GKEHubMembership
Property | Value |
---|---|
Google Cloud Service Name | GKE Hub |
Google Cloud Service Documentation | /kubernetes-engine/fleet-management/docs/manage-features |
Google Cloud REST Resource Name | v1beta1.projects.locations.memberships |
Google Cloud REST Resource Documentation | https://gkehub.googleapis.com/$discovery/rest?version=v1beta1 |
Config Connector Resource Short Names | gcpgkehubmembership gcpgkehubmemberships gkehubmembership |
Config Connector Service Name | gkehub.googleapis.com |
Config Connector Resource Fully Qualified Name | gkehubmemberships.gkehub.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Annotations
Fields | |
---|---|
cnrm.cloud.google.com/project-id |
Spec
Schema
```yaml
authority:
  issuer: string
description: string
endpoint:
  gkeCluster:
    resourceRef:
      external: string
      name: string
      namespace: string
  kubernetesResource:
    membershipCrManifest: string
    resourceOptions:
      connectVersion: string
      v1beta1Crd: boolean
externalId: string
infrastructureType: string
location: string
resourceID: string
```
Fields | Description |
---|---|
`authority` (Optional) | Optional. How to identify workloads from this Membership. See the documentation on Workload Identity for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity |
`authority.issuer` (Optional) | Optional. A JSON Web Token (JWT) issuer URI. `issuer` must start with `https://` and be a valid URL with length <2000 characters. If set, then Google will allow valid OIDC tokens from this issuer to authenticate within the workload_identity_pool. OIDC discovery will be performed on this URI to validate tokens from the issuer. Clearing `issuer` disables Workload Identity. `issuer` cannot be directly modified; it must be cleared (and Workload Identity disabled) before using a new issuer (and re-enabling Workload Identity). |
`description` (Optional) | Description of this membership, limited to 63 characters. Must match the regex: `*` This field is present for legacy purposes. |
`endpoint` (Optional) | Optional. Endpoint information to reach this member. |
`endpoint.gkeCluster` (Optional) | Optional. GKE-specific information. Only present if this Membership is a GKE cluster. |
`endpoint.gkeCluster.resourceRef` (Optional) | |
`endpoint.gkeCluster.resourceRef.external` (Optional) | Immutable. Self-link of the GCP resource for the GKE cluster. For example: //container.googleapis.com/projects/my-project/locations/us-west1-a/clusters/my-cluster. Zonal clusters are also supported. Allowed value: The `selfLink` field of a `ContainerCluster` resource. |
`endpoint.gkeCluster.resourceRef.name` (Optional) | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
`endpoint.gkeCluster.resourceRef.namespace` (Optional) | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
`endpoint.kubernetesResource` (Optional) | Optional. The in-cluster Kubernetes Resources that should be applied for a correctly registered cluster, in the steady state. These resources: * Ensure that the cluster is exclusively registered to one and only one Hub Membership. * Propagate Workload Pool Information available in the Membership Authority field. * Ensure proper initial configuration of default Hub Features. |
`endpoint.kubernetesResource.membershipCrManifest` (Optional) | Input only. The YAML representation of the Membership CR. This field is ignored for GKE clusters where Hub can read the CR directly. Callers should provide the CR that is currently present in the cluster during CreateMembership or UpdateMembership, or leave this field empty if none exists. The CR manifest is used to validate that the cluster has not been registered with another Membership. |
`endpoint.kubernetesResource.resourceOptions` (Optional) | Optional. Options for Kubernetes resource generation. |
`endpoint.kubernetesResource.resourceOptions.connectVersion` (Optional) | Optional. The Connect agent version to use for connect_resources. Defaults to the latest GKE Connect version. The version must be a currently supported version; obsolete versions will be rejected. |
`endpoint.kubernetesResource.resourceOptions.v1beta1Crd` (Optional) | Optional. Use `apiextensions/v1beta1` instead of `apiextensions/v1` for CustomResourceDefinition resources. This option should be set for clusters with Kubernetes apiserver versions <1.16. |
`externalId` (Optional) | Optional. An externally-generated and managed ID for this Membership. This ID may be modified after creation, but this is not recommended. The ID must match the regex: `*` If this Membership represents a Kubernetes cluster, this value should be set to the UID of the `kube-system` namespace object. |
`infrastructureType` (Optional) | Optional. The infrastructure type this Membership is running on. Possible values: INFRASTRUCTURE_TYPE_UNSPECIFIED, ON_PREM, MULTI_CLOUD |
`location` (Required) | Immutable. The location for the resource. |
`resourceID` (Optional) | Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default. |
Status
Schema
```yaml
authority:
  identityProvider: string
  workloadIdentityPool: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createTime: string
deleteTime: string
endpoint:
  kubernetesMetadata:
    kubernetesApiServerVersion: string
    memoryMb: integer
    nodeCount: integer
    nodeProviderId: string
    updateTime: string
    vcpuCount: integer
  kubernetesResource:
    connectResources:
    - clusterScoped: boolean
      manifest: string
    membershipResources:
    - clusterScoped: boolean
      manifest: string
lastConnectionTime: string
observedGeneration: integer
state:
  code: string
uniqueId: string
updateTime: string
```
Fields | Description |
---|---|
`authority` | |
`authority.identityProvider` | Output only. An identity provider that reflects the `issuer` in the workload identity pool. |
`authority.workloadIdentityPool` | Output only. The name of the workload identity pool in which `issuer` will be recognized. There is a single Workload Identity Pool per Hub that is shared between all Memberships that belong to that Hub. For a Hub hosted in {PROJECT_ID}, the workload pool format is `{PROJECT_ID}.hub.id.goog`, although this is subject to change in newer versions of this API. |
`conditions` | Conditions represent the latest available observation of the resource's current state. |
`conditions[]` | |
`conditions[].lastTransitionTime` | Last time the condition transitioned from one status to another. |
`conditions[].message` | Human-readable message indicating details about the last transition. |
`conditions[].reason` | Unique, one-word, CamelCase reason for the condition's last transition. |
`conditions[].status` | Status is the status of the condition. Can be True, False, Unknown. |
`conditions[].type` | Type is the type of the condition. |
`createTime` | Output only. When the Membership was created. |
`deleteTime` | Output only. When the Membership was deleted. |
`endpoint` | |
`endpoint.kubernetesMetadata` | Output only. Useful Kubernetes-specific metadata. |
`endpoint.kubernetesMetadata.kubernetesApiServerVersion` | Output only. Kubernetes API server version string as reported by `/version`. |
`endpoint.kubernetesMetadata.memoryMb` | Output only. The total memory capacity as reported by the sum of all Kubernetes node resources, defined in MB. |
`endpoint.kubernetesMetadata.nodeCount` | Output only. Node count as reported by Kubernetes node resources. |
`endpoint.kubernetesMetadata.nodeProviderId` | Output only. Node providerID as reported by the first node in the list of nodes on the Kubernetes endpoint. On Kubernetes platforms that support zero-node clusters (like GKE-on-GCP), the node_count will be zero and the node_provider_id will be empty. |
`endpoint.kubernetesMetadata.updateTime` | Output only. The time at which these details were last updated. This update_time is different from the Membership-level update_time since EndpointDetails are updated internally for API consumers. |
`endpoint.kubernetesMetadata.vcpuCount` | Output only. vCPU count as reported by Kubernetes node resources. |
`endpoint.kubernetesResource` | |
`endpoint.kubernetesResource.connectResources` | Output only. The Kubernetes resources for installing the GKE Connect agent. This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make an UpdateMembership call with an empty field mask. |
`endpoint.kubernetesResource.connectResources[]` | |
`endpoint.kubernetesResource.connectResources[].clusterScoped` | Whether the resource provided in the manifest is `cluster_scoped`. If unset, the manifest is assumed to be namespace scoped. This field is used for REST mapping when applying the resource in a cluster. |
`endpoint.kubernetesResource.connectResources[].manifest` | YAML manifest of the resource. |
`endpoint.kubernetesResource.membershipResources` | Output only. Additional Kubernetes resources that need to be applied to the cluster after Membership creation, and after every update. This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make an UpdateMembership call with an empty field mask. |
`endpoint.kubernetesResource.membershipResources[]` | |
`endpoint.kubernetesResource.membershipResources[].clusterScoped` | Whether the resource provided in the manifest is `cluster_scoped`. If unset, the manifest is assumed to be namespace scoped. This field is used for REST mapping when applying the resource in a cluster. |
`endpoint.kubernetesResource.membershipResources[].manifest` | YAML manifest of the resource. |
`lastConnectionTime` | Output only. For clusters using Connect, the timestamp of the most recent connection established with Google Cloud. This time is updated every several minutes, not continuously. For clusters that do not use GKE Connect, or that have never connected successfully, this field will be unset. |
`observedGeneration` | ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then the current reported status reflects the most recent desired state of the resource. |
`state` | Output only. State of the Membership resource. |
`state.code` | Output only. The current state of the Membership resource. Possible values: CODE_UNSPECIFIED, CREATING, READY, DELETING, UPDATING, SERVICE_UPDATING |
`uniqueId` | Output only. Google-generated UUID for this resource. This is unique across all Membership resources. If a Membership resource is deleted and another resource with the same name is created, it gets a different unique_id. |
`updateTime` | Output only. When the Membership was last updated. |
Sample YAML(s)
Typical Use Case
```yaml
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubMembership
metadata:
  labels:
    label-one: value-one
  name: gkehubmembership-sample
spec:
  location: global
  authority:
    # Issuer must contain a link to a valid JWT issuer. Your ContainerCluster is one. To use it, replace ${PROJECT_ID?} with your project ID.
    issuer: https://container.googleapis.com/v1/projects/${PROJECT_ID?}/locations/us-central1-a/clusters/gkehubmembership-dep
  description: A sample GKE Hub membership
  endpoint:
    gkeCluster:
      resourceRef:
        name: gkehubmembership-dep
---
apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerCluster
metadata:
  name: gkehubmembership-dep
spec:
  location: us-central1-a
  initialNodeCount: 1
  workloadIdentityConfig:
    # Workload Identity supports only a single namespace based on your project name.
    # Replace ${PROJECT_ID?} below with your project ID.
    workloadPool: ${PROJECT_ID?}.svc.id.goog
```
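The Spec field table above states several constraints that the API only reports after an apply (an `https://` issuer under 2000 characters, a 63-character description, the `infrastructureType` enum, a required `location`, and the rule that `issuer` must be cleared before a new one is set). The pre-apply check below is an added example and not Config Connector's own code; `check_membership`, `SAMPLE_SPEC` and the selfLink prefix check are this example's own choices, and the manifest is built as a dict rather than parsed from YAML so the script runs without extra packages.

```python
"""Pre-apply checks for a GKEHubMembership spec against the documented
field constraints (added example; not Config Connector code)."""
from urllib.parse import urlparse

INFRA_TYPES = {"INFRASTRUCTURE_TYPE_UNSPECIFIED", "ON_PREM", "MULTI_CLOUD"}
# The documented example selfLink starts with this prefix (assumption: all do).
CLUSTER_SELFLINK_PREFIX = "//container.googleapis.com/projects/"


def check_membership(spec, old_spec=None):
    """Return a list of problems; an empty list means the spec passes.
    old_spec is the currently applied spec, used to catch an in-place issuer swap."""
    problems = []
    if not spec.get("location"):
        problems.append("spec.location is required and immutable")
    desc = spec.get("description", "")
    if len(desc) > 63:
        problems.append(f"description is {len(desc)} chars; limit is 63")
    infra = spec.get("infrastructureType")
    if infra is not None and infra not in INFRA_TYPES:
        problems.append(f"infrastructureType {infra!r} is not a documented value")
    issuer = spec.get("authority", {}).get("issuer")
    if issuer is not None:
        if not issuer.startswith("https://") or not urlparse(issuer).netloc:
            problems.append("authority.issuer must be an https:// URL")
        if len(issuer) >= 2000:
            problems.append("authority.issuer must be shorter than 2000 chars")
        # The API rejects a direct change of issuer: it has to be cleared
        # (disabling Workload Identity) and then set to the new value.
        old_issuer = (old_spec or {}).get("authority", {}).get("issuer")
        if old_issuer and old_issuer != issuer:
            problems.append("authority.issuer cannot be changed directly; clear it first")
    ref = spec.get("endpoint", {}).get("gkeCluster", {}).get("resourceRef", {})
    ext = ref.get("external")
    if ext is not None and not ext.startswith(CLUSTER_SELFLINK_PREFIX):
        problems.append("resourceRef.external must be a ContainerCluster selfLink")
    if ref and not (ext or ref.get("name")):
        problems.append("resourceRef needs either external or name")
    return problems


# Constructed sample mirroring the Sample YAML above, with a placeholder project id.
SAMPLE_SPEC = {
    "location": "global",
    "authority": {"issuer": "https://container.googleapis.com/v1/projects/"
                  "PROJECT_ID_PLACEHOLDER/locations/us-central1-a/clusters/gkehubmembership-dep"},
    "description": "A sample GKE Hub membership",
    "endpoint": {"gkeCluster": {"resourceRef": {"name": "gkehubmembership-dep"}}},
}

if __name__ == "__main__":
    for problem in check_membership(SAMPLE_SPEC):
        print("problem:", problem)
```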