Index
BinauthzConfig (message)
BinauthzState (message)
BinauthzVersion (message)
ConfigSync (message)
ConfigSyncDeploymentState (message)
ConfigSyncError (message)
ConfigSyncState (message)
ConfigSyncVersion (message)
DeploymentState (enum)
ErrorResource (message)
GatekeeperDeploymentState (message)
GitConfig (message)
GroupVersionKind (message)
HierarchyControllerConfig (message)
HierarchyControllerDeploymentState (message)
HierarchyControllerState (message)
HierarchyControllerVersion (message)
InstallError (message)
MembershipSpec (message)
MembershipState (message)
OciConfig (message)
OperatorState (message)
PolicyController (message)
PolicyControllerMigration (message)
PolicyControllerMigration.Stage (enum)
PolicyControllerMonitoring (message)
PolicyControllerMonitoring.MonitoringBackend (enum)
PolicyControllerState (message)
PolicyControllerVersion (message)
SyncError (message)
SyncState (message)
SyncState.SyncCode (enum)
BinauthzConfig
Configuration for Binauthz
Fields | |
---|---|
enabled | Whether binauthz is enabled in this cluster. |
BinauthzState
State for Binauthz
Fields | |
---|---|
webhook | The state of the binauthz webhook. |
version | The version of binauthz that is installed. |
BinauthzVersion
The version of binauthz.
Fields | |
---|---|
webhook_version | The version of the binauthz webhook. |
ConfigSync
Configuration for Config Sync
Fields | |
---|---|
git | Git repo configuration for the cluster. |
source_format | Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode. |
prevent_drift | Set to true to enable the Config Sync admission webhook to prevent drifts. If set to |
oci | OCI repo configuration for the cluster |
allow_vertical_scale | Set to true to allow vertical scaling. Defaults to false, which disallows vertical scaling. This field is deprecated. |
metrics_gcp_service_account_email | The email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount |
enabled | Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if they exist. If set to false, all other ConfigSync fields will be ignored and ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depending on the presence of the git or oci field. |
ConfigSyncDeploymentState
The state of ConfigSync's deployment on a cluster
Fields | |
---|---|
importer | Deployment state of the importer pod |
syncer | Deployment state of the syncer pod |
git_sync | Deployment state of the git-sync pod |
monitor | Deployment state of the monitor pod |
reconciler_manager | Deployment state of reconciler-manager pod |
root_reconciler | Deployment state of root-reconciler |
admission_webhook | Deployment state of admission-webhook |
ConfigSyncError
Errors pertaining to the installation of Config Sync
Fields | |
---|---|
error_message | A string representing the user facing error message |
ConfigSyncState
State information for ConfigSync
Fields | |
---|---|
version | The version of ConfigSync deployed |
deployment_state | Information about the deployment of ConfigSync, including the version of the various Pods deployed |
sync_state | The state of ConfigSync's process to sync configs to a cluster |
errors[] | Errors pertaining to the installation of Config Sync. |
ConfigSyncVersion
Specific versioning information pertaining to ConfigSync's Pods
Fields | |
---|---|
importer | Version of the deployed importer pod |
syncer | Version of the deployed syncer pod |
git_sync | Version of the deployed git-sync pod |
monitor | Version of the deployed monitor pod |
reconciler_manager | Version of the deployed reconciler-manager pod |
root_reconciler | Version of the deployed reconciler container in root-reconciler pod |
admission_webhook | Version of the deployed admission_webhook pod |
DeploymentState
Enum representing the state of an ACM's deployment on a cluster
Enums | |
---|---|
DEPLOYMENT_STATE_UNSPECIFIED | Deployment's state cannot be determined |
NOT_INSTALLED | Deployment is not installed |
INSTALLED | Deployment is installed |
ERROR | Deployment was attempted to be installed, but has errors |
PENDING | Deployment is installing or terminating |
ErrorResource
Model for a config file in the git repo with an associated Sync error
Fields | |
---|---|
source_path | Path in the git repo of the erroneous config |
resource_name | Metadata name of the resource that is causing an error |
resource_namespace | Namespace of the resource that is causing an error |
resource_gvk | Group/version/kind of the resource that is causing an error |
GatekeeperDeploymentState
State of Policy Controller installation.
Fields | |
---|---|
gatekeeper_controller_manager_state | Status of gatekeeper-controller-manager pod. |
gatekeeper_audit | Status of gatekeeper-audit deployment. |
gatekeeper_mutation | Status of the pod serving the mutation webhook. |
GitConfig
Git repo configuration for a single cluster.
Fields | |
---|---|
sync_repo | The URL of the Git repository to use as the source of truth. |
sync_branch | The branch of the repository to sync from. Default: master. |
policy_dir | The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository. |
sync_wait_secs | Period in seconds between consecutive syncs. Default: 15. |
sync_rev | Git revision (tag or hash) to check out. Default HEAD. |
secret_type | Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount or none. The validation of this is case-sensitive. Required. |
https_proxy | URL for the HTTPS proxy to be used when communicating with the Git repo. |
gcp_service_account_email | The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount. |
GroupVersionKind
A Kubernetes object's GVK
Fields | |
---|---|
group | Kubernetes Group |
version | Kubernetes Version |
kind | Kubernetes Kind |
HierarchyControllerConfig
Configuration for Hierarchy Controller
Fields | |
---|---|
enabled | Whether Hierarchy Controller is enabled in this cluster. |
enable_pod_tree_labels | Whether pod tree labels are enabled in this cluster. |
enable_hierarchical_resource_quota | Whether hierarchical resource quota is enabled in this cluster. |
HierarchyControllerDeploymentState
Deployment state for Hierarchy Controller
Fields | |
---|---|
hnc | The deployment state for open source HNC (e.g. v0.7.0-hc.0) |
extension | The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1) |
HierarchyControllerState
State for Hierarchy Controller
Fields | |
---|---|
version | The version for Hierarchy Controller |
state | The deployment state for Hierarchy Controller |
HierarchyControllerVersion
Version for Hierarchy Controller
Fields | |
---|---|
hnc | Version for open source HNC |
extension | Version for Hierarchy Controller extension |
InstallError
Errors pertaining to the installation of ACM
Fields | |
---|---|
error_message | A string representing the user facing error message |
MembershipSpec
Anthos Config Management: Configuration for a single cluster. Intended to parallel the ConfigManagement CR.
Fields | |
---|---|
config_sync | Config Sync configuration for the cluster. |
policy_controller | Policy Controller configuration for the cluster. |
binauthz | Binauthz configuration for the cluster. Deprecated: This field will be ignored and should not be set. |
hierarchy_controller | Hierarchy Controller configuration for the cluster. |
version | Version of ACM installed. |
cluster | The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. |
MembershipState
Anthos Config Management: State for a single cluster.
Fields | |
---|---|
cluster_name | This field is set to the |
membership_spec | Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipSpec in the FeatureSpec represents the intended state |
operator_state | Current install status of ACM's Operator |
config_sync_state | Current sync status |
policy_controller_state | PolicyController status |
binauthz_state | Binauthz status |
hierarchy_controller_state | Hierarchy Controller status |
OciConfig
OCI repo configuration for a single cluster
Fields | |
---|---|
sync_repo | The OCI image repository URL for the package to sync from. e.g. |
policy_dir | The absolute path of the directory that contains the local resources. Default: the root directory of the image. |
sync_wait_secs | Period in seconds between consecutive syncs. Default: 15. |
secret_type | Type of secret configured for access to the Git repo. |
gcp_service_account_email | The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount. |
OperatorState
State information for an ACM's Operator
Fields | |
---|---|
version | The semantic version number of the operator |
deployment_state | The state of the Operator's deployment |
errors[] | Install errors. |
PolicyController
Configuration for Policy Controller
Fields | |
---|---|
enabled | Enables the installation of Policy Controller. If false, the rest of the PolicyController fields have no effect. |
exemptable_namespaces[] | The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. |
referential_rules_enabled | Enables the ability to use Constraint Templates that refer to objects other than the object currently being evaluated. |
log_denies_enabled | Logs all denies and dry run failures. |
mutation_enabled | Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster. |
monitoring | Monitoring specifies the configuration of monitoring. |
update_time | Output only. Last time this membership spec was updated. |
template_library_installed | Installs the default template library along with Policy Controller. |
audit_interval_seconds | Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. |
PolicyControllerMigration
State for the migration of PolicyController from ACM -> PoCo Hub.
Fields | |
---|---|
stage | Stage of the migration. |
copy_time | Last time this membership spec was copied to PoCo feature. |
Stage
Stage marks what stage of the migration ACM hub is in.
Enums | |
---|---|
STAGE_UNSPECIFIED | Unknown state of migration. |
ACM_MANAGED | ACM Hub/Operator manages policycontroller. No migration yet completed. |
POCO_MANAGED | All migration steps complete; Poco Hub now manages policycontroller. |
PolicyControllerMonitoring
PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"]
Fields | |
---|---|
backends[] | Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. |
MonitoringBackend
Supported backend options for monitoring
Enums | |
---|---|
MONITORING_BACKEND_UNSPECIFIED | Backend cannot be determined |
PROMETHEUS | Prometheus backend for monitoring |
CLOUD_MONITORING | Stackdriver/Cloud Monitoring backend for monitoring |
PolicyControllerState
State for PolicyControllerState.
Fields | |
---|---|
version | The version of Gatekeeper Policy Controller deployed. |
deployment_state | The state about the policy controller installation. |
migration | Record state of ACM -> PoCo Hub migration for this feature. |
PolicyControllerVersion
The build version of Gatekeeper that Policy Controller is using.
Fields | |
---|---|
version | The gatekeeper image tag that is composed of ACM version, git tag, build number. |
SyncError
An ACM created error representing a problem syncing configurations
Fields | |
---|---|
code | An ACM defined error code |
error_message | A description of the error |
error_resources[] | A list of config(s) associated with the error, if any |
SyncState
State indicating an ACM's progress syncing configurations to a cluster
Fields | |
---|---|
source_token | Token indicating the state of the repo. |
import_token | Token indicating the state of the importer. |
sync_token | Token indicating the state of the syncer. |
last_sync | Deprecated: use last_sync_time instead. Timestamp of when ACM last successfully synced the repo. The time format is specified in https://golang.org/pkg/time/#Time.String |
last_sync_time | Timestamp type of when ACM last successfully synced the repo |
code | Sync status code |
errors[] | A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist. |
SyncCode
An enum representing Config Sync's status of syncing configs to a cluster.
Enums | |
---|---|
SYNC_CODE_UNSPECIFIED | Config Sync cannot determine a sync code |
SYNCED | Config Sync successfully synced the git Repo with the cluster |
PENDING | Config Sync is in the process of syncing a new change |
ERROR | Indicates an error configuring Config Sync, and user action is required |
NOT_CONFIGURED | Config Sync has been installed but not configured |
NOT_INSTALLED | Config Sync has not been installed |
UNAUTHORIZED | Error authorizing with the cluster |
UNREACHABLE | Cluster could not be reached |