# -*- coding: utf-8 -*- #
|
|
# Copyright 2015 Google LLC. All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""Update cluster command."""
|
|
|
|
from __future__ import absolute_import
|
|
from __future__ import division
|
|
from __future__ import unicode_literals
|
|
|
|
from apitools.base.py import exceptions as apitools_exceptions
|
|
from googlecloudsdk.api_lib.container import api_adapter
|
|
from googlecloudsdk.api_lib.container import kubeconfig as kconfig
|
|
from googlecloudsdk.api_lib.container import util
|
|
from googlecloudsdk.calliope import actions
|
|
from googlecloudsdk.calliope import arg_parsers
|
|
from googlecloudsdk.calliope import base
|
|
from googlecloudsdk.calliope import exceptions
|
|
from googlecloudsdk.command_lib.container import constants
|
|
from googlecloudsdk.command_lib.container import container_command_util
|
|
from googlecloudsdk.command_lib.container import flags
|
|
from googlecloudsdk.core import log
|
|
from googlecloudsdk.core.console import console_attr
|
|
from googlecloudsdk.core.console import console_io
|
|
from six.moves import input # pylint: disable=redefined-builtin
|
|
|
|
|
|
class InvalidAddonValueError(util.Error):
  """Raised when an --update-addons entry is neither ENABLED nor DISABLED."""

  def __init__(self, value):
    """Builds the error text from the rejected addon state.

    Args:
      value: The string supplied for the addon that could not be parsed.
    """
    template = (
        'invalid --update-addons value {0}; must be ENABLED or DISABLED.'
    )
    super(InvalidAddonValueError, self).__init__(template.format(value))
|
|
|
|
|
|
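class InvalidPasswordError(util.Error):
  """Raised when the password entered for basic auth is rejected.

  The rejected password is deliberately kept out of the message: exception
  text can end up on the terminal, in shell scrollback or in captured logs,
  none of which are appropriate places for a credential.
  """

  def __init__(self, value, error):
    """Builds the error text without echoing the secret.

    Args:
      value: The rejected password. Accepted so existing callers keep working,
        but never interpolated into the message.
      error: Description of why the password was rejected.
    """
    del value  # Secret material; must not reach the exception message.
    message = 'invalid password value; {0}'.format(error)
    super(InvalidPasswordError, self).__init__(message)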
|
|
|
|
|
|
def _ParseAddonDisabled(val):
  """Converts an addon state string into its "disabled" boolean.

  Args:
    val: The value given for an addon, expected to be 'ENABLED' or 'DISABLED'.

  Returns:
    False for 'ENABLED' and True for 'DISABLED' (the flag stores whether the
    addon is disabled, hence the inversion).

  Raises:
    InvalidAddonValueError: if val is neither of the two accepted strings.
  """
  for accepted, disabled in (('ENABLED', False), ('DISABLED', True)):
    if val == accepted:
      return disabled
  raise InvalidAddonValueError(val)
|
|
|
|
|
|
def _AddCommonArgs(parser):
  """Adds the arguments that this command registers on the parser itself.

  Registers the positional cluster name, --node-pool, the hidden --timeout
  flag and the async flag.

  Args:
    parser: An argparse.ArgumentParser-like object. It is mocked out in order to
      capture some information, but behaves like an ArgumentParser.
  """
  parser.add_argument(
      'name', metavar='NAME', help='The name of the cluster to update.'
  )
  parser.add_argument('--node-pool', help='Node pool to be updated.')

  # Hidden flag; the wait defaults to 3600 seconds (60 minutes).
  timeout_options = dict(
      type=int,
      default=3600,
      hidden=True,
      help='Timeout (seconds) for waiting on the operation to complete.',
  )
  parser.add_argument('--timeout', **timeout_options)

  flags.AddAsyncFlag(parser)
|
|
|
|
|
|
def _AddMutuallyExclusiveArgs(mutex_group, release_track):
  """Adds the flags that must be mutually exclusive with one another.

  Registers --update-addons (whose accepted addon keys and help text depend on
  the release track), --generate-password, --set-password and the basic auth
  flags on the same group.

  Args:
    mutex_group: The mutually exclusive argument group to add the flags to.
    release_track: The base.ReleaseTrack the command is being built for.
  """
  # Each branch only selects data; the --update-addons flag itself is
  # registered once, below.
  if release_track == base.ReleaseTrack.ALPHA:
    addon_keys = (
        api_adapter.INGRESS,
        api_adapter.HPA,
        api_adapter.DASHBOARD,
        api_adapter.NETWORK_POLICY,
        api_adapter.ISTIO,
        api_adapter.APPLICATIONMANAGER,
        api_adapter.BACKUPRESTORE,
        api_adapter.CLOUDBUILD,
        api_adapter.NODELOCALDNS,
        api_adapter.GCEPDCSIDRIVER,
        api_adapter.GCPFILESTORECSIDRIVER,
        api_adapter.GCSFUSECSIDRIVER,
        api_adapter.STATEFULHA,
        api_adapter.PARALLELSTORECSIDRIVER,
        api_adapter.HIGHSCALECHECKPOINTING,
        api_adapter.LUSTRECSIDRIVER,
        api_adapter.CONFIGCONNECTOR,
        api_adapter.RAYOPERATOR,
    )
    addons_help = """Cluster addons to enable or disable. Options are
{hpa}=ENABLED|DISABLED
{ingress}=ENABLED|DISABLED
{dashboard}=ENABLED|DISABLED
{istio}=ENABLED|DISABLED
{backuprestore}=ENABLED|DISABLED
{network_policy}=ENABLED|DISABLED
{cloudrun}=ENABLED|DISABLED
{cloudbuild}=ENABLED|DISABLED
{configconnector}=ENABLED|DISABLED
{nodelocaldns}=ENABLED|DISABLED
{gcepdcsidriver}=ENABLED|DISABLED
{gcpfilestoredriver}=ENABLED|DISABLED
{gcsfusecsidriver}=ENABLED|DISABLED""".format(
        hpa=api_adapter.HPA,
        ingress=api_adapter.INGRESS,
        dashboard=api_adapter.DASHBOARD,
        network_policy=api_adapter.NETWORK_POLICY,
        istio=api_adapter.ISTIO,
        backuprestore=api_adapter.BACKUPRESTORE,
        cloudrun=api_adapter.CLOUDRUN_ADDONS[0],
        cloudbuild=api_adapter.CLOUDBUILD,
        configconnector=api_adapter.CONFIGCONNECTOR,
        nodelocaldns=api_adapter.NODELOCALDNS,
        gcepdcsidriver=api_adapter.GCEPDCSIDRIVER,
        gcpfilestoredriver=api_adapter.GCPFILESTORECSIDRIVER,
        gcsfusecsidriver=api_adapter.GCSFUSECSIDRIVER,
    )
  elif release_track == base.ReleaseTrack.BETA:
    addon_keys = (
        api_adapter.INGRESS,
        api_adapter.HPA,
        api_adapter.DASHBOARD,
        api_adapter.NETWORK_POLICY,
        api_adapter.ISTIO,
        api_adapter.APPLICATIONMANAGER,
        api_adapter.BACKUPRESTORE,
        api_adapter.NODELOCALDNS,
        api_adapter.GCEPDCSIDRIVER,
        api_adapter.GCPFILESTORECSIDRIVER,
        api_adapter.GCSFUSECSIDRIVER,
        api_adapter.STATEFULHA,
        api_adapter.PARALLELSTORECSIDRIVER,
        api_adapter.HIGHSCALECHECKPOINTING,
        api_adapter.LUSTRECSIDRIVER,
        api_adapter.CONFIGCONNECTOR,
        api_adapter.RAYOPERATOR,
    )
    addons_help = """Cluster addons to enable or disable. Options are
{hpa}=ENABLED|DISABLED
{ingress}=ENABLED|DISABLED
{dashboard}=ENABLED|DISABLED
{istio}=ENABLED|DISABLED
{backuprestore}=ENABLED|DISABLED
{network_policy}=ENABLED|DISABLED
{cloudrun}=ENABLED|DISABLED
{configconnector}=ENABLED|DISABLED
{nodelocaldns}=ENABLED|DISABLED
{gcepdcsidriver}=ENABLED|DISABLED
{gcpfilestoredriver}=ENABLED|DISABLED
{gcsfusecsidriver}=ENABLED|DISABLED""".format(
        hpa=api_adapter.HPA,
        ingress=api_adapter.INGRESS,
        dashboard=api_adapter.DASHBOARD,
        network_policy=api_adapter.NETWORK_POLICY,
        istio=api_adapter.ISTIO,
        backuprestore=api_adapter.BACKUPRESTORE,
        cloudrun=api_adapter.CLOUDRUN_ADDONS[0],
        configconnector=api_adapter.CONFIGCONNECTOR,
        nodelocaldns=api_adapter.NODELOCALDNS,
        gcepdcsidriver=api_adapter.GCEPDCSIDRIVER,
        gcpfilestoredriver=api_adapter.GCPFILESTORECSIDRIVER,
        gcsfusecsidriver=api_adapter.GCSFUSECSIDRIVER,
    )
  else:
    addon_keys = (
        api_adapter.INGRESS,
        api_adapter.HPA,
        api_adapter.DASHBOARD,
        api_adapter.NETWORK_POLICY,
        api_adapter.BACKUPRESTORE,
        api_adapter.NODELOCALDNS,
        api_adapter.CONFIGCONNECTOR,
        api_adapter.GCEPDCSIDRIVER,
        api_adapter.GCPFILESTORECSIDRIVER,
        api_adapter.GCSFUSECSIDRIVER,
        api_adapter.STATEFULHA,
        api_adapter.PARALLELSTORECSIDRIVER,
        api_adapter.HIGHSCALECHECKPOINTING,
        api_adapter.LUSTRECSIDRIVER,
        api_adapter.RAYOPERATOR,
    )
    addons_help = """Cluster addons to enable or disable. Options are
{hpa}=ENABLED|DISABLED
{ingress}=ENABLED|DISABLED
{dashboard}=ENABLED|DISABLED
{network_policy}=ENABLED|DISABLED
{backuprestore}=ENABLED|DISABLED
{cloudrun}=ENABLED|DISABLED
{configconnector}=ENABLED|DISABLED
{nodelocaldns}=ENABLED|DISABLED
{gcepdcsidriver}=ENABLED|DISABLED
{gcpfilestoredriver}=ENABLED|DISABLED
{gcsfusecsidriver}=ENABLED|DISABLED
""".format(
        hpa=api_adapter.HPA,
        ingress=api_adapter.INGRESS,
        dashboard=api_adapter.DASHBOARD,
        network_policy=api_adapter.NETWORK_POLICY,
        backuprestore=api_adapter.BACKUPRESTORE,
        cloudrun=api_adapter.CLOUDRUN_ADDONS[0],
        configconnector=api_adapter.CONFIGCONNECTOR,
        nodelocaldns=api_adapter.NODELOCALDNS,
        gcepdcsidriver=api_adapter.GCEPDCSIDRIVER,
        gcpfilestoredriver=api_adapter.GCPFILESTORECSIDRIVER,
        gcsfusecsidriver=api_adapter.GCSFUSECSIDRIVER,
    )

  # Every accepted key is parsed by the same ENABLED/DISABLED parser; the
  # Cloud Run addon names are merged in on top of the per-track keys.
  addon_spec = dict(
      {key: _ParseAddonDisabled for key in addon_keys},
      **{k: _ParseAddonDisabled for k in api_adapter.CLOUDRUN_ADDONS}
  )
  mutex_group.add_argument(
      '--update-addons',
      type=arg_parsers.ArgDict(spec=addon_spec),
      dest='disable_addons',
      metavar='ADDON=ENABLED|DISABLED',
      help=addons_help,
  )

  generate_password_help = (
      'Ask the server to generate a secure password and use that as the '
      'basic auth password, keeping the existing username.'
  )
  mutex_group.add_argument(
      '--generate-password',
      action='store_true',
      default=None,
      help=generate_password_help,
  )

  set_password_help = (
      'Set the basic auth password to the specified value, keeping the '
      'existing username.'
  )
  mutex_group.add_argument(
      '--set-password',
      action='store_true',
      default=None,
      help=set_password_help,
  )

  flags.AddBasicAuthFlags(mutex_group)
|
|
|
|
|
|
def _AddAdditionalZonesArg(mutex_group, deprecated=True):
  """Adds the --additional-zones flag to the given group.

  Args:
    mutex_group: The argument group the flag is added to.
    deprecated: When true, the flag is registered with a DeprecationAction
      whose warning points users at --node-locations; otherwise no custom
      action is set.
  """
  deprecation = (
      actions.DeprecationAction(
          'additional-zones',
          warn=(
              'This flag is deprecated. '
              'Use --node-locations=PRIMARY_ZONE,[ZONE,...] instead.'
          ),
      )
      if deprecated
      else None
  )
  zones_help = """\
The set of additional zones in which the cluster's node footprint should be
replicated. All zones must be in the same region as the cluster's primary zone.

Note that the exact same footprint will be replicated in all zones, such that
if you created a cluster with 4 nodes in a single zone and then use this option
to spread across 2 more zones, 8 additional nodes will be created.

Multiple locations can be specified, separated by commas. For example:

$ {command} example-cluster --zone us-central1-a --additional-zones us-central1-b,us-central1-c

To remove all zones other than the cluster's primary zone, pass the empty string
to the flag. For example:

$ {command} example-cluster --zone us-central1-a --additional-zones ""
"""
  mutex_group.add_argument(
      '--additional-zones',
      type=arg_parsers.ArgList(),
      action=deprecation,
      metavar='ZONE',
      help=zones_help,
  )
|
|
|
|
|
|
@base.ReleaseTracks(base.ReleaseTrack.GA)
|
|
@base.UniverseCompatible
|
|
class Update(base.UpdateCommand):
|
|
"""Update cluster settings for an existing container cluster."""
|
|
|
|
detailed_help = {
|
|
'DESCRIPTION': '{description}',
|
|
'EXAMPLES': """\
|
|
To enable autoscaling for an existing cluster, run:
|
|
|
|
$ {command} sample-cluster --enable-autoscaling
|
|
""",
|
|
}
|
|
|
|
@staticmethod
def Args(parser):
  """Register flags for the GA release track of this command.

  Registration order is kept exactly as written; the calls below are
  order-sensitive as far as this file shows (groups are created and then
  populated in sequence).

  Args:
    parser: An argparse.ArgumentParser-like object. It is mocked out in order
      to capture some information, but behaves like an ArgumentParser.
  """
  _AddCommonArgs(parser)
  # The update flags are registered on one required mutually exclusive group.
  # Flags that belong together are placed in sub-groups created with
  # add_group() / add_mutually_exclusive_group() further down.
  group = parser.add_mutually_exclusive_group(required=True)
  group_locations = group.add_mutually_exclusive_group()
  _AddMutuallyExclusiveArgs(group, base.ReleaseTrack.GA)
  flags.AddNodeLocationsFlag(group_locations)
  flags.AddClusterAutoscalingFlags(parser, group)
  # NOTE(review): by name this toggles legacy (pre-RBAC) authorization;
  # confirm the flag's help text steers users to the secure setting.
  flags.AddEnableLegacyAuthorizationFlag(group)
  flags.AddStartIpRotationFlag(group)
  flags.AddStartCredentialRotationFlag(group)
  flags.AddCompleteIpRotationFlag(group)
  flags.AddCompleteCredentialRotationFlag(group)
  # Registered on the parser, not on the mutually exclusive group.
  flags.AddCloudRunConfigFlag(parser)
  flags.AddUpdateLabelsFlag(group)
  flags.AddRemoveLabelsFlag(group)
  flags.AddAutoprovisioningNetworkTagsUpdate(group)
  flags.AddNetworkPolicyFlags(group)
  flags.AddEnableIntraNodeVisibilityFlag(group)
  # Logging/monitoring service flags share one sub-group ...
  group_logging_monitoring = group.add_group()
  flags.AddLoggingServiceFlag(group_logging_monitoring)
  flags.AddMonitoringServiceFlag(group_logging_monitoring)
  # ... and the logging/monitoring configuration flags share another.
  group_logging_monitoring_config = group.add_group()
  flags.AddLoggingFlag(group_logging_monitoring_config)
  flags.AddMonitoringFlag(group_logging_monitoring_config)
  flags.AddManagedPrometheusFlags(group_logging_monitoring_config)
  flags.AddAutoMonitoringScopeFlags(
      group_logging_monitoring_config, hidden=False
  )
  flags.AddBinauthzFlags(group, release_track=base.ReleaseTrack.GA)
  flags.AddEnableStackdriverKubernetesFlag(group)
  flags.AddDailyMaintenanceWindowFlag(group, add_unset_text=True)
  flags.AddRecurringMaintenanceWindowFlags(group, is_update=True)
  flags.AddResourceUsageExportFlags(group, is_update=True)
  flags.AddReleaseChannelFlag(group, is_update=True, hidden=False)
  flags.AddWorkloadIdentityFlags(group)
  flags.AddWorkloadIdentityUpdateFlags(group)
  flags.AddIdentityServiceFlag(group)
  flags.AddDatabaseEncryptionFlag(group)
  flags.AddDisableDatabaseEncryptionFlag(group)
  flags.AddDisableDefaultSnatFlag(group, for_cluster_create=False)
  flags.AddVerticalPodAutoscalingFlags(group)
  flags.AddAutoprovisioningFlags(group)
  flags.AddAutoscalingProfilesFlag(group)
  flags.AddHPAProfilesFlag(group)
  flags.AddEnableShieldedNodesFlags(group)
  flags.AddPrivateIpv6GoogleAccessTypeFlag('v1', group, hidden=False)
  flags.AddNotificationConfigFlag(group)
  flags.AddDisableAutopilotFlag(group)
  flags.AddAuthenticatorSecurityGroupFlags(group)
  flags.AddILBSubsettingFlags(group, hidden=False)
  flags.AddMeshCertificatesFlags(group)
  flags.AddEnableImageStreamingFlag(group)
  group_dataplane_v2_observability = group.add_group()
  flags.AddDataplaneV2MetricsFlag(group_dataplane_v2_observability)
  flags.AddDataplaneV2ObservabilityFlags(group_dataplane_v2_observability)
  flags.AddClusterDNSFlags(group, hidden=False)
  flags.AddEnableServiceExternalIPs(group)
  flags.AddLoggingVariantFlag(group)
  group_add_pod_ipv4_ranges = group.add_group(hidden=False)
  flags.AddAdditionalPodIpv4RangesFlag(group_add_pod_ipv4_ranges)
  flags.AddRemoveAdditionalPodIpv4RangesFlag(group_add_pod_ipv4_ranges)
  flags.AddStackTypeFlag(group)
  flags.AddCostManagementConfigFlag(group, is_update=True)
  flags.AddGatewayFlags(group, hidden=False)
  # Compliance flags are registered hidden on this track.
  flags.AddComplianceFlags(group, hidden=True)
  flags.AddSecurityPostureFlag(group)
  flags.AddClusterNetworkPerformanceConfigFlags(group)
  flags.AddEnableK8sBetaAPIs(group)
  flags.AddSecurityPostureEnumFlag(group)
  flags.AddWorkloadVulnScanningEnumFlag(group)
  flags.AddRuntimeVulnerabilityInsightFlag(group)
  flags.AddWorkloadPoliciesFlag(group)
  flags.AddAutopilotWorkloadPoliciesFlag(group)
  flags.AddRemoveWorkloadPoliciesFlag(group)
  flags.AddRemoveAutopilotWorkloadPoliciesFlag(group)
  flags.AddEnableMultiNetworkingFlag(group)
  flags.AddContainerdConfigFlag(group)
  flags.AddAutoprovisioningResourceManagerTagsUpdate(group)
  group_fleet_flags = group.add_group()
  flags.AddFleetProjectFlag(group_fleet_flags, is_update=True)
  flags.AddMembershipTypeFlags(group_fleet_flags, is_update=True)
  flags.AddInTransitEncryptionFlag(group)
  flags.AddEnableCiliumClusterwideNetworkPolicyFlag(group, is_update=True)
  flags.AddEnableFqdnNetworkPolicyFlag(group)
  # NOTE(review): ParseUpdateOptions forwards the values of these two as
  # enable_insecure_kubelet_readonly_port / autoprovisioning_enable_insecure_
  # kubelet_readonly_port; confirm the help text describes the exposure.
  flags.AddEnableKubeletReadonlyPortFlag(group)
  flags.AddAutoprovisioningEnableKubeletReadonlyPortFlag(group)
  flags.AddEnableRayClusterLogging(group, is_update=True)
  flags.AddEnableRayClusterMonitoring(group, is_update=True)
  flags.AddSecretManagerEnableFlagGroup(group, is_update=True)
  # NOTE(review): registered visible (hidden=False); by name these control
  # RBAC bindings flagged as insecure - confirm the safe value is the default.
  flags.AddInsecureRBACBindingFlags(group, hidden=False)
  group_add_additional_ip_ranges = group.add_group()
  flags.AddAdditionalIpRangesFlag(group_add_additional_ip_ranges)
  flags.AddRemoveAdditionalIpRangesFlag(group_add_additional_ip_ranges)
  # The drain/undrain sub-group is created hidden.
  group_add_drain_additional_ip_ranges = group.add_group(hidden=True)
  flags.AddDrainAdditionalIpRangesFlag(group_add_drain_additional_ip_ranges)
  flags.AddUndrainAdditionalIpRangesFlag(group_add_drain_additional_ip_ranges)
  flags.AddClusterEnablePrivateNodesFlag(group)
  flags.AddDisableL4LbFirewallReconciliationFlag(group, is_update=True)
  flags.AddClusterTierFlag(group)
  flags.AddAutoprovisioningCgroupModeFlag(group)
  flags.AddEnableAutopilotCompatibilityAuditingFlag(group)
  flags.AddAnonymousAuthenticationConfigFlag(group)

  # All control-plane endpoint access flags live in one sub-group.
  group_for_control_plane_endpoints = group.add_group()
  flags.AddMasterAuthorizedNetworksFlags(group_for_control_plane_endpoints)
  flags.AddEnableIPAccessFlag(group_for_control_plane_endpoints)
  flags.AddMasterGlobalAccessFlag(group_for_control_plane_endpoints)
  flags.AddEnablePrivateEndpoint(group_for_control_plane_endpoints)
  flags.AddEnableGoogleCloudAccess(group_for_control_plane_endpoints)
  flags.AddAauthorizedNetworksOnPrivateEndpointFlag(
      group_for_control_plane_endpoints
  )
  flags.AddEnableDNSAccessFlag(group_for_control_plane_endpoints)
  flags.AddEnableK8sTokensViaDnsFlag(group_for_control_plane_endpoints)
  flags.AddEnableK8sCertsViaDnsFlag(group_for_control_plane_endpoints)
  flags.AddServiceAccountVerificationKeysFlag(group)
  flags.AddServiceAccountSigningKeysFlag(group)
  flags.AddControlPlaneDiskEncryptionKeyFlag(group)
  flags.AddPatchUpdateFlag(group)
  flags.AddAutoIpamFlag(group, is_update=True)
  flags.AddEnableLegacyLustrePortFlag(group, hidden=False)
  flags.AddDisableMultiNicLustreFlag(group, hidden=True)
  flags.AddEnableDefaultComputeClassFlag(group)
  flags.AddNetworkTierFlag(group)
  flags.AddControlPlaneEgressFlag(group)
  # Hidden on this track.
  flags.AddAutopilotPrivilegedAdmissionFlag(group, hidden=True)
  flags.AddEnableKernelModuleSignatureEnforcementFlag(group)
  flags.AddEnableSliceControllerFlag(group, hidden=True)
|
|
|
|
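def ParseUpdateOptions(self, args, locations):
  """Builds the update options object from the parsed command-line args.

  Starts from container_command_util.ParseUpdateOptionsBase(args, locations)
  and then copies the flag values handled by this track onto it. Two changes
  ask for interactive confirmation first: enabling L4 ILB subsetting, and any
  --update-addons entry for NodeLocalDNS.

  Args:
    args: The parsed argument namespace for this invocation.
    locations: Passed through unchanged to ParseUpdateOptionsBase.

  Returns:
    The options object returned by ParseUpdateOptionsBase, with the
    additional attributes set below.

  Raises:
    Whatever the validation helpers or console_io.PromptContinue raise;
    both prompts pass cancel_on_no=True, so declining presumably aborts the
    command - confirm against console_io.
  """
  get_default = lambda key: getattr(args, key)
  flags.ValidateNotificationConfigFlag(args)
  flags.WarnForEnablingBetaAPIs(args)
  opts = container_command_util.ParseUpdateOptionsBase(args, locations)
  opts.resource_usage_bigquery_dataset = args.resource_usage_bigquery_dataset
  opts.clear_resource_usage_bigquery_dataset = (
      args.clear_resource_usage_bigquery_dataset)
  opts.enable_network_egress_metering = args.enable_network_egress_metering
  opts.enable_resource_consumption_metering = (
      args.enable_resource_consumption_metering)
  opts.enable_intra_node_visibility = args.enable_intra_node_visibility
  opts.enable_l4_ilb_subsetting = args.enable_l4_ilb_subsetting
  if opts.enable_l4_ilb_subsetting:
    # Each fragment ends with a space: the adjacent literals are concatenated
    # as-is, and without it the sentences run together in the prompt.
    console_io.PromptContinue(
        message=(
            'Enabling L4 ILB Subsetting is a one-way operation. '
            'Once enabled, this configuration cannot be disabled. '
            'Existing ILB services should be recreated to use Subsetting.'
        ),
        cancel_on_no=True,
    )
  opts.enable_master_global_access = args.enable_master_global_access
  opts.enable_shielded_nodes = args.enable_shielded_nodes
  opts.release_channel = args.release_channel
  opts.autoscaling_profile = args.autoscaling_profile
  opts.hpa_profile = args.hpa_profile
  opts.disable_autopilot = args.disable_autopilot
  opts.cloud_run_config = flags.GetLegacyCloudRunFlag(
      '{}_config', args, get_default
  )
  flags.ValidateCloudRunConfigUpdateArgs(
      opts.cloud_run_config, args.disable_addons
  )
  if args.disable_addons and api_adapter.NODELOCALDNS in args.disable_addons:
    # NodeLocalDNS is being enabled or disabled
    console_io.PromptContinue(
        message=(
            'Enabling/Disabling NodeLocal DNSCache causes a re-creation '
            'of all cluster nodes at versions 1.15 or above. '
            'This operation is long-running and will block other '
            'operations on the cluster (including delete) until it has run '
            'to completion.'
        ),
        cancel_on_no=True,
    )
  opts.disable_default_snat = args.disable_default_snat
  opts.notification_config = args.notification_config
  opts.security_group = args.security_group
  opts.autoprovisioning_network_tags = args.autoprovisioning_network_tags
  opts.enable_image_streaming = args.enable_image_streaming
  opts.enable_dataplane_v2_metrics = args.enable_dataplane_v2_metrics
  opts.disable_dataplane_v2_metrics = args.disable_dataplane_v2_metrics
  opts.enable_dataplane_v2_flow_observability = (
      args.enable_dataplane_v2_flow_observability
  )
  opts.disable_dataplane_v2_flow_observability = (
      args.disable_dataplane_v2_flow_observability
  )
  opts.dataplane_v2_observability_mode = args.dataplane_v2_observability_mode
  opts.cluster_dns = args.cluster_dns
  opts.cluster_dns_scope = args.cluster_dns_scope
  opts.cluster_dns_domain = args.cluster_dns_domain
  opts.disable_additive_vpc_scope = args.disable_additive_vpc_scope
  opts.additive_vpc_scope_dns_domain = args.additive_vpc_scope_dns_domain
  opts.enable_service_externalips = args.enable_service_externalips
  opts.enable_identity_service = args.enable_identity_service
  opts.enable_private_endpoint = args.enable_private_endpoint
  opts.enable_google_cloud_access = args.enable_google_cloud_access
  opts.binauthz_evaluation_mode = args.binauthz_evaluation_mode
  # Policy bindings are always cleared here; only the evaluation mode is
  # taken from the command line.
  opts.binauthz_policy_bindings = None
  opts.logging_variant = args.logging_variant
  opts.additional_pod_ipv4_ranges = args.additional_pod_ipv4_ranges
  opts.removed_additional_pod_ipv4_ranges = (
      args.remove_additional_pod_ipv4_ranges
  )
  opts.additional_ip_ranges = args.additional_ip_ranges
  opts.remove_additional_ip_ranges = args.remove_additional_ip_ranges
  opts.drain_additional_ip_ranges = args.drain_additional_ip_ranges
  opts.undrain_additional_ip_ranges = args.undrain_additional_ip_ranges
  opts.stack_type = args.stack_type
  opts.enable_cost_allocation = args.enable_cost_allocation
  opts.gateway_api = args.gateway_api
  opts.enable_managed_prometheus = args.enable_managed_prometheus
  opts.disable_managed_prometheus = args.disable_managed_prometheus
  opts.auto_monitoring_scope = args.auto_monitoring_scope
  opts.enable_security_posture = args.enable_security_posture
  opts.network_performance_config = args.network_performance_configs
  opts.enable_k8s_beta_apis = args.enable_kubernetes_unstable_apis
  opts.compliance = args.compliance
  opts.compliance_standards = args.compliance_standards
  opts.security_posture = args.security_posture
  opts.workload_vulnerability_scanning = args.workload_vulnerability_scanning
  opts.enable_runtime_vulnerability_insight = (
      args.enable_runtime_vulnerability_insight
  )
  opts.workload_policies = args.workload_policies
  opts.remove_workload_policies = args.remove_workload_policies
  opts.enable_multi_networking = args.enable_multi_networking
  opts.containerd_config_from_file = args.containerd_config_from_file
  opts.fleet_project = args.fleet_project
  opts.enable_fleet = args.enable_fleet
  opts.clear_fleet_project = args.clear_fleet_project
  opts.membership_type = args.membership_type
  opts.unset_membership_type = args.unset_membership_type
  opts.enable_cilium_clusterwide_network_policy = (
      args.enable_cilium_clusterwide_network_policy
  )
  opts.enable_fqdn_network_policy = args.enable_fqdn_network_policy
  # NOTE(review): the "insecure" kubelet read-only port settings are
  # forwarded unchanged and this method shows no confirmation prompt for
  # them; any warning has to come from the flag definition or the API layer.
  opts.enable_insecure_kubelet_readonly_port = (
      args.enable_insecure_kubelet_readonly_port
  )
  opts.autoprovisioning_enable_insecure_kubelet_readonly_port = (
      args.autoprovisioning_enable_insecure_kubelet_readonly_port
  )
  opts.enable_ray_cluster_logging = args.enable_ray_cluster_logging
  opts.enable_ray_cluster_monitoring = args.enable_ray_cluster_monitoring
  opts.enable_secret_manager = args.enable_secret_manager
  opts.enable_secret_manager_rotation = args.enable_secret_manager_rotation
  opts.secret_manager_rotation_interval = (
      args.secret_manager_rotation_interval
  )
  # NOTE(review): same as above for the insecure RBAC binding settings -
  # passed through as given, with no prompt in this method.
  opts.enable_insecure_binding_system_authenticated = (
      args.enable_insecure_binding_system_authenticated
  )
  opts.enable_insecure_binding_system_unauthenticated = (
      args.enable_insecure_binding_system_unauthenticated
  )
  opts.enable_private_nodes = args.enable_private_nodes
  opts.enable_dns_access = args.enable_dns_access
  opts.disable_l4_lb_firewall_reconciliation = (
      args.disable_l4_lb_firewall_reconciliation
  )
  opts.enable_l4_lb_firewall_reconciliation = (
      args.enable_l4_lb_firewall_reconciliation
  )
  opts.tier = args.tier
  opts.enable_ip_access = args.enable_ip_access
  opts.enable_authorized_networks_on_private_endpoint = (
      args.enable_authorized_networks_on_private_endpoint
  )
  opts.enable_autopilot_compatibility_auditing = (
      args.enable_autopilot_compatibility_auditing
  )
  opts.service_account_verification_keys = (
      args.service_account_verification_keys
  )
  opts.service_account_signing_keys = args.service_account_signing_keys
  opts.control_plane_disk_encryption_key = (
      args.control_plane_disk_encryption_key
  )
  opts.anonymous_authentication_config = args.anonymous_authentication_config
  opts.patch_update = args.patch_update
  opts.enable_auto_ipam = args.enable_auto_ipam
  opts.disable_auto_ipam = args.disable_auto_ipam
  opts.enable_k8s_tokens_via_dns = args.enable_k8s_tokens_via_dns
  opts.enable_k8s_certs_via_dns = args.enable_k8s_certs_via_dns
  opts.enable_legacy_lustre_port = args.enable_legacy_lustre_port
  opts.disable_multi_nic_lustre = args.disable_multi_nic_lustre
  opts.enable_default_compute_class = args.enable_default_compute_class
  opts.network_tier = args.network_tier
  opts.control_plane_egress_mode = args.control_plane_egress
  opts.autopilot_privileged_admission = (
      args.autopilot_privileged_admission
  )
  # Read defensively: the attribute may be absent from args, in which case
  # the option is left as None.
  opts.enable_pod_snapshots = getattr(args, 'pod_snapshots_enabled', None)
  opts.enable_kernel_module_signature_enforcement = (
      args.enable_kernel_module_signature_enforcement
  )
  opts.enable_slice_controller = args.enable_slice_controller
  return opts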
|
|
|
|
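def Run(self, args):
  """This is what gets called when the user runs this command.

  Looks the cluster up (a lookup failure is fatal only when
  IsClusterRequired(args) returns True), then issues exactly one update call,
  chosen by the first branch of the if/elif chain below whose flag is set.
  Unless args.async_ is set, it waits for the operation and re-reads the
  cluster for follow-up work.

  Args:
    args: an argparse namespace. All the arguments that were provided to this
      command invocation.

  Returns:
    None. This method has no return statement; results are reported through
    log.

  Raises:
    exceptions.HttpException: wraps an apitools HttpError raised by an update
      call that is made inside one of the try blocks below.
  """
  adapter = self.context['api_adapter']
  location_get = self.context['location_get']
  location = location_get(args)
  cluster_ref = adapter.ParseCluster(args.name, location)
  cluster_name = args.name
  cluster_node_count = None
  cluster_zone = cluster_ref.zone
  cluster_is_required = self.IsClusterRequired(args)
  try:
    # Attempt to get cluster for better prompts and to validate args.
    # Error is a warning but not fatal. Should only exit with a failure on
    # the actual update API calls below.
    # NOTE(review): `cluster` stays unbound when this lookup fails and the
    # error is not re-raised; every branch below that reads cluster.* relies
    # on IsClusterRequired() returning True for its flag.
    cluster = adapter.GetCluster(cluster_ref)
    cluster_name = cluster.name
    cluster_node_count = cluster.currentNodeCount
    cluster_zone = cluster.zone
  except (
      exceptions.HttpException,
      apitools_exceptions.HttpForbiddenError,
      util.Error,
  ) as error:
    if cluster_is_required:
      raise
    log.warning(
        (
            'Problem loading details of cluster to update:\n\n{}\n\n'
            'You can still attempt updates to the cluster.\n'
        ).format(console_attr.SafeText(error))
    )

  if getattr(args, 'enable_pod_security_policy', None):
    log.status.Print(
        'Kubernetes has officially deprecated PodSecurityPolicy in version '
        '1.21 and will be removed in 1.25 with no upgrade path available '
        'with this feature enabled. For additional details, please refer to '
        'https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies'
    )

  container_command_util.CheckReleaseChannel(args)

  # locations will be None if additional-zones was not specified, an empty
  # list if it was specified with no argument, or a populated list if zones
  # were provided. We want to distinguish between the case where it isn't
  # specified (and thus shouldn't be passed on to the API) and the case where
  # it's specified as wanting no additional zones, in which case we must pass
  # the cluster's primary zone to the API.
  # TODO(b/29578401): Remove the hasattr once the flag is GA.
  locations = None
  if hasattr(args, 'additional_zones') and args.additional_zones is not None:
    locations = sorted([cluster_ref.zone] + args.additional_zones)
  if hasattr(args, 'node_locations') and args.node_locations is not None:
    locations = sorted(args.node_locations)

  if args.IsSpecified('username') or args.IsSpecified('enable_basic_auth'):
    flags.MungeBasicAuthFlags(args)
    options = api_adapter.SetMasterAuthOptions(
        action=api_adapter.SetMasterAuthOptions.SET_USERNAME,
        username=args.username,
        password=args.password,
    )

    try:
      op_ref = adapter.SetMasterAuth(cluster_ref, options)
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif (
      args.generate_password
      or args.set_password
      or args.IsSpecified('password')
  ):
    if args.generate_password:
      password = ''
      options = api_adapter.SetMasterAuthOptions(
          action=api_adapter.SetMasterAuthOptions.GENERATE_PASSWORD,
          password=password,
      )
    else:
      password = args.password
      if not args.IsSpecified('password'):
        # Read the secret without echoing it to the terminal. getpass falls
        # back to reading stdin (with a warning) when no terminal is
        # available, so piped input keeps working.
        import getpass  # pylint: disable=g-import-not-at-top

        password = getpass.getpass('Please enter the new password:')
      options = api_adapter.SetMasterAuthOptions(
          action=api_adapter.SetMasterAuthOptions.SET_PASSWORD,
          password=password,
      )

    try:
      op_ref = adapter.SetMasterAuth(cluster_ref, options)
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
    finally:
      # Drop the local references to the secret on every exit path.
      del password
      del options
  elif args.enable_network_policy is not None:
    console_io.PromptContinue(
        message=(
            'Enabling/Disabling Network Policy causes a rolling '
            'update of all cluster nodes, similar to performing a cluster '
            'upgrade. This operation is long-running and will block other '
            'operations on the cluster (including delete) until it has run '
            'to completion.'
        ),
        cancel_on_no=True,
    )
    options = api_adapter.SetNetworkPolicyOptions(
        enabled=args.enable_network_policy
    )
    try:
      op_ref = adapter.SetNetworkPolicy(cluster_ref, options)
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif args.start_ip_rotation or args.start_credential_rotation:
    # The trailing backslashes join the template lines; every joined line has
    # to end in a space so that words do not run together in the prompt.
    if args.start_ip_rotation:
      msg_tmpl = """This will start an IP Rotation on cluster [{name}]. The \
master will be updated to serve on a new IP address in addition to the current \
IP address. Kubernetes Engine will then schedule recreation of all nodes \
({num_nodes} nodes) to point to the new IP address. If maintenence window is \
used, nodes are not recreated until a maintenance window occurs. See \
documentation \
https://cloud.google.com/kubernetes-engine/docs/how-to/ip-rotation on how to \
manually update nodes. This operation is long-running and will block other \
operations on the cluster (including delete) until it has run to completion."""
      rotate_credentials = False
    elif args.start_credential_rotation:
      msg_tmpl = """This will start an IP and Credentials Rotation on cluster \
[{name}]. The master will be updated to serve on a new IP address in addition \
to the current IP address, and cluster credentials will be rotated. Kubernetes \
Engine will then schedule recreation of all nodes ({num_nodes} nodes) to point \
to the new IP address. If maintenence window is used, nodes are not recreated \
until a maintenance window occurs. See documentation \
https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation \
on how to manually update nodes. This operation is long-running and will block \
other operations on the cluster (including delete) until it has run to \
completion."""
      rotate_credentials = True
    console_io.PromptContinue(
        message=msg_tmpl.format(
            name=cluster_name,
            # The node count is unknown when the cluster lookup above failed.
            num_nodes=cluster_node_count if cluster_node_count else '?',
        ),
        cancel_on_no=True,
    )
    try:
      op_ref = adapter.StartIpRotation(
          cluster_ref, rotate_credentials=rotate_credentials
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif args.complete_ip_rotation or args.complete_credential_rotation:
    msg_tmpl = None
    if args.complete_ip_rotation:
      msg_tmpl = """This will complete the in-progress IP Rotation on \
cluster [{name}]. The master will be updated to stop serving on the old IP \
address and only serve on the new IP address. Make sure all API clients have \
been updated to communicate with the new IP address (e.g. by running `gcloud \
container clusters get-credentials --project {project} --location {zone} \
{name}`). If maintenence window is used, nodes are not recreated until a \
maintenance window occurs. See documentation \
https://cloud.google.com/kubernetes-engine/docs/how-to/ip-rotation on how to \
manually update nodes. This operation is long-running and will block other \
operations on the cluster (including delete) until it has run to \
completion."""
    elif args.complete_credential_rotation:
      msg_tmpl = """This will complete the in-progress Credential Rotation on \
cluster [{name}]. The master will be updated to stop serving on the old IP \
address and only serve on the new IP address. Old cluster credentials will be \
invalidated. Make sure all API clients have been updated to communicate with \
the new IP address (e.g. by running `gcloud container clusters get-credentials \
--project {project} --location {zone} {name}`). If maintenence window is used, \
nodes are not recreated until a maintenance window occurs. See documentation \
https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation \
on how to manually update nodes. This operation is long-running and \
will block other operations on the cluster (including delete) until it has run \
to completion."""
    console_io.PromptContinue(
        message=msg_tmpl.format(
            name=cluster_name,
            project=cluster_ref.projectId,
            zone=cluster_zone,
        ),
        cancel_on_no=True,
    )
    try:
      op_ref = adapter.CompleteIpRotation(cluster_ref)
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif args.update_labels is not None:
    try:
      op_ref = adapter.UpdateLabels(cluster_ref, args.update_labels)
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif args.remove_labels is not None:
    try:
      op_ref = adapter.RemoveLabels(cluster_ref, args.remove_labels)
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif args.logging_service is not None and args.monitoring_service is None:
    try:
      op_ref = adapter.SetLoggingService(cluster_ref, args.logging_service)
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif args.maintenance_window is not None:
    try:
      op_ref = adapter.SetDailyMaintenanceWindow(
          cluster_ref, cluster.maintenancePolicy, args.maintenance_window
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'maintenance_window_start', None) is not None:
    try:
      op_ref = adapter.SetRecurringMaintenanceWindow(
          cluster_ref,
          cluster.maintenancePolicy,
          args.maintenance_window_start,
          args.maintenance_window_end,
          args.maintenance_window_recurrence,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'clear_maintenance_window', None):
    try:
      op_ref = adapter.RemoveMaintenanceWindow(
          cluster_ref, cluster.maintenancePolicy
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'add_maintenance_exclusion_end', None) is not None:
    try:
      op_ref = adapter.AddMaintenanceExclusion(
          cluster_ref,
          cluster.maintenancePolicy,
          args.add_maintenance_exclusion_name,
          args.add_maintenance_exclusion_start,
          args.add_maintenance_exclusion_end,
          args.add_maintenance_exclusion_scope,
          args.add_maintenance_exclusion_until_end_of_support,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif args.add_maintenance_exclusion_until_end_of_support is not None:
    try:
      # Same call as the branch above, with no explicit end time.
      op_ref = adapter.AddMaintenanceExclusion(
          cluster_ref,
          cluster.maintenancePolicy,
          args.add_maintenance_exclusion_name,
          args.add_maintenance_exclusion_start,
          None,
          args.add_maintenance_exclusion_scope,
          args.add_maintenance_exclusion_until_end_of_support,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'remove_maintenance_exclusion', None) is not None:
    try:
      op_ref = adapter.RemoveMaintenanceExclusion(
          cluster_ref,
          cluster.maintenancePolicy,
          args.remove_maintenance_exclusion,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'add_cross_connect_subnetworks', None) is not None:
    try:
      op_ref = adapter.ModifyCrossConnectSubnetworks(
          cluster_ref,
          cluster.privateClusterConfig.crossConnectConfig,
          add_subnetworks=args.add_cross_connect_subnetworks,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'remove_cross_connect_subnetworks', None) is not None:
    try:
      op_ref = adapter.ModifyCrossConnectSubnetworks(
          cluster_ref,
          cluster.privateClusterConfig.crossConnectConfig,
          remove_subnetworks=args.remove_cross_connect_subnetworks,
      )

    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'clear_cross_connect_subnetworks', None) is not None:
    try:
      op_ref = adapter.ModifyCrossConnectSubnetworks(
          cluster_ref,
          cluster.privateClusterConfig.crossConnectConfig,
          clear_all_subnetworks=True,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif (
      getattr(args, 'enable_insecure_kubelet_readonly_port', None) is not None
  ):
    # NOTE(review): unlike the network-policy and rotation branches, this
    # security-relevant toggle is sent without a confirmation prompt.
    try:
      op_ref = adapter.ModifyInsecureKubeletReadonlyPortEnabled(
          cluster_ref,
          args.enable_insecure_kubelet_readonly_port,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif (
      getattr(
          args, 'autoprovisioning_enable_insecure_kubelet_readonly_port', None
      )
      is not None
  ):
    try:
      op_ref = (
          adapter.ModifyAutoprovisioningInsecureKubeletReadonlyPortEnabled(
              cluster_ref,
              args.autoprovisioning_enable_insecure_kubelet_readonly_port,
          )
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)

  elif getattr(args, 'complete_convert_to_autopilot', None) is not None:
    try:
      op_ref = adapter.CompleteConvertToAutopilot(cluster_ref)
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif (
      getattr(args, 'enable_binauthz', None) is not None
      or getattr(args, 'binauthz_evaluation_mode', None) is not None
      or getattr(args, 'binauthz_policy_bindings', None) is not None
  ):
    try:
      op_ref = adapter.ModifyBinaryAuthorization(
          cluster_ref,
          cluster.binaryAuthorization,
          args.enable_binauthz,
          args.binauthz_evaluation_mode,
          # TODO(b/287101245): switch this to args.binauthz_policy_bindings
          # once that flag is GA.
          getattr(args, 'binauthz_policy_bindings', None),
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'enable_ray_cluster_logging', None) is not None:
    try:
      op_ref = adapter.ModifyRayClusterLoggingConfig(
          cluster_ref,
          args.enable_ray_cluster_logging,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'enable_ray_cluster_monitoring', None) is not None:
    try:
      op_ref = adapter.ModifyRayClusterMonitoringConfig(
          cluster_ref,
          args.enable_ray_cluster_monitoring,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'enable_legacy_lustre_port', None) is not None:
    try:
      op_ref = adapter.ModifyLegacyLustrePortEnabled(
          cluster_ref,
          args.enable_legacy_lustre_port,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'disable_multi_nic_lustre', None) is not None:
    try:
      op_ref = adapter.ModifyMultiNicLustreDisabled(
          cluster_ref,
          args.disable_multi_nic_lustre,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif (
      getattr(args, 'enable_insecure_binding_system_authenticated', None)
      is not None
      or getattr(args, 'enable_insecure_binding_system_unauthenticated', None)
      is not None
  ):
    # NOTE(review): both values are forwarded as given, without a
    # confirmation prompt; a flag that was not specified is passed as None.
    try:
      op_ref = adapter.ModifyRBACBindingConfig(
          cluster_ref,
          args.enable_insecure_binding_system_authenticated,
          args.enable_insecure_binding_system_unauthenticated,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'autoprovisioning_cgroup_mode', None) is not None:
    try:
      op_ref = adapter.ModifyAutoprovisioningCgroupMode(
          cluster_ref,
          args.autoprovisioning_cgroup_mode,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'anonymous_authentication_config', None) is not None:
    try:
      op_ref = adapter.ModifyAnonymousAuthenticationConfig(
          cluster_ref,
          args.anonymous_authentication_config,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif getattr(args, 'control_plane_egress', None) is not None:
    try:
      op_ref = adapter.ModifyControlPlaneEgress(
          cluster_ref,
          args.control_plane_egress,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  elif (
      getattr(args, 'enable_kernel_module_signature_enforcement', None)
      is not None
  ):
    try:
      op_ref = adapter.ModifyKernelModuleSignatureEnforcement(
          cluster_ref,
          args.enable_kernel_module_signature_enforcement,
      )
    except apitools_exceptions.HttpError as error:
      raise exceptions.HttpException(error, util.HTTP_ERROR_FORMAT)
  else:
    # No dedicated call matched. The two calls in this branch are not wrapped
    # in the HttpError -> HttpException translation used above.
    if args.enable_legacy_authorization is not None:
      op_ref = adapter.SetLegacyAuthorization(
          cluster_ref, args.enable_legacy_authorization
      )
    else:
      options = self.ParseUpdateOptions(args, locations)

      # Image streaming feature requires Container File System API to be
      # enabled.
      # Checking whether the API has been enabled, and warning if not.
      if options.enable_image_streaming:
        util.CheckForContainerFileSystemApiEnablementWithPrompt(
            cluster_ref.projectId
        )

      # Turning logging or monitoring off removes visibility into the
      # cluster, so confirm when a prompt is possible and print the warning
      # otherwise.
      if options.logging == ['NONE']:
        if console_io.CanPrompt():
          console_io.PromptContinue(
              message=constants.LOGGING_DISABLED_WARNING,
              cancel_on_no=True,
          )
        else:
          log.status.Print(constants.LOGGING_DISABLED_WARNING)

      if options.monitoring == ['NONE']:
        if console_io.CanPrompt():
          console_io.PromptContinue(
              message=constants.MONITORING_DISABLED_WARNING,
              cancel_on_no=True,
          )
        else:
          log.status.Print(constants.MONITORING_DISABLED_WARNING)

      op_ref = adapter.UpdateCluster(cluster_ref, options)

  if not args.async_:
    adapter.WaitForOperation(
        op_ref,
        'Updating {0}'.format(cluster_ref.clusterId),
        timeout_s=args.timeout,
    )

    log.UpdatedResource(cluster_ref)
    cluster_url = util.GenerateClusterUrl(cluster_ref)
    log.status.Print(
        'To inspect the contents of your cluster, go to: ' + cluster_url
    )

    if (
        args.start_ip_rotation
        or args.complete_ip_rotation
        or args.start_credential_rotation
        or args.complete_credential_rotation
    ):
      # After a rotation, re-read the cluster and persist its configuration
      # again; here a failed lookup is not caught.
      cluster = adapter.GetCluster(cluster_ref)
      try:
        util.ClusterConfig.Persist(cluster, cluster_ref.projectId)
      except kconfig.MissingEnvVarError as error:
        log.warning(error)
      for node_pool in cluster.nodePools:
        util.CheckForCgroupModeV1(node_pool)
    else:
      # Best effort only: a failed lookup is downgraded to a warning.
      try:
        cluster = adapter.GetCluster(cluster_ref)
        for node_pool in cluster.nodePools:
          util.CheckForCgroupModeV1(node_pool)
      except (
          exceptions.HttpException,
          apitools_exceptions.HttpForbiddenError,
          util.Error,
      ) as error:
        log.warning(
            util.CGROUPV1_CHECKING_FAILURE_MSG.format(
                console_attr.SafeText(error)
            )
        )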
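def IsClusterRequired(self, args):
  """Returns if failure getting the cluster should be an error.

  Run() only warns when its initial cluster lookup fails, unless this method
  returns True. Every flag whose Run() branch reads the fetched cluster
  object therefore has to be covered here; otherwise a failed lookup ends in
  an unbound `cluster` name instead of the original lookup error.

  Args:
    args: an argparse namespace. A flag that is missing from the namespace is
      treated as unset.

  Returns:
    True if a flag was given that needs the fetched cluster, else False.
  """
  # Flags that are tested for truthiness.
  truthy_flags = (
      'maintenance_window_end',
      'clear_maintenance_window',
      'add_maintenance_exclusion_end',
      'remove_maintenance_exclusion',
      'add_cross_connect_subnetworks',
      'remove_cross_connect_subnetworks',
      'clear_cross_connect_subnetworks',
      'enable_google_cloud_access',
  )
  # Flags that Run() dispatches on with `is not None` and whose branch reads
  # cluster.maintenancePolicy or cluster.binaryAuthorization. A falsy value
  # such as False still selects the branch, so test presence, not truth.
  present_flags = (
      'maintenance_window',
      'maintenance_window_start',
      'add_maintenance_exclusion_until_end_of_support',
      'enable_binauthz',
      'binauthz_evaluation_mode',
      'binauthz_policy_bindings',
  )
  return any(getattr(args, name, False) for name in truthy_flags) or any(
      getattr(args, name, None) is not None for name in present_flags
  )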
@base.ReleaseTracks(base.ReleaseTrack.BETA)
class UpdateBeta(Update):
"""Update cluster settings for an existing container cluster."""
@staticmethod
def Args(parser):
  """Registers the flags of the BETA track update command on the parser.

  Nearly every flag is added to one required, mutually exclusive group; the
  nested groups hold flags that are registered together. The registration
  order is kept exactly as it was.

  Args:
    parser: the argument parser the flags are added to.
  """
  _AddCommonArgs(parser)
  exclusive = parser.add_mutually_exclusive_group(required=True)
  _AddMutuallyExclusiveArgs(exclusive, base.ReleaseTrack.BETA)
  flags.AddClusterAutoscalingFlags(parser, exclusive)

  # Node locations: the deprecated additional-zones flag or its replacement.
  zone_flags = exclusive.add_mutually_exclusive_group()
  _AddAdditionalZonesArg(zone_flags, deprecated=True)
  flags.AddNodeLocationsFlag(zone_flags)

  # Logging and monitoring service flags.
  legacy_observability = exclusive.add_group()
  flags.AddLoggingServiceFlag(legacy_observability)
  flags.AddMonitoringServiceFlag(legacy_observability)

  # Logging and monitoring configuration flags.
  observability_config = exclusive.add_group()
  flags.AddLoggingFlag(observability_config)
  flags.AddMonitoringFlag(observability_config)
  flags.AddManagedPrometheusFlags(observability_config)
  flags.AddAutoMonitoringScopeFlags(observability_config, hidden=False)
  flags.AddManagedOTelScopeFlags(observability_config, hidden=True)

  flags.AddEnableStackdriverKubernetesFlag(exclusive)
  flags.AddEnableLoggingMonitoringSystemOnlyFlag(exclusive)
  flags.AddEnableWorkloadMonitoringEapFlag(exclusive)
  flags.AddEnableMasterSignalsFlags(exclusive)
  flags.AddEnableLegacyAuthorizationFlag(exclusive)
  flags.AddStartIpRotationFlag(exclusive)
  flags.AddStartCredentialRotationFlag(exclusive)
  flags.AddCompleteIpRotationFlag(exclusive)
  flags.AddCompleteCredentialRotationFlag(exclusive)
  flags.AddUpdateLabelsFlag(exclusive)
  flags.AddRemoveLabelsFlag(exclusive)
  flags.AddNetworkPolicyFlags(exclusive)
  flags.AddDailyMaintenanceWindowFlag(exclusive, add_unset_text=True)
  flags.AddRecurringMaintenanceWindowFlags(exclusive, is_update=True)
  flags.AddPodSecurityPolicyFlag(exclusive)
  flags.AddBinauthzFlags(exclusive, release_track=base.ReleaseTrack.BETA)
  flags.AddAutoprovisioningFlags(exclusive, napless=True)
  flags.AddAutoscalingProfilesFlag(exclusive)
  flags.AddVerticalPodAutoscalingFlags(exclusive, experimental=True)
  flags.AddResourceUsageExportFlags(exclusive, is_update=True)
  # These two are registered on the parser itself, not on the group.
  flags.AddIstioConfigFlag(parser)
  flags.AddCloudRunConfigFlag(parser)
  flags.AddEnableIntraNodeVisibilityFlag(exclusive)
  flags.AddWorkloadAltsFlags(exclusive)
  flags.AddWorkloadCertificatesFlags(exclusive)
  flags.AddMeshCertificatesFlags(exclusive)
  flags.AddWorkloadIdentityFlags(exclusive, use_identity_provider=True)
  flags.AddWorkloadIdentityUpdateFlags(exclusive)
  flags.AddGkeOidcFlag(exclusive)
  flags.AddIdentityServiceFlag(exclusive)
  flags.AddDatabaseEncryptionFlag(exclusive)
  flags.AddDisableDatabaseEncryptionFlag(exclusive)
  flags.AddReleaseChannelFlag(exclusive, is_update=True, hidden=False)
  flags.AddEnableShieldedNodesFlags(exclusive)
  flags.AddTpuFlags(exclusive, enable_tpu_service_networking=True)
  flags.AddDisableDefaultSnatFlag(exclusive, for_cluster_create=False)
  flags.AddNotificationConfigFlag(exclusive)
  flags.AddPrivateIpv6GoogleAccessTypeFlag('v1beta1', exclusive, hidden=False)
  flags.AddKubernetesObjectsExportConfig(exclusive)
  flags.AddDisableAutopilotFlag(exclusive)
  flags.AddILBSubsettingFlags(exclusive, hidden=False)
  flags.AddClusterDNSFlags(exclusive, hidden=False)
  flags.AddCrossConnectSubnetworksMutationFlags(exclusive)
  flags.AddEnableServiceExternalIPs(exclusive)
  flags.AddAuthenticatorSecurityGroupFlags(exclusive)
  flags.AddEnableGcfsFlag(exclusive)
  flags.AddAutoprovisioningNetworkTagsUpdate(exclusive)
  flags.AddEnableImageStreamingFlag(exclusive)
  flags.AddMaintenanceIntervalFlag(exclusive)
  flags.AddDataplaneV2Flag(exclusive, hidden=True)

  dpv2_observability = exclusive.add_group()
  flags.AddDataplaneV2MetricsFlag(dpv2_observability)
  flags.AddDataplaneV2ObservabilityFlags(dpv2_observability)

  flags.AddWorkloadConfigAuditFlag(exclusive)
  flags.AddHPAProfilesFlag(exclusive)
  flags.AddWorkloadVulnScanningFlag(exclusive)
  flags.AddCostManagementConfigFlag(exclusive, is_update=True)
  flags.AddStackTypeFlag(exclusive)
  flags.AddLoggingVariantFlag(exclusive)

  pod_ipv4_ranges = exclusive.add_group(hidden=False)
  flags.AddAdditionalPodIpv4RangesFlag(pod_ipv4_ranges)
  flags.AddRemoveAdditionalPodIpv4RangesFlag(pod_ipv4_ranges)

  flags.AddGatewayFlags(exclusive, hidden=False)
  flags.AddComplianceFlags(exclusive, hidden=True)
  flags.AddSecurityPostureFlag(exclusive)
  flags.AddClusterNetworkPerformanceConfigFlags(exclusive)
  flags.AddEnableK8sBetaAPIs(exclusive)
  flags.AddSecurityPostureEnumFlag(exclusive)
  flags.AddWorkloadVulnScanningEnumFlag(exclusive)
  flags.AddRuntimeVulnerabilityInsightFlag(exclusive)
  flags.AddWorkloadPoliciesFlag(exclusive)
  flags.AddAutopilotWorkloadPoliciesFlag(exclusive)
  flags.AddRemoveWorkloadPoliciesFlag(exclusive)
  flags.AddRemoveAutopilotWorkloadPoliciesFlag(exclusive)
  flags.AddEnableFqdnNetworkPolicyFlag(exclusive)
  flags.AddHostMaintenanceIntervalFlag(exclusive)
  flags.AddInTransitEncryptionFlag(exclusive)
  flags.AddEnableMultiNetworkingFlag(exclusive)
  flags.AddContainerdConfigFlag(exclusive)
  flags.AddAutoprovisioningResourceManagerTagsUpdate(exclusive)
  flags.AddConvertToAutopilotFlag(exclusive)
  flags.AddCompleteConvertToAutopilotFlag(exclusive)
  flags.AddConvertToStandardFlag(exclusive)
  flags.AddSecretManagerEnableFlagGroup(exclusive, is_update=True)
  flags.AddSecretSyncFlagGroup(exclusive, hidden=False, is_update=True)
  flags.AddEnableCiliumClusterwideNetworkPolicyFlag(exclusive, is_update=True)
  flags.AddEnableKubeletReadonlyPortFlag(exclusive)
  flags.AddAutoprovisioningEnableKubeletReadonlyPortFlag(exclusive)
  flags.AddEnableRayClusterLogging(exclusive, is_update=True)
  flags.AddEnableRayClusterMonitoring(exclusive, is_update=True)
  flags.AddInsecureRBACBindingFlags(exclusive, hidden=False)

  additional_ip_ranges = exclusive.add_group()
  flags.AddAdditionalIpRangesFlag(additional_ip_ranges)
  flags.AddRemoveAdditionalIpRangesFlag(additional_ip_ranges)

  drain_ip_ranges = exclusive.add_group(hidden=True)
  flags.AddDrainAdditionalIpRangesFlag(drain_ip_ranges)
  flags.AddUndrainAdditionalIpRangesFlag(drain_ip_ranges)

  flags.AddClusterEnablePrivateNodesFlag(exclusive)
  flags.AddDisableL4LbFirewallReconciliationFlag(exclusive, is_update=True)
  flags.AddClusterTierFlag(exclusive)
  flags.AddAutoprovisioningCgroupModeFlag(exclusive)
  flags.AddEnableAutopilotCompatibilityAuditingFlag(exclusive)
  flags.AddAnonymousAuthenticationConfigFlag(exclusive)

  # Flags that control how the control plane endpoints can be reached.
  control_plane_endpoints = exclusive.add_group()
  flags.AddMasterAuthorizedNetworksFlags(control_plane_endpoints)
  flags.AddEnableIPAccessFlag(control_plane_endpoints)
  flags.AddMasterGlobalAccessFlag(control_plane_endpoints)
  flags.AddEnablePrivateEndpoint(control_plane_endpoints)
  flags.AddEnableGoogleCloudAccess(control_plane_endpoints)
  flags.AddAauthorizedNetworksOnPrivateEndpointFlag(control_plane_endpoints)
  flags.AddEnableDNSAccessFlag(control_plane_endpoints)
  flags.AddEnableK8sTokensViaDnsFlag(control_plane_endpoints)
  flags.AddEnableK8sCertsViaDnsFlag(control_plane_endpoints)

  flags.AddServiceAccountVerificationKeysFlag(exclusive)
  flags.AddServiceAccountSigningKeysFlag(exclusive)
  flags.AddControlPlaneDiskEncryptionKeyFlag(exclusive)
  flags.AddPatchUpdateFlag(exclusive)
  flags.AddAutoIpamFlag(exclusive, is_update=True)
  flags.AddEnableLegacyLustrePortFlag(exclusive, hidden=False)
  flags.AddDisableMultiNicLustreFlag(exclusive, hidden=True)
  flags.AddEnableDefaultComputeClassFlag(exclusive)

  fleet = exclusive.add_group()
  flags.AddFleetProjectFlag(fleet, is_update=True)
  flags.AddMembershipTypeFlags(fleet, is_update=True)

  flags.AddNetworkTierFlag(exclusive)
  flags.AddControlPlaneEgressFlag(exclusive)
  flags.AddAutopilotPrivilegedAdmissionFlag(exclusive, hidden=True)
  flags.AddPodSnapshotConfigFlags(exclusive, hidden=False)
  flags.AddEnableKernelModuleSignatureEnforcementFlag(exclusive)
  flags.AddEnableSliceControllerFlag(exclusive, hidden=True)
  flags.AddAutopilotGeneralProfileFlag(exclusive)
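def ParseUpdateOptions(self, args, locations):
  """Builds the cluster update options from the parsed command-line flags.

  Starts from container_command_util.ParseUpdateOptionsBase and copies the
  additional flag values handled by this command class onto the result.
  Validation helpers from the flags module run first, and two changes ask
  for interactive confirmation via console_io.PromptContinue with
  cancel_on_no=True: a NodeLocalDNS addon change and enabling L4 ILB
  subsetting.

  NOTE(review): when prompts are disabled (for example in automation),
  PromptContinue is expected to return its default instead of blocking, so
  these confirmations should be read as warnings rather than gates; confirm
  against console_io.

  Args:
    args: The parsed argument namespace for the command.
    locations: Passed through unchanged to ParseUpdateOptionsBase.

  Returns:
    The options object returned by ParseUpdateOptionsBase with the fields
    below set from args.
  """

  def get_default(key):
    return getattr(args, key)

  flags.ValidateNotificationConfigFlag(args)
  opts = container_command_util.ParseUpdateOptionsBase(args, locations)
  opts.enable_pod_security_policy = args.enable_pod_security_policy
  opts.istio_config = args.istio_config
  opts.cloud_run_config = flags.GetLegacyCloudRunFlag(
      '{}_config', args, get_default
  )
  opts.resource_usage_bigquery_dataset = args.resource_usage_bigquery_dataset
  opts.enable_intra_node_visibility = args.enable_intra_node_visibility
  opts.clear_resource_usage_bigquery_dataset = (
      args.clear_resource_usage_bigquery_dataset
  )
  opts.enable_network_egress_metering = args.enable_network_egress_metering
  opts.enable_resource_consumption_metering = (
      args.enable_resource_consumption_metering
  )
  opts.enable_workload_certificates = args.enable_workload_certificates
  opts.enable_alts = args.enable_alts
  opts.enable_experimental_vertical_pod_autoscaling = (
      args.enable_experimental_vertical_pod_autoscaling
  )
  # The Istio and Cloud Run configs are only checked in combination with the
  # addon selection, so both validators receive args.disable_addons.
  flags.ValidateIstioConfigUpdateArgs(args.istio_config, args.disable_addons)
  flags.ValidateCloudRunConfigUpdateArgs(
      opts.cloud_run_config, args.disable_addons
  )
  if args.disable_addons and api_adapter.NODELOCALDNS in args.disable_addons:
    # NodeLocalDNS is being enabled or disabled
    console_io.PromptContinue(
        message=(
            'Enabling/Disabling NodeLocal DNSCache causes a re-creation of'
            ' all cluster nodes at versions 1.15 or above. This operation is'
            ' long-running and will block other operations on the cluster'
            ' (including delete) until it has run to completion. If you use'
            ' maintenance windows, cluster nodes will only be re-created'
            ' during a maintenance window. If you prefer not to wait, you can'
            ' manually "upgrade" your node pools to the same version they are'
            ' already using, by setting the --cluster-version flag to the'
            ' same GKE version the nodes are already running.'
        ),
        cancel_on_no=True,
    )

  opts.enable_stackdriver_kubernetes = args.enable_stackdriver_kubernetes
  opts.enable_logging_monitoring_system_only = (
      args.enable_logging_monitoring_system_only
  )
  opts.master_logs = args.master_logs
  opts.no_master_logs = args.no_master_logs
  opts.enable_master_metrics = args.enable_master_metrics
  opts.release_channel = args.release_channel
  opts.autoscaling_profile = args.autoscaling_profile

  # Top-level update options are automatically forced to be
  # mutually-exclusive, so we don't need special handling for these two.
  opts.identity_provider = args.identity_provider
  opts.enable_shielded_nodes = args.enable_shielded_nodes
  opts.enable_tpu = args.enable_tpu
  opts.tpu_ipv4_cidr = args.tpu_ipv4_cidr
  opts.enable_tpu_service_networking = args.enable_tpu_service_networking
  opts.enable_master_global_access = args.enable_master_global_access
  opts.disable_default_snat = args.disable_default_snat
  opts.notification_config = args.notification_config
  opts.kubernetes_objects_changes_target = (
      args.kubernetes_objects_changes_target
  )
  opts.kubernetes_objects_snapshots_target = (
      args.kubernetes_objects_snapshots_target
  )
  opts.enable_gke_oidc = args.enable_gke_oidc
  opts.enable_identity_service = args.enable_identity_service
  opts.enable_workload_monitoring_eap = args.enable_workload_monitoring_eap
  opts.enable_managed_prometheus = args.enable_managed_prometheus
  opts.disable_managed_prometheus = args.disable_managed_prometheus
  opts.auto_monitoring_scope = args.auto_monitoring_scope
  opts.disable_autopilot = args.disable_autopilot
  opts.enable_l4_ilb_subsetting = args.enable_l4_ilb_subsetting
  if opts.enable_l4_ilb_subsetting:
    # Irreversible change: each sentence ends with a space so the adjacent
    # string literals do not run together in the prompt.
    console_io.PromptContinue(
        message=(
            'Enabling L4 ILB Subsetting is a one-way operation. '
            'Once enabled, this configuration cannot be disabled. '
            'Existing ILB services should be recreated to use Subsetting.'
        ),
        cancel_on_no=True,
    )
  opts.cluster_dns = args.cluster_dns
  opts.cluster_dns_scope = args.cluster_dns_scope
  opts.cluster_dns_domain = args.cluster_dns_domain
  opts.disable_additive_vpc_scope = args.disable_additive_vpc_scope
  opts.additive_vpc_scope_dns_domain = args.additive_vpc_scope_dns_domain
  opts.enable_service_externalips = args.enable_service_externalips
  opts.security_group = args.security_group
  opts.enable_gcfs = args.enable_gcfs
  opts.autoprovisioning_network_tags = args.autoprovisioning_network_tags
  opts.enable_image_streaming = args.enable_image_streaming
  opts.maintenance_interval = args.maintenance_interval
  opts.dataplane_v2 = args.enable_dataplane_v2
  opts.enable_dataplane_v2_metrics = args.enable_dataplane_v2_metrics
  opts.disable_dataplane_v2_metrics = args.disable_dataplane_v2_metrics
  opts.enable_dataplane_v2_flow_observability = (
      args.enable_dataplane_v2_flow_observability
  )
  opts.disable_dataplane_v2_flow_observability = (
      args.disable_dataplane_v2_flow_observability
  )
  opts.dataplane_v2_observability_mode = args.dataplane_v2_observability_mode
  opts.enable_workload_config_audit = args.enable_workload_config_audit
  opts.hpa_profile = args.hpa_profile
  opts.enable_workload_vulnerability_scanning = (
      args.enable_workload_vulnerability_scanning
  )
  opts.enable_private_endpoint = args.enable_private_endpoint
  opts.enable_google_cloud_access = args.enable_google_cloud_access
  opts.enable_cost_allocation = args.enable_cost_allocation
  opts.binauthz_evaluation_mode = args.binauthz_evaluation_mode
  opts.binauthz_policy_bindings = args.binauthz_policy_bindings
  opts.stack_type = args.stack_type
  opts.logging_variant = args.logging_variant
  opts.additional_pod_ipv4_ranges = args.additional_pod_ipv4_ranges
  # The option field is named "removed_..." while the flag attribute is
  # "remove_..."; the mismatch is in the original and is kept as-is.
  opts.removed_additional_pod_ipv4_ranges = (
      args.remove_additional_pod_ipv4_ranges
  )
  opts.additional_ip_ranges = args.additional_ip_ranges
  opts.remove_additional_ip_ranges = args.remove_additional_ip_ranges
  opts.drain_additional_ip_ranges = args.drain_additional_ip_ranges
  opts.undrain_additional_ip_ranges = args.undrain_additional_ip_ranges
  opts.gateway_api = args.gateway_api
  opts.fleet_project = args.fleet_project
  opts.enable_fleet = args.enable_fleet
  opts.membership_type = args.membership_type
  opts.unset_membership_type = args.unset_membership_type
  opts.clear_fleet_project = args.clear_fleet_project
  opts.enable_security_posture = args.enable_security_posture
  opts.network_performance_config = args.network_performance_configs
  opts.enable_k8s_beta_apis = args.enable_kubernetes_unstable_apis
  opts.compliance = args.compliance
  opts.compliance_standards = args.compliance_standards
  opts.security_posture = args.security_posture
  opts.workload_vulnerability_scanning = args.workload_vulnerability_scanning
  opts.enable_runtime_vulnerability_insight = (
      args.enable_runtime_vulnerability_insight
  )
  opts.workload_policies = args.workload_policies
  opts.remove_workload_policies = args.remove_workload_policies
  opts.enable_fqdn_network_policy = args.enable_fqdn_network_policy
  opts.host_maintenance_interval = args.host_maintenance_interval
  opts.enable_multi_networking = args.enable_multi_networking
  opts.containerd_config_from_file = args.containerd_config_from_file
  opts.convert_to_autopilot = args.convert_to_autopilot
  opts.complete_convert_to_autopilot = args.complete_convert_to_autopilot
  opts.convert_to_standard = args.convert_to_standard
  opts.enable_secret_manager = args.enable_secret_manager
  opts.enable_secret_manager_rotation = args.enable_secret_manager_rotation
  opts.secret_manager_rotation_interval = (
      args.secret_manager_rotation_interval
  )
  opts.enable_secret_sync = args.enable_secret_sync
  opts.enable_secret_sync_rotation = args.enable_secret_sync_rotation
  opts.secret_sync_rotation_interval = args.secret_sync_rotation_interval
  opts.enable_cilium_clusterwide_network_policy = (
      args.enable_cilium_clusterwide_network_policy
  )
  # Security-relevant pass-throughs: the flag names themselves mark these
  # settings as insecure. They are copied as-is, with no confirmation prompt
  # in this method (unlike the NodeLocalDNS and L4 ILB cases above).
  opts.enable_insecure_kubelet_readonly_port = (
      args.enable_insecure_kubelet_readonly_port
  )
  opts.autoprovisioning_enable_insecure_kubelet_readonly_port = (
      args.autoprovisioning_enable_insecure_kubelet_readonly_port
  )
  opts.enable_ray_cluster_logging = args.enable_ray_cluster_logging
  opts.enable_ray_cluster_monitoring = args.enable_ray_cluster_monitoring
  # NOTE(review): presumably these gate RBAC bindings that reference the
  # system:authenticated / system:unauthenticated groups; confirm against
  # the flag definitions in the flags module.
  opts.enable_insecure_binding_system_authenticated = (
      args.enable_insecure_binding_system_authenticated
  )
  opts.enable_insecure_binding_system_unauthenticated = (
      args.enable_insecure_binding_system_unauthenticated
  )
  opts.enable_private_nodes = args.enable_private_nodes
  opts.enable_dns_access = args.enable_dns_access
  opts.disable_l4_lb_firewall_reconciliation = (
      args.disable_l4_lb_firewall_reconciliation
  )
  opts.enable_l4_lb_firewall_reconciliation = (
      args.enable_l4_lb_firewall_reconciliation
  )
  opts.tier = args.tier
  opts.enable_ip_access = args.enable_ip_access
  opts.enable_authorized_networks_on_private_endpoint = (
      args.enable_authorized_networks_on_private_endpoint
  )
  opts.enable_autopilot_compatibility_auditing = (
      args.enable_autopilot_compatibility_auditing
  )
  opts.service_account_verification_keys = (
      args.service_account_verification_keys
  )
  opts.service_account_signing_keys = args.service_account_signing_keys
  opts.control_plane_disk_encryption_key = (
      args.control_plane_disk_encryption_key
  )
  # Forwarded unchanged; any validation of the anonymous-authentication
  # setting is not visible in this method.
  opts.anonymous_authentication_config = args.anonymous_authentication_config
  opts.patch_update = args.patch_update
  opts.enable_auto_ipam = args.enable_auto_ipam
  opts.disable_auto_ipam = args.disable_auto_ipam
  opts.enable_k8s_tokens_via_dns = args.enable_k8s_tokens_via_dns
  opts.enable_k8s_certs_via_dns = args.enable_k8s_certs_via_dns
  opts.enable_legacy_lustre_port = args.enable_legacy_lustre_port
  opts.disable_multi_nic_lustre = args.disable_multi_nic_lustre
  opts.enable_default_compute_class = args.enable_default_compute_class
  opts.network_tier = args.network_tier
  opts.control_plane_egress_mode = args.control_plane_egress
  opts.managed_otel_scope = args.managed_otel_scope
  opts.autopilot_privileged_admission = (
      args.autopilot_privileged_admission
  )
  opts.enable_kernel_module_signature_enforcement = (
      args.enable_kernel_module_signature_enforcement
  )
  opts.autopilot_general_profile = args.autopilot_general_profile
  return opts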
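@base.ReleaseTracks(base.ReleaseTrack.ALPHA)
class UpdateAlpha(Update):
  """Update cluster settings for an existing container cluster."""

  @staticmethod
  def Args(parser):
    """Registers the flags accepted by the ALPHA track of this command.

    Most flags are added to one required, mutually exclusive group, so a
    single invocation carries exactly one top-level update option. Related
    flags are placed in nested groups so they can be given together.

    Args:
      parser: The argument parser the flags are registered on.
    """
    _AddCommonArgs(parser)
    # Required and mutually exclusive: exactly one update option per call.
    group = parser.add_mutually_exclusive_group(required=True)
    _AddMutuallyExclusiveArgs(group, base.ReleaseTrack.ALPHA)
    flags.AddClusterAutoscalingFlags(parser, group)
    group_locations = group.add_mutually_exclusive_group()
    _AddAdditionalZonesArg(group_locations, deprecated=True)
    flags.AddNodeLocationsFlag(group_locations)
    group_logging_monitoring = group.add_group()
    flags.AddLoggingServiceFlag(group_logging_monitoring)
    flags.AddMonitoringServiceFlag(group_logging_monitoring)
    group_logging_monitoring_config = group.add_group()
    flags.AddLoggingFlag(group_logging_monitoring_config)
    flags.AddMonitoringFlag(group_logging_monitoring_config)
    flags.AddManagedPrometheusFlags(group_logging_monitoring_config)
    flags.AddAutoMonitoringScopeFlags(
        group_logging_monitoring_config, hidden=False
    )
    flags.AddManagedOTelScopeFlags(group_logging_monitoring_config, hidden=True)
    flags.AddEnableStackdriverKubernetesFlag(group)
    flags.AddEnableLoggingMonitoringSystemOnlyFlag(group)
    flags.AddEnableWorkloadMonitoringEapFlag(group)
    flags.AddEnableMasterSignalsFlags(group)
    flags.AddEnableLegacyAuthorizationFlag(group)
    flags.AddStartIpRotationFlag(group)
    flags.AddStartCredentialRotationFlag(group)
    flags.AddCompleteIpRotationFlag(group)
    flags.AddCompleteCredentialRotationFlag(group)
    flags.AddUpdateLabelsFlag(group)
    flags.AddRemoveLabelsFlag(group)
    flags.AddNetworkPolicyFlags(group)
    flags.AddAutoprovisioningFlags(group, hidden=False, napless=True)
    flags.AddAutoscalingProfilesFlag(group)
    flags.AddDailyMaintenanceWindowFlag(group, add_unset_text=True)
    flags.AddRecurringMaintenanceWindowFlags(group, is_update=True)
    flags.AddPodSecurityPolicyFlag(group)
    flags.AddBinauthzFlags(group, release_track=base.ReleaseTrack.ALPHA)
    flags.AddResourceUsageExportFlags(group, is_update=True)
    flags.AddVerticalPodAutoscalingFlags(group, experimental=True)
    flags.AddSecurityProfileForUpdateFlag(group)
    # Registered on the parser, not the exclusive group; ParseUpdateOptions
    # validates both configs together with args.disable_addons.
    flags.AddIstioConfigFlag(parser)
    flags.AddCloudRunConfigFlag(parser)
    flags.AddEnableIntraNodeVisibilityFlag(group)
    flags.AddWorkloadAltsFlags(group)
    flags.AddWorkloadCertificatesFlags(group)
    flags.AddMeshCertificatesFlags(group)
    flags.AddWorkloadIdentityFlags(group, use_identity_provider=True)
    flags.AddWorkloadIdentityUpdateFlags(group)
    flags.AddGkeOidcFlag(group)
    flags.AddIdentityServiceFlag(group)
    flags.AddDisableDefaultSnatFlag(group, for_cluster_create=False)
    flags.AddDatabaseEncryptionFlag(group)
    flags.AddDisableDatabaseEncryptionFlag(group)
    flags.AddCostManagementConfigFlag(group, is_update=True)
    flags.AddReleaseChannelFlag(group, is_update=True, hidden=False)
    flags.AddEnableShieldedNodesFlags(group)
    flags.AddTpuFlags(group, enable_tpu_service_networking=True)
    flags.AddNotificationConfigFlag(group)
    flags.AddPrivateIpv6GoogleAccessTypeFlag('v1alpha1', group, hidden=False)
    flags.AddKubernetesObjectsExportConfig(group)
    flags.AddDisableAutopilotFlag(group)
    flags.AddILBSubsettingFlags(group, hidden=False)
    flags.AddClusterDNSFlags(group, hidden=False)
    flags.AddCrossConnectSubnetworksMutationFlags(group)
    flags.AddEnableServiceExternalIPs(group)
    flags.AddAuthenticatorSecurityGroupFlags(group)
    flags.AddEnableGcfsFlag(group)
    flags.AddAutoprovisioningNetworkTagsUpdate(group)
    flags.AddEnableImageStreamingFlag(group)
    flags.AddMaintenanceIntervalFlag(group)
    flags.AddDataplaneV2Flag(group, hidden=True)
    group_dataplane_v2_observability = group.add_group()
    flags.AddDataplaneV2MetricsFlag(group_dataplane_v2_observability)
    flags.AddDataplaneV2ObservabilityFlags(group_dataplane_v2_observability)
    flags.AddWorkloadConfigAuditFlag(group)
    flags.AddHPAProfilesFlag(group)
    flags.AddWorkloadVulnScanningFlag(group)
    flags.AddStackTypeFlag(group)
    flags.AddGatewayFlags(group, hidden=False)
    flags.AddLoggingVariantFlag(group)
    group_add_pod_ipv4_ranges = group.add_group(hidden=False)
    flags.AddAdditionalPodIpv4RangesFlag(group_add_pod_ipv4_ranges)
    flags.AddRemoveAdditionalPodIpv4RangesFlag(group_add_pod_ipv4_ranges)
    flags.AddComplianceFlags(group, hidden=True)
    flags.AddSecurityPostureFlag(group)
    flags.AddClusterNetworkPerformanceConfigFlags(group)
    flags.AddEnableK8sBetaAPIs(group)
    flags.AddSecurityPostureEnumFlag(group)
    flags.AddWorkloadVulnScanningEnumFlag(group)
    flags.AddRuntimeVulnerabilityInsightFlag(group)
    flags.AddWorkloadPoliciesFlag(group)
    flags.AddAutopilotWorkloadPoliciesFlag(group)
    flags.AddRemoveWorkloadPoliciesFlag(group)
    flags.AddRemoveAutopilotWorkloadPoliciesFlag(group)
    flags.AddEnableFqdnNetworkPolicyFlag(group)
    flags.AddHostMaintenanceIntervalFlag(group)
    flags.AddInTransitEncryptionFlag(group)
    flags.AddEnableMultiNetworkingFlag(group)
    flags.AddContainerdConfigFlag(group)
    flags.AddAutoprovisioningResourceManagerTagsUpdate(group)
    flags.AddConvertToAutopilotFlag(group)
    flags.AddCompleteConvertToAutopilotFlag(group)
    flags.AddConvertToStandardFlag(group)
    flags.AddSecretManagerEnableFlagGroup(group, is_update=True)
    flags.AddSecretSyncFlagGroup(group, hidden=False, is_update=True)
    flags.AddEnableCiliumClusterwideNetworkPolicyFlag(group, is_update=True)
    # Security-relevant flags: ParseUpdateOptions stores the values from the
    # next registrations under names containing "insecure". The RBAC binding
    # flags are explicitly visible (hidden=False) on this track.
    flags.AddEnableKubeletReadonlyPortFlag(group)
    flags.AddAutoprovisioningEnableKubeletReadonlyPortFlag(group)
    flags.AddEnableRayClusterLogging(group, is_update=True)
    flags.AddEnableRayClusterMonitoring(group, is_update=True)
    flags.AddInsecureRBACBindingFlags(group, hidden=False)
    group_add_additional_ip_ranges = group.add_group()
    flags.AddAdditionalIpRangesFlag(group_add_additional_ip_ranges)
    flags.AddRemoveAdditionalIpRangesFlag(group_add_additional_ip_ranges)
    group_add_drain_additional_ip_ranges = group.add_group(hidden=True)
    flags.AddDrainAdditionalIpRangesFlag(group_add_drain_additional_ip_ranges)
    flags.AddUndrainAdditionalIpRangesFlag(group_add_drain_additional_ip_ranges)
    flags.AddClusterEnablePrivateNodesFlag(group)
    flags.AddDisableL4LbFirewallReconciliationFlag(group, is_update=True)
    flags.AddClusterTierFlag(group)
    flags.AddAutoprovisioningCgroupModeFlag(group)
    flags.AddEnableAutopilotCompatibilityAuditingFlag(group)
    flags.AddAnonymousAuthenticationConfigFlag(group)

    # Control plane endpoint exposure flags share one nested group so they
    # can be combined in a single update.
    group_for_control_plane_endpoints = group.add_group()
    flags.AddMasterAuthorizedNetworksFlags(group_for_control_plane_endpoints)
    flags.AddEnableIPAccessFlag(group_for_control_plane_endpoints)
    flags.AddMasterGlobalAccessFlag(group_for_control_plane_endpoints)
    flags.AddEnablePrivateEndpoint(group_for_control_plane_endpoints)
    flags.AddEnableGoogleCloudAccess(group_for_control_plane_endpoints)
    flags.AddAauthorizedNetworksOnPrivateEndpointFlag(
        group_for_control_plane_endpoints
    )
    flags.AddEnableDNSAccessFlag(group_for_control_plane_endpoints)
    flags.AddEnableK8sTokensViaDnsFlag(group_for_control_plane_endpoints)
    flags.AddEnableK8sCertsViaDnsFlag(group_for_control_plane_endpoints)
    flags.AddServiceAccountVerificationKeysFlag(group)
    flags.AddServiceAccountSigningKeysFlag(group)
    flags.AddControlPlaneDiskEncryptionKeyFlag(group)
    flags.AddPatchUpdateFlag(group)
    flags.AddAutoIpamFlag(group, is_update=True)
    flags.AddEnableLegacyLustrePortFlag(group, hidden=False)
    flags.AddDisableMultiNicLustreFlag(group, hidden=True)
    flags.AddEnableDefaultComputeClassFlag(group)
    group_fleet_flags = group.add_group()
    flags.AddFleetProjectFlag(group_fleet_flags, is_update=True)
    flags.AddMembershipTypeFlags(group_fleet_flags, is_update=True)
    flags.AddNetworkTierFlag(group)
    flags.AddControlPlaneEgressFlag(group)
    flags.AddAutopilotPrivilegedAdmissionFlag(group, hidden=True)
    flags.AddPodSnapshotConfigFlags(group, hidden=False)
    flags.AddEnableKernelModuleSignatureEnforcementFlag(group)
    flags.AddEnableSliceControllerFlag(group, hidden=True)
    flags.AddAutopilotGeneralProfileFlag(group)

  def ParseUpdateOptions(self, args, locations):
    """Builds the cluster update options from the parsed ALPHA flags.

    Starts from container_command_util.ParseUpdateOptionsBase and copies the
    additional flag values handled by this track onto the result. Validation
    helpers from the flags module run first, and two changes ask for
    interactive confirmation via console_io.PromptContinue with
    cancel_on_no=True: a NodeLocalDNS addon change and enabling L4 ILB
    subsetting.

    NOTE(review): some flags registered in Args are not copied here; they
    are presumably read by ParseUpdateOptionsBase. Also, when prompts are
    disabled (for example in automation), PromptContinue is expected to
    return its default instead of blocking, so the confirmations should be
    read as warnings rather than gates. Confirm both.

    Args:
      args: The parsed argument namespace for the command.
      locations: Passed through unchanged to ParseUpdateOptionsBase.

    Returns:
      The options object returned by ParseUpdateOptionsBase with the fields
      below set from args.
    """

    def get_default(key):
      return getattr(args, key)

    flags.ValidateNotificationConfigFlag(args)
    opts = container_command_util.ParseUpdateOptionsBase(args, locations)
    opts.autoscaling_profile = args.autoscaling_profile
    opts.enable_pod_security_policy = args.enable_pod_security_policy
    opts.resource_usage_bigquery_dataset = args.resource_usage_bigquery_dataset
    opts.clear_resource_usage_bigquery_dataset = (
        args.clear_resource_usage_bigquery_dataset
    )
    opts.security_profile = args.security_profile
    opts.istio_config = args.istio_config
    opts.cloud_run_config = flags.GetLegacyCloudRunFlag(
        '{}_config', args, get_default
    )
    opts.enable_intra_node_visibility = args.enable_intra_node_visibility
    opts.enable_network_egress_metering = args.enable_network_egress_metering
    opts.enable_resource_consumption_metering = (
        args.enable_resource_consumption_metering
    )
    opts.enable_workload_certificates = args.enable_workload_certificates
    opts.enable_alts = args.enable_alts
    opts.enable_experimental_vertical_pod_autoscaling = (
        args.enable_experimental_vertical_pod_autoscaling
    )
    # The Istio and Cloud Run configs are only checked in combination with
    # the addon selection, so both validators receive args.disable_addons.
    flags.ValidateIstioConfigUpdateArgs(args.istio_config, args.disable_addons)
    flags.ValidateCloudRunConfigUpdateArgs(
        opts.cloud_run_config, args.disable_addons
    )
    if args.disable_addons and api_adapter.NODELOCALDNS in args.disable_addons:
      # NodeLocalDNS is being enabled or disabled
      console_io.PromptContinue(
          message=(
              'Enabling/Disabling NodeLocal DNSCache causes a re-creation '
              'of all cluster nodes at versions 1.15 or above. '
              'This operation is long-running and will block other '
              'operations on the cluster (including delete) until it has run '
              'to completion.'
          ),
          cancel_on_no=True,
      )
    opts.enable_stackdriver_kubernetes = args.enable_stackdriver_kubernetes
    opts.enable_logging_monitoring_system_only = (
        args.enable_logging_monitoring_system_only
    )
    opts.no_master_logs = args.no_master_logs
    opts.master_logs = args.master_logs
    opts.enable_master_metrics = args.enable_master_metrics
    opts.release_channel = args.release_channel
    opts.enable_tpu = args.enable_tpu
    opts.tpu_ipv4_cidr = args.tpu_ipv4_cidr
    opts.enable_tpu_service_networking = args.enable_tpu_service_networking

    # Top-level update options are automatically forced to be
    # mutually-exclusive, so we don't need special handling for these two.
    opts.identity_provider = args.identity_provider
    opts.enable_shielded_nodes = args.enable_shielded_nodes
    opts.disable_default_snat = args.disable_default_snat
    opts.enable_cost_allocation = args.enable_cost_allocation
    opts.enable_master_global_access = args.enable_master_global_access
    opts.notification_config = args.notification_config
    opts.kubernetes_objects_changes_target = (
        args.kubernetes_objects_changes_target
    )
    opts.kubernetes_objects_snapshots_target = (
        args.kubernetes_objects_snapshots_target
    )
    opts.enable_gke_oidc = args.enable_gke_oidc
    opts.enable_identity_service = args.enable_identity_service
    opts.enable_workload_monitoring_eap = args.enable_workload_monitoring_eap
    opts.enable_managed_prometheus = args.enable_managed_prometheus
    opts.disable_managed_prometheus = args.disable_managed_prometheus
    opts.auto_monitoring_scope = args.auto_monitoring_scope
    opts.disable_autopilot = args.disable_autopilot
    opts.enable_l4_ilb_subsetting = args.enable_l4_ilb_subsetting
    if opts.enable_l4_ilb_subsetting:
      # Irreversible change: each sentence ends with a space so the adjacent
      # string literals do not run together in the prompt.
      console_io.PromptContinue(
          message=(
              'Enabling L4 ILB Subsetting is a one-way operation. '
              'Once enabled, this configuration cannot be disabled. '
              'Existing ILB services should be recreated to use Subsetting.'
          ),
          cancel_on_no=True,
      )
    opts.cluster_dns = args.cluster_dns
    opts.cluster_dns_scope = args.cluster_dns_scope
    opts.cluster_dns_domain = args.cluster_dns_domain
    opts.disable_additive_vpc_scope = args.disable_additive_vpc_scope
    opts.additive_vpc_scope_dns_domain = args.additive_vpc_scope_dns_domain
    opts.enable_service_externalips = args.enable_service_externalips
    opts.security_group = args.security_group
    opts.enable_gcfs = args.enable_gcfs
    opts.autoprovisioning_network_tags = args.autoprovisioning_network_tags
    opts.enable_image_streaming = args.enable_image_streaming
    opts.maintenance_interval = args.maintenance_interval
    opts.dataplane_v2 = args.enable_dataplane_v2
    opts.enable_dataplane_v2_metrics = args.enable_dataplane_v2_metrics
    opts.disable_dataplane_v2_metrics = args.disable_dataplane_v2_metrics
    opts.enable_dataplane_v2_flow_observability = (
        args.enable_dataplane_v2_flow_observability
    )
    opts.disable_dataplane_v2_flow_observability = (
        args.disable_dataplane_v2_flow_observability
    )
    opts.dataplane_v2_observability_mode = args.dataplane_v2_observability_mode
    opts.enable_workload_config_audit = args.enable_workload_config_audit
    opts.hpa_profile = args.hpa_profile
    opts.enable_workload_vulnerability_scanning = (
        args.enable_workload_vulnerability_scanning
    )
    opts.enable_private_endpoint = args.enable_private_endpoint
    opts.enable_google_cloud_access = args.enable_google_cloud_access
    opts.binauthz_evaluation_mode = args.binauthz_evaluation_mode
    opts.binauthz_policy_bindings = args.binauthz_policy_bindings
    opts.stack_type = args.stack_type
    opts.gateway_api = args.gateway_api
    opts.logging_variant = args.logging_variant
    opts.additional_pod_ipv4_ranges = args.additional_pod_ipv4_ranges
    # The option field is named "removed_..." while the flag attribute is
    # "remove_..."; the mismatch is in the original and is kept as-is.
    opts.removed_additional_pod_ipv4_ranges = (
        args.remove_additional_pod_ipv4_ranges
    )
    opts.additional_ip_ranges = args.additional_ip_ranges
    opts.remove_additional_ip_ranges = args.remove_additional_ip_ranges
    opts.drain_additional_ip_ranges = args.drain_additional_ip_ranges
    opts.undrain_additional_ip_ranges = args.undrain_additional_ip_ranges
    opts.fleet_project = args.fleet_project
    opts.enable_fleet = args.enable_fleet
    opts.membership_type = args.membership_type
    opts.unset_membership_type = args.unset_membership_type
    opts.clear_fleet_project = args.clear_fleet_project
    opts.enable_security_posture = args.enable_security_posture
    opts.network_performance_config = args.network_performance_configs
    opts.enable_k8s_beta_apis = args.enable_kubernetes_unstable_apis
    opts.compliance = args.compliance
    opts.compliance_standards = args.compliance_standards
    opts.security_posture = args.security_posture
    opts.workload_vulnerability_scanning = args.workload_vulnerability_scanning
    opts.enable_runtime_vulnerability_insight = (
        args.enable_runtime_vulnerability_insight
    )
    opts.workload_policies = args.workload_policies
    opts.remove_workload_policies = args.remove_workload_policies
    opts.enable_fqdn_network_policy = args.enable_fqdn_network_policy
    opts.host_maintenance_interval = args.host_maintenance_interval
    opts.enable_multi_networking = args.enable_multi_networking
    opts.containerd_config_from_file = args.containerd_config_from_file
    opts.convert_to_autopilot = args.convert_to_autopilot
    opts.complete_convert_to_autopilot = args.complete_convert_to_autopilot
    opts.convert_to_standard = args.convert_to_standard
    opts.enable_secret_manager = args.enable_secret_manager
    opts.enable_secret_manager_rotation = args.enable_secret_manager_rotation
    opts.secret_manager_rotation_interval = (
        args.secret_manager_rotation_interval
    )
    opts.enable_secret_sync = args.enable_secret_sync
    opts.enable_secret_sync_rotation = args.enable_secret_sync_rotation
    opts.secret_sync_rotation_interval = args.secret_sync_rotation_interval
    opts.enable_cilium_clusterwide_network_policy = (
        args.enable_cilium_clusterwide_network_policy
    )
    # Security-relevant pass-throughs: the flag names themselves mark these
    # settings as insecure. They are copied as-is, with no confirmation
    # prompt in this method (unlike the NodeLocalDNS and L4 ILB cases above).
    opts.enable_insecure_kubelet_readonly_port = (
        args.enable_insecure_kubelet_readonly_port
    )
    opts.autoprovisioning_enable_insecure_kubelet_readonly_port = (
        args.autoprovisioning_enable_insecure_kubelet_readonly_port
    )
    opts.enable_ray_cluster_logging = args.enable_ray_cluster_logging
    opts.enable_ray_cluster_monitoring = args.enable_ray_cluster_monitoring
    # NOTE(review): presumably these gate RBAC bindings that reference the
    # system:authenticated / system:unauthenticated groups; confirm against
    # flags.AddInsecureRBACBindingFlags.
    opts.enable_insecure_binding_system_authenticated = (
        args.enable_insecure_binding_system_authenticated
    )
    opts.enable_insecure_binding_system_unauthenticated = (
        args.enable_insecure_binding_system_unauthenticated
    )
    opts.enable_private_nodes = args.enable_private_nodes
    opts.enable_dns_access = args.enable_dns_access
    opts.disable_l4_lb_firewall_reconciliation = (
        args.disable_l4_lb_firewall_reconciliation
    )
    opts.enable_l4_lb_firewall_reconciliation = (
        args.enable_l4_lb_firewall_reconciliation
    )
    opts.tier = args.tier
    opts.enable_ip_access = args.enable_ip_access
    opts.enable_authorized_networks_on_private_endpoint = (
        args.enable_authorized_networks_on_private_endpoint
    )
    opts.enable_autopilot_compatibility_auditing = (
        args.enable_autopilot_compatibility_auditing
    )
    opts.service_account_verification_keys = (
        args.service_account_verification_keys
    )
    opts.service_account_signing_keys = args.service_account_signing_keys
    opts.control_plane_disk_encryption_key = (
        args.control_plane_disk_encryption_key
    )
    # Forwarded unchanged; any validation of the anonymous-authentication
    # setting is not visible in this method.
    opts.anonymous_authentication_config = args.anonymous_authentication_config
    opts.patch_update = args.patch_update
    opts.enable_auto_ipam = args.enable_auto_ipam
    opts.disable_auto_ipam = args.disable_auto_ipam
    opts.enable_k8s_tokens_via_dns = args.enable_k8s_tokens_via_dns
    opts.enable_k8s_certs_via_dns = args.enable_k8s_certs_via_dns
    opts.enable_legacy_lustre_port = args.enable_legacy_lustre_port
    opts.disable_multi_nic_lustre = args.disable_multi_nic_lustre
    opts.enable_default_compute_class = args.enable_default_compute_class
    opts.network_tier = args.network_tier
    opts.control_plane_egress_mode = args.control_plane_egress
    opts.managed_otel_scope = args.managed_otel_scope
    opts.autopilot_privileged_admission = (
        args.autopilot_privileged_admission
    )
    opts.enable_kernel_module_signature_enforcement = (
        args.enable_kernel_module_signature_enforcement
    )
    opts.autopilot_general_profile = args.autopilot_general_profile
    return opts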