-
Notifications
You must be signed in to change notification settings - Fork 131
/
0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml
107 lines (107 loc) · 4.33 KB
/
0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: rolebindingrestrictions.authorization.openshift.io
spec:
group: authorization.openshift.io
names:
kind: RoleBindingRestriction
listKind: RoleBindingRestrictionList
plural: rolebindingrestrictions
singular: rolebindingrestriction
scope: Namespaced
versions:
- name: v1
served: true
storage: true
validation:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
metadata:
description: Standard object's metadata.
type: object
spec:
description: Spec defines the matcher.
properties:
grouprestriction:
description: GroupRestriction matches against group subjects.
nullable: true
properties:
groups:
description: Groups is a list of groups used to match against an
individual user's groups. If the user is a member of one of the
whitelisted groups, the user is allowed to be bound to a role.
items:
type: string
nullable: true
type: array
labels:
description: Selectors specifies a list of label selectors over
group labels.
items:
type: object
nullable: true
type: array
type: object
serviceaccountrestriction:
description: ServiceAccountRestriction matches against service-account
subjects.
nullable: true
properties:
namespaces:
description: Namespaces specifies a list of literal namespace names.
items:
type: string
type: array
serviceaccounts:
description: ServiceAccounts specifies a list of literal service-account
names.
items:
properties:
name:
description: Name is the name of the service account.
type: string
namespace:
description: Namespace is the namespace of the service account. Service
accounts from inside the whitelisted namespaces are allowed
to be bound to roles. If Namespace is empty, then the namespace
of the RoleBindingRestriction in which the ServiceAccountReference
is embedded is used.
type: string
type: object
type: array
type: object
userrestriction:
description: UserRestriction matches against user subjects.
nullable: true
properties:
groups:
description: Groups specifies a list of literal group names.
items:
type: string
nullable: true
type: array
labels:
description: Selectors specifies a list of label selectors over
user labels.
items:
type: object
nullable: true
type: array
users:
description: Users specifies a list of literal user names.
items:
type: string
type: array
type: object
type: object