REST Resource: projects.locations.attachedClusters

Resource: AttachedCluster

An Anthos cluster running on the customer's own infrastructure.

JSON representation
{
  "name": string,
  "description": string,
  "oidcConfig": {
    object (AttachedOidcConfig)
  },
  "platformVersion": string,
  "distribution": string,
  "clusterRegion": string,
  "fleet": {
    object (Fleet)
  },
  "state": enum (State),
  "uid": string,
  "reconciling": boolean,
  "createTime": string,
  "updateTime": string,
  "etag": string,
  "kubernetesVersion": string,
  "annotations": {
    string: string,
    ...
  },
  "workloadIdentityConfig": {
    object (WorkloadIdentityConfig)
  },
  "loggingConfig": {
    object (LoggingConfig)
  },
  "errors": [
    {
      object (AttachedClusterError)
    }
  ],
  "authorization": {
    object (AttachedClustersAuthorization)
  },
  "monitoringConfig": {
    object (MonitoringConfig)
  },
  "proxyConfig": {
    object (AttachedProxyConfig)
  },
  "binaryAuthorization": {
    object (BinaryAuthorization)
  },
  "securityPostureConfig": {
    object (SecurityPostureConfig)
  },
  "tags": {
    string: string,
    ...
  }
}
Fields
name

string

The name of this resource.

Cluster names are formatted as projects/<project-number>/locations/<region>/attachedClusters/<cluster-id>.

See Resource Names for more details on Google Cloud Platform resource names.

description

string

Optional. A human readable description of this cluster. Cannot be longer than 255 UTF-8 encoded bytes.

oidcConfig

object (AttachedOidcConfig)

Required. OpenID Connect (OIDC) configuration for the cluster.

platformVersion

string

Required. The platform version for the cluster (e.g. 1.19.0-gke.1000).

You can list all supported versions on a given Google Cloud region by calling locations.getAttachedServerConfig.

distribution

string

Required. The Kubernetes distribution of the underlying attached cluster.

Supported values: ["eks", "aks", "generic"].

clusterRegion

string

Output only. The region where this cluster runs.

For EKS clusters, this is an AWS region. For AKS clusters, this is an Azure region.

fleet

object (Fleet)

Required. Fleet configuration.

state

enum (State)

Output only. The current state of the cluster.

uid

string

Output only. A globally unique identifier for the cluster.

reconciling

boolean

Output only. If set, there are currently changes in flight to the cluster.

createTime

string (Timestamp format)

Output only. The time at which this cluster was registered.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The time at which this cluster was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

etag

string

Allows clients to perform consistent read-modify-writes through optimistic concurrency control.

Can be sent on update and delete requests to ensure the client has an up-to-date value before proceeding.

kubernetesVersion

string

Output only. The Kubernetes version of the cluster.

annotations

map (key: string, value: string)

Optional. Annotations on the cluster.

This field has the same restrictions as Kubernetes annotations. The total size of all keys and values combined is limited to 256k. A key can have 2 segments: prefix (optional) and name (required), separated by a slash (/). The prefix must be a DNS subdomain. The name must be 63 characters or less, begin and end with alphanumerics, with dashes (-), underscores (_), dots (.), and alphanumerics between.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
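The key and size rules above, expressed as a pre-submission check. This is an added example, not code from the page or from the Google Cloud client libraries; the 256k limit is taken as 256 * 1024 bytes and the 253-character prefix bound is assumed from the Kubernetes DNS subdomain rules.

```python
import re

# Constraints from the annotations field description above. The 256k total size
# limit is taken here as 256 * 1024 bytes (an assumption about the unit).
MAX_TOTAL_BYTES = 256 * 1024
MAX_NAME_LEN = 63
# name: alphanumerics at both ends, with dashes, underscores, dots and alphanumerics between
_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?$")
# one DNS subdomain label: lowercase alphanumerics and dashes, no dash at either end
_DNS_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

def _prefix_is_dns_subdomain(prefix: str) -> bool:
    # 253 is the DNS subdomain length limit Kubernetes applies; assumed here
    if not prefix or len(prefix) > 253:
        return False
    return all(_DNS_LABEL_RE.match(label) for label in prefix.split("."))

def annotation_key_errors(key: str) -> list:
    """Return the reasons an annotation key is invalid; an empty list means it is valid."""
    parts = key.split("/")
    if len(parts) > 2:
        return [f"{key!r}: a key has at most two segments separated by one '/'"]
    prefix, name = (parts[0], parts[1]) if len(parts) == 2 else (None, parts[0])
    errors = []
    if prefix is not None and not _prefix_is_dns_subdomain(prefix):
        errors.append(f"{key!r}: prefix {prefix!r} is not a DNS subdomain")
    if len(name) > MAX_NAME_LEN:
        errors.append(f"{key!r}: name is longer than {MAX_NAME_LEN} characters")
    if not _NAME_RE.match(name):
        errors.append(f"{key!r}: name must begin and end with an alphanumeric and use "
                      "only alphanumerics, '-', '_' and '.' between")
    return errors

def validate_annotations(annotations: dict) -> list:
    """Validate a whole annotations map and return every problem found."""
    total = sum(len(k.encode("utf-8")) + len(v.encode("utf-8")) for k, v in annotations.items())
    errors = [f"total size {total} bytes exceeds {MAX_TOTAL_BYTES}"] if total > MAX_TOTAL_BYTES else []
    for key in annotations:
        errors.extend(annotation_key_errors(key))
    return errors

# Constructed sample input (not from the page): two valid keys and three invalid ones.
SAMPLE_ANNOTATIONS = {
    "example.com/owner": "platform-team",
    "cost-center": "cc-1234",
    "-bad-start": "x",          # name must begin with an alphanumeric
    "Example.COM/team": "x",    # uppercase prefix is not a DNS subdomain
    "a/b/c": "x",               # too many segments
}
```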

workloadIdentityConfig

object (WorkloadIdentityConfig)

Output only. Workload Identity settings.

loggingConfig

object (LoggingConfig)

Optional. Logging configuration for this cluster.

errors[]

object (AttachedClusterError)

Output only. A set of errors found in the cluster.

authorization

object (AttachedClustersAuthorization)

Optional. Configuration related to the cluster RBAC settings.

monitoringConfig

object (MonitoringConfig)

Optional. Monitoring configuration for this cluster.

proxyConfig

object (AttachedProxyConfig)

Optional. Proxy configuration for outbound HTTP(S) traffic.

binaryAuthorization

object (BinaryAuthorization)

Optional. Binary Authorization configuration for this cluster.

securityPostureConfig

object (SecurityPostureConfig)

Optional. Security Posture configuration for this cluster.

tags

map (key: string, value: string)

Optional. Input only. Tag keys/values directly bound to this resource.

The short name of a tag key or value can have a maximum length of 256 characters. The permitted character set for the short name includes UTF-8 encoded Unicode characters except single quotes ('), double quotes ("), backslashes (\), and forward slashes (/).

See Tags for more details on Google Cloud Platform tags.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

AttachedOidcConfig

OIDC discovery information of the target cluster.

Kubernetes Service Account (KSA) tokens are JWT tokens signed by the cluster API server. This field indicates how Google Cloud Platform services validate KSA tokens in order to allow system workloads (such as GKE Connect and telemetry agents) to authenticate back to Google Cloud Platform.

Clusters with both public and private issuer URLs are supported. Clusters with public issuers only need to specify the issuerUrl field, while clusters with private issuers need to provide both issuerUrl and jwks.

JSON representation
{
  "issuerUrl": string,
  "jwks": string
}
Fields
issuerUrl

string

A JSON Web Token (JWT) issuer URI. The issuer URI must start with https://.

jwks

string (bytes format)

Optional. OIDC verification keys in JWKS format (RFC 7517). It contains a list of OIDC verification keys that can be used to verify OIDC JWTs.

This field is required for clusters that do not have a publicly available discovery endpoint. When provided, it is used directly to verify the OIDC JWT asserted by the IDP.

A base64-encoded string.
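Assembling the AttachedOidcConfig object for the two supported cases (public issuer: issuerUrl only; private issuer: issuerUrl plus a base64-encoded JWK Set). This is an added example, not code from the page or from Google's client libraries; the issuer URLs and the JWK Set are constructed placeholders.

```python
import base64
import json
from typing import Optional

def build_oidc_config(issuer_url: str, jwks_document: Optional[dict] = None) -> dict:
    """Build the AttachedOidcConfig JSON object described above.

    A cluster with a publicly reachable discovery endpoint only needs issuerUrl; a cluster
    whose issuer is private must also supply its JWKS, base64-encoded, in the jwks field.
    """
    if not issuer_url.startswith("https://"):
        raise ValueError(f"issuerUrl must start with https://, got {issuer_url!r}")
    config = {"issuerUrl": issuer_url}
    if jwks_document is not None:
        # Refuse to ship something that is not a JWK Set (RFC 7517): the keys in this
        # field are what Google Cloud will trust when validating KSA tokens.
        keys = jwks_document.get("keys")
        if not isinstance(keys, list) or not keys:
            raise ValueError("jwks must be a JWK Set with a non-empty 'keys' array")
        for jwk in keys:
            if not isinstance(jwk, dict) or "kty" not in jwk:
                raise ValueError("every entry in 'keys' must be a JWK with a 'kty' member")
        config["jwks"] = base64.b64encode(json.dumps(jwks_document).encode("utf-8")).decode("ascii")
    return config

def decode_jwks(config: dict) -> Optional[dict]:
    """Recover the JWK Set from a config produced above, or None for a public-issuer config."""
    if "jwks" not in config:
        return None
    return json.loads(base64.b64decode(config["jwks"]))

# Constructed sample JWK Set; the modulus is a placeholder, not real key material.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "sample-key-1",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
    ]
}

# Constructed issuer URLs for the two supported cases (placeholders, not from the page).
PUBLIC_ISSUER = "https://oidc.example-public.invalid/id/ABC123"
PRIVATE_ISSUER = "https://kubernetes.default.svc.cluster.local"
```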

State

The lifecycle state of the cluster.

Enums
STATE_UNSPECIFIED Not set.
PROVISIONING The PROVISIONING state indicates the cluster is being registered.
RUNNING The RUNNING state indicates the cluster has been registered and is fully usable.
RECONCILING The RECONCILING state indicates that some work is actively being done on the cluster, such as upgrading software components.
STOPPING The STOPPING state indicates the cluster is being de-registered.
ERROR The ERROR state indicates the cluster is in a broken, unrecoverable state.
DEGRADED The DEGRADED state indicates the cluster requires user action to restore full functionality.

AttachedClusterError

AttachedClusterError describes errors found on attached clusters.

JSON representation
{
  "message": string
}
Fields
message

string

Human-friendly description of the error.

AttachedClustersAuthorization

Configuration related to the cluster RBAC settings.

JSON representation
{
  "adminUsers": [
    {
      object (AttachedClusterUser)
    }
  ],
  "adminGroups": [
    {
      object (AttachedClusterGroup)
    }
  ]
}
Fields
adminUsers[]

object (AttachedClusterUser)

Optional. Users that can perform operations as a cluster admin. A managed ClusterRoleBinding will be created to grant the cluster-admin ClusterRole to the users. Up to ten admin users can be provided.

For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

adminGroups[]

object (AttachedClusterGroup)

Optional. Groups of users that can perform operations as a cluster admin. A managed ClusterRoleBinding will be created to grant the cluster-admin ClusterRole to the groups. Up to ten admin groups can be provided.

For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
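A review helper for the authorization block: it checks the documented limits (up to ten admin users and ten admin groups, each entry with its required name), lists the subjects that end up bound to the cluster-admin ClusterRole, and flags any principal missing from an approved allowlist. This is an added example, not code from the page or from Google; the identities are constructed placeholders, and the subject shape mirrors Kubernetes RBAC, not the service's internal object.

```python
MAX_ADMIN_SUBJECTS = 10  # the field descriptions allow up to ten admin users and ten admin groups

def validate_authorization(authorization: dict) -> list:
    """Check an AttachedClustersAuthorization object against the documented limits and
    required fields; returns a list of problems (empty means the block is acceptable)."""
    errors = []
    users = authorization.get("adminUsers", [])
    groups = authorization.get("adminGroups", [])
    if len(users) > MAX_ADMIN_SUBJECTS:
        errors.append(f"adminUsers has {len(users)} entries; at most {MAX_ADMIN_SUBJECTS} allowed")
    if len(groups) > MAX_ADMIN_SUBJECTS:
        errors.append(f"adminGroups has {len(groups)} entries; at most {MAX_ADMIN_SUBJECTS} allowed")
    errors += [f"adminUsers entry {u!r} lacks the required 'username'" for u in users if not u.get("username")]
    errors += [f"adminGroups entry {g!r} lacks the required 'group'" for g in groups if not g.get("group")]
    return errors

def cluster_admin_subjects(authorization: dict) -> list:
    """List the RBAC subjects that end up bound to the cluster-admin ClusterRole.

    This mirrors the documented effect (a managed ClusterRoleBinding granting cluster-admin);
    the shape follows Kubernetes RBAC subjects, not the service's internal object.
    """
    subjects = [{"kind": "User", "name": u["username"]} for u in authorization.get("adminUsers", [])]
    subjects += [{"kind": "Group", "name": g["group"]} for g in authorization.get("adminGroups", [])]
    return subjects

def unexpected_admins(authorization: dict, approved: set) -> list:
    """Return the cluster-admin principals absent from an approved allowlist, so a reviewer
    can spot admin grants that were never signed off."""
    return sorted(s["name"] for s in cluster_admin_subjects(authorization) if s["name"] not in approved)

# Constructed sample authorization block (identities are placeholders, not from the page).
SAMPLE_AUTHORIZATION = {
    "adminUsers": [{"username": "alice@example.com"}, {"username": "bob@example.com"}],
    "adminGroups": [{"group": "platform-admins@example.com"}],
}
APPROVED_ADMINS = {"alice@example.com", "platform-admins@example.com"}
```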

AttachedClusterUser

Identities of a user-type subject for Attached clusters.

JSON representation
{
  "username": string
}
Fields
username

string

Required. The name of the user, e.g. my-gcp-id@gmail.com.

AttachedClusterGroup

Identities of a group-type subject for Attached clusters.

JSON representation
{
  "group": string
}
Fields
group

string

Required. The name of the group, e.g. my-group@domain.com.

AttachedProxyConfig

Details of a proxy config.

JSON representation
{
  "kubernetesSecret": {
    object (KubernetesSecret)
  }
}
Fields
kubernetesSecret

object (KubernetesSecret)

The Kubernetes Secret resource that contains the HTTP(S) proxy configuration. The secret must be a JSON encoded proxy configuration as described in https://cloud.google.com/kubernetes-engine/multi-cloud/docs/attached/eks/how-to/use-a-proxy#configure-proxy-support for EKS clusters and https://cloud.google.com/kubernetes-engine/multi-cloud/docs/attached/aks/how-to/use-a-proxy#configure-proxy-support for AKS clusters.

KubernetesSecret

Information about a Kubernetes Secret.

JSON representation
{
  "name": string,
  "namespace": string
}
Fields
name

string

Name of the Kubernetes Secret.

namespace

string

Namespace in which the Kubernetes Secret is stored.

SecurityPostureConfig

SecurityPostureConfig defines the flags needed to enable/disable features for the Security Posture API.

JSON representation
{
  "vulnerabilityMode": enum (VulnerabilityMode)
}
Fields
vulnerabilityMode

enum (VulnerabilityMode)

Sets which mode to use for vulnerability scanning.

VulnerabilityMode

VulnerabilityMode defines enablement mode for vulnerability scanning.

Enums
VULNERABILITY_MODE_UNSPECIFIED Default value not specified.
VULNERABILITY_DISABLED Disables vulnerability scanning on the cluster.
VULNERABILITY_ENTERPRISE Applies Security Posture vulnerability scanning with Enterprise-level features to the cluster.

Methods

create

Creates a new AttachedCluster resource on a given Google Cloud Platform project and region.

delete

Deletes a specific AttachedCluster resource.

generateAttachedClusterAgentToken

Generates an access token for a cluster agent.

get

Describes a specific AttachedCluster resource.

import

Creates a new AttachedCluster resource by importing an existing Fleet Membership resource.

list

Lists all AttachedCluster resources on a given Google Cloud project and region.

patch

Updates an AttachedCluster.