# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######### # GKE Autopilot Cluster apiVersion: container.cnrm.cloud.google.com/v1beta1 kind: ContainerCluster metadata: name: cluster-name # kpt-set: ${cluster-name} namespace: config-control # kpt-set: ${project-namespace} annotations: cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id} spec: addonsConfig: configConnectorConfig: enabled: false dnsCacheConfig: enabled: true description: cluster-description # kpt-set: ${cluster-description} enableAutopilot: true binaryAuthorization: evaluationMode: PROJECT_SINGLETON_POLICY_ENFORCE enableIntranodeVisibility: true enableShieldedNodes: true initialNodeCount: 1 ipAllocationPolicy: clusterSecondaryRangeName: podrange servicesSecondaryRangeName: servicesrange location: northamerica-northeast1 # kpt-set: ${region} maintenancePolicy: dailyMaintenanceWindow: startTime: 01:00 masterAuthorizedNetworksConfig: cidrBlocks: # kpt-set: ${auth-network} - cidrBlock: 0.0.0.0/0 displayName: private-net networkRef: external: compute.cnrm.cloud.google.com/projects/scemu-sp-kcc-exp/global/networks/global-vpc1-vpc # kpt-set: compute.cnrm.cloud.google.com/projects/${project-id}/global/networks/global-vpc1-vpc networkingMode: VPC_NATIVE podSecurityPolicyConfig: enabled: false privateClusterConfig: enablePrivateEndpoint: false enablePrivateNodes: true masterGlobalAccessConfig: enabled: false # External IP addess will be auto-created and assigned as the public endpoint publicEndpoint: "" masterIpv4CidrBlock: 172.16.0.32/28 subnetworkRef: external: subnetwork-name # kpt-set: compute.cnrm.cloud.google.com/projects/${project-id}/regions/${region}/subnetworks/${subnetwork-name} verticalPodAutoscaling: enabled: true workloadIdentityConfig: # Workload Identity supports only a single namespace based on your project name. # Replace ${PROJECT_ID?} below with your project ID. identityNamespace: ${project-id}.svc.id.goog # kpt-set: ${project-id}.svc.id.goog nodeConfig: shieldedInstanceConfig: enableIntegrityMonitoring: true enableSecureBoot: true # Autopilot node configuration # Allow for egress internet traffic nodePoolAutoConfig: networkTags: tags: - internet-egress-route