Package google.cloud.gkehub.v1alpha

Index

GkeHub

The GKE Hub service handles the registration of many Kubernetes clusters to Google Cloud, and the management of multi-cluster features over those clusters.

The GKE Hub service operates on the following resources:

GKE Hub is currently available in the global region and all regions in https://cloud.google.com/compute/docs/regions-zones. Feature is only available in global region while membership is global region and all the regions.

Membership management may be non-trivial: it is recommended to use one of the Google-provided client libraries or tools where possible when working with Membership resources.

CreateFeature

rpc CreateFeature(CreateFeatureRequest) returns (Operation)

Adds a new Feature.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateFleet

rpc CreateFleet(CreateFleetRequest) returns (Operation)

Creates a fleet.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateMembership

rpc CreateMembership(CreateMembershipRequest) returns (Operation)

Creates a new Membership.

This is currently only supported for GKE clusters on Google Cloud. To register other clusters, follow the instructions at https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateMembershipBinding

rpc CreateMembershipBinding(CreateMembershipBindingRequest) returns (Operation)

Creates a MembershipBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateMembershipRBACRoleBinding

rpc CreateMembershipRBACRoleBinding(CreateMembershipRBACRoleBindingRequest) returns (Operation)

Creates a Membership RBACRoleBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateScope

rpc CreateScope(CreateScopeRequest) returns (Operation)

Creates a Scope.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateScopeNamespace

rpc CreateScopeNamespace(CreateScopeNamespaceRequest) returns (Operation)

Creates a fleet namespace.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

CreateScopeRBACRoleBinding

rpc CreateScopeRBACRoleBinding(CreateScopeRBACRoleBindingRequest) returns (Operation)

Creates a Scope RBACRoleBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteFeature

rpc DeleteFeature(DeleteFeatureRequest) returns (Operation)

Removes a Feature.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteFleet

rpc DeleteFleet(DeleteFleetRequest) returns (Operation)

Removes a Fleet. There must be no memberships remaining in the Fleet.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteMembership

rpc DeleteMembership(DeleteMembershipRequest) returns (Operation)

Removes a Membership.

This is currently only supported for GKE clusters on Google Cloud. To unregister other clusters, follow the instructions at https://cloud.google.com/anthos/multicluster-management/connect/unregistering-a-cluster.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteMembershipBinding

rpc DeleteMembershipBinding(DeleteMembershipBindingRequest) returns (Operation)

Deletes a MembershipBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteMembershipRBACRoleBinding

rpc DeleteMembershipRBACRoleBinding(DeleteMembershipRBACRoleBindingRequest) returns (Operation)

Deletes a Membership RBACRoleBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteScope

rpc DeleteScope(DeleteScopeRequest) returns (Operation)

Deletes a Scope.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteScopeNamespace

rpc DeleteScopeNamespace(DeleteScopeNamespaceRequest) returns (Operation)

Deletes a fleet namespace.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

DeleteScopeRBACRoleBinding

rpc DeleteScopeRBACRoleBinding(DeleteScopeRBACRoleBindingRequest) returns (Operation)

Deletes a Scope RBACRoleBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GenerateConnectManifest

rpc GenerateConnectManifest(GenerateConnectManifestRequest) returns (GenerateConnectManifestResponse)

Generates the manifest for deployment of the GKE connect agent.

This method is used internally by Google-provided libraries. Most clients should not need to call this method directly.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GenerateExclusivityManifest

rpc GenerateExclusivityManifest(GenerateExclusivityManifestRequest) returns (GenerateExclusivityManifestResponse)

GenerateExclusivityManifest generates the manifests to update the exclusivity artifacts in the cluster if needed.

Exclusivity artifacts include the Membership custom resource definition (CRD) and the singleton Membership custom resource (CR). Combined with ValidateExclusivity, exclusivity artifacts guarantee that a Kubernetes cluster is only registered to a single GKE Hub.

The Membership CRD is versioned, and may require conversion when the GKE Hub API server begins serving a newer version of the CRD and corresponding CR. The response will be the converted CRD and CR if there are any differences between the versions.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GenerateMembershipRBACRoleBindingYAML

rpc GenerateMembershipRBACRoleBindingYAML(GenerateMembershipRBACRoleBindingYAMLRequest) returns (GenerateMembershipRBACRoleBindingYAMLResponse)

Generates a YAML of the RBAC policies for the specified RoleBinding and its associated impersonation resources.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetFeature

rpc GetFeature(GetFeatureRequest) returns (Feature)

Gets details of a single Feature.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetFleet

rpc GetFleet(GetFleetRequest) returns (Fleet)

Returns the details of a fleet.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetMembership

rpc GetMembership(GetMembershipRequest) returns (Membership)

Gets the details of a Membership.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetMembershipBinding

rpc GetMembershipBinding(GetMembershipBindingRequest) returns (MembershipBinding)

Returns the details of a MembershipBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetMembershipRBACRoleBinding

rpc GetMembershipRBACRoleBinding(GetMembershipRBACRoleBindingRequest) returns (RBACRoleBinding)

Returns the details of a Membership RBACRoleBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetScope

rpc GetScope(GetScopeRequest) returns (Scope)

Returns the details of a Scope.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetScopeNamespace

rpc GetScopeNamespace(GetScopeNamespaceRequest) returns (Namespace)

Returns the details of a fleet namespace.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

GetScopeRBACRoleBinding

rpc GetScopeRBACRoleBinding(GetScopeRBACRoleBindingRequest) returns (RBACRoleBinding)

Returns the details of a Scope RBACRoleBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListAdminClusterMemberships

rpc ListAdminClusterMemberships(ListAdminClusterMembershipsRequest) returns (ListAdminClusterMembershipsResponse)

Lists Memberships of admin clusters in a given project and location.

This method is only used internally.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListBoundMemberships

rpc ListBoundMemberships(ListBoundMembershipsRequest) returns (ListBoundMembershipsResponse)

Lists Memberships bound to a Scope. The response includes relevant Memberships from all regions.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListFeatures

rpc ListFeatures(ListFeaturesRequest) returns (ListFeaturesResponse)

Lists Features in a given project and location.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListFleets

rpc ListFleets(ListFleetsRequest) returns (ListFleetsResponse)

Returns all fleets within an organization or a project that the caller has access to.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListMembershipBindings

rpc ListMembershipBindings(ListMembershipBindingsRequest) returns (ListMembershipBindingsResponse)

Lists MembershipBindings.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListMembershipRBACRoleBindings

rpc ListMembershipRBACRoleBindings(ListMembershipRBACRoleBindingsRequest) returns (ListMembershipRBACRoleBindingsResponse)

Lists all Membership RBACRoleBindings.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListMemberships

rpc ListMemberships(ListMembershipsRequest) returns (ListMembershipsResponse)

Lists Memberships in a given project and location.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListPermittedScopes

rpc ListPermittedScopes(ListPermittedScopesRequest) returns (ListPermittedScopesResponse)

Lists permitted Scopes.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListScopeNamespaces

rpc ListScopeNamespaces(ListScopeNamespacesRequest) returns (ListScopeNamespacesResponse)

Lists fleet namespaces.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListScopeRBACRoleBindings

rpc ListScopeRBACRoleBindings(ListScopeRBACRoleBindingsRequest) returns (ListScopeRBACRoleBindingsResponse)

Lists all Scope RBACRoleBindings.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ListScopes

rpc ListScopes(ListScopesRequest) returns (ListScopesResponse)

Lists Scopes.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateFeature

rpc UpdateFeature(UpdateFeatureRequest) returns (Operation)

Updates an existing Feature.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateFleet

rpc UpdateFleet(UpdateFleetRequest) returns (Operation)

Updates a fleet.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateMembership

rpc UpdateMembership(UpdateMembershipRequest) returns (Operation)

Updates an existing Membership.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateMembershipBinding

rpc UpdateMembershipBinding(UpdateMembershipBindingRequest) returns (Operation)

Updates a MembershipBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateMembershipRBACRoleBinding

rpc UpdateMembershipRBACRoleBinding(UpdateMembershipRBACRoleBindingRequest) returns (Operation)

Updates a Membership RBACRoleBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateScope

rpc UpdateScope(UpdateScopeRequest) returns (Operation)

Updates a scopes.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateScopeNamespace

rpc UpdateScopeNamespace(UpdateScopeNamespaceRequest) returns (Operation)

Updates a fleet namespace.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

UpdateScopeRBACRoleBinding

rpc UpdateScopeRBACRoleBinding(UpdateScopeRBACRoleBindingRequest) returns (Operation)

Updates a Scope RBACRoleBinding.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ValidateCreateMembership

rpc ValidateCreateMembership(ValidateCreateMembershipRequest) returns (ValidateCreateMembershipResponse)

ValidateCreateMembership is a preflight check for CreateMembership. It checks the following: 1. Caller has the required gkehub.memberships.create permission. 2. The membership_id is still available.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ValidateExclusivity

rpc ValidateExclusivity(ValidateExclusivityRequest) returns (ValidateExclusivityResponse)

ValidateExclusivity validates the state of exclusivity in the cluster. The validation does not depend on an existing Hub membership resource.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

ApplianceCluster

ApplianceCluster contains information specific to GDC Edge Appliance Clusters.

Fields

Authority

Authority encodes how Google will recognize identities from this Membership. See the workload identity documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

Fields
issuer

string

Optional. A JSON Web Token (JWT) issuer URI. issuer must start with https:// and be a valid URL with length <2000 characters, it must use location rather than zone for GKE clusters.

If set, then Google will allow valid OIDC tokens from this issuer to authenticate within the workload_identity_pool. OIDC discovery will be performed on this URI to validate tokens from the issuer.

Clearing issuer disables Workload Identity. issuer cannot be directly modified; it must be cleared (and Workload Identity disabled) before using a new issuer (and re-enabling Workload Identity).

workload_identity_pool

string

Output only. The name of the workload identity pool in which issuer will be recognized.

There is a single Workload Identity Pool per Hub that is shared between all Memberships that belong to that Hub. For a Hub hosted in {PROJECT_ID}, the workload pool format is {PROJECT_ID}.hub.id.goog, although this is subject to change in newer versions of this API.

identity_provider

string

Output only. An identity provider that reflects the issuer in the workload identity pool.

oidc_jwks

bytes

Optional. OIDC verification keys for this Membership in JWKS format (RFC 7517).

When this field is set, OIDC discovery will NOT be performed on issuer, and instead OIDC tokens will be validated using this field.

scope_tenancy_workload_identity_pool

string

Optional. Output only. The name of the scope-tenancy workload identity pool. This pool is set in the fleet-level feature.

scope_tenancy_identity_provider

string

Optional. Output only. The identity provider for the scope-tenancy workload identity pool.

BinaryAuthorizationConfig

BinaryAuthorizationConfig defines the fleet level configuration of binary authorization feature.

Fields
evaluation_mode

BinaryAuthorizationConfig.EvaluationMode

Optional. Mode of operation for binauthz policy evaluation.

policy_bindings[]

BinaryAuthorizationConfig.PolicyBinding

Optional. Binauthz policies that apply to this cluster.

EvaluationMode

Binary Authorization mode of operation.

Enums
EVALUATION_MODE_UNSPECIFIED Default value
DISABLED Disable BinaryAuthorization
POLICY_BINDINGS Use Binary Authorization with the policies specified in policy_bindings.

PolicyBinding

Binauthz policy that applies to this cluster.

Fields
name

string

The relative resource name of the binauthz platform policy to audit. GKE platform policies have the following format: projects/{project_number}/platforms/gke/policies/{policy_id}.

CommonFeatureSpec

CommonFeatureSpec contains Fleet-wide configuration information

Fields

Union field feature_spec.

feature_spec can be only one of the following:

multiclusteringress

FeatureSpec

Multicluster Ingress-specific spec.

cloudauditlogging

FeatureSpec

Cloud Audit Logging-specific spec.

workloadcertificate

FeatureSpec

Workload Certificate spec.

appdevexperience

AppDevExperienceFeatureSpec

Appdevexperience specific spec.

anthosobservability

AnthosObservabilityFeatureSpec

Anthos Observability spec

fleetobservability

FeatureSpec

FleetObservability feature spec.

namespaceactuation

FeatureSpec

Namespace Actuation feature spec

clusterupgrade

FleetSpec

ClusterUpgrade (fleet-based) feature spec.

dataplanev2

FeatureSpec

DataplaneV2 feature spec.

CommonFeatureState

CommonFeatureState contains Fleet-wide Feature status information.

Fields
state

FeatureState

Output only. The "running state" of the Feature in this Fleet.

Union field feature_state.

feature_state can be only one of the following:

servicemesh

FeatureState

Service Mesh-specific state.

appdevexperience

AppDevExperienceFeatureState

Appdevexperience specific state.

fleetobservability

FeatureState

FleetObservability feature state.

namespaceactuation

FeatureState

Namespace Actuation feature state.

clusterupgrade

FleetState

ClusterUpgrade fleet-level state.

CommonFleetDefaultMemberConfigSpec

CommonFleetDefaultMemberConfigSpec contains default configuration information for memberships of a fleet

Fields

Union field feature_spec.

feature_spec can be only one of the following:

mesh

MembershipSpec

Anthos Service Mesh-specific spec

configmanagement

MembershipSpec

Config Management-specific spec.

identityservice

MembershipSpec

Identity Service-specific spec.

policycontroller

MembershipSpec

Policy Controller spec.

CompliancePostureConfig

CompliancePostureConfig defines the settings needed to enable/disable features for the Compliance Posture.

Fields
mode

CompliancePostureConfig.Mode

Defines the enablement mode for Compliance Posture.

compliance_standards[]

CompliancePostureConfig.ComplianceStandard

List of enabled compliance standards.

ComplianceStandard

Fields
standard

string

Name of the compliance standard.

Mode

Enums
MODE_UNSPECIFIED Default value not specified.
DISABLED Disables Compliance Posture features on the cluster.
ENABLED Enables Compliance Posture features on the cluster.

ConnectAgentResource

ConnectAgentResource represents a Kubernetes resource manifest for Connect Agent deployment.

Fields
type

TypeMeta

Kubernetes type of the resource.

manifest

string

YAML manifest of the resource.

CreateFeatureRequest

Request message for the GkeHub.CreateFeature method.

Fields
parent

string

Required. The parent (project and location) where the Feature will be created. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.features.create
feature_id

string

The ID of the feature to create.

resource

Feature

The Feature resource to create.

request_id

string

A request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CreateFleetRequest

Request message for the GkeHub.CreateFleet method.

Fields
parent

string

Required. The parent (project and location) where the Fleet will be created. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.fleet.create
fleet

Fleet

Required. The fleet to create.

CreateMembershipBindingRequest

Request to create a MembershipBinding.

Fields
parent

string

Required. The parent (project and location) where the MembershipBinding will be created. Specified in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.membershipbindings.create
membership_binding

MembershipBinding

Required. The MembershipBinding to create.

membership_binding_id

string

Required. The ID to use for the MembershipBinding.

CreateMembershipRBACRoleBindingRequest

Request to create a rbacrolebindings.

Fields
parent

string

Required. The parent (project and location) where the RBACRoleBinding will be created. Specified in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.rbacrolebindings.create
rbacrolebinding_id

string

Required. Client chosen ID for the RBACRoleBinding. rbacrolebinding_id must be a valid RFC 1123 compliant DNS label:

  1. At most 63 characters in length
  2. It must consist of lower case alphanumeric characters or -
  3. It must start and end with an alphanumeric character

Which can be expressed as the regex: [a-z0-9]([-a-z0-9]*[a-z0-9])?, with a maximum length of 63 characters.

rbacrolebinding

RBACRoleBinding

Required. The rbacrolebindings to create.

CreateMembershipRequest

Request message for the GkeHub.CreateMembership method.

Fields
parent

string

Required. The parent (project and location) where the Memberships will be created. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.memberships.create
membership_id

string

Required. Client chosen ID for the membership. membership_id must be a valid RFC 1123 compliant DNS label:

  1. At most 63 characters in length
  2. It must consist of lower case alphanumeric characters or -
  3. It must start and end with an alphanumeric character

Which can be expressed as the regex: [a-z0-9]([-a-z0-9]*[a-z0-9])?, with a maximum length of 63 characters.

resource

Membership

Required. The membership to create.

request_id

string

Optional. A request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

CreateScopeNamespaceRequest

Request to create a fleet namespace.

Fields
parent

string

Required. The parent (project and location) where the Namespace will be created. Specified in the format projects/*/locations/*/scopes/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.namespaces.create
scope_namespace_id

string

Required. Client chosen ID for the Namespace. namespace_id must be a valid RFC 1123 compliant DNS label:

  1. At most 63 characters in length
  2. It must consist of lower case alphanumeric characters or -
  3. It must start and end with an alphanumeric character

Which can be expressed as the regex: [a-z0-9]([-a-z0-9]*[a-z0-9])?, with a maximum length of 63 characters.

scope_namespace

Namespace

Required. The fleet namespace to create.

CreateScopeRBACRoleBindingRequest

Request to create a rbacrolebindings.

Fields
parent

string

Required. The parent (project and location) where the RBACRoleBinding will be created. Specified in the format projects/*/locations/*/scopes/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.rbacrolebindings.create
rbacrolebinding_id

string

Required. Client chosen ID for the RBACRoleBinding. rbacrolebinding_id must be a valid RFC 1123 compliant DNS label:

  1. At most 63 characters in length
  2. It must consist of lower case alphanumeric characters or -
  3. It must start and end with an alphanumeric character

Which can be expressed as the regex: [a-z0-9]([-a-z0-9]*[a-z0-9])?, with a maximum length of 63 characters.

rbacrolebinding

RBACRoleBinding

Required. The rbacrolebindings to create.

CreateScopeRequest

Request to create a Scope.

Fields
parent

string

Required. The parent (project and location) where the Scope will be created. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.scopes.create
scope_id

string

Required. Client chosen ID for the Scope. scope_id must be a ????

scope

Scope

Required. The Scope to create.

DefaultClusterConfig

DefaultClusterConfig describes the default cluster configurations to be applied to all clusters born-in-fleet.

Fields
security_posture_config

SecurityPostureConfig

Enable/Disable Security Posture features for the cluster.

binary_authorization_config

BinaryAuthorizationConfig

Optional. Enable/Disable binary authorization features for the cluster.

compliance_posture_config

CompliancePostureConfig

Optional. Enable/Disable Compliance Posture features for the cluster. Note that on UpdateFleet, only full replacement of this field is allowed. Users are not allowed for partial updates through field mask.

DeleteFeatureRequest

Request message for GkeHub.DeleteFeature method.

Fields
name

string

Required. The Feature resource name in the format projects/*/locations/*/features/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.features.delete
force

bool

If set to true, the delete will ignore any outstanding resources for this Feature (that is, FeatureState.has_resources is set to true). These resources will NOT be cleaned up or modified in any way.

request_id

string

Optional. A request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

DeleteFleetRequest

Request message for GkeHub.DeleteFleet method.

Fields
name

string

Required. The Fleet resource name in the format projects/*/locations/*/fleets/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.fleet.delete

DeleteMembershipBindingRequest

Request to delete a Binding.

Fields
name

string

Required. The MembershipBinding resource name in the format projects/*/locations/*/memberships/*/bindings/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.membershipbindings.get

DeleteMembershipRBACRoleBindingRequest

Request to delete a Membership RBACRoleBinding.

Fields
name

string

Required. The RBACRoleBinding resource name in the format projects/*/locations/*/memberships/*/rbacrolebindings/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.rbacrolebindings.delete

DeleteMembershipRequest

Request message for GkeHub.DeleteMembership method.

Fields
name

string

Required. The Membership resource name in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.memberships.delete
request_id

string

Optional. A request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

force

bool

Optional. If set to true, any subresource from this Membership will also be deleted. Otherwise, the request will only work if the Membership has no subresource.

DeleteScopeNamespaceRequest

Request to delete a fleet namespace.

Fields
name

string

Required. The Namespace resource name in the format projects/*/locations/*/scopes/*/namespaces/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.namespaces.delete

DeleteScopeRBACRoleBindingRequest

Request to delete a Scope RBACRoleBinding.

Fields
name

string

Required. The RBACRoleBinding resource name in the format projects/*/locations/*/scopes/*/rbacrolebindings/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.rbacrolebindings.delete

DeleteScopeRequest

Request to delete a Scope.

Fields
name

string

Required. The Scope resource name in the format projects/*/locations/*/scopes/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.scopes.delete

EdgeCluster

EdgeCluster contains information specific to Google Edge Clusters.

Fields

Feature

Feature represents the settings and status of any Fleet Feature.

Fields
name

string

Output only. The full, unique name of this Feature resource in the format projects/*/locations/*/features/*.

labels

map<string, string>

Labels for this Feature.

resource_state

FeatureResourceState

Output only. State of the Feature resource itself.

spec

CommonFeatureSpec

Optional. Fleet-wide Feature configuration. If this Feature does not support any Fleet-wide configuration, this field may be unused.

membership_specs

map<string, MembershipFeatureSpec>

Optional. Membership-specific configuration for this Feature. If this Feature does not support any per-Membership configuration, this field may be unused.

The keys indicate which Membership the configuration is for, in the form:

projects/{p}/locations/{l}/memberships/{m}

Where {p} is the project, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} WILL match the Feature's project.

{p} will always be returned as the project number, but the project ID is also accepted during input. If the same Membership is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature.

state

CommonFeatureState

Output only. The Fleet-wide Feature state.

membership_states

map<string, MembershipFeatureState>

Output only. Membership-specific Feature status. If this Feature does report any per-Membership status, this field may be unused.

The keys indicate which Membership the state is for, in the form:

projects/{p}/locations/{l}/memberships/{m}

Where {p} is the project number, {l} is a valid location and {m} is a valid Membership in this project at that location. {p} MUST match the Feature's project number.

create_time

Timestamp

Output only. When the Feature resource was created.

update_time

Timestamp

Output only. When the Feature resource was last updated.

delete_time

Timestamp

Output only. When the Feature resource was deleted.

fleet_default_member_config

CommonFleetDefaultMemberConfigSpec

Optional. Feature configuration applicable to all memberships of the fleet.

scope_specs

map<string, ScopeFeatureSpec>

Optional. Scope-specific configuration for this Feature. If this Feature does not support any per-Scope configuration, this field may be unused.

The keys indicate which Scope the configuration is for, in the form:

projects/{p}/locations/global/scopes/{s}

Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project.

{p} will always be returned as the project number, but the project ID is also accepted during input. If the same Scope is specified in the map twice (using the project ID form, and the project number form), exactly ONE of the entries will be saved, with no guarantees as to which. For this reason, it is recommended the same format be used for all entries when mutating a Feature.

scope_states

map<string, ScopeFeatureState>

Output only. Scope-specific Feature status. If this Feature does report any per-Scope status, this field may be unused.

The keys indicate which Scope the state is for, in the form:

projects/{p}/locations/global/scopes/{s}

Where {p} is the project, {s} is a valid Scope in this project. {p} WILL match the Feature's project.

unreachable[]

string

Output only. List of locations that could not be reached while fetching this feature.

FeatureResourceState

FeatureResourceState describes the state of a Feature resource in the GkeHub API. See FeatureState for the "running state" of the Feature in the Fleet and across Memberships.

Fields
state

FeatureResourceState.State

The current state of the Feature resource in the Hub API.

State

State describes the lifecycle status of a Feature.

Enums
STATE_UNSPECIFIED State is unknown or not set.
ENABLING The Feature is being enabled, and the Feature resource is being created. Once complete, the corresponding Feature will be enabled in this Fleet.
ACTIVE The Feature is enabled in this Fleet, and the Feature resource is fully available.
DISABLING The Feature is being disabled in this Fleet, and the Feature resource is being deleted.
UPDATING The Feature resource is being updated.
SERVICE_UPDATING The Feature resource is being updated by the Hub Service.

FeatureState

FeatureState describes the high-level state of a Feature. It may be used to describe a Feature's state at the environ-level, or per-membershop, depending on the context.

Fields
code

FeatureState.Code

The high-level, machine-readable status of this Feature.

description

string

A human-readable description of the current status.

update_time

Timestamp

The time this status and any related Feature-specific details were updated.

Code

Code represents a machine-readable, high-level status of the Feature.

Enums
CODE_UNSPECIFIED Unknown or not set.
OK The Feature is operating normally.
WARNING The Feature has encountered an issue, and is operating in a degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.
ERROR The Feature is not operating or is in a severely degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.

Fleet

Fleet contains the Fleet-wide metadata and configuration.

Fields
name

string

Output only. The full, unique resource name of this fleet in the format of projects/{project}/locations/{location}/fleets/{fleet}.

Each Google Cloud project can have at most one fleet resource, named "default".

display_name

string

Optional. A user-assigned display name of the Fleet. When present, it must be between 4 to 30 characters. Allowed characters are: lowercase and uppercase letters, numbers, hyphen, single-quote, double-quote, space, and exclamation point.

Example: Production Fleet

create_time

Timestamp

Output only. When the Fleet was created.

update_time

Timestamp

Output only. When the Fleet was last updated.

delete_time

Timestamp

Output only. When the Fleet was deleted.

uid

string

Output only. Google-generated UUID for this resource. This is unique across all Fleet resources. If a Fleet resource is deleted and another resource with the same name is created, it gets a different uid.

state

FleetLifecycleState

Output only. State of the namespace resource.

default_cluster_config

DefaultClusterConfig

Optional. The default cluster configurations to apply across the fleet.

labels

map<string, string>

Optional. Labels for this Fleet.

FleetLifecycleState

FleetLifecycleState describes the state of a Fleet resource.

Fields
code

FleetLifecycleState.Code

Output only. The current state of the Fleet resource.

Code

Code describes the state of a Fleet resource.

Enums
CODE_UNSPECIFIED The code is not set.
CREATING The fleet is being created.
READY The fleet active.
DELETING The fleet is being deleted.
UPDATING The fleet is being updated.

GenerateConnectManifestRequest

Request message for GkeHub.GenerateConnectManifest method. .

Fields
name

string

Required. The Membership resource name the Agent will associate with, in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.memberships.generateConnectManifest
namespace

string

Optional. Namespace for GKE Connect agent resources. Defaults to gke-connect.

The Connect Agent is authorized automatically when run in the default namespace. Otherwise, explicit authorization must be granted with an additional IAM binding.

proxy

bytes

Optional. URI of a proxy if connectivity from the agent to gkeconnect.googleapis.com requires the use of a proxy. Format must be in the form http(s)://{proxy_address}, depending on the HTTP/HTTPS protocol supported by the proxy. This will direct the connect agent's outbound traffic through a HTTP(S) proxy.

version

string

Optional. The Connect agent version to use. Defaults to the most current version.

is_upgrade

bool

Optional. If true, generate the resources for upgrade only. Some resources generated only for installation (e.g. secrets) will be excluded.

registry

string

Optional. The registry to fetch the connect agent image from. Defaults to gcr.io/gkeconnect.

image_pull_secret_content

bytes

Optional. The image pull secret content for the registry, if not public.

GenerateConnectManifestResponse

GenerateConnectManifestResponse contains manifest information for installing/upgrading a Connect agent.

Fields
manifest[]

ConnectAgentResource

The ordered list of Kubernetes resources that need to be applied to the cluster for GKE Connect agent installation/upgrade.

GenerateExclusivityManifestRequest

The request to generate the manifests for exclusivity artifacts.

Fields
name

string

Required. The Membership resource name in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.memberships.generateConnectManifest
crd_manifest

string

Optional. The YAML manifest of the membership CRD retrieved by kubectl get customresourcedefinitions membership. Leave empty if the resource does not exist.

cr_manifest

string

Optional. The YAML manifest of the membership CR retrieved by kubectl get memberships membership. Leave empty if the resource does not exist.

GenerateExclusivityManifestResponse

The response of the exclusivity artifacts manifests for the client to apply.

Fields
crd_manifest

string

The YAML manifest of the membership CRD to apply if a newer version of the CRD is available. Empty if no update needs to be applied.

cr_manifest

string

The YAML manifest of the membership CR to apply if a new version of the CR is available. Empty if no update needs to be applied.

GenerateMembershipRBACRoleBindingYAMLRequest

Request to generate a YAML of the RBAC policies for the specified RoleBinding and its associated impersonation resources.

Fields
parent

string

Required. The parent (project and location) where the RBACRoleBinding will be created. Specified in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.rbacrolebindings.get
rbacrolebinding_id

string

Required. Client chosen ID for the RBACRoleBinding. rbacrolebinding_id must be a valid RFC 1123 compliant DNS label:

  1. At most 63 characters in length
  2. It must consist of lower case alphanumeric characters or -
  3. It must start and end with an alphanumeric character

Which can be expressed as the regex: [a-z0-9]([-a-z0-9]*[a-z0-9])?, with a maximum length of 63 characters.

rbacrolebinding

RBACRoleBinding

Required. The rbacrolebindings to generate the YAML for.

GenerateMembershipRBACRoleBindingYAMLResponse

Response for GenerateRBACRoleBindingYAML.

Fields
role_bindings_yaml

string

a yaml text blob including the RBAC policies.

GetFeatureRequest

Request message for GkeHub.GetFeature method.

Fields
name

string

Required. The Feature resource name in the format projects/*/locations/*/features/*

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.features.get
return_partial_success

bool

Optional. If set to true, the response will return partial results when some regions are unreachable and the unreachable field in Feature proto will be populated. If set to false, the request will fail when some regions are unreachable.

GetFleetRequest

Request message for the GkeHub.GetFleet method.

Fields
name

string

Required. The Fleet resource name in the format projects/*/locations/*/fleets/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.fleet.get

GetMembershipBindingRequest

Request message for the GkeHub.GetMembershipBinding method.

Fields
name

string

Required. The MembershipBinding resource name in the format projects/*/locations/*/memberships/*/bindings/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.membershipbindings.get

GetMembershipRBACRoleBindingRequest

Request message for the GkeHub.GetMembershipRBACRoleBinding method.

Fields
name

string

Required. The RBACRoleBinding resource name in the format projects/*/locations/*/memberships/*/rbacrolebindings/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.rbacrolebindings.get

GetMembershipRequest

Request message for GkeHub.GetMembership method.

Fields
name

string

Required. The Membership resource name in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.memberships.get

GetScopeNamespaceRequest

Request message for the GkeHub.GetNamespace method.

Fields
name

string

Required. The Namespace resource name in the format projects/*/locations/*/scopes/*/namespaces/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.namespaces.get

GetScopeRBACRoleBindingRequest

Request message for the GkeHub.GetScopeRBACRoleBinding method.

Fields
name

string

Required. The RBACRoleBinding resource name in the format projects/*/locations/*/scopes/*/rbacrolebindings/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.rbacrolebindings.get

GetScopeRequest

Request message for the GkeHub.GetScope method.

Fields
name

string

Required. The Scope resource name in the format projects/*/locations/*/scopes/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.scopes.get

GkeCluster

GkeCluster contains information specific to GKE clusters.

Fields
cluster_missing

bool

Output only. If cluster_missing is set then it denotes that the GKE cluster no longer exists in the GKE Control Plane.

KubernetesMetadata

KubernetesMetadata provides informational metadata for Memberships representing Kubernetes clusters.

Fields
kubernetes_api_server_version

string

Output only. Kubernetes API server version string as reported by /version.

node_provider_id

string

Output only. Node providerID as reported by the first node in the list of nodes on the Kubernetes endpoint. On Kubernetes platforms that support zero-node clusters (like GKE-on-GCP), the node_count will be zero and the node_provider_id will be empty.

node_count

int32

Output only. Node count as reported by Kubernetes nodes resources.

vcpu_count

int32

Output only. vCPU count as reported by Kubernetes nodes resources.

memory_mb

int32

Output only. The total memory capacity as reported by the sum of all Kubernetes nodes resources, defined in MB.

update_time

Timestamp

Output only. The time at which these details were last updated. This update_time is different from the Membership-level update_time since EndpointDetails are updated internally for API consumers.

KubernetesResource

KubernetesResource contains the YAML manifests and configuration for Membership Kubernetes resources in the cluster. After CreateMembership or UpdateMembership, these resources should be re-applied in the cluster.

Fields
membership_cr_manifest

string

Input only. The YAML representation of the Membership CR. This field is ignored for GKE clusters where Hub can read the CR directly.

Callers should provide the CR that is currently present in the cluster during CreateMembership or UpdateMembership, or leave this field empty if none exists. The CR manifest is used to validate the cluster has not been registered with another Membership.

membership_resources[]

ResourceManifest

Output only. Additional Kubernetes resources that need to be applied to the cluster after Membership creation, and after every update.

This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make a UpdateMembership call with an empty field mask.

connect_resources[]

ResourceManifest

Output only. The Kubernetes resources for installing the GKE Connect agent

This field is only populated in the Membership returned from a successful long-running operation from CreateMembership or UpdateMembership. It is not populated during normal GetMembership or ListMemberships requests. To get the resource manifest after the initial registration, the caller should make a UpdateMembership call with an empty field mask.

resource_options

ResourceOptions

Optional. Options for Kubernetes resource generation.

ListAdminClusterMembershipsRequest

Request message for GkeHub.ListAdminClusterMemberships method.

Fields
parent

string

Required. The parent (project and location) where the Memberships of admin cluster will be listed. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.memberships.list
page_size

int32

Optional. When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.

page_token

string

Optional. Token returned by previous call to ListAdminClusterMemberships which specifies the position in the list from where to continue listing the resources.

filter

string

Optional. Lists Memberships of admin clusters that match the filter expression.

order_by

string

Optional. One or more fields to compare and use to sort the output. See https://google.aip.dev/132#ordering.

ListAdminClusterMembershipsResponse

Response message for the GkeHub.ListAdminClusterMemberships method.

Fields
admin_cluster_memberships[]

Membership

The list of matching Memberships of admin clusters.

next_page_token

string

A token to request the next page of resources from the ListAdminClusterMemberships method. The value of an empty string means that there are no more resources to return.

unreachable[]

string

List of locations that could not be reached while fetching this list.

ListBoundMembershipsRequest

Request to list Memberships bound to a Scope.

Fields
scope_name

string

Required. Name of the Scope, in the format projects/*/locations/global/scopes/*, to which the Memberships are bound.

Authorization requires the following IAM permission on the specified resource scopeName:

  • gkehub.scopes.listBoundMemberships
filter

string

Optional. Lists Memberships that match the filter expression, following the syntax outlined in https://google.aip.dev/160. Currently, filtering can be done only based on Memberships's name, labels, create_time, update_time, and unique_id.

page_size

int32

Optional. When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned. Pagination is currently not supported; therefore, setting this field does not have any impact for now.

page_token

string

Optional. Token returned by previous call to ListBoundMemberships which specifies the position in the list from where to continue listing the resources.

ListBoundMembershipsResponse

List of Memberships bound to a Scope.

Fields
memberships[]

Membership

The list of Memberships bound to the given Scope.

unreachable[]

string

List of locations that could not be reached while fetching this list.

next_page_token

string

A token to request the next page of resources from the ListBoundMemberships method. The value of an empty string means that there are no more resources to return.

ListFeaturesRequest

Request message for GkeHub.ListFeatures method.

Fields
parent

string

Required. The parent (project and location) where the Features will be listed. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.features.list
page_size

int32

When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.

page_token

string

Token returned by previous call to ListFeatures which specifies the position in the list from where to continue listing the resources.

filter

string

Lists Features that match the filter expression, following the syntax outlined in https://google.aip.dev/160.

Examples:

  • Feature with the name "servicemesh" in project "foo-proj":
  name = "projects/foo-proj/locations/global/features/servicemesh"
  • Features that have a label called foo:
  labels.foo:*
  • Features that have a label called foo whose value is bar:
  labels.foo = bar
order_by

string

One or more fields to compare and use to sort the output. See https://google.aip.dev/132#ordering.

return_partial_success

bool

Optional. If set to true, the response will return partial results when some regions are unreachable and the unreachable field in Feature proto will be populated. If set to false, the request will fail when some regions are unreachable.

ListFeaturesResponse

Response message for the GkeHub.ListFeatures method.

Fields
resources[]

Feature

The list of matching Features

next_page_token

string

A token to request the next page of resources from the ListFeatures method. The value of an empty string means that there are no more resources to return.

ListFleetsRequest

Request message for the GkeHub.ListFleets method.

Fields
parent

string

Required. The organization or project to list for Fleets under, in the format organizations/*/locations/* or projects/*/locations/*.

page_token

string

Optional. A page token, received from a previous ListFleets call. Provide this to retrieve the subsequent page.

When paginating, all other parameters provided to ListFleets must match the call that provided the page token.

page_size

int32

Optional. The maximum number of fleets to return. The service may return fewer than this value. If unspecified, at most 200 fleets will be returned. The maximum value is 1000; values above 1000 will be coerced to 1000.

ListFleetsResponse

Response message for the GkeHub.ListFleetsResponse method.

Fields
fleets[]

Fleet

The list of matching fleets.

next_page_token

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages. The token is only valid for 1h.

ListMembershipBindingsRequest

Request to list MembershipBinding.

Fields
parent

string

Required. The parent Membership for which the MembershipBindings will be listed. Specified in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.membershipbindings.list
page_size

int32

Optional. When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.

page_token

string

Optional. Token returned by previous call to ListMembershipBindings which specifies the position in the list from where to continue listing the resources.

filter

string

Optional. Lists MembershipBindings that match the filter expression, following the syntax outlined in https://google.aip.dev/160.

ListMembershipBindingsResponse

List of MembershipBindings.

Fields
membership_bindings[]

MembershipBinding

The list of membership_bindings

next_page_token

string

A token to request the next page of resources from the ListMembershipBindings method. The value of an empty string means that there are no more resources to return.

unreachable[]

string

List of locations that could not be reached while fetching this list.

ListMembershipRBACRoleBindingsRequest

Request to list Membership RBACRoleBindings.

Fields
parent

string

Required. The parent (project and location) where the Features will be listed. Specified in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.rbacrolebindings.list
page_size

int32

Optional. When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.

page_token

string

Optional. Token returned by previous call to ListMembershipRBACRoleBindings which specifies the position in the list from where to continue listing the resources.

ListMembershipRBACRoleBindingsResponse

List of Membership RBACRoleBindings.

Fields
rbacrolebindings[]

RBACRoleBinding

The list of Membership RBACRoleBindings.

next_page_token

string

A token to request the next page of resources from the ListMembershipRBACRoleBindings method. The value of an empty string means that there are no more resources to return.

unreachable[]

string

List of locations that could not be reached while fetching this list.

ListMembershipsRequest

Request message for GkeHub.ListMemberships method.

Fields
parent

string

Required. The parent (project and location) where the Memberships will be listed. Specified in the format projects/*/locations/*. projects/*/locations/- list memberships in all the regions.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.memberships.list
page_size

int32

Optional. When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.

page_token

string

Optional. Token returned by previous call to ListMemberships which specifies the position in the list from where to continue listing the resources.

filter

string

Optional. Lists Memberships that match the filter expression, following the syntax outlined in https://google.aip.dev/160.

Examples:

  • Name is bar in project foo-proj and location global:
  name = "projects/foo-proj/locations/global/membership/bar"
  • Memberships that have a label called foo:
  labels.foo:*
  • Memberships that have a label called foo whose value is bar:
  labels.foo = bar
  • Memberships in the CREATING state:
  state = CREATING
order_by

string

Optional. One or more fields to compare and use to sort the output. See https://google.aip.dev/132#ordering.

ListMembershipsResponse

Response message for the GkeHub.ListMemberships method.

Fields
resources[]

Membership

The list of matching Memberships.

next_page_token

string

A token to request the next page of resources from the ListMemberships method. The value of an empty string means that there are no more resources to return.

unreachable[]

string

List of locations that could not be reached while fetching this list.

ListPermittedScopesRequest

Request to list permitted Scopes.

Fields
parent

string

Required. The parent (project and location) where the Scope will be listed. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • iam.permissions.none
page_size

int32

Optional. When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.

page_token

string

Optional. Token returned by previous call to ListPermittedScopes which specifies the position in the list from where to continue listing the resources.

ListPermittedScopesResponse

List of permitted Scopes.

Fields
scopes[]

Scope

The list of permitted Scopes

next_page_token

string

A token to request the next page of resources from the ListPermittedScopes method. The value of an empty string means that there are no more resources to return.

ListScopeNamespacesRequest

Request to list fleet namespaces.

Fields
parent

string

Required. The parent (project and location) where the Features will be listed. Specified in the format projects/*/locations/*/scopes/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.namespaces.list
page_size

int32

Optional. When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.

page_token

string

Optional. Token returned by previous call to ListFeatures which specifies the position in the list from where to continue listing the resources.

ListScopeNamespacesResponse

List of fleet namespaces.

Fields
scope_namespaces[]

Namespace

The list of fleet namespaces

next_page_token

string

A token to request the next page of resources from the ListNamespaces method. The value of an empty string means that there are no more resources to return.

ListScopeRBACRoleBindingsRequest

Request to list Scope RBACRoleBindings.

Fields
parent

string

Required. The parent (project and location) where the Features will be listed. Specified in the format projects/*/locations/*/scopes/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.rbacrolebindings.list
page_size

int32

Optional. When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.

page_token

string

Optional. Token returned by previous call to ListScopeRBACRoleBindings which specifies the position in the list from where to continue listing the resources.

ListScopeRBACRoleBindingsResponse

List of Scope RBACRoleBindings.

Fields
rbacrolebindings[]

RBACRoleBinding

The list of Scope RBACRoleBindings.

next_page_token

string

A token to request the next page of resources from the ListScopeRBACRoleBindings method. The value of an empty string means that there are no more resources to return.

ListScopesRequest

Request to list Scopes.

Fields
parent

string

Required. The parent (project and location) where the Scope will be listed. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.scopes.list
page_size

int32

Optional. When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.

page_token

string

Optional. Token returned by previous call to ListScopes which specifies the position in the list from where to continue listing the resources.

ListScopesResponse

List of Scopes.

Fields
scopes[]

Scope

The list of Scopes

next_page_token

string

A token to request the next page of resources from the ListScopes method. The value of an empty string means that there are no more resources to return.

Membership

Membership contains information about a member cluster.

Fields
name

string

Output only. The full, unique name of this Membership resource in the format projects/*/locations/*/memberships/{membership_id}, set during creation.

membership_id must be a valid RFC 1123 compliant DNS label:

  1. At most 63 characters in length
  2. It must consist of lower case alphanumeric characters or -
  3. It must start and end with an alphanumeric character

Which can be expressed as the regex: [a-z0-9]([-a-z0-9]*[a-z0-9])?, with a maximum length of 63 characters.

labels

map<string, string>

Optional. Labels for this membership.

description

string

Output only. Description of this membership, limited to 63 characters. Must match the regex: [a-zA-Z0-9][a-zA-Z0-9_\-\.\ ]*

This field is present for legacy purposes.

state

MembershipState

Output only. State of the Membership resource.

create_time

Timestamp

Output only. When the Membership was created.

update_time

Timestamp

Output only. When the Membership was last updated.

delete_time

Timestamp

Output only. When the Membership was deleted.

external_id

string

Optional. An externally-generated and managed ID for this Membership. This ID may be modified after creation, but this is not recommended.

The ID must match the regex: [a-zA-Z0-9][a-zA-Z0-9_\-\.]*

If this Membership represents a Kubernetes cluster, this value should be set to the UID of the kube-system namespace object.

last_connection_time

Timestamp

Output only. For clusters using Connect, the timestamp of the most recent connection established with Google Cloud. This time is updated every several minutes, not continuously. For clusters that do not use GKE Connect, or that have never connected successfully, this field will be unset.

unique_id

string

Output only. Google-generated UUID for this resource. This is unique across all Membership resources. If a Membership resource is deleted and another resource with the same name is created, it gets a different unique_id.

authority

Authority

Optional. How to identify workloads from this Membership. See the documentation on Workload Identity for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

monitoring_config

MonitoringConfig

Optional. The monitoring config information for this membership.

cluster_tier

Membership.ClusterTier

Output only. The tier of the cluster.

Union field type. Type of resource represented by this Membership type can be only one of the following:
endpoint

MembershipEndpoint

Optional. Endpoint information to reach this member.

ClusterTier

ClusterTier describes the tier of the GKE cluster as it relates to enterprise functionality. A cluster in the ENTERPRISE tier will have access to all enterprise features. A cluster in the STANDARD tier will not have access to enterprise features.

Enums
CLUSTER_TIER_UNSPECIFIED The ClusterTier is not set.
STANDARD The ClusterTier is standard.
ENTERPRISE The ClusterTier is enterprise.

MembershipBinding

MembershipBinding is a subresource of a Membership, representing what Fleet Scopes (or other, future Fleet resources) a Membership is bound to.

Fields
name

string

The resource name for the membershipbinding itself projects/{project}/locations/{location}/memberships/{membership}/bindings/{membershipbinding}

uid

string

Output only. Google-generated UUID for this resource. This is unique across all membershipbinding resources. If a membershipbinding resource is deleted and another resource with the same name is created, it gets a different uid.

create_time

Timestamp

Output only. When the membership binding was created.

update_time

Timestamp

Output only. When the membership binding was last updated.

delete_time

Timestamp

Output only. When the membership binding was deleted.

state

MembershipBindingLifecycleState

Output only. State of the membership binding resource.

labels

map<string, string>

Optional. Labels for this MembershipBinding.

Union field target. What type of membershipbinding this is. target can be only one of the following:
scope

string

A Scope resource name in the format projects/*/locations/*/scopes/*.

MembershipBindingLifecycleState

MembershipBindingLifecycleState describes the state of a Binding resource.

Fields
code

MembershipBindingLifecycleState.Code

Output only. The current state of the MembershipBinding resource.

Code

Code describes the state of a MembershipBinding resource.

Enums
CODE_UNSPECIFIED The code is not set.
CREATING The membershipbinding is being created.
READY The membershipbinding active.
DELETING The membershipbinding is being deleted.
UPDATING The membershipbinding is being updated.

MembershipEndpoint

MembershipEndpoint contains information needed to contact a Kubernetes API, endpoint and any additional Kubernetes metadata.

Fields
kubernetes_metadata

KubernetesMetadata

Output only. Useful Kubernetes-specific metadata.

kubernetes_resource

KubernetesResource

Optional. The in-cluster Kubernetes Resources that should be applied for a correctly registered cluster, in the steady state. These resources:

  • Ensure that the cluster is exclusively registered to one and only one Hub Membership.
  • Propagate Workload Pool Information available in the Membership Authority field.
  • Ensure proper initial configuration of default Hub Features.
google_managed

bool

Output only. Whether the lifecycle of this membership is managed by a google cluster platform service.

Union field type. Cluster information of the registered cluster. type can be only one of the following:
gke_cluster

GkeCluster

Optional. Specific information for a GKE-on-GCP cluster.

on_prem_cluster

OnPremCluster

Optional. Specific information for a GKE On-Prem cluster. An onprem user-cluster who has no resourceLink is not allowed to use this field, it should have a nil "type" instead.

multi_cloud_cluster

MultiCloudCluster

Optional. Specific information for a GKE Multi-Cloud cluster.

edge_cluster

EdgeCluster

Optional. Specific information for a Google Edge cluster.

appliance_cluster

ApplianceCluster

Optional. Specific information for a GDC Edge Appliance cluster.

MembershipFeatureSpec

MembershipFeatureSpec contains configuration information for a single Membership.

Fields
origin

MembershipFeatureSpec.Origin

Whether this per-Membership spec was inherited from a fleet-level default. This field can be updated by users by either overriding a Membership config (updated to USER implicitly) or setting to FLEET explicitly.

Union field feature_spec.

feature_spec can be only one of the following:

configmanagement

MembershipSpec

Config Management-specific spec.

cloudbuild

MembershipSpec

Cloud Build-specific spec

identityservice

MembershipSpec

Identity Service-specific spec.

workloadcertificate

MembershipSpec

Workload Certificate spec.

mesh

MembershipSpec

Anthos Service Mesh-specific spec

anthosobservability

AnthosObservabilityMembershipSpec

Anthos Observability-specific spec

policycontroller

MembershipSpec

Policy Controller spec.

fleetobservability

MembershipSpec

Fleet observability membership spec

namespaceactuation

MembershipSpec

FNS Actuation membership spec

Origin

Origin defines where this MembershipFeatureSpec originated from.

Fields
type

MembershipFeatureSpec.Origin.Type

Type specifies which type of origin is set.

Type

Type specifies the persona that persisted the config.

Enums
TYPE_UNSPECIFIED Type is unknown or not set.
FLEET Per-Membership spec was inherited from the fleet-level default.
FLEET_OUT_OF_SYNC Per-Membership spec was inherited from the fleet-level default but is now out of sync with the current default.
USER Per-Membership spec was inherited from a user specification.

MembershipFeatureState

MembershipFeatureState contains Feature status information for a single Membership.

Fields
state

FeatureState

The high-level state of this Feature for a single membership.

Union field feature_state.

feature_state can be only one of the following:

servicemesh

MembershipState

Service Mesh-specific state.

metering

MembershipState

Metering-specific state.

configmanagement

MembershipState

Config Management-specific state.

identityservice

MembershipState

Identity Service-specific state.

appdevexperience

AppDevExperienceFeatureState

Appdevexperience specific state.

policycontroller

MembershipState

Policycontroller-specific state.

clusterupgrade

MembershipState

ClusterUpgrade state.

fleetobservability

MembershipState

Fleet observability membership state.

namespaceactuation

MembershipState

FNS Actuation membership state

MembershipState

MembershipState describes the state of a Membership resource.

Fields
code

MembershipState.Code

Output only. The current state of the Membership resource.

Code

Code describes the state of a Membership resource.

Enums
CODE_UNSPECIFIED The code is not set.
CREATING The cluster is being registered.
READY The cluster is registered.
DELETING The cluster is being unregistered.
UPDATING The Membership is being updated.
SERVICE_UPDATING The Membership is being updated by the Hub Service.

MonitoringConfig

MonitoringConfig informs Fleet-based applications/services/UIs how the metrics for the underlying cluster is reported to cloud monitoring services. It can be set from empty to non-empty, but can't be mutated directly to prevent accidentally breaking the constinousty of metrics.

Fields
project_id

string

Optional. Project used to report Metrics

location

string

Optional. Location used to report Metrics

cluster

string

Optional. Cluster name used to report metrics. For Anthos on VMWare/Baremetal/MultiCloud clusters, it would be in format {cluster_type}/{cluster_name}, e.g., "awsClusters/cluster_1".

kubernetes_metrics_prefix

string

Optional. Kubernetes system metrics, if available, are written to this prefix. This defaults to kubernetes.io for GKE, and kubernetes.io/anthos for Anthos eventually. Noted: Anthos MultiCloud will have kubernetes.io prefix today but will migration to be under kubernetes.io/anthos.

cluster_hash

string

Optional. For GKE and Multicloud clusters, this is the UUID of the cluster resource. For VMWare and Baremetal clusters, this is the kube-system UID.

MultiCloudCluster

MultiCloudCluster contains information specific to GKE Multi-Cloud clusters.

Fields
cluster_missing

bool

Output only. If cluster_missing is set then it denotes that API(gkemulticloud.googleapis.com) resource for this GKE Multi-Cloud cluster no longer exists.

Namespace

Namespace represents a namespace across the Fleet

Fields
name

string

The resource name for the namespace projects/{project}/locations/{location}/namespaces/{namespace}

uid

string

Output only. Google-generated UUID for this resource. This is unique across all namespace resources. If a namespace resource is deleted and another resource with the same name is created, it gets a different uid.

create_time

Timestamp

Output only. When the namespace was created.

update_time

Timestamp

Output only. When the namespace was last updated.

delete_time

Timestamp

Output only. When the namespace was deleted.

state

NamespaceLifecycleState

Output only. State of the namespace resource.

scope

string

Required. Scope associated with the namespace

namespace_labels

map<string, string>

Optional. Namespace-level cluster namespace labels. These labels are applied to the related namespace of the member clusters bound to the parent Scope. Scope-level labels (namespace_labels in the Fleet Scope resource) take precedence over Namespace-level labels if they share a key. Keys and values must be Kubernetes-conformant.

labels

map<string, string>

Optional. Labels for this Namespace.

NamespaceLifecycleState

NamespaceLifecycleState describes the state of a Namespace resource.

Fields
code

NamespaceLifecycleState.Code

Output only. The current state of the Namespace resource.

Code

Code describes the state of a Namespace resource.

Enums
CODE_UNSPECIFIED The code is not set.
CREATING The namespace is being created.
READY The namespace active.
DELETING The namespace is being deleted.
UPDATING The namespace is being updated.

OnPremCluster

OnPremCluster contains information specific to GKE On-Prem clusters.

Fields
cluster_missing

bool

Output only. If cluster_missing is set then it denotes that API(gkeonprem.googleapis.com) resource for this GKE On-Prem cluster no longer exists.

admin_cluster

bool

Immutable. Whether the cluster is an admin cluster.

cluster_type

OnPremCluster.ClusterType

Immutable. The on prem cluster's type.

ClusterType

ClusterType describes on prem cluster's type.

Enums
CLUSTERTYPE_UNSPECIFIED The ClusterType is not set.
BOOTSTRAP The ClusterType is bootstrap cluster.
HYBRID The ClusterType is baremetal hybrid cluster.
STANDALONE The ClusterType is baremetal standalone cluster.
USER The ClusterType is user cluster.

OperationMetadata

Represents the metadata of the long-running operation.

Fields
create_time

Timestamp

Output only. The time the operation was created.

end_time

Timestamp

Output only. The time the operation finished running.

target

string

Output only. Server-defined resource path for the target of the operation.

verb

string

Output only. Name of the verb executed by the operation.

status_detail

string

Output only. Human-readable status of the operation, if any.

cancel_requested

bool

Output only. Identifies whether the user has requested cancellation of the operation. Operations that have successfully been cancelled have [Operation.error][] value with a google.rpc.Status.code of 1, corresponding to Code.CANCELLED.

api_version

string

Output only. API version used to start the operation.

RBACRoleBinding

RBACRoleBinding represents a rbacrolebinding across the Fleet

Fields
name

string

The resource name for the rbacrolebinding projects/{project}/locations/{location}/scopes/{scope}/rbacrolebindings/{rbacrolebinding} or projects/{project}/locations/{location}/memberships/{membership}/rbacrolebindings/{rbacrolebinding}

uid

string

Output only. Google-generated UUID for this resource. This is unique across all rbacrolebinding resources. If a rbacrolebinding resource is deleted and another resource with the same name is created, it gets a different uid.

create_time

Timestamp

Output only. When the rbacrolebinding was created.

update_time

Timestamp

Output only. When the rbacrolebinding was last updated.

delete_time

Timestamp

Output only. When the rbacrolebinding was deleted.

state

RBACRoleBindingLifecycleState

Output only. State of the rbacrolebinding resource.

role

RBACRoleBinding.Role

Required. Role to bind to the principal

labels

map<string, string>

Optional. Labels for this RBACRolebinding.

Union field principal. Principal that is be authorized in the cluster (at least of one the oneof is required). Updating one will unset the other automatically. principal can be only one of the following:
user

string

user is the name of the user as seen by the kubernetes cluster, example "alice" or "alice@domain.tld"

group

string

group is the group, as seen by the kubernetes cluster.

Role

Role is the type for Kubernetes roles

Fields
predefined_role

RBACRoleBinding.Role.PredefinedRoles

predefined_role is the Kubernetes default role to use

PredefinedRoles

PredefinedRoles is an ENUM representation of the default Kubernetes Roles

Enums
UNKNOWN UNKNOWN
ADMIN ADMIN has EDIT and RBAC permissions
EDIT EDIT can edit all resources except RBAC
VIEW VIEW can only read resources
ANTHOS_SUPPORT ANTHOS_SUPPORT gives Google Support read-only access to a number of cluster resources.

RBACRoleBindingLifecycleState

RBACRoleBindingLifecycleState describes the state of a RbacRoleBinding resource.

Fields
code

RBACRoleBindingLifecycleState.Code

Output only. The current state of the rbacrolebinding resource.

Code

Code describes the state of a rbacrolebinding resource.

Enums
CODE_UNSPECIFIED The code is not set.
CREATING The rbacrolebinding is being created.
READY The rbacrolebinding active.
DELETING The rbacrolebinding is being deleted.
UPDATING The rbacrolebinding is being updated.

ResourceManifest

ResourceManifest represents a single Kubernetes resource to be applied to the cluster.

Fields
manifest

string

Output only. YAML manifest of the resource.

cluster_scoped

bool

Output only. Whether the resource provided in the manifest is cluster_scoped. If unset, the manifest is assumed to be namespace scoped.

This field is used for REST mapping when applying the resource in a cluster.

ResourceOptions

ResourceOptions represent options for Kubernetes resource generation.

Fields
connect_version

string

Optional. The Connect agent version to use for connect_resources. Defaults to the latest GKE Connect version. The version must be a currently supported version, obsolete versions will be rejected.

v1beta1_crd

bool

Optional. Use apiextensions/v1beta1 instead of apiextensions/v1 for CustomResourceDefinition resources. This option should be set for clusters with Kubernetes apiserver versions <1.16.

k8s_version

string

Optional. Major version of the Kubernetes cluster. This is only used to determine which version to use for the CustomResourceDefinition resources, apiextensions/v1beta1 orapiextensions/v1.

Scope

Scope represents a Scope in a Fleet.

Fields
name

string

The resource name for the scope projects/{project}/locations/{location}/scopes/{scope}

uid

string

Output only. Google-generated UUID for this resource. This is unique across all scope resources. If a scope resource is deleted and another resource with the same name is created, it gets a different uid.

create_time

Timestamp

Output only. When the scope was created.

update_time

Timestamp

Output only. When the scope was last updated.

delete_time

Timestamp

Output only. When the scope was deleted.

state

ScopeLifecycleState

Output only. State of the scope resource.

namespace_labels

map<string, string>

Optional. Scope-level cluster namespace labels. For the member clusters bound to the Scope, these labels are applied to each namespace under the Scope. Scope-level labels take precedence over Namespace-level labels (namespace_labels in the Fleet Namespace resource) if they share a key. Keys and values must be Kubernetes-conformant.

labels

map<string, string>

Optional. Labels for this Scope.

ScopeFeatureSpec

ScopeFeatureSpec contains feature specs for a fleet scope.

Fields

Union field feature_spec.

feature_spec can be only one of the following:

clusterupgrade

ScopeSpec

Spec for the ClusterUpgrade feature at the scope level

ScopeFeatureState

ScopeFeatureState contains Scope-wide Feature status information.

Fields
state

FeatureState

Output only. The "running state" of the Feature in this Scope.

Union field feature_state.

feature_state can be only one of the following:

clusterupgrade

ScopeState

State for the ClusterUpgrade feature at the scope level

ScopeLifecycleState

ScopeLifecycleState describes the state of a Scope resource.

Fields
code

ScopeLifecycleState.Code

Output only. The current state of the scope resource.

Code

Code describes the state of a Scope resource.

Enums
CODE_UNSPECIFIED The code is not set.
CREATING The scope is being created.
READY The scope active.
DELETING The scope is being deleted.
UPDATING The scope is being updated.

SecurityPostureConfig

SecurityPostureConfig defines the flags needed to enable/disable features for the Security Posture API.

Fields
mode

SecurityPostureConfig.Mode

Sets which mode to use for Security Posture features.

vulnerability_mode

SecurityPostureConfig.VulnerabilityMode

Sets which mode to use for vulnerability scanning.

Mode

Mode defines enablement mode for GKE Security posture features.

Enums
MODE_UNSPECIFIED Default value not specified.
DISABLED Disables Security Posture features on the cluster.
BASIC Applies Security Posture features on the cluster.
ENTERPRISE Applies the Security Posture off cluster Enterprise level features.

VulnerabilityMode

VulnerabilityMode defines enablement mode for vulnerability scanning.

Enums
VULNERABILITY_MODE_UNSPECIFIED Default value not specified.
VULNERABILITY_DISABLED Disables vulnerability scanning on the cluster.
VULNERABILITY_BASIC Applies basic vulnerability scanning on the cluster.
VULNERABILITY_ENTERPRISE Applies the Security Posture's vulnerability on cluster Enterprise level features.

TypeMeta

TypeMeta is the type information needed for content unmarshalling of Kubernetes resources in the manifest.

Fields
kind

string

Kind of the resource (e.g. Deployment).

api_version

string

APIVersion of the resource (e.g. v1).

UpdateFeatureRequest

Request message for GkeHub.UpdateFeature method.

Fields
name

string

Required. The Feature resource name in the format projects/*/locations/*/features/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.features.update
update_mask

FieldMask

Mask of fields to update.

resource

Feature

Only fields specified in update_mask are updated. If you specify a field in the update_mask but don't specify its value here that field will be deleted. If you are updating a map field, set the value of a key to null or empty string to delete the key from the map. It's not possible to update a key's value to the empty string. If you specify the update_mask to be a special path "*", fully replaces all user-modifiable fields to match resource.

request_id

string

A request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

UpdateFleetRequest

Request message for the GkeHub.UpdateFleet method.

Fields
fleet

Fleet

Required. The Fleet to update.

The name field of the Fleet object identifies which fleet will be updated.

Authorization requires the following IAM permission on the specified resource fleet:

  • gkehub.fleet.update
update_mask

FieldMask

Required. The fields to be updated;

UpdateMembershipBindingRequest

Request to update a MembershipBinding.

Fields
membership_binding

MembershipBinding

Required. The MembershipBinding object with fields updated.

Authorization requires the following IAM permission on the specified resource membershipBinding:

  • gkehub.membershipbindings.update
update_mask

FieldMask

Required. The fields to be updated.

UpdateMembershipRBACRoleBindingRequest

Request to update a membership rbacrolebinding.

Fields
rbacrolebinding

RBACRoleBinding

Required. A rbacrolebinding with fields updated. The 'name' field in this rbacrolebinding is used to identify the resource to update.

Authorization requires the following IAM permission on the specified resource rbacrolebinding:

  • gkehub.rbacrolebindings.update
update_mask

FieldMask

Required. The fields to be updated.

UpdateMembershipRequest

Request message for GkeHub.UpdateMembership method.

Fields
name

string

Required. The Membership resource name in the format projects/*/locations/*/memberships/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.memberships.update
update_mask

FieldMask

Required. Mask of fields to update.

resource

Membership

Required. Only fields specified in update_mask are updated. If you specify a field in the update_mask but don't specify its value here that field will be deleted. If you are updating a map field, set the value of a key to null or empty string to delete the key from the map. It's not possible to update a key's value to the empty string. If you specify the update_mask to be a special path "*", fully replaces all user-modifiable fields to match resource.

request_id

string

Optional. A request ID to identify requests. Specify a unique request ID so that if you must retry your request, the server will know to ignore the request if it has already been completed. The server will guarantee that for at least 60 minutes after the first request.

For example, consider a situation where you make an initial request and the request times out. If you make the request again with the same request ID, the server can check if original operation with the same request ID was received, and if so, will ignore the second request. This prevents clients from accidentally creating duplicate commitments.

The request ID must be a valid UUID with the exception that zero UUID is not supported (00000000-0000-0000-0000-000000000000).

UpdateScopeNamespaceRequest

Request to update a fleet namespace.

Fields
scope_namespace

Namespace

Required. A namespace with fields updated. The 'name' field in this namespace is used to identify the resource to update. Given 'updated' prefix to follow go/proto-best-practices-checkers#keyword_conflict

Authorization requires the following IAM permission on the specified resource scopeNamespace:

  • gkehub.namespace.update
update_mask

FieldMask

Required. The fields to be updated.

UpdateScopeRBACRoleBindingRequest

Request to update a scope rbacrolebinding.

Fields
rbacrolebinding

RBACRoleBinding

Required. A rbacrolebinding with fields updated. The 'name' field in this rbacrolebinding is used to identify the resource to update.

Authorization requires the following IAM permission on the specified resource rbacrolebinding:

  • gkehub.rbacrolebindings.update
update_mask

FieldMask

Required. The fields to be updated.

UpdateScopeRequest

Request to update a Scope.

Fields
scope

Scope

Required. A Scope with fields updated. The 'name' field in this namespace is used to identify the resource to update.

Authorization requires the following IAM permission on the specified resource scope:

  • gkehub.scopes.update
update_mask

FieldMask

Required. The fields to be updated.

ValidateCreateMembershipRequest

Request message for the GkeHub.ValidateCreateMembership method.

Fields
parent

string

Required. The parent (project and location) where the Memberships will be created. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.memberships.create
membership_id

string

Required. Client chosen membership id.

membership

Membership

Required. Membership resource to be created.

ValidateCreateMembershipResponse

Response message for the GkeHub.ValidateCreateMembership method.

Fields
validation_results[]

ValidationResult

Wraps all the validator results.

ValidateExclusivityRequest

The request to validate the existing state of the membership CR in the cluster.

Fields
parent

string

Required. The parent (project and location) where the Memberships will be created. Specified in the format projects/*/locations/*.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.memberships.generateConnectManifest
cr_manifest

string

Optional. The YAML of the membership CR in the cluster. Empty if the membership CR does not exist.

intended_membership

string

Required. The intended membership name under the parent. This method only does validation in anticipation of a CreateMembership call with the same name.

ValidateExclusivityResponse

The response of exclusivity artifacts validation result status.

Fields
status

Status

The validation result.

  • OK means that exclusivity is validated, assuming the manifest produced by GenerateExclusivityManifest is successfully applied.
  • ALREADY_EXISTS means that the Membership CRD is already owned by another Hub. See status.message for more information.

ValidationResult

ValidationResults are results set by each validator running during ValidateCreateMembership.

Fields
validator

ValidationResult.ValidatorType

Validator type to validate membership with.

success

bool

Whether the validation is passed or not.

result

string

Additional information for the validation.

ValidatorType

Specifies different types of validation.

Enums
VALIDATOR_TYPE_UNSPECIFIED UNSPECIFIED validator.
MEMBERSHIP_ID MEMBERSHIP_ID validator validates that the membership_id is still available.
CROSS_PROJECT_PERMISSION CROSS_PROJECT_PERMISSION validator validates that the cross-project role binding for the service agent is in place.