googleapis · sofisl · Sep 20, 2024 · Sep 14, 2024 · Sep 14, 2024
@@ -165,6 +165,10 @@ message AttachedCluster {
   // Optional. Binary Authorization configuration for this cluster.
   BinaryAuthorization binary_authorization = 25
       [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Security Posture configuration for this cluster.
+  SecurityPostureConfig security_posture_config = 26
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Configuration related to the cluster RBAC settings.

@@ -291,7 +291,7 @@ message ImportAttachedClusterRequest {
 
   // Required. The Kubernetes distribution of the underlying attached cluster.
   //
-  // Supported values: ["eks", "aks"].
+  // Supported values: ["eks", "aks", "generic"].
   string distribution = 5 [(google.api.field_behavior) = REQUIRED];
 
   // Optional. Proxy configuration for outbound HTTP(S) traffic.
@@ -323,6 +323,7 @@ message UpdateAttachedClusterRequest {
   //  *   `platform_version`.
   //  *   `proxy_config.kubernetes_secret.name`.
   //  *   `proxy_config.kubernetes_secret.namespace`.
+  //  *   `security_posture_config.vulnerability_mode`
   google.protobuf.FieldMask update_mask = 3
       [(google.api.field_behavior) = REQUIRED];
 }

@@ -481,6 +481,10 @@ message AwsNodePool {
   // Optional. The Management configuration for this node pool.
   AwsNodeManagement management = 30 [(google.api.field_behavior) = OPTIONAL];
 
+  // Optional. Node kubelet configs.
+  NodeKubeletConfig kubelet_config = 31
+      [(google.api.field_behavior) = OPTIONAL];
+
   // Optional. Update settings control the speed and disruption of the update.
   UpdateSettings update_settings = 32 [(google.api.field_behavior) = OPTIONAL];
 }
@@ -714,7 +718,7 @@ message AwsProxyConfig {
   //
   // The secret must be a JSON encoded proxy configuration
   // as described in
-  // https://cloud.google.com/anthos/clusters/docs/multi-cloud/aws/how-to/use-a-proxy#create_a_proxy_configuration_file
+  // https://cloud.google.com/kubernetes-engine/multi-cloud/docs/aws/how-to/use-a-proxy#create_a_proxy_configuration_file
   string secret_arn = 1;
 
   // The version string of the AWS Secret Manager secret that contains the

@@ -335,7 +335,7 @@ message AzureProxyConfig {
   //
   // The secret must be a JSON encoded proxy configuration
   // as described in
-  // https://cloud.google.com/anthos/clusters/docs/multi-cloud/azure/how-to/use-a-proxy#create_a_proxy_configuration_file
+  // https://cloud.google.com/kubernetes-engine/multi-cloud/docs/azure/how-to/use-a-proxy#create_a_proxy_configuration_file
   //
   // Secret ids are formatted as
   // `https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/<secret-version>`.

@@ -141,6 +141,57 @@ message NodeTaint {
   Effect effect = 3 [(google.api.field_behavior) = REQUIRED];
 }
 
+// Configuration for node pool kubelet options.
+message NodeKubeletConfig {
+  // Optional. Enable the insecure kubelet read only port.
+  bool insecure_kubelet_readonly_port_enabled = 1
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Control the CPU management policy on the node.
+  // See
+  // https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/
+  //
+  // The following values are allowed.
+  // * "none": the default, which represents the existing scheduling behavior.
+  // * "static": allows pods with certain resource characteristics to be granted
+  // increased CPU affinity and exclusivity on the node.
+  // The default value is 'none' if unspecified.
+  optional string cpu_manager_policy = 2
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Enable CPU CFS quota enforcement for containers that specify CPU
+  // limits.
+  //
+  // This option is enabled by default which makes kubelet use CFS quota
+  // (https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt) to
+  // enforce container CPU limits. Otherwise, CPU limits will not be enforced at
+  // all.
+  //
+  // Disable this option to mitigate CPU throttling problems while still having
+  // your pods to be in Guaranteed QoS class by specifying the CPU limits.
+  //
+  // The default value is 'true' if unspecified.
+  optional bool cpu_cfs_quota = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Set the CPU CFS quota period value 'cpu.cfs_period_us'.
+  //
+  // The string must be a sequence of decimal numbers, each with optional
+  // fraction and a unit suffix, such as "300ms".
+  // Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+  // The value must be a positive duration.
+  //
+  // The default value is '100ms' if unspecified.
+  optional string cpu_cfs_quota_period = 4
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Set the Pod PID limits. See
+  // https://kubernetes.io/docs/concepts/policy/pid-limiting/#pod-pid-limits
+  //
+  // Controls the maximum number of processes allowed to run in a pod. The value
+  // must be greater than or equal to 1024 and less than 4194304.
+  optional int64 pod_pids_limit = 5 [(google.api.field_behavior) = OPTIONAL];
+}
+
 // Fleet related configuration.
 //
 // Fleets are a Google Cloud concept for logically organizing clusters,
@@ -222,3 +273,23 @@ message BinaryAuthorization {
   // to DISABLED.
   EvaluationMode evaluation_mode = 1;
 }
+
+// SecurityPostureConfig defines the flags needed to enable/disable features for
+// the Security Posture API.
+message SecurityPostureConfig {
+  // VulnerabilityMode defines enablement mode for vulnerability scanning.
+  enum VulnerabilityMode {
+    // Default value not specified.
+    VULNERABILITY_MODE_UNSPECIFIED = 0;
+
+    // Disables vulnerability scanning on the cluster.
+    VULNERABILITY_DISABLED = 1;
+
+    // Applies the Security Posture's vulnerability on cluster Enterprise level
+    // features.
+    VULNERABILITY_ENTERPRISE = 2;
+  }
+
+  // Sets which mode to use for vulnerability scanning.
+  VulnerabilityMode vulnerability_mode = 1;
+}