71 | 71 | OIDC is the configuration for OIDC-based access. |
72 | 72 | Exactly one of Token or OIDC must be set. |
73 | 73 | properties: |
74 | | - additionalRoles: |
75 | | - description: |- |
76 | | - AdditionalRoles are additional (Cluster)Roles that should be created. |
77 | | - Note that they are not automatically bound to any user. |
78 | | - It is strongly recommended to set the name field so that the created (Cluster)Roles can be referenced in the RoleBindings field. |
79 | | - items: |
80 | | - properties: |
81 | | - name: |
82 | | - description: |- |
83 | | - Name is an optional name for the (Cluster)Role that will be created for the requested permissions. |
84 | | - If not set, a randomized name that is unique in the cluster will be generated. |
85 | | - Note that the AccessRequest will not be granted if the to-be-created (Cluster)Role already exists, but is not managed by the AccessRequest, so choose this name carefully. |
86 | | - type: string |
87 | | - namespace: |
88 | | - description: |- |
89 | | - Namespace is the namespace for which the permissions are requested. |
90 | | - If empty, this will result in a ClusterRole, otherwise in a Role in the respective namespace. |
91 | | - Note that for a Role, the namespace needs to either exist or a permission to create it must be included in the requested permissions (it will be created automatically then), otherwise the request will be rejected. |
92 | | - type: string |
93 | | - rules: |
94 | | - description: Rules are the requested RBAC rules. |
95 | | - items: |
96 | | - description: |- |
97 | | - PolicyRule holds information that describes a policy rule, but does not contain information |
98 | | - about who the rule applies to or which namespace the rule applies to. |
99 | | - properties: |
100 | | - apiGroups: |
101 | | - description: |- |
102 | | - APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of |
103 | | - the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. |
104 | | - items: |
105 | | - type: string |
106 | | - type: array |
107 | | - x-kubernetes-list-type: atomic |
108 | | - nonResourceURLs: |
109 | | - description: |- |
110 | | - NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path |
111 | | - Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. |
112 | | - Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. |
113 | | - items: |
114 | | - type: string |
115 | | - type: array |
116 | | - x-kubernetes-list-type: atomic |
117 | | - resourceNames: |
118 | | - description: ResourceNames is an optional white list |
119 | | - of names that the rule applies to. An empty set |
120 | | - means that everything is allowed. |
121 | | - items: |
122 | | - type: string |
123 | | - type: array |
124 | | - x-kubernetes-list-type: atomic |
125 | | - resources: |
126 | | - description: Resources is a list of resources this |
127 | | - rule applies to. '*' represents all resources. |
128 | | - items: |
129 | | - type: string |
130 | | - type: array |
131 | | - x-kubernetes-list-type: atomic |
132 | | - verbs: |
133 | | - description: Verbs is a list of Verbs that apply to |
134 | | - ALL the ResourceKinds contained in this rule. '*' |
135 | | - represents all verbs. |
136 | | - items: |
137 | | - type: string |
138 | | - type: array |
139 | | - x-kubernetes-list-type: atomic |
140 | | - required: |
141 | | - - verbs |
142 | | - type: object |
143 | | - type: array |
144 | | - required: |
145 | | - - rules |
146 | | - type: object |
147 | | - type: array |
148 | 74 | clientID: |
149 | 75 | description: ClientID is the client ID to use for the OIDC provider. |
150 | 76 | type: string |
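Review bot: Dropping `additionalRoles` from `spec.oidc` outright, with no deprecation window, is a breaking schema change for anyone already using it. Structural CRD schemas prune unknown fields, so an existing AccessRequest that still sets `spec.oidc.additionalRoles` will have the field silently discarded on apply instead of being rejected, and the (Cluster)Roles it asked for just stop being created with no error surfaced to the requester. Suggest keeping the old field for one release with its description marked deprecated (pointing at the new `roles` location), or adding an `x-kubernetes-validations` rule that rejects the old path with an explicit message, and noting the rename in the changelog.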
@@ -254,6 +180,80 @@ spec: |
254 | 180 | - subjects |
255 | 181 | type: object |
256 | 182 | type: array |
| 183 | + roles: |
| 184 | + description: |- |
| 185 | + Roles are additional (Cluster)Roles that should be created. |
| 186 | + Note that they are not automatically bound to any user. |
| 187 | + It is strongly recommended to set the name field so that the created (Cluster)Roles can be referenced in the RoleBindings field. |
| 188 | + items: |
| 189 | + properties: |
| 190 | + name: |
| 191 | + description: |- |
| 192 | + Name is an optional name for the (Cluster)Role that will be created for the requested permissions. |
| 193 | + If not set, a randomized name that is unique in the cluster will be generated. |
| 194 | + Note that the AccessRequest will not be granted if the to-be-created (Cluster)Role already exists, but is not managed by the AccessRequest, so choose this name carefully. |
| 195 | + type: string |
| 196 | + namespace: |
| 197 | + description: |- |
| 198 | + Namespace is the namespace for which the permissions are requested. |
| 199 | + If empty, this will result in a ClusterRole, otherwise in a Role in the respective namespace. |
| 200 | + Note that for a Role, the namespace needs to either exist or a permission to create it must be included in the requested permissions (it will be created automatically then), otherwise the request will be rejected. |
| 201 | + type: string |
| 202 | + rules: |
| 203 | + description: Rules are the requested RBAC rules. |
| 204 | + items: |
| 205 | + description: |- |
| 206 | + PolicyRule holds information that describes a policy rule, but does not contain information |
| 207 | + about who the rule applies to or which namespace the rule applies to. |
| 208 | + properties: |
| 209 | + apiGroups: |
| 210 | + description: |- |
| 211 | + APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of |
| 212 | + the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups. |
| 213 | + items: |
| 214 | + type: string |
| 215 | + type: array |
| 216 | + x-kubernetes-list-type: atomic |
| 217 | + nonResourceURLs: |
| 218 | + description: |- |
| 219 | + NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path |
| 220 | + Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. |
| 221 | + Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both. |
| 222 | + items: |
| 223 | + type: string |
| 224 | + type: array |
| 225 | + x-kubernetes-list-type: atomic |
| 226 | + resourceNames: |
| 227 | + description: ResourceNames is an optional white list |
| 228 | + of names that the rule applies to. An empty set |
| 229 | + means that everything is allowed. |
| 230 | + items: |
| 231 | + type: string |
| 232 | + type: array |
| 233 | + x-kubernetes-list-type: atomic |
| 234 | + resources: |
| 235 | + description: Resources is a list of resources this |
| 236 | + rule applies to. '*' represents all resources. |
| 237 | + items: |
| 238 | + type: string |
| 239 | + type: array |
| 240 | + x-kubernetes-list-type: atomic |
| 241 | + verbs: |
| 242 | + description: Verbs is a list of Verbs that apply to |
| 243 | + ALL the ResourceKinds contained in this rule. '*' |
| 244 | + represents all verbs. |
| 245 | + items: |
| 246 | + type: string |
| 247 | + type: array |
| 248 | + x-kubernetes-list-type: atomic |
| 249 | + required: |
| 250 | + - verbs |
| 251 | + type: object |
| 252 | + type: array |
| 253 | + required: |
| 254 | + - rules |
| 255 | + type: object |
| 256 | + type: array |
257 | 257 | usernameClaim: |
258 | 258 | default: sub |
259 | 259 | description: |- |
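Review bot: The schema accepts `nonResourceURLs` on a rule even when the enclosing `roles` item has `namespace` set, although the description on lines 219-221 states that non-resource URLs are only applicable to ClusterRoles; such a request passes admission and only fails, or is silently ineffective, when the namespaced Role is created. A CEL rule on the `roles` item would reject the mismatch up front, e.g. `- rule: "!has(self.namespace) || self.namespace == '' || self.rules.all(r, !has(r.nonResourceURLs))"` with a message explaining that non-resource URLs require a ClusterRole. Relatedly, `name` is optional but the description both "strongly recommends" it and warns that an unmanaged pre-existing (Cluster)Role of that name blocks the whole request; either document the generated-name format so callers can predict it, or make `name` required, rather than leaving the constraint advisory.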