REST Resource: projects.locations.memberships.features

Resource: MembershipFeature

MembershipFeature represents the settings and status of a Fleet Feature enabled on a single Fleet Membership.

JSON representation
{
  "name": string,
  "labels": {
    string: string,
    ...
  },
  "featureConfigRef": {
    object (FeatureConfigRef)
  },
  "spec": {
    object (FeatureSpec)
  },
  "state": {
    object (FeatureState)
  },
  "lifecycleState": {
    object (LifecycleState)
  },
  "createTime": string,
  "updateTime": string,
  "deleteTime": string
}
Fields
name

string

Output only. The resource name of the membershipFeature, in the format: projects/{project}/locations/{location}/memberships/{membership}/features/{feature}. Note that membershipFeatures is shortened to features in the resource name. (see http://go/aip/122#collection-identifiers)

labels

map (key: string, value: string)

GCP labels for this MembershipFeature.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

featureConfigRef

object (FeatureConfigRef)

Reference information for a FeatureConfig applied on the MembershipFeature.

spec

object (FeatureSpec)

Spec of this membershipFeature.

state

object (FeatureState)

Output only. State of this membershipFeature.

lifecycleState

object (LifecycleState)

Output only. Lifecycle information of the resource itself.

createTime

string (Timestamp format)

Output only. When the MembershipFeature resource was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. When the MembershipFeature resource was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

deleteTime

string (Timestamp format)

Output only. When the MembershipFeature resource was deleted.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

FeatureConfigRef

Information of the FeatureConfig applied on the MembershipFeature.

JSON representation
{
  "config": string,
  "uuid": string,
  "configUpdateTime": string
}
Fields
config

string

Input only. Resource name of FeatureConfig, in the format: projects/{project}/locations/global/featureConfigs/{featureConfig}.

uuid

string

Output only. An ID that uniquely identifies a FeatureConfig object.

configUpdateTime

string (Timestamp format)

Output only. When the FeatureConfig was last applied and copied to FeatureSpec.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

FeatureSpec

FeatureSpec contains the user-supplied per-feature spec information.

JSON representation
{
  "origin": {
    object (FeatureSpec.Origin)
  },

  // Union field feature_spec can be only one of the following:
  "workloadcertificate": {
    object (Spec)
  },
  "cloudbuild": {
    object (Spec)
  },
  "policycontroller": {
    object (Spec)
  },
  "identityservice": {
    object (Spec)
  },
  "servicemesh": {
    object (Spec)
  },
  "configmanagement": {
    object (Spec)
  }
  // End of list of possible types for union field feature_spec.
}
Fields
origin

object (FeatureSpec.Origin)

Whether this per-Feature spec was inherited from a fleet-level default. This field can be updated by users by either overriding a Feature config (updated to USER implicitly) or setting to FLEET explicitly.

Union field feature_spec. Spec specific to each Fleet feature. The oneof feature type always matches the {feature-type} in the FeatureConfig resource name. feature_spec can be only one of the following:
workloadcertificate

object (Spec)

Workloadcertificate-specific FeatureSpec.

cloudbuild

object (Spec)

Cloudbuild-specific FeatureSpec.

policycontroller

object (Spec)

Policycontroller-specific FeatureSpec.

identityservice

object (Spec)

IdentityService FeatureSpec.

servicemesh

object (Spec)

ServiceMesh Feature Spec.

configmanagement

object (Spec)

Config Management FeatureSpec.

Spec

WorkloadCertificate: The membership-specific input for the WorkloadCertificate feature.

JSON representation
{
  "certificateManagement": enum (Spec.CertificateManagement)
}
Fields
certificateManagement

enum (Spec.CertificateManagement)

CertificateManagement specifies workload certificate management.

Spec.CertificateManagement

CertificateManagement specifies whether or not the feature is enabled on the member cluster.

Enums
CERTIFICATE_MANAGEMENT_UNSPECIFIED Disable workload certificate feature.
DISABLED Disable workload certificate feature.
ENABLED Enable workload certificate feature.

Spec

Cloud Build: Configurations for each Cloud Build enabled cluster.

JSON representation
{
  "version": string,
  "securityPolicy": enum (Spec.SecurityPolicy)
}
Fields
version

string

Version of the cloud build software on the cluster.

securityPolicy

enum (Spec.SecurityPolicy)

Whether privileged builds are allowed to run on the cluster.

Spec.SecurityPolicy

Different security policies we can apply to the cluster.

Enums
SECURITY_POLICY_UNSPECIFIED Unspecified policy
NON_PRIVILEGED Privileged build pods are disallowed
PRIVILEGED Privileged build pods are allowed

Spec

Policy Controller: Configuration for a single cluster. Intended to parallel the PolicyController CR.

JSON representation
{
  "policyControllerHubConfig": {
    object (HubConfig)
  },
  "version": string
}
Fields
policyControllerHubConfig

object (HubConfig)

Policy Controller configuration for the cluster.

version

string

Version of Policy Controller installed.

HubConfig

Configuration for Policy Controller

JSON representation
{
  "installSpec": enum (HubConfig.InstallSpec),
  "exemptableNamespaces": [
    string
  ],
  "referentialRulesEnabled": boolean,
  "logDeniesEnabled": boolean,
  "mutationEnabled": boolean,
  "deploymentConfigs": {
    string: {
      object (PolicyControllerDeploymentConfig)
    },
    ...
  },
  "auditIntervalSeconds": string,
  "monitoring": {
    object (MonitoringConfig)
  },
  "policyContent": {
    object (PolicyContentSpec)
  },
  "constraintViolationLimit": string
}
Fields
installSpec

enum (HubConfig.InstallSpec)

The installSpec represents the intended state specified by the latest request that mutated installSpec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state.

exemptableNamespaces[]

string

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.

referentialRulesEnabled

boolean

Enables the use of Constraint Templates that reference objects other than the object currently being evaluated.

logDeniesEnabled

boolean

Logs all denies and dry run failures.

mutationEnabled

boolean

Enables the ability to mutate resources using Policy Controller.

deploymentConfigs

map (key: string, value: object (PolicyControllerDeploymentConfig))

Map of deployment configs to deployments (“admission”, “audit”, “mutation”).

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

auditIntervalSeconds

string (int64 format)

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

monitoring

object (MonitoringConfig)

Monitoring specifies the configuration of monitoring.

policyContent

object (PolicyContentSpec)

Specifies the desired policy content on the cluster

constraintViolationLimit

string (int64 format)

The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used.

HubConfig.InstallSpec

Enums
INSTALL_SPEC_UNSPECIFIED Spec is unknown.
INSTALL_SPEC_NOT_INSTALLED Request to uninstall Policy Controller.
INSTALL_SPEC_ENABLED Request to install and enable Policy Controller.
INSTALL_SPEC_SUSPENDED Request to suspend Policy Controller i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended.
INSTALL_SPEC_DETACHED Request to stop all reconciliation actions by PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources.

MonitoringConfig

MonitoringConfig specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]

JSON representation
{
  "backends": [
    enum (MonitoringConfig.MonitoringBackend)
  ]
}
Fields
backends[]

enum (MonitoringConfig.MonitoringBackend)

Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.

MonitoringConfig.MonitoringBackend

Supported backend options for monitoring

Enums
MONITORING_BACKEND_UNSPECIFIED Backend cannot be determined
PROMETHEUS Prometheus backend for monitoring
CLOUD_MONITORING Stackdriver/Cloud Monitoring backend for monitoring
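As an added example (not code from the GKE Hub API or its client libraries), the following reviews a MembershipFeature spec for the settings this reference flags as weakening enforcement: the policycontroller HubConfig (installSpec, auditIntervalSeconds, logDeniesEnabled, monitoring.backends, exemptableNamespaces) and the cloudbuild securityPolicy above. The sample feature, the SYSTEM_NAMESPACES list and the 60-second audit interval used by harden() are assumptions of the example, not documented defaults.

```python
"""Review a MembershipFeature spec for the weak settings the reference describes.
Added example: field names follow the JSON representation above; the sample spec,
namespace allow-list and hardening values are constructed for illustration."""
import copy
import json

# Assumption of this example: namespaces commonly exempted from admission checks,
# so they are not flagged when listed in exemptableNamespaces.
SYSTEM_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease", "gatekeeper-system"}


def review_hub_config(hub: dict) -> list[str]:
    """Return findings for a policycontroller HubConfig object."""
    findings = []
    install = hub.get("installSpec", "INSTALL_SPEC_UNSPECIFIED")
    if install == "INSTALL_SPEC_DETACHED":
        findings.append("installSpec=INSTALL_SPEC_DETACHED: Hub stopped reconciling; "
                        "breakglass setting that should not persist")
    elif install == "INSTALL_SPEC_SUSPENDED":
        findings.append("installSpec=INSTALL_SPEC_SUSPENDED: webhooks suspended, policies not enforced")
    elif install != "INSTALL_SPEC_ENABLED":
        findings.append(f"installSpec={install}: Policy Controller not requested as enabled")
    # auditIntervalSeconds is a string in int64 format; "0" disables audit altogether.
    audit = hub.get("auditIntervalSeconds")
    if audit is not None and int(audit) == 0:
        findings.append("auditIntervalSeconds=0: audit scans disabled")
    if not hub.get("logDeniesEnabled", False):
        findings.append("logDeniesEnabled=false: denies and dry-run failures are not logged")
    # An empty backends list effectively disables metrics export.
    if not hub.get("monitoring", {}).get("backends"):
        findings.append("monitoring.backends empty: metrics export disabled")
    for ns in hub.get("exemptableNamespaces", []):
        if ns not in SYSTEM_NAMESPACES:
            findings.append(f"exemptableNamespaces includes workload namespace {ns!r}")
    return findings


def review_cloud_build(spec: dict) -> list[str]:
    """Return findings for a cloudbuild Spec: only NON_PRIVILEGED disallows privileged build pods."""
    policy = spec.get("securityPolicy", "SECURITY_POLICY_UNSPECIFIED")
    if policy == "NON_PRIVILEGED":
        return []
    return [f"securityPolicy={policy}: privileged build pods are not explicitly disallowed"]


def review_membership_feature(feature: dict) -> list[str]:
    """Dispatch on the feature_spec union; feature types not reviewed here yield no findings."""
    spec = feature.get("spec", {})
    findings = []
    if "policycontroller" in spec:
        findings += review_hub_config(spec["policycontroller"].get("policyControllerHubConfig", {}))
    if "cloudbuild" in spec:
        findings += review_cloud_build(spec["cloudbuild"])
    return findings


# Constructed sample: a policycontroller MembershipFeature with several weak settings.
WEAK_FEATURE = json.loads("""{
  "name": "projects/example-project/locations/global/memberships/example-membership/features/policycontroller",
  "spec": {"policycontroller": {"version": "1.17.0", "policyControllerHubConfig": {
    "installSpec": "INSTALL_SPEC_SUSPENDED",
    "auditIntervalSeconds": "0",
    "logDeniesEnabled": false,
    "exemptableNamespaces": ["kube-system", "payments"],
    "monitoring": {"backends": []}
  }}}
}""")


def harden(feature: dict) -> dict:
    """Return a copy with the reviewed HubConfig fields set to enforcing values.
    The 60-second audit interval is this example's choice, not a documented default."""
    fixed = copy.deepcopy(feature)
    hub = fixed["spec"]["policycontroller"]["policyControllerHubConfig"]
    hub["installSpec"] = "INSTALL_SPEC_ENABLED"
    hub["auditIntervalSeconds"] = "60"
    hub["logDeniesEnabled"] = True
    hub["monitoring"] = {"backends": ["CLOUD_MONITORING"]}
    hub["exemptableNamespaces"] = [ns for ns in hub["exemptableNamespaces"] if ns in SYSTEM_NAMESPACES]
    return fixed


if __name__ == "__main__":
    for line in review_membership_feature(WEAK_FEATURE):
        print("finding:", line)
    print("after hardening:", review_membership_feature(harden(WEAK_FEATURE)))
```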

PolicyContentSpec

PolicyContentSpec defines the user's desired content configuration on the cluster.

JSON representation
{
  "bundles": {
    string: {
      object (BundleInstallSpec)
    },
    ...
  },
  "templateLibrary": {
    object (TemplateLibraryConfig)
  }
}
Fields
bundles

map (key: string, value: object (BundleInstallSpec))

Map of bundle name to BundleInstallSpec. The bundle name maps to the bundleName key in the policycontroller.gke.io/constraintData annotation on a constraint.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

templateLibrary

object (TemplateLibraryConfig)

Configures the installation of the Template Library.

BundleInstallSpec

BundleInstallSpec is the specification configuration for a single managed bundle.

JSON representation
{
  "exemptedNamespaces": [
    string
  ]
}
Fields
exemptedNamespaces[]

string

The set of namespaces to be exempted from the bundle.

TemplateLibraryConfig

The config specifying which default library templates to install.

JSON representation
{
  "installation": enum (TemplateLibraryConfig.Installation)
}
Fields
installation

enum (TemplateLibraryConfig.Installation)

Configures the manner in which the template library is installed on the cluster.

TemplateLibraryConfig.Installation

How the template library should be installed

Enums
INSTALLATION_UNSPECIFIED No installation strategy has been specified.
NOT_INSTALLED Do not install the template library.
ALL Install the entire template library.

PolicyControllerDeploymentConfig

Deployment-specific configuration.

JSON representation
{
  "podTolerations": [
    {
      object (PolicyControllerDeploymentConfig.Toleration)
    }
  ],
  "podAffinity": enum (PolicyControllerDeploymentConfig.Affinity),
  "replicaCount": string,
  "containerResources": {
    object (ResourceRequirements)
  },
  "podAntiAffinity": boolean
}
Fields
podTolerations[]

object (PolicyControllerDeploymentConfig.Toleration)

Pod tolerations of node taints.

podAffinity

enum (PolicyControllerDeploymentConfig.Affinity)

Pod affinity configuration.

replicaCount

string (int64 format)

Pod replica count.

containerResources

object (ResourceRequirements)

Container resource requirements.

podAntiAffinity
(deprecated)

boolean

Pod anti-affinity enablement. Deprecated: use podAffinity instead.

ResourceRequirements

ResourceRequirements describes the compute resource requirements.

JSON representation
{
  "limits": {
    object (ResourceList)
  },
  "requests": {
    object (ResourceList)
  }
}
Fields
limits

object (ResourceList)

Limits describes the maximum amount of compute resources allowed for use by the running container.

requests

object (ResourceList)

Requests describes the amount of compute resources reserved for the container by the kube-scheduler.

ResourceList

ResourceList contains container resource requirements.

JSON representation
{
  "memory": string,
  "cpu": string
}
Fields
memory

string

Memory requirement expressed in Kubernetes resource units.

cpu

string

CPU requirement expressed in Kubernetes resource units.

PolicyControllerDeploymentConfig.Toleration

Toleration of a node taint.

JSON representation
{
  "key": string,
  "operator": string,
  "value": string,
  "effect": string
}
Fields
key

string

Matches a taint key (not necessarily unique).

operator

string

Matches a taint operator.

value

string

Matches a taint value.

effect

string

Matches a taint effect.

PolicyControllerDeploymentConfig.Affinity

The pod affinity configuration used by a deployment.

Enums
AFFINITY_UNSPECIFIED No affinity configuration has been specified.
NO_AFFINITY Affinity configurations will be removed from the deployment.
ANTI_AFFINITY Anti-affinity configuration will be applied to this deployment. Default for admissions deployment.

Spec

IdentityService: Configuration for a single membership.

JSON representation
{
  "authMethods": [
    {
      object (Spec.AuthMethod)
    }
  ],
  "identityServiceOptions": {
    object (Spec.IdentityServiceOptions)
  }
}
Fields
authMethods[]

object (Spec.AuthMethod)

A member may support multiple auth methods.

identityServiceOptions

object (Spec.IdentityServiceOptions)

Optional. Non-protocol-related configuration options.

Spec.AuthMethod

Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC or LDAP) can be set per AuthMethod.

JSON representation
{
  "name": string,
  "proxy": string,

  // Union field auth_config can be only one of the following:
  "oidcConfig": {
    object (Spec.AuthMethod.OidcConfig)
  },
  "azureadConfig": {
    object (Spec.AuthMethod.AzureADConfig)
  },
  "googleConfig": {
    object (Spec.AuthMethod.GoogleConfig)
  },
  "samlConfig": {
    object (Spec.AuthMethod.SamlConfig)
  },
  "ldapConfig": {
    object (Spec.AuthMethod.LdapConfig)
  }
  // End of list of possible types for union field auth_config.
}
Fields
name

string

Identifier for auth config.

proxy

string

Proxy server address to use for auth method.

Union field auth_config. Supported auth configurations. auth_config can be only one of the following:
oidcConfig

object (Spec.AuthMethod.OidcConfig)

OIDC specific configuration.

azureadConfig

object (Spec.AuthMethod.AzureADConfig)

AzureAD specific Configuration.

googleConfig

object (Spec.AuthMethod.GoogleConfig)

GoogleConfig-specific configuration.

samlConfig

object (Spec.AuthMethod.SamlConfig)

SAML specific configuration.

ldapConfig

object (Spec.AuthMethod.LdapConfig)

LDAP specific configuration.

Spec.AuthMethod.OidcConfig

Configuration for OIDC Auth flow.

JSON representation
{
  "clientId": string,
  "certificateAuthorityData": string,
  "issuerUri": string,
  "kubectlRedirectUri": string,
  "scopes": string,
  "extraParams": string,
  "userClaim": string,
  "userPrefix": string,
  "groupsClaim": string,
  "groupPrefix": string,
  "deployCloudConsoleProxy": boolean,
  "clientSecret": string,
  "encryptedClientSecret": string,
  "enableAccessToken": boolean
}
Fields
clientId

string

ID for OIDC client application.

certificateAuthorityData

string

PEM-encoded CA for OIDC provider.

issuerUri

string

URI for the OIDC provider. This should point to the level below .well-known/openid-configuration.

kubectlRedirectUri

string

Registered redirect URI to which users going through the OAuth flow with the kubectl plugin are redirected.

scopes

string

Comma-separated list of identifiers.

extraParams

string

Comma-separated list of key-value pairs.

userClaim

string

Claim in OIDC ID token that holds username.

userPrefix

string

Prefix to prepend to user name.

groupsClaim

string

Claim in OIDC ID token that holds group information.

groupPrefix

string

Prefix to prepend to group name.

deployCloudConsoleProxy

boolean

Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console.

clientSecret

string

Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH.

encryptedClientSecret

string (bytes format)

Output only. Encrypted OIDC client secret.

A base64-encoded string.

enableAccessToken

boolean

Enable access token.

Spec.AuthMethod.AzureADConfig

Configuration for the AzureAD Auth flow.

JSON representation
{
  "clientId": string,
  "tenant": string,
  "kubectlRedirectUri": string,
  "clientSecret": string,
  "encryptedClientSecret": string,
  "userClaim": string,
  "groupFormat": string
}
Fields
clientId

string

ID for the registered client application that makes authentication requests to the Azure AD identity provider.

tenant

string

Kind of Azure AD account to be authenticated. Supported values are or for accounts belonging to a specific tenant.

kubectlRedirectUri

string

The redirect URL that kubectl uses for authorization.

clientSecret

string

Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH.

encryptedClientSecret

string (bytes format)

Output only. Encrypted AzureAD client secret.

A base64-encoded string.

userClaim

string

Optional. Claim in the AzureAD ID Token that holds the user details.

groupFormat

string

Optional. Format of the AzureAD groups that the client wants for auth.

Spec.AuthMethod.GoogleConfig

Configuration for the Google Plugin Auth flow.

JSON representation
{
  "disable": boolean
}
Fields
disable

boolean

Disable automatic configuration of Google Plugin on supported platforms.

Spec.AuthMethod.SamlConfig

Configuration for the SAML Auth flow.

JSON representation
{
  "identityProviderId": string,
  "identityProviderSsoUri": string,
  "identityProviderCertificates": [
    string
  ],
  "userAttribute": string,
  "groupsAttribute": string,
  "userPrefix": string,
  "groupPrefix": string,
  "attributeMapping": {
    string: string,
    ...
  }
}
Fields
identityProviderId

string

Required. The entity ID of the SAML IdP.

identityProviderSsoUri

string

Required. The URI where the SAML IdP exposes the SSO service.

identityProviderCertificates[]

string

Required. The list of IdP certificates to validate the SAML response against.

userAttribute

string

Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the userPrefix).

groupsAttribute

string

Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the groupPrefix).

userPrefix

string

Optional. Prefix to prepend to user name.

groupPrefix

string

Optional. Prefix to prepend to group name.

attributeMapping

map (key: string, value: string)

Optional. The mapping of additional user attributes like nickname, birthday and address etc. The key is the name of this additional attribute. The value is a string presenting a CEL (common expression language, go/cel) expression used for getting the value from the resources. Take nickname as an example: in this case, key is "attribute.nickname" and value is "assertion.nickname".

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Spec.AuthMethod.LdapConfig

Configuration for the LDAP Auth flow.

JSON representation
{
  "server": {
    object (Spec.AuthMethod.LdapConfig.ServerConfig)
  },
  "user": {
    object (Spec.AuthMethod.LdapConfig.UserConfig)
  },
  "group": {
    object (Spec.AuthMethod.LdapConfig.GroupConfig)
  },
  "serviceAccount": {
    object (Spec.AuthMethod.LdapConfig.ServiceAccountConfig)
  }
}
Fields
server

object (Spec.AuthMethod.LdapConfig.ServerConfig)

Required. Server settings for the external LDAP server.

user

object (Spec.AuthMethod.LdapConfig.UserConfig)

Required. Defines where users exist in the LDAP directory.

group

object (Spec.AuthMethod.LdapConfig.GroupConfig)

Optional. Contains the properties for locating and authenticating groups in the directory.

serviceAccount

object (Spec.AuthMethod.LdapConfig.ServiceAccountConfig)

Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

Spec.AuthMethod.LdapConfig.ServerConfig

Server settings for the external LDAP server.

JSON representation
{
  "host": string,
  "connectionType": string,
  "certificateAuthorityData": string
}
Fields
host

string

Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389".

connectionType

string

Optional. Defines the connection type to communicate with the LDAP server. If starttls or ldaps is specified, the certificateAuthorityData should not be empty.

certificateAuthorityData

string (bytes format)

Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections.

A base64-encoded string.

Spec.AuthMethod.LdapConfig.UserConfig

Defines where users exist in the LDAP directory.

JSON representation
{
  "baseDn": string,
  "loginAttribute": string,
  "idAttribute": string,
  "filter": string
}
Fields
baseDn

string

Required. The location of the subtree in the LDAP directory to search for user entries.

loginAttribute

string

Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName".

idAttribute

string

Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to log in with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to log in as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName".

filter

string

Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)".

Spec.AuthMethod.LdapConfig.GroupConfig

Contains the properties for locating and authenticating groups in the directory.

JSON representation
{
  "baseDn": string,
  "idAttribute": string,
  "filter": string
}
Fields
baseDn

string

Required. The location of the subtree in the LDAP directory to search for group entries.

idAttribute

string

Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName".

filter

string

Optional. Filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the number of groups returned for each user. This defaults to "(objectClass=Group)".

Spec.AuthMethod.LdapConfig.ServiceAccountConfig

Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

JSON representation
{

  // Union field authentication_mechanism can be only one of the following:
  "simpleBindCredentials": {
    object (Spec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials)
  }
  // End of list of possible types for union field authentication_mechanism.
}
Fields
Union field authentication_mechanism. Guarantees that the user supplies one authentication mechanism at a time. authentication_mechanism can be only one of the following:
simpleBindCredentials

object (Spec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials)

Credentials for basic auth.

Spec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials

The structure holds the LDAP simple binding credential.

JSON representation
{
  "dn": string,
  "password": string,
  "encryptedPassword": string
}
Fields
dn

string

Required. The distinguished name (DN) of the service account object/user.

password

string

Required. Input only. The password of the service account object/user.

encryptedPassword

string (bytes format)

Output only. The encrypted password of the service account object/user.

A base64-encoded string.
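As an added example (not code from the GKE Hub API or from Anthos Identity Service), the following resolves the documented defaults of an identityservice LdapConfig and checks the constraints stated in the ServerConfig, UserConfig, GroupConfig and ServiceAccountConfig sections above: required fields, the default port 389, and that starttls/ldaps connections carry certificateAuthorityData. The sample config, and treating any other connectionType as unencrypted, are assumptions of the example.

```python
"""Resolve defaults and validate an LdapConfig per the reference above.
Added example: the sample config below is constructed; the bind password is a placeholder."""
import copy

# Defaults as documented for UserConfig, GroupConfig and ServerConfig.host.
USER_DEFAULTS = {"loginAttribute": "userPrincipalName", "idAttribute": "userPrincipalName",
                 "filter": "(objectClass=User)"}
GROUP_DEFAULTS = {"idAttribute": "distinguishedName", "filter": "(objectClass=Group)"}
DEFAULT_PORT = 389
# The reference spells these "starttls"/"startTLS" and "ldaps"; compared case-insensitively.
TLS_CONNECTION_TYPES = {"starttls", "ldaps"}


def split_host(host: str) -> tuple[str, int]:
    """Split ServerConfig.host ("ldap.server.example" or "10.10.10.10:389") into host and port."""
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host, DEFAULT_PORT


def resolve_ldap_config(ldap: dict) -> dict:
    """Return a copy with documented defaults filled in and the host split into host/port.
    group is optional, so its defaults are only applied when the section is present."""
    eff = copy.deepcopy(ldap)
    server = eff.setdefault("server", {})
    if "host" in server:
        server["host"], server["port"] = split_host(server["host"])
    user = eff.setdefault("user", {})
    for attr, value in USER_DEFAULTS.items():
        user.setdefault(attr, value)
    if "group" in eff:
        for attr, value in GROUP_DEFAULTS.items():
            eff["group"].setdefault(attr, value)
    return eff


def validate_ldap_config(ldap: dict) -> list[str]:
    """Return problems: required fields per the reference plus the TLS/CA constraint."""
    problems = []
    server = ldap.get("server", {})
    if not server.get("host"):
        problems.append("server.host is required")
    conn = server.get("connectionType", "").lower()
    if conn in TLS_CONNECTION_TYPES and not server.get("certificateAuthorityData"):
        problems.append(f"server.certificateAuthorityData must be set when connectionType is {conn!r}")
    if conn not in TLS_CONNECTION_TYPES:
        # Assumption of this example: any other connectionType leaves bind credentials
        # and search traffic unprotected by TLS.
        problems.append("server.connectionType is not starttls or ldaps: bind credentials travel in cleartext")
    if not ldap.get("user", {}).get("baseDn"):
        problems.append("user.baseDn is required")
    creds = ldap.get("serviceAccount", {}).get("simpleBindCredentials")
    if not creds:
        problems.append("serviceAccount.simpleBindCredentials is required")
    else:
        if not creds.get("dn"):
            problems.append("serviceAccount.simpleBindCredentials.dn is required")
        # password is input only; an object read back carries encryptedPassword instead.
        if not (creds.get("password") or creds.get("encryptedPassword")):
            problems.append("serviceAccount.simpleBindCredentials needs password (input) "
                            "or encryptedPassword (output)")
    return problems


# Constructed sample: ldaps requested but no CA certificate supplied.
SAMPLE_LDAP_CONFIG = {
    "server": {"host": "ldap.corp.example", "connectionType": "ldaps"},
    "user": {"baseDn": "ou=people,dc=corp,dc=example", "loginAttribute": "sAMAccountName"},
    "group": {"baseDn": "ou=groups,dc=corp,dc=example"},
    "serviceAccount": {"simpleBindCredentials": {
        "dn": "cn=ais-reader,ou=svc,dc=corp,dc=example",
        "password": "PLACEHOLDER-NOT-A-REAL-SECRET"}},
}

if __name__ == "__main__":
    print(resolve_ldap_config(SAMPLE_LDAP_CONFIG))
    for p in validate_ldap_config(SAMPLE_LDAP_CONFIG):
        print("problem:", p)
```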

Spec.IdentityServiceOptions

Holds non-protocol-related configuration options.

JSON representation
{
  "sessionDuration": string,
  "diagnosticInterface": {
    object (Spec.IdentityServiceOptions.DiagnosticInterface)
  }
}
Fields
sessionDuration

string (Duration format)

Determines the lifespan of STS tokens issued by Anthos Identity Service.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

diagnosticInterface

object (Spec.IdentityServiceOptions.DiagnosticInterface)

Configuration options for the AIS diagnostic interface.

Spec.IdentityServiceOptions.DiagnosticInterface

Configuration options for the AIS diagnostic interface.

JSON representation
{
  "enabled": boolean,
  "expirationTime": string
}
Fields
enabled

boolean

Determines whether to enable the diagnostic interface.

expirationTime

string (Timestamp format)

Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface are automatically rejected.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Spec

Service Mesh: Spec for a single Membership for the servicemesh feature

JSON representation
{
  "controlPlane": enum (Spec.ControlPlaneManagement),
  "defaultChannel": enum (Channel),
  "management": enum (Spec.Management),
  "configApi": enum (Spec.ConfigApi)
}
Fields
controlPlane
(deprecated)

enum (Spec.ControlPlaneManagement)

Deprecated: use management instead. Enables automatic control plane management.

defaultChannel
(deprecated)

enum (Channel)

Determines which release channel to use for default injection and service mesh APIs.

management

enum (Spec.Management)

Optional. Enables automatic Service Mesh management.

configApi

enum (Spec.ConfigApi)

Optional. Specifies the API that will be used for configuring the mesh workloads.

Spec.ControlPlaneManagement

Whether to automatically manage Service Mesh control planes.

Enums
CONTROL_PLANE_MANAGEMENT_UNSPECIFIED Unspecified
AUTOMATIC Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install.
MANUAL User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API)

Channel

Channel indicates which release channel a revision is subscribed to. Release channels are arranged in order of risk.

Enums
CHANNEL_UNSPECIFIED Unspecified
RAPID RAPID channel is offered on an early access basis for customers who want to test new releases.
REGULAR REGULAR channel is intended for production users who want to take advantage of new features.
STABLE STABLE channel includes versions that are known to be stable and reliable in production.

Spec.Management

Whether to automatically manage Service Mesh.

Enums
MANAGEMENT_UNSPECIFIED Unspecified
MANAGEMENT_AUTOMATIC Google should manage my Service Mesh for the cluster.
MANAGEMENT_MANUAL User will manually configure their service mesh components.

Spec.ConfigApi

Specifies the API that will be used for configuring the mesh workloads.

Enums
CONFIG_API_UNSPECIFIED Unspecified
CONFIG_API_ISTIO Use the Istio API for configuration.
CONFIG_API_GATEWAY Use the K8s Gateway API for configuration.

Spec

Anthos Config Management: Configuration for a single cluster. Intended to parallel the ConfigManagement CR.

JSON representation
{
  "configSync": {
    object (ConfigSync)
  },
  "policyController": {
    object (PolicyController)
  },
  "binauthz": {
    object (BinauthzConfig)
  },
  "hierarchyController": {
    object (HierarchyControllerConfig)
  },
  "version": string,
  "cluster": string,
  "management": enum (Spec.Management)
}
Fields
configSync

object (ConfigSync)

Config Sync configuration for the cluster.

policyController

object (PolicyController)

Policy Controller configuration for the cluster. Deprecated: Configuring Policy Controller through the configmanagement feature is no longer recommended. Use the policycontroller feature instead.

binauthz
(deprecated)

object (BinauthzConfig)

Binauthz configuration for the cluster. Deprecated: This field will be ignored and should not be set.

hierarchyController

object (HierarchyControllerConfig)

Hierarchy Controller configuration for the cluster. Deprecated: Configuring Hierarchy Controller through the configmanagement feature is no longer recommended. Use https://github.com/kubernetes-sigs/hierarchical-namespaces instead.

version

string

Version of ACM installed.

cluster

string

The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector.

management

enum (Spec.Management)

Enables automatic Feature management.

ConfigSync

Configuration for Config Sync

JSON representation
{
  "git": {
    object (GitConfig)
  },
  "sourceFormat": string,
  "preventDrift": boolean,
  "oci": {
    object (OciConfig)
  },
  "allowVerticalScale": boolean,
  "metricsGcpServiceAccountEmail": string,
  "stopSyncing": boolean,
  "enabled": boolean
}
Fields
git

object (GitConfig)

Git repo configuration for the cluster.

sourceFormat

string

Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.

preventDrift

boolean

Set to true to enable the Config Sync admission webhook to prevent drifts. If set to false, disables the Config Sync admission webhook and does not prevent drifts.

oci

object (OciConfig)

OCI repo configuration for the cluster.

allowVerticalScale
(deprecated)

boolean

Set to true to allow the vertical scaling. Defaults to false which disallows vertical scaling. This field is deprecated.

metricsGcpServiceAccountEmail
(deprecated)

string

The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount default in the namespace config-management-monitoring should be bound to the GSA. Deprecated: If Workload Identity Federation for GKE is enabled, Google Cloud Service Account is no longer needed for exporting Config Sync metrics: https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/monitor-config-sync-cloud-monitoring#custom-monitoring.

stopSyncing

boolean

Set to true to stop syncing configs for a single cluster. Defaults to false.

enabled

boolean

Enables the installation of ConfigSync. If set to true, ConfigSync resources are created and the other ConfigSync fields are applied where present. If set to false, all other ConfigSync fields are ignored and ConfigSync resources are deleted. If omitted, whether ConfigSync resources are managed depends on the presence of the git or oci field.

GitConfig

Git repo configuration for a single cluster.

JSON representation
{
  "syncRepo": string,
  "syncBranch": string,
  "policyDir": string,
  "syncWaitSecs": string,
  "syncRev": string,
  "secretType": string,
  "httpsProxy": string,
  "gcpServiceAccountEmail": string
}
Fields
syncRepo

string

The URL of the Git repository to use as the source of truth.

syncBranch

string

The branch of the repository to sync from. Default: master.

policyDir

string

The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.

syncWaitSecs

string (int64 format)

Period in seconds between consecutive syncs. Default: 15.

syncRev

string

Git revision (tag or hash) to check out. Default: HEAD.

secretType

string

Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount, or none; validation is case-sensitive. Required.

httpsProxy

string

URL for the HTTPS proxy to be used when communicating with the Git repo.

gcpServiceAccountEmail

string

The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount.

OciConfig

OCI repo configuration for a single cluster.

JSON representation
{
  "syncRepo": string,
  "policyDir": string,
  "syncWaitSecs": string,
  "secretType": string,
  "gcpServiceAccountEmail": string
}
Fields
syncRepo

string

The OCI image repository URL for the package to sync from. e.g. LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME.

policyDir

string

The absolute path of the directory that contains the local resources. Default: the root directory of the image.

syncWaitSecs

string (int64 format)

Period in seconds between consecutive syncs. Default: 15.

secretType

string

Type of secret configured for access to the Git repo.

gcpServiceAccountEmail

string

The Google Cloud Service Account Email used for auth when secretType is gcpServiceAccount.

PolicyController

Configuration for Policy Controller

JSON representation
{
  "enabled": boolean,
  "exemptableNamespaces": [
    string
  ],
  "referentialRulesEnabled": boolean,
  "logDeniesEnabled": boolean,
  "mutationEnabled": boolean,
  "monitoring": {
    object (PolicyControllerMonitoring)
  },
  "updateTime": string,
  "templateLibraryInstalled": boolean,
  "auditIntervalSeconds": string
}
Fields
enabled

boolean

Enables the installation of Policy Controller. If false, the remaining PolicyController fields have no effect.

exemptableNamespaces[]

string

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.

referentialRulesEnabled

boolean

Enables the use of Constraint Templates that reference objects other than the object currently being evaluated.

logDeniesEnabled

boolean

Logs all denies and dry run failures.

mutationEnabled

boolean

Enables or disables mutation in Policy Controller. If true, the mutation CRDs, webhook, and controller deployment are deployed to the cluster.

monitoring

object (PolicyControllerMonitoring)

Monitoring specifies the configuration of monitoring.

updateTime

string (Timestamp format)

Output only. Last time this membership spec was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

templateLibraryInstalled

boolean

Installs the default template library along with Policy Controller.

auditIntervalSeconds

string (int64 format)

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

PolicyControllerMonitoring

PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]

JSON representation
{
  "backends": [
    enum (PolicyControllerMonitoring.MonitoringBackend)
  ]
}
Fields
backends[]

enum (PolicyControllerMonitoring.MonitoringBackend)

Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.

PolicyControllerMonitoring.MonitoringBackend

Supported backend options for monitoring

Enums
MONITORING_BACKEND_UNSPECIFIED Backend cannot be determined
PROMETHEUS Prometheus backend for monitoring
CLOUD_MONITORING Stackdriver/Cloud Monitoring backend for monitoring
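
The ConfigSync, GitConfig and PolicyController field descriptions above encode several rules (which secretType values are accepted and that the check is case-sensitive, when gcpServiceAccountEmail is needed, what an omitted or false enabled means, that auditIntervalSeconds 0 disables audit scans, that an empty backends list disables metrics export). The following linter applies those rules to a membership spec and reports weak or invalid settings. It is an added example, not Google's code: the rules are taken from this page, while the function names, finding paths and the sample spec are constructed for illustration.

```python
"""Lint a ConfigManagement membership spec for weak or invalid settings.

Added example, not Google's code: each rule is taken from the ConfigSync,
GitConfig and PolicyController field descriptions on this page. Function
names, finding paths and the sample spec are constructed for illustration.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, json_path, message)

# GitConfig.secretType: allowed values as listed on the page; validation is case-sensitive.
GIT_SECRET_TYPES = {"ssh", "cookiefile", "gcenode", "token", "gcpserviceaccount", "none"}
SOURCE_FORMATS = {"hierarchical", "unstructured"}
DEPRECATED_CS_FIELDS = ("allowVerticalScale", "metricsGcpServiceAccountEmail")


def lint_config_sync(cs: Dict[str, Any]) -> List[Finding]:
    out: List[Finding] = []
    enabled = cs.get("enabled")
    if enabled is False:
        # Docs: all other ConfigSync fields are ignored and the resources are deleted.
        return [("INFO", "configSync.enabled", "Config Sync disabled; other fields ignored")]
    if enabled is None and "git" not in cs and "oci" not in cs:
        # Docs: with enabled omitted, management depends on a git or oci field being present.
        return [("INFO", "configSync", "enabled omitted and no git/oci source; nothing is managed")]
    if cs.get("preventDrift") is not True:
        out.append(("WARN", "configSync.preventDrift",
                    "admission webhook disabled; drift from the source is not prevented"))
    fmt = cs.get("sourceFormat")
    if fmt is not None and fmt not in SOURCE_FORMATS:
        out.append(("ERROR", "configSync.sourceFormat", f"unknown value {fmt!r}"))
    if cs.get("stopSyncing") is True:
        out.append(("WARN", "configSync.stopSyncing", "syncing is stopped for this cluster"))
    for field in DEPRECATED_CS_FIELDS:
        if field in cs:
            out.append(("WARN", f"configSync.{field}", "deprecated field is set"))
    git = cs.get("git")
    if git is not None:
        secret_type = git.get("secretType")
        if secret_type is None:
            out.append(("ERROR", "configSync.git.secretType", "required field is missing"))
        elif secret_type not in GIT_SECRET_TYPES:
            out.append(("ERROR", "configSync.git.secretType",
                        f"{secret_type!r} is not an allowed value (check is case-sensitive)"))
        elif secret_type == "gcpserviceaccount" and not git.get("gcpServiceAccountEmail"):
            out.append(("ERROR", "configSync.git.gcpServiceAccountEmail",
                        "required when secretType is gcpserviceaccount"))
    return out


def lint_policy_controller(pc: Dict[str, Any]) -> List[Finding]:
    out: List[Finding] = []
    if pc.get("enabled") is not True:
        # Docs: when enabled is false the remaining fields have no effect.
        return [("INFO", "policyController.enabled",
                 "Policy Controller disabled; other fields have no effect")]
    # auditIntervalSeconds is int64 carried as a JSON string; 0 disables audit scans.
    if "auditIntervalSeconds" in pc and int(pc["auditIntervalSeconds"]) == 0:
        out.append(("WARN", "policyController.auditIntervalSeconds", "0 disables audit scans"))
    if pc.get("logDeniesEnabled") is not True:
        out.append(("WARN", "policyController.logDeniesEnabled",
                    "denies and dry-run failures are not logged"))
    if not pc.get("monitoring", {}).get("backends"):
        out.append(("WARN", "policyController.monitoring.backends",
                    "empty list disables metrics export"))
    exempt = pc.get("exemptableNamespaces") or []
    if exempt:
        out.append(("INFO", "policyController.exemptableNamespaces",
                    "excluded from checks: " + ", ".join(exempt)))
    return out


def lint_spec(spec: Dict[str, Any]) -> List[Finding]:
    """Lint the configSync and policyController objects of a membership spec."""
    findings: List[Finding] = []
    if "configSync" in spec:
        findings += lint_config_sync(spec["configSync"])
    if "policyController" in spec:
        findings += lint_policy_controller(spec["policyController"])
    return findings


# Constructed sample spec (not real fleet data) carrying several weak settings.
SAMPLE_SPEC = {
    "configSync": {
        "git": {
            "syncRepo": "https://git.example.invalid/platform/config.git",
            "syncBranch": "main",
            "policyDir": "clusters/prod",
            "secretType": "gcpServiceAccount",  # wrong case: the documented value is gcpserviceaccount
        },
        "sourceFormat": "unstructured",
        "preventDrift": False,
        "allowVerticalScale": True,
    },
    "policyController": {
        "enabled": True,
        "auditIntervalSeconds": "0",
        "logDeniesEnabled": False,
        "exemptableNamespaces": ["kube-system"],
        "monitoring": {"backends": []},
    },
}

if __name__ == "__main__":
    for severity, path, message in lint_spec(SAMPLE_SPEC):
        print(f"{severity:5} {path}: {message}")
```

Run against the sample spec, the linter reports one ERROR (the mis-cased secretType) and five WARN findings; a spec with preventDrift true, an allowed secretType, a non-zero audit interval, deny logging on and at least one monitoring backend produces no ERROR or WARN findings.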

BinauthzConfig

Configuration for Binauthz.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether binauthz is enabled in this cluster.

HierarchyControllerConfig

Configuration for Hierarchy Controller.

JSON representation
{
  "enabled": boolean,
  "enablePodTreeLabels": boolean,
  "enableHierarchicalResourceQuota": boolean
}
Fields
enabled

boolean

Whether Hierarchy Controller is enabled in this cluster.

enablePodTreeLabels

boolean

Whether pod tree labels are enabled in this cluster.

enableHierarchicalResourceQuota

boolean

Whether hierarchical resource quota is enabled in this cluster.

Spec.Management

Whether to automatically manage the Feature.

Enums
MANAGEMENT_UNSPECIFIED Unspecified
MANAGEMENT_AUTOMATIC Google will manage the Feature for the cluster.
MANAGEMENT_MANUAL User will manually manage the Feature for the cluster.

FeatureSpec.Origin

Origin defines where this FeatureSpec originated from.

JSON representation
{
  "type": enum (FeatureSpec.Origin.Type)
}
Fields
type

enum (FeatureSpec.Origin.Type)

Type specifies which type of origin is set.

FeatureSpec.Origin.Type

Type specifies the persona that persisted the config.

Enums
TYPE_UNSPECIFIED Type is unknown or not set.
FLEET Per-Feature spec was inherited from the fleet-level default.
FLEET_OUT_OF_SYNC Per-Feature spec was inherited from the fleet-level default but is now out of sync with the current default.
USER Per-Feature spec was inherited from a user specification.

FeatureState

FeatureState contains high-level state information and per-feature state information for this MembershipFeature.

JSON representation
{
  "state": {
    object (State)
  },

  // Union field feature_state can be only one of the following:
  "clusterupgrade": {
    object (State)
  },
  "identityservice": {
    object (State)
  },
  "servicemesh": {
    object (State)
  },
  "metering": {
    object (State)
  },
  "configmanagement": {
    object (State)
  },
  "policycontroller": {
    object (State)
  },
  "appdevexperience": {
    object (State)
  }
  // End of list of possible types for union field feature_state.
}
Fields
state

object (State)

The high-level state of this MembershipFeature.

Union field feature_state. Status specific to each Fleet feature. feature_state can be only one of the following:
clusterupgrade

object (State)

Cluster upgrade state.

identityservice

object (State)

Identity service state

servicemesh

object (State)

Service mesh state

metering

object (State)

Metering state

configmanagement

object (State)

Config Management state

policycontroller

object (State)

Policy Controller state

appdevexperience

object (State)

Appdevexperience specific state.

State

Per-membership state for this feature.

JSON representation
{
  "upgrades": [
    {
      object (MembershipGKEUpgradeState)
    }
  ],
  "ignored": {
    object (IgnoredMembership)
  }
}
Fields
upgrades[]

object (MembershipGKEUpgradeState)

Actual upgrade state against desired.

ignored

object (IgnoredMembership)

Whether this membership is ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of their release channel.

IgnoredMembership

IgnoredMembership represents a membership ignored by the feature. A membership can be ignored because it was manually upgraded to a newer version than RC default.

JSON representation
{
  "reason": string,
  "ignoredTime": string
}
Fields
reason

string

Reason why the membership is ignored.

ignoredTime

string (Timestamp format)

Time when the membership was first set to ignored.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

MembershipGKEUpgradeState

MembershipGKEUpgradeState is a GKEUpgrade and its state per-membership.

JSON representation
{
  "upgrade": {
    object (GKEUpgrade)
  },
  "status": {
    object (UpgradeStatus)
  }
}
Fields
upgrade

object (GKEUpgrade)

The upgrade whose state is tracked.

status

object (UpgradeStatus)

Status of the upgrade.

GKEUpgrade

GKEUpgrade represents a GKE provided upgrade, e.g., control plane upgrade.

JSON representation
{
  "name": string,
  "version": string
}
Fields
name

string

Name of the upgrade, e.g., "k8s_control_plane".

version

string

Version of the upgrade, e.g., "1.22.1-gke.100".

UpgradeStatus

UpgradeStatus provides status information for each upgrade.

JSON representation
{
  "code": enum (UpgradeStatus.Code),
  "reason": string,
  "updateTime": string
}
Fields
code

enum (UpgradeStatus.Code)

Status code of the upgrade.

reason

string

Reason for this status.

updateTime

string (Timestamp format)

Last timestamp the status was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

UpgradeStatus.Code

Status code of an upgrade.

Enums
CODE_UNSPECIFIED Required by https://linter.aip.dev/126/unspecified.
INELIGIBLE The upgrade is ineligible. At the scope level, this means the upgrade is ineligible for all the clusters in the scope.
PENDING The upgrade is pending. At the scope level, this means the upgrade is pending for all the clusters in the scope.
IN_PROGRESS The upgrade is in progress. At the scope level, this means the upgrade is in progress for at least one cluster in the scope.
SOAKING The upgrade has finished and is soaking until the soaking time is up. At the scope level, this means at least one cluster is in soaking while the rest are either soaking or complete.
FORCED_SOAKING A cluster will be forced to enter soaking if an upgrade doesn't finish within a certain limit, regardless of its actual status.
COMPLETE The upgrade has passed all post conditions (soaking). At the scope level, this means all eligible clusters are in COMPLETE status.
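
The UpgradeStatus.Code descriptions above state how per-cluster codes roll up to the scope level (IN_PROGRESS for at least one cluster, INELIGIBLE or PENDING for all clusters, COMPLETE for all eligible clusters, SOAKING when at least one cluster soaks and the rest soak or are complete). The following code implements that roll-up over a list of MembershipFeature objects. It is an added example, not Google's code. Two points the page leaves open are assumptions made here: FORCED_SOAKING is treated as soaking, and INELIGIBLE clusters are excluded when applying the SOAKING rule, as the page does for COMPLETE. Combinations the page does not define (for example PENDING mixed with COMPLETE) fall back to CODE_UNSPECIFIED. The membership_id helper, the example-project resource names and the sample objects are constructed.

```python
"""Roll per-membership UpgradeStatus.Code values up to a scope-level code.

Added example, not Google's code. Decision rules follow the UpgradeStatus.Code
descriptions on this page; FORCED_SOAKING counting as soaking, INELIGIBLE being
excluded from the SOAKING rule, and CODE_UNSPECIFIED for undefined mixes are
assumptions. The sample MembershipFeature objects are constructed.
"""
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Tuple

UPGRADE_CODES = {"CODE_UNSPECIFIED", "INELIGIBLE", "PENDING", "IN_PROGRESS",
                 "SOAKING", "FORCED_SOAKING", "COMPLETE"}
SOAKING_CODES = {"SOAKING", "FORCED_SOAKING"}
UpgradeKey = Tuple[str, str]  # (GKEUpgrade.name, GKEUpgrade.version)


def scope_upgrade_code(cluster_codes: Iterable[str]) -> str:
    """Aggregate one upgrade's per-cluster status codes into a scope-level code."""
    codes = list(cluster_codes)
    unknown = set(codes) - UPGRADE_CODES
    if unknown:
        raise ValueError(f"unknown UpgradeStatus.Code values: {sorted(unknown)}")
    if not codes:
        return "CODE_UNSPECIFIED"
    if "IN_PROGRESS" in codes:                   # in progress for at least one cluster
        return "IN_PROGRESS"
    if all(c == "INELIGIBLE" for c in codes):    # ineligible for all clusters
        return "INELIGIBLE"
    if all(c == "PENDING" for c in codes):       # pending for all clusters
        return "PENDING"
    eligible = [c for c in codes if c != "INELIGIBLE"]
    if all(c == "COMPLETE" for c in eligible):   # all eligible clusters complete
        return "COMPLETE"
    if any(c in SOAKING_CODES for c in eligible) and all(
            c in SOAKING_CODES or c == "COMPLETE" for c in eligible):
        return "SOAKING"                         # some soaking, the rest soaking or complete
    return "CODE_UNSPECIFIED"


def membership_id(resource_name: str) -> str:
    """Extract {membership} from projects/{p}/locations/{l}/memberships/{membership}/features/{f}."""
    parts = resource_name.split("/")
    try:
        return parts[parts.index("memberships") + 1]
    except (ValueError, IndexError):
        raise ValueError(f"not a MembershipFeature resource name: {resource_name!r}") from None


def collect_upgrade_codes(membership_features: Iterable[Dict[str, Any]]) -> Dict[UpgradeKey, Dict[str, str]]:
    """Map each tracked upgrade to {membership_id: status.code}, read from
    state.clusterupgrade.upgrades[] of every MembershipFeature."""
    by_upgrade: Dict[UpgradeKey, Dict[str, str]] = defaultdict(dict)
    for mf in membership_features:
        upgrades = mf.get("state", {}).get("clusterupgrade", {}).get("upgrades", [])
        for entry in upgrades:
            key = (entry["upgrade"]["name"], entry["upgrade"]["version"])
            by_upgrade[key][membership_id(mf["name"])] = entry["status"].get("code", "CODE_UNSPECIFIED")
    return dict(by_upgrade)


def summarize_fleet_upgrades(membership_features: Iterable[Dict[str, Any]]) -> Dict[UpgradeKey, str]:
    return {key: scope_upgrade_code(codes.values())
            for key, codes in collect_upgrade_codes(membership_features).items()}


def not_complete(by_upgrade: Dict[UpgradeKey, Dict[str, str]], key: UpgradeKey) -> List[str]:
    """Eligible memberships that have not reached COMPLETE for the given upgrade."""
    return sorted(m for m, c in by_upgrade.get(key, {}).items() if c not in ("COMPLETE", "INELIGIBLE"))


def _mf(membership: str, code: str, reason: str = "") -> Dict[str, Any]:
    """Constructed MembershipFeature with one tracked control-plane upgrade."""
    return {
        "name": f"projects/example-project/locations/global/memberships/{membership}/features/clusterupgrade",
        "state": {"clusterupgrade": {"upgrades": [{
            "upgrade": {"name": "k8s_control_plane", "version": "1.22.1-gke.100"},
            "status": {"code": code, "reason": reason, "updateTime": "2014-10-02T15:01:23Z"},
        }]}},
    }


SAMPLE_MEMBERSHIP_FEATURES = [
    _mf("prod-a", "COMPLETE"),
    _mf("prod-b", "SOAKING", "soak window has not elapsed"),
    _mf("prod-c", "INELIGIBLE", "manually upgraded past the channel default"),
]

if __name__ == "__main__":
    table = collect_upgrade_codes(SAMPLE_MEMBERSHIP_FEATURES)
    for key, code in summarize_fleet_upgrades(SAMPLE_MEMBERSHIP_FEATURES).items():
        print(f"{key[0]} {key[1]}: scope={code} waiting_on={not_complete(table, key)}")
```

For the three sample memberships the control-plane upgrade summarises to SOAKING, and not_complete names prod-b as the cluster still to finish; prod-c is ineligible and therefore not counted against the scope.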

State

IdentityService: State for a single membership, analyzed and reported by feature controller.

JSON representation
{
  "installedVersion": string,
  "state": enum (State.DeploymentState),
  "failureReason": string,
  "memberConfig": {
    object (Spec)
  }
}
Fields
installedVersion

string

Installed AIS version. This is the AIS version installed on this member. The value is meaningful only when state is OK.

state

enum (State.DeploymentState)

Deployment state on this member

failureReason

string

The reason of the failure.

memberConfig

object (Spec)

Last reconciled membership configuration

State.DeploymentState

Deployment state enum

Enums
DEPLOYMENT_STATE_UNSPECIFIED Unspecified state
OK Deployment succeeded.
ERROR Failure with error.

State

Service Mesh: State for a single Membership, as analyzed by the Service Mesh Hub Controller.

JSON representation
{
  "analysisMessages": [
    {
      object (AnalysisMessage)
    }
  ],
  "controlPlaneManagement": {
    object (State.ControlPlaneManagement)
  },
  "dataPlaneManagement": {
    object (State.DataPlaneManagement)
  },
  "configApiVersion": string,
  "conditions": [
    {
      object (State.Condition)
    }
  ]
}
Fields
analysisMessages[]

object (AnalysisMessage)

Output only. Results of running Service Mesh analyzers.

controlPlaneManagement

object (State.ControlPlaneManagement)

Output only. Status of control plane management

dataPlaneManagement

object (State.DataPlaneManagement)

Output only. Status of data plane management.

configApiVersion

string

The API version (i.e. Istio CRD version) for configuring service mesh in this cluster. This version is influenced by the defaultChannel field.

conditions[]

object (State.Condition)

Output only. List of conditions reported for this membership.

AnalysisMessage

AnalysisMessage is a single message produced by an analyzer, and is used to communicate to the end user about the state of their Service Mesh configuration.

JSON representation
{
  "messageBase": {
    object (AnalysisMessageBase)
  },
  "description": string,
  "resourcePaths": [
    string
  ],
  "args": {
    object
  }
}
Fields
messageBase

object (AnalysisMessageBase)

Details common to all types of Istio and ServiceMesh analysis messages.

description

string

A human-readable description of what the error means. It is suitable for non-internationalized display purposes.

resourcePaths[]

string

A list of strings specifying the resource identifiers that were the cause of message generation. A "path" here may be:
* MEMBERSHIP_ID if the cause is a specific member cluster
* MEMBERSHIP_ID/(NAMESPACE/)?RESOURCETYPE/NAME if the cause is a resource in a cluster

args

object (Struct format)

A UI can combine these args with a template (based on messageBase.type) to produce an internationalized message.

AnalysisMessageBase

AnalysisMessageBase describes some common information that is needed for all messages.

JSON representation
{
  "type": {
    object (AnalysisMessageBase.Type)
  },
  "level": enum (AnalysisMessageBase.Level),
  "documentationUrl": string
}
Fields
type

object (AnalysisMessageBase.Type)

Represents the specific type of a message.

level

enum (AnalysisMessageBase.Level)

Represents how severe a message is.

documentationUrl

string

A url pointing to the Service Mesh or Istio documentation for this specific error type.

AnalysisMessageBase.Type

A unique identifier for the type of message. Display_name is intended to be human-readable, code is intended to be machine readable. There should be a one-to-one mapping between displayName and code. (i.e. do not re-use display_names or codes between message types.) See istio.analysis.v1alpha1.AnalysisMessageBase.Type

JSON representation
{
  "displayName": string,
  "code": string
}
Fields
displayName

string

A human-readable name for the message type. e.g. "InternalError", "PodMissingProxy". This should be the same for all messages of the same type. (This corresponds to the name field in open-source Istio.)

code

string

A 7 character code matching ^IST[0-9]{4}$ or ^ASM[0-9]{4}$, intended to uniquely identify the message type. (e.g. "IST0001" is mapped to the "InternalError" message type.)

AnalysisMessageBase.Level

The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later. See istio.analysis.v1alpha1.AnalysisMessageBase.Level.

Enums
LEVEL_UNSPECIFIED Illegal. Same as istio.analysis.v1alpha1.AnalysisMessageBase.Level.UNKNOWN.
ERROR ERROR represents a misconfiguration that must be fixed.
WARNING WARNING represents a misconfiguration that should be fixed.
INFO INFO represents an informational finding.
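
The AnalysisMessage, AnalysisMessageBase.Type and AnalysisMessageBase.Level descriptions above give three things a reviewer can check mechanically: the resourcePaths grammar (MEMBERSHIP_ID, or MEMBERSHIP_ID/(NAMESPACE/)?RESOURCETYPE/NAME), the 7-character type code pattern (^IST[0-9]{4}$ or ^ASM[0-9]{4}$), and the rule that more severe levels sort higher. The following triage helper is an added example, not Google's or Istio's code: it parses the paths, validates the codes and orders a list of messages most severe first. The numeric ranks in LEVEL_RANK, the ResourceRef class and the sample messages are constructed; only the IST0001/InternalError pairing comes from the page.

```python
"""Triage Service Mesh AnalysisMessage objects.

Added example, not Google's or Istio's code. It checks the AnalysisMessageBase.Type.code
pattern given on this page, parses resourcePaths in the two documented forms, and
orders messages most severe first. LEVEL_RANK values, ResourceRef and the sample
messages are constructed; the page only says that more severe levels sort higher.
"""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# AnalysisMessageBase.Type.code: a 7-character code matching ^IST[0-9]{4}$ or ^ASM[0-9]{4}$.
MESSAGE_CODE_RE = re.compile(r"^(IST|ASM)[0-9]{4}$")
# Assumed ranks; only the ordering (more severe sorts first) comes from the page.
LEVEL_RANK = {"LEVEL_UNSPECIFIED": 0, "INFO": 1, "WARNING": 2, "ERROR": 3}


def valid_message_code(code: str) -> bool:
    return MESSAGE_CODE_RE.match(code) is not None


@dataclass(frozen=True)
class ResourceRef:
    membership: str
    namespace: Optional[str]       # None for cluster-scoped resources and member-only paths
    resource_type: Optional[str]   # None when the path names only a member cluster
    name: Optional[str]


def parse_resource_path(path: str) -> ResourceRef:
    """Parse MEMBERSHIP_ID or MEMBERSHIP_ID/(NAMESPACE/)?RESOURCETYPE/NAME."""
    parts = path.split("/")
    if "" in parts:
        raise ValueError(f"empty segment in resource path {path!r}")
    if len(parts) == 1:
        return ResourceRef(parts[0], None, None, None)
    if len(parts) == 3:            # cluster-scoped resource
        return ResourceRef(parts[0], None, parts[1], parts[2])
    if len(parts) == 4:            # namespaced resource
        return ResourceRef(parts[0], parts[1], parts[2], parts[3])
    raise ValueError(f"unrecognised resource path {path!r}")


def triage(messages: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Flatten messages for review, most severe first. Malformed type codes and
    resource paths are reported (codeValid, badPaths) rather than silently trusted."""
    out = []
    for m in messages:
        base = m.get("messageBase", {})
        code = base.get("type", {}).get("code", "")
        refs, bad = [], []
        for p in m.get("resourcePaths", []):
            try:
                refs.append(parse_resource_path(p))
            except ValueError:
                bad.append(p)
        out.append({
            "level": base.get("level", "LEVEL_UNSPECIFIED"),
            "code": code,
            "codeValid": valid_message_code(code),
            "displayName": base.get("type", {}).get("displayName", ""),
            "description": m.get("description", ""),
            "refs": refs,
            "badPaths": bad,
        })
    out.sort(key=lambda e: (-LEVEL_RANK.get(e["level"], 0), e["code"]))
    return out


# Constructed sample messages. IST0001/InternalError is the pairing the page gives;
# the other codes and display names are placeholders.
SAMPLE_MESSAGES = [
    {"messageBase": {"type": {"displayName": "ExampleInfo", "code": "ASM0042"}, "level": "INFO"},
     "description": "informational finding", "resourcePaths": ["prod-a"]},
    {"messageBase": {"type": {"displayName": "InternalError", "code": "IST0001"}, "level": "ERROR"},
     "description": "analyzer hit an internal error",
     "resourcePaths": ["prod-a/istio-system/Deployment/istiod"]},
    {"messageBase": {"type": {"displayName": "ExampleWarning", "code": "ist0002"}, "level": "WARNING"},
     "description": "code is lower-case, so it fails the documented pattern",
     "resourcePaths": ["prod-b/Namespace/default", "prod-b/too/many/parts/here"]},
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_MESSAGES):
        flag = "" if entry["codeValid"] else " (malformed code)"
        print(f"{entry['level']:8} {entry['code']}{flag} {entry['displayName']}: "
              f"{entry['refs']} bad={entry['badPaths']}")
```

Keeping malformed codes and paths visible (codeValid false, badPaths non-empty) instead of dropping them matters in practice: a message a UI cannot map to a template is still a finding, and a path that does not fit the documented grammar is itself worth a look.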

State.ControlPlaneManagement

Status of control plane management.

JSON representation
{
  "details": [
    {
      object (StatusDetails)
    }
  ],
  "state": enum (State.LifecycleState),
  "implementation": enum (State.ControlPlaneManagement.Implementation)
}
Fields
details[]

object (StatusDetails)

Explanation of state.

state

enum (State.LifecycleState)

LifecycleState of control plane management.

implementation

enum (State.ControlPlaneManagement.Implementation)

Output only. Implementation of managed control plane.

StatusDetails

Structured and human-readable details for a status.

JSON representation
{
  "code": string,
  "details": string
}
Fields
code

string

A machine-readable code that further describes a broad status.

details

string

Human-readable explanation of code.

State.LifecycleState

Lifecycle state of Service Mesh components.

Enums
LIFECYCLE_STATE_UNSPECIFIED Unspecified
DISABLED DISABLED means that the component is not enabled.
FAILED_PRECONDITION FAILED_PRECONDITION means that provisioning cannot proceed because of some characteristic of the member cluster.
PROVISIONING PROVISIONING means that provisioning is in progress.
ACTIVE ACTIVE means that the component is ready for use.
STALLED STALLED means that provisioning could not be done.
NEEDS_ATTENTION NEEDS_ATTENTION means that the component is ready, but some user intervention is required. (For example that the user should migrate workloads to a new control plane revision.)
DEGRADED DEGRADED means that the component is ready, but operating in a degraded state.

State.ControlPlaneManagement.Implementation

Implementation of managed control plane.

Enums
IMPLEMENTATION_UNSPECIFIED Unspecified
ISTIOD A Google build of istiod is used for the managed control plane.
TRAFFIC_DIRECTOR Traffic director is used for the managed control plane.
UPDATING The control plane implementation is being updated.

State.DataPlaneManagement

Status of data plane management. Only reported per-member.

JSON representation
{
  "state": enum (State.LifecycleState),
  "details": [
    {
      object (StatusDetails)
    }
  ]
}
Fields
state

enum (State.LifecycleState)

Lifecycle status of data plane management.

details[]

object (StatusDetails)

Explanation of the status.

State.Condition

Condition being reported.

JSON representation
{
  "code": enum (State.Condition.Code),
  "documentationLink": string,
  "details": string,
  "severity": enum (State.Condition.Severity)
}
Fields
code

enum (State.Condition.Code)

Unique identifier of the condition, recognizable to the user.

details

string

A short summary about the issue.

severity

enum (State.Condition.Severity)

Severity level of the condition.

State.Condition.Code

Unique identifier of the condition, recognizable to the user.

Enums
CODE_UNSPECIFIED Default Unspecified code
MESH_IAM_PERMISSION_DENIED Mesh IAM permission denied error code
MESH_IAM_CROSS_PROJECT_PERMISSION_DENIED Permission denied error code for cross-project
CNI_CONFIG_UNSUPPORTED CNI config unsupported error code
GKE_SANDBOX_UNSUPPORTED GKE sandbox unsupported error code
NODEPOOL_WORKLOAD_IDENTITY_FEDERATION_REQUIRED Nodepool workload identity federation required error code
CNI_INSTALLATION_FAILED CNI installation failed error code
CNI_POD_UNSCHEDULABLE CNI pod unschedulable error code
CLUSTER_HAS_ZERO_NODES Cluster has zero node code
UNSUPPORTED_MULTIPLE_CONTROL_PLANES Multiple control planes unsupported error code
VPCSC_GA_SUPPORTED VPC-SC GA is supported for this control plane.
DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT User is using deprecated ControlPlaneManagement and they have not yet set Management.
DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT_SAFE User is using deprecated ControlPlaneManagement and they have already set Management.
CONFIG_APPLY_INTERNAL_ERROR Configuration (Istio/k8s resources) failed to apply due to internal error.
CONFIG_VALIDATION_ERROR Configuration failed to be applied due to being invalid.
CONFIG_VALIDATION_WARNING Encountered configuration(s) with possible unintended behavior or invalid configuration. These configs may not have been applied.
QUOTA_EXCEEDED_BACKEND_SERVICES BackendService quota exceeded error code.
QUOTA_EXCEEDED_HEALTH_CHECKS HealthCheck quota exceeded error code.
QUOTA_EXCEEDED_HTTP_ROUTES HTTPRoute quota exceeded error code.
QUOTA_EXCEEDED_TCP_ROUTES TCPRoute quota exceeded error code.
QUOTA_EXCEEDED_TLS_ROUTES TLS routes quota exceeded error code.
QUOTA_EXCEEDED_TRAFFIC_POLICIES TrafficPolicy quota exceeded error code.
QUOTA_EXCEEDED_ENDPOINT_POLICIES EndpointPolicy quota exceeded error code.
QUOTA_EXCEEDED_GATEWAYS Gateway quota exceeded error code.
QUOTA_EXCEEDED_MESHES Mesh quota exceeded error code.
QUOTA_EXCEEDED_SERVER_TLS_POLICIES ServerTLSPolicy quota exceeded error code.
QUOTA_EXCEEDED_CLIENT_TLS_POLICIES ClientTLSPolicy quota exceeded error code.
QUOTA_EXCEEDED_SERVICE_LB_POLICIES ServiceLBPolicy quota exceeded error code.
QUOTA_EXCEEDED_HTTP_FILTERS HTTPFilter quota exceeded error code.
QUOTA_EXCEEDED_TCP_FILTERS TCPFilter quota exceeded error code.
QUOTA_EXCEEDED_NETWORK_ENDPOINT_GROUPS NetworkEndpointGroup quota exceeded error code.
MODERNIZATION_SCHEDULED Modernization is scheduled for a cluster.
MODERNIZATION_IN_PROGRESS Modernization is in progress for a cluster.
MODERNIZATION_COMPLETED Modernization is completed for a cluster.
MODERNIZATION_ABORTED Modernization is aborted for a cluster.

State.Condition.Severity

Severity level of the reported condition

Enums
SEVERITY_UNSPECIFIED Unspecified severity
ERROR Indicates an issue that prevents the mesh from operating correctly
WARNING Indicates a setting is likely wrong, but the mesh is still able to operate
INFO An informational message, not requiring any action

State

Metering: State for a single membership, analyzed and reported by feature controller.

JSON representation
{
  "lastMeasurementTime": string,
  "preciseLastMeasuredClusterVcpuCapacity": number
}
Fields
lastMeasurementTime

string (Timestamp format)

The timestamp of the most recent measurement of the number of vCPUs in the cluster.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

preciseLastMeasuredClusterVcpuCapacity

number

The vCPUs capacity in the cluster according to the most recent measurement (1/1000 precision).

State

Anthos Config Management: State for a single cluster.

JSON representation
{
  "clusterName": string,
  "membershipSpec": {
    object (Spec)
  },
  "operatorState": {
    object (OperatorState)
  },
  "configSyncState": {
    object (ConfigSyncState)
  },
  "policyControllerState": {
    object (PolicyControllerState)
  },
  "binauthzState": {
    object (BinauthzState)
  },
  "hierarchyControllerState": {
    object (HierarchyControllerState)
  }
}
Fields
clusterName

string

This field is set to the clusterName field of the Membership Spec if it is not empty. Otherwise, it is set to the cluster's fleet membership name.

membershipSpec

object (Spec)

Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipSpec in the FeatureSpec represents the intended state.

operatorState

object (OperatorState)

Current install status of ACM's Operator.

configSyncState

object (ConfigSyncState)

Current sync status.

policyControllerState

object (PolicyControllerState)

PolicyController status.

binauthzState

object (BinauthzState)

Binauthz status.

hierarchyControllerState

object (HierarchyControllerState)

Hierarchy Controller status.

OperatorState

State information for ACM's Operator.

JSON representation
{
  "version": string,
  "deploymentState": enum (DeploymentState),
  "errors": [
    {
      object (InstallError)
    }
  ]
}
Fields
version

string

The semantic version number of the operator.

deploymentState

enum (DeploymentState)

The state of the Operator's deployment.

errors[]

object (InstallError)

Install errors.

DeploymentState

Enum representing the state of an ACM deployment on a cluster.

Enums
DEPLOYMENT_STATE_UNSPECIFIED Deployment's state cannot be determined.
NOT_INSTALLED Deployment is not installed.
INSTALLED Deployment is installed.
ERROR Deployment was attempted to be installed, but has errors.
PENDING Deployment is installing or terminating

InstallError

Errors pertaining to the installation of ACM.

JSON representation
{
  "errorMessage": string
}
Fields
errorMessage

string

A string representing the user facing error message.

ConfigSyncState

State information for ConfigSync.

JSON representation
{
  "version": {
    object (ConfigSyncVersion)
  },
  "deploymentState": {
    object (ConfigSyncDeploymentState)
  },
  "syncState": {
    object (SyncState)
  },
  "errors": [
    {
      object (ConfigSyncError)
    }
  ],
  "rootsyncCrd": enum (ConfigSyncState.CRDState),
  "reposyncCrd": enum (ConfigSyncState.CRDState),
  "state": enum (ConfigSyncState.State),
  "clusterLevelStopSyncingState": enum (ConfigSyncState.StopSyncingState),
  "crCount": integer
}
Fields
version

object (ConfigSyncVersion)

The version of ConfigSync deployed.

deploymentState

object (ConfigSyncDeploymentState)

Information about the deployment of ConfigSync, including the version of the various Pods deployed.

syncState

object (SyncState)

The state of ConfigSync's process to sync configs to a cluster.

errors[]

object (ConfigSyncError)

Errors pertaining to the installation of Config Sync.

rootsyncCrd

enum (ConfigSyncState.CRDState)

The state of the RootSync CRD

reposyncCrd

enum (ConfigSyncState.CRDState)

The state of the RepoSync CRD.

state

enum (ConfigSyncState.State)

The state of Config Sync. This field summarizes the other fields in this message.

clusterLevelStopSyncingState

enum (ConfigSyncState.StopSyncingState)

Whether syncing resources to the cluster is stopped at the cluster level.

crCount

integer

Output only. The number of RootSync and RepoSync CRs in the cluster.

ConfigSyncVersion

Specific versioning information pertaining to ConfigSync's Pods.

JSON representation
{
  "importer": string,
  "syncer": string,
  "gitSync": string,
  "monitor": string,
  "reconcilerManager": string,
  "rootReconciler": string,
  "admissionWebhook": string,
  "resourceGroupControllerManager": string,
  "otelCollector": string
}
Fields
importer

string

Version of the deployed importer pod.

syncer

string

Version of the deployed syncer pod.

gitSync

string

Version of the deployed git-sync pod.

monitor

string

Version of the deployed monitor pod.

reconcilerManager

string

Version of the deployed reconciler-manager pod.

rootReconciler

string

Version of the deployed reconciler container in root-reconciler pod.

admissionWebhook

string

Version of the deployed admission-webhook pod.

resourceGroupControllerManager

string

Version of the deployed resource-group-controller-manager pod

otelCollector

string

Version of the deployed otel-collector pod

ConfigSyncDeploymentState

The state of ConfigSync's deployment on a cluster.

JSON representation
{
  "importer": enum (DeploymentState),
  "syncer": enum (DeploymentState),
  "gitSync": enum (DeploymentState),
  "monitor": enum (DeploymentState),
  "reconcilerManager": enum (DeploymentState),
  "rootReconciler": enum (DeploymentState),
  "admissionWebhook": enum (DeploymentState),
  "resourceGroupControllerManager": enum (DeploymentState),
  "otelCollector": enum (DeploymentState)
}
Fields
importer

enum (DeploymentState)

Deployment state of the importer pod.

syncer

enum (DeploymentState)

Deployment state of the syncer pod.

gitSync

enum (DeploymentState)

Deployment state of the git-sync pod.

monitor

enum (DeploymentState)

Deployment state of the monitor pod.

reconcilerManager

enum (DeploymentState)

Deployment state of reconciler-manager pod.

rootReconciler

enum (DeploymentState)

Deployment state of root-reconciler.

admissionWebhook

enum (DeploymentState)

Deployment state of admission-webhook.

resourceGroupControllerManager

enum (DeploymentState)

Deployment state of resource-group-controller-manager

otelCollector

enum (DeploymentState)

Deployment state of otel-collector

SyncState

State indicating ACM's progress syncing configurations to a cluster.

JSON representation
{
  "sourceToken": string,
  "importToken": string,
  "syncToken": string,
  "lastSync": string,
  "lastSyncTime": string,
  "code": enum (SyncState.SyncCode),
  "errors": [
    {
      object (SyncError)
    }
  ]
}
Fields
sourceToken

string

Token indicating the state of the repo.

importToken

string

Token indicating the state of the importer.

syncToken

string

Token indicating the state of the syncer.

lastSync
(deprecated)

string

Deprecated: use lastSyncTime instead. Timestamp of when ACM last successfully synced the repo. The time format is specified in https://golang.org/pkg/time/#Time.String

lastSyncTime

string (Timestamp format)

Timestamp of when ACM last successfully synced the repo.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

code

enum (SyncState.SyncCode)

Sync status code.

errors[]

object (SyncError)

A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist.

SyncState.SyncCode

An enum representing Config Sync's status of syncing configs to a cluster.

Enums
SYNC_CODE_UNSPECIFIED Config Sync cannot determine a sync code
SYNCED Config Sync successfully synced the Git repo with the cluster
PENDING Config Sync is in the process of syncing a new change
ERROR Indicates an error configuring Config Sync, and user action is required
NOT_CONFIGURED Config Sync has been installed but not configured
NOT_INSTALLED Config Sync has not been installed
UNAUTHORIZED Error authorizing with the cluster
UNREACHABLE Cluster could not be reached

SyncError

An ACM-created error representing a problem syncing configurations.

JSON representation
{
  "code": string,
  "errorMessage": string,
  "errorResources": [
    {
      object (ErrorResource)
    }
  ]
}
Fields
code

string

An ACM defined error code

errorMessage

string

A description of the error

errorResources[]

object (ErrorResource)

A list of config(s) associated with the error, if any

ErrorResource

Model for a config file in the git repo with an associated Sync error.

JSON representation
{
  "sourcePath": string,
  "resourceName": string,
  "resourceNamespace": string,
  "resourceGvk": {
    object (GroupVersionKind)
  }
}
Fields
sourcePath

string

Path in the git repo of the erroneous config

resourceName

string

Metadata name of the resource that is causing an error

resourceNamespace

string

Namespace of the resource that is causing an error

resourceGvk

object (GroupVersionKind)

Group/version/kind of the resource that is causing an error

GroupVersionKind

A Kubernetes object's GVK.

JSON representation
{
  "group": string,
  "version": string,
  "kind": string
}
Fields
group

string

Kubernetes Group

version

string

Kubernetes Version

kind

string

Kubernetes Kind

ConfigSyncError

Errors pertaining to the installation of Config Sync

JSON representation
{
  "errorMessage": string
}
Fields
errorMessage

string

A string representing the user facing error message

ConfigSyncState.CRDState

CRDState representing the state of a CRD

Enums
CRD_STATE_UNSPECIFIED CRD's state cannot be determined
NOT_INSTALLED CRD is not installed
INSTALLED CRD is installed
TERMINATING CRD is terminating (i.e., it has been deleted and is cleaning up)
INSTALLING CRD is installing

ConfigSyncState.State

Enums
STATE_UNSPECIFIED CS's state cannot be determined.
CONFIG_SYNC_NOT_INSTALLED CS is not installed.
CONFIG_SYNC_INSTALLED The expected CS version is installed successfully.
CONFIG_SYNC_ERROR CS encounters errors.
CONFIG_SYNC_PENDING CS is installing or terminating.

ConfigSyncState.StopSyncingState

Enums
STOP_SYNCING_STATE_UNSPECIFIED State cannot be determined
NOT_STOPPED Syncing resources to the cluster is not stopped at the cluster level.
PENDING Some reconcilers stop syncing resources to the cluster, while others are still syncing.
STOPPED Syncing resources to the cluster is stopped at the cluster level.

PolicyControllerState

State for PolicyControllerState.

JSON representation
{
  "version": {
    object (PolicyControllerVersion)
  },
  "deploymentState": {
    object (GatekeeperDeploymentState)
  },
  "migration": {
    object (PolicyControllerMigration)
  }
}
Fields
version

object (PolicyControllerVersion)

The version of Gatekeeper Policy Controller deployed.

deploymentState

object (GatekeeperDeploymentState)

The state about the policy controller installation.

migration

object (PolicyControllerMigration)

Record state of ACM -> PoCo Hub migration for this feature.

PolicyControllerVersion

The build version that Gatekeeper Policy Controller is using.

JSON representation
{
  "version": string
}
Fields
version

string

The gatekeeper image tag that is composed of ACM version, git tag, build number.

GatekeeperDeploymentState

State of Policy Controller installation.

JSON representation
{
  "gatekeeperControllerManagerState": enum (DeploymentState),
  "gatekeeperAudit": enum (DeploymentState),
  "gatekeeperMutation": enum (DeploymentState)
}
Fields
gatekeeperControllerManagerState

enum (DeploymentState)

Status of gatekeeper-controller-manager pod.

gatekeeperAudit

enum (DeploymentState)

Status of gatekeeper-audit deployment.

gatekeeperMutation

enum (DeploymentState)

Status of the pod serving the mutation webhook.

PolicyControllerMigration

State for the migration of PolicyController from ACM -> PoCo Hub.

JSON representation
{
  "stage": enum (PolicyControllerMigration.Stage),
  "copyTime": string
}
Fields
stage

enum (PolicyControllerMigration.Stage)

Stage of the migration.

copyTime

string (Timestamp format)

Last time this membership spec was copied to PoCo feature.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

PolicyControllerMigration.Stage

Stage marks what stage of the migration ACM hub is in.

Enums
STAGE_UNSPECIFIED Unknown state of migration.
ACM_MANAGED ACM Hub/Operator manages policycontroller. No migration yet completed.
POCO_MANAGED All migration steps complete; PoCo Hub now manages policycontroller.

BinauthzState

State for Binauthz.

JSON representation
{
  "webhook": enum (DeploymentState),
  "version": {
    object (BinauthzVersion)
  }
}
Fields
webhook

enum (DeploymentState)

The state of the binauthz webhook.

version

object (BinauthzVersion)

The version of binauthz that is installed.

BinauthzVersion

The version of binauthz.

JSON representation
{
  "webhookVersion": string
}
Fields
webhookVersion

string

The version of the binauthz webhook.

HierarchyControllerState

State for Hierarchy Controller.

JSON representation
{
  "version": {
    object (HierarchyControllerVersion)
  },
  "state": {
    object (HierarchyControllerDeploymentState)
  }
}
Fields
version

object (HierarchyControllerVersion)

The version for Hierarchy Controller.

state

object (HierarchyControllerDeploymentState)

The deployment state for Hierarchy Controller.

HierarchyControllerVersion

Version for Hierarchy Controller.

JSON representation
{
  "hnc": string,
  "extension": string
}
Fields
hnc

string

Version for open source HNC.

extension

string

Version for Hierarchy Controller extension.

HierarchyControllerDeploymentState

Deployment state for Hierarchy Controller

JSON representation
{
  "hnc": enum (DeploymentState),
  "extension": enum (DeploymentState)
}
Fields
hnc

enum (DeploymentState)

The deployment state for open source HNC (e.g. v0.7.0-hc.0).

extension

enum (DeploymentState)

The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1).

State

Policy Controller: State for a single cluster.

JSON representation
{
  "componentStates": {
    string: {
      object (OnClusterState)
    },
    ...
  },
  "state": enum (State.LifecycleState),
  "policyContentState": {
    object (PolicyContentState)
  }
}
Fields
componentStates

map (key: string, value: object (OnClusterState))

Currently these include (also serving as map keys): 1. "admission" 2. "audit" 3. "mutation"

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

state

enum (State.LifecycleState)

The overall Policy Controller lifecycle state observed by the Hub Feature controller.

policyContentState

object (PolicyContentState)

The overall content state observed by the Hub Feature controller.

OnClusterState

OnClusterState represents the state of a sub-component of Policy Controller.

JSON representation
{
  "state": enum (State.LifecycleState),
  "details": string
}
Fields
state

enum (State.LifecycleState)

The lifecycle state of this component.

details

string

Surface potential errors or information logs.

State.LifecycleState

The set of states Policy Controller can exist in.

Enums
LIFECYCLE_STATE_UNSPECIFIED The lifecycle state is unspecified.
NOT_INSTALLED The PC does not exist on the given cluster, and no k8s resources of any type that are associated with the PC should exist there. The cluster does not possess a membership with the PCH.
INSTALLING The PCH possesses a Membership, however the PC is not fully installed on the cluster. In this state the hub can be expected to be taking actions to install the PC on the cluster.
ACTIVE The PC is fully installed on the cluster and in an operational mode. In this state PCH will be reconciling state with the PC, and the PC will be performing its operational tasks per that software. Entering a READY state requires that the hub has confirmed the PC is installed and its pods are operational with the version of the PC the PCH expects.
UPDATING The PC is fully installed, but in the process of changing the configuration (including changing the version of PC either up or down, or modifying the manifests of PC) of the resources running on the cluster. The PCH has a Membership, is aware of the version the cluster should be running, but has not confirmed for itself that the PC is running with that version.
DECOMMISSIONING The PC may have resources on the cluster, but the PCH wishes to remove the Membership. The Membership still exists.
CLUSTER_ERROR The PC is not operational, and the PCH is unable to act to make it operational. Entering a CLUSTER_ERROR state happens automatically when the PCH determines that a PC installed on the cluster is non-operative or that the cluster does not meet requirements set for the PCH to administer the cluster but has nevertheless been given an instruction to do so (such as 'install').
HUB_ERROR In this state, the PC may still be operational, and only the PCH is unable to act. The hub should not issue instructions to change the PC state, or otherwise interfere with the on-cluster resources. Entering a HUB_ERROR state happens automatically when the PCH determines the hub is in an unhealthy state and it wishes to 'take hands off' to avoid corrupting the PC or other data.
SUSPENDED Policy Controller (PC) is installed but suspended. This means that the policies are not enforced, but violations are still recorded (through audit).
DETACHED PoCo Hub is not taking any action to reconcile cluster objects. Changes to those objects will not be overwritten by PoCo Hub.

PolicyContentState

The state of the policy controller policy content

JSON representation
{
  "templateLibraryState": {
    object (OnClusterState)
  },
  "bundleStates": {
    string: {
      object (OnClusterState)
    },
    ...
  },
  "referentialSyncConfigState": {
    object (OnClusterState)
  }
}
Fields
templateLibraryState

object (OnClusterState)

The state of the template library

bundleStates

map (key: string, value: object (OnClusterState))

The state of any bundles included in the chosen version of the manifest

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

referentialSyncConfigState

object (OnClusterState)

The state of the referential data sync configuration. This could represent the state of either the syncSet object(s) or the config object, depending on the version of PoCo configured by the user.

State

State for App Dev Exp Feature.

JSON representation
{
  "networkingInstallSucceeded": {
    object (State.Status)
  }
}
Fields
networkingInstallSucceeded

object (State.Status)

Status of subcomponent that detects configured Service Mesh resources.

State.Status

Status specifies state for the subcomponent.

JSON representation
{
  "code": enum (State.Code),
  "description": string
}
Fields
code

enum (State.Code)

Code specifies AppDevExperienceFeature's subcomponent ready state.

description

string

Description is populated if Code is Failed, explaining why it has failed.

State.Code

Code specifies the ready state for an AppDevExperienceFeature subcomponent.

Enums
CODE_UNSPECIFIED Not set.
OK AppDevExperienceFeature's specified subcomponent is ready.
FAILED AppDevExperienceFeature's specified subcomponent ready state is false. This means AppDevExperienceFeature has encountered an issue that blocks all, or a portion, of its normal operation. See the description for more details.
UNKNOWN AppDevExperienceFeature's specified subcomponent has a pending or unknown state.

State

High-level state of a MembershipFeature.

JSON representation
{
  "code": enum (State.Code),
  "description": string,
  "updateTime": string
}
Fields
code

enum (State.Code)

The high-level, machine-readable status of this MembershipFeature.

description

string

A human-readable description of the current status.

updateTime

string (Timestamp format)

The time this status and any related Feature-specific details were updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

State.Code

Code represents a machine-readable, high-level status of the MembershipFeature.

Enums
CODE_UNSPECIFIED Unknown or not set.
OK The MembershipFeature is operating normally.
WARNING The MembershipFeature has encountered an issue, and is operating in a degraded state. The MembershipFeature may need intervention to return to normal operation. See the description and any associated MembershipFeature-specific details for more information.
ERROR The MembershipFeature is not operating or is in a severely degraded state. The MembershipFeature may need intervention to return to normal operation. See the description and any associated MembershipFeature-specific details for more information.

LifecycleState

LifecycleState describes the state of a MembershipFeature resource in the GkeHub API. See FeatureState for the "running state" of the MembershipFeature.

JSON representation
{
  "state": enum (LifecycleState.State)
}
Fields
state

enum (LifecycleState.State)

Output only. The current state of the Feature resource in the Hub API.

LifecycleState.State

State describes the lifecycle status of a MembershipFeature.

Enums
STATE_UNSPECIFIED State is unknown or not set.
ENABLING The MembershipFeature is being enabled, and the MembershipFeature resource is being created. Once complete, the corresponding MembershipFeature will be enabled in this Hub.
ACTIVE The MembershipFeature is enabled in this Hub, and the MembershipFeature resource is fully available.
DISABLING The MembershipFeature is being disabled in this Hub, and the MembershipFeature resource is being deleted.
UPDATING The MembershipFeature resource is being updated.
SERVICE_UPDATING The MembershipFeature resource is being updated by the Hub Service.
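The status objects documented above (the Config Sync error fields with their ErrorResource entries, the Policy Controller State with its State.LifecycleState values, and the high-level State.Code) are what a fleet operator polls to notice when admission policy has stopped being enforced on a cluster or when a synced config is failing. The following Python audit is an added example, not code from this API reference or from the GKE Hub service; it runs over constructed sample objects, and the nesting keys highLevel, policyController and configSyncErrors are assumptions chosen for the example, not the API's own FeatureState field names.

```python
# Added example, not part of the GKE Hub API reference. The keys "highLevel", "policyController"
# and "configSyncErrors" are assumed placeholders, not the API's own FeatureState field names.

# State.LifecycleState values in which Policy Controller is not enforcing policy or being reconciled.
NOT_ENFORCING = {"NOT_INSTALLED", "SUSPENDED", "DETACHED", "CLUSTER_ERROR", "DECOMMISSIONING"}

def check_high_level(state):
    """High-level State: any code other than OK (CODE_UNSPECIFIED, WARNING, ERROR) is a finding."""
    code = state.get("code", "CODE_UNSPECIFIED")
    return [] if code == "OK" else [f"feature {code}: {state.get('description', '')}"]

def check_policy_controller(pc):
    """Policy Controller State: flag non-enforcing lifecycle states and non-ACTIVE components."""
    findings = []
    lifecycle = pc.get("state", "LIFECYCLE_STATE_UNSPECIFIED")
    if lifecycle in NOT_ENFORCING:
        findings.append(f"policy controller {lifecycle}: policies are not enforced on this cluster")
    for name, comp in sorted(pc.get("componentStates", {}).items()):  # admission, audit, mutation
        if comp.get("state") != "ACTIVE":
            findings.append(f"component {name} is {comp.get('state')}: {comp.get('details', '')}")
    return findings

def check_config_sync_errors(errors):
    """Config Sync errors: report each erroneous config by repo path, GVK and namespace/name."""
    findings = []
    for err in errors:
        for res in err.get("errorResources", []):
            gvk = res.get("resourceGvk", {})
            findings.append(f"config sync {err.get('code')} at {res.get('sourcePath')} "
                            f"({gvk.get('group')}/{gvk.get('version')} {gvk.get('kind')} "
                            f"{res.get('resourceNamespace')}/{res.get('resourceName')}): "
                            f"{err.get('errorMessage')}")
    return findings

def audit_membership_feature(feature):
    """All findings for one MembershipFeature; an empty list means nothing needs attention."""
    return (check_high_level(feature.get("highLevel", {}))
            + check_policy_controller(feature.get("policyController", {}))
            + check_config_sync_errors(feature.get("configSyncErrors", [])))

SAMPLE = {  # constructed sample input, not captured from a real fleet
    "highLevel": {"code": "WARNING", "description": "Policy Controller is suspended"},
    "policyController": {"state": "SUSPENDED", "componentStates": {
        "admission": {"state": "SUSPENDED", "details": "suspended by operator"},
        "audit": {"state": "ACTIVE", "details": ""}}},
    "configSyncErrors": [{"code": "EXAMPLE-CODE", "errorMessage": "invalid field",  # placeholder code
        "errorResources": [{"sourcePath": "namespaces/prod/netpol.yaml", "resourceName": "deny-all",
            "resourceNamespace": "prod", "resourceGvk": {
                "group": "networking.k8s.io", "version": "v1", "kind": "NetworkPolicy"}}]}]}
```

Running `audit_membership_feature(SAMPLE)` yields four findings: the WARNING status, the SUSPENDED lifecycle state, the suspended admission component, and the failing NetworkPolicy config at its repo path.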

Methods

create

Creates membershipFeature under a given parent.

delete

Removes a membershipFeature.

get

Gets details of a membershipFeature.

list

Lists MembershipFeatures in a given project and location.

patch

Updates an existing MembershipFeature.