本页面介绍了如何使用组织政策服务自定义限制条件来限制对以下 Google Cloud 资源执行的特定操作:
container.googleapis.com/Clustercontainer.googleapis.com/NodePool
如需详细了解组织政策,请参阅自定义组织政策。
组织政策和限制条件简介
借助 Google Cloud 组织政策服务,您可以对组织的资源进行程序化集中控制。作为组织政策管理员,您可以定义组织政策,这是一组称为限制条件的限制,会应用于 Google Cloud 资源层次结构中的Google Cloud 资源及其后代。您可以在组织、文件夹或项目级强制执行组织政策。
组织政策为各种 Google Cloud 服务提供内置的托管式限制。但是,如果您想要更精细地控制和自定义组织政策中受限的特定字段,还可以创建自定义限制条件并在组织政策中使用这些自定义限制条件。
政策继承
如果您对资源强制执行政策,默认情况下,该资源的后代会继承组织政策。例如,如果您对某个文件夹强制执行一项政策, Google Cloud 会对该文件夹中的所有项目强制执行该政策。如需详细了解此行为及其更改方式,请参阅层次结构评估规则。
限制
不支持以下仅限输出的字段:
projects.locations.clusters.masterAuth.clientKeyprojects.locations.clusters.masterAuth.password
准备工作
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
-
Install the Google Cloud CLI.
-
如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI。
-
如需初始化 gcloud CLI,请运行以下命令:
gcloud init -
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
-
Install the Google Cloud CLI.
-
如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI。
-
如需初始化 gcloud CLI,请运行以下命令:
gcloud init - 请确保您知道您的组织 ID。
-
创建和管理组织政策:组织、文件夹或项目的 Organization Policy Administrator (
roles/orgpolicy.policyAdmin) -
创建集群:项目的 Kubernetes Engine Cluster Admin (
roles/container.clusterAdmin) - 在 Google Cloud 控制台中,转到组织政策页面。
- 在项目选择器中,选择要为其设置组织政策的项目。
- 点击 自定义限制条件。
- 在显示名称框中,为限制条件输入一个人类可读名称。此名称会在错误消息中使用,并可用于识别和调试用途。请勿在显示名称中使用个人身份信息或敏感数据,因为此名称可能会在错误消息中公开。此字段最多可包含 200 个字符。
-
在限制条件 ID 框中,为新的自定义限制条件输入所需的名称。自定义限制条件只能包含字母(包括大写和小写)或数字,例如
custom.disableGkeAutoUpgrade。此字段最多可包含 70 个字符,不计算前缀 (custom.),例如organizations/123456789/customConstraints/custom。请勿在限制条件 ID 中包含个人身份信息或敏感数据,因为该 ID 可能会在错误消息中公开。 - 在说明框中,输入人类可读的限制条件说明。当违反政策时,此说明将用作错误消息。请包含有关发生违规的原因以及如何解决违规问题的详细信息。请勿在说明中包含个人身份信息或敏感数据,因为该说明可能会在错误消息中公开。 此字段最多可包含 2000 个字符。
-
在资源类型框中,选择包含要限制的对象和字段的 Google Cloud REST 资源的名称,例如
container.googleapis.com/NodePool。大多数资源类型最多支持 20 个自定义限制条件。如果您尝试创建更多自定义限制条件,操作将会失败。 - 在强制执行方法下,选择是对 REST CREATE 方法强制执行限制条件,还是同时对 CREATE 和 UPDATE 方法强制执行限制条件。如果您对违反限制条件的资源使用 UPDATE 方法强制执行限制条件,除非更改解决了违规问题,否则组织政策会阻止对该资源的更改。
- 如需定义条件,请点击 修改条件。
-
在添加条件面板中,创建一个引用受支持服务资源的 CEL 条件,例如
resource.management.autoUpgrade == false。此字段最多可包含 1,000 个字符。如需详细了解 CEL 用法,请参阅通用表达式语言。 如需详细了解可在自定义限制条件中使用的服务资源,请参阅自定义限制条件支持的服务。 - 点击保存。
- 在操作下,选择在满足条件时是允许还是拒绝评估的方法。
- 点击创建限制条件。
- 如需创建自定义限制条件,请使用以下格式创建 YAML 文件:
ORGANIZATION_ID:您的组织 ID,例如123456789。-
CONSTRAINT_NAME:新的自定义限制条件的名称。自定义限制条件只能包含字母(包括大写和小写)或数字,例如custom.enableGkeAutopilot。此字段最多可包含 70 个字符。 -
RESOURCE_NAME:包含要限制的对象和字段的 Google Cloud资源的完全限定名称。例如container.googleapis.com/Cluster。 -
CONDITION:针对受支持服务资源的表示形式编写的 CEL 条件。此字段最多可包含 1,000 个字符。例如"resource.autopilot.enabled == false"。 -
ACTION:满足condition时要执行的操作。 可能的值包括ALLOW和DENY。 -
DISPLAY_NAME:限制条件的直观易记名称。此字段最多可包含 200 个字符。 -
DESCRIPTION:直观易懂的限制条件说明,当违反政策时会作为错误消息显示。此字段最多可包含 2000 个字符。 -
为新的自定义限制条件创建 YAML 文件后,您必须对其进行设置,以使其可用于组织中的组织政策。如需设置自定义限制条件,请使用
gcloud org-policies set-custom-constraint命令: - 如需验证自定义限制条件是否存在,请使用
gcloud org-policies list-custom-constraints命令: - 在 Google Cloud 控制台中,前往组织政策页面。
- 在项目选择器中,选择要为其设置组织政策的项目。
- 从组织政策页面上的列表中选择您的限制条件,以查看该限制条件的政策详情页面。
- 如需为该资源配置组织政策,请点击管理政策。
- 在修改政策页面,选择覆盖父级政策。
- 点击添加规则。
- 在强制执行部分中,选择是否强制执行此组织政策。
- (可选)如需使组织政策成为基于某个标记的条件性政策,请点击添加条件。请注意,如果您向组织政策添加条件规则,则必须至少添加一个无条件规则,否则无法保存政策。如需了解详情,请参阅设置带有标记的组织政策。
- 点击测试更改以模拟组织政策的效果。如需了解详情,请参阅使用 Policy Simulator 测试组织政策更改。
- 如需在试运行模式下强制执行组织政策,请点击设置试运行政策。如需了解详情,请参阅在试运行模式下创建组织政策。
- 验证试运行模式下的组织政策按预期运行后,点击设置政策来设置现行政策。
- 如需创建包含布尔值规则的组织政策,请创建引用该限制条件的 YAML 政策文件:
-
PROJECT_ID:要对其强制执行您的限制条件的项目。 -
CONSTRAINT_NAME:您为自定义限制条件定义的名称。例如,custom.enableGkeAutopilot。 -
如需在试运行模式下强制执行组织政策,请运行以下带有
dryRunSpec标志的命令: -
验证试运行模式下的组织政策按预期运行后,使用
org-policies set-policy命令和spec标志设置现行政策: 将以下文件保存为
constraint-enable-autopilot.yaml:name: organizations/ORGANIZATION_ID/customConstraints/custom.enableGkeAutopilot resourceTypes: - container.googleapis.com/Cluster methodTypes: - CREATE condition: "resource.autopilot.enabled == false" actionType: DENY displayName: Enable GKE Autopilot description: All new clusters must be Autopilot clusters.将
ORGANIZATION_ID替换为您的组织 ID。此文件定义了一个限制条件,对于每个新集群,如果集群模式不是 Autopilot,则操作将被拒绝。
应用限制条件:
gcloud org-policies set-custom-constraint ~/constraint-enable-autopilot.yaml验证限制条件存在:
gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID输出类似于以下内容:
CUSTOM_CONSTRAINT ACTION_TYPE METHOD_TYPES RESOURCE_TYPES DISPLAY_NAME custom.enableGkeAutopilot DENY CREATE container.googleapis.com/Cluster Enable GKE Autopilot ...将以下文件保存为
policy-enable-autopilot.yaml:name: projects/PROJECT_ID/policies/custom.enableGkeAutopilot spec: rules: - enforce: true将
PROJECT_ID替换为您的项目 ID。应用政策:
gcloud org-policies set-policy ~/policy-enable-autopilot.yaml验证政策存在:
gcloud org-policies list --project=PROJECT_ID输出类似于以下内容:
CONSTRAINT LIST_POLICY BOOLEAN_POLICY ETAG custom.enableGkeAutopilot - SET COCsm5QGENiXi2E=PROJECT_ID:政策所属项目的项目 ID。CONTROL_PLANE_LOCATION:集群控制平面的 Compute Engine 位置。为区域级集群提供区域,或为可用区级集群提供可用区。- 请参阅有关如何强化集群安全性的最佳实践。
- 了解如何根据标记设置组织政策。
- 了解如何要求在所有 GKE 节点上启用虚拟机管理器。
- 详细了解组织政策服务。
- 详细了解如何创建和管理组织政策。
- 查看托管式组织政策限制条件的完整列表。
所需的角色
如需获得在 GKE 中使用组织政策所需的权限,请让您的管理员为您授予以下 IAM 角色:
如需详细了解如何授予角色,请参阅管理对项目、文件夹和组织的访问权限。
设置自定义限制条件
自定义限制条件是在 YAML 文件中,由实施组织政策的服务所支持的资源、方法、条件和操作定义的。自定义限制条件的条件使用通用表达式语言 (CEL) 进行定义。如需详细了解如何使用 CEL 构建自定义限制条件中的条件,请参阅创建和管理自定义限制条件的 CEL 部分。
控制台
如需创建自定义限制条件,请执行以下操作:
并非所有 Google Cloud 服务都支持这两种方法。如需查看每种服务支持的方法,请在支持的服务中找到相应服务。
拒绝操作意味着,如果条件计算结果为 true,则创建或更新资源的操作会被阻止。
允许操作意味着,仅当条件计算结果为 true 时,才允许执行创建或更新资源的操作。除了条件中明确列出的情况之外,其他所有情况都会被阻止。
在每个字段中输入值后,右侧将显示此自定义限制条件的等效 YAML 配置。
gcloud
name: organizations/ORGANIZATION_ID/customConstraints/CONSTRAINT_NAME resourceTypes: - RESOURCE_NAME methodTypes: - CREATE
- UPDATE condition: "CONDITION" actionType: ACTION displayName: DISPLAY_NAME description: DESCRIPTION
请替换以下内容:
如需详细了解可针对其编写条件的资源,请参阅支持的资源。
允许操作意味着,如果条件计算结果为 true,则允许执行创建或更新资源的操作。这也意味着,除了条件中明确列出的情况之外,其他所有情况都会被阻止。
拒绝操作意味着,如果条件计算结果为 true,则创建或更新资源的操作会被阻止。
gcloud org-policies set-custom-constraint CONSTRAINT_PATH
将 CONSTRAINT_PATH 替换为自定义限制条件文件的完整路径。例如 /home/user/customconstraint.yaml。
此操作完成后,您的自定义限制条件将作为组织政策显示在您的 Google Cloud 组织政策列表中。
gcloud org-policies list-custom-constraints --organization=ORGANIZATION_ID
将 ORGANIZATION_ID 替换为您的组织资源的 ID。
如需了解详情,请参阅查看组织政策。
强制执行自定义组织政策
如需强制执行限制条件,您可以创建引用该限制条件的组织政策,并将该组织政策应用于 Google Cloud 资源。控制台
gcloud
name: projects/PROJECT_ID/policies/CONSTRAINT_NAME spec: rules: - enforce: true dryRunSpec: rules: - enforce: true
请替换以下内容:
gcloud org-policies set-policy POLICY_PATH \ --update-mask=dryRunSpec
将 POLICY_PATH 替换为组织政策 YAML 文件的完整路径。该政策最长需要 15 分钟才能生效。
gcloud org-policies set-policy POLICY_PATH \ --update-mask=spec
将 POLICY_PATH 替换为组织政策 YAML 文件的完整路径。该政策最长需要 15 分钟才能生效。
测试自定义组织政策
以下示例创建自定义限制条件和政策,要求项目中的所有新集群都是 Autopilot 集群。
创建限制条件
创建政策
应用政策后,请等待大约两分钟,以便 Google Cloud 开始强制执行政策。
测试政策
尝试在项目中创建 GKE Standard 集群:
gcloud container clusters create org-policy-test \
--project=PROJECT_ID \
--location=CONTROL_PLANE_LOCATION \
--num-nodes=1
替换以下内容:
输出如下所示:
Operation denied by custom org policies: ["customConstraints/custom.enableGkeAutopilot": "All new clusters must be Autopilot clusters."]
常见用例的自定义组织政策示例
以下示例介绍一些可能有用的自定义限制条件的语法:
| 说明 | 限制条件语法 |
|---|---|
| 不停用新节点池的节点自动升级 |
name: organizations/ORGANIZATION_ID/customConstraints/custom.enableAutoUpgrade resourceTypes: - container.googleapis.com/NodePool methodTypes: - CREATE condition: "resource.management.autoUpgrade == true" actionType: ALLOW displayName: Enable node auto-upgrade description: All node pools must have node auto-upgrade enabled. |
| 限制对新集群和现有集群中的集群端点的匿名访问 |
name: organizations/ORGANIZATION_ID/customConstraints/custom.gkeAnonymousAccessLimited resourceTypes: - container.googleapis.com/Cluster methodTypes: - CREATE - UPDATE condition: "resource.anonymousAuthenticationConfig.mode == LIMITED" actionType: ALLOW displayName: "Restrict anonymous access to cluster endpoints." description: "All new and updated clusters must restrict anonymous access to cluster endpoints." |
有条件的组织政策
您可以根据附加到资源的标记有条件地强制执行组织政策。例如,以下组织政策仅在资源(例如项目或集群)的 environment 标记设置为 dev 时强制执行 custom.enableAutoUpgrade 限制条件:
name: organizations/ORGANIZATION_ID/policies/custom.enableAutoUpgrade
spec:
rules:
- condition:
expression: "resource.matchTag('ORGANIZATION_ID/environment', 'dev')"
enforce: true
GKE 支持的资源
下表列出了您可以在自定义限制条件中引用的 GKE 资源。| 资源 | 字段 |
|---|---|
| container.googleapis.com/Cluster |
resource.addonsConfig.cloudRunConfig.disabled
|
resource.addonsConfig.cloudRunConfig.loadBalancerType
| |
resource.addonsConfig.configConnectorConfig.enabled
| |
resource.addonsConfig.dnsCacheConfig.enabled
| |
resource.addonsConfig.gcePersistentDiskCsiDriverConfig.enabled
| |
resource.addonsConfig.gcpFilestoreCsiDriverConfig.enabled
| |
resource.addonsConfig.gcsFuseCsiDriverConfig.enabled
| |
resource.addonsConfig.gkeBackupAgentConfig.enabled
| |
resource.addonsConfig.highScaleCheckpointingConfig.enabled
| |
resource.addonsConfig.horizontalPodAutoscaling.disabled
| |
resource.addonsConfig.httpLoadBalancing.disabled
| |
resource.addonsConfig.kubernetesDashboard.disabled
| |
resource.addonsConfig.networkPolicyConfig.disabled
| |
resource.addonsConfig.parallelstoreCsiDriverConfig.enabled
| |
resource.addonsConfig.rayOperatorConfig.enabled
| |
resource.addonsConfig.rayOperatorConfig.rayClusterLoggingConfig.enabled
| |
resource.addonsConfig.rayOperatorConfig.rayClusterMonitoringConfig.enabled
| |
resource.addonsConfig.statefulHAConfig.enabled
| |
resource.alphaClusterFeatureGates
| |
resource.anonymousAuthenticationConfig.mode
| |
resource.authenticatorGroupsConfig.enabled
| |
resource.authenticatorGroupsConfig.securityGroup
| |
resource.autopilot.enabled
| |
resource.autopilot.privilegedAdmissionConfig.allowlistPaths
| |
resource.autopilot.workloadPolicyConfig.allowNetAdmin
| |
resource.autopilot.workloadPolicyConfig.autopilotCompatibilityAuditingEnabled
| |
resource.autoscaling.autoprovisioningLocations
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.bootDiskKmsKey
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.diskSizeGb
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.diskType
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.imageType
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.insecureKubeletReadonlyPortEnabled
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.management.autoRepair
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.management.autoUpgrade
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.minCpuPlatform
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.oauthScopes
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.serviceAccount
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.shieldedInstanceConfig.enableIntegrityMonitoring
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.shieldedInstanceConfig.enableSecureBoot
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.upgradeSettings.blueGreenSettings.nodePoolSoakDuration
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.upgradeSettings.blueGreenSettings.standardRolloutPolicy.batchNodeCount
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.upgradeSettings.blueGreenSettings.standardRolloutPolicy.batchPercentage
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.upgradeSettings.blueGreenSettings.standardRolloutPolicy.batchSoakDuration
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.upgradeSettings.maxSurge
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.upgradeSettings.maxUnavailable
| |
resource.autoscaling.autoprovisioningNodePoolDefaults.upgradeSettings.strategy
| |
resource.autoscaling.autoscalingProfile
| |
resource.autoscaling.enableNodeAutoprovisioning
| |
resource.autoscaling.resourceLimits.maximum
| |
resource.autoscaling.resourceLimits.minimum
| |
resource.autoscaling.resourceLimits.resourceType
| |
resource.binaryAuthorization.enabled
| |
resource.binaryAuthorization.evaluationMode
| |
resource.binaryAuthorization.policyBindings.name
| |
resource.clusterIpv4Cidr
| |
resource.compliancePostureConfig.complianceStandards.standard
| |
resource.compliancePostureConfig.mode
| |
resource.conditions.code
| |
resource.conditions.message
| |
resource.confidentialNodes.confidentialInstanceType
| |
resource.confidentialNodes.enabled
| |
resource.controlPlaneEndpointsConfig.dnsEndpointConfig.allowExternalTraffic
| |
resource.controlPlaneEndpointsConfig.dnsEndpointConfig.endpoint
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.authorizedNetworksConfig.cidrBlocks.cidrBlock
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.authorizedNetworksConfig.cidrBlocks.displayName
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.authorizedNetworksConfig.enabled
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.authorizedNetworksConfig.gcpPublicCidrsAccessEnabled
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.authorizedNetworksConfig.privateEndpointEnforcementEnabled
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.enabled
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.enablePublicEndpoint
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.globalAccess
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.privateEndpoint
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.privateEndpointSubnetwork
| |
resource.controlPlaneEndpointsConfig.ipEndpointsConfig.publicEndpoint
| |
resource.costManagementConfig.enabled
| |
resource.currentNodeCount
| |
resource.databaseEncryption.keyName
| |
resource.databaseEncryption.state
| |
resource.defaultMaxPodsConstraint.maxPodsPerNode
| |
resource.description
| |
resource.enableK8sBetaApis.enabledApis
| |
resource.enableKubernetesAlpha
| |
resource.enterpriseConfig.clusterTier
| |
resource.fleet.membership
| |
resource.fleet.preRegistered
| |
resource.fleet.project
| |
resource.identityServiceConfig.enabled
| |
resource.initialClusterVersion
| |
resource.initialNodeCount
| |
resource.ipAllocationPolicy.clusterIpv4Cidr
| |
resource.ipAllocationPolicy.clusterIpv4CidrBlock
| |
resource.ipAllocationPolicy.clusterSecondaryRangeName
| |
resource.ipAllocationPolicy.createSubnetwork
| |
resource.ipAllocationPolicy.ipv6AccessType
| |
resource.ipAllocationPolicy.nodeIpv4Cidr
| |
resource.ipAllocationPolicy.nodeIpv4CidrBlock
| |
resource.ipAllocationPolicy.podCidrOverprovisionConfig.disable
| |
resource.ipAllocationPolicy.servicesIpv4Cidr
| |
resource.ipAllocationPolicy.servicesIpv4CidrBlock
| |
resource.ipAllocationPolicy.servicesSecondaryRangeName
| |
resource.ipAllocationPolicy.stackType
| |
resource.ipAllocationPolicy.subnetworkName
| |
resource.ipAllocationPolicy.tpuIpv4CidrBlock
| |
resource.ipAllocationPolicy.useIpAliases
| |
resource.ipAllocationPolicy.useRoutes
| |
resource.labelFingerprint
| |
resource.legacyAbac.enabled
| |
resource.location
| |
resource.locations
| |
resource.loggingConfig.componentConfig.enableComponents
| |
resource.loggingService
| |
resource.maintenancePolicy.resourceVersion
| |
resource.maintenancePolicy.window.dailyMaintenanceWindow.startTime
| |
resource.maintenancePolicy.window.maintenanceExclusions[*].endTime
| |
resource.maintenancePolicy.window.maintenanceExclusions[*].maintenanceExclusionOptions.scope
| |
resource.maintenancePolicy.window.maintenanceExclusions[*].startTime
| |
resource.maintenancePolicy.window.recurringWindow.recurrence
| |
resource.maintenancePolicy.window.recurringWindow.window.endTime
| |
resource.maintenancePolicy.window.recurringWindow.window.maintenanceExclusionOptions.scope
| |
resource.maintenancePolicy.window.recurringWindow.window.startTime
| |
resource.masterAuth.clientCertificateConfig.issueClientCertificate
| |
resource.masterAuth.username
| |
resource.masterAuthorizedNetworksConfig.cidrBlocks.cidrBlock
| |
resource.masterAuthorizedNetworksConfig.cidrBlocks.displayName
| |
resource.masterAuthorizedNetworksConfig.enabled
| |
resource.masterAuthorizedNetworksConfig.gcpPublicCidrsAccessEnabled
| |
resource.masterAuthorizedNetworksConfig.privateEndpointEnforcementEnabled
| |
resource.meshCertificates.enableCertificates
| |
resource.monitoringConfig.advancedDatapathObservabilityConfig.enableMetrics
| |
resource.monitoringConfig.advancedDatapathObservabilityConfig.enableRelay
| |
resource.monitoringConfig.advancedDatapathObservabilityConfig.relayMode
| |
resource.monitoringConfig.componentConfig.enableComponents
| |
resource.monitoringConfig.managedPrometheusConfig.autoMonitoringConfig.scope
| |
resource.monitoringConfig.managedPrometheusConfig.enabled
| |
resource.monitoringService
| |
resource.name
| |
resource.network
| |
resource.networkConfig.datapathProvider
| |
resource.networkConfig.defaultEnablePrivateNodes
| |
resource.networkConfig.defaultSnatStatus.disabled
| |
resource.networkConfig.disableL4LbFirewallReconciliation
| |
resource.networkConfig.dnsConfig.additiveVpcScopeDnsDomain
| |
resource.networkConfig.dnsConfig.clusterDns
| |
resource.networkConfig.dnsConfig.clusterDnsDomain
| |
resource.networkConfig.dnsConfig.clusterDnsScope
| |
resource.networkConfig.enableCiliumClusterwideNetworkPolicy
| |
resource.networkConfig.enableFqdnNetworkPolicy
| |
resource.networkConfig.enableIntraNodeVisibility
| |
resource.networkConfig.enableL4ilbSubsetting
| |
resource.networkConfig.enableMultiNetworking
| |
resource.networkConfig.gatewayApiConfig.channel
| |
resource.networkConfig.inTransitEncryptionConfig
| |
resource.networkConfig.networkPerformanceConfig.totalEgressBandwidthTier
| |
resource.networkConfig.privateIpv6GoogleAccess
| |
resource.networkConfig.serviceExternalIpsConfig.enabled
| |
resource.networkPolicy.enabled
| |
resource.networkPolicy.provider
| |
resource.nodeConfig.accelerators.acceleratorCount
| |
resource.nodeConfig.accelerators.acceleratorType
| |
resource.nodeConfig.accelerators.gpuDriverInstallationConfig.gpuDriverVersion
| |
resource.nodeConfig.accelerators.gpuPartitionSize
| |
resource.nodeConfig.accelerators.gpuSharingConfig.gpuSharingStrategy
| |
resource.nodeConfig.accelerators.gpuSharingConfig.maxSharedClientsPerGpu
| |
resource.nodeConfig.advancedMachineFeatures.enableNestedVirtualization
| |
resource.nodeConfig.advancedMachineFeatures.performanceMonitoringUnit
| |
resource.nodeConfig.advancedMachineFeatures.threadsPerCore
| |
resource.nodeConfig.bootDiskKmsKey
| |
resource.nodeConfig.confidentialNodes.confidentialInstanceType
| |
resource.nodeConfig.confidentialNodes.enabled
| |
resource.nodeConfig.diskSizeGb
| |
resource.nodeConfig.diskType
| |
resource.nodeConfig.ephemeralStorageLocalSsdConfig.dataCacheCount
| |
resource.nodeConfig.ephemeralStorageLocalSsdConfig.localSsdCount
| |
resource.nodeConfig.fastSocket.enabled
| |
resource.nodeConfig.flexStart
| |
resource.nodeConfig.gcfsConfig.enabled
| |
resource.nodeConfig.gvnic.enabled
| |
resource.nodeConfig.imageType
| |
resource.nodeConfig.kubeletConfig.allowedUnsafeSysctls
| |
resource.nodeConfig.kubeletConfig.containerLogMaxFiles
| |
resource.nodeConfig.kubeletConfig.containerLogMaxSize
| |
resource.nodeConfig.kubeletConfig.cpuCfsQuota
| |
resource.nodeConfig.kubeletConfig.cpuCfsQuotaPeriod
| |
resource.nodeConfig.kubeletConfig.cpuManagerPolicy
| |
resource.nodeConfig.kubeletConfig.imageGcHighThresholdPercent
| |
resource.nodeConfig.kubeletConfig.imageGcLowThresholdPercent
| |
resource.nodeConfig.kubeletConfig.imageMaximumGcAge
| |
resource.nodeConfig.kubeletConfig.imageMinimumGcAge
| |
resource.nodeConfig.kubeletConfig.insecureKubeletReadonlyPortEnabled
| |
resource.nodeConfig.kubeletConfig.memoryManager.policy
| |
resource.nodeConfig.kubeletConfig.podPidsLimit
| |
resource.nodeConfig.kubeletConfig.topologyManager.policy
| |
resource.nodeConfig.kubeletConfig.topologyManager.scope
| |
resource.nodeConfig.labels
| |
resource.nodeConfig.linuxNodeConfig.cgroupMode
| |
resource.nodeConfig.linuxNodeConfig.hugepages.hugepageSize1g
| |
resource.nodeConfig.linuxNodeConfig.hugepages.hugepageSize2m
| |
resource.nodeConfig.linuxNodeConfig.sysctls
| |
resource.nodeConfig.localNvmeSsdBlockConfig.localSsdCount
| |
resource.nodeConfig.localSsdCount
| |
resource.nodeConfig.localSsdEncryptionMode
| |
resource.nodeConfig.loggingConfig.variantConfig.variant
| |
resource.nodeConfig.machineType
| |
resource.nodeConfig.maxRunDuration
| |
resource.nodeConfig.metadata
| |
resource.nodeConfig.minCpuPlatform
| |
resource.nodeConfig.nodeGroup
| |
resource.nodeConfig.oauthScopes
| |
resource.nodeConfig.preemptible
| |
resource.nodeConfig.reservationAffinity.consumeReservationType
| |
resource.nodeConfig.reservationAffinity.key
| |
resource.nodeConfig.reservationAffinity.values
| |
resource.nodeConfig.resourceLabels
| |
resource.nodeConfig.resourceManagerTags.tags
| |
resource.nodeConfig.sandboxConfig.type
| |
resource.nodeConfig.secondaryBootDisks.diskImage
| |
resource.nodeConfig.secondaryBootDisks.mode
| |
resource.nodeConfig.serviceAccount
| |
resource.nodeConfig.shieldedInstanceConfig.enableIntegrityMonitoring
| |
resource.nodeConfig.shieldedInstanceConfig.enableSecureBoot
| |
resource.nodeConfig.soleTenantConfig.nodeAffinities.key
| |
resource.nodeConfig.soleTenantConfig.nodeAffinities.operator
| |
resource.nodeConfig.soleTenantConfig.nodeAffinities.values
| |
resource.nodeConfig.spot
| |
resource.nodeConfig.storagePools
| |
resource.nodeConfig.tags
| |
resource.nodeConfig.taints.effect
| |
resource.nodeConfig.taints.key
| |
resource.nodeConfig.taints.value
| |
resource.nodeConfig.windowsNodeConfig.osVersion
| |
resource.nodeConfig.workloadMetadataConfig.mode
| |
resource.nodePoolAutoConfig.networkTags.tags
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.allowedUnsafeSysctls
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.containerLogMaxFiles
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.containerLogMaxSize
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.cpuCfsQuota
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.cpuCfsQuotaPeriod
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.cpuManagerPolicy
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.imageGcHighThresholdPercent
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.imageGcLowThresholdPercent
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.imageMaximumGcAge
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.imageMinimumGcAge
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.insecureKubeletReadonlyPortEnabled
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.memoryManager.policy
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.podPidsLimit
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.topologyManager.policy
| |
resource.nodePoolAutoConfig.nodeKubeletConfig.topologyManager.scope
| |
resource.nodePoolDefaults.nodeConfigDefaults.gcfsConfig.enabled
| |
resource.nodePoolDefaults.nodeConfigDefaults.loggingConfig.variantConfig.variant
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.allowedUnsafeSysctls
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.containerLogMaxFiles
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.containerLogMaxSize
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.cpuCfsQuota
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.cpuCfsQuotaPeriod
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.cpuManagerPolicy
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.imageGcHighThresholdPercent
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.imageGcLowThresholdPercent
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.imageMaximumGcAge
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.imageMinimumGcAge
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.insecureKubeletReadonlyPortEnabled
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.memoryManager.policy
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.podPidsLimit
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.topologyManager.policy
| |
resource.nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig.topologyManager.scope
| |
resource.notificationConfig.pubsub.enabled
| |
resource.notificationConfig.pubsub.filter.eventType
| |
resource.notificationConfig.pubsub.topic
| |
resource.podAutoscaling.hpaProfile
| |
resource.privateClusterConfig.enablePrivateEndpoint
| |
resource.privateClusterConfig.enablePrivateNodes
| |
resource.privateClusterConfig.masterGlobalAccessConfig.enabled
| |
resource.privateClusterConfig.masterIpv4CidrBlock
| |
resource.privateClusterConfig.privateEndpointSubnetwork
| |
resource.rbacBindingConfig.enableInsecureBindingSystemAuthenticated
| |
resource.rbacBindingConfig.enableInsecureBindingSystemUnauthenticated
| |
resource.releaseChannel.channel
| |
resource.resourceLabels
| |
resource.resourceUsageExportConfig.bigqueryDestination.datasetId
| |
resource.resourceUsageExportConfig.consumptionMeteringConfig.enabled
| |
resource.resourceUsageExportConfig.enableNetworkEgressMetering
| |
resource.secretManagerConfig.enabled
| |
resource.securityPostureConfig.mode
| |
resource.securityPostureConfig.vulnerabilityMode
| |
resource.shieldedNodes.enabled
| |
resource.subnetwork
| |
resource.userManagedKeysConfig.aggregationCa
| |
resource.userManagedKeysConfig.clusterCa
| |
resource.userManagedKeysConfig.controlPlaneDiskEncryptionKey
| |
resource.userManagedKeysConfig.etcdApiCa
| |
resource.userManagedKeysConfig.etcdPeerCa
| |
resource.userManagedKeysConfig.gkeopsEtcdBackupEncryptionKey
| |
resource.userManagedKeysConfig.serviceAccountSigningKeys
| |
resource.userManagedKeysConfig.serviceAccountVerificationKeys
| |
resource.verticalPodAutoscaling.enabled
| |
resource.workloadIdentityConfig.workloadPool
| |
resource.zone
| |
| container.googleapis.com/NodePool |
resource.autopilotConfig.enabled
|
resource.autoscaling.autoprovisioned
| |
resource.autoscaling.enabled
| |
resource.autoscaling.locationPolicy
| |
resource.autoscaling.maxNodeCount
| |
resource.autoscaling.minNodeCount
| |
resource.autoscaling.totalMaxNodeCount
| |
resource.autoscaling.totalMinNodeCount
| |
resource.bestEffortProvisioning.enabled
| |
resource.bestEffortProvisioning.minProvisionNodes
| |
resource.conditions.code
| |
resource.conditions.message
| |
resource.config.accelerators.acceleratorCount
| |
resource.config.accelerators.acceleratorType
| |
resource.config.accelerators.gpuDriverInstallationConfig.gpuDriverVersion
| |
resource.config.accelerators.gpuPartitionSize
| |
resource.config.accelerators.gpuSharingConfig.gpuSharingStrategy
| |
resource.config.accelerators.gpuSharingConfig.maxSharedClientsPerGpu
| |
resource.config.advancedMachineFeatures.enableNestedVirtualization
| |
resource.config.advancedMachineFeatures.performanceMonitoringUnit
| |
resource.config.advancedMachineFeatures.threadsPerCore
| |
resource.config.bootDiskKmsKey
| |
resource.config.confidentialNodes.confidentialInstanceType
| |
resource.config.confidentialNodes.enabled
| |
resource.config.diskSizeGb
| |
resource.config.diskType
| |
resource.config.ephemeralStorageLocalSsdConfig.dataCacheCount
| |
resource.config.ephemeralStorageLocalSsdConfig.localSsdCount
| |
resource.config.fastSocket.enabled
| |
resource.config.flexStart
| |
resource.config.gcfsConfig.enabled
| |
resource.config.gvnic.enabled
| |
resource.config.imageType
| |
resource.config.kubeletConfig.allowedUnsafeSysctls
| |
resource.config.kubeletConfig.containerLogMaxFiles
| |
resource.config.kubeletConfig.containerLogMaxSize
| |
resource.config.kubeletConfig.cpuCfsQuota
| |
resource.config.kubeletConfig.cpuCfsQuotaPeriod
| |
resource.config.kubeletConfig.cpuManagerPolicy
| |
resource.config.kubeletConfig.imageGcHighThresholdPercent
| |
resource.config.kubeletConfig.imageGcLowThresholdPercent
| |
resource.config.kubeletConfig.imageMaximumGcAge
| |
resource.config.kubeletConfig.imageMinimumGcAge
| |
resource.config.kubeletConfig.insecureKubeletReadonlyPortEnabled
| |
resource.config.kubeletConfig.memoryManager.policy
| |
resource.config.kubeletConfig.podPidsLimit
| |
resource.config.kubeletConfig.topologyManager.policy
| |
resource.config.kubeletConfig.topologyManager.scope
| |
resource.config.labels
| |
resource.config.linuxNodeConfig.cgroupMode
| |
resource.config.linuxNodeConfig.hugepages.hugepageSize1g
| |
resource.config.linuxNodeConfig.hugepages.hugepageSize2m
| |
resource.config.linuxNodeConfig.sysctls
| |
resource.config.localNvmeSsdBlockConfig.localSsdCount
| |
resource.config.localSsdCount
| |
resource.config.localSsdEncryptionMode
| |
resource.config.loggingConfig.variantConfig.variant
| |
resource.config.machineType
| |
resource.config.maxRunDuration
| |
resource.config.metadata
| |
resource.config.minCpuPlatform
| |
resource.config.nodeGroup
| |
resource.config.oauthScopes
| |
resource.config.preemptible
| |
resource.config.reservationAffinity.consumeReservationType
| |
resource.config.reservationAffinity.key
| |
resource.config.reservationAffinity.values
| |
resource.config.resourceLabels
| |
resource.config.resourceManagerTags.tags
| |
resource.config.sandboxConfig.type
| |
resource.config.secondaryBootDisks.diskImage
| |
resource.config.secondaryBootDisks.mode
| |
resource.config.serviceAccount
| |
resource.config.shieldedInstanceConfig.enableIntegrityMonitoring
| |
resource.config.shieldedInstanceConfig.enableSecureBoot
| |
resource.config.soleTenantConfig.nodeAffinities.key
| |
resource.config.soleTenantConfig.nodeAffinities.operator
| |
resource.config.soleTenantConfig.nodeAffinities.values
| |
resource.config.spot
| |
resource.config.storagePools
| |
resource.config.tags
| |
resource.config.taints.effect
| |
resource.config.taints.key
| |
resource.config.taints.value
| |
resource.config.windowsNodeConfig.osVersion
| |
resource.config.workloadMetadataConfig.mode
| |
resource.initialNodeCount
| |
resource.locations
| |
resource.management.autoRepair
| |
resource.management.autoUpgrade
| |
resource.maxPodsConstraint.maxPodsPerNode
| |
resource.name
| |
resource.networkConfig.additionalNodeNetworkConfigs.network
| |
resource.networkConfig.additionalNodeNetworkConfigs.subnetwork
| |
resource.networkConfig.additionalPodNetworkConfigs.networkAttachment
| |
resource.networkConfig.createPodRange
| |
resource.networkConfig.enablePrivateNodes
| |
resource.networkConfig.networkPerformanceConfig.totalEgressBandwidthTier
| |
resource.networkConfig.podIpv4CidrBlock
| |
resource.networkConfig.podRange
| |
resource.placementPolicy.policyName
| |
resource.placementPolicy.tpuTopology
| |
resource.placementPolicy.type
| |
resource.queuedProvisioning.enabled
| |
resource.upgradeSettings.blueGreenSettings.nodePoolSoakDuration
| |
resource.upgradeSettings.blueGreenSettings.standardRolloutPolicy.batchNodeCount
| |
resource.upgradeSettings.blueGreenSettings.standardRolloutPolicy.batchPercentage
| |
resource.upgradeSettings.blueGreenSettings.standardRolloutPolicy.batchSoakDuration
| |
resource.upgradeSettings.maxSurge
| |
resource.upgradeSettings.maxUnavailable
| |
resource.upgradeSettings.strategy
| |
resource.version
|