Skip to content

Latest commit

 

History

History
557 lines (557 loc) · 12.2 KB

settings.md

File metadata and controls

557 lines (557 loc) · 12.2 KB

Packages:

settings.gardener.cloud/v1alpha1

Package v1alpha1 is a version of the API.

Resource Types:

ClusterOpenIDConnectPreset

ClusterOpenIDConnectPreset is a OpenID Connect configuration that is applied to a Shoot objects cluster-wide.

Field Description
apiVersion
string
settings.gardener.cloud/v1alpha1
kind
string
ClusterOpenIDConnectPreset
metadata
Kubernetes meta/v1.ObjectMeta

Standard object metadata.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ClusterOpenIDConnectPresetSpec

Spec is the specification of this OpenIDConnect preset.



OpenIDConnectPresetSpec
OpenIDConnectPresetSpec

(Members of OpenIDConnectPresetSpec are embedded into this type.)

projectSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Project decides whether to apply the configuration if the Shoot is in a specific Project matching the label selector. Use the selector only if the OIDC Preset is opt-in, because end users may skip the admission by setting the labels. Defaults to the empty LabelSelector, which matches everything.

OpenIDConnectPreset

OpenIDConnectPreset is a OpenID Connect configuration that is applied to a Shoot in a namespace.

Field Description
apiVersion
string
settings.gardener.cloud/v1alpha1
kind
string
OpenIDConnectPreset
metadata
Kubernetes meta/v1.ObjectMeta

Standard object metadata.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
OpenIDConnectPresetSpec

Spec is the specification of this OpenIDConnect preset.



server
KubeAPIServerOpenIDConnect

Server contains the kube-apiserver’s OpenID Connect configuration. This configuration is not overwritting any existing OpenID Connect configuration already set on the Shoot object.

client
OpenIDConnectClientAuthentication
(Optional)

Client contains the configuration used for client OIDC authentication of Shoot clusters. This configuration is not overwritting any existing OpenID Connect client authentication already set on the Shoot object.

shootSelector
Kubernetes meta/v1.LabelSelector
(Optional)

ShootSelector decides whether to apply the configuration if the Shoot has matching labels. Use the selector only if the OIDC Preset is opt-in, because end users may skip the admission by setting the labels. Default to the empty LabelSelector, which matches everything.

weight
int32

Weight associated with matching the corresponding preset, in the range 1-100. Required.

ClusterOpenIDConnectPresetSpec

(Appears on: ClusterOpenIDConnectPreset)

ClusterOpenIDConnectPresetSpec contains the OpenIDConnect specification and project selector matching Shoots in Projects.

Field Description
OpenIDConnectPresetSpec
OpenIDConnectPresetSpec

(Members of OpenIDConnectPresetSpec are embedded into this type.)

projectSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Project decides whether to apply the configuration if the Shoot is in a specific Project matching the label selector. Use the selector only if the OIDC Preset is opt-in, because end users may skip the admission by setting the labels. Defaults to the empty LabelSelector, which matches everything.

KubeAPIServerOpenIDConnect

(Appears on: OpenIDConnectPresetSpec)

KubeAPIServerOpenIDConnect contains configuration settings for the OIDC provider. Note: Descriptions were taken from the Kubernetes documentation.

Field Description
caBundle
string
(Optional)

If set, the OpenID server’s certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host’s root CA set will be used.

clientID
string

The client ID for the OpenID Connect client. Required.

groupsClaim
string
(Optional)

If provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings. This field is experimental, please see the authentication documentation for further details.

groupsPrefix
string
(Optional)

If provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.

issuerURL
string

The URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT). Required.

requiredClaims
map[string]string
(Optional)

key=value pairs that describes a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value.

signingAlgs
[]string
(Optional)

List of allowed JOSE asymmetric signing algorithms. JWTs with a ‘alg’ header value not in this list will be rejected. Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1 Defaults to [RS256]

usernameClaim
string
(Optional)

The OpenID claim to use as the user name. Note that claims other than the default (‘sub’) is not guaranteed to be unique and immutable. This field is experimental, please see the authentication documentation for further details. Defaults to “sub”.

usernamePrefix
string
(Optional)

If provided, all usernames will be prefixed with this value. If not provided, username claims other than ‘email’ are prefixed by the issuer URL to avoid clashes. To skip any prefixing, provide the value ‘-’.

OpenIDConnectClientAuthentication

(Appears on: OpenIDConnectPresetSpec)

OpenIDConnectClientAuthentication contains configuration for OIDC clients.

Field Description
secret
string
(Optional)

The client Secret for the OpenID Connect client.

extraConfig
map[string]string
(Optional)

Extra configuration added to kubeconfig’s auth-provider. Must not be any of idp-issuer-url, client-id, client-secret, idp-certificate-authority, idp-certificate-authority-data, id-token or refresh-token

OpenIDConnectPresetSpec

(Appears on: OpenIDConnectPreset, ClusterOpenIDConnectPresetSpec)

OpenIDConnectPresetSpec contains the Shoot selector for which a specific OpenID Connect configuration is applied.

Field Description
server
KubeAPIServerOpenIDConnect

Server contains the kube-apiserver’s OpenID Connect configuration. This configuration is not overwritting any existing OpenID Connect configuration already set on the Shoot object.

client
OpenIDConnectClientAuthentication
(Optional)

Client contains the configuration used for client OIDC authentication of Shoot clusters. This configuration is not overwritting any existing OpenID Connect client authentication already set on the Shoot object.

shootSelector
Kubernetes meta/v1.LabelSelector
(Optional)

ShootSelector decides whether to apply the configuration if the Shoot has matching labels. Use the selector only if the OIDC Preset is opt-in, because end users may skip the admission by setting the labels. Default to the empty LabelSelector, which matches everything.

weight
int32

Weight associated with matching the corresponding preset, in the range 1-100. Required.


Generated with gen-crd-api-reference-docs