Skip to content

A terraform module to create a managed Kubernetes cluster on Yandex Cloud.

License

Notifications You must be signed in to change notification settings

sport24ru/terraform-yandex-managed-kubernetes

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Terraform Yandex Managed Kubernetes Module

A terraform module to create a managed Kubernetes cluster on Yandex Cloud. Module will manage

  • service accounts for managing cluster resources,
  • Kubernetes cluster itself,
  • node groups in the cluster.

This module is meant for use with Terraform >= 0.13.

Upgrade to 2.x

The module version 1.x uses the yandex_resourcemanager_folder_iam_binding resource to manage permissions of the service account.

The problem is that when you delete this resource, the bindings of all service accounts with similar permissions are deleted.

Since version 2.x this resource has been replaced with yandex_resourcemanager_folder_iam_member, which has no such side effects.

If you manage service accounts using the 1.x module, you may need to manually remove legacy yandex_resourcemanager_folder_iam_binding resources from state to protect the current bindings. For example:

terraform state rm 'yandex_resourcemanager_folder_iam_binding.service_account[0]'
terraform state rm 'yandex_resourcemanager_folder_iam_binding.node_service_account[0]'

Example Usage

resource "yandex_vpc_network" "default" {
  name = "default"
}

resource "yandex_vpc_subnet" "a" {
  network_id = yandex_vpc_network.default.id

  name = "a"
  zone = "ru-central1-a"

  v4_cidr_blocks = ["10.1.0.0/16"]
}

module "kubernetes" {
  source = "sport24ru/managed-kubernetes/yandex"

  name = "default"

  folder_id        = var.folder_id
  network_id       = yandex_vpc_network.default.id
  master_locations = [
    {
      subnet_id = yandex_vpc_subnet.a.id
      zone      = yandex_vpc_subnet.a.zone
    }
  ]

  service_account_name      = "k8s-manager"
  node_service_account_name = "k8s-node-manager"

  master_version  = var.kubernetes_version
  release_channel = var.kubernetes_release_channel

  node_groups = {
    "default" = {
      cores         = 4
      core_fraction = 100
      memory        = 8
      fixed_scale   = {
        size = 3
      }
      boot_disk_type = "network-hdd"
      boot_disk_size = 64
    }
  }
}

Inputs

Name Description Type Default Required
cluster_ipv4_range CIDR block. IP range for allocating pod addresses. It should not overlap with
any subnet in the network the Kubernetes cluster located in. Static routes will
be set up for this CIDR blocks in node subnets.
string null no
cluster_ipv6_range Identical to cluster_ipv4_range but for IPv6 protocol. string null no
description A description of the Kubernetes cluster. string null no
folder_id The ID of the folder that the Kubernetes cluster belongs to. string n/a yes
kms_provider_key_id KMS key ID. any null no
labels A set of key/value label pairs to assign to the Kubernetes cluster. map(string) {} no
master_auto_upgrade Boolean flag that specifies if master can be upgraded automatically. bool true no
master_locations List of locations where cluster will be created. If list contains only one
location, will be created zonal cluster, if more than one -- regional.
list(object({
zone = string
subnet_id = string
}))
n/a yes
master_maintenance_windows List of structures that specifies maintenance windows, when auto update for master is allowed. list(map(string)) [] no
master_public_ip Boolean flag. When true, Kubernetes master will have visible ipv4 address. bool true no
master_security_group_ids List of security group IDs to which the Kubernetes cluster belongs. set(string) null no
master_region Name of region where cluster will be created. Required for regional cluster,
not used for zonal cluster.
string null no
master_version Version of Kubernetes that will be used for master. string null no
name Name of a specific Kubernetes cluster. string null no
network_id The ID of the cluster network. string n/a yes
network_policy_provider Network policy provider for the cluster. Possible values: CALICO. string null no
node_groups Parameters of Kubernetes node groups. map {} no
node_groups_default_locations Default locations of Kubernetes node groups.

If ommited, master_locations will be used.
list(object({
subnet_id = string
zone = string
}))
null no
node_groups_default_ssh_keys Map containing SSH keys to install on all Kubernetes node servers by default. map(list(string)) {} no
node_groups_locations Locations of Kubernetes node groups.

Use it to override default locations of certain node groups.
map(list(object({
subnet_id = string
zone = string
})))
{} no
node_ipv4_cidr_mask_size Size of the masks that are assigned to each node in the cluster. Effectively
limits maximum number of pods for each node.
number null no
node_service_account_id ID of service account to be used by the worker nodes of the Kubernetes
cluster to access Container Registry or to push node logs and metrics.

If omitted or equal to service_account_id, service account will be used
as node service account.
string null no
node_service_account_name Name of service account to create to be used by the worker nodes of
the Kubernetes cluster to access Container Registry or to push node logs
and metrics.

If omitted or equal to service_account_name, service account
will be used as node service account.

node_service_account_name is ignored if node_service_account_id is set.
string null no
release_channel Cluster release channel. string "STABLE" no
service_account_id ID of existing service account to be used for provisioning Compute Cloud
and VPC resources for Kubernetes cluster. Selected service account should have
edit role on the folder where the Kubernetes cluster will be located and on the
folder where selected network resides.
string null no
service_account_name Name of service account to create to be used for provisioning Compute Cloud
and VPC resources for Kubernetes cluster.

service_account_name is ignored if service_account_id is set.
string null no
service_ipv4_range CIDR block. IP range Kubernetes service Kubernetes cluster IP addresses
will be allocated from. It should not overlap with any subnet in the network
the Kubernetes cluster located in.
string null no

node_groups attributes

node_groups is a map where each key is a name of node group and a corresponding value is a map of node group attributes.

Name Description Type Default Required
description A description of the Kubernetes node group string no
labels A set of key/value label pairs assigned to the Kubernetes node group map(string) no
version Version of Kubernetes that will be used for Kubernetes node group string Value of master_version variable no
node_labels A set of key/value label pairs, that are assigned to all the nodes of this Kubernetes node group map(string) no
node_taints A list of Kubernetes taints, that are applied to all the nodes of this Kubernetes node group list(string) no
allowed_unsafe_sysctls A list of allowed unsafe sysctl parameters for this node group list(string) no
platform_id The ID of the hardware platform configuration for the node group compute instances string no
nat Boolean flag, enables NAT for node group compute instances bool no
metadata The set of metadata key:value pairs assigned to this instance template. This includes custom metadata and predefined keys map(string) no
cores Number of CPU cores allocated to the instance number 2 no
core_fraction Baseline core performance as a percent number 100 no
memory The memory size allocated to the instance number 2 no
gpus Number of GPU cores allocated to the instance. number null no
boot_disk_type The boot disk type string "network-hdd" no
boot_disk_size The size of the boot disk in GB. Allowed minimal size: 64 GB number 64 no
preemptible Specifies if the instance is preemptible bool false no
placement_group_id Specifies the id of the Placement Group to assign to the instances. string null no
fixed_scale Scale policy for a fixed scale node group
object({
size = number
})
One of fixed_scale or auto_scale must be defined
auto_scale Scale policy for an autoscaled node group
object({
min = number
max = number
initial = number
})
One of fixed_scale or auto_scale must be defined
auto_upgrade Boolean flag that specifies if node group can be upgraded automatically. bool true no
auto_repair Boolean flag that specifies if node group can be repaired automatically. bool true no
maintenance_windows List of day intervals, when maintenance is allowed for this node group. list(map(string)) [] no
security_group_ids Security group ids for network interface. set(string) no
network_acceleration_type Type of network acceleration. Values: standard, software_accelerated. string null no
max_expansion The maximum number of instances that can be temporarily allocated above the group's target size during the update. number null no
max_unavailable The maximum number of running instances that can be taken offline during update. number null no

Outputs

Name Description
cluster_ca_certificate PEM-encoded public certificate that is the root of trust for
the Kubernetes cluster.
cluster_id ID of a new Kubernetes cluster.
external_v4_endpoint An IPv4 external network address that is assigned to the master.
internal_v4_endpoint An IPv4 internal network address that is assigned to the master.
node_groups Attributes of yandex_node_group resources created in cluster
node_service_account_id ID of service account to be used by the worker nodes of the Kubernetes cluster
to access Container Registry or to push node logs and metrics
service_account_id ID of service account used for provisioning Compute Cloud and VPC resources
for Kubernetes cluster

Requirements

Name Version
terraform > = 0.13.0
yandex > = 0.105.0

Providers

Name Version
yandex > = 0.105.0