From 522213bbc7e7c37d0148bf23913f8baac06048f1 Mon Sep 17 00:00:00 2001
From: Nick Stroud
Date: Fri, 7 Apr 2023 16:05:52 -0700
Subject: [PATCH 1/2] Fix: missing flag for adding master-authorized-networks
---
 community/modules/scheduler/gke-cluster/outputs.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/community/modules/scheduler/gke-cluster/outputs.tf b/community/modules/scheduler/gke-cluster/outputs.tf
index c519e8b328..27e08117f1 100644
--- a/community/modules/scheduler/gke-cluster/outputs.tf
+++ b/community/modules/scheduler/gke-cluster/outputs.tf
@@ -33,6 +33,7 @@ locals {
 gcloud container clusters update ${google_container_cluster.gke_cluster.name} \
 --region ${google_container_cluster.gke_cluster.location} \
 --project ${var.project_id} \
+ --enable-master-authorized-networks \
 --master-authorized-networks /32
 EOT
 )
From 912174df360ccfbec3c86423ec31cb80c4d147e6 Mon Sep 17 00:00:00 2001
From: Nick Stroud
Date: Wed, 19 Apr 2023 17:04:21 -0700
Subject: [PATCH 2/2] Allow user to specify authorized networks in settings
---
 community/modules/scheduler/gke-cluster/README.md | 1 +
 community/modules/scheduler/gke-cluster/main.tf | 7 +++++++
 community/modules/scheduler/gke-cluster/outputs.tf | 10 +++++++++-
 community/modules/scheduler/gke-cluster/variables.tf | 9 +++++++++
 4 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/community/modules/scheduler/gke-cluster/README.md b/community/modules/scheduler/gke-cluster/README.md
index 88895e88a1..4fa790ca07 100644
--- a/community/modules/scheduler/gke-cluster/README.md
+++ b/community/modules/scheduler/gke-cluster/README.md
@@ -118,6 +118,7 @@ No modules.
 | [labels](#input\_labels) | GCE resource labels to be applied to resources. Key-value pairs. | `map(string)` | n/a | yes |
 | [maintenance\_exclusions](#input\_maintenance\_exclusions) | List of maintenance exclusions. A cluster can have up to three. |
list(object({
name = string
start_time = string
end_time = string
exclusion_scope = string
}))
| `[]` | no | | [maintenance\_start\_time](#input\_maintenance\_start\_time) | Start time for daily maintenance operations. Specified in GMT with `HH:MM` format. | `string` | `"09:00"` | no | +| [master\_authorized\_networks](#input\_master\_authorized\_networks) | External network that can access Kubernetes master through HTTPS. Must be specified in CIDR notation. |
list(object({
cidr_block = string
display_name = string
}))
| `[]` | no | | [master\_ipv4\_cidr\_block](#input\_master\_ipv4\_cidr\_block) | (Beta) The IP range in CIDR notation to use for the hosted master network. | `string` | `"172.16.0.32/28"` | no | | [name\_suffix](#input\_name\_suffix) | Custom cluster name postpended to the `deployment_name`. See `prefix_with_deployment_name`. | `string` | `""` | no | | [network\_id](#input\_network\_id) | The ID of the GCE VPC network to host the cluster given in the format: `projects//global/networks/`. | `string` | n/a | yes | diff --git a/community/modules/scheduler/gke-cluster/main.tf b/community/modules/scheduler/gke-cluster/main.tf index 1f614b5bb2..5afbab5248 100644 --- a/community/modules/scheduler/gke-cluster/main.tf +++ b/community/modules/scheduler/gke-cluster/main.tf @@ -49,6 +49,13 @@ resource "google_container_cluster" "gke_cluster" { # Note: the existence of the "master_authorized_networks_config" block enables # the master authorized networks even if it's empty. master_authorized_networks_config { + dynamic "cidr_blocks" { + for_each = var.master_authorized_networks + content { + cidr_block = cidr_blocks.value.cidr_block + display_name = cidr_blocks.value.display_name + } + } } private_ipv6_google_access = var.enable_private_ipv6_google_access ? "PRIVATE_IPV6_GOOGLE_ACCESS_TO_GOOGLE" : null diff --git a/community/modules/scheduler/gke-cluster/outputs.tf b/community/modules/scheduler/gke-cluster/outputs.tf index 27e08117f1..00d718c693 100644 --- a/community/modules/scheduler/gke-cluster/outputs.tf +++ b/community/modules/scheduler/gke-cluster/outputs.tf 
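Review bot: Once the `cidr_blocks` dynamic block is populated from `var.master_authorized_networks`, Terraform owns the cluster's authorized-network list, so any entry a user adds out-of-band with the `gcloud container clusters update --master-authorized-networks` command that outputs.tf still prints will, as far as I can tell, be reverted on the next `terraform apply`; nothing in this hunk or the instructions warns about that. The existing comment above the block only says that an empty block still enables the feature, so I would extend it with a line such as `# The list is managed from var.master_authorized_networks; networks added with gcloud are removed on the next apply.` so that operators understand the variable, not gcloud, is the source of truth. The `master_authorized_networks_config` block is shown in full, but the enclosing `google_container_cluster` resource starts and ends outside the hunk.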
@@ -27,9 +27,15 @@ locals { One way to access this cluster is from a VM created in the GKE cluster subnet. EOT ) + master_authorized_networks_message = length(var.master_authorized_networks) == 0 ? "" : trimspace( + <<-EOT + The following networks have been authorized to access this cluster: + ${join("\n", [for x in var.master_authorized_networks : " ${x.display_name}: ${x.cidr_block}"])}" + EOT + ) public_endpoint_message = trimspace( <<-EOT - To access this cluster from a public IP address you must allowlist your IP: + To add authorized networks you can allowlist your IP with this command: gcloud container clusters update ${google_container_cluster.gke_cluster.name} \ --region ${google_container_cluster.gke_cluster.location} \ --project ${var.project_id} \ @@ -44,6 +50,8 @@ output "instructions" { description = "Instructions on how to connect to the created cluster." value = trimspace( <<-EOT + ${local.master_authorized_networks_message} + ${local.allowlist_your_ip_message} Use the following command to fetch credentials for the created cluster: diff --git a/community/modules/scheduler/gke-cluster/variables.tf b/community/modules/scheduler/gke-cluster/variables.tf index ca524d118e..c97c0a1977 100644 --- a/community/modules/scheduler/gke-cluster/variables.tf +++ b/community/modules/scheduler/gke-cluster/variables.tf @@ -165,6 +165,15 @@ variable "enable_master_global_access" { default = false } +variable "master_authorized_networks" { + description = "External network that can access Kubernetes master through HTTPS. Must be specified in CIDR notation." + type = list(object({ + cidr_block = string + display_name = string + })) + default = [] +} + variable "service_account" { description = "Service account to use with the system node pool" type = object({
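Review bot: The new `master_authorized_networks_message` join line appears to end with a stray `"` after the closing `}` of the interpolation (`${x.cidr_block}"])}"`); inside the heredoc that quote is literal text, so the last listed network would be printed with a trailing quotation mark, and the line should end `...${x.cidr_block}"])}`. Separately, the reworded `public_endpoint_message` now says "To add authorized networks", but `gcloud ... --master-authorized-networks` sets the whole list rather than appending to it, so running the printed command replaces the entries the message above just listed; the sentence should say so, e.g. `To replace the authorized networks list with your own IP, run (prefer setting master_authorized_networks in the blueprint so Terraform keeps managing the list):`. The `public_endpoint_message` heredoc continues past the end of the hunk.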
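Review bot: `master_authorized_networks` accepts any string for `cidr_block` with no validation, so a malformed range only fails at apply time and an over-broad one such as `0.0.0.0/0` is accepted silently, which would expose the control-plane endpoint to the whole Internet through a module that otherwise defaults to an empty allowlist. A `validation` block can reject both at plan time; I would also make the description plural and consistent with current terminology, e.g. `description = "External networks that can access the Kubernetes control plane through HTTPS. Must be specified in CIDR notation."`. The hunk is shown in full; the `service_account` variable that follows continues outside it.

```hcl
variable "master_authorized_networks" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for n in var.master_authorized_networks :
      can(cidrhost(n.cidr_block, 0)) && !contains(["0.0.0.0/0", "::/0"], n.cidr_block)
    ])
    error_message = "Each cidr_block must be a valid CIDR range and must not be 0.0.0.0/0 or ::/0."
  }
}
```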