fix: Add the nodepool cgroup mode to the NAP config (#2356)

davidholsgrove · web-flow · commit eeaf95d511a9 · 2025-09-05T11:35:08.000-07:00
diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
@@ -356,10 +356,20 @@ resource "google_container_cluster" "primary" {
 
 {% if autopilot_cluster != true %}
   dynamic "node_pool_auto_config" {
-    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+      dynamic "network_tags" {
+        for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+        }
+      }
+
+      dynamic "linux_node_config" {
+        for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
+        content {
+          cgroup_mode = local.node_pools_cgroup_mode["all"]
+        }
       }
     }
   }
diff --git a/cluster.tf b/cluster.tf
@@ -265,10 +265,20 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "node_pool_auto_config" {
-    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+      dynamic "network_tags" {
+        for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+        }
+      }
+
+      dynamic "linux_node_config" {
+        for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
+        content {
+          cgroup_mode = local.node_pools_cgroup_mode["all"]
+        }
       }
     }
   }
diff --git a/examples/node_pool/main.tf b/examples/node_pool/main.tf
@@ -163,8 +163,8 @@ module "gke" {
   }
 
   node_pools_cgroup_mode = {
-    all     = "CGROUP_MODE_V1"
-    pool-01 = "CGROUP_MODE_V2"
+    all = "CGROUP_MODE_V2"
+    pool-01 = "CGROUP_MODE_V1"
   }
 
   node_pools_hugepage_size_2m = {
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -278,10 +278,20 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "node_pool_auto_config" {
-    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+      dynamic "network_tags" {
+        for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+        }
+      }
+
+      dynamic "linux_node_config" {
+        for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
+        content {
+          cgroup_mode = local.node_pools_cgroup_mode["all"]
+        }
       }
     }
   }
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
@@ -278,10 +278,20 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "node_pool_auto_config" {
-    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+      dynamic "network_tags" {
+        for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+        }
+      }
+
+      dynamic "linux_node_config" {
+        for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
+        content {
+          cgroup_mode = local.node_pools_cgroup_mode["all"]
+        }
       }
     }
   }
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -278,10 +278,20 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "node_pool_auto_config" {
-    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+      dynamic "network_tags" {
+        for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+        }
+      }
+
+      dynamic "linux_node_config" {
+        for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
+        content {
+          cgroup_mode = local.node_pools_cgroup_mode["all"]
+        }
       }
     }
   }
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
@@ -278,10 +278,20 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "node_pool_auto_config" {
-    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+      dynamic "network_tags" {
+        for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+        }
+      }
+
+      dynamic "linux_node_config" {
+        for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
+        content {
+          cgroup_mode = local.node_pools_cgroup_mode["all"]
+        }
       }
     }
   }
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
@@ -265,10 +265,20 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "node_pool_auto_config" {
-    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+      dynamic "network_tags" {
+        for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+        }
+      }
+
+      dynamic "linux_node_config" {
+        for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
+        content {
+          cgroup_mode = local.node_pools_cgroup_mode["all"]
+        }
       }
     }
   }
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
@@ -265,10 +265,20 @@ resource "google_container_cluster" "primary" {
   }
 
   dynamic "node_pool_auto_config" {
-    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+    for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules || local.node_pools_cgroup_mode != null) ? [1] : []
     content {
-      network_tags {
-        tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+      dynamic "network_tags" {
+        for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 || var.add_cluster_firewall_rules) ? [1] : []
+        content {
+          tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags
+        }
+      }
+
+      dynamic "linux_node_config" {
+        for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []
+        content {
+          cgroup_mode = local.node_pools_cgroup_mode["all"]
+        }
       }
     }
   }
diff --git a/test/integration/node_pool/testdata/TestNodePool.json b/test/integration/node_pool/testdata/TestNodePool.json
@@ -203,7 +203,7 @@
       "config": {
         "diskSizeGb": 100,
         "diskType": "pd-balanced",
-        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2",
+        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V1",
         "gcfsConfig": {},
         "imageType": "COS_CONTAINERD",
         "loggingConfig": {
@@ -267,7 +267,7 @@
       "config": {
         "diskSizeGb": 100,
         "diskType": "pd-standard",
-        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V1",
+        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2",
         "imageType": "COS_CONTAINERD",
         "machineType": "e2-medium",
         "metadata": {
@@ -320,7 +320,7 @@
       "config": {
         "diskSizeGb": 100,
         "diskType": "pd-standard",
-        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2",
+        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V1",
         "gcfsConfig": {},
         "imageType": "COS_CONTAINERD",
         "labels": {
@@ -423,7 +423,7 @@
         ],
         "diskSizeGb": 30,
         "diskType": "pd-standard",
-        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V1",
+        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2",
         "imageType": "COS_CONTAINERD",
         "labels": {
           "all-pools-example": "true",
@@ -505,7 +505,7 @@
       "config": {
         "diskSizeGb": 100,
         "diskType": "pd-standard",
-        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V1",
+        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2",
         "imageType": "COS_CONTAINERD",
         "kubeletConfig": {
           "cpuCfsQuota": true,
@@ -605,7 +605,7 @@
       "config": {
         "diskSizeGb": 100,
         "diskType": "pd-standard",
-        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V1",
+        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2",
         "imageType": "COS_CONTAINERD",
         "kubeletConfig": {
           "insecureKubeletReadonlyPortEnabled": false
@@ -704,7 +704,7 @@
         },
         "diskSizeGb": 100,
         "diskType": "pd-balanced",
-        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V1",
+        "effectiveCgroupMode": "EFFECTIVE_CGROUP_MODE_V2",
         "imageType": "COS_CONTAINERD",
         "labels": {
           "all-pools-example": "true",

Original file line number	Diff line number	Diff line change
`@@ -265,10 +265,20 @@ resource "google_container_cluster" "primary" {`
`265`	`265`	`}`
`266`	`266`
`267`	`267`	`dynamic "node_pool_auto_config" {`
`268`		`- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 \|\| var.add_cluster_firewall_rules) ? [1] : []`
	`268`	`+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 \|\| var.add_cluster_firewall_rules \|\| local.node_pools_cgroup_mode != null) ? [1] : []`
`269`	`269`	`content {`
`270`		`- network_tags {`
`271`		`- tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags`
	`270`	`+ dynamic "network_tags" {`
	`271`	`+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 \|\| var.add_cluster_firewall_rules) ? [1] : []`
	`272`	`+ content {`
	`273`	`+ tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags`
	`274`	`+ }`
	`275`	`+ }`
	`276`	`+`
	`277`	`+ dynamic "linux_node_config" {`
	`278`	`+ for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []`
	`279`	`+ content {`
	`280`	`+ cgroup_mode = local.node_pools_cgroup_mode["all"]`
	`281`	`+ }`
`272`	`282`	`}`
`273`	`283`	`}`
`274`	`284`	`}`
Original file line number	Diff line number	Diff line change
`@@ -163,8 +163,8 @@ module "gke" {`
`163`	`163`	`}`
`164`	`164`
`165`	`165`	`node_pools_cgroup_mode = {`
`166`		`- all = "CGROUP_MODE_V1"`
`167`		`- pool-01 = "CGROUP_MODE_V2"`
	`166`	`+ all = "CGROUP_MODE_V2"`
	`167`	`+ pool-01 = "CGROUP_MODE_V1"`
`168`	`168`	`}`
`169`	`169`
`170`	`170`	`node_pools_hugepage_size_2m = {`
Original file line number	Diff line number	Diff line change
`@@ -278,10 +278,20 @@ resource "google_container_cluster" "primary" {`
`278`	`278`	`}`
`279`	`279`
`280`	`280`	`dynamic "node_pool_auto_config" {`
`281`		`- for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 \|\| var.add_cluster_firewall_rules) ? [1] : []`
	`281`	`+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 \|\| var.add_cluster_firewall_rules \|\| local.node_pools_cgroup_mode != null) ? [1] : []`
`282`	`282`	`content {`
`283`		`- network_tags {`
`284`		`- tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags`
	`283`	`+ dynamic "network_tags" {`
	`284`	`+ for_each = var.cluster_autoscaling.enabled && (length(var.network_tags) > 0 \|\| var.add_cluster_firewall_rules) ? [1] : []`
	`285`	`+ content {`
	`286`	`+ tags = var.add_cluster_firewall_rules ? (concat(var.network_tags, [local.cluster_network_tag])) : var.network_tags`
	`287`	`+ }`
	`288`	`+ }`
	`289`	`+`
	`290`	`+ dynamic "linux_node_config" {`
	`291`	`+ for_each = local.node_pools_cgroup_mode["all"] != "" ? [1] : []`
	`292`	`+ content {`
	`293`	`+ cgroup_mode = local.node_pools_cgroup_mode["all"]`
	`294`	`+ }`
`285`	`295`	`}`
`286`	`296`	`}`
`287`	`297`	`}`