Connector [accesspolicies.alauda.io/v1alpha1]

connectors.alauda.io group

AccessPolicy defines the access strategy for Connectors in a namespace. It specifies which Connectors are covered and what permissions are granted, either automatically (defaultPermission) or after approval checks pass (checkGrantedPermission).

v1alpha1 version
spec object

AccessPolicySpec defines the desired state of AccessPolicy.

checkGrantedPermission object

CheckGrantedPermission defines permissions granted only after approval checks pass.

spec object required

Spec contains the check rules and the permissions to grant after all checks pass.

checks []object required

CheckRule defines a check rule that must pass for a permission to be granted. It contains either a reference to a CheckRuleSpec stored in a ConfigMap or the CheckRuleSpec itself. You can specify either ref or spec, but not both.

name string required

Name is the identifier of this check rule, referenced in AccessRequest status.

ref object

Ref is a reference to a CheckRuleSpec stored in a ConfigMap.

configMap object required

ConfigMap references the ConfigMap containing the CheckRuleSpec.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

spec object

Spec contains the check rule specification.

selector object required

Selector specifies how to find the Check Duck Type resource.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

objectRef object required

ObjectRef specifies the reference to the object to check against. kind and apiVersion are required in order to distinguish different duck types.

apiVersion string

API version of the referent.

fieldPath string

If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.

kind string

Kind of the referent.

name string

Name of the referent.

namespace string

Namespace of the referent.

resourceVersion string

Specific resourceVersion to which this reference is made, if any.

uid string

UID of the referent.
state object

State configures how the check result is computed. If empty, the default duck-type field status.state is used.

rego string

Rego is an OPA Rego script (package "approval") that receives the full check resource as input and must output status = {"state": "approved|rejected|pending|passed"}. If empty, the default duck-type field status.state is used.

roleTemplate object required

RoleTemplate defines the rules for the generated Role.

ref object

Ref specifies a reference to a RoleTemplate.

configMap object

ConfigMap specifies a local reference to a ConfigMap whose data["rules"] contains the YAML-encoded list of rbacv1.PolicyRule entries. Only ConfigMaps in the connectors system namespace are supported.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

connector object

Connector specifies which Connectors this policy applies to. If empty, the policy applies to all Connectors in the namespace.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

names []string

Names is an explicit list of resource names to match.

defaultPermission object

DefaultPermission defines the Role and RoleBinding automatically granted without any approval check.

bindingTemplate object required

BindingTemplate defines the subjects for the generated RoleBinding.

serviceAccounts []object

ServiceAccountTemplate defines a template for binding ServiceAccounts. It extends rbacv1.Subject with dynamic label-based selectors.

names []string

Names is the list of service account names to bind.

namespaceSelector object

NamespaceSelector selects Namespaces by label and/or name.

matchExpressions []object

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

key string required

key is the label key that the selector applies to.

operator string required

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values []string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

matchLabels object

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

names []string

Names is an explicit list of resource names to match.

roleTemplate object required

RoleTemplate defines the rules to include in the generated Role.

ref object

Ref specifies a reference to a RoleTemplate.

configMap object

ConfigMap specifies a local reference to a ConfigMap whose data["rules"] contains the YAML-encoded list of rbacv1.PolicyRule entries. Only ConfigMaps in the connectors system namespace are supported.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
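The following manifest is an added example, not part of this reference page or of the Alauda project, that assembles the spec fields above into one AccessPolicy: a narrow defaultPermission granted without review, and a broader checkGrantedPermission gated on a check rule whose state is computed by the Rego contract described under state.rego. Every name, label, namespace, the apiVersion/kind of the check duck-type resource, the shape of its status (a conditions list) and the contents of the rules ConfigMap are constructed assumptions; the page gives both accesspolicies.alauda.io/v1alpha1 and the connectors.alauda.io group, so confirm the served apiVersion with kubectl api-resources before applying.

```yaml
# Added example (not from the page or the Alauda project). All names, labels,
# namespaces and the check resource's apiVersion/kind/status shape are constructed.
apiVersion: accesspolicies.alauda.io/v1alpha1   # as listed on the page; verify with `kubectl api-resources`
kind: AccessPolicy
metadata:
  name: team-a-connector-access            # constructed
  namespace: team-a                        # constructed
spec:
  # Scope: only Connectors carrying this label in the namespace; omit to cover all of them.
  connector:
    matchLabels:
      connectors.example.com/tier: shared  # constructed label
  # Granted automatically, with no approval check: keep these rules minimal.
  defaultPermission:
    roleTemplate:
      ref:
        configMap:
          name: connector-readonly-rules   # constructed; must live in the connectors system namespace
    bindingTemplate:
      serviceAccounts:
      - names: ["ci-runner"]               # constructed service account name
        namespaceSelector:
          matchLabels:
            env: prod                      # constructed
  # Granted only after every listed check reports state "approved".
  checkGrantedPermission:
    spec:
      roleTemplate:
        ref:
          configMap:
            name: connector-admin-rules    # constructed
      checks:
      - name: manager-signoff              # this name appears in AccessRequest status
        spec:
          selector:
            matchLabels:
              approval.example.com/kind: manager   # constructed
          objectRef:
            apiVersion: approvals.example.com/v1   # constructed duck-type resource
            kind: Approval
          state:
            # Constructed Rego: maps a conditions-style status onto the
            # status = {"state": ...} contract the page describes. Without it,
            # the controller would read status.state from the resource directly.
            rego: |
              package approval

              import rego.v1

              default status := {"state": "pending"}

              status := {"state": "approved"} if {
                some c in input.status.conditions
                c.type == "Approved"
                c.status == "True"
              }

              status := {"state": "rejected"} if {
                some c in input.status.conditions
                c.type == "Approved"
                c.status == "False"
              }
---
# Role rules referenced by defaultPermission above. data["rules"] holds a
# YAML-encoded list of rbacv1.PolicyRule entries; the page states only
# ConfigMaps in the connectors system namespace are supported, so the
# namespace below is a placeholder to replace with that namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: connector-readonly-rules
  namespace: <connectors-system-namespace>   # placeholder
data:
  rules: |
    - apiGroups: ["connectors.alauda.io"]    # assumed group of the Connector resource
      resources: ["connectors"]
      verbs: ["get", "list", "watch"]
```

Two points worth checking on a real cluster: the defaultPermission rules are granted to every matching ServiceAccount with no review, so review that ConfigMap as carefully as a Role you would hand-write; and because the ref ConfigMaps must live in the connectors system namespace, write access to that namespace is effectively write access to every Role the controller generates.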

status object

AccessPolicyStatus defines the observed state of AccessPolicy.

annotations object

Annotations are additional Status fields for the Resource, used to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.

conditions []object

Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties

lastTransitionTime string

LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).

message string

A human readable message indicating details about the transition.

reason string

The reason for the condition's last transition.

severity string

Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.

status string required

Status of the condition, one of True, False, Unknown.

type string required

Type of condition.

matchedConnectors []object

LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.

name string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

observedGeneration integer

ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.