REST Resource: projects.locations.features

Resource: Feature

Feature represents the settings and status of any Hub Feature.

JSON representation
{
  "name": string,
  "labels": {
    string: string,
    ...
  },
  "resourceState": {
    object (FeatureResourceState)
  },
  "spec": {
    object (CommonFeatureSpec)
  },
  "membershipSpecs": {
    string: {
      object (MembershipFeatureSpec)
    },
    ...
  },
  "state": {
    object (CommonFeatureState)
  },
  "membershipStates": {
    string: {
      object (MembershipFeatureState)
    },
    ...
  },
  "createTime": string,
  "updateTime": string,
  "deleteTime": string,
  "fleetDefaultMemberConfig": {
    object (CommonFleetDefaultMemberConfigSpec)
  },
  "scopeSpecs": {
    string: {
      object (ScopeFeatureSpec)
    },
    ...
  },
  "scopeStates": {
    string: {
      object (ScopeFeatureState)
    },
    ...
  }
}
Fields
name

string

Output only. The full, unique name of this Feature resource in the format projects/*/locations/*/features/*.

labels

map (key: string, value: string)

Labels for this Feature.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

resourceState

object (FeatureResourceState)

Output only. State of the Feature resource itself.

spec

object (CommonFeatureSpec)

Optional. Hub-wide Feature configuration. If this Feature does not support any Hub-wide configuration, this field may be unused.

membershipSpecs

map (key: string, value: object (MembershipFeatureSpec))

Optional. Membership-specific configuration for this Feature. If this Feature does not support any per-Membership configuration, this field may be unused.

The keys indicate which Membership the configuration is for, in the form:

projects/{p}/locations/{l}/memberships/{m}

Where {p} is the project, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} WILL match the Feature's project.

{p} will always be returned as the project number, but the project ID is also accepted during input. If the same Membership is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

state

object (CommonFeatureState)

Output only. The Hub-wide Feature state.

membershipStates

map (key: string, value: object (MembershipFeatureState))

Output only. Membership-specific Feature status. If this Feature does report any per-Membership status, this field may be unused.

The keys indicate which Membership the state is for, in the form:

projects/{p}/locations/{l}/memberships/{m}

Where {p} is the project number, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} MUST match the Feature's project number.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

createTime

string (Timestamp format)

Output only. When the Feature resource was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. When the Feature resource was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deleteTime

string (Timestamp format)

Output only. When the Feature resource was deleted.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

fleetDefaultMemberConfig

object (CommonFleetDefaultMemberConfigSpec)

Optional. Feature configuration applicable to all memberships of the fleet.

scopeSpecs

map (key: string, value: object (ScopeFeatureSpec))

Optional. Scope-specific configuration for this Feature. If this Feature does not support any per-Scope configuration, this field may be unused.

The keys indicate which Scope the configuration is for, in the form:

projects/{p}/locations/global/scopes/{s}

Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project.

{p} will always be returned as the project number, but the project ID is also accepted during input. If the same Scope is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

scopeStates

map (key: string, value: object (ScopeFeatureState))

Output only. Scope-specific Feature status. If this Feature does report any per-Scope status, this field may be unused.

The keys indicate which Scope the state is for, in the form:

projects/{p}/locations/global/scopes/{s}

Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

FeatureResourceState

FeatureResourceState describes the state of a Feature resource in the GkeHub API. See FeatureState for the "running state" of the Feature in the Hub and across Memberships.

JSON representation
{
  "state": enum (FeatureResourceState.State)
}
Fields
state

enum (FeatureResourceState.State)

The current state of the Feature resource in the Hub API.

FeatureResourceState.State

State describes the lifecycle status of a Feature.

Enums
STATE_UNSPECIFIED State is unknown or not set.
ENABLING The Feature is being enabled, and the Feature resource is being created. Once complete, the corresponding Feature will be enabled in this Hub.
ACTIVE The Feature is enabled in this Hub, and the Feature resource is fully available.
DISABLING The Feature is being disabled in this Hub, and the Feature resource is being deleted.
UPDATING The Feature resource is being updated.
SERVICE_UPDATING The Feature resource is being updated by the Hub Service.

CommonFeatureSpec

CommonFeatureSpec contains Hub-wide configuration information

JSON representation
{

  // Union field feature_spec can be only one of the following:
  "multiclusteringress": {
    object (FeatureSpec)
  },
  "appdevexperience": {
    object (AppDevExperienceFeatureSpec)
  },
  "anthosobservability": {
    object (AnthosObservabilityFeatureSpec)
  },
  "fleetobservability": {
    object (FeatureSpec)
  },
  "clusterupgrade": {
    object (FleetSpec)
  },
  "dataplanev2": {
    object (FeatureSpec)
  }
  // End of list of possible types for union field feature_spec.
}
Fields

Union field feature_spec.

feature_spec can be only one of the following:

multiclusteringress

object (FeatureSpec)

Multicluster Ingress-specific spec.

appdevexperience

object (AppDevExperienceFeatureSpec)

Appdevexperience specific spec.

anthosobservability

object (AnthosObservabilityFeatureSpec)

Anthos Observability spec

fleetobservability

object (FeatureSpec)

FleetObservability feature spec.

clusterupgrade

object (FleetSpec)

ClusterUpgrade (fleet-based) feature spec.

dataplanev2

object (FeatureSpec)

DataplaneV2 feature spec.

FeatureSpec

Multi-cluster Ingress: The configuration for the MultiClusterIngress feature.

JSON representation
{
  "configMembership": string,
  "billing": enum (Billing)
}
Fields
configMembership

string

Fully-qualified Membership name which hosts the MultiClusterIngress CRD. Example: projects/foo-proj/locations/global/memberships/bar

billing
(deprecated)

enum (Billing)

Deprecated: This field will be ignored and should not be set. Customer's billing structure.

Billing

Deprecated: The FeatureSpec.billing field is no longer used. Billing identifies which billing structure the customer is using.

Enums
BILLING_UNSPECIFIED Unknown
PAY_AS_YOU_GO User pays a fee per-endpoint.
ANTHOS_LICENSE User is paying for Anthos as a whole.

AnthosObservabilityFeatureSpec

Anthos Observability: Spec

JSON representation
{
  "defaultMembershipSpec": {
    object (AnthosObservabilityMembershipSpec)
  }
}
Fields
defaultMembershipSpec

object (AnthosObservabilityMembershipSpec)

Default membership spec for unconfigured memberships

AnthosObservabilityMembershipSpec

Anthosobservability: Per-Membership Feature spec.

JSON representation
{
  "enableStackdriverOnApplications": boolean,
  "doNotOptimizeMetrics": boolean,
  "version": string
}
Fields
enableStackdriverOnApplications

boolean

Enable collecting and reporting metrics and logs from user apps.

doNotOptimizeMetrics

boolean

Use full of metrics rather than optimized metrics. See https://cloud.google.com/anthos/clusters/docs/on-prem/1.8/concepts/logging-and-monitoring#optimized_metrics_default_metrics

version

string

the version of stackdriver operator used by this feature

FeatureSpec

Fleet Observability: The Hub-wide input for the FleetObservability feature.

JSON representation
{
  "loggingConfig": {
    object (LoggingConfig)
  }
}
Fields
loggingConfig

object (LoggingConfig)

Specified if fleet logging feature is enabled for the entire fleet. If UNSPECIFIED, fleet logging feature is disabled for the entire fleet.

LoggingConfig

LoggingConfig defines the configuration for different types of logs.

JSON representation
{
  "defaultConfig": {
    object (RoutingConfig)
  },
  "fleetScopeLogsConfig": {
    object (RoutingConfig)
  }
}
Fields
defaultConfig

object (RoutingConfig)

Specified if applying the default routing config to logs not specified in other configs.

fleetScopeLogsConfig

object (RoutingConfig)

Specified if applying the routing config to all logs for all fleet scopes.

RoutingConfig

RoutingConfig configures the behaviour of fleet logging feature.

JSON representation
{
  "mode": enum (RoutingConfig.Mode)
}
Fields
mode

enum (RoutingConfig.Mode)

mode configures the logs routing mode.

RoutingConfig.Mode

Specified if fleet logging feature is enabled.

Enums
MODE_UNSPECIFIED If UNSPECIFIED, fleet logging feature is disabled.
COPY logs will be copied to the destination project.
MOVE logs will be moved to the destination project.

FleetSpec

ClusterUpgrade: The configuration for the fleet-level ClusterUpgrade feature.

JSON representation
{
  "upstreamFleets": [
    string
  ],
  "postConditions": {
    object (PostConditions)
  },
  "gkeUpgradeOverrides": [
    {
      object (GKEUpgradeOverride)
    }
  ]
}
Fields
upstreamFleets[]

string

This fleet consumes upgrades that have COMPLETE status code in the upstream fleets. See UpgradeStatus.Code for code definitions.

The fleet name should be either fleet project number or id.

This is defined as repeated for future proof reasons. Initial implementation will enforce at most one upstream fleet.

postConditions

object (PostConditions)

Required. Post conditions to evaluate to mark an upgrade COMPLETE. Required.

gkeUpgradeOverrides[]

object (GKEUpgradeOverride)

Allow users to override some properties of each GKE upgrade.

PostConditions

Post conditional checks after an upgrade has been applied on all eligible clusters.

JSON representation
{
  "soaking": string
}
Fields
soaking

string (Duration format)

Required. Amount of time to "soak" after a rollout has been finished before marking it COMPLETE. Cannot exceed 30 days. Required.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

GKEUpgradeOverride

Properties of a GKE upgrade that can be overridden by the user. For example, a user can skip soaking by overriding the soaking to 0.

JSON representation
{
  "upgrade": {
    object (GKEUpgrade)
  },
  "postConditions": {
    object (PostConditions)
  }
}
Fields
upgrade

object (GKEUpgrade)

Required. Which upgrade to override. Required.

postConditions

object (PostConditions)

Required. Post conditions to override for the specified upgrade (name + version). Required.

GKEUpgrade

GKEUpgrade represents a GKE provided upgrade, e.g., control plane upgrade.

JSON representation
{
  "name": string,
  "version": string
}
Fields
name

string

Name of the upgrade, e.g., "k8s_control_plane". It should be a valid upgrade name. It must not exceet 99 characters.

version

string

Version of the upgrade, e.g., "1.22.1-gke.100". It should be a valid version. It must not exceet 99 characters.

FeatureSpec

Dataplane V2: Spec

JSON representation
{
  "enableEncryption": boolean
}
Fields
enableEncryption

boolean

Enable dataplane-v2 based encryption for multiple clusters.

MembershipFeatureSpec

MembershipFeatureSpec contains configuration information for a single Membership. NOTE: Please use snake case in your feature name.

JSON representation
{
  "origin": {
    object (MembershipFeatureSpec.Origin)
  },

  // Union field feature_spec can be only one of the following:
  "configmanagement": {
    object (MembershipSpec)
  },
  "cloudbuild": {
    object (MembershipSpec)
  },
  "identityservice": {
    object (MembershipSpec)
  },
  "mesh": {
    object (MembershipSpec)
  },
  "anthosobservability": {
    object (AnthosObservabilityMembershipSpec)
  },
  "policycontroller": {
    object (MembershipSpec)
  },
  "fleetobservability": {
    object (MembershipSpec)
  }
  // End of list of possible types for union field feature_spec.
}
Fields
origin

object (MembershipFeatureSpec.Origin)

Whether this per-Membership spec was inherited from a fleet-level default. This field can be updated by users by either overriding a Membership config (updated to USER implicitly) or setting to FLEET explicitly.

Union field feature_spec.

feature_spec can be only one of the following:

configmanagement

object (MembershipSpec)

Config Management-specific spec.

cloudbuild

object (MembershipSpec)

Cloud Build-specific spec

identityservice

object (MembershipSpec)

Identity Service-specific spec.

mesh

object (MembershipSpec)

Anthos Service Mesh-specific spec

anthosobservability

object (AnthosObservabilityMembershipSpec)

Anthos Observability-specific spec

policycontroller

object (MembershipSpec)

Policy Controller spec.

fleetobservability

object (MembershipSpec)

Fleet observability membership spec

MembershipSpec

Anthos Config Management: Configuration for a single cluster. Intended to parallel the ConfigManagement CR.

JSON representation
{
  "configSync": {
    object (ConfigSync)
  },
  "policyController": {
    object (PolicyController)
  },
  "binauthz": {
    object (BinauthzConfig)
  },
  "hierarchyController": {
    object (HierarchyControllerConfig)
  },
  "version": string,
  "cluster": string
}
Fields
configSync

object (ConfigSync)

Config Sync configuration for the cluster.

policyController

object (PolicyController)

Policy Controller configuration for the cluster.

binauthz
(deprecated)

object (BinauthzConfig)

Binauthz conifguration for the cluster. Deprecated: This field will be ignored and should not be set.

hierarchyController

object (HierarchyControllerConfig)

Hierarchy Controller configuration for the cluster.

version

string

Version of ACM installed.

cluster

string

The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector.

ConfigSync

Configuration for Config Sync

JSON representation
{
  "git": {
    object (GitConfig)
  },
  "sourceFormat": string,
  "preventDrift": boolean,
  "oci": {
    object (OciConfig)
  },
  "allowVerticalScale": boolean,
  "metricsGcpServiceAccountEmail": string,
  "enabled": boolean
}
Fields
git

object (GitConfig)

Git repo configuration for the cluster.

sourceFormat

string

Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.

preventDrift

boolean

Set to true to enable the Config Sync admission webhook to prevent drifts. If set to false, disables the Config Sync admission webhook and does not prevent drifts.

oci

object (OciConfig)

OCI repo configuration for the cluster

allowVerticalScale
(deprecated)

boolean

Set to true to allow the vertical scaling. Defaults to false which disallows vertical scaling. This field is deprecated.

metricsGcpServiceAccountEmail

string

The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount default in the namespace config-management-monitoring should be bound to the GSA.

enabled

boolean

Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if exist. If set to false, all other ConfigSync fields will be ignored, ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depends on the presence of the git or oci field.

GitConfig

Git repo configuration for a single cluster.

JSON representation
{
  "syncRepo": string,
  "syncBranch": string,
  "policyDir": string,
  "syncWaitSecs": string,
  "syncRev": string,
  "secretType": string,
  "httpsProxy": string,
  "gcpServiceAccountEmail": string
}
Fields
syncRepo

string

The URL of the Git repository to use as the source of truth.

syncBranch

string

The branch of the repository to sync from. Default: master.

policyDir

string

The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.

syncWaitSecs

string (int64 format)

Period in seconds between consecutive syncs. Default: 15.

syncRev

string

Git revision (tag or hash) to check out. Default HEAD.

secretType

string

Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. The validation of this is case-sensitive. Required.

httpsProxy

string

URL for the HTTPS proxy to be used when communicating with the Git repo.

gcpServiceAccountEmail

string

The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount.

OciConfig

OCI repo configuration for a single cluster

JSON representation
{
  "syncRepo": string,
  "policyDir": string,
  "syncWaitSecs": string,
  "secretType": string,
  "gcpServiceAccountEmail": string
}
Fields
syncRepo

string

The OCI image repository URL for the package to sync from. e.g. LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME.

policyDir

string

The absolute path of the directory that contains the local resources. Default: the root directory of the image.

syncWaitSecs

string (int64 format)

Period in seconds between consecutive syncs. Default: 15.

secretType

string

Type of secret configured for access to the Git repo.

gcpServiceAccountEmail

string

The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount.

PolicyController

Configuration for Policy Controller

JSON representation
{
  "enabled": boolean,
  "exemptableNamespaces": [
    string
  ],
  "referentialRulesEnabled": boolean,
  "logDeniesEnabled": boolean,
  "mutationEnabled": boolean,
  "monitoring": {
    object (PolicyControllerMonitoring)
  },
  "updateTime": string,
  "templateLibraryInstalled": boolean,
  "auditIntervalSeconds": string
}
Fields
enabled

boolean

Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect.

exemptableNamespaces[]

string

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.

referentialRulesEnabled

boolean

Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.

logDeniesEnabled

boolean

Logs all denies and dry run failures.

mutationEnabled

boolean

Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster.

monitoring

object (PolicyControllerMonitoring)

Monitoring specifies the configuration of monitoring.

updateTime

string (Timestamp format)

Output only. Last time this membership spec was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

templateLibraryInstalled

boolean

Installs the default template library along with Policy Controller.

auditIntervalSeconds

string (int64 format)

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

PolicyControllerMonitoring

PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]

JSON representation
{
  "backends": [
    enum (PolicyControllerMonitoring.MonitoringBackend)
  ]
}
Fields
backends[]

enum (PolicyControllerMonitoring.MonitoringBackend)

Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.

PolicyControllerMonitoring.MonitoringBackend

Supported backend options for monitoring

Enums
MONITORING_BACKEND_UNSPECIFIED Backend cannot be determined
PROMETHEUS Prometheus backend for monitoring
CLOUD_MONITORING Stackdriver/Cloud Monitoring backend for monitoring

BinauthzConfig

Configuration for Binauthz

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether binauthz is enabled in this cluster.

HierarchyControllerConfig

Configuration for Hierarchy Controller

JSON representation
{
  "enabled": boolean,
  "enablePodTreeLabels": boolean,
  "enableHierarchicalResourceQuota": boolean
}
Fields
enabled

boolean

Whether Hierarchy Controller is enabled in this cluster.

enablePodTreeLabels

boolean

Whether pod tree labels are enabled in this cluster.

enableHierarchicalResourceQuota

boolean

Whether hierarchical resource quota is enabled in this cluster.

MembershipSpec

Cloud Build: Configurations for each Cloud Build enabled cluster.

JSON representation
{
  "version": string,
  "securityPolicy": enum (MembershipSpec.SecurityPolicy)
}
Fields
version

string

Version of the cloud build software on the cluster.

securityPolicy

enum (MembershipSpec.SecurityPolicy)

Whether it is allowed to run the privileged builds on the cluster or not.

MembershipSpec.SecurityPolicy

Different security policies we can apply to the cluster.

Enums
SECURITY_POLICY_UNSPECIFIED Unspecified policy
NON_PRIVILEGED Privileged build pods are disallowed
PRIVILEGED Privileged build pods are allowed

MembershipSpec

Anthos Identity Service: Configuration for a single Membership.

JSON representation
{
  "authMethods": [
    {
      object (MembershipSpec.AuthMethod)
    }
  ]
}
Fields
authMethods[]

object (MembershipSpec.AuthMethod)

A member may support multiple auth methods.

MembershipSpec.AuthMethod

Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC and LDAP) can be set per AuthMethod.

JSON representation
{
  "name": string,
  "proxy": string,

  // Union field auth_config can be only one of the following:
  "oidcConfig": {
    object (MembershipSpec.AuthMethod.OidcConfig)
  },
  "azureadConfig": {
    object (MembershipSpec.AuthMethod.AzureADConfig)
  },
  "googleConfig": {
    object (MembershipSpec.AuthMethod.GoogleConfig)
  }
  // End of list of possible types for union field auth_config.
}
Fields
name

string

Identifier for auth config.

proxy

string

Proxy server address to use for auth method.

Union field auth_config. supported auth configurations. auth_config can be only one of the following:
oidcConfig

object (MembershipSpec.AuthMethod.OidcConfig)

OIDC specific configuration.

azureadConfig

object (MembershipSpec.AuthMethod.AzureADConfig)

AzureAD specific Configuration.

googleConfig

object (MembershipSpec.AuthMethod.GoogleConfig)

GoogleConfig specific configuration.

MembershipSpec.AuthMethod.OidcConfig

Configuration for OIDC Auth flow.

JSON representation
{
  "clientId": string,
  "certificateAuthorityData": string,
  "issuerUri": string,
  "kubectlRedirectUri": string,
  "scopes": string,
  "extraParams": string,
  "userClaim": string,
  "userPrefix": string,
  "groupsClaim": string,
  "groupPrefix": string,
  "deployCloudConsoleProxy": boolean,
  "clientSecret": string,
  "encryptedClientSecret": string,
  "enableAccessToken": boolean
}
Fields
clientId

string

ID for OIDC client application.

certificateAuthorityData

string

PEM-encoded CA for OIDC provider.

issuerUri

string

URI for the OIDC provider. This should point to the level below .well-known/openid-configuration.

kubectlRedirectUri

string

Registered redirect uri to redirect users going through OAuth flow using kubectl plugin.

scopes

string

Comma-separated list of identifiers.

extraParams

string

Comma-separated list of key-value pairs.

userClaim

string

Claim in OIDC ID token that holds username.

userPrefix

string

Prefix to prepend to user name.

groupsClaim

string

Claim in OIDC ID token that holds group information.

groupPrefix

string

Prefix to prepend to group name.

deployCloudConsoleProxy

boolean

Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console.

clientSecret

string

Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH.

encryptedClientSecret

string (bytes format)

Output only. Encrypted OIDC Client secret

A base64-encoded string.

enableAccessToken

boolean

Enable access token.

MembershipSpec.AuthMethod.AzureADConfig

Configuration for the AzureAD Auth flow.

JSON representation
{
  "clientId": string,
  "tenant": string,
  "kubectlRedirectUri": string,
  "clientSecret": string,
  "encryptedClientSecret": string
}
Fields
clientId

string

ID for the registered client application that makes authentication requests to the Azure AD identity provider.

tenant

string

Kind of Azure AD account to be authenticated. Supported values are or for accounts belonging to a specific tenant.

kubectlRedirectUri

string

The redirect URL that kubectl uses for authorization.

clientSecret

string

Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH.

encryptedClientSecret

string (bytes format)

Output only. Encrypted AzureAD client secret.

A base64-encoded string.

MembershipSpec.AuthMethod.GoogleConfig

Configuration for the Google Plugin Auth flow.

JSON representation
{
  "disable": boolean
}
Fields
disable

boolean

Disable automatic configuration of Google Plugin on supported platforms.

MembershipSpec

Service Mesh: Spec for a single Membership for the servicemesh feature

JSON representation
{
  "controlPlane": enum (MembershipSpec.ControlPlaneManagement),
  "management": enum (MembershipSpec.Management)
}
Fields
controlPlane
(deprecated)

enum (MembershipSpec.ControlPlaneManagement)

Deprecated: use management instead Enables automatic control plane management.

management

enum (MembershipSpec.Management)

Enables automatic Service Mesh management.

MembershipSpec.ControlPlaneManagement

Whether to automatically manage Service Mesh control planes.

Enums
CONTROL_PLANE_MANAGEMENT_UNSPECIFIED Unspecified
AUTOMATIC Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install.
MANUAL User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API)

MembershipSpec.Management

Whether to automatically manage Service Mesh.

Enums
MANAGEMENT_UNSPECIFIED Unspecified
MANAGEMENT_AUTOMATIC Google should manage my Service Mesh for the cluster.
MANAGEMENT_MANUAL User will manually configure their service mesh components.

MembershipSpec

Policy Controller: Configuration for a single cluster. Intended to parallel the PolicyController CR.

JSON representation
{
  "policyControllerHubConfig": {
    object (HubConfig)
  },
  "version": string
}
Fields
policyControllerHubConfig

object (HubConfig)

Policy Controller configuration for the cluster.

version

string

Version of Policy Controller installed.

HubConfig

Configuration for Policy Controller

JSON representation
{
  "installSpec": enum (HubConfig.InstallSpec),
  "exemptableNamespaces": [
    string
  ],
  "referentialRulesEnabled": boolean,
  "logDeniesEnabled": boolean,
  "mutationEnabled": boolean,
  "deploymentConfigs": {
    string: {
      object (PolicyControllerDeploymentConfig)
    },
    ...
  },
  "auditIntervalSeconds": string,
  "monitoring": {
    object (MonitoringConfig)
  },
  "policyContent": {
    object (PolicyContentSpec)
  },
  "constraintViolationLimit": string
}
Fields
installSpec

enum (HubConfig.InstallSpec)

The installSpec represents the intended state specified by the latest request that mutated installSpec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state.

exemptableNamespaces[]

string

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.

referentialRulesEnabled

boolean

Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.

logDeniesEnabled

boolean

Logs all denies and dry run failures.

mutationEnabled

boolean

Enables the ability to mutate resources using Policy Controller.

deploymentConfigs

map (key: string, value: object (PolicyControllerDeploymentConfig))

Map of deployment configs to deployments ("admission", "audit", "mutation').

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

auditIntervalSeconds

string (int64 format)

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

monitoring

object (MonitoringConfig)

Monitoring specifies the configuration of monitoring.

policyContent

object (PolicyContentSpec)

Specifies the desired policy content on the cluster

constraintViolationLimit

string (int64 format)

The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used.

HubConfig.InstallSpec

The set of installation specs that the Hub Feature controller may actuate.

Enums
INSTALL_SPEC_UNSPECIFIED Spec is unknown.
INSTALL_SPEC_NOT_INSTALLED Request to uninstall Policy Controller.
INSTALL_SPEC_ENABLED Request to install and enable Policy Controller.
INSTALL_SPEC_SUSPENDED Request to suspend Policy Controller i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended.
INSTALL_SPEC_DETACHED Request to stop all reconciliation actions by PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources.

MonitoringConfig

MonitoringConfig specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]

JSON representation
{
  "backends": [
    enum (MonitoringConfig.MonitoringBackend)
  ]
}
Fields
backends[]

enum (MonitoringConfig.MonitoringBackend)

Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.

MonitoringConfig.MonitoringBackend

Supported backend options for monitoring

Enums
MONITORING_BACKEND_UNSPECIFIED Backend cannot be determined
PROMETHEUS Prometheus backend for monitoring
CLOUD_MONITORING Stackdriver/Cloud Monitoring backend for monitoring

PolicyContentSpec

PolicyContentSpec defines the user's desired content configuration on the cluster.

JSON representation
{
  "bundles": {
    string: {
      object (BundleInstallSpec)
    },
    ...
  },
  "templateLibrary": {
    object (TemplateLibraryConfig)
  }
}
Fields
bundles

map (key: string, value: object (BundleInstallSpec))

map of bundle name to BundleInstallSpec. The bundle name maps to the bundleName key in the policycontroller.gke.io/constraintData annotation on a constraint.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

templateLibrary

object (TemplateLibraryConfig)

Configures the installation of the Template Library.

BundleInstallSpec

BundleInstallSpec is the specification configuration for a single managed bundle.

JSON representation
{
  "exemptedNamespaces": [
    string
  ]
}
Fields
exemptedNamespaces[]

string

The set of namespaces to be exempted from the bundle.

TemplateLibraryConfig

The config specifying which default library templates to install.

JSON representation
{
  "installation": enum (TemplateLibraryConfig.Installation)
}
Fields
installation

enum (TemplateLibraryConfig.Installation)

Configures the manner in which the template library is installed on the cluster.

TemplateLibraryConfig.Installation

How the template library should be installed

Enums
INSTALLATION_UNSPECIFIED No installation strategy has been specified.
NOT_INSTALLED Do not install the template library.
ALL Install the entire template library.

PolicyControllerDeploymentConfig

Deployment-specific configuration.

JSON representation
{
  "podTolerations": [
    {
      object (PolicyControllerDeploymentConfig.Toleration)
    }
  ],
  "podAffinity": enum (PolicyControllerDeploymentConfig.Affinity),
  "replicaCount": string,
  "containerResources": {
    object (ResourceRequirements)
  },
  "podAntiAffinity": boolean
}
Fields
podTolerations[]

object (PolicyControllerDeploymentConfig.Toleration)

Pod tolerations of node taints.

podAffinity

enum (PolicyControllerDeploymentConfig.Affinity)

Pod affinity configuration.

replicaCount

string (int64 format)

Pod replica count.

containerResources

object (ResourceRequirements)

Container resource requirements.

podAntiAffinity
(deprecated)

boolean

Pod anti-affinity enablement. Deprecated: use podAffinity instead.

ResourceRequirements

ResourceRequirements describes the compute resource requirements.

JSON representation
{
  "limits": {
    object (ResourceList)
  },
  "requests": {
    object (ResourceList)
  }
}
Fields
limits

object (ResourceList)

Limits describes the maximum amount of compute resources allowed for use by the running container.

requests

object (ResourceList)

Requests describes the amount of compute resources reserved for the container by the kube-scheduler.

ResourceList

ResourceList contains container resource requirements.

JSON representation
{
  "memory": string,
  "cpu": string
}
Fields
memory

string

Memory requirement expressed in Kubernetes resource units.

cpu

string

CPU requirement expressed in Kubernetes resource units.

PolicyControllerDeploymentConfig.Toleration

Toleration of a node taint.

JSON representation
{
  "key": string,
  "operator": string,
  "value": string,
  "effect": string
}
Fields
key

string

Matches a taint key (not necessarily unique).

operator

string

Matches a taint operator.

value

string

Matches a taint value.

effect

string

Matches a taint effect.

PolicyControllerDeploymentConfig.Affinity

The pod affinity configuration used by a deployment.

Enums
AFFINITY_UNSPECIFIED No affinity configuration has been specified.
NO_AFFINITY Affinity configurations will be removed from the deployment.
ANTI_AFFINITY Anti-affinity configuration will be applied to this deployment. Default for admissions deployment.

MembershipSpec

This type has no fields.

FleetObservability: The membership-specific input for FleetObservability feature.

MembershipFeatureSpec.Origin

Origin defines where this MembershipFeatureSpec originated from.

JSON representation
{
  "type": enum (MembershipFeatureSpec.Origin.Type)
}
Fields
type

enum (MembershipFeatureSpec.Origin.Type)

Type specifies which type of origin is set.

MembershipFeatureSpec.Origin.Type

Type specifies the persona that persisted the config.

Enums
TYPE_UNSPECIFIED Type is unknown or not set.
FLEET Per-Membership spec was inherited from the fleet-level default.
FLEET_OUT_OF_SYNC Per-Membership spec was inherited from the fleet-level default but is now out of sync with the current default.
USER Per-Membership spec was inherited from a user specification.

CommonFeatureState

CommonFeatureState contains Hub-wide Feature status information.

JSON representation
{
  "state": {
    object (FeatureState)
  },

  // Union field feature_state can be only one of the following:
  "appdevexperience": {
    object (AppDevExperienceFeatureState)
  },
  "fleetobservability": {
    object (FeatureState)
  },
  "clusterupgrade": {
    object (FleetState)
  }
  // End of list of possible types for union field feature_state.
}
Fields
state

object (FeatureState)

Output only. The "running state" of the Feature in this Hub.

Union field feature_state.

feature_state can be only one of the following:

appdevexperience

object (AppDevExperienceFeatureState)

Appdevexperience specific state.

fleetobservability

object (FeatureState)

FleetObservability feature state.

clusterupgrade

object (FleetState)

ClusterUpgrade fleet-level state.

FeatureState

FleetObservability: Hub-wide Feature for FleetObservability feature. state.

JSON representation
{
  "logging": {
    object (FleetObservabilityLoggingState)
  },
  "monitoring": {
    object (FleetObservabilityMonitoringState)
  }
}
Fields
logging

object (FleetObservabilityLoggingState)

The feature state of default logging.

monitoring

object (FleetObservabilityMonitoringState)

The feature state of fleet monitoring.

FleetObservabilityLoggingState

Feature state for logging feature.

JSON representation
{
  "defaultLog": {
    object (FleetObservabilityBaseFeatureState)
  },
  "scopeLog": {
    object (FleetObservabilityBaseFeatureState)
  }
}
Fields
defaultLog

object (FleetObservabilityBaseFeatureState)

The base feature state of fleet default log.

scopeLog

object (FleetObservabilityBaseFeatureState)

The base feature state of fleet scope log.

FleetObservabilityBaseFeatureState

Base state for fleet observability feature.

JSON representation
{
  "code": enum (FleetObservabilityBaseFeatureState.Code),
  "errors": [
    {
      object (FleetObservabilityBaseFeatureState.FeatureError)
    }
  ]
}
Fields
code

enum (FleetObservabilityBaseFeatureState.Code)

The high-level, machine-readable status of this Feature.

errors[]

object (FleetObservabilityBaseFeatureState.FeatureError)

Errors after reconciling the monitoring and logging feature if the code is not OK.

FleetObservabilityBaseFeatureState.Code

Code represents a machine-readable, high-level status of the Feature.

Enums
CODE_UNSPECIFIED Unknown or not set.
OK The Feature is operating normally.
ERROR The Feature is encountering errors in the reconciliation. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.

FleetObservabilityBaseFeatureState.FeatureError

All error details of the fleet observability feature.

JSON representation
{
  "code": string,
  "description": string
}
Fields
code

string

The code of the error.

description

string

A human-readable description of the current status.

FleetObservabilityMonitoringState

Feature state for monitoring feature.

JSON representation
{
  "state": {
    object (FleetObservabilityBaseFeatureState)
  }
}
Fields
state

object (FleetObservabilityBaseFeatureState)

The base feature state of fleet monitoring feature.

FleetState

ClusterUpgrade: The state for the fleet-level ClusterUpgrade feature.

JSON representation
{
  "downstreamFleets": [
    string
  ],
  "ignored": {
    string: {
      object (IgnoredMembership)
    },
    ...
  },
  "gkeState": {
    object (GKEUpgradeFeatureState)
  }
}
Fields
downstreamFleets[]

string

This fleets whose upstreamFleets contain the current fleet.

The fleet name should be either fleet project number or id.

ignored

map (key: string, value: object (IgnoredMembership))

A list of memberships ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of its release channel. The membership resource is in the format: projects/{p}/locations/{l}/membership/{m}.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

gkeState

object (GKEUpgradeFeatureState)

Feature state for GKE clusters.

IgnoredMembership

IgnoredMembership represents a membership ignored by the feature. A membership can be ignored because it was manually upgraded to a newer version than RC default.

JSON representation
{
  "reason": string,
  "ignoredTime": string
}
Fields
reason

string

Reason why the membership is ignored.

ignoredTime

string (Timestamp format)

Time when the membership was first set to ignored.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

GKEUpgradeFeatureState

GKEUpgradeFeatureState contains feature states for GKE clusters in the scope.

JSON representation
{
  "upgradeState": [
    {
      object (GKEUpgradeState)
    }
  ],
  "conditions": [
    {
      object (GKEUpgradeFeatureCondition)
    }
  ]
}
Fields
upgradeState[]

object (GKEUpgradeState)

Upgrade state. It will eventually replace state.

conditions[]

object (GKEUpgradeFeatureCondition)

Current conditions of the feature.

GKEUpgradeState

GKEUpgradeState is a GKEUpgrade and its state at the scope and fleet level.

JSON representation
{
  "stats": {
    string: string,
    ...
  },
  "upgrade": {
    object (GKEUpgrade)
  },
  "status": {
    object (UpgradeStatus)
  }
}
Fields
stats

map (key: string, value: string (int64 format))

Number of GKE clusters in each status code.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

upgrade

object (GKEUpgrade)

Which upgrade to track the state.

status

object (UpgradeStatus)

Status of the upgrade.

UpgradeStatus

UpgradeStatus provides status information for each upgrade.

JSON representation
{
  "code": enum (UpgradeStatus.Code),
  "reason": string,
  "updateTime": string
}
Fields
code

enum (UpgradeStatus.Code)

Status code of the upgrade.

reason

string

Reason for this status.

updateTime

string (Timestamp format)

Last timestamp the status was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

UpgradeStatus.Code

Status code of an upgrade.

Enums
CODE_UNSPECIFIED Required by https://linter.aip.dev/126/unspecified.
INELIGIBLE The upgrade is ineligible. At the scope level, this means the upgrade is ineligible for all the clusters in the scope.
PENDING The upgrade is pending. At the scope level, this means the upgrade is pending for all the clusters in the scope.
IN_PROGRESS The upgrade is in progress. At the scope level, this means the upgrade is in progress for at least one cluster in the scope.
SOAKING The upgrade has finished and is soaking until the soaking time is up. At the scope level, this means at least one cluster is in soaking while the rest are either soaking or complete.
FORCED_SOAKING A cluster will be forced to enter soaking if an upgrade doesn't finish within a certain limit, despite it's actual status.
COMPLETE The upgrade has passed all post conditions (soaking). At the scope level, this means all eligible clusters are in COMPLETE status.

GKEUpgradeFeatureCondition

GKEUpgradeFeatureCondition describes the condition of the feature for GKE clusters at a certain point of time.

JSON representation
{
  "type": string,
  "status": string,
  "reason": string,
  "updateTime": string
}
Fields
type

string

Type of the condition, for example, "ready".

status

string

Status of the condition, one of True, False, Unknown.

reason

string

Reason why the feature is in this status.

updateTime

string (Timestamp format)

Last timestamp the condition was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

FeatureState

FeatureState describes the high-level state of a Feature. It may be used to describe a Feature's state at the environ-level, or per-membershop, depending on the context.

JSON representation
{
  "code": enum (FeatureState.Code),
  "description": string,
  "updateTime": string
}
Fields
code

enum (FeatureState.Code)

The high-level, machine-readable status of this Feature.

description

string

A human-readable description of the current status.

updateTime

string (Timestamp format)

The time this status and any related Feature-specific details were updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

FeatureState.Code

Code represents a machine-readable, high-level status of the Feature.

Enums
CODE_UNSPECIFIED Unknown or not set.
OK The Feature is operating normally.
WARNING The Feature has encountered an issue, and is operating in a degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.
ERROR The Feature is not operating or is in a severely degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.

MembershipFeatureState

MembershipFeatureState contains Feature status information for a single Membership.

JSON representation
{
  "state": {
    object (FeatureState)
  },

  // Union field feature_state can be only one of the following:
  "servicemesh": {
    object (MembershipState)
  },
  "metering": {
    object (MembershipState)
  },
  "configmanagement": {
    object (MembershipState)
  },
  "identityservice": {
    object (MembershipState)
  },
  "appdevexperience": {
    object (AppDevExperienceFeatureState)
  },
  "policycontroller": {
    object (MembershipState)
  },
  "clusterupgrade": {
    object (MembershipState)
  },
  "fleetobservability": {
    object (MembershipState)
  }
  // End of list of possible types for union field feature_state.
}
Fields
state

object (FeatureState)

The high-level state of this Feature for a single membership.

Union field feature_state.

feature_state can be only one of the following:

servicemesh

object (MembershipState)

Service Mesh-specific state.

metering

object (MembershipState)

Metering-specific state.

configmanagement

object (MembershipState)

Config Management-specific state.

identityservice

object (MembershipState)

Identity Service-specific state.

appdevexperience

object (AppDevExperienceFeatureState)

Appdevexperience specific state.

policycontroller

object (MembershipState)

Policycontroller-specific state.

clusterupgrade

object (MembershipState)

ClusterUpgrade state.

fleetobservability

object (MembershipState)

Fleet observability membership state.

MembershipState

Service Mesh: State for a single Membership, as analyzed by the Service Mesh Hub Controller.

JSON representation
{
  "controlPlaneManagement": {
    object (MembershipState.ControlPlaneManagement)
  },
  "dataPlaneManagement": {
    object (MembershipState.DataPlaneManagement)
  }
}
Fields
controlPlaneManagement

object (MembershipState.ControlPlaneManagement)

Output only. Status of control plane management

dataPlaneManagement

object (MembershipState.DataPlaneManagement)

Output only. Status of data plane management.

MembershipState.ControlPlaneManagement

Status of control plane management.

JSON representation
{
  "details": [
    {
      object (StatusDetails)
    }
  ],
  "state": enum (MembershipState.LifecycleState)
}
Fields
details[]

object (StatusDetails)

Explanation of state.

state

enum (MembershipState.LifecycleState)

LifecycleState of control plane management.

StatusDetails

Structured and human-readable details for a status.

JSON representation
{
  "code": string,
  "details": string
}
Fields
code

string

A machine-readable code that further describes a broad status.

details

string

Human-readable explanation of code.

MembershipState.LifecycleState

Lifecycle state of Service Mesh components.

Enums
LIFECYCLE_STATE_UNSPECIFIED Unspecified
DISABLED DISABLED means that the component is not enabled.
FAILED_PRECONDITION FAILED_PRECONDITION means that provisioning cannot proceed because of some characteristic of the member cluster.
PROVISIONING PROVISIONING means that provisioning is in progress.
ACTIVE ACTIVE means that the component is ready for use.
STALLED STALLED means that provisioning could not be done.
NEEDS_ATTENTION NEEDS_ATTENTION means that the component is ready, but some user intervention is required. (For example that the user should migrate workloads to a new control plane revision.)
DEGRADED DEGRADED means that the component is ready, but operating in a degraded state.

MembershipState.DataPlaneManagement

Status of data plane management. Only reported per-member.

JSON representation
{
  "state": enum (MembershipState.LifecycleState),
  "details": [
    {
      object (StatusDetails)
    }
  ]
}
Fields
state

enum (MembershipState.LifecycleState)

Lifecycle status of data plane management.

details[]

object (StatusDetails)

Explanation of the status.

MembershipState

Metering: Per-Membership Feature State.

JSON representation
{
  "lastMeasurementTime": string,
  "preciseLastMeasuredClusterVcpuCapacity": number
}
Fields
lastMeasurementTime

string (Timestamp format)

The time stamp of the most recent measurement of the number of vCPUs in the cluster.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

preciseLastMeasuredClusterVcpuCapacity

number

The vCPUs capacity in the cluster according to the most recent measurement (1/1000 precision).

MembershipState

Anthos Config Management: State for a single cluster.

JSON representation
{
  "clusterName": string,
  "membershipSpec": {
    object (MembershipSpec)
  },
  "operatorState": {
    object (OperatorState)
  },
  "configSyncState": {
    object (ConfigSyncState)
  },
  "policyControllerState": {
    object (PolicyControllerState)
  },
  "binauthzState": {
    object (BinauthzState)
  },
  "hierarchyControllerState": {
    object (HierarchyControllerState)
  }
}
Fields
clusterName

string

This field is set to the clusterName field of the Membership Spec if it is not empty. Otherwise, it is set to the cluster's fleet membership name.

membershipSpec

object (MembershipSpec)

Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipSpec in the FeatureSpec represents the intended state

operatorState

object (OperatorState)

Current install status of ACM's Operator

configSyncState

object (ConfigSyncState)

Current sync status

policyControllerState

object (PolicyControllerState)

PolicyController status

binauthzState

object (BinauthzState)

Binauthz status

hierarchyControllerState

object (HierarchyControllerState)

Hierarchy Controller status

OperatorState

State information for an ACM's Operator

JSON representation
{
  "version": string,
  "deploymentState": enum (DeploymentState),
  "errors": [
    {
      object (InstallError)
    }
  ]
}
Fields
version

string

The semenatic version number of the operator

deploymentState

enum (DeploymentState)

The state of the Operator's deployment

errors[]

object (InstallError)

Install errors.

DeploymentState

Enum representing the state of an ACM's deployment on a cluster

Enums
DEPLOYMENT_STATE_UNSPECIFIED Deployment's state cannot be determined
NOT_INSTALLED Deployment is not installed
INSTALLED Deployment is installed
ERROR Deployment was attempted to be installed, but has errors
PENDING Deployment is installing or terminating

InstallError

Errors pertaining to the installation of ACM

JSON representation
{
  "errorMessage": string
}
Fields
errorMessage

string

A string representing the user facing error message

ConfigSyncState

State information for ConfigSync

JSON representation
{
  "version": {
    object (ConfigSyncVersion)
  },
  "deploymentState": {
    object (ConfigSyncDeploymentState)
  },
  "syncState": {
    object (SyncState)
  },
  "errors": [
    {
      object (ConfigSyncError)
    }
  ]
}
Fields
version

object (ConfigSyncVersion)

The version of ConfigSync deployed

deploymentState

object (ConfigSyncDeploymentState)

Information about the deployment of ConfigSync, including the version of the various Pods deployed

syncState

object (SyncState)

The state of ConfigSync's process to sync configs to a cluster

errors[]

object (ConfigSyncError)

Errors pertaining to the installation of Config Sync.

ConfigSyncVersion

Specific versioning information pertaining to ConfigSync's Pods

JSON representation
{
  "importer": string,
  "syncer": string,
  "gitSync": string,
  "monitor": string,
  "reconcilerManager": string,
  "rootReconciler": string,
  "admissionWebhook": string
}
Fields
importer

string

Version of the deployed importer pod

syncer

string

Version of the deployed syncer pod

gitSync

string

Version of the deployed git-sync pod

monitor

string

Version of the deployed monitor pod

reconcilerManager

string

Version of the deployed reconciler-manager pod

rootReconciler

string

Version of the deployed reconciler container in root-reconciler pod

admissionWebhook

string

Version of the deployed admissionWebhook pod

ConfigSyncDeploymentState

The state of ConfigSync's deployment on a cluster

JSON representation
{
  "importer": enum (DeploymentState),
  "syncer": enum (DeploymentState),
  "gitSync": enum (DeploymentState),
  "monitor": enum (DeploymentState),
  "reconcilerManager": enum (DeploymentState),
  "rootReconciler": enum (DeploymentState),
  "admissionWebhook": enum (DeploymentState)
}
Fields
importer

enum (DeploymentState)

Deployment state of the importer pod

syncer

enum (DeploymentState)

Deployment state of the syncer pod

gitSync

enum (DeploymentState)

Deployment state of the git-sync pod

monitor

enum (DeploymentState)

Deployment state of the monitor pod

reconcilerManager

enum (DeploymentState)

Deployment state of reconciler-manager pod

rootReconciler

enum (DeploymentState)

Deployment state of root-reconciler

admissionWebhook

enum (DeploymentState)

Deployment state of admission-webhook

SyncState

State indicating an ACM's progress syncing configurations to a cluster

JSON representation
{
  "sourceToken": string,
  "importToken": string,
  "syncToken": string,
  "lastSync": string,
  "lastSyncTime": string,
  "code": enum (SyncState.SyncCode),
  "errors": [
    {
      object (SyncError)
    }
  ]
}
Fields
sourceToken

string

Token indicating the state of the repo.

importToken

string

Token indicating the state of the importer.

syncToken

string

Token indicating the state of the syncer.

lastSync
(deprecated)

string

Deprecated: use lastSyncTime instead. Timestamp of when ACM last successfully synced the repo The time format is specified in https://golang.org/pkg/time/#Time.String

lastSyncTime

string (Timestamp format)

Timestamp type of when ACM last successfully synced the repo

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

code

enum (SyncState.SyncCode)

Sync status code

errors[]

object (SyncError)

A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist.

SyncState.SyncCode

An enum representing Config Sync's status of syncing configs to a cluster.

Enums
SYNC_CODE_UNSPECIFIED Config Sync cannot determine a sync code
SYNCED Config Sync successfully synced the git Repo with the cluster
PENDING Config Sync is in the progress of syncing a new change
ERROR Indicates an error configuring Config Sync, and user action is required
NOT_CONFIGURED Config Sync has been installed but not configured
NOT_INSTALLED Config Sync has not been installed
UNAUTHORIZED Error authorizing with the cluster
UNREACHABLE Cluster could not be reached

SyncError

An ACM created error representing a problem syncing configurations

JSON representation
{
  "code": string,
  "errorMessage": string,
  "errorResources": [
    {
      object (ErrorResource)
    }
  ]
}
Fields
code

string

An ACM defined error code

errorMessage

string

A description of the error

errorResources[]

object (ErrorResource)

A list of config(s) associated with the error, if any

ErrorResource

Model for a config file in the git repo with an associated Sync error

JSON representation
{
  "sourcePath": string,
  "resourceName": string,
  "resourceNamespace": string,
  "resourceGvk": {
    object (GroupVersionKind)
  }
}
Fields
sourcePath

string

Path in the git repo of the erroneous config

resourceName

string

Metadata name of the resource that is causing an error

resourceNamespace

string

Namespace of the resource that is causing an error

resourceGvk

object (GroupVersionKind)

Group/version/kind of the resource that is causing an error

GroupVersionKind

A Kubernetes object's GVK

JSON representation
{
  "group": string,
  "version": string,
  "kind": string
}
Fields
group

string

Kubernetes Group

version

string

Kubernetes Version

kind

string

Kubernetes Kind

ConfigSyncError

Errors pertaining to the installation of Config Sync

JSON representation
{
  "errorMessage": string
}
Fields
errorMessage

string

A string representing the user facing error message

PolicyControllerState

State for PolicyControllerState.

JSON representation
{
  "version": {
    object (PolicyControllerVersion)
  },
  "deploymentState": {
    object (GatekeeperDeploymentState)
  },
  "migration": {
    object (PolicyControllerMigration)
  }
}
Fields
version

object (PolicyControllerVersion)

The version of Gatekeeper Policy Controller deployed.

deploymentState

object (GatekeeperDeploymentState)

The state about the policy controller installation.

migration

object (PolicyControllerMigration)

Record state of ACM -> PoCo Hub migration for this feature.

PolicyControllerVersion

The build version of Gatekeeper Policy Controller is using.

JSON representation
{
  "version": string
}
Fields
version

string

The gatekeeper image tag that is composed of ACM version, git tag, build number.

GatekeeperDeploymentState

State of Policy Controller installation.

JSON representation
{
  "gatekeeperControllerManagerState": enum (DeploymentState),
  "gatekeeperAudit": enum (DeploymentState),
  "gatekeeperMutation": enum (DeploymentState)
}
Fields
gatekeeperControllerManagerState

enum (DeploymentState)

Status of gatekeeper-controller-manager pod.

gatekeeperAudit

enum (DeploymentState)

Status of gatekeeper-audit deployment.

gatekeeperMutation

enum (DeploymentState)

Status of the pod serving the mutation webhook.

PolicyControllerMigration

State for the migration of PolicyController from ACM -> PoCo Hub.

JSON representation
{
  "stage": enum (PolicyControllerMigration.Stage),
  "copyTime": string
}
Fields
stage

enum (PolicyControllerMigration.Stage)

Stage of the migration.

copyTime

string (Timestamp format)

Last time this membership spec was copied to PoCo feature.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

PolicyControllerMigration.Stage

Stage marks what stage of the migration ACM hub is in.

Enums
STAGE_UNSPECIFIED Unknown state of migration.
ACM_MANAGED ACM Hub/Operator manages policycontroller. No migration yet completed.
POCO_MANAGED All migrations steps complete; Poco Hub now manages policycontroller.

BinauthzState

State for Binauthz

JSON representation
{
  "webhook": enum (DeploymentState),
  "version": {
    object (BinauthzVersion)
  }
}
Fields
webhook

enum (DeploymentState)

The state of the binauthz webhook.

version

object (BinauthzVersion)

The version of binauthz that is installed.

BinauthzVersion

The version of binauthz.

JSON representation
{
  "webhookVersion": string
}
Fields
webhookVersion

string

The version of the binauthz webhook.

HierarchyControllerState

State for Hierarchy Controller

JSON representation
{
  "version": {
    object (HierarchyControllerVersion)
  },
  "state": {
    object (HierarchyControllerDeploymentState)
  }
}
Fields
version

object (HierarchyControllerVersion)

The version for Hierarchy Controller

state

object (HierarchyControllerDeploymentState)

The deployment state for Hierarchy Controller

HierarchyControllerVersion

Version for Hierarchy Controller

JSON representation
{
  "hnc": string,
  "extension": string
}
Fields
hnc

string

Version for open source HNC

extension

string

Version for Hierarchy Controller extension

HierarchyControllerDeploymentState

Deployment state for Hierarchy Controller

JSON representation
{
  "hnc": enum (DeploymentState),
  "extension": enum (DeploymentState)
}
Fields
hnc

enum (DeploymentState)

The deployment state for open source HNC (e.g. v0.7.0-hc.0)

extension

enum (DeploymentState)

The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1)

MembershipState

Anthos Identity Service: State for a single Membership.

JSON representation
{
  "installedVersion": string,
  "state": enum (MembershipState.DeploymentState),
  "failureReason": string,
  "memberConfig": {
    object (MembershipSpec)
  }
}
Fields
installedVersion

string

Installed AIS version. This is the AIS version installed on this member. The values makes sense iff state is OK.

state

enum (MembershipState.DeploymentState)

Deployment state on this member

failureReason

string

The reason of the failure.

memberConfig

object (MembershipSpec)

Last reconciled membership configuration

MembershipState.DeploymentState

Deployment state enum

Enums
DEPLOYMENT_STATE_UNSPECIFIED Unspecified state
OK deployment succeeds
ERROR Failure with error.

MembershipState

Policy Controller: State for a single cluster.

JSON representation
{
  "componentStates": {
    string: {
      object (OnClusterState)
    },
    ...
  },
  "state": enum (MembershipState.LifecycleState),
  "policyContentState": {
    object (PolicyContentState)
  }
}
Fields
componentStates

map (key: string, value: object (OnClusterState))

Currently these include (also serving as map keys): 1. "admission" 2. "audit" 3. "mutation"

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

state

enum (MembershipState.LifecycleState)

The overall Policy Controller lifecycle state observed by the Hub Feature controller.

policyContentState

object (PolicyContentState)

The overall content state observed by the Hub Feature controller.

OnClusterState

OnClusterState represents the state of a sub-component of Policy Controller.

JSON representation
{
  "state": enum (MembershipState.LifecycleState),
  "details": string
}
Fields
state

enum (MembershipState.LifecycleState)

The lifecycle state of this component.

details

string

Surface potential errors or information logs.

MembershipState.LifecycleState

The set of states Policy Controller can exist in.

Enums
LIFECYCLE_STATE_UNSPECIFIED The lifecycle state is unspecified.
NOT_INSTALLED The PC does not exist on the given cluster, and no k8s resources of any type that are associated with the PC should exist there. The cluster does not possess a membership with the PCH.
INSTALLING The PCH possesses a Membership, however the PC is not fully installed on the cluster. In this state the hub can be expected to be taking actions to install the PC on the cluster.
ACTIVE The PC is fully installed on the cluster and in an operational mode. In this state PCH will be reconciling state with the PC, and the PC will be performing it's operational tasks per that software. Entering a READY state requires that the hub has confirmed the PC is installed and its pods are operational with the version of the PC the PCH expects.
UPDATING The PC is fully installed, but in the process of changing the configuration (including changing the version of PC either up and down, or modifying the manifests of PC) of the resources running on the cluster. The PCH has a Membership, is aware of the version the cluster should be running in, but has not confirmed for itself that the PC is running with that version.
DECOMMISSIONING The PC may have resources on the cluster, but the PCH wishes to remove the Membership. The Membership still exists.
CLUSTER_ERROR