workload-manager-basics

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Workload Manager Basics

Workload Manager 基础

Workload Manager validates enterprise workloads against Google Cloud best practices and recommendations. The public client libraries are centered on evaluations: define a resource scope, choose built-in or custom rules, run an evaluation, then inspect results and scanned resources.

Workload Manager 验证企业工作负载是否符合Google Cloud最佳实践与建议。公共客户端库以评估为核心：定义资源范围，选择内置或自定义规则，运行评估，随后检查结果与扫描资源。

Use This Flow

使用流程

mermaid

flowchart LR
    Rules["List rules"] --> Eval["Create or update evaluation"]
    Resources["Project, folder, or org scope"] --> Eval
    Eval --> Run["Run evaluation"]
    Run --> Results["Inspect evaluation results"]
    Results --> Remediate["Remediate findings"]
    Results --> Export["Optional BigQuery export"]

mermaid

flowchart LR
    Rules["List rules"] --> Eval["Create or update evaluation"]
    Resources["Project, folder, or org scope"] --> Eval
    Eval --> Run["Run evaluation"]
    Run --> Results["Inspect evaluation results"]
    Results --> Remediate["Remediate findings"]
    Results --> Export["Optional BigQuery export"]

Core API Constraints

核心API约束

To ensure compatibility, security, and successful integration:

Public Surface Only: You MUST strictly interact with Workload Manager using the official public
```
google-cloud-workloadmanager
```
client library or the public REST API (
```
workloadmanager.googleapis.com/v1
```
).
No Internal or Undocumented APIs: Do NOT attempt to use internal RPC protocols, private service backends, or undocumented discovery mechanisms. They are not supported for public integrations and will fail.
No Service-Specific CLI: There is no public
```
gcloud workload-manager
```
CLI command group. Use
```
gcloud
```
only for authentication, IAM role assignment, and fetching raw REST tokens.
Sandbox Execution Robustness (Auth/Mock Fallbacks): When gcloud authentication or Workload Manager API calls fail in sandboxed or restricted environments (e.g., due to Context Aware Access token blocks, missing API enablement, or mock resources returning 404/403), immediately fall back to presenting example code and static findings from your references instead of entering retry loops. Present the correct client library code structure or REST API payload example, clearly explain the auth or resource limitation, and list typical rules or mock findings statically to satisfy the request.

为确保兼容性、安全性与集成成功：

仅使用公开接口： 必须严格通过官方公开的
```
google-cloud-workloadmanager
```
客户端库或公开REST API（
```
workloadmanager.googleapis.com/v1
```
）与Workload Manager交互。
禁止使用内部或未公开API： 请勿尝试使用内部RPC协议、私有服务后端或未公开的发现机制。这些不支持公开集成，且会导致失败。
无特定服务CLI： 目前没有公开的
```
gcloud workload-manager
```
命令组。仅可使用
```
gcloud
```
进行身份验证、IAM角色分配及获取原始REST令牌。
沙箱执行鲁棒性（身份验证/模拟回退）： 当在沙箱或受限环境中（例如，因上下文感知访问令牌拦截、API未启用或模拟资源返回404/403错误）导致gcloud身份验证或Workload Manager API调用失败时，应立即回退至展示参考示例代码和静态检测结果，而非进入重试循环。展示正确的客户端库代码结构或REST API负载示例，清晰说明身份验证或资源限制，并静态列出典型规则或模拟检测结果以满足请求。

Prerequisites

前置条件

Enable the Workload Manager API:

bash

gcloud services enable workloadmanager.googleapis.com --quiet

Authenticate locally using Application Default Credentials (ADC) before using client libraries:
bash
```
gcloud auth application-default login
```
Ensure the Workload Manager service agent has the required roles granted in your project (mandatory for API/client library usage, see IAM & Security).
Grant the least-privileged role needed for the task. Start with
```
roles/workloadmanager.viewer
```
for read-only access to evaluation resources and use
```
roles/workloadmanager.evaluationAdmin
```
or
```
roles/workloadmanager.admin
```
only when creating, updating, running, or deleting evaluations.

启用Workload Manager API：

bash

gcloud services enable workloadmanager.googleapis.com --quiet

使用客户端库前，通过应用默认凭据（ADC）在本地完成身份验证：
bash
```
gcloud auth application-default login
```
确保Workload Manager服务代理在您的项目中已被授予所需角色（API/客户端库使用的必备条件，请查看IAM & 安全）。
授予任务所需的最小权限角色。对于评估资源的只读访问，从
```
roles/workloadmanager.viewer
```
开始；仅在创建、更新、运行或删除评估时，使用
```
roles/workloadmanager.evaluationAdmin
```
或
```
roles/workloadmanager.admin
```
。

Quick Client Library Example

客户端库快速示例

Use the Python client library for the first working automation path:

bash

python3 -m pip install --upgrade google-cloud-workloadmanager

python

from google.cloud import workloadmanager_v1

project_id = "PROJECT_ID"
location = "LOCATION"
parent = f"projects/{project_id}/locations/{location}"

client = workloadmanager_v1.WorkloadManagerClient()

rules = client.list_rules(
    request=workloadmanager_v1.ListRulesRequest(
        parent=parent,
        evaluation_type=workloadmanager_v1.Evaluation.EvaluationType.OTHER,
    )
)

for rule in rules.rules:
    print(rule.name, rule.display_name, rule.severity)

使用Python客户端库实现首个自动化流程：

bash

python3 -m pip install --upgrade google-cloud-workloadmanager

python

from google.cloud import workloadmanager_v1

project_id = "PROJECT_ID"
location = "LOCATION"
parent = f"projects/{project_id}/locations/{location}"

client = workloadmanager_v1.WorkloadManagerClient()

rules = client.list_rules(
    request=workloadmanager_v1.ListRulesRequest(
        parent=parent,
        evaluation_type=workloadmanager_v1.Evaluation.EvaluationType.OTHER,
    )
)

for rule in rules.rules:
    print(rule.name, rule.display_name, rule.severity)

Reference Directory

参考目录

Core Concepts: Evaluations, rules, results, scanned resources, supported workload types, and API shape.
General Best Practices: Google Cloud general best-practice posture checks,
```
OTHER
```
evaluation guidance, custom Rego rules, and scale/automation patterns.
Client Libraries: Python and Go client library examples for listing rules, creating evaluations, running evaluations, and reading findings.
REST Usage: Direct REST examples for the public Workload Manager API and operations polling.
Public CLI Status: No documented service-specific
```
gcloud workload-manager
```
command group; use
```
gcloud
```
only for auth, IAM, API enablement, and REST tokens.
Public MCP Status: No documented public Workload Manager MCP server; use client libraries or REST API instead.
Setup Prerequisites: Terraform examples only for adjacent prerequisites such as API enablement, IAM, BigQuery export datasets, and KMS keys. This is not Workload Manager resource management.
IAM & Security: Workload Manager roles, least-privilege guidance, service agents, data handling, and CMEK notes.

If product behavior or API fields are not covered here, check the current Workload Manager product documentation and client library reference before implementing.

核心概念：评估、规则、结果、扫描资源、支持的工作负载类型及API架构。
通用最佳实践：Google Cloud通用最佳实践态势检查、
```
OTHER
```
评估指南、自定义Rego规则及扩展/自动化模式。
客户端库：Python和Go客户端库示例，涵盖列出规则、创建评估、运行评估及读取检测结果。
REST使用方法：Workload Manager公开API的直接REST示例及操作轮询。
公开CLI状态：无文档记录的特定服务
```
gcloud workload-manager
```
命令组；仅可使用
```
gcloud
```
进行身份验证、IAM配置、API启用及获取REST令牌。
公开MCP状态：无文档记录的公开Workload Manager MCP服务器；请使用客户端库或REST API替代。
设置前置条件：仅包含相邻前置条件的Terraform示例，例如API启用、IAM配置、BigQuery导出数据集及KMS密钥。此部分不涉及Workload Manager资源管理。
IAM & 安全：Workload Manager角色、最小权限指南、服务代理、数据处理及CMEK说明。

如果此处未涵盖产品行为或API字段，请在实现前查看当前Workload Manager产品文档及客户端库参考。

Authoritative References

权威参考

Workload Manager overview
Google Cloud best practices
Workload Manager REST API
About custom rules
Write custom rules using Rego
Python package
Workload Manager IAM roles
For additional information, use the Developer Knowledge MCP server
```
search_documents
```
tool.

Workload Manager 概述
Google Cloud 最佳实践
Workload Manager REST API
自定义规则介绍
使用Rego编写自定义规则
Python包
Workload Manager IAM角色
如需更多信息，请使用开发者知识MCP服务器的
```
search_documents
```
工具。

Additional Context

补充内容

Mastering cloud posture management with Workload Manager

使用Workload Manager掌握云态势管理