[GKE Hub]: Add Fleet default cluster config

GoogleCloudPlatform · Oct 28, 2023 · 64de94d · 64de94d
1 parent 5e824ac
commit 64de94d
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 2 deletions.
diff --git a/mmv1/products/gkehub2/Fleet.yaml b/mmv1/products/gkehub2/Fleet.yaml
@@ -95,3 +95,49 @@ properties:
           - READY
           - DELETING
           - UPDATING
+  - !ruby/object:Api::Type::NestedObject
+    name: "defaultClusterConfig"
+    description: The default cluster configurations to apply across the fleet.
+    properties:
+      - !ruby/object:Api::Type::NestedObject
+        name: "securityPostureConfig"
+        description: Enable/Disable Security Posture features for the cluster.
+        properties:
+          - !ruby/object:Api::Type::Enum
+            name: "mode"
+            description: Sets which mode to use for Security Posture features.
+            values:
+              - MODE_UNSPECIFIED
+              - DISABLED
+              - BASIC
+              - ENTERPRISE
+          - !ruby/object:Api::Type::Enum
+            name: "vulnerabilityMode"
+            description: Sets which mode to use for vulnerability scanning.
+            values:
+              - VULNERABILITY_MODE_UNSPECIFIED
+              - VULNERABILITY_DISABLED
+              - VULNERABILITY_BASIC
+              - VULNERABILITY_ENTERPRISE
+      - !ruby/object:Api::Type::NestedObject
+        name: "binaryAuthorizationConfig"
+        description: Enable/Disable binary authorization features for the cluster.
+        properties:
+          - !ruby/object:Api::Type::Enum
+            name: "evaluationMode"
+            description: Mode of operation for binauthz policy evaluation.
+            values:
+              - EVALUATION_MODE_UNSPECIFIED
+              - DISABLED
+              - POLICY_BINDINGS
+          - !ruby/object:Api::Type::Array
+            name: "policyBindings"
+            description:  Binauthz policies that apply to this cluster.
+            item_type: !ruby/object:Api::Type::NestedObject
+              properties:
+                - !ruby/object:Api::Type::String
+                  name: "name"
+                  description: |
+                    The relative resource name of the binauthz platform policy to audit. GKE
+                    platform policies have the following format:
+                    `projects/{project_number}/platforms/gke/policies/{policy_id}`.
diff --git a/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb b/mmv1/templates/terraform/examples/gkehub_fleet_basic.tf.erb
@@ -1,3 +1,12 @@
 resource "google_gke_hub_fleet" "default" {
   display_name = "my production fleet"
+  default_cluster_config {
+    security_posture_config {
+      mode = "DISABLED"
+      vulnerability_mode = "VULNERABILITY_DISABLED"
+    }
+    binary_authorization_config {
+      evaluation_mode = "DISABLED"
+    }
+  }
 }
diff --git a/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb b/mmv1/third_party/terraform/services/gkehub2/resource_gke_hub_fleet_test.go.erb
@@ -57,7 +57,15 @@ func testAccGKEHub2Fleet_basic(context map[string]interface{}) string {
 resource "google_gke_hub_fleet" "default" {
   project = google_project.project.project_id
   display_name = "my production fleet"
-
+  default_cluster_config { 
+	security_posture_config {
+		mode = "DISABLED"
+		vulnerability_mode = "VULNERABILITY_DISABLED"
+	}
+	binary_authorization_config {
+		evaluation_mode = "DISABLED"
+	}
+  }
   depends_on = [time_sleep.wait_for_gkehub_enablement]
 }
 `, context)
@@ -68,7 +76,15 @@ func testAccGKEHub2Fleet_update(context map[string]interface{}) string {
 resource "google_gke_hub_fleet" "default" {
   project = google_project.project.project_id
   display_name = "my staging fleet"
-
+  default_cluster_config {
+	security_posture_config {
+		mode = "BASIC"
+		vulnerability_mode = "VULNERABILITY_BASIC"
+	}
+	binary_authorization_config {
+		evaluation_mode = "BASIC"
+	}
+  }
   depends_on = [time_sleep.wait_for_gkehub_enablement]
 }
 `, context)