From 2b5ff79deaf29af5c7caf544624bfad607991cda Mon Sep 17 00:00:00 2001
From: alaincormier-ssc <94859304+alaincormier-ssc@users.noreply.github.com>
Date: Wed, 13 Mar 2024 12:38:57 -0300
Subject: [PATCH] feat: distinct VPC host prep gke-cluster-autopilot BREAKING CHANGE (#893)

---
 .../gke-cluster-autopilot/README.md | 47 ++++++++++---------
 .../firewall.yaml | 6 +--
 .../gke-cluster-autopilot/gke.yaml | 2 +-
 .../host-project/firewall.yaml | 2 +-
 .../host-project/subnet.yaml | 2 +-
 .../gke-cluster-autopilot/securitycontrols.md | 16 +++---
 .../gke-cluster-autopilot/setters.yaml | 20 +++++--
 7 files changed, 52 insertions(+), 43 deletions(-)
 rename solutions/gke/configconnector/gke-cluster-autopilot/{application-infrastructure-folder => app-infra-classification-folder}/firewall.yaml (88%)

diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/README.md b/solutions/gke/configconnector/gke-cluster-autopilot/README.md
index 93f133bb9..114394376 100755
--- a/solutions/gke/configconnector/gke-cluster-autopilot/README.md
+++ b/solutions/gke/configconnector/gke-cluster-autopilot/README.md
@@ -61,17 +61,18 @@ To fix this, you update the `root-sync` resource to include the override section
 
 | Name | Value | Type | Count |
 |---------------------------------|------------------------------------------------------|-------|-------|
+| classification | nonp | str | 3 |
 | client-name | client1 | str | 18 |
 | cluster-name | autopilot1-gke | str | 36 |
 | gke-to-azdo-priority | 2000 | int | 1 |
 | gke-to-docker-priority | 2002 | int | 1 |
 | gke-to-github-priority | 2001 | int | 1 |
-| host-project-id | host-project-12345 | str | 6 |
-| host-project-vpc | host-project-vpc | str | 2 |
+| host-project-id | host-project-12345 | str | 8 |
 | location | northamerica-northeast1 | str | 5 |
 | master-authorized-networks-cidr | [cidrBlock: 10.1.1.5/32displayName: gke-admin-proxy] | array | 1 |
 | masterIpv4CidrBlock | 192.168.0.0/28 | str | 1 |
 | masterIpv4Range | ["192.168.0.0/28"] | array | 0 |
+| network-connectivity-profile | standard | str | 6 |
 | networktags | | str | 0 |
 | networktags-enabled | false | str | 0 |
 | podIpv4Range | ["172.16.0.0/23"] | array | 1 |
@@ -91,27 +92,27 @@ This package has no sub-packages.
 
 ## Resources
 
-| File | APIVersion | Kind | Name | Namespace |
-|-------------------------------------------------|-----------------------------------------|---------------------------|---------------------------------------------------------------------|------------------|
-| application-infrastructure-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-azdo | project-id-tier3 |
-| application-infrastructure-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-github | project-id-tier3 |
-| application-infrastructure-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-docker | project-id-tier3 |
-| gke.yaml | container.cnrm.cloud.google.com/v1beta1 | ContainerCluster | cluster-name | project-id-tier3 |
-| gkehub-featuremembership-acm.yaml | gkehub.cnrm.cloud.google.com/v1beta1 | GKEHubFeatureMembership | cluster-name-acm-hubfeaturemembership | project-id-tier3 |
-| gkehub-membership.yaml | gkehub.cnrm.cloud.google.com/v1beta1 | GKEHubMembership | cluster-name | project-id-tier3 |
-| host-project/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | project-id-cluster-name-lb-health-check | |
-| host-project/subnet.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeSubnetwork | project-id-cluster-name-snet | |
-| kms.yaml | kms.cnrm.cloud.google.com/v1beta1 | KMSKeyRing | cluster-name-kmskeyring | project-id-tier3 |
-| kms.yaml | kms.cnrm.cloud.google.com/v1beta1 | KMSCryptoKey | cluster-name-etcd-key | project-id-tier3 |
-| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMServiceAccount | cluster-name-sa | project-id-tier3 |
-| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-logwriter-permissions | project-id-tier3 |
-| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-metricwriter-permissions | project-id-tier3 |
-| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-monitoring-viewer-permissions | project-id-tier3 |
-| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-storage-object-viewer-permissions | project-id-tier3 |
-| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-stackdriver-metadata-writer-permissions | project-id-tier3 |
-| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-artifactregistry-reader-permissions | project-id-tier3 |
-| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-secretmanager-secretaccessor-permissions | project-id-tier3 |
-| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-serviceaccount-user-cluster-name-sa-permissions | project-id-tier3 |
+| File | APIVersion | Kind | Name | Namespace |
+|-----------------------------------------------|-----------------------------------------|---------------------------|---------------------------------------------------------------------|------------------|
+| app-infra-classification-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-azdo | project-id-tier3 |
+| app-infra-classification-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-github | project-id-tier3 |
+| app-infra-classification-folder/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewallPolicyRule | project-id-cluster-name-egress-allow-docker | project-id-tier3 |
+| gke.yaml | container.cnrm.cloud.google.com/v1beta1 | ContainerCluster | cluster-name | project-id-tier3 |
+| gkehub-featuremembership-acm.yaml | gkehub.cnrm.cloud.google.com/v1beta1 | GKEHubFeatureMembership | cluster-name-acm-hubfeaturemembership | project-id-tier3 |
+| gkehub-membership.yaml | gkehub.cnrm.cloud.google.com/v1beta1 | GKEHubMembership | cluster-name | project-id-tier3 |
+| host-project/firewall.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeFirewall | project-id-cluster-name-lb-health-check | |
+| host-project/subnet.yaml | compute.cnrm.cloud.google.com/v1beta1 | ComputeSubnetwork | project-id-cluster-name-snet | |
+| kms.yaml | kms.cnrm.cloud.google.com/v1beta1 | KMSKeyRing | cluster-name-kmskeyring | project-id-tier3 |
+| kms.yaml | kms.cnrm.cloud.google.com/v1beta1 | KMSCryptoKey | cluster-name-etcd-key | project-id-tier3 |
+| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMServiceAccount | cluster-name-sa | project-id-tier3 |
+| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-logwriter-permissions | project-id-tier3 |
+| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-metricwriter-permissions | project-id-tier3 |
+| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-monitoring-viewer-permissions | project-id-tier3 |
+| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-storage-object-viewer-permissions | project-id-tier3 |
+| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-stackdriver-metadata-writer-permissions | project-id-tier3 |
+| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-artifactregistry-reader-permissions | project-id-tier3 |
+| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | cluster-name-sa-secretmanager-secretaccessor-permissions | project-id-tier3 |
+| service-account.yaml | iam.cnrm.cloud.google.com/v1beta1 | IAMPolicyMember | project-id-tier3-sa-serviceaccount-user-cluster-name-sa-permissions | project-id-tier3 |
 
 ## Resource References
 
diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/application-infrastructure-folder/firewall.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/app-infra-classification-folder/firewall.yaml
similarity index 88%
rename from solutions/gke/configconnector/gke-cluster-autopilot/application-infrastructure-folder/firewall.yaml
rename to solutions/gke/configconnector/gke-cluster-autopilot/app-infra-classification-folder/firewall.yaml
index 5c250cbd8..0673df6f7 100644
--- a/solutions/gke/configconnector/gke-cluster-autopilot/application-infrastructure-folder/firewall.yaml
+++ b/solutions/gke/configconnector/gke-cluster-autopilot/app-infra-classification-folder/firewall.yaml
@@ -31,7 +31,7 @@ spec:
 # AU-12
 enableLogging: true
 firewallPolicyRef:
- name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol
+ name: client-name-network-connectivity-profile-app-infra-classification-fwpol # kpt-set: ${client-name}-${network-connectivity-profile}-app-infra-${classification}-fwpol
 namespace: client-name-networking # kpt-set: ${client-name}-networking
 match:
 srcIPRanges: # kpt-set: ${primaryIpv4Range}
@@ -63,7 +63,7 @@ spec:
 # AU-12
 enableLogging: true
 firewallPolicyRef:
- name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol
+ name: client-name-network-connectivity-profile-app-infra-classification-fwpol # kpt-set: ${client-name}-${network-connectivity-profile}-app-infra-${classification}-fwpol
 namespace: client-name-networking # kpt-set: ${client-name}-networking
 match:
 srcIPRanges: # kpt-set: ${primaryIpv4Range}
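Review bot: The `firewallPolicyRef.name` is now composed from `${network-connectivity-profile}` and `${classification}`, but nothing in the package checks either value against the short lists the setters comment gives, so a stray value such as `nonP` or the not-yet-provisioned `sc2g` leaves each egress rule pointing at a ComputeFirewallPolicy that does not exist, and the rule (together with its AU-12 logging) is never created — visible only as a Config Connector reconcile error, not at render time. Since these are allow rules the failure is restrictive rather than permissive, but an operator debugging blocked egress to Azure DevOps, GitHub or Docker will not find the cause in this file. Suggest a comment line above `name:` (not appended to the `# kpt-set:` marker, which kpt reads as the setter pattern), e.g. `# must resolve to the ComputeFirewallPolicy metadata.name provisioned in ${client-name}-networking for this connectivity profile and classification`, and a kpt validator on the two setter values if the package pipeline already runs one. The rule's `match` block continues outside the hunk.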
@@ -95,7 +95,7 @@ spec:
 # AU-12
 enableLogging: true
 firewallPolicyRef:
- name: client-name-standard-applications-infrastructure-fwpol # kpt-set: ${client-name}-standard-applications-infrastructure-fwpol
+ name: client-name-network-connectivity-profile-app-infra-classification-fwpol # kpt-set: ${client-name}-${network-connectivity-profile}-app-infra-${classification}-fwpol
 namespace: client-name-networking # kpt-set: ${client-name}-networking
 match:
 srcIPRanges: # kpt-set: ${primaryIpv4Range}
diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/gke.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/gke.yaml
index 036c4b066..6fec1b15a 100644
--- a/solutions/gke/configconnector/gke-cluster-autopilot/gke.yaml
+++ b/solutions/gke/configconnector/gke-cluster-autopilot/gke.yaml
@@ -75,7 +75,7 @@ spec:
 enableComponents:
 - "SYSTEM_COMPONENTS"
 networkRef:
- name: host-project-vpc # kpt-set: ${host-project-vpc}
+ name: host-project-id-global-network-connectivity-profile-vpc # kpt-set: ${host-project-id}-global-${network-connectivity-profile}-vpc
 namespace: client-name-networking # kpt-set: ${client-name}-networking
 networkingMode: VPC_NATIVE
 nodePoolAutoConfig:
diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/host-project/firewall.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/host-project/firewall.yaml
index 188c77abf..a77fd0268 100644
--- a/solutions/gke/configconnector/gke-cluster-autopilot/host-project/firewall.yaml
+++ b/solutions/gke/configconnector/gke-cluster-autopilot/host-project/firewall.yaml
@@ -25,7 +25,7 @@ spec:
 allow:
 - protocol: tcp
 networkRef:
- name: host-project-id-global-standard-vpc # kpt-set: ${host-project-id}-global-standard-vpc
+ name: host-project-id-global-network-connectivity-profile-vpc # kpt-set: ${host-project-id}-global-${network-connectivity-profile}-vpc
 namespace: client-name-networking # kpt-set: ${client-name}-networking
 sourceRanges:
 - "35.191.0.0/16"
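Review bot: `networkRef.name` now bakes the landing zone's VPC naming convention (`<host-project-id>-global-<profile>-vpc`) into this package in place of the explicit `host-project-vpc` setter the commit removes, and the removed setter's comment — that the value must match the `metadata.name` created by the client-landing-zone package — was the only place that coupling was written down. gke.yaml, `host-project/subnet.yaml` and `host-project/firewall.yaml` each compose the same name independently, so an upstream convention change, or a client selecting the `sc2g` profile that setters.yaml itself marks as future, breaks all three resolutions with no single setter to correct. Suggest carrying the constraint over as a comment line above `name:` — `# derived; must equal the ComputeNetwork metadata.name the client-landing-zone package creates in ${client-name}-networking` — and stating in the BREAKING CHANGE text that existing `host-project-vpc` overrides in root-sync or setter files must be removed rather than left to be silently ignored. The ContainerCluster spec continues outside the hunk.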
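Review bot: The `lb-health-check` rule allows `protocol: tcp` with no `ports:` list, so `35.191.0.0/16` (and whatever else `sourceRanges`, `targetTags` or `targetServiceAccounts` hold outside the hunk) reaches every TCP port in the profile-derived host VPC — and, if no target is set, every instance in it. Google health checkers only need the backend's configured health-check port(s), so adding `ports:` under `- protocol: tcp` fed by a setter (e.g. a `lb-health-check-ports` list) and scoping the rule with `targetTags` or `targetServiceAccounts`, if it is not already, keeps this shared-VPC host rule as narrow as the workloads require. Not introduced by this commit, but the rule is being re-targeted here, which is the natural point to tighten it. The ComputeFirewall spec continues outside the hunk.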
diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/host-project/subnet.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/host-project/subnet.yaml
index 305243f5b..543d65d23 100644
--- a/solutions/gke/configconnector/gke-cluster-autopilot/host-project/subnet.yaml
+++ b/solutions/gke/configconnector/gke-cluster-autopilot/host-project/subnet.yaml
@@ -45,7 +45,7 @@ spec:
 description: GKE Subnet
 privateIpGoogleAccess: true
 networkRef:
- name: host-project-vpc # kpt-set: ${host-project-vpc}
+ name: host-project-id-global-network-connectivity-profile-vpc # kpt-set: ${host-project-id}-global-${network-connectivity-profile}-vpc
 namespace: client-name-networking # kpt-set: ${client-name}-networking
 # AU-12
 logConfig:
diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/securitycontrols.md b/solutions/gke/configconnector/gke-cluster-autopilot/securitycontrols.md
index 3afcb7933..246d41ef9 100644
--- a/solutions/gke/configconnector/gke-cluster-autopilot/securitycontrols.md
+++ b/solutions/gke/configconnector/gke-cluster-autopilot/securitycontrols.md
@@ -52,10 +52,10 @@
 |AC-4|./gke.yaml|cluster-name|
 |AC-4|./host-project/subnet.yaml|project-id-cluster-name-snet|
 |AC-4(21)|./host-project/subnet.yaml|project-id-cluster-name-snet|
-|AU-12|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
-|AU-12|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
-|AU-12|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-docker|
-|AU-12|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-github|
+|AU-12|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
+|AU-12|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
+|AU-12|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-docker|
+|AU-12|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-github|
 |AU-12|./gke.yaml|cluster-name|
 |AU-12|./gke.yaml|cluster-name|
 |AU-12|./host-project/firewall.yaml|project-id-cluster-name-lb-health-check|
@@ -75,9 +75,9 @@
 |SC-28(1)|./gke.yaml|cluster-name|
 |SC-7|./gke.yaml|cluster-name|
 |SC-7|./gke.yaml|cluster-name|
-|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
-|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
-|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-docker|
-|SC-7(9)|./application-infrastructure-folder/firewall.yaml|project-id-cluster-name-egress-allow-github|
+|SC-7(9)|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
+|SC-7(9)|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-azdo|
+|SC-7(9)|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-docker|
+|SC-7(9)|./app-infra-classification-folder/firewall.yaml|project-id-cluster-name-egress-allow-github|
diff --git a/solutions/gke/configconnector/gke-cluster-autopilot/setters.yaml b/solutions/gke/configconnector/gke-cluster-autopilot/setters.yaml
index 8eaba4adb..b972fa1e1 100644
--- a/solutions/gke/configconnector/gke-cluster-autopilot/setters.yaml
+++ b/solutions/gke/configconnector/gke-cluster-autopilot/setters.yaml
@@ -38,10 +38,18 @@ data:
 ##########################
 #
 # The project id that was created by the client-project-setup.
- # This id will also becomes the Anthos Fleet id
+ # The GKE cluster will be deployed in this project and the project id will also become the Anthos Fleet id
 # customization: required
 project-id: project-12345
 #
+ # the classification of the project, accepted values are: 'pbmm' OR 'nonp' (unclassified)
+ # customization: required
+ classification: nonp
+ #
+ # the network connectivity profile of the project, accepted values are: 'standard' OR 'sc2g' (future releases)
+ # customization: optional
+ network-connectivity-profile: standard
+ #
 ##########################
 # Network Host Project
 ##########################
@@ -50,11 +58,6 @@ data:
 # customization: required
 host-project-id: host-project-12345
 #
- # VPC to deploy the subnet, the value must match the kubernetes resources 'metadata.name'
- # created in client-landing-zone package deployment
- # customization: required
- host-project-vpc: host-project-vpc
- #
 ##########################
 # GKE
 ##########################
@@ -124,6 +127,11 @@ data:
 networktags-enabled: false
 networktags:
 - ids
+ #
+ # The group to enable Google groups for GKE RBAC as described in the link below.
+ # The 'gke-security-groups@' must NOT be edited, only the domain. The group needs to be created manually.
+ # https://cloud.google.com/kubernetes-engine/docs/how-to/google-groups-rbac
+ # customization: required
 security-group: gke-security-groups@
 #
 ##########################
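Review bot: `network-connectivity-profile` is marked `customization: optional` and lists `sc2g` as an accepted value, yet this same commit makes the value part of every `networkRef` and `firewallPolicyRef` name in the package while labelling `sc2g` '(future releases)', so a client who follows the comment and selects it gets a cluster, subnet and firewall rules that all reference a VPC and policy that do not yet exist. `classification` has the same shape: its only consumer in this diff is the firewall-policy name, so it selects which folder-level firewall policy the egress rules bind to rather than changing any control on the cluster itself, which is worth stating because `pbmm` vs `nonp` reads as a posture switch. Both values are also spliced into Kubernetes resource names, so they must stay lowercase alphanumerics and hyphens. Proposed replacements for the two description lines: `# selects the firewall policy the egress rules bind to (lowercase; must match the policy name provisioned by the landing zone): 'pbmm' OR 'nonp' (unclassified)` and `# part of the VPC and firewall-policy names; leave as 'standard' until an sc2g VPC exists in the host project: 'standard' OR 'sc2g'`. The `data:` map continues outside the hunk.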