OSConfigGuestPolicy
| Property | Value |
|---|---|
| Google Cloud Service Name | OS Config |
| Google Cloud Service Documentation | /compute/docs/osconfig/rest/ |
| Google Cloud REST Resource Name | v1beta.projects.guestPolicies |
| Google Cloud REST Resource Documentation | /compute/docs/osconfig/rest/v1beta/projects.guestPolicies |
| Config Connector Resource Short Names | gcposconfigguestpolicy gcposconfigguestpolicies osconfigguestpolicy |
| Config Connector Service Name | osconfig.googleapis.com |
| Config Connector Resource Fully Qualified Name | osconfigguestpolicies.osconfig.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Annotations
| Fields | |
|---|---|
cnrm.cloud.google.com/project-id |
|
Spec
Schema
assignment:
groupLabels:
- labels:
string: string
instanceNamePrefixes:
- string
instances:
- external: string
name: string
namespace: string
osTypes:
- osArchitecture: string
osShortName: string
osVersion: string
zones:
- string
description: string
packageRepositories:
- apt:
archiveType: string
components:
- string
distribution: string
gpgKey: string
uri: string
goo:
name: string
url: string
yum:
baseUrl: string
displayName: string
gpgKeys:
- string
id: string
zypper:
baseUrl: string
displayName: string
gpgKeys:
- string
id: string
packages:
- desiredState: string
manager: string
name: string
recipes:
- artifacts:
- allowInsecure: boolean
gcs:
bucketRef:
external: string
name: string
namespace: string
generation: integer
object: string
id: string
remote:
checksum: string
uri: string
desiredState: string
installSteps:
- archiveExtraction:
artifactId: string
destination: string
type: string
dpkgInstallation:
artifactId: string
fileCopy:
artifactId: string
destination: string
overwrite: boolean
permissions: string
fileExec:
allowedExitCodes:
- integer
args:
- string
artifactId: string
localPath: string
msiInstallation:
allowedExitCodes:
- integer
artifactId: string
flags:
- string
rpmInstallation:
artifactId: string
scriptRun:
allowedExitCodes:
- integer
interpreter: string
script: string
name: string
updateSteps:
- archiveExtraction:
artifactId: string
destination: string
type: string
dpkgInstallation:
artifactId: string
fileCopy:
artifactId: string
destination: string
overwrite: boolean
permissions: string
fileExec:
allowedExitCodes:
- integer
args:
- string
artifactId: string
localPath: string
msiInstallation:
allowedExitCodes:
- integer
artifactId: string
flags:
- string
rpmInstallation:
artifactId: string
scriptRun:
allowedExitCodes:
- integer
interpreter: string
script: string
version: string
resourceID: string
| Fields | |
|---|---|
|
Optional |
Specifies the VMs that are assigned this policy. This allows you to target sets or groups of VMs by different parameters such as labels, names, OS, or zones. Empty assignments will target ALL VMs underneath this policy. Conflict Management Policies that exist higher up in the resource hierarchy (closer to the Org) will override those lower down if there is a conflict. At the same level in the resource hierarchy (ie. within a project), the service will prevent the creation of multiple policies that conflict with each other. If there are multiple policies that specify the same config (eg. package, software recipe, repository, etc.), the service will ensure that no VM could potentially receive instructions from both policies. To create multiple policies that specify different versions of a package or different configs for different Operating Systems, each policy must be mutually exclusive in their targeting according to labels, OS, or other criteria. Different configs are identified for conflicts in different ways. Packages are identified by their name and the package manager(s) they target. Package repositories are identified by their unique id where applicable. Some package managers don't have a unique identifier for repositories and where that's the case, no uniqueness is validated by the service. Note that if OS Inventory is disabled, a VM will not be assigned a policy that targets by OS because the service will see this VM's OS as unknown. |
|
Optional |
Targets instances matching at least one of these label sets. This allows an assignment to target disparate groups, for example "env=prod or env=staging". |
|
Optional |
|
|
Optional |
Google Compute Engine instance labels that must be present for an instance to be included in this assignment group. |
|
Optional |
Targets VM instances whose name starts with one of these prefixes. Like labels, this is another way to group VM instances when targeting configs, for example prefix="prod-". Only supported for project-level policies. |
|
Optional |
|
|
Optional |
|
|
Optional |
|
|
Optional |
Allowed value: The `selfLink` field of a `ComputeInstance` resource. |
|
Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
|
Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
|
Optional |
Targets VM instances matching at least one of the following OS types. VM instances must match all supplied criteria for a given OsType to be included. |
|
Optional |
|
|
Optional |
Targets VM instances with OS Inventory enabled and having the following OS architecture. |
|
Optional |
Targets VM instances with OS Inventory enabled and having the following OS short name, for example "debian" or "windows". |
|
Optional |
Targets VM instances with OS Inventory enabled and having the following following OS version. |
|
Optional |
Targets instances in any of these zones. Leave empty to target instances in any zone. Zonal targeting is uncommon and is supported to facilitate the management of changes by zone. |
|
Optional |
|
|
Optional |
Description of the GuestPolicy. Length of the description is limited to 1024 characters. |
|
Optional |
List of package repository configurations assigned to the VM instance. |
|
Optional |
|
|
Optional |
An Apt Repository. |
|
Optional |
Type of archive files in this repository. The default behavior is DEB. Possible values: ARCHIVE_TYPE_UNSPECIFIED, DEB, DEB_SRC |
|
Optional |
Required. List of components for this repository. Must contain at least one item. |
|
Optional |
|
|
Required* |
Required. Distribution of this repository. |
|
Optional |
URI of the key file for this repository. The agent maintains a keyring at `/etc/apt/trusted.gpg.d/osconfig_agent_managed.gpg` containing all the keys in any applied guest policy. |
|
Required* |
Required. URI for this repository. |
|
Optional |
A Goo Repository. |
|
Required* |
Required. The name of the repository. |
|
Required* |
Required. The url of the repository. |
|
Optional |
A Yum Repository. |
|
Required* |
Required. The location of the repository directory. |
|
Optional |
The display name of the repository. |
|
Optional |
URIs of GPG keys. |
|
Optional |
|
|
Required* |
Required. A one word, unique name for this repository. This is the `repo id` in the Yum config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for guest policy conflicts. |
|
Optional |
A Zypper Repository. |
|
Required* |
Required. The location of the repository directory. |
|
Optional |
The display name of the repository. |
|
Optional |
URIs of GPG keys. |
|
Optional |
|
|
Required* |
Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for guest policy conflicts. |
|
Optional |
List of package configurations assigned to the VM instance. |
|
Optional |
|
|
Optional |
The desired_state the agent should maintain for this package. The default is to ensure the package is installed. Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED |
|
Optional |
Type of package manager that can be used to install this package. If a system does not have the package manager, the package is not installed or removed no error message is returned. By default, or if you specify `ANY`, the agent attempts to install and remove this package using the default package manager. This is useful when creating a policy that applies to different types of systems. The default behavior is ANY. Possible values: MANAGER_UNSPECIFIED, ANY, APT, YUM, ZYPPER, GOO |
|
Optional |
Required. The name of the package. A package is uniquely identified for conflict validation by checking the package name and the manager(s) that the package targets. |
|
Optional |
Optional. A list of Recipes to install on the VM. |
|
Optional |
|
|
Optional |
Resources available to be used in the steps in the recipe. |
|
Optional |
|
|
Optional |
Defaults to false. When false, recipes are subject to validations based on the artifact type: Remote: A checksum must be specified, and only protocols with transport-layer security are permitted. GCS: An object generation number must be specified. |
|
Optional |
A Google Cloud Storage artifact. |
|
Optional |
|
|
Optional |
Bucket of the Google Cloud Storage object. Given an example URL: `https://storage.googleapis.com/my-bucket/foo/bar#1234567` this value would be `my-bucket`. Allowed value: The Google Cloud resource name of a `StorageBucket` resource (format: `{{name}}`). |
|
Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
|
Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
|
Optional |
Must be provided if allow_insecure is false. Generation number of the Google Cloud Storage object. `https://storage.googleapis.com/my-bucket/foo/bar#1234567` this value would be `1234567`. |
|
Optional |
Name of the Google Cloud Storage object. As specified [here] (https://cloud.google.com/storage/docs/naming#objectnames) Given an example URL: `https://storage.googleapis.com/my-bucket/foo/bar#1234567` this value would be `foo/bar`. |
|
Optional |
Required. Id of the artifact, which the installation and update steps of this recipe can reference. Artifacts in a recipe cannot have the same id. |
|
Optional |
A generic remote artifact. |
|
Optional |
Must be provided if `allow_insecure` is `false`. SHA256 checksum in hex format, to compare to the checksum of the artifact. If the checksum is not empty and it doesn't match the artifact then the recipe installation fails before running any of the steps. |
|
Optional |
URI from which to fetch the object. It should contain both the protocol and path following the format: {protocol}://{location}. |
|
Optional |
Default is INSTALLED. The desired state the agent should maintain for this recipe. INSTALLED: The software recipe is installed on the instance but won't be updated to new versions. UPDATED: The software recipe is installed on the instance. The recipe is updated to a higher version, if a higher version of the recipe is assigned to this instance. REMOVE: Remove is unsupported for software recipes and attempts to create or update a recipe to the REMOVE state is rejected. Possible values: DESIRED_STATE_UNSPECIFIED, INSTALLED, REMOVED |
|
Optional |
Actions to be taken for installing this recipe. On failure it stops executing steps and does not attempt another installation. Any steps taken (including partially completed steps) are not rolled back. |
|
Optional |
|
|
Optional |
Extracts an archive into the specified directory. |
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
Directory to extract archive to. Defaults to `/` on Linux or `C:` on Windows. |
|
Optional |
Required. The type of the archive to extract. Possible values: TYPE_UNSPECIFIED, VALIDATION, DESIRED_STATE_CHECK, DESIRED_STATE_ENFORCEMENT, DESIRED_STATE_CHECK_POST_ENFORCEMENT |
|
Optional |
Installs a deb file via dpkg. |
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
Copies a file onto the instance. |
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
Required. The absolute path on the instance to put the file. |
|
Optional |
Whether to allow this step to overwrite existing files. If this is false and the file already exists the file is not overwritten and the step is considered a success. Defaults to false. |
|
Optional |
Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 |
|
Optional |
Executes an artifact or local file. |
|
Optional |
Defaults to [0]. A list of possible return values that the program can return to indicate a success. |
|
Optional |
|
|
Optional |
Arguments to be passed to the provided executable. |
|
Optional |
|
|
Optional |
The id of the relevant artifact in the recipe. |
|
Optional |
The absolute path of the file on the local filesystem. |
|
Optional |
Installs an MSI file. |
|
Optional |
Return codes that indicate that the software installed or updated successfully. Behaviour defaults to [0] |
|
Optional |
|
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
The flags to use when installing the MSI defaults to ["/i"] (i.e. the install flag). |
|
Optional |
|
|
Optional |
Installs an rpm file via the rpm utility. |
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
Runs commands in a shell. |
|
Optional |
Return codes that indicate that the software installed or updated successfully. Behaviour defaults to [0] |
|
Optional |
|
|
Optional |
The script interpreter to use to run the script. If no interpreter is specified the script is executed directly, which likely only succeed for scripts with [shebang lines](https://en.wikipedia.org/wiki/Shebang_(Unix)). Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL |
|
Optional |
Required. The shell script to be executed. |
|
Optional |
Required. Unique identifier for the recipe. Only one recipe with a given name is installed on an instance. Names are also used to identify resources which helps to determine whether guest policies have conflicts. This means that requests to create multiple recipes with the same name and version are rejected since they could potentially have conflicting assignments. |
|
Optional |
Actions to be taken for updating this recipe. On failure it stops executing steps and does not attempt another update for this recipe. Any steps taken (including partially completed steps) are not rolled back. |
|
Optional |
|
|
Optional |
Extracts an archive into the specified directory. |
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
Directory to extract archive to. Defaults to `/` on Linux or `C:` on Windows. |
|
Optional |
Required. The type of the archive to extract. Possible values: TYPE_UNSPECIFIED, VALIDATION, DESIRED_STATE_CHECK, DESIRED_STATE_ENFORCEMENT, DESIRED_STATE_CHECK_POST_ENFORCEMENT |
|
Optional |
Installs a deb file via dpkg. |
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
Copies a file onto the instance. |
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
Required. The absolute path on the instance to put the file. |
|
Optional |
Whether to allow this step to overwrite existing files. If this is false and the file already exists the file is not overwritten and the step is considered a success. Defaults to false. |
|
Optional |
Consists of three octal digits which represent, in order, the permissions of the owner, group, and other users for the file (similarly to the numeric mode used in the linux chmod utility). Each digit represents a three bit number with the 4 bit corresponding to the read permissions, the 2 bit corresponds to the write bit, and the one bit corresponds to the execute permission. Default behavior is 755. Below are some examples of permissions and their associated values: read, write, and execute: 7 read and execute: 5 read and write: 6 read only: 4 |
|
Optional |
Executes an artifact or local file. |
|
Optional |
Defaults to [0]. A list of possible return values that the program can return to indicate a success. |
|
Optional |
|
|
Optional |
Arguments to be passed to the provided executable. |
|
Optional |
|
|
Optional |
The id of the relevant artifact in the recipe. |
|
Optional |
The absolute path of the file on the local filesystem. |
|
Optional |
Installs an MSI file. |
|
Optional |
Return codes that indicate that the software installed or updated successfully. Behaviour defaults to [0] |
|
Optional |
|
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
The flags to use when installing the MSI defaults to ["/i"] (i.e. the install flag). |
|
Optional |
|
|
Optional |
Installs an rpm file via the rpm utility. |
|
Optional |
Required. The id of the relevant artifact in the recipe. |
|
Optional |
Runs commands in a shell. |
|
Optional |
Return codes that indicate that the software installed or updated successfully. Behaviour defaults to [0] |
|
Optional |
|
|
Optional |
The script interpreter to use to run the script. If no interpreter is specified the script is executed directly, which likely only succeed for scripts with [shebang lines](https://en.wikipedia.org/wiki/Shebang_(Unix)). Possible values: INTERPRETER_UNSPECIFIED, NONE, SHELL, POWERSHELL |
|
Optional |
Required. The shell script to be executed. |
|
Optional |
The version of this software recipe. Version can be up to 4 period separated numbers (e.g. 12.34.56.78). |
|
Optional |
Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default. |
* Field is required when parent field is specified
Status
Schema
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
createTime: string
etag: string
observedGeneration: integer
updateTime: string
| Fields | |
|---|---|
conditions |
Conditions represent the latest available observation of the resource's current state. |
conditions[] |
|
conditions[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions[].message |
Human-readable message indicating details about last transition. |
conditions[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type |
Type is the type of the condition. |
createTime |
Output only. Time this GuestPolicy was created. |
etag |
The etag for this GuestPolicy. If this is provided on update, it must match the server's etag. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
updateTime |
Output only. Last time this GuestPolicy was updated. |
Sample YAML(s)
Typical Use Case
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: osconfig.cnrm.cloud.google.com/v1beta1
kind: OSConfigGuestPolicy
metadata:
name: osconfigguestpolicy-sample
spec:
description: An example OSConfigGuestPolicy for installing a web application on assigned instances.
assignment:
groupLabels:
- labels:
env: prod
app: web
- labels:
env: staging
app: web
instanceNamePrefixes:
- webappprod-
- webappstaging-
osTypes:
- osArchitecture: x86_64
osShortName: debian
osVersion: "10"
- osArchitecture: x86_64
osShortName: windows
osVersion: 10.0.14393
packageRepositories:
- apt:
archiveType: DEB
distribution: aiy-debian-buster
components:
- main
uri: https://packages.cloud.google.com/apt
gpgKey: https://packages.cloud.google.com/apt/dists/aiy-debian-buster/Release.gpg
- yum:
id: liamtest
displayName: Liam Test
baseUrl: https://packages.cloud.google.com/yum/repos/liamtest
gpgKeys:
- https://packages.cloud.google.com/yum/doc/yum-key.gpg
- https://packages.cloud.google.com/yum/doc/rpm-pkg-key.gpg
packages:
- desiredState: INSTALLED
manager: APT
name: add-apt-key
- desiredState: REMOVED
manager: YUM
name: ssl
- desiredState: UPDATED
manager: ANY
name: ansible-doc
recipes:
- name: latest-ansible
version: 1.0.0.1
artifacts:
- id: ansible
remote:
uri: https://releases.ansible.com/ansible-tower/setup/ansible-tower-setup-latest.tar.gz
allowInsecure: true
desiredState: INSTALLED
installSteps:
- fileCopy:
artifactId: ansible
destination: /installbackups/ansible
overwrite: true
permissions: "555"
- archiveExtraction:
destination: /var/ansible/
type: TAR_GZIP
artifactId: ansible
- name: prod-web-app
version: 2.5.27
artifacts:
- id: web-app
allowInsecure: false
gcs:
generation: 1829485032948520
object: latest/prod
bucketRef:
external: https://storage.googleapis.com/storage/v1/b/webapp
desiredState: UPDATED
installSteps:
- fileCopy:
overwrite: false
permissions: "777"
artifactId: web-app
destination: /installbackups/prod
- fileExec:
localPath: /installbackups/prod
allowedExitCodes:
- 0
args:
- prodcompile
updateSteps:
- fileCopy:
permissions: "755"
artifactId: web-app
destination: /installbackups/prod
- fileExec:
localPath: /installbackups/prod
allowedExitCodes:
- 0
- 4
args:
- updatecompile