- release_tracks: [ALPHA] help_text: brief: | Creates a Remote Build Execution instance. description: | Creates a Remote Build Execution instance, which contains a remote cache and can contain worker pools for execution of build and test actions. examples: | The following creates an instance named 'new_instance': $ {command} new_instance request: collection: remotebuildexecution.projects.instances async: collection: remotebuildexecution.projects.operations arguments: resource: spec: !REF googlecloudsdk.command_lib.remote_build_execution.resources:instance help_text: | Arguments describing the instance to create. params: - api_field: instance.location arg_name: location required: false default: "us-central1" help_text: | The Cloud location to create the instance in. - api_field: instance.featurePolicy.dockerPrivileged.policy arg_name: docker-privileged required: false choices: - arg_value: allowed enum_value: allowed help_text: | dockerPrivileged can be used. - arg_value: forbidden enum_value: forbidden help_text: | dockerPrivileged cannot be used. help_text: | Whether dockerPrivileged can be used. If unspecified, the default is equivalent to "forbidden". - api_field: instance.featurePolicy.dockerRunAsRoot.policy arg_name: docker-run-as-root required: false choices: - arg_value: allowed enum_value: allowed help_text: | dockerRunAsRoot can be used. - arg_value: forbidden enum_value: forbidden help_text: | dockerRunAsRoot cannot be used. help_text: | Whether dockerRunAsRoot can be used. If unspecified, the default is equivalent to "forbidden". - group: required: false help_text: | Flags for container image sources - either only container-image-sources or both flags may be specified. params: - api_field: instance.featurePolicy.containerImageSources.policy arg_name: container-image-sources required: true choices: - arg_value: allowed enum_value: allowed help_text: | Images from any container image sources can be used. - arg_value: forbidden enum_value: forbidden help_text: | No images from any container image sources can be used. - arg_value: restricted enum_value: restricted help_text: | Container images can be used, if and only if, they are stored in one of the allowed container image sources. help_text: | Whether container image sources can be used. Note that all RBE actions require a container image so if this is set to "forbidden", all tasks will fail. If unspecified, the default is equivalent to "allowed". - api_field: instance.featurePolicy.containerImageSources.allowedValues arg_name: container-image-sources-allowlist required: false help_text: | The list of allowed container image sources. Note: this will only be used if the corresponding policy is set to "restricted". - group: required: false help_text: | Flags for dockerAddCapabilities - either only docker-add-capabilities or both flags may be specified. params: - api_field: instance.featurePolicy.dockerAddCapabilities.policy arg_name: docker-add-capabilities required: true choices: - arg_value: allowed enum_value: allowed help_text: | The feature can be used. - arg_value: forbidden enum_value: forbidden help_text: | The feature cannot be used. - arg_value: restricted enum_value: restricted help_text: | The feature can be used, if and only if, it is set to one of the allowed values. help_text: | Whether dockerAddCapabilities can be used. If unspecified, the default is equivalent to "forbidden". - api_field: instance.featurePolicy.dockerAddCapabilities.allowedValues arg_name: docker-add-capabilities-allowlist required: false help_text: | The list of allowed dockerAddCapabilities values. Note: this will only be used if the corresponding policy is set to "restricted". - group: required: false help_text: | Flags for dockerChrootPath - either only docker-chroot-path or both flags may be specified. params: - api_field: instance.featurePolicy.dockerChrootPath.policy arg_name: docker-chroot-path required: true choices: - arg_value: allowed enum_value: allowed help_text: | The feature can be used. - arg_value: forbidden enum_value: forbidden help_text: | The feature cannot be used. - arg_value: restricted enum_value: restricted help_text: | The feature can be used, if and only if, it is set to one of the allowed values. help_text: | Whether dockerChrootPath can be used. If unspecified, the default is equivalent to "forbidden". - api_field: instance.featurePolicy.dockerChrootPath.allowedValues arg_name: docker-chroot-path-allowlist required: false help_text: | The list of allowed dockerChrootPath values. Note: this will only be used if the corresponding policy is set to "restricted". - group: required: false help_text: | Flags for dockerNetwork - either only docker-network or both flags may be specified. params: - api_field: instance.featurePolicy.dockerNetwork.policy arg_name: docker-network required: true choices: - arg_value: allowed enum_value: allowed help_text: | The feature can be used. - arg_value: forbidden enum_value: forbidden help_text: | The feature cannot be used. - arg_value: restricted enum_value: restricted help_text: | The feature can be used, if and only if, it is set to one of the allowed values. help_text: | Whether dockerNetwork can be used. If unspecified, the default is equivalent to "forbidden". - api_field: instance.featurePolicy.dockerNetwork.allowedValues arg_name: docker-network-allowlist required: false help_text: | The list of allowed dockerNetwork values. Note: this will only be used if the corresponding policy is set to "restricted". - group: required: false help_text: | Flags for dockerRunAsContainerProvidedUser - either only docker-run-as-container-provided-user or both flags may be specified. params: - api_field: instance.featurePolicy.dockerRunAsContainerProvidedUser.policy arg_name: docker-run-as-container-provided-user required: true choices: - arg_value: allowed enum_value: allowed help_text: | The feature can be used. - arg_value: forbidden enum_value: forbidden help_text: | The feature cannot be used. - arg_value: restricted enum_value: restricted help_text: | The feature can be used, if and only if, it is set to one of the allowed values. help_text: | Whether dockerRunAsContainerProvidedUser can be used. If unspecified, the default is equivalent to "forbidden". - api_field: instance.featurePolicy.dockerRunAsContainerProvidedUser.allowedValues arg_name: docker-run-as-container-provided-user-allowlist required: false help_text: | The list of allowed dockerRunAsContainerProvidedUser values. Note: this will only be used if the corresponding policy is set to "restricted". - group: required: false help_text: | Flags for dockerRuntime - either only docker-runtime or both flags may be specified. params: - api_field: instance.featurePolicy.dockerRuntime.policy arg_name: docker-runtime required: true choices: - arg_value: allowed enum_value: allowed help_text: | The feature can be used. - arg_value: forbidden enum_value: forbidden help_text: | The feature cannot be used. - arg_value: restricted enum_value: restricted help_text: | The feature can be used, if and only if, it is set to one of the allowed values. help_text: | Whether dockerRuntime can be used. If unspecified, the default is equivalent to "forbidden". - api_field: instance.featurePolicy.dockerRuntime.allowedValues arg_name: docker-runtime-allowlist required: false help_text: | The list of allowed dockerRuntime values. Note: this will only be used if the corresponding policy is set to "restricted". - api_field: instance.featurePolicy.dockerSiblingContainers.policy arg_name: docker-sibling-containers required: false choices: - arg_value: allowed enum_value: allowed help_text: | The feature can be used. - arg_value: forbidden enum_value: forbidden help_text: | The feature cannot be used. help_text: | Whether dockerSiblingSontainers can be used. If unspecified, the default is equivalent to "forbidden". - api_field: instance.featurePolicy.linuxIsolation arg_name: linux-isolation required: false choices: - arg_value: gvisor enum_value: gvisor help_text: | gVisor will be used as the isolation mechanism for all linux execution. - arg_value: 'off' enum_value: 'off' help_text: | No additional isolation mechanisms will be used beyond the default linux runtime. help_text: | Which Linux isolation mechanism should be used for execution. If unspecified, the default Linux runtime will be used. - api_field: instance.featurePolicy.linuxExecution arg_name: linux-execution required: false choices: - arg_value: forbidden enum_value: LINUX_EXECUTION_FORBIDDEN help_text: | Forbid Linux actions and worker pools. - arg_value: unrestricted enum_value: LINUX_EXECUTION_UNRESTRICTED help_text: | No additional restrictions imposed on Linux actions or worker pools by this policy. - arg_value: hardened-gvisor enum_value: LINUX_EXECUTION_HARDENED_GVISOR help_text: | Linux actions will be hardened with gVisor. Actions incompatible with gVisor hardening will be rejected. - arg_value: hardened-gvisor-or-terminal enum_value: LINUX_EXECUTION_HARDENED_GVISOR_OR_TERMINAL help_text: | Linux actions will be hardened with gVisor. Actions incompatible with gVisor hardening will be made terminal, i.e., the worker that ran the action will be terminated after the action completes. help_text: | Defines whether Linux actions and worker pools are allowed and how they can be configured to support various levels of isolation. - api_field: instance.featurePolicy.windowsExecution arg_name: windows-execution required: false choices: - arg_value: forbidden enum_value: WINDOWS_EXECUTION_FORBIDDEN help_text: | Forbid Windows actions and worker pools. - arg_value: unrestricted enum_value: WINDOWS_EXECUTION_UNRESTRICTED help_text: | No additional restrictions imposed on Windows actions or worker pools by this policy. - arg_value: terminal enum_value: WINDOWS_EXECUTION_TERMINAL help_text: | Windows workers will be terminated after they finish running an action. help_text: | Defines whether Windows actions and worker pools are allowed and how they can be configured to support various levels of isolation. - api_field: instance.featurePolicy.macExecution arg_name: mac-execution required: false choices: - arg_value: forbidden enum_value: MAC_EXECUTION_FORBIDDEN help_text: | Forbid Mac actions and worker pools. - arg_value: unrestricted enum_value: MAC_EXECUTION_UNRESTRICTED help_text: | No additional restrictions imposed on Mac actions or worker pools by this policy. help_text: | Defines whether Mac actions and worker pools are allowed and how they can be configured to support various levels of isolation. - api_field: instance.featurePolicy.actionIsolation arg_name: action-isolation required: false choices: - arg_value: enforced enum_value: ACTION_ISOLATION_ENFORCED help_text: | Isolation of actions is enforced. - arg_value: 'off' enum_value: ACTION_ISOLATION_OFF help_text: | No enforcement of isolation for actions. help_text: | Defines levels of isolation of actions executed on this instance by requiring other isolation related feature policies like linux-execution, windows-execution, etc to be set a certain way. - api_field: instance.featurePolicy.actionHermeticity arg_name: action-hermeticity required: false choices: - arg_value: enforced enum_value: ACTION_HERMETICITY_ENFORCED help_text: | Hermeticity of actions is enforced. - arg_value: best-effort enum_value: ACTION_HERMETICITY_BEST_EFFORT help_text: | Hermeticity of actions is best effort. - arg_value: 'off' enum_value: ACTION_HERMETICITY_OFF help_text: | No Hermeticity restrictions for actions. help_text: | Defines levels of hermeticity for actions executed on this instance by requiring other isolation and hermeticity related feature policies like linux-execution, windows-execution, etc to be set a certain way. - api_field: instance.featurePolicy.dockerUlimits.policy arg_name: docker-ulimits required: false choices: - arg_value: allowed enum_value: allowed help_text: | The feature can be used. - arg_value: forbidden enum_value: forbidden help_text: | The feature cannot be used. help_text: | Whether dockerUlimits can be used. If unspecified, the default is equivalent to "forbidden".