927 lines (873 loc) · 30.4 KB

{# AUTOGENERATED. DO NOT EDIT. #}

{% extends "config-connector/_base.html" %}

{% block page_title %}ContainerAttachedCluster{% endblock %} {% block body %}

Property | Value
{{gcp_name_short}} Service Name | Anthos Multi-Cloud
{{gcp_name_short}} Service Documentation | /anthos/clusters/docs/multi-cloud/attached
{{gcp_name_short}} REST Resource Name | v1.projects.locations.attachedClusters
{{gcp_name_short}} REST Resource Documentation | /anthos/clusters/docs/multi-cloud/reference/rest/v1/projects.locations.attachedClusters
{{product_name_short}} Resource Short Names | gcpcontainerattachedcluster, gcpcontainerattachedclusters, containerattachedcluster
{{product_name_short}} Service Name | gkemulticloud.googleapis.com
{{product_name_short}} Resource Fully Qualified Name | containerattachedclusters.containerattached.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember | No
{{product_name_short}} Default Average Reconcile Interval In Seconds | 600

Prerequisites

Before you can use this resource, you must prepare the target cluster so that the multi-cloud service can connect to it. To prepare the cluster, follow these steps to deploy an install-agent into the target cluster:

  1. Get the manifest yaml file for the install-agent:

     gcloud container attached clusters generate-install-manifest my-cluster --location=GOOGLE_CLOUD_REGION --platform-version=PLATFORM_VERSION --output-file=manifest.yaml

     Example command:

     gcloud container attached clusters generate-install-manifest kcc-attached-cluster --location=us-west1 --platform-version=1.25.0-gke.5 --output-file=manifest.yaml

  2. Check out the target cluster and get the kubeconfig context:

     Amazon Elastic Kubernetes Service cluster: aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTER

     Azure Kubernetes Service cluster: az aks get-credentials -n $CLUSTER -g $AZURE_RESOURCE_GROUP

     export KUBECONFIG_CONTEXT=$(kubectl config current-context)

  3. Apply the manifest.yaml file to the target cluster:

     (Optional if the previous step already switched your context) kubectl config use-context $KUBECONFIG_CONTEXT

     kubectl apply -f manifest.yaml

     You should see the following logs:

     namespace/gke-install created
     serviceaccount/gke-install-agent created
     clusterrolebinding.rbac.authorization.k8s.io/multicloud-install-agent-admin created
     deployment.apps/gke-multicloud-agent created

  4. Switch back to the Google Kubernetes Engine (GKE) cluster with Config Connector installed:

     Run kubectl config get-contexts to see all configured contexts. You should see at least two contexts: one associated with the target cluster, and one associated with the GKE cluster with Config Connector installed.

     Run kubectl config use-context GKE_CONTEXT to switch back to the GKE context.
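The four prerequisite steps above, wrapped as an added Python helper. This is example code, not part of the Config Connector documentation or of Google's tooling. It composes the step 1 and step 2 commands, refuses to apply a manifest that declares anything beyond the four objects the step 3 log lines show, and restores the GKE context (step 4) even if an earlier step fails. The platform-version regex, the function names and the constructed stand-in manifest (including its cluster-admin roleRef) are assumptions of the example; the expected object list comes from the page's own log lines.

```python
import re
import shlex
import subprocess
from pathlib import Path

# Platform versions look like "1.25.0-gke.5" (the page's example); this regex is an
# assumption of the example, used only to catch typos before gcloud is invoked.
PLATFORM_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+-gke\.\d+$")

# Objects the page's "You should see the following logs" lines say a clean apply creates.
EXPECTED_OBJECTS = {
    ("Namespace", "gke-install"),
    ("ServiceAccount", "gke-install-agent"),
    ("ClusterRoleBinding", "multicloud-install-agent-admin"),
    ("Deployment", "gke-multicloud-agent"),
}

# Constructed stand-in for a generated manifest.yaml; its shape (and the cluster-admin
# roleRef) is assumed for illustration and is not the real install-agent manifest.
CONSTRUCTED_MANIFEST = """\
apiVersion: v1
kind: Namespace
metadata:
  name: gke-install
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: gke-install
  name: gke-install-agent
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: multicloud-install-agent-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gke-multicloud-agent
  namespace: gke-install
"""


def generate_manifest_cmd(cluster, location, platform_version, out="manifest.yaml"):
    """Step 1: the gcloud command that writes the install-agent manifest."""
    if not PLATFORM_VERSION_RE.match(platform_version):
        raise ValueError(f"unexpected platform version format: {platform_version!r}")
    return ["gcloud", "container", "attached", "clusters", "generate-install-manifest",
            cluster, f"--location={location}", f"--platform-version={platform_version}",
            f"--output-file={out}"]


def get_credentials_cmd(distribution, cluster, region=None, resource_group=None):
    """Step 2: the provider CLI call that adds (and switches to) the target cluster context."""
    if distribution == "eks":
        return ["aws", "eks", "update-kubeconfig", "--region", region, "--name", cluster]
    if distribution == "aks":
        return ["az", "aks", "get-credentials", "-n", cluster, "-g", resource_group]
    raise ValueError("this helper only knows the eks and aks distributions")


def manifest_objects(manifest_text):
    """(kind, metadata.name) pairs in a multi-document manifest; regex parse, no PyYAML needed."""
    found = set()
    for doc in re.split(r"(?m)^---\s*$", manifest_text):
        kind = re.search(r"(?m)^kind:\s*(\S+)", doc)
        name = re.search(r"(?m)^metadata:\s*\n(?:[ \t]+.*\n)*?[ \t]+name:\s*(\S+)", doc)
        if kind and name:
            found.add((kind.group(1), name.group(1)))
    return found


def review_manifest(manifest_text):
    """Pre-apply check for step 3: the manifest binds a cluster-wide role, so anything beyond
    the four documented objects is refused rather than silently applied to the target cluster."""
    found = manifest_objects(manifest_text)
    return {"ok": found == EXPECTED_OBJECTS,
            "unexpected": sorted(found - EXPECTED_OBJECTS),
            "missing": sorted(EXPECTED_OBJECTS - found)}


def run_prerequisites(cluster, location, platform_version, distribution, dry_run=True, **creds):
    """Steps 1-4 in order; the GKE context captured up front is restored in step 4 even on
    failure. With dry_run=True nothing runs and the composed commands are returned for review."""
    steps = [generate_manifest_cmd(cluster, location, platform_version),
             get_credentials_cmd(distribution, cluster, **creds),
             ["kubectl", "apply", "-f", "manifest.yaml"]]
    if dry_run:
        return [shlex.join(s) for s in steps]
    gke_ctx = subprocess.run(["kubectl", "config", "current-context"],
                             capture_output=True, text=True, check=True).stdout.strip()
    try:
        subprocess.run(steps[0], check=True)
        subprocess.run(steps[1], check=True)  # switches kubectl to the target cluster
        verdict = review_manifest(Path("manifest.yaml").read_text())
        if not verdict["ok"]:
            raise RuntimeError(f"manifest review failed: {verdict}")
        subprocess.run(steps[2], check=True)
    finally:
        subprocess.run(["kubectl", "config", "use-context", gke_ctx], check=True)  # step 4
    return [shlex.join(s) for s in steps]
```

`run_prerequisites("kcc-attached-cluster", "us-west1", "1.25.0-gke.5", "eks", region="us-west-2")` prints nothing and returns the three command lines for inspection; pass `dry_run=False` only once you have reviewed them and have the provider and gcloud CLIs authenticated.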

Custom Resource Definition Properties

Spec

Schema

annotations:
  string: string
authorization:
  adminUsers:
  - string
binaryAuthorization:
  evaluationMode: string
deletionPolicy: string
description: string
distribution: string
fleet:
  membership: string
  projectRef:
    external: string
    name: string
    namespace: string
location: string
loggingConfig:
  componentConfig:
    enableComponents:
    - string
monitoringConfig:
  managedPrometheusConfig:
    enabled: boolean
oidcConfig:
  issuerUrl: string
  jwks: string
platformVersion: string
projectRef:
  external: string
  kind: string
  name: string
  namespace: string
resourceID: string

Fields

annotations

Optional

map (key: string, value: string)

{% verbatim %}Optional. Annotations on the cluster.

This field has the same restrictions as Kubernetes annotations. The total size of all keys and values combined is limited to 256k. Key can have 2 segments: prefix (optional) and name (required), separated by a slash (/). Prefix must be a DNS subdomain. Name must be 63 characters or less, begin and end with alphanumerics, with dashes (-), underscores (_), dots (.), and alphanumerics between.{% endverbatim %}

authorization

Optional

object

{% verbatim %}Optional. Configuration related to the cluster RBAC settings.{% endverbatim %}

authorization.adminUsers

Optional

list (string)

{% verbatim %}Optional. Users that can perform operations as a cluster admin. A managed ClusterRoleBinding will be created to grant the cluster-admin ClusterRole to the users. Up to ten admin users can be provided.

For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles{% endverbatim %}

authorization.adminUsers[]

Optional

string

{% verbatim %}{% endverbatim %}

binaryAuthorization

Optional

object

{% verbatim %}Optional. Binary Authorization configuration for this cluster.{% endverbatim %}

binaryAuthorization.evaluationMode

Optional

string

{% verbatim %}Mode of operation for binauthz policy evaluation. If unspecified, defaults to DISABLED. Possible values: ["DISABLED", "PROJECT_SINGLETON_POLICY_ENFORCE"].{% endverbatim %}

deletionPolicy

Optional

string

{% verbatim %}Optional. Policy to determine what flags to send on delete.{% endverbatim %}

description

Optional

string

{% verbatim %}Optional. A human readable description of this Attached cluster. Cannot be longer than 255 UTF-8 encoded bytes.{% endverbatim %}

distribution

Required

string

{% verbatim %}Immutable. The Kubernetes distribution of the underlying attached cluster.

Supported values: ["eks", "aks", "generic"].{% endverbatim %}

fleet

Required

object

{% verbatim %}Required. Fleet configuration.{% endverbatim %}

fleet.membership

Optional

string

{% verbatim %}Output only. The name of the managed Hub Membership resource associated to this cluster.

Membership names are formatted as projects/<project-number>/locations/global/membership/<cluster-id>.{% endverbatim %}

fleet.projectRef

Required

object

{% verbatim %}The id of the Fleet host project where this cluster will be registered.{% endverbatim %}

fleet.projectRef.external

Optional

string

{% verbatim %}The project of the fleet. Allowed value: The Google Cloud resource name of a Project resource (format: projects/{{name}}).{% endverbatim %}

fleet.projectRef.name

Optional

string

{% verbatim %}Name of the project resource. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names{% endverbatim %}

fleet.projectRef.namespace

Optional

string

{% verbatim %}Namespace of the project resource. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/{% endverbatim %}

location

Required

string

{% verbatim %}Immutable. The location for the resource.{% endverbatim %}

loggingConfig

Optional

object

{% verbatim %}Optional. Logging configuration for this cluster.{% endverbatim %}

loggingConfig.componentConfig

Optional

object

{% verbatim %}The configuration of the logging components.{% endverbatim %}

loggingConfig.componentConfig.enableComponents

Optional

list (string)

{% verbatim %}The components to be enabled. Possible values: ["SYSTEM_COMPONENTS", "WORKLOADS"].{% endverbatim %}

loggingConfig.componentConfig.enableComponents[]

Optional

string

{% verbatim %}{% endverbatim %}

monitoringConfig

Optional

object

{% verbatim %}Optional. Monitoring configuration for this cluster.{% endverbatim %}

monitoringConfig.managedPrometheusConfig

Optional

object

{% verbatim %}Enable Google Cloud Managed Service for Prometheus in the cluster.{% endverbatim %}

monitoringConfig.managedPrometheusConfig.enabled

Optional

boolean

{% verbatim %}Enable Managed Collection.{% endverbatim %}

oidcConfig

Required

object

{% verbatim %}Required. OpenID Connect (OIDC) discovery information of the target cluster.

Kubernetes Service Account (KSA) tokens are JWT tokens signed by the cluster API server. This field indicates how GCP services validate KSA tokens in order to allow system workloads (such as GKE Connect and telemetry agents) to authenticate back to GCP.

Both clusters with public and private issuer URLs are supported. Clusters with public issuers only need to specify the 'issuerUrl' field while clusters with private issuers need to provide both 'issuerUrl' and 'jwks'.{% endverbatim %}

oidcConfig.issuerUrl

Required

string

{% verbatim %}Immutable. A JSON Web Token (JWT) issuer URI. issuer must start with https://.{% endverbatim %}

oidcConfig.jwks

Optional

string

{% verbatim %}Immutable, Optional. OIDC verification keys in JWKS format (RFC 7517). It contains a list of OIDC verification keys that can be used to verify OIDC JWTs.

This field is required for clusters that don't have a publicly available discovery endpoint. When provided, it is used directly to verify the OIDC JWT asserted by the IDP.{% endverbatim %}
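The validation flow that the oidcConfig, oidcConfig.issuerUrl and oidcConfig.jwks descriptions above lay out, as an added example. It is not part of the Config Connector documentation or of the gkemulticloud service; it shows, in pure Python with no third-party packages, what a verifier has to do with the two fields: insist on an https:// issuer, take the keys from the inline JWKS when a private issuer supplies one (otherwise resolve them through OIDC discovery), then check a KSA-style RS256 JWT's signature against the selected key before trusting its iss and exp claims. The toy key (built from two well-known primes so the demo is deterministic), the issuer URL, the kid, the claims and the `fetch` callback are all constructed or hypothetical; the JWKS format and the RS256 encoding are standard.

```python
import base64
import hashlib
import json
import time

# Toy RSA key built from two well-known primes (2^255 - 19 and the Mersenne prime 2^521 - 1)
# so the demo is deterministic and needs no key generation. It stands in for the cluster
# API server's signing key, which is 2048+ bits and is never constructed like this.
TOY_P, TOY_Q, TOY_E = (1 << 255) - 19, (1 << 521) - 1, 65537
TOY_N = TOY_P * TOY_Q
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))


def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _emsa_pkcs1_v15(msg, k):
    """RSASSA-PKCS1-v1_5 encoding of SHA-256(msg); k is the modulus length in bytes."""
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def jwk_from_public(n, e, kid):
    """One RSA verification key in JWK form, as a JWKS (RFC 7517) in oidcConfig.jwks carries it."""
    k = (n.bit_length() + 7) // 8
    return {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
            "n": b64u(n.to_bytes(k, "big")), "e": b64u(e.to_bytes(3, "big"))}


def toy_jwks(kid="kid-1"):
    """The JWKS document a private-issuer cluster would have to supply in oidcConfig.jwks."""
    return json.dumps({"keys": [jwk_from_public(TOY_N, TOY_E, kid)]})


def sign_jwt(claims, n, d, kid):
    """What the cluster API server does to mint a KSA token: RS256 over header.payload."""
    parts = [b64u(json.dumps(x, separators=(",", ":")).encode())
             for x in ({"alg": "RS256", "typ": "JWT", "kid": kid}, claims)]
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(".".join(parts).encode(), k), "big")
    return ".".join(parts + [b64u(pow(m, d, n).to_bytes(k, "big"))])


def resolve_jwks(issuer_url, jwks=None, fetch=None):
    """The page's rule: issuerUrl must start with https://. A private issuer ships its keys
    inline (oidcConfig.jwks) and they are used directly; a public issuer is resolved through
    OIDC discovery. fetch is a hypothetical caller-supplied HTTPS GET returning parsed JSON."""
    if not issuer_url.startswith("https://"):
        raise ValueError("issuerUrl must start with https://")
    if jwks is not None:
        return json.loads(jwks)["keys"]
    if fetch is None:
        raise ValueError("a public issuer needs a discovery fetcher")
    discovery = fetch(issuer_url.rstrip("/") + "/.well-known/openid-configuration")
    return fetch(discovery["jwks_uri"])["keys"]


def verify_ksa_token(token, issuer_url, keys, now=None):
    """(True, claims) or (False, reason): pin alg, select the key by kid, check the signature,
    then iss and exp. Nothing in the payload is trusted before the signature passes."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        hdr, claims = json.loads(b64u_dec(h_b64)), json.loads(b64u_dec(p_b64))
    except ValueError:
        return False, "malformed token"
    if hdr.get("alg") != "RS256":
        return False, "alg not allowed"
    key = next((k for k in keys if k.get("kty") == "RSA" and k.get("kid") == hdr.get("kid")), None)
    if key is None:
        return False, "unknown kid"
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    sig = int.from_bytes(b64u_dec(s_b64), "big")
    if sig >= n or pow(sig, e, n).to_bytes(k, "big") != _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k):
        return False, "bad signature"
    if claims.get("iss") != issuer_url:
        return False, "issuer mismatch"
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "expired"
    return True, claims


def demo():
    """Private-issuer path (keys come from oidcConfig.jwks); every value here is constructed."""
    issuer = "https://oidc.example-cluster.internal"
    keys = resolve_jwks(issuer, jwks=toy_jwks())
    claims = {"iss": issuer, "sub": "system:serviceaccount:example-ns:example-agent",
              "exp": int(time.time()) + 600}
    token = sign_jwt(claims, TOY_N, TOY_D, "kid-1")
    good = verify_ksa_token(token, issuer, keys)
    # Swap the subject in the payload but keep the original signature: must be rejected.
    h, _, s = token.split(".")
    forged = ".".join([h, b64u(json.dumps({**claims, "sub": "system:serviceaccount:kube-system:other"}).encode()), s])
    return good[0], verify_ksa_token(forged, issuer, keys)
```

`demo()` returns `(True, (False, "bad signature"))`: the genuine token verifies against the inline JWKS, the tampered one does not. The order of checks in `verify_ksa_token` is the point of the example: the algorithm is pinned before any key lookup, the key is chosen by the kid the cluster published (not by anything the token asks for), and iss and exp are only consulted after the signature is good.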

platformVersion

Required

string

{% verbatim %}Required. The platform version for the cluster (e.g. 1.30.0-gke.1).{% endverbatim %}

projectRef

Required

object

{% verbatim %}The ID of the project in which the resource belongs.{% endverbatim %}

projectRef.external

Optional

string

{% verbatim %}The projectID field of a project, when not managed by Config Connector.{% endverbatim %}

projectRef.kind

Optional

string

{% verbatim %}The kind of the Project resource; optional but must be Project if provided.{% endverbatim %}

projectRef.name

Optional

string

{% verbatim %}The name field of a Project resource.{% endverbatim %}

projectRef.namespace

Optional

string

{% verbatim %}The namespace field of a Project resource.{% endverbatim %}

resourceID

Optional

string

{% verbatim %}Immutable, Optional. The ContainerAttachedCluster name. If not given, the metadata.name will be used.{% endverbatim %}

Status

Schema

clusterRegion: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createTime: string
errors:
- message: string
kubernetesVersion: string
observedGeneration: integer
observedState:
  fleetMembership: string
reconciling: boolean
state: string
uid: string
updateTime: string
workloadIdentityConfig:
- identityProvider: string
  issuerUri: string
  workloadPool: string

Fields

clusterRegion

string

{% verbatim %}The region where this cluster runs.

For EKS clusters, this is an AWS region. For AKS clusters, this is an Azure region.{% endverbatim %}

conditions

list (object)

{% verbatim %}Conditions represent the latest available observations of the object's current state.{% endverbatim %}

conditions[]

object

{% verbatim %}{% endverbatim %}

conditions[].lastTransitionTime

string

{% verbatim %}Last time the condition transitioned from one status to another.{% endverbatim %}

conditions[].message

string

{% verbatim %}Human-readable message indicating details about last transition.{% endverbatim %}

conditions[].reason

string

{% verbatim %}Unique, one-word, CamelCase reason for the condition's last transition.{% endverbatim %}

conditions[].status

string

{% verbatim %}Status is the status of the condition. Can be True, False, Unknown.{% endverbatim %}

conditions[].type

string

{% verbatim %}Type is the type of the condition.{% endverbatim %}

createTime

string

{% verbatim %}The time at which this cluster was registered.{% endverbatim %}

errors

list (object)

{% verbatim %}A set of errors found in the cluster.{% endverbatim %}

errors[]

object

{% verbatim %}{% endverbatim %}

errors[].message

string

{% verbatim %}Human-friendly description of the error.{% endverbatim %}

kubernetesVersion

string

{% verbatim %}The Kubernetes version of the cluster.{% endverbatim %}

observedGeneration

integer

{% verbatim %}ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.{% endverbatim %}

observedState

object

{% verbatim %}ObservedState is the state of the resource as most recently observed in GCP.{% endverbatim %}

observedState.fleetMembership

string

{% verbatim %}Output only. The name of the managed Hub Membership resource associated to this cluster.

Membership names are formatted as projects/<project-number>/locations/global/membership/<cluster-id>. This field mirrors the Spec.Fleet.Membership field.{% endverbatim %}

reconciling

boolean

{% verbatim %}If set, there are currently changes in flight to the cluster.{% endverbatim %}

state

string

{% verbatim %}The current state of the cluster. Possible values: STATE_UNSPECIFIED, PROVISIONING, RUNNING, RECONCILING, STOPPING, ERROR, DEGRADED.{% endverbatim %}

uid

string

{% verbatim %}A globally unique identifier for the cluster.{% endverbatim %}

updateTime

string

{% verbatim %}The time at which this cluster was last updated.{% endverbatim %}

workloadIdentityConfig

list (object)

{% verbatim %}Workload Identity settings.{% endverbatim %}

workloadIdentityConfig[]

object

{% verbatim %}{% endverbatim %}

workloadIdentityConfig[].identityProvider

string

{% verbatim %}The ID of the OIDC Identity Provider (IdP) associated to the Workload Identity Pool.{% endverbatim %}

workloadIdentityConfig[].issuerUri

string

{% verbatim %}The OIDC issuer URL for this cluster.{% endverbatim %}

workloadIdentityConfig[].workloadPool

string

{% verbatim %}The Workload Identity Pool associated to the cluster.{% endverbatim %}

Sample YAML(s)

Container Attached Cluster Basic

# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: containerattached.cnrm.cloud.google.com/v1beta1
kind: ContainerAttachedCluster
metadata:
  name: containerattachedcluster-sample-basic
spec:
  # Replace ${ATTACHED_CLUSTER_NAME?} with the name of the underlying attached cluster
  resourceID: ${ATTACHED_CLUSTER_NAME?}
  location: us-west1
  projectRef:
    # Replace ${PROJECT_ID?} with your Google Cloud project id
    external: ${PROJECT_ID?}
  description: "Test attached cluster basic sample"
  # Replace ${DISTRIBUTION?} with the Kubernetes distribution of the underlying attached cluster
  # Supported values: "eks", "aks".
  distribution: ${DISTRIBUTION?}
  oidcConfig:
    # Replace ${ISSUER_URL?} with the OIDC issuer URL of the underlying attached cluster
    issuerUrl: ${ISSUER_URL?}
  # Replace ${ATTACHED_CLUSTER_PLATFORM_VERSION?} with the platform version of the underlying attached cluster
  platformVersion: ${ATTACHED_CLUSTER_PLATFORM_VERSION?}
  fleet:
    projectRef:
      name: containerattachedcluster-dep-basic
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: containerattachedcluster-dep-basic
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  resourceID: ${PROJECT_ID?}
  organizationRef:
    # Replace ${ORG_ID?} with the Google Cloud org id that your project belongs to
    external: "${ORG_ID?}"
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  name: ${PROJECT_ID?}

Container Attached Cluster Full

# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: containerattached.cnrm.cloud.google.com/v1beta1
kind: ContainerAttachedCluster
metadata:
  name: containerattachedcluster-sample-full
spec:
  # Replace ${ATTACHED_CLUSTER_NAME?} with the name of the underlying attached cluster
  resourceID: ${ATTACHED_CLUSTER_NAME?}
  location: us-west1
  projectRef:
    # Replace ${PROJECT_ID?} with your Google Cloud project id
    external: ${PROJECT_ID?}
  description: "Test attached cluster full sample"
  # Replace ${DISTRIBUTION?} with the Kubernetes distribution of the underlying attached cluster
  # Supported values: "eks", "aks".
  distribution: ${DISTRIBUTION?}
  annotations:
    label-one: "value-one"
  authorization:
    adminUsers: [ "[email protected]", "[email protected]"]
  oidcConfig:
    # Replace ${ISSUER_URL?} with the OIDC issuer URL of the underlying attached cluster
    issuerUrl: ${ISSUER_URL?}
  # Replace ${ATTACHED_CLUSTER_PLATFORM_VERSION?} with the platform version of the underlying attached cluster
  platformVersion: ${ATTACHED_CLUSTER_PLATFORM_VERSION?}
  fleet:
    projectRef:
      name: containerattachedcluster-dep-full
  loggingConfig:
    componentConfig:
      enableComponents: ["SYSTEM_COMPONENTS", "WORKLOADS"]
  monitoringConfig:
    managedPrometheusConfig:
      enabled: true
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: containerattachedcluster-dep-full
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  resourceID: ${PROJECT_ID?}
  organizationRef:
    # Replace ${ORG_ID?} with the Google Cloud org id that your project belongs to
    external: "${ORG_ID?}"
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  name: ${PROJECT_ID?}

Container Attached Cluster Ignore Errors

# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: containerattached.cnrm.cloud.google.com/v1beta1
kind: ContainerAttachedCluster
metadata:
  name: containerattachedcluster-sample-ignore-errors
spec:
  # Replace ${ATTACHED_CLUSTER_NAME?} with the name of the underlying attached cluster
  resourceID: ${ATTACHED_CLUSTER_NAME?}
  location: us-west1
  projectRef:
    # Replace ${PROJECT_ID?} with your Google Cloud project id
    external: ${PROJECT_ID?}
  description: "Test attached cluster ignore errors sample"
  # Replace ${DISTRIBUTION?} with the Kubernetes distribution of the underlying attached cluster
  # Supported values: "eks", "aks".
  distribution: ${DISTRIBUTION?}
  oidcConfig:
    # Replace ${ISSUER_URL?} with the OIDC issuer URL of the underlying attached cluster
    issuerUrl: ${ISSUER_URL?}
  # Replace ${ATTACHED_CLUSTER_PLATFORM_VERSION?} with the platform version of the underlying attached cluster
  platformVersion: ${ATTACHED_CLUSTER_PLATFORM_VERSION?}
  fleet:
    projectRef:
      name: containerattachedcluster-dep-ignore-errors
  deletionPolicy: "DELETE_IGNORE_ERRORS"
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: containerattachedcluster-dep-ignore-errors
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  resourceID: ${PROJECT_ID?}
  organizationRef:
    # Replace ${ORG_ID?} with the Google Cloud org id that your project belongs to
    external: "${ORG_ID?}"
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  name: ${PROJECT_ID?}

Note: If you have any trouble instantiating the resource, refer to Troubleshoot Config Connector.

{% endblock %}