File: //snap/google-cloud-cli/current/lib/surface/remote_build_execution/instances/create.yaml
- release_tracks: [ALPHA]
help_text:
brief: |
Creates a Remote Build Execution instance.
description: |
Creates a Remote Build Execution instance, which contains a remote cache and can contain
worker pools for execution of build and test actions.
examples: |
The following creates an instance named 'new_instance':
$ {command} new_instance
request:
collection: remotebuildexecution.projects.instances
async:
collection: remotebuildexecution.projects.operations
arguments:
resource:
spec: !REF googlecloudsdk.command_lib.remote_build_execution.resources:instance
help_text: |
Arguments describing the instance to create.
params:
- api_field: instance.location
arg_name: location
required: false
default: "us-central1"
help_text: |
The Cloud location to create the instance in.
- api_field: instance.featurePolicy.dockerPrivileged.policy
arg_name: docker-privileged
required: false
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
dockerPrivileged can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
dockerPrivileged cannot be used.
help_text: |
Whether dockerPrivileged can be used. If unspecified, the default is equivalent to
"forbidden".
- api_field: instance.featurePolicy.dockerRunAsRoot.policy
arg_name: docker-run-as-root
required: false
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
dockerRunAsRoot can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
dockerRunAsRoot cannot be used.
help_text: |
Whether dockerRunAsRoot can be used. If unspecified, the default is equivalent to
"forbidden".
- group:
required: false
help_text: |
Flags for container image sources - either only container-image-sources or both flags may
be specified.
params:
- api_field: instance.featurePolicy.containerImageSources.policy
arg_name: container-image-sources
required: true
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
Images from any container image sources can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
No images from any container image sources can be used.
- arg_value: restricted
enum_value: restricted
help_text: |
Container images can be used, if and only if, they are stored in one of the allowed
container image sources.
help_text: |
Whether container image sources can be used. Note that all RBE actions require a
container image so if this is set to "forbidden", all tasks will fail. If unspecified,
the default is equivalent to "allowed".
- api_field: instance.featurePolicy.containerImageSources.allowedValues
arg_name: container-image-sources-allowlist
required: false
help_text: |
The list of allowed container image sources. Note: this will only be used if the
corresponding policy is set to "restricted".
- group:
required: false
help_text: |
Flags for dockerAddCapabilities - either only docker-add-capabilities or both flags may be
specified.
params:
- api_field: instance.featurePolicy.dockerAddCapabilities.policy
arg_name: docker-add-capabilities
required: true
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
The feature can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
The feature cannot be used.
- arg_value: restricted
enum_value: restricted
help_text: |
The feature can be used, if and only if, it is set to one of the allowed values.
help_text: |
Whether dockerAddCapabilities can be used. If unspecified, the default is equivalent to
"forbidden".
- api_field: instance.featurePolicy.dockerAddCapabilities.allowedValues
arg_name: docker-add-capabilities-allowlist
required: false
help_text: |
The list of allowed dockerAddCapabilities values. Note: this will only be used if the
corresponding policy is set to "restricted".
- group:
required: false
help_text: |
Flags for dockerChrootPath - either only docker-chroot-path or both flags may be
specified.
params:
- api_field: instance.featurePolicy.dockerChrootPath.policy
arg_name: docker-chroot-path
required: true
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
The feature can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
The feature cannot be used.
- arg_value: restricted
enum_value: restricted
help_text: |
The feature can be used, if and only if, it is set to one of the allowed values.
help_text: |
Whether dockerChrootPath can be used. If unspecified, the default is equivalent to
"forbidden".
- api_field: instance.featurePolicy.dockerChrootPath.allowedValues
arg_name: docker-chroot-path-allowlist
required: false
help_text: |
The list of allowed dockerChrootPath values. Note: this will only be used if the
corresponding policy is set to "restricted".
- group:
required: false
help_text: |
Flags for dockerNetwork - either only docker-network or both flags may be specified.
params:
- api_field: instance.featurePolicy.dockerNetwork.policy
arg_name: docker-network
required: true
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
The feature can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
The feature cannot be used.
- arg_value: restricted
enum_value: restricted
help_text: |
The feature can be used, if and only if, it is set to one of the allowed values.
help_text: |
Whether dockerNetwork can be used. If unspecified, the default is equivalent to
"forbidden".
- api_field: instance.featurePolicy.dockerNetwork.allowedValues
arg_name: docker-network-allowlist
required: false
help_text: |
The list of allowed dockerNetwork values. Note: this will only be used if the
corresponding policy is set to "restricted".
- group:
required: false
help_text: |
Flags for dockerRunAsContainerProvidedUser - either only docker-run-as-container-provided-user
or both flags may be specified.
params:
- api_field: instance.featurePolicy.dockerRunAsContainerProvidedUser.policy
arg_name: docker-run-as-container-provided-user
required: true
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
The feature can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
The feature cannot be used.
- arg_value: restricted
enum_value: restricted
help_text: |
The feature can be used, if and only if, it is set to one of the allowed values.
help_text: |
Whether dockerRunAsContainerProvidedUser can be used. If unspecified, the default is
equivalent to "forbidden".
- api_field: instance.featurePolicy.dockerRunAsContainerProvidedUser.allowedValues
arg_name: docker-run-as-container-provided-user-allowlist
required: false
help_text: |
The list of allowed dockerRunAsContainerProvidedUser values. Note: this will only be
used if the corresponding policy is set to "restricted".
- group:
required: false
help_text: |
Flags for dockerRuntime - either only docker-runtime or both flags may be specified.
params:
- api_field: instance.featurePolicy.dockerRuntime.policy
arg_name: docker-runtime
required: true
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
The feature can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
The feature cannot be used.
- arg_value: restricted
enum_value: restricted
help_text: |
The feature can be used, if and only if, it is set to one of the allowed values.
help_text: |
Whether dockerRuntime can be used. If unspecified, the default is equivalent to
"forbidden".
- api_field: instance.featurePolicy.dockerRuntime.allowedValues
arg_name: docker-runtime-allowlist
required: false
help_text: |
The list of allowed dockerRuntime values. Note: this will only be used if the
corresponding policy is set to "restricted".
- api_field: instance.featurePolicy.dockerSiblingContainers.policy
arg_name: docker-sibling-containers
required: false
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
The feature can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
The feature cannot be used.
help_text: |
Whether dockerSiblingSontainers can be used. If unspecified, the default is equivalent to
"forbidden".
- api_field: instance.featurePolicy.linuxIsolation
arg_name: linux-isolation
required: false
choices:
- arg_value: gvisor
enum_value: gvisor
help_text: |
gVisor will be used as the isolation mechanism for all linux execution.
- arg_value: 'off'
enum_value: 'off'
help_text: |
No additional isolation mechanisms will be used beyond the default linux runtime.
help_text: |
Which Linux isolation mechanism should be used for execution. If unspecified, the default
Linux runtime will be used.
- api_field: instance.featurePolicy.linuxExecution
arg_name: linux-execution
required: false
choices:
- arg_value: forbidden
enum_value: LINUX_EXECUTION_FORBIDDEN
help_text: |
Forbid Linux actions and worker pools.
- arg_value: unrestricted
enum_value: LINUX_EXECUTION_UNRESTRICTED
help_text: |
No additional restrictions imposed on Linux actions or worker pools by this policy.
- arg_value: hardened-gvisor
enum_value: LINUX_EXECUTION_HARDENED_GVISOR
help_text: |
Linux actions will be hardened with gVisor. Actions incompatible with gVisor hardening
will be rejected.
- arg_value: hardened-gvisor-or-terminal
enum_value: LINUX_EXECUTION_HARDENED_GVISOR_OR_TERMINAL
help_text: |
Linux actions will be hardened with gVisor. Actions incompatible with gVisor hardening
will be made terminal, i.e., the worker that ran the action will be terminated after the
action completes.
help_text: |
Defines whether Linux actions and worker pools are allowed and how they can be configured
to support various levels of isolation.
- api_field: instance.featurePolicy.windowsExecution
arg_name: windows-execution
required: false
choices:
- arg_value: forbidden
enum_value: WINDOWS_EXECUTION_FORBIDDEN
help_text: |
Forbid Windows actions and worker pools.
- arg_value: unrestricted
enum_value: WINDOWS_EXECUTION_UNRESTRICTED
help_text: |
No additional restrictions imposed on Windows actions or worker pools by this policy.
- arg_value: terminal
enum_value: WINDOWS_EXECUTION_TERMINAL
help_text: |
Windows workers will be terminated after they finish running an action.
help_text: |
Defines whether Windows actions and worker pools are allowed and how they can be configured
to support various levels of isolation.
- api_field: instance.featurePolicy.macExecution
arg_name: mac-execution
required: false
choices:
- arg_value: forbidden
enum_value: MAC_EXECUTION_FORBIDDEN
help_text: |
Forbid Mac actions and worker pools.
- arg_value: unrestricted
enum_value: MAC_EXECUTION_UNRESTRICTED
help_text: |
No additional restrictions imposed on Mac actions or worker pools by this policy.
help_text: |
Defines whether Mac actions and worker pools are allowed and how they can be configured
to support various levels of isolation.
- api_field: instance.featurePolicy.actionIsolation
arg_name: action-isolation
required: false
choices:
- arg_value: enforced
enum_value: ACTION_ISOLATION_ENFORCED
help_text: |
Isolation of actions is enforced.
- arg_value: 'off'
enum_value: ACTION_ISOLATION_OFF
help_text: |
No enforcement of isolation for actions.
help_text: |
Defines levels of isolation of actions executed on this instance by requiring other
isolation related feature policies like linux-execution, windows-execution, etc to be set
a certain way.
- api_field: instance.featurePolicy.actionHermeticity
arg_name: action-hermeticity
required: false
choices:
- arg_value: enforced
enum_value: ACTION_HERMETICITY_ENFORCED
help_text: |
Hermeticity of actions is enforced.
- arg_value: best-effort
enum_value: ACTION_HERMETICITY_BEST_EFFORT
help_text: |
Hermeticity of actions is best effort.
- arg_value: 'off'
enum_value: ACTION_HERMETICITY_OFF
help_text: |
No Hermeticity restrictions for actions.
help_text: |
Defines levels of hermeticity for actions executed on this instance by requiring other
isolation and hermeticity related feature policies like linux-execution, windows-execution,
etc to be set a certain way.
- api_field: instance.featurePolicy.dockerUlimits.policy
arg_name: docker-ulimits
required: false
choices:
- arg_value: allowed
enum_value: allowed
help_text: |
The feature can be used.
- arg_value: forbidden
enum_value: forbidden
help_text: |
The feature cannot be used.
help_text: |
Whether dockerUlimits can be used. If unspecified, the default is equivalent to "forbidden".