Google Kubernetes (Container) Engine Node Pool
This page shows how to write Terraform for a Kubernetes (Container) Engine Node Pool and how to configure it securely.
google_container_node_pool (Terraform)
The Node Pool in Kubernetes (Container) Engine can be configured in Terraform with the resource name google_container_node_pool. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_container_node_pool" "default_regional" {
  name    = "default"
  cluster = google_container_cluster.default_regional.id
}

resource "google_container_node_pool" "with_node_config_regional" {
  # body truncated in the source excerpt
}

resource "google_container_node_pool" "node_pool" {
  provider = google-beta
  name     = "private-pool"
  project  = var.project
  location = var.location
  # remaining arguments truncated in the source excerpt
}

resource "google_container_node_pool" "positive1" {
  name       = "my-node-pool"
  location   = "us-central1-a"
  cluster    = google_container_cluster.primary.name
  node_count = 3
  # remaining arguments truncated in the source excerpt
}
Security Best Practices for google_container_node_pool
There are 4 settings in google_container_node_pool that should be taken care of for security reasons. The following sections give an overview and example code.
Ensure Container-Optimized OS (cos) is used for node images
It is better to use Container-Optimized OS (cos) for node images. GKE supports several OS image types; however, COS_CONTAINERD should be used for enhanced security.
Ensure node metadata exposure of your GKE cluster is disabled
It is better to restrict the node metadata exposed to workloads in the GKE cluster, preventing unnecessary exposure, by setting node_metadata in workload_metadata_config to "SECURE".
Ensure the auto repair of your GKE cluster is enabled
It is better to enable auto repair for the GKE cluster so that nodes are recovered automatically after unexpected incidents.
Ensure the auto upgrade of your GKE cluster is enabled
It is better to enable auto upgrade for the GKE cluster to keep the nodes in the cluster up to date.
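As an added example (not code from this page or from the repositories cited below), here is one node pool that applies all four recommendations at once; the cluster reference google_container_cluster.primary and the variables var.project and var.node_service_account are assumed placeholders. It also goes beyond the four checks by using the service_account, oauth_scopes and shielded_instance_config parameters from the list below.

```hcl
# Added example: a node pool that satisfies the four checks above.
# Assumptions: google_container_cluster.primary exists, and var.project /
# var.node_service_account are placeholders for your own values.

resource "google_container_node_pool" "hardened" {
  name     = "hardened-pool"
  location = "us-central1-a"
  cluster  = google_container_cluster.primary.name
  project  = var.project

  node_count = 3

  node_config {
    # 1) Container-Optimized OS with containerd: minimal image with a
    #    read-only root filesystem, patched by Google.
    image_type = "COS_CONTAINERD"

    # 2) Restrict the node metadata reachable by workloads. "SECURE" matches
    #    the node_metadata schema documented on this page; newer provider
    #    releases replaced node_metadata with mode = "GKE_METADATA".
    workload_metadata_config {
      node_metadata = "SECURE"
    }

    # Run nodes under a dedicated, least-privilege service account instead of
    # the Compute Engine default, and limit API scopes to logging/monitoring.
    service_account = var.node_service_account
    oauth_scopes = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]

    # Shielded VM options: Secure Boot rejects unsigned boot components and
    # integrity monitoring reports drift from the measured boot baseline.
    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }
  }

  # 3) and 4) Let GKE replace unhealthy nodes and roll out node version
  #    upgrades so the pool does not lag behind patched releases.
  management {
    auto_repair  = true
    auto_upgrade = true
  }
}
```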
Parameters
- cluster (required, string): The cluster to create the node pool for. Cluster must be present in location provided for zonal clusters.
- id (optional computed, string)
- initial_node_count (optional computed, number): The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource.
- instance_group_urls (optional computed, list of string): The resource URLs of the managed instance groups associated with this node pool.
- location (optional computed, string): The location (region or zone) of the cluster.
- max_pods_per_node (optional computed, number): The maximum number of pods per node in this node pool. Note that this does not work on node pools which are "route-based", that is, node pools belonging to clusters that do not have IP Aliasing enabled.
- name (optional computed, string): The name of the node pool. If left blank, Terraform will auto-generate a unique name.
- name_prefix (optional computed, string): Creates a unique name for the node pool beginning with the specified prefix. Conflicts with name.
- node_count (optional computed, number): The number of nodes per instance group. This field can be used to update the number of nodes per instance group but should not be used alongside autoscaling.
- node_locations (optional computed, set of string): The list of zones in which the node pool's nodes should be located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. If unspecified, the cluster-level node_locations will be used.
- project (optional, string): The ID of the project in which to create the node pool. If blank, the provider-configured project will be used.
- version (optional computed, string): The Kubernetes version for the nodes in this pool. Note that if this field and auto_upgrade are both specified, they will fight each other for what the node version should be, so setting both is highly discouraged. While a fuzzy version can be specified, it's recommended that you specify explicit versions as Terraform will see spurious diffs when fuzzy versions are used. See the google_container_engine_versions data source's version_prefix field to approximate fuzzy versions in a Terraform-compatible way.
- autoscaling (list block):
  - max_node_count (required, number): Maximum number of nodes in the NodePool. Must be >= min_node_count.
  - min_node_count (required, number): Minimum number of nodes in the NodePool. Must be >= 0 and <= max_node_count.
- management (list block):
  - auto_repair (optional, bool): Whether the nodes will be automatically repaired.
  - auto_upgrade (optional, bool): Whether the nodes will be automatically upgraded.
- node_config (list block):
  - disk_size_gb (optional computed, number): Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB.
  - disk_type (optional computed, string): Type of the disk attached to each node.
  - guest_accelerator (optional computed, list of object): List of the type and count of accelerator cards attached to the instance.
    - count (number)
    - type (string)
  - image_type (optional computed, string): The image type to use for this node. Note that for a given image type, the latest version of it will be used.
  - labels (optional computed, map from string to string): The map of Kubernetes labels (key/value pairs) to be applied to each node. These will be added in addition to any default label(s) that Kubernetes may apply to the node.
  - local_ssd_count (optional computed, number): The number of local SSD disks to be attached to the node.
  - machine_type (optional computed, string): The name of a Google Compute Engine machine type.
  - metadata (optional computed, map from string to string): The metadata key/value pairs assigned to instances in the cluster.
  - min_cpu_platform (optional, string): Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform.
  - oauth_scopes (optional computed, set of string): The set of Google API scopes to be made available on all of the node VMs.
  - preemptible (optional, bool): Whether the nodes are created as preemptible VM instances.
  - service_account (optional computed, string): The Google Cloud Platform Service Account to be used by the node VMs.
  - tags (optional, list of string): The list of instance tags applied to all nodes.
  - taint (optional computed, list of object): List of Kubernetes taints to be applied to each node.
    - effect (string)
    - key (string)
    - value (string)
  - shielded_instance_config (list block):
    - enable_integrity_monitoring (optional, bool): Defines whether the instance has integrity monitoring enabled.
    - enable_secure_boot (optional, bool): Defines whether the instance has Secure Boot enabled.
  - workload_metadata_config (list block):
    - node_metadata (required, string): NodeMetadata is the configuration for how to expose metadata to the workloads running on the node.
- timeouts (single block)
- upgrade_settings (list block):
  - max_surge (required, number): The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater.
  - max_unavailable (required, number): The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater.
Explanation in Terraform Registry
-> See the Using GKE with Terraform guide for more information about using GKE with Terraform. Manages a node pool in a Google Kubernetes Engine (GKE) cluster separately from the cluster control plane. For more information see the official documentation and the API reference.
Tips: Best Practices for The Other Google Kubernetes (Container) Engine Resources
In addition to google_container_node_pool, Google Kubernetes (Container) Engine has other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
google_container_cluster
Ensure legacy authentication is disabled
If legacy authentication is enabled for your GKE cluster, it is better to disable it and use OAuth authentication instead.
Frequently asked questions
What is Google Kubernetes (Container) Engine Node Pool?
Google Kubernetes (Container) Engine Node Pool is a resource for Kubernetes (Container) Engine of Google Cloud Platform. Its settings can be written in Terraform.
Where can I find the example code for the Google Kubernetes (Container) Engine Node Pool?
For Terraform, the infracost/infracost, UCDenver-ccp/Translator-TM-Provider-Infrastructure-Modules and Checkmarx/kics source code examples are useful. See the Terraform Example section for further details.