terraform-google-modules · DrFaust92 · Sep 17, 2025 · Sep 21, 2025 · Sep 21, 2025 · Sep 28, 2025
@@ -254,6 +254,7 @@ Then perform the following commands on the root folder:
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
 | parallelstore\_csi\_driver | Whether the Parallelstore CSI driver Addon is enabled for this cluster. | `bool` | `null` | no |
+| pod\_cidr\_overprovision\_config | Configuration for cluster level pod cidr overprovision. | `object({ disabled = bool })` | <pre>{<br>  "disabled": false<br>}</pre> | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. | <pre>object({<br>    enabled            = bool<br>    logging_enabled    = optional(bool, false)<br>    monitoring_enabled = optional(bool, false)<br>  })</pre> | <pre>{<br>  "enabled": false,<br>  "logging_enabled": false,<br>  "monitoring_enabled": false<br>}</pre> | no |
 | rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. | <pre>object({<br>    enable_insecure_binding_system_unauthenticated = optional(bool, null)<br>    enable_insecure_binding_system_authenticated   = optional(bool, null)<br>  })</pre> | <pre>{<br>  "enable_insecure_binding_system_authenticated": null,<br>  "enable_insecure_binding_system_unauthenticated": null<br>}</pre> | no |
@@ -405,6 +406,7 @@ The node_pools variable takes the following parameters:
 | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional |
 | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional |
 | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional |
+| pod_cidr_overprovision_config |  Configuration for node-pool level pod cidr overprovision. If not set, the cluster level setting will be inherited. |  | Optional |
 | total_egress_bandwidth_tier |  Specifies the total network bandwidth tier. Valid values are: "TIER_1" and "TIER_UNSPECIFIED". |  | Optional |
 | consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional |
 | reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional |

@@ -280,6 +280,7 @@ The node_pools variable takes the following parameters:
 | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional |
 | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional |
 | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional |
+| pod_cidr_overprovision_config |  Configuration for node-pool level pod cidr overprovision. If not set, the cluster level setting will be inherited. |  | Optional |
 | total_egress_bandwidth_tier |  Specifies the total network bandwidth tier. Valid values are: "TIER_1" and "TIER_UNSPECIFIED". |  | Optional |
 | consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional |
 | reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional |

@@ -562,6 +562,12 @@ resource "google_container_cluster" "primary" {
       }
     }
     stack_type                    = var.stack_type
+    dynamic "pod_cidr_overprovision_config" {
+      for_each = var.pod_cidr_overprovision_config
+      content {
+        disabled = var.pod_cidr_overprovision_config.disabled
+      }
+    }
   }
 
   maintenance_policy {
@@ -918,6 +924,7 @@ locals {
     "flex_start",
     "local_ssd_ephemeral_storage_count",
     "ephemeral_storage_local_ssd_data_cache_count",
+    "pod_cidr_overprovision_config",
   ]
 }
 
@@ -1047,6 +1054,13 @@ resource "google_container_node_pool" "windows_pools" {
       enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
       {% endif %}
 
+      dynamic "pod_cidr_overprovision_config" {
+        for_each = lookup(network_config.value, "pod_cidr_overprovision_config", "") != "" ? [1] : []
+        content {
+          disabled = lookup(network_config.value, "pod_cidr_overprovision_config", null)
+        }
+      }
+
       dynamic "network_performance_config" {
         for_each = lookup(network_config.value, "total_egress_bandwidth_tier", "") != "" ? [1] : []
         content {

@@ -180,6 +180,12 @@ variable "additional_ip_ranges_config" {
   default = []
 }
 
+variable "pod_cidr_overprovision_config" {
+  type        = object({ disabled = bool })
+  description = "Configuration for cluster level pod cidr overprovision."
+  default = { disabled = false }
+}
+
 variable "ip_range_services" {
   type        = string
   description = "The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used."

@@ -429,6 +429,12 @@ resource "google_container_cluster" "primary" {
       }
     }
     stack_type = var.stack_type
+    dynamic "pod_cidr_overprovision_config" {
+      for_each = var.pod_cidr_overprovision_config
+      content {
+        disabled = var.pod_cidr_overprovision_config.disabled
+      }
+    }
   }
 
   maintenance_policy {
@@ -747,6 +753,13 @@ resource "google_container_node_pool" "pools" {
       pod_range            = lookup(network_config.value, "pod_range", null)
       enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
 
+      dynamic "pod_cidr_overprovision_config" {
+        for_each = lookup(network_config.value, "pod_cidr_overprovision_config", "") != "" ? [1] : []
+        content {
+          disabled = lookup(network_config.value, "pod_cidr_overprovision_config", null)
+        }
+      }
+
       dynamic "network_performance_config" {
         for_each = lookup(network_config.value, "total_egress_bandwidth_tier", "") != "" ? [1] : []
         content {
@@ -1113,6 +1126,13 @@ resource "google_container_node_pool" "windows_pools" {
       pod_range            = lookup(network_config.value, "pod_range", null)
       enable_private_nodes = lookup(network_config.value, "enable_private_nodes", null)
 
+      dynamic "pod_cidr_overprovision_config" {
+        for_each = lookup(network_config.value, "pod_cidr_overprovision_config", "") != "" ? [1] : []
+        content {
+          disabled = lookup(network_config.value, "pod_cidr_overprovision_config", null)
+        }
+      }
+
       dynamic "network_performance_config" {
         for_each = lookup(network_config.value, "total_egress_bandwidth_tier", "") != "" ? [1] : []
         content {

@@ -372,6 +372,9 @@ spec:
         parallelstore_csi_driver:
           name: parallelstore_csi_driver
           title: Parallelstore Csi Driver
+        pod_cidr_overprovision_config:
+          name: pod_cidr_overprovision_config
+          title: Pod Cidr Overprovision Config
         project_id:
           name: project_id
           title: Project Id

@@ -263,6 +263,11 @@ spec:
         description: the configuration for individual additional subnetworks attached to the cluster
         varType: list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))
         defaultValue: []
+      - name: pod_cidr_overprovision_config
+        description: Configuration for cluster level pod cidr overprovision.
+        varType: object({ disabled = bool })
+        defaultValue:
+          disabled: false
       - name: ip_range_services
         description: The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used.
         varType: string

@@ -150,6 +150,7 @@ Then perform the following commands on the root folder:
 | node\_pools\_cgroup\_mode | Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management. | `string` | `null` | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
+| pod\_cidr\_overprovision\_config | Configuration for cluster level pod cidr overprovision. | `object({ disabled = bool })` | <pre>{<br>  "disabled": false<br>}</pre> | no |
 | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. | <pre>object({<br>    enabled            = bool<br>    logging_enabled    = optional(bool, false)<br>    monitoring_enabled = optional(bool, false)<br>  })</pre> | <pre>{<br>  "enabled": false,<br>  "logging_enabled": false,<br>  "monitoring_enabled": false<br>}</pre> | no |

@@ -330,6 +330,12 @@ resource "google_container_cluster" "primary" {
       }
     }
     stack_type = var.stack_type
+    dynamic "pod_cidr_overprovision_config" {
+      for_each = var.pod_cidr_overprovision_config
+      content {
+        disabled = var.pod_cidr_overprovision_config.disabled
+      }
+    }
   }
 
   maintenance_policy {

@@ -274,6 +274,9 @@ spec:
         notification_filter_event_type:
           name: notification_filter_event_type
           title: Notification Filter Event Type
+        pod_cidr_overprovision_config:
+          name: pod_cidr_overprovision_config
+          title: Pod Cidr Overprovision Config
         private_endpoint_subnetwork:
           name: private_endpoint_subnetwork
           title: Private Endpoint Subnetwork

@@ -222,6 +222,11 @@ spec:
         description: the configuration for individual additional subnetworks attached to the cluster
         varType: list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))
         defaultValue: []
+      - name: pod_cidr_overprovision_config
+        description: Configuration for cluster level pod cidr overprovision.
+        varType: object({ disabled = bool })
+        defaultValue:
+          disabled: false
       - name: ip_range_services
         description: The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used.
         varType: string

@@ -170,6 +170,12 @@ variable "additional_ip_ranges_config" {
   default     = []
 }
 
+variable "pod_cidr_overprovision_config" {
+  type        = object({ disabled = bool })
+  description = "Configuration for cluster level pod cidr overprovision."
+  default     = { disabled = false }
+}
+
 variable "ip_range_services" {
   type        = string
   description = "The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used."

@@ -139,6 +139,7 @@ Then perform the following commands on the root folder:
 | node\_pools\_cgroup\_mode | Specifies the Linux cgroup mode for autopilot Kubernetes nodes in the cluster. Accepted values are `CGROUP_MODE_UNSPECIFIED`, `CGROUP_MODE_V1`, and `CGROUP_MODE_V2`, which determine the control group hierarchy used for resource management. | `string` | `null` | no |
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
+| pod\_cidr\_overprovision\_config | Configuration for cluster level pod cidr overprovision. | `object({ disabled = bool })` | <pre>{<br>  "disabled": false<br>}</pre> | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. | <pre>object({<br>    enabled            = bool<br>    logging_enabled    = optional(bool, false)<br>    monitoring_enabled = optional(bool, false)<br>  })</pre> | <pre>{<br>  "enabled": false,<br>  "logging_enabled": false,<br>  "monitoring_enabled": false<br>}</pre> | no |
 | rbac\_binding\_config | RBACBindingConfig allows user to restrict ClusterRoleBindings an RoleBindings that can be created. | <pre>object({<br>    enable_insecure_binding_system_unauthenticated = optional(bool, null)<br>    enable_insecure_binding_system_authenticated   = optional(bool, null)<br>  })</pre> | <pre>{<br>  "enable_insecure_binding_system_authenticated": null,<br>  "enable_insecure_binding_system_unauthenticated": null<br>}</pre> | no |

@@ -330,6 +330,12 @@ resource "google_container_cluster" "primary" {
       }
     }
     stack_type = var.stack_type
+    dynamic "pod_cidr_overprovision_config" {
+      for_each = var.pod_cidr_overprovision_config
+      content {
+        disabled = var.pod_cidr_overprovision_config.disabled
+      }
+    }
   }
 
   maintenance_policy {

@@ -259,6 +259,9 @@ spec:
         notification_filter_event_type:
           name: notification_filter_event_type
           title: Notification Filter Event Type
+        pod_cidr_overprovision_config:
+          name: pod_cidr_overprovision_config
+          title: Pod Cidr Overprovision Config
         project_id:
           name: project_id
           title: Project Id

@@ -222,6 +222,11 @@ spec:
         description: the configuration for individual additional subnetworks attached to the cluster
         varType: list(object({ subnetwork = string, pod_ipv4_range_names = list(string) }))
         defaultValue: []
+      - name: pod_cidr_overprovision_config
+        description: Configuration for cluster level pod cidr overprovision.
+        varType: object({ disabled = bool })
+        defaultValue:
+          disabled: false
       - name: ip_range_services
         description: The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used.
         varType: string

@@ -170,6 +170,12 @@ variable "additional_ip_ranges_config" {
   default     = []
 }
 
+variable "pod_cidr_overprovision_config" {
+  type        = object({ disabled = bool })
+  description = "Configuration for cluster level pod cidr overprovision."
+  default     = { disabled = false }
+}
+
 variable "ip_range_services" {
   type        = string
   description = "The _name_ of the secondary subnet range to use for services. If not provided, the default `34.118.224.0/20` range will be used."

@@ -298,6 +298,7 @@ Then perform the following commands on the root folder:
 | notification\_config\_topic | The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}. | `string` | `""` | no |
 | notification\_filter\_event\_type | Choose what type of notifications you want to receive. If no filters are applied, you'll receive all notification types. Can be used to filter what notifications are sent. Accepted values are UPGRADE\_AVAILABLE\_EVENT, UPGRADE\_EVENT, and SECURITY\_BULLETIN\_EVENT. | `list(string)` | `[]` | no |
 | parallelstore\_csi\_driver | Whether the Parallelstore CSI driver Addon is enabled for this cluster. | `bool` | `null` | no |
+| pod\_cidr\_overprovision\_config | Configuration for cluster level pod cidr overprovision. | `object({ disabled = bool })` | <pre>{<br>  "disabled": false<br>}</pre> | no |
 | private\_endpoint\_subnetwork | The subnetwork to use for the hosted master network. | `string` | `null` | no |
 | project\_id | The project ID to host the cluster in (required) | `string` | n/a | yes |
 | ray\_operator\_config | The Ray Operator Addon configuration for this cluster. | <pre>object({<br>    enabled            = bool<br>    logging_enabled    = optional(bool, false)<br>    monitoring_enabled = optional(bool, false)<br>  })</pre> | <pre>{<br>  "enabled": false,<br>  "logging_enabled": false,<br>  "monitoring_enabled": false<br>}</pre> | no |
@@ -459,6 +460,7 @@ The node_pools variable takes the following parameters:
 | queued_provisioning | Makes nodes obtainable through the ProvisioningRequest API exclusively. | | Optional |
 | gpu_sharing_strategy | The type of GPU sharing strategy to enable on the GPU node. Accepted values are: "TIME_SHARING" and "MPS". | | Optional |
 | max_shared_clients_per_gpu | The maximum number of containers that can share a GPU. | | Optional |
+| pod_cidr_overprovision_config |  Configuration for node-pool level pod cidr overprovision. If not set, the cluster level setting will be inherited. |  | Optional |
 | total_egress_bandwidth_tier |  Specifies the total network bandwidth tier. Valid values are: "TIER_1" and "TIER_UNSPECIFIED". |  | Optional |
 | consume_reservation_type | The type of reservation consumption. Accepted values are: "UNSPECIFIED": Default value (should not be specified). "NO_RESERVATION": Do not consume from any reserved capacity, "ANY_RESERVATION": Consume any reservation available, "SPECIFIC_RESERVATION": Must consume from a specific reservation. Must specify key value fields for specifying the reservations. | | Optional |
 | reservation_affinity_key | The label key of a reservation resource. To target a SPECIFIC_RESERVATION by name, specify "compute.googleapis.com/reservation-name" as the key and specify the name of your reservation as its value. | | Optional |