GKEHubMembership


Property                                                        Value
Google Cloud Service Name                                       GKE Hub
Google Cloud Service Documentation                              /anthos/multicluster-management/connect/overview
Google Cloud REST Resource Name                                 v1beta1.projects.locations.memberships
Google Cloud REST Resource Documentation                        https://gkehub.googleapis.com/$discovery/rest?version=v1beta1
Config Connector Resource Short Names                           gcpgkehubmembership, gcpgkehubmemberships, gkehubmembership
Config Connector Service Name                                   gkehub.googleapis.com
Config Connector Resource Fully Qualified Name                  gkehubmemberships.gkehub.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember                  No
Config Connector Default Average Reconcile Interval In Seconds  600

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/project-id
cnrm.cloud.google.com/state-into-spec

Spec

Schema

authority:
  issuer: string
description: string
endpoint:
  gkeCluster:
    resourceRef:
      external: string
      name: string
      namespace: string
  kubernetesResource:
    membershipCrManifest: string
    resourceOptions:
      connectVersion: string
      v1beta1Crd: boolean
externalId: string
infrastructureType: string
location: string
resourceID: string

Fields

authority

Optional

object

Optional. How to identify workloads from this Membership. See the documentation on Workload Identity for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

authority.issuer

Optional

string

Optional. A JSON Web Token (JWT) issuer URI. `issuer` must start with `https://` and be a valid URL with length <2000 characters. If set, then Google will allow valid OIDC tokens from this issuer to authenticate within the workload_identity_pool. OIDC discovery will be performed on this URI to validate tokens from the issuer. Clearing `issuer` disables Workload Identity. `issuer` cannot be directly modified; it must be cleared (and Workload Identity disabled) before using a new issuer (and re-enabling Workload Identity).

description

Optional

string

Description of this membership, limited to 63 characters. Must match the regex: `*`. This field is present for legacy purposes.

endpoint

Optional

object

Optional. Endpoint information to reach this member.

endpoint.gkeCluster

Optional

object

Optional. GKE-specific information. Only present if this Membership is a GKE cluster.

endpoint.gkeCluster.resourceRef

Optional

object

endpoint.gkeCluster.resourceRef.external

Optional

string

Immutable. Self-link of the GCP resource for the GKE cluster. For example: //container.googleapis.com/projects/my-project/locations/us-west1-a/clusters/my-cluster. Zonal clusters are also supported. Allowed value: The `selfLink` field of a `ContainerCluster` resource.

endpoint.gkeCluster.resourceRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

endpoint.gkeCluster.resourceRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

endpoint.kubernetesResource

Optional

object

Optional. The in-cluster Kubernetes Resources that should be applied for a correctly registered cluster, in the steady state. These resources:

* Ensure that the cluster is exclusively registered to one and only one Hub Membership.
* Propagate Workload Pool Information available in the Membership Authority field.
* Ensure proper initial configuration of default Hub Features.

endpoint.kubernetesResource.membershipCrManifest

Optional

string

Input only. The YAML representation of the Membership CR. This field is ignored for GKE clusters where Hub can read the CR directly. Callers should provide the CR that is currently present in the cluster during CreateMembership or UpdateMembership, or leave this field empty if none exists. The CR manifest is used to validate the cluster has not been registered with another Membership.

endpoint.kubernetesResource.resourceOptions

Optional

object

Optional. Options for Kubernetes resource generation.

endpoint.kubernetesResource.resourceOptions.connectVersion

Optional

string

Optional. The Connect agent version to use for connect_resources. Defaults to the latest GKE Connect version. The version must be a currently supported version; obsolete versions will be rejected.

endpoint.kubernetesResource.resourceOptions.v1beta1Crd

Optional

boolean

Optional. Use `apiextensions/v1beta1` instead of `apiextensions/v1` for CustomResourceDefinition resources. This option should be set for clusters with Kubernetes apiserver versions <1.16.

externalId

Optional

string

Optional. An externally-generated and managed ID for this Membership. This ID may be modified after creation, but this is not recommended. The ID must match the regex: `*`. If this Membership represents a Kubernetes cluster, this value should be set to the UID of the `kube-system` namespace object.

infrastructureType

Optional

string

Optional. The infrastructure type this Membership is running on. Possible values: INFRASTRUCTURE_TYPE_UNSPECIFIED, ON_PREM, MULTI_CLOUD

location

Required

string

Immutable. The location for the resource.

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.
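The spec constraints listed above (an `https://` issuer shorter than 2000 characters, a description of at most 63 characters, a `resourceRef` given by `name` or by a `ContainerCluster` selfLink, the `infrastructureType` enum, the required `location`, and a `kube-system` namespace UID as `externalId`) can be checked before a manifest is ever applied. The following Python is an added example and not Config Connector code: it validates a `spec` dict as loaded from the YAML. It assumes that a `resourceRef` needs either `name` or `external` (the page does not state this) and that a namespace UID is UUID-shaped. The sample spec is constructed from the page's sample YAML, with `example-project` standing in for the project ID; the bad spec is constructed to trigger each rule.

```python
from urllib.parse import urlparse
from uuid import UUID

# Enum values as listed for spec.infrastructureType.
INFRASTRUCTURE_TYPES = {"INFRASTRUCTURE_TYPE_UNSPECIFIED", "ON_PREM", "MULTI_CLOUD"}
# A ContainerCluster selfLink starts with this prefix (see resourceRef.external).
CLUSTER_SELF_LINK_PREFIX = "//container.googleapis.com/projects/"


def _get(d, *path):
    """Walk nested dicts; return None if any key along the path is missing."""
    for key in path:
        if not isinstance(d, dict) or key not in d:
            return None
        d = d[key]
    return d


def validate_membership_spec(spec):
    """Return a list of problems found in a GKEHubMembership spec (empty = OK)."""
    problems = []

    # location is the only required spec field.
    if not spec.get("location"):
        problems.append("spec.location is required")

    # authority.issuer: https:// URL, shorter than 2000 characters.
    issuer = _get(spec, "authority", "issuer")
    if issuer is not None:
        parsed = urlparse(issuer)
        if not issuer.startswith("https://") or parsed.scheme != "https" or not parsed.netloc:
            problems.append("authority.issuer must be an https:// URL")
        if len(issuer) >= 2000:
            problems.append("authority.issuer must be shorter than 2000 characters")

    # description is limited to 63 characters.
    description = spec.get("description")
    if description is not None and len(description) > 63:
        problems.append("description exceeds 63 characters")

    # resourceRef: assumption that either name or external must be present.
    ref = _get(spec, "endpoint", "gkeCluster", "resourceRef")
    if ref is not None:
        external, name = ref.get("external"), ref.get("name")
        if not external and not name:
            problems.append("endpoint.gkeCluster.resourceRef needs 'name' or 'external'")
        if external and not external.startswith(CLUSTER_SELF_LINK_PREFIX):
            problems.append("endpoint.gkeCluster.resourceRef.external is not a ContainerCluster selfLink")

    infra = spec.get("infrastructureType")
    if infra is not None and infra not in INFRASTRUCTURE_TYPES:
        problems.append(f"infrastructureType {infra!r} is not one of {sorted(INFRASTRUCTURE_TYPES)}")

    # externalId should be the kube-system namespace UID; assumption: UUID-shaped.
    external_id = spec.get("externalId")
    if external_id is not None:
        try:
            UUID(external_id)
        except ValueError:
            problems.append("externalId does not look like a namespace UID (UUID)")
    return problems


# Constructed from the page's sample YAML; "example-project" replaces ${PROJECT_ID?}.
SAMPLE_SPEC = {
    "location": "global",
    "authority": {
        "issuer": "https://container.googleapis.com/v1/projects/example-project"
                  "/locations/us-central1-a/clusters/gkehubmembership-dep",
    },
    "description": "A sample GKE Hub membership",
    "endpoint": {"gkeCluster": {"resourceRef": {"name": "gkehubmembership-dep"}}},
}

# Constructed spec that violates five of the rules above.
BAD_SPEC = {
    "authority": {"issuer": "http://issuer.example.invalid"},
    "description": "x" * 70,
    "infrastructureType": "AWS",
    "externalId": "not-a-uuid",
}

if __name__ == "__main__":
    for label, spec in (("sample", SAMPLE_SPEC), ("bad", BAD_SPEC)):
        print(label, validate_membership_spec(spec) or "OK")
```

The validator only enforces what the page states; the two regexes whose patterns are elided on the page are deliberately not reconstructed.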

Status

Schema

authority:
  identityProvider: string
  workloadIdentityPool: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createTime: string
deleteTime: string
endpoint:
  kubernetesMetadata:
    kubernetesApiServerVersion: string
    memoryMb: integer
    nodeCount: integer
    nodeProviderId: string
    updateTime: string
    vcpuCount: integer
  kubernetesResource:
    connectResources:
    - clusterScoped: boolean
      manifest: string
    membershipResources:
    - clusterScoped: boolean
      manifest: string
lastConnectionTime: string
observedGeneration: integer
state:
  code: string
uniqueId: string
updateTime: string

Fields

authority

object

authority.identityProvider

string

Output only. An identity provider that reflects the `issuer` in the workload identity pool.

authority.workloadIdentityPool

string

Output only. The name of the workload identity pool in which `issuer` will be recognized. There is a single Workload Identity Pool per Hub that is shared between all Memberships that belong to that Hub. For a Hub hosted in project {PROJECT_ID}, the workload pool format is `{PROJECT_ID}.hub.id.goog`, although this is subject to change in newer versions of this API.

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

createTime

string

Output only. When the Membership was created.

deleteTime

string

Output only. When the Membership was deleted.

endpoint

object

endpoint.kubernetesMetadata

object

Output only. Useful Kubernetes-specific metadata.

endpoint.kubernetesMetadata.kubernetesApiServerVersion

string

Output only. Kubernetes API server version string as reported by `/version`.

endpoint.kubernetesMetadata.memoryMb

integer

Output only. The total memory capacity as reported by the sum of all Kubernetes nodes resources, defined in MB.

endpoint.kubernetesMetadata.nodeCount

integer

Output only. Node count as reported by Kubernetes nodes resources.

endpoint.kubernetesMetadata.nodeProviderId

string

Output only. Node providerID as reported by the first node in the list of nodes on the Kubernetes endpoint. On Kubernetes platforms that support zero-node clusters (like GKE-on-GCP), the node_count will be zero and the node_provider_id will be empty.

endpoint.kubernetesMetadata.updateTime

string

Output only. The time at which these details were last updated. This update_time is different from the Membership-level update_time since EndpointDetails are updated internally for API consumers.

endpoint.kubernetesMetadata.vcpuCount

integer

Output only. vCPU count as reported by Kubernetes nodes resources.

endpoint.kubernetesResource

object

endpoint.kubernetesResource.connectResources

list (object)

Output only. The Kubernetes resources for installing the GKE Connect agent. This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make an UpdateMembership call with an empty field mask.

endpoint.kubernetesResource.connectResources[]

object

endpoint.kubernetesResource.connectResources[].clusterScoped

boolean

Whether the resource provided in the manifest is `cluster_scoped`. If unset, the manifest is assumed to be namespace scoped. This field is used for REST mapping when applying the resource in a cluster.

endpoint.kubernetesResource.connectResources[].manifest

string

YAML manifest of the resource.

endpoint.kubernetesResource.membershipResources

list (object)

Output only. Additional Kubernetes resources that need to be applied to the cluster after Membership creation, and after every update. This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make an UpdateMembership call with an empty field mask.

endpoint.kubernetesResource.membershipResources[]

object

endpoint.kubernetesResource.membershipResources[].clusterScoped

boolean

Whether the resource provided in the manifest is `cluster_scoped`. If unset, the manifest is assumed to be namespace scoped. This field is used for REST mapping when applying the resource in a cluster.

endpoint.kubernetesResource.membershipResources[].manifest

string

YAML manifest of the resource.

lastConnectionTime

string

Output only. For clusters using Connect, the timestamp of the most recent connection established with Google Cloud. This time is updated every several minutes, not continuously. For clusters that do not use GKE Connect, or that have never connected successfully, this field will be unset.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

state

object

Output only. State of the Membership resource.

state.code

string

Output only. The current state of the Membership resource. Possible values: CODE_UNSPECIFIED, CREATING, READY, DELETING, UPDATING, SERVICE_UPDATING

uniqueId

string

Output only. Google-generated UUID for this resource. This is unique across all Membership resources. If a Membership resource is deleted and another resource with the same name is created, it gets a different unique_id.

updateTime

string

Output only. When the Membership was last updated.
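The status fields above (`observedGeneration` against `metadata.generation`, the `conditions` list, `state.code` and `lastConnectionTime`) are what an operator reads to decide whether a membership is actually healthy rather than merely present. The following Python is an added example and not Config Connector code. It assumes the Config Connector convention that the readiness condition has type `Ready`; the 30-minute staleness threshold for `lastConnectionTime` is a constructed value (the page only says the timestamp is refreshed every several minutes). Both status objects, including their condition reasons and messages, are constructed samples.

```python
from datetime import datetime, timedelta, timezone

# Assumption: Config Connector reports readiness in a condition of type "Ready".
READY_CONDITION = "Ready"


def _parse_time(value):
    """Parse an RFC 3339 timestamp such as 2021-06-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_membership(obj, now, uses_connect=True, max_connection_age=timedelta(minutes=30)):
    """Return the reasons a GKEHubMembership object is not healthy (empty = healthy).

    Healthy means: status is current, the Ready condition is True, the Hub-side
    state code is READY and, for Connect clusters, the agent has checked in
    within max_connection_age (a constructed threshold, not from the page).
    """
    problems = []
    status = obj.get("status", {})

    # If observedGeneration lags metadata.generation, the status describes an
    # older spec than the one currently applied and must not be trusted yet.
    generation = obj.get("metadata", {}).get("generation")
    observed = status.get("observedGeneration")
    if observed != generation:
        problems.append(f"status is stale: observedGeneration={observed}, metadata.generation={generation}")

    # conditions[].status is one of True, False, Unknown.
    conditions = {c.get("type"): c for c in status.get("conditions", [])}
    ready = conditions.get(READY_CONDITION)
    if ready is None:
        problems.append("no Ready condition reported yet")
    elif ready.get("status") != "True":
        problems.append(f"Ready={ready.get('status')} ({ready.get('reason')}): {ready.get('message')}")

    # state.code: CODE_UNSPECIFIED, CREATING, READY, DELETING, UPDATING, SERVICE_UPDATING.
    code = status.get("state", {}).get("code")
    if code != "READY":
        problems.append(f"Hub state code is {code}, not READY")

    # lastConnectionTime is unset for clusters that never connected via GKE Connect.
    if uses_connect:
        last = status.get("lastConnectionTime")
        if last is None:
            problems.append("Connect agent has never connected successfully")
        else:
            age = now - _parse_time(last)
            if age > max_connection_age:
                problems.append(f"last Connect agent connection was {age} ago")
    return problems


# Constructed evaluation time and sample objects (values are illustrative).
NOW = datetime(2021, 6, 1, 12, 10, tzinfo=timezone.utc)

HEALTHY = {
    "metadata": {"name": "gkehubmembership-sample", "generation": 2},
    "status": {
        "observedGeneration": 2,
        "conditions": [{"type": "Ready", "status": "True", "reason": "UpToDate",
                        "message": "The resource is up to date",
                        "lastTransitionTime": "2021-06-01T11:00:00Z"}],
        "state": {"code": "READY"},
        "lastConnectionTime": "2021-06-01T12:02:00Z",
    },
}

DEGRADED = {
    "metadata": {"name": "gkehubmembership-sample", "generation": 3},
    "status": {
        "observedGeneration": 2,
        "conditions": [{"type": "Ready", "status": "False", "reason": "UpdateFailed",
                        "message": "Update call failed",
                        "lastTransitionTime": "2021-06-01T11:55:00Z"}],
        "state": {"code": "UPDATING"},
        "lastConnectionTime": "2021-06-01T09:00:00Z",
    },
}

if __name__ == "__main__":
    for label, obj in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, assess_membership(obj, NOW) or "OK")
```

Passing `uses_connect=False` skips the `lastConnectionTime` check for memberships that do not use GKE Connect, for which the page says the field stays unset.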

Sample YAML(s)

Typical Use Case

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubMembership
metadata:
  labels:
    label-one: value-one
  name: gkehubmembership-sample
spec:
  location: global
  authority:
    # Issuer must contain a link to a valid JWT issuer. Your ContainerCluster is one. To use it, replace ${PROJECT_ID?} with your project ID.
    issuer: https://container.googleapis.com/v1/projects/${PROJECT_ID?}/locations/us-central1-a/clusters/gkehubmembership-dep
  description: A sample GKE Hub membership
  endpoint:
    gkeCluster:
      resourceRef:
        name: gkehubmembership-dep
---
apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerCluster
metadata:
  name: gkehubmembership-dep
spec:
  location: us-central1-a
  initialNodeCount: 1
  workloadIdentityConfig:
    # Workload Identity supports only a single namespace based on your project name.
    # Replace ${PROJECT_ID?} below with your project ID.
    workloadPool: ${PROJECT_ID?}.svc.id.goog