This page shows you how to create Google Distributed Cloud (GDC) air-gapped storage WORM buckets.
Before you begin
A project namespace manages bucket resources in the org admin cluster. You must have a project to work with buckets and objects.
You must also have the appropriate bucket permissions to perform the following operation. See Grant bucket access.
Create a WORM bucket
A WORM bucket ensures that nothing else overwrites objects and it retains them for a minimum period of time. Audit logging is an example use case for a WORM bucket.
Take the following steps to create a WORM bucket:
Set a retention period when creating the bucket. For example, the following example bucket has a retention period of 365 days.
apiVersion: object.gdc.goog/v1 kind: Bucket metadata: name: foo logging-bucket namespace: foo-service spec: description: "Audit logs for foo" storageClass: Standard bucketPolicy : lockingPolicy : defaultObjectRetentionDays: 365Grant the
project-bucket-object-viewerrole to all users who need read-only access:apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: foo-service name: object-readonly-access roleRef: kind: Role name: project-bucket-object-viewer apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount namespace: foo-service name: foo-log-processor - kind: User name: bob@example.com apiGroup: rbac.authorization.k8s.ioGrant the
project-bucket-object-adminrole to users who need to write content to the bucket:apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: namespace: foo-service name: object-write-access roleRef: kind: Role name: project-bucket-object-viewer apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount namespace: foo-service name: foo-service-account