REST Resource: projects.locations.features

Resource: Feature

Feature represents the settings and status of any Fleet Feature.

JSON representation
{
  "name": string,
  "labels": {
    string: string,
    ...
  },
  "resourceState": {
    object (FeatureResourceState)
  },
  "spec": {
    object (CommonFeatureSpec)
  },
  "membershipSpecs": {
    string: {
      object (MembershipFeatureSpec)
    },
    ...
  },
  "state": {
    object (CommonFeatureState)
  },
  "membershipStates": {
    string: {
      object (MembershipFeatureState)
    },
    ...
  },
  "createTime": string,
  "updateTime": string,
  "deleteTime": string,
  "fleetDefaultMemberConfig": {
    object (CommonFleetDefaultMemberConfigSpec)
  },
  "scopeSpecs": {
    string: {
      object (ScopeFeatureSpec)
    },
    ...
  },
  "scopeStates": {
    string: {
      object (ScopeFeatureState)
    },
    ...
  },
  "unreachable": [
    string
  ]
}
Fields
name

string

Output only. The full, unique name of this Feature resource in the format projects/*/locations/*/features/*.

labels

map (key: string, value: string)

Labels for this Feature.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

resourceState

object (FeatureResourceState)

Output only. State of the Feature resource itself.

spec

object (CommonFeatureSpec)

Optional. Fleet-wide Feature configuration. If this Feature does not support any Fleet-wide configuration, this field may be unused.

membershipSpecs

map (key: string, value: object (MembershipFeatureSpec))

Optional. Membership-specific configuration for this Feature. If this Feature does not support any per-Membership configuration, this field may be unused.

The keys indicate which Membership the configuration is for, in the form:

projects/{p}/locations/{l}/memberships/{m}

Where {p} is the project, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} WILL match the Feature's project.

{p} will always be returned as the project number, but the project ID is also accepted during input. If the same Membership is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
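The project-ID versus project-number ambiguity described above is easy to trip over when a Feature is assembled from several sources (Terraform, a pipeline, hand edits). The following Python helper is an added example, not part of the GKE Hub API or its client libraries: it rewrites every membershipSpecs or scopeSpecs key to the project-number form the API returns, rejects keys outside the Feature's project, and refuses to continue if two entries collapse onto the same Membership with different specs instead of letting the server keep an arbitrary one. The PROJECT_NUMBERS table, project name and cluster names are constructed for the example; in practice the number comes from the Resource Manager API.

```python
import re
from typing import Any, Dict, Mapping

# Key shapes used by the Feature resource's per-Membership and per-Scope maps.
_KEY_FORMS = (
    re.compile(r"^projects/(?P<project>[^/]+)/locations/[^/]+/memberships/[^/]+$"),
    re.compile(r"^projects/(?P<project>[^/]+)/locations/global/scopes/[^/]+$"),
)

# Constructed project ID -> project number table. Assumption: in real use this
# is looked up through the Resource Manager API rather than hard-coded.
PROJECT_NUMBERS: Dict[str, str] = {"example-fleet-project": "123456789012"}


def normalize_key(key: str, project_numbers: Mapping[str, str]) -> str:
    """Return `key` with its project segment rewritten to the project-number form."""
    for form in _KEY_FORMS:
        m = form.match(key)
        if m:
            break
    else:
        raise ValueError(f"not a Membership or Scope resource name: {key!r}")
    project = m.group("project")
    if project.isdigit():  # already the form the API returns
        return key
    if project not in project_numbers:
        raise ValueError(f"unknown project ID {project!r} in key {key!r}")
    return key[: m.start("project")] + project_numbers[project] + key[m.end("project") :]


def normalize_spec_map(
    specs: Mapping[str, Any],
    project_numbers: Mapping[str, str],
    feature_project_number: str,
) -> Dict[str, Any]:
    """Rewrite all keys to project-number form; fail on cross-project or conflicting entries.

    The API keeps exactly one of two entries that name the same Membership in
    different forms, with no guarantee which, so a collision is surfaced here
    instead of being resolved silently on the server.
    """
    out: Dict[str, Any] = {}
    for key, spec in specs.items():
        norm = normalize_key(key, project_numbers)
        if norm.split("/")[1] != feature_project_number:
            raise ValueError(f"{key!r} is not in the Feature's project {feature_project_number}")
        if norm in out and out[norm] != spec:
            raise ValueError(f"{key!r} conflicts with an earlier entry for {norm}")
        out[norm] = spec
    return out


def example_membership_specs() -> Dict[str, Any]:
    """Constructed membershipSpecs input that mixes both key forms for one project."""
    return normalize_spec_map(
        {
            "projects/example-fleet-project/locations/us-central1/memberships/cluster-a": {
                "configmanagement": {"version": "1.17.0"}
            },
            "projects/123456789012/locations/us-central1/memberships/cluster-b": {
                "configmanagement": {"version": "1.17.0"}
            },
        },
        PROJECT_NUMBERS,
        "123456789012",
    )
```

Run the normalized map through this before every PATCH of a Feature; the same helper applies unchanged to scopeSpecs keys because both key shapes are accepted.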

state

object (CommonFeatureState)

Output only. The Fleet-wide Feature state.

membershipStates

map (key: string, value: object (MembershipFeatureState))

Output only. Membership-specific Feature status. If this Feature does not report any per-Membership status, this field may be unused.

The keys indicate which Membership the state is for, in the form:

projects/{p}/locations/{l}/memberships/{m}

Where {p} is the project number, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} MUST match the Feature's project number.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

createTime

string (Timestamp format)

Output only. When the Feature resource was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. When the Feature resource was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deleteTime

string (Timestamp format)

Output only. When the Feature resource was deleted.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

fleetDefaultMemberConfig

object (CommonFleetDefaultMemberConfigSpec)

Optional. Feature configuration applicable to all memberships of the fleet.

scopeSpecs

map (key: string, value: object (ScopeFeatureSpec))

Optional. Scope-specific configuration for this Feature. If this Feature does not support any per-Scope configuration, this field may be unused.

The keys indicate which Scope the configuration is for, in the form:

projects/{p}/locations/global/scopes/{s}

Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project.

{p} will always be returned as the project number, but the project ID is also accepted during input. If the same Scope is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

scopeStates

map (key: string, value: object (ScopeFeatureState))

Output only. Scope-specific Feature status. If this Feature does not report any per-Scope status, this field may be unused.

The keys indicate which Scope the state is for, in the form:

projects/{p}/locations/global/scopes/{s}

Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

unreachable[]

string

Output only. List of locations that could not be reached while fetching this feature.

FeatureResourceState

FeatureResourceState describes the state of a Feature resource in the GkeHub API. See FeatureState for the "running state" of the Feature in the Fleet and across Memberships.

JSON representation
{
  "state": enum (FeatureResourceState.State)
}
Fields
state

enum (FeatureResourceState.State)

The current state of the Feature resource in the Hub API.

FeatureResourceState.State

State describes the lifecycle status of a Feature.

Enums
STATE_UNSPECIFIED State is unknown or not set.
ENABLING The Feature is being enabled, and the Feature resource is being created. Once complete, the corresponding Feature will be enabled in this Fleet.
ACTIVE The Feature is enabled in this Fleet, and the Feature resource is fully available.
DISABLING The Feature is being disabled in this Fleet, and the Feature resource is being deleted.
UPDATING The Feature resource is being updated.
SERVICE_UPDATING The Feature resource is being updated by the Hub Service.

CommonFeatureSpec

CommonFeatureSpec contains Fleet-wide configuration information

JSON representation
{

  // Union field feature_spec can be only one of the following:
  "multiclusteringress": {
    object (FeatureSpec)
  },
  "cloudauditlogging": {
    object (FeatureSpec)
  },
  "workloadcertificate": {
    object (FeatureSpec)
  },
  "appdevexperience": {
    object (AppDevExperienceFeatureSpec)
  },
  "anthosobservability": {
    object (AnthosObservabilityFeatureSpec)
  },
  "fleetobservability": {
    object (FeatureSpec)
  },
  "namespaceactuation": {
    object (FeatureSpec)
  },
  "clusterupgrade": {
    object (FleetSpec)
  },
  "dataplanev2": {
    object (FeatureSpec)
  }
  // End of list of possible types for union field feature_spec.
}
Fields

Union field feature_spec.

feature_spec can be only one of the following:

multiclusteringress

object (FeatureSpec)

Multicluster Ingress-specific spec.

cloudauditlogging

object (FeatureSpec)

Cloud Audit Logging-specific spec.

workloadcertificate

object (FeatureSpec)

Workload Certificate spec.

appdevexperience

object (AppDevExperienceFeatureSpec)

Appdevexperience specific spec.

anthosobservability

object (AnthosObservabilityFeatureSpec)

Anthos Observability spec

fleetobservability

object (FeatureSpec)

FleetObservability feature spec.

namespaceactuation

object (FeatureSpec)

Namespace Actuation feature spec

clusterupgrade

object (FleetSpec)

ClusterUpgrade (fleet-based) feature spec.

dataplanev2

object (FeatureSpec)

DataplaneV2 feature spec.

FeatureSpec

Multi-cluster Ingress: The configuration for the MultiClusterIngress feature.

JSON representation
{
  "configMembership": string,
  "billing": enum (Billing)
}
Fields
configMembership

string

Fully-qualified Membership name which hosts the MultiClusterIngress CRD. Example: projects/foo-proj/locations/global/memberships/bar

billing
(deprecated)

enum (Billing)

Deprecated: This field will be ignored and should not be set. Customer's billing structure.

Billing

Deprecated: The FeatureSpec.billing field is no longer used. Billing identifies which billing structure the customer is using.

Enums
BILLING_UNSPECIFIED Unknown
PAY_AS_YOU_GO User pays a fee per-endpoint.
ANTHOS_LICENSE User is paying for Anthos as a whole.

FeatureSpec

Cloud Audit Logging: Spec for Audit Logging Allowlisting.

JSON representation
{
  "allowlistedServiceAccounts": [
    string
  ]
}
Fields
allowlistedServiceAccounts[]

string

Service accounts that should be allowlisted to send the audit logs; e.g. cloudauditlogging@gcp-project.iam.gserviceaccount.com. These accounts must already exist, but do not need any permissions granted to them. The customer's entitlements are checked before allowlisting (i.e. the customer must be an Anthos customer).

FeatureSpec

Workload Certificate: The Hub-wide input for the WorkloadCertificate feature.

JSON representation
{
  "provisionGoogleCa": enum (FeatureSpec.GoogleCAProvisioning),
  "defaultConfig": {
    object (MembershipSpec)
  }
}
Fields
provisionGoogleCa

enum (FeatureSpec.GoogleCAProvisioning)

Immutable. Specifies CA configuration.

defaultConfig

object (MembershipSpec)

Specifies default membership spec. Users can override the default in the memberConfigs for each member.

FeatureSpec.GoogleCAProvisioning

Specifies if a default Google managed CA should be provisioned. If UNSPECIFIED, Google managed CA feature is disabled. If set to UNSPECIFIED/DISABLED, the "certificate_authority_config" field in WorkloadCertificateConfig must specify a CA endpoint.

Enums
GOOGLE_CA_PROVISIONING_UNSPECIFIED Disable default Google managed CA.
DISABLED Disable default Google managed CA.
ENABLED Use default Google managed CA.
ENABLED_WITH_MANAGED_CA Workload certificate feature is enabled, and the entire certificate provisioning process is managed by Google with managed CAS which is more secure than the default CA.
ENABLED_WITH_DEFAULT_CA Workload certificate feature is enabled, and the entire certificate provisioning process is using the default CA which is free.

MembershipSpec

Workload Certificate: The membership-specific input for WorkloadCertificate feature.

JSON representation
{
  "certificateManagement": enum (MembershipSpec.CertificateManagement)
}
Fields
certificateManagement

enum (MembershipSpec.CertificateManagement)

Specifies workload certificate management.

MembershipSpec.CertificateManagement

Specifies whether or not the feature is enabled on the member cluster.

Enums
CERTIFICATE_MANAGEMENT_UNSPECIFIED Disable workload certificate feature.
DISABLED Disable workload certificate feature.
ENABLED Enable workload certificate feature.

AnthosObservabilityFeatureSpec

Anthos Observability: Spec

JSON representation
{
  "defaultMembershipSpec": {
    object (AnthosObservabilityMembershipSpec)
  }
}
Fields
defaultMembershipSpec

object (AnthosObservabilityMembershipSpec)

Default membership spec for unconfigured memberships

AnthosObservabilityMembershipSpec

Anthosobservability: Per-Membership Feature spec.

JSON representation
{
  "enableStackdriverOnApplications": boolean,
  "doNotOptimizeMetrics": boolean,
  "version": string
}
Fields
enableStackdriverOnApplications

boolean

Enable collecting and reporting metrics and logs from user apps.

doNotOptimizeMetrics

boolean

Use the full set of metrics rather than optimized metrics. See https://cloud.google.com/anthos/clusters/docs/on-prem/1.8/concepts/logging-and-monitoring#optimized_metrics_default_metrics

version

string

The version of the Stackdriver operator used by this feature.

FeatureSpec

Fleet Observability: The Hub-wide input for the FleetObservability feature.

JSON representation
{
  "loggingConfig": {
    object (LoggingConfig)
  }
}
Fields
loggingConfig

object (LoggingConfig)

Specified if fleet logging feature is enabled for the entire fleet. If UNSPECIFIED, fleet logging feature is disabled for the entire fleet.

LoggingConfig

LoggingConfig defines the configuration for different types of logs.

JSON representation
{
  "defaultConfig": {
    object (RoutingConfig)
  },
  "fleetScopeLogsConfig": {
    object (RoutingConfig)
  }
}
Fields
defaultConfig

object (RoutingConfig)

Specified if applying the default routing config to logs not specified in other configs.

fleetScopeLogsConfig

object (RoutingConfig)

Specified if applying the routing config to all logs for all fleet scopes.

RoutingConfig

RoutingConfig configures the behaviour of fleet logging feature.

JSON representation
{
  "mode": enum (RoutingConfig.Mode)
}
Fields
mode

enum (RoutingConfig.Mode)

mode configures the logs routing mode.

RoutingConfig.Mode

Specified if fleet logging feature is enabled.

Enums
MODE_UNSPECIFIED If UNSPECIFIED, fleet logging feature is disabled.
COPY logs will be copied to the destination project.
MOVE logs will be moved to the destination project.

FeatureSpec

Namespace Actuation: Spec for the actuation feature. A spec message is required because the Feature proto requires one; its only field is actuationMode.

JSON representation
{
  "actuationMode": enum (FeatureSpec.ActuationMode)
}
Fields
actuationMode

enum (FeatureSpec.ActuationMode)

actuationMode controls the behavior of the controller

FeatureSpec.ActuationMode

ActuationMode controls the behavior of the controller

Enums
ACTUATION_MODE_UNSPECIFIED Behaves like ACTUATION_MODE_CREATE_AND_DELETE_IF_CREATED, the default controller behavior.
ACTUATION_MODE_CREATE_AND_DELETE_IF_CREATED ACTUATION_MODE_CREATE_AND_DELETE_IF_CREATED has the controller create cluster namespaces for each fleet namespace and it deletes only the ones it created, which are identified by a label.
ACTUATION_MODE_ADD_AND_REMOVE_FLEET_LABELS ACTUATION_MODE_ADD_AND_REMOVE_FLEET_LABELS has the controller only apply labels to cluster namespaces to signal fleet namespace enablement. It doesn't create or delete cluster namespaces.

FleetSpec

ClusterUpgrade: The configuration for the fleet-level ClusterUpgrade feature.

JSON representation
{
  "upstreamFleets": [
    string
  ],
  "postConditions": {
    object (PostConditions)
  },
  "gkeUpgradeOverrides": [
    {
      object (GKEUpgradeOverride)
    }
  ]
}
Fields
upstreamFleets[]

string

This fleet consumes upgrades that have COMPLETE status code in the upstream fleets. See UpgradeStatus.Code for code definitions.

The fleet name should be either fleet project number or id.

This is defined as repeated for future-proofing; the initial implementation enforces at most one upstream fleet.

postConditions

object (PostConditions)

Required. Post conditions to evaluate to mark an upgrade COMPLETE.

gkeUpgradeOverrides[]

object (GKEUpgradeOverride)

Allow users to override some properties of each GKE upgrade.

PostConditions

Post conditional checks after an upgrade has been applied on all eligible clusters.

JSON representation
{
  "soaking": string
}
Fields
soaking

string (Duration format)

Required. Amount of time to "soak" after a rollout has finished before marking it COMPLETE. Cannot exceed 30 days.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

GKEUpgradeOverride

Properties of a GKE upgrade that can be overridden by the user. For example, a user can skip soaking by overriding the soaking to 0.

JSON representation
{
  "upgrade": {
    object (GKEUpgrade)
  },
  "postConditions": {
    object (PostConditions)
  }
}
Fields
upgrade

object (GKEUpgrade)

Required. Which upgrade to override.

postConditions

object (PostConditions)

Required. Post conditions to override for the specified upgrade (name + version).

GKEUpgrade

GKEUpgrade represents a GKE provided upgrade, e.g., control plane upgrade.

JSON representation
{
  "name": string,
  "version": string
}
Fields
name

string

Name of the upgrade, e.g., "k8s_control_plane". It should be a valid upgrade name. It must not exceed 99 characters.

version

string

Version of the upgrade, e.g., "1.22.1-gke.100". It should be a valid version. It must not exceed 99 characters.
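The ClusterUpgrade FleetSpec above carries several constraints that the reference states in prose: at most one upstream fleet, a required postConditions block, a soaking Duration that cannot exceed 30 days, and upgrade name/version strings of at most 99 characters. The following Python validator is an added example (not GKE Hub client code) that checks a spec against those rules before it is sent, parsing the Duration format described under PostConditions. An override that sets soaking to "0s" is legal, so it is reported as a warning rather than an error. EXAMPLE_SPEC is a constructed input; the upstream fleet number is a placeholder.

```python
import re
from decimal import Decimal
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

MAX_SOAK_SECONDS = Decimal(30 * 24 * 60 * 60)  # soaking "cannot exceed 30 days"
MAX_UPGRADE_FIELD_LEN = 99                       # GKEUpgrade name/version limit

# Duration format: whole seconds, optional fraction of up to nine digits, trailing 's'.
_DURATION = re.compile(r"^(?P<whole>\d+)(?P<frac>\.\d{1,9})?s$")


def parse_duration(text: str) -> Decimal:
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f'{text!r} is not a Duration such as "3.5s"')
    return Decimal(m.group("whole") + (m.group("frac") or ""))


def check_post_conditions(pc: Dict[str, Any], where: str) -> List[Finding]:
    soaking = pc.get("soaking")
    if soaking is None:
        return [("ERROR", f"{where}.soaking is required")]
    try:
        secs = parse_duration(soaking)
    except ValueError as exc:
        return [("ERROR", f"{where}.soaking: {exc}")]
    if secs > MAX_SOAK_SECONDS:
        return [("ERROR", f"{where}.soaking {soaking} exceeds the 30-day maximum")]
    if secs == 0:
        return [("WARN", f"{where}.soaking is 0s: upgrades are marked COMPLETE with no soak")]
    return []


def validate_cluster_upgrade_spec(spec: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []
    if len(spec.get("upstreamFleets", [])) > 1:
        findings.append(("ERROR", "upstreamFleets: at most one upstream fleet is enforced"))
    if "postConditions" not in spec:
        findings.append(("ERROR", "postConditions is required"))
    else:
        findings += check_post_conditions(spec["postConditions"], "postConditions")
    for i, override in enumerate(spec.get("gkeUpgradeOverrides", [])):
        where = f"gkeUpgradeOverrides[{i}]"
        upgrade = override.get("upgrade") or {}
        for field in ("name", "version"):
            value = upgrade.get(field)
            if not value:
                findings.append(("ERROR", f"{where}.upgrade.{field} is required"))
            elif len(value) > MAX_UPGRADE_FIELD_LEN:
                findings.append(("ERROR", f"{where}.upgrade.{field} exceeds {MAX_UPGRADE_FIELD_LEN} characters"))
        if "postConditions" not in override:
            findings.append(("ERROR", f"{where}.postConditions is required"))
        else:
            findings += check_post_conditions(override["postConditions"], f"{where}.postConditions")
    return findings


# Constructed spec: a seven-day default soak plus one override that skips soaking
# for the control-plane upgrade named in the GKEUpgrade description above.
EXAMPLE_SPEC: Dict[str, Any] = {
    "upstreamFleets": ["123456789012"],
    "postConditions": {"soaking": "604800s"},
    "gkeUpgradeOverrides": [
        {
            "upgrade": {"name": "k8s_control_plane", "version": "1.22.1-gke.100"},
            "postConditions": {"soaking": "0s"},
        }
    ],
}
```

Treat any ERROR as a reason not to submit; WARN findings are policy decisions (a zero soak is deliberate in the example) that deserve a reviewer's eye.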

FeatureSpec

Dataplane V2: Spec

JSON representation
{
  "enableEncryption": boolean
}
Fields
enableEncryption

boolean

Enable dataplane-v2 based encryption for multiple clusters.

MembershipFeatureSpec

MembershipFeatureSpec contains configuration information for a single Membership.

JSON representation
{
  "origin": {
    object (MembershipFeatureSpec.Origin)
  },

  // Union field feature_spec can be only one of the following:
  "configmanagement": {
    object (MembershipSpec)
  },
  "cloudbuild": {
    object (MembershipSpec)
  },
  "identityservice": {
    object (MembershipSpec)
  },
  "workloadcertificate": {
    object (MembershipSpec)
  },
  "mesh": {
    object (MembershipSpec)
  },
  "anthosobservability": {
    object (AnthosObservabilityMembershipSpec)
  },
  "policycontroller": {
    object (MembershipSpec)
  },
  "fleetobservability": {
    object (MembershipSpec)
  },
  "namespaceactuation": {
    object (MembershipSpec)
  }
  // End of list of possible types for union field feature_spec.
}
Fields
origin

object (MembershipFeatureSpec.Origin)

Whether this per-Membership spec was inherited from a fleet-level default. This field can be updated by users by either overriding a Membership config (updated to USER implicitly) or setting to FLEET explicitly.

Union field feature_spec.

feature_spec can be only one of the following:

configmanagement

object (MembershipSpec)

Config Management-specific spec.

cloudbuild

object (MembershipSpec)

Cloud Build-specific spec

identityservice

object (MembershipSpec)

Identity Service-specific spec.

workloadcertificate

object (MembershipSpec)

Workload Certificate spec.

mesh

object (MembershipSpec)

Anthos Service Mesh-specific spec

anthosobservability

object (AnthosObservabilityMembershipSpec)

Anthos Observability-specific spec

policycontroller

object (MembershipSpec)

Policy Controller spec.

fleetobservability

object (MembershipSpec)

Fleet observability membership spec

namespaceactuation

object (MembershipSpec)

Namespace Actuation (FNS) membership spec.

MembershipSpec

Anthos Config Management: Configuration for a single cluster. Intended to parallel the ConfigManagement CR.

JSON representation
{
  "configSync": {
    object (ConfigSync)
  },
  "policyController": {
    object (PolicyController)
  },
  "binauthz": {
    object (BinauthzConfig)
  },
  "hierarchyController": {
    object (HierarchyControllerConfig)
  },
  "version": string,
  "cluster": string,
  "management": enum (MembershipSpec.Management)
}
Fields
configSync

object (ConfigSync)

Config Sync configuration for the cluster.

policyController

object (PolicyController)

Policy Controller configuration for the cluster. Deprecated: Configuring Policy Controller through the configmanagement feature is no longer recommended. Use the policycontroller feature instead.

binauthz
(deprecated)

object (BinauthzConfig)

Binauthz configuration for the cluster. Deprecated: This field will be ignored and should not be set.

hierarchyController

object (HierarchyControllerConfig)

Hierarchy Controller configuration for the cluster. Deprecated: Configuring Hierarchy Controller through the configmanagement feature is no longer recommended. Use https://github.com/kubernetes-sigs/hierarchical-namespaces instead.

version

string

Version of ACM installed.

cluster

string

The user-specified cluster name used by the Config Sync cluster-name-selector annotation or ClusterSelector to apply configs to only a subset of clusters. Omit this field if Config Sync selects on the cluster's fleet membership name; set it if Config Sync selects on a name different from the fleet membership name.

management

enum (MembershipSpec.Management)

Enables automatic Feature management.

ConfigSync

Configuration for Config Sync

JSON representation
{
  "git": {
    object (GitConfig)
  },
  "sourceFormat": string,
  "preventDrift": boolean,
  "oci": {
    object (OciConfig)
  },
  "allowVerticalScale": boolean,
  "metricsGcpServiceAccountEmail": string,
  "stopSyncing": boolean,
  "enabled": boolean
}
Fields
git

object (GitConfig)

Git repo configuration for the cluster.

sourceFormat

string

Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.

preventDrift

boolean

Set to true to enable the Config Sync admission webhook to prevent drifts. If set to false, disables the Config Sync admission webhook and does not prevent drifts.

oci

object (OciConfig)

OCI repo configuration for the cluster

allowVerticalScale
(deprecated)

boolean

Set to true to allow the vertical scaling. Defaults to false which disallows vertical scaling. This field is deprecated.

metricsGcpServiceAccountEmail
(deprecated)

string

The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount default in the namespace config-management-monitoring should be bound to the GSA. Deprecated: If Workload Identity Federation for GKE is enabled, Google Cloud Service Account is no longer needed for exporting Config Sync metrics: https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/monitor-config-sync-cloud-monitoring#custom-monitoring.

stopSyncing

boolean

Set to true to stop syncing configs for a single cluster. Default to false.

enabled

boolean

Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if they exist. If set to false, all other ConfigSync fields will be ignored and ConfigSync resources will be deleted. If omitted, whether ConfigSync resources are managed depends on the presence of the git or oci field.

GitConfig

Git repo configuration for a single cluster.

JSON representation
{
  "syncRepo": string,
  "syncBranch": string,
  "policyDir": string,
  "syncWaitSecs": string,
  "syncRev": string,
  "secretType": string,
  "httpsProxy": string,
  "gcpServiceAccountEmail": string
}
Fields
syncRepo

string

The URL of the Git repository to use as the source of truth.

syncBranch

string

The branch of the repository to sync from. Default: master.

policyDir

string

The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.

syncWaitSecs

string (int64 format)

Period in seconds between consecutive syncs. Default: 15.

syncRev

string

Git revision (tag or hash) to check out. Default: HEAD.

secretType

string

Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. The validation of this is case-sensitive. Required.

httpsProxy

string

URL for the HTTPS proxy to be used when communicating with the Git repo.

gcpServiceAccountEmail

string

The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount.

OciConfig

OCI repo configuration for a single cluster

JSON representation
{
  "syncRepo": string,
  "policyDir": string,
  "syncWaitSecs": string,
  "secretType": string,
  "gcpServiceAccountEmail": string
}
Fields
syncRepo

string

The OCI image repository URL for the package to sync from. e.g. LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME.

policyDir

string

The absolute path of the directory that contains the local resources. Default: the root directory of the image.

syncWaitSecs

string (int64 format)

Period in seconds between consecutive syncs. Default: 15.

secretType

string

Type of secret configured for access to the OCI repo.

gcpServiceAccountEmail

string

The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount.

PolicyController

Configuration for Policy Controller

JSON representation
{
  "enabled": boolean,
  "exemptableNamespaces": [
    string
  ],
  "referentialRulesEnabled": boolean,
  "logDeniesEnabled": boolean,
  "mutationEnabled": boolean,
  "monitoring": {
    object (PolicyControllerMonitoring)
  },
  "updateTime": string,
  "templateLibraryInstalled": boolean,
  "auditIntervalSeconds": string
}
Fields
enabled

boolean

Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect.

exemptableNamespaces[]

string

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.

referentialRulesEnabled

boolean

Enables the use of Constraint Templates that reference objects other than the object currently being evaluated.

logDeniesEnabled

boolean

Logs all denies and dry run failures.

mutationEnabled

boolean

Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster.

monitoring

object (PolicyControllerMonitoring)

Monitoring specifies the configuration of monitoring.

updateTime

string (Timestamp format)

Output only. Last time this membership spec was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

templateLibraryInstalled

boolean

Installs the default template library along with Policy Controller.

auditIntervalSeconds

string (int64 format)

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

PolicyControllerMonitoring

PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]

JSON representation
{
  "backends": [
    enum (PolicyControllerMonitoring.MonitoringBackend)
  ]
}
Fields
backends[]

enum (PolicyControllerMonitoring.MonitoringBackend)

Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.

PolicyControllerMonitoring.MonitoringBackend

Supported backend options for monitoring

Enums
MONITORING_BACKEND_UNSPECIFIED Backend cannot be determined
PROMETHEUS Prometheus backend for monitoring
CLOUD_MONITORING Stackdriver/Cloud Monitoring backend for monitoring

BinauthzConfig

Configuration for Binauthz

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether binauthz is enabled in this cluster.

HierarchyControllerConfig

Configuration for Hierarchy Controller

JSON representation
{
  "enabled": boolean,
  "enablePodTreeLabels": boolean,
  "enableHierarchicalResourceQuota": boolean
}
Fields
enabled

boolean

Whether Hierarchy Controller is enabled in this cluster.

enablePodTreeLabels

boolean

Whether pod tree labels are enabled in this cluster.

enableHierarchicalResourceQuota

boolean

Whether hierarchical resource quota is enabled in this cluster.

MembershipSpec.Management

Whether to automatically manage the Feature.

Enums
MANAGEMENT_UNSPECIFIED Unspecified
MANAGEMENT_AUTOMATIC Google will manage the Feature for the cluster.
MANAGEMENT_MANUAL User will manually manage the Feature for the cluster.
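Several of the Config Management fields above are safe only in one setting: secretType is validated case-sensitively and must be one of six values, gcpServiceAccountEmail is needed when secretType is gcpserviceaccount, preventDrift=false switches off the admission webhook, auditIntervalSeconds=0 disables Policy Controller audit scans, an empty monitoring backends list disables metrics export, and binauthz and hierarchyController are deprecated. The following Python lint is an added example, not GKE Hub client code, that walks a configmanagement MembershipSpec and reports those conditions, with a constructed weak spec and its hardened counterpart. The repository host and the tag name are placeholders; the http:// and unpinned-revision findings are general supply-chain hygiene checks rather than rules this page states.

```python
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Accepted GitConfig.secretType values; the API validates them case-sensitively.
GIT_SECRET_TYPES = {"ssh", "cookiefile", "gcenode", "token", "gcpserviceaccount", "none"}


def lint_git(git: Dict[str, Any]) -> List[Finding]:
    f: List[Finding] = []
    secret_type = git.get("secretType")
    if secret_type is None:
        f.append(("ERROR", "configSync.git.secretType is required"))
    elif secret_type not in GIT_SECRET_TYPES:
        hint = " (values are case-sensitive)" if secret_type.lower() in GIT_SECRET_TYPES else ""
        f.append(("ERROR", f"configSync.git.secretType {secret_type!r} is invalid{hint}"))
    elif secret_type == "gcpserviceaccount" and not git.get("gcpServiceAccountEmail"):
        f.append(("ERROR", "gcpServiceAccountEmail is required when secretType is gcpserviceaccount"))
    elif secret_type == "none":
        f.append(("WARN", "secretType none: the repo is fetched without credentials"))
    if git.get("syncRepo", "").startswith("http://"):
        f.append(("WARN", "syncRepo is fetched over plain http://"))
    if not git.get("syncRev"):
        # Not a page rule: pinning a tag or hash keeps the source of truth from moving under you.
        f.append(("INFO", "syncRev not set: syncing HEAD of the branch (default master) rather than a pinned tag or hash"))
    return f


def lint_policy_controller(pc: Dict[str, Any]) -> List[Finding]:
    f: List[Finding] = [("WARN", "policyController via configmanagement is deprecated; use the policycontroller feature")]
    if not pc.get("enabled"):
        return f  # remaining Policy Controller fields take no effect
    if str(pc.get("auditIntervalSeconds", "")) == "0":
        f.append(("WARN", "auditIntervalSeconds is 0: audit scans are disabled"))
    if not pc.get("logDeniesEnabled"):
        f.append(("WARN", "logDeniesEnabled is false: denies and dry-run failures are not logged"))
    for ns in pc.get("exemptableNamespaces", []):
        f.append(("INFO", f"namespace {ns!r} is exempt from Policy Controller checks"))
    if "monitoring" in pc and not pc["monitoring"].get("backends"):
        f.append(("INFO", "monitoring.backends is empty: metrics export is disabled"))
    return f


def lint_configmanagement(spec: Dict[str, Any]) -> List[Finding]:
    f: List[Finding] = []
    cs = spec.get("configSync")
    if cs is not None:
        if cs.get("enabled") is False:
            f.append(("INFO", "configSync.enabled is false: ConfigSync resources are deleted and other configSync fields ignored"))
        else:
            if not cs.get("preventDrift"):
                f.append(("WARN", "preventDrift is not true: the admission webhook is off and drift is not blocked"))
            if cs.get("stopSyncing"):
                f.append(("WARN", "stopSyncing is true: this cluster no longer reconciles from its source"))
            if "git" in cs:
                f += lint_git(cs["git"])
            elif "oci" not in cs:
                f.append(("INFO", "no git or oci source is configured"))
    if "policyController" in spec:
        f += lint_policy_controller(spec["policyController"])
    if "binauthz" in spec:
        f.append(("WARN", "binauthz is deprecated and ignored; remove it"))
    if "hierarchyController" in spec:
        f.append(("WARN", "hierarchyController via configmanagement is deprecated"))
    return f


# Constructed weak spec and a hardened counterpart (host and tag are placeholders).
WEAK_SPEC: Dict[str, Any] = {
    "configSync": {
        "git": {"syncRepo": "http://git.example.com/policy.git", "secretType": "SSH"},
        "preventDrift": False,
    },
    "policyController": {"enabled": True, "auditIntervalSeconds": "0", "logDeniesEnabled": False},
    "binauthz": {"enabled": True},
}
HARDENED_SPEC: Dict[str, Any] = {
    "configSync": {
        "git": {"syncRepo": "https://git.example.com/policy.git", "secretType": "token", "syncRev": "v1.4.2"},
        "preventDrift": True,
        "sourceFormat": "unstructured",
    },
}
```

The hardened spec leaves Policy Controller out of configmanagement entirely, as the reference recommends, so it produces no findings; enable it through the policycontroller feature instead.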

MembershipSpec

Cloud Build: Configurations for each Cloud Build enabled cluster.

JSON representation
{
  "version": string,
  "securityPolicy": enum (MembershipSpec.SecurityPolicy)
}
Fields
version

string

Version of the cloud build software on the cluster.

securityPolicy

enum (MembershipSpec.SecurityPolicy)

Whether privileged build pods are allowed to run on the cluster.

MembershipSpec.SecurityPolicy

Different security policies we can apply to the cluster.

Enums
SECURITY_POLICY_UNSPECIFIED Unspecified policy
NON_PRIVILEGED Privileged build pods are disallowed
PRIVILEGED Privileged build pods are allowed

MembershipSpec

Anthos Identity Service: Configuration for a single Membership.

JSON representation
{
  "authMethods": [
    {
      object (MembershipSpec.AuthMethod)
    }
  ],
  "identityServiceOptions": {
    object (MembershipSpec.IdentityServiceOptions)
  }
}
Fields
authMethods[]

object (MembershipSpec.AuthMethod)

A member may support multiple auth methods.

identityServiceOptions

object (MembershipSpec.IdentityServiceOptions)

Optional. Non-protocol-related configuration options.

MembershipSpec.AuthMethod

Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC or LDAP) can be set per AuthMethod.

JSON representation
{
  "name": string,
  "proxy": string,

  // Union field auth_config can be only one of the following:
  "oidcConfig": {
    object (MembershipSpec.AuthMethod.OidcConfig)
  },
  "azureadConfig": {
    object (MembershipSpec.AuthMethod.AzureADConfig)
  },
  "googleConfig": {
    object (MembershipSpec.AuthMethod.GoogleConfig)
  },
  "samlConfig": {
    object (MembershipSpec.AuthMethod.SamlConfig)
  },
  "ldapConfig": {
    object (MembershipSpec.AuthMethod.LdapConfig)
  }
  // End of list of possible types for union field auth_config.
}
Fields
name

string

Identifier for auth config.

proxy

string

Proxy server address to use for auth method.

Union field auth_config. Supported auth configurations.

auth_config can be only one of the following:

oidcConfig

object (MembershipSpec.AuthMethod.OidcConfig)

OIDC specific configuration.

azureadConfig

object (MembershipSpec.AuthMethod.AzureADConfig)

AzureAD specific Configuration.

googleConfig

object (MembershipSpec.AuthMethod.GoogleConfig)

GoogleConfig specific configuration.

samlConfig

object (MembershipSpec.AuthMethod.SamlConfig)

SAML specific configuration.

ldapConfig

object (MembershipSpec.AuthMethod.LdapConfig)

LDAP specific configuration.

MembershipSpec.AuthMethod.OidcConfig

Configuration for OIDC Auth flow.

JSON representation
{
  "clientId": string,
  "certificateAuthorityData": string,
  "issuerUri": string,
  "kubectlRedirectUri": string,
  "scopes": string,
  "extraParams": string,
  "userClaim": string,
  "userPrefix": string,
  "groupsClaim": string,
  "groupPrefix": string,
  "deployCloudConsoleProxy": boolean,
  "clientSecret": string,
  "encryptedClientSecret": string,
  "enableAccessToken": boolean
}
Fields
clientId

string

ID for OIDC client application.

certificateAuthorityData

string

PEM-encoded CA for OIDC provider.

issuerUri

string

URI for the OIDC provider. This should point to the level below .well-known/openid-configuration.

kubectlRedirectUri

string

Registered redirect uri to redirect users going through OAuth flow using kubectl plugin.

scopes

string

Comma-separated list of identifiers.

extraParams

string

Comma-separated list of key-value pairs.

userClaim

string

Claim in OIDC ID token that holds username.

userPrefix

string

Prefix to prepend to user name.

groupsClaim

string

Claim in OIDC ID token that holds group information.

groupPrefix

string

Prefix to prepend to group name.

deployCloudConsoleProxy

boolean

Flag to denote whether a reverse proxy is used to connect to the auth provider. Set this to true when the provider is not reachable from the Google Cloud console.

clientSecret

string

Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH.

encryptedClientSecret

string (bytes format)

Output only. Encrypted OIDC client secret.

A base64-encoded string.

enableAccessToken

boolean

Enable access token.
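The fields above leave three things for an operator to get right: issuerUri must sit one level below the discovery document, scopes and extraParams are comma-separated strings, and the userClaim/userPrefix and groupsClaim/groupPrefix pairs decide which Kubernetes identity a token maps to. The following is an added example, not code from the API reference or from Anthos Identity Service; the key=value separator for extraParams, the exact-match issuer check and the sample configuration are this example's assumptions.

```python
"""Added example (not from the GKE Hub API reference or Anthos Identity Service):
derive the discovery URL from issuerUri, parse scopes/extraParams, and map
verified ID-token claims to a Kubernetes username and groups."""
from typing import Any, Dict, List

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def discovery_url(issuer_uri: str) -> str:
    """issuerUri points one level below the discovery document, so the document
    is fetched from issuerUri + DISCOVERY_SUFFIX. A trailing slash on the issuer
    must not produce a double slash in the URL."""
    return issuer_uri.rstrip("/") + DISCOVERY_SUFFIX


def issuer_matches(issuer_uri: str, discovery_doc: Dict[str, Any]) -> bool:
    """OpenID Connect Discovery requires the document's "issuer" value to be
    identical to the issuer it was fetched for (a trailing-slash difference is
    a mismatch). Accepting anything else means trusting tokens from a provider
    other than the one configured in issuerUri."""
    return discovery_doc.get("issuer") == issuer_uri


def parse_scopes(scopes: str) -> List[str]:
    """'scopes' is a comma-separated list of identifiers."""
    return [s.strip() for s in scopes.split(",") if s.strip()]


def parse_extra_params(extra_params: str) -> Dict[str, str]:
    """'extraParams' is a comma-separated list of key-value pairs. Using '=' as
    the key/value separator is this example's assumption; the reference only
    says "key-value pairs"."""
    params: Dict[str, str] = {}
    for item in extra_params.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"extraParams entry is not key=value: {item!r}")
        key, value = item.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def map_identity(cfg: Dict[str, Any], claims: Dict[str, Any]) -> Dict[str, Any]:
    """Build the Kubernetes identity from userClaim/userPrefix and
    groupsClaim/groupPrefix. 'claims' must come from a token whose signature,
    issuer, audience and expiry have already been verified; this function only
    performs the mapping, which is why a missing userClaim is an error rather
    than a silent fallback."""
    user_claim = cfg["userClaim"]
    if user_claim not in claims:
        raise KeyError(f"ID token carries no {user_claim!r} claim")
    username = cfg.get("userPrefix", "") + str(claims[user_claim])

    groups: List[str] = []
    groups_claim = cfg.get("groupsClaim")
    if groups_claim and groups_claim in claims:
        raw = claims[groups_claim]
        # Providers emit either a JSON array or a single string for groups.
        if isinstance(raw, str):
            raw = [raw]
        groups = [cfg.get("groupPrefix", "") + str(g) for g in raw]
    return {"username": username, "groups": groups}


# Constructed sample OidcConfig and claims (placeholder values, not real ones).
SAMPLE_CFG = {
    "clientId": "example-client-id",
    "issuerUri": "https://idp.example.com",
    "kubectlRedirectUri": "http://localhost:8000/callback",
    "scopes": "openid, email, groups",
    "extraParams": "prompt=consent, resource=token-groups-claim",
    "userClaim": "email",
    "userPrefix": "oidc:",
    "groupsClaim": "groups",
    "groupPrefix": "oidc:",
}
SAMPLE_CLAIMS = {"sub": "1234", "email": "alice@example.com",
                 "groups": ["platform-admins", "devs"]}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_CFG["issuerUri"]))
    print(parse_scopes(SAMPLE_CFG["scopes"]))
    print(parse_extra_params(SAMPLE_CFG["extraParams"]))
    print(map_identity(SAMPLE_CFG, SAMPLE_CLAIMS))
```

The prefixes matter for authorization: with userPrefix "oidc:" an RBAC binding written for "alice@example.com" does not match, and a binding for a group must use the prefixed form "oidc:platform-admins". Keeping a non-empty prefix also prevents an identity issued by the OIDC provider from colliding with a Kubernetes service account or another auth method that yields the same bare name.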

MembershipSpec.AuthMethod.AzureADConfig

Configuration for the AzureAD Auth flow.

JSON representation
{
  "clientId": string,
  "tenant": string,
  "kubectlRedirectUri": string,
  "clientSecret": string,
  "encryptedClientSecret": string,
  "userClaim": string,
  "groupFormat": string
}
Fields
clientId

string

ID for the registered client application that makes authentication requests to the Azure AD identity provider.

tenant

string

Kind of Azure AD account to be authenticated. Supported values are or for accounts belonging to a specific tenant.

kubectlRedirectUri

string

The redirect URL that kubectl uses for authorization.

clientSecret

string

Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH.

encryptedClientSecret

string (bytes format)

Output only. Encrypted AzureAD client secret.

A base64-encoded string.

userClaim

string

Optional. Claim in the AzureAD ID Token that holds the user details.

groupFormat

string

Optional. Format of the AzureAD groups that the client wants for auth.

MembershipSpec.AuthMethod.GoogleConfig

Configuration for the Google Plugin Auth flow.

JSON representation
{
  "disable": boolean
}
Fields
disable

boolean

Disable automatic configuration of Google Plugin on supported platforms.

MembershipSpec.AuthMethod.SamlConfig

Configuration for the SAML Auth flow.

JSON representation
{
  "identityProviderId": string,
  "identityProviderSsoUri": string,
  "identityProviderCertificates": [
    string
  ],
  "userAttribute": string,
  "groupsAttribute": string,
  "userPrefix": string,
  "groupPrefix": string,
  "attributeMapping": {
    string: string,
    ...
  }
}
Fields
identityProviderId

string

Required. The entity ID of the SAML IdP.

identityProviderSsoUri

string

Required. The URI where the SAML IdP exposes the SSO service.

identityProviderCertificates[]

string

Required. The list of IdP certificates to validate the SAML response against.

userAttribute

string

Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the userPrefix).

groupsAttribute

string

Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the groupPrefix).

userPrefix

string

Optional. Prefix to prepend to user name.

groupPrefix

string

Optional. Prefix to prepend to group name.

attributeMapping

map (key: string, value: string)

Optional. The mapping of additional user attributes such as nickname, birthday and address. The key is the name of the additional attribute; the value is a CEL (Common Expression Language, go/cel) expression used to read the value from the resources. For nickname, for example, the key is "attribute.nickname" and the value is "assertion.nickname".

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

MembershipSpec.AuthMethod.LdapConfig

Configuration for the LDAP Auth flow.

JSON representation
{
  "server": {
    object (MembershipSpec.AuthMethod.LdapConfig.ServerConfig)
  },
  "user": {
    object (MembershipSpec.AuthMethod.LdapConfig.UserConfig)
  },
  "group": {
    object (MembershipSpec.AuthMethod.LdapConfig.GroupConfig)
  },
  "serviceAccount": {
    object (MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig)
  }
}
Fields
server

object (MembershipSpec.AuthMethod.LdapConfig.ServerConfig)

Required. Server settings for the external LDAP server.

user

object (MembershipSpec.AuthMethod.LdapConfig.UserConfig)

Required. Defines where users exist in the LDAP directory.

group

object (MembershipSpec.AuthMethod.LdapConfig.GroupConfig)

Optional. Contains the properties for locating and authenticating groups in the directory.

serviceAccount

object (MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig)

Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

MembershipSpec.AuthMethod.LdapConfig.ServerConfig

Server settings for the external LDAP server.

JSON representation
{
  "host": string,
  "connectionType": string,
  "certificateAuthorityData": string
}
Fields
host

string

Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389".

connectionType

string

Optional. Defines the connection type to communicate with the LDAP server. If starttls or ldaps is specified, the certificateAuthorityData should not be empty.

certificateAuthorityData

string (bytes format)

Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections.

A base64-encoded string.

MembershipSpec.AuthMethod.LdapConfig.UserConfig

Defines where users exist in the LDAP directory.

JSON representation
{
  "baseDn": string,
  "loginAttribute": string,
  "idAttribute": string,
  "filter": string
}
Fields
baseDn

string

Required. The location of the subtree in the LDAP directory to search for user entries.

loginAttribute

string

Optional. The name of the attribute which is matched against the input username. This is used to find the user in the LDAP directory, e.g. "(<loginAttribute>=<username>)", and is combined with the optional filter field. This defaults to "userPrincipalName".

idAttribute

string

Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field, so that users can log in with a username but have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and idAttribute to "userPrincipalName" lets a user log in as "bsmith" while RBAC policies for the user are written against "bsmith@example.com". Using "userPrincipalName" is recommended since it is unique for each user. This defaults to "userPrincipalName".

filter

string

Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)".

MembershipSpec.AuthMethod.LdapConfig.GroupConfig

Contains the properties for locating and authenticating groups in the directory.

JSON representation
{
  "baseDn": string,
  "idAttribute": string,
  "filter": string
}
Fields
baseDn

string

Required. The location of the subtree in the LDAP directory to search for group entries.

idAttribute

string

Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName".

filter

string

Optional. Filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the number of groups returned for each user. This defaults to "(objectClass=Group)".
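The ServerConfig, UserConfig and GroupConfig sections above state several constraints (port defaults to 389, starttls/ldaps require certificateAuthorityData, the loginAttribute match is combined with the optional filter) and defaults. The following is an added example, not code from the API reference or from Anthos Identity Service: it applies those defaults, reports configuration findings a reviewer would raise, and composes the user-search filter with RFC 4515 escaping so that the username cannot alter the filter. ANDing the configured filter with (loginAttribute=username), the cleartext warning for non-TLS connection types, and the sample configuration are this example's assumptions.

```python
"""Added example (not from the GKE Hub API reference or Anthos Identity Service):
apply LdapConfig defaults, check the documented constraints, and build the user
search filter with RFC 4515 escaping."""
from typing import Any, Dict, List, Tuple

# Defaults stated in the reference for UserConfig and GroupConfig.
USER_DEFAULTS = {
    "loginAttribute": "userPrincipalName",
    "idAttribute": "userPrincipalName",
    "filter": "(objectClass=User)",
}
GROUP_DEFAULTS = {"idAttribute": "distinguishedName", "filter": "(objectClass=Group)"}
DEFAULT_LDAP_PORT = 389
TLS_CONNECTION_TYPES = {"starttls", "ldaps"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: NUL, '(', ')', '*' and '\\' inside an assertion value
    are written as a backslash followed by two hex digits. Without this a
    username such as 'bsmith)(cn=*' would change the shape of the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\x00()*\\" else ch for ch in value
    )


def server_endpoint(host: str) -> Tuple[str, int]:
    """Split "ldap.server.example" or "10.10.10.10:389" into (host, port);
    the port defaults to 389 when unspecified, as documented."""
    if host.count(":") == 1:
        name, port = host.split(":")
        if not port.isdigit():
            raise ValueError(f"invalid port in host {host!r}")
        return name, int(port)
    return host, DEFAULT_LDAP_PORT


def effective_user_config(user: Dict[str, Any]) -> Dict[str, Any]:
    """UserConfig with the documented defaults filled in."""
    return {**USER_DEFAULTS, **user}


def build_user_filter(user: Dict[str, Any], username: str) -> str:
    """Combine the optional filter with the loginAttribute match. The AND
    composition is this example's assumption about how the two are combined."""
    cfg = effective_user_config(user)
    match = f"({cfg['loginAttribute']}={escape_filter_value(username)})"
    return f"(&{cfg['filter']}{match})"


def validate_ldap_config(ldap: Dict[str, Any]) -> List[str]:
    """Findings a reviewer would raise before enabling this LdapConfig."""
    findings: List[str] = []
    server = ldap.get("server", {})
    if not server.get("host"):
        findings.append("server.host is required")
    else:
        server_endpoint(server["host"])  # raises on a malformed port
    ctype = (server.get("connectionType") or "").lower()
    if ctype in TLS_CONNECTION_TYPES and not server.get("certificateAuthorityData"):
        findings.append(f"connectionType={ctype} requires certificateAuthorityData")
    if ctype not in TLS_CONNECTION_TYPES:
        # This example's policy: anything other than starttls/ldaps sends the
        # simple-bind password and directory data over the network in cleartext.
        findings.append("connection is not TLS-protected (connectionType is neither starttls nor ldaps)")
    if not ldap.get("user", {}).get("baseDn"):
        findings.append("user.baseDn is required")
    if "group" in ldap and not ldap["group"].get("baseDn"):
        findings.append("group.baseDn is required when group is set")
    creds = ldap.get("serviceAccount", {}).get("simpleBindCredentials", {})
    if not creds.get("dn") or not creds.get("password"):
        findings.append("serviceAccount.simpleBindCredentials needs dn and password")
    return findings


# Constructed sample LdapConfig (placeholder values): ldaps without CA data.
SAMPLE_LDAP = {
    "server": {"host": "ldap.server.example:636", "connectionType": "ldaps"},
    "user": {"baseDn": "ou=people,dc=example,dc=com", "loginAttribute": "sAMAccountName"},
    "group": {"baseDn": "ou=groups,dc=example,dc=com"},
    "serviceAccount": {"simpleBindCredentials": {
        "dn": "cn=ais-reader,dc=example,dc=com", "password": "PLACEHOLDER"}},
}

if __name__ == "__main__":
    for finding in validate_ldap_config(SAMPLE_LDAP):
        print("finding:", finding)
    print(build_user_filter(SAMPLE_LDAP["user"], "bsmith)(cn=*"))
```

The escaping is the part worth keeping in mind when reading the loginAttribute and filter fields: the filter restricts which accounts may log in, but that restriction only holds if the username substituted into the match cannot close the parenthesis and open a new condition.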

MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig

Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

JSON representation
{

  // Union field authentication_mechanism can be only one of the following:
  "simpleBindCredentials": {
    object (MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials)
  }
  // End of list of possible types for union field authentication_mechanism.
}
Fields
Union field authentication_mechanism. Guarantees that the user supplies one authentication mechanism at a time. authentication_mechanism can be only one of the following:
simpleBindCredentials

object (MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials)

Credentials for basic auth.

MembershipSpec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials

The structure holds the LDAP simple binding credential.

JSON representation
{
  "dn": string,
  "password": string,
  "encryptedPassword": string
}
Fields
dn

string

Required. The distinguished name (DN) of the service account object/user.

password

string

Required. Input only. The password of the service account object/user.

encryptedPassword

string (bytes format)

Output only. The encrypted password of the service account object/user.

A base64-encoded string.

MembershipSpec.IdentityServiceOptions

Holds non-protocol-related configuration options.

JSON representation
{
  "sessionDuration": string,
  "diagnosticInterface": {
    object (MembershipSpec.IdentityServiceOptions.DiagnosticInterface)
  }
}
Fields
sessionDuration

string (Duration format)

Determines the lifespan of STS tokens issued by Anthos Identity Service.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

diagnosticInterface

object (MembershipSpec.IdentityServiceOptions.DiagnosticInterface)

Configuration options for the AIS diagnostic interface.

MembershipSpec.IdentityServiceOptions.DiagnosticInterface

Configuration options for the AIS diagnostic interface.

JSON representation
{
  "enabled": boolean,
  "expirationTime": string
}
Fields
enabled

boolean

Determines whether to enable the diagnostic interface.

expirationTime

string (Timestamp format)

Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

MembershipSpec

Service Mesh: Spec for a single Membership for the servicemesh feature

JSON representation
{
  "controlPlane": enum (MembershipSpec.ControlPlaneManagement),
  "defaultChannel": enum (Channel),
  "management": enum (MembershipSpec.Management),
  "configApi": enum (MembershipSpec.ConfigApi)
}
Fields
controlPlane
(deprecated)

enum (MembershipSpec.ControlPlaneManagement)

Deprecated: use management instead. Enables automatic control plane management.

defaultChannel
(deprecated)

enum (Channel)

Determines which release channel to use for default injection and service mesh APIs.

management

enum (MembershipSpec.Management)

Optional. Enables automatic Service Mesh management.

configApi

enum (MembershipSpec.ConfigApi)

Optional. Specifies the API that will be used for configuring the mesh workloads.

MembershipSpec.ControlPlaneManagement

Whether to automatically manage Service Mesh control planes.

Enums
CONTROL_PLANE_MANAGEMENT_UNSPECIFIED Unspecified
AUTOMATIC Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install.
MANUAL User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API)

Channel

Channel indicates which release channel a revision is subscribed to. Release channels are arranged in order of risk.

Enums
CHANNEL_UNSPECIFIED Unspecified
RAPID RAPID channel is offered on an early access basis for customers who want to test new releases.
REGULAR REGULAR channel is intended for production users who want to take advantage of new features.
STABLE STABLE channel includes versions that are known to be stable and reliable in production.

MembershipSpec.Management

Whether to automatically manage Service Mesh.

Enums
MANAGEMENT_UNSPECIFIED Unspecified
MANAGEMENT_AUTOMATIC Google should manage my Service Mesh for the cluster.
MANAGEMENT_MANUAL User will manually configure their service mesh components.

MembershipSpec.ConfigApi

Specifies the API that will be used for configuring the mesh workloads.

Enums
CONFIG_API_UNSPECIFIED Unspecified
CONFIG_API_ISTIO Use the Istio API for configuration.
CONFIG_API_GATEWAY Use the K8s Gateway API for configuration.

MembershipSpec

Policy Controller: Configuration for a single cluster. Intended to parallel the PolicyController CR.

JSON representation
{
  "policyControllerHubConfig": {
    object (HubConfig)
  },
  "version": string
}
Fields
policyControllerHubConfig

object (HubConfig)

Policy Controller configuration for the cluster.

version

string

Version of Policy Controller installed.

HubConfig

Configuration for Policy Controller

JSON representation
{
  "installSpec": enum (HubConfig.InstallSpec),
  "exemptableNamespaces": [
    string
  ],
  "referentialRulesEnabled": boolean,
  "logDeniesEnabled": boolean,
  "mutationEnabled": boolean,
  "deploymentConfigs": {
    string: {
      object (PolicyControllerDeploymentConfig)
    },
    ...
  },
  "auditIntervalSeconds": string,
  "monitoring": {
    object (MonitoringConfig)
  },
  "policyContent": {
    object (PolicyContentSpec)
  },
  "constraintViolationLimit": string
}
Fields
installSpec

enum (HubConfig.InstallSpec)

The installSpec represents the intended state specified by the latest request that mutated installSpec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state.

exemptableNamespaces[]

string

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.

referentialRulesEnabled

boolean

Enables the ability to use Constraint Templates that reference objects other than the object currently being evaluated.

logDeniesEnabled

boolean

Logs all denies and dry run failures.

mutationEnabled

boolean

Enables the ability to mutate resources using Policy Controller.

deploymentConfigs

map (key: string, value: object (PolicyControllerDeploymentConfig))

Map of deployment configs to deployments ("admission", "audit", "mutation").

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

auditIntervalSeconds

string (int64 format)

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

monitoring

object (MonitoringConfig)

Monitoring specifies the configuration of monitoring.

policyContent

object (PolicyContentSpec)

Specifies the desired policy content on the cluster

constraintViolationLimit

string (int64 format)

The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used.

HubConfig.InstallSpec

The set of installation specs that the Hub Feature controller may actuate.

Enums
INSTALL_SPEC_UNSPECIFIED Spec is unknown.
INSTALL_SPEC_NOT_INSTALLED Request to uninstall Policy Controller.
INSTALL_SPEC_ENABLED Request to install and enable Policy Controller.
INSTALL_SPEC_SUSPENDED Request to suspend Policy Controller i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended.
INSTALL_SPEC_DETACHED Request to stop all reconciliation actions by PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources.

MonitoringConfig

MonitoringConfig specifies the backends Policy Controller should export metrics to. For example, to specify that metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"].

JSON representation
{
  "backends": [
    enum (MonitoringConfig.MonitoringBackend)
  ]
}
Fields
backends[]

enum (MonitoringConfig.MonitoringBackend)

Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.

MonitoringConfig.MonitoringBackend

Supported backend options for monitoring

Enums
MONITORING_BACKEND_UNSPECIFIED Backend cannot be determined
PROMETHEUS Prometheus backend for monitoring
CLOUD_MONITORING Stackdriver/Cloud Monitoring backend for monitoring
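Several HubConfig fields described above decide whether Policy Controller actually enforces and reports anything: installSpec other than INSTALL_SPEC_ENABLED means suspended webhooks or no reconciliation, auditIntervalSeconds of 0 disables audit, logDeniesEnabled off loses the deny trail, and an empty monitoring.backends list disables metrics export. The following is an added example, not code from the API reference or from Policy Controller: a posture review of a HubConfig document using only those stated semantics. The severity labels and the sample configurations are this example's own.

```python
"""Added example (not from the GKE Hub API reference or Policy Controller):
review a HubConfig as found in membershipSpecs and report settings that
weaken enforcement or visibility, using the semantics the reference states."""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message); severities are this example's own

ENFORCING_INSTALL_SPEC = "INSTALL_SPEC_ENABLED"
DEFAULT_VIOLATION_LIMIT = 20  # the internal default the reference names


def review_hub_config(cfg: Dict[str, Any]) -> List[Finding]:
    findings: List[Finding] = []

    spec = cfg.get("installSpec", "INSTALL_SPEC_UNSPECIFIED")
    if spec != ENFORCING_INSTALL_SPEC:
        # SUSPENDED keeps the install but turns the webhooks off, DETACHED stops
        # reconciliation entirely, NOT_INSTALLED/UNSPECIFIED give no enforcement.
        findings.append(("HIGH", f"installSpec is {spec}: admission enforcement is not active"))

    # auditIntervalSeconds is an int64 carried as a JSON string; 0 disables audit.
    interval = cfg.get("auditIntervalSeconds")
    if interval is not None and int(interval) == 0:
        findings.append(("HIGH", "auditIntervalSeconds=0 disables audit scans"))

    if not cfg.get("logDeniesEnabled", False):
        findings.append(("MEDIUM", "logDeniesEnabled is false: denies and dry-run failures are not logged"))

    backends = cfg.get("monitoring", {}).get("backends", [])
    if not backends:
        findings.append(("MEDIUM", "monitoring.backends is empty: metrics export is disabled"))

    exempt = cfg.get("exemptableNamespaces", [])
    if exempt:
        findings.append(("INFO", f"{len(exempt)} namespace(s) bypass all checks: {', '.join(sorted(exempt))}"))

    if cfg.get("mutationEnabled", False):
        findings.append(("INFO", "mutationEnabled: the controller may rewrite resources, not only admit or deny them"))

    if cfg.get("constraintViolationLimit") is None:
        findings.append(("INFO", f"constraintViolationLimit unset: at most {DEFAULT_VIOLATION_LIMIT} violations are kept per constraint"))

    return findings


def severities(findings: List[Finding]) -> List[str]:
    return [sev for sev, _ in findings]


# Constructed samples (not real clusters). WEAK_CFG shows the settings the
# review flags; HARDENED_CFG is the same document with each one corrected.
WEAK_CFG = {
    "installSpec": "INSTALL_SPEC_SUSPENDED",
    "exemptableNamespaces": ["sandbox"],
    "auditIntervalSeconds": "0",
    "logDeniesEnabled": False,
}
HARDENED_CFG = {
    "installSpec": "INSTALL_SPEC_ENABLED",
    "exemptableNamespaces": [],
    "auditIntervalSeconds": "60",
    "logDeniesEnabled": True,
    "mutationEnabled": False,
    "monitoring": {"backends": ["CLOUD_MONITORING"]},
    "constraintViolationLimit": "100",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name)
        for sev, msg in review_hub_config(cfg) or [("OK", "no findings")]:
            print(f"  [{sev}] {msg}")
```

The installSpec check deserves the emphasis it gets: the reference notes that installSpec is the intended state from the latest request, not the observed lifecycle state, so a review of the spec should be paired with a look at the reported feature state before concluding that enforcement is in place.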

PolicyContentSpec

PolicyContentSpec defines the user's desired content configuration on the cluster.

JSON representation
{
  "bundles": {
    string: {
      object (BundleInstallSpec)
    },
    ...
  },
  "templateLibrary": {
    object (TemplateLibraryConfig)
  }
}
Fields
bundles

map (key: string, value: object (BundleInstallSpec))

map of bundle name to BundleInstallSpec. The bundle name maps to the bundleName key in the policycontroller.gke.io/constraintData annotation on a constraint.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

templateLibrary

object (TemplateLibraryConfig)

Configures the installation of the Template Library.

BundleInstallSpec

BundleInstallSpec is the specification configuration for a single managed bundle.

JSON representation
{
  "exemptedNamespaces": [
    string
  ]
}
Fields
exemptedNamespaces[]

string

The set of namespaces to be exempted from the bundle.

TemplateLibraryConfig

The config specifying which default library templates to install.

JSON representation
{
  "installation": enum (TemplateLibraryConfig.Installation)
}
Fields
installation

enum (TemplateLibraryConfig.Installation)

Configures the manner in which the template library is installed on the cluster.

TemplateLibraryConfig.Installation

How the template library should be installed

Enums
INSTALLATION_UNSPECIFIED No installation strategy has been specified.
NOT_INSTALLED Do not install the template library.
ALL Install the entire template library.

PolicyControllerDeploymentConfig

Deployment-specific configuration.

JSON representation
{
  "podTolerations": [
    {
      object (PolicyControllerDeploymentConfig.Toleration)
    }
  ],
  "podAffinity": enum (PolicyControllerDeploymentConfig.Affinity),
  "replicaCount": string,
  "containerResources": {
    object (ResourceRequirements)
  },
  "podAntiAffinity": boolean
}
Fields
podTolerations[]

object (PolicyControllerDeploymentConfig.Toleration)

Pod tolerations of node taints.

podAffinity

enum (PolicyControllerDeploymentConfig.Affinity)

Pod affinity configuration.

replicaCount

string (int64 format)

Pod replica count.

containerResources

object (ResourceRequirements)

Container resource requirements.

podAntiAffinity
(deprecated)

boolean

Pod anti-affinity enablement. Deprecated: use podAffinity instead.

ResourceRequirements

ResourceRequirements describes the compute resource requirements.

JSON representation
{
  "limits": {
    object (ResourceList)
  },
  "requests": {
    object (ResourceList)
  }
}
Fields
limits

object (ResourceList)

Limits describes the maximum amount of compute resources allowed for use by the running container.

requests

object (ResourceList)

Requests describes the amount of compute resources reserved for the container by the kube-scheduler.

ResourceList

ResourceList contains container resource requirements.

JSON representation
{
  "memory": string,
  "cpu": string
}
Fields
memory

string

Memory requirement expressed in Kubernetes resource units.

cpu

string

CPU requirement expressed in Kubernetes resource units.

PolicyControllerDeploymentConfig.Toleration

Toleration of a node taint.

JSON representation
{
  "key": string,
  "operator": string,
  "value": string,
  "effect": string
}
Fields
key

string

Matches a taint key (not necessarily unique).

operator

string

Matches a taint operator.

value

string

Matches a taint value.

effect

string

Matches a taint effect.

PolicyControllerDeploymentConfig.Affinity

The pod affinity configuration used by a deployment.

Enums
AFFINITY_UNSPECIFIED No affinity configuration has been specified.
NO_AFFINITY Affinity configurations will be removed from the deployment.
ANTI_AFFINITY Anti-affinity configuration will be applied to this deployment. Default for admissions deployment.

MembershipSpec

This type has no fields.

FleetObservability: The membership-specific input for FleetObservability feature.

MembershipSpec

This type has no fields.

Namespace Actuation: The membership-specific input for NamespaceActuation feature.

MembershipFeatureSpec.Origin

Origin defines where this MembershipFeatureSpec originated from.

JSON representation
{
  "type": enum (MembershipFeatureSpec.Origin.Type)
}
Fields
type

enum (MembershipFeatureSpec.Origin.Type)

Type specifies which type of origin is set.

MembershipFeatureSpec.Origin.Type

Type specifies the persona that persisted the config.

Enums
TYPE_UNSPECIFIED Type is unknown or not set.
FLEET Per-Membership spec was inherited from the fleet-level default.
FLEET_OUT_OF_SYNC Per-Membership spec was inherited from the fleet-level default but is now out of sync with the current default.
USER Per-Membership spec was inherited from a user specification.

CommonFeatureState

CommonFeatureState contains Fleet-wide Feature status information.

JSON representation
{
  "state": {
    object (FeatureState)
  },

  // Union field feature_state can be only one of the following:
  "servicemesh": {
    object (FeatureState)
  },
  "appdevexperience": {
    object (AppDevExperienceFeatureState)
  },
  "fleetobservability": {
    object (FeatureState)
  },
  "namespaceactuation": {
    object (FeatureState)
  },
  "clusterupgrade": {
    object (FleetState)
  }
  // End of list of possible types for union field feature_state.
}
Fields
state

object (FeatureState)

Output only. The "running state" of the Feature in this Fleet.

Union field feature_state.

feature_state can be only one of the following:

servicemesh

object (FeatureState)

Service Mesh-specific state.

appdevexperience

object (AppDevExperienceFeatureState)

Appdevexperience specific state.

fleetobservability

object (FeatureState)

FleetObservability feature state.

namespaceactuation

object (FeatureState)

Namespace Actuation feature state.

clusterupgrade

object (FleetState)

ClusterUpgrade fleet-level state.

FeatureState

Service Mesh: State for the whole Hub, as analyzed by the Service Mesh Hub Controller.

JSON representation
{
  "analysisMessages": [
    {
      object (AnalysisMessage)
    }
  ]
}
Fields
analysisMessages[]

object (AnalysisMessage)

Output only. Results of running Service Mesh analyzers.

AnalysisMessage

AnalysisMessage is a single message produced by an analyzer, and is used to communicate to the end user about the state of their Service Mesh configuration.

JSON representation
{
  "messageBase": {
    object (AnalysisMessageBase)
  },
  "description": string,
  "resourcePaths": [
    string
  ],
  "args": {
    object
  }
}
Fields
messageBase

object (AnalysisMessageBase)

Details common to all types of Istio and ServiceMesh analysis messages.

description

string

A human-readable description of what the error means. It is suitable for non-internationalized display purposes.

resourcePaths[]

string

A list of strings specifying the resource identifiers that were the cause of message generation. A "path" here may be:

* MEMBERSHIP_ID if the cause is a specific member cluster
* MEMBERSHIP_ID/(NAMESPACE\/)?RESOURCETYPE/NAME if the cause is a resource in a cluster

args

object (Struct format)

A UI can combine these args with a template (based on messageBase.type) to produce an internationalized message.

AnalysisMessageBase

AnalysisMessageBase describes some common information that is needed for all messages.

JSON representation
{
  "type": {
    object (AnalysisMessageBase.Type)
  },
  "level": enum (AnalysisMessageBase.Level),
  "documentationUrl": string
}
Fields
type

object (AnalysisMessageBase.Type)

Represents the specific type of a message.

level

enum (AnalysisMessageBase.Level)

Represents how severe a message is.

documentationUrl

string

A url pointing to the Service Mesh or Istio documentation for this specific error type.

AnalysisMessageBase.Type

A unique identifier for the type of message. Display_name is intended to be human-readable, code is intended to be machine readable. There should be a one-to-one mapping between displayName and code. (i.e. do not re-use display_names or codes between message types.) See istio.analysis.v1alpha1.AnalysisMessageBase.Type

JSON representation
{
  "displayName": string,
  "code": string
}
Fields
displayName

string

A human-readable name for the message type. e.g. "InternalError", "PodMissingProxy". This should be the same for all messages of the same type. (This corresponds to the name field in open-source Istio.)

code

string

A 7 character code matching ^IST[0-9]{4}$ or ^ASM[0-9]{4}$, intended to uniquely identify the message type. (e.g. "IST0001" is mapped to the "InternalError" message type.)

AnalysisMessageBase.Level

The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later. See istio.analysis.v1alpha1.AnalysisMessageBase.Level.

Enums
LEVEL_UNSPECIFIED Illegal. Same as istio.analysis.v1alpha1.AnalysisMessageBase.Level.UNKNOWN.
ERROR ERROR represents a misconfiguration that must be fixed.
WARNING WARNING represents a misconfiguration that should be fixed.
INFO INFO represents an informational finding.

FeatureState

FleetObservability: Hub-wide Feature state for the FleetObservability feature.

JSON representation
{
  "logging": {
    object (FleetObservabilityLoggingState)
  },
  "monitoring": {
    object (FleetObservabilityMonitoringState)
  }
}
Fields
logging

object (FleetObservabilityLoggingState)

The feature state of default logging.

monitoring

object (FleetObservabilityMonitoringState)

The feature state of fleet monitoring.

FleetObservabilityLoggingState

Feature state for logging feature.

JSON representation
{
  "defaultLog": {
    object (FleetObservabilityBaseFeatureState)
  },
  "scopeLog": {
    object (FleetObservabilityBaseFeatureState)
  }
}
Fields
defaultLog

object (FleetObservabilityBaseFeatureState)

The base feature state of fleet default log.

scopeLog

object (FleetObservabilityBaseFeatureState)

The base feature state of fleet scope log.

FleetObservabilityBaseFeatureState

Base state for fleet observability feature.

JSON representation
{
  "code": enum (FleetObservabilityBaseFeatureState.Code),
  "errors": [
    {
      object (FleetObservabilityBaseFeatureState.FeatureError)
    }
  ]
}
Fields
code

enum (FleetObservabilityBaseFeatureState.Code)

The high-level, machine-readable status of this Feature.

errors[]

object (FleetObservabilityBaseFeatureState.FeatureError)

Errors after reconciling the monitoring and logging feature if the code is not OK.

FleetObservabilityBaseFeatureState.Code

Code represents a machine-readable, high-level status of the Feature.

Enums
CODE_UNSPECIFIED Unknown or not set.
OK The Feature is operating normally.
ERROR The Feature is encountering errors in the reconciliation. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.

FleetObservabilityBaseFeatureState.FeatureError

All error details of the fleet observability feature.

JSON representation
{
  "code": string,
  "description": string
}
Fields
code

string

The code of the error.

description

string

A human-readable description of the current status.

FleetObservabilityMonitoringState

Feature state for monitoring feature.

JSON representation
{
  "state": {
    object (FleetObservabilityBaseFeatureState)
  }
}
Fields
state

object (FleetObservabilityBaseFeatureState)

The base feature state of fleet monitoring feature.

FeatureState

This type has no fields.

NamespaceActuation Feature State.

FleetState

ClusterUpgrade: The state for the fleet-level ClusterUpgrade feature.

JSON representation
{
  "downstreamFleets": [
    string
  ],
  "ignored": {
    string: {
      object (IgnoredMembership)
    },
    ...
  },
  "gkeState": {
    object (GKEUpgradeFeatureState)
  }
}
Fields
downstreamFleets[]

string

The fleets whose upstreamFleets contain the current fleet.

The fleet name should be either fleet project number or id.

ignored

map (key: string, value: object (IgnoredMembership))

A list of memberships ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of their release channel. The membership resource is in the format: projects/{p}/locations/{l}/membership/{m}.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

gkeState

object (GKEUpgradeFeatureState)

Feature state for GKE clusters.

IgnoredMembership

IgnoredMembership represents a membership ignored by the feature. A membership can be ignored because it was manually upgraded to a newer version than RC default.

JSON representation
{
  "reason": string,
  "ignoredTime": string
}
Fields
reason

string

Reason why the membership is ignored.

ignoredTime

string (Timestamp format)

Time when the membership was first set to ignored.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

GKEUpgradeFeatureState

GKEUpgradeFeatureState contains feature states for GKE clusters in the scope.

JSON representation
{
  "upgradeState": [
    {
      object (GKEUpgradeState)
    }
  ],
  "conditions": [
    {
      object (GKEUpgradeFeatureCondition)
    }
  ]
}
Fields
upgradeState[]

object (GKEUpgradeState)

Upgrade state. It will eventually replace state.

conditions[]

object (GKEUpgradeFeatureCondition)

Current conditions of the feature.

GKEUpgradeState

GKEUpgradeState is a GKEUpgrade and its state at the scope and fleet level.

JSON representation
{
  "stats": {
    string: string,
    ...
  },
  "upgrade": {
    object (GKEUpgrade)
  },
  "status": {
    object (UpgradeStatus)
  }
}
Fields
stats

map (key: string, value: string (int64 format))

Number of GKE clusters in each status code.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

upgrade

object (GKEUpgrade)

Which upgrade to track the state.

status

object (UpgradeStatus)

Status of the upgrade.

UpgradeStatus

UpgradeStatus provides status information for each upgrade.

JSON representation
{
  "code": enum (UpgradeStatus.Code),
  "reason": string,
  "updateTime": string
}
Fields
code

enum (UpgradeStatus.Code)

Status code of the upgrade.

reason

string

Reason for this status.

updateTime

string (Timestamp format)

Last timestamp the status was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

UpgradeStatus.Code

Status code of an upgrade.

Enums
CODE_UNSPECIFIED Required by https://linter.aip.dev/126/unspecified.
INELIGIBLE The upgrade is ineligible. At the scope level, this means the upgrade is ineligible for all the clusters in the scope.
PENDING The upgrade is pending. At the scope level, this means the upgrade is pending for all the clusters in the scope.
IN_PROGRESS The upgrade is in progress. At the scope level, this means the upgrade is in progress for at least one cluster in the scope.
SOAKING The upgrade has finished and is soaking until the soaking time is up. At the scope level, this means at least one cluster is in soaking while the rest are either soaking or complete.
FORCED_SOAKING A cluster will be forced to enter soaking if an upgrade doesn't finish within a certain limit, regardless of its actual status.
COMPLETE The upgrade has passed all post conditions (soaking). At the scope level, this means all eligible clusters are in COMPLETE status.
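The scope-level rules in the enum above can be applied to the `stats` map of a GKEUpgradeState (whose values are int64-format strings) to cross-check the `status.code` the API reports for the scope. This is an added example, not code from the GKE Hub API or its client libraries; the sample state with its empty placeholder `upgrade` object is constructed, and treating ineligible clusters as excluded from the PENDING, SOAKING and COMPLETE rules (in line with the COMPLETE rule's "all eligible clusters") and FORCED_SOAKING as soaking are assumptions of the example.

```python
"""Derive a scope-level UpgradeStatus.Code from a GKEUpgradeState.stats map
and compare it with the status.code the API reported for the scope.

Added example (not GKE Hub API or client-library code). The stats map is
keyed by per-cluster UpgradeStatus.Code and its values are int64-format
strings, as the API reference states.
"""
import json

# Per-cluster codes from UpgradeStatus.Code.
CODES = ("CODE_UNSPECIFIED", "INELIGIBLE", "PENDING", "IN_PROGRESS",
         "SOAKING", "FORCED_SOAKING", "COMPLETE")


def parse_stats(stats):
    """Convert stats (code -> int64-format string) into an int count per code.

    Unknown codes and negative or non-integer counts raise ValueError, so a
    malformed or unexpected response cannot silently yield a wrong verdict.
    """
    counts = {code: 0 for code in CODES}
    for code, raw in stats.items():
        if code not in counts:
            raise ValueError(f"unknown UpgradeStatus.Code in stats: {code!r}")
        n = int(raw)  # int64 format is carried as a JSON string
        if n < 0:
            raise ValueError(f"negative count for {code}: {n}")
        counts[code] = n
    return counts


def scope_level_code(stats):
    """Apply the scope-level rules stated for UpgradeStatus.Code.

    INELIGIBLE  all clusters in the scope are ineligible
    IN_PROGRESS at least one cluster is in progress
    PENDING     all (eligible) clusters are pending
    SOAKING     at least one cluster soaking, the rest soaking or complete
    COMPLETE    all eligible clusters are COMPLETE
    Assumptions of this example: ineligible clusters are excluded from the
    PENDING/SOAKING/COMPLETE rules, FORCED_SOAKING counts as soaking, and any
    mix the reference does not define is reported as CODE_UNSPECIFIED.
    """
    c = parse_stats(stats)
    total = sum(c.values())
    if total == 0:
        return "CODE_UNSPECIFIED"
    if c["INELIGIBLE"] == total:
        return "INELIGIBLE"
    eligible = total - c["INELIGIBLE"]
    soaking = c["SOAKING"] + c["FORCED_SOAKING"]
    if c["IN_PROGRESS"] > 0:
        return "IN_PROGRESS"
    if c["PENDING"] == eligible:
        return "PENDING"
    if soaking > 0 and soaking + c["COMPLETE"] == eligible:
        return "SOAKING"
    if c["COMPLETE"] == eligible:
        return "COMPLETE"
    return "CODE_UNSPECIFIED"


def check_state(gke_upgrade_state):
    """Return (reported, derived, consistent) for one GKEUpgradeState.

    A mismatch is worth investigating before an upstream scope's COMPLETE
    status is allowed to release the upgrade to downstream scopes.
    """
    reported = gke_upgrade_state.get("status", {}).get("code", "CODE_UNSPECIFIED")
    derived = scope_level_code(gke_upgrade_state.get("stats", {}))
    return reported, derived, reported == derived


# Constructed sample GKEUpgradeState; the GKEUpgrade object is left empty as
# a placeholder because its fields are not needed by this example.
SAMPLE_STATE = json.loads("""
{
  "stats": {"INELIGIBLE": "2", "SOAKING": "1", "COMPLETE": "4"},
  "upgrade": {},
  "status": {"code": "SOAKING", "reason": "soaking",
             "updateTime": "2014-10-02T15:01:23Z"}
}
""")

if __name__ == "__main__":
    print(check_state(SAMPLE_STATE))  # ('SOAKING', 'SOAKING', True)
```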

GKEUpgradeFeatureCondition

GKEUpgradeFeatureCondition describes the condition of the feature for GKE clusters at a certain point of time.

JSON representation
{
  "type": string,
  "status": string,
  "reason": string,
  "updateTime": string
}
Fields
type

string

Type of the condition, for example, "ready".

status

string

Status of the condition, one of True, False, Unknown.

reason

string

Reason why the feature is in this status.

updateTime

string (Timestamp format)

Last timestamp the condition was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

FeatureState

FeatureState describes the high-level state of a Feature. It may be used to describe a Feature's state at the environment level, or per Membership, depending on the context.

JSON representation
{
  "code": enum (FeatureState.Code),
  "description": string,
  "updateTime": string
}
Fields
code

enum (FeatureState.Code)

The high-level, machine-readable status of this Feature.

description

string

A human-readable description of the current status.

updateTime

string (Timestamp format)

The time this status and any related Feature-specific details were updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

FeatureState.Code

Code represents a machine-readable, high-level status of the Feature.

Enums
CODE_UNSPECIFIED Unknown or not set.
OK The Feature is operating normally.
WARNING The Feature has encountered an issue, and is operating in a degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.
ERROR The Feature is not operating or is in a severely degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.

MembershipFeatureState

MembershipFeatureState contains Feature status information for a single Membership.

JSON representation
{
  "state": {
    object (FeatureState)
  },

  // Union field feature_state can be only one of the following:
  "servicemesh": {
    object (MembershipState)
  },
  "metering": {
    object (MembershipState)
  },
  "configmanagement": {
    object (MembershipState)
  },
  "identityservice": {
    object (MembershipState)
  },
  "appdevexperience": {
    object (AppDevExperienceFeatureState)
  },
  "policycontroller": {
    object (MembershipState)
  },
  "clusterupgrade": {
    object (MembershipState)
  },
  "fleetobservability": {
    object (MembershipState)
  },
  "namespaceactuation": {
    object (MembershipState)
  }
  // End of list of possible types for union field feature_state.
}
Fields
state

object (FeatureState)

The high-level state of this Feature for a single membership.

Union field feature_state.

feature_state can be only one of the following:

servicemesh

object (MembershipState)

Service Mesh-specific state.

metering

object (MembershipState)

Metering-specific state.

configmanagement

object (MembershipState)

Config Management-specific state.

identityservice

object (MembershipState)

Identity Service-specific state.

appdevexperience

object (AppDevExperienceFeatureState)

AppDevExperience-specific state.

policycontroller

object (MembershipState)

Policy Controller-specific state.

clusterupgrade

object (MembershipState)

ClusterUpgrade state.

fleetobservability

object (MembershipState)

Fleet observability membership state.

namespaceactuation

object (MembershipState)

FNS Actuation membership state.

MembershipState

Service Mesh: State for a single Membership, as analyzed by the Service Mesh Hub Controller.

JSON representation
{
  "analysisMessages": [
    {
      object (AnalysisMessage)
    }
  ],
  "controlPlaneManagement": {
    object (MembershipState.ControlPlaneManagement)
  },
  "dataPlaneManagement": {
    object (MembershipState.DataPlaneManagement)
  },
  "configApiVersion": string,
  "conditions": [
    {
      object (MembershipState.Condition)
    }
  ]
}
Fields
analysisMessages[]

object (AnalysisMessage)

Output only. Results of running Service Mesh analyzers.

controlPlaneManagement

object (MembershipState.ControlPlaneManagement)

Output only. Status of control plane management.

dataPlaneManagement

object (MembershipState.DataPlaneManagement)

Output only. Status of data plane management.

configApiVersion

string

The API version (i.e. Istio CRD version) for configuring service mesh in this cluster. This version is influenced by the defaultChannel field.

conditions[]

object (MembershipState.Condition)

Output only. List of conditions reported for this membership.

MembershipState.ControlPlaneManagement

Status of control plane management.

JSON representation
{
  "details": [
    {
      object (StatusDetails)
    }
  ],
  "state": enum (MembershipState.LifecycleState),
  "implementation": enum (MembershipState.ControlPlaneManagement.Implementation)
}
Fields
details[]

object (StatusDetails)

Explanation of state.

state

enum (MembershipState.LifecycleState)

LifecycleState of control plane management.

implementation

enum (MembershipState.ControlPlaneManagement.Implementation)

Output only. Implementation of managed control plane.

StatusDetails

Structured and human-readable details for a status.

JSON representation
{
  "code": string,
  "details": string
}
Fields
code

string

A machine-readable code that further describes a broad status.

details

string

Human-readable explanation of code.

MembershipState.LifecycleState

Lifecycle state of Service Mesh components.

Enums
LIFECYCLE_STATE_UNSPECIFIED Unspecified
DISABLED DISABLED means that the component is not enabled.
FAILED_PRECONDITION FAILED_PRECONDITION means that provisioning cannot proceed because of some characteristic of the member cluster.
PROVISIONING PROVISIONING means that provisioning is in progress.
ACTIVE ACTIVE means that the component is ready for use.
STALLED STALLED means that provisioning could not be done.
NEEDS_ATTENTION NEEDS_ATTENTION means that the component is ready, but some user intervention is required. (For example, the user should migrate workloads to a new control plane revision.)
DEGRADED DEGRADED means that the component is ready, but operating in a degraded state.

MembershipState.ControlPlaneManagement.Implementation

Implementation of managed control plane.

Enums
IMPLEMENTATION_UNSPECIFIED Unspecified
ISTIOD A Google build of istiod is used for the managed control plane.
TRAFFIC_DIRECTOR Traffic Director is used for the managed control plane.
UPDATING The control plane implementation is being updated.

MembershipState.DataPlaneManagement

Status of data plane management. Only reported per-member.

JSON representation
{
  "state": enum (MembershipState.LifecycleState),
  "details": [
    {
      object (StatusDetails)
    }
  ]
}
Fields
state

enum (MembershipState.LifecycleState)

Lifecycle status of data plane management.

details[]

object (StatusDetails)

Explanation of the status.

MembershipState.Condition

Condition being reported.

JSON representation
{
  "code": enum (MembershipState.Condition.Code),
  "documentationLink": string,
  "details": string,
  "severity": enum (MembershipState.Condition.Severity)
}
Fields
code

enum (MembershipState.Condition.Code)

Unique identifier of the condition which describes the condition recognizable to the user.

details

string

A short summary about the issue.

severity

enum (MembershipState.Condition.Severity)

Severity level of the condition.

MembershipState.Condition.Code

Unique identifier of the condition which describes the condition recognizable to the user.

Enums
CODE_UNSPECIFIED Default Unspecified code
MESH_IAM_PERMISSION_DENIED Mesh IAM permission denied error code
MESH_IAM_CROSS_PROJECT_PERMISSION_DENIED Permission denied error code for cross-project
CNI_CONFIG_UNSUPPORTED CNI config unsupported error code
GKE_SANDBOX_UNSUPPORTED GKE sandbox unsupported error code
NODEPOOL_WORKLOAD_IDENTITY_FEDERATION_REQUIRED Nodepool workload identity federation required error code
CNI_INSTALLATION_FAILED CNI installation failed error code
CNI_POD_UNSCHEDULABLE CNI pod unschedulable error code
CLUSTER_HAS_ZERO_NODES Cluster has zero nodes error code
UNSUPPORTED_MULTIPLE_CONTROL_PLANES Multiple control planes unsupported error code
VPCSC_GA_SUPPORTED VPC-SC GA is supported for this control plane.
DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT User is using deprecated ControlPlaneManagement and they have not yet set Management.
DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT_SAFE User is using deprecated ControlPlaneManagement and they have already set Management.
CONFIG_APPLY_INTERNAL_ERROR Configuration (Istio/k8s resources) failed to apply due to internal error.
CONFIG_VALIDATION_ERROR Configuration failed to be applied due to being invalid.
CONFIG_VALIDATION_WARNING Encountered configuration(s) with possible unintended behavior or invalid configuration. These configs may not have been applied.
QUOTA_EXCEEDED_BACKEND_SERVICES BackendService quota exceeded error code.
QUOTA_EXCEEDED_HEALTH_CHECKS HealthCheck quota exceeded error code.
QUOTA_EXCEEDED_HTTP_ROUTES HTTPRoute quota exceeded error code.
QUOTA_EXCEEDED_TCP_ROUTES TCPRoute quota exceeded error code.
QUOTA_EXCEEDED_TLS_ROUTES TLS routes quota exceeded error code.
QUOTA_EXCEEDED_TRAFFIC_POLICIES TrafficPolicy quota exceeded error code.
QUOTA_EXCEEDED_ENDPOINT_POLICIES EndpointPolicy quota exceeded error code.
QUOTA_EXCEEDED_GATEWAYS Gateway quota exceeded error code.
QUOTA_EXCEEDED_MESHES Mesh quota exceeded error code.
QUOTA_EXCEEDED_SERVER_TLS_POLICIES ServerTLSPolicy quota exceeded error code.
QUOTA_EXCEEDED_CLIENT_TLS_POLICIES ClientTLSPolicy quota exceeded error code.
QUOTA_EXCEEDED_SERVICE_LB_POLICIES ServiceLBPolicy quota exceeded error code.
QUOTA_EXCEEDED_HTTP_FILTERS HTTPFilter quota exceeded error code.
QUOTA_EXCEEDED_TCP_FILTERS TCPFilter quota exceeded error code.
QUOTA_EXCEEDED_NETWORK_ENDPOINT_GROUPS NetworkEndpointGroup quota exceeded error code.
MODERNIZATION_SCHEDULED Modernization is scheduled for a cluster.
MODERNIZATION_IN_PROGRESS Modernization is in progress for a cluster.
MODERNIZATION_COMPLETED Modernization is completed for a cluster.
MODERNIZATION_ABORTED Modernization is aborted for a cluster.

MembershipState.Condition.Severity

Severity level of the reported condition

Enums
SEVERITY_UNSPECIFIED Unspecified severity
ERROR Indicates an issue that prevents the mesh from operating correctly
WARNING Indicates a setting is likely wrong, but the mesh is still able to operate
INFO An informational message, not requiring any action
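FeatureState.Code gives the per-Membership verdict and, for the servicemesh variant of the feature_state union, MembershipState.conditions and the control/data plane LifecycleState explain it. The triage below walks a Feature's membershipStates map with those fields; it is an added example, not code from the GKE Hub API or its client libraries, and the sample response (project, membership names, condition details and StatusDetails codes) is constructed, not captured from a real fleet.

```python
"""Triage the membershipStates map of a Feature resource.

Added example (not GKE Hub API or client-library code). membershipStates is
keyed by Membership resource name; each value is a MembershipFeatureState
whose `state` is a FeatureState and whose feature_state union carries the
feature-specific state. For the `servicemesh` variant this inspects
MembershipState.conditions by severity and the control/data plane
LifecycleState. Field and enum names are from the API reference; the sample
response is constructed.
"""
import json

# FeatureState.Code ordered from best to worst.
FEATURE_CODE_RANK = {"OK": 0, "CODE_UNSPECIFIED": 1, "WARNING": 2, "ERROR": 3}
# MembershipState.LifecycleState values that need no attention. Treating
# DISABLED as a deliberate configuration rather than a failure is this
# example's choice.
QUIET_LIFECYCLE = {"ACTIVE", "DISABLED"}
# MembershipState.Condition.Severity values worth surfacing.
REPORTED_SEVERITIES = {"ERROR", "WARNING"}


def triage_membership(name, mfs):
    """Return (membership, kind, detail) findings for one MembershipFeatureState."""
    findings = []
    state = mfs.get("state", {})
    # A missing or unset state is not treated as healthy.
    code = state.get("code", "CODE_UNSPECIFIED")
    if code != "OK":
        findings.append((name, f"feature_state:{code}", state.get("description", "")))
    mesh = mfs.get("servicemesh")
    if mesh is None:  # other union variants are not inspected by this example
        return findings
    for cond in mesh.get("conditions", []):
        sev = cond.get("severity", "SEVERITY_UNSPECIFIED")
        if sev in REPORTED_SEVERITIES:
            findings.append((name, f"mesh_condition:{sev}:{cond.get('code')}",
                             cond.get("details", "")))
    for plane in ("controlPlaneManagement", "dataPlaneManagement"):
        mgmt = mesh.get(plane, {})
        lc = mgmt.get("state", "LIFECYCLE_STATE_UNSPECIFIED")
        if lc not in QUIET_LIFECYCLE:
            detail = "; ".join(f"{d.get('code')}: {d.get('details')}"
                               for d in mgmt.get("details", []))
            findings.append((name, f"{plane}:{lc}", detail))
    return findings


def triage_feature(feature):
    """Collect findings for every Membership in feature["membershipStates"]."""
    findings = []
    for name, mfs in feature.get("membershipStates", {}).items():
        findings.extend(triage_membership(name, mfs))
    return findings


def worst_code(feature):
    """Worst FeatureState.Code across all memberships (CODE_UNSPECIFIED if none)."""
    codes = [m.get("state", {}).get("code", "CODE_UNSPECIFIED")
             for m in feature.get("membershipStates", {}).values()]
    if not codes:
        return "CODE_UNSPECIFIED"
    return max(codes, key=lambda c: FEATURE_CODE_RANK.get(c, 1))


# Constructed sample Feature response (only the fields this example reads).
SAMPLE_FEATURE = json.loads("""
{
  "name": "projects/example-project/locations/global/features/servicemesh",
  "membershipStates": {
    "projects/example-project/locations/us-central1/memberships/cluster-a": {
      "state": {"code": "OK", "description": "healthy",
                "updateTime": "2014-10-02T15:01:23Z"},
      "servicemesh": {
        "controlPlaneManagement": {"state": "ACTIVE", "implementation": "ISTIOD",
                                   "details": []},
        "dataPlaneManagement": {"state": "ACTIVE", "details": []},
        "conditions": [
          {"code": "VPCSC_GA_SUPPORTED", "details": "constructed info",
           "severity": "INFO"}
        ]
      }
    },
    "projects/example-project/locations/us-central1/memberships/cluster-b": {
      "state": {"code": "ERROR", "description": "control plane stalled",
                "updateTime": "2014-10-02T15:01:23Z"},
      "servicemesh": {
        "controlPlaneManagement": {"state": "STALLED", "implementation": "ISTIOD",
          "details": [{"code": "EXAMPLE_CODE", "details": "constructed detail"}]},
        "dataPlaneManagement": {"state": "PROVISIONING", "details": []},
        "conditions": [
          {"code": "MESH_IAM_PERMISSION_DENIED", "details": "constructed detail",
           "severity": "ERROR", "documentationLink": "https://example.invalid/doc"}
        ]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for finding in triage_feature(SAMPLE_FEATURE):
        print(*finding, sep="\\t")
    print("worst:", worst_code(SAMPLE_FEATURE))
```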

MembershipState

Metering: Per-Membership Feature State.

JSON representation
{
  "lastMeasurementTime": string,
  "preciseLastMeasuredClusterVcpuCapacity": number
}
Fields
lastMeasurementTime

string (Timestamp format)

The time stamp of the most recent measurement of the number of vCPUs in the cluster.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

preciseLastMeasuredClusterVcpuCapacity

number

The vCPUs capacity in the cluster according to the most recent measurement (1/1000 precision).

MembershipState

Anthos Config Management: State for a single cluster.

JSON representation
{
  "clusterName": string,
  "membershipSpec": {
    object (MembershipSpec)
  },
  "operatorState": {
    object (OperatorState)
  },
  "configSyncState": {
    object (ConfigSyncState)
  },
  "policyControllerState": {
    object (PolicyControllerState)
  },
  "binauthzState": {
    object (BinauthzState)
  },
  "hierarchyControllerState": {
    object (HierarchyControllerState)
  }
}
Fields
clusterName

string

This field is set to the clusterName field of the Membership Spec if it is not empty. Otherwise, it is set to the cluster's fleet membership name.

membershipSpec

object (MembershipSpec)

Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipSpec in the FeatureSpec represents the intended state.

operatorState

object (OperatorState)

Current install status of ACM's Operator

configSyncState

object (ConfigSyncState)

Current sync status

policyControllerState

object (PolicyControllerState)

PolicyController status

binauthzState

object (BinauthzState)

Binauthz status

hierarchyControllerState

object (HierarchyControllerState)

Hierarchy Controller status

OperatorState

State information for an ACM's Operator

JSON representation
{
  "version": string,
  "deploymentState": enum (DeploymentState),
  "errors": [
    {
      object (InstallError)
    }
  ]
}
Fields
version

string

The semantic version number of the operator.

deploymentState

enum (DeploymentState)

The state of the Operator's deployment

errors[]

object (InstallError)

Install errors.

DeploymentState

Enum representing the state of an ACM deployment on a cluster.

Enums
DEPLOYMENT_STATE_UNSPECIFIED Deployment's state cannot be determined
NOT_INSTALLED Deployment is not installed
INSTALLED Deployment is installed
ERROR Deployment installation was attempted, but has errors
PENDING Deployment is installing or terminating

InstallError

Errors pertaining to the installation of ACM

JSON representation
{
  "errorMessage": string
}
Fields
errorMessage

string

A string representing the user facing error message

ConfigSyncState

State information for ConfigSync

JSON representation
{
  "version": {
    object (ConfigSyncVersion)
  },
  "deploymentState": {
    object (ConfigSyncDeploymentState)
  },
  "syncState": {
    object (SyncState)
  },
  "errors": [
    {
      object (ConfigSyncError)
    }
  ],
  "rootsyncCrd": enum (ConfigSyncState.CRDState),
  "reposyncCrd": enum (ConfigSyncState.CRDState),
  "state": enum (ConfigSyncState.State),
  "clusterLevelStopSyncingState": enum (ConfigSyncState.StopSyncingState),
  "crCount": integer
}
Fields
version

object (ConfigSyncVersion)

The version of ConfigSync deployed

deploymentState

object (ConfigSyncDeploymentState)

Information about the deployment of ConfigSync, including the version of the various Pods deployed

syncState

object (SyncState)

The state of ConfigSync's process to sync configs to a cluster

errors[]

object (ConfigSyncError)

Errors pertaining to the installation of Config Sync.

rootsyncCrd

enum (ConfigSyncState.CRDState)

The state of the RootSync CRD

reposyncCrd

enum (ConfigSyncState.CRDState)

The state of the Reposync CRD

state

enum (ConfigSyncState.State)

The state of Config Sync. This field summarizes the other fields in this message.

clusterLevelStopSyncingState

enum (ConfigSyncState.StopSyncingState)

Whether syncing resources to the cluster is stopped at the cluster level.

crCount

integer

Output only. The number of RootSync and RepoSync CRs in the cluster.

ConfigSyncVersion

Specific versioning information pertaining to ConfigSync's Pods

JSON representation
{
  "importer": string,
  "syncer": string,
  "gitSync": string,
  "monitor": string,
  "reconcilerManager": string,
  "rootReconciler": string,
  "admissionWebhook": string,
  "resourceGroupControllerManager": string,
  "otelCollector": string
}
Fields
importer

string

Version of the deployed importer pod

syncer

string

Version of the deployed syncer pod

gitSync

string

Version of the deployed git-sync pod

monitor

string

Version of the deployed monitor pod

reconcilerManager

string

Version of the deployed reconciler-manager pod

rootReconciler

string

Version of the deployed reconciler container in root-reconciler pod

admissionWebhook

string

Version of the deployed admission-webhook pod

resourceGroupControllerManager

string

Version of the deployed resource-group-controller-manager pod

otelCollector

string

Version of the deployed otel-collector pod

ConfigSyncDeploymentState

The state of ConfigSync's deployment on a cluster

JSON representation
{
  "importer": enum (DeploymentState),
  "syncer": enum (DeploymentState),
  "gitSync": enum (DeploymentState),
  "monitor": enum (DeploymentState),
  "reconcilerManager": enum (DeploymentState),
  "rootReconciler": enum (DeploymentState),
  "admissionWebhook": enum (DeploymentState),
  "resourceGroupControllerManager": enum (DeploymentState),
  "otelCollector": enum (DeploymentState)
}
Fields
importer

enum (DeploymentState)

Deployment state of the importer pod

syncer

enum (DeploymentState)

Deployment state of the syncer pod

gitSync

enum (DeploymentState)

Deployment state of the git-sync pod

monitor

enum (DeploymentState)

Deployment state of the monitor pod

reconcilerManager

enum (DeploymentState)

Deployment state of reconciler-manager pod

rootReconciler

enum (DeploymentState)

Deployment state of root-reconciler

admissionWebhook

enum (DeploymentState)

Deployment state of admission-webhook

resourceGroupControllerManager

enum (DeploymentState)

Deployment state of resource-group-controller-manager

otelCollector

enum (DeploymentState)

Deployment state of otel-collector

SyncState

State indicating ACM's progress syncing configurations to a cluster.

JSON representation
{
  "sourceToken": string,
  "importToken": string,
  "syncToken": string,
  "lastSync": string,
  "lastSyncTime": string,
  "code": enum (SyncState.SyncCode),
  "errors": [
    {
      object (SyncError)
    }
  ]
}
Fields
sourceToken

string

Token indicating the state of the repo.

importToken

string

Token indicating the state of the importer.

syncToken

string

Token indicating the state of the syncer.

lastSync
(deprecated)

string

Deprecated: use lastSyncTime instead. Timestamp of when ACM last successfully synced the repo. The time format is specified in https://golang.org/pkg/time/#Time.String

lastSyncTime

string (Timestamp format)

Timestamp of when ACM last successfully synced the repo.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

code

enum (SyncState.SyncCode)

Sync status code

errors[]

object (SyncError)

A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist.

SyncState.SyncCode

An enum representing Config Sync's status of syncing configs to a cluster.

Enums
SYNC_CODE_UNSPECIFIED Config Sync cannot determine a sync code
SYNCED Config Sync successfully synced the git Repo with the cluster
PENDING Config Sync is in the progress of syncing a new change
ERROR Indicates an error configuring Config Sync, and user action is required
NOT_CONFIGURED Config Sync has been installed but not configured
NOT_INSTALLED Config Sync has not been installed
UNAUTHORIZED Error authorizing with the cluster
UNREACHABLE Cluster could not be reached

SyncError

An ACM-created error representing a problem syncing configurations.

JSON representation
{
  "code": string,
  "errorMessage": string,
  "errorResources": [
    {
      object (ErrorResource)
    }
  ]
}
Fields
code

string

An ACM defined error code

errorMessage

string

A description of the error

errorResources[]

object (ErrorResource)

A list of config(s) associated with the error, if any

ErrorResource

Model for a config file in the git repo with an associated Sync error

JSON representation
{
  "sourcePath": string,
  "resourceName": string,
  "resourceNamespace": string,
  "resourceGvk": {
    object (GroupVersionKind)
  }
}
Fields
sourcePath

string

Path in the git repo of the erroneous config

resourceName

string

Metadata name of the resource that is causing an error

resourceNamespace

string

Namespace of the resource that is causing an error

resourceGvk

object (GroupVersionKind)

Group/version/kind of the resource that is causing an error

GroupVersionKind

A Kubernetes object's GVK

JSON representation
{
  "group": string,
  "version": string,
  "kind": string
}
Fields
group

string

Kubernetes Group

version

string

Kubernetes Version

kind

string

Kubernetes Kind

ConfigSyncError

Errors pertaining to the installation of Config Sync

JSON representation
{
  "errorMessage": string
}
Fields
errorMessage

string

A string representing the user facing error message

ConfigSyncState.CRDState

CRDState representing the state of a CRD

Enums
CRD_STATE_UNSPECIFIED CRD's state cannot be determined
NOT_INSTALLED CRD is not installed
INSTALLED CRD is installed
TERMINATING CRD is terminating (i.e., it has been deleted and is cleaning up)
INSTALLING CRD is installing

ConfigSyncState.State

Enums
STATE_UNSPECIFIED CS's state cannot be determined.
CONFIG_SYNC_NOT_INSTALLED CS is not installed.
CONFIG_SYNC_INSTALLED The expected CS version is installed successfully.
CONFIG_SYNC_ERROR CS encounters errors.
CONFIG_SYNC_PENDING CS is installing or terminating.

ConfigSyncState.StopSyncingState

Enums
STOP_SYNCING_STATE_UNSPECIFIED State cannot be determined
NOT_STOPPED Syncing resources to the cluster is not stopped at the cluster level.
PENDING Some reconcilers have stopped syncing resources to the cluster, while others are still syncing.
STOPPED Syncing resources to the cluster is stopped at the cluster level.

PolicyControllerState

State for Policy Controller.

JSON representation
{
  "version": {
    object (PolicyControllerVersion)
  },
  "deploymentState": {
    object (GatekeeperDeploymentState)
  },
  "migration": {
    object (PolicyControllerMigration)
  }
}
Fields
version

object (PolicyControllerVersion)

The version of Gatekeeper Policy Controller deployed.

deploymentState

object (GatekeeperDeploymentState)

The state about the policy controller installation.

migration

object (PolicyControllerMigration)

Records the state of the ACM -> PoCo Hub migration for this feature.

PolicyControllerVersion

The build version that Gatekeeper Policy Controller is using.

JSON representation
{
  "version": string
}
Fields
version

string

The gatekeeper image tag that is composed of ACM version, git tag, build number.

GatekeeperDeploymentState

State of Policy Controller installation.

JSON representation
{
  "gatekeeperControllerManagerState": enum (DeploymentState),
  "gatekeeperAudit": enum (DeploymentState),
  "gatekeeperMutation": enum (DeploymentState)
}
Fields
gatekeeperControllerManagerState

enum (DeploymentState)

Status of gatekeeper-controller-manager pod.

gatekeeperAudit

enum (DeploymentState)

Status of gatekeeper-audit deployment.

gatekeeperMutation

enum (DeploymentState)

Status of the pod serving the mutation webhook.

PolicyControllerMigration

State for the migration of PolicyController from ACM -> PoCo Hub.

JSON representation
{
  "stage": enum (PolicyControllerMigration.Stage),
  "copyTime": string
}
Fields
stage

enum (PolicyControllerMigration.Stage)

Stage of the migration.

copyTime

string (Timestamp format)

Last time this membership spec was copied to PoCo feature.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

PolicyControllerMigration.Stage

Stage marks what stage of the migration ACM hub is in.

Enums
STAGE_UNSPECIFIED Unknown state of migration.
ACM_MANAGED ACM Hub/Operator manages policycontroller. No migration yet completed.
POCO_MANAGED All migration steps are complete; PoCo Hub now manages Policy Controller.

BinauthzState

State for Binauthz

JSON representation
{
  "webhook": enum (DeploymentState),
  "version": {
    object (BinauthzVersion)
  }
}
Fields
webhook

enum (DeploymentState)

The state of the binauthz webhook.

version

object (BinauthzVersion)

The version of binauthz that is installed.

BinauthzVersion

The version of binauthz.

JSON representation
{
  "webhookVersion": string
}
Fields
webhookVersion

string

The version of the binauthz webhook.

HierarchyControllerState

State for Hierarchy Controller

JSON representation
{
  "version": {
    object (HierarchyControllerVersion)
  },
  "state": {
    object (HierarchyControllerDeploymentState)
  }
}
Fields
version

object (HierarchyControllerVersion)

The version for Hierarchy Controller

state

object (HierarchyControllerDeploymentState)

The deployment state for Hierarchy Controller

HierarchyControllerVersion

Version for Hierarchy Controller

JSON representation
{
  "hnc": string,
  "extension": string
}
Fields
hnc

string

Version for open source HNC

extension

string

Version for Hierarchy Controller extension

HierarchyControllerDeploymentState

Deployment state for Hierarchy Controller

JSON representation
{
  "hnc": enum (DeploymentState),
  "extension": enum (DeploymentState)
}
Fields
hnc

enum (DeploymentState)

The deployment state for open source HNC (e.g. v0.7.0-hc.0)

extension

enum (DeploymentState)

The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1)

MembershipState

Anthos Identity Service: State for a single Membership.

JSON representation
{
  "installedVersion": string,
  "state": enum (MembershipState.DeploymentState),
  "failureReason": string,
  "memberConfig": {
    object (MembershipSpec)
  }
}
Fields
installedVersion

string

Installed AIS version. This is the AIS version installed on this member. The value is only meaningful if state is OK.

state

enum (MembershipState.DeploymentState)

Deployment state on this member

failureReason

string

The reason of the failure.

memberConfig

object (MembershipSpec)

Last reconciled membership configuration

MembershipState.DeploymentState

Deployment state enum

Enums
DEPLOYMENT_STATE_UNSPECIFIED Unspecified state
OK Deployment succeeded.
ERROR Failure with error.

MembershipState

Policy Controller: State for a single cluster.

JSON representation
{
  "componentStates": {
    string: {
      object (OnClusterState)
    },
    ...
  },
  "state": enum (MembershipState.LifecycleState),
  "policyContentState": {
    object (PolicyContentState)
  }
}
Fields
componentStates

map (key: string, value: object (OnClusterState))

Currently these include (also serving as map keys): 1. "admission" 2. "audit" 3. "mutation"

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

state

enum (MembershipState.LifecycleState)

The overall Policy Controller lifecycle state observed by the Hub Feature controller.

policyContentState

object (PolicyContentState)

The overall content state observed by the Hub Feature controller.

OnClusterState

OnClusterState represents the state of a sub-component of Policy Controller.

JSON representation
{
  "state": enum (MembershipState.LifecycleState),
  "details": string
}
Fields
state

enum (MembershipState.LifecycleState)

The lifecycle state of this component.

details

string

Surface potential errors or information logs.

MembershipState.LifecycleState

The set of states Policy Controller can exist in.

Enums
LIFECYCLE_STATE_UNSPECIFIED The lifecycle state is unspecified.
NOT_INSTALLED The PC does not exist on the given cluster, and no k8s resources of any type that are associated with the PC should exist there. The cluster does not possess a membership with the PCH.
INSTALLING The PCH possesses a Membership, however the PC is not fully installed on the cluster. In this state the hub can be expected to be taking actions to install the PC on the cluster.
ACTIVE The PC is fully installed on the cluster and in an operational mode. In this state PCH will be reconciling state with the PC, and the PC will be performing its operational tasks per that software. Entering a READY state requires that the hub has confirmed the PC is installed and its pods are operational with the version of the PC the PCH expects.
UPDATING The PC is fully installed, but in the process of changing the configuration (including changing the version of PC either up or down, or modifying the manifests of PC) of the resources running on the cluster. The PCH has a Membership, is aware of the version the cluster should be running in, but has not confirmed for itself that the PC is running with that version.
DECOMMISSIONING The PC may have resources on the cluster, but the PCH wishes to remove the Membership. The Membership still exists.
CLUSTER_ERROR The PC is not operational, and the PCH is unable to act to make it operational. Entering a CLUSTER_ERROR state happens automatically when the PCH determines that a PC installed on the cluster is non-operative or that the cluster does not meet requirements set for the PCH to administer the cluster but has nevertheless been given an instruction to do so (such as 'install').
HUB_ERROR In this state, the PC may still be operational, and only the PCH is unable to act. The hub should not issue instructions to change the PC state, or otherwise interfere with the on-cluster resources. Entering a HUB_ERROR state happens automatically when the PCH determines the hub is in an unhealthy state and it wishes to 'take hands off' to avoid corrupting the PC or other data.
SUSPENDED Policy Controller (PC) is installed but suspended. This means that the policies are not enforced, but violations are still recorded (through audit).
DETACHED PoCo Hub is not taking any action to reconcile cluster objects. Changes to those objects will not be overwritten by PoCo Hub.

PolicyContentState

The state of the policy controller policy content

JSON representation
{
  "templateLibraryState": {
    object (OnClusterState)
  },
  "bundleStates": {
    string: {
      object (OnClusterState)
    },
    ...
  },
  "referentialSyncConfigState": {
    object (OnClusterState)
  }
}
Fields
templateLibraryState

object (OnClusterState)

The state of the template library

bundleStates

map (key: string, value: object (OnClusterState))

The state of any bundles included in the chosen version of the manifest.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

referentialSyncConfigState

object (OnClusterState)

The state of the referential data sync configuration. This could represent the state of either the syncSet object(s) or the config object, depending on the version of PoCo configured by the user.

MembershipState

Per-membership state for this feature.

JSON representation
{
  "upgrades": [
    {
      object (MembershipGKEUpgradeState)
    }
  ],
  "scopes": [
    string
  ],
  "ignored": {
    object (IgnoredMembership)
  }
}
Fields
upgrades[]

object (MembershipGKEUpgradeState)

Actual upgrade state against desired.

scopes[]

string

Fully qualified names of the scopes that this cluster is bound to and that also have rollout sequencing enabled.

ignored

object (IgnoredMembership)

Whether this membership is ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of their release channel.

MembershipGKEUpgradeState

ScopeGKEUpgradeState is a GKEUpgrade and its state per-membership.

JSON representation
{
  "upgrade": {
    object (GKEUpgrade)
  },
  "status": {
    object (UpgradeStatus)
  }
}
Fields
upgrade

object (GKEUpgrade)

The upgrade whose state is being tracked.

status

object (UpgradeStatus)

Status of the upgrade.

MembershipState

This type has no fields.

FleetObservability: Membership-specific Feature state for fleetobservability.

MembershipState

This type has no fields.

Namespace Actuation: An empty state left as an example membership-specific Feature state.

CommonFleetDefaultMemberConfigSpec

CommonFleetDefaultMemberConfigSpec contains default configuration information for memberships of a fleet

JSON representation
{

  // Union field feature_spec can be only one of the following:
  "mesh": {
    object (MembershipSpec)
  },
  "configmanagement": {
    object (MembershipSpec)
  },
  "identityservice": {
    object (MembershipSpec)
  },
  "policycontroller": {
    object (MembershipSpec)
  }
  // End of list of possible types for union field feature_spec.
}
Fields

Union field feature_spec.

feature_spec can be only one of the following:

mesh

object (MembershipSpec)

Anthos Service Mesh-specific spec

configmanagement

object (MembershipSpec)

Config Management-specific spec.

identityservice

object (MembershipSpec)

Identity Service-specific spec.

policycontroller

object (MembershipSpec)

Policy Controller spec.

ScopeFeatureSpec

ScopeFeatureSpec contains feature specs for a fleet scope.

JSON representation
{

  // Union field feature_spec can be only one of the following:
  "clusterupgrade": {
    object (ScopeSpec)
  }
  // End of list of possible types for union field feature_spec.
}
Fields

Union field feature_spec.

feature_spec can be only one of the following:

clusterupgrade

object (ScopeSpec)

Spec for the ClusterUpgrade feature at the scope level

ScopeSpec

ClusterUpgrade: The configuration for the scope-level ClusterUpgrade feature.

JSON representation
{
  "upstreamScopes": [
    string
  ],
  "postConditions": {
    object (PostConditions)
  },
  "gkeUpgradeOverrides": [
    {
      object (GKEUpgradeOverride)
    }
  ]
}
Fields
upstreamScopes[]

string

This scope consumes upgrades that have COMPLETE status code in the upstream scopes. See UpgradeStatus.Code for code definitions.

The scope name should be in the form:

projects/{p}/locations/global/scopes/{s}

Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project.

This is defined as repeated for future-proofing reasons. The initial implementation enforces at most one upstream scope.

postConditions

object (PostConditions)

Required. Post conditions to evaluate to mark an upgrade COMPLETE.

gkeUpgradeOverrides[]

object (GKEUpgradeOverride)

Allow users to override some properties of each GKE upgrade.
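The ScopeSpec fields above carry three constraints a client should check before sending a patch: every upstreamScopes entry must be a name of the form projects/{p}/locations/global/scopes/{s}, {p} must match the Feature's project, at most one upstream scope is enforced, and postConditions is required. The following validator is an added example written for this page; it is not part of the GKE Hub API or client libraries. The Feature name, scope names and the postConditions contents (the soaking field) are constructed sample values, and the validator only checks the constraints documented for ScopeSpec, not the contents of PostConditions or GKEUpgradeOverride.

```python
import re

# Resource-name formats documented for ScopeSpec.upstreamScopes and for the
# Feature resource name (projects/*/locations/*/features/*).
SCOPE_NAME_RE = re.compile(
    r"^projects/(?P<p>[^/]+)/locations/global/scopes/(?P<s>[^/]+)$"
)
FEATURE_NAME_RE = re.compile(
    r"^projects/(?P<p>[^/]+)/locations/(?P<l>[^/]+)/features/(?P<f>[^/]+)$"
)

# Documented limit: the initial implementation enforces at most one upstream scope.
MAX_UPSTREAM_SCOPES = 1


def validate_scope_spec(feature_name: str, scope_spec: dict) -> list[str]:
    """Check one ScopeSpec (the value under scopeSpecs[...].clusterupgrade)
    against the constraints documented for ScopeSpec.

    Returns a list of human-readable problems; an empty list means every
    documented constraint this validator knows about is satisfied.
    """
    problems: list[str] = []

    feature = FEATURE_NAME_RE.match(feature_name)
    if feature is None:
        # Without a well-formed Feature name the project match cannot be checked.
        return [f"feature name {feature_name!r} is not projects/*/locations/*/features/*"]
    feature_project = feature.group("p")

    upstream = scope_spec.get("upstreamScopes", [])
    if not isinstance(upstream, list):
        problems.append("upstreamScopes must be a list of scope names")
        upstream = []
    if len(upstream) > MAX_UPSTREAM_SCOPES:
        problems.append(
            f"upstreamScopes has {len(upstream)} entries; "
            f"at most {MAX_UPSTREAM_SCOPES} is enforced"
        )
    for name in upstream:
        m = SCOPE_NAME_RE.match(name)
        if m is None:
            problems.append(
                f"upstream scope {name!r} is not projects/{{p}}/locations/global/scopes/{{s}}"
            )
        elif m.group("p") != feature_project:
            # {p} WILL match the Feature's project.
            problems.append(
                f"upstream scope {name!r} is in project {m.group('p')!r}, "
                f"but the Feature is in {feature_project!r}"
            )

    # postConditions is documented as Required.
    if not scope_spec.get("postConditions"):
        problems.append("postConditions is required")

    return problems


# Constructed sample values (not real resources).
FEATURE_NAME = "projects/example-project/locations/global/features/clusterupgrade"
GOOD_SPEC = {
    "upstreamScopes": ["projects/example-project/locations/global/scopes/dev"],
    # "soaking" is assumed to be the PostConditions duration field; it is not
    # validated here.
    "postConditions": {"soaking": "172800s"},
}
BAD_SPEC = {
    "upstreamScopes": [
        "projects/other-project/locations/global/scopes/dev",       # wrong project
        "projects/example-project/locations/us-central1/scopes/prod",  # not /locations/global/
    ],  # also two entries, and postConditions is missing
}

if __name__ == "__main__":
    for label, spec in (("good", GOOD_SPEC), ("bad", BAD_SPEC)):
        print(label, validate_scope_spec(FEATURE_NAME, spec))
```

Run the validator against the JSON you intend to send in a patch request; a non-empty list means the server would reject the spec (or, for a cross-project upstream scope, that a rollout dependency points outside the fleet's project), so the problem is caught before any change reaches the fleet.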

ScopeFeatureState

ScopeFeatureState contains Scope-wide Feature status information.

JSON representation
{
  "state": {
    object (FeatureState)
  },

  // Union field feature_state can be only one of the following:
  "clusterupgrade": {
    object (ScopeState)
  }
  // End of list of possible types for union field feature_state.
}
Fields
state

object (FeatureState)

Output only. The "running state" of the Feature in this Scope.

Union field feature_state.

feature_state can be only one of the following:

clusterupgrade

object (ScopeState)

State for the ClusterUpgrade feature at the scope level

ScopeState

ClusterUpgrade: The state for the scope-level ClusterUpgrade feature.

JSON representation
{
  "downstreamScopes": [
    string
  ],
  "ignored": {
    string: {
      object (IgnoredMembership)
    },
    ...
  },
  "gkeState": {
    object (GKEUpgradeFeatureState)
  }
}
Fields
downstreamScopes[]

string

The scopes whose upstreamScopes contain the current scope.

The scope name should be in the form:

projects/{p}/locations/global/scopes/{s}

Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project.

ignored

map (key: string, value: object (IgnoredMembership))

A list of memberships ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of their release channel. The membership resource is in the format: projects/{p}/locations/{l}/membership/{m}.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

gkeState

object (GKEUpgradeFeatureState)

Feature state for GKE clusters.

Methods

create

Adds a new Feature.

delete

Removes a Feature.

get

Gets details of a single Feature.

getIamPolicy

Gets the access control policy for a resource.

list

Lists Features in a given project and location.

patch

Updates an existing Feature.

setIamPolicy

Sets the access control policy on the specified resource.

testIamPermissions

Returns permissions that a caller has on the specified resource.