- Resource: Feature
- FeatureResourceState
- FeatureResourceState.State
- CommonFeatureSpec
- FeatureSpec
- Billing
- FeatureSpec
- FeatureSpec
- FeatureSpec.GoogleCAProvisioning
- MembershipSpec
- MembershipSpec.CertificateManagement
- AnthosObservabilityFeatureSpec
- AnthosObservabilityMembershipSpec
- FeatureSpec
- LoggingConfig
- RoutingConfig
- RoutingConfig.Mode
- FeatureSpec
- FeatureSpec.ActuationMode
- FleetSpec
- PostConditions
- GKEUpgradeOverride
- GKEUpgrade
- FeatureSpec
- MembershipFeatureSpec
- MembershipSpec
- ConfigSync
- GitConfig
- OciConfig
- PolicyController
- PolicyControllerMonitoring
- PolicyControllerMonitoring.MonitoringBackend
- BinauthzConfig
- HierarchyControllerConfig
- MembershipSpec
- MembershipSpec.SecurityPolicy
- MembershipSpec
- MembershipSpec.AuthMethod
- MembershipSpec.AuthMethod.OidcConfig
- MembershipSpec.AuthMethod.AzureADConfig
- MembershipSpec.AuthMethod.GoogleConfig
- MembershipSpec
- MembershipSpec.ControlPlaneManagement
- Channel
- MembershipSpec.Management
- MembershipSpec
- HubConfig
- HubConfig.InstallSpec
- MonitoringConfig
- MonitoringConfig.MonitoringBackend
- PolicyContentSpec
- BundleInstallSpec
- TemplateLibraryConfig
- TemplateLibraryConfig.Installation
- PolicyControllerDeploymentConfig
- ResourceRequirements
- ResourceList
- PolicyControllerDeploymentConfig.Toleration
- PolicyControllerDeploymentConfig.Affinity
- MembershipSpec
- MembershipSpec
- MembershipFeatureSpec.Origin
- MembershipFeatureSpec.Origin.Type
- CommonFeatureState
- FeatureState
- AnalysisMessage
- AnalysisMessageBase
- AnalysisMessageBase.Type
- AnalysisMessageBase.Level
- FeatureState
- FleetObservabilityLoggingState
- FleetObservabilityBaseFeatureState
- FleetObservabilityBaseFeatureState.Code
- FleetObservabilityBaseFeatureState.FeatureError
- FleetObservabilityMonitoringState
- FeatureState
- FleetState
- IgnoredMembership
- GKEUpgradeFeatureState
- GKEUpgradeState
- UpgradeStatus
- UpgradeStatus.Code
- GKEUpgradeFeatureCondition
- FeatureState
- FeatureState.Code
- MembershipFeatureState
- MembershipState
- MembershipState.ControlPlaneManagement
- StatusDetails
- MembershipState.LifecycleState
- MembershipState.DataPlaneManagement
- MembershipState
- MembershipState
- OperatorState
- DeploymentState
- InstallError
- ConfigSyncState
- ConfigSyncVersion
- ConfigSyncDeploymentState
- SyncState
- SyncState.SyncCode
- SyncError
- ErrorResource
- GroupVersionKind
- ConfigSyncError
- PolicyControllerState
- PolicyControllerVersion
- GatekeeperDeploymentState
- PolicyControllerMigration
- PolicyControllerMigration.Stage
- BinauthzState
- BinauthzVersion
- HierarchyControllerState
- HierarchyControllerVersion
- HierarchyControllerDeploymentState
- MembershipState
- MembershipState.DeploymentState
- MembershipState
- OnClusterState
- MembershipState.LifecycleState
- PolicyContentState
- MembershipState
- MembershipGKEUpgradeState
- MembershipState
- MembershipState
- CommonFleetDefaultMemberConfigSpec
- ScopeFeatureSpec
- ScopeSpec
- ScopeFeatureState
- ScopeState
- Methods
Resource: Feature
Feature represents the settings and status of any Hub Feature.
JSON representation |
---|
{ "name": string, "labels": { string: string, ... }, "resourceState": { object ( |
Fields | |
---|---|
name |
Output only. The full, unique name of this Feature resource in the format |
labels |
Labels for this Feature. An object containing a list of |
resourceState |
Output only. State of the Feature resource itself. |
spec |
Optional. Hub-wide Feature configuration. If this Feature does not support any Hub-wide configuration, this field may be unused. |
membershipSpecs |
Optional. Membership-specific configuration for this Feature. If this Feature does not support any per-Membership configuration, this field may be unused. The keys indicate which Membership the configuration is for, in the form:
Where {p} is the project, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} WILL match the Feature's project. {p} will always be returned as the project number, but the project ID is also accepted during input. If the same Membership is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature. An object containing a list of |
state |
Output only. The Hub-wide Feature state. |
membershipStates |
Output only. Membership-specific Feature status. If this Feature does not report any per-Membership status, this field may be unused. The keys indicate which Membership the state is for, in the form:
Where {p} is the project number, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} MUST match the Feature's project number. An object containing a list of |
createTime |
Output only. When the Feature resource was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
updateTime |
Output only. When the Feature resource was last updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
deleteTime |
Output only. When the Feature resource was deleted. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
fleetDefaultMemberConfig |
Optional. Feature configuration applicable to all memberships of the fleet. |
scopeSpecs |
Optional. Scope-specific configuration for this Feature. If this Feature does not support any per-Scope configuration, this field may be unused. The keys indicate which Scope the configuration is for, in the form:
Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project. {p} will always be returned as the project number, but the project ID is also accepted during input. If the same Scope is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature. An object containing a list of |
scopeStates |
Output only. Scope-specific Feature status. If this Feature does not report any per-Scope status, this field may be unused. The keys indicate which Scope the state is for, in the form:
Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project. An object containing a list of |
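The membershipSpecs description above warns that a Membership written under both its project-ID and project-number forms collapses to a single saved entry, with no guarantee which one survives. The following is an added example (not code from the GKE Hub documentation or API) of a pre-submit check that catches that collision, a mix of key forms, malformed keys, and keys for a project other than the Feature's. It assumes the key format `projects/{p}/locations/{l}/memberships/{m}`, which the page elides, and takes a caller-supplied project-ID-to-number table because the check runs offline.

```python
import re
from collections import defaultdict

# Assumed key format for membershipSpecs / membershipStates (the reference
# page elides it): projects/{p}/locations/{l}/memberships/{m}
MEMBERSHIP_KEY = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)/memberships/(?P<name>[^/]+)$"
)


def canonical_project(project, aliases):
    """Map a project ID to its project number using a caller-supplied table.

    The API accepts either form on input but stores only the number, so the
    consistency check compares numbers. `aliases` maps ID -> number and is
    constructed by the caller; None means the ID is unknown."""
    if project.isdigit():
        return project
    return aliases.get(project)


def check_membership_spec_keys(feature, feature_project_number, aliases):
    """Return (severity, key, message) findings for feature['membershipSpecs'].

    Flags malformed keys, keys for a different project, a mix of project-ID and
    project-number forms, and the same Membership listed under both forms (the
    API keeps exactly one of those entries, with no guarantee which)."""
    findings = []
    forms_used = set()
    seen = defaultdict(list)  # (number, location, name) -> [keys that resolve to it]
    for key in feature.get("membershipSpecs", {}):
        m = MEMBERSHIP_KEY.match(key)
        if not m:
            findings.append(("error", key,
                             "key is not of the form projects/{p}/locations/{l}/memberships/{m}"))
            continue
        project = m.group("project")
        forms_used.add("number" if project.isdigit() else "id")
        number = canonical_project(project, aliases)
        if number is None:
            findings.append(("error", key,
                             f"unknown project ID {project!r}; cannot verify it matches the Feature's project"))
            continue
        if number != feature_project_number:
            findings.append(("error", key,
                             f"project {number} does not match the Feature's project {feature_project_number}"))
            continue
        seen[(number, m.group("location"), m.group("name"))].append(key)
    for keys in seen.values():
        if len(keys) > 1:
            findings.append(("error", ", ".join(sorted(keys)),
                             "same Membership given under both project forms; only one entry will be saved"))
    if len(forms_used) > 1:
        findings.append(("warning", "*",
                         "membershipSpecs mixes project-ID and project-number keys; use one form for all entries"))
    return findings


# Constructed sample Feature and alias table, not real resources.
SAMPLE_FEATURE = {
    "name": "projects/123456789012/locations/global/features/configmanagement",
    "membershipSpecs": {
        "projects/123456789012/locations/us-central1/memberships/prod-a": {},
        "projects/my-project/locations/us-central1/memberships/prod-a": {},  # same cluster, ID form
        "projects/my-project/locations/us-central1/memberships/prod-b": {},
        "projects/999999999999/locations/us-central1/memberships/other": {},  # wrong project
        "memberships/prod-c": {},  # malformed
    },
}
SAMPLE_ALIASES = {"my-project": "123456789012"}

if __name__ == "__main__":
    for severity, key, msg in check_membership_spec_keys(SAMPLE_FEATURE, "123456789012", SAMPLE_ALIASES):
        print(f"[{severity}] {key}: {msg}")
```

Run it before a PATCH/UPDATE on the Feature; an empty result means every key uses one form and resolves to a distinct Membership in the Feature's own project.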
FeatureResourceState
FeatureResourceState describes the state of a Feature resource in the GkeHub API. See FeatureState for the "running state" of the Feature in the Hub and across Memberships.
JSON representation |
---|
{
"state": enum ( |
Fields | |
---|---|
state |
The current state of the Feature resource in the Hub API. |
FeatureResourceState.State
State describes the lifecycle status of a Feature.
Enums | |
---|---|
STATE_UNSPECIFIED |
State is unknown or not set. |
ENABLING |
The Feature is being enabled, and the Feature resource is being created. Once complete, the corresponding Feature will be enabled in this Hub. |
ACTIVE |
The Feature is enabled in this Hub, and the Feature resource is fully available. |
DISABLING |
The Feature is being disabled in this Hub, and the Feature resource is being deleted. |
UPDATING |
The Feature resource is being updated. |
SERVICE_UPDATING |
The Feature resource is being updated by the Hub Service. |
CommonFeatureSpec
CommonFeatureSpec contains Hub-wide configuration information
JSON representation |
---|
{ // Union field |
Fields | |
---|---|
Union field. Only one of the following can be set: |
multiclusteringress |
Multicluster Ingress-specific spec. |
cloudauditlogging |
Cloud Audit Logging-specific spec. |
workloadcertificate |
Workload Certificate spec. |
appdevexperience |
Appdevexperience specific spec. |
anthosobservability |
Anthos Observability spec |
fleetobservability |
FleetObservability feature spec. |
namespaceactuation |
Namespace Actuation feature spec |
clusterupgrade |
ClusterUpgrade (fleet-based) feature spec. |
dataplanev2 |
DataplaneV2 feature spec. |
FeatureSpec
Multi-cluster Ingress: The configuration for the MultiClusterIngress feature.
JSON representation |
---|
{
"configMembership": string,
"billing": enum ( |
Fields | |
---|---|
configMembership |
Fully-qualified Membership name which hosts the MultiClusterIngress CRD. Example: |
billing |
Deprecated: This field will be ignored and should not be set. Customer's billing structure. |
Billing
Deprecated: The FeatureSpec.billing field is no longer used. Billing identifies which billing structure the customer is using.
Enums | |
---|---|
BILLING_UNSPECIFIED |
Unknown |
PAY_AS_YOU_GO |
User pays a fee per-endpoint. |
ANTHOS_LICENSE |
User is paying for Anthos as a whole. |
FeatureSpec
Cloud Audit Logging: Spec for Audit Logging Allowlisting.
JSON representation |
---|
{ "allowlistedServiceAccounts": [ string ] } |
Fields | |
---|---|
allowlistedServiceAccounts[] |
Service account that should be allowlisted to send the audit logs; e.g. cloudauditlogging@gcp-project.iam.gserviceaccount.com. These accounts must already exist, but do not need to have any permissions granted to them. The customer's entitlements will be checked prior to allowlisting (i.e. the customer must be an Anthos customer). |
FeatureSpec
Workload Certificate: The Hub-wide input for the WorkloadCertificate feature.
JSON representation |
---|
{ "provisionGoogleCa": enum ( |
Fields | |
---|---|
provisionGoogleCa |
Immutable. Specifies CA configuration. |
defaultConfig |
Specifies default membership spec. Users can override the default in the memberConfigs for each member. |
FeatureSpec.GoogleCAProvisioning
Specifies if a default Google managed CA should be provisioned. If UNSPECIFIED, Google managed CA feature is disabled. If set to UNSPECIFIED/DISABLED, the "certificate_authority_config" field in WorkloadCertificateConfig must specify a CA endpoint.
Enums | |
---|---|
GOOGLE_CA_PROVISIONING_UNSPECIFIED |
Disable default Google managed CA. |
DISABLED |
Disable default Google managed CA. |
ENABLED |
Use default Google managed CA. |
ENABLED_WITH_MANAGED_CA |
Workload certificate feature is enabled, and the entire certificate provisioning process is managed by Google with managed CAS which is more secure than the default CA. |
ENABLED_WITH_DEFAULT_CA |
Workload certificate feature is enabled, and the entire certificate provisioning process is using the default CA which is free. |
MembershipSpec
Workload Certificate: The membership-specific input for WorkloadCertificate feature.
JSON representation |
---|
{
"certificateManagement": enum ( |
Fields | |
---|---|
certificateManagement |
Specifies workload certificate management. |
MembershipSpec.CertificateManagement
Specifies whether or not the feature is enabled on the member cluster.
Enums | |
---|---|
CERTIFICATE_MANAGEMENT_UNSPECIFIED |
Disable workload certificate feature. |
DISABLED |
Disable workload certificate feature. |
ENABLED |
Enable workload certificate feature. |
AnthosObservabilityFeatureSpec
Anthos Observability: Spec
JSON representation |
---|
{
"defaultMembershipSpec": {
object ( |
Fields | |
---|---|
defaultMembershipSpec |
Default membership spec for unconfigured memberships |
AnthosObservabilityMembershipSpec
Anthosobservability: Per-Membership Feature spec.
JSON representation |
---|
{ "enableStackdriverOnApplications": boolean, "doNotOptimizeMetrics": boolean, "version": string } |
Fields | |
---|---|
enableStackdriverOnApplications |
Enable collecting and reporting metrics and logs from user apps. |
doNotOptimizeMetrics |
Use the full set of metrics rather than the optimized set. See https://cloud.google.com/anthos/clusters/docs/on-prem/1.8/concepts/logging-and-monitoring#optimized_metrics_default_metrics |
version |
The version of the Stackdriver operator used by this feature. |
FeatureSpec
Fleet Observability: The Hub-wide input for the FleetObservability feature.
JSON representation |
---|
{
"loggingConfig": {
object ( |
Fields | |
---|---|
loggingConfig |
Specified if fleet logging feature is enabled for the entire fleet. If UNSPECIFIED, fleet logging feature is disabled for the entire fleet. |
LoggingConfig
LoggingConfig defines the configuration for different types of logs.
JSON representation |
---|
{ "defaultConfig": { object ( |
Fields | |
---|---|
defaultConfig |
Specified if applying the default routing config to logs not specified in other configs. |
fleetScopeLogsConfig |
Specified if applying the routing config to all logs for all fleet scopes. |
RoutingConfig
RoutingConfig configures the behaviour of fleet logging feature.
JSON representation |
---|
{
"mode": enum ( |
Fields | |
---|---|
mode |
mode configures the logs routing mode. |
RoutingConfig.Mode
Specified if fleet logging feature is enabled.
Enums | |
---|---|
MODE_UNSPECIFIED |
If UNSPECIFIED, fleet logging feature is disabled. |
COPY |
logs will be copied to the destination project. |
MOVE |
logs will be moved to the destination project. |
FeatureSpec
An empty spec for actuation feature. This is required since Feature proto requires a spec.
JSON representation |
---|
{
"actuationMode": enum ( |
Fields | |
---|---|
actuationMode |
actuationMode controls the behavior of the controller. |
FeatureSpec.ActuationMode
ActuationMode controls the behavior of the controller
Enums | |
---|---|
ACTUATION_MODE_UNSPECIFIED |
ACTUATION_MODE_UNSPECIFIED is similar to CREATE_AND_DELETE_IF_CREATED in the default controller behavior. |
ACTUATION_MODE_CREATE_AND_DELETE_IF_CREATED |
ACTUATION_MODE_CREATE_AND_DELETE_IF_CREATED has the controller create cluster namespaces for each fleet namespace and it deletes only the ones it created, which are identified by a label. |
ACTUATION_MODE_ADD_AND_REMOVE_FLEET_LABELS |
ACTUATION_MODE_ADD_AND_REMOVE_FLEET_LABELS has the controller only apply labels to cluster namespaces to signal fleet namespace enablement. It doesn't create or delete cluster namespaces. |
FleetSpec
ClusterUpgrade: The configuration for the fleet-level ClusterUpgrade feature.
JSON representation |
---|
{ "upstreamFleets": [ string ], "postConditions": { object ( |
Fields | |
---|---|
upstreamFleets[] |
This fleet consumes upgrades that have COMPLETE status code in the upstream fleets. See UpgradeStatus.Code for code definitions. The fleet name should be either the fleet project number or ID. This is defined as repeated for future-proofing reasons; the initial implementation enforces at most one upstream fleet. |
postConditions |
Required. Post conditions to evaluate to mark an upgrade COMPLETE. |
gkeUpgradeOverrides[] |
Allow users to override some properties of each GKE upgrade. |
PostConditions
Post-condition checks applied after an upgrade has been rolled out to all eligible clusters.
JSON representation |
---|
{ "soaking": string } |
Fields | |
---|---|
soaking |
Required. Amount of time to "soak" after a rollout has finished before marking it COMPLETE. Cannot exceed 30 days. A duration in seconds with up to nine fractional digits, ending with ' |
GKEUpgradeOverride
Properties of a GKE upgrade that can be overridden by the user. For example, a user can skip soaking by overriding the soaking to 0.
JSON representation |
---|
{ "upgrade": { object ( |
Fields | |
---|---|
upgrade |
Required. Which upgrade to override. |
postConditions |
Required. Post conditions to override for the specified upgrade (name + version). |
GKEUpgrade
GKEUpgrade represents a GKE provided upgrade, e.g., control plane upgrade.
JSON representation |
---|
{ "name": string, "version": string } |
Fields | |
---|---|
name |
Name of the upgrade, e.g., "k8s_control_plane". It should be a valid upgrade name. It must not exceed 99 characters. |
version |
Version of the upgrade, e.g., "1.22.1-gke.100". It should be a valid version. It must not exceed 99 characters. |
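The FleetSpec, PostConditions, GKEUpgradeOverride and GKEUpgrade sections above state several limits: at most one upstream fleet in the initial implementation, a required soaking duration of at most 30 days, and upgrade name/version strings of at most 99 characters. The following is an added example (not code from the ClusterUpgrade feature or its documentation) that checks a FleetSpec against those limits before it is submitted. It assumes the Duration JSON encoding is a decimal number of seconds with up to nine fractional digits and a trailing "s" (for example "604800s"), since the page's text is cut off at the suffix.

```python
import re
from decimal import Decimal

MAX_SOAK_SECONDS = Decimal(30 * 24 * 3600)  # "Cannot exceed 30 days"
MAX_NAME_LEN = 99                            # upgrade name and version limit

# Assumed Duration encoding: seconds with up to nine fractional digits and a
# trailing 's', e.g. "3.5s" or "604800s" (the page's description is cut off).
_DURATION = re.compile(r"^(?P<secs>-?\d+(?:\.\d{1,9})?)s$")


def parse_duration_seconds(value):
    """Parse a Duration JSON string into a Decimal number of seconds; raise on bad input."""
    m = _DURATION.match(value or "")
    if not m:
        raise ValueError(f"invalid duration {value!r}")
    return Decimal(m.group("secs"))


def check_post_conditions(pc, where):
    """Validate one PostConditions block: soaking is required and at most 30 days."""
    if pc is None or "soaking" not in pc:
        return [f"{where}.soaking is required"]
    try:
        secs = parse_duration_seconds(pc["soaking"])
    except ValueError as e:
        return [f"{where}.soaking: {e}"]
    if secs < 0:
        return [f"{where}.soaking must not be negative"]
    if secs > MAX_SOAK_SECONDS:
        return [f"{where}.soaking {pc['soaking']} exceeds the 30-day maximum"]
    return []


def validate_fleet_spec(spec):
    """Return a list of problems for a ClusterUpgrade FleetSpec; empty means it passed."""
    problems = []
    if len(spec.get("upstreamFleets", [])) > 1:
        problems.append("upstreamFleets: the initial implementation allows at most one upstream fleet")
    problems += check_post_conditions(spec.get("postConditions"), "postConditions")
    for i, override in enumerate(spec.get("gkeUpgradeOverrides", [])):
        where = f"gkeUpgradeOverrides[{i}]"
        upgrade = override.get("upgrade") or {}
        for field in ("name", "version"):
            value = upgrade.get(field, "")
            if not value:
                problems.append(f"{where}.upgrade.{field} is required")
            elif len(value) > MAX_NAME_LEN:
                problems.append(f"{where}.upgrade.{field} exceeds {MAX_NAME_LEN} characters")
        # Each override carries its own PostConditions, e.g. soaking "0s" to skip soaking.
        problems += check_post_conditions(override.get("postConditions"), f"{where}.postConditions")
    return problems


# Constructed sample specs, not taken from a real fleet.
SAMPLE_OK = {
    "upstreamFleets": ["123456789012"],
    "postConditions": {"soaking": "604800s"},  # seven days
    "gkeUpgradeOverrides": [
        {"upgrade": {"name": "k8s_control_plane", "version": "1.22.1-gke.100"},
         "postConditions": {"soaking": "0s"}},
    ],
}
SAMPLE_BAD = {
    "upstreamFleets": ["111111111111", "222222222222"],
    "postConditions": {"soaking": "2592001s"},  # one second over 30 days
    "gkeUpgradeOverrides": [
        {"upgrade": {"name": "x" * 100}, "postConditions": {"soaking": "1h"}},
    ],
}

if __name__ == "__main__":
    for name, spec in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, validate_fleet_spec(spec) or "valid")
```

Decimal rather than float keeps the nine-fractional-digit resolution exact, so a value one nanosecond over the limit is still rejected.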
FeatureSpec
Dataplane V2: Spec
JSON representation |
---|
{ "enableEncryption": boolean } |
Fields | |
---|---|
enableEncryption |
Enable dataplane-v2 based encryption for multiple clusters. |
MembershipFeatureSpec
MembershipFeatureSpec contains configuration information for a single Membership. NOTE: Please use snake case in your feature name.
JSON representation |
---|
{ "origin": { object ( |
Fields | |
---|---|
origin |
Whether this per-Membership spec was inherited from a fleet-level default. This field can be updated by users by either overriding a Membership config (updated to USER implicitly) or setting to FLEET explicitly. |
Union field. Only one of the following can be set: |
configmanagement |
Config Management-specific spec. |
cloudbuild |
Cloud Build-specific spec |
identityservice |
Identity Service-specific spec. |
workloadcertificate |
Workload Certificate spec. |
mesh |
Anthos Service Mesh-specific spec |
anthosobservability |
Anthos Observability-specific spec |
policycontroller |
Policy Controller spec. |
fleetobservability |
Fleet observability membership spec |
namespaceactuation |
FNS Actuation membership spec |
MembershipSpec
Anthos Config Management: Configuration for a single cluster. Intended to parallel the ConfigManagement CR.
JSON representation |
---|
{ "configSync": { object ( |
Fields | |
---|---|
configSync |
Config Sync configuration for the cluster. |
policyController |
Policy Controller configuration for the cluster. |
binauthz |
Binauthz configuration for the cluster. Deprecated: This field will be ignored and should not be set. |
hierarchyController |
Hierarchy Controller configuration for the cluster. |
version |
Version of ACM installed. |
cluster |
The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. |
ConfigSync
Configuration for Config Sync
JSON representation |
---|
{ "git": { object ( |
Fields | |
---|---|
git |
Git repo configuration for the cluster. |
sourceFormat |
Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode. |
preventDrift |
Set to true to enable the Config Sync admission webhook to prevent drifts. If set to |
oci |
OCI repo configuration for the cluster |
allowVerticalScale |
Set to true to allow the vertical scaling. Defaults to false which disallows vertical scaling. This field is deprecated. |
metricsGcpServiceAccountEmail |
The email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount |
enabled |
Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if they exist. If set to false, all other ConfigSync fields will be ignored and ConfigSync resources will be deleted. If omitted, whether ConfigSync resources are managed depends on the presence of the git or oci field. |
GitConfig
Git repo configuration for a single cluster.
JSON representation |
---|
{ "syncRepo": string, "syncBranch": string, "policyDir": string, "syncWaitSecs": string, "syncRev": string, "secretType": string, "httpsProxy": string, "gcpServiceAccountEmail": string } |
Fields | |
---|---|
syncRepo |
The URL of the Git repository to use as the source of truth. |
syncBranch |
The branch of the repository to sync from. Default: master. |
policyDir |
The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository. |
syncWaitSecs |
Period in seconds between consecutive syncs. Default: 15. |
syncRev |
Git revision (tag or hash) to check out. Default HEAD. |
secretType |
Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. The validation of this is case-sensitive. Required. |
httpsProxy |
URL for the HTTPS proxy to be used when communicating with the Git repo. |
gcpServiceAccountEmail |
The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount. |
OciConfig
OCI repo configuration for a single cluster
JSON representation |
---|
{ "syncRepo": string, "policyDir": string, "syncWaitSecs": string, "secretType": string, "gcpServiceAccountEmail": string } |
Fields | |
---|---|
syncRepo |
The OCI image repository URL for the package to sync from. e.g. |
policyDir |
The absolute path of the directory that contains the local resources. Default: the root directory of the image. |
syncWaitSecs |
Period in seconds between consecutive syncs. Default: 15. |
secretType |
Type of secret configured for access to the Git repo. |
gcpServiceAccountEmail |
The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount. |
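The ConfigSync, GitConfig and OciConfig sections above carry rules that are easy to get wrong in a hand-written spec: the three-way meaning of `enabled`, the case-sensitive `secretType` list, and a `gcpServiceAccountEmail` that only matters for the gcpserviceaccount secret type. The following is an added example (not code from Config Sync or its documentation) that applies those rules to a ConfigSync block and adds one transport check of my own, flagging a plaintext `http://` syncRepo. The set of allowed secret types is the one the GitConfig section lists; the sample specs are constructed.

```python
from urllib.parse import urlparse

# secretType values the GitConfig reference allows (validation is case-sensitive).
GIT_SECRET_TYPES = {"ssh", "cookiefile", "gcenode", "token", "gcpserviceaccount", "none"}


def config_sync_managed(cs):
    """Apply the `enabled` rules: true -> resources created, false -> resources
    deleted, omitted -> managed only when a git or oci block is present."""
    enabled = cs.get("enabled")
    if enabled is None:
        return "git" in cs or "oci" in cs
    return bool(enabled)


def _check_sync_wait(block, where, problems):
    # syncWaitSecs is a string holding the period in seconds (default 15).
    wait = block.get("syncWaitSecs")
    if wait is not None and (not str(wait).isdigit() or int(wait) <= 0):
        problems.append(f"{where}.syncWaitSecs must be a positive integer string, got {wait!r}")


def _check_gsa(block, where, problems):
    # gcpServiceAccountEmail is the credential for the gcpserviceaccount secret type,
    # so its absence there leaves the sync with no way to authenticate.
    if block.get("secretType") == "gcpserviceaccount" and not block.get("gcpServiceAccountEmail"):
        problems.append(f"{where}.gcpServiceAccountEmail is required when secretType is gcpserviceaccount")


def validate_config_sync(cs):
    """Return a list of problems for a ConfigSync spec (empty list means it passed).

    When Config Sync is not managed the API ignores the other fields, so nothing
    is checked; otherwise the git and oci blocks are checked against the
    constraints the reference states plus the plaintext-transport check."""
    problems = []
    if not config_sync_managed(cs):
        return problems
    git = cs.get("git")
    if git is not None:
        secret_type = git.get("secretType")
        if secret_type is None:
            problems.append("git.secretType is required")
        elif secret_type not in GIT_SECRET_TYPES:  # exact-case comparison, as the API validates
            problems.append(f"git.secretType {secret_type!r} is not one of {sorted(GIT_SECRET_TYPES)}")
        repo = git.get("syncRepo")
        if not repo:
            problems.append("git.syncRepo is required; it is the source of truth for the cluster")
        elif urlparse(repo).scheme == "http":
            problems.append("git.syncRepo uses plaintext http; use https or ssh so policy cannot be altered in transit")
        _check_gsa(git, "git", problems)
        _check_sync_wait(git, "git", problems)
    oci = cs.get("oci")
    if oci is not None:
        if not oci.get("syncRepo"):
            problems.append("oci.syncRepo is required")
        _check_gsa(oci, "oci", problems)
        _check_sync_wait(oci, "oci", problems)
    return problems


# Constructed sample ConfigSync blocks, not from a real cluster.
SAMPLE_SPECS = {
    "good": {"git": {"syncRepo": "https://source.example/config.git", "secretType": "gcpserviceaccount",
                     "gcpServiceAccountEmail": "cs-sync@example-project.iam.gserviceaccount.com",
                     "syncWaitSecs": "15"}},
    "bad_case": {"enabled": True, "git": {"syncRepo": "https://source.example/config.git", "secretType": "SSH"}},
    "missing_gsa": {"git": {"syncRepo": "http://source.example/config.git", "secretType": "gcpserviceaccount"}},
    "disabled": {"enabled": False, "git": {"secretType": "bogus"}},  # ignored: Config Sync is torn down
    "omitted_no_source": {"sourceFormat": "unstructured"},           # neither git nor oci: not managed
}

if __name__ == "__main__":
    for name, spec in SAMPLE_SPECS.items():
        print(name, "managed" if config_sync_managed(spec) else "not managed", validate_config_sync(spec))
```

Note that `disabled` passes even with an invalid secretType: that mirrors the API, which ignores every other ConfigSync field once `enabled` is false, so a linter that complains there would only produce noise.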
PolicyController
Configuration for Policy Controller
JSON representation |
---|
{
"enabled": boolean,
"exemptableNamespaces": [
string
],
"referentialRulesEnabled": boolean,
"logDeniesEnabled": boolean,
"mutationEnabled": boolean,
"monitoring": {
object ( |
Fields | |
---|---|
enabled |
Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect. |
exemptableNamespaces[] |
The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. |
referentialRulesEnabled |
Enables the ability to use Constraint Templates that reference objects other than the object currently being evaluated. |
logDeniesEnabled |
Logs all denies and dry run failures. |
mutationEnabled |
Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster. |
monitoring |
Monitoring specifies the configuration of monitoring. |
updateTime |
Output only. Last time this membership spec was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
templateLibraryInstalled |
Installs the default template library along with Policy Controller. |
auditIntervalSeconds |
Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. |
PolicyControllerMonitoring
PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]
JSON representation |
---|
{
"backends": [
enum ( |
Fields | |
---|---|
backends[] |
Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. |
PolicyControllerMonitoring.MonitoringBackend
Supported backend options for monitoring
Enums | |
---|---|
MONITORING_BACKEND_UNSPECIFIED |
Backend cannot be determined |
PROMETHEUS |
Prometheus backend for monitoring |
CLOUD_MONITORING |
Stackdriver/Cloud Monitoring backend for monitoring |
BinauthzConfig
Configuration for Binauthz
JSON representation |
---|
{ "enabled": boolean } |
Fields | |
---|---|
enabled |
Whether binauthz is enabled in this cluster. |
HierarchyControllerConfig
Configuration for Hierarchy Controller
JSON representation |
---|
{ "enabled": boolean, "enablePodTreeLabels": boolean, "enableHierarchicalResourceQuota": boolean } |
Fields | |
---|---|
enabled |
Whether Hierarchy Controller is enabled in this cluster. |
enablePodTreeLabels |
Whether pod tree labels are enabled in this cluster. |
enableHierarchicalResourceQuota |
Whether hierarchical resource quota is enabled in this cluster. |
MembershipSpec
Cloud Build: Configurations for each Cloud Build enabled cluster.
JSON representation |
---|
{
"version": string,
"securityPolicy": enum ( |
Fields | |
---|---|
version |
Version of the cloud build software on the cluster. |
securityPolicy |
Whether privileged builds are allowed to run on the cluster. |
MembershipSpec.SecurityPolicy
Different security policies we can apply to the cluster.
Enums | |
---|---|
SECURITY_POLICY_UNSPECIFIED |
Unspecified policy |
NON_PRIVILEGED |
Privileged build pods are disallowed |
PRIVILEGED |
Privileged build pods are allowed |
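The PolicyController section above (enabled, logDeniesEnabled, auditIntervalSeconds, exemptableNamespaces, the deprecated binauthz field) and the Cloud Build SecurityPolicy enum just listed together describe the settings a fleet reviewer most wants to spot in a Feature's membershipSpecs. The following is an added example (not code from GKE Hub or its documentation) that walks a Feature and reports, per Membership, where policy enforcement is off, denies are not logged, audit is disabled, namespaces are exempted, a deprecated binauthz block is relied on, or privileged build pods are allowed. The severities are my own labelling; the sample Feature is constructed.

```python
def audit_policy_controller(pc):
    """(severity, message) findings for a configmanagement.policyController block."""
    out = []
    if not pc.get("enabled", False):
        # The reference says the rest of the fields take no effect when enabled is false.
        out.append(("high", "Policy Controller not enabled; no constraints are enforced on this cluster"))
        return out
    if not pc.get("logDeniesEnabled", False):
        out.append(("medium", "logDeniesEnabled is false; admission denies and dry-run failures are not logged"))
    interval = pc.get("auditIntervalSeconds")
    if interval is not None and int(interval) == 0:  # accepts int or numeric string
        out.append(("medium", "auditIntervalSeconds is 0; audit scans of existing resources are disabled"))
    exempt = pc.get("exemptableNamespaces", [])
    if exempt:
        out.append(("info", "namespaces exempt from Policy Controller checks: " + ", ".join(exempt)))
    return out


def audit_membership_specs(feature):
    """Walk feature['membershipSpecs'] and return {membership key: [(severity, message), ...]}.

    Memberships with no findings are left out of the result."""
    report = {}
    for key, spec in feature.get("membershipSpecs", {}).items():
        findings = []
        cm = spec.get("configmanagement", {})
        if "policyController" in cm:
            findings += audit_policy_controller(cm["policyController"])
        if cm.get("binauthz", {}).get("enabled"):
            # The reference marks this field deprecated and ignored, so enabling it
            # here provides no enforcement and can give a false sense of coverage.
            findings.append(("high", "configmanagement.binauthz is deprecated and ignored; do not rely on it"))
        cb = spec.get("cloudbuild")
        if cb is not None:
            policy = cb.get("securityPolicy", "SECURITY_POLICY_UNSPECIFIED")
            if policy == "PRIVILEGED":
                findings.append(("high", "cloudbuild.securityPolicy allows privileged build pods"))
            elif policy != "NON_PRIVILEGED":
                findings.append(("medium", f"cloudbuild.securityPolicy is {policy}; set NON_PRIVILEGED explicitly"))
        if findings:
            report[key] = findings
    return report


# Constructed sample Feature, not a real resource.
SAMPLE_FEATURE = {
    "membershipSpecs": {
        "projects/123456789012/locations/us-central1/memberships/prod": {
            "configmanagement": {"policyController": {
                "enabled": True, "logDeniesEnabled": True,
                "auditIntervalSeconds": 60, "exemptableNamespaces": []}},
            "cloudbuild": {"securityPolicy": "NON_PRIVILEGED"},
        },
        "projects/123456789012/locations/us-central1/memberships/dev": {
            "configmanagement": {
                "policyController": {"enabled": True, "logDeniesEnabled": False,
                                     "auditIntervalSeconds": 0,
                                     "exemptableNamespaces": ["kube-system", "sandbox"]},
                "binauthz": {"enabled": True}},
            "cloudbuild": {"securityPolicy": "PRIVILEGED"},
        },
        "projects/123456789012/locations/us-central1/memberships/legacy": {
            "configmanagement": {"policyController": {"enabled": False}},
        },
    }
}

if __name__ == "__main__":
    for key, findings in audit_membership_specs(SAMPLE_FEATURE).items():
        for severity, message in findings:
            print(f"[{severity}] {key}: {message}")
```

Feed it the JSON returned by a GET on the Feature; the `prod` Membership produces no output, which is the state every cluster should reach.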
MembershipSpec
Anthos Identity Service: Configuration for a single Membership.
JSON representation |
---|
{
"authMethods": [
{
object ( |
Fields | |
---|---|
authMethods[] |
A member may support multiple auth methods. |
MembershipSpec.AuthMethod
Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC or LDAP) can be set per AuthMethod.
JSON representation |
---|
{ "name": string, "proxy": string, // Union field |
Fields | |
---|---|
name |
Identifier for auth config. |
proxy |
Proxy server address to use for auth method. |
Union field auth_config. Supported auth configurations. auth_config can be only one of the following: |
oidcConfig |
OIDC specific configuration. |
azureadConfig |
AzureAD specific Configuration. |
googleConfig |
GoogleConfig specific configuration. |
MembershipSpec.AuthMethod.OidcConfig
Configuration for OIDC Auth flow.
JSON representation |
---|
{ "clientId": string, "certificateAuthorityData": string, "issuerUri": string, "kubectlRedirectUri": string, "scopes": string, "extraParams": string, "userClaim": string, "userPrefix": string, "groupsClaim": string, "groupPrefix": string, "deployCloudConsoleProxy": boolean, "clientSecret": string, "encryptedClientSecret": string, "enableAccessToken": boolean } |
Fields | |
---|---|
clientId |
ID for OIDC client application. |
certificateAuthorityData |
PEM-encoded CA for OIDC provider. |
issuerUri |
URI for the OIDC provider. This should point to the level below .well-known/openid-configuration. |
kubectlRedirectUri |
Registered redirect URI to which users going through the OAuth flow with the kubectl plugin are redirected. |
scopes |
Comma-separated list of identifiers. |
extraParams |
Comma-separated list of key-value pairs. |
userClaim |
Claim in OIDC ID token that holds username. |
userPrefix |
Prefix to prepend to user name. |
groupsClaim |
Claim in OIDC ID token that holds group information. |
groupPrefix |
Prefix to prepend to group name. |
deployCloudConsoleProxy |
Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console. |
clientSecret |
Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH. |
encryptedClientSecret |
Output only. Encrypted OIDC client secret. A base64-encoded string. |
enableAccessToken |
Enable access token. |
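The OidcConfig fields above carry a few constraints worth checking before a write request: issuerUri must point to the level below `.well-known/openid-configuration`, certificateAuthorityData is PEM, extraParams is a comma-separated list of key-value pairs, clientSecret is input only and encryptedClientSecret is output only. The following is an added example (not code from Anthos Identity Service or its documentation) that checks an oidcConfig block against those rules and derives the discovery URL from the issuer. The https requirement on issuerUri and the warning about an `http://` kubectlRedirectUri to a non-loopback host are my own additions, standard OIDC hygiene rather than rules stated on the page; the sample configs are constructed.

```python
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def discovery_url(issuer_uri):
    """Discovery document URL for an issuerUri that points one level below it."""
    return issuer_uri.rstrip("/") + DISCOVERY_SUFFIX


def check_oidc_config(oidc, for_request=True):
    """Return (severity, message) findings for an AuthMethod.oidcConfig block.

    for_request=True means the block is about to be sent in a write request, so
    the output-only encryptedClientSecret must be absent."""
    findings = []
    issuer = oidc.get("issuerUri", "")
    if urlparse(issuer).scheme != "https":
        # Added check: the ID-token signer is trusted through this URL.
        findings.append(("error", "issuerUri must use https"))
    if issuer.rstrip("/").endswith(DISCOVERY_SUFFIX):
        findings.append(("error", "issuerUri must point to the level below .well-known/openid-configuration"))
    ca = oidc.get("certificateAuthorityData")
    if ca is not None and "-----BEGIN CERTIFICATE-----" not in ca:
        findings.append(("error", "certificateAuthorityData must be a PEM-encoded CA"))
    bad_params = [p for p in oidc.get("extraParams", "").split(",") if p.strip() and "=" not in p]
    if bad_params:
        findings.append(("error", f"extraParams entries are not key=value pairs: {bad_params}"))
    redirect = urlparse(oidc.get("kubectlRedirectUri", ""))
    if redirect.scheme == "http" and redirect.hostname not in ("localhost", "127.0.0.1"):
        # Added check: the authorization code would travel in clear to a remote host.
        findings.append(("warning", "kubectlRedirectUri uses http to a non-loopback host"))
    if for_request and "encryptedClientSecret" in oidc:
        findings.append(("error", "encryptedClientSecret is output only; remove it from the request"))
    return findings


# Constructed sample configs; the secret is a placeholder, not a real credential.
SAMPLE_BAD_OIDC = {
    "clientId": "kubectl",
    "issuerUri": "https://idp.example.com/.well-known/openid-configuration",
    "certificateAuthorityData": "not-pem",
    "kubectlRedirectUri": "http://kubectl.example.com/callback",
    "scopes": "openid,email",
    "extraParams": "resource=k8s,prompt",
    "userClaim": "email",
    "clientSecret": "PLACEHOLDER-client-secret",
    "encryptedClientSecret": "AAAA",
}
SAMPLE_GOOD_OIDC = {
    "clientId": "kubectl",
    "issuerUri": "https://idp.example.com",
    "kubectlRedirectUri": "http://localhost:1025/callback",
    "scopes": "openid,email",
    "userClaim": "email",
    "clientSecret": "PLACEHOLDER-client-secret",
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_GOOD_OIDC["issuerUri"]))
    for severity, message in check_oidc_config(SAMPLE_BAD_OIDC):
        print(f"[{severity}] {message}")
```

Run the same check with `for_request=False` on a block read back from the API, where encryptedClientSecret is expected and clientSecret is never returned.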
MembershipSpec.AuthMethod.AzureADConfig
Configuration for the AzureAD Auth flow.
JSON representation |
---|
{ "clientId": string, "tenant": string, "kubectlRedirectUri": string, "clientSecret": string, "encryptedClientSecret": string } |
Fields | |
---|---|
clientId |
ID for the registered client application that makes authentication requests to the Azure AD identity provider. |
tenant |
Kind of Azure AD account to be authenticated. Supported values are |
kubectlRedirectUri |
The redirect URL that kubectl uses for authorization. |
clientSecret |
Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH. |
encryptedClientSecret |
Output only. Encrypted AzureAD client secret. A base64-encoded string. |
MembershipSpec.AuthMethod.GoogleConfig
Configuration for the Google Plugin Auth flow.
JSON representation |
---|
{ "disable": boolean } |
Fields | |
---|---|
disable |
Disable automatic configuration of Google Plugin on supported platforms. |
MembershipSpec
Service Mesh: Spec for a single Membership for the servicemesh feature
JSON representation |
---|
{ "controlPlane": enum ( |
Fields | |
---|---|
controlPlane |
Deprecated: use |
defaultChannel |
Determines which release channel to use for default injection and service mesh APIs. |
management |
Enables automatic Service Mesh management. |
MembershipSpec.ControlPlaneManagement
Whether to automatically manage Service Mesh control planes.
Enums | |
---|---|
CONTROL_PLANE_MANAGEMENT_UNSPECIFIED |
Unspecified |
AUTOMATIC |
Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install. |
MANUAL |
User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API) |
Channel
Channel indicates which release channel a revision is subscribed to. Release channels are arranged in order of risk.
Enums | |
---|---|
CHANNEL_UNSPECIFIED |
Unspecified |
RAPID |
RAPID channel is offered on an early access basis for customers who want to test new releases. |
REGULAR |
REGULAR channel is intended for production users who want to take advantage of new features. |
STABLE |
STABLE channel includes versions that are known to be stable and reliable in production. |
MembershipSpec.Management
Whether to automatically manage Service Mesh.
Enums | |
---|---|
MANAGEMENT_UNSPECIFIED |
Unspecified |
MANAGEMENT_AUTOMATIC |
Google should manage my Service Mesh for the cluster. |
MANAGEMENT_MANUAL |
User will manually configure their service mesh components. |
MembershipSpec
Policy Controller: Configuration for a single cluster. Intended to parallel the PolicyController CR.
JSON representation |
---|
{
"policyControllerHubConfig": {
object ( |
Fields | |
---|---|
policyControllerHubConfig |
Policy Controller configuration for the cluster. |
version |
Version of Policy Controller installed. |
HubConfig
Configuration for Policy Controller
JSON representation |
---|
{ "installSpec": enum ( |
Fields | |
---|---|
installSpec |
The installSpec represents the intended state specified by the latest request that mutated installSpec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state. |
exemptableNamespaces[] |
The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. |
referentialRulesEnabled |
Enables the ability to use Constraint Templates that reference objects other than the object currently being evaluated. |
logDeniesEnabled |
Logs all denies and dry run failures. |
mutationEnabled |
Enables the ability to mutate resources using Policy Controller. |
deploymentConfigs |
Map of deployment configs to deployments ("admission", "audit", "mutation"). An object containing a list of |
auditIntervalSeconds |
Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. |
monitoring |
Monitoring specifies the configuration of monitoring. |
policyContent |
Specifies the desired policy content on the cluster |
constraintViolationLimit |
The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used. |
HubConfig.InstallSpec
The set of installation specs that the Hub Feature controller may actuate.
Enums | |
---|---|
INSTALL_SPEC_UNSPECIFIED |
Spec is unknown. |
INSTALL_SPEC_NOT_INSTALLED |
Request to uninstall Policy Controller. |
INSTALL_SPEC_ENABLED |
Request to install and enable Policy Controller. |
INSTALL_SPEC_SUSPENDED |
Request to suspend Policy Controller i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended. |
INSTALL_SPEC_DETACHED |
Request to stop all reconciliation actions by PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources. |
MonitoringConfig
MonitoringConfig specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]
JSON representation |
---|
{
"backends": [
enum ( |
Fields | |
---|---|
backends[] |
Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. |
MonitoringConfig.MonitoringBackend
Supported backend options for monitoring
Enums | |
---|---|
MONITORING_BACKEND_UNSPECIFIED |
Backend cannot be determined |
PROMETHEUS |
Prometheus backend for monitoring |
CLOUD_MONITORING |
Stackdriver/Cloud Monitoring backend for monitoring |
PolicyContentSpec
PolicyContentSpec defines the user's desired content configuration on the cluster.
JSON representation |
---|
{ "bundles": { string: { object ( |
Fields | |
---|---|
bundles |
map of bundle name to BundleInstallSpec. The bundle name maps to the An object containing a list of |
templateLibrary |
Configures the installation of the Template Library. |
BundleInstallSpec
BundleInstallSpec is the specification configuration for a single managed bundle.
JSON representation |
---|
{ "exemptedNamespaces": [ string ] } |
Fields | |
---|---|
exemptedNamespaces[] |
The set of namespaces to be exempted from the bundle. |
TemplateLibraryConfig
The config specifying which default library templates to install.
JSON representation |
---|
{
"installation": enum ( |
Fields | |
---|---|
installation |
Configures the manner in which the template library is installed on the cluster. |
TemplateLibraryConfig.Installation
How the template library should be installed
Enums | |
---|---|
INSTALLATION_UNSPECIFIED |
No installation strategy has been specified. |
NOT_INSTALLED |
Do not install the template library. |
ALL |
Install the entire template library. |
PolicyControllerDeploymentConfig
Deployment-specific configuration.
JSON representation |
---|
{ "podTolerations": [ { object ( |
Fields | |
---|---|
podTolerations[] |
Pod tolerations of node taints. |
podAffinity |
Pod affinity configuration. |
replicaCount |
Pod replica count. |
containerResources |
Container resource requirements. |
podAntiAffinity |
Pod anti-affinity enablement. Deprecated: use |
ResourceRequirements
ResourceRequirements describes the compute resource requirements.
JSON representation |
---|
{ "limits": { object ( |
Fields | |
---|---|
limits |
Limits describes the maximum amount of compute resources allowed for use by the running container. |
requests |
Requests describes the amount of compute resources reserved for the container by the kube-scheduler. |
ResourceList
ResourceList contains container resource requirements.
JSON representation |
---|
{ "memory": string, "cpu": string } |
Fields | |
---|---|
memory |
Memory requirement expressed in Kubernetes resource units. |
cpu |
CPU requirement expressed in Kubernetes resource units. |
PolicyControllerDeploymentConfig.Toleration
Toleration of a node taint.
JSON representation |
---|
{ "key": string, "operator": string, "value": string, "effect": string } |
Fields | |
---|---|
key |
Matches a taint key (not necessarily unique). |
operator |
Matches a taint operator. |
value |
Matches a taint value. |
effect |
Matches a taint effect. |
PolicyControllerDeploymentConfig.Affinity
The pod affinity configuration used by a deployment.
Enums | |
---|---|
AFFINITY_UNSPECIFIED |
No affinity configuration has been specified. |
NO_AFFINITY |
Affinity configurations will be removed from the deployment. |
ANTI_AFFINITY |
Anti-affinity configuration will be applied to this deployment. Default for admissions deployment. |
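The HubConfig, HubConfig.InstallSpec, MonitoringConfig, PolicyContentSpec and PolicyControllerDeploymentConfig fields above carry the settings that decide whether Policy Controller actually enforces anything on a cluster: INSTALL_SPEC_SUSPENDED leaves only audit running, auditIntervalSeconds set to 0 turns audit off, an exempt namespace escapes every constraint, and an empty monitoring backend list silences metrics. The following linter is an added example, not Google's or the API's code; it reads a policycontroller membership spec of the shape shown above and reports the weak settings. The finding codes, the set of namespaces treated as "system", the single-replica threshold and both sample specs are this example's own constructions.

```python
"""Lint a Policy Controller HubConfig for settings that weaken enforcement.

Added example; this is not the GKE Hub API's or Google's code. The finding
codes (PC-00x), SYSTEM_NAMESPACES, the replica threshold and the two sample
specs are this example's own constructions.
"""
from dataclasses import dataclass

# Namespaces a reviewer would normally accept in exemptableNamespaces (assumption).
SYSTEM_NAMESPACES = {"kube-system", "gke-system", "gatekeeper-system",
                     "config-management-system"}


@dataclass(frozen=True)
class Finding:
    code: str
    field: str
    message: str


def lint_hub_config(hub: dict) -> list[Finding]:
    """Return the weak settings found in one policycontroller membership spec."""
    findings: list[Finding] = []

    spec = hub.get("installSpec", "INSTALL_SPEC_UNSPECIFIED")
    if spec == "INSTALL_SPEC_SUSPENDED":
        findings.append(Finding("PC-001", "installSpec",
                                "webhooks suspended: violations are audited but admission is not enforced"))
    elif spec == "INSTALL_SPEC_DETACHED":
        findings.append(Finding("PC-002", "installSpec",
                                "breakglass DETACHED: the Hub no longer reconciles cluster objects"))
    elif spec != "INSTALL_SPEC_ENABLED":
        findings.append(Finding("PC-003", "installSpec",
                                f"Policy Controller not requested as ENABLED ({spec})"))

    # Only an explicit 0 is flagged: the reference documents 0 as "audit disabled"
    # but does not state the default used when the field is unset.
    if hub.get("auditIntervalSeconds") == 0:
        findings.append(Finding("PC-004", "auditIntervalSeconds",
                                "audit scans disabled: pre-existing violations are never recorded"))

    if not hub.get("logDeniesEnabled", False):
        findings.append(Finding("PC-005", "logDeniesEnabled",
                                "denies and dry-run failures are not logged"))

    for ns in sorted(set(hub.get("exemptableNamespaces", [])) - SYSTEM_NAMESPACES):
        findings.append(Finding("PC-006", "exemptableNamespaces",
                                f"workload namespace {ns!r} is exempt from every constraint"))

    if not hub.get("monitoring", {}).get("backends"):
        findings.append(Finding("PC-007", "monitoring.backends",
                                "empty backend list disables metrics export"))

    library = hub.get("policyContent", {}).get("templateLibrary", {}).get("installation")
    if library == "NOT_INSTALLED":
        findings.append(Finding("PC-008", "policyContent.templateLibrary.installation",
                                "template library not installed"))

    admission = hub.get("deploymentConfigs", {}).get("admission", {})
    if admission.get("replicaCount") == 1:  # threshold is this example's choice
        findings.append(Finding("PC-009", "deploymentConfigs.admission.replicaCount",
                                "single admission webhook replica"))
    return findings


# Constructed sample specs, shaped like the "policycontroller" member of a
# MembershipSpec in the Feature's membershipSpecs map.
WEAK_SPEC = {
    "installSpec": "INSTALL_SPEC_SUSPENDED",
    "auditIntervalSeconds": 0,
    "logDeniesEnabled": False,
    "exemptableNamespaces": ["kube-system", "payments"],
    "monitoring": {"backends": []},
    "deploymentConfigs": {"admission": {"replicaCount": 1}},
}

HARDENED_SPEC = {
    "installSpec": "INSTALL_SPEC_ENABLED",
    "auditIntervalSeconds": 60,
    "logDeniesEnabled": True,
    "referentialRulesEnabled": True,
    "exemptableNamespaces": ["kube-system", "gke-system"],
    "monitoring": {"backends": ["CLOUD_MONITORING", "PROMETHEUS"]},
    "policyContent": {
        "templateLibrary": {"installation": "ALL"},
        "bundles": {"example-bundle": {"exemptedNamespaces": []}},  # hypothetical bundle name
    },
    "deploymentConfigs": {"admission": {
        "replicaCount": 3,
        "containerResources": {"limits": {"cpu": "1", "memory": "512Mi"}}}},
}


if __name__ == "__main__":
    for name, spec in (("weak", WEAK_SPEC), ("hardened", HARDENED_SPEC)):
        print(f"{name}: {len(lint_hub_config(spec))} finding(s)")
        for f in lint_hub_config(spec):
            print(f"  {f.code} {f.field}: {f.message}")
```

Run it against the `policycontroller` object pulled out of a Feature's `membershipSpecs` entry; an empty result for the hardened spec and a list of PC-00x findings for the weak one is the expected shape. The checks deliberately flag only values the reference defines (an explicit 0 for audit, an explicit SUSPENDED or DETACHED request) and do not guess at server-side defaults for unset fields.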
MembershipSpec
This type has no fields.
FleetObservability: The membership-specific input for FleetObservability feature.
MembershipSpec
This type has no fields.
Namespace Actuation: The membership-specific input for NamespaceActuation feature.
MembershipFeatureSpec.Origin
Origin defines where this MembershipFeatureSpec originated from.
JSON representation |
---|
{
"type": enum ( |
Fields | |
---|---|
type |
Type specifies which type of origin is set. |
MembershipFeatureSpec.Origin.Type
Type specifies the persona that persisted the config.
Enums | |
---|---|
TYPE_UNSPECIFIED |
Type is unknown or not set. |
FLEET |
Per-Membership spec was inherited from the fleet-level default. |
FLEET_OUT_OF_SYNC |
Per-Membership spec was inherited from the fleet-level default but is now out of sync with the current default. |
USER |
Per-Membership spec was inherited from a user specification. |
CommonFeatureState
CommonFeatureState contains Hub-wide Feature status information.
JSON representation |
---|
{ "state": { object ( |
Fields | |
---|---|
state |
Output only. The "running state" of the Feature in this Hub. |
Union field
|
|
servicemesh |
Service Mesh-specific state. |
appdevexperience |
Appdevexperience specific state. |
fleetobservability |
FleetObservability feature state. |
namespaceactuation |
Namespace Actuation feature state. |
clusterupgrade |
ClusterUpgrade fleet-level state. |
FeatureState
Service Mesh: State for the whole Hub, as analyzed by the Service Mesh Hub Controller.
JSON representation |
---|
{
"analysisMessages": [
{
object ( |
Fields | |
---|---|
analysisMessages[] |
Output only. Results of running Service Mesh analyzers. |
AnalysisMessage
AnalysisMessage is a single message produced by an analyzer, and it is used to communicate to the end user about the state of their Service Mesh configuration.
JSON representation |
---|
{
"messageBase": {
object ( |
Fields | |
---|---|
messageBase |
Details common to all types of Istio and ServiceMesh analysis messages. |
description |
A human readable description of what the error means. It is suitable for non-internationalized display purposes. |
resourcePaths[] |
A list of strings specifying the resource identifiers that were the cause of message generation. A "path" here may be: * MEMBERSHIP_ID if the cause is a specific member cluster * MEMBERSHIP_ID/(NAMESPACE\/)?RESOURCETYPE/NAME if the cause is a resource in a cluster |
args |
A UI can combine these args with a template (based on messageBase.type) to produce an internationalized message. |
AnalysisMessageBase
AnalysisMessageBase describes some common information that is needed for all messages.
JSON representation |
---|
{ "type": { object ( |
Fields | |
---|---|
type |
Represents the specific type of a message. |
level |
Represents how severe a message is. |
documentationUrl |
A url pointing to the Service Mesh or Istio documentation for this specific error type. |
AnalysisMessageBase.Type
A unique identifier for the type of message. Display_name is intended to be human-readable, code is intended to be machine readable. There should be a one-to-one mapping between displayName and code. (i.e. do not re-use display_names or codes between message types.) See istio.analysis.v1alpha1.AnalysisMessageBase.Type
JSON representation |
---|
{ "displayName": string, "code": string } |
Fields | |
---|---|
displayName |
A human-readable name for the message type. e.g. "InternalError", "PodMissingProxy". This should be the same for all messages of the same type. (This corresponds to the |
code |
A 7 character code matching |
AnalysisMessageBase.Level
The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later See istio.analysis.v1alpha1.AnalysisMessageBase.Level
Enums | |
---|---|
LEVEL_UNSPECIFIED |
Illegal. Same as istio.analysis.v1alpha1.AnalysisMessageBase.Level.UNKNOWN. |
ERROR |
ERROR represents a misconfiguration that must be fixed. |
WARNING |
WARNING represents a misconfiguration that should be fixed. |
INFO |
INFO represents an informational finding. |
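The resourcePaths format (a bare MEMBERSHIP_ID, or MEMBERSHIP_ID/(NAMESPACE/)?RESOURCETYPE/NAME) and the Level ordering above are what an on-call engineer needs to turn analysisMessages into a ranked work list. The following is an added example, not Google's or Istio's code: it parses each path into its membership, namespace, type and name components, rejects malformed paths instead of guessing, and sorts messages so that ERROR outranks WARNING outranks INFO. The sample messages, including their codes, displayNames and membership ids, are constructed for this example.

```python
"""Flatten Service Mesh AnalysisMessage objects into a severity-ordered triage list.

Added example, not Google's or Istio's code. The sample messages (codes,
displayNames, membership ids) are constructed values only.
"""
from dataclasses import dataclass
from typing import Optional

# Higher rank == more severe; LEVEL_UNSPECIFIED is documented as illegal, so it ranks last.
LEVEL_RANK = {"ERROR": 3, "WARNING": 2, "INFO": 1, "LEVEL_UNSPECIFIED": 0}


@dataclass(frozen=True)
class ResourcePath:
    membership: str
    namespace: Optional[str]
    resource_type: Optional[str]
    name: Optional[str]

    @property
    def cluster_level(self) -> bool:
        """True for the bare MEMBERSHIP_ID form (the cause is the whole cluster)."""
        return self.resource_type is None


def parse_resource_path(path: str) -> ResourcePath:
    parts = path.split("/")
    if any(p == "" for p in parts):
        raise ValueError(f"empty segment in resource path {path!r}")
    if len(parts) == 1:                       # MEMBERSHIP_ID
        return ResourcePath(parts[0], None, None, None)
    if len(parts) == 3:                       # MEMBERSHIP_ID/RESOURCETYPE/NAME (cluster-scoped resource)
        membership, rtype, name = parts
        return ResourcePath(membership, None, rtype, name)
    if len(parts) == 4:                       # MEMBERSHIP_ID/NAMESPACE/RESOURCETYPE/NAME
        membership, namespace, rtype, name = parts
        return ResourcePath(membership, namespace, rtype, name)
    raise ValueError(f"unrecognised resource path shape: {path!r}")


def resource_label(rp: ResourcePath) -> Optional[str]:
    if rp.cluster_level:
        return None
    prefix = f"{rp.namespace}/" if rp.namespace else ""
    return f"{prefix}{rp.resource_type}/{rp.name}"


def triage(messages: list[dict]) -> list[dict]:
    """One row per (message, resource path), most severe first. Unknown Levels
    are rejected rather than silently ranked, so a new enum value gets noticed."""
    rows = []
    for msg in messages:
        base = msg.get("messageBase", {})
        level = base.get("level", "LEVEL_UNSPECIFIED")
        if level not in LEVEL_RANK:
            raise ValueError(f"unknown AnalysisMessageBase.Level {level!r}")
        mtype = base.get("type", {})
        paths = [parse_resource_path(p) for p in msg.get("resourcePaths", [])] or [None]
        for rp in paths:
            rows.append({
                "level": level,
                "code": mtype.get("code", ""),
                "type": mtype.get("displayName", ""),
                "membership": rp.membership if rp else None,
                "resource": resource_label(rp) if rp else None,
                "description": msg.get("description", ""),
            })
    rows.sort(key=lambda r: -LEVEL_RANK[r["level"]])   # stable sort: ties keep API order
    return rows


# Constructed sample analysisMessages (codes and names are sample values only).
SAMPLE_MESSAGES = [
    {"messageBase": {"type": {"displayName": "PodMissingProxy", "code": "IST0103"}, "level": "WARNING"},
     "description": "pod is in a mesh namespace but has no sidecar",
     "resourcePaths": ["prod-us/payments/Pod/checkout-7d9f"]},
    {"messageBase": {"type": {"displayName": "InternalError", "code": "IST0001"}, "level": "ERROR"},
     "description": "analyzer failed on this cluster",
     "resourcePaths": ["prod-eu"]},
    {"messageBase": {"type": {"displayName": "NamespaceNotInjected", "code": "IST0102"}, "level": "INFO"},
     "description": "namespace is not labelled for injection",
     "resourcePaths": ["prod-us/Namespace/payments"]},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES):
        print(row["level"], row["code"], row["membership"], row["resource"])
```

Feed it the `analysisMessages` array from either the Hub-wide FeatureState or a per-membership MembershipState; a message with several resourcePaths becomes several rows so each affected object can be routed separately.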
FeatureState
FleetObservability: Hub-wide Feature state for the FleetObservability feature.
JSON representation |
---|
{ "logging": { object ( |
Fields | |
---|---|
logging |
The feature state of default logging. |
monitoring |
The feature state of fleet monitoring. |
FleetObservabilityLoggingState
Feature state for logging feature.
JSON representation |
---|
{ "defaultLog": { object ( |
Fields | |
---|---|
defaultLog |
The base feature state of fleet default log. |
scopeLog |
The base feature state of fleet scope log. |
FleetObservabilityBaseFeatureState
Base state for fleet observability feature.
JSON representation |
---|
{ "code": enum ( |
Fields | |
---|---|
code |
The high-level, machine-readable status of this Feature. |
errors[] |
Errors after reconciling the monitoring and logging feature if the code is not OK. |
FleetObservabilityBaseFeatureState.Code
Code represents a machine-readable, high-level status of the Feature.
Enums | |
---|---|
CODE_UNSPECIFIED |
Unknown or not set. |
OK |
The Feature is operating normally. |
ERROR |
The Feature is encountering errors in the reconciliation. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information. |
FleetObservabilityBaseFeatureState.FeatureError
All error details of the fleet observability feature.
JSON representation |
---|
{ "code": string, "description": string } |
Fields | |
---|---|
code |
The code of the error. |
description |
A human-readable description of the current status. |
FleetObservabilityMonitoringState
Feature state for monitoring feature.
JSON representation |
---|
{
"state": {
object ( |
Fields | |
---|---|
state |
The base feature state of fleet monitoring feature. |
FeatureState
This type has no fields.
NamespaceActuation Feature State.
FleetState
ClusterUpgrade: The state for the fleet-level ClusterUpgrade feature.
JSON representation |
---|
{ "downstreamFleets": [ string ], "ignored": { string: { object ( |
Fields | |
---|---|
downstreamFleets[] |
The fleets whose upstreamFleets contain the current fleet. The fleet name should be either the fleet project number or id. |
ignored |
A list of memberships ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of their release channel. The membership resource is in the format: An object containing a list of |
gkeState |
Feature state for GKE clusters. |
IgnoredMembership
IgnoredMembership represents a membership ignored by the feature. A membership can be ignored because it was manually upgraded to a newer version than RC default.
JSON representation |
---|
{ "reason": string, "ignoredTime": string } |
Fields | |
---|---|
reason |
Reason why the membership is ignored. |
ignoredTime |
Time when the membership was first set to ignored. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
GKEUpgradeFeatureState
GKEUpgradeFeatureState contains feature states for GKE clusters in the scope.
JSON representation |
---|
{ "upgradeState": [ { object ( |
Fields | |
---|---|
upgradeState[] |
Upgrade state. It will eventually replace |
conditions[] |
Current conditions of the feature. |
GKEUpgradeState
GKEUpgradeState is a GKEUpgrade and its state at the scope and fleet level.
JSON representation |
---|
{ "stats": { string: string, ... }, "upgrade": { object ( |
Fields | |
---|---|
stats |
Number of GKE clusters in each status code. An object containing a list of |
upgrade |
Which upgrade to track the state. |
status |
Status of the upgrade. |
UpgradeStatus
UpgradeStatus provides status information for each upgrade.
JSON representation |
---|
{
"code": enum ( |
Fields | |
---|---|
code |
Status code of the upgrade. |
reason |
Reason for this status. |
updateTime |
Last timestamp the status was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
UpgradeStatus.Code
Status code of an upgrade.
Enums | |
---|---|
CODE_UNSPECIFIED |
Required by https://linter.aip.dev/126/unspecified. |
INELIGIBLE |
The upgrade is ineligible. At the scope level, this means the upgrade is ineligible for all the clusters in the scope. |
PENDING |
The upgrade is pending. At the scope level, this means the upgrade is pending for all the clusters in the scope. |
IN_PROGRESS |
The upgrade is in progress. At the scope level, this means the upgrade is in progress for at least one cluster in the scope. |
SOAKING |
The upgrade has finished and is soaking until the soaking time is up. At the scope level, this means at least one cluster is in soaking while the rest are either soaking or complete. |
FORCED_SOAKING |
A cluster will be forced to enter soaking if an upgrade doesn't finish within a certain limit, regardless of its actual status. |
COMPLETE |
The upgrade has passed all post conditions (soaking). At the scope level, this means all eligible clusters are in COMPLETE status. |
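The UpgradeStatus.Code descriptions above define the scope-level code as a function of the per-cluster codes (INELIGIBLE and PENDING only when every cluster is, IN_PROGRESS as soon as one is, SOAKING when at least one is soaking and the rest are soaking or complete, COMPLETE when all eligible clusters are). The following is an added example, not Google's rollout-sequencing implementation: it applies those rules, produces the per-code counts that GKEUpgradeState.stats reports, and handles the FORCED_SOAKING edge case by treating an upgrade stuck IN_PROGRESS past a limit as forced into soaking. The 48-hour limit, the sample cluster records, the decision to leave INELIGIBLE clusters out of every aggregate except the all-INELIGIBLE case, and returning CODE_UNSPECIFIED for mixes the reference does not define are this example's assumptions.

```python
"""Roll per-cluster UpgradeStatus codes up to a scope-level code and stats.

Added example, not Google's implementation. The 48-hour forced-soaking
limit, the sample clusters and the handling of undefined mixes are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

_RFC3339_Z = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")
SOAK_CODES = {"SOAKING", "FORCED_SOAKING"}


def parse_rfc3339_utc(ts: str) -> datetime:
    """Parse the API's RFC3339 UTC "Zulu" timestamps. They may carry up to nine
    fractional digits; datetime keeps six, so the rest is truncated, not rejected."""
    match = _RFC3339_Z.match(ts)
    if not match:
        raise ValueError(f"not an RFC3339 UTC Zulu timestamp: {ts!r}")
    base, frac = match.groups()
    micros = int((frac or "0").ljust(6, "0")[:6])
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def effective_code(status: dict, now: datetime, limit: timedelta) -> str:
    """FORCED_SOAKING rule: an upgrade still IN_PROGRESS past `limit` (measured
    from its last updateTime) is treated as forced into soaking regardless of
    the reported code. Applying it to IN_PROGRESS only is an assumption."""
    code = status.get("code", "CODE_UNSPECIFIED")
    if code == "IN_PROGRESS" and "updateTime" in status:
        if now - parse_rfc3339_utc(status["updateTime"]) > limit:
            return "FORCED_SOAKING"
    return code


def upgrade_stats(codes: list[str]) -> dict[str, int]:
    """Number of clusters per status code, the shape GKEUpgradeState.stats uses."""
    return dict(Counter(codes))


def aggregate_scope_status(codes: list[str]) -> str:
    """Scope-level UpgradeStatus.Code derived from the per-cluster codes."""
    if not codes:
        return "CODE_UNSPECIFIED"
    if all(c == "INELIGIBLE" for c in codes):
        return "INELIGIBLE"                      # ineligible for all clusters
    eligible = [c for c in codes if c != "INELIGIBLE"]
    if "IN_PROGRESS" in eligible:
        return "IN_PROGRESS"                     # in progress for at least one cluster
    if all(c == "PENDING" for c in eligible):
        return "PENDING"                         # pending for all clusters
    if all(c == "COMPLETE" for c in eligible):
        return "COMPLETE"                        # all eligible clusters complete
    if any(c in SOAK_CODES for c in eligible) and all(
            c in SOAK_CODES or c == "COMPLETE" for c in eligible):
        return "SOAKING"                         # some soaking, the rest soaking or complete
    return "CODE_UNSPECIFIED"                    # e.g. PENDING next to COMPLETE: not defined above


def scope_status(clusters: dict, now: datetime,
                 limit: timedelta = timedelta(hours=48)) -> tuple[str, dict]:
    codes = [effective_code(s, now, limit) for s in clusters.values()]
    return aggregate_scope_status(codes), upgrade_stats(codes)


# Constructed per-cluster UpgradeStatus objects and a fixed "now".
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CLUSTERS = {
    "prod-a": {"code": "COMPLETE", "updateTime": "2024-04-30T08:00:00Z"},
    "prod-b": {"code": "SOAKING", "updateTime": "2024-05-01T09:30:00.123456789Z"},
    "prod-c": {"code": "IN_PROGRESS", "updateTime": "2024-04-28T10:00:00Z"},  # stuck for 74h
    "legacy": {"code": "INELIGIBLE"},
}

if __name__ == "__main__":
    print(scope_status(SAMPLE_CLUSTERS, NOW))
```

With the sample data the stuck cluster is reclassified as FORCED_SOAKING, so the scope reports SOAKING rather than IN_PROGRESS; raise the limit and the same input reports IN_PROGRESS. A downstream scope that gates on COMPLETE in its upstream (see ScopeSpec.upstreamScopes later on this page) therefore stays blocked until soaking finishes.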
GKEUpgradeFeatureCondition
GKEUpgradeFeatureCondition describes the condition of the feature for GKE clusters at a certain point of time.
JSON representation |
---|
{ "type": string, "status": string, "reason": string, "updateTime": string } |
Fields | |
---|---|
type |
Type of the condition, for example, "ready". |
status |
Status of the condition, one of True, False, Unknown. |
reason |
Reason why the feature is in this status. |
updateTime |
Last timestamp the condition was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
FeatureState
FeatureState describes the high-level state of a Feature. It may be used to describe a Feature's state at the environ-level, or per-membership, depending on the context.
JSON representation |
---|
{
"code": enum ( |
Fields | |
---|---|
code |
The high-level, machine-readable status of this Feature. |
description |
A human-readable description of the current status. |
updateTime |
The time this status and any related Feature-specific details were updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
FeatureState.Code
Code represents a machine-readable, high-level status of the Feature.
Enums | |
---|---|
CODE_UNSPECIFIED |
Unknown or not set. |
OK |
The Feature is operating normally. |
WARNING |
The Feature has encountered an issue, and is operating in a degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information. |
ERROR |
The Feature is not operating or is in a severely degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information. |
MembershipFeatureState
MembershipFeatureState contains Feature status information for a single Membership.
JSON representation |
---|
{ "state": { object ( |
Fields | |
---|---|
state |
The high-level state of this Feature for a single membership. |
Union field
|
|
servicemesh |
Service Mesh-specific state. |
metering |
Metering-specific state. |
configmanagement |
Config Management-specific state. |
identityservice |
Identity Service-specific state. |
appdevexperience |
Appdevexperience specific state. |
policycontroller |
Policycontroller-specific state. |
clusterupgrade |
ClusterUpgrade state. |
fleetobservability |
Fleet observability membership state. |
namespaceactuation |
FNS Actuation membership state. |
MembershipState
Service Mesh: State for a single Membership, as analyzed by the Service Mesh Hub Controller.
JSON representation |
---|
{ "analysisMessages": [ { object ( |
Fields | |
---|---|
analysisMessages[] |
Output only. Results of running Service Mesh analyzers. |
controlPlaneManagement |
Output only. Status of control plane management |
dataPlaneManagement |
Output only. Status of data plane management. |
configApiVersion |
The API version (i.e. Istio CRD version) for configuring service mesh in this cluster. This version is influenced by the |
MembershipState.ControlPlaneManagement
Status of control plane management.
JSON representation |
---|
{ "details": [ { object ( |
Fields | |
---|---|
details[] |
Explanation of state. |
state |
LifecycleState of control plane management. |
StatusDetails
Structured and human-readable details for a status.
JSON representation |
---|
{ "code": string, "details": string } |
Fields | |
---|---|
code |
A machine-readable code that further describes a broad status. |
details |
Human-readable explanation of code. |
MembershipState.LifecycleState
Lifecycle state of Service Mesh components.
Enums | |
---|---|
LIFECYCLE_STATE_UNSPECIFIED |
Unspecified |
DISABLED |
DISABLED means that the component is not enabled. |
FAILED_PRECONDITION |
FAILED_PRECONDITION means that provisioning cannot proceed because of some characteristic of the member cluster. |
PROVISIONING |
PROVISIONING means that provisioning is in progress. |
ACTIVE |
ACTIVE means that the component is ready for use. |
STALLED |
STALLED means that provisioning could not be done. |
NEEDS_ATTENTION |
NEEDS_ATTENTION means that the component is ready, but some user intervention is required. (For example that the user should migrate workloads to a new control plane revision.) |
DEGRADED |
DEGRADED means that the component is ready, but operating in a degraded state. |
MembershipState.DataPlaneManagement
Status of data plane management. Only reported per-member.
JSON representation |
---|
{ "state": enum ( |
Fields | |
---|---|
state |
Lifecycle status of data plane management. |
details[] |
Explanation of the status. |
MembershipState
Metering: Per-Membership Feature State.
JSON representation |
---|
{ "lastMeasurementTime": string, "preciseLastMeasuredClusterVcpuCapacity": number } |
Fields | |
---|---|
lastMeasurementTime |
The time stamp of the most recent measurement of the number of vCPUs in the cluster. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
preciseLastMeasuredClusterVcpuCapacity |
The vCPUs capacity in the cluster according to the most recent measurement (1/1000 precision). |
MembershipState
Anthos Config Management: State for a single cluster.
JSON representation |
---|
{ "clusterName": string, "membershipSpec": { object ( |
Fields | |
---|---|
clusterName |
This field is set to the |
membershipSpec |
Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipSpec in the FeatureSpec represents the intended state |
operatorState |
Current install status of ACM's Operator |
configSyncState |
Current sync status |
policyControllerState |
PolicyController status |
binauthzState |
Binauthz status |
hierarchyControllerState |
Hierarchy Controller status |
OperatorState
State information for an ACM's Operator
JSON representation |
---|
{ "version": string, "deploymentState": enum ( |
Fields | |
---|---|
version |
The semantic version number of the operator |
deploymentState |
The state of the Operator's deployment |
errors[] |
Install errors. |
DeploymentState
Enum representing the state of an ACM's deployment on a cluster
Enums | |
---|---|
DEPLOYMENT_STATE_UNSPECIFIED |
Deployment's state cannot be determined |
NOT_INSTALLED |
Deployment is not installed |
INSTALLED |
Deployment is installed |
ERROR |
Deployment was attempted to be installed, but has errors |
PENDING |
Deployment is installing or terminating |
InstallError
Errors pertaining to the installation of ACM
JSON representation |
---|
{ "errorMessage": string } |
Fields | |
---|---|
errorMessage |
A string representing the user facing error message |
ConfigSyncState
State information for ConfigSync
JSON representation |
---|
{ "version": { object ( |
Fields | |
---|---|
version |
The version of ConfigSync deployed |
deploymentState |
Information about the deployment of ConfigSync, including the version of the various Pods deployed |
syncState |
The state of ConfigSync's process to sync configs to a cluster |
errors[] |
Errors pertaining to the installation of Config Sync. |
ConfigSyncVersion
Specific versioning information pertaining to ConfigSync's Pods
JSON representation |
---|
{ "importer": string, "syncer": string, "gitSync": string, "monitor": string, "reconcilerManager": string, "rootReconciler": string, "admissionWebhook": string } |
Fields | |
---|---|
importer |
Version of the deployed importer pod |
syncer |
Version of the deployed syncer pod |
gitSync |
Version of the deployed git-sync pod |
monitor |
Version of the deployed monitor pod |
reconcilerManager |
Version of the deployed reconciler-manager pod |
rootReconciler |
Version of the deployed reconciler container in root-reconciler pod |
admissionWebhook |
Version of the deployed admissionWebhook pod |
ConfigSyncDeploymentState
The state of ConfigSync's deployment on a cluster
JSON representation |
---|
{ "importer": enum ( |
Fields | |
---|---|
importer |
Deployment state of the importer pod |
syncer |
Deployment state of the syncer pod |
gitSync |
Deployment state of the git-sync pod |
monitor |
Deployment state of the monitor pod |
reconcilerManager |
Deployment state of reconciler-manager pod |
rootReconciler |
Deployment state of root-reconciler |
admissionWebhook |
Deployment state of admission-webhook |
SyncState
State indicating an ACM's progress syncing configurations to a cluster
JSON representation |
---|
{ "sourceToken": string, "importToken": string, "syncToken": string, "lastSync": string, "lastSyncTime": string, "code": enum ( |
Fields | |
---|---|
sourceToken |
Token indicating the state of the repo. |
importToken |
Token indicating the state of the importer. |
syncToken |
Token indicating the state of the syncer. |
lastSync |
Deprecated: use lastSyncTime instead. Timestamp of when ACM last successfully synced the repo. The time format is specified in https://golang.org/pkg/time/#Time.String |
lastSyncTime |
Timestamp of when ACM last successfully synced the repo. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
code |
Sync status code |
errors[] |
A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist. |
SyncState.SyncCode
An enum representing Config Sync's status of syncing configs to a cluster.
Enums | |
---|---|
SYNC_CODE_UNSPECIFIED |
Config Sync cannot determine a sync code |
SYNCED |
Config Sync successfully synced the git Repo with the cluster |
PENDING |
Config Sync is in the progress of syncing a new change |
ERROR |
Indicates an error configuring Config Sync, and user action is required |
NOT_CONFIGURED |
Config Sync has been installed but not configured |
NOT_INSTALLED |
Config Sync has not been installed |
UNAUTHORIZED |
Error authorizing with the cluster |
UNREACHABLE |
Cluster could not be reached |
SyncError
An ACM-created error representing a problem syncing configurations
JSON representation |
---|
{
"code": string,
"errorMessage": string,
"errorResources": [
{
object ( |
Fields | |
---|---|
code |
An ACM defined error code |
errorMessage |
A description of the error |
errorResources[] |
A list of config(s) associated with the error, if any |
ErrorResource
Model for a config file in the git repo with an associated Sync error
JSON representation |
---|
{
"sourcePath": string,
"resourceName": string,
"resourceNamespace": string,
"resourceGvk": {
object ( |
Fields | |
---|---|
sourcePath |
Path in the git repo of the erroneous config |
resourceName |
Metadata name of the resource that is causing an error |
resourceNamespace |
Namespace of the resource that is causing an error |
resourceGvk |
Group/version/kind of the resource that is causing an error |
GroupVersionKind
A Kubernetes object's GVK
JSON representation |
---|
{ "group": string, "version": string, "kind": string } |
Fields | |
---|---|
group |
Kubernetes Group |
version |
Kubernetes Version |
kind |
Kubernetes Kind |
ConfigSyncError
Errors pertaining to the installation of Config Sync
JSON representation |
---|
{ "errorMessage": string } |
Fields | |
---|---|
errorMessage |
A string representing the user facing error message |
PolicyControllerState
State for PolicyControllerState.
JSON representation |
---|
{ "version": { object ( |
Fields | |
---|---|
version |
The version of Gatekeeper Policy Controller deployed. |
deploymentState |
The state about the policy controller installation. |
migration |
Record state of ACM -> PoCo Hub migration for this feature. |
PolicyControllerVersion
The build version of Gatekeeper that Policy Controller is using.
JSON representation |
---|
{ "version": string } |
Fields | |
---|---|
version |
The gatekeeper image tag that is composed of ACM version, git tag, build number. |
GatekeeperDeploymentState
State of Policy Controller installation.
JSON representation |
---|
{ "gatekeeperControllerManagerState": enum ( |
Fields | |
---|---|
gatekeeperControllerManagerState |
Status of gatekeeper-controller-manager pod. |
gatekeeperAudit |
Status of gatekeeper-audit deployment. |
gatekeeperMutation |
Status of the pod serving the mutation webhook. |
PolicyControllerMigration
State for the migration of PolicyController from ACM -> PoCo Hub.
JSON representation |
---|
{
"stage": enum ( |
Fields | |
---|---|
stage |
Stage of the migration. |
copyTime |
Last time this membership spec was copied to PoCo feature. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
PolicyControllerMigration.Stage
Stage marks what stage of the migration ACM hub is in.
Enums | |
---|---|
STAGE_UNSPECIFIED |
Unknown state of migration. |
ACM_MANAGED |
ACM Hub/Operator manages policycontroller. No migration yet completed. |
POCO_MANAGED |
All migrations steps complete; Poco Hub now manages policycontroller. |
BinauthzState
State for Binauthz
JSON representation |
---|
{ "webhook": enum ( |
Fields | |
---|---|
webhook |
The state of the binauthz webhook. |
version |
The version of binauthz that is installed. |
BinauthzVersion
The version of binauthz.
JSON representation |
---|
{ "webhookVersion": string } |
Fields | |
---|---|
webhookVersion |
The version of the binauthz webhook. |
HierarchyControllerState
State for Hierarchy Controller
JSON representation |
---|
{ "version": { object ( |
Fields | |
---|---|
version |
The version for Hierarchy Controller |
state |
The deployment state for Hierarchy Controller |
HierarchyControllerVersion
Version for Hierarchy Controller
JSON representation |
---|
{ "hnc": string, "extension": string } |
Fields | |
---|---|
hnc |
Version for open source HNC |
extension |
Version for Hierarchy Controller extension |
HierarchyControllerDeploymentState
Deployment state for Hierarchy Controller
JSON representation |
---|
{ "hnc": enum ( |
Fields | |
---|---|
hnc |
The deployment state for open source HNC (e.g. v0.7.0-hc.0) |
extension |
The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1) |
MembershipState
Anthos Identity Service: State for a single Membership.
JSON representation |
---|
{ "installedVersion": string, "state": enum ( |
Fields | |
---|---|
installedVersion |
Installed AIS version. This is the AIS version installed on this member. The value is meaningful only if state is OK. |
state |
Deployment state on this member |
failureReason |
The reason of the failure. |
memberConfig |
Last reconciled membership configuration |
MembershipState.DeploymentState
Deployment state enum
Enums | |
---|---|
DEPLOYMENT_STATE_UNSPECIFIED |
Unspecified state |
OK |
Deployment succeeded. |
ERROR |
Failure with error. |
MembershipState
Policy Controller: State for a single cluster.
JSON representation |
---|
{ "componentStates": { string: { object ( |
Fields | |
---|---|
componentStates |
Currently these include (also serving as map keys): 1. "admission" 2. "audit" 3. "mutation" An object containing a list of |
state |
The overall Policy Controller lifecycle state observed by the Hub Feature controller. |
policyContentState |
The overall content state observed by the Hub Feature controller. |
OnClusterState
OnClusterState represents the state of a sub-component of Policy Controller.
JSON representation |
---|
{
"state": enum ( |
Fields | |
---|---|
state |
The lifecycle state of this component. |
details |
Surface potential errors or information logs. |
MembershipState.LifecycleState
The set of states Policy Controller can exist in.
Enums | |
---|---|
LIFECYCLE_STATE_UNSPECIFIED |
The lifecycle state is unspecified. |
NOT_INSTALLED |
The PC does not exist on the given cluster, and no k8s resources of any type that are associated with the PC should exist there. The cluster does not possess a membership with the PCH. |
INSTALLING |
The PCH possesses a Membership, however the PC is not fully installed on the cluster. In this state the hub can be expected to be taking actions to install the PC on the cluster. |
ACTIVE |
The PC is fully installed on the cluster and in an operational mode. In this state PCH will be reconciling state with the PC, and the PC will be performing its operational tasks per that software. Entering the ACTIVE state requires that the hub has confirmed the PC is installed and its pods are operational with the version of the PC the PCH expects. |
UPDATING |
The PC is fully installed, but in the process of changing the configuration (including changing the version of PC either up or down, or modifying the manifests of PC) of the resources running on the cluster. The PCH has a Membership, is aware of the version the cluster should be running, but has not confirmed for itself that the PC is running with that version. |
DECOMMISSIONING |
The PC may have resources on the cluster, but the PCH wishes to remove the Membership. The Membership still exists. |
CLUSTER_ERROR |
The PC is not operational, and the PCH is unable to act to make it operational. Entering a CLUSTER_ERROR state happens automatically when the PCH determines that a PC installed on the cluster is non-operative or that the cluster does not meet requirements set for the PCH to administer the cluster but has nevertheless been given an instruction to do so (such as 'install'). |
HUB_ERROR |
In this state, the PC may still be operational, and only the PCH is unable to act. The hub should not issue instructions to change the PC state, or otherwise interfere with the on-cluster resources. Entering a HUB_ERROR state happens automatically when the PCH determines the hub is in an unhealthy state and it wishes to 'take hands off' to avoid corrupting the PC or other data. |
SUSPENDED |
Policy Controller (PC) is installed but suspended. This means that the policies are not enforced, but violations are still recorded (through audit). |
DETACHED |
PoCo Hub is not taking any action to reconcile cluster objects. Changes to those objects will not be overwritten by PoCo Hub. |
PolicyContentState
The state of the policy controller policy content
JSON representation |
---|
{ "templateLibraryState": { object ( |
Fields | |
---|---|
templateLibraryState |
The state of the template library |
bundleStates |
The state of any bundles included in the chosen version of the manifest. An object containing a list of |
referentialSyncConfigState |
The state of the referential data sync configuration. This could represent the state of either the syncSet object(s) or the config object, depending on the version of PoCo configured by the user. |
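The per-membership state types above are where drift between intended and observed security posture shows up: a Policy Controller MembershipState whose LifecycleState is SUSPENDED or DETACHED means admission is not enforcing even though the spec may request it, a Config Sync SyncState with code UNAUTHORIZED or UNREACHABLE means the cluster has stopped receiving policy from git, and an Identity Service DeploymentState of ERROR means authentication is not configured as intended. The following detection routine is an added example, not Google's code; it walks a Feature resource's membershipStates map (each value a MembershipFeatureState as documented above) and emits one alert per unhealthy component, ordered by severity. The sample response and the high/medium/low labels are constructed for this example.

```python
"""Turn a Feature's membershipStates into an alert list of clusters where an
enforcement or sync component is not in its healthy state.

Added example, not Google's code. It reads the MembershipFeatureState shapes
documented on this page (Policy Controller MembershipState/LifecycleState and
OnClusterState, Config Sync SyncState/SyncCode, Identity Service
DeploymentState, FeatureState.Code). The sample response and the severity
labels are constructed.
"""

# Policy Controller LifecycleState values in which admission is NOT enforcing.
PC_NOT_ENFORCING = {
    "NOT_INSTALLED": "Policy Controller not installed",
    "INSTALLING": "Policy Controller still installing",
    "SUSPENDED": "webhooks suspended: violations audited but admission not enforced",
    "DETACHED": "breakglass DETACHED: Hub is not reconciling cluster objects",
    "CLUSTER_ERROR": "Policy Controller non-operational and Hub cannot repair it",
    "DECOMMISSIONING": "Policy Controller being removed",
}

# Severity for a Config Sync SyncCode other than SYNCED (this example's mapping).
SYNC_SEVERITY = {"ERROR": "high", "UNAUTHORIZED": "high", "UNREACHABLE": "high",
                 "NOT_INSTALLED": "high", "NOT_CONFIGURED": "medium",
                 "PENDING": "low", "SYNC_CODE_UNSPECIFIED": "medium"}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def check_policycontroller(pc: dict) -> list[tuple[str, str]]:
    alerts = []
    state = pc.get("state", "LIFECYCLE_STATE_UNSPECIFIED")
    if state in PC_NOT_ENFORCING:
        alerts.append(("high", f"policycontroller state {state}: {PC_NOT_ENFORCING[state]}"))
    elif state == "HUB_ERROR":
        alerts.append(("medium", "policycontroller HUB_ERROR: Hub is hands-off; on-cluster enforcement may still work"))
    elif state == "UPDATING":
        alerts.append(("low", "policycontroller UPDATING: version/config change not yet confirmed by Hub"))
    elif state != "ACTIVE":
        alerts.append(("medium", f"policycontroller in unexpected state {state}"))
    # Even with the overall state ACTIVE, the "admission" component is what blocks bad objects.
    admission = pc.get("componentStates", {}).get("admission", {})
    if state == "ACTIVE" and admission.get("state") != "ACTIVE":
        msg = f"admission component state {admission.get('state', 'missing')}"
        if admission.get("details"):
            msg += f": {admission['details']}"
        alerts.append(("high", msg))
    return alerts


def check_configmanagement(cm: dict) -> list[tuple[str, str]]:
    alerts = []
    sync = cm.get("configSyncState", {}).get("syncState", {})
    code = sync.get("code", "SYNC_CODE_UNSPECIFIED")
    if code != "SYNCED":
        alerts.append((SYNC_SEVERITY.get(code, "medium"), f"config sync code {code}"))
    errors = sync.get("errors", [])
    for err in errors[:3]:                       # a few examples; the full list is in the API response
        alerts.append(("medium", f"config sync error {err.get('code', '?')}: {err.get('errorMessage', '')}"))
    if len(errors) >= 100:                       # the API truncates this list at 100 entries
        alerts.append(("medium", "config sync error list truncated at 100 entries; more may exist"))
    operator = cm.get("operatorState", {}).get("deploymentState")
    if operator and operator != "INSTALLED":
        alerts.append(("high", f"ACM operator deploymentState {operator}"))
    return alerts


def check_identityservice(ais: dict) -> list[tuple[str, str]]:
    if ais.get("state") == "ERROR":
        return [("high", f"identity service ERROR: {ais.get('failureReason', 'no reason given')}")]
    return []


def check_membership(name: str, mfs: dict) -> list[tuple[str, str, str]]:
    alerts = []
    fs = mfs.get("state", {})
    if fs.get("code") in ("WARNING", "ERROR"):
        alerts.append(("high" if fs["code"] == "ERROR" else "medium",
                       f"feature state {fs['code']}: {fs.get('description', '')}"))
    if "policycontroller" in mfs:
        alerts += check_policycontroller(mfs["policycontroller"])
    if "configmanagement" in mfs:
        alerts += check_configmanagement(mfs["configmanagement"])
    if "identityservice" in mfs:
        alerts += check_identityservice(mfs["identityservice"])
    return [(name, sev, msg) for sev, msg in alerts]


def check_feature(feature: dict) -> list[tuple[str, str, str]]:
    """`feature` is a Feature resource; membershipStates maps membership
    resource names to MembershipFeatureState objects."""
    out = []
    for name, mfs in feature.get("membershipStates", {}).items():
        out += check_membership(name, mfs)
    return sorted(out, key=lambda a: (SEVERITY_ORDER[a[1]], a[0]))


# Constructed fragment of a Feature response (error code is a sample value).
SAMPLE_FEATURE = {"membershipStates": {
    "projects/123/locations/us-central1/memberships/prod-a": {
        "state": {"code": "OK"},
        "policycontroller": {"state": "ACTIVE", "componentStates": {
            "admission": {"state": "ACTIVE"}, "audit": {"state": "ACTIVE"}}}},
    "projects/123/locations/us-central1/memberships/prod-b": {
        "state": {"code": "WARNING", "description": "webhook suspended by request"},
        "policycontroller": {"state": "SUSPENDED", "componentStates": {
            "admission": {"state": "SUSPENDED"}, "audit": {"state": "ACTIVE"}}}},
    "projects/123/locations/us-central1/memberships/edge-c": {
        "state": {"code": "OK"},
        "configmanagement": {
            "operatorState": {"deploymentState": "INSTALLED"},
            "configSyncState": {"syncState": {"code": "UNAUTHORIZED", "errors": [
                {"code": "SAMPLE001", "errorMessage": "git authentication failed"}]}}}},
}}

if __name__ == "__main__":
    for membership, severity, message in check_feature(SAMPLE_FEATURE):
        print(severity.upper(), membership.rsplit("/", 1)[-1], message)
```

Run it against the JSON of a Feature fetched from the API; the `policycontroller`, `configmanagement` and `identityservice` members are the union fields of MembershipFeatureState listed above, and a membership with none of them set yields no alerts. The admission-component check matters because the reference separates the overall LifecycleState from the per-component OnClusterState: an ACTIVE controller with a non-ACTIVE admission webhook still admits everything.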
MembershipState
Per-membership state for this feature.
JSON representation |
---|
{ "upgrades": [ { object ( |
Fields | |
---|---|
upgrades[] |
Actual upgrade state against desired. |
scopes[] |
Fully qualified scope names that this cluster is bound to which also have rollout sequencing enabled. |
ignored |
Whether this membership is ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of their release channel. |
MembershipGKEUpgradeState
MembershipGKEUpgradeState is a GKEUpgrade and its state per-membership.
JSON representation
{ "upgrade": { object (
| Field | Description |
|---|---|
| upgrade | The upgrade whose state is tracked. |
| status | Status of the upgrade. |
MembershipState
This type has no fields.
FleetObservability: Membership-specific Feature state for fleetobservability.
MembershipState
This type has no fields.
Namespace Actuation: An empty state left as an example membership-specific Feature state.
CommonFleetDefaultMemberConfigSpec
CommonFleetDefaultMemberConfigSpec contains default configuration information for memberships of a fleet.
JSON representation
{ // Union field
| Field | Description |
|---|---|
| Union field; can be only one of the following: | |
| mesh | Anthos Service Mesh-specific spec. |
| configmanagement | Config Management-specific spec. |
| identityservice | Identity Service-specific spec. |
| policycontroller | Policy Controller spec. |
ScopeFeatureSpec
ScopeFeatureSpec contains feature specs for a fleet scope.
JSON representation
{ // Union field
| Field | Description |
|---|---|
| Union field; can be only one of the following: | |
| clusterupgrade | Spec for the ClusterUpgrade feature at the scope level. |
ScopeSpec
ClusterUpgrade: The configuration for the scope-level ClusterUpgrade feature.
JSON representation
{ "upstreamScopes": [ string ], "postConditions": { object (
| Field | Description |
|---|---|
| upstreamScopes[] | This scope consumes upgrades that have the COMPLETE status code in the upstream scopes. See UpgradeStatus.Code for code definitions. The scope name should be in the form: Where {p} is the project and {s} is a valid Scope in this project. {p} WILL match the Feature's project. This is defined as repeated for future-proofing; the initial implementation enforces at most one upstream scope. |
| postConditions | Required. Post conditions to evaluate to mark an upgrade COMPLETE. |
| gkeUpgradeOverrides[] | Allows users to override some properties of each GKE upgrade. |
ScopeFeatureState
ScopeFeatureState contains Scope-wide Feature status information.
JSON representation
{ "state": { object (
| Field | Description |
|---|---|
| state | Output only. The "running state" of the Feature in this Scope. |
| Union field; can be only one of the following: | |
| clusterupgrade | State for the ClusterUpgrade feature at the scope level. |
ScopeState
ClusterUpgrade: The state for the scope-level ClusterUpgrade feature.
JSON representation
{ "downstreamScopes": [ string ], "ignored": { string: { object (
| Field | Description |
|---|---|
| downstreamScopes[] | The scopes whose upstreamScopes contain the current scope. The scope name should be in the form: Where {p} is the project and {s} is a valid Scope in this project. {p} WILL match the Feature's project. |
| ignored | The memberships ignored by the feature, keyed by membership resource name. For example, manually upgraded clusters can be ignored if they are newer than the default versions of their release channel. The membership resource is in the format: An object containing a list of |
| gkeState | Feature state for GKE clusters. |
Methods
- Adds a new Feature.
- Removes a Feature.
- Gets details of a single Feature.
- Gets the access control policy for a resource.
- Lists Features in a given project and location.
- Updates an existing Feature.
- Sets the access control policy on the specified resource.
- Returns permissions that a caller has on the specified resource.