Package google.cloud.gkehub.configmanagement.v2alpha

Index

BinauthzConfig

Configuration for Binauthz.

Fields
enabled

bool

Whether binauthz is enabled in this cluster.

BinauthzState

State for Binauthz.

Fields
webhook

DeploymentState

The state of the binauthz webhook.

version

BinauthzVersion

The version of binauthz that is installed.

BinauthzVersion

The version of binauthz.

Fields
webhook_version

string

The version of the binauthz webhook.

ConfigSync

Configuration for Config Sync

Fields
git

GitConfig

Git repo configuration for the cluster.

source_format

string

Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.

prevent_drift

bool

Set to true to enable the Config Sync admission webhook to prevent drifts. If set to false, disables the Config Sync admission webhook and does not prevent drifts.

oci

OciConfig

OCI repo configuration for the cluster.

allow_vertical_scale
(deprecated)

bool

Set to true to allow the vertical scaling. Defaults to false which disallows vertical scaling. This field is deprecated.

metrics_gcp_service_account_email
(deprecated)

string

The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount default in the namespace config-management-monitoring should be bound to the GSA. Deprecated: If Workload Identity Federation for GKE is enabled, Google Cloud Service Account is no longer needed for exporting Config Sync metrics: https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/monitor-config-sync-cloud-monitoring#custom-monitoring.

stop_syncing

bool

Set to true to stop syncing configs for a single cluster. Default to false.

enabled

bool

Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if exist. If set to false, all other ConfigSync fields will be ignored, ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depends on the presence of the git or oci field.

ConfigSyncDeploymentState

The state of ConfigSync's deployment on a cluster.

Fields
importer

DeploymentState

Deployment state of the importer pod.

syncer

DeploymentState

Deployment state of the syncer pod.

git_sync

DeploymentState

Deployment state of the git-sync pod.

monitor

DeploymentState

Deployment state of the monitor pod.

reconciler_manager

DeploymentState

Deployment state of reconciler-manager pod.

root_reconciler

DeploymentState

Deployment state of root-reconciler.

admission_webhook

DeploymentState

Deployment state of admission-webhook.

resource_group_controller_manager

DeploymentState

Deployment state of resource-group-controller-manager

otel_collector

DeploymentState

Deployment state of otel-collector

ConfigSyncError

Errors pertaining to the installation of Config Sync

Fields
error_message

string

A string representing the user facing error message

ConfigSyncState

State information for ConfigSync.

Fields
version

ConfigSyncVersion

The version of ConfigSync deployed.

deployment_state

ConfigSyncDeploymentState

Information about the deployment of ConfigSync, including the version. of the various Pods deployed

sync_state

SyncState

The state of ConfigSync's process to sync configs to a cluster.

errors[]

ConfigSyncError

Errors pertaining to the installation of Config Sync.

rootsync_crd

ConfigSyncState.CRDState

The state of the RootSync CRD

reposync_crd

ConfigSyncState.CRDState

The state of the Reposync CRD

state

ConfigSyncState.State

The state of CS This field summarizes the other fields in this message.

cluster_level_stop_syncing_state

ConfigSyncState.StopSyncingState

Whether syncing resources to the cluster is stopped at the cluster level.

cr_count

int32

Output only. The number of RootSync and RepoSync CRs in the cluster.

CRDState

CRDState representing the state of a CRD

Enums
CRD_STATE_UNSPECIFIED CRD's state cannot be determined
NOT_INSTALLED CRD is not installed
INSTALLED CRD is installed
TERMINATING CRD is terminating (i.e., it has been deleted and is cleaning up)
INSTALLING CRD is installing

State

Enums
STATE_UNSPECIFIED CS's state cannot be determined.
CONFIG_SYNC_NOT_INSTALLED CS is not installed.
CONFIG_SYNC_INSTALLED The expected CS version is installed successfully.
CONFIG_SYNC_ERROR CS encounters errors.
CONFIG_SYNC_PENDING CS is installing or terminating.

StopSyncingState

Enums
STOP_SYNCING_STATE_UNSPECIFIED State cannot be determined
NOT_STOPPED Syncing resources to the cluster is not stopped at the cluster level.
PENDING Some reconcilers stop syncing resources to the cluster, while others are still syncing.
STOPPED Syncing resources to the cluster is stopped at the cluster level.

ConfigSyncVersion

Specific versioning information pertaining to ConfigSync's Pods.

Fields
importer

string

Version of the deployed importer pod.

syncer

string

Version of the deployed syncer pod.

git_sync

string

Version of the deployed git-sync pod.

monitor

string

Version of the deployed monitor pod.

reconciler_manager

string

Version of the deployed reconciler-manager pod.

root_reconciler

string

Version of the deployed reconciler container in root-reconciler pod.

admission_webhook

string

Version of the deployed admission-webhook pod.

resource_group_controller_manager

string

Version of the deployed resource-group-controller-manager pod

otel_collector

string

Version of the deployed otel-collector pod

DeploymentState

Enum representing the state of an ACM's deployment on a cluster.

Enums
DEPLOYMENT_STATE_UNSPECIFIED Deployment's state cannot be determined.
NOT_INSTALLED Deployment is not installed.
INSTALLED Deployment is installed.
ERROR Deployment was attempted to be installed, but has errors.
PENDING Deployment is installing or terminating

ErrorResource

Model for a config file in the git repo with an associated Sync error.

Fields
source_path

string

Path in the git repo of the erroneous config

resource_name

string

Metadata name of the resource that is causing an error

resource_namespace

string

Namespace of the resource that is causing an error

resource_gvk

GroupVersionKind

Group/version/kind of the resource that is causing an error

GatekeeperDeploymentState

State of Policy Controller installation.

Fields
gatekeeper_controller_manager_state

DeploymentState

Status of gatekeeper-controller-manager pod.

gatekeeper_audit

DeploymentState

Status of gatekeeper-audit deployment.

gatekeeper_mutation

DeploymentState

Status of the pod serving the mutation webhook.

GitConfig

Git repo configuration for a single cluster.

Fields
sync_repo

string

The URL of the Git repository to use as the source of truth.

sync_branch

string

The branch of the repository to sync from. Default: master.

policy_dir

string

The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.

sync_wait_secs

int64

Period in seconds between consecutive syncs. Default: 15.

sync_rev

string

Git revision (tag or hash) to check out. Default HEAD.

secret_type

string

Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. The validation of this is case-sensitive. Required.

https_proxy

string

URL for the HTTPS proxy to be used when communicating with the Git repo.

gcp_service_account_email

string

The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount.

GroupVersionKind

A Kubernetes object's GVK.

Fields
group

string

Kubernetes Group

version

string

Kubernetes Version

kind

string

Kubernetes Kind

HierarchyControllerConfig

Configuration for Hierarchy Controller.

Fields
enabled

bool

Whether Hierarchy Controller is enabled in this cluster.

enable_pod_tree_labels

bool

Whether pod tree labels are enabled in this cluster.

enable_hierarchical_resource_quota

bool

Whether hierarchical resource quota is enabled in this cluster.

HierarchyControllerDeploymentState

Deployment state for Hierarchy Controller

Fields
hnc

DeploymentState

The deployment state for open source HNC (e.g. v0.7.0-hc.0).

extension

DeploymentState

The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1).

HierarchyControllerState

State for Hierarchy Controller.

Fields
version

HierarchyControllerVersion

The version for Hierarchy Controller.

state

HierarchyControllerDeploymentState

The deployment state for Hierarchy Controller.

HierarchyControllerVersion

Version for Hierarchy Controller.

Fields
hnc

string

Version for open source HNC.

extension

string

Version for Hierarchy Controller extension.

InstallError

Errors pertaining to the installation of ACM.

Fields
error_message

string

A string representing the user facing error message.

OciConfig

OCI repo configuration for a single cluster.

Fields
sync_repo

string

The OCI image repository URL for the package to sync from. e.g. LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME.

policy_dir

string

The absolute path of the directory that contains the local resources. Default: the root directory of the image.

sync_wait_secs

int64

Period in seconds between consecutive syncs. Default: 15.

secret_type

string

Type of secret configured for access to the Git repo.

gcp_service_account_email

string

The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount.

OperatorState

State information for an ACM's Operator.

Fields
version

string

The semenatic version number of the operator.

deployment_state

DeploymentState

The state of the Operator's deployment.

errors[]

InstallError

Install errors.

PolicyController

Configuration for Policy Controller

Fields
enabled

bool

Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect.

exemptable_namespaces[]

string

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.

referential_rules_enabled

bool

Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.

log_denies_enabled

bool

Logs all denies and dry run failures.

mutation_enabled

bool

Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster.

monitoring

PolicyControllerMonitoring

Monitoring specifies the configuration of monitoring.

update_time

Timestamp

Output only. Last time this membership spec was updated.

template_library_installed

bool

Installs the default template library along with Policy Controller.

audit_interval_seconds

int64

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

PolicyControllerMigration

State for the migration of PolicyController from ACM -> PoCo Hub.

Fields
stage

PolicyControllerMigration.Stage

Stage of the migration.

copy_time

Timestamp

Last time this membership spec was copied to PoCo feature.

Stage

Stage marks what stage of the migration ACM hub is in.

Enums
STAGE_UNSPECIFIED Unknown state of migration.
ACM_MANAGED ACM Hub/Operator manages policycontroller. No migration yet completed.
POCO_MANAGED All migrations steps complete; Poco Hub now manages policycontroller.

PolicyControllerMonitoring

PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]

Fields
backends[]

PolicyControllerMonitoring.MonitoringBackend

Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.

MonitoringBackend

Supported backend options for monitoring

Enums
MONITORING_BACKEND_UNSPECIFIED Backend cannot be determined
PROMETHEUS Prometheus backend for monitoring
CLOUD_MONITORING Stackdriver/Cloud Monitoring backend for monitoring

PolicyControllerState

State for PolicyControllerState.

Fields
version

PolicyControllerVersion

The version of Gatekeeper Policy Controller deployed.

deployment_state

GatekeeperDeploymentState

The state about the policy controller installation.

migration

PolicyControllerMigration

Record state of ACM -> PoCo Hub migration for this feature.

PolicyControllerVersion

The build version of Gatekeeper Policy Controller is using.

Fields
version

string

The gatekeeper image tag that is composed of ACM version, git tag, build number.

Spec

Anthos Config Management: Configuration for a single cluster. Intended to parallel the ConfigManagement CR.

Fields
config_sync

ConfigSync

Config Sync configuration for the cluster.

policy_controller

PolicyController

Policy Controller configuration for the cluster. Deprecated: Configuring Policy Controller through the configmanagement feature is no longer recommended. Use the policycontroller feature instead.

binauthz
(deprecated)

BinauthzConfig

Binauthz conifguration for the cluster. Deprecated: This field will be ignored and should not be set.

hierarchy_controller

HierarchyControllerConfig

Hierarchy Controller configuration for the cluster. Deprecated: Configuring Hierarchy Controller through the configmanagement feature is no longer recommended. Use https://github.com/kubernetes-sigs/hierarchical-namespaces instead.

version

string

Version of ACM installed.

cluster

string

The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector.

management

Spec.Management

Enables automatic Feature management.

Management

Whether to automatically manage the Feature.

Enums
MANAGEMENT_UNSPECIFIED Unspecified
MANAGEMENT_AUTOMATIC Google will manage the Feature for the cluster.
MANAGEMENT_MANUAL User will manually manage the Feature for the cluster.

State

Anthos Config Management: State for a single cluster.

Fields
cluster_name

string

This field is set to the cluster_name field of the Membership Spec if it is not empty. Otherwise, it is set to the cluster's fleet membership name.

membership_spec

Spec

Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipSpec in the FeatureSpec represents the intended state.

operator_state

OperatorState

Current install status of ACM's Operator.

config_sync_state

ConfigSyncState

Current sync status.

policy_controller_state

PolicyControllerState

PolicyController status.

binauthz_state

BinauthzState

Binauthz status.

hierarchy_controller_state

HierarchyControllerState

Hierarchy Controller status.

SyncError

An ACM created error representing a problem syncing configurations.

Fields
code

string

An ACM defined error code

error_message

string

A description of the error

error_resources[]

ErrorResource

A list of config(s) associated with the error, if any

SyncState

State indicating an ACM's progress syncing configurations to a cluster.

Fields
source_token

string

Token indicating the state of the repo.

import_token

string

Token indicating the state of the importer.

sync_token

string

Token indicating the state of the syncer.

last_sync
(deprecated)

string

Deprecated: use last_sync_time instead. Timestamp of when ACM last successfully synced the repo. The time format is specified in https://golang.org/pkg/time/#Time.String

last_sync_time

Timestamp

Timestamp type of when ACM last successfully synced the repo.

code

SyncState.SyncCode

Sync status code.

errors[]

SyncError

A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist.

SyncCode

An enum representing Config Sync's status of syncing configs to a cluster.

Enums
SYNC_CODE_UNSPECIFIED Config Sync cannot determine a sync code
SYNCED Config Sync successfully synced the git Repo with the cluster
PENDING Config Sync is in the progress of syncing a new change
ERROR Indicates an error configuring Config Sync, and user action is required
NOT_CONFIGURED Config Sync has been installed but not configured
NOT_INSTALLED Config Sync has not been installed
UNAUTHORIZED Error authorizing with the cluster
UNREACHABLE Cluster could not be reached