feat: [google-cloud-gke-multicloud] An optional field `security_postu…

…re_config` in message `.google.cloud.gkemulticloud.v1.AttachedCluster` is added (#13088)

BEGIN_COMMIT_OVERRIDE
feat: An optional field `security_posture_config` in message
`.google.cloud.gkemulticloud.v1.AttachedCluster` is added
feat: An optional field `kubelet_config` in message
`.google.cloud.gkemulticloud.v1.AwsNodePool` is added
END_COMMIT_OVERRIDE
- [ ] Regenerate this pull request now.

feat: An optional field `kubelet_config` in message
`.google.cloud.gkemulticloud.v1.AwsNodePool` is added

PiperOrigin-RevId: 674451558

Source-Link:
googleapis/googleapis@31df26d

Source-Link:
googleapis/googleapis-gen@23e6557
Copy-Tag:
eyJwIjoicGFja2FnZXMvZ29vZ2xlLWNsb3VkLWdrZS1tdWx0aWNsb3VkLy5Pd2xCb3QueWFtbCIsImgiOiIyM2U2NTU3MTM1ODIzNjBiNTY4MTcyMzQ4YmU1ZDg4M2NhYTQwZWZiIn0=

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>
Co-authored-by: Anthonios Partheniou <partheniou@google.com>

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud/__init__.py

@@ -175,8 +175,10 @@
     ManagedPrometheusConfig,
     MaxPodsConstraint,
     MonitoringConfig,
+    NodeKubeletConfig,
     NodeTaint,
     OperationMetadata,
+    SecurityPostureConfig,
     WorkloadIdentityConfig,
 )
 
@@ -313,7 +315,9 @@
     "ManagedPrometheusConfig",
     "MaxPodsConstraint",
     "MonitoringConfig",
+    "NodeKubeletConfig",
     "NodeTaint",
     "OperationMetadata",
+    "SecurityPostureConfig",
     "WorkloadIdentityConfig",
 )

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud_v1/__init__.py

@@ -163,8 +163,10 @@
     ManagedPrometheusConfig,
     MaxPodsConstraint,
     MonitoringConfig,
+    NodeKubeletConfig,
     NodeTaint,
     OperationMetadata,
+    SecurityPostureConfig,
     WorkloadIdentityConfig,
 )
 
@@ -291,10 +293,12 @@
     "ManagedPrometheusConfig",
     "MaxPodsConstraint",
     "MonitoringConfig",
+    "NodeKubeletConfig",
     "NodeTaint",
     "OperationMetadata",
     "ReplicaPlacement",
     "RollbackAwsNodePoolUpdateRequest",
+    "SecurityPostureConfig",
     "SpotConfig",
     "SurgeSettings",
     "UpdateAttachedClusterRequest",

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud_v1/services/attached_clusters/async_client.py

@@ -533,6 +533,7 @@ async def sample_update_attached_cluster():
                 -  ``platform_version``.
                 -  ``proxy_config.kubernetes_secret.name``.
                 -  ``proxy_config.kubernetes_secret.namespace``.
+                -  ``security_posture_config.vulnerability_mode``
 
                 This corresponds to the ``update_mask`` field
                 on the ``request`` instance; if ``request`` is provided, this

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud_v1/services/attached_clusters/client.py

@@ -966,6 +966,7 @@ def sample_update_attached_cluster():
                 -  ``platform_version``.
                 -  ``proxy_config.kubernetes_secret.name``.
                 -  ``proxy_config.kubernetes_secret.namespace``.
+                -  ``security_posture_config.vulnerability_mode``
 
                 This corresponds to the ``update_mask`` field
                 on the ``request`` instance; if ``request`` is provided, this

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud_v1/types/__init__.py

@@ -152,8 +152,10 @@
     ManagedPrometheusConfig,
     MaxPodsConstraint,
     MonitoringConfig,
+    NodeKubeletConfig,
     NodeTaint,
     OperationMetadata,
+    SecurityPostureConfig,
     WorkloadIdentityConfig,
 )
 
@@ -284,7 +286,9 @@
     "ManagedPrometheusConfig",
     "MaxPodsConstraint",
     "MonitoringConfig",
+    "NodeKubeletConfig",
     "NodeTaint",
     "OperationMetadata",
+    "SecurityPostureConfig",
     "WorkloadIdentityConfig",
 )

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud_v1/types/attached_resources.py

@@ -134,6 +134,9 @@ class AttachedCluster(proto.Message):
         binary_authorization (google.cloud.gke_multicloud_v1.types.BinaryAuthorization):
             Optional. Binary Authorization configuration
             for this cluster.
+        security_posture_config (google.cloud.gke_multicloud_v1.types.SecurityPostureConfig):
+            Optional. Security Posture configuration for
+            this cluster.
     """
 
     class State(proto.Enum):
@@ -272,6 +275,11 @@ class State(proto.Enum):
         number=25,
         message=common_resources.BinaryAuthorization,
     )
+    security_posture_config: common_resources.SecurityPostureConfig = proto.Field(
+        proto.MESSAGE,
+        number=26,
+        message=common_resources.SecurityPostureConfig,
+    )
 
 
 class AttachedClustersAuthorization(proto.Message):

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud_v1/types/attached_service.py

@@ -211,7 +211,7 @@ class ImportAttachedClusterRequest(proto.Message):
             Required. The Kubernetes distribution of the underlying
             attached cluster.
 
-            Supported values: ["eks", "aks"].
+            Supported values: ["eks", "aks", "generic"].
         proxy_config (google.cloud.gke_multicloud_v1.types.AttachedProxyConfig):
             Optional. Proxy configuration for outbound
             HTTP(S) traffic.
@@ -272,6 +272,7 @@ class UpdateAttachedClusterRequest(proto.Message):
             -  ``platform_version``.
             -  ``proxy_config.kubernetes_secret.name``.
             -  ``proxy_config.kubernetes_secret.namespace``.
+            -  ``security_posture_config.vulnerability_mode``
     """
 
     attached_cluster: attached_resources.AttachedCluster = proto.Field(

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud_v1/types/aws_resources.py

@@ -735,6 +735,8 @@ class AwsNodePool(proto.Message):
         management (google.cloud.gke_multicloud_v1.types.AwsNodeManagement):
             Optional. The Management configuration for
             this node pool.
+        kubelet_config (google.cloud.gke_multicloud_v1.types.NodeKubeletConfig):
+            Optional. Node kubelet configs.
         update_settings (google.cloud.gke_multicloud_v1.types.UpdateSettings):
             Optional. Update settings control the speed
             and disruption of the update.
@@ -843,6 +845,11 @@ class State(proto.Enum):
         number=30,
         message="AwsNodeManagement",
     )
+    kubelet_config: common_resources.NodeKubeletConfig = proto.Field(
+        proto.MESSAGE,
+        number=31,
+        message=common_resources.NodeKubeletConfig,
+    )
     update_settings: "UpdateSettings" = proto.Field(
         proto.MESSAGE,
         number=32,
@@ -1279,7 +1286,7 @@ class AwsProxyConfig(proto.Message):
 
             The secret must be a JSON encoded proxy configuration as
             described in
-            https://cloud.google.com/anthos/clusters/docs/multi-cloud/aws/how-to/use-a-proxy#create_a_proxy_configuration_file
+            https://cloud.google.com/kubernetes-engine/multi-cloud/docs/aws/how-to/use-a-proxy#create_a_proxy_configuration_file
         secret_version (str):
             The version string of the AWS Secret Manager
             secret that contains the HTTP(S) proxy

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud_v1/types/azure_resources.py

@@ -557,7 +557,7 @@ class AzureProxyConfig(proto.Message):
 
             The secret must be a JSON encoded proxy configuration as
             described in
-            https://cloud.google.com/anthos/clusters/docs/multi-cloud/azure/how-to/use-a-proxy#create_a_proxy_configuration_file
+            https://cloud.google.com/kubernetes-engine/multi-cloud/docs/azure/how-to/use-a-proxy#create_a_proxy_configuration_file
 
             Secret ids are formatted as
             ``https://<key-vault-name>.vault.azure.net/secrets/<secret-name>/<secret-version>``.

packages/google-cloud-gke-multicloud/google/cloud/gke_multicloud_v1/types/common_resources.py

@@ -28,12 +28,14 @@
         "MaxPodsConstraint",
         "OperationMetadata",
         "NodeTaint",
+        "NodeKubeletConfig",
         "Fleet",
         "LoggingConfig",
         "LoggingComponentConfig",
         "MonitoringConfig",
         "ManagedPrometheusConfig",
         "BinaryAuthorization",
+        "SecurityPostureConfig",
     },
 )
 
@@ -263,6 +265,96 @@ class Effect(proto.Enum):
     )
 
 
+class NodeKubeletConfig(proto.Message):
+    r"""Configuration for node pool kubelet options.
+
+    .. _oneof: https://proto-plus-python.readthedocs.io/en/stable/fields.html#oneofs-mutually-exclusive-fields
+
+    Attributes:
+        insecure_kubelet_readonly_port_enabled (bool):
+            Optional. Enable the insecure kubelet read
+            only port.
+        cpu_manager_policy (str):
+            Optional. Control the CPU management policy on the node. See
+            https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/
+
+            The following values are allowed.
+
+            -  "none": the default, which represents the existing
+               scheduling behavior.
+            -  "static": allows pods with certain resource
+               characteristics to be granted increased CPU affinity and
+               exclusivity on the node. The default value is 'none' if
+               unspecified.
+
+            This field is a member of `oneof`_ ``_cpu_manager_policy``.
+        cpu_cfs_quota (bool):
+            Optional. Enable CPU CFS quota enforcement
+            for containers that specify CPU limits.
+
+            This option is enabled by default which makes
+            kubelet use CFS quota
+            (https://www.kernel.org/doc/Documentation/scheduler/sched-bwc.txt)
+            to enforce container CPU limits. Otherwise, CPU
+            limits will not be enforced at all.
+
+            Disable this option to mitigate CPU throttling
+            problems while still having your pods to be in
+            Guaranteed QoS class by specifying the CPU
+            limits.
+
+            The default value is 'true' if unspecified.
+
+            This field is a member of `oneof`_ ``_cpu_cfs_quota``.
+        cpu_cfs_quota_period (str):
+            Optional. Set the CPU CFS quota period value
+            'cpu.cfs_period_us'.
+
+            The string must be a sequence of decimal numbers, each with
+            optional fraction and a unit suffix, such as "300ms". Valid
+            time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+            The value must be a positive duration.
+
+            The default value is '100ms' if unspecified.
+
+            This field is a member of `oneof`_ ``_cpu_cfs_quota_period``.
+        pod_pids_limit (int):
+            Optional. Set the Pod PID limits. See
+            https://kubernetes.io/docs/concepts/policy/pid-limiting/#pod-pid-limits
+
+            Controls the maximum number of processes allowed
+            to run in a pod. The value must be greater than
+            or equal to 1024 and less than 4194304.
+
+            This field is a member of `oneof`_ ``_pod_pids_limit``.
+    """
+
+    insecure_kubelet_readonly_port_enabled: bool = proto.Field(
+        proto.BOOL,
+        number=1,
+    )
+    cpu_manager_policy: str = proto.Field(
+        proto.STRING,
+        number=2,
+        optional=True,
+    )
+    cpu_cfs_quota: bool = proto.Field(
+        proto.BOOL,
+        number=3,
+        optional=True,
+    )
+    cpu_cfs_quota_period: str = proto.Field(
+        proto.STRING,
+        number=4,
+        optional=True,
+    )
+    pod_pids_limit: int = proto.Field(
+        proto.INT64,
+        number=5,
+        optional=True,
+    )
+
+
 class Fleet(proto.Message):
     r"""Fleet related configuration.
 
@@ -414,4 +506,39 @@ class EvaluationMode(proto.Enum):
     )
 
 
+class SecurityPostureConfig(proto.Message):
+    r"""SecurityPostureConfig defines the flags needed to
+    enable/disable features for the Security Posture API.
+
+    Attributes:
+        vulnerability_mode (google.cloud.gke_multicloud_v1.types.SecurityPostureConfig.VulnerabilityMode):
+            Sets which mode to use for vulnerability
+            scanning.
+    """
+
+    class VulnerabilityMode(proto.Enum):
+        r"""VulnerabilityMode defines enablement mode for vulnerability
+        scanning.
+
+        Values:
+            VULNERABILITY_MODE_UNSPECIFIED (0):
+                Default value not specified.
+            VULNERABILITY_DISABLED (1):
+                Disables vulnerability scanning on the
+                cluster.
+            VULNERABILITY_ENTERPRISE (2):
+                Applies the Security Posture's vulnerability
+                on cluster Enterprise level features.
+        """
+        VULNERABILITY_MODE_UNSPECIFIED = 0
+        VULNERABILITY_DISABLED = 1
+        VULNERABILITY_ENTERPRISE = 2
+
+    vulnerability_mode: VulnerabilityMode = proto.Field(
+        proto.ENUM,
+        number=1,
+        enum=VulnerabilityMode,
+    )
+
+
 __all__ = tuple(sorted(__protobuf__.manifest))

packages/google-cloud-gke-multicloud/tests/unit/gapic/gke_multicloud_v1/test_attached_clusters.py

@@ -4992,6 +4992,7 @@ def test_create_attached_cluster_rest(request_type):
             "kubernetes_secret": {"name": "name_value", "namespace": "namespace_value"}
         },
         "binary_authorization": {"evaluation_mode": 1},
+        "security_posture_config": {"vulnerability_mode": 1},
     }
     # The version of a generated dependency at test runtime may differ from the version used during generation.
     # Delete any fields which are not present in the current runtime dependency
@@ -5440,6 +5441,7 @@ def test_update_attached_cluster_rest(request_type):
             "kubernetes_secret": {"name": "name_value", "namespace": "namespace_value"}
         },
         "binary_authorization": {"evaluation_mode": 1},
+        "security_posture_config": {"vulnerability_mode": 1},
     }
     # The version of a generated dependency at test runtime may differ from the version used during generation.
     # Delete any fields which are not present in the current runtime dependency

packages/google-cloud-gke-multicloud/tests/unit/gapic/gke_multicloud_v1/test_aws_clusters.py

@@ -10124,6 +10124,13 @@ def test_create_aws_node_pool_rest(request_type):
         "max_pods_constraint": {"max_pods_per_node": 1798},
         "errors": [{"message": "message_value"}],
         "management": {"auto_repair": True},
+        "kubelet_config": {
+            "insecure_kubelet_readonly_port_enabled": True,
+            "cpu_manager_policy": "cpu_manager_policy_value",
+            "cpu_cfs_quota": True,
+            "cpu_cfs_quota_period": "cpu_cfs_quota_period_value",
+            "pod_pids_limit": 1488,
+        },
         "update_settings": {
             "surge_settings": {"max_surge": 971, "max_unavailable": 1577}
         },
@@ -10590,6 +10597,13 @@ def test_update_aws_node_pool_rest(request_type):
         "max_pods_constraint": {"max_pods_per_node": 1798},
         "errors": [{"message": "message_value"}],
         "management": {"auto_repair": True},
+        "kubelet_config": {
+            "insecure_kubelet_readonly_port_enabled": True,
+            "cpu_manager_policy": "cpu_manager_policy_value",
+            "cpu_cfs_quota": True,
+            "cpu_cfs_quota_period": "cpu_cfs_quota_period_value",
+            "pod_pids_limit": 1488,
+        },
         "update_settings": {
             "surge_settings": {"max_surge": 971, "max_unavailable": 1577}
         },