_node_count = 1
 remove_default_node_pool = true
-
+ datapath_provider = var.enable_dataplane_v2 ? "ADVANCED_DATAPATH" : "DATAPATH_PROVIDER_UNSPECIFIED"
+
 # node_config {}
 # NOTE: Default node_pool is deleted, so node_config (here) is extranneous.
 # Specify that node_config as an parameter to gke-nodepool module instead.
@@ -120,11 +121,12 @@ resource "google_container_cluster" "cluster" {
 }
 }
+ #the network_policy block is enabled if network_policy_config and network_dataplane_v2 is set to false. Dataplane V2 has built-in network policies.
 dynamic "network_policy" {
 for_each = var.addons.network_policy_config ? [""] : []
 content {
- enabled = true
- provider = "CALICO"
+ enabled = var.enable_dataplane_v2 ? false : true
+ provider = var.enable_dataplane_v2 ? "PROVIDER_UNSPECIFIED" : "CALICO"
 }
 }
diff --git a/modules/gke-cluster/variables.tf b/modules/gke-cluster/variables.tf
index 3c998072..8999946f 100644
--- a/modules/gke-cluster/variables.tf
+++ b/modules/gke-cluster/variables.tf
@@ -25,7 +25,9 @@ variable "addons" {
 enabled = bool
 tls = bool
 })
+ network_policy_config = bool
+ gce_persistent_disk_csi_driver_config = bool
 })
 default = {
@@ -42,6 +44,12 @@ variable "addons" {
 }
 }
+variable "enable_dataplane_v2" {
+ description = "Enable Dataplane V2 on the cluster, will disable network_policy addons config"
+ type = bool
+ default = false
+}
+
 variable "authenticator_security_group" {
 description = "RBAC security group for Google Groups for GKE, format is gke-security-groups@yourdomain.com."
 type = string
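Review bot: The added `datapath_provider` line should carry a comment on its operational cost, because as far as I recall the google provider treats `datapath_provider` as a force-new attribute, so flipping `enable_dataplane_v2` on an existing cluster plans a destroy and recreate rather than an in-place update; please confirm against the provider version the module pins. Suggested comment above the line: `# datapath_provider cannot be changed in place: toggling enable_dataplane_v2 recreates the cluster.` The `=` on the new line is also not aligned with the neighbouring attributes, which `terraform fmt` would correct. The resource block starts and ends outside this hunk.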
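Review bot: The new comment above `dynamic "network_policy"` names `network_dataplane_v2`, which is not a variable anywhere in this diff (the variable is `enable_dataplane_v2`), and `enabled = var.enable_dataplane_v2 ? false : true` is a roundabout spelling of `enabled = !var.enable_dataplane_v2`. A simpler shape that never emits a disabled block is to gate the dynamic block itself, `for_each = var.addons.network_policy_config && !var.enable_dataplane_v2 ? [""] : []`, leaving `enabled = true` and `provider = "CALICO"` as they were; I would check with a plan that the provider treats an omitted block and an explicitly disabled one the same way before switching. Whichever form is kept, the comment should spell out the consequence for callers: with Dataplane V2 the `addons.network_policy_config` flag has no effect on this block, policy enforcement comes from the dataplane itself and the Calico provider is never configured. Suggested wording: `# With Dataplane V2, NetworkPolicy enforcement is built into the dataplane, so the Calico addon is not configured and addons.network_policy_config has no effect here.`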
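Review bot: `gce_persistent_disk_csi_driver_config = bool` is added to the `addons` object type, but no hunk in this diff adds a matching entry to the variable's `default` block; if the default does not already declare it, callers that rely on the default will fail type validation with a missing-attribute error. The hunk also shows `network_policy_config = bool` as an added line although main.tf reads `var.addons.network_policy_config` on an unchanged context line, so this may be a collapsed-layout artifact or a duplicate declaration and the resulting file is worth a look. Neither attribute relates to Dataplane V2, so they would read more clearly as a separate change. The `addons` variable continues past the end of the hunk.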
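Review bot: The description of the new `enable_dataplane_v2` variable, `Enable Dataplane V2 on the cluster, will disable network_policy addons config`, is a sentence fragment and does not tell the caller what the flag means for policy enforcement or for an existing cluster. Suggested: `description = "Enable Dataplane V2 on the cluster. When true the network_policy addon is not configured, since Dataplane V2 enforces NetworkPolicy natively; changing this on an existing cluster recreates it."`, with the last clause confirmed against the provider's handling of `datapath_provider` before it is stated as fact. The same text appears in the README variables table, which should be regenerated or edited to match.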