Introducing our best-practice GKE Terraform module

Jetstack works with many customers using Google Cloud’s Kubernetes Engine (GKE). We work closely with teams to configure their clusters to conform with best practices. While GKE’s robust default settings provide an excellent abstraction of the lower level details of control plane configuration, there are still many more considerations when automating the build of a production grade cluster.

Automating Cluster Deployments

To ensure deployments of clusters are as reliable as possible it’s best to automate as much as possible. The aim is for infrastructure deployment to be easy and repeatable. As well as helping reduce human error, this codifies the infrastructure setup, allowing it to be version controlled and more easily reviewed.

Terraform is an excellent tool for automating infrastructure deployment. If you’re not already using it we’d highly recommend it; it’s widely used both internally at Jetstack, and by our customers.

When it comes to managing clusters with Terraform, it’s not just about creating the cluster: a key feature is also performing cluster upgrades. Terraform is the best infrastructure-as-code tool for managing the cluster lifecycle.

Another benefit of Terraform is that it features modules, which are a way to group resources. Modules can be dropped into your Terraform projects for easy reuse of resources, or to share and include resources configured by someone else.

Enter: Terraform GKE Module

cover image of code from the module

To consolidate Jetstack’s extensive production experience with GKE and as an artefact that can form part of an automated deployment, we created our Terraform GKE cluster module.

We’ve been developing and testing it over the past few months and are excited to have just released version 0.1.0 on GitHub!

The module currently uses Terraform version 0.11. However with the recent release of Terraform 0.12, which overhauls the Terraform syntax, development of a 0.12 compatible version is already underway.

What can I tweak?

Getting the most out of a production GKE cluster means making use of its more advanced security features, as well as the supporting Google Cloud Platform (GCP) products. The Terraform GKE module enables as many of these additional security features as possible. These include:

  • Enabling network policy
  • Disabling basic authentication and client certificate issuing
  • Disabling Kubernetes dashboard (Google Cloud Console should be used instead)
  • Setting the OAuth scope of nodes to cloud-platform to manage permissions with IAM
  • Disabling node legacy endpoints
  • Creating an IAM service account for nodes with the minimum required roles

While the module is opinionated, and designed to force strong security, there are many configurable parts too. These are provided to the module in the form of input variables. Configurable parts include (among many others):

  • GCP location (zonal/regional)
  • Node pool auto-repair & upgrade
  • VPC network and subnetwork names
  • Access to private GCR images
  • GCP HTTP load balancing configuration
  • Master authorized CIDR blocks
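The settings in both lists above, written out as a standalone Terraform configuration so you can see what each option maps to at the resource level. This is an added example, not code from the Jetstack module: it uses Terraform 0.12 syntax and the google provider 2.x resource schema, and the project ID, region, VPC/subnetwork names, CIDR block and machine type are placeholders.

```hcl
# Added illustration, not the Jetstack module's own code.
# Terraform 0.12 syntax; google provider 2.x schema; placeholder values.

variable "project" {
  description = "GCP project ID (placeholder)"
  type        = string
}

provider "google" {
  project = var.project
  region  = "europe-west1"
}

# Dedicated node service account with only the roles nodes need to ship
# logs and metrics, instead of the over-privileged Compute default account.
resource "google_service_account" "node" {
  account_id   = "gke-node"
  display_name = "GKE node service account"
}

locals {
  node_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
  ]
}

resource "google_project_iam_member" "node_roles" {
  count   = length(local.node_roles)
  project = var.project
  role    = local.node_roles[count.index]
  member  = "serviceAccount:${google_service_account.node.email}"
}

resource "google_container_cluster" "cluster" {
  name     = "hardened-example"
  location = "europe-west1" # a region gives a multi-zone control plane

  # Manage the node pool as its own resource so it can be replaced
  # without recreating the cluster.
  remove_default_node_pool = true
  initial_node_count       = 1

  network    = "example-vpc"    # placeholder VPC network name
  subnetwork = "example-subnet" # placeholder subnetwork name

  # Enforce Kubernetes NetworkPolicy objects with Calico.
  network_policy {
    enabled  = true
    provider = "CALICO"
  }

  # Empty username/password disables basic auth; no client certificate
  # is issued, so API access goes through IAM/OAuth only.
  master_auth {
    username = ""
    password = ""

    client_certificate_config {
      issue_client_certificate = false
    }
  }

  addons_config {
    kubernetes_dashboard {
      disabled = true # use the Cloud Console instead
    }
    network_policy_config {
      disabled = false # must be on for the network_policy block above
    }
  }

  # Only these CIDR blocks may reach the Kubernetes API server.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.0/24" # placeholder (documentation range)
      display_name = "office-egress"
    }
  }
}

resource "google_container_node_pool" "primary" {
  name       = "primary"
  location   = google_container_cluster.cluster.location
  cluster    = google_container_cluster.cluster.name
  node_count = 1

  management {
    auto_repair  = true
    auto_upgrade = true
  }

  node_config {
    machine_type    = "n1-standard-2" # placeholder
    service_account = google_service_account.node.email

    # Single cloud-platform scope; actual permissions come from the
    # least-privilege IAM roles bound to the service account above.
    oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

    # Turn off the legacy metadata API versions that can be queried
    # without the Metadata-Flavor header.
    metadata = {
      disable-legacy-endpoints = "true"
    }
  }
}
```

Running terraform plan against this shows the same categories of change the module makes for you; the module's value is that these settings are applied consistently and exposed as input variables rather than hand-written for every cluster.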

Looking for a place to start?

Included alongside the module, in its GitHub repository, is an example project. The project creates the minimal resources required to support the cluster while keeping to best practices. This example can serve as a great starting point for your own Terraform project.


The module is also available on the Terraform Registry so it can be used without having to manually download any dependencies. Terraform automatically fetches dependent modules from the Terraform Registry when you run terraform init. Just include the following in your project, providing the input variables as required.

module "gke-cluster" {
  source  = "jetstack/gke-cluster/google"
  version = "0.1.0"
  # insert the 9 required variables here
}

We’re actively maintaining this module, please open an issue if you run into any problems!