src/edge-infra.dev/test/fixtures/crds/gcp/iam.cnrm.cloud.google.com_iamworkloadidentitypoolproviders.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: (unknown)
  name: iamworkloadidentitypoolproviders.iam.cnrm.cloud.google.com
spec:
  group: iam.cnrm.cloud.google.com
  names:
    kind: IAMWorkloadIdentityPoolProvider
    listKind: IAMWorkloadIdentityPoolProviderList
    plural: iamworkloadidentitypoolproviders
    singular: iamworkloadidentitypoolprovider
  scope: Namespaced
  versions:
  - name: v1beta1
    schema:
      openAPIV3Schema:
        description: IAMWorkloadIdentityPoolProvider is the Schema for the iam API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            properties:
              attributeCondition:
                description: '[A Common Expression Language](https://opensource.google/projects/cel)
                  expression, in plain text, to restrict what otherwise valid authentication
                  credentials issued by the provider should not be accepted. The expression
                  must output a boolean representing whether to allow the federation.
                  The following keywords may be referenced in the expressions: * `assertion`:
                  JSON representing the authentication credential issued by the provider.
                  * `google`: The Google attributes mapped from the assertion in the
                  `attribute_mappings`. * `attribute`: The custom attributes mapped
                  from the assertion in the `attribute_mappings`. The maximum length
                  of the attribute condition expression is 4096 characters. If unspecified,
                  all valid authentication credential are accepted. The following
                  example shows how to only allow credentials with a mapped `google.groups`
                  value of `admins`: ``` "''admins'' in google.groups" ```'
                type: string
              attributeMapping:
                additionalProperties:
                  type: string
                description: 'Maps attributes from authentication credentials issued
                  by an external identity provider to Google Cloud attributes, such
                  as `subject` and `segment`. Each key must be a string specifying
                  the Google Cloud IAM attribute to map to. The following keys are
                  supported: * `google.subject`: The principal IAM is authenticating.
                  You can reference this value in IAM bindings. This is also the subject
                  that appears in Cloud Logging logs. Cannot exceed 127 characters.
                  * `google.groups`: Groups the external identity belongs to. You
                  can grant groups access to resources using an IAM `principalSet`
                  binding; access applies to all members of the group. You can also
                  provide custom attributes by specifying `attribute.{custom_attribute}`,
                  where `{custom_attribute}` is the name of the custom attribute to
                  be mapped. You can define a maximum of 50 custom attributes. The
                  maximum length of a mapped attribute key is 100 characters, and
                  the key may only contain the characters [a-z0-9_]. You can reference
                  these attributes in IAM policies to define fine-grained access for
                  a workload to Google Cloud resources. For example: * `google.subject`:
                  `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
                  * `google.groups`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
                  * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
                  Each value must be a [Common Expression Language] (https://opensource.google/projects/cel)
                  function that maps an identity provider credential to the normalized
                  attribute specified by the corresponding map key. You can use the
                  `assertion` keyword in the expression to access a JSON representation
                  of the authentication credential issued by the provider. The maximum
                  length of an attribute mapping expression is 2048 characters. When
                  evaluated, the total size of all mapped attributes must not exceed
                  8KB. For AWS providers, if no attribute mapping is defined, the
                  following default mapping applies: ``` { "google.subject":"assertion.arn",
                  "attribute.aws_role": "assertion.arn.contains(''assumed-role'')"
                  " ? assertion.arn.extract(''{account_arn}assumed-role/'')" " + ''assumed-role/''"
                  " + assertion.arn.extract(''assumed-role/{role_name}/'')" " : assertion.arn",
                  } ``` If any custom attribute mappings are defined, they must include
                  a mapping to the `google.subject` attribute. For OIDC providers,
                  you must supply a custom mapping, which must include the `google.subject`
                  attribute. For example, the following maps the `sub` claim of the
                  incoming credential to the `subject` attribute on a Google token:
                  ``` {"google.subject": "assertion.sub"} ```'
                type: object
              aws:
                description: An Amazon Web Services identity provider.
                properties:
                  accountId:
                    description: Required. The AWS account ID.
                    type: string
                  stsUri:
                    description: A list of AWS STS URIs that can be used when exchanging
                      credentials. If not provided, any valid AWS STS URI is allowed.
                      URIs must use the form `https://sts.amazonaws.com` or `https://sts.{region}.amazonaws.com`,
                      where {region} is a valid AWS region. You can specify a maximum
                      of 25 URIs.
                    items:
                      type: string
                    type: array
                required:
                - accountId
                type: object
              description:
                description: A description for the provider. Cannot exceed 256 characters.
                type: string
              disabled:
                description: Whether the provider is disabled. You cannot use a disabled
                  provider to exchange tokens. However, existing tokens still grant
                  access.
                type: boolean
              displayName:
                description: A display name for the provider. Cannot exceed 32 characters.
                type: string
              location:
                description: Immutable. The location for the resource
                type: string
              oidc:
                description: An OpenId Connect 1.0 identity provider.
                properties:
                  allowedAudiences:
                    description: 'Acceptable values for the `aud` field (audience)
                      in the OIDC token. Token exchange requests are rejected if the
                      token audience does not match one of the configured values.
                      Each audience may be at most 256 characters. A maximum of 10
                      audiences may be configured. If this list is empty, the OIDC
                      token audience must be equal to the full canonical resource
                      name of the WorkloadIdentityPoolProvider, with or without the
                      HTTPS prefix. For example: ``` //iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
                      https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/
                      ```'
                    items:
                      type: string
                    type: array
                  issuerUri:
                    description: Required. The OIDC issuer URL. Must be an HTTPS endpoint.
                    type: string
                required:
                - issuerUri
                type: object
              projectRef:
                description: Immutable. The Project that this resource belongs to.
                properties:
                  external:
                    description: The external name of the referenced resource
                    type: string
                  kind:
                    description: Kind of the referent.
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              workloadIdentityPoolRef:
                description: Immutable.
                properties:
                  external:
                    description: The external name of the referenced resource
                    type: string
                  kind:
                    description: Kind of the referent.
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
            required:
            - location
            - projectRef
            - workloadIdentityPoolRef
            type: object
          status:
            properties:
              conditions:
                description: |-
                  Conditions represent the latest available observations of the
                  IAMWorkloadIdentityPoolProvider's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: |-
                        Unique, one-word, CamelCase reason for the condition's last
                        transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              state:
                description: 'Output only. The state of the provider. Possible values:
                  STATE_UNSPECIFIED, ACTIVE, DELETED'
                type: string
            type: object
        type: object
    served: true
    storage: true