- Resource: MembershipFeature
- FeatureConfigRef
- FeatureSpec
- Spec
- Spec.CertificateManagement
- Spec
- Spec.SecurityPolicy
- Spec
- HubConfig
- HubConfig.InstallSpec
- MonitoringConfig
- MonitoringConfig.MonitoringBackend
- PolicyContentSpec
- BundleInstallSpec
- TemplateLibraryConfig
- TemplateLibraryConfig.Installation
- PolicyControllerDeploymentConfig
- ResourceRequirements
- ResourceList
- PolicyControllerDeploymentConfig.Toleration
- PolicyControllerDeploymentConfig.Affinity
- Spec
- Spec.AuthMethod
- Spec.AuthMethod.OidcConfig
- Spec.AuthMethod.AzureADConfig
- Spec.AuthMethod.GoogleConfig
- Spec.AuthMethod.SamlConfig
- Spec.AuthMethod.LdapConfig
- Spec.AuthMethod.LdapConfig.ServerConfig
- Spec.AuthMethod.LdapConfig.UserConfig
- Spec.AuthMethod.LdapConfig.GroupConfig
- Spec.AuthMethod.LdapConfig.ServiceAccountConfig
- Spec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials
- Spec.IdentityServiceOptions
- Spec.IdentityServiceOptions.DiagnosticInterface
- Spec
- Spec.ControlPlaneManagement
- Channel
- Spec.Management
- Spec.ConfigApi
- Spec
- ConfigSync
- GitConfig
- OciConfig
- PolicyController
- PolicyControllerMonitoring
- PolicyControllerMonitoring.MonitoringBackend
- BinauthzConfig
- HierarchyControllerConfig
- Spec.Management
- FeatureSpec.Origin
- FeatureSpec.Origin.Type
- FeatureState
- State
- IgnoredMembership
- MembershipGKEUpgradeState
- GKEUpgrade
- UpgradeStatus
- UpgradeStatus.Code
- State
- State.DeploymentState
- State
- AnalysisMessage
- AnalysisMessageBase
- AnalysisMessageBase.Type
- AnalysisMessageBase.Level
- State.ControlPlaneManagement
- StatusDetails
- State.LifecycleState
- State.ControlPlaneManagement.Implementation
- State.DataPlaneManagement
- State.Condition
- State.Condition.Code
- State.Condition.Severity
- State
- State
- OperatorState
- DeploymentState
- InstallError
- ConfigSyncState
- ConfigSyncVersion
- ConfigSyncDeploymentState
- SyncState
- SyncState.SyncCode
- SyncError
- ErrorResource
- GroupVersionKind
- ConfigSyncError
- ConfigSyncState.CRDState
- ConfigSyncState.State
- ConfigSyncState.StopSyncingState
- PolicyControllerState
- PolicyControllerVersion
- GatekeeperDeploymentState
- PolicyControllerMigration
- PolicyControllerMigration.Stage
- BinauthzState
- BinauthzVersion
- HierarchyControllerState
- HierarchyControllerVersion
- HierarchyControllerDeploymentState
- State
- OnClusterState
- State.LifecycleState
- PolicyContentState
- State
- State.Status
- State.Code
- State
- State.Code
- LifecycleState
- LifecycleState.State
- Methods
Resource: MembershipFeature
MembershipFeature represents the settings and status of a Fleet Feature enabled on a single Fleet Membership.

| JSON representation |
|---|
| `{ "name": string, "labels": { string: string, ... }, "featureConfigRef": { object (` |

| Fields | |
|---|---|
| name | Output only. The resource name of the membershipFeature, in the format: |
| labels | GCP labels for this MembershipFeature. An object containing a list of |
| featureConfigRef | Reference information for a FeatureConfig applied on the MembershipFeature. |
| spec | Spec of this membershipFeature. |
| state | Output only. State of this membershipFeature. |
| lifecycle | Output only. Lifecycle information of the resource itself. |
| create | Output only. When the MembershipFeature resource was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| update | Output only. When the MembershipFeature resource was last updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| delete | Output only. When the MembershipFeature resource was deleted. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |

FeatureConfigRef
Information of the FeatureConfig applied on the MembershipFeature.

| JSON representation |
|---|
| `{ "config": string, "uuid": string, "configUpdateTime": string }` |

| Fields | |
|---|---|
| config | Input only. Resource name of FeatureConfig, in the format: |
| uuid | Output only. An id that uniquely identifies a FeatureConfig object. |
| configUpdateTime | Output only. When the FeatureConfig was last applied and copied to FeatureSpec. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |

FeatureSpec
FeatureSpec contains user input per-feature spec information.

| JSON representation |
|---|
| `{ "origin": { object (` |

| Fields | |
|---|---|
| origin | Whether this per-Feature spec was inherited from a fleet-level default. This field can be updated by users by either overriding a Feature config (updated to USER implicitly) or setting to FLEET explicitly. |

Union field feature_spec. Spec specific to each Fleet feature. The oneof feature type will always match the {feature-type} in the FeatureConfig resource name. feature_spec can be only one of the following:

| Fields | |
|---|---|
| workloadcertificate | Workloadcertificate-specific FeatureSpec. |
| cloudbuild | Cloudbuild-specific FeatureSpec. |
| policycontroller | Policycontroller-specific FeatureSpec. |
| identityservice | IdentityService FeatureSpec. |
| servicemesh | ServiceMesh FeatureSpec. |
| configmanagement | Config Management FeatureSpec. |
Spec
WorkloadCertificate: The membership-specific input for the WorkloadCertificate feature.

| JSON representation |
|---|
| `{ "certificateManagement": enum (` |

| Fields | |
|---|---|
| certificateManagement | CertificateManagement specifies workload certificate management. |

Spec.CertificateManagement
CertificateManagement specifies whether or not the feature is enabled on the member cluster.

| Enums | |
|---|---|
| CERTIFICATE_MANAGEMENT_UNSPECIFIED | Disable workload certificate feature. |
| DISABLED | Disable workload certificate feature. |
| ENABLED | Enable workload certificate feature. |

Spec
Cloud Build: Configurations for each Cloud Build enabled cluster.

| JSON representation |
|---|
| `{ "version": string, "securityPolicy": enum (` |

| Fields | |
|---|---|
| version | Version of the Cloud Build software on the cluster. |
| securityPolicy | Whether it is allowed to run privileged builds on the cluster or not. |

Spec.SecurityPolicy
Different security policies we can apply to the cluster.

| Enums | |
|---|---|
| SECURITY_POLICY_UNSPECIFIED | Unspecified policy |
| NON_PRIVILEGED | Privileged build pods are disallowed |
| PRIVILEGED | Privileged build pods are allowed |

Spec
Policy Controller: Configuration for a single cluster. Intended to parallel the PolicyController CR.

| JSON representation |
|---|
| `{ "policyControllerHubConfig": { object (` |

| Fields | |
|---|---|
| policyControllerHubConfig | Policy Controller configuration for the cluster. |
| version | Version of Policy Controller installed. |
HubConfig
Configuration for Policy Controller

| JSON representation |
|---|
| `{ "installSpec": enum (` |

| Fields | |
|---|---|
| installSpec | The installSpec represents the intended state specified by the latest request that mutated installSpec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state. |
| exemptable | The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. |
| referential | Enables the ability to use Constraint Templates that reference objects other than the object currently being evaluated. |
| log | Logs all denies and dry run failures. |
| mutation | Enables the ability to mutate resources using Policy Controller. |
| deployment | Map of deployment configs to deployments ("admission", "audit", "mutation"). An object containing a list of |
| audit | Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. |
| monitoring | Monitoring specifies the configuration of monitoring. |
| policy | Specifies the desired policy content on the cluster. |
| constraint | The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used. |

HubConfig.InstallSpec

| Enums | |
|---|---|
| INSTALL_SPEC_UNSPECIFIED | Spec is unknown. |
| INSTALL_SPEC_NOT_INSTALLED | Request to uninstall Policy Controller. |
| INSTALL_SPEC_ENABLED | Request to install and enable Policy Controller. |
| INSTALL_SPEC_SUSPENDED | Request to suspend Policy Controller, i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended. |
| INSTALL_SPEC_DETACHED | Request to stop all reconciliation actions by the PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources. |

MonitoringConfig
MonitoringConfig specifies the backends Policy Controller should export metrics to. For example, to specify that metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]

| JSON representation |
|---|
| `{ "backends": [ enum (` |

| Fields | |
|---|---|
| backends[] | Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. |

MonitoringConfig.MonitoringBackend
Supported backend options for monitoring

| Enums | |
|---|---|
| MONITORING_BACKEND_UNSPECIFIED | Backend cannot be determined |
| PROMETHEUS | Prometheus backend for monitoring |
| CLOUD_MONITORING | Stackdriver/Cloud Monitoring backend for monitoring |
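The HubConfig fields and the MonitoringConfig backends above are what a reviewer reads when checking whether Policy Controller is actually enforcing and observable. The following is an added example (not Google's code) that reviews a HubConfig object for settings that weaken enforcement or visibility; the field names installSpec, exemptableNamespaces, logDeniesEnabled, auditIntervalSeconds and monitoring.backends are assumed from the reference, which truncates several of them, and the sample configs are constructed.

```python
"""Review a Policy Controller HubConfig for settings that weaken enforcement or
visibility. Added example, not Google's code; the full field names are assumed
from the reference above (which truncates several of them)."""

from typing import Dict, List

# HubConfig.InstallSpec values: only ENABLED both installs and enforces.
ENFORCING_INSTALL_SPECS = {"INSTALL_SPEC_ENABLED"}
# MonitoringConfig.MonitoringBackend values, keyed by the lower-cased,
# underscore-free spelling so both "cloudmonitoring" (as in the prose example)
# and "CLOUD_MONITORING" (the enum value) are accepted.
BACKEND_ALIASES = {"cloudmonitoring": "CLOUD_MONITORING", "prometheus": "PROMETHEUS"}


def normalize_backend(name: str) -> str:
    """Map a backend spelling to its enum value; raise on unknown names."""
    key = name.lower().replace("_", "")
    if key not in BACKEND_ALIASES:
        raise ValueError(f"unknown monitoring backend {name!r}")
    return BACKEND_ALIASES[key]


def review_hub_config(cfg: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing of concern."""
    findings: List[str] = []

    spec = cfg.get("installSpec", "INSTALL_SPEC_UNSPECIFIED")
    if spec not in ENFORCING_INSTALL_SPECS:
        # SUSPENDED turns off the webhooks, DETACHED stops reconciliation and
        # NOT_INSTALLED removes Policy Controller: none of them enforce policy.
        findings.append(f"installSpec={spec}: admission policy is not enforced")

    # The field doc says an interval of 0 disables audit scans altogether.
    interval = cfg.get("auditIntervalSeconds")
    if interval is not None and int(interval) == 0:
        findings.append("auditIntervalSeconds=0: audit scans are disabled")

    if not cfg.get("logDeniesEnabled", False):
        findings.append("logDeniesEnabled=false: denies and dry-run failures are not logged")

    exempt = sorted(cfg.get("exemptableNamespaces", []))
    if exempt:
        findings.append("exemptableNamespaces skips checks in: " + ", ".join(exempt))

    backends = cfg.get("monitoring", {}).get("backends", [])
    if not backends:
        findings.append("monitoring.backends is empty: metrics export is disabled")
    for name in backends:
        try:
            normalize_backend(name)
        except ValueError as err:
            findings.append(str(err))
    return findings


# Constructed sample configs (not taken from the page).
WEAK_CONFIG = {
    "installSpec": "INSTALL_SPEC_SUSPENDED",
    "auditIntervalSeconds": "0",
    "logDeniesEnabled": False,
    "exemptableNamespaces": ["kube-system", "dev-sandbox"],
    "monitoring": {"backends": []},
}
HARDENED_CONFIG = {
    "installSpec": "INSTALL_SPEC_ENABLED",
    "auditIntervalSeconds": "60",
    "logDeniesEnabled": True,
    "exemptableNamespaces": [],
    "monitoring": {"backends": ["cloudmonitoring", "PROMETHEUS"]},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, review_hub_config(cfg) or ["no findings"])
```

The integer fields arrive as JSON strings (int64), which is why the sample stores auditIntervalSeconds as "0" and the check converts with int(). Treating SUSPENDED and DETACHED as non-enforcing is deliberate: both are legitimate break-glass states, but a reviewer wants them surfaced rather than silently left in place.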
PolicyContentSpec
PolicyContentSpec defines the user's desired content configuration on the cluster.

| JSON representation |
|---|
| `{ "bundles": { string: { object (` |

| Fields | |
|---|---|
| bundles | Map of bundle name to BundleInstallSpec. The bundle name maps to the An object containing a list of |
| template | Configures the installation of the Template Library. |

BundleInstallSpec
BundleInstallSpec is the specification configuration for a single managed bundle.

| JSON representation |
|---|
| `{ "exemptedNamespaces": [ string ] }` |

| Fields | |
|---|---|
| exemptedNamespaces | The set of namespaces to be exempted from the bundle. |

TemplateLibraryConfig
The config specifying which default library templates to install.

| JSON representation |
|---|
| `{ "installation": enum (` |

| Fields | |
|---|---|
| installation | Configures the manner in which the template library is installed on the cluster. |

TemplateLibraryConfig.Installation
How the template library should be installed

| Enums | |
|---|---|
| INSTALLATION_UNSPECIFIED | No installation strategy has been specified. |
| NOT_INSTALLED | Do not install the template library. |
| ALL | Install the entire template library. |

PolicyControllerDeploymentConfig
Deployment-specific configuration.

| JSON representation |
|---|
| `{ "podTolerations": [ { object (` |

| Fields | |
|---|---|
| podTolerations | Pod tolerations of node taints. |
| pod | Pod affinity configuration. |
| replica | Pod replica count. |
| container | Container resource requirements. |
| podAntiAffinity | Pod anti-affinity enablement. Deprecated: use |

ResourceRequirements
ResourceRequirements describes the compute resource requirements.

| JSON representation |
|---|
| `{ "limits": { object (` |

| Fields | |
|---|---|
| limits | Limits describes the maximum amount of compute resources allowed for use by the running container. |
| requests | Requests describes the amount of compute resources reserved for the container by the kube-scheduler. |

ResourceList
ResourceList contains container resource requirements.

| JSON representation |
|---|
| `{ "memory": string, "cpu": string }` |

| Fields | |
|---|---|
| memory | Memory requirement expressed in Kubernetes resource units. |
| cpu | CPU requirement expressed in Kubernetes resource units. |

PolicyControllerDeploymentConfig.Toleration
Toleration of a node taint.

| JSON representation |
|---|
| `{ "key": string, "operator": string, "value": string, "effect": string }` |

| Fields | |
|---|---|
| key | Matches a taint key (not necessarily unique). |
| operator | Matches a taint operator. |
| value | Matches a taint value. |
| effect | Matches a taint effect. |

PolicyControllerDeploymentConfig.Affinity
The pod affinity configuration used by a deployment.

| Enums | |
|---|---|
| AFFINITY_UNSPECIFIED | No affinity configuration has been specified. |
| NO_AFFINITY | Affinity configurations will be removed from the deployment. |
| ANTI_AFFINITY | Anti-affinity configuration will be applied to this deployment. Default for the admission deployment. |
Spec
IdentityService: Configuration for a single membership.

| JSON representation |
|---|
| `{ "authMethods": [ { object (` |

| Fields | |
|---|---|
| authMethods | A member may support multiple auth methods. |
| identity | Optional. Non-protocol-related configuration options. |

Spec.AuthMethod
Configuration of an auth method for a member/cluster. Only one authentication method can be set per AuthMethod (for example, OIDC and LDAP cannot both be set on the same AuthMethod).

| JSON representation |
|---|
| `{ "name": string, "proxy": string, // Union field` |

| Fields | |
|---|---|
| name | Identifier for auth config. |
| proxy | Proxy server address to use for auth method. |

Union field auth_config. Supported auth configurations. auth_config can be only one of the following:

| Fields | |
|---|---|
| oidc | OIDC specific configuration. |
| azuread | AzureAD specific configuration. |
| google | GoogleConfig specific configuration. |
| saml | SAML specific configuration. |
| ldap | LDAP specific configuration. |
Spec.AuthMethod.OidcConfig
Configuration for the OIDC Auth flow.

| JSON representation |
|---|
| `{ "clientId": string, "certificateAuthorityData": string, "issuerUri": string, "kubectlRedirectUri": string, "scopes": string, "extraParams": string, "userClaim": string, "userPrefix": string, "groupsClaim": string, "groupPrefix": string, "deployCloudConsoleProxy": boolean, "clientSecret": string, "encryptedClientSecret": string, "enableAccessToken": boolean }` |

| Fields | |
|---|---|
| clientId | ID for the OIDC client application. |
| certificateAuthorityData | PEM-encoded CA for the OIDC provider. |
| issuerUri | URI for the OIDC provider. This should point to the level below .well-known/openid-configuration. |
| kubectlRedirectUri | Registered redirect URI to redirect users going through the OAuth flow using the kubectl plugin. |
| scopes | Comma-separated list of identifiers. |
| extraParams | Comma-separated list of key-value pairs. |
| userClaim | Claim in the OIDC ID token that holds the username. |
| userPrefix | Prefix to prepend to the user name. |
| groupsClaim | Claim in the OIDC ID token that holds group information. |
| groupPrefix | Prefix to prepend to the group name. |
| deployCloudConsoleProxy | Flag to denote if a reverse proxy is used to connect to the auth provider. This flag should be set to true when the provider is not reachable by Google Cloud Console. |
| clientSecret | Input only. Unencrypted OIDC client secret; will be passed to the GKE Hub CLH. |
| encryptedClientSecret | Output only. Encrypted OIDC client secret. A base64-encoded string. |
| enableAccessToken | Enable access token. |
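The userClaim/userPrefix and groupsClaim/groupPrefix fields determine the names that Kubernetes RBAC ultimately sees, and the clientSecret field is input only. The following is an added example (not Anthos Identity Service code) that derives that identity from an OidcConfig and a set of ID-token claims, splits the comma-separated scopes/extraParams fields, checks issuerUri against the field doc, and redacts the secret fields before logging. The fallback to the "sub" claim when userClaim is unset is an assumption, and the sample config and claims are constructed.

```python
"""Derive the Kubernetes identity an OidcConfig yields from an ID token, parse
its comma-separated fields and redact its secrets. Added example, not Anthos
Identity Service code; the "sub" fallback is an assumption and the sample
config and claims are constructed."""

from typing import Dict, List, Tuple
from urllib.parse import urlparse


def parse_csv(value: str) -> List[str]:
    """Split a comma-separated field such as scopes or extraParams, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_issuer(cfg: Dict) -> str:
    """issuerUri must be an https URL and stop one level above .well-known/openid-configuration."""
    uri = cfg["issuerUri"]
    parsed = urlparse(uri)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"issuerUri must be an https URL: {uri!r}")
    if ".well-known" in parsed.path:
        raise ValueError("issuerUri must not include the .well-known/openid-configuration path")
    return uri


def kube_identity(cfg: Dict, claims: Dict) -> Tuple[str, List[str]]:
    """Return (username, groups) as Kubernetes RBAC will see them: prefix + claim value."""
    user_claim = cfg.get("userClaim", "sub")  # assumed fallback; the reference states no default
    if user_claim not in claims:
        raise ValueError(f"ID token lacks the configured userClaim {user_claim!r}")
    username = cfg.get("userPrefix", "") + str(claims[user_claim])
    groups: List[str] = []
    groups_claim = cfg.get("groupsClaim")
    if groups_claim and groups_claim in claims:
        raw = claims[groups_claim]
        raw = [raw] if isinstance(raw, str) else list(raw)
        groups = [cfg.get("groupPrefix", "") + g for g in raw]
    return username, groups


def redact(cfg: Dict) -> Dict:
    """Copy of the config that is safe to log: clientSecret is input only and must
    never be echoed back; encryptedClientSecret is output only and is dropped too."""
    return {k: v for k, v in cfg.items() if k not in ("clientSecret", "encryptedClientSecret")}


# Constructed sample config and ID-token claims (not from the page).
SAMPLE_CONFIG = {
    "clientId": "kubectl-client-id",
    "issuerUri": "https://idp.example.com",
    "scopes": "openid, email, groups",
    "extraParams": "prompt=consent,resource=example",
    "userClaim": "email",
    "userPrefix": "oidc:",
    "groupsClaim": "groups",
    "groupPrefix": "oidc:",
    "clientSecret": "do-not-log-me",
}
SAMPLE_CLAIMS = {"sub": "1234", "email": "alice@example.com", "groups": ["dev", "ops"]}

if __name__ == "__main__":
    check_issuer(SAMPLE_CONFIG)
    print(kube_identity(SAMPLE_CONFIG, SAMPLE_CLAIMS))
    print(parse_csv(SAMPLE_CONFIG["scopes"]), redact(SAMPLE_CONFIG))
```

Prefixes matter because RBAC bindings are written against the prefixed names: with groupPrefix "oidc:", a provider group called "system:masters" becomes "oidc:system:masters" and cannot collide with the cluster's built-in group of that name.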
Spec.AuthMethod.AzureADConfig
Configuration for the AzureAD Auth flow.

| JSON representation |
|---|
| `{ "clientId": string, "tenant": string, "kubectlRedirectUri": string, "clientSecret": string, "encryptedClientSecret": string, "userClaim": string, "groupFormat": string }` |

| Fields | |
|---|---|
| clientId | ID for the registered client application that makes authentication requests to the Azure AD identity provider. |
| tenant | Kind of Azure AD account to be authenticated. Supported values are |
| kubectlRedirectUri | The redirect URL that kubectl uses for authorization. |
| clientSecret | Input only. Unencrypted AzureAD client secret; will be passed to the GKE Hub CLH. |
| encryptedClientSecret | Output only. Encrypted AzureAD client secret. A base64-encoded string. |
| userClaim | Optional. Claim in the AzureAD ID Token that holds the user details. |
| groupFormat | Optional. Format of the AzureAD groups that the client wants for auth. |

Spec.AuthMethod.GoogleConfig
Configuration for the Google Plugin Auth flow.

| JSON representation |
|---|
| `{ "disable": boolean }` |

| Fields | |
|---|---|
| disable | Disable automatic configuration of the Google Plugin on supported platforms. |

Spec.AuthMethod.SamlConfig
Configuration for the SAML Auth flow.

| JSON representation |
|---|
| `{ "identityProviderId": string, "identityProviderSsoUri": string, "identityProviderCertificates": [ string ], "userAttribute": string, "groupsAttribute": string, "userPrefix": string, "groupPrefix": string, "attributeMapping": { string: string, ... } }` |

| Fields | |
|---|---|
| identityProviderId | Required. The entity ID of the SAML IdP. |
| identityProviderSsoUri | Required. The URI where the SAML IdP exposes the SSO service. |
| identityProviderCertificates[] | Required. The list of IdP certificates to validate the SAML response against. |
| userAttribute | Optional. The SAML attribute to read the username from. If unspecified, the username will be read from the NameID element of the assertion in the SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the |
| groupsAttribute | Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the |
| userPrefix | Optional. Prefix to prepend to the user name. |
| groupPrefix | Optional. Prefix to prepend to the group name. |
| attributeMapping | Optional. The mapping of additional user attributes like nickname, birthday and address etc. An object containing a list of |
Spec.AuthMethod.LdapConfig
Configuration for the LDAP Auth flow.

| JSON representation |
|---|
| `{ "server": { object (` |

| Fields | |
|---|---|
| server | Required. Server settings for the external LDAP server. |
| user | Required. Defines where users exist in the LDAP directory. |
| group | Optional. Contains the properties for locating and authenticating groups in the directory. |
| service | Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. |

Spec.AuthMethod.LdapConfig.ServerConfig
Server settings for the external LDAP server.

| JSON representation |
|---|
| `{ "host": string, "connectionType": string, "certificateAuthorityData": string }` |

| Fields | |
|---|---|
| host | Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". |
| connectionType | Optional. Defines the connection type to communicate with the LDAP server. If |
| certificateAuthorityData | Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. A base64-encoded string. |

Spec.AuthMethod.LdapConfig.UserConfig
Defines where users exist in the LDAP directory.

| JSON representation |
|---|
| `{ "baseDn": string, "loginAttribute": string, "idAttribute": string, "filter": string }` |

| Fields | |
|---|---|
| baseDn | Required. The location of the subtree in the LDAP directory to search for user entries. |
| loginAttribute | Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "( |
| idAttribute | Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". |
| filter | Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". |

Spec.AuthMethod.LdapConfig.GroupConfig
Contains the properties for locating and authenticating groups in the directory.

| JSON representation |
|---|
| `{ "baseDn": string, "idAttribute": string, "filter": string }` |

| Fields | |
|---|---|
| baseDn | Required. The location of the subtree in the LDAP directory to search for group entries. |
| idAttribute | Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". |
| filter | Optional. Filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". |

Spec.AuthMethod.LdapConfig.ServiceAccountConfig
Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.

| JSON representation |
|---|
| `{ // Union field` |

Union field authentication_mechanism. Guarantees that the user supplies one authentication mechanism at a time. authentication_mechanism can be only one of the following:

| Fields | |
|---|---|
| simple | Credentials for basic auth. |

Spec.AuthMethod.LdapConfig.ServiceAccountConfig.SimpleBindCredentials
The structure holds the LDAP simple binding credential.

| JSON representation |
|---|
| `{ "dn": string, "password": string, "encryptedPassword": string }` |

| Fields | |
|---|---|
| dn | Required. The distinguished name (DN) of the service account object/user. |
| password | Required. Input only. The password of the service account object/user. |
| encryptedPassword | Output only. The encrypted password of the service account object/user. A base64-encoded string. |
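The LDAP sections above (ServerConfig, UserConfig, GroupConfig and ServiceAccountConfig) spell out defaults and transport requirements but leave the resulting searches implicit. The following is an added example (not Anthos Identity Service code) that validates such a configuration and builds the user and group searches it implies. Assumptions: a connectionType other than "ldaps" or "startTLS" is treated as unencrypted; the user search combines `filter` and `loginAttribute` with an LDAP AND filter; loginAttribute falls back to "userPrincipalName" when unset (the reference truncates its default); the hostnames, DNs and placeholder certificate in the sample are constructed.

```python
"""Check an LdapConfig and build the user and group searches it implies.
Added example, not Anthos Identity Service code; see the lead-in for the
assumptions (AND-combined user filter, unencrypted default, sample data)."""

import base64
from typing import Dict, List, Tuple

TLS_CONNECTION_TYPES = {"ldaps", "startTLS"}  # the values the ServerConfig doc names


def parse_host(host: str) -> Tuple[str, int]:
    """"ldap.server.example" -> (name, 389); "10.10.10.10:636" -> (ip, 636)."""
    if ":" in host:
        name, port = host.rsplit(":", 1)
        return name, int(port)
    return host, 389


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a typed username cannot change the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_search(user: Dict, login: str) -> Tuple[str, str, str]:
    """(baseDn, filter, idAttribute) for locating the account that typed `login`."""
    base_filter = user.get("filter", "(objectClass=User)")       # documented default
    login_attr = user.get("loginAttribute", "userPrincipalName")  # assumed default
    id_attr = user.get("idAttribute", "userPrincipalName")        # documented default
    combined = f"(&{base_filter}({login_attr}={escape_filter_value(login)}))"
    return user["baseDn"], combined, id_attr


def group_search(group: Dict) -> Tuple[str, str, str]:
    """(baseDn, filter, idAttribute) for a user's groups, with the documented defaults."""
    return (group["baseDn"], group.get("filter", "(objectClass=Group)"),
            group.get("idAttribute", "distinguishedName"))


def review_ldap(cfg: Dict) -> List[str]:
    """Findings a reviewer would raise about the transport and the search account."""
    findings: List[str] = []
    server = cfg["server"]
    conn = server.get("connectionType")
    if conn not in TLS_CONNECTION_TYPES:
        findings.append(f"connectionType={conn!r}: bind credentials travel unencrypted")
    elif "certificateAuthorityData" not in server:
        findings.append(f"connectionType={conn} requires certificateAuthorityData")
    else:
        pem = base64.b64decode(server["certificateAuthorityData"]).decode("ascii", "replace")
        if "-----BEGIN CERTIFICATE-----" not in pem:
            findings.append("certificateAuthorityData is not a PEM certificate")
    creds = cfg.get("serviceAccount", {}).get("simpleBindCredentials", {})
    if not creds.get("dn"):
        findings.append("simpleBindCredentials.dn is required for the search account")
    return findings


# Constructed sample; the certificate body is a placeholder, not a real certificate.
_PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_LDAP = {
    "server": {
        "host": "ldap.server.example:636",
        "connectionType": "ldaps",
        "certificateAuthorityData": base64.b64encode(_PLACEHOLDER_PEM.encode()).decode(),
    },
    "user": {"baseDn": "ou=people,dc=example,dc=com", "loginAttribute": "sAMAccountName",
             "idAttribute": "userPrincipalName", "filter": "(objectClass=User)"},
    "group": {"baseDn": "ou=groups,dc=example,dc=com"},
    "serviceAccount": {"simpleBindCredentials": {"dn": "cn=ais-search,dc=example,dc=com",
                                                  "password": "input-only"}},
}

if __name__ == "__main__":
    print(parse_host(SAMPLE_LDAP["server"]["host"]))
    print(user_search(SAMPLE_LDAP["user"], "bsmith"))
    print(review_ldap(SAMPLE_LDAP) or ["no findings"])
```

The escaping step is the part most worth keeping: the loginAttribute value is user-typed input that ends up inside a search filter, so it has to be escaped before the filter is assembled, whatever the rest of the configuration looks like.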
Spec.IdentityServiceOptions
Holds non-protocol-related configuration options.

| JSON representation |
|---|
| `{ "sessionDuration": string, "diagnosticInterface": { object (` |

| Fields | |
|---|---|
| sessionDuration | Determines the lifespan of STS tokens issued by Anthos Identity Service. A duration in seconds with up to nine fractional digits, ending with ' |
| diagnosticInterface | Configuration options for the AIS diagnostic interface. |

Spec.IdentityServiceOptions.DiagnosticInterface
Configuration options for the AIS diagnostic interface.

| JSON representation |
|---|
| `{ "enabled": boolean, "expirationTime": string }` |

| Fields | |
|---|---|
| enabled | Determines whether to enable the diagnostic interface. |
| expirationTime | Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
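sessionDuration and expirationTime use the protobuf JSON Duration and Timestamp encodings described above. The following is an added example (not Google's code) that parses both forms, decides whether the diagnostic interface still accepts requests at a given instant, and flags the two settings a reviewer looks for: a long STS token lifetime and a diagnostic interface enabled with no expiry. The 24-hour threshold and the sample values are my own.

```python
"""Interpret IdentityServiceOptions: parse sessionDuration and expirationTime and
review them. Added example, not Google's code; the 24h threshold is an assumption
and the sample values are constructed."""

from datetime import datetime, timedelta, timezone
from typing import Dict, List


def parse_duration(value: str) -> timedelta:
    """Parse the JSON Duration form ("3600s", "1.5s", up to nine fractional digits)."""
    if not value.endswith("s"):
        raise ValueError(f"duration must end with 's': {value!r}")
    return timedelta(seconds=float(value[:-1]))


def parse_timestamp(value: str) -> datetime:
    """Parse an RFC3339 UTC "Zulu" timestamp with up to nine fractional digits."""
    if not value.endswith("Z"):
        raise ValueError(f"timestamp must be UTC 'Zulu': {value!r}")
    body = value[:-1]
    if "." in body:
        main, frac = body.split(".", 1)
        body = f"{main}.{(frac + '000000')[:6]}"  # datetime keeps microseconds
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def diagnostic_interface_open(options: Dict, now: datetime) -> bool:
    """True if the diagnostic interface accepts requests at `now`: it must be
    enabled and, when expirationTime is set, not yet past it."""
    di = options.get("diagnosticInterface", {})
    if not di.get("enabled", False):
        return False
    exp = di.get("expirationTime")
    return exp is None or now < parse_timestamp(exp)


def review_options(options: Dict, max_session: timedelta = timedelta(hours=24)) -> List[str]:
    """Reviewer findings: long STS token lifetime, open-ended diagnostic interface."""
    findings: List[str] = []
    if "sessionDuration" in options:
        if parse_duration(options["sessionDuration"]) > max_session:
            findings.append(f"sessionDuration {options['sessionDuration']} exceeds {max_session}")
    di = options.get("diagnosticInterface", {})
    if di.get("enabled") and "expirationTime" not in di:
        findings.append("diagnosticInterface is enabled without an expirationTime")
    return findings


# Constructed sample (not from the page).
SAMPLE_OPTIONS = {
    "sessionDuration": "172800s",
    "diagnosticInterface": {"enabled": True, "expirationTime": "2024-06-01T12:00:00Z"},
}

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 11, 0, tzinfo=timezone.utc)
    print(diagnostic_interface_open(SAMPLE_OPTIONS, now), review_options(SAMPLE_OPTIONS))
```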
Spec
Service Mesh: Spec for a single Membership for the servicemesh feature

| JSON representation |
|---|
| `{ "controlPlane": enum (` |

| Fields | |
|---|---|
| controlPlane | Deprecated: use |
| defaultChannel | Determines which release channel to use for default injection and service mesh APIs. |
| management | Optional. Enables automatic Service Mesh management. |
| config | Optional. Specifies the API that will be used for configuring the mesh workloads. |

Spec.ControlPlaneManagement
Whether to automatically manage Service Mesh control planes.

| Enums | |
|---|---|
| CONTROL_PLANE_MANAGEMENT_UNSPECIFIED | Unspecified |
| AUTOMATIC | Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install. |
| MANUAL | User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API) |

Channel
Channel indicates which release channel a revision is subscribed to. Release channels are arranged in order of risk.

| Enums | |
|---|---|
| CHANNEL_UNSPECIFIED | Unspecified |
| RAPID | RAPID channel is offered on an early access basis for customers who want to test new releases. |
| REGULAR | REGULAR channel is intended for production users who want to take advantage of new features. |
| STABLE | STABLE channel includes versions that are known to be stable and reliable in production. |

Spec.Management
Whether to automatically manage Service Mesh.

| Enums | |
|---|---|
| MANAGEMENT_UNSPECIFIED | Unspecified |
| MANAGEMENT_AUTOMATIC | Google should manage my Service Mesh for the cluster. |
| MANAGEMENT_MANUAL | User will manually configure their service mesh components. |

Spec.ConfigApi
Specifies the API that will be used for configuring the mesh workloads.

| Enums | |
|---|---|
| CONFIG_API_UNSPECIFIED | Unspecified |
| CONFIG_API_ISTIO | Use the Istio API for configuration. |
| CONFIG_API_GATEWAY | Use the K8s Gateway API for configuration. |

Spec
Anthos Config Management: Configuration for a single cluster. Intended to parallel the ConfigManagement CR.

| JSON representation |
|---|
| `{ "configSync": { object (` |

| Fields | |
|---|---|
| configSync | Config Sync configuration for the cluster. |
| policy | Policy Controller configuration for the cluster. Deprecated: Configuring Policy Controller through the configmanagement feature is no longer recommended. Use the policycontroller feature instead. |
| binauthz | Binauthz configuration for the cluster. Deprecated: This field will be ignored and should not be set. |
| hierarchy | Hierarchy Controller configuration for the cluster. Deprecated: Configuring Hierarchy Controller through the configmanagement feature is no longer recommended. Use https://github.com/kubernetes-sigs/hierarchical-namespaces instead. |
| version | Version of ACM installed. |
| cluster | The user-specified cluster name used by the Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by the Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by the Config Sync cluster-name-selector annotation or ClusterSelector. |
| management | Enables automatic Feature management. |
ConfigSync
Configuration for Config Sync

| Fields | |
|---|---|
| git | Git repo configuration for the cluster. |
| source | Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode. |
| prevent | Set to true to enable the Config Sync admission webhook to prevent drifts. If set to |
| oci | OCI repo configuration for the cluster. |
| allowVerticalScale | Set to true to allow vertical scaling. Defaults to false, which disallows vertical scaling. This field is deprecated. |
| metricsGcpServiceAccountEmail | The email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount |
| stop | Set to true to stop syncing configs for a single cluster. Defaults to false. |
| enabled | Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if they exist. If set to false, all other ConfigSync fields will be ignored and ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depending on the presence of the git or oci field. |

GitConfig
Git repo configuration for a single cluster.

| JSON representation |
|---|
| `{ "syncRepo": string, "syncBranch": string, "policyDir": string, "syncWaitSecs": string, "syncRev": string, "secretType": string, "httpsProxy": string, "gcpServiceAccountEmail": string }` |

| Fields | |
|---|---|
| syncRepo | The URL of the Git repository to use as the source of truth. |
| syncBranch | The branch of the repository to sync from. Default: master. |
| policyDir | The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository. |
| syncWaitSecs | Period in seconds between consecutive syncs. Default: 15. |
| syncRev | Git revision (tag or hash) to check out. Default: HEAD. |
| secretType | Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. The validation of this is case-sensitive. Required. |
| httpsProxy | URL for the HTTPS proxy to be used when communicating with the Git repo. |
| gcpServiceAccountEmail | The Google Cloud Service Account email used for auth when secretType is gcpServiceAccount. |

OciConfig
OCI repo configuration for a single cluster.

| JSON representation |
|---|
| `{ "syncRepo": string, "policyDir": string, "syncWaitSecs": string, "secretType": string, "gcpServiceAccountEmail": string }` |

| Fields | |
|---|---|
| syncRepo | The OCI image repository URL for the package to sync from. e.g. |
| policyDir | The absolute path of the directory that contains the local resources. Default: the root directory of the image. |
| syncWaitSecs | Period in seconds between consecutive syncs. Default: 15. |
| secretType | Type of secret configured for access to the Git repo. |
| gcpServiceAccountEmail | The Google Cloud Service Account email used for auth when secretType is gcpServiceAccount. |
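The GitConfig and OciConfig field docs above state defaults (master, 15, HEAD) and one validation rule (secretType is a case-sensitive member of a fixed set). The following is an added example (not Config Sync code) that applies those rules, fills the defaults, and adds two reviewer findings of my own for a source-of-truth repository: unauthenticated access (secretType none) and an unpinned revision (syncRev left at HEAD). The repository URLs in the sample are constructed.

```python
"""Apply the GitConfig/OciConfig defaults and validation rules and review the
result. Added example, not Config Sync code; the two review findings are my own
reviewer notes and the sample URLs are constructed."""

from typing import Dict, List

# secretType values listed in the GitConfig doc; validation is case-sensitive.
GIT_SECRET_TYPES = {"ssh", "cookiefile", "gcenode", "token", "gcpserviceaccount", "none"}
# Documented defaults; syncWaitSecs is an int64 carried as a JSON string.
GIT_DEFAULTS = {"syncBranch": "master", "syncWaitSecs": "15", "syncRev": "HEAD"}
OCI_DEFAULTS = {"syncWaitSecs": "15"}


def effective_git_config(cfg: Dict) -> Dict:
    """Return the GitConfig with defaults filled in, or raise on invalid input."""
    if not cfg.get("syncRepo"):
        raise ValueError("syncRepo is required")
    secret = cfg.get("secretType")
    if secret is None:
        raise ValueError("secretType is required")
    if secret not in GIT_SECRET_TYPES:  # exact match: "Token" is rejected, "token" accepted
        raise ValueError(f"secretType {secret!r} must be one of {sorted(GIT_SECRET_TYPES)}")
    if secret == "gcpserviceaccount" and not cfg.get("gcpServiceAccountEmail"):
        raise ValueError("gcpServiceAccountEmail is required when secretType is gcpserviceaccount")
    return {**GIT_DEFAULTS, **cfg}


def effective_oci_config(cfg: Dict) -> Dict:
    """Return the OciConfig with its documented default filled in."""
    if not cfg.get("syncRepo"):
        raise ValueError("syncRepo is required")
    return {**OCI_DEFAULTS, **cfg}


def review_git_config(cfg: Dict) -> List[str]:
    """Reviewer findings on an otherwise valid GitConfig."""
    eff = effective_git_config(cfg)
    findings: List[str] = []
    if eff["secretType"] == "none":
        findings.append("secretType=none: the source of truth is fetched without authentication")
    if eff["syncRev"] == "HEAD":
        findings.append("syncRev=HEAD: pin a tag or commit hash so the synced revision is explicit")
    proxy = eff.get("httpsProxy")
    if proxy and not proxy.startswith("https://"):
        findings.append(f"httpsProxy {proxy!r} is not an https URL")
    return findings


# Constructed samples (not from the page).
MINIMAL_GIT = {"syncRepo": "https://git.example.com/platform/config.git", "secretType": "token"}
PINNED_GIT = dict(MINIMAL_GIT, syncRev="v1.2.3", policyDir="clusters/prod")

if __name__ == "__main__":
    print(effective_git_config(MINIMAL_GIT))
    print(review_git_config(MINIMAL_GIT), review_git_config(PINNED_GIT))
```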
PolicyController
Configuration for Policy Controller

| JSON representation |
|---|
| `{ "enabled": boolean, "exemptableNamespaces": [ string ], "referentialRulesEnabled": boolean, "logDeniesEnabled": boolean, "mutationEnabled": boolean, "monitoring": { object (` |

| Fields | |
|---|---|
| enabled | Enables the installation of Policy Controller. If false, the rest of the PolicyController fields take no effect. |
| exemptableNamespaces | The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. |
| referentialRulesEnabled | Enables the ability to use Constraint Templates that reference objects other than the object currently being evaluated. |
| logDeniesEnabled | Logs all denies and dry run failures. |
| mutationEnabled | Enable or disable mutation in Policy Controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster. |
| monitoring | Monitoring specifies the configuration of monitoring. |
| update | Output only. Last time this membership spec was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| template | Installs the default template library along with Policy Controller. |
| audit | Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. |

PolicyControllerMonitoring
PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify that metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]

| JSON representation |
|---|
| `{ "backends": [ enum (` |

| Fields | |
|---|---|
| backends[] | Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. |

PolicyControllerMonitoring.MonitoringBackend
Supported backend options for monitoring

| Enums | |
|---|---|
| MONITORING_BACKEND_UNSPECIFIED | Backend cannot be determined |
| PROMETHEUS | Prometheus backend for monitoring |
| CLOUD_MONITORING | Stackdriver/Cloud Monitoring backend for monitoring |

BinauthzConfig
Configuration for Binauthz.

| JSON representation |
|---|
| `{ "enabled": boolean }` |

| Fields | |
|---|---|
| enabled | Whether binauthz is enabled in this cluster. |

HierarchyControllerConfig
Configuration for Hierarchy Controller.

| JSON representation |
|---|
| `{ "enabled": boolean, "enablePodTreeLabels": boolean, "enableHierarchicalResourceQuota": boolean }` |

| Fields | |
|---|---|
| enabled | Whether Hierarchy Controller is enabled in this cluster. |
| enablePodTreeLabels | Whether pod tree labels are enabled in this cluster. |
| enableHierarchicalResourceQuota | Whether hierarchical resource quota is enabled in this cluster. |

Spec.Management
Whether to automatically manage the Feature.

| Enums | |
|---|---|
| MANAGEMENT_UNSPECIFIED | Unspecified |
| MANAGEMENT_AUTOMATIC | Google will manage the Feature for the cluster. |
| MANAGEMENT_MANUAL | User will manually manage the Feature for the cluster. |
FeatureSpec.Origin

Origin defines where this FeatureSpec originated from.

JSON representation: `{ "type": enum (`

| Field | Description |
|---|---|
| `type` | Type specifies which type of origin is set. |

FeatureSpec.Origin.Type

Type specifies the persona that persisted the config.

| Enum | Description |
|---|---|
| `TYPE_UNSPECIFIED` | Type is unknown or not set. |
| `FLEET` | Per-Feature spec was inherited from the fleet-level default. |
| `FLEET_OUT_OF_SYNC` | Per-Feature spec was inherited from the fleet-level default but is now out of sync with the current default. |
| `USER` | Per-Feature spec was inherited from a user specification. |
FeatureState

FeatureState contains high-level state information and per-feature state information for this MembershipFeature.

JSON representation: `{ "state": { object (`

| Field | Description |
|---|---|
| `state` | The high-level state of this MembershipFeature. |

Union field `feature_state`. Status specific to each Fleet feature. `feature_state` can be only one of the following:

| Field | Description |
|---|---|
| `clusterupgrade` | Cluster upgrade state. |
| `identityservice` | Identity service state. |
| `servicemesh` | Service mesh state. |
| `metering` | Metering state. |
| `configmanagement` | Config Management state. |
| `policycontroller` | Policy Controller state. |
| `appdevexperience` | Appdevexperience specific state. |
State

Cluster upgrade: per-membership state for this feature.

JSON representation: `{ "upgrades": [ { object (`

| Field | Description |
|---|---|
| `upgrades[]` | Actual upgrade state against desired. |
| `ignored` | Whether this membership is ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of their release channel. |

IgnoredMembership

IgnoredMembership represents a membership ignored by the feature. A membership can be ignored because it was manually upgraded to a newer version than the release channel (RC) default.

JSON representation: `{ "reason": string, "ignoredTime": string }`

| Field | Description |
|---|---|
| `reason` | Reason why the membership is ignored. |
| `ignoredTime` | Time when the membership was first set to ignored. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
MembershipGKEUpgradeState

MembershipGKEUpgradeState is a GKEUpgrade and its state per-membership.

JSON representation: `{ "upgrade": { object (`

| Field | Description |
|---|---|
| `upgrade` | The upgrade whose state is being tracked. |
| `status` | Status of the upgrade. |

GKEUpgrade

GKEUpgrade represents a GKE provided upgrade, e.g., a control plane upgrade.

JSON representation: `{ "name": string, "version": string }`

| Field | Description |
|---|---|
| `name` | Name of the upgrade, e.g., "k8s_control_plane". |
| `version` | Version of the upgrade, e.g., "1.22.1-gke.100". |
UpgradeStatus

UpgradeStatus provides status information for each upgrade.

JSON representation: `{ "code": enum (`

| Field | Description |
|---|---|
| `code` | Status code of the upgrade. |
| `reason` | Reason for this status. |
| `update` | Last timestamp the status was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |

UpgradeStatus.Code

Status code of an upgrade.

| Enum | Description |
|---|---|
| `CODE_UNSPECIFIED` | Required by https://linter.aip.dev/126/unspecified. |
| `INELIGIBLE` | The upgrade is ineligible. At the scope level, this means the upgrade is ineligible for all the clusters in the scope. |
| `PENDING` | The upgrade is pending. At the scope level, this means the upgrade is pending for all the clusters in the scope. |
| `IN_PROGRESS` | The upgrade is in progress. At the scope level, this means the upgrade is in progress for at least one cluster in the scope. |
| `SOAKING` | The upgrade has finished and is soaking until the soaking time is up. At the scope level, this means at least one cluster is in soaking while the rest are either soaking or complete. |
| `FORCED_SOAKING` | A cluster will be forced to enter soaking if an upgrade does not finish within a certain limit, regardless of its actual status. |
| `COMPLETE` | The upgrade has passed all post conditions (soaking). At the scope level, this means all eligible clusters are in COMPLETE status. |
State

IdentityService: State for a single membership, analyzed and reported by the feature controller.

JSON representation: `{ "installedVersion": string, "state": enum (`

| Field | Description |
|---|---|
| `installedVersion` | Installed AIS version. This is the AIS version installed on this member. The value is only meaningful if state is OK. |
| `state` | Deployment state on this member. |
| `failure` | The reason for the failure. |
| `member` | Last reconciled membership configuration. |

State.DeploymentState

Deployment state enum.

| Enum | Description |
|---|---|
| `DEPLOYMENT_STATE_UNSPECIFIED` | Unspecified state. |
| `OK` | Deployment succeeded. |
| `ERROR` | Failure with error. |
State

Service Mesh: State for a single Membership, as analyzed by the Service Mesh Hub Controller.

JSON representation: `{ "analysisMessages": [ { object (`

| Field | Description |
|---|---|
| `analysisMessages[]` | Output only. Results of running Service Mesh analyzers. |
| `control` | Output only. Status of control plane management. |
| `data` | Output only. Status of data plane management. |
| `config` | The API version (i.e. Istio CRD version) for configuring service mesh in this cluster. This version is influenced by the |
| `conditions[]` | Output only. List of conditions reported for this membership. |
AnalysisMessage

AnalysisMessage is a single message produced by an analyzer, and is used to communicate to the end user about the state of their Service Mesh configuration.

JSON representation: `{ "messageBase": { object (`

| Field | Description |
|---|---|
| `messageBase` | Details common to all types of Istio and ServiceMesh analysis messages. |
| `description` | A human-readable description of what the error means. It is suitable for non-internationalized display purposes. |
| `resource` | A list of strings specifying the resource identifiers that were the cause of message generation. A "path" here may be either MEMBERSHIP_ID, if the cause is a specific member cluster, or MEMBERSHIP_ID/(NAMESPACE\/)?RESOURCETYPE/NAME, if the cause is a resource in a cluster. |
| `args` | A UI can combine these args with a template (based on messageBase.type) to produce an internationalized message. |
AnalysisMessageBase

AnalysisMessageBase describes some common information that is needed for all messages.

JSON representation: `{ "type": { object (`

| Field | Description |
|---|---|
| `type` | Represents the specific type of a message. |
| `level` | Represents how severe a message is. |
| `documentation` | A URL pointing to the Service Mesh or Istio documentation for this specific error type. |
AnalysisMessageBase.Type

A unique identifier for the type of message. displayName is intended to be human-readable; code is intended to be machine-readable. There should be a one-to-one mapping between displayName and code (i.e. do not re-use display names or codes between message types). See istio.analysis.v1alpha1.AnalysisMessageBase.Type.

JSON representation: `{ "displayName": string, "code": string }`

| Field | Description |
|---|---|
| `displayName` | A human-readable name for the message type, e.g. "InternalError", "PodMissingProxy". This should be the same for all messages of the same type. (This corresponds to the |
| `code` | A 7 character code matching |

AnalysisMessageBase.Level

The values here are chosen so that more severe messages sort higher, while leaving space in between to add more levels later. See istio.analysis.v1alpha1.AnalysisMessageBase.Level.

| Enum | Description |
|---|---|
| `LEVEL_UNSPECIFIED` | Illegal. Same as istio.analysis.v1alpha1.AnalysisMessageBase.Level.UNKNOWN. |
| `ERROR` | ERROR represents a misconfiguration that must be fixed. |
| `WARNING` | WARNING represents a misconfiguration that should be fixed. |
| `INFO` | INFO represents an informational finding. |
State.ControlPlaneManagement

Status of control plane management.

JSON representation: `{ "details": [ { object (`

| Field | Description |
|---|---|
| `details[]` | Explanation of state. |
| `state` | LifecycleState of control plane management. |
| `implementation` | Output only. Implementation of managed control plane. |

StatusDetails

Structured and human-readable details for a status.

JSON representation: `{ "code": string, "details": string }`

| Field | Description |
|---|---|
| `code` | A machine-readable code that further describes a broad status. |
| `details` | Human-readable explanation of code. |
State.LifecycleState

Lifecycle state of Service Mesh components.

| Enum | Description |
|---|---|
| `LIFECYCLE_STATE_UNSPECIFIED` | Unspecified. |
| `DISABLED` | DISABLED means that the component is not enabled. |
| `FAILED_PRECONDITION` | FAILED_PRECONDITION means that provisioning cannot proceed because of some characteristic of the member cluster. |
| `PROVISIONING` | PROVISIONING means that provisioning is in progress. |
| `ACTIVE` | ACTIVE means that the component is ready for use. |
| `STALLED` | STALLED means that provisioning could not be done. |
| `NEEDS_ATTENTION` | NEEDS_ATTENTION means that the component is ready, but some user intervention is required. (For example, the user should migrate workloads to a new control plane revision.) |
| `DEGRADED` | DEGRADED means that the component is ready, but operating in a degraded state. |

State.ControlPlaneManagement.Implementation

Implementation of managed control plane.

| Enum | Description |
|---|---|
| `IMPLEMENTATION_UNSPECIFIED` | Unspecified. |
| `ISTIOD` | A Google build of istiod is used for the managed control plane. |
| `TRAFFIC_DIRECTOR` | Traffic Director is used for the managed control plane. |
| `UPDATING` | The control plane implementation is being updated. |
State.DataPlaneManagement

Status of data plane management. Only reported per-member.

JSON representation: `{ "state": enum (`

| Field | Description |
|---|---|
| `state` | Lifecycle status of data plane management. |
| `details[]` | Explanation of the status. |

State.Condition

Condition being reported.

JSON representation: `{ "code": enum (`

| Field | Description |
|---|---|
| `code` | Unique identifier of the condition which describes the condition recognizable to the user. |
| `documentation` | Links containing actionable information. |
| `details` | A short summary of the issue. |
| `severity` | Severity level of the condition. |
State.Condition.Code

Unique identifier of the condition which describes the condition recognizable to the user.

| Enum | Description |
|---|---|
| `CODE_UNSPECIFIED` | Default unspecified code. |
| `MESH_IAM_PERMISSION_DENIED` | Mesh IAM permission denied error code. |
| `MESH_IAM_CROSS_PROJECT_PERMISSION_DENIED` | Permission denied error code for cross-project access. |
| `CNI_CONFIG_UNSUPPORTED` | CNI config unsupported error code. |
| `GKE_SANDBOX_UNSUPPORTED` | GKE Sandbox unsupported error code. |
| `NODEPOOL_WORKLOAD_IDENTITY_FEDERATION_REQUIRED` | Node pool workload identity federation required error code. |
| `CNI_INSTALLATION_FAILED` | CNI installation failed error code. |
| `CNI_POD_UNSCHEDULABLE` | CNI pod unschedulable error code. |
| `CLUSTER_HAS_ZERO_NODES` | Cluster has zero nodes error code. |
| `UNSUPPORTED_MULTIPLE_CONTROL_PLANES` | Multiple control planes unsupported error code. |
| `VPCSC_GA_SUPPORTED` | VPC-SC GA is supported for this control plane. |
| `DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT` | User is using the deprecated ControlPlaneManagement and has not yet set Management. |
| `DEPRECATED_SPEC_CONTROL_PLANE_MANAGEMENT_SAFE` | User is using the deprecated ControlPlaneManagement and has already set Management. |
| `CONFIG_APPLY_INTERNAL_ERROR` | Configuration (Istio/k8s resources) failed to apply due to an internal error. |
| `CONFIG_VALIDATION_ERROR` | Configuration failed to be applied because it is invalid. |
| `CONFIG_VALIDATION_WARNING` | Encountered configuration(s) with possible unintended behavior or invalid configuration. These configs may not have been applied. |
| `QUOTA_EXCEEDED_BACKEND_SERVICES` | BackendService quota exceeded error code. |
| `QUOTA_EXCEEDED_HEALTH_CHECKS` | HealthCheck quota exceeded error code. |
| `QUOTA_EXCEEDED_HTTP_ROUTES` | HTTPRoute quota exceeded error code. |
| `QUOTA_EXCEEDED_TCP_ROUTES` | TCPRoute quota exceeded error code. |
| `QUOTA_EXCEEDED_TLS_ROUTES` | TLS routes quota exceeded error code. |
| `QUOTA_EXCEEDED_TRAFFIC_POLICIES` | TrafficPolicy quota exceeded error code. |
| `QUOTA_EXCEEDED_ENDPOINT_POLICIES` | EndpointPolicy quota exceeded error code. |
| `QUOTA_EXCEEDED_GATEWAYS` | Gateway quota exceeded error code. |
| `QUOTA_EXCEEDED_MESHES` | Mesh quota exceeded error code. |
| `QUOTA_EXCEEDED_SERVER_TLS_POLICIES` | ServerTLSPolicy quota exceeded error code. |
| `QUOTA_EXCEEDED_CLIENT_TLS_POLICIES` | ClientTLSPolicy quota exceeded error code. |
| `QUOTA_EXCEEDED_SERVICE_LB_POLICIES` | ServiceLBPolicy quota exceeded error code. |
| `QUOTA_EXCEEDED_HTTP_FILTERS` | HTTPFilter quota exceeded error code. |
| `QUOTA_EXCEEDED_TCP_FILTERS` | TCPFilter quota exceeded error code. |
| `QUOTA_EXCEEDED_NETWORK_ENDPOINT_GROUPS` | NetworkEndpointGroup quota exceeded error code. |
| `MODERNIZATION_SCHEDULED` | Modernization is scheduled for a cluster. |
| `MODERNIZATION_IN_PROGRESS` | Modernization is in progress for a cluster. |
| `MODERNIZATION_COMPLETED` | Modernization is completed for a cluster. |
| `MODERNIZATION_ABORTED` | Modernization is aborted for a cluster. |
State.Condition.Severity

Severity level of the reported condition.

| Enum | Description |
|---|---|
| `SEVERITY_UNSPECIFIED` | Unspecified severity. |
| `ERROR` | Indicates an issue that prevents the mesh from operating correctly. |
| `WARNING` | Indicates a setting is likely wrong, but the mesh is still able to operate. |
| `INFO` | An informational message, not requiring any action. |
State

Metering: State for a single membership, analyzed and reported by the feature controller.

JSON representation: `{ "lastMeasurementTime": string, "preciseLastMeasuredClusterVcpuCapacity": number }`

| Field | Description |
|---|---|
| `lastMeasurementTime` | The time stamp of the most recent measurement of the number of vCPUs in the cluster. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| `preciseLastMeasuredClusterVcpuCapacity` | The vCPU capacity in the cluster according to the most recent measurement (1/1000 precision). |
State

Anthos Config Management: State for a single cluster.

JSON representation: `{ "clusterName": string, "membershipSpec": { object (`

| Field | Description |
|---|---|
| `clusterName` | This field is set to the |
| `membershipSpec` | Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipSpec in the FeatureSpec represents the intended state. |
| `operator` | Current install status of ACM's Operator. |
| `config` | Current sync status. |
| `policy` | PolicyController status. |
| `binauthz` | Binauthz status. |
| `hierarchy` | Hierarchy Controller status. |
OperatorState

State information for ACM's Operator.

JSON representation: `{ "version": string, "deploymentState": enum (`

| Field | Description |
|---|---|
| `version` | The semantic version number of the operator. |
| `deploymentState` | The state of the Operator's deployment. |
| `errors[]` | Install errors. |

DeploymentState

Enum representing the state of an ACM deployment on a cluster.

| Enum | Description |
|---|---|
| `DEPLOYMENT_STATE_UNSPECIFIED` | Deployment's state cannot be determined. |
| `NOT_INSTALLED` | Deployment is not installed. |
| `INSTALLED` | Deployment is installed. |
| `ERROR` | Deployment installation was attempted, but has errors. |
| `PENDING` | Deployment is installing or terminating. |

InstallError

Errors pertaining to the installation of ACM.

JSON representation: `{ "errorMessage": string }`

| Field | Description |
|---|---|
| `errorMessage` | A string representing the user-facing error message. |
ConfigSyncState

State information for ConfigSync.

JSON representation: `{ "version": { object (`

| Field | Description |
|---|---|
| `version` | The version of ConfigSync deployed. |
| `deployment` | Information about the deployment of ConfigSync, including the version of the various Pods deployed. |
| `sync` | The state of ConfigSync's process to sync configs to a cluster. |
| `errors[]` | Errors pertaining to the installation of Config Sync. |
| `rootsync` | The state of the RootSync CRD. |
| `reposync` | The state of the RepoSync CRD. |
| `state` | The state of CS. This field summarizes the other fields in this message. |
| `cluster` | Whether syncing resources to the cluster is stopped at the cluster level. |
| `cr` | Output only. The number of RootSync and RepoSync CRs in the cluster. |
ConfigSyncVersion

Specific versioning information pertaining to ConfigSync's Pods.

JSON representation: `{ "importer": string, "syncer": string, "gitSync": string, "monitor": string, "reconcilerManager": string, "rootReconciler": string, "admissionWebhook": string, "resourceGroupControllerManager": string, "otelCollector": string }`

| Field | Description |
|---|---|
| `importer` | Version of the deployed importer pod. |
| `syncer` | Version of the deployed syncer pod. |
| `gitSync` | Version of the deployed git-sync pod. |
| `monitor` | Version of the deployed monitor pod. |
| `reconcilerManager` | Version of the deployed reconciler-manager pod. |
| `rootReconciler` | Version of the deployed reconciler container in the root-reconciler pod. |
| `admissionWebhook` | Version of the deployed admission-webhook pod. |
| `resourceGroupControllerManager` | Version of the deployed resource-group-controller-manager pod. |
| `otelCollector` | Version of the deployed otel-collector pod. |

ConfigSyncDeploymentState

The state of ConfigSync's deployment on a cluster.

JSON representation: `{ "importer": enum (`

| Field | Description |
|---|---|
| `importer` | Deployment state of the importer pod. |
| `syncer` | Deployment state of the syncer pod. |
| `git` | Deployment state of the git-sync pod. |
| `monitor` | Deployment state of the monitor pod. |
| `reconciler` | Deployment state of the reconciler-manager pod. |
| `root` | Deployment state of root-reconciler. |
| `admission` | Deployment state of admission-webhook. |
| `resource` | Deployment state of resource-group-controller-manager. |
| `otel` | Deployment state of otel-collector. |
SyncState

State indicating ACM's progress syncing configurations to a cluster.

JSON representation: `{ "sourceToken": string, "importToken": string, "syncToken": string, "lastSync": string, "lastSyncTime": string, "code": enum (`

| Field | Description |
|---|---|
| `sourceToken` | Token indicating the state of the repo. |
| `importToken` | Token indicating the state of the importer. |
| `syncToken` | Token indicating the state of the syncer. |
| `lastSync` | Deprecated: use lastSyncTime instead. Timestamp of when ACM last successfully synced the repo. The time format is specified in https://golang.org/pkg/time/#Time.String |
| `lastSyncTime` | Timestamp of when ACM last successfully synced the repo. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| `code` | Sync status code. |
| `errors[]` | A list of errors resulting from problematic configs. This list is truncated after 100 errors, although it is unlikely for that many errors to exist simultaneously. |

SyncState.SyncCode

An enum representing Config Sync's status of syncing configs to a cluster.

| Enum | Description |
|---|---|
| `SYNC_CODE_UNSPECIFIED` | Config Sync cannot determine a sync code. |
| `SYNCED` | Config Sync successfully synced the git repo with the cluster. |
| `PENDING` | Config Sync is in the process of syncing a new change. |
| `ERROR` | Indicates an error configuring Config Sync; user action is required. |
| `NOT_CONFIGURED` | Config Sync has been installed but not configured. |
| `NOT_INSTALLED` | Config Sync has not been installed. |
| `UNAUTHORIZED` | Error authorizing with the cluster. |
| `UNREACHABLE` | Cluster could not be reached. |
SyncError

An ACM-created error representing a problem syncing configurations.

JSON representation: `{ "code": string, "errorMessage": string, "errorResources": [ { object (`

| Field | Description |
|---|---|
| `code` | An ACM-defined error code. |
| `errorMessage` | A description of the error. |
| `errorResources[]` | A list of config(s) associated with the error, if any. |

ErrorResource

Model for a config file in the git repo with an associated Sync error.

JSON representation: `{ "sourcePath": string, "resourceName": string, "resourceNamespace": string, "resourceGvk": { object (`

| Field | Description |
|---|---|
| `sourcePath` | Path in the git repo of the erroneous config. |
| `resourceName` | Metadata name of the resource that is causing an error. |
| `resourceNamespace` | Namespace of the resource that is causing an error. |
| `resourceGvk` | Group/version/kind of the resource that is causing an error. |

GroupVersionKind

A Kubernetes object's GVK.

JSON representation: `{ "group": string, "version": string, "kind": string }`

| Field | Description |
|---|---|
| `group` | Kubernetes Group. |
| `version` | Kubernetes Version. |
| `kind` | Kubernetes Kind. |
ConfigSyncError

Errors pertaining to the installation of Config Sync.

JSON representation: `{ "errorMessage": string }`

| Field | Description |
|---|---|
| `errorMessage` | A string representing the user-facing error message. |

ConfigSyncState.CRDState

CRDState represents the state of a CRD.

| Enum | Description |
|---|---|
| `CRD_STATE_UNSPECIFIED` | CRD's state cannot be determined. |
| `NOT_INSTALLED` | CRD is not installed. |
| `INSTALLED` | CRD is installed. |
| `TERMINATING` | CRD is terminating (i.e., it has been deleted and is cleaning up). |
| `INSTALLING` | CRD is installing. |

ConfigSyncState.State

| Enum | Description |
|---|---|
| `STATE_UNSPECIFIED` | CS's state cannot be determined. |
| `CONFIG_SYNC_NOT_INSTALLED` | CS is not installed. |
| `CONFIG_SYNC_INSTALLED` | The expected CS version is installed successfully. |
| `CONFIG_SYNC_ERROR` | CS encounters errors. |
| `CONFIG_SYNC_PENDING` | CS is installing or terminating. |

ConfigSyncState.StopSyncingState

| Enum | Description |
|---|---|
| `STOP_SYNCING_STATE_UNSPECIFIED` | State cannot be determined. |
| `NOT_STOPPED` | Syncing resources to the cluster is not stopped at the cluster level. |
| `PENDING` | Some reconcilers have stopped syncing resources to the cluster, while others are still syncing. |
| `STOPPED` | Syncing resources to the cluster is stopped at the cluster level. |
PolicyControllerState

State for PolicyControllerState.

JSON representation: `{ "version": { object (`

| Field | Description |
|---|---|
| `version` | The version of Gatekeeper Policy Controller deployed. |
| `deployment` | The state of the Policy Controller installation. |
| `migration` | Record state of the ACM -> PoCo Hub migration for this feature. |

PolicyControllerVersion

The build version of Gatekeeper that Policy Controller is using.

JSON representation: `{ "version": string }`

| Field | Description |
|---|---|
| `version` | The gatekeeper image tag, composed of the ACM version, git tag and build number. |

GatekeeperDeploymentState

State of Policy Controller installation.

JSON representation: `{ "gatekeeperControllerManagerState": enum (`

| Field | Description |
|---|---|
| `gatekeeperControllerManagerState` | Status of the gatekeeper-controller-manager pod. |
| `gatekeeper` | Status of the gatekeeper-audit deployment. |
| `gatekeeper` | Status of the pod serving the mutation webhook. |
PolicyControllerMigration

State for the migration of PolicyController from ACM -> PoCo Hub.

JSON representation: `{ "stage": enum (`

| Field | Description |
|---|---|
| `stage` | Stage of the migration. |
| `copy` | Last time this membership spec was copied to the PoCo feature. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |

PolicyControllerMigration.Stage

Stage marks what stage of the migration the ACM hub is in.

| Enum | Description |
|---|---|
| `STAGE_UNSPECIFIED` | Unknown state of migration. |
| `ACM_MANAGED` | ACM Hub/Operator manages policycontroller. No migration yet completed. |
| `POCO_MANAGED` | All migration steps complete; PoCo Hub now manages policycontroller. |
BinauthzState

State for Binauthz.

JSON representation: `{ "webhook": enum (`

| Field | Description |
|---|---|
| `webhook` | The state of the binauthz webhook. |
| `version` | The version of binauthz that is installed. |

BinauthzVersion

The version of binauthz.

JSON representation: `{ "webhookVersion": string }`

| Field | Description |
|---|---|
| `webhookVersion` | The version of the binauthz webhook. |

HierarchyControllerState

State for Hierarchy Controller.

JSON representation: `{ "version": { object (`

| Field | Description |
|---|---|
| `version` | The version for Hierarchy Controller. |
| `state` | The deployment state for Hierarchy Controller. |

HierarchyControllerVersion

Version for Hierarchy Controller.

JSON representation: `{ "hnc": string, "extension": string }`

| Field | Description |
|---|---|
| `hnc` | Version for open source HNC. |
| `extension` | Version for the Hierarchy Controller extension. |

HierarchyControllerDeploymentState

Deployment state for Hierarchy Controller.

JSON representation: `{ "hnc": enum (`

| Field | Description |
|---|---|
| `hnc` | The deployment state for open source HNC (e.g. v0.7.0-hc.0). |
| `extension` | The deployment state for the Hierarchy Controller extension (e.g. v0.7.0-hc.1). |
State

Policy Controller: State for a single cluster.

JSON representation: `{ "componentStates": { string: { object (`

| Field | Description |
|---|---|
| `componentStates` | Currently these include (also serving as map keys): "admission", "audit" and "mutation". An object containing a list of |
| `state` | The overall Policy Controller lifecycle state observed by the Hub Feature controller. |
| `policy` | The overall content state observed by the Hub Feature controller. |

OnClusterState

OnClusterState represents the state of a sub-component of Policy Controller.

JSON representation: `{ "state": enum (`

| Field | Description |
|---|---|
| `state` | The lifecycle state of this component. |
| `details` | Surfaces potential errors or information logs. |

State.LifecycleState

The set of states Policy Controller can exist in.

| Enum | Description |
|---|---|
| `LIFECYCLE_STATE_UNSPECIFIED` | The lifecycle state is unspecified. |
| `NOT_INSTALLED` | The PC does not exist on the given cluster, and no k8s resources of any type that are associated with the PC should exist there. The cluster does not possess a membership with the PCH. |
| `INSTALLING` | The PCH possesses a Membership, but the PC is not fully installed on the cluster. In this state the hub can be expected to be taking actions to install the PC on the cluster. |
| `ACTIVE` | The PC is fully installed on the cluster and in an operational mode. In this state the PCH will be reconciling state with the PC, and the PC will be performing its operational tasks per that software. Entering a READY state requires that the hub has confirmed the PC is installed and its pods are operational with the version of the PC the PCH expects. |
| `UPDATING` | The PC is fully installed, but in the process of changing the configuration (including changing the version of the PC either up or down, or modifying the manifests of the PC) of the resources running on the cluster. The PCH has a Membership and is aware of the version the cluster should be running, but has not confirmed for itself that the PC is running with that version. |
| `DECOMMISSIONING` | The PC may have resources on the cluster, but the PCH wishes to remove the Membership. The Membership still exists. |
| `CLUSTER_ERROR` | The PC is not operational, and the PCH is unable to act to make it operational. Entering a CLUSTER_ERROR state happens automatically when the PCH determines that a PC installed on the cluster is non-operative, or that the cluster does not meet the requirements set for the PCH to administer the cluster but has nevertheless been given an instruction to do so (such as "install"). |
| `HUB_ERROR` | In this state, the PC may still be operational, and only the PCH is unable to act. The hub should not issue instructions to change the PC state, or otherwise interfere with the on-cluster resources. Entering a HUB_ERROR state happens automatically when the PCH determines the hub is in an unhealthy state and it wishes to "take hands off" to avoid corrupting the PC or other data. |
| `SUSPENDED` | Policy Controller (PC) is installed but suspended. This means that the policies are not enforced, but violations are still recorded (through audit). |
| `DETACHED` | PoCo Hub is not taking any action to reconcile cluster objects. Changes to those objects will not be overwritten by PoCo Hub. |
PolicyContentState

The state of the Policy Controller policy content.

JSON representation: `{ "templateLibraryState": { object (`

| Field | Description |
|---|---|
| `templateLibraryState` | The state of the template library. |
| `bundle` | The state of any bundles included in the chosen version of the manifest. An object containing a list of |
| `referential` | The state of the referential data sync configuration. This could represent the state of either the syncSet object(s) or the config object, depending on the version of PoCo configured by the user. |
State

State for App Dev Exp Feature.

JSON representation: `{ "networkingInstallSucceeded": { object (`

| Field | Description |
|---|---|
| `networkingInstallSucceeded` | Status of the subcomponent that detects configured Service Mesh resources. |

State.Status

Status specifies state for the subcomponent.

JSON representation: `{ "code": enum (`

| Field | Description |
|---|---|
| `code` | Code specifies the AppDevExperienceFeature subcomponent's ready state. |
| `description` | Description is populated if Code is FAILED, explaining why it has failed. |

State.Code

Code specifies the ready state for an AppDevExperienceFeature subcomponent.

| Enum | Description |
|---|---|
| `CODE_UNSPECIFIED` | Not set. |
| `OK` | The specified AppDevExperienceFeature subcomponent is ready. |
| `FAILED` | The specified AppDevExperienceFeature subcomponent's ready state is false. This means AppDevExperienceFeature has encountered an issue that blocks all, or a portion, of its normal operation. See the description for more details. |
| `UNKNOWN` | The specified AppDevExperienceFeature subcomponent has a pending or unknown state. |
State

High-level state of a MembershipFeature.

JSON representation: `{ "code": enum (`

| Field | Description |
|---|---|
| `code` | The high-level, machine-readable status of this MembershipFeature. |
| `description` | A human-readable description of the current status. |
| `update` | The time this status and any related Feature-specific details were updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |

State.Code

Code represents a machine-readable, high-level status of the MembershipFeature.

| Enum | Description |
|---|---|
| `CODE_UNSPECIFIED` | Unknown or not set. |
| `OK` | The MembershipFeature is operating normally. |
| `WARNING` | The MembershipFeature has encountered an issue, and is operating in a degraded state. The MembershipFeature may need intervention to return to normal operation. See the description and any associated MembershipFeature-specific details for more information. |
| `ERROR` | The MembershipFeature is not operating or is in a severely degraded state. The MembershipFeature may need intervention to return to normal operation. See the description and any associated MembershipFeature-specific details for more information. |
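The high-level State.Code above is only a summary; the enforcement-relevant facts live in the per-feature states (Policy Controller State.LifecycleState, Config Sync SyncState.SyncCode, the Binauthz webhook DeploymentState and Service Mesh State.Condition.Severity). The following is an added example, not code from the API reference, that triages one FeatureState object into alerts a defender would route; it assumes the nested field names `configSyncState`, `syncState` and `binauthzState` from the v2 API's camelCase naming, since the page shows them truncated, and the sample input is constructed.

```python
"""Triage a MembershipFeature's FeatureState for security-relevant degradation.

Added example, not part of the GKE Hub API reference. It walks the FeatureState
union described on this page and reports the conditions a defender cares about:
admission enforcement not running (Policy Controller lifecycle state other than
ACTIVE, e.g. SUSPENDED), policy source not syncing (Config Sync SyncCode), the
Binary Authorization webhook not installed, and Service Mesh conditions at ERROR
or WARNING severity.

Field names shown in this page's JSON snippets are used as-is ("state", "code",
"componentStates", "webhook", "conditions", "severity", "errorResources"); the
nested names "configSyncState", "syncState" and "binauthzState" are ASSUMED from
the v2 API's camelCase naming and are not spelled out on the page.
"""
from typing import Any

SEVERITY_RANK = {"OK": 0, "WARNING": 1, "ERROR": 2}

# Policy Controller State.LifecycleState values in which policies are not being
# enforced as configured (values taken from this page); ACTIVE is the only good one.
PC_NOT_ENFORCING = {"LIFECYCLE_STATE_UNSPECIFIED", "NOT_INSTALLED", "INSTALLING",
                    "UPDATING", "DECOMMISSIONING", "CLUSTER_ERROR", "HUB_ERROR",
                    "SUSPENDED", "DETACHED"}

# SyncState.SyncCode values meaning the desired config is not reaching the cluster.
SYNC_BAD = {"SYNC_CODE_UNSPECIFIED", "ERROR", "NOT_CONFIGURED", "NOT_INSTALLED",
            "UNAUTHORIZED", "UNREACHABLE"}


def triage_feature_state(fs: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one FeatureState object."""
    findings: list[tuple[str, str]] = []

    # High-level State.Code is OK / WARNING / ERROR / CODE_UNSPECIFIED.
    high = fs.get("state", {})
    code = high.get("code", "CODE_UNSPECIFIED")
    if code != "OK":
        sev = code if code in SEVERITY_RANK else "WARNING"
        findings.append((sev, f"feature status {code}: {high.get('description', '')}"))

    # policycontroller: SUSPENDED still records audit violations but no longer
    # blocks admissions, so it is an enforcement gap, not a mere warning.
    pc = fs.get("policycontroller")
    if pc is not None:
        life = pc.get("state", "LIFECYCLE_STATE_UNSPECIFIED")
        if life in PC_NOT_ENFORCING:
            findings.append(("ERROR", f"Policy Controller lifecycle {life}: policies not enforced"))
        # componentStates keys are "admission", "audit" and "mutation" (OnClusterState).
        for name, comp in pc.get("componentStates", {}).items():
            if comp.get("state") != "ACTIVE":
                findings.append(("WARNING", f"Policy Controller component {name} is {comp.get('state')}"))

    # configmanagement: Config Sync status plus the Binary Authorization webhook.
    cm = fs.get("configmanagement")
    if cm is not None:
        sync = cm.get("configSyncState", {}).get("syncState", {})  # ASSUMED field names
        sync_code = sync.get("code", "SYNC_CODE_UNSPECIFIED")
        if sync_code in SYNC_BAD:
            findings.append(("ERROR", f"Config Sync code {sync_code}: cluster may drift from the repo"))
        for err in sync.get("errors", []):  # SyncError objects; the API truncates at 100
            paths = ", ".join(r.get("sourcePath", "?") for r in err.get("errorResources", []))
            findings.append(("WARNING", f"sync error {err.get('code')}: {err.get('errorMessage')} [{paths}]"))
        webhook = cm.get("binauthzState", {}).get("webhook")  # ASSUMED name; DeploymentState value
        if webhook is not None and webhook != "INSTALLED":
            findings.append(("ERROR", f"Binary Authorization webhook {webhook}: image policy not enforced"))

    # identityservice: State.DeploymentState ERROR means the auth proxy is down.
    ais = fs.get("identityservice")
    if ais is not None and ais.get("state") == "ERROR":
        findings.append(("ERROR", "Identity Service deployment state ERROR"))

    # servicemesh: surface State.Condition entries by their reported severity.
    for cond in fs.get("servicemesh", {}).get("conditions", []):
        sev = cond.get("severity", "SEVERITY_UNSPECIFIED")
        if sev in ("ERROR", "WARNING"):
            findings.append((sev, f"mesh condition {cond.get('code')}: {cond.get('details', '')}"))

    return findings


def overall_severity(findings: list[tuple[str, str]]) -> str:
    """Collapse findings to OK / WARNING / ERROR for alert routing."""
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__, default="OK")


# Constructed sample FeatureState (not real API output): Policy Controller has
# been suspended and the mesh reports an IAM permission problem.
SAMPLE_FEATURE_STATE: dict[str, Any] = {
    "state": {"code": "WARNING", "description": "Policy Controller suspended"},
    "policycontroller": {
        "state": "SUSPENDED",
        "componentStates": {"admission": {"state": "ACTIVE"}, "audit": {"state": "ACTIVE"}},
    },
    "configmanagement": {
        "configSyncState": {"syncState": {"code": "SYNCED", "errors": []}},
        "binauthzState": {"webhook": "INSTALLED"},
    },
    "servicemesh": {
        "conditions": [{"code": "MESH_IAM_PERMISSION_DENIED", "severity": "ERROR",
                        "details": "service account lacks mesh permissions"}],
    },
}

if __name__ == "__main__":
    for sev, msg in triage_feature_state(SAMPLE_FEATURE_STATE):
        print(f"[{sev}] {msg}")
    print("overall:", overall_severity(triage_feature_state(SAMPLE_FEATURE_STATE)))
```

Feed it the `state` object of a MembershipFeature fetched from the API and route on the returned severity; a SUSPENDED Policy Controller is classed as ERROR deliberately because audit still recording violations does not mean admission is blocking them.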
LifecycleState

LifecycleState describes the state of a MembershipFeature resource in the GkeHub API. See FeatureState for the "running state" of the MembershipFeature.

JSON representation: `{ "state": enum (`

| Field | Description |
|---|---|
| `state` | Output only. The current state of the Feature resource in the Hub API. |

LifecycleState.State

State describes the lifecycle status of a MembershipFeature.

| Enum | Description |
|---|---|
| `STATE_UNSPECIFIED` | State is unknown or not set. |
| `ENABLING` | The MembershipFeature is being enabled, and the MembershipFeature resource is being created. Once complete, the corresponding MembershipFeature will be enabled in this Hub. |
| `ACTIVE` | The MembershipFeature is enabled in this Hub, and the MembershipFeature resource is fully available. |
| `DISABLING` | The MembershipFeature is being disabled in this Hub, and the MembershipFeature resource is being deleted. |
| `UPDATING` | The MembershipFeature resource is being updated. |
| `SERVICE_UPDATING` | The MembershipFeature resource is being updated by the Hub Service. |