#Connector [accessrequests.alauda.io/v1alpha1]

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.

AccessRequestSpec defines the desired state of AccessRequest.

AccessRequestStatus records the observed state of AccessRequest.

ConnectorRef references the target Connector in the same namespace. Only Name is required; Namespace is always the same as the AccessRequest.

Context provides lifecycle context for this request. Currently only Kind=Pod is supported.

Subject is the identity requesting access (typically a ServiceAccount).

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

ObjectRef points to the lifecycle object (e.g., a Pod). Currently only Kind=Pod is supported.

API version of the referent.

If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.

Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency

UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids

APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects.

Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error.

Name of the object being referenced.

Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error.

Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.

Conditions the latest available observations of a resource's current state.

ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.

Policies holds the matched AccessPolicy status list. Full AccessPolicy snapshots are stored to prevent policy changes from affecting in-flight authorization decisions.

LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).

A human readable message indicating details about the transition.

The reason for the condition's last transition.

Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.

Status of the condition, one of True, False, Unknown.

Type of condition.

MatchedChecks records the matched Check Duck Type resources and their states.

Name is the AccessPolicy name, used as the list map key.

PermissionSync records policy-level permission synchronization condition.

PolicySpec is the full AccessPolicy spec snapshot at match time.

Condition records the computed approval condition of this check.

Name matches CheckRule.name in the AccessPolicy.

Ref identifies the matched Check Duck Type resource instance.

LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).

A human readable message indicating details about the transition.

The reason for the condition's last transition.

Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.

Status of the condition, one of True, False, Unknown.

Type of condition.

API version of the referent.

If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.

Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency

UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

message is a human readable message indicating details about the transition. This may be an empty string.

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

status of the condition, one of True, False, Unknown.

type of condition in CamelCase or in foo.example.com/CamelCase.

CheckGrantedPermission defines permissions granted only after approval checks pass.

Connector specifies which Connectors this policy applies to. If empty, the policy applies to all Connectors in the namespace.

DefaultPermission defines the Role and RoleBinding automatically granted without any approval check.

Spec contains the check rules and the permissions to grant after all checks pass.

Checks is the list of approval check rules.

RoleTemplate defines the rules for the generated Role.

Name is the identifier of this check rule, referenced in AccessRequest status.

Ref is a reference to a CheckRuleSpec stored in a ConfigMap.

Spec contains the check rule specification.

ConfigMap references the ConfigMap containing the CheckRuleSpec.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Selector specifies how to find the Check Duck Type resource.

State configures how the check result is computed. If empty, the default duck-type field status.state is used.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

ObjectRef specifies the reference to the object to check against. kind and apiVersion are required to distinguish different duck types

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

API version of the referent.

If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object.

Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency

UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids

Rego is an OPA Rego script (package "approval") that receives the full check resource as input and must output status = {"state": "approved|rejected|pending|passed"}. If empty, the default duck-type field status.state is used.

Ref specifies a reference to a RoleTemplate

ConfigMap specifies a local reference to a ConfigMap whose data["rules"] contains the YAML-encoded list of rbacv1.PolicyRule entries. Only ConfigMaps in the connectors system namespace are supported.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

Names is an explicit list of resource names to match.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

BindingTemplate defines the subjects for the generated RoleBinding.

RoleTemplate defines the rules to include in the generated Role.

ServiceAccounts is the list of service account templates to bind.

Names is the list of service account names to bind.

NamespaceSelector selects Namespaces by label and/or name.

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

Names is an explicit list of resource names to match.

key is the label key that the selector applies to.

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

Ref specifies a reference to a RoleTemplate

ConfigMap specifies a local reference to a ConfigMap whose data["rules"] contains the YAML-encoded list of rbacv1.PolicyRule entries. Only ConfigMaps in the connectors system namespace are supported.

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names