I am trying to disable port 10255 as per Google recently.
My terraform configuration is as follows:
```hcl
resource "google_container_cluster" "cluster" {
  name       = "k8s-cluster"
  project    = ...
  location   = ...
  network    = ...
  subnetwork = ...

  remove_default_node_pool = true
  initial_node_count       = 1
  enable_l4_ilb_subsetting = true
  ip_allocation_policy {}
  deletion_protection = false

  node_pool_defaults {
    node_config_defaults {
      insecure_kubelet_readonly_port_enabled = "FALSE"
    }
  }

  private_cluster_config {
    enable_private_endpoint = false
    enable_private_nodes    = true
    master_ipv4_cidr_block  = ...
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block = ...
    }
  }
}
```
When I describe the config of the cluster after creation (`gcloud container cluster describe…`) I see `nodePools.config.kubeletConfig.insecureKubeletReadonlyPortEnabled: false`, but `nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig: {}`.
Shouldn’t `nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig` be false? Why is this configuration not correct?
I am using terraform version 6.6.0.
I worked on adding this to the provider. It’s a little confusing how many different places this setting can be, especially since there are subtle differences in the naming / path depending on context.
You didn’t include your nodepool’s config, but I think this looks correct.
At the API level, an empty response is sometimes omitted, which might explain what you’re seeing. With the default being different for different GKE nodepools (and with the default having flipped to true for some GKE versions), it’s possible that this inconsistency is expected. There is a minor issue that may or may not be related (“provider setting false values in google_container_node_pool kubelet_config, breaking tf apply”, hashicorp/terraform-provider-google issue #19792) which there should be a fix for soon.
That said, it sounds to me like things are behaving with the node_pool_defaults setting if a newly created nodepool has the right settings without having it set explicitly. It wouldn’t hurt to also set config.kubelet_config.insecure_kubelet_readonly_port_enabled explicitly to false on the nodepool as well, though it seems like that’s already working out OK?
Also, in some GKE versions, I believe this will default to false almost everywhere, so at some point in the future, hopefully people should generally not need to worry about explicitly disabling this anymore.
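The explicit per-nodepool setting suggested in the reply above, written out as an added example that is not part of the original thread; it assumes the `google_container_cluster.cluster` resource from the question, and the pool name, node count and machine type are placeholders:

```hcl
# Added example: explicitly disable the kubelet read-only port (10255) on a
# node pool, in addition to the cluster-level node_pool_defaults in the question.
# Assumptions: the cluster is google_container_cluster.cluster from the question;
# pool name, node_count and machine_type are placeholder values.
resource "google_container_node_pool" "primary" {
  name       = "primary-pool"
  cluster    = google_container_cluster.cluster.id
  node_count = 1

  node_config {
    machine_type = "e2-standard-4"

    kubelet_config {
      # The provider attribute is a string enum ("TRUE"/"FALSE"), not a bool,
      # which is why the question's cluster-level value is quoted as well.
      insecure_kubelet_readonly_port_enabled = "FALSE"

      # Older provider releases required cpu_manager_policy inside this block;
      # "none" is the kubelet default and does not change scheduling behaviour.
      cpu_manager_policy = "none"
    }
  }
}

# Verify after apply using the per-pool path from the question (the
# cluster-level nodeKubeletConfig may still show as {} in the describe output):
#   gcloud container clusters describe k8s-cluster --location <location> \
#     --format='value(nodePools[].config.kubeletConfig.insecureKubeletReadonlyPortEnabled)'
```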