A customized version based on https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master/modules/beta-private-cluster
- Outbound internet access flag (`outbound_access = true`)
- Automatically adds your public IP to the authorized master networks
- Security Groups RBAC on by default (the group must be passed to `authenticator_security_group`, and the format is `gke-security-groups@YOUR_DOMAIN`. More information here)
- Pod Security Policy via the `enable_pod_security_policy` variable (defaults to `false`). Please check the deprecation notes here. If you want to enable it, have a look and tweak the `psp.tf` file to your needs.
- If `ingress_nginx_enabled` is set to `true`, a firewall rule is automatically created to facilitate the ingress-nginx deployment (and `http_load_balancer` is set to `false`).
It takes all the inputs from the GKE Beta Private Cluster module mentioned above. Please refer to that page for detailed information. This module uses version 15.0.0 of the aforementioned module.
The following inputs are mandatory and need to be specified:
- `project_id`
- `region`
- `zones`
- `name`
- `authenticator_security_group`

The module exposes the following outputs:
- `endpoint` (sensitive)
- `get_credentials`
The following example will create a GKE zonal cluster with an initial node count of 3. Nodes will not have public IP addresses but will still be able to reach the internet via outbound connections. Finally, access to Google Registry is granted in order to pull images during a k8s deployment.
```hcl
module "priv_gke" {
  source     = "github.com/davinerd/tf_hardened_gke"
  project_id = "test-new-project-301409"
  region     = "europe-west1"
  zones      = ["europe-west1-c"]
  regional   = false
  name       = "test-terraform"

  # To disable Groups RBAC just type authenticator_security_group = null (unquoted).
  # Create the Group before running this module.
  authenticator_security_group = "gke-security-groups@YOUR_DOMAIN"

  # The cluster is private by default, which means nodes will not have public IPs.
  # Bear in mind that the cluster can still be accessed via the authorized_master_networks.
  # To make your cluster completely private, set enable_private_endpoint = true.
  # To create a public cluster instead, uncomment the following variable.
  # private = false

  # Nodes will have outbound internet access.
  outbound_access = true

  # Granting access to Google Registry.
  grant_registry_access = true
}
```
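A second configuration, added here as an example and not taken from the module's README, shows the fully private variant: the control plane's public endpoint is disabled, so the automatic public-IP authorization described above no longer applies and access has to come from inside the VPC. It assumes the upstream inputs `enable_private_endpoint` and `master_authorized_networks` (passed through, as noted above) and uses placeholder project and CIDR values.

```hcl
# Added example (not from the module's README): a fully private variant of the
# cluster above. enable_private_endpoint and master_authorized_networks are
# upstream GKE Beta Private Cluster inputs that this module passes through;
# the project id and CIDR below are placeholders.
module "priv_gke_locked_down" {
  source = "github.com/davinerd/tf_hardened_gke"

  project_id = "PLACEHOLDER_PROJECT_ID"
  region     = "europe-west1"
  zones      = ["europe-west1-c"]
  regional   = false
  name       = "locked-down-cluster"

  authenticator_security_group = "gke-security-groups@YOUR_DOMAIN"

  # No public control-plane endpoint at all. The module's automatic
  # "add my public IP to the authorized networks" behaviour cannot help here:
  # with a private endpoint GKE accepts only RFC 1918 ranges, so plan an
  # in-VPC path (VPN, Interconnect or a bastion host) before applying.
  enable_private_endpoint = true
  master_authorized_networks = [
    {
      cidr_block   = "10.10.0.0/24" # placeholder: your VPN/bastion subnet
      display_name = "corp-vpn"
    },
  ]

  # Nodes still need egress for image pulls and updates.
  outbound_access       = true
  grant_registry_access = true

  # Opt into the ingress-nginx firewall rule; as documented above this also
  # sets http_load_balancer = false, so the GCE ingress controller is off.
  ingress_nginx_enabled = true

  # PSP is deprecated upstream; leave it off unless psp.tf has been reviewed.
  enable_pod_security_policy = false
}
```

Run `terraform plan` and confirm the planned `master_authorized_networks_config` contains only private ranges before applying.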