Index
GkeHubDomainFeatureService(interface)AnthosObservabilityFeatureSpec(message)AnthosObservabilityFeatureState(message)AnthosObservabilityMembershipSpec(message)AppDevExperienceFeatureSpec(message)AppDevExperienceFeatureState(message)AppDevExperienceFeatureState.Code(enum)AppDevExperienceFeatureState.Status(message)AuthorizerFeatureSpec(message)AuthorizerFeatureState(message)Billing(enum) (deprecated)BinauthzConfig(message)BinauthzState(message)BinauthzVersion(message)BundleInstallSpec(message)CloudAuditLoggingFeatureSpec(message)CloudAuditLoggingFeatureState(message)CloudBuildFeatureSpec(message)CloudBuildMembershipConfig(message)CloudBuildMembershipConfig.SecurityPolicy(enum)ConfigManagementFeatureSpec(message)ConfigManagementFeatureState(message)ConfigSync(message)ConfigSyncDeploymentState(message)ConfigSyncError(message)ConfigSyncState(message)ConfigSyncVersion(message)CreateFeatureRequest(message)DataplaneV2FeatureSpec(message)DataplaneV2FeatureState(message)DeleteFeatureRequest(message)DeploymentState(enum)ErrorResource(message)Feature(message)FeatureState(message)FeatureState.LifecycleState(enum)FeatureStateDetails(message)FeatureStateDetails.Code(enum)FleetDefaultMemberConfig(message)FleetObservabilityBaseFeatureState(message)FleetObservabilityBaseFeatureState.Code(enum)FleetObservabilityBaseFeatureState.FeatureError(message)FleetObservabilityFeatureSpec(message)FleetObservabilityFeatureState(message)FleetObservabilityLoggingState(message)FleetObservabilityMonitoringState(message)GatekeeperDeploymentState(message)GetFeatureRequest(message)GitConfig(message)GroupVersionKind(message)HierarchyControllerConfig(message)HierarchyControllerDeploymentState(message)HierarchyControllerState(message)HierarchyControllerVersion(message)IdentityServiceFeatureSpec(message)IdentityServiceFeatureState(message)IdentityServiceFeatureState.DeploymentState(enum)InstallError(message)ListFeaturesRequest(message)ListFeaturesResponse(message)LoggingConfig(message)MemberConfig(message)MemberConfig.AuthMethod(message)MemberConfig.AuthMethod.AzureADConfig(message)MemberConfig.AuthMethod.GoogleConfig(message)MemberConfig.AuthMethod.LdapConfig(message)MemberConfig.AuthMethod.LdapConfig.GroupConfig(message)MemberConfig.AuthMethod.LdapConfig.ServerConfig(message)MemberConfig.AuthMethod.LdapConfig.ServiceAccountConfig(message)MemberConfig.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials(message)MemberConfig.AuthMethod.LdapConfig.UserConfig(message)MemberConfig.AuthMethod.OidcConfig(message)MemberConfig.AuthMethod.SamlConfig(message)MembershipConfig(message)MeteringFeatureSpec(message)MeteringFeatureState(message)MultiClusterIngressFeatureSpec(message)MultiClusterIngressFeatureState(message)MultiClusterServiceDiscoveryFeatureSpec(message)MultiClusterServiceDiscoveryFeatureState(message)OciConfig(message)OnClusterState(message)OperationMetadata(message)OperatorState(message)PolicyContentSpec(message)PolicyContentState(message)PolicyController(message)PolicyControllerDeploymentConfig(message)PolicyControllerDeploymentConfig.Affinity(enum)PolicyControllerDeploymentConfig.Toleration(message)PolicyControllerFeatureSpec(message)PolicyControllerFeatureState(message)PolicyControllerFeatureState.LifecycleState(enum)PolicyControllerHubConfig(message)PolicyControllerHubConfig.InstallSpec(enum)PolicyControllerMembershipSpec(message)PolicyControllerMigration(message)PolicyControllerMigration.Stage(enum)PolicyControllerMonitoring(message)PolicyControllerMonitoring.MonitoringBackend(enum)PolicyControllerMonitoringConfig(message)PolicyControllerMonitoringConfig.MonitoringBackend(enum)PolicyControllerState(message)PolicyControllerVersion(message)ResourceList(message)ResourceRequirements(message)RoutingConfig(message)RoutingConfig.Mode(enum)ServiceDirectoryFeatureSpec(message)ServiceDirectoryFeatureState(message)ServiceMeshAnalysisMessage(message)ServiceMeshAnalysisMessageBase(message)ServiceMeshAnalysisMessageBase.Level(enum)ServiceMeshAnalysisMessageBase.Type(message)ServiceMeshFeatureSpec(message)ServiceMeshFeatureState(message)ServiceMeshFeatureState.ControlPlaneManagement(message)ServiceMeshFeatureState.DataPlaneManagement(message)ServiceMeshFeatureState.LifecycleState(enum)ServiceMeshMembershipSpec(message)ServiceMeshMembershipSpec.ControlPlaneManagement(enum)ServiceMeshMembershipSpec.Management(enum)StatusDetails(message)SyncError(message)SyncState(message)SyncState.SyncCode(enum)TemplateLibraryConfig(message)TemplateLibraryConfig.Installation(enum)UpdateFeatureRequest(message)WorkloadCertificateFeatureSpec(message)WorkloadCertificateFeatureSpec.GoogleCAProvisioning(enum)WorkloadCertificateFeatureState(message)WorkloadCertificateMembershipSpec(message)WorkloadCertificateMembershipSpec.CertificateManagement(enum)
GkeHubDomainFeatureService
GKE Hub CRUD API for the Feature resources
| CreateFeature |
|---|
|
Adds a new Feature.
|
| DeleteFeature |
|---|
|
Removes a Feature.
|
| GetFeature |
|---|
|
Gets details of a single Feature.
|
| ListFeatures |
|---|
|
Lists Features in a given project and location.
|
| UpdateFeature |
|---|
|
Updates an existing Feature.
|
AnthosObservabilityFeatureSpec
Spec for Anthos Observability. This is required since Feature proto requires a spec.
| Fields | |
|---|---|
membership_specs |
Per-membership spec that determines the spec in Stackdriver CR |
default_membership_spec |
Default membership spec when nothing is specified. |
AnthosObservabilityFeatureState
This type has no fields.
An empty state for Anthos Observability. This is required since FeatureStateDetails requires a state.
AnthosObservabilityMembershipSpec
Anthosobservability: Per-Membership Feature spec.
| Fields | |
|---|---|
enable_stackdriver_on_applications |
Enable collecting and reporting metrics and logs from user apps. |
do_not_optimize_metrics |
Use full of metrics rather than optimized metrics. See https://cloud.google.com/anthos/clusters/docs/on-prem/1.8/concepts/logging-and-monitoring#optimized_metrics_default_metrics |
version |
the version of stackdriver operator used by this feature |
AppDevExperienceFeatureSpec
This type has no fields.
Spec for App Dev Experience Feature.
AppDevExperienceFeatureState
State for App Dev Exp Feature.
| Fields | |
|---|---|
networking_install_succeeded |
Status of subcomponent that detects configured Service Mesh resources. |
Code
Code specifies the ready state for a AppDevExperienceFeature subcomponent.
| Enums | |
|---|---|
CODE_UNSPECIFIED |
Not set. |
OK |
AppDevExperienceFeature's specified subcomponent is ready. |
FAILED |
AppDevExperienceFeature's specified subcomponent ready state is false. This means AppDevExperienceFeature has encountered an issue that blocks all, or a portion, of its normal operation. See the description for more details. |
UNKNOWN |
AppDevExperienceFeature's specified subcomponent has a pending or unknown state. |
Status
Status specifies state for the subcomponent.
| Fields | |
|---|---|
code |
Code specifies AppDevExperienceFeature's subcomponent ready state. |
description |
Description is populated if Code is Failed, explaining why it has failed. |
AuthorizerFeatureSpec
This type has no fields.
AuthorizerFeatureSpec contains options and specifications for the Authorizer Feature.
AuthorizerFeatureState
This type has no fields.
AuthorizerFeatureState contains the current detailed state of the Authorizer Feature.
Billing
Deprecated: The FeatureSpec.billing field is no longer used. Billing identifies which billing structure the customer is using.
| Enums | |
|---|---|
BILLING_UNSPECIFIED |
Unknown |
PAY_AS_YOU_GO |
User pays a fee per-endpoint. |
ANTHOS_LICENSE |
User is paying for Anthos as a whole. |
BinauthzConfig
Configuration for Binauthz
| Fields | |
|---|---|
enabled |
Whether binauthz is enabled in this cluster. |
BinauthzState
State for Binauthz
| Fields | |
|---|---|
webhook |
The state of the binauthz webhook. |
version |
The version of binauthz that is installed. |
BinauthzVersion
The version of binauthz.
| Fields | |
|---|---|
webhook_version |
The version of the binauthz webhook. |
BundleInstallSpec
BundleInstallSpec is the specification configuration for a single managed bundle.
| Fields | |
|---|---|
exempted_namespaces[] |
The set of namespaces to be exempted from the bundle. |
CloudAuditLoggingFeatureSpec
Spec for Audit Logging Allowlisting.
| Fields | |
|---|---|
allowlisted_service_accounts[] |
Service account that should be allowlisted to send the audit logs; eg cloudauditlogging@gcp-project.iam.gserviceaccount.com. These accounts must already exist, but do not need to have any permissions granted to them. The customer's entitlements will be checked prior to allowlisting (i.e. the customer must be an Anthos customer.) |
CloudAuditLoggingFeatureState
This type has no fields.
An empty state for Audit Logging Allowlisting. This is required since FeatureStateDetails requires a state.
CloudBuildFeatureSpec
Cloud Build for Anthos feature spec. This is required since Feature proto requires a spec.
| Fields | |
|---|---|
membership_configs |
The map from membership path (e.g. projects/foo-proj/locations/global/memberships/bar) to the CloudBuildMembershipConfig that is chosen for that member cluster. If CloudBuild feature is enabled for a hub and the membership path of a cluster in that hub exists in this map then it has Cloud Build hub feature enabled for that particular cluster. |
CloudBuildMembershipConfig
Configurations for each Cloud Build enabled cluster.
| Fields | |
|---|---|
version |
Version of the cloud build software on the cluster. |
security_policy |
Whether it is allowed to run the privileged builds on the cluster or not. |
SecurityPolicy
Different security policies we can apply to the cluster.
| Enums | |
|---|---|
SECURITY_POLICY_UNSPECIFIED |
Unspecified policy |
NON_PRIVILEGED |
Privileged build pods are disallowed |
PRIVILEGED |
Privileged build pods are allowed |
ConfigManagementFeatureSpec
Spec for Anthos Config Management (ACM).
| Fields | |
|---|---|
membership_configs |
Map of Membership IDs to individual configs. |
ConfigManagementFeatureState
State for Anthos Config Management
| Fields | |
|---|---|
cluster_name |
This field is set to the |
membership_config |
Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipConfig in the FeatureSpec represents the intended state |
operator_state |
Current install status of ACM's Operator |
config_sync_state |
Current sync status |
policy_controller_state |
PolicyController status |
binauthz_state |
Binauthz status |
hierarchy_controller_state |
Hierarchy Controller status |
ConfigSync
Configuration for Config Sync
| Fields | |
|---|---|
git |
Git repo configuration for the cluster. |
source_format |
Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode. |
prevent_drift |
Set to true to enable the Config Sync admission webhook to prevent drifts. Defaults to false which disables the Config Sync admission webhook and does not prevent drifts. |
oci |
OCI repo configuration for the cluster |
allow_vertical_scale |
Set to true to allow the vertical scaling. Defaults to false which disallows vertical scaling. This field is deprecated. |
metrics_gcp_service_account_email |
The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount |
enabled |
Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if exist. If set to false, all other ConfigSync fields will be ignored, ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depends on the presence of the git or oci field. |
ConfigSyncDeploymentState
The state of ConfigSync's deployment on a cluster
| Fields | |
|---|---|
importer |
Deployment state of the importer pod |
syncer |
Deployment state of the syncer pod |
git_sync |
Deployment state of the git-sync pod |
monitor |
Deployment state of the monitor pod |
reconciler_manager |
Deployment state of reconciler-manager pod |
root_reconciler |
Deployment state of root-reconciler |
admission_webhook |
Deployment state of admission-webhook |
ConfigSyncError
Errors pertaining to the installation of Config Sync
| Fields | |
|---|---|
error_message |
A string representing the user facing error message |
ConfigSyncState
State information for ConfigSync
| Fields | |
|---|---|
version |
The version of ConfigSync deployed |
deployment_state |
Information about the deployment of ConfigSync, including the version of the various Pods deployed |
sync_state |
The state of ConfigSync's process to sync configs to a cluster |
errors[] |
Errors pertaining to the installation of Config Sync. |
ConfigSyncVersion
Specific versioning information pertaining to ConfigSync's Pods
| Fields | |
|---|---|
importer |
Version of the deployed importer pod |
syncer |
Version of the deployed syncer pod |
git_sync |
Version of the deployed git-sync pod |
monitor |
Version of the deployed monitor pod |
reconciler_manager |
Version of the deployed reconciler-manager pod |
root_reconciler |
Version of the deployed reconciler container in root-reconciler pod |
admission_webhook |
Version of the deployed admission_webhook pod |
CreateFeatureRequest
Request message for the GkeHubDomainFeatureService.CreateFeature method.
| Fields | |
|---|---|
parent |
Required. The parent (project and location) where the Feature will be created. Specified in the format Authorization requires the following IAM permission on the specified resource
|
feature_id |
The ID of the feature to create. |
resource |
The Feature resource to create. |
DataplaneV2FeatureSpec
Spec for multi-cluster dataplane-v2 feature. This is required since Feature proto requires a spec.
| Fields | |
|---|---|
enable_encryption |
Enable dataplane-v2 based encryption for multiple clusters. |
DataplaneV2FeatureState
This type has no fields.
An empty state for multi-cluster dataplane-v2 feature. This is required since FeatureStateDetails requires a state.
DeleteFeatureRequest
Request message for GkeHubDomainFeatureService.DeleteFeature method.
| Fields | |
|---|---|
name |
Required. The Feature resource name in the format Authorization requires the following IAM permission on the specified resource
|
force |
If set to true, the delete will ignore any outstanding resources for this Feature (that is, |
DeploymentState
Enum representing the state of an ACM's deployment on a cluster
| Enums | |
|---|---|
DEPLOYMENT_STATE_UNSPECIFIED |
Deployment's state cannot be determined |
NOT_INSTALLED |
Deployment is not installed |
INSTALLED |
Deployment is installed |
ERROR |
Deployment was attempted to be installed, but has errors |
PENDING |
Deployment is installing or terminating |
ErrorResource
Model for a config file in the git repo with an associated Sync error
| Fields | |
|---|---|
source_path |
Path in the git repo of the erroneous config |
resource_name |
Metadata name of the resource that is causing an error |
resource_namespace |
Namespace of the resource that is causing an error |
resource_gvk |
Group/version/kind of the resource that is causing an error |
Feature
Feature represents the settings and status of any feature.
| Fields | |
|---|---|
name |
Output only. The full, unique name of this Feature resource in the format |
labels |
Labels for this feature. |
description |
Description of the feature, limited to 63 characters. |
feature_state |
Output only. State of the Feature resource itself. |
fleet_default_member_config |
FleetDefaultMemberConfig describes the default member configuration at the fleet level. |
create_time |
Output only. When the Feature was created. |
update_time |
Output only. When the Feature was last updated. |
delete_time |
Output only. When the Feature was deleted. |
Union field
|
|
servicemesh_feature_spec |
The specification for the Service Mesh Feature. |
authorizer_feature_spec |
The specification for the Authorizer Feature. |
multiclusteringress_feature_spec |
The specification for Ingress for Anthos. |
metering_feature_spec |
The specification for the Metering feature. |
multiclusterservicediscovery_feature_spec |
The specification for GKE Multi-Cluster Service Discovery. |
configmanagement_feature_spec |
The specification for Anthos Config Management. |
appdevexperience_feature_spec |
The specification for App Dev Experience. |
cloudauditlogging_feature_spec |
The specification for Anthos Cloud Audit Logging. |
cloudbuild_feature_spec |
The specification for Cloud Build for Anthos. |
servicedirectory_feature_spec |
The specification for Service Directory. |
identityservice_feature_spec |
The specification for Anthos Identity Service. |
anthosobservability_feature_spec |
The specification for Anthos Observability. |
workloadcertificate_feature_spec |
The specification for Workload Certificate. |
policycontroller_feature_spec |
The specification for Policy Controller. |
dataplanev2_feature_spec |
The specification for multi-cluster dataplane-v2. |
fleetobservability_feature_spec |
The specification for FleetObservability feature. |
FeatureState
FeatureState describes the state of a Feature resource.
| Fields | |
|---|---|
lifecycle_state |
The current state of the Feature resource. |
details |
Aggregate status message of the feature. |
details_by_membership |
FeatureState for each Membership. Keys are the fully-qualified Membership name in the format |
has_resources |
Whether this Feature has outstanding resources that need to be cleaned up before it can be disabled. |
LifecycleState
LifecycleState describes the lifecycle status of a feature.
| Enums | |
|---|---|
LIFECYCLE_STATE_UNSPECIFIED |
State is unknown or not set. |
ENABLING |
The Feature is being enabled. |
ENABLED |
The Feature is active. |
DISABLING |
The Feature is being disabled. |
UPDATING |
The Feature is being updated. |
SERVICE_UPDATING |
The Feature is being updated by the Hub Service. |
FeatureStateDetails
FeatureStateDetails is a semi-structured status message for a declarative resource in the API.
| Fields | |
|---|---|
code |
The code describes, at a high level, if the Feature is operating correctly. Non- |
description |
Human readable description of the issue. |
update_time |
The last update time of this status by the controllers |
Union field state. Structured information about the feature's status. state can be only one of the following: |
|
servicemesh_feature_state |
State for the Service Mesh Feature. |
authorizer_feature_state |
State for the Authorizer Feature. |
multiclusteringress_feature_state |
State for the Ingress for Anthos Feature. |
metering_feature_state |
State for the Metering Feature. |
multiclusterservicediscovery_feature_state |
State for the Multi-cluster Service Discovery Feature. |
configmanagement_feature_state |
State for the Config Management Feature. |
appdevexperience_feature_state |
State for the AppDevExperience Feature. |
cloudauditlogging_feature_state |
The state of the Anthos Cloud Audit Logging feature. |
servicedirectory_feature_state |
State for the Service Directory Feature. |
identityservice_feature_state |
State for the AIS Feature. |
anthosobservability_feature_state |
State for the Anthos Observability Feature |
workloadcertificate_feature_state |
State for the Workload Certificate Feature |
policycontroller_feature_state |
State for the Policy Controller Feature. |
dataplanev2_feature_state |
State for multi-cluster dataplane-v2 feature. |
fleetobservability_feature_state |
State for the FleetObservability Feature. |
Code
The Code describes the error state and severity for this Feature.
| Enums | |
|---|---|
CODE_UNSPECIFIED |
Not set. |
OK |
No error. |
FAILED |
The Feature has encountered an issue that blocks all, or a significant portion, of its normal operation. See the description for more details. |
WARNING |
The Feature is in a state, or has encountered an issue, that impacts its normal operation. This state may or may not require intervention to resolve, see the description for more details. |
FleetDefaultMemberConfig
FleetDefaultMemberConfig contains default configuration information for memberships of a fleet.
| Fields | |
|---|---|
Union field
|
|
service_mesh |
Spec for ServiceMesh. |
identity_service |
Spec for IdentityService. |
FleetObservabilityBaseFeatureState
Base state for fleet observability feature.
| Fields | |
|---|---|
code |
The high-level, machine-readable status of this Feature. |
errors[] |
Errors after reconciling the monitoring and logging feature if the code is not OK. |
Code
Code represents a machine-readable, high-level status of the Feature.
| Enums | |
|---|---|
CODE_UNSPECIFIED |
Unknown or not set. |
OK |
The Feature is operating normally. |
ERROR |
The Feature is encountering errors in the reconciliation. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information. |
FeatureError
All error details of the fleet observability feature.
| Fields | |
|---|---|
code |
The code of the error. |
description |
A human-readable description of the current status. |
FleetObservabilityFeatureSpec
Spec for FleetObservability feature. This is required since Feature proto requires a spec.
| Fields | |
|---|---|
logging_config |
Specified if fleet logging feature is enabled for the entire fleet. If UNSPECIFIED, fleet logging feature is disabled for the entire fleet. |
FleetObservabilityFeatureState
An empty state for FleetObservability feature. This is required since FeatureStateDetails requires a state.
| Fields | |
|---|---|
logging |
The feature state of fleet logging. |
monitoring |
The feature state of fleet monitoring. |
FleetObservabilityLoggingState
Feature state for logging feature.
| Fields | |
|---|---|
default_log |
The base feature state of fleet default log. |
scope_log |
The base feature state of fleet scope log. |
FleetObservabilityMonitoringState
Feature state for monitoring feature.
| Fields | |
|---|---|
state |
The base feature state of fleet monitoring feature. |
GatekeeperDeploymentState
State of Policy Controller installation.
| Fields | |
|---|---|
gatekeeper_controller_manager_state |
Status of gatekeeper-controller-manager pod. |
gatekeeper_audit |
Status of gatekeeper-audit deployment. |
gatekeeper_mutation |
Status of the pod serving the mutation webhook. |
GetFeatureRequest
Request message for GkeHubDomainFeatureService.GetFeature method.
| Fields | |
|---|---|
name |
Required. The Feature resource name in the format Authorization requires the following IAM permission on the specified resource
|
GitConfig
Git repo configuration for a single cluster.
| Fields | |
|---|---|
sync_repo |
The URL of the Git repository to use as the source of truth. |
sync_branch |
The branch of the repository to sync from. Default: master. |
policy_dir |
The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository. |
sync_wait_secs |
Period in seconds between consecutive syncs. Default: 15. |
sync_rev |
Git revision (tag or hash) to check out. Default HEAD. |
secret_type |
Type of secret configured for access to the Git repo. |
https_proxy |
URL for the HTTPS proxy to be used when communicating with the Git repo. |
gcp_service_account_email |
The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount. |
GroupVersionKind
A Kubernetes object's GVK
| Fields | |
|---|---|
group |
Kubernetes Group |
version |
Kubernetes Version |
kind |
Kubernetes Kind |
HierarchyControllerConfig
Configuration for Hierarchy Controller
| Fields | |
|---|---|
enabled |
Whether Hierarchy Controller is enabled in this cluster. |
enable_pod_tree_labels |
Whether pod tree labels are enabled in this cluster. |
enable_hierarchical_resource_quota |
Whether hierarchical resource quota is enabled in this cluster. |
HierarchyControllerDeploymentState
Deployment state for Hierarchy Controller
| Fields | |
|---|---|
hnc |
The deployment state for open source HNC (e.g. v0.7.0-hc.0) |
extension |
The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1) |
HierarchyControllerState
State for Hierarchy Controller
| Fields | |
|---|---|
version |
The version for Hierarchy Controller |
state |
The deployment state for Hierarchy Controller |
HierarchyControllerVersion
Version for Hierarchy Controller
| Fields | |
|---|---|
hnc |
Version for open source HNC |
extension |
Version for Hierarchy Controller extension |
IdentityServiceFeatureSpec
Spec for Annthos Identity Service.
| Fields | |
|---|---|
member_configs |
A map between member ids to their configurations. The ID needs to be the full path to the membership e.g., /projects/p/locations/l/memberships/m. |
IdentityServiceFeatureState
State for Anthos Identity Service
| Fields | |
|---|---|
installed_version |
Installed AIS version. This is the AIS version installed on this member. The values makes sense iff state is OK. |
state |
Deployment state on this member |
failure_reason |
The reason of the failure. |
member_config |
Membership config state on this member |
DeploymentState
Deployment state enum
| Enums | |
|---|---|
DEPLOYMENT_STATE_UNSPECIFIED |
Unspecified state |
OK |
deployment succeeds |
ERROR |
Failure with error. |
InstallError
Errors pertaining to the installation of ACM
| Fields | |
|---|---|
error_message |
A string representing the user facing error message |
ListFeaturesRequest
Request message for GkeHubDomainFeatureService.ListFeatures method.
| Fields | |
|---|---|
parent |
Required. The parent (project and location) where the Features will be listed. Specified in the format Authorization requires the following IAM permission on the specified resource
|
page_size |
When requesting a 'page' of resources, |
page_token |
Token returned by previous call to |
filter |
Lists Features that match the filter expression, following the syntax outlined in https://google.aip.dev/160. Examples:
|
order_by |
One or more fields to compare and use to sort the output. See https://google.aip.dev/132#ordering. |
ListFeaturesResponse
Response message for the GkeHubDomainFeatureService.ListFeatures method.
| Fields | |
|---|---|
resources[] |
The list of matching Features |
next_page_token |
A token to request the next page of resources from the |
LoggingConfig
LoggingConfig defines the configuration for different types of logs.
| Fields | |
|---|---|
default_config |
Specified if applying the default routing config to logs not specified in other configs. |
fleet_scope_logs_config |
Specified if applying the routing config to all logs for all fleet scopes. |
MemberConfig
The configuration for a member/cluster
| Fields | |
|---|---|
auth_methods[] |
A member may support multiple auth methods. |
AuthMethod
Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC and LDAP) can be set per AuthMethod.
| Fields | |
|---|---|
name |
Identifier for auth config. |
proxy |
Proxy server address to use for auth method. |
Union field auth_config. supported auth configurations. auth_config can be only one of the following: |
|
oidc_config |
OIDC specific configuration. |
azuread_config |
AzureAD specific configuration. |
google_config |
GoogleConfig specific configuration |
saml_config |
Optional. SAML specific configuration. |
ldap_config |
Optional. LDAP specific configuration. |
AzureADConfig
Configuration for the AzureAD Auth flow.
| Fields | |
|---|---|
client_id |
ID for the registered client application that makes authentication requests to the Azure AD identity provider. |
tenant |
Kind of Azure AD account to be authenticated. Supported values are |
kubectl_redirect_uri |
The redirect URL that kubectl uses for authorization. |
client_secret |
Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH. |
encrypted_client_secret |
Output only. Encrypted AzureAD client secret. |
user_claim |
Optional. Claim in the AzureAD ID Token that holds the user details. |
group_format |
Optional. Format of the AzureAD groups that the client wants for auth. |
GoogleConfig
Configuration for the Google Plugin Auth flow.
| Fields | |
|---|---|
disable |
Disable automatic configuration of Google Plugin on supported platforms. |
LdapConfig
Configuration for the LDAP Auth flow.
| Fields | |
|---|---|
server |
Required. Server settings for the external LDAP server. |
user |
Required. Defines where users exist in the LDAP directory. |
group |
Optional. Contains the properties for locating and authenticating groups in the directory. |
service_account |
Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. |
GroupConfig
Contains the properties for locating and authenticating groups in the directory.
| Fields | |
|---|---|
base_dn |
Required. The location of the subtree in the LDAP directory to search for group entries. |
id_attribute |
Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". |
filter |
Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". |
ServerConfig
Server settings for the external LDAP server.
| Fields | |
|---|---|
host |
Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". |
connection_type |
Optional. Defines the connection type to communicate with the LDAP server. If |
certificate_authority_data |
Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. |
ServiceAccountConfig
Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.
| Fields | |
|---|---|
Union field authentication_mechanism. Guarantees that the user supplies one authentication mechanism at a time. authentication_mechanism can be only one of the following: |
|
simple_bind_credentials |
Credentials for basic auth. |
SimpleBindCredentials
The structure holds the LDAP simple binding credential.
| Fields | |
|---|---|
dn |
Required. The distinguished name(DN) of the service account object/user. |
password |
Required. Input only. The password of the service account object/user. |
encrypted_password |
Output only. The encrypted password of the service account object/user. |
UserConfig
Defines where users exist in the LDAP directory.
| Fields | |
|---|---|
base_dn |
Required. The location of the subtree in the LDAP directory to search for user entries. |
login_attribute |
Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "( |
id_attribute |
Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". |
filter |
Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". |
OidcConfig
Configuration for OIDC Auth flow.
| Fields | |
|---|---|
client_id |
ID for OIDC client application. |
certificate_authority_data |
PEM-encoded CA for OIDC provider. |
issuer_uri |
URI for the OIDC provider. This should point to the level below .well-known/openid-configuration. |
kubectl_redirect_uri |
Registered redirect uri to redirect users going through OAuth flow using kubectl plugin. |
scopes |
Comma-separated list of identifiers. |
extra_params |
Comma-separated list of key-value pairs. |
user_claim |
Claim in OIDC ID token that holds username. |
user_prefix |
Prefix to prepend to user name. |
groups_claim |
Claim in OIDC ID token that holds group information. |
group_prefix |
Prefix to prepend to group name. |
deploy_cloud_console_proxy |
Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console. |
client_secret |
Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH. |
encrypted_client_secret |
Output only. Encrypted OIDC Client secret |
enable_access_token |
Enable access token. |
SamlConfig
Configuration for the SAML Auth flow.
| Fields | |
|---|---|
identity_provider_id |
Required. The entity ID of the SAML IdP. |
identity_provider_sso_uri |
Required. The URI where the SAML IdP exposes the SSO service. |
identity_provider_certificates[] |
Required. The list of IdP certificates to validate the SAML response against. |
user_attribute |
Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the |
groups_attribute |
Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the |
user_prefix |
Optional. Prefix to prepend to user name. |
group_prefix |
Optional. Prefix to prepend to group name. |
attribute_mapping |
Optional. The mapping of additional user attributes like nickname, birthday and address etc.. |
MembershipConfig
Configuration for a single cluster. Intended to parallel the ConfigManagement CR.
| Fields | |
|---|---|
config_sync |
Config Sync configuration for the cluster. |
policy_controller |
Policy Controller configuration for the cluster. |
binauthz |
Binauthz conifguration for the cluster. Deprecated: This field will be ignored and should not be set. |
hierarchy_controller |
Hierarchy Controller configuration for the cluster. |
version |
Version of ACM installed. |
cluster |
The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. |
MeteringFeatureSpec
This type has no fields.
An empty spec for metering feature. This is required since Feature proto requires a spec.
MeteringFeatureState
Metering Feature State.
| Fields | |
|---|---|
last_measurement_time |
The time stamp of the most recent measurement of the number of vCPUs in the cluster. |
precise_last_measured_cluster_vcpu_capacity |
The vCPUs capacity in the cluster according to the most recent measurement (1/1000 precision). |
MultiClusterIngressFeatureSpec
MultiClusterIngressFeatureSpec contains the input for the MultiClusterIngress feature.
| Fields | |
|---|---|
config_membership |
Fully-qualified member name which hosts the MultiClusterIngress CRD. Example member name: |
billing |
Deprecated: This field will be ignored and should not be set. Customer's billing structure |
MultiClusterIngressFeatureState
This type has no fields.
MultiClusterIngressFeatureState contains the status fields specific to the MultiClusterIngress feature. This is just a placeholder and more fields will be added when we have more state information to report for this feature.
MultiClusterServiceDiscoveryFeatureSpec
This type has no fields.
An empty spec for multi-cluster service discovery feature. This is required since Feature proto requires a spec.
MultiClusterServiceDiscoveryFeatureState
This type has no fields.
An empty state for multi-cluster service discovery feature. This is required since FeatureStateDetails requires a state.
OciConfig
OCI repo configuration for a single cluster
| Fields | |
|---|---|
sync_repo |
The OCI image repository URL for the package to sync from. e.g. |
policy_dir |
The absolute path of the directory that contains the local resources. Default: the root directory of the image. |
sync_wait_secs |
Period in seconds between consecutive syncs. Default: 15. |
secret_type |
Type of secret configured for access to the Git repo. |
gcp_service_account_email |
The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount. |
OnClusterState
OnClusterState represents the state of a sub-component of Policy Controller.
| Fields | |
|---|---|
state |
The lifecycle state of this component. |
details |
Surface potential errors or information logs. |
OperationMetadata
Represents the metadata of the long-running operation.
| Fields | |
|---|---|
create_time |
Output only. The time the operation was created. |
end_time |
Output only. The time the operation finished running. |
target |
Output only. Server-defined resource path for the target of the operation. |
verb |
Output only. Name of the verb executed by the operation. |
status_detail |
Output only. Human-readable status of the operation, if any. |
cancel_requested |
Output only. Identifies whether the user has requested cancellation of the operation. Operations that have successfully been cancelled have [Operation.error][] value with a |
api_version |
Output only. API version used to start the operation. |
OperatorState
State information for an ACM's Operator
| Fields | |
|---|---|
version |
The semenatic version number of the operator |
deployment_state |
The state of the Operator's deployment |
errors[] |
Install errors. |
PolicyContentSpec
PolicyContentSpec defines the user's desired content configuration on the cluster.
| Fields | |
|---|---|
bundles |
map of bundle name to BundleInstallSpec. The bundle name maps to the |
template_library |
Configures the installation of the Template Library. |
PolicyContentState
The state of the policy controller policy content
| Fields | |
|---|---|
template_library_state |
The state of the template library |
bundle_states |
The state of the any bundles included in the chosen version of the manifest |
referential_sync_config_state |
The state of the referential data sync configuration. This could represent the state of either the syncSet object(s) or the config object, depending on the version of PoCo configured by the user. |
PolicyController
Configuration for Policy Controller
| Fields | |
|---|---|
enabled |
Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect. |
exemptable_namespaces[] |
The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. |
referential_rules_enabled |
Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated. |
log_denies_enabled |
Logs all denies and dry run failures. |
mutation_enabled |
Enable users to try out mutation for PolicyController. |
monitoring |
Monitoring specifies the configuration of monitoring. |
update_time |
Output only. Last time this membership spec was updated. |
Union field
|
|
template_library_installed |
Installs the default template library along with Policy Controller. |
Union field
|
|
audit_interval_seconds |
Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. |
PolicyControllerDeploymentConfig
Deployment-specific configuration.
| Fields | |
|---|---|
pod_tolerations[] |
Pod tolerations of node taints. |
pod_affinity |
Pod affinity configuration. |
replica_count |
Pod replica count. |
container_resources |
Container resource requirements. |
pod_anti_affinity |
Pod anti-affinity enablement. Deprecated: use |
Affinity
The pod affinity configuration used by a deployment.
| Enums | |
|---|---|
AFFINITY_UNSPECIFIED |
No affinity configuration has been specified. |
NO_AFFINITY |
Affinity configurations will be removed from the deployment. |
ANTI_AFFINITY |
Anti-affinity configuration will be applied to this deployment. Default for admissions deployment. |
Toleration
Toleration of a node taint.
| Fields | |
|---|---|
key |
Matches a taint key (not necessarily unique). |
operator |
Matches a taint operator. |
value |
Matches a taint value. |
effect |
Matches a taint effect. |
PolicyControllerFeatureSpec
Spec for Policy Controller.
| Fields | |
|---|---|
membership_specs |
Map of Membership IDs to individual specs. |
PolicyControllerFeatureState
State for PolicyController
| Fields | |
|---|---|
state |
The overall Policy Controller lifecycle state observed by the Hub Feature controller. |
component_states |
On-cluster states of the components we would like to track. Currently these include (also serving as map keys): 1. "admission" 2. "audit" 3. "mutation" |
policy_content_state |
The overall content state observed by the Hub Feature controller. |
LifecycleState
The set of states Policy Controller can exist in.
| Enums | |
|---|---|
LIFECYCLE_STATE_UNSPECIFIED |
The lifecycle state is unspecified. |
NOT_INSTALLED |
Policy Controller (PC) does not exist on the given cluster, and no k8s resources of any type that are associated with the PC should exist there. The cluster does not possess a membership with the Hub Feature controller. |
INSTALLING |
The Hub Feature controller possesses a Membership, however Policy Controller is not fully installed on the cluster. In this state the hub can be expected to be taking actions to install the PC on the cluster. |
ACTIVE |
Policy Controller (PC) is fully installed on the cluster and in an operational mode. In this state the Hub Feature controller will be reconciling state with the PC, and the PC will be performing it's operational tasks per that software. Entering a READY state requires that the hub has confirmed the PC is installed and its pods are operational with the version of the PC the Hub Feature controller expects. |
UPDATING |
Policy Controller (PC) is fully installed, but in the process of changing the configuration (including changing the version of PC either up and down, or modifying the manifests of PC) of the resources running on the cluster. The Hub Feature controller has a Membership, is aware of the version the cluster should be running in, but has not confirmed for itself that the PC is running with that version. |
DECOMMISSIONING |
Policy Controller (PC) may have resources on the cluster, but the Hub Feature controller wishes to remove the Membership. The Membership still exists. |
CLUSTER_ERROR |
Policy Controller (PC) is not operational, and the Hub Feature controller is unable to act to make it operational. Entering a CLUSTER_ERROR state happens automatically when the PCH determines that a PC installed on the cluster is non-operative or that the cluster does not meet requirements set for the Hub Feature controller to administer the cluster but has nevertheless been given an instruction to do so (such as 'install'). |
HUB_ERROR |
In this state, the PC may still be operational, and only the Hub Feature controller is unable to act. The hub should not issue instructions to change the PC state, or otherwise interfere with the on-cluster resources. Entering a HUB_ERROR state happens automatically when the Hub Feature controller determines the hub is in an unhealthy state and it wishes to 'take hands off' to avoid corrupting the PC or other data. |
SUSPENDED |
Policy Controller (PC) is installed but suspended. This means that the policies are not enforced, but violations are still recorded (through audit). |
DETACHED |
PoCo Hub is not taking any action to reconcile cluster objects. Changes to those objects will not be overwritten by PoCo Hub. |
PolicyControllerHubConfig
Configuration for Policy Controller.
| Fields | |
|---|---|
install_spec |
The install_spec represents the intended state specified by the latest request that mutated install_spec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state. |
exemptable_namespaces[] |
The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. |
referential_rules_enabled |
Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated. |
log_denies_enabled |
Logs all denies and dry run failures. |
mutation_enabled |
Enables the ability to mutate resources using Policy Controller. |
monitoring |
Monitoring specifies the configuration of monitoring. |
policy_content |
Specifies the desired policy content on the cluster |
deployment_configs |
Map of deployment configs to deployments (“admission”, “audit”, “mutation”). |
audit_interval_seconds |
Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. |
constraint_violation_limit |
The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used. |
InstallSpec
The set of installation specs that the Hub Feature controller may actuate.
| Enums | |
|---|---|
INSTALL_SPEC_UNSPECIFIED |
Spec is unknown. |
INSTALL_SPEC_NOT_INSTALLED |
Request to uninstall Policy Controller. |
INSTALL_SPEC_ENABLED |
Request to install and enable Policy Controller. |
INSTALL_SPEC_SUSPENDED |
Request to suspend Policy Controller i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended. |
INSTALL_SPEC_DETACHED |
Request to stop all reconciliation actions by PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources. |
PolicyControllerMembershipSpec
Configuration for a single cluster. Intended to parallel the PolicyController CR.
| Fields | |
|---|---|
policy_controller_hub_config |
Policy Controller configuration for the cluster, managed by the Policy Controller Hub Feature controller. |
version |
The version of the Policy Controller Feature. |
PolicyControllerMigration
State for the migration of PolicyController from ACM -> PoCo Hub.
| Fields | |
|---|---|
stage |
Stage of the migration. |
copy_time |
Last time this membership spec was copied to PoCo feature. |
Stage
Stage marks what stage of the migration ACM hub is in.
| Enums | |
|---|---|
STAGE_UNSPECIFIED |
Unknown state of migration. |
ACM_MANAGED |
ACM Hub/Operator manages policycontroller. No migration yet completed. |
POCO_MANAGED |
All migrations steps complete; Poco Hub now manages policycontroller. |
PolicyControllerMonitoring
PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]
| Fields | |
|---|---|
backends[] |
Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. |
MonitoringBackend
Supported backend options for monitoring
| Enums | |
|---|---|
MONITORING_BACKEND_UNSPECIFIED |
Backend cannot be determined |
PROMETHEUS |
Prometheus backend for monitoring |
CLOUD_MONITORING |
Stackdriver/Cloud Monitoring backend for monitoring |
PolicyControllerMonitoringConfig
PolicyControllerMonitoringConfig specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["prometheus", "cloudmonitoring"]
| Fields | |
|---|---|
backends[] |
Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. |
MonitoringBackend
Supported backend options for monitoring
| Enums | |
|---|---|
MONITORING_BACKEND_UNSPECIFIED |
Backend cannot be determined |
PROMETHEUS |
Prometheus backend for monitoring |
CLOUD_MONITORING |
Stackdriver/Cloud Monitoring backend for monitoring |
PolicyControllerState
State for PolicyControllerState.
| Fields | |
|---|---|
version |
The version of Gatekeeper Policy Controller deployed. |
deployment_state |
The state about the policy controller installation. |
migration |
Record state of ACM -> PoCo Hub migration for this feature. |
PolicyControllerVersion
The build version of Gatekeeper Policy Controller is using.
| Fields | |
|---|---|
version |
The gatekeeper image tag that is composed of ACM version, git tag, build number. |
ResourceList
ResourceList contains container resource requirements.
| Fields | |
|---|---|
memory |
Memory requirement expressed in Kubernetes resource units. |
cpu |
CPU requirement expressed in Kubernetes resource units. |
ResourceRequirements
ResourceRequirements describes the compute resource requirements.
| Fields | |
|---|---|
limits |
Limits describes the maximum amount of compute resources allowed for use by the running container. |
requests |
Requests describes the amount of compute resources reserved for the container by the kube-scheduler. |
RoutingConfig
RoutingConfig configures the behaviour of fleet logging feature.
| Fields | |
|---|---|
mode |
mode configures the logs routing mode. |
Mode
Specified if fleet logging feature is enabled.
| Enums | |
|---|---|
MODE_UNSPECIFIED |
If UNSPECIFIED, fleet logging feature is disabled. |
COPY |
logs will be copied to the destination project. |
MOVE |
logs will be moved to the destination project. |
ServiceDirectoryFeatureSpec
This type has no fields.
An empty spec for service directory feature. This is required since Feature proto requires a spec.
ServiceDirectoryFeatureState
This type has no fields.
An empty state for service directory feature. This is rqeuired since FeatureStateDetails requires a state.
ServiceMeshAnalysisMessage
ServiceMeshAnalysisMessage is a single message produced by an analyzer, and it used to communicate to the end user about the state of their Service Mesh configuration.
| Fields | |
|---|---|
message_base |
Details common to all types of Istio and ServiceMesh analysis messages. |
description |
A human readable description of what the error means. It is suitable for non-internationalize display purposes. |
resource_paths[] |
A list of strings specifying the resource identifiers that were the cause of message generation. A "path" here may be: * MEMBERSHIP_ID if the cause is a specific member cluster * MEMBERSHIP_ID/(NAMESPACE\/)?RESOURCETYPE/NAME if the cause is a resource in a cluster |
args |
A UI can combine these args with a template (based on message_base.type) to produce an internationalized message. |
ServiceMeshAnalysisMessageBase
ServiceMeshAnalysisMessageBase describes some common information that is needed for all messages.
| Fields | |
|---|---|
type |
Represents the specific type of a message. |
level |
Represents how severe a message is. |
documentation_url |
A url pointing to the Service Mesh or Istio documentation for this specific error type. |
Level
The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later See istio.analysis.v1alpha1.AnalysisMessageBase.Level
| Enums | |
|---|---|
LEVEL_UNSPECIFIED |
Illegal. Same istio.analysis.v1alpha1.AnalysisMessageBase.Level.UNKNOWN. |
ERROR |
ERROR represents a misconfiguration that must be fixed. |
WARNING |
WARNING represents a misconfiguration that should be fixed. |
INFO |
INFO represents an informational finding. |
Type
A unique identifier for the type of message. Display_name is intended to be human-readable, code is intended to be machine readable. There should be a one-to-one mapping between display_name and code. (i.e. do not re-use display_names or codes between message types.) See istio.analysis.v1alpha1.AnalysisMessageBase.Type
| Fields | |
|---|---|
display_name |
A human-readable name for the message type. e.g. "InternalError", "PodMissingProxy". This should be the same for all messages of the same type. (This corresponds to the |
code |
A 7 character code matching |
ServiceMeshFeatureSpec
ServiceMeshFeatureSpec contains the input for the service mesh feature.
| Fields | |
|---|---|
membership_specs |
Optional. Map from full path to the membership, to its individual config. |
ServiceMeshFeatureState
ServiceMeshFeatureState describes the state of the Service Mesh hub feature as analyzed by the Service Mesh Hub Controller.
| Fields | |
|---|---|
analysis_messages[] |
Output only. Results of running Service Mesh analyzers against member clusters, or the entire mesh. |
control_plane_management |
Output only. Status of control plane management |
data_plane_management |
Output only. Status of data plane management. |
config_api_version |
The API version (i.e. Istio CRD version) for configuring service mesh in this cluster. This version is influenced by the |
ControlPlaneManagement
Status of control plane management. Only reported per-member.
| Fields | |
|---|---|
details[] |
Explanation of state. |
state |
State of control plane management. |
DataPlaneManagement
Status of data plane management. Only reported per-member.
| Fields | |
|---|---|
state |
Lifecycle status of data plane management. |
details[] |
Explanation of the status. |
LifecycleState
Lifecycle state of Service Mesh components.
| Enums | |
|---|---|
LIFECYCLE_STATE_UNSPECIFIED |
Unspecified |
DISABLED |
DISABLED means that the component is not enabled. |
FAILED_PRECONDITION |
FAILED_PRECONDITION means that provisioning cannot proceed because of some characteristic of the member cluster. |
PROVISIONING |
PROVISIONING means that provisioning is in progress. |
ACTIVE |
ACTIVE means that the component is ready for use. |
STALLED |
STALLED means that provisioning could not be done. |
NEEDS_ATTENTION |
NEEDS_ATTENTION means that the component is ready, but some user intervention is required. (For example that the user should migrate workloads to a new control plane revision.) |
DEGRADED |
DEGRADED means that the component is ready, but operating in a degraded state. |
ServiceMeshMembershipSpec
Service Mesh: Spec for a single Membership for the servicemesh feature
| Fields | |
|---|---|
control_plane |
Enables automatic control plane management. |
management |
Enables automatic Service Mesh management. |
ControlPlaneManagement
Whether to automatically manage Service Mesh control planes.
| Enums | |
|---|---|
CONTROL_PLANE_MANAGEMENT_UNSPECIFIED |
Unspecified |
AUTOMATIC |
Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install. |
MANUAL |
User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API) |
Management
Whether to automatically manage Service Mesh.
| Enums | |
|---|---|
MANAGEMENT_UNSPECIFIED |
Unspecified |
MANAGEMENT_AUTOMATIC |
Google should manage my Service Mesh for the cluster. |
MANAGEMENT_MANUAL |
User will manually configure their service mesh components. |
StatusDetails
Structured and human-readable details for a status.
| Fields | |
|---|---|
code |
A machine-readable code that further describes a broad status. |
details |
Human-readable explanation of code. |
SyncError
An ACM created error representing a problem syncing configurations
| Fields | |
|---|---|
code |
An ACM defined error code |
error_message |
A description of the error |
error_resources[] |
A list of config(s) associated with the error, if any |
SyncState
State indicating an ACM's progress syncing configurations to a cluster
| Fields | |
|---|---|
source_token |
Token indicating the state of the repo. |
import_token |
Token indicating the state of the importer. |
sync_token |
Token indicating the state of the syncer. |
last_sync |
Timestamp of when ACM last successfully synced the repo The time format is specified in https://golang.org/pkg/time/#Time.String This field is being deprecated. Use last_sync_time instead. |
last_sync_time |
Timestamp type of when ACM last successfully synced the repo |
code |
Sync status code |
errors[] |
A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist. |
SyncCode
An enum representing Config Sync's status of syncing configs to a cluster.
| Enums | |
|---|---|
SYNC_CODE_UNSPECIFIED |
Config Sync cannot determine a sync code |
SYNCED |
Config Sync successfully synced the git Repo with the cluster |
PENDING |
Config Sync is in the progress of syncing a new change |
ERROR |
Indicates an error configuring Config Sync, and user action is required |
NOT_CONFIGURED |
Config Sync has been installed but not configured |
NOT_INSTALLED |
Config Sync has not been installed |
UNAUTHORIZED |
Error authorizing with the cluster |
UNREACHABLE |
Cluster could not be reached |
TemplateLibraryConfig
The config specifying which default library templates to install.
| Fields | |
|---|---|
installation |
Configures the manner in which the template library is installed on the cluster. |
Installation
How the template library should be installed
| Enums | |
|---|---|
INSTALLATION_UNSPECIFIED |
No installation strategy has been specified. |
NOT_INSTALLED |
Do not install the template library. |
ALL |
Install the entire template library. |
UpdateFeatureRequest
Request message for GkeHubDomainFeatureService.UpdateFeature method.
| Fields | |
|---|---|
name |
Required. The Feature resource name in the format Authorization requires the following IAM permission on the specified resource
|
update_mask |
Mask of fields to update. |
resource |
Only fields specified in update_mask are updated. If you specify a field in the update_mask but don't specify its value here that field will be deleted. If you are updating a map field, set the value of a key to null or empty string to delete the key from the map. It's not possible to update a key's value to the empty string. |
WorkloadCertificateFeatureSpec
WorkloadCertificateFeatureSpec contains the input for the workload identity platform feature. This is required since Feature proto requires a spec.
| Fields | |
|---|---|
provision_google_ca |
Immutable. Specifies CA configuration. |
default_config |
Default membership spec. Users can override the default in the member_configs for each member. |
member_configs |
Per-member configuration of workload certificate. |
GoogleCAProvisioning
Specifies if a default Google managed CA should be provisioned. If UNSPECIFIED, Google managed CA feature is disabled. If set to UNSPECIFIED/DISABLED, the "certificate_authority_config" field in WorkloadCertificateConfig must specify a CA endpoint.
| Enums | |
|---|---|
GOOGLE_CA_PROVISIONING_UNSPECIFIED |
Disable default Google managed CA. |
DISABLED |
Disable default Google managed CA. |
ENABLED |
Use default Google managed CA. |
ENABLED_WITH_MANAGED_CA |
Workload certificate feature is enabled, and the entire certificate provisioning process is managed by Google with managed CAS which is more secure than the default CA. |
ENABLED_WITH_DEFAULT_CA |
Workload certificate feature is enabled, and the entire certificate provisioning process is using the default CA which is free. |
WorkloadCertificateFeatureState
This type has no fields.
WorkloadCertificateFeatureState describes the state of the workload certificate feature. This is required since FeatureStateDetails requires a state.
WorkloadCertificateMembershipSpec
WorkloadCertificateMembershipSpec contains the membership-specific input for WorkloadCertificate feature.
| Fields | |
|---|---|
certificate_management |
Specifies workload certificate management. |
CertificateManagement
Specifies whether or not the feature is enabled on the member cluster.
| Enums | |
|---|---|
CERTIFICATE_MANAGEMENT_UNSPECIFIED |
Disable workload certificate feature. |
DISABLED |
Disable workload certificate feature. |
ENABLED |
Enable workload certificate feature. |