feat: distinct VPC host prep gke-cluster-autopilot BREAKING CHANGE (#893)
alaincormier-ssc authored Mar 13, 2024
1 parent ee1e954 commit 2b5ff79
Showing 7 changed files with 52 additions and 43 deletions.
47 changes: 24 additions & 23 deletions solutions/gke/configconnector/gke-cluster-autopilot/README.md
@@ -61,17 +61,18 @@ To fix this, you update the `root-sync` resource to include the override section

| Name | Value | Type | Count |
|---------------------------------|------------------------------------------------------|-------|-------|
| classification | nonp | str | 3 |
| client-name | client1 | str | 18 |
| cluster-name | autopilot1-gke | str | 36 |
| gke-to-azdo-priority | 2000 | int | 1 |
| gke-to-docker-priority | 2002 | int | 1 |
| gke-to-github-priority | 2001 | int | 1 |
| host-project-id | host-project-12345 | str | 6 |
| host-project-vpc | host-project-vpc | str | 2 |
| host-project-id | host-project-12345 | str | 8 |
| location | northamerica-northeast1 | str | 5 |
| master-authorized-networks-cidr | [cidrBlock: 10.1.1.5/32displayName: gke-admin-proxy] | array | 1 |
| masterIpv4CidrBlock | 192.168.0.0/28 | str | 1 |
| masterIpv4Range | ["192.168.0.0/28"] | array | 0 |
| network-connectivity-profile | standard | str | 6 |
| networktags | | str | 0 |
| networktags-enabled | false | str | 0 |
| podIpv4Range | ["172.16.0.0/23"] | array | 1 |
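Review bot: the removed `host-project-vpc` row (together with the `host-project-id` count moving from 6 to 8) is the breaking change named in the title, but nothing in this table tells an existing consumer what replaces it; add a sentence above the table stating that the host VPC name is now derived as `${host-project-id}-global-${network-connectivity-profile}-vpc` and that a `host-project-vpc` entry left in an older setters file no longer affects any resource. The new `classification` row also shows only `nonp`; listing the accepted values here avoids a typo rendering a firewall policy reference that no policy in the client namespace matches.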
@@ -91,27 +92,27 @@ This package has no sub-packages.

## Resources

| File | APIVersion | Kind | Name | Namespace |
|-------------------------------------------------|-----------------------------------------|---------------------------|---------------------------------------------------------------------|------------------|
| application-infrastructure-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-azdo | project-id-tier3 |
| application-infrastructure-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-github | project-id-tier3 |
| application-infrastructure-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-docker | project-id-tier3 |
| gke.yaml | container.cnrm.cloud.google.com/v1beta1 | ContainerCluster | cluster-name | project-id-tier3 |
| gkehub-featuremembership-acm.yaml | gkehub.cnrm.cloud.google.com/v1beta1 | GKEHubFeatureMembership | cluster-name-acm-hubfeaturemembership | project-id-tier3 |
| gkehub-membership.yaml | gkehub.cnrm.cloud.google.com/v1beta1 | GKEHubMembership | cluster-name | project-id-tier3 |
| host-project/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | project-id-cluster-name-lb-health-check | |
| host-project/subnet.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeSubnetwork | project-id-cluster-name-snet | |
| kms.yaml | kms.cnrm.cloud.google.com/v1beta1 | KMSKeyRing | cluster-name-kmskeyring | project-id-tier3 |
| kms.yaml | kms.cnrm.cloud.google.com/v1beta1 | KMSCryptoKey | cluster-name-etcd-key | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMServiceAccount | cluster-name-sa | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-logwriter-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-metricwriter-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-monitoring-viewer-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-storage-object-viewer-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-stackdriver-metadata-writer-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-artifactregistry-reader-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-secretmanager-secretaccessor-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-serviceaccount-user-cluster-name-sa-permissions | project-id-tier3 |
| File | APIVersion | Kind | Name | Namespace |
|-----------------------------------------------|-----------------------------------------|---------------------------|---------------------------------------------------------------------|------------------|
| app-infra-classification-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-azdo | project-id-tier3 |
| app-infra-classification-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-github | project-id-tier3 |
| app-infra-classification-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-docker | project-id-tier3 |
| gke.yaml | container.cnrm.cloud.google.com/v1beta1 | ContainerCluster | cluster-name | project-id-tier3 |
| gkehub-featuremembership-acm.yaml | gkehub.cnrm.cloud.google.com/v1beta1 | GKEHubFeatureMembership | cluster-name-acm-hubfeaturemembership | project-id-tier3 |
| gkehub-membership.yaml | gkehub.cnrm.cloud.google.com/v1beta1 | GKEHubMembership | cluster-name | project-id-tier3 |
| host-project/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | project-id-cluster-name-lb-health-check | |
| host-project/subnet.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeSubnetwork | project-id-cluster-name-snet | |
| kms.yaml | kms.cnrm.cloud.google.com/v1beta1 | KMSKeyRing | cluster-name-kmskeyring | project-id-tier3 |
| kms.yaml | kms.cnrm.cloud.google.com/v1beta1 | KMSCryptoKey | cluster-name-etcd-key | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMServiceAccount | cluster-name-sa | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-logwriter-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-metricwriter-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-monitoring-viewer-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-storage-object-viewer-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-stackdriver-metadata-writer-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-artifactregistry-reader-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-secretmanager-secretaccessor-permissions | project-id-tier3 |
| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-serviceaccount-user-cluster-name-sa-permissions | project-id-tier3 |

## Resource References

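Review bot: only the File column changes in this table (`application-infrastructure-folder/` becomes `app-infra-classification-folder/`), while the three `ComputeFirewallPolicyRule` names and their `project-id-tier3` namespace stay the same; a reader of the table alone cannot see that these rules now attach to the per-classification firewall policy instead of the former `standard-applications-infrastructure` one, so a short note above the table saying which policy the rules land in, and that `classification` selects it, would make the move visible where operators look for it.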
@@ -31,7 +31,7 @@ spec:
# AU-12
enableLogging: true
firewallPolicyRef:
name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol
name: client-name-network-connectivity-profile-app-infra-classification-fwpol # kpt-set: ${client-name}-${network-connectivity-profile}-app-infra-${classification}-fwpol
namespace: client-name-networking # kpt-set: ${client-name}-networking
match:
srcIPRanges: # kpt-set: ${primaryIpv4Range}
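Review bot: `firewallPolicyRef.name` now composes two setters in one `kpt-set` comment; a wrong `classification` or `network-connectivity-profile` value renders a policy name that does not exist in `client-name-networking`, so the rule fails to reconcile rather than attaching to an unintended policy, which is the safe direction. Because the hunk drops the fixed `standard-applications-infrastructure` policy name, the commit body should state that this egress rule moves out of that policy on upgrade and that the `...-app-infra-<classification>-fwpol` policy must already exist, otherwise the egress this rule allows stays blocked until it does.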
@@ -63,7 +63,7 @@ spec:
# AU-12
enableLogging: true
firewallPolicyRef:
name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol
name: client-name-network-connectivity-profile-app-infra-classification-fwpol # kpt-set: ${client-name}-${network-connectivity-profile}-app-infra-${classification}-fwpol
namespace: client-name-networking # kpt-set: ${client-name}-networking
match:
srcIPRanges: # kpt-set: ${primaryIpv4Range}
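Review bot: second of three identical `firewallPolicyRef` replacements in this file; the target policy is now keyed by classification and connectivity profile rather than by this package, so it appears to be shared by other packages of the same classification in the client, and the priorities this package sets for its egress rules (the README lists 2000, 2001 and 2002) can then collide with rules another cluster adds to the same policy. Recommend documenting a reserved priority range per package, or deriving the priority from a per-cluster offset setter.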
@@ -95,7 +95,7 @@ spec:
# AU-12
enableLogging: true
firewallPolicyRef:
name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol
name: client-name-network-connectivity-profile-app-infra-classification-fwpol # kpt-set: ${client-name}-${network-connectivity-profile}-app-infra-${classification}-fwpol
namespace: client-name-networking # kpt-set: ${client-name}-networking
match:
srcIPRanges: # kpt-set: ${primaryIpv4Range}
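Review bot: third verbatim copy of the same replacement; with the reference repeated in three rules, drift between them would go unnoticed, so a render check (after `kpt fn render`, assert that all three `firewallPolicyRef.name` values are equal and that `enableLogging: true` under `# AU-12` survives on each rule) is worth adding to the package's test step.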
@@ -75,7 +75,7 @@ spec:
enableComponents:
- "SYSTEM_COMPONENTS"
networkRef:
name: host-project-vpc # kpt-set: ${host-project-vpc}
name: host-project-id-global-network-connectivity-profile-vpc # kpt-set: ${host-project-id}-global-${network-connectivity-profile}-vpc
namespace: client-name-networking # kpt-set: ${client-name}-networking
networkingMode: VPC_NATIVE
nodePoolAutoConfig:
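Review bot: `networkRef.name` now renders from `${host-project-id}` and `${network-connectivity-profile}` instead of the free-form `${host-project-vpc}`; the old setter carried the requirement that its value match the ComputeNetwork's `metadata.name` created by client-landing-zone, and that contract should move into a comment here or in setters.yaml so the `<host-project-id>-global-<profile>-vpc` convention is explicitly tied to what the landing-zone package creates. The cluster stays `VPC_NATIVE` on that network, so a mismatch surfaces as a reconcile failure of the ContainerCluster rather than as a cluster on the wrong VPC.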
@@ -25,7 +25,7 @@ spec:
allow:
- protocol: tcp
networkRef:
name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
name: host-project-id-global-network-connectivity-profile-vpc # kpt-set: ${host-project-id}-global-${network-connectivity-profile}-vpc
namespace: client-name-networking # kpt-set: ${client-name}-networking
sourceRanges:
- "35.191.0.0/16"
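Review bot: this hunk removes an inconsistency rather than only renaming: before the change this health-check allow rule hardcoded `-global-standard-vpc` while gke.yaml took `${host-project-vpc}` verbatim, so any host-project-vpc value other than `<host-project-id>-global-standard-vpc` left the cluster and its LB health-check rule (tcp from 35.191.0.0/16) on different networks. Worth naming this in the commit body, since it is the concrete reason the old setter had to go.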
@@ -45,7 +45,7 @@ spec:
description: GKE Subnet
privateIpGoogleAccess: true
networkRef:
name: host-project-vpc # kpt-set: ${host-project-vpc}
name: host-project-id-global-network-connectivity-profile-vpc # kpt-set: ${host-project-id}-global-${network-connectivity-profile}-vpc
namespace: client-name-networking # kpt-set: ${client-name}-networking
# AU-12
logConfig:
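Review bot: same derivation as in gke.yaml and host-project/firewall.yaml, so the subnet, the cluster and the health-check rule now agree on the network by construction, and the subnet keeps `privateIpGoogleAccess: true` and its AU-12 `logConfig`. Since the three files must stay in step, state once in setters.yaml that the host VPC is always `${host-project-id}-global-${network-connectivity-profile}-vpc` and have the package test assert the three rendered `networkRef.name` values are identical.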
@@ -52,10 +52,10 @@
|AC-4|./gke.yaml|cluster-name|
|AC-4|./host-project/subnet.yaml|project-id-cluster-name-snet|
|AC-4(21)|./host-project/subnet.yaml|project-id-cluster-name-snet|
|AU-12|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
|AU-12|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
|AU-12|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-docker|
|AU-12|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-github|
|AU-12|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
|AU-12|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
|AU-12|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-docker|
|AU-12|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-github|
|AU-12|./gke.yaml|cluster-name|
|AU-12|./gke.yaml|cluster-name|
|AU-12|./host-project/firewall.yaml|project-id-cluster-name-lb-health-check|
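Review bot: the path update matches the README, but the generated list carries `project-id-cluster-name-egress-allow-azdo` twice under AU-12 while `-docker` and `-github` appear once; that points to a duplicated `# AU-12` annotation on the azdo rule in firewall.yaml (or a generator double-count) and should be checked before this list is used as control evidence.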
@@ -75,9 +75,9 @@
|SC-28(1)|./gke.yaml|cluster-name|
|SC-7|./gke.yaml|cluster-name|
|SC-7|./gke.yaml|cluster-name|
|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-docker|
|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-github|
|SC-7(9)|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
|SC-7(9)|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
|SC-7(9)|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-docker|
|SC-7(9)|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-github|

<!-- END OF SECURITY CONTROLS LIST -->
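Review bot: the same duplicate azdo row appears under SC-7(9); the duplicate inflates the evidence count for the control these three egress rules are meant to demonstrate, so the fix belongs in the rule's annotations rather than in this generated list.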
20 changes: 14 additions & 6 deletions solutions/gke/configconnector/gke-cluster-autopilot/setters.yaml
@@ -38,10 +38,18 @@ data:
##########################
#
# The project id that was created by the client-project-setup.
# This id will also becomes the Anthos Fleet id
# The GKE cluster will be deployed in this project and the project id will also become the Anthos Fleet id
# customization: required
project-id: project-12345
#
# the classification of the project, accepted values are: 'pbmm' OR 'nonp' (unclassified)
# customization: required
classification: nonp
#
# the network connectivity profile of the project, accepted values are: 'standard' OR 'sc2g' (future releases)
# customization: optional
network-connectivity-profile: standard
#
##########################
# Network Host Project
##########################
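Review bot: `classification` is `customization: required` and now forms part of the rendered firewall policy name, but its accepted values ('pbmm', 'nonp') exist only in this comment; kpt apply-setters does not check them, so a typo renders a policy reference that no policy satisfies. Consider a validation function in the Kptfile pipeline that rejects values outside the two. The `network-connectivity-profile` comment also lists 'sc2g' as accepted while calling it a future release, so a user selecting it today renders a VPC name that does not exist yet; either drop it from the accepted list until it ships or say so explicitly.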
@@ -50,11 +58,6 @@ data:
# customization: required
host-project-id: host-project-12345
#
# VPC to deploy the subnet, the value must match the kubernetes resources 'metadata.name'
# created in client-landing-zone package deployment
# customization: required
host-project-vpc: host-project-vpc
#
##########################
# GKE
##########################
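Review bot: dropping `host-project-vpc` is the breaking change; an existing consumer's setters file that still carries it will no longer affect any resource, and the VPC name is instead derived from `host-project-id` and `network-connectivity-profile`. The removed comment ("the value must match the kubernetes resources 'metadata.name' created in client-landing-zone package deployment") is the only place that naming contract was written down, so carry it over, reworded for the derived name, onto `host-project-id` or the profile setter.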
@@ -124,6 +127,11 @@ data:
networktags-enabled: false
networktags:
- ids
#
# The group to enable Google groups for GKE RBAC as described in the link below.
# The 'gke-security-groups@' must NOT be edited, only the domain. The group needs to be created manually.
# https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac
# customization: required
security-group: gke-security-groups@<yourdomain.com>
#
##########################
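Review bot: the new comment for `security-group` is useful, but it marks the setter required while the placeholder `gke-security-groups@<yourdomain.com>` remains the default; `customization: required` is not enforced by kpt, so a package rendered without editing it carries an unusable group address into the cluster's Google Groups RBAC configuration. A render-time check that rejects a value still containing `<` would catch this before apply.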