# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
######
# GKE Autopilot Cluster
# AC-4, SC-7 - Authorized IP ranges are defined on Kubernetes services
# SC-12(2) - GCP key management is used to generate a symmetric key. This symmetric key is used to encrypt the etcd database of the managed Kubernetes control plane.
# SC-28, SC-28(1) - Protection of ETCD database at rest
# AU-12 - Enable Logging for GKE
# https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc
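apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerCluster
metadata:
  name: cluster-name  # kpt-set: ${cluster-name}
  namespace: project-id-tier3  # kpt-set: ${project-id}-tier3
  annotations:
    cnrm.cloud.google.com/project-id: project-id  # kpt-set: ${project-id}
    cnrm.cloud.google.com/state-into-spec: absent
spec:
  addonsConfig:
    configConnectorConfig:
      enabled: false
  clusterAutoscaling:
    enabled: true
    autoProvisioningDefaults:
      serviceAccountRef:
        name: cluster-name-sa  # kpt-set: ${cluster-name}-sa
  # SC-12(2), SC-28, SC-28(1)
  databaseEncryption:
    keyName: projects/project-id/locations/northamerica-northeast1/keyRings/cluster-name-kmskeyring/cryptoKeys/cluster-name-etcd-key  # kpt-set: projects/${project-id}/locations/${location}/keyRings/${cluster-name}-kmskeyring/cryptoKeys/${cluster-name}-etcd-key
    state: ENCRYPTED
  # defaultMaxPodsPerNode is not working with GKE autopilot.
  # defaultMaxPodsPerNode: 16
  defaultSnatStatus:
    disabled: true
  description: GKE Autopilot Cluster
  enableAutopilot: true
  # binaryAuthorization:
  #   evaluationMode: PROJECT_SINGLETON_POLICY_ENFORCE
  # With IntranodeVisibility, pod-to-pod traffic is sent to the VPC. Autopilot clusters must have intranode visibility enabled
  enableIntranodeVisibility: true
  gatewayApiConfig:
    channel: CHANNEL_STANDARD
  initialNodeCount: 1
  ipAllocationPolicy:
    clusterSecondaryRangeName: podrange
    servicesSecondaryRangeName: servicesrange
  location: northamerica-northeast1  # kpt-set: ${location}
  # AU-12
  loggingConfig:
    enableComponents:
      - "SYSTEM_COMPONENTS"
      - "WORKLOADS"
  maintenancePolicy:
    # GMT timezone
    dailyMaintenanceWindow:
      # HH:MM values are quoted: unquoted `05:00` is read as the sexagesimal
      # integer 300 by YAML 1.1 parsers, which would send a number instead of
      # the expected time string.
      startTime: "05:00"
      duration: "04:00"
  # AC-4, SC-7
  masterAuthorizedNetworksConfig:
    cidrBlocks:  # kpt-set: ${master-authorized-networks-cidr}
      - cidrBlock: 10.1.1.5/32
        displayName: bastion
  monitoringConfig:
    enableComponents:
      - "SYSTEM_COMPONENTS"
  networkRef:
    name: host-project-id-global-network-connectivity-profile-vpc  # kpt-set: ${host-project-id}-global-${network-connectivity-profile}-vpc
    namespace: client-name-networking  # kpt-set: ${client-name}-networking
  networkingMode: VPC_NATIVE
  nodePoolAutoConfig:
    # network tags are defined in setters.yaml and updated by the starlark function starlark-update-containercluster.yaml
    networkTags:
      tags:
        - ids
  notificationConfig:
    pubsub:
      enabled: true
      topicRef:
        name: project-id-gke-cluster-notification-pubsub-topic  # kpt-set: ${project-id}-gke-cluster-notification-pubsub-topic
        namespace: client-name-logging  # kpt-set: ${client-name}-logging
  podSecurityPolicyConfig:
    enabled: false
  privateClusterConfig:
    enablePrivateEndpoint: true
    enablePrivateNodes: true
    masterIpv4CidrBlock: 192.168.0.0/28  # kpt-set: ${masterIpv4CidrBlock}
    masterGlobalAccessConfig:
      enabled: true
  releaseChannel:
    channel: REGULAR
  subnetworkRef:
    name: project-id-cluster-name-snet  # kpt-set: ${project-id}-${cluster-name}-snet
  verticalPodAutoscaling:
    enabled: true
  # Enable google group for rbac authentication in GKE
  authenticatorGroupsConfig:
    securityGroup: gke-security-groups@yourdomain.com  # kpt-set: ${security-group}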