- Resource: AttachedCluster
  - AttachedOidcConfig
  - State
  - AttachedClusterError
  - AttachedClustersAuthorization
  - AttachedClusterUser
  - AttachedClusterGroup
  - AttachedProxyConfig
  - KubernetesSecret
  - SecurityPostureConfig
  - VulnerabilityMode
- Methods
Resource: AttachedCluster
An Anthos cluster running on customer-owned infrastructure.
JSON representation
```
{ "name": string, "description": string, "oidcConfig": { object (
```
Fields

| Field | Description |
|---|---|
| name | The name of this resource. Cluster names are formatted as See Resource Names for more details on Google Cloud Platform resource names. |
| description | Optional. A human-readable description of this cluster. Cannot be longer than 255 UTF-8 encoded bytes. |
| oidcConfig | Required. OpenID Connect (OIDC) configuration for the cluster. |
| platformVersion | Required. The platform version for the cluster (e.g. You can list all supported versions on a given Google Cloud region by calling |
| distribution | Required. The Kubernetes distribution of the underlying attached cluster. Supported values: ["eks", "aks", "generic"]. |
| clusterRegion | Output only. The region where this cluster runs. For EKS clusters, this is an AWS region. For AKS clusters, this is an Azure region. |
| fleet | Required. Fleet configuration. |
| state | Output only. The current state of the cluster. |
| uid | Output only. A globally unique identifier for the cluster. |
| reconciling | Output only. If set, there are currently changes in flight to the cluster. |
| createTime | Output only. The time at which this cluster was registered. A timestamp in RFC 3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| updateTime | Output only. The time at which this cluster was last updated. A timestamp in RFC 3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| etag | Allows clients to perform consistent read-modify-writes through optimistic concurrency control. Can be sent on update and delete requests to ensure the client has an up-to-date value before proceeding. |
| kubernetesVersion | Output only. The Kubernetes version of the cluster. |
| annotations | Optional. Annotations on the cluster. This field has the same restrictions as Kubernetes annotations. The total size of all keys and values combined is limited to 256k. A key can have two segments: prefix (optional) and name (required), separated by a slash (/). The prefix must be a DNS subdomain. The name must be 63 characters or less, begin and end with alphanumerics, with dashes (-), underscores (_), dots (.), and alphanumerics between. An object containing a list of |
| workloadIdentityConfig | Output only. Workload Identity settings. |
| loggingConfig | Optional. Logging configuration for this cluster. |
| errors[] | Output only. A set of errors found in the cluster. |
| authorization | Optional. Configuration related to the cluster RBAC settings. |
| monitoringConfig | Optional. Monitoring configuration for this cluster. |
| proxyConfig | Optional. Proxy configuration for outbound HTTP(S) traffic. |
| binaryAuthorization | Optional. Binary Authorization configuration for this cluster. |
| securityPostureConfig | Optional. Security Posture configuration for this cluster. |
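As an added illustration (not code from this API reference or from Google's client libraries), the following Python pre-submit check enforces the limits the field table states before a create request is sent: description length, supported distributions, required fields, and the annotation key and size rules. Function names are mine; "256k" is read as 256 * 1024 bytes, an assumption that matches the Kubernetes annotation limit.

```python
import re
from typing import Optional

# Limits taken from the field descriptions; "256k" is read as 256 * 1024 bytes
# (assumption, matching the Kubernetes annotation size limit).
SUPPORTED_DISTRIBUTIONS = {"eks", "aks", "generic"}
MAX_DESCRIPTION_BYTES = 255
MAX_ANNOTATION_BYTES = 256 * 1024
NAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?$")
DNS_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def is_dns_subdomain(prefix: str) -> bool:
    """RFC 1123 subdomain: dot-separated lowercase labels, each <= 63 chars, <= 253 total."""
    if not prefix or len(prefix) > 253:
        return False
    return all(len(label) <= 63 and DNS_LABEL_RE.match(label) for label in prefix.split("."))


def check_annotation_key(key: str) -> Optional[str]:
    """Return a problem for an annotation key, or None if it is well-formed."""
    parts = key.split("/")
    if len(parts) > 2:
        return f"{key!r}: at most one '/' separating prefix and name is allowed"
    prefix, name = (parts[0], parts[1]) if len(parts) == 2 else (None, parts[0])
    if prefix is not None and not is_dns_subdomain(prefix):
        return f"{key!r}: prefix must be a DNS subdomain"
    if not name or len(name) > 63:
        return f"{key!r}: name must be 1 to 63 characters"
    if not NAME_RE.match(name):
        return f"{key!r}: name must begin and end with an alphanumeric"
    return None


def validate_attached_cluster(body: dict) -> list:
    """Check an AttachedCluster create body against the documented field limits."""
    problems = []
    if len(body.get("description", "").encode("utf-8")) > MAX_DESCRIPTION_BYTES:
        problems.append("description exceeds 255 UTF-8 bytes")
    if body.get("distribution") not in SUPPORTED_DISTRIBUTIONS:
        problems.append("distribution must be one of eks, aks, generic")
    for required in ("oidcConfig", "platformVersion", "fleet"):
        if required not in body:
            problems.append(f"{required} is required")
    annotations = body.get("annotations", {})
    problems += [p for p in map(check_annotation_key, annotations) if p]
    total = sum(len(k.encode()) + len(v.encode()) for k, v in annotations.items())
    if total > MAX_ANNOTATION_BYTES:
        problems.append(f"annotations total {total} bytes, limit is {MAX_ANNOTATION_BYTES}")
    return problems
```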
AttachedOidcConfig
OIDC discovery information of the target cluster.
Kubernetes Service Account (KSA) tokens are JWTs signed by the cluster API server. This field indicates how Google Cloud Platform services validate KSA tokens in order to allow system workloads (such as GKE Connect and telemetry agents) to authenticate back to Google Cloud Platform.
Clusters with both public and private issuer URLs are supported. Clusters with public issuers only need to specify the issuerUrl field, while clusters with private issuers need to provide both issuerUrl and oidc_jwks.
JSON representation
```
{ "issuerUrl": string, "jwks": string }
```
Fields

| Field | Description |
|---|---|
| issuerUrl | A JSON Web Token (JWT) issuer URI. |
| jwks | Optional. OIDC verification keys in JWKS format (RFC 7517). It contains a list of OIDC verification keys that can be used to verify OIDC JWTs. This field is required for clusters that don't have a publicly available discovery endpoint. When provided, it is used directly to verify the OIDC JWT asserted by the IdP. A base64-encoded string. |
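The public/private issuer rule above, as an added Python example that is not part of this reference or of any Google library: `build_oidc_config` assembles the `AttachedOidcConfig` object (base64-encoding the JWKS for a private issuer) and `validate_oidc_config` checks it before submission. The function names, the `issuer_is_public` flag (the caller states whether the discovery endpoint is reachable) and the sample JWKS are assumptions; the https requirement on the issuer follows the OIDC Discovery specification.

```python
import base64
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed sample JWKS for illustration only; not keys from any real cluster.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig",
                         "alg": "RS256", "n": "AQAB", "e": "AQAB"}]}


def build_oidc_config(issuer_url: str, jwks: Optional[dict] = None) -> dict:
    """Build an AttachedOidcConfig object; a private issuer's JWKS is base64-encoded."""
    cfg = {"issuerUrl": issuer_url}
    if jwks is not None:
        cfg["jwks"] = base64.b64encode(json.dumps(jwks).encode("utf-8")).decode("ascii")
    return cfg


def validate_oidc_config(cfg: dict, issuer_is_public: bool) -> list:
    """Return a list of problems; an empty list means the config is acceptable.

    issuer_is_public says whether the issuer exposes a discovery endpoint that
    Google Cloud can reach; when it does not, jwks must be supplied inline.
    """
    problems = []
    parsed = urlparse(cfg.get("issuerUrl", ""))
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append("issuerUrl must be an https URL")
    jwks_b64 = cfg.get("jwks")
    if jwks_b64 is None:
        if not issuer_is_public:
            problems.append("jwks is required when the issuer has no public discovery endpoint")
        return problems
    try:
        doc = json.loads(base64.b64decode(jwks_b64, validate=True))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        problems.append("jwks is not base64-encoded JSON")
        return problems
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        problems.append("JWKS must contain a non-empty 'keys' array (RFC 7517)")
        return problems
    for i, key in enumerate(keys):
        if not isinstance(key, dict) or "kty" not in key:
            problems.append(f"keys[{i}] is missing the required 'kty' member")
        elif key.get("use", "sig") != "sig":
            problems.append(f"keys[{i}] is not a signature key (use != sig)")
    return problems
```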
State
The lifecycle state of the cluster.
Enums

| Enum | Description |
|---|---|
| STATE_UNSPECIFIED | Not set. |
| PROVISIONING | The PROVISIONING state indicates the cluster is being registered. |
| RUNNING | The RUNNING state indicates the cluster has been registered and is fully usable. |
| RECONCILING | The RECONCILING state indicates that some work is actively being done on the cluster, such as upgrading software components. |
| STOPPING | The STOPPING state indicates the cluster is being de-registered. |
| ERROR | The ERROR state indicates the cluster is in a broken, unrecoverable state. |
| DEGRADED | The DEGRADED state indicates the cluster requires user action to restore full functionality. |
AttachedClusterError
AttachedClusterError describes errors found on attached clusters.
JSON representation
```
{ "message": string }
```
Fields

| Field | Description |
|---|---|
| message | Human-friendly description of the error. |
AttachedClustersAuthorization
Configuration related to the cluster RBAC settings.
JSON representation
```
{ "adminUsers": [ { object (
```
Fields

| Field | Description |
|---|---|
| adminUsers[] | Optional. Users that can perform operations as a cluster admin. A managed ClusterRoleBinding will be created to grant the For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
| adminGroups[] | Optional. Groups of users that can perform operations as a cluster admin. A managed ClusterRoleBinding will be created to grant the For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
AttachedClusterUser
Identities of a user-type subject for Attached clusters.
JSON representation
```
{ "username": string }
```
Fields

| Field | Description |
|---|---|
| username | Required. The name of the user, e.g. |
AttachedClusterGroup
Identities of a group-type subject for Attached clusters.
JSON representation
```
{ "group": string }
```
Fields

| Field | Description |
|---|---|
| group | Required. The name of the group, e.g. |
AttachedProxyConfig
Details of a proxy config.
JSON representation
```
{ "kubernetesSecret": { object (
```
Fields

| Field | Description |
|---|---|
| kubernetesSecret | The Kubernetes Secret resource that contains the HTTP(S) proxy configuration. The secret must be a JSON-encoded proxy configuration as described in |
KubernetesSecret
Information about a Kubernetes Secret.
JSON representation
```
{ "name": string, "namespace": string }
```
Fields

| Field | Description |
|---|---|
| name | Name of the Kubernetes Secret. |
| namespace | Namespace in which the Kubernetes Secret is stored. |
SecurityPostureConfig
SecurityPostureConfig defines the flags needed to enable or disable features for the Security Posture API.
JSON representation
```
{ "vulnerabilityMode": enum (
```
Fields

| Field | Description |
|---|---|
| vulnerabilityMode | Sets which mode to use for vulnerability scanning. |
VulnerabilityMode
VulnerabilityMode defines the enablement mode for vulnerability scanning.
Enums

| Enum | Description |
|---|---|
| VULNERABILITY_MODE_UNSPECIFIED | Default value; mode not specified. |
| VULNERABILITY_DISABLED | Disables vulnerability scanning on the cluster. |
| VULNERABILITY_ENTERPRISE | Applies Security Posture vulnerability scanning to the cluster with Enterprise-level features. |
Methods

- Creates a new AttachedCluster resource on a given Google Cloud Platform project and region.
- Deletes a specific AttachedCluster resource.
- Generates an access token for a cluster agent.
- Describes a specific AttachedCluster resource.
- Imports an existing Fleet Membership resource, creating a new AttachedCluster resource from it.
- Lists all AttachedCluster resources on a given Google Cloud project and region.
- Updates an AttachedCluster.