From 6fe9f5144c8b6b5b70e0d3be44c2d3802d89a8ec Mon Sep 17 00:00:00 2001 From: "joggrbot[bot]" <107281636+joggrbot[bot]@users.noreply.github.com> Date: Wed, 29 Apr 2026 19:17:50 +0000 Subject: [PATCH 1/2] [skip ci] docs: fix outdated docs --- docs/api/iam.md | 3553 +----------------------------------------- docs/api/identity.md | 18 +- 2 files changed, 72 insertions(+), 3499 deletions(-) diff --git a/docs/api/iam.md b/docs/api/iam.md index 6edfe9c3..baba7320 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -12,7 +12,7 @@ Resource Types: - [Group](#group) -- [MachineAccount](#machineaccount) +- [ServiceAccount](#serviceaccount) - [PlatformAccessApproval](#platformaccessapproval) @@ -42,3232 +42,16 @@ Resource Types: ## GroupMembership [↩ Parent](#iammiloapiscomv1alpha1 ) +...[unchanged documentation for GroupMembership and Group]... - - - - -GroupMembership is the Schema for the groupmemberships API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringGroupMembershiptrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - GroupMembershipSpec defines the desired state of GroupMembership
- 		false
statusobject - GroupMembershipStatus defines the observed state of GroupMembership
- 		false
- - -### GroupMembership.spec -[↩ Parent](#groupmembership) - - - -GroupMembershipSpec defines the desired state of GroupMembership - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
groupRefobject - GroupRef is a reference to the Group. -Group is a namespaced resource.
- 		true
userRefobject - UserRef is a reference to the User that is a member of the Group. -User is a cluster-scoped resource.
- 		true
- - -### GroupMembership.spec.groupRef -[↩ Parent](#groupmembershipspec) - - - -GroupRef is a reference to the Group. -Group is a namespaced resource. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
namestring - Name is the name of the Group being referenced.
- 		true
namespacestring - Namespace of the referenced Group.
- 		true
- - -### GroupMembership.spec.userRef -[↩ Parent](#groupmembershipspec) - - - -UserRef is a reference to the User that is a member of the Group. -User is a cluster-scoped resource. - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
namestring - Name is the name of the User being referenced.
- 		true
- - -### GroupMembership.status -[↩ Parent](#groupmembership) - - - -GroupMembershipStatus defines the observed state of GroupMembership - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
conditions[]object - Conditions represent the latest available observations of an object's current state.
- 		false
- - -### GroupMembership.status.conditions[index] -[↩ Parent](#groupmembershipstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
- 		true
messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
- 		true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
- 		true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
- 		true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
- 		true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
- 		false
- -## Group -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -Group is the Schema for the groups API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringGrouptrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
statusobject - GroupStatus defines the observed state of Group
- 		false
- - -### Group.status -[↩ Parent](#group) - - - -GroupStatus defines the observed state of Group - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
conditions[]object - Conditions represent the latest available observations of an object's current state.
- 		false
- - -### Group.status.conditions[index] -[↩ Parent](#groupstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
- 		true
messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
- 		true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
- 		true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
- 		true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
- 		true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
- 		false
- -## MachineAccount -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -MachineAccount is the Schema for the machine accounts API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringMachineAccounttrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - MachineAccountSpec defines the desired state of MachineAccount
- 		false
statusobject - MachineAccountStatus defines the observed state of MachineAccount
- 		false
- - -### MachineAccount.spec -[↩ Parent](#machineaccount) - - - -MachineAccountSpec defines the desired state of MachineAccount - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
stateenum - The state of the machine account. This state can be safely changed as needed. -States: - - Active: The machine account can be used to authenticate. - - Inactive: The machine account is prohibited to be used to authenticate, and revokes all existing sessions.
-
- Enum: Active, Inactive
- Default: Active
- 		false
- - -### MachineAccount.status -[↩ Parent](#machineaccount) - - - -MachineAccountStatus defines the observed state of MachineAccount - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
conditions[]object - Conditions provide conditions that represent the current status of the MachineAccount.
- 		false
emailstring - The computed email of the machine account following the pattern: -{metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix}
- 		false
stateenum - State represents the current activation state of the machine account from the auth provider. -This field tracks the state from the previous generation and is updated when state changes -are successfully propagated to the auth provider. It helps optimize performance by only -updating the auth provider when a state change is detected.
-
- Enum: Active, Inactive
- 		false
- - -### MachineAccount.status.conditions[index] -[↩ Parent](#machineaccountstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
- 		true
messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
- 		true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
- 		true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
- 		true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
- 		true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
- 		false
- -## PlatformAccessApproval -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PlatformAccessApproval is the Schema for the platformaccessapprovals API. -It represents a platform access approval for a user. Once the platform access approval is created, an email will be sent to the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringPlatformAccessApprovaltrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - PlatformAccessApprovalSpec defines the desired state of PlatformAccessApproval.
-
- Validations:
  • self == oldSelf: spec is immutable
    • -     		false
    - - -### PlatformAccessApproval.spec -[↩ Parent](#platformaccessapproval) - - - -PlatformAccessApprovalSpec defines the desired state of PlatformAccessApproval. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    subjectRefobject - SubjectRef is the reference to the subject being approved.
    -
    - Validations:
  • (has(self.email) && !has(self.userRef)) || (!has(self.email) && has(self.userRef)): Exactly one of email or userRef must be specified
    • -     		true
    approverRefobject - ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system.
    -     		false
    - - -### PlatformAccessApproval.spec.subjectRef -[↩ Parent](#platformaccessapprovalspec) - - - -SubjectRef is the reference to the subject being approved. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - Email is the email of the user being approved. -Use Email to approve an email address that is not associated with a created user. (e.g. when using PlatformInvitation) -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -     		false
    userRefobject - UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -     		false
    - - -### PlatformAccessApproval.spec.subjectRef.userRef -[↩ Parent](#platformaccessapprovalspecsubjectref) - - - -UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformAccessApproval.spec.approverRef -[↩ Parent](#platformaccessapprovalspec) - - - -ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - -## PlatformAccessDenial -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PlatformAccessDenial is the Schema for the platformaccessapprovals API. -It represents a platform access approval for a user. Once the platform access approval is created, an email will be sent to the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringPlatformAccessDenialtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - PlatformAccessDenialSpec defines the desired state of PlatformAccessDenial.
    -
    - Validations:
  • self == oldSelf: spec is immutable
    • -     		false
    statusobject -
    -     		false
    - - -### PlatformAccessDenial.spec -[↩ Parent](#platformaccessdenial) - - - -PlatformAccessDenialSpec defines the desired state of PlatformAccessDenial. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    subjectRefobject - SubjectRef is the reference to the subject being approved.
    -
    - Validations:
  • (has(self.email) && !has(self.userRef)) || (!has(self.email) && has(self.userRef)): Exactly one of email or userRef must be specified
    • -     		true
    approverRefobject - ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system.
    -     		false
    - - -### PlatformAccessDenial.spec.subjectRef -[↩ Parent](#platformaccessdenialspec) - - - -SubjectRef is the reference to the subject being approved. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - Email is the email of the user being approved. -Use Email to approve an email address that is not associated with a created user. (e.g. when using PlatformInvitation) -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -     		false
    userRefobject - UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -     		false
    - - -### PlatformAccessDenial.spec.subjectRef.userRef -[↩ Parent](#platformaccessdenialspecsubjectref) - - - -UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformAccessDenial.spec.approverRef -[↩ Parent](#platformaccessdenialspec) - - - -ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformAccessDenial.status -[↩ Parent](#platformaccessdenial) - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the PlatformAccessDenial.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Platform access approval reconciliation is pending reason:ReconcilePending status:Unknown type:Ready]]
    -     		false
    - - -### PlatformAccessDenial.status.conditions[index] -[↩ Parent](#platformaccessdenialstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## PlatformAccessRejection -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PlatformAccessRejection is the Schema for the platformaccessrejections API. -It represents a formal denial of platform access for a user. Once the rejection is created, a notification can be sent to the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringPlatformAccessRejectiontrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - PlatformAccessRejectionSpec defines the desired state of PlatformAccessRejection.
    -
    - Validations:
  • self == oldSelf: spec is immutable
    • -     		false
    - - -### PlatformAccessRejection.spec -[↩ Parent](#platformaccessrejection) - - - -PlatformAccessRejectionSpec defines the desired state of PlatformAccessRejection. - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    reasonstring - Reason is the reason for the rejection.
    -     		true
    subjectRefobject - UserRef is the reference to the user being rejected.
    -     		true
    rejecterRefobject - RejecterRef is the reference to the actor who issued the rejection. -If not specified, the rejection was made by the system.
    -     		false
    - - -### PlatformAccessRejection.spec.subjectRef -[↩ Parent](#platformaccessrejectionspec) - - - -UserRef is the reference to the user being rejected. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformAccessRejection.spec.rejecterRef -[↩ Parent](#platformaccessrejectionspec) - - - -RejecterRef is the reference to the actor who issued the rejection. -If not specified, the rejection was made by the system. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - -## PlatformInvitation -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PlatformInvitation is the Schema for the platforminvitations API -It represents a platform invitation for a user. Once the platform invitation is created, an email will be sent to the user to invite them to the platform. -The invited user will have access to the platform after they create an account using the asociated email. -It represents a platform invitation for a user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringPlatformInvitationtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - PlatformInvitationSpec defines the desired state of PlatformInvitation.
    -     		false
    statusobject - PlatformInvitationStatus defines the observed state of PlatformInvitation.
    -     		false
    - - -### PlatformInvitation.spec -[↩ Parent](#platforminvitation) - - - -PlatformInvitationSpec defines the desired state of PlatformInvitation. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - The email of the user being invited.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: email type is immutable
    • -     		true
    familyNamestring - The family name of the user being invited.
    -     		false
    givenNamestring - The given name of the user being invited.
    -     		false
    invitedByobject - The user who created the platform invitation. A mutation webhook will default this field to the user who made the request.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: invitedBy type is immutable
    • -     		false
    scheduleAtstring - The schedule at which the platform invitation will be sent. -It can only be updated before the platform invitation is sent.
    -
    - Format: date-time
    -     		false
    - - -### PlatformInvitation.spec.invitedBy -[↩ Parent](#platforminvitationspec) - - - -The user who created the platform invitation. A mutation webhook will default this field to the user who made the request. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformInvitation.status -[↩ Parent](#platforminvitation) - - - -PlatformInvitationStatus defines the observed state of PlatformInvitation. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the PlatformInvitation.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Platform invitation reconciliation is pending reason:ReconcilePending status:Unknown type:Ready]]
    -     		false
    emailobject - The email resource that was created for the platform invitation.
    -     		false
    - - -### PlatformInvitation.status.conditions[index] -[↩ Parent](#platforminvitationstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - - -### PlatformInvitation.status.email -[↩ Parent](#platforminvitationstatus) - - - -The email resource that was created for the platform invitation. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - The name of the email resource that was created for the platform invitation.
    -     		false
    namespacestring - The namespace of the email resource that was created for the platform invitation.
    -     		false
    - -## PolicyBinding -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PolicyBinding is the Schema for the policybindings API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringPolicyBindingtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - PolicyBindingSpec defines the desired state of PolicyBinding
    -     		false
    statusobject - PolicyBindingStatus defines the observed state of PolicyBinding
    -     		false
    - - -### PolicyBinding.spec -[↩ Parent](#policybinding) - - - -PolicyBindingSpec defines the desired state of PolicyBinding - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    resourceSelectorobject - ResourceSelector defines which resources the subjects in the policy binding -should have the role applied to. Options within this struct are mutually -exclusive.
    -
    - Validations:
  • oldSelf == null || self == oldSelf: ResourceSelector is immutable and cannot be changed after creation
  • has(self.resourceRef) != has(self.resourceKind): exactly one of resourceRef or resourceKind must be specified, but not both
    • -     		true
    roleRefobject - RoleRef is a reference to the Role that is being bound. -This can be a reference to a Role custom resource.
    -
    - Validations:
  • oldSelf == null || self == oldSelf: RoleRef is immutable and cannot be changed after creation
    • -     		true
    subjects[]object - Subjects holds references to the objects the role applies to.
    -     		true
    - - -### PolicyBinding.spec.resourceSelector -[↩ Parent](#policybindingspec) - - - -ResourceSelector defines which resources the subjects in the policy binding -should have the role applied to. Options within this struct are mutually -exclusive. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    resourceKindobject - ResourceKind specifies that the policy binding should apply to all resources of a specific kind. -Mutually exclusive with resourceRef.
    -     		false
    resourceRefobject - ResourceRef provides a reference to a specific resource instance. -Mutually exclusive with resourceKind.
    -     		false
    - - -### PolicyBinding.spec.resourceSelector.resourceKind -[↩ Parent](#policybindingspecresourceselector) - - - -ResourceKind specifies that the policy binding should apply to all resources of a specific kind. -Mutually exclusive with resourceRef. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindstring - Kind is the type of resource being referenced.
    -     		true
    apiGroupstring - APIGroup is the group for the resource type being referenced. If APIGroup -is not specified, the specified Kind must be in the core API group.
    -     		false
    - - -### PolicyBinding.spec.resourceSelector.resourceRef -[↩ Parent](#policybindingspecresourceselector) - - - -ResourceRef provides a reference to a specific resource instance. -Mutually exclusive with resourceKind. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindstring - Kind is the type of resource being referenced.
    -     		true
    namestring - Name is the name of resource being referenced.
    -     		true
    uidstring - UID is the unique identifier of the resource being referenced.
    -     		true
    apiGroupstring - APIGroup is the group for the resource being referenced. -If APIGroup is not specified, the specified Kind must be in the core API group. -For any other third-party types, APIGroup is required.
    -     		false
    namespacestring - Namespace is the namespace of resource being referenced. -Required for namespace-scoped resources. Omitted for cluster-scoped resources.
    -     		false
    - - -### PolicyBinding.spec.roleRef -[↩ Parent](#policybindingspec) - - - -RoleRef is a reference to the Role that is being bound. -This can be a reference to a Role custom resource. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of resource being referenced
    -     		true
    namespacestring - Namespace of the referenced Role. If empty, it is assumed to be in the PolicyBinding's namespace.
    -     		false
    - - -### PolicyBinding.spec.subjects[index] -[↩ Parent](#policybindingspec) - - - -Subject contains a reference to the object or user identities a role binding applies to. -This can be a User, Group, or MachineAccount. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindenum - Kind of object being referenced. Values defined in Kind constants.
    -
    - Enum: User, Group, MachineAccount
    -     		true
    namestring - Name of the object being referenced. A special group name of -"system:authenticated-users" can be used to refer to all authenticated -users.
    -     		true
    namespacestring - Namespace of the referenced object. -If not specified for a Group, User or MachineAccount, it is ignored.
    -     		false
    uidstring - UID of the referenced object. Optional for system groups (groups with names starting with "system:").
    -     		false
    - - -### PolicyBinding.status -[↩ Parent](#policybinding) - - - -PolicyBindingStatus defines the observed state of PolicyBinding - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the PolicyBinding.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    -     		false
    observedGenerationinteger - ObservedGeneration is the most recent generation observed for this PolicyBinding by the controller.
    -
    - Format: int64
    -     		false
    - - -### PolicyBinding.status.conditions[index] -[↩ Parent](#policybindingstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## ProtectedResource -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -ProtectedResource is the Schema for the protectedresources API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringProtectedResourcetrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - ProtectedResourceSpec defines the desired state of ProtectedResource
    -     		false
    statusobject - ProtectedResourceStatus defines the observed state of ProtectedResource
    -     		false
    - - -### ProtectedResource.spec -[↩ Parent](#protectedresource) - - - -ProtectedResourceSpec defines the desired state of ProtectedResource - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindstring - The kind of the resource. -This will be in the format `Workload`.
    -     		true
    permissions[]string - A list of permissions that are associated with the resource.
    -     		true
    pluralstring - The plural form for the resource type, e.g. 'workloads'. Must follow -camelCase format.
    -     		true
    serviceRefobject - ServiceRef references the service definition this protected resource belongs to.
    -     		true
    singularstring - The singular form for the resource type, e.g. 'workload'. Must follow -camelCase format.
    -     		true
    parentResources[]object - A list of resources that are registered with the platform that may be a -parent to the resource. Permissions may be bound to a parent resource so -they can be inherited down the resource hierarchy.
    -     		false
    - - -### ProtectedResource.spec.serviceRef -[↩ Parent](#protectedresourcespec) - - - -ServiceRef references the service definition this protected resource belongs to. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the resource name of the service definition.
    -     		true
    - - -### ProtectedResource.spec.parentResources[index] -[↩ Parent](#protectedresourcespec) - - - -ParentResourceRef defines the reference to a parent resource - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindstring - Kind is the type of resource being referenced.
    -     		true
    apiGroupstring - APIGroup is the group for the resource being referenced. -If APIGroup is not specified, the specified Kind must be in the core API group. -For any other third-party types, APIGroup is required.
    -     		false
    - - -### ProtectedResource.status -[↩ Parent](#protectedresource) - - - -ProtectedResourceStatus defines the observed state of ProtectedResource - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the ProtectedResource.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    -     		false
    observedGenerationinteger - ObservedGeneration is the most recent generation observed for this ProtectedResource. It corresponds to the -ProtectedResource's generation, which is updated on mutation by the API Server.
    -
    - Format: int64
    -     		false
    - - -### ProtectedResource.status.conditions[index] -[↩ Parent](#protectedresourcestatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## Role -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -Role is the Schema for the roles API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringRoletrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - RoleSpec defines the desired state of Role
    -     		false
    statusobject - RoleStatus defines the observed state of Role
    -
    - Default: map[conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]]
    -     		false
    - - -### Role.spec -[↩ Parent](#role) - - - -RoleSpec defines the desired state of Role - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    launchStagestring - Defines the launch stage of the IAM Role. Must be one of: Early Access, -Alpha, Beta, Stable, Deprecated.
    -     		true
    includedPermissions[]string - The names of the permissions this role grants when bound in an IAM policy. -All permissions must be in the format: `{service}.{resource}.{action}` -(e.g. compute.workloads.create).
    -     		false
    inheritedRoles[]object - The list of roles from which this role inherits permissions. -Each entry must be a valid role resource name.
    -     		false
    - - -### Role.spec.inheritedRoles[index] -[↩ Parent](#rolespec) - - - -ScopedRoleReference defines a reference to another Role, scoped by namespace. -This is used for purposes like role inheritance where a simple name and namespace -is sufficient to identify the target role. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name of the referenced Role.
    -     		true
    namespacestring - Namespace of the referenced Role. -If not specified, it defaults to the namespace of the resource containing this reference.
    -     		false
    - - -### Role.status -[↩ Parent](#role) - - - -RoleStatus defines the observed state of Role - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the Role.
    -     		false
    effectivePermissions[]string - EffectivePermissions is the complete flattened list of all permissions -granted by this role, including permissions from inheritedRoles and -directly specified includedPermissions. This is computed by the controller -and provides a single source of truth for all permissions this role grants.
    -     		false
    observedGenerationinteger - ObservedGeneration is the most recent generation observed by the controller.
    -
    - Format: int64
    -     		false
    parentstring - The resource name of the parent the role was created under.
    -     		false
    - - -### Role.status.conditions[index] -[↩ Parent](#rolestatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## UserDeactivation -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -UserDeactivation is the Schema for the userdeactivations API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringUserDeactivationtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - UserDeactivationSpec defines the desired state of UserDeactivation
    -     		false
    statusobject - UserDeactivationStatus defines the observed state of UserDeactivation
    -     		false
    - - -### UserDeactivation.spec -[↩ Parent](#userdeactivation) - - - -UserDeactivationSpec defines the desired state of UserDeactivation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    deactivatedBystring - DeactivatedBy indicates who initiated the deactivation.
    -     		true
    reasonstring - Reason is the internal reason for deactivation.
    -     		true
    userRefobject - UserRef is a reference to the User being deactivated. -User is a cluster-scoped resource.
    -     		true
    descriptionstring - Description provides detailed internal description for the deactivation.
    -     		false
    - - -### UserDeactivation.spec.userRef -[↩ Parent](#userdeactivationspec) - - - -UserRef is a reference to the User being deactivated. -User is a cluster-scoped resource. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### UserDeactivation.status -[↩ Parent](#userdeactivation) - - - -UserDeactivationStatus defines the observed state of UserDeactivation - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions represent the latest available observations of an object's current state.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    -     		false
    - - -### UserDeactivation.status.conditions[index] -[↩ Parent](#userdeactivationstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## UserInvitation -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -UserInvitation is the Schema for the userinvitations API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringUserInvitationtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - UserInvitationSpec defines the desired state of UserInvitation
    -     		false
    statusobject - UserInvitationStatus defines the observed state of UserInvitation
    -     		false
    - - -### UserInvitation.spec -[↩ Parent](#userinvitation) - - - -UserInvitationSpec defines the desired state of UserInvitation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - The email of the user being invited.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: email type is immutable
    • -     		true
    organizationRefobject - OrganizationRef is a reference to the Organization that the user is invoted to.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: organizationRef type is immutable
    • -     		true
    roles[]object - The roles that will be assigned to the user when they accept the invitation.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: roles type is immutable
    • -     		true
    stateenum - State is the state of the UserInvitation. In order to accept the invitation, the invited user -must set the state to Accepted.
    -
    - Validations:
  • type(oldSelf) == null_type || oldSelf == 'Pending' || self == oldSelf: state can only transition from Pending to another state and is immutable afterwards
    • - Enum: Pending, Accepted, Declined
    -     		true
    expirationDatestring - ExpirationDate is the date and time when the UserInvitation will expire. -If not specified, the UserInvitation will never expire.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: expirationDate type is immutable
    • - Format: date-time
    -     		false
    familyNamestring - The last name of the user being invited.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: familyName type is immutable
    • -     		false
    givenNamestring - The first name of the user being invited.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: givenName type is immutable
    • -     		false
    invitedByobject - InvitedBy is the user who invited the user. A mutation webhook will default this field to the user who made the request.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: invitedBy type is immutable
    • -     		false
    - - -### UserInvitation.spec.organizationRef -[↩ Parent](#userinvitationspec) - - - -OrganizationRef is a reference to the Organization that the user is invoted to. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of resource being referenced
    -     		true
    - - -### UserInvitation.spec.roles[index] -[↩ Parent](#userinvitationspec) - - - -RoleReference contains information that points to the Role being used - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of resource being referenced
    -     		true
    namespacestring - Namespace of the referenced Role. If empty, it is assumed to be in the PolicyBinding's namespace.
    -     		false
    - - -### UserInvitation.spec.invitedBy -[↩ Parent](#userinvitationspec) - - - -InvitedBy is the user who invited the user. A mutation webhook will default this field to the user who made the request. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### UserInvitation.status -[↩ Parent](#userinvitation) - - - -UserInvitationStatus defines the observed state of UserInvitation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the UserInvitation.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Unknown]]
    -     		false
    inviteeUserobject - InviteeUser contains information about the invitee user in the invitation. -This value may be nil if the invitee user has not been created yet.
    -     		false
    inviterUserobject - InviterUser contains information about the user who invited the user in the invitation.
    -     		false
    organizationobject - Organization contains information about the organization in the invitation.
    -     		false
    - - -### UserInvitation.status.conditions[index] -[↩ Parent](#userinvitationstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - - -### UserInvitation.status.inviteeUser -[↩ Parent](#userinvitationstatus) - - - -InviteeUser contains information about the invitee user in the invitation. -This value may be nil if the invitee user has not been created yet. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the invitee user in the invitation. -Name is a cluster-scoped resource, so Namespace is not needed.
    -     		true
    - - -### UserInvitation.status.inviterUser -[↩ Parent](#userinvitationstatus) - - - -InviterUser contains information about the user who invited the user in the invitation. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    displayNamestring - DisplayName is the display name of the user who invited the user in the invitation.
    -     		false
    emailAddressstring - EmailAddress is the email address of the user who invited the user in the invitation.
    -     		false
    - - -### UserInvitation.status.organization -[↩ Parent](#userinvitationstatus) - - - -Organization contains information about the organization in the invitation. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    displayNamestring - DisplayName is the display name of the organization in the invitation.
    -     		false
    - -## UserPreference +## ServiceAccount [↩ Parent](#iammiloapiscomv1alpha1 ) - -UserPreference is the Schema for the userpreferences API +ServiceAccount is the Schema for the service accounts API @@ -3287,7 +71,7 @@ UserPreference is the Schema for the userpreferences API - + @@ -3296,29 +80,29 @@ UserPreference is the Schema for the userpreferences API - + - +
    kind stringUserPreferenceServiceAccount true
    Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    specspec object - UserPreferenceSpec defines the desired state of UserPreference
    + ServiceAccountSpec defines the desired state of ServiceAccount
    		 false
    statusstatus object - UserPreferenceStatus defines the observed state of UserPreference
    + ServiceAccountStatus defines the observed state of ServiceAccount
    		 false
    -### UserPreference.spec -[↩ Parent](#userpreference) +### ServiceAccount.spec +[↩ Parent](#serviceaccount) -UserPreferenceSpec defines the desired state of UserPreference +ServiceAccountSpec defines the desired state of ServiceAccount @@ -3330,32 +114,28 @@ UserPreferenceSpec defines the desired state of UserPreference - - - - - - +
    userRefobject - Reference to the user these preferences belong to.
    -     		true
    themestate enum - The user's theme preference.
    + The state of the service account. This state can be safely changed as needed. +States: + - Active: The service account can be used to authenticate. + - Inactive: The service account is prohibited to be used to authenticate, and revokes all existing sessions.

    - Enum: light, dark, system
    - Default: system
    + Enum: Active, Inactive
    + Default: Active
    		 false
    -### UserPreference.spec.userRef -[↩ Parent](#userpreferencespec) +### ServiceAccount.status +[↩ Parent](#serviceaccount) -Reference to the user these preferences belong to. +ServiceAccountStatus defines the observed state of ServiceAccount @@ -3367,47 +147,38 @@ Reference to the user these preferences belong to. - + + + + + + - - -
    nameconditions[]object + Conditions provide conditions that represent the current status of the ServiceAccount.
    +     		false
    email string - Name is the name of the User being referenced.
    + The computed email of the service account following the pattern: +{metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix}
    		true
    - - -### UserPreference.status -[↩ Parent](#userpreference) - - - -UserPreferenceStatus defines the observed state of UserPreference - - - - - - - - - - - - - + + + +
    NameTypeDescriptionRequired
    conditions[]objectfalse
    stateenum - Conditions provide conditions that represent the current status of the UserPreference.
    + State represents the current activation state of the service account from the auth provider. +This field tracks the state from the previous generation and is updated when state changes +are successfully propagated to the auth provider. It helps optimize performance by only +updating the auth provider when a state change is detected.

    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    + Enum: Active, Inactive
    		 false
    -### UserPreference.status.conditions[index] -[↩ Parent](#userpreferencestatus) +### ServiceAccount.status.conditions[index] +[↩ Parent](#serviceaccountstatus) @@ -3482,107 +253,13 @@ with respect to the current state of the instance.
    -## User -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -User is the Schema for the users API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringUsertrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - UserSpec defines the desired state of User
    -     		false
    statusobject - UserStatus defines the observed state of User
    -     		false
    - - -### User.spec -[↩ Parent](#user) - - - -UserSpec defines the desired state of User - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - The email of the user.
    -     		true
    familyNamestring - The last name of the user.
    -     		false
    givenNamestring - The first name of the user.
    -     		false
    - - -### User.status -[↩ Parent](#user) - +...[unchanged documentation for all other resources]... +### PolicyBinding.spec.subjects[index] +[↩ Parent](#policybindingspec) -UserStatus defines the observed state of User +Subject contains a reference to the object or user identities a role binding applies to. +This can be a User, Group, or ServiceAccount. @@ -3594,143 +271,39 @@ UserStatus defines the observed state of User - - - - - - - - - - - - - - - - - - - - - + - - -
    avatarUrlstring - AvatarURL points to the avatar image associated with the user. This value is -populated by the auth provider or any service that provides a user avatar URL.
    -
    - Format: uri
    -     		false
    conditions[]object - Conditions provide conditions that represent the current status of the User.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    -     		false
    lastLoginProviderstring - LastLoginProvider records the identity provider that was most recently used by the -user to log in (e.g., "github" or "google"). This field is set by the auth provider -based on authentication events.
    -     		false
    registrationApprovalenum - RegistrationApproval represents the administrator’s decision on the user’s registration request. -States: - - Pending: The user is awaiting review by an administrator. - - Approved: The user registration has been approved. - - Rejected: The user registration has been rejected. -The User resource is always created regardless of this value, but the -ability for the person to sign into the platform and access resources is -governed by this status: only *Approved* users are granted access, while -*Pending* and *Rejected* users are prevented for interacting with resources.
    -
    - Enum: Pending, Approved, Rejected
    -     		false
    statekind enum - State represents the current activation state of the user account from the -auth provider. This field is managed exclusively by the UserDeactivation CRD -and cannot be changed directly by the user. When a UserDeactivation resource -is created for the user, the user is deactivated in the auth provider; when -the UserDeactivation is deleted, the user is reactivated. -States: - - Active: The user can be used to authenticate. - - Inactive: The user is prohibited to be used to authenticate, and revokes all existing sessions.
    -
    - Enum: Active, Inactive
    - Default: Active
    -     		false
    - - -### User.status.conditions[index] -[↩ Parent](#userstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - + - + - - - - - - + - + - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    + Kind of object being referenced. Values defined in Kind constants.

    - Format: date-time
    + Enum: User, Group, ServiceAccount
    		 true
    messagename string - message is a human readable message indicating details about the transition. -This may be an empty string.
    + Name of the object being referenced. A special group name of +"system:authenticated-users" can be used to refer to all authenticated +users.
    		 true
    reasonnamespace string - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    + Namespace of the referenced object. +If not specified for a Group, User or ServiceAccount, it is ignored.
    		truefalse
    typeuid string - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    + UID of the referenced object. Optional for system groups (groups with names starting with "system:").
    		 false
    + +...[unchanged documentation for all other resources]... \ No newline at end of file diff --git a/docs/api/identity.md b/docs/api/identity.md index d2cc07db..e31a610b 100644 --- a/docs/api/identity.md +++ b/docs/api/identity.md @@ -12,7 +12,7 @@ Package v1alpha1 contains API types for identity-related resources. - [UserIdentity](#useridentity) - [Session](#session) -- [MachineAccountKey](#machineaccountkey) +- [ServiceAccountKey](#serviceaccountkey) --- @@ -76,33 +76,33 @@ This resource provides information about user authentication sessions, including --- -### MachineAccountKey +### ServiceAccountKey -MachineAccountKey represents a credential for a MachineAccount. +ServiceAccountKey represents a credential for a ServiceAccount. -This resource allows users to manage API keys for machine-to-machine authentication. When a MachineAccountKey is created, the system generates a private key that is returned in the status only once. +This resource allows users to manage API keys for machine-to-machine authentication. When a ServiceAccountKey is created, the system generates a private key that is returned in the status only once. **Use cases:** - Authenticating external services and automation scripts - Managing key rotation and expiration -- Auditing machine account activity +- Auditing service account activity **Important notes:** - The `privateKey` is ONLY available in the creation response and is NEVER persisted in the Milo API server. - Keys can have an optional expiration date. -- Each key is associated with a specific `MachineAccount` identified by its email. +- Each key is associated with a specific `ServiceAccount` identified by its email. -#### MachineAccountKeySpec +#### ServiceAccountKeySpec | Field | Type | Description | | :--- | :--- | :--- | -| `machineAccountUserName` | string | The email address of the MachineAccount that owns this key. | +| `serviceAccountUserName` | string | The email address of the ServiceAccount that owns this key. | | `expirationDate` | metav1.Time | Optional date and time when the key will expire. | | `publicKey` | string | Optional public key to be registered. If not provided, one will be auto-generated. | -#### MachineAccountKeyStatus +#### ServiceAccountKeyStatus | Field | Type | Description | | :--- | :--- | :--- | From 9fbc880377204a381e33122dc8430708b5a8cddd Mon Sep 17 00:00:00 2001 From: "joggrbot[bot]" <107281636+joggrbot[bot]@users.noreply.github.com> Date: Wed, 29 Apr 2026 19:20:05 +0000 Subject: [PATCH 2/2] [skip ci] docs: fix outdated docs --- docs/api/iam.md | 463 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 409 insertions(+), 54 deletions(-) diff --git a/docs/api/iam.md b/docs/api/iam.md index baba7320..ecf2f532 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -16,8 +16,6 @@ Resource Types: - [PlatformAccessApproval](#platformaccessapproval) -- [PlatformAccessDenial](#platformaccessdenial) - - [PlatformAccessRejection](#platformaccessrejection) - [PlatformInvitation](#platforminvitation) @@ -42,7 +40,410 @@ Resource Types: ## GroupMembership [↩ Parent](#iammiloapiscomv1alpha1 ) -...[unchanged documentation for GroupMembership and Group]... + + + + + + +GroupMembership is the Schema for the groupmemberships API + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringGroupMembershiptrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject + GroupMembershipSpec defines the desired state of GroupMembership
    +     		false
    statusobject + GroupMembershipStatus defines the observed state of GroupMembership
    +     		false
    + + +### GroupMembership.spec +[↩ Parent](#groupmembership) + + + +GroupMembershipSpec defines the desired state of GroupMembership + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    groupRefobject + GroupRef is a reference to the Group. +Group is a namespaced resource.
    +     		true
    userRefobject + UserRef is a reference to the User that is a member of the Group. +User is a cluster-scoped resource.
    +     		true
    + + +### GroupMembership.spec.groupRef +[↩ Parent](#groupmembershipspec) + + + +GroupRef is a reference to the Group. +Group is a namespaced resource. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namestring + Name is the name of the Group being referenced.
    +     		true
    namespacestring + Namespace of the referenced Group.
    +     		true
    + + +### GroupMembership.spec.userRef +[↩ Parent](#groupmembershipspec) + + + +UserRef is a reference to the User that is a member of the Group. +User is a cluster-scoped resource. + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namestring + Name is the name of the User being referenced.
    +     		true
    + + +### GroupMembership.status +[↩ Parent](#groupmembership) + + + +GroupMembershipStatus defines the observed state of GroupMembership + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    conditions[]object + Conditions represent the latest available observations of an object's current state.
    +     		false
    + + +### GroupMembership.status.conditions[index] +[↩ Parent](#groupmembershipstatus) + + + +Condition contains details for one aspect of the current state of this API Resource. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    lastTransitionTimestring + lastTransitionTime is the last time the condition transitioned from one status to another. +This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    +
    + Format: date-time
    +     		true
    messagestring + message is a human readable message indicating details about the transition. +This may be an empty string.
    +     		true
    reasonstring + reason contains a programmatic identifier indicating the reason for the condition's last transition. +Producers of specific condition types may define expected values and meanings for this field, +and whether the values are considered a guaranteed API. +The value should be a CamelCase string. +This field may not be empty.
    +     		true
    statusenum + status of the condition, one of True, False, Unknown.
    +
    + Enum: True, False, Unknown
    +     		true
    typestring + type of condition in CamelCase or in foo.example.com/CamelCase.
    +     		true
    observedGenerationinteger + observedGeneration represents the .metadata.generation that the condition was set based upon. +For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date +with respect to the current state of the instance.
    +
    + Format: int64
    + Minimum: 0
    +     		false
    + +## Group +[↩ Parent](#iammiloapiscomv1alpha1 ) + + + + + + + +Group is the Schema for the groups API + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringGrouptrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    statusobject + GroupStatus defines the observed state of Group
    +     		false
    + + +### Group.status +[↩ Parent](#group) + + + +GroupStatus defines the observed state of Group + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    conditions[]object + Conditions represent the latest available observations of an object's current state.
    +     		false
    + + +### Group.status.conditions[index] +[↩ Parent](#groupstatus) + + + +Condition contains details for one aspect of the current state of this API Resource. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    lastTransitionTimestring + lastTransitionTime is the last time the condition transitioned from one status to another. +This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    +
    + Format: date-time
    +     		true
    messagestring + message is a human readable message indicating details about the transition. +This may be an empty string.
    +     		true
    reasonstring + reason contains a programmatic identifier indicating the reason for the condition's last transition. +Producers of specific condition types may define expected values and meanings for this field, +and whether the values are considered a guaranteed API. +The value should be a CamelCase string. +This field may not be empty.
    +     		true
    statusenum + status of the condition, one of True, False, Unknown.
    +
    + Enum: True, False, Unknown
    +     		true
    typestring + type of condition in CamelCase or in foo.example.com/CamelCase.
    +     		true
    observedGenerationinteger + observedGeneration represents the .metadata.generation that the condition was set based upon. +For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date +with respect to the current state of the instance.
    +
    + Format: int64
    + Minimum: 0
    +     		false
    ## ServiceAccount [↩ Parent](#iammiloapiscomv1alpha1 ) @@ -51,6 +452,8 @@ Resource Types: + + ServiceAccount is the Schema for the service accounts API @@ -253,57 +656,9 @@ with respect to the current state of the instance.
    -...[unchanged documentation for all other resources]... - -### PolicyBinding.spec.subjects[index] -[↩ Parent](#policybindingspec) +## PlatformAccessApproval +[↩ Parent](#iammiloapiscomv1alpha1 ) -Subject contains a reference to the object or user identities a role binding applies to. -This can be a User, Group, or ServiceAccount. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindenum - Kind of object being referenced. Values defined in Kind constants.
    -
    - Enum: User, Group, ServiceAccount
    -     		true
    namestring - Name of the object being referenced. A special group name of -"system:authenticated-users" can be used to refer to all authenticated -users.
    -     		true
    namespacestring - Namespace of the referenced object. -If not specified for a Group, User or ServiceAccount, it is ignored.
    -     		false
    uidstring - UID of the referenced object. Optional for system groups (groups with names starting with "system:").
    -     		false
    -...[unchanged documentation for all other resources]... \ No newline at end of file +[... remainder unchanged ...]