AllowlistSynchronizer
AllowlistSynchronizer is a custom resource definition (CRD) that lets you install and synchronize allowlists for Google Kubernetes Engine (GKE) Autopilot partner workloads. To learn how to use this custom resource, see Run privileged workloads from GKE Autopilot partners.

apiVersion: cloud.google.com/v1
kind: AllowlistSynchronizer
metadata:
  name: example-allowlist-synchronizer
spec:
  allowlistPaths:
  - "example-partner/example-scanner/*"
  - "example-partner/example-logger/example-log-allowlist-1.1.7.yaml"
status:
  conditions:
  - type: Ready
    status: "False"
    reason: "SyncError"
    message: "some allowlists failed to sync: example-log-allowlist-1.1.7.yaml"
    lastTransitionTime: "2024-10-12T10:00:00Z"
    observedGeneration: 2
  managedAllowlistStatus:
    - filePath: "example-partner/example-scanner/example-scan-allowlist-1.0.0.yaml"
      generation: 1
      phase: Installed
      lastSuccessfulSync: "2024-10-10T10:00:00Z"
    - filePath: "example-partner/example-logger/example-log-allowlist-1.1.7.yaml"
      phase: Failed
      lastError: "Initial install failed: the contents of the allowlist are invalid"
      lastSuccessfulSync: "2024-10-08T10:00:00Z"
    - filePath: "example-partner/example-scanner/example-scan-allowlist-1.0.0.yaml"
      phase: Stale
      lastError: "Sync failed: the contents of the allowlist has been updated and is no longer valid."
      lastSuccessfulSync: "2024-10-08T10:00:00Z"
  lastSyncAttempt: "2024-10-12T10:00:00Z"

AllowlistSynchronizer specification

allowlistPaths: []string
Fields

allowlistPaths

required

string[]

A list of paths to specific files or to directories that contain allowlist files.

  • File: path/to/allowlist.yaml
  • Directory: path/to/allowlist/*

AllowlistSynchronizer status

conditions:
- type: string
  status: boolean
  reason: string
  message: string
  lastTransitionTime: string
  observedGeneration: int
managedAllowlistStatus:
- filePath: string
  generation: int
  phase: string
  lastSuccessfulSync: string
  lastError: string
lastSyncAttempt: string
Fields

conditions[]

object

List of status conditions for the AllowlistSynchronizer. CI/CD tooling can use this field to wait for the allowlist to install before deploying dependent workloads.
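The following script is an added example, not code from the GKE documentation or from Google. It implements the readiness gate this field is meant for: a pipeline step fetches the AllowlistSynchronizer object as JSON (for instance with `kubectl get allowlistsynchronizer NAME -o json`; the lowercase resource name is an assumption), and the script only reports "safe to deploy" when the Ready condition is True and its observedGeneration matches the object's current metadata.generation, so a Ready condition left over from an earlier spec is not trusted. It also lists every managed allowlist file whose phase is not Installed (Failed or Stale) with its lastError. The embedded sample object is constructed from the example on this page, with a metadata.generation of 2 added so the generation check can be shown.

```python
"""Readiness gate for an AllowlistSynchronizer object (added example)."""
import json
import sys

# Constructed sample: the status example from this page, plus a
# metadata.generation value (assumed) so the observedGeneration check is visible.
SAMPLE = {
    "apiVersion": "cloud.google.com/v1",
    "kind": "AllowlistSynchronizer",
    "metadata": {"name": "example-allowlist-synchronizer", "generation": 2},
    "spec": {"allowlistPaths": [
        "example-partner/example-scanner/*",
        "example-partner/example-logger/example-log-allowlist-1.1.7.yaml",
    ]},
    "status": {
        "conditions": [{
            "type": "Ready", "status": "False", "reason": "SyncError",
            "message": "some allowlists failed to sync: example-log-allowlist-1.1.7.yaml",
            "lastTransitionTime": "2024-10-12T10:00:00Z", "observedGeneration": 2,
        }],
        "managedAllowlistStatus": [
            {"filePath": "example-partner/example-scanner/example-scan-allowlist-1.0.0.yaml",
             "generation": 1, "phase": "Installed",
             "lastSuccessfulSync": "2024-10-10T10:00:00Z"},
            {"filePath": "example-partner/example-logger/example-log-allowlist-1.1.7.yaml",
             "phase": "Failed",
             "lastError": "Initial install failed: the contents of the allowlist are invalid",
             "lastSuccessfulSync": "2024-10-08T10:00:00Z"},
            {"filePath": "example-partner/example-scanner/example-scan-allowlist-1.0.0.yaml",
             "phase": "Stale",
             "lastError": "Sync failed: the contents of the allowlist has been updated and is no longer valid.",
             "lastSuccessfulSync": "2024-10-08T10:00:00Z"},
        ],
        "lastSyncAttempt": "2024-10-12T10:00:00Z",
    },
}


def ready_condition(obj):
    """Return the condition of type Ready, or None if it is not present yet."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return None


def is_ready(obj):
    """True only when Ready is True AND the condition reflects the current spec.

    Condition status is the string "True"/"False" as in the page's example.
    If observedGeneration is behind metadata.generation, the controller has not
    yet evaluated the latest allowlistPaths, so the condition is not trusted.
    """
    cond = ready_condition(obj)
    if cond is None or cond.get("status") != "True":
        return False
    observed = cond.get("observedGeneration")
    current = obj.get("metadata", {}).get("generation")
    return observed is not None and observed == current


def unhealthy_files(obj):
    """(filePath, phase, lastError) for every managed file not in phase Installed.

    Both Failed and Stale block deployment here: a Stale allowlist is installed
    but no longer matches the partner's published version.
    """
    out = []
    for entry in obj.get("status", {}).get("managedAllowlistStatus", []):
        if entry.get("phase") != "Installed":
            out.append((entry.get("filePath"), entry.get("phase"), entry.get("lastError", "")))
    return out


def main():
    # `--sample` runs against the embedded object; otherwise read JSON from stdin,
    # e.g.  kubectl get allowlistsynchronizer NAME -o json | python3 gate.py
    obj = SAMPLE if "--sample" in sys.argv else json.load(sys.stdin)
    cond = ready_condition(obj) or {}
    print(f"Ready={cond.get('status')} reason={cond.get('reason')} "
          f"observedGeneration={cond.get('observedGeneration')} "
          f"generation={obj.get('metadata', {}).get('generation')}")
    for path, phase, err in unhealthy_files(obj):
        print(f"  {phase:<9} {path}: {err}")
    if is_ready(obj) and not unhealthy_files(obj):
        print("allowlists ready: safe to deploy dependent workloads")
        return 0
    print("allowlists not ready: blocking deployment")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

A pipeline would loop on this check (or on `kubectl wait --for=condition=Ready`) with a timeout; the generation comparison is what makes the loop safe to run immediately after editing allowlistPaths, because until the controller observes the new generation the old Ready condition still says True.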

conditions.type

string

Condition type. The only value is Ready; the condition's status reports whether the most recent sync attempt was successful.

conditions.status

boolean

Condition status:

  • True: allowlists are installed and up to date.
  • False: allowlists are not installed or are out of date.

conditions.reason

string

Short description of the condition's status.

conditions.message

string

Detailed description of the condition's status.

conditions.lastTransitionTime

string

Timestamp of the most recent status change.

conditions.observedGeneration

int

The current version of the AllowlistSynchronizer object.

managedAllowlistStatus[]

object

Array that tracks the status of each allowlist file that the AllowlistSynchronizer is managing.

managedAllowlistStatus.filePath

string

The fully-qualified resource name of the allowlist file.

managedAllowlistStatus.generation

int

The current version of the allowlist file in the cluster.

managedAllowlistStatus.phase

string

The current state of the allowlist file.

  • Installed: the allowlist file is installed in the cluster and is up-to-date with the remote version.
  • Failed: the allowlist file failed to install.
  • Stale: the allowlist file is installed in the cluster, but is out of date with the remote version.

managedAllowlistStatus.lastSuccessfulSync

string

Timestamp of the most recent successful synchronization of the allowlist file.

managedAllowlistStatus.lastError

string

The most recent error message. This field isn't displayed if no errors occurred.

lastSyncAttempt

string

The timestamp of the last change to the conditions field.