Package google.cloud.gkehub.v1alpha1

Index

GkeHubDomainFeatureService

GKE Hub CRUD API for the Feature resources

CreateFeature

rpc CreateFeature(CreateFeatureRequest) returns (Operation)

Adds a new Feature.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.
DeleteFeature

rpc DeleteFeature(DeleteFeatureRequest) returns (Operation)

Removes a Feature.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.
GetFeature

rpc GetFeature(GetFeatureRequest) returns (Feature)

Gets details of a single Feature.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.
ListFeatures

rpc ListFeatures(ListFeaturesRequest) returns (ListFeaturesResponse)

Lists Features in a given project and location.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.
UpdateFeature

rpc UpdateFeature(UpdateFeatureRequest) returns (Operation)

Updates an existing Feature.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

AnthosObservabilityFeatureSpec

Spec for Anthos Observability. This is required since Feature proto requires a spec.

Fields
membership_specs

map<string, AnthosObservabilityMembershipSpec>

Per-membership spec that determines the spec in Stackdriver CR
default_membership_spec

AnthosObservabilityMembershipSpec

Default membership spec when nothing is specified.

AnthosObservabilityFeatureState

This type has no fields.

An empty state for Anthos Observability. This is required since FeatureStateDetails requires a state.

AnthosObservabilityMembershipSpec

Anthosobservability: Per-Membership Feature spec.

Fields
enable_stackdriver_on_applications

bool

Enable collecting and reporting metrics and logs from user apps.
do_not_optimize_metrics

bool

Use full of metrics rather than optimized metrics. See https://cloud.google.com/anthos/clusters/docs/on-prem/1.8/concepts/logging-and-monitoring#optimized_metrics_default_metrics
version

string

the version of stackdriver operator used by this feature

AppDevExperienceFeatureSpec

This type has no fields.

Spec for App Dev Experience Feature.

AppDevExperienceFeatureState

State for App Dev Exp Feature.

Fields
networking_install_succeeded

AppDevExperienceFeatureState.Status

Status of subcomponent that detects configured Service Mesh resources.

Code

Code specifies the ready state for a AppDevExperienceFeature subcomponent.

Enums
CODE_UNSPECIFIED Not set.
OK AppDevExperienceFeature's specified subcomponent is ready.
FAILED AppDevExperienceFeature's specified subcomponent ready state is false. This means AppDevExperienceFeature has encountered an issue that blocks all, or a portion, of its normal operation. See the description for more details.
UNKNOWN AppDevExperienceFeature's specified subcomponent has a pending or unknown state.

Status

Status specifies state for the subcomponent.

Fields
code

AppDevExperienceFeatureState.Code

Code specifies AppDevExperienceFeature's subcomponent ready state.
description

string

Description is populated if Code is Failed, explaining why it has failed.

AuthorizerFeatureSpec

This type has no fields.

AuthorizerFeatureSpec contains options and specifications for the Authorizer Feature.

AuthorizerFeatureState

This type has no fields.

AuthorizerFeatureState contains the current detailed state of the Authorizer Feature.

Billing

Deprecated: The FeatureSpec.billing field is no longer used. Billing identifies which billing structure the customer is using.

Enums
BILLING_UNSPECIFIED Unknown
PAY_AS_YOU_GO User pays a fee per-endpoint.
ANTHOS_LICENSE User is paying for Anthos as a whole.

BinauthzConfig

Configuration for Binauthz

Fields
enabled

bool

Whether binauthz is enabled in this cluster.

BinauthzState

State for Binauthz

Fields
webhook

DeploymentState

The state of the binauthz webhook.
version

BinauthzVersion

The version of binauthz that is installed.

BinauthzVersion

The version of binauthz.

Fields
webhook_version

string

The version of the binauthz webhook.

BundleInstallSpec

BundleInstallSpec is the specification configuration for a single managed bundle.

Fields
exempted_namespaces[]

string

The set of namespaces to be exempted from the bundle.

CloudAuditLoggingFeatureSpec

Spec for Audit Logging Allowlisting.

Fields
allowlisted_service_accounts[]

string

Service account that should be allowlisted to send the audit logs; eg cloudauditlogging@gcp-project.iam.gserviceaccount.com. These accounts must already exist, but do not need to have any permissions granted to them. The customer's entitlements will be checked prior to allowlisting (i.e. the customer must be an Anthos customer.)

CloudAuditLoggingFeatureState

This type has no fields.

An empty state for Audit Logging Allowlisting. This is required since FeatureStateDetails requires a state.

CloudBuildFeatureSpec

Cloud Build for Anthos feature spec. This is required since Feature proto requires a spec.

Fields
membership_configs

map<string, CloudBuildMembershipConfig>

The map from membership path (e.g. projects/foo-proj/locations/global/memberships/bar) to the CloudBuildMembershipConfig that is chosen for that member cluster. If CloudBuild feature is enabled for a hub and the membership path of a cluster in that hub exists in this map then it has Cloud Build hub feature enabled for that particular cluster.

CloudBuildMembershipConfig

Configurations for each Cloud Build enabled cluster.

Fields
version

string

Version of the cloud build software on the cluster.
security_policy

CloudBuildMembershipConfig.SecurityPolicy

Whether it is allowed to run the privileged builds on the cluster or not.

SecurityPolicy

Different security policies we can apply to the cluster.

Enums
SECURITY_POLICY_UNSPECIFIED Unspecified policy
NON_PRIVILEGED Privileged build pods are disallowed
PRIVILEGED Privileged build pods are allowed

ConfigManagementFeatureSpec

Spec for Anthos Config Management (ACM).

Fields
membership_configs

map<string, MembershipConfig>

Map of Membership IDs to individual configs.

ConfigManagementFeatureState

State for Anthos Config Management

Fields
cluster_name

string

This field is set to the cluster_name field of the Membership Spec if it is not empty. Otherwise, it is set to the cluster's fleet membership name.
membership_config

MembershipConfig

Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipConfig in the FeatureSpec represents the intended state
operator_state

OperatorState

Current install status of ACM's Operator
config_sync_state

ConfigSyncState

Current sync status
policy_controller_state

PolicyControllerState

PolicyController status
binauthz_state

BinauthzState

Binauthz status
hierarchy_controller_state

HierarchyControllerState

Hierarchy Controller status

ConfigSync

Configuration for Config Sync

Fields
git

GitConfig

Git repo configuration for the cluster.
source_format

string

Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.
prevent_drift

bool

Set to true to enable the Config Sync admission webhook to prevent drifts. Defaults to false which disables the Config Sync admission webhook and does not prevent drifts.
oci

OciConfig

OCI repo configuration for the cluster
allow_vertical_scale
(deprecated)

bool

Set to true to allow the vertical scaling. Defaults to false which disallows vertical scaling. This field is deprecated.
metrics_gcp_service_account_email
(deprecated)

string

The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount default in the namespace config-management-monitoring should be bound to the GSA. Deprecated: If Workload Identity Federation for GKE is enabled, Google Cloud Service Account is no longer needed for exporting Config Sync metrics: https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/monitor-config-sync-cloud-monitoring#custom-monitoring.
stop_syncing

bool

Set to true to stop syncing configs for a single cluster. Default to false.
enabled

bool

Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if exist. If set to false, all other ConfigSync fields will be ignored, ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depends on the presence of the git or oci field.

ConfigSyncDeploymentState

The state of ConfigSync's deployment on a cluster

Fields
importer

DeploymentState

Deployment state of the importer pod
syncer

DeploymentState

Deployment state of the syncer pod
git_sync

DeploymentState

Deployment state of the git-sync pod
monitor

DeploymentState

Deployment state of the monitor pod
reconciler_manager

DeploymentState

Deployment state of reconciler-manager pod
root_reconciler

DeploymentState

Deployment state of root-reconciler
admission_webhook

DeploymentState

Deployment state of admission-webhook
resource_group_controller_manager

DeploymentState

Deployment state of resource-group-controller-manager
otel_collector

DeploymentState

Deployment state of otel-collector

ConfigSyncError

Errors pertaining to the installation of Config Sync

Fields
error_message

string

A string representing the user facing error message

ConfigSyncState

State information for ConfigSync

Fields
version

ConfigSyncVersion

The version of ConfigSync deployed
deployment_state

ConfigSyncDeploymentState

Information about the deployment of ConfigSync, including the version of the various Pods deployed
sync_state

SyncState

The state of ConfigSync's process to sync configs to a cluster
errors[]

ConfigSyncError

Errors pertaining to the installation of Config Sync.
rootsync_crd

ConfigSyncState.CRDState

The state of the RootSync CRD
reposync_crd

ConfigSyncState.CRDState

The state of the Reposync CRD
state

ConfigSyncState.State

The state of CS This field summarizes the other fields in this message.
cluster_level_stop_syncing_state

ConfigSyncState.StopSyncingState

Whether syncing resources to the cluster is stopped at the cluster level.
cr_count

int32

Output only. The number of RootSync and RepoSync CRs in the cluster.

CRDState

CRDState representing the state of a CRD

Enums
CRD_STATE_UNSPECIFIED CRD's state cannot be determined
NOT_INSTALLED CRD is not installed
INSTALLED CRD is installed
TERMINATING CRD is terminating (i.e., it has been deleted and is cleaning up)
INSTALLING CRD is installing

State

Enums
STATE_UNSPECIFIED CS's state cannot be determined.
CONFIG_SYNC_NOT_INSTALLED CS is not installed.
CONFIG_SYNC_INSTALLED The expected CS version is installed successfully.
CONFIG_SYNC_ERROR CS encounters errors.
CONFIG_SYNC_PENDING CS is installing or terminating.

StopSyncingState

Enums
STOP_SYNCING_STATE_UNSPECIFIED State cannot be determined
NOT_STOPPED Syncing resources to the cluster is not stopped at the cluster level.
PENDING Some reconcilers stop syncing resources to the cluster, while others are still syncing.
STOPPED Syncing resources to the cluster is stopped at the cluster level.

ConfigSyncVersion

Specific versioning information pertaining to ConfigSync's Pods

Fields
importer

string

Version of the deployed importer pod
syncer

string

Version of the deployed syncer pod
git_sync

string

Version of the deployed git-sync pod
monitor

string

Version of the deployed monitor pod
reconciler_manager

string

Version of the deployed reconciler-manager pod
root_reconciler

string

Version of the deployed reconciler container in root-reconciler pod
admission_webhook

string

Version of the deployed admission-webhook pod
resource_group_controller_manager

string

Version of the deployed resource-group-controller-manager pod
otel_collector

string

Version of the deployed otel-collector pod

CreateFeatureRequest

Request message for the GkeHubDomainFeatureService.CreateFeature method.

Fields
parent

string

Required. The parent (project and location) where the Feature will be created. Specified in the format projects/*/locations/global.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.features.create
feature_id

string

The ID of the feature to create.
resource

Feature

The Feature resource to create.

DataplaneV2FeatureSpec

Spec for multi-cluster dataplane-v2 feature. This is required since Feature proto requires a spec.

Fields
enable_encryption

bool

Enable dataplane-v2 based encryption for multiple clusters.

DataplaneV2FeatureState

This type has no fields.

An empty state for multi-cluster dataplane-v2 feature. This is required since FeatureStateDetails requires a state.

DeleteFeatureRequest

Request message for GkeHubDomainFeatureService.DeleteFeature method.

Fields
name

string

Required. The Feature resource name in the format projects/*/locations/global/features/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.features.delete
force

bool

If set to true, the delete will ignore any outstanding resources for this Feature (that is, FeatureState.has_resources is set to true). These resources will NOT be cleaned up or modified in any way.

DeploymentState

Enum representing the state of an ACM's deployment on a cluster

Enums
DEPLOYMENT_STATE_UNSPECIFIED Deployment's state cannot be determined
NOT_INSTALLED Deployment is not installed
INSTALLED Deployment is installed
ERROR Deployment was attempted to be installed, but has errors
PENDING Deployment is installing or terminating

ErrorResource

Model for a config file in the git repo with an associated Sync error

Fields
source_path

string

Path in the git repo of the erroneous config
resource_name

string

Metadata name of the resource that is causing an error
resource_namespace

string

Namespace of the resource that is causing an error
resource_gvk

GroupVersionKind

Group/version/kind of the resource that is causing an error

Feature

Feature represents the settings and status of any feature.

Fields
name

string

Output only. The full, unique name of this Feature resource in the format projects/*/locations/global/features/*.
labels

map<string, string>

Labels for this feature.
description

string

Description of the feature, limited to 63 characters.
feature_state

FeatureState

Output only. State of the Feature resource itself.
fleet_default_member_config

FleetDefaultMemberConfig

FleetDefaultMemberConfig describes the default member configuration at the fleet level.
create_time

Timestamp

Output only. When the Feature was created.
update_time

Timestamp

Output only. When the Feature was last updated.
delete_time

Timestamp

Output only. When the Feature was deleted.
unreachable[]

string

Output only. List of locations that could not be reached while fetching this feature.

Union field spec.

spec can be only one of the following:
servicemesh_feature_spec

ServiceMeshFeatureSpec

The specification for the Service Mesh Feature.
authorizer_feature_spec

AuthorizerFeatureSpec

The specification for the Authorizer Feature.
multiclusteringress_feature_spec

MultiClusterIngressFeatureSpec

The specification for Ingress for Anthos.
metering_feature_spec

MeteringFeatureSpec

The specification for the Metering feature.
multiclusterservicediscovery_feature_spec

MultiClusterServiceDiscoveryFeatureSpec

The specification for GKE Multi-Cluster Service Discovery.
configmanagement_feature_spec

ConfigManagementFeatureSpec

The specification for Anthos Config Management.
appdevexperience_feature_spec

AppDevExperienceFeatureSpec

The specification for App Dev Experience.
cloudauditlogging_feature_spec

CloudAuditLoggingFeatureSpec

The specification for Anthos Cloud Audit Logging.
cloudbuild_feature_spec

CloudBuildFeatureSpec

The specification for Cloud Build for Anthos.
servicedirectory_feature_spec

ServiceDirectoryFeatureSpec

The specification for Service Directory.
identityservice_feature_spec

IdentityServiceFeatureSpec

The specification for Anthos Identity Service.
anthosobservability_feature_spec

AnthosObservabilityFeatureSpec

The specification for Anthos Observability.
workloadcertificate_feature_spec

WorkloadCertificateFeatureSpec

The specification for Workload Certificate.
policycontroller_feature_spec

PolicyControllerFeatureSpec

The specification for Policy Controller.
dataplanev2_feature_spec

DataplaneV2FeatureSpec

The specification for multi-cluster dataplane-v2.
fleetobservability_feature_spec

FleetObservabilityFeatureSpec

The specification for FleetObservability feature.

FeatureState

FeatureState describes the state of a Feature resource.

Fields
lifecycle_state

FeatureState.LifecycleState

The current state of the Feature resource.
details

FeatureStateDetails

Aggregate status message of the feature.
details_by_membership

map<string, FeatureStateDetails>

FeatureState for each Membership.

Keys are the fully-qualified Membership name in the format projects/{NUMBER}/locations/*/memberships/*.
has_resources

bool

Whether this Feature has outstanding resources that need to be cleaned up before it can be disabled.

LifecycleState

LifecycleState describes the lifecycle status of a feature.

Enums
LIFECYCLE_STATE_UNSPECIFIED State is unknown or not set.
ENABLING The Feature is being enabled.
ENABLED The Feature is active.
DISABLING The Feature is being disabled.
UPDATING The Feature is being updated.
SERVICE_UPDATING The Feature is being updated by the Hub Service.

FeatureStateDetails

FeatureStateDetails is a semi-structured status message for a declarative resource in the API.

Fields
code

FeatureStateDetails.Code

The code describes, at a high level, if the Feature is operating correctly. Non-OK codes should have details in the description describing what actions (if any) need to be taken to return the Feature to OK.
description

string

Human readable description of the issue.
update_time

Timestamp

The last update time of this status by the controllers
Union field state. Structured information about the feature's status. state can be only one of the following:
servicemesh_feature_state

ServiceMeshFeatureState

State for the Service Mesh Feature.
authorizer_feature_state

AuthorizerFeatureState

State for the Authorizer Feature.
multiclusteringress_feature_state

MultiClusterIngressFeatureState

State for the Ingress for Anthos Feature.
metering_feature_state

MeteringFeatureState

State for the Metering Feature.
multiclusterservicediscovery_feature_state

MultiClusterServiceDiscoveryFeatureState

State for the Multi-cluster Service Discovery Feature.
configmanagement_feature_state

ConfigManagementFeatureState

State for the Config Management Feature.
appdevexperience_feature_state

AppDevExperienceFeatureState

State for the AppDevExperience Feature.
cloudauditlogging_feature_state

CloudAuditLoggingFeatureState

The state of the Anthos Cloud Audit Logging feature.
servicedirectory_feature_state

ServiceDirectoryFeatureState

State for the Service Directory Feature.
identityservice_feature_state

IdentityServiceFeatureState

State for the AIS Feature.
anthosobservability_feature_state

AnthosObservabilityFeatureState

State for the Anthos Observability Feature
workloadcertificate_feature_state

WorkloadCertificateFeatureState

State for the Workload Certificate Feature
policycontroller_feature_state

PolicyControllerFeatureState

State for the Policy Controller Feature.
dataplanev2_feature_state

DataplaneV2FeatureState

State for multi-cluster dataplane-v2 feature.
fleetobservability_feature_state

FleetObservabilityFeatureState

State for the FleetObservability Feature.

Code

The Code describes the error state and severity for this Feature.

Enums
CODE_UNSPECIFIED Not set.
OK No error.
FAILED The Feature has encountered an issue that blocks all, or a significant portion, of its normal operation. See the description for more details.
WARNING The Feature is in a state, or has encountered an issue, that impacts its normal operation. This state may or may not require intervention to resolve, see the description for more details.

FleetDefaultMemberConfig

FleetDefaultMemberConfig contains default configuration information for memberships of a fleet.

Fields

Union field spec.

spec can be only one of the following:
service_mesh

ServiceMeshMembershipSpec

Spec for ServiceMesh.
identity_service

MemberConfig

Spec for IdentityService.

FleetObservabilityBaseFeatureState

Base state for fleet observability feature.

Fields
code

FleetObservabilityBaseFeatureState.Code

The high-level, machine-readable status of this Feature.
errors[]

FleetObservabilityBaseFeatureState.FeatureError

Errors after reconciling the monitoring and logging feature if the code is not OK.

Code

Code represents a machine-readable, high-level status of the Feature.

Enums
CODE_UNSPECIFIED Unknown or not set.
OK The Feature is operating normally.
ERROR The Feature is encountering errors in the reconciliation. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.

FeatureError

All error details of the fleet observability feature.

Fields
code

string

The code of the error.
description

string

A human-readable description of the current status.

FleetObservabilityFeatureSpec

Spec for FleetObservability feature. This is required since Feature proto requires a spec.

Fields
logging_config

LoggingConfig

Specified if fleet logging feature is enabled for the entire fleet. If UNSPECIFIED, fleet logging feature is disabled for the entire fleet.

FleetObservabilityFeatureState

An empty state for FleetObservability feature. This is required since FeatureStateDetails requires a state.

Fields
logging

FleetObservabilityLoggingState

The feature state of fleet logging.
monitoring

FleetObservabilityMonitoringState

The feature state of fleet monitoring.

FleetObservabilityLoggingState

Feature state for logging feature.

Fields
default_log

FleetObservabilityBaseFeatureState

The base feature state of fleet default log.
scope_log

FleetObservabilityBaseFeatureState

The base feature state of fleet scope log.

FleetObservabilityMonitoringState

Feature state for monitoring feature.

Fields
state

FleetObservabilityBaseFeatureState

The base feature state of fleet monitoring feature.

GatekeeperDeploymentState

State of Policy Controller installation.

Fields
gatekeeper_controller_manager_state

DeploymentState

Status of gatekeeper-controller-manager pod.
gatekeeper_audit

DeploymentState

Status of gatekeeper-audit deployment.
gatekeeper_mutation

DeploymentState

Status of the pod serving the mutation webhook.

GetFeatureRequest

Request message for GkeHubDomainFeatureService.GetFeature method.

Fields
name

string

Required. The Feature resource name in the format projects/*/locations/global/features/*

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.features.get
return_partial_success

bool

Optional. If set to true, the response will return partial results when some regions are unreachable and the unreachable field in Feature proto will be populated. If set to false, the request will fail when some regions are unreachable.

GitConfig

Git repo configuration for a single cluster.

Fields
sync_repo

string

The URL of the Git repository to use as the source of truth.
sync_branch

string

The branch of the repository to sync from. Default: master.
policy_dir

string

The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.
sync_wait_secs

int64

Period in seconds between consecutive syncs. Default: 15.
sync_rev

string

Git revision (tag or hash) to check out. Default HEAD.
secret_type

string

Type of secret configured for access to the Git repo.
https_proxy

string

URL for the HTTPS proxy to be used when communicating with the Git repo.
gcp_service_account_email

string

The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount.

GroupVersionKind

A Kubernetes object's GVK

Fields
group

string

Kubernetes Group
version

string

Kubernetes Version
kind

string

Kubernetes Kind

HierarchyControllerConfig

Configuration for Hierarchy Controller

Fields
enabled

bool

Whether Hierarchy Controller is enabled in this cluster.
enable_pod_tree_labels

bool

Whether pod tree labels are enabled in this cluster.
enable_hierarchical_resource_quota

bool

Whether hierarchical resource quota is enabled in this cluster.

HierarchyControllerDeploymentState

Deployment state for Hierarchy Controller

Fields
hnc

DeploymentState

The deployment state for open source HNC (e.g. v0.7.0-hc.0)
extension

DeploymentState

The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1)

HierarchyControllerState

State for Hierarchy Controller

Fields
version

HierarchyControllerVersion

The version for Hierarchy Controller
state

HierarchyControllerDeploymentState

The deployment state for Hierarchy Controller

HierarchyControllerVersion

Version for Hierarchy Controller

Fields
hnc

string

Version for open source HNC
extension

string

Version for Hierarchy Controller extension

IdentityServiceFeatureSpec

Spec for Annthos Identity Service.

Fields
member_configs

map<string, MemberConfig>

A map between member ids to their configurations. The ID needs to be the full path to the membership e.g., /projects/p/locations/l/memberships/m.

IdentityServiceFeatureState

State for Anthos Identity Service

Fields
installed_version

string

Installed AIS version. This is the AIS version installed on this member. The values makes sense iff state is OK.
state

IdentityServiceFeatureState.DeploymentState

Deployment state on this member
failure_reason

string

The reason of the failure.
member_config

MemberConfig

Membership config state on this member

DeploymentState

Deployment state enum

Enums
DEPLOYMENT_STATE_UNSPECIFIED Unspecified state
OK deployment succeeds
ERROR Failure with error.

InstallError

Errors pertaining to the installation of ACM

Fields
error_message

string

A string representing the user facing error message

ListFeaturesRequest

Request message for GkeHubDomainFeatureService.ListFeatures method.

Fields
parent

string

Required. The parent (project and location) where the Features will be listed. Specified in the format projects/*/locations/global.

Authorization requires the following IAM permission on the specified resource parent:

  • gkehub.features.list
page_size

int32

When requesting a 'page' of resources, page_size specifies number of resources to return. If unspecified or set to 0, all resources will be returned.
page_token

string

Token returned by previous call to ListFeatures which specifies the position in the list from where to continue listing the resources.
filter

string

Lists Features that match the filter expression, following the syntax outlined in https://google.aip.dev/160.

Examples:

  • Feature with the name "servicemesh" in project "foo-proj":
  name = "projects/foo-proj/locations/global/features/servicemesh"
  • Service Mesh Feature with mtls enabled:
 servicemesh_feature_spec.mtls = true
  • Features that have a label called foo:
  labels.foo:*
  • Features that have a label called foo whose value is bar:
  labels.foo = bar
order_by

string

One or more fields to compare and use to sort the output. See https://google.aip.dev/132#ordering.
return_partial_success

bool

Optional. If set to true, the response will return partial results when some regions are unreachable and the unreachable field in Feature proto will be populated. If set to false, the request will fail when some regions are unreachable.

ListFeaturesResponse

Response message for the GkeHubDomainFeatureService.ListFeatures method.

Fields
resources[]

Feature

The list of matching Features
next_page_token

string

A token to request the next page of resources from the ListFeatures method. The value of an empty string means that there are no more resources to return.

LoggingConfig

LoggingConfig defines the configuration for different types of logs.

Fields
default_config

RoutingConfig

Specified if applying the default routing config to logs not specified in other configs.
fleet_scope_logs_config

RoutingConfig

Specified if applying the routing config to all logs for all fleet scopes.

MemberConfig

The configuration for a member/cluster

Fields
auth_methods[]

MemberConfig.AuthMethod

A member may support multiple auth methods.
identity_service_options

MemberConfig.IdentityServiceOptions

Optional. non-protocol-related configuration options.

AuthMethod

Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC and LDAP) can be set per AuthMethod.

Fields
name

string

Identifier for auth config.
proxy

string

Proxy server address to use for auth method.
Union field auth_config. supported auth configurations. auth_config can be only one of the following:
oidc_config

MemberConfig.AuthMethod.OidcConfig

OIDC specific configuration.
azuread_config

MemberConfig.AuthMethod.AzureADConfig

AzureAD specific configuration.
google_config

MemberConfig.AuthMethod.GoogleConfig

GoogleConfig specific configuration
saml_config

MemberConfig.AuthMethod.SamlConfig

Optional. SAML specific configuration.
ldap_config

MemberConfig.AuthMethod.LdapConfig

Optional. LDAP specific configuration.

AzureADConfig

Configuration for the AzureAD Auth flow.

Fields
client_id

string

ID for the registered client application that makes authentication requests to the Azure AD identity provider.
tenant

string

Kind of Azure AD account to be authenticated. Supported values are or for accounts belonging to a specific tenant.
kubectl_redirect_uri

string

The redirect URL that kubectl uses for authorization.
client_secret

string

Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH.
encrypted_client_secret

bytes

Output only. Encrypted AzureAD client secret.
user_claim

string

Optional. Claim in the AzureAD ID Token that holds the user details.
group_format

string

Optional. Format of the AzureAD groups that the client wants for auth.

GoogleConfig

Configuration for the Google Plugin Auth flow.

Fields
disable

bool

Disable automatic configuration of Google Plugin on supported platforms.

LdapConfig

Configuration for the LDAP Auth flow.

Fields
server

MemberConfig.AuthMethod.LdapConfig.ServerConfig

Required. Server settings for the external LDAP server.
user

MemberConfig.AuthMethod.LdapConfig.UserConfig

Required. Defines where users exist in the LDAP directory.
group

MemberConfig.AuthMethod.LdapConfig.GroupConfig

Optional. Contains the properties for locating and authenticating groups in the directory.
service_account

MemberConfig.AuthMethod.LdapConfig.ServiceAccountConfig

Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

GroupConfig

Contains the properties for locating and authenticating groups in the directory.

Fields
base_dn

string

Required. The location of the subtree in the LDAP directory to search for group entries.
id_attribute

string

Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName".
filter

string

Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)".

ServerConfig

Server settings for the external LDAP server.

Fields
host

string

Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389".
connection_type

string

Optional. Defines the connection type to communicate with the LDAP server. If starttls or ldaps is specified, the certificate_authority_data should not be empty.
certificate_authority_data

bytes

Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections.

ServiceAccountConfig

Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

Fields
Union field authentication_mechanism. Guarantees that the user supplies one authentication mechanism at a time. authentication_mechanism can be only one of the following:
simple_bind_credentials

MemberConfig.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials

Credentials for basic auth.

SimpleBindCredentials

The structure holds the LDAP simple binding credential.

Fields
dn

string

Required. The distinguished name(DN) of the service account object/user.
password

string

Required. Input only. The password of the service account object/user.
encrypted_password

bytes

Output only. The encrypted password of the service account object/user.

UserConfig

Defines where users exist in the LDAP directory.

Fields
base_dn

string

Required. The location of the subtree in the LDAP directory to search for user entries.
login_attribute

string

Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName".
id_attribute

string

Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName".
filter

string

Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)".

OidcConfig

Configuration for OIDC Auth flow.

Fields
client_id

string

ID for OIDC client application.
certificate_authority_data

string

PEM-encoded CA for OIDC provider.
issuer_uri

string

URI for the OIDC provider. This should point to the level below .well-known/openid-configuration.
kubectl_redirect_uri

string

Registered redirect uri to redirect users going through OAuth flow using kubectl plugin.
scopes

string

Comma-separated list of identifiers.
extra_params

string

Comma-separated list of key-value pairs.
user_claim

string

Claim in OIDC ID token that holds username.
user_prefix

string

Prefix to prepend to user name.
groups_claim

string

Claim in OIDC ID token that holds group information.
group_prefix

string

Prefix to prepend to group name.
deploy_cloud_console_proxy

bool

Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console.
client_secret

string

Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH.
encrypted_client_secret

bytes

Output only. Encrypted OIDC Client secret
enable_access_token

bool

Enable access token.

SamlConfig

Configuration for the SAML Auth flow.

Fields
identity_provider_id

string

Required. The entity ID of the SAML IdP.
identity_provider_sso_uri

string

Required. The URI where the SAML IdP exposes the SSO service.
identity_provider_certificates[]

string

Required. The list of IdP certificates to validate the SAML response against.
user_attribute

string

Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the user_prefix).
groups_attribute

string

Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the group_prefix).
user_prefix

string

Optional. Prefix to prepend to user name.
group_prefix

string

Optional. Prefix to prepend to group name.
attribute_mapping

map<string, string>

Optional. The mapping of additional user attributes like nickname, birthday and address etc.. key is the name of this additional attribute. value is a string presenting as CEL(common expression language, go/cel) used for getting the value from the resources. Take nickname as an example, in this case, key is "attribute.nickname" and value is "assertion.nickname".

IdentityServiceOptions

Holds non-protocol-related configuration options.

Fields
session_duration

Duration

Optional. Determines the lifespan of STS tokens issued by Anthos Identity Service.

MembershipConfig

Configuration for a single cluster. Intended to parallel the ConfigManagement CR.

Fields
config_sync

ConfigSync

Config Sync configuration for the cluster.
policy_controller

PolicyController

Policy Controller configuration for the cluster. Deprecated: Configuring Policy Controller through the configmanagement feature is no longer recommended. Use the policycontroller feature instead.
binauthz
(deprecated)

BinauthzConfig

Binauthz conifguration for the cluster. Deprecated: This field will be ignored and should not be set.
hierarchy_controller

HierarchyControllerConfig

Hierarchy Controller configuration for the cluster. Deprecated: Configuring Hierarchy Controller through the configmanagement feature is no longer recommended. Use https://github.com/kubernetes-sigs/hierarchical-namespaces instead.
version

string

Version of ACM installed.
cluster

string

The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector.
management

MembershipConfig.Management

Enables automatic Feature management.

Management

Whether to automatically manage the Feature.

Enums
MANAGEMENT_UNSPECIFIED Unspecified
MANAGEMENT_AUTOMATIC Google will manage the Feature for the cluster.
MANAGEMENT_MANUAL User will manually manage the Feature for the cluster.

MeteringFeatureSpec

This type has no fields.

An empty spec for metering feature. This is required since Feature proto requires a spec.

MeteringFeatureState

Metering Feature State.

Fields
last_measurement_time

Timestamp

The time stamp of the most recent measurement of the number of vCPUs in the cluster.
precise_last_measured_cluster_vcpu_capacity

float

The vCPUs capacity in the cluster according to the most recent measurement (1/1000 precision).

MultiClusterIngressFeatureSpec

MultiClusterIngressFeatureSpec contains the input for the MultiClusterIngress feature.

Fields
config_membership

string

Fully-qualified member name which hosts the MultiClusterIngress CRD. Example member name: projects/foo-proj/locations/global/memberships/bar
billing
(deprecated)

Billing

Deprecated: This field will be ignored and should not be set. Customer's billing structure

MultiClusterIngressFeatureState

This type has no fields.

MultiClusterIngressFeatureState contains the status fields specific to the MultiClusterIngress feature. This is just a placeholder and more fields will be added when we have more state information to report for this feature.

MultiClusterServiceDiscoveryFeatureSpec

This type has no fields.

An empty spec for multi-cluster service discovery feature. This is required since Feature proto requires a spec.

MultiClusterServiceDiscoveryFeatureState

This type has no fields.

An empty state for multi-cluster service discovery feature. This is required since FeatureStateDetails requires a state.

OciConfig

OCI repo configuration for a single cluster

Fields
sync_repo

string

The OCI image repository URL for the package to sync from. e.g. LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME.
policy_dir

string

The absolute path of the directory that contains the local resources. Default: the root directory of the image.
sync_wait_secs

int64

Period in seconds between consecutive syncs. Default: 15.
secret_type

string

Type of secret configured for access to the Git repo.
gcp_service_account_email

string

The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount.

OnClusterState

OnClusterState represents the state of a sub-component of Policy Controller.

Fields
state

PolicyControllerFeatureState.LifecycleState

The lifecycle state of this component.
details

string

Surface potential errors or information logs.

OperationMetadata

Represents the metadata of the long-running operation.

Fields
create_time

Timestamp

Output only. The time the operation was created.
end_time

Timestamp

Output only. The time the operation finished running.
target

string

Output only. Server-defined resource path for the target of the operation.
verb

string

Output only. Name of the verb executed by the operation.
status_detail

string

Output only. Human-readable status of the operation, if any.
cancel_requested

bool

Output only. Identifies whether the user has requested cancellation of the operation. Operations that have successfully been cancelled have [Operation.error][] value with a google.rpc.Status.code of 1, corresponding to Code.CANCELLED.
api_version

string

Output only. API version used to start the operation.

OperatorState

State information for an ACM's Operator

Fields
version

string

The semenatic version number of the operator
deployment_state

DeploymentState

The state of the Operator's deployment
errors[]

InstallError

Install errors.

PolicyContentSpec

PolicyContentSpec defines the user's desired content configuration on the cluster.

Fields
bundles

map<string, BundleInstallSpec>

map of bundle name to BundleInstallSpec. The bundle name maps to the bundleName key in the policycontroller.gke.io/constraintData annotation on a constraint.
template_library

TemplateLibraryConfig

Configures the installation of the Template Library.

PolicyContentState

The state of the policy controller policy content

Fields
template_library_state

OnClusterState

The state of the template library
bundle_states

map<string, OnClusterState>

The state of the any bundles included in the chosen version of the manifest
referential_sync_config_state

OnClusterState

The state of the referential data sync configuration. This could represent the state of either the syncSet object(s) or the config object, depending on the version of PoCo configured by the user.

PolicyController

Configuration for Policy Controller

Fields
enabled

bool

Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect.
exemptable_namespaces[]

string

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.
referential_rules_enabled

bool

Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.
log_denies_enabled

bool

Logs all denies and dry run failures.
mutation_enabled

bool

Enable users to try out mutation for PolicyController.
monitoring

PolicyControllerMonitoring

Monitoring specifies the configuration of monitoring.
update_time

Timestamp

Output only. Last time this membership spec was updated.

Union field template_library_installed_value.

template_library_installed_value can be only one of the following:
template_library_installed

bool

Installs the default template library along with Policy Controller.

Union field audit_interval_seconds_value.

audit_interval_seconds_value can be only one of the following:
audit_interval_seconds

int64

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.

PolicyControllerDeploymentConfig

Deployment-specific configuration.

Fields
pod_tolerations[]

PolicyControllerDeploymentConfig.Toleration

Pod tolerations of node taints.
pod_affinity

PolicyControllerDeploymentConfig.Affinity

Pod affinity configuration.
replica_count

int64

Pod replica count.
container_resources

ResourceRequirements

Container resource requirements.
pod_anti_affinity
(deprecated)

bool

Pod anti-affinity enablement. Deprecated: use pod_affinity instead.

Affinity

The pod affinity configuration used by a deployment.

Enums
AFFINITY_UNSPECIFIED No affinity configuration has been specified.
NO_AFFINITY Affinity configurations will be removed from the deployment.
ANTI_AFFINITY Anti-affinity configuration will be applied to this deployment. Default for admissions deployment.

Toleration

Toleration of a node taint.

Fields
key

string

Matches a taint key (not necessarily unique).
operator

string

Matches a taint operator.
value

string

Matches a taint value.
effect

string

Matches a taint effect.

PolicyControllerFeatureSpec

Spec for Policy Controller.

Fields
membership_specs

map<string, PolicyControllerMembershipSpec>

Map of Membership IDs to individual specs.

PolicyControllerFeatureState

State for PolicyController

Fields
state

PolicyControllerFeatureState.LifecycleState

The overall Policy Controller lifecycle state observed by the Hub Feature controller.
component_states

map<string, OnClusterState>

On-cluster states of the components we would like to track. Currently these include (also serving as map keys): 1. "admission" 2. "audit" 3. "mutation"
policy_content_state

PolicyContentState

The overall content state observed by the Hub Feature controller.

LifecycleState

The set of states Policy Controller can exist in.

Enums
LIFECYCLE_STATE_UNSPECIFIED The lifecycle state is unspecified.
NOT_INSTALLED Policy Controller (PC) does not exist on the given cluster, and no k8s resources of any type that are associated with the PC should exist there. The cluster does not possess a membership with the Hub Feature controller.
INSTALLING The Hub Feature controller possesses a Membership, however Policy Controller is not fully installed on the cluster. In this state the hub can be expected to be taking actions to install the PC on the cluster.
ACTIVE Policy Controller (PC) is fully installed on the cluster and in an operational mode. In this state the Hub Feature controller will be reconciling state with the PC, and the PC will be performing it's operational tasks per that software. Entering a READY state requires that the hub has confirmed the PC is installed and its pods are operational with the version of the PC the Hub Feature controller expects.
UPDATING Policy Controller (PC) is fully installed, but in the process of changing the configuration (including changing the version of PC either up and down, or modifying the manifests of PC) of the resources running on the cluster. The Hub Feature controller has a Membership, is aware of the version the cluster should be running in, but has not confirmed for itself that the PC is running with that version.
DECOMMISSIONING Policy Controller (PC) may have resources on the cluster, but the Hub Feature controller wishes to remove the Membership. The Membership still exists.
CLUSTER_ERROR Policy Controller (PC) is not operational, and the Hub Feature controller is unable to act to make it operational. Entering a CLUSTER_ERROR state happens automatically when the PCH determines that a PC installed on the cluster is non-operative or that the cluster does not meet requirements set for the Hub Feature controller to administer the cluster but has nevertheless been given an instruction to do so (such as 'install').
HUB_ERROR In this state, the PC may still be operational, and only the Hub Feature controller is unable to act. The hub should not issue instructions to change the PC state, or otherwise interfere with the on-cluster resources. Entering a HUB_ERROR state happens automatically when the Hub Feature controller determines the hub is in an unhealthy state and it wishes to 'take hands off' to avoid corrupting the PC or other data.
SUSPENDED Policy Controller (PC) is installed but suspended. This means that the policies are not enforced, but violations are still recorded (through audit).
DETACHED PoCo Hub is not taking any action to reconcile cluster objects. Changes to those objects will not be overwritten by PoCo Hub.

PolicyControllerHubConfig

Configuration for Policy Controller.

Fields
install_spec

PolicyControllerHubConfig.InstallSpec

The install_spec represents the intended state specified by the latest request that mutated install_spec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state.
exemptable_namespaces[]

string

The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.
referential_rules_enabled

bool

Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated.
log_denies_enabled

bool

Logs all denies and dry run failures.
mutation_enabled

bool

Enables the ability to mutate resources using Policy Controller.
monitoring

PolicyControllerMonitoringConfig

Monitoring specifies the configuration of monitoring.
policy_content

PolicyContentSpec

Specifies the desired policy content on the cluster
deployment_configs

map<string, PolicyControllerDeploymentConfig>

Map of deployment configs to deployments (“admission”, “audit”, “mutation”).
audit_interval_seconds

int64

Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.
constraint_violation_limit

int64

The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used.

InstallSpec

The set of installation specs that the Hub Feature controller may actuate.

Enums
INSTALL_SPEC_UNSPECIFIED Spec is unknown.
INSTALL_SPEC_NOT_INSTALLED Request to uninstall Policy Controller.
INSTALL_SPEC_ENABLED Request to install and enable Policy Controller.
INSTALL_SPEC_SUSPENDED Request to suspend Policy Controller i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended.
INSTALL_SPEC_DETACHED Request to stop all reconciliation actions by PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources.

PolicyControllerMembershipSpec

Configuration for a single cluster. Intended to parallel the PolicyController CR.

Fields
policy_controller_hub_config

PolicyControllerHubConfig

Policy Controller configuration for the cluster, managed by the Policy Controller Hub Feature controller.
version

string

The version of the Policy Controller Feature.

PolicyControllerMigration

State for the migration of PolicyController from ACM -> PoCo Hub.

Fields
stage

PolicyControllerMigration.Stage

Stage of the migration.
copy_time

Timestamp

Last time this membership spec was copied to PoCo feature.

Stage

Stage marks what stage of the migration ACM hub is in.

Enums
STAGE_UNSPECIFIED Unknown state of migration.
ACM_MANAGED ACM Hub/Operator manages policycontroller. No migration yet completed.
POCO_MANAGED All migrations steps complete; Poco Hub now manages policycontroller.

PolicyControllerMonitoring

PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]

Fields
backends[]

PolicyControllerMonitoring.MonitoringBackend

Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.

MonitoringBackend

Supported backend options for monitoring

Enums
MONITORING_BACKEND_UNSPECIFIED Backend cannot be determined
PROMETHEUS Prometheus backend for monitoring
CLOUD_MONITORING Stackdriver/Cloud Monitoring backend for monitoring

PolicyControllerMonitoringConfig

PolicyControllerMonitoringConfig specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["prometheus", "cloudmonitoring"]

Fields
backends[]

PolicyControllerMonitoringConfig.MonitoringBackend

Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.

MonitoringBackend

Supported backend options for monitoring

Enums
MONITORING_BACKEND_UNSPECIFIED Backend cannot be determined
PROMETHEUS Prometheus backend for monitoring
CLOUD_MONITORING Stackdriver/Cloud Monitoring backend for monitoring

PolicyControllerState

State for PolicyControllerState.

Fields
version

PolicyControllerVersion

The version of Gatekeeper Policy Controller deployed.
deployment_state

GatekeeperDeploymentState

The state about the policy controller installation.
migration

PolicyControllerMigration

Record state of ACM -> PoCo Hub migration for this feature.

PolicyControllerVersion

The build version of Gatekeeper Policy Controller is using.

Fields
version

string

The gatekeeper image tag that is composed of ACM version, git tag, build number.

ResourceList

ResourceList contains container resource requirements.

Fields
memory

string

Memory requirement expressed in Kubernetes resource units.
cpu

string

CPU requirement expressed in Kubernetes resource units.

ResourceRequirements

ResourceRequirements describes the compute resource requirements.

Fields
limits

ResourceList

Limits describes the maximum amount of compute resources allowed for use by the running container.
requests

ResourceList

Requests describes the amount of compute resources reserved for the container by the kube-scheduler.

RoutingConfig

RoutingConfig configures the behaviour of fleet logging feature.

Fields
mode

RoutingConfig.Mode

mode configures the logs routing mode.

Mode

Specified if fleet logging feature is enabled.

Enums
MODE_UNSPECIFIED If UNSPECIFIED, fleet logging feature is disabled.
COPY logs will be copied to the destination project.
MOVE logs will be moved to the destination project.

ServiceDirectoryFeatureSpec

This type has no fields.

An empty spec for service directory feature. This is required since Feature proto requires a spec.

ServiceDirectoryFeatureState

This type has no fields.

An empty state for service directory feature. This is rqeuired since FeatureStateDetails requires a state.

ServiceMeshAnalysisMessage

ServiceMeshAnalysisMessage is a single message produced by an analyzer, and it used to communicate to the end user about the state of their Service Mesh configuration.

Fields
message_base

ServiceMeshAnalysisMessageBase

Details common to all types of Istio and ServiceMesh analysis messages.
description

string

A human readable description of what the error means. It is suitable for non-internationalize display purposes.
resource_paths[]

string

A list of strings specifying the resource identifiers that were the cause of message generation. A "path" here may be: * MEMBERSHIP_ID if the cause is a specific member cluster * MEMBERSHIP_ID/(NAMESPACE\/)?RESOURCETYPE/NAME if the cause is a resource in a cluster
args

Struct

A UI can combine these args with a template (based on message_base.type) to produce an internationalized message.

ServiceMeshAnalysisMessageBase

ServiceMeshAnalysisMessageBase describes some common information that is needed for all messages.

Fields
type

ServiceMeshAnalysisMessageBase.Type

Represents the specific type of a message.
level

ServiceMeshAnalysisMessageBase.Level

Represents how severe a message is.
documentation_url

string

A url pointing to the Service Mesh or Istio documentation for this specific error type.

Level

The values here are chosen so that more severe messages get sorted higher, as well as leaving space in between to add more later See istio.analysis.v1alpha1.AnalysisMessageBase.Level

Enums
LEVEL_UNSPECIFIED Illegal. Same istio.analysis.v1alpha1.AnalysisMessageBase.Level.UNKNOWN.
ERROR ERROR represents a misconfiguration that must be fixed.
WARNING WARNING represents a misconfiguration that should be fixed.
INFO INFO represents an informational finding.

Type

A unique identifier for the type of message. Display_name is intended to be human-readable, code is intended to be machine readable. There should be a one-to-one mapping between display_name and code. (i.e. do not re-use display_names or codes between message types.) See istio.analysis.v1alpha1.AnalysisMessageBase.Type

Fields
display_name

string

A human-readable name for the message type. e.g. "InternalError", "PodMissingProxy". This should be the same for all messages of the same type. (This corresponds to the name field in open-source Istio.)
code

string

A 7 character code matching ^IST[0-9]{4}$ or ^ASM[0-9]{4}$, intended to uniquely identify the message type. (e.g. "IST0001" is mapped to the "InternalError" message type.)

ServiceMeshFeatureSpec

ServiceMeshFeatureSpec contains the input for the service mesh feature.

Fields
membership_specs

map<string, ServiceMeshMembershipSpec>

Optional. Map from full path to the membership, to its individual config.

ServiceMeshFeatureState

ServiceMeshFeatureState describes the state of the Service Mesh hub feature as analyzed by the Service Mesh Hub Controller.

Fields
analysis_messages[]

ServiceMeshAnalysisMessage

Output only. Results of running Service Mesh analyzers against member clusters, or the entire mesh.
control_plane_management

ServiceMeshFeatureState.ControlPlaneManagement

Output only. Status of control plane management
data_plane_management

ServiceMeshFeatureState.DataPlaneManagement

Output only. Status of data plane management.
config_api_version

string

The API version (i.e. Istio CRD version) for configuring service mesh in this cluster. This version is influenced by the default_channel field.
conditions[]

ServiceMeshFeatureState.Condition

Output only. List of conditions reported for this membership.

Condition

Condition being reported.

Fields
code

ServiceMeshFeatureState.Condition.Code

Unique identifier of the condition which describes the condition recognizable to the user.
details

string

A short summary about the issue.
severity

ServiceMeshFeatureState.Condition.Severity

Severity level of the condition.

Code

Unique identifier of the condition which describes the condition recognizable to the user.

Enums
CODE_UNSPECIFIED Default Unspecified code
MESH_IAM_PERMISSION_DENIED Mesh IAM permission denied error code
MESH_IAM_CROSS_PROJECT_PERMISSION_DENIED Permission denied error code for cross-project
CNI_CONFIG_UNSUPPORTED CNI config unsupported error code
GKE_SANDBOX_UNSUPPORTED GKE sandbox unsupported error code
NODEPOOL_WORKLOAD_IDENTITY_FEDERATION_REQUIRED Nodepool workload identity federation required error code
CNI_INSTALLATION_FAILED CNI installation failed error code
CNI_POD_UNSCHEDULABLE CNI pod unschedulable error code
CLUSTER_HAS_ZERO_NODES Cluster has zero node code
UNSUPPORTED_MULTIPLE_CONTROL_PLANES Multiple control planes unsupported error code
VPCSC_GA_SUPPORTED VPC-SC GA is supported for this control plane.
DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT User is using deprecated ControlPlaneManagement and they have not yet set Management.
DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT_SAFE User is using deprecated ControlPlaneManagement and they have already set Management.
CONFIG_APPLY_INTERNAL_ERROR Configuration (Istio/k8s resources) failed to apply due to internal error.
CONFIG_VALIDATION_ERROR Configuration failed to be applied due to being invalid.
CONFIG_VALIDATION_WARNING Encountered configuration(s) with possible unintended behavior or invalid configuration. These configs may not have been applied.
QUOTA_EXCEEDED_BACKEND_SERVICES BackendService quota exceeded error code.
QUOTA_EXCEEDED_HEALTH_CHECKS HealthCheck quota exceeded error code.
QUOTA_EXCEEDED_HTTP_ROUTES HTTPRoute quota exceeded error code.
QUOTA_EXCEEDED_TCP_ROUTES TCPRoute quota exceeded error code.
QUOTA_EXCEEDED_TLS_ROUTES TLS routes quota exceeded error code.
QUOTA_EXCEEDED_TRAFFIC_POLICIES TrafficPolicy quota exceeded error code.
QUOTA_EXCEEDED_ENDPOINT_POLICIES EndpointPolicy quota exceeded error code.
QUOTA_EXCEEDED_GATEWAYS Gateway quota exceeded error code.
QUOTA_EXCEEDED_MESHES Mesh quota exceeded error code.
QUOTA_EXCEEDED_SERVER_TLS_POLICIES ServerTLSPolicy quota exceeded error code.
QUOTA_EXCEEDED_CLIENT_TLS_POLICIES ClientTLSPolicy quota exceeded error code.
QUOTA_EXCEEDED_SERVICE_LB_POLICIES ServiceLBPolicy quota exceeded error code.
QUOTA_EXCEEDED_HTTP_FILTERS HTTPFilter quota exceeded error code.
QUOTA_EXCEEDED_TCP_FILTERS TCPFilter quota exceeded error code.
QUOTA_EXCEEDED_NETWORK_ENDPOINT_GROUPS NetworkEndpointGroup quota exceeded error code.
MODERNIZATION_SCHEDULED Modernization is scheduled for a cluster.
MODERNIZATION_IN_PROGRESS Modernization is in progress for a cluster.
MODERNIZATION_COMPLETED Modernization is completed for a cluster.
MODERNIZATION_ABORTED Modernization is aborted for a cluster.

Severity

Severity level of the reported condition

Enums
SEVERITY_UNSPECIFIED Unspecified severity
ERROR Indicates an issue that prevents the mesh from operating correctly
WARNING Indicates a setting is likely wrong, but the mesh is still able to operate
INFO An informational message, not requiring any action

ControlPlaneManagement

Status of control plane management. Only reported per-member.

Fields
details[]

StatusDetails

Explanation of state.
state

ServiceMeshFeatureState.LifecycleState

State of control plane management.
implementation

ServiceMeshFeatureState.ControlPlaneManagement.Implementation

Output only. Implementation of managed control plane.

Implementation

Implementation of managed control plane.

Enums
IMPLEMENTATION_UNSPECIFIED Unspecified
ISTIOD A Google build of istiod is used for the managed control plane.
TRAFFIC_DIRECTOR Traffic director is used for the managed control plane.
UPDATING The control plane implementation is being updated.

DataPlaneManagement

Status of data plane management. Only reported per-member.

Fields
state

ServiceMeshFeatureState.LifecycleState

Lifecycle status of data plane management.
details[]

StatusDetails

Explanation of the status.

LifecycleState

Lifecycle state of Service Mesh components.

Enums
LIFECYCLE_STATE_UNSPECIFIED Unspecified
DISABLED DISABLED means that the component is not enabled.
FAILED_PRECONDITION FAILED_PRECONDITION means that provisioning cannot proceed because of some characteristic of the member cluster.
PROVISIONING PROVISIONING means that provisioning is in progress.
ACTIVE ACTIVE means that the component is ready for use.
STALLED STALLED means that provisioning could not be done.
NEEDS_ATTENTION NEEDS_ATTENTION means that the component is ready, but some user intervention is required. (For example that the user should migrate workloads to a new control plane revision.)
DEGRADED DEGRADED means that the component is ready, but operating in a degraded state.

ServiceMeshMembershipSpec

Service Mesh: Spec for a single Membership for the servicemesh feature

Fields
control_plane
(deprecated)

ServiceMeshMembershipSpec.ControlPlaneManagement

Deprecated: use management instead Enables automatic control plane management.
management

ServiceMeshMembershipSpec.Management

Optional. Enables automatic Service Mesh management.
config_api

ServiceMeshMembershipSpec.ConfigApi

Optional. Specifies the API that will be used for configuring the mesh workloads.

ConfigApi

Specifies the API that will be used for configuring the mesh workloads.

Enums
CONFIG_API_UNSPECIFIED Unspecified
CONFIG_API_ISTIO Use the Istio API for configuration.
CONFIG_API_GATEWAY Use the K8s Gateway API for configuration.

ControlPlaneManagement

Whether to automatically manage Service Mesh control planes.

Enums
CONTROL_PLANE_MANAGEMENT_UNSPECIFIED Unspecified
AUTOMATIC Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install.
MANUAL User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API)

Management

Whether to automatically manage Service Mesh.

Enums
MANAGEMENT_UNSPECIFIED Unspecified
MANAGEMENT_AUTOMATIC Google should manage my Service Mesh for the cluster.
MANAGEMENT_MANUAL User will manually configure their service mesh components.

StatusDetails

Structured and human-readable details for a status.

Fields
code

string

A machine-readable code that further describes a broad status.
details

string

Human-readable explanation of code.

SyncError

An ACM created error representing a problem syncing configurations

Fields
code

string

An ACM defined error code
error_message

string

A description of the error
error_resources[]

ErrorResource

A list of config(s) associated with the error, if any

SyncState

State indicating an ACM's progress syncing configurations to a cluster

Fields
source_token

string

Token indicating the state of the repo.
import_token

string

Token indicating the state of the importer.
sync_token

string

Token indicating the state of the syncer.
last_sync

string

Timestamp of when ACM last successfully synced the repo The time format is specified in https://golang.org/pkg/time/#Time.String This field is being deprecated. Use last_sync_time instead.
last_sync_time

Timestamp

Timestamp type of when ACM last successfully synced the repo
code

SyncState.SyncCode

Sync status code
errors[]

SyncError

A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist.

SyncCode

An enum representing Config Sync's status of syncing configs to a cluster.

Enums
SYNC_CODE_UNSPECIFIED Config Sync cannot determine a sync code
SYNCED Config Sync successfully synced the git Repo with the cluster
PENDING Config Sync is in the progress of syncing a new change
ERROR Indicates an error configuring Config Sync, and user action is required
NOT_CONFIGURED Config Sync has been installed but not configured
NOT_INSTALLED Config Sync has not been installed
UNAUTHORIZED Error authorizing with the cluster
UNREACHABLE Cluster could not be reached

TemplateLibraryConfig

The config specifying which default library templates to install.

Fields
installation

TemplateLibraryConfig.Installation

Configures the manner in which the template library is installed on the cluster.

Installation

How the template library should be installed

Enums
INSTALLATION_UNSPECIFIED No installation strategy has been specified.
NOT_INSTALLED Do not install the template library.
ALL Install the entire template library.

UpdateFeatureRequest

Request message for GkeHubDomainFeatureService.UpdateFeature method.

Fields
name

string

Required. The Feature resource name in the format projects/*/locations/global/features/*.

Authorization requires the following IAM permission on the specified resource name:

  • gkehub.features.update
update_mask

FieldMask

Mask of fields to update.
resource

Feature

Only fields specified in update_mask are updated. If you specify a field in the update_mask but don't specify its value here that field will be deleted. If you are updating a map field, set the value of a key to null or empty string to delete the key from the map. It's not possible to update a key's value to the empty string.

WorkloadCertificateFeatureSpec

WorkloadCertificateFeatureSpec contains the input for the workload identity platform feature. This is required since Feature proto requires a spec.

Fields
provision_google_ca

WorkloadCertificateFeatureSpec.GoogleCAProvisioning

Immutable. Specifies CA configuration.
default_config

WorkloadCertificateMembershipSpec

Default membership spec. Users can override the default in the member_configs for each member.
member_configs

map<string, WorkloadCertificateMembershipSpec>

Per-member configuration of workload certificate.

GoogleCAProvisioning

Specifies if a default Google managed CA should be provisioned. If UNSPECIFIED, Google managed CA feature is disabled. If set to UNSPECIFIED/DISABLED, the "certificate_authority_config" field in WorkloadCertificateConfig must specify a CA endpoint.

Enums
GOOGLE_CA_PROVISIONING_UNSPECIFIED Disable default Google managed CA.
DISABLED Disable default Google managed CA.
ENABLED Use default Google managed CA.
ENABLED_WITH_MANAGED_CA Workload certificate feature is enabled, and the entire certificate provisioning process is managed by Google with managed CAS which is more secure than the default CA.
ENABLED_WITH_DEFAULT_CA Workload certificate feature is enabled, and the entire certificate provisioning process is using the default CA which is free.

WorkloadCertificateFeatureState

This type has no fields.

WorkloadCertificateFeatureState describes the state of the workload certificate feature. This is required since FeatureStateDetails requires a state.

WorkloadCertificateMembershipSpec

WorkloadCertificateMembershipSpec contains the membership-specific input for WorkloadCertificate feature.

Fields
certificate_management

WorkloadCertificateMembershipSpec.CertificateManagement

Specifies workload certificate management.

CertificateManagement

Specifies whether or not the feature is enabled on the member cluster.

Enums
CERTIFICATE_MANAGEMENT_UNSPECIFIED Disable workload certificate feature.
DISABLED Disable workload certificate feature.
ENABLED Enable workload certificate feature.