
feat: add allow_net_admin support to standard cluster modules#2550

Open
elayaraja-kv wants to merge 6 commits into terraform-google-modules:main from elayaraja-kv:feat/allow-net-admin-standard-clusters

Conversation

@elayaraja-kv
Contributor

Description

allow_net_admin enables the NET_ADMIN capability on the cluster master and is fully supported by the google_container_cluster resource for all cluster types (see provider docs). However, the autogen template gated it behind {% if autopilot_cluster %}, making it unavailable for standard (non-autopilot) cluster modules.

This PR brings parity with the autopilot modules by exposing allow_net_admin across all standard cluster modules.

Changes

  • autogen/main/cluster.tf.tmpl — removed {% if autopilot_cluster %} gate so allow_net_admin is included for all cluster types
  • autogen/main/variables.tf.tmpl — same, moved variable declaration outside the autopilot condition, and aligned formatting (type / default spacing)
  • All generated standard cluster modules — added allow_net_admin = var.allow_net_admin to cluster.tf and the variable declaration to variables.tf:
    • Root module
    • modules/private-cluster
    • modules/private-cluster-update-variant
    • modules/beta-private-cluster
    • modules/beta-private-cluster-update-variant
    • modules/beta-public-cluster
    • modules/beta-public-cluster-update-variant
  • modules/gke-standard-cluster — changed hardcoded allow_net_admin = false to var.allow_net_admin and added the variable (default false to preserve existing behaviour)

Backward Compatibility

  • All new variables default to null (or false for gke-standard-cluster to match the previous hardcoded value), so existing configurations are unaffected.

Related

  • Autopilot modules already support this: modules/beta-autopilot-private-cluster, modules/beta-autopilot-public-cluster, modules/gke-autopilot-cluster

@google-cla

google-cla bot commented Mar 5, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances Google Kubernetes Engine (GKE) cluster configurations by enabling the allow_net_admin capability for all standard cluster modules. Previously, this setting was inadvertently restricted to Autopilot clusters due to conditional logic within the autogenerated Terraform templates. By modifying these templates and integrating the allow_net_admin variable across various standard cluster definitions, this change ensures that users can configure NET_ADMIN for their cluster masters regardless of their chosen GKE cluster type, thereby standardizing a critical networking feature.

Highlights

  • Feature Parity: The allow_net_admin feature, previously exclusive to Autopilot GKE clusters, is now extended to all standard cluster modules, ensuring consistent functionality across cluster types.
  • Template Logic Update: Conditional gating for allow_net_admin in autogenerated Terraform templates has been removed, making the option universally available.
  • Backward Compatibility: New variables introduced default to null or false to prevent breaking existing configurations.
Changelog
  • autogen/main/cluster.tf.tmpl
    • Removed the conditional {% if autopilot_cluster %} block that previously gated the allow_net_admin setting.
  • autogen/main/variables.tf.tmpl
    • Moved the allow_net_admin variable declaration outside the {% if autopilot_cluster %} condition.
    • Aligned the formatting for type and default attributes of the allow_net_admin variable.
  • cluster.tf
    • Added allow_net_admin = var.allow_net_admin to the google_container_cluster resource definition.
  • modules/beta-private-cluster-update-variant/cluster.tf
    • Added allow_net_admin = var.allow_net_admin to the google_container_cluster resource definition.
  • modules/beta-private-cluster-update-variant/variables.tf
    • Added the allow_net_admin variable with type bool and a null default.
  • modules/beta-private-cluster/cluster.tf
    • Added allow_net_admin = var.allow_net_admin to the google_container_cluster resource definition.
  • modules/beta-private-cluster/variables.tf
    • Added the allow_net_admin variable with type bool and a null default.
  • modules/beta-public-cluster-update-variant/cluster.tf
    • Added allow_net_admin = var.allow_net_admin to the google_container_cluster resource definition.
  • modules/beta-public-cluster-update-variant/variables.tf
    • Added the allow_net_admin variable with type bool and a null default.
  • modules/beta-public-cluster/cluster.tf
    • Added allow_net_admin = var.allow_net_admin to the google_container_cluster resource definition.
  • modules/beta-public-cluster/variables.tf
    • Added the allow_net_admin variable with type bool and a null default.
  • modules/gke-standard-cluster/main.tf
    • Changed the hardcoded allow_net_admin = false to allow_net_admin = var.allow_net_admin.
  • modules/gke-standard-cluster/variables.tf
    • Added the allow_net_admin variable with type bool and a false default.
  • modules/private-cluster-update-variant/cluster.tf
    • Added allow_net_admin = var.allow_net_admin to the google_container_cluster resource definition.
  • modules/private-cluster-update-variant/variables.tf
    • Added the allow_net_admin variable with type bool and a null default.
  • modules/private-cluster/cluster.tf
    • Added allow_net_admin = var.allow_net_admin to the google_container_cluster resource definition.
  • modules/private-cluster/variables.tf
    • Added the allow_net_admin variable with type bool and a null default.
  • variables.tf
    • Added the allow_net_admin variable with type bool and a null default.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request extends the allow_net_admin functionality, previously available only for Autopilot clusters, to all standard GKE cluster modules. The changes involve updating the Terraform templates to remove the conditional logic and then regenerating the module files. A manual update is also correctly applied to the gke-standard-cluster module. The changes are logical and maintain backward compatibility. My feedback focuses on improving the description of the new allow_net_admin variable to enhance security awareness for users, by making the potential risks of enabling this powerful capability more explicit. All comments have been kept as they do not contradict any provided rules.

Note: Security Review did not run due to the size of the PR.

{% endif %}
{% if autopilot_cluster %}
variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."

medium

For better security awareness, it's good practice to be more explicit about the implications of enabling this option. The NET_ADMIN capability is powerful and should be used with caution. I suggest expanding the description to include a brief warning and a link to the relevant documentation.

  description = "(Optional) Enable NET_ADMIN for containers in this cluster. This is a powerful capability. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_pod_permissions"

}

variable "allow_net_admin" {
description = "(Optional) Enable NET_ADMIN for the cluster."

medium

For better security awareness, it's good practice to be more explicit about the implications of enabling this option. The NET_ADMIN capability is powerful and should be used with caution. I suggest expanding the description to include a brief warning and a link to the relevant documentation.

  description = "(Optional) Enable NET_ADMIN for containers in this cluster. This is a powerful capability. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_pod_permissions"

@elayaraja-kv elayaraja-kv force-pushed the feat/allow-net-admin-standard-clusters branch 2 times, most recently from 982757f to 07218bd on March 5, 2026 03:28
The allow_net_admin attribute was previously gated behind the
autopilot_cluster condition in the autogen template, making it
unavailable for standard (non-autopilot) cluster modules. Since
the google_container_cluster resource supports allow_net_admin for
all cluster types, expose it as a variable across all standard
cluster modules for parity with the autopilot modules.

Also update gke-standard-cluster to use a variable instead of the
hardcoded false value, allowing users of that module to enable it.
@elayaraja-kv elayaraja-kv force-pushed the feat/allow-net-admin-standard-clusters branch from 07218bd to 693c0c8 on March 5, 2026 03:31
@elayaraja-kv elayaraja-kv force-pushed the feat/allow-net-admin-standard-clusters branch from e3627dd to d0b12a9 on March 5, 2026 03:36
@apeabody
Collaborator

apeabody commented Mar 5, 2026

Hi @elayaraja-kv

Per the provider documentation, it appears this field should only be enabled for Autopilot clusters.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#allow_net_admin-1
"allow_net_admin - (Optional) Enable NET_ADMIN for the cluster. Defaults to false. This field should only be enabled for Autopilot clusters (enable_autopilot set to true)."

@elayaraja-kv
Contributor Author

Thanks for the review, @apeabody!

You are right that the provider docs say "should only be enabled for Autopilot clusters" -- that is the primary and most impactful use case, and I have updated the variable description across all affected files to make that clear.

To clarify the distinction:

  • Autopilot clusters: allow_net_admin = true is the only way to grant NET_ADMIN to workloads, since Autopilot's security model strips privileged capabilities by default. This is required for service meshes like Linkerd or Istio when running without CNI mode.
  • Standard clusters: Workloads can grant NET_ADMIN at the pod level via securityContext.capabilities.add, so the cluster-level flag is not strictly necessary. However, the underlying GKE API and Terraform provider both accept it for standard clusters -- the autogen template was simply being more restrictive than the provider itself.

The intent of this PR is not to encourage use on standard clusters, but to remove an arbitrary autogen gate so that:

  1. The module is not more restrictive than the Terraform provider
  2. Users migrating between cluster types do not hit unexpected missing variables
  3. The variable defaults to null (no change to existing behaviour)

The updated description now reads:

Primarily intended for Autopilot clusters, where Autopilot's security model prevents pods from requesting privileged capabilities and this flag is the only way to grant NET_ADMIN. On Standard clusters, workloads can grant NET_ADMIN at the pod level via securityContext (e.g. for service meshes such as Linkerd or Istio running without CNI mode).

Happy to make further adjustments if you prefer a different approach.
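As an added illustration of the point raised in this thread (example code, not the module's or the PR's own), the following root-module snippet exposes allow_net_admin exactly as the PR does, but enforces the provider's guidance at plan time: an explicit allow_net_admin = true is rejected unless the cluster is Autopilot, while the null default keeps existing configurations unaffected. The variables enable_autopilot, project_id and region, the resource name, and the use of conditional nulls for the Standard-only node arguments are assumptions for the example; lifecycle preconditions require Terraform 1.2 or later.

```hcl
# Added example, not code from terraform-google-modules. Assumes Terraform >= 1.2
# (lifecycle preconditions) and the hashicorp/google provider's
# google_container_cluster resource with enable_autopilot and allow_net_admin.

variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1"
}

variable "enable_autopilot" {
  description = "Create an Autopilot cluster instead of a Standard cluster (assumed variable)."
  type        = bool
  default     = false
}

variable "allow_net_admin" {
  description = "(Optional) Enable NET_ADMIN for the cluster. Per the provider docs this should only be enabled for Autopilot clusters; on Standard clusters grant NET_ADMIN per pod via securityContext.capabilities instead."
  type        = bool
  default     = null
}

resource "google_container_cluster" "example" {
  name     = "example-cluster"
  project  = var.project_id
  location = var.region

  enable_autopilot = var.enable_autopilot
  allow_net_admin  = var.allow_net_admin

  # Node arguments only apply to Standard clusters; Autopilot manages nodes
  # itself, so they are left unset (null) in that case.
  initial_node_count       = var.enable_autopilot ? null : 1
  remove_default_node_pool = var.enable_autopilot ? null : true

  lifecycle {
    precondition {
      # null and false both mean "not requested": only an explicit true on a
      # Standard cluster fails the plan, so the module stays no more
      # restrictive than the provider for every other combination.
      condition     = !coalesce(var.allow_net_admin, false) || var.enable_autopilot
      error_message = "allow_net_admin = true is only supported on Autopilot clusters (set enable_autopilot = true). On Standard clusters, add NET_ADMIN in the pod securityContext instead."
    }
  }
}
```

Running `terraform plan -var='enable_autopilot=false' -var='allow_net_admin=true'` against this configuration fails with the precondition's error message before anything is applied; `-var='enable_autopilot=true' -var='allow_net_admin=true'` plans normally, as does leaving allow_net_admin at its null default for either cluster type. After apply, the effective setting can be confirmed out of band with `gcloud container clusters describe example-cluster --location us-central1 --format='value(autopilot.workloadPolicyConfig.allowNetAdmin)'`, assuming the GKE v1 API field path autopilot.workloadPolicyConfig.allowNetAdmin.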

Update variable description to explain that allow_net_admin is primarily
intended for Autopilot clusters (where it is the only way to grant NET_ADMIN),
and that standard cluster workloads can use NET_ADMIN via pod securityContext
(e.g. for service meshes like Linkerd/Istio without CNI mode).
@elayaraja-kv elayaraja-kv force-pushed the feat/allow-net-admin-standard-clusters branch from cf8292b to 12cd4e9 on March 5, 2026 22:17
Regenerate module files and documentation to fix lint check failures.