- Resource: Feature
- FeatureResourceState
- FeatureResourceState.State
- CommonFeatureSpec
- FeatureSpec
- FeatureSpec
- LoggingConfig
- RoutingConfig
- RoutingConfig.Mode
- FleetSpec
- PostConditions
- GKEUpgradeOverride
- GKEUpgrade
- FeatureSpec
- MembershipFeatureSpec
- MembershipSpec
- ConfigSync
- GitConfig
- OciConfig
- PolicyController
- PolicyControllerMonitoring
- PolicyControllerMonitoring.MonitoringBackend
- HierarchyControllerConfig
- MembershipSpec.Management
- MembershipSpec
- MembershipSpec.AuthMethod
- MembershipSpec.AuthMethod.OidcConfig
- MembershipSpec.AuthMethod.AzureADConfig
- MembershipSpec.AuthMethod.GoogleConfig
- MembershipSpec.AuthMethod.SamlConfig
- MembershipSpec.AuthMethod.LdapConfig
- MembershipSpec.AuthMethod.LdapConfig.ServerConfig
- MembershipSpec.AuthMethod.LdapConfig.UserConfig
- MembershipSpec.AuthMethod.LdapConfig.GroupConfig
- MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig
- MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials
- MembershipSpec.IdentityServiceOptions
- MembershipSpec.IdentityServiceOptions.DiagnosticInterface
- MembershipSpec
- MembershipSpec.ControlPlaneManagement
- MembershipSpec.Management
- MembershipSpec.ConfigApi
- MembershipSpec
- HubConfig
- HubConfig.InstallSpec
- MonitoringConfig
- MonitoringConfig.MonitoringBackend
- PolicyContentSpec
- BundleInstallSpec
- TemplateLibraryConfig
- TemplateLibraryConfig.Installation
- PolicyControllerDeploymentConfig
- ResourceRequirements
- ResourceList
- PolicyControllerDeploymentConfig.Toleration
- PolicyControllerDeploymentConfig.Affinity
- MembershipSpec
- MembershipFeatureSpec.Origin
- MembershipFeatureSpec.Origin.Type
- CommonFeatureState
- FeatureState
- FleetObservabilityLoggingState
- FleetObservabilityBaseFeatureState
- FleetObservabilityBaseFeatureState.Code
- FleetObservabilityBaseFeatureState.FeatureError
- FleetObservabilityMonitoringState
- FleetState
- IgnoredMembership
- GKEUpgradeFeatureState
- GKEUpgradeState
- UpgradeStatus
- UpgradeStatus.Code
- GKEUpgradeFeatureCondition
- FeatureState
- FeatureState.Code
- MembershipFeatureState
- MembershipState
- MembershipState.ControlPlaneManagement
- StatusDetails
- MembershipState.LifecycleState
- MembershipState.ControlPlaneManagement.Implementation
- MembershipState.DataPlaneManagement
- MembershipState.Condition
- MembershipState.Condition.Code
- MembershipState.Condition.Severity
- MembershipState
- OperatorState
- DeploymentState
- InstallError
- ConfigSyncState
- ConfigSyncVersion
- ConfigSyncDeploymentState
- SyncState
- SyncState.SyncCode
- SyncError
- ErrorResource
- GroupVersionKind
- ConfigSyncError
- ConfigSyncState.CRDState
- ConfigSyncState.State
- ConfigSyncState.StopSyncingState
- PolicyControllerState
- PolicyControllerVersion
- GatekeeperDeploymentState
- PolicyControllerMigration
- PolicyControllerMigration.Stage
- HierarchyControllerState
- HierarchyControllerVersion
- HierarchyControllerDeploymentState
- MembershipState
- MembershipState.DeploymentState
- MembershipState
- OnClusterState
- MembershipState.LifecycleState
- PolicyContentState
- MembershipState
- MembershipGKEUpgradeState
- MembershipState
- CommonFleetDefaultMemberConfigSpec
- ScopeFeatureSpec
- ScopeFeatureState
- Methods
Resource: Feature
Feature represents the settings and status of any Fleet Feature.
| JSON representation |
|---|
{ "name": string, "labels": { string: string, ... }, "resourceState": { object ( |
| Fields | |
|---|---|
name |
Output only. The full, unique name of this Feature resource in the format |
labels |
Labels for this Feature. An object containing a list of |
resource |
Output only. State of the Feature resource itself. |
spec |
Optional. Fleet-wide Feature configuration. If this Feature does not support any Fleet-wide configuration, this field may be unused. |
membership |
Optional. Membership-specific configuration for this Feature. If this Feature does not support any per-Membership configuration, this field may be unused. The keys indicate which Membership the configuration is for, in the form:
Where {p} is the project, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} WILL match the Feature's project. {p} will always be returned as the project number, but the project ID is also accepted during input. If the same Membership is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature. An object containing a list of |
state |
Output only. The Fleet-wide Feature state. |
membership |
Output only. Membership-specific Feature status. If this Feature does report any per-Membership status, this field may be unused. The keys indicate which Membership the state is for, in the form:
Where {p} is the project number, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} MUST match the Feature's project number. An object containing a list of |
create |
Output only. When the Feature resource was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
update |
Output only. When the Feature resource was last updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
delete |
Output only. When the Feature resource was deleted. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
fleet |
Optional. Feature configuration applicable to all memberships of the fleet. |
scope |
Optional. Scope-specific configuration for this Feature. If this Feature does not support any per-Scope configuration, this field may be unused. The keys indicate which Scope the configuration is for, in the form:
Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project. {p} will always be returned as the project number, but the project ID is also accepted during input. If the same Scope is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature. An object containing a list of |
scope |
Output only. Scope-specific Feature status. If this Feature does report any per-Scope status, this field may be unused. The keys indicate which Scope the state is for, in the form:
Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project. An object containing a list of |
unreachable[] |
Output only. List of locations that could not be reached while fetching this feature. |
FeatureResourceState
FeatureResourceState describes the state of a Feature resource in the GkeHub API. See FeatureState for the "running state" of the Feature in the Fleet and across Memberships.
| JSON representation |
|---|
{
"state": enum ( |
| Fields | |
|---|---|
state |
The current state of the Feature resource in the Hub API. |
FeatureResourceState.State
State describes the lifecycle status of a Feature.
| Enums | |
|---|---|
STATE_UNSPECIFIED |
State is unknown or not set. |
ENABLING |
The Feature is being enabled, and the Feature resource is being created. Once complete, the corresponding Feature will be enabled in this Fleet. |
ACTIVE |
The Feature is enabled in this Fleet, and the Feature resource is fully available. |
DISABLING |
The Feature is being disabled in this Fleet, and the Feature resource is being deleted. |
UPDATING |
The Feature resource is being updated. |
SERVICE_UPDATING |
The Feature resource is being updated by the Hub Service. |
CommonFeatureSpec
CommonFeatureSpec contains Fleet-wide configuration information
| JSON representation |
|---|
{ // Union field |
| Fields | |
|---|---|
Union field
|
|
multiclusteringress |
Multicluster Ingress-specific spec. |
appdevexperience |
Appdevexperience specific spec. |
fleetobservability |
FleetObservability feature spec. |
clusterupgrade |
ClusterUpgrade (fleet-based) feature spec. |
dataplanev2 |
DataplaneV2 feature spec. |
FeatureSpec
Multi-cluster Ingress: The configuration for the MultiClusterIngress feature.
| JSON representation |
|---|
{ "configMembership": string } |
| Fields | |
|---|---|
config |
Fully-qualified Membership name which hosts the MultiClusterIngress CRD. Example: |
FeatureSpec
Fleet Observability: The Hub-wide input for the FleetObservability feature.
| JSON representation |
|---|
{
"loggingConfig": {
object ( |
| Fields | |
|---|---|
logging |
Specified if fleet logging feature is enabled for the entire fleet. If UNSPECIFIED, fleet logging feature is disabled for the entire fleet. |
LoggingConfig
LoggingConfig defines the configuration for different types of logs.
| JSON representation |
|---|
{ "defaultConfig": { object ( |
| Fields | |
|---|---|
default |
Specified if applying the default routing config to logs not specified in other configs. |
fleet |
Specified if applying the routing config to all logs for all fleet scopes. |
RoutingConfig
RoutingConfig configures the behaviour of fleet logging feature.
| JSON representation |
|---|
{
"mode": enum ( |
| Fields | |
|---|---|
mode |
mode configures the logs routing mode. |
RoutingConfig.Mode
Specified if fleet logging feature is enabled.
| Enums | |
|---|---|
MODE_UNSPECIFIED |
If UNSPECIFIED, fleet logging feature is disabled. |
COPY |
logs will be copied to the destination project. |
MOVE |
logs will be moved to the destination project. |
FleetSpec
ClusterUpgrade: The configuration for the fleet-level ClusterUpgrade feature.
| JSON representation |
|---|
{ "upstreamFleets": [ string ], "postConditions": { object ( |
| Fields | |
|---|---|
upstream |
This fleet consumes upgrades that have COMPLETE status code in the upstream fleets. See UpgradeStatus.Code for code definitions. The fleet name should be either fleet project number or id. This is defined as repeated for future proof reasons. Initial implementation will enforce at most one upstream fleet. |
post |
Required. Post conditions to evaluate to mark an upgrade COMPLETE. Required. |
gke |
Allow users to override some properties of each GKE upgrade. |
PostConditions
Post conditional checks after an upgrade has been applied on all eligible clusters.
| JSON representation |
|---|
{ "soaking": string } |
| Fields | |
|---|---|
soaking |
Required. Amount of time to "soak" after a rollout has been finished before marking it COMPLETE. Cannot exceed 30 days. Required. A duration in seconds with up to nine fractional digits, ending with ' |
GKEUpgradeOverride
Properties of a GKE upgrade that can be overridden by the user. For example, a user can skip soaking by overriding the soaking to 0.
| JSON representation |
|---|
{ "upgrade": { object ( |
| Fields | |
|---|---|
upgrade |
Required. Which upgrade to override. Required. |
post |
Required. Post conditions to override for the specified upgrade (name + version). Required. |
GKEUpgrade
GKEUpgrade represents a GKE provided upgrade, e.g., control plane upgrade.
| JSON representation |
|---|
{ "name": string, "version": string } |
| Fields | |
|---|---|
name |
Name of the upgrade, e.g., "k8s_control_plane". It should be a valid upgrade name. It must not exceet 99 characters. |
version |
Version of the upgrade, e.g., "1.22.1-gke.100". It should be a valid version. It must not exceet 99 characters. |
FeatureSpec
Dataplane V2: Spec
| JSON representation |
|---|
{ "enableEncryption": boolean } |
| Fields | |
|---|---|
enable |
Enable dataplane-v2 based encryption for multiple clusters. |
MembershipFeatureSpec
MembershipFeatureSpec contains configuration information for a single Membership.
| JSON representation |
|---|
{ "origin": { object ( |
| Fields | |
|---|---|
origin |
Whether this per-Membership spec was inherited from a fleet-level default. This field can be updated by users by either overriding a Membership config (updated to USER implicitly) or setting to FLEET explicitly. |
Union field
|
|
configmanagement |
Config Management-specific spec. |
identityservice |
Identity Service-specific spec. |
mesh |
Anthos Service Mesh-specific spec |
policycontroller |
Policy Controller spec. |
fleetobservability |
Fleet observability membership spec |
MembershipSpec
Anthos Config Management: Configuration for a single cluster. Intended to parallel the ConfigManagement CR.
| JSON representation |
|---|
{ "configSync": { object ( |
| Fields | |
|---|---|
config |
Config Sync configuration for the cluster. |
policy |
Policy Controller configuration for the cluster. Deprecated: Configuring Policy Controller through the configmanagement feature is no longer recommended. Use the policycontroller feature instead. |
hierarchy |
Hierarchy Controller configuration for the cluster. Deprecated: Configuring Hierarchy Controller through the configmanagement feature is no longer recommended. Use https://github.com/kubernetes-sigs/hierarchical-namespaces instead. |
version |
Version of ACM installed. |
cluster |
The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. |
management |
Enables automatic Feature management. |
ConfigSync
Configuration for Config Sync
| JSON representation |
|---|
{ "git": { object ( |
| Fields | |
|---|---|
git |
Git repo configuration for the cluster. |
source |
Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode. |
prevent |
Set to true to enable the Config Sync admission webhook to prevent drifts. If set to |
oci |
OCI repo configuration for the cluster |
allowVerticalScale |
Set to true to allow the vertical scaling. Defaults to false which disallows vertical scaling. This field is deprecated. |
metricsGcpServiceAccountEmail |
The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount |
stop |
Set to true to stop syncing configs for a single cluster. Default to false. |
enabled |
Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if exist. If set to false, all other ConfigSync fields will be ignored, ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depends on the presence of the git or oci field. |
GitConfig
Git repo configuration for a single cluster.
| JSON representation |
|---|
{ "syncRepo": string, "syncBranch": string, "policyDir": string, "syncWaitSecs": string, "syncRev": string, "secretType": string, "httpsProxy": string, "gcpServiceAccountEmail": string } |
| Fields | |
|---|---|
sync |
The URL of the Git repository to use as the source of truth. |
sync |
The branch of the repository to sync from. Default: master. |
policy |
The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository. |
sync |
Period in seconds between consecutive syncs. Default: 15. |
sync |
Git revision (tag or hash) to check out. Default HEAD. |
secret |
Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. The validation of this is case-sensitive. Required. |
https |
URL for the HTTPS proxy to be used when communicating with the Git repo. |
gcp |
The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount. |
OciConfig
OCI repo configuration for a single cluster
| JSON representation |
|---|
{ "syncRepo": string, "policyDir": string, "syncWaitSecs": string, "secretType": string, "gcpServiceAccountEmail": string } |
| Fields | |
|---|---|
sync |
The OCI image repository URL for the package to sync from. e.g. |
policy |
The absolute path of the directory that contains the local resources. Default: the root directory of the image. |
sync |
Period in seconds between consecutive syncs. Default: 15. |
secret |
Type of secret configured for access to the Git repo. |
gcp |
The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount. |
PolicyController
Configuration for Policy Controller
| JSON representation |
|---|
{
"enabled": boolean,
"exemptableNamespaces": [
string
],
"referentialRulesEnabled": boolean,
"logDeniesEnabled": boolean,
"mutationEnabled": boolean,
"monitoring": {
object ( |
| Fields | |
|---|---|
enabled |
Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect. |
exemptable |
The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. |
referential |
Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated. |
log |
Logs all denies and dry run failures. |
mutation |
Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster. |
monitoring |
Monitoring specifies the configuration of monitoring. |
update |
Output only. Last time this membership spec was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
template |
Installs the default template library along with Policy Controller. |
audit |
Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. |
PolicyControllerMonitoring
PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]
| JSON representation |
|---|
{
"backends": [
enum ( |
| Fields | |
|---|---|
backends[] |
Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. |
PolicyControllerMonitoring.MonitoringBackend
Supported backend options for monitoring
| Enums | |
|---|---|
MONITORING_BACKEND_UNSPECIFIED |
Backend cannot be determined |
PROMETHEUS |
Prometheus backend for monitoring |
CLOUD_MONITORING |
Stackdriver/Cloud Monitoring backend for monitoring |
HierarchyControllerConfig
Configuration for Hierarchy Controller
| JSON representation |
|---|
{ "enabled": boolean, "enablePodTreeLabels": boolean, "enableHierarchicalResourceQuota": boolean } |
| Fields | |
|---|---|
enabled |
Whether Hierarchy Controller is enabled in this cluster. |
enable |
Whether pod tree labels are enabled in this cluster. |
enable |
Whether hierarchical resource quota is enabled in this cluster. |
MembershipSpec.Management
Whether to automatically manage the Feature.
| Enums | |
|---|---|
MANAGEMENT_UNSPECIFIED |
Unspecified |
MANAGEMENT_AUTOMATIC |
Google will manage the Feature for the cluster. |
MANAGEMENT_MANUAL |
User will manually manage the Feature for the cluster. |
MembershipSpec
Anthos Identity Service: Configuration for a single Membership.
| JSON representation |
|---|
{ "authMethods": [ { object ( |
| Fields | |
|---|---|
auth |
A member may support multiple auth methods. |
identity |
Optional. non-protocol-related configuration options. |
MembershipSpec.AuthMethod
Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC and LDAP) can be set per AuthMethod.
| JSON representation |
|---|
{ "name": string, "proxy": string, // Union field |
| Fields | |
|---|---|
name |
Identifier for auth config. |
proxy |
Proxy server address to use for auth method. |
Union field auth_config. supported auth configurations. auth_config can be only one of the following: |
|
oidc |
OIDC specific configuration. |
azuread |
AzureAD specific Configuration. |
google |
GoogleConfig specific configuration. |
saml |
SAML specific configuration. |
ldap |
LDAP specific configuration. |
MembershipSpec.AuthMethod.OidcConfig
Configuration for OIDC Auth flow.
| JSON representation |
|---|
{ "clientId": string, "certificateAuthorityData": string, "issuerUri": string, "kubectlRedirectUri": string, "scopes": string, "extraParams": string, "userClaim": string, "userPrefix": string, "groupsClaim": string, "groupPrefix": string, "deployCloudConsoleProxy": boolean, "clientSecret": string, "encryptedClientSecret": string, "enableAccessToken": boolean } |
| Fields | |
|---|---|
client |
ID for OIDC client application. |
certificate |
PEM-encoded CA for OIDC provider. |
issuer |
URI for the OIDC provider. This should point to the level below .well-known/openid-configuration. |
kubectl |
Registered redirect uri to redirect users going through OAuth flow using kubectl plugin. |
scopes |
Comma-separated list of identifiers. |
extra |
Comma-separated list of key-value pairs. |
user |
Claim in OIDC ID token that holds username. |
user |
Prefix to prepend to user name. |
groups |
Claim in OIDC ID token that holds group information. |
group |
Prefix to prepend to group name. |
deploy |
Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console. |
client |
Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH. |
encrypted |
Output only. Encrypted OIDC Client secret A base64-encoded string. |
enable |
Enable access token. |
MembershipSpec.AuthMethod.AzureADConfig
Configuration for the AzureAD Auth flow.
| JSON representation |
|---|
{ "clientId": string, "tenant": string, "kubectlRedirectUri": string, "clientSecret": string, "encryptedClientSecret": string, "userClaim": string, "groupFormat": string } |
| Fields | |
|---|---|
client |
ID for the registered client application that makes authentication requests to the Azure AD identity provider. |
tenant |
Kind of Azure AD account to be authenticated. Supported values are |
kubectl |
The redirect URL that kubectl uses for authorization. |
client |
Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH. |
encrypted |
Output only. Encrypted AzureAD client secret. A base64-encoded string. |
user |
Optional. Claim in the AzureAD ID Token that holds the user details. |
group |
Optional. Format of the AzureAD groups that the client wants for auth. |
MembershipSpec.AuthMethod.GoogleConfig
Configuration for the Google Plugin Auth flow.
| JSON representation |
|---|
{ "disable": boolean } |
| Fields | |
|---|---|
disable |
Disable automatic configuration of Google Plugin on supported platforms. |
MembershipSpec.AuthMethod.SamlConfig
Configuration for the SAML Auth flow.
| JSON representation |
|---|
{ "identityProviderId": string, "identityProviderSsoUri": string, "identityProviderCertificates": [ string ], "userAttribute": string, "groupsAttribute": string, "userPrefix": string, "groupPrefix": string, "attributeMapping": { string: string, ... } } |
| Fields | |
|---|---|
identity |
Required. The entity ID of the SAML IdP. |
identity |
Required. The URI where the SAML IdP exposes the SSO service. |
identity |
Required. The list of IdP certificates to validate the SAML response against. |
user |
Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the |
groups |
Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the |
user |
Optional. Prefix to prepend to user name. |
group |
Optional. Prefix to prepend to group name. |
attribute |
Optional. The mapping of additional user attributes like nickname, birthday and address etc.. An object containing a list of |
MembershipSpec.AuthMethod.LdapConfig
Configuration for the LDAP Auth flow.
| JSON representation |
|---|
{ "server": { object ( |
| Fields | |
|---|---|
server |
Required. Server settings for the external LDAP server. |
user |
Required. Defines where users exist in the LDAP directory. |
group |
Optional. Contains the properties for locating and authenticating groups in the directory. |
service |
Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. |
MembershipSpec.AuthMethod.LdapConfig.ServerConfig
Server settings for the external LDAP server.
| JSON representation |
|---|
{ "host": string, "connectionType": string, "certificateAuthorityData": string } |
| Fields | |
|---|---|
host |
Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". |
connection |
Optional. Defines the connection type to communicate with the LDAP server. If |
certificate |
Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. A base64-encoded string. |
MembershipSpec.AuthMethod.LdapConfig.UserConfig
Defines where users exist in the LDAP directory.
| JSON representation |
|---|
{ "baseDn": string, "loginAttribute": string, "idAttribute": string, "filter": string } |
| Fields | |
|---|---|
base |
Required. The location of the subtree in the LDAP directory to search for user entries. |
login |
Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "( |
id |
Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". |
filter |
Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". |
MembershipSpec.AuthMethod.LdapConfig.GroupConfig
Contains the properties for locating and authenticating groups in the directory.
| JSON representation |
|---|
{ "baseDn": string, "idAttribute": string, "filter": string } |
| Fields | |
|---|---|
base |
Required. The location of the subtree in the LDAP directory to search for group entries. |
id |
Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". |
filter |
Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". |
MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig
Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.
| JSON representation |
|---|
{ // Union field |
| Fields | |
|---|---|
Union field authentication_mechanism. Guarantees that the user supplies one authentication mechanism at a time. authentication_mechanism can be only one of the following: |
|
simple |
Credentials for basic auth. |
MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials
The structure holds the LDAP simple binding credential.
| JSON representation |
|---|
{ "dn": string, "password": string, "encryptedPassword": string } |
| Fields | |
|---|---|
dn |
Required. The distinguished name(DN) of the service account object/user. |
password |
Required. Input only. The password of the service account object/user. |
encrypted |
Output only. The encrypted password of the service account object/user. A base64-encoded string. |
MembershipSpec.IdentityServiceOptions
Holds non-protocol-related configuration options.
| JSON representation |
|---|
{
"sessionDuration": string,
"diagnosticInterface": {
object ( |
| Fields | |
|---|---|
session |
Determines the lifespan of STS tokens issued by Anthos Identity Service. A duration in seconds with up to nine fractional digits, ending with ' |
diagnostic |
Configuration options for the AIS diagnostic interface. |
MembershipSpec.IdentityServiceOptions.DiagnosticInterface
Configuration options for the AIS diagnostic interface.
| JSON representation |
|---|
{ "enabled": boolean, "expirationTime": string } |
| Fields | |
|---|---|
enabled |
Determines whether to enable the diagnostic interface. |
expiration |
Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
MembershipSpec
Service Mesh: Spec for a single Membership for the servicemesh feature
| JSON representation |
|---|
{ "controlPlane": enum ( |
| Fields | |
|---|---|
controlPlane |
Deprecated: use |
management |
Optional. Enables automatic Service Mesh management. |
config |
Optional. Specifies the API that will be used for configuring the mesh workloads. |
MembershipSpec.ControlPlaneManagement
Whether to automatically manage Service Mesh control planes.
| Enums | |
|---|---|
CONTROL_PLANE_MANAGEMENT_UNSPECIFIED |
Unspecified |
AUTOMATIC |
Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install. |
MANUAL |
User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API) |
MembershipSpec.Management
Whether to automatically manage Service Mesh.
| Enums | |
|---|---|
MANAGEMENT_UNSPECIFIED |
Unspecified |
MANAGEMENT_AUTOMATIC |
Google should manage my Service Mesh for the cluster. |
MANAGEMENT_MANUAL |
User will manually configure their service mesh components. |
MembershipSpec.ConfigApi
Specifies the API that will be used for configuring the mesh workloads.
| Enums | |
|---|---|
CONFIG_API_UNSPECIFIED |
Unspecified |
CONFIG_API_ISTIO |
Use the Istio API for configuration. |
CONFIG_API_GATEWAY |
Use the K8s Gateway API for configuration. |
MembershipSpec
Policy Controller: Configuration for a single cluster. Intended to parallel the PolicyController CR.
| JSON representation |
|---|
{
"policyControllerHubConfig": {
object ( |
| Fields | |
|---|---|
policy |
Policy Controller configuration for the cluster. |
version |
Version of Policy Controller installed. |
HubConfig
Configuration for Policy Controller
| JSON representation |
|---|
{ "installSpec": enum ( |
| Fields | |
|---|---|
install |
The installSpec represents the intended state specified by the latest request that mutated installSpec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state. |
exemptable |
The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. |
referential |
Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated. |
log |
Logs all denies and dry run failures. |
mutation |
Enables the ability to mutate resources using Policy Controller. |
deployment |
Map of deployment configs to deployments ("admission", "audit", "mutation'). An object containing a list of |
audit |
Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. |
monitoring |
Monitoring specifies the configuration of monitoring. |
policy |
Specifies the desired policy content on the cluster |
constraint |
The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used. |
HubConfig.InstallSpec
The set of installation specs that the Hub Feature controller may actuate.
| Enums | |
|---|---|
INSTALL_SPEC_UNSPECIFIED |
Spec is unknown. |
INSTALL_SPEC_NOT_INSTALLED |
Request to uninstall Policy Controller. |
INSTALL_SPEC_ENABLED |
Request to install and enable Policy Controller. |
INSTALL_SPEC_SUSPENDED |
Request to suspend Policy Controller i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended. |
INSTALL_SPEC_DETACHED |
Request to stop all reconciliation actions by PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources. |
MonitoringConfig
MonitoringConfig specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]
| JSON representation |
|---|
{
"backends": [
enum ( |
| Fields | |
|---|---|
backends[] |
Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. |
MonitoringConfig.MonitoringBackend
Supported backend options for monitoring
| Enums | |
|---|---|
MONITORING_BACKEND_UNSPECIFIED |
Backend cannot be determined |
PROMETHEUS |
Prometheus backend for monitoring |
CLOUD_MONITORING |
Stackdriver/Cloud Monitoring backend for monitoring |
PolicyContentSpec
PolicyContentSpec defines the user's desired content configuration on the cluster.
| JSON representation |
|---|
{ "bundles": { string: { object ( |
| Fields | |
|---|---|
bundles |
map of bundle name to BundleInstallSpec. The bundle name maps to the An object containing a list of |
template |
Configures the installation of the Template Library. |
BundleInstallSpec
BundleInstallSpec is the specification configuration for a single managed bundle.
| JSON representation |
|---|
{ "exemptedNamespaces": [ string ] } |
| Fields | |
|---|---|
exempted |
The set of namespaces to be exempted from the bundle. |
TemplateLibraryConfig
The config specifying which default library templates to install.
| JSON representation |
|---|
{
"installation": enum ( |
| Fields | |
|---|---|
installation |
Configures the manner in which the template library is installed on the cluster. |
TemplateLibraryConfig.Installation
How the template library should be installed
| Enums | |
|---|---|
INSTALLATION_UNSPECIFIED |
No installation strategy has been specified. |
NOT_INSTALLED |
Do not install the template library. |
ALL |
Install the entire template library. |
PolicyControllerDeploymentConfig
Deployment-specific configuration.
| JSON representation |
|---|
{ "podTolerations": [ { object ( |
| Fields | |
|---|---|
pod |
Pod tolerations of node taints. |
pod |
Pod affinity configuration. |
replica |
Pod replica count. |
container |
Container resource requirements. |
podAntiAffinity |
Pod anti-affinity enablement. Deprecated: use |
ResourceRequirements
ResourceRequirements describes the compute resource requirements.
| JSON representation |
|---|
{ "limits": { object ( |
| Fields | |
|---|---|
limits |
Limits describes the maximum amount of compute resources allowed for use by the running container. |
requests |
Requests describes the amount of compute resources reserved for the container by the kube-scheduler. |
ResourceList
ResourceList contains container resource requirements.
| JSON representation |
|---|
{ "memory": string, "cpu": string } |
| Fields | |
|---|---|
memory |
Memory requirement expressed in Kubernetes resource units. |
cpu |
CPU requirement expressed in Kubernetes resource units. |
PolicyControllerDeploymentConfig.Toleration
Toleration of a node taint.
| JSON representation |
|---|
{ "key": string, "operator": string, "value": string, "effect": string } |
| Fields | |
|---|---|
key |
Matches a taint key (not necessarily unique). |
operator |
Matches a taint operator. |
value |
Matches a taint value. |
effect |
Matches a taint effect. |
PolicyControllerDeploymentConfig.Affinity
The pod affinity configuration used by a deployment.
| Enums | |
|---|---|
AFFINITY_UNSPECIFIED |
No affinity configuration has been specified. |
NO_AFFINITY |
Affinity configurations will be removed from the deployment. |
ANTI_AFFINITY |
Anti-affinity configuration will be applied to this deployment. Default for admissions deployment. |
MembershipSpec
This type has no fields.
FleetObservability: The membership-specific input for FleetObservability feature.
MembershipFeatureSpec.Origin
Origin defines where this MembershipFeatureSpec originated from.
| JSON representation |
|---|
{
"type": enum ( |
| Fields | |
|---|---|
type |
Type specifies which type of origin is set. |
MembershipFeatureSpec.Origin.Type
Type specifies the persona that persisted the config.
| Enums | |
|---|---|
TYPE_UNSPECIFIED |
Type is unknown or not set. |
FLEET |
Per-Membership spec was inherited from the fleet-level default. |
FLEET_OUT_OF_SYNC |
Per-Membership spec was inherited from the fleet-level default but is now out of sync with the current default. |
USER |
Per-Membership spec was inherited from a user specification. |
CommonFeatureState
CommonFeatureState contains Fleet-wide Feature status information.
| JSON representation |
|---|
{ "state": { object ( |
| Fields | |
|---|---|
state |
Output only. The "running state" of the Feature in this Fleet. |
Union field
|
|
appdevexperience |
Appdevexperience specific state. |
fleetobservability |
FleetObservability feature state. |
clusterupgrade |
ClusterUpgrade fleet-level state. |
FeatureState
FleetObservability: Hub-wide Feature for FleetObservability feature. state.
| JSON representation |
|---|
{ "logging": { object ( |
| Fields | |
|---|---|
logging |
The feature state of default logging. |
monitoring |
The feature state of fleet monitoring. |
FleetObservabilityLoggingState
Feature state for logging feature.
| JSON representation |
|---|
{ "defaultLog": { object ( |
| Fields | |
|---|---|
default |
The base feature state of fleet default log. |
scope |
The base feature state of fleet scope log. |
FleetObservabilityBaseFeatureState
Base state for fleet observability feature.
| JSON representation |
|---|
{ "code": enum ( |
| Fields | |
|---|---|
code |
The high-level, machine-readable status of this Feature. |
errors[] |
Errors after reconciling the monitoring and logging feature if the code is not OK. |
FleetObservabilityBaseFeatureState.Code
Code represents a machine-readable, high-level status of the Feature.
| Enums | |
|---|---|
CODE_UNSPECIFIED |
Unknown or not set. |
OK |
The Feature is operating normally. |
ERROR |
The Feature is encountering errors in the reconciliation. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information. |
FleetObservabilityBaseFeatureState.FeatureError
All error details of the fleet observability feature.
| JSON representation |
|---|
{ "code": string, "description": string } |
| Fields | |
|---|---|
code |
The code of the error. |
description |
A human-readable description of the current status. |
FleetObservabilityMonitoringState
Feature state for monitoring feature.
| JSON representation |
|---|
{
"state": {
object ( |
| Fields | |
|---|---|
state |
The base feature state of fleet monitoring feature. |
FleetState
ClusterUpgrade: The state for the fleet-level ClusterUpgrade feature.
| JSON representation |
|---|
{ "downstreamFleets": [ string ], "ignored": { string: { object ( |
| Fields | |
|---|---|
downstream |
This fleets whose upstreamFleets contain the current fleet. The fleet name should be either fleet project number or id. |
ignored |
A list of memberships ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of its release channel. The membership resource is in the format: An object containing a list of |
gke |
Feature state for GKE clusters. |
IgnoredMembership
IgnoredMembership represents a membership ignored by the feature. A membership can be ignored because it was manually upgraded to a newer version than RC default.
| JSON representation |
|---|
{ "reason": string, "ignoredTime": string } |
| Fields | |
|---|---|
reason |
Reason why the membership is ignored. |
ignored |
Time when the membership was first set to ignored. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
GKEUpgradeFeatureState
GKEUpgradeFeatureState contains feature states for GKE clusters in the scope.
| JSON representation |
|---|
{ "upgradeState": [ { object ( |
| Fields | |
|---|---|
upgrade |
Upgrade state. It will eventually replace |
conditions[] |
Current conditions of the feature. |
GKEUpgradeState
GKEUpgradeState is a GKEUpgrade and its state at the scope and fleet level.
| JSON representation |
|---|
{ "stats": { string: string, ... }, "upgrade": { object ( |
| Fields | |
|---|---|
stats |
Number of GKE clusters in each status code. An object containing a list of |
upgrade |
Which upgrade to track the state. |
status |
Status of the upgrade. |
UpgradeStatus
UpgradeStatus provides status information for each upgrade.
| JSON representation |
|---|
{
"code": enum ( |
| Fields | |
|---|---|
code |
Status code of the upgrade. |
reason |
Reason for this status. |
update |
Last timestamp the status was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
UpgradeStatus.Code
Status code of an upgrade.
| Enums | |
|---|---|
CODE_UNSPECIFIED |
Required by https://linter.aip.dev/126/unspecified. |
INELIGIBLE |
The upgrade is ineligible. At the scope level, this means the upgrade is ineligible for all the clusters in the scope. |
PENDING |
The upgrade is pending. At the scope level, this means the upgrade is pending for all the clusters in the scope. |
IN_PROGRESS |
The upgrade is in progress. At the scope level, this means the upgrade is in progress for at least one cluster in the scope. |
SOAKING |
The upgrade has finished and is soaking until the soaking time is up. At the scope level, this means at least one cluster is in soaking while the rest are either soaking or complete. |
FORCED_SOAKING |
A cluster will be forced to enter soaking if an upgrade doesn't finish within a certain limit, despite it's actual status. |
COMPLETE |
The upgrade has passed all post conditions (soaking). At the scope level, this means all eligible clusters are in COMPLETE status. |
GKEUpgradeFeatureCondition
GKEUpgradeFeatureCondition describes the condition of the feature for GKE clusters at a certain point of time.
| JSON representation |
|---|
{ "type": string, "status": string, "reason": string, "updateTime": string } |
| Fields | |
|---|---|
type |
Type of the condition, for example, "ready". |
status |
Status of the condition, one of True, False, Unknown. |
reason |
Reason why the feature is in this status. |
update |
Last timestamp the condition was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
FeatureState
FeatureState describes the high-level state of a Feature. It may be used to describe a Feature's state at the environ-level, or per-membershop, depending on the context.
| JSON representation |
|---|
{
"code": enum ( |
| Fields | |
|---|---|
code |
The high-level, machine-readable status of this Feature. |
description |
A human-readable description of the current status. |
update |
The time this status and any related Feature-specific details were updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
FeatureState.Code
Code represents a machine-readable, high-level status of the Feature.
| Enums | |
|---|---|
CODE_UNSPECIFIED |
Unknown or not set. |
OK |
The Feature is operating normally. |
WARNING |
The Feature has encountered an issue, and is operating in a degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information. |
ERROR |
The Feature is not operating or is in a severely degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information. |
MembershipFeatureState
MembershipFeatureState contains Feature status information for a single Membership.
| JSON representation |
|---|
{ "state": { object ( |
| Fields | |
|---|---|
state |
The high-level state of this Feature for a single membership. |
Union field
|
|
servicemesh |
Service Mesh-specific state. |
configmanagement |
Config Management-specific state. |
identityservice |
Identity Service-specific state. |
appdevexperience |
Appdevexperience specific state. |
policycontroller |
Policycontroller-specific state. |
clusterupgrade |
ClusterUpgrade state. |
fleetobservability |
Fleet observability membership state. |
MembershipState
Service Mesh: State for a single Membership, as analyzed by the Service Mesh Hub Controller.
| JSON representation |
|---|
{ "controlPlaneManagement": { object ( |
| Fields | |
|---|---|
control |
Output only. Status of control plane management |
data |
Output only. Status of data plane management. |
conditions[] |
Output only. List of conditions reported for this membership. |
MembershipState.ControlPlaneManagement
Status of control plane management.
| JSON representation |
|---|
{ "details": [ { object ( |
| Fields | |
|---|---|
details[] |
Explanation of state. |
state |
LifecycleState of control plane management. |
implementation |
Output only. Implementation of managed control plane. |
StatusDetails
Structured and human-readable details for a status.
| JSON representation |
|---|
{ "code": string, "details": string } |
| Fields | |
|---|---|
code |
A machine-readable code that further describes a broad status. |
details |
Human-readable explanation of code. |
MembershipState.LifecycleState
Lifecycle state of Service Mesh components.
| Enums | |
|---|---|
LIFECYCLE_STATE_UNSPECIFIED |
Unspecified |
DISABLED |
DISABLED means that the component is not enabled. |
FAILED_PRECONDITION |
FAILED_PRECONDITION means that provisioning cannot proceed because of some characteristic of the member cluster. |
PROVISIONING |
PROVISIONING means that provisioning is in progress. |
ACTIVE |
ACTIVE means that the component is ready for use. |
STALLED |
STALLED means that provisioning could not be done. |
NEEDS_ATTENTION |
NEEDS_ATTENTION means that the component is ready, but some user intervention is required. (For example that the user should migrate workloads to a new control plane revision.) |
DEGRADED |
DEGRADED means that the component is ready, but operating in a degraded state. |
MembershipState.ControlPlaneManagement.Implementation
Implementation of managed control plane.
| Enums | |
|---|---|
IMPLEMENTATION_UNSPECIFIED |
Unspecified |
ISTIOD |
A Google build of istiod is used for the managed control plane. |
TRAFFIC_DIRECTOR |
Traffic director is used for the managed control plane. |
UPDATING |
The control plane implementation is being updated. |
MembershipState.DataPlaneManagement
Status of data plane management. Only reported per-member.
| JSON representation |
|---|
{ "state": enum ( |
| Fields | |
|---|---|
state |
Lifecycle status of data plane management. |
details[] |
Explanation of the status. |
MembershipState.Condition
Condition being reported.
| JSON representation |
|---|
{ "code": enum ( |
| Fields | |
|---|---|
code |
Unique identifier of the condition which describes the condition recognizable to the user. |
documentation |
Links contains actionable information. |
details |
A short summary about the issue. |
severity |
Severity level of the condition. |
MembershipState.Condition.Code
Unique identifier of the condition which describes the condition recognizable to the user.
| Enums | |
|---|---|
CODE_UNSPECIFIED |
Default Unspecified code |
MESH_IAM_PERMISSION_DENIED |
Mesh IAM permission denied error code |
MESH_IAM_CROSS_PROJECT_PERMISSION_DENIED |
Permission denied error code for cross-project |
CNI_CONFIG_UNSUPPORTED |
CNI config unsupported error code |
GKE_SANDBOX_UNSUPPORTED |
GKE sandbox unsupported error code |
NODEPOOL_WORKLOAD_IDENTITY_FEDERATION_REQUIRED |
Nodepool workload identity federation required error code |
CNI_INSTALLATION_FAILED |
CNI installation failed error code |
CNI_POD_UNSCHEDULABLE |
CNI pod unschedulable error code |
CLUSTER_HAS_ZERO_NODES |
Cluster has zero node code |
UNSUPPORTED_MULTIPLE_CONTROL_PLANES |
Multiple control planes unsupported error code |
VPCSC_GA_SUPPORTED |
VPC-SC GA is supported for this control plane. |
DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT |
User is using deprecated ControlPlaneManagement and they have not yet set Management. |
DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT_SAFE |
User is using deprecated ControlPlaneManagement and they have already set Management. |
CONFIG_APPLY_INTERNAL_ERROR |
Configuration (Istio/k8s resources) failed to apply due to internal error. |
CONFIG_VALIDATION_ERROR |
Configuration failed to be applied due to being invalid. |
CONFIG_VALIDATION_WARNING |
Encountered configuration(s) with possible unintended behavior or invalid configuration. These configs may not have been applied. |
QUOTA_EXCEEDED_BACKEND_SERVICES |
BackendService quota exceeded error code. |
QUOTA_EXCEEDED_HEALTH_CHECKS |
HealthCheck quota exceeded error code. |
QUOTA_EXCEEDED_HTTP_ROUTES |
HTTPRoute quota exceeded error code. |
QUOTA_EXCEEDED_TCP_ROUTES |
TCPRoute quota exceeded error code. |
QUOTA_EXCEEDED_TLS_ROUTES |
TLS routes quota exceeded error code. |
QUOTA_EXCEEDED_TRAFFIC_POLICIES |
TrafficPolicy quota exceeded error code. |
QUOTA_EXCEEDED_ENDPOINT_POLICIES |
EndpointPolicy quota exceeded error code. |
QUOTA_EXCEEDED_GATEWAYS |
Gateway quota exceeded error code. |
QUOTA_EXCEEDED_MESHES |
Mesh quota exceeded error code. |
QUOTA_EXCEEDED_SERVER_TLS_POLICIES |
ServerTLSPolicy quota exceeded error code. |
QUOTA_EXCEEDED_CLIENT_TLS_POLICIES |
ClientTLSPolicy quota exceeded error code. |
QUOTA_EXCEEDED_SERVICE_LB_POLICIES |
ServiceLBPolicy quota exceeded error code. |
QUOTA_EXCEEDED_HTTP_FILTERS |
HTTPFilter quota exceeded error code. |
QUOTA_EXCEEDED_TCP_FILTERS |
TCPFilter quota exceeded error code. |
QUOTA_EXCEEDED_NETWORK_ENDPOINT_GROUPS |
NetworkEndpointGroup quota exceeded error code. |
MODERNIZATION_SCHEDULED |
Modernization is scheduled for a cluster. |
MODERNIZATION_IN_PROGRESS |
Modernization is in progress for a cluster. |
MODERNIZATION_COMPLETED |
Modernization is completed for a cluster. |
MODERNIZATION_ABORTED |
Modernization is aborted for a cluster. |
MembershipState.Condition.Severity
Severity level of the reported condition
| Enums | |
|---|---|
SEVERITY_UNSPECIFIED |
Unspecified severity |
ERROR |
Indicates an issue that prevents the mesh from operating correctly |
WARNING |
Indicates a setting is likely wrong, but the mesh is still able to operate |
INFO |
An informational message, not requiring any action |
MembershipState
Anthos Config Management: State for a single cluster.
| JSON representation |
|---|
{ "clusterName": string, "membershipSpec": { object ( |
| Fields | |
|---|---|
cluster |
This field is set to the |
membership |
Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipSpec in the FeatureSpec represents the intended state |
operator |
Current install status of ACM's Operator |
config |
Current sync status |
policy |
PolicyController status |
hierarchy |
Hierarchy Controller status |
OperatorState
State information for an ACM's Operator
| JSON representation |
|---|
{ "version": string, "deploymentState": enum ( |
| Fields | |
|---|---|
version |
The semenatic version number of the operator |
deployment |
The state of the Operator's deployment |
errors[] |
Install errors. |
DeploymentState
Enum representing the state of an ACM's deployment on a cluster
| Enums | |
|---|---|
DEPLOYMENT_STATE_UNSPECIFIED |
Deployment's state cannot be determined |
NOT_INSTALLED |
Deployment is not installed |
INSTALLED |
Deployment is installed |
ERROR |
Deployment was attempted to be installed, but has errors |
PENDING |
Deployment is installing or terminating |
InstallError
Errors pertaining to the installation of ACM
| JSON representation |
|---|
{ "errorMessage": string } |
| Fields | |
|---|---|
error |
A string representing the user facing error message |
ConfigSyncState
State information for ConfigSync
| JSON representation |
|---|
{ "version": { object ( |
| Fields | |
|---|---|
version |
The version of ConfigSync deployed |
deployment |
Information about the deployment of ConfigSync, including the version of the various Pods deployed |
sync |
The state of ConfigSync's process to sync configs to a cluster |
errors[] |
Errors pertaining to the installation of Config Sync. |
rootsync |
The state of the RootSync CRD |
reposync |
The state of the Reposync CRD |
state |
The state of CS This field summarizes the other fields in this message. |
cluster |
Whether syncing resources to the cluster is stopped at the cluster level. |
cr |
Output only. The number of RootSync and RepoSync CRs in the cluster. |
ConfigSyncVersion
Specific versioning information pertaining to ConfigSync's Pods
| JSON representation |
|---|
{ "importer": string, "syncer": string, "gitSync": string, "monitor": string, "reconcilerManager": string, "rootReconciler": string, "admissionWebhook": string, "resourceGroupControllerManager": string, "otelCollector": string } |
| Fields | |
|---|---|
importer |
Version of the deployed importer pod |
syncer |
Version of the deployed syncer pod |
git |
Version of the deployed git-sync pod |
monitor |
Version of the deployed monitor pod |
reconciler |
Version of the deployed reconciler-manager pod |
root |
Version of the deployed reconciler container in root-reconciler pod |
admission |
Version of the deployed admission-webhook pod |
resource |
Version of the deployed resource-group-controller-manager pod |
otel |
Version of the deployed otel-collector pod |
ConfigSyncDeploymentState
The state of ConfigSync's deployment on a cluster
| JSON representation |
|---|
{ "importer": enum ( |
| Fields | |
|---|---|
importer |
Deployment state of the importer pod |
syncer |
Deployment state of the syncer pod |
git |
Deployment state of the git-sync pod |
monitor |
Deployment state of the monitor pod |
reconciler |
Deployment state of reconciler-manager pod |
root |
Deployment state of root-reconciler |
admission |
Deployment state of admission-webhook |
resource |
Deployment state of resource-group-controller-manager |
otel |
Deployment state of otel-collector |
SyncState
State indicating an ACM's progress syncing configurations to a cluster
| JSON representation |
|---|
{ "sourceToken": string, "importToken": string, "syncToken": string, "lastSync": string, "lastSyncTime": string, "code": enum ( |
| Fields | |
|---|---|
source |
Token indicating the state of the repo. |
import |
Token indicating the state of the importer. |
sync |
Token indicating the state of the syncer. |
lastSync |
Deprecated: use lastSyncTime instead. Timestamp of when ACM last successfully synced the repo The time format is specified in https://golang.org/pkg/time/#Time.String |
last |
Timestamp type of when ACM last successfully synced the repo A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
code |
Sync status code |
errors[] |
A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist. |
SyncState.SyncCode
An enum representing Config Sync's status of syncing configs to a cluster.
| Enums | |
|---|---|
SYNC_CODE_UNSPECIFIED |
Config Sync cannot determine a sync code |
SYNCED |
Config Sync successfully synced the git Repo with the cluster |
PENDING |
Config Sync is in the progress of syncing a new change |
ERROR |
Indicates an error configuring Config Sync, and user action is required |
NOT_CONFIGURED |
Config Sync has been installed but not configured |
NOT_INSTALLED |
Config Sync has not been installed |
UNAUTHORIZED |
Error authorizing with the cluster |
UNREACHABLE |
Cluster could not be reached |
SyncError
An ACM created error representing a problem syncing configurations
| JSON representation |
|---|
{
"code": string,
"errorMessage": string,
"errorResources": [
{
object ( |
| Fields | |
|---|---|
code |
An ACM defined error code |
error |
A description of the error |
error |
A list of config(s) associated with the error, if any |
ErrorResource
Model for a config file in the git repo with an associated Sync error
| JSON representation |
|---|
{
"sourcePath": string,
"resourceName": string,
"resourceNamespace": string,
"resourceGvk": {
object ( |
| Fields | |
|---|---|
source |
Path in the git repo of the erroneous config |
resource |
Metadata name of the resource that is causing an error |
resource |
Namespace of the resource that is causing an error |
resource |
Group/version/kind of the resource that is causing an error |
GroupVersionKind
A Kubernetes object's GVK
| JSON representation |
|---|
{ "group": string, "version": string, "kind": string } |
| Fields | |
|---|---|
group |
Kubernetes Group |
version |
Kubernetes Version |
kind |
Kubernetes Kind |
ConfigSyncError
Errors pertaining to the installation of Config Sync
| JSON representation |
|---|
{ "errorMessage": string } |
| Fields | |
|---|---|
error |
A string representing the user facing error message |
ConfigSyncState.CRDState
CRDState representing the state of a CRD
| Enums | |
|---|---|
CRD_STATE_UNSPECIFIED |
CRD's state cannot be determined |
NOT_INSTALLED |
CRD is not installed |
INSTALLED |
CRD is installed |
TERMINATING |
CRD is terminating (i.e., it has been deleted and is cleaning up) |
INSTALLING |
CRD is installing |
ConfigSyncState.State
| Enums | |
|---|---|
STATE_UNSPECIFIED |
CS's state cannot be determined. |
CONFIG_SYNC_NOT_INSTALLED |
CS is not installed. |
CONFIG_SYNC_INSTALLED |
The expected CS version is installed successfully. |
CONFIG_SYNC_ERROR |
CS encounters errors. |
CONFIG_SYNC_PENDING |
CS is installing or terminating. |
ConfigSyncState.StopSyncingState
| Enums | |
|---|---|
STOP_SYNCING_STATE_UNSPECIFIED |
State cannot be determined |
NOT_STOPPED |
Syncing resources to the cluster is not stopped at the cluster level. |
PENDING |
Some reconcilers stop syncing resources to the cluster, while others are still syncing. |
STOPPED |
Syncing resources to the cluster is stopped at the cluster level. |
PolicyControllerState
State for PolicyControllerState.
| JSON representation |
|---|
{ "version": { object ( |
| Fields | |
|---|---|
version |
The version of Gatekeeper Policy Controller deployed. |
deployment |
The state about the policy controller installation. |
migration |
Record state of ACM -> PoCo Hub migration for this feature. |
PolicyControllerVersion
The build version of Gatekeeper Policy Controller is using.
| JSON representation |
|---|
{ "version": string } |
| Fields | |
|---|---|
version |
The gatekeeper image tag that is composed of ACM version, git tag, build number. |
GatekeeperDeploymentState
State of Policy Controller installation.
| JSON representation |
|---|
{ "gatekeeperControllerManagerState": enum ( |
| Fields | |
|---|---|
gatekeeper |
Status of gatekeeper-controller-manager pod. |
gatekeeper |
Status of gatekeeper-audit deployment. |
gatekeeper |
Status of the pod serving the mutation webhook. |
PolicyControllerMigration
State for the migration of PolicyController from ACM -> PoCo Hub.
| JSON representation |
|---|
{
"stage": enum ( |
| Fields | |
|---|---|
stage |
Stage of the migration. |
copy |
Last time this membership spec was copied to PoCo feature. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
PolicyControllerMigration.Stage
Stage marks what stage of the migration ACM hub is in.
| Enums | |
|---|---|
STAGE_UNSPECIFIED |
Unknown state of migration. |
ACM_MANAGED |
ACM Hub/Operator manages policycontroller. No migration yet completed. |
POCO_MANAGED |
All migrations steps complete; Poco Hub now manages policycontroller. |
HierarchyControllerState
State for Hierarchy Controller
| JSON representation |
|---|
{ "version": { object ( |
| Fields | |
|---|---|
version |
The version for Hierarchy Controller |
state |
The deployment state for Hierarchy Controller |
HierarchyControllerVersion
Version for Hierarchy Controller
| JSON representation |
|---|
{ "hnc": string, "extension": string } |
| Fields | |
|---|---|
hnc |
Version for open source HNC |
extension |
Version for Hierarchy Controller extension |
HierarchyControllerDeploymentState
Deployment state for Hierarchy Controller
| JSON representation |
|---|
{ "hnc": enum ( |
| Fields | |
|---|---|
hnc |
The deployment state for open source HNC (e.g. v0.7.0-hc.0) |
extension |
The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1) |
MembershipState
Anthos Identity Service: State for a single Membership.
| JSON representation |
|---|
{ "installedVersion": string, "state": enum ( |
| Fields | |
|---|---|
installed |
Installed AIS version. This is the AIS version installed on this member. The values makes sense iff state is OK. |
state |
Deployment state on this member |
failure |
The reason of the failure. |
member |
Last reconciled membership configuration |
MembershipState.DeploymentState
Deployment state enum
| Enums | |
|---|---|
DEPLOYMENT_STATE_UNSPECIFIED |
Unspecified state |
OK |
deployment succeeds |
ERROR |
Failure with error. |
MembershipState
Policy Controller: State for a single cluster.
| JSON representation |
|---|
{ "componentStates": { string: { object ( |
| Fields | |
|---|---|
component |
Currently these include (also serving as map keys): 1. "admission" 2. "audit" 3. "mutation" An object containing a list of |
state |
The overall Policy Controller lifecycle state observed by the Hub Feature controller. |
policy |
The overall content state observed by the Hub Feature controller. |
OnClusterState
OnClusterState represents the state of a sub-component of Policy Controller.
| JSON representation |
|---|
{
"state": enum ( |
| Fields | |
|---|---|
state |
The lifecycle state of this component. |
details |
Surface potential errors or information logs. |
MembershipState.LifecycleState
The set of states Policy Controller can exist in.
| Enums | |
|---|---|
LIFECYCLE_STATE_UNSPECIFIED |
The lifecycle state is unspecified. |
NOT_INSTALLED |
The PC does not exist on the given cluster, and no k8s resources of any type that are associated with the PC should exist there. The cluster does not possess a membership with the PCH. |
INSTALLING |
The PCH possesses a Membership, however the PC is not fully installed on the cluster. In this state the hub can be expected to be taking actions to install the PC on the cluster. |
ACTIVE |
The PC is fully installed on the cluster and in an operational mode. In this state PCH will be reconciling state with the PC, and the PC will be performing it's operational tasks per that software. Entering a READY state requires that the hub has confirmed the PC is installed and its pods are operational with the version of the PC the PCH expects. |
UPDATING |
The PC is fully installed, but in the process of changing the configuration (including changing the version of PC either up and down, or modifying the manifests of PC) of the resources running on the cluster. The PCH has a Membership, is aware of the version the cluster should be running in, but has not confirmed for itself that the PC is running with that version. |
DECOMMISSIONING |
The PC may have resources on the cluster, but the PCH wishes to remove the Membership. The Membership still exists. |
CLUSTER_ERROR |
The PC is not operational, and the PCH is unable to act to make it operational. Entering a CLUSTER_ERROR state happens automatically when the PCH determines that a PC installed on the cluster is non-operative or that the cluster does not meet requirements set for the PCH to administer the cluster but has nevertheless been given an instruction to do so (such as 'install'). |
HUB_ERROR |
In this state, the PC may still be operational, and only the PCH is unable to act. The hub should not issue instructions to change the PC state, or otherwise interfere with the on-cluster resources. Entering a HUB_ERROR state happens automatically when the PCH determines the hub is in an unhealthy state and it wishes to 'take hands off' to avoid corrupting the PC or other data. |
SUSPENDED |
Policy Controller (PC) is installed but suspended. This means that the policies are not enforced, but violations are still recorded (through audit). |
DETACHED |
PoCo Hub is not taking any action to reconcile cluster objects. Changes to those objects will not be overwritten by PoCo Hub. |
PolicyContentState
The state of the policy controller policy content
| JSON representation |
|---|
{ "templateLibraryState": { object ( |
| Fields | |
|---|---|
template |
The state of the template library |
bundle |
The state of the any bundles included in the chosen version of the manifest An object containing a list of |
referential |
The state of the referential data sync configuration. This could represent the state of either the syncSet object(s) or the config object, depending on the version of PoCo configured by the user. |
MembershipState
Per-membership state for this feature.
| JSON representation |
|---|
{ "upgrades": [ { object ( |
| Fields | |
|---|---|
upgrades[] |
Actual upgrade state against desired. |
ignored |
Whether this membership is ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of its release channel. |
MembershipGKEUpgradeState
ScopeGKEUpgradeState is a GKEUpgrade and its state per-membership.
| JSON representation |
|---|
{ "upgrade": { object ( |
| Fields | |
|---|---|
upgrade |
Which upgrade to track the state. |
status |
Status of the upgrade. |
MembershipState
This type has no fields.
FleetObservability: Membership-specific Feature state for fleetobservability.
CommonFleetDefaultMemberConfigSpec
CommonFleetDefaultMemberConfigSpec contains default configuration information for memberships of a fleet
| JSON representation |
|---|
{ // Union field |
| Fields | |
|---|---|
Union field
|
|
mesh |
Anthos Service Mesh-specific spec |
configmanagement |
Config Management-specific spec. |
identityservice |
Identity Service-specific spec. |
policycontroller |
Policy Controller spec. |
ScopeFeatureSpec
This type has no fields.
ScopeFeatureSpec contains feature specs for a fleet scope.
ScopeFeatureState
ScopeFeatureState contains Scope-wide Feature status information.
| JSON representation |
|---|
{
"state": {
object ( |
| Fields | |
|---|---|
state |
Output only. The "running state" of the Feature in this Scope. |
Methods |
|
|---|---|
|
Adds a new Feature. |
|
Removes a Feature. |
|
Gets details of a single Feature. |
|
Gets the access control policy for a resource. |
|
Lists Features in a given project and location. |
|
Updates an existing Feature. |
|
Sets the access control policy on the specified resource. |
|
Returns permissions that a caller has on the specified resource. |