Google Kubernetes (Container) Engine Node Pool
This page shows how to write Terraform for a Kubernetes (Container) Engine Node Pool and how to configure it securely.
google_container_node_pool (Terraform)
The Node Pool in Kubernetes (Container) Engine can be configured in Terraform with the resource name google_container_node_pool. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
```hcl
resource "google_container_node_pool" "default_regional" {
  name    = "default"
  cluster = google_container_cluster.default_regional.id
}
```

```hcl
resource "google_container_node_pool" "with_node_config_regional" {
}
```

```hcl
resource "google_container_node_pool" "node_pool" {
  provider = google-beta
  name     = "private-pool"
  project  = var.project
  location = var.location
}
```

```hcl
resource "google_container_node_pool" "positive1" {
  name       = "my-node-pool"
  location   = "us-central1-a"
  cluster    = google_container_cluster.primary.name
  node_count = 3
}
```
Security Best Practices for google_container_node_pool
There are 4 settings in google_container_node_pool that should be taken care of for security reasons. The following sections give an overview of each and example code.
Ensure Container-Optimized OS (cos) is used for node images
Use Container-Optimized OS (cos) for node images. GKE supports several OS image types, but COS_CONTAINERD should be used for enhanced security.
Ensure node metadata exposure in your GKE cluster is disabled
Disable exposure of node metadata to the workloads running in the GKE cluster, to prevent unnecessary exposure, by setting node_metadata to "SECURE".
Ensure auto repair of your GKE cluster is enabled
Enable auto repair for the GKE cluster so that nodes are recovered automatically after unexpected incidents.
Ensure auto upgrade of your GKE cluster is enabled
Enable auto upgrade for the GKE cluster to keep the nodes in the cluster up to date.
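The following node pool applies all four settings above in one resource. It is an added example, not code from the page's source repositories: google_container_cluster.primary, var.project, var.location and the google_service_account.nodes account are assumed names, and node_metadata is the attribute as listed in the Parameters section of this page (newer releases of the Google provider replace it with a mode attribute inside workload_metadata_config).

```hcl
# Added example: a hardened google_container_node_pool.
# Assumed names: google_container_cluster.primary, var.project, var.location,
# google_service_account.nodes (all hypothetical).

# Dedicated, minimally privileged node service account instead of the
# default Compute Engine service account.
resource "google_service_account" "nodes" {
  account_id   = "gke-nodes"
  display_name = "GKE node pool service account"
}

resource "google_container_node_pool" "hardened" {
  name     = "hardened-pool"
  project  = var.project
  location = var.location
  cluster  = google_container_cluster.primary.name

  # Size with autoscaling rather than node_count so the two do not conflict.
  autoscaling {
    min_node_count = 1
    max_node_count = 5
  }

  # Check 3 and 4: nodes are repaired and upgraded automatically.
  management {
    auto_repair  = true
    auto_upgrade = true
  }

  # Surge upgrades keep every node available while one is replaced.
  upgrade_settings {
    max_surge       = 1
    max_unavailable = 0
  }

  node_config {
    # Check 1: Container-Optimized OS with containerd.
    image_type   = "COS_CONTAINERD"
    machine_type = "e2-standard-4"

    service_account = google_service_account.nodes.email
    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]

    # Block the deprecated v0.1 / v1beta1 metadata server endpoints.
    metadata = {
      disable-legacy-endpoints = "true"
    }

    shielded_instance_config {
      enable_secure_boot          = true
      enable_integrity_monitoring = true
    }

    # Check 2: node metadata is hidden from workloads on the node.
    workload_metadata_config {
      node_metadata = "SECURE"
    }
  }
}
```

Because version and auto_upgrade would otherwise compete for the node version, the pool sets no explicit version and lets auto_upgrade follow the cluster's release channel; pin a version instead only if auto_upgrade is turned off.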
Parameters
- cluster (required, string): The cluster to create the node pool for. The cluster must be present in the location provided for zonal clusters.
- id (optional, computed, string)
- initial_node_count (optional, computed, number): The initial number of nodes for the pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Changing this will force recreation of the resource.
- instance_group_urls (optional, computed, list of string): The resource URLs of the managed instance groups associated with this node pool.
- location (optional, computed, string): The location (region or zone) of the cluster.
- max_pods_per_node (optional, computed, number): The maximum number of pods per node in this node pool. Note that this does not work on node pools which are "route-based", that is, node pools belonging to clusters that do not have IP Aliasing enabled.
- name (optional, computed, string): The name of the node pool. If left blank, Terraform will auto-generate a unique name.
- name_prefix (optional, computed, string): Creates a unique name for the node pool beginning with the specified prefix. Conflicts with name.
- node_count (optional, computed, number): The number of nodes per instance group. This field can be used to update the number of nodes per instance group but should not be used alongside autoscaling.
- node_locations (optional, computed, set of string): The list of zones in which the node pool's nodes should be located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. If unspecified, the cluster-level node_locations will be used.
- project (optional, computed, string): The ID of the project in which to create the node pool. If blank, the provider-configured project will be used.
- version (optional, computed, string): The Kubernetes version for the nodes in this pool. Note that if this field and auto_upgrade are both specified, they will fight each other for what the node version should be, so setting both is highly discouraged. While a fuzzy version can be specified, it's recommended that you specify explicit versions, as Terraform will see spurious diffs when fuzzy versions are used. See the google_container_engine_versions data source's version_prefix field to approximate fuzzy versions in a Terraform-compatible way.
- autoscaling (list block):
  - max_node_count (required, number): Maximum number of nodes in the NodePool. Must be >= min_node_count.
  - min_node_count (required, number): Minimum number of nodes in the NodePool. Must be >= 0 and <= max_node_count.
- management (list block):
  - auto_repair (optional, bool): Whether the nodes will be automatically repaired.
  - auto_upgrade (optional, bool): Whether the nodes will be automatically upgraded.
- node_config (list block):
  - disk_size_gb (optional, computed, number): Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10 GB.
  - disk_type (optional, computed, string): Type of the disk attached to each node.
  - guest_accelerator (optional, computed, list of object): List of the type and count of accelerator cards attached to the instance.
    - count (number)
    - type (string)
  - image_type (optional, computed, string): The image type to use for this node. Note that for a given image type, the latest version of it will be used.
  - labels (optional, computed, map from string to string): The map of Kubernetes labels (key/value pairs) to be applied to each node. These will be added in addition to any default label(s) that Kubernetes may apply to the node.
  - local_ssd_count (optional, computed, number): The number of local SSD disks to be attached to the node.
  - machine_type (optional, computed, string): The name of a Google Compute Engine machine type.
  - metadata (optional, computed, map from string to string): The metadata key/value pairs assigned to instances in the cluster.
  - min_cpu_platform (optional, string): Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform.
  - oauth_scopes (optional, computed, set of string): The set of Google API scopes to be made available on all of the node VMs.
  - preemptible (optional, bool): Whether the nodes are created as preemptible VM instances.
  - service_account (optional, computed, string): The Google Cloud Platform Service Account to be used by the node VMs.
  - tags (optional, list of string): The list of instance tags applied to all nodes.
  - taint (optional, computed, list of object): List of Kubernetes taints to be applied to each node.
    - effect (string)
    - key (string)
    - value (string)
  - shielded_instance_config (list block):
    - enable_integrity_monitoring (optional, bool): Defines whether the instance has integrity monitoring enabled.
    - enable_secure_boot (optional, bool): Defines whether the instance has Secure Boot enabled.
  - workload_metadata_config (list block):
    - node_metadata (required, string): NodeMetadata is the configuration for how to expose metadata to the workloads running on the node.
- timeouts (single block)
- upgrade_settings (list block):
  - max_surge (required, number): The number of additional nodes that can be added to the node pool during an upgrade. Increasing max_surge raises the number of nodes that can be upgraded simultaneously. Can be set to 0 or greater.
  - max_unavailable (required, number): The number of nodes that can be simultaneously unavailable during an upgrade. Increasing max_unavailable raises the number of nodes that can be upgraded in parallel. Can be set to 0 or greater.
Explanation in Terraform Registry
See the Using GKE with Terraform guide for more information about using GKE with Terraform. This resource manages a node pool in a Google Kubernetes Engine (GKE) cluster separately from the cluster control plane. For more information see the official documentation and the API reference.
Tips: Best Practices for The Other Google Kubernetes (Container) Engine Resources
In addition to google_container_node_pool, Google Kubernetes (Container) Engine has other resources that should be configured with security in mind. The following examples show those resources and the precautions to take.
google_container_cluster
Ensure legacy authentication is disabled
Legacy authentication should be disabled for the GKE cluster. Use OAuth authentication instead.
Frequently asked questions
What is Google Kubernetes (Container) Engine Node Pool?
Google Kubernetes (Container) Engine Node Pool is a resource for Kubernetes (Container) Engine of Google Cloud Platform. Its settings can be written in Terraform.
Where can I find the example code for the Google Kubernetes (Container) Engine Node Pool?
For Terraform, the infracost/infracost, UCDenver-ccp/Translator-TM-Provider-Infrastructure-Modules and Checkmarx/kics source code examples are useful. See the Terraform Example section for further details.