GKEHubFeatureMembership


| Property | Value |
|---|---|
| Google Cloud Service Name | GKE Hub |
| Google Cloud Service Documentation | /anthos/multicluster-management/connect/overview |
| Google Cloud REST Resource Name | v1beta1.projects.locations.features |
| Google Cloud REST Resource Documentation | https://gkehub.googleapis.com/$discovery/rest?version=v1beta |
| Config Connector Resource Short Names | gcpgkehubfeaturemembership, gcpgkehubfeaturememberships, gkehubfeaturemembership |
| Config Connector Service Name | gkehub.googleapis.com |
| Config Connector Resource Fully Qualified Name | gkehubfeaturememberships.gkehub.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/state-into-spec

Spec

Schema

configmanagement:
  binauthz:
    enabled: boolean
  configSync:
    git:
      gcpServiceAccountRef:
        external: string
        name: string
        namespace: string
      httpsProxy: string
      policyDir: string
      secretType: string
      syncBranch: string
      syncRepo: string
      syncRev: string
      syncWaitSecs: string
    metricsGcpServiceAccountRef:
      external: string
      name: string
      namespace: string
    oci:
      gcpServiceAccountRef:
        external: string
        name: string
        namespace: string
      policyDir: string
      secretType: string
      syncRepo: string
      syncWaitSecs: string
    preventDrift: boolean
    sourceFormat: string
  hierarchyController:
    enableHierarchicalResourceQuota: boolean
    enablePodTreeLabels: boolean
    enabled: boolean
  policyController:
    auditIntervalSeconds: string
    enabled: boolean
    exemptableNamespaces:
    - string
    logDeniesEnabled: boolean
    monitoring:
      backends:
      - string
    mutationEnabled: boolean
    referentialRulesEnabled: boolean
    templateLibraryInstalled: boolean
  version: string
featureRef:
  external: string
  name: string
  namespace: string
location: string
membershipLocation: string
membershipRef:
  external: string
  name: string
  namespace: string
mesh:
  controlPlane: string
  management: string
policycontroller:
  policyControllerHubConfig:
    auditIntervalSeconds: integer
    constraintViolationLimit: integer
    exemptableNamespaces:
    - string
    installSpec: string
    logDeniesEnabled: boolean
    monitoring:
      backends:
      - string
    mutationEnabled: boolean
    policyContent:
      templateLibrary:
        installation: string
    referentialRulesEnabled: boolean
  version: string
projectRef:
  external: string
  name: string
  namespace: string

Fields

configmanagement

Optional

object

Config Management-specific spec.

configmanagement.binauthz

Optional

object

**DEPRECATED** Binauthz configuration for the cluster. This field will be ignored and should not be set.

configmanagement.binauthz.enabled

Optional

boolean

Whether binauthz is enabled in this cluster.

configmanagement.configSync

Optional

object

Config Sync configuration for the cluster.

configmanagement.configSync.git

Optional

object

configmanagement.configSync.git.gcpServiceAccountRef

Optional

object

configmanagement.configSync.git.gcpServiceAccountRef.external

Optional

string

The GCP Service Account email used for auth when secretType is gcpserviceaccount. Allowed value: The `email` field of an `IAMServiceAccount` resource.

configmanagement.configSync.git.gcpServiceAccountRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

configmanagement.configSync.git.gcpServiceAccountRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

configmanagement.configSync.git.httpsProxy

Optional

string

URL for the HTTPS proxy to be used when communicating with the Git repo.

configmanagement.configSync.git.policyDir

Optional

string

The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.

configmanagement.configSync.git.secretType

Optional

string

Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. The validation of this is case-sensitive.

configmanagement.configSync.git.syncBranch

Optional

string

The branch of the repository to sync from. Default: master.

configmanagement.configSync.git.syncRepo

Optional

string

The URL of the Git repository to use as the source of truth.

configmanagement.configSync.git.syncRev

Optional

string

Git revision (tag or hash) to check out. Default: HEAD.

configmanagement.configSync.git.syncWaitSecs

Optional

string

Period in seconds between consecutive syncs. Default: 15.

configmanagement.configSync.metricsGcpServiceAccountRef

Optional

object

configmanagement.configSync.metricsGcpServiceAccountRef.external

Optional

string

The email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount `default` in the namespace `config-management-monitoring` should be bound to the GSA. Allowed value: The `email` field of an `IAMServiceAccount` resource.

configmanagement.configSync.metricsGcpServiceAccountRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

configmanagement.configSync.metricsGcpServiceAccountRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

configmanagement.configSync.oci

Optional

object

configmanagement.configSync.oci.gcpServiceAccountRef

Optional

object

configmanagement.configSync.oci.gcpServiceAccountRef.external

Optional

string

The GCP Service Account email used for auth when secretType is gcpserviceaccount. Allowed value: The `email` field of an `IAMServiceAccount` resource.

configmanagement.configSync.oci.gcpServiceAccountRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

configmanagement.configSync.oci.gcpServiceAccountRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

configmanagement.configSync.oci.policyDir

Optional

string

The absolute path of the directory that contains the local resources. Default: the root directory of the image.

configmanagement.configSync.oci.secretType

Optional

string

Type of secret configured for access to the OCI Image. Must be one of gcenode, gcpserviceaccount or none. The validation of this is case-sensitive.

configmanagement.configSync.oci.syncRepo

Optional

string

The OCI image repository URL for the package to sync from. e.g. LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME.

configmanagement.configSync.oci.syncWaitSecs

Optional

string

Period in seconds (int64 format) between consecutive syncs. Default: 15.

configmanagement.configSync.preventDrift

Optional

boolean

Set to true to enable the Config Sync admission webhook to prevent drifts. If set to `false`, disables the Config Sync admission webhook and does not prevent drifts.

configmanagement.configSync.sourceFormat

Optional

string

Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.

configmanagement.hierarchyController

Optional

object

Hierarchy Controller configuration for the cluster.

configmanagement.hierarchyController.enableHierarchicalResourceQuota

Optional

boolean

Whether hierarchical resource quota is enabled in this cluster.

configmanagement.hierarchyController.enablePodTreeLabels

Optional

boolean

Whether pod tree labels are enabled in this cluster.

configmanagement.hierarchyController.enabled

Optional

boolean

Whether Hierarchy Controller is enabled in this cluster.

configmanagement.policyController

Optional

object

Policy Controller configuration for the cluster.

configmanagement.policyController.auditIntervalSeconds

Optional

string

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

configmanagement.policyController.enabled

Optional

boolean

Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect.

configmanagement.policyController.exemptableNamespaces

Optional

list (string)

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.

configmanagement.policyController.exemptableNamespaces[]

Optional

string

configmanagement.policyController.logDeniesEnabled

Optional

boolean

Logs all denies and dry run failures.

configmanagement.policyController.monitoring

Optional

object

Specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]. Default: ["cloudmonitoring", "prometheus"]

configmanagement.policyController.monitoring.backends

Optional

list (string)

Specifies the list of backends Policy Controller will export to. Specifying an empty value `[]` disables metrics export.

configmanagement.policyController.monitoring.backends[]

Optional

string

configmanagement.policyController.mutationEnabled

Optional

boolean

Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster.

configmanagement.policyController.referentialRulesEnabled

Optional

boolean

Enables the use of Constraint Templates that reference objects other than the object currently being evaluated.

configmanagement.policyController.templateLibraryInstalled

Optional

boolean

Installs the default template library along with Policy Controller.

configmanagement.version

Optional

string

Version of ACM to install. Defaults to the latest version.

featureRef

Required

object

Immutable.

featureRef.external

Optional

string

The name of the feature. Allowed value: The Google Cloud resource name of a `GKEHubFeature` resource (format: `projects/{{project}}/locations/{{location}}/features/{{name}}`).

featureRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

featureRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

location

Required

string

Immutable. The location of the feature.

membershipLocation

Optional

string

Immutable. The location of the membership.

membershipRef

Required

object

Immutable.

membershipRef.external

Optional

string

The name of the membership. Allowed value: The Google Cloud resource name of a `GKEHubMembership` resource (format: `projects/{{project}}/locations/{{location}}/memberships/{{name}}`).

membershipRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

membershipRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

mesh

Optional

object

Service Mesh feature configuration for the cluster.

mesh.controlPlane

Optional

string

**DEPRECATED** Whether to automatically manage Service Mesh control planes. Possible values: CONTROL_PLANE_MANAGEMENT_UNSPECIFIED, AUTOMATIC, MANUAL

mesh.management

Optional

string

Whether to automatically manage Service Mesh. Possible values: MANAGEMENT_UNSPECIFIED, MANAGEMENT_AUTOMATIC, MANAGEMENT_MANUAL

policycontroller

Optional

object

Policy Controller-specific spec.

policycontroller.policyControllerHubConfig

Required*

object

Policy Controller configuration for the cluster.

policycontroller.policyControllerHubConfig.auditIntervalSeconds

Optional

integer

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

policycontroller.policyControllerHubConfig.constraintViolationLimit

Optional

integer

The maximum number of audit violations to be stored in a constraint. If not set, the internal default of 20 will be used.

policycontroller.policyControllerHubConfig.exemptableNamespaces

Optional

list (string)

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.

policycontroller.policyControllerHubConfig.exemptableNamespaces[]

Optional

string

policycontroller.policyControllerHubConfig.installSpec

Optional

string

Configures the mode of the Policy Controller installation. Possible values: INSTALL_SPEC_UNSPECIFIED, INSTALL_SPEC_NOT_INSTALLED, INSTALL_SPEC_ENABLED, INSTALL_SPEC_SUSPENDED, INSTALL_SPEC_DETACHED

policycontroller.policyControllerHubConfig.logDeniesEnabled

Optional

boolean

Logs all denies and dry run failures.

policycontroller.policyControllerHubConfig.monitoring

Optional

object

Specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]. Default: ["cloudmonitoring", "prometheus"]

policycontroller.policyControllerHubConfig.monitoring.backends

Optional

list (string)

Specifies the list of backends Policy Controller will export to. Specifying an empty value `[]` disables metrics export.

policycontroller.policyControllerHubConfig.monitoring.backends[]

Optional

string

policycontroller.policyControllerHubConfig.mutationEnabled

Optional

boolean

Enables the ability to mutate resources using Policy Controller.

policycontroller.policyControllerHubConfig.policyContent

Optional

object

Specifies the desired policy content on the cluster.

policycontroller.policyControllerHubConfig.policyContent.templateLibrary

Optional

object

Configures the installation of the Template Library.

policycontroller.policyControllerHubConfig.policyContent.templateLibrary.installation

Optional

string

Configures the manner in which the template library is installed on the cluster. Possible values: INSTALLATION_UNSPECIFIED, NOT_INSTALLED, ALL

policycontroller.policyControllerHubConfig.referentialRulesEnabled

Optional

boolean

Enables the use of Constraint Templates that reference objects other than the object currently being evaluated.

policycontroller.version

Optional

string

Version of Policy Controller to install. Defaults to the latest version.

projectRef

Required

object

Immutable. The Project that this resource belongs to.

projectRef.external

Optional

string

The project of the feature. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

* Field is required when parent field is specified
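Several of the fields above silently weaken enforcement when set a certain way: `preventDrift: false` turns off the Config Sync admission webhook, `auditIntervalSeconds` of 0 disables Policy Controller audit scans, `monitoring.backends: []` disables metrics export, `secretType` is validated case-sensitively, and `binauthz` and `mesh.controlPlane` are deprecated and ignored. The following linter is an added example, not Config Connector code; it assumes the manifest's `spec` has already been loaded into a dict (for instance by a YAML parser) and applies those field rules to it. The `SAMPLE_SPEC` input and every resource name in it are constructed for this example and are not the page's sample resources.

```python
"""Lint a GKEHubFeatureMembership spec for settings that weaken enforcement.

Added example, not Config Connector code. Assumes the manifest's spec is
already a dict; the checks follow the field descriptions on this page.
"""

# Allowed values as documented for the spec fields (validated case-sensitively).
GIT_SECRET_TYPES = {"ssh", "cookiefile", "gcenode", "token", "gcpserviceaccount", "none"}
OCI_SECRET_TYPES = {"gcenode", "gcpserviceaccount", "none"}
INSTALL_SPECS = {
    "INSTALL_SPEC_UNSPECIFIED", "INSTALL_SPEC_NOT_INSTALLED", "INSTALL_SPEC_ENABLED",
    "INSTALL_SPEC_SUSPENDED", "INSTALL_SPEC_DETACHED",
}


def _check_secret_type(path, source, allowed, findings):
    """secretType must match the allowed set exactly; gcpserviceaccount needs a GSA reference."""
    if not source:
        return
    secret_type = source.get("secretType")
    if secret_type is not None and secret_type not in allowed:
        findings.append(f"{path}.secretType={secret_type!r} is not one of "
                        f"{sorted(allowed)} (validation is case-sensitive)")
    if secret_type == "gcpserviceaccount" and not source.get("gcpServiceAccountRef"):
        findings.append(f"{path}.secretType is gcpserviceaccount but gcpServiceAccountRef is not set")


def _check_policy_controller(path, pc, findings):
    """Checks shared by configmanagement.policyController and policyControllerHubConfig.

    auditIntervalSeconds is a string in the first block and an integer in the
    second, so both are normalised through int()."""
    interval = pc.get("auditIntervalSeconds")
    if interval is not None:
        try:
            if int(interval) == 0:
                findings.append(f"{path}.auditIntervalSeconds=0 disables audit scans altogether")
        except ValueError:
            findings.append(f"{path}.auditIntervalSeconds={interval!r} is not an integer")
    if pc.get("logDeniesEnabled") is False:
        findings.append(f"{path}.logDeniesEnabled=false: denies and dry-run failures are not logged")
    if (pc.get("monitoring") or {}).get("backends") == []:
        findings.append(f"{path}.monitoring.backends=[] disables metrics export")
    for ns in pc.get("exemptableNamespaces") or []:
        findings.append(f"{path}.exemptableNamespaces exempts {ns!r} from Policy Controller checks")


def audit_feature_membership_spec(spec):
    """Return the list of findings for one GKEHubFeatureMembership spec (empty means clean)."""
    findings = []
    cm = spec.get("configmanagement") or {}
    if "binauthz" in cm:
        findings.append("configmanagement.binauthz is deprecated and ignored; remove it")
    sync = cm.get("configSync") or {}
    _check_secret_type("configmanagement.configSync.git", sync.get("git"), GIT_SECRET_TYPES, findings)
    _check_secret_type("configmanagement.configSync.oci", sync.get("oci"), OCI_SECRET_TYPES, findings)
    if sync.get("preventDrift") is False:
        findings.append("configmanagement.configSync.preventDrift=false: admission webhook off, drift is not prevented")
    acm_pc = cm.get("policyController") or {}
    if acm_pc.get("enabled"):
        _check_policy_controller("configmanagement.policyController", acm_pc, findings)
    elif any(key != "enabled" for key in acm_pc):
        # enabled is false or absent, so the remaining policyController fields take no effect
        findings.append("configmanagement.policyController.enabled is not true; its other fields take no effect")
    hub = (spec.get("policycontroller") or {}).get("policyControllerHubConfig") or {}
    install = hub.get("installSpec")
    if install is not None and install not in INSTALL_SPECS:
        findings.append(f"policycontroller.policyControllerHubConfig.installSpec={install!r} is not a known value")
    if hub:
        _check_policy_controller("policycontroller.policyControllerHubConfig", hub, findings)
    if "controlPlane" in (spec.get("mesh") or {}):
        findings.append("mesh.controlPlane is deprecated; use mesh.management")
    return findings


# Constructed input: placeholder names, with a few deliberately weak values.
SAMPLE_SPEC = {
    "projectRef": {"name": "example-project"},
    "location": "global",
    "membershipRef": {"name": "example-membership"},
    "featureRef": {"name": "example-feature"},
    "configmanagement": {
        "configSync": {
            "sourceFormat": "unstructured",
            "preventDrift": False,  # weak: admission webhook disabled
            "git": {
                "syncRepo": "https://example.invalid/policy.git",
                "syncBranch": "main",
                "secretType": "Token",  # wrong case: fails case-sensitive validation
            },
        },
        "policyController": {
            "enabled": True,
            "auditIntervalSeconds": "0",  # weak: audit scans disabled
            "logDeniesEnabled": True,
            "exemptableNamespaces": ["test-namespace"],
        },
    },
}

if __name__ == "__main__":
    for finding in audit_feature_membership_spec(SAMPLE_SPEC):
        print("-", finding)
```

Run against `SAMPLE_SPEC` the linter reports four findings: the mis-cased `secretType`, `preventDrift: false`, the zero audit interval, and the exempted namespace. Wiring it into a pre-apply check (for example, fed by the same YAML loader that renders the manifest) catches these before Config Connector reconciles the feature membership.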

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
observedGeneration: integer

Fields

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

Sample YAML(s)

Config Management Feature Membership

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubFeatureMembership
metadata:
  name: gkehubfeaturemembership-sample
spec:
  projectRef:
    name: gkehubfeaturemembership-dep-acm
  location: global
  membershipRef:
    name: gkehubfeaturemembership-dep-acm
  featureRef:
    name: gkehubfeaturemembership-dep-acm
  configmanagement:
    configSync:
      sourceFormat: unstructured
      git:
        syncRepo: "https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit"
        syncBranch: "master"
        policyDir: "config-connector"
        syncWaitSecs: "20"
        syncRev: "HEAD"
        secretType: "none"
    policyController:
      enabled: true
      exemptableNamespaces:
        - "test-namespace"
      referentialRulesEnabled: true
      logDeniesEnabled: true
      templateLibraryInstalled: true
      auditIntervalSeconds: "20"
    hierarchyController:
      enabled: true
      enablePodTreeLabels: true
      enableHierarchicalResourceQuota: true
---
apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerCluster
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gkehubfeaturemembership-dep-acm
  name: gkehubfeaturemembership-dep-acm
spec:
  location: us-central1-a
  initialNodeCount: 1
  workloadIdentityConfig:
    # Workload Identity supports only a single namespace based on your project name.
    workloadPool: gkehubfeaturemembership-dep-acm.svc.id.goog
---
apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubFeature
metadata:
  name: gkehubfeaturemembership-dep-acm
spec:
  projectRef:
    name: gkehubfeaturemembership-dep-acm
  location: global
  # The resourceID must be "configmanagement" if you want to use Anthos config
  # management feature.
  resourceID: configmanagement
---
apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubMembership
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gkehubfeaturemembership-dep-acm
  name: gkehubfeaturemembership-dep-acm
spec:
  location: global
  authority:
    # Issuer must contain a link to a valid JWT issuer. Your ContainerCluster is one.
    issuer: https://container.googleapis.com/v1/projects/gkehubfeaturemembership-dep-acm/locations/us-central1-a/clusters/gkehubfeaturemembership-dep-acm
  description: A sample GKE Hub membership
  endpoint:
    gkeCluster:
      resourceRef:
        name: gkehubfeaturemembership-dep-acm
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: gkehubfeaturemembership-dep-acm
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gkehubfeaturemembership-dep-acm
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: gkehubfeaturemembership-dep1-acm1
spec:
  resourceID: container.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gkehubfeaturemembership-dep-acm
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: gkehubfeaturemembership-dep2-acm
spec:
  resourceID: gkehub.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gkehubfeaturemembership-dep-acm
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: gkehubfeaturemembership-dep3-acm
spec:
  resourceID: anthosconfigmanagement.googleapis.com

Service Mesh Feature Membership

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubFeatureMembership
metadata:
  name: gkehubfeaturemembership-sample-asm
spec:
  projectRef:
    name: gkehubfeaturemembership-dep-asm
  location: global
  membershipRef:
    name: gkehubfeaturemembership-dep-asm
  featureRef:
    name: gkehubfeaturemembership-dep-asm
  mesh:
    management: MANAGEMENT_AUTOMATIC
---
apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerCluster
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gkehubfeaturemembership-dep-asm
  labels:
    # Replace ${PROJECT_NUMBER?} with the number of the project once created,
    # this will give you access to the ASM UI in the Google Cloud Console
    mesh_id: proj-${PROJECT_NUMBER?}
  name: gkehubfeaturemembership-dep-asm
spec:
  location: us-east4-a
  initialNodeCount: 1
  workloadIdentityConfig:
    workloadPool: gkehubfeaturemembership-dep-asm.svc.id.goog
---
apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubFeature
metadata:
  name: gkehubfeaturemembership-dep-asm
spec:
  projectRef:
    name: gkehubfeaturemembership-dep-asm
  location: global
  # The resourceID must be "servicemesh" if you want to use Anthos Service Mesh feature.
  resourceID: servicemesh
---
apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubMembership
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: gkehubfeaturemembership-dep-asm
  name: gkehubfeaturemembership-dep-asm
spec:
  location: global
  authority:
    issuer: https://container.googleapis.com/v1/projects/gkehubfeaturemembership-dep-asm/locations/us-east4-a/clusters/gkehubfeaturemembership-dep-asm
  endpoint:
    gkeCluster:
      resourceRef:
        name: gkehubfeaturemembership-dep-asm
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: gkehubfeaturemembership-dep-asm
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: gkehubfeaturemembership-dep-asm
spec:
  resourceID: mesh.googleapis.com
  projectRef:
    name: gkehubfeaturemembership-dep-asm