---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
---

# gcp_gkehub_feature{% #gcp_gkehub_feature %}

## `ancestors`{% #ancestors %}

**Type**: `UNORDERED_LIST_STRING`

## `create_time`{% #create_time %}

**Type**: `TIMESTAMP`**Provider name**: `createTime`**Description**: Output only. When the Feature resource was created.

## `delete_time`{% #delete_time %}

**Type**: `TIMESTAMP`**Provider name**: `deleteTime`**Description**: Output only. When the Feature resource was deleted.

## `fleet_default_member_config`{% #fleet_default_member_config %}

**Type**: `STRUCT`**Provider name**: `fleetDefaultMemberConfig`**Description**: Optional. Feature configuration applicable to all memberships of the fleet.

- `configmanagement`**Type**: `STRUCT`**Provider name**: `configmanagement`**Description**: Config Management-specific spec.
  - `cluster`**Type**: `STRING`**Provider name**: `cluster`**Description**: Optional. The user-specified cluster name used by Config Sync cluster-name-selector annotation or ClusterSelector, for applying configs to only a subset of clusters. Omit this field if the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector. Set this field if a name different from the cluster's fleet membership name is used by Config Sync cluster-name-selector annotation or ClusterSelector.
  - `config_sync`**Type**: `STRUCT`**Provider name**: `configSync`**Description**: Optional. Config Sync configuration for the cluster.
    - `deployment_overrides`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `deploymentOverrides`**Description**: Optional. Configuration for deployment overrides.
      - `containers`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `containers`**Description**: Optional. The containers of the deployment resource to be overridden.
        - `container_name`**Type**: `STRING`**Provider name**: `containerName`**Description**: Required. The name of the container.
        - `cpu_limit`**Type**: `STRING`**Provider name**: `cpuLimit`**Description**: Optional. The cpu limit of the container.
        - `cpu_request`**Type**: `STRING`**Provider name**: `cpuRequest`**Description**: Optional. The cpu request of the container.
        - `memory_limit`**Type**: `STRING`**Provider name**: `memoryLimit`**Description**: Optional. The memory limit of the container.
        - `memory_request`**Type**: `STRING`**Provider name**: `memoryRequest`**Description**: Optional. The memory request of the container.
      - `deployment_name`**Type**: `STRING`**Provider name**: `deploymentName`**Description**: Required. The name of the deployment resource to be overridden.
      - `deployment_namespace`**Type**: `STRING`**Provider name**: `deploymentNamespace`**Description**: Required. The namespace of the deployment resource to be overridden.
    - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Optional. Enables the installation of ConfigSync. If set to true, ConfigSync resources will be created and the other ConfigSync fields will be applied if they exist. If set to false, all other ConfigSync fields will be ignored and ConfigSync resources will be deleted. If omitted, ConfigSync resources will be managed depending on the presence of the git or oci field.
    - `git`**Type**: `STRUCT`**Provider name**: `git`**Description**: Optional. Git repo configuration for the cluster.
      - `gcp_service_account_email`**Type**: `STRING`**Provider name**: `gcpServiceAccountEmail`**Description**: Optional. The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount.
      - `https_proxy`**Type**: `STRING`**Provider name**: `httpsProxy`**Description**: Optional. URL for the HTTPS proxy to be used when communicating with the Git repo.
      - `policy_dir`**Type**: `STRING`**Provider name**: `policyDir`**Description**: Optional. The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository.
      - `secret_type`**Type**: `STRING`**Provider name**: `secretType`**Description**: Required. Type of secret configured for access to the Git repo. Must be one of ssh, cookiefile, gcenode, token, gcpserviceaccount, githubapp or none. The validation of this is case-sensitive.
      - `sync_branch`**Type**: `STRING`**Provider name**: `syncBranch`**Description**: Optional. The branch of the repository to sync from. Default: master.
      - `sync_repo`**Type**: `STRING`**Provider name**: `syncRepo`**Description**: Required. The URL of the Git repository to use as the source of truth.
      - `sync_rev`**Type**: `STRING`**Provider name**: `syncRev`**Description**: Optional. Git revision (tag or hash) to check out. Default HEAD.
      - `sync_wait_secs`**Type**: `INT64`**Provider name**: `syncWaitSecs`**Description**: Optional. Period in seconds between consecutive syncs. Default: 15.
    - `metrics_gcp_service_account_email`**Type**: `STRING`**Provider name**: `metricsGcpServiceAccountEmail`**Description**: Optional. The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount `default` in the namespace `config-management-monitoring` should be bound to the GSA. Deprecated: If Workload Identity Federation for GKE is enabled, Google Cloud Service Account is no longer needed for exporting Config Sync metrics: [https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/monitor-config-sync-cloud-monitoring#custom-monitoring](https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/monitor-config-sync-cloud-monitoring#custom-monitoring).
    - `oci`**Type**: `STRUCT`**Provider name**: `oci`**Description**: Optional. OCI repo configuration for the cluster
      - `gcp_service_account_email`**Type**: `STRING`**Provider name**: `gcpServiceAccountEmail`**Description**: Optional. The Google Cloud Service Account Email used for auth when secret_type is gcpServiceAccount.
      - `policy_dir`**Type**: `STRING`**Provider name**: `policyDir`**Description**: Optional. The absolute path of the directory that contains the local resources. Default: the root directory of the image.
      - `secret_type`**Type**: `STRING`**Provider name**: `secretType`**Description**: Required. Type of secret configured for access to the OCI repo. Must be one of gcenode, gcpserviceaccount, k8sserviceaccount or none. The validation of this is case-sensitive.
      - `sync_repo`**Type**: `STRING`**Provider name**: `syncRepo`**Description**: Required. The OCI image repository URL for the package to sync from. e.g. `LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME`.
      - `sync_wait_secs`**Type**: `INT64`**Provider name**: `syncWaitSecs`**Description**: Optional. Period in seconds between consecutive syncs. Default: 15.
    - `prevent_drift`**Type**: `BOOLEAN`**Provider name**: `preventDrift`**Description**: Optional. Set to true to enable the Config Sync admission webhook to prevent drifts. If set to `false`, disables the Config Sync admission webhook and does not prevent drifts.
    - `source_format`**Type**: `STRING`**Provider name**: `sourceFormat`**Description**: Optional. Specifies whether the Config Sync Repo is in "hierarchical" or "unstructured" mode.
    - `stop_syncing`**Type**: `BOOLEAN`**Provider name**: `stopSyncing`**Description**: Optional. Set to true to stop syncing configs for a single cluster. Defaults to false.
  - `hierarchy_controller`**Type**: `STRUCT`**Provider name**: `hierarchyController`**Description**: Optional. Hierarchy Controller configuration for the cluster. Deprecated: Configuring Hierarchy Controller through the configmanagement feature is no longer recommended. Use [https://github.com/kubernetes-sigs/hierarchical-namespaces](https://github.com/kubernetes-sigs/hierarchical-namespaces) instead.
    - `enable_hierarchical_resource_quota`**Type**: `BOOLEAN`**Provider name**: `enableHierarchicalResourceQuota`**Description**: Whether hierarchical resource quota is enabled in this cluster.
    - `enable_pod_tree_labels`**Type**: `BOOLEAN`**Provider name**: `enablePodTreeLabels`**Description**: Whether pod tree labels are enabled in this cluster.
    - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Whether Hierarchy Controller is enabled in this cluster.
  - `management`**Type**: `STRING`**Provider name**: `management`**Description**: Optional. Enables automatic Feature management.**Possible values**:
    - `MANAGEMENT_UNSPECIFIED` - Unspecified
    - `MANAGEMENT_AUTOMATIC` - Google will manage the Feature for the cluster.
    - `MANAGEMENT_MANUAL` - User will manually manage the Feature for the cluster.
  - `policy_controller`**Type**: `STRUCT`**Provider name**: `policyController`**Description**: Optional. Policy Controller configuration for the cluster. Deprecated: Configuring Policy Controller through the configmanagement feature is no longer recommended. Use the policycontroller feature instead.
    - `audit_interval_seconds`**Type**: `INT64`**Provider name**: `auditIntervalSeconds`**Description**: Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.
    - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect.
    - `exemptable_namespaces`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `exemptableNamespaces`**Description**: The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.
    - `log_denies_enabled`**Type**: `BOOLEAN`**Provider name**: `logDeniesEnabled`**Description**: Logs all denies and dry run failures.
    - `monitoring`**Type**: `STRUCT`**Provider name**: `monitoring`**Description**: Monitoring specifies the configuration of monitoring.
      - `backends`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `backends`**Description**: Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.
    - `mutation_enabled`**Type**: `BOOLEAN`**Provider name**: `mutationEnabled`**Description**: Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster.
    - `referential_rules_enabled`**Type**: `BOOLEAN`**Provider name**: `referentialRulesEnabled`**Description**: Enables the ability to use Constraint Templates that reference objects other than the object currently being evaluated.
    - `template_library_installed`**Type**: `BOOLEAN`**Provider name**: `templateLibraryInstalled`**Description**: Installs the default template library along with Policy Controller.
    - `update_time`**Type**: `TIMESTAMP`**Provider name**: `updateTime`**Description**: Output only. Last time this membership spec was updated.
  - `version`**Type**: `STRING`**Provider name**: `version`**Description**: Optional. Version of ACM installed.
- `identityservice`**Type**: `STRUCT`**Provider name**: `identityservice`**Description**: Identity Service-specific spec.
  - `auth_methods`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `authMethods`**Description**: A member may support multiple auth methods.
    - `azuread_config`**Type**: `STRUCT`**Provider name**: `azureadConfig`**Description**: AzureAD specific Configuration.
      - `client_id`**Type**: `STRING`**Provider name**: `clientId`**Description**: ID for the registered client application that makes authentication requests to the Azure AD identity provider.
      - `client_secret`**Type**: `STRING`**Provider name**: `clientSecret`**Description**: Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH.
      - `group_format`**Type**: `STRING`**Provider name**: `groupFormat`**Description**: Optional. Format of the AzureAD groups that the client wants for auth.
      - `kubectl_redirect_uri`**Type**: `STRING`**Provider name**: `kubectlRedirectUri`**Description**: The redirect URL that kubectl uses for authorization.
      - `tenant`**Type**: `STRING`**Provider name**: `tenant`**Description**: Kind of Azure AD account to be authenticated. Supported values are or for accounts belonging to a specific tenant.
      - `user_claim`**Type**: `STRING`**Provider name**: `userClaim`**Description**: Optional. Claim in the AzureAD ID Token that holds the user details.
    - `google_config`**Type**: `STRUCT`**Provider name**: `googleConfig`**Description**: GoogleConfig specific configuration.
      - `disable`**Type**: `BOOLEAN`**Provider name**: `disable`**Description**: Disable automatic configuration of Google Plugin on supported platforms.
    - `ldap_config`**Type**: `STRUCT`**Provider name**: `ldapConfig`**Description**: LDAP specific configuration.
      - `group`**Type**: `STRUCT`**Provider name**: `group`**Description**: Optional. Contains the properties for locating and authenticating groups in the directory.
        - `base_dn`**Type**: `STRING`**Provider name**: `baseDn`**Description**: Required. The location of the subtree in the LDAP directory to search for group entries.
        - `filter`**Type**: `STRING`**Provider name**: `filter`**Description**: Optional. Filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the number of groups returned for each user. This defaults to "(objectClass=Group)".
        - `id_attribute`**Type**: `STRING`**Provider name**: `idAttribute`**Description**: Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName".
      - `server`**Type**: `STRUCT`**Provider name**: `server`**Description**: Required. Server settings for the external LDAP server.
        - `connection_type`**Type**: `STRING`**Provider name**: `connectionType`**Description**: Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty.
        - `host`**Type**: `STRING`**Provider name**: `host`**Description**: Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389".
      - `service_account`**Type**: `STRUCT`**Provider name**: `serviceAccount`**Description**: Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate.
        - `simple_bind_credentials`**Type**: `STRUCT`**Provider name**: `simpleBindCredentials`**Description**: Credentials for basic auth.
          - `dn`**Type**: `STRING`**Provider name**: `dn`**Description**: Required. The distinguished name(DN) of the service account object/user.
          - `password`**Type**: `STRING`**Provider name**: `password`**Description**: Required. Input only. The password of the service account object/user.
      - `user`**Type**: `STRUCT`**Provider name**: `user`**Description**: Required. Defines where users exist in the LDAP directory.
        - `base_dn`**Type**: `STRING`**Provider name**: `baseDn`**Description**: Required. The location of the subtree in the LDAP directory to search for user entries.
        - `filter`**Type**: `STRING`**Provider name**: `filter`**Description**: Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)".
        - `id_attribute`**Type**: `STRING`**Provider name**: `idAttribute`**Description**: Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName".
        - `login_attribute`**Type**: `STRING`**Provider name**: `loginAttribute`**Description**: Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName".
    - `name`**Type**: `STRING`**Provider name**: `name`**Description**: Identifier for auth config.
    - `oidc_config`**Type**: `STRUCT`**Provider name**: `oidcConfig`**Description**: OIDC specific configuration.
      - `certificate_authority_data`**Type**: `STRING`**Provider name**: `certificateAuthorityData`**Description**: PEM-encoded CA for OIDC provider.
      - `client_id`**Type**: `STRING`**Provider name**: `clientId`**Description**: ID for OIDC client application.
      - `client_secret`**Type**: `STRING`**Provider name**: `clientSecret`**Description**: Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH.
      - `deploy_cloud_console_proxy`**Type**: `BOOLEAN`**Provider name**: `deployCloudConsoleProxy`**Description**: Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console.
      - `enable_access_token`**Type**: `BOOLEAN`**Provider name**: `enableAccessToken`**Description**: Enable access token.
      - `extra_params`**Type**: `STRING`**Provider name**: `extraParams`**Description**: Comma-separated list of key-value pairs.
      - `group_prefix`**Type**: `STRING`**Provider name**: `groupPrefix`**Description**: Prefix to prepend to group name.
      - `groups_claim`**Type**: `STRING`**Provider name**: `groupsClaim`**Description**: Claim in OIDC ID token that holds group information.
      - `issuer_uri`**Type**: `STRING`**Provider name**: `issuerUri`**Description**: URI for the OIDC provider. This should point to the level below .well-known/openid-configuration.
      - `kubectl_redirect_uri`**Type**: `STRING`**Provider name**: `kubectlRedirectUri`**Description**: Registered redirect uri to redirect users going through OAuth flow using kubectl plugin.
      - `scopes`**Type**: `STRING`**Provider name**: `scopes`**Description**: Comma-separated list of identifiers.
      - `user_claim`**Type**: `STRING`**Provider name**: `userClaim`**Description**: Claim in OIDC ID token that holds username.
      - `user_prefix`**Type**: `STRING`**Provider name**: `userPrefix`**Description**: Prefix to prepend to user name.
    - `proxy`**Type**: `STRING`**Provider name**: `proxy`**Description**: Proxy server address to use for auth method.
    - `saml_config`**Type**: `STRUCT`**Provider name**: `samlConfig`**Description**: SAML specific configuration.
      - `group_prefix`**Type**: `STRING`**Provider name**: `groupPrefix`**Description**: Optional. Prefix to prepend to group name.
      - `groups_attribute`**Type**: `STRING`**Provider name**: `groupsAttribute`**Description**: Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the `group_prefix`).
      - `identity_provider_certificates`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `identityProviderCertificates`**Description**: Required. The list of IdP certificates to validate the SAML response against.
      - `identity_provider_id`**Type**: `STRING`**Provider name**: `identityProviderId`**Description**: Required. The entity ID of the SAML IdP.
      - `identity_provider_sso_uri`**Type**: `STRING`**Provider name**: `identityProviderSsoUri`**Description**: Required. The URI where the SAML IdP exposes the SSO service.
      - `user_attribute`**Type**: `STRING`**Provider name**: `userAttribute`**Description**: Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the `user_prefix`).
      - `user_prefix`**Type**: `STRING`**Provider name**: `userPrefix`**Description**: Optional. Prefix to prepend to user name.
  - `identity_service_options`**Type**: `STRUCT`**Provider name**: `identityServiceOptions`**Description**: Optional. non-protocol-related configuration options.
    - `diagnostic_interface`**Type**: `STRUCT`**Provider name**: `diagnosticInterface`**Description**: Configuration options for the AIS diagnostic interface.
      - `enabled`**Type**: `BOOLEAN`**Provider name**: `enabled`**Description**: Determines whether to enable the diagnostic interface.
      - `expiration_time`**Type**: `TIMESTAMP`**Provider name**: `expirationTime`**Description**: Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected.
    - `session_duration`**Type**: `STRING`**Provider name**: `sessionDuration`**Description**: Determines the lifespan of STS tokens issued by Anthos Identity Service.
- `mesh`**Type**: `STRUCT`**Provider name**: `mesh`**Description**: Anthos Service Mesh-specific spec
  - `config_api`**Type**: `STRING`**Provider name**: `configApi`**Description**: Optional. Specifies the API that will be used for configuring the mesh workloads.**Possible values**:
    - `CONFIG_API_UNSPECIFIED` - Unspecified
    - `CONFIG_API_ISTIO` - Use the Istio API for configuration.
    - `CONFIG_API_GATEWAY` - Use the K8s Gateway API for configuration.
  - `control_plane`**Type**: `STRING`**Provider name**: `controlPlane`**Description**: Deprecated: use `management` instead. Enables automatic control plane management.**Possible values**:
    - `CONTROL_PLANE_MANAGEMENT_UNSPECIFIED` - Unspecified
    - `AUTOMATIC` - Google should provision a control plane revision and make it available in the cluster. Google will enroll this revision in a release channel and keep it up to date. The control plane revision may be a managed service, or a managed install.
    - `MANUAL` - User will manually configure the control plane (e.g. via CLI, or via the ControlPlaneRevision KRM API)
  - `management`**Type**: `STRING`**Provider name**: `management`**Description**: Optional. Enables automatic Service Mesh management.**Possible values**:
    - `MANAGEMENT_UNSPECIFIED` - Unspecified
    - `MANAGEMENT_AUTOMATIC` - Google should manage my Service Mesh for the cluster.
    - `MANAGEMENT_MANUAL` - User will manually configure their service mesh components.
    - `MANAGEMENT_NOT_INSTALLED` - Google should remove any managed Service Mesh components from this cluster and deprovision any resources.
- `policycontroller`**Type**: `STRUCT`**Provider name**: `policycontroller`**Description**: Policy Controller spec.
  - `policy_controller_hub_config`**Type**: `STRUCT`**Provider name**: `policyControllerHubConfig`**Description**: Policy Controller configuration for the cluster.
    - `audit_interval_seconds`**Type**: `INT64`**Provider name**: `auditIntervalSeconds`**Description**: Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether.
    - `constraint_violation_limit`**Type**: `INT64`**Provider name**: `constraintViolationLimit`**Description**: The maximum number of audit violations to be stored in a constraint. If not set, the internal default (currently 20) will be used.
    - `exemptable_namespaces`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `exemptableNamespaces`**Description**: The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster.
    - `install_spec`**Type**: `STRING`**Provider name**: `installSpec`**Description**: The install_spec represents the intended state specified by the latest request that mutated install_spec in the feature spec, not the lifecycle state of the feature observed by the Hub feature controller that is reported in the feature state.**Possible values**:
      - `INSTALL_SPEC_UNSPECIFIED` - Spec is unknown.
      - `INSTALL_SPEC_NOT_INSTALLED` - Request to uninstall Policy Controller.
      - `INSTALL_SPEC_ENABLED` - Request to install and enable Policy Controller.
      - `INSTALL_SPEC_SUSPENDED` - Request to suspend Policy Controller i.e. its webhooks. If Policy Controller is not installed, it will be installed but suspended.
      - `INSTALL_SPEC_DETACHED` - Request to stop all reconciliation actions by PoCo Hub controller. This is a breakglass mechanism to stop PoCo Hub from affecting cluster resources.
    - `log_denies_enabled`**Type**: `BOOLEAN`**Provider name**: `logDeniesEnabled`**Description**: Logs all denies and dry run failures.
    - `monitoring`**Type**: `STRUCT`**Provider name**: `monitoring`**Description**: Monitoring specifies the configuration of monitoring.
      - `backends`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `backends`**Description**: Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export.
    - `mutation_enabled`**Type**: `BOOLEAN`**Provider name**: `mutationEnabled`**Description**: Enables the ability to mutate resources using Policy Controller.
    - `policy_content`**Type**: `STRUCT`**Provider name**: `policyContent`**Description**: Specifies the desired policy content on the cluster
      - `template_library`**Type**: `STRUCT`**Provider name**: `templateLibrary`**Description**: Configures the installation of the Template Library.
        - `installation`**Type**: `STRING`**Provider name**: `installation`**Description**: Configures the manner in which the template library is installed on the cluster.**Possible values**:
          - `INSTALLATION_UNSPECIFIED` - No installation strategy has been specified.
          - `NOT_INSTALLED` - Do not install the template library.
          - `ALL` - Install the entire template library.
    - `referential_rules_enabled`**Type**: `BOOLEAN`**Provider name**: `referentialRulesEnabled`**Description**: Enables the ability to use Constraint Templates that reference objects other than the object currently being evaluated.
  - `version`**Type**: `STRING`**Provider name**: `version`**Description**: Version of Policy Controller installed.

## `labels`{% #labels %}

**Type**: `UNORDERED_LIST_STRING`

## `name`{% #name %}

**Type**: `STRING`**Provider name**: `name`**Description**: Output only. The full, unique name of this Feature resource in the format `projects/*/locations/*/features/*`.

## `organization_id`{% #organization_id %}

**Type**: `STRING`

## `parent`{% #parent %}

**Type**: `STRING`

## `project_id`{% #project_id %}

**Type**: `STRING`

## `project_number`{% #project_number %}

**Type**: `STRING`

## `region_id`{% #region_id %}

**Type**: `STRING`

## `resource_name`{% #resource_name %}

**Type**: `STRING`

## `resource_state`{% #resource_state %}

**Type**: `STRUCT`**Provider name**: `resourceState`**Description**: Output only. State of the Feature resource itself.

- `state`**Type**: `STRING`**Provider name**: `state`**Description**: The current state of the Feature resource in the Hub API.**Possible values**:
  - `STATE_UNSPECIFIED` - State is unknown or not set.
  - `ENABLING` - The Feature is being enabled, and the Feature resource is being created. Once complete, the corresponding Feature will be enabled in this Fleet.
  - `ACTIVE` - The Feature is enabled in this Fleet, and the Feature resource is fully available.
  - `DISABLING` - The Feature is being disabled in this Fleet, and the Feature resource is being deleted.
  - `UPDATING` - The Feature resource is being updated.
  - `SERVICE_UPDATING` - The Feature resource is being updated by the Hub Service.

## `spec`{% #spec %}

**Type**: `STRUCT`**Provider name**: `spec`**Description**: Optional. Fleet-wide Feature configuration. If this Feature does not support any Fleet-wide configuration, this field may be unused.

- `appdevexperience`**Type**: `STRUCT`**Provider name**: `appdevexperience`**Description**: Appdevexperience specific spec.

- `clusterupgrade`**Type**: `STRUCT`**Provider name**: `clusterupgrade`**Description**: ClusterUpgrade (fleet-based) feature spec.

  - `gke_upgrade_overrides`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `gkeUpgradeOverrides`**Description**: Allow users to override some properties of each GKE upgrade.
    - `post_conditions`**Type**: `STRUCT`**Provider name**: `postConditions`**Description**: Required. Post conditions to override for the specified upgrade (name + version).
      - `soaking`**Type**: `STRING`**Provider name**: `soaking`**Description**: Required. Amount of time to "soak" after a rollout has been finished before marking it COMPLETE. Cannot exceed 30 days.
    - `upgrade`**Type**: `STRUCT`**Provider name**: `upgrade`**Description**: Required. Which upgrade to override.
      - `name`**Type**: `STRING`**Provider name**: `name`**Description**: Name of the upgrade, e.g., "k8s_control_plane". It should be a valid upgrade name. It must not exceed 99 characters.
      - `version`**Type**: `STRING`**Provider name**: `version`**Description**: Version of the upgrade, e.g., "1.22.1-gke.100". It should be a valid version. It must not exceed 99 characters.
  - `post_conditions`**Type**: `STRUCT`**Provider name**: `postConditions`**Description**: Required. Post conditions to evaluate to mark an upgrade COMPLETE.
    - `soaking`**Type**: `STRING`**Provider name**: `soaking`**Description**: Required. Amount of time to "soak" after a rollout has been finished before marking it COMPLETE. Cannot exceed 30 days.
  - `upstream_fleets`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `upstreamFleets`**Description**: This fleet consumes upgrades that have COMPLETE status code in the upstream fleets. See UpgradeStatus.Code for code definitions. The fleet name should be either the fleet project number or id. This is defined as repeated for future-proofing. The initial implementation will enforce at most one upstream fleet.

- `dataplanev2`**Type**: `STRUCT`**Provider name**: `dataplanev2`**Description**: DataplaneV2 feature spec.

  - `enable_encryption`**Type**: `BOOLEAN`**Provider name**: `enableEncryption`**Description**: Enable dataplane-v2 based encryption for multiple clusters.

- `fleetobservability`**Type**: `STRUCT`**Provider name**: `fleetobservability`**Description**: FleetObservability feature spec.

  - `logging_config`**Type**: `STRUCT`**Provider name**: `loggingConfig`**Description**: Specified if fleet logging feature is enabled for the entire fleet. If UNSPECIFIED, fleet logging feature is disabled for the entire fleet.
    - `default_config`**Type**: `STRUCT`**Provider name**: `defaultConfig`**Description**: Specified if applying the default routing config to logs not specified in other configs.
      - `mode`**Type**: `STRING`**Provider name**: `mode`**Description**: mode configures the logs routing mode.**Possible values**:
        - `MODE_UNSPECIFIED` - If UNSPECIFIED, fleet logging feature is disabled.
        - `COPY` - logs will be copied to the destination project.
        - `MOVE` - logs will be moved to the destination project.
    - `fleet_scope_logs_config`**Type**: `STRUCT`**Provider name**: `fleetScopeLogsConfig`**Description**: Specified if applying the routing config to all logs for all fleet scopes.
      - `mode`**Type**: `STRING`**Provider name**: `mode`**Description**: mode configures the logs routing mode.**Possible values**:
        - `MODE_UNSPECIFIED` - If UNSPECIFIED, fleet logging feature is disabled.
        - `COPY` - logs will be copied to the destination project.
        - `MOVE` - logs will be moved to the destination project.

- `multiclusteringress`**Type**: `STRUCT`**Provider name**: `multiclusteringress`**Description**: Multicluster Ingress-specific spec.

  - `config_membership`**Type**: `STRING`**Provider name**: `configMembership`**Description**: Fully-qualified Membership name which hosts the MultiClusterIngress CRD. Example: `projects/foo-proj/locations/global/memberships/bar`

- `rbacrolebindingactuation`**Type**: `STRUCT`**Provider name**: `rbacrolebindingactuation`**Description**: RBAC Role Binding Actuation feature spec

  - `allowed_custom_roles`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `allowedCustomRoles`**Description**: The list of allowed custom roles (ClusterRoles). If a ClusterRole is not part of this list, it cannot be used in a Scope RBACRoleBinding. If a ClusterRole in this list is in use, it cannot be removed from the list.

## `state`{% #state %}

**Type**: `STRUCT`**Provider name**: `state`**Description**: Output only. The Fleet-wide Feature state.

- `appdevexperience`**Type**: `STRUCT`**Provider name**: `appdevexperience`**Description**: Appdevexperience specific state.

  - `networking_install_succeeded`**Type**: `STRUCT`**Provider name**: `networkingInstallSucceeded`**Description**: Status of subcomponent that detects configured Service Mesh resources.
    - `code`**Type**: `STRING`**Provider name**: `code`**Description**: Code specifies AppDevExperienceFeature's subcomponent ready state.**Possible values**:
      - `CODE_UNSPECIFIED` - Not set.
      - `OK` - AppDevExperienceFeature's specified subcomponent is ready.
      - `FAILED` - AppDevExperienceFeature's specified subcomponent ready state is false. This means AppDevExperienceFeature has encountered an issue that blocks all, or a portion, of its normal operation. See the `description` for more details.
      - `UNKNOWN` - AppDevExperienceFeature's specified subcomponent has a pending or unknown state.
    - `description`**Type**: `STRING`**Provider name**: `description`**Description**: Description is populated if Code is Failed, explaining why it has failed.

- `clusterupgrade`**Type**: `STRUCT`**Provider name**: `clusterupgrade`**Description**: ClusterUpgrade fleet-level state.

  - `downstream_fleets`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `downstreamFleets`**Description**: The fleets whose upstream_fleets contain the current fleet. The fleet name should be either fleet project number or id.
  - `gke_state`**Type**: `STRUCT`**Provider name**: `gkeState`**Description**: Feature state for GKE clusters.
    - `conditions`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `conditions`**Description**: Current conditions of the feature.
      - `gcp_status`**Type**: `STRING`**Provider name**: `status`**Description**: Status of the condition, one of True, False, Unknown.
      - `reason`**Type**: `STRING`**Provider name**: `reason`**Description**: Reason why the feature is in this status.
      - `type`**Type**: `STRING`**Provider name**: `type`**Description**: Type of the condition, for example, "ready".
      - `update_time`**Type**: `TIMESTAMP`**Provider name**: `updateTime`**Description**: Last timestamp the condition was updated.
    - `upgrade_state`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `upgradeState`**Description**: Upgrade state. It will eventually replace `state`.
      - `gcp_status`**Type**: `STRUCT`**Provider name**: `status`**Description**: Status of the upgrade.
        - `code`**Type**: `STRING`**Provider name**: `code`**Description**: Status code of the upgrade.**Possible values**:
          - `CODE_UNSPECIFIED` - Required by [https://linter.aip.dev/126/unspecified](https://linter.aip.dev/126/unspecified).
          - `INELIGIBLE` - The upgrade is ineligible. At the scope level, this means the upgrade is ineligible for all the clusters in the scope.
          - `PENDING` - The upgrade is pending. At the scope level, this means the upgrade is pending for all the clusters in the scope.
          - `IN_PROGRESS` - The upgrade is in progress. At the scope level, this means the upgrade is in progress for at least one cluster in the scope.
          - `SOAKING` - The upgrade has finished and is soaking until the soaking time is up. At the scope level, this means at least one cluster is in soaking while the rest are either soaking or complete.
          - `FORCED_SOAKING` - A cluster will be forced to enter soaking if an upgrade doesn't finish within a certain limit, despite its actual status.
          - `COMPLETE` - The upgrade has passed all post conditions (soaking). At the scope level, this means all eligible clusters are in COMPLETE status.
          - `FORCED_COMPLETE` - The upgrade was forced into soaking and the soaking time has passed. This is the equivalent of COMPLETE status for upgrades that were forced into soaking.
        - `reason`**Type**: `STRING`**Provider name**: `reason`**Description**: Reason for this status.
        - `update_time`**Type**: `TIMESTAMP`**Provider name**: `updateTime`**Description**: Last timestamp the status was updated.
      - `upgrade`**Type**: `STRUCT`**Provider name**: `upgrade`**Description**: Which upgrade to track the state.
        - `name`**Type**: `STRING`**Provider name**: `name`**Description**: Name of the upgrade, e.g., "k8s_control_plane". It should be a valid upgrade name. It must not exceed 99 characters.
        - `version`**Type**: `STRING`**Provider name**: `version`**Description**: Version of the upgrade, e.g., "1.22.1-gke.100". It should be a valid version. It must not exceed 99 characters.

- `fleetobservability`**Type**: `STRUCT`**Provider name**: `fleetobservability`**Description**: FleetObservability feature state.

  - `logging`**Type**: `STRUCT`**Provider name**: `logging`**Description**: The feature state of default logging.
    - `default_log`**Type**: `STRUCT`**Provider name**: `defaultLog`**Description**: The base feature state of fleet default log.
      - `code`**Type**: `STRING`**Provider name**: `code`**Description**: The high-level, machine-readable status of this Feature.**Possible values**:
        - `CODE_UNSPECIFIED` - Unknown or not set.
        - `OK` - The Feature is operating normally.
        - `ERROR` - The Feature is encountering errors in the reconciliation. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.
      - `errors`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `errors`**Description**: Errors after reconciling the monitoring and logging feature if the code is not OK.
        - `code`**Type**: `STRING`**Provider name**: `code`**Description**: The code of the error.
        - `description`**Type**: `STRING`**Provider name**: `description`**Description**: A human-readable description of the current status.
    - `scope_log`**Type**: `STRUCT`**Provider name**: `scopeLog`**Description**: The base feature state of fleet scope log.
      - `code`**Type**: `STRING`**Provider name**: `code`**Description**: The high-level, machine-readable status of this Feature.**Possible values**:
        - `CODE_UNSPECIFIED` - Unknown or not set.
        - `OK` - The Feature is operating normally.
        - `ERROR` - The Feature is encountering errors in the reconciliation. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.
      - `errors`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `errors`**Description**: Errors after reconciling the monitoring and logging feature if the code is not OK.
        - `code`**Type**: `STRING`**Provider name**: `code`**Description**: The code of the error.
        - `description`**Type**: `STRING`**Provider name**: `description`**Description**: A human-readable description of the current status.
  - `monitoring`**Type**: `STRUCT`**Provider name**: `monitoring`**Description**: The feature state of fleet monitoring.
    - `state`**Type**: `STRUCT`**Provider name**: `state`**Description**: The base feature state of fleet monitoring feature.
      - `code`**Type**: `STRING`**Provider name**: `code`**Description**: The high-level, machine-readable status of this Feature.**Possible values**:
        - `CODE_UNSPECIFIED` - Unknown or not set.
        - `OK` - The Feature is operating normally.
        - `ERROR` - The Feature is encountering errors in the reconciliation. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.
      - `errors`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `errors`**Description**: Errors after reconciling the monitoring and logging feature if the code is not OK.
        - `code`**Type**: `STRING`**Provider name**: `code`**Description**: The code of the error.
        - `description`**Type**: `STRING`**Provider name**: `description`**Description**: A human-readable description of the current status.

- `rbacrolebindingactuation`**Type**: `STRUCT`**Provider name**: `rbacrolebindingactuation`**Description**: RBAC Role Binding Actuation feature state

- `state`**Type**: `STRUCT`**Provider name**: `state`**Description**: Output only. The "running state" of the Feature in this Fleet.

  - `code`**Type**: `STRING`**Provider name**: `code`**Description**: The high-level, machine-readable status of this Feature.**Possible values**:
    - `CODE_UNSPECIFIED` - Unknown or not set.
    - `OK` - The Feature is operating normally.
    - `WARNING` - The Feature has encountered an issue, and is operating in a degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.
    - `ERROR` - The Feature is not operating or is in a severely degraded state. The Feature may need intervention to return to normal operation. See the description and any associated Feature-specific details for more information.
  - `description`**Type**: `STRING`**Provider name**: `description`**Description**: A human-readable description of the current status.
  - `update_time`**Type**: `TIMESTAMP`**Provider name**: `updateTime`**Description**: The time this status and any related Feature-specific details were updated.

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `unreachable`{% #unreachable %}

**Type**: `UNORDERED_LIST_STRING`**Provider name**: `unreachable`**Description**: Output only. List of locations that could not be reached while fetching this feature.

## `update_time`{% #update_time %}

**Type**: `TIMESTAMP`**Provider name**: `updateTime`**Description**: Output only. When the Feature resource was last updated.

## `zone_id`{% #zone_id %}

**Type**: `STRING`
