src/github.com/GoogleCloudPlatform/k8s-config-connector/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_accesscontextmanagerserviceperimeters.accesscontextmanager.cnrm.cloud.google.com.yaml
1apiVersion: apiextensions.k8s.io/v1
2kind: CustomResourceDefinition
3metadata:
4 annotations:
5 cnrm.cloud.google.com/version: 0.0.0-dev
6 creationTimestamp: null
7 labels:
8 cnrm.cloud.google.com/managed-by-kcc: "true"
9 cnrm.cloud.google.com/stability-level: stable
10 cnrm.cloud.google.com/system: "true"
11 cnrm.cloud.google.com/tf2crd: "true"
12 name: accesscontextmanagerserviceperimeters.accesscontextmanager.cnrm.cloud.google.com
13spec:
14 group: accesscontextmanager.cnrm.cloud.google.com
15 names:
16 categories:
17 - gcp
18 kind: AccessContextManagerServicePerimeter
19 plural: accesscontextmanagerserviceperimeters
20 shortNames:
21 - gcpaccesscontextmanagerserviceperimeter
22 - gcpaccesscontextmanagerserviceperimeters
23 singular: accesscontextmanagerserviceperimeter
24 preserveUnknownFields: false
25 scope: Namespaced
26 versions:
27 - additionalPrinterColumns:
28 - jsonPath: .metadata.creationTimestamp
29 name: Age
30 type: date
31 - description: When 'True', the most recent reconcile of the resource succeeded
32 jsonPath: .status.conditions[?(@.type=='Ready')].status
33 name: Ready
34 type: string
35 - description: The reason for the value in 'Ready'
36 jsonPath: .status.conditions[?(@.type=='Ready')].reason
37 name: Status
38 type: string
39 - description: The last transition time for the value in 'Status'
40 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
41 name: Status Age
42 type: date
43 name: v1beta1
44 schema:
45 openAPIV3Schema:
46 properties:
47 apiVersion:
48 description: 'apiVersion defines the versioned schema of this representation
49 of an object. Servers should convert recognized schemas to the latest
50 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
51 type: string
52 kind:
53 description: 'kind is a string value representing the REST resource this
54 object represents. Servers may infer this from the endpoint the client
55 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
56 type: string
57 metadata:
58 type: object
59 spec:
60 properties:
61 accessPolicyRef:
62 description: |-
63 The AccessContextManagerAccessPolicy this
64 AccessContextManagerServicePerimeter lives in.
65 oneOf:
66 - not:
67 required:
68 - external
69 required:
70 - name
71 - not:
72 anyOf:
73 - required:
74 - name
75 - required:
76 - namespace
77 required:
78 - external
79 properties:
80 external:
81 description: 'Allowed value: string of the format `accessPolicies/{{value}}`,
82 where {{value}} is the `name` field of an `AccessContextManagerAccessPolicy`
83 resource.'
84 type: string
85 name:
86 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
87 type: string
88 namespace:
89 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
90 type: string
91 type: object
92 description:
93 description: |-
94 Description of the ServicePerimeter and its use. Does not affect
95 behavior.
96 type: string
97 perimeterType:
98 description: |-
99 Immutable. Specifies the type of the Perimeter. There are two types: regular and
100 bridge. Regular Service Perimeter contains resources, access levels,
101 and restricted services. Every resource can be in at most
102 ONE regular Service Perimeter.
103
104 In addition to being in a regular service perimeter, a resource can also
105 be in zero or more perimeter bridges. A perimeter bridge only contains
106 resources. Cross project operations are permitted if all affected
107 resources share some perimeter (whether bridge or regular). Perimeter
108 Bridge does not contain access levels or services: those are governed
109 entirely by the regular perimeter that resource is in.
110
111 Perimeter Bridges are typically useful when building more complex
112 topologies with many independent perimeters that need to share some data
113 with a common perimeter, but should not be able to share data among
114 themselves. Default value: "PERIMETER_TYPE_REGULAR" Possible values: ["PERIMETER_TYPE_REGULAR", "PERIMETER_TYPE_BRIDGE"].
115 type: string
116 resourceID:
117 description: Immutable. Optional. The name of the resource. Used for
118 creation and acquisition. When unset, the value of `metadata.name`
119 is used as the default.
120 type: string
121 spec:
122 description: |-
123 Proposed (or dry run) ServicePerimeter configuration.
124 This configuration allows specifying and testing ServicePerimeter configuration
125 without enforcing actual access restrictions. Only allowed to be set when
126 the 'useExplicitDryRunSpec' flag is set.
127 properties:
128 accessLevels:
129 items:
130 description: |-
131 (Optional) A list of AccessLevel resource names that allow resources within
132 the ServicePerimeter to be accessed from the internet. AccessLevels listed
133 must be in the same policy as this ServicePerimeter.
134 Referencing a nonexistent AccessLevel is a syntax error. If no
135 AccessLevel names are listed, resources within the perimeter can
136 only be accessed via GCP calls with request origins within the
137 perimeter. For Service Perimeter Bridge, must be empty.
138 oneOf:
139 - not:
140 required:
141 - external
142 required:
143 - name
144 - not:
145 anyOf:
146 - required:
147 - name
148 - required:
149 - namespace
150 required:
151 - external
152 properties:
153 external:
154 description: 'Allowed value: string of the format `{{parent}}/accessLevels/{{value}}`,
155 where {{value}} is the `name` field of an `AccessContextManagerAccessLevel`
156 resource.'
157 type: string
158 name:
159 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
160 type: string
161 namespace:
162 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
163 type: string
164 type: object
165 type: array
166 egressPolicies:
167 description: |-
168 List of EgressPolicies to apply to the perimeter. A perimeter may
169 have multiple EgressPolicies, each of which is evaluated separately.
170 Access is granted if any EgressPolicy grants it. Must be empty for
171 a perimeter bridge.
172 items:
173 properties:
174 egressFrom:
175 description: Defines conditions on the source of a request
176 causing this 'EgressPolicy' to apply.
177 properties:
178 identities:
179 items:
180 description: |-
181 (Optional) A list of identities that are allowed access through this
182 EgressPolicy. Should be in the format of an email address. The email
183 address should represent individual user or service account only.
184 oneOf:
185 - required:
186 - serviceAccountRef
187 - required:
188 - user
189 properties:
190 serviceAccountRef:
191 oneOf:
192 - not:
193 required:
194 - external
195 required:
196 - name
197 - not:
198 anyOf:
199 - required:
200 - name
201 - required:
202 - namespace
203 required:
204 - external
205 properties:
206 external:
207 description: 'Allowed value: string of the
208 format `serviceAccount:{{value}}`, where
209 {{value}} is the `email` field of an `IAMServiceAccount`
210 resource.'
211 type: string
212 name:
213 description: 'Name of the referent. More info:
214 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
215 type: string
216 namespace:
217 description: 'Namespace of the referent. More
218 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
219 type: string
220 type: object
221 user:
222 type: string
223 type: object
224 type: array
225 identityType:
226 description: |-
227 Specifies the type of identities that are allowed access to outside the
228 perimeter. If left unspecified, then members of 'identities' field will
229 be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"].
230 type: string
231 type: object
232 egressTo:
233 description: |-
234 Defines the conditions on the 'ApiOperation' and destination resources that
235 cause this 'EgressPolicy' to apply.
236 properties:
237 externalResources:
238 description: |-
239 A list of external resources that are allowed to be accessed. A request
240 matches if it contains an external resource in this list (Example:
241 s3://bucket/path). Currently '*' is not allowed.
242 items:
243 type: string
244 type: array
245 operations:
246 description: |-
247 A list of 'ApiOperations' that this egress rule applies to. A request matches
248 if it contains an operation/service in this list.
249 items:
250 properties:
251 methodSelectors:
252 description: |-
253 API methods or permissions to allow. Method or permission must belong
254 to the service specified by 'serviceName' field. A single MethodSelector
255 entry with '*' specified for the 'method' field will allow all methods
256 AND permissions for the service specified in 'serviceName'.
257 items:
258 properties:
259 method:
260 description: |-
261 Value for 'method' should be a valid method name for the corresponding
262 'serviceName' in 'ApiOperation'. If '*' used as value for method,
263 then ALL methods and permissions are allowed.
264 type: string
265 permission:
266 description: |-
267 Value for permission should be a valid Cloud IAM permission for the
268 corresponding 'serviceName' in 'ApiOperation'.
269 type: string
270 type: object
271 type: array
272 serviceName:
273 description: |-
274 The name of the API whose methods or permissions the 'IngressPolicy' or
275 'EgressPolicy' want to allow. A single 'ApiOperation' with serviceName
276 field set to '*' will allow all methods AND permissions for all services.
277 type: string
278 type: object
279 type: array
280 resources:
281 items:
282 description: |-
283 (Optional) A list of resources, currently only projects in the form
284 "projects/{project_number}". A request
285 matches if it contains a resource in this list.
286 properties:
287 projectRef:
288 oneOf:
289 - not:
290 required:
291 - external
292 required:
293 - name
294 - not:
295 anyOf:
296 - required:
297 - name
298 - required:
299 - namespace
300 required:
301 - external
302 properties:
303 external:
304 description: 'Allowed value: string of the
305 format `projects/{{value}}`, where {{value}}
306 is the `number` field of a `Project` resource.'
307 type: string
308 name:
309 description: 'Name of the referent. More info:
310 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
311 type: string
312 namespace:
313 description: 'Namespace of the referent. More
314 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
315 type: string
316 type: object
317 type: object
318 type: array
319 type: object
320 type: object
321 type: array
322 ingressPolicies:
323 description: |-
324 List of 'IngressPolicies' to apply to the perimeter. A perimeter may
325 have multiple 'IngressPolicies', each of which is evaluated
326 separately. Access is granted if any 'Ingress Policy' grants it.
327 Must be empty for a perimeter bridge.
328 items:
329 properties:
330 ingressFrom:
331 description: |-
332 Defines the conditions on the source of a request causing this 'IngressPolicy'
333 to apply.
334 properties:
335 identities:
336 items:
337 description: |-
338 (Optional) A list of identities that are allowed access through this
339 ingress policy. Should be in the format of an email address. The email
340 address should represent individual user or service account only.
341 oneOf:
342 - required:
343 - serviceAccountRef
344 - required:
345 - user
346 properties:
347 serviceAccountRef:
348 oneOf:
349 - not:
350 required:
351 - external
352 required:
353 - name
354 - not:
355 anyOf:
356 - required:
357 - name
358 - required:
359 - namespace
360 required:
361 - external
362 properties:
363 external:
364 description: 'Allowed value: string of the
365 format `serviceAccount:{{value}}`, where
366 {{value}} is the `email` field of an `IAMServiceAccount`
367 resource.'
368 type: string
369 name:
370 description: 'Name of the referent. More info:
371 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
372 type: string
373 namespace:
374 description: 'Namespace of the referent. More
375 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
376 type: string
377 type: object
378 user:
379 type: string
380 type: object
381 type: array
382 identityType:
383 description: |-
384 Specifies the type of identities that are allowed access from outside the
385 perimeter. If left unspecified, then members of 'identities' field will be
386 allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"].
387 type: string
388 sources:
389 description: Sources that this 'IngressPolicy' authorizes
390 access from.
391 items:
392 properties:
393 accessLevelRef:
394 description: |-
395 An AccessLevel resource name that allows resources within the
396 ServicePerimeters to be accessed from the internet. AccessLevels
397 listed must be in the same policy as this ServicePerimeter.
398 Referencing a nonexistent AccessLevel will cause an error. If no
399 AccessLevel names are listed, resources within the perimeter can
400 only be accessed via Google Cloud calls with request origins within
401 the perimeter.
402 oneOf:
403 - not:
404 required:
405 - external
406 required:
407 - name
408 - not:
409 anyOf:
410 - required:
411 - name
412 - required:
413 - namespace
414 required:
415 - external
416 properties:
417 external:
418 description: 'Allowed value: string of the
419 format `{{parent}}/accessLevels/{{value}}`,
420 where {{value}} is the `name` field of an
421 `AccessContextManagerAccessLevel` resource.'
422 type: string
423 name:
424 description: 'Name of the referent. More info:
425 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
426 type: string
427 namespace:
428 description: 'Namespace of the referent. More
429 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
430 type: string
431 type: object
432 projectRef:
433 description: |-
434 (Optional) A Google Cloud resource that is allowed to ingress the
435 perimeter. Requests from these resources will be allowed to access
436 perimeter data. Currently only projects are allowed. Format
437 "projects/{project_number}". The project may be in any Google Cloud
438 organization, not just the organization that the perimeter is defined in.
439 oneOf:
440 - not:
441 required:
442 - external
443 required:
444 - name
445 - not:
446 anyOf:
447 - required:
448 - name
449 - required:
450 - namespace
451 required:
452 - external
453 properties:
454 external:
455 description: 'Allowed value: string of the
456 format `projects/{{value}}`, where {{value}}
457 is the `number` field of a `Project` resource.'
458 type: string
459 name:
460 description: 'Name of the referent. More info:
461 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
462 type: string
463 namespace:
464 description: 'Namespace of the referent. More
465 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
466 type: string
467 type: object
468 type: object
469 type: array
470 type: object
471 ingressTo:
472 description: |-
473 Defines the conditions on the 'ApiOperation' and request destination that cause
474 this 'IngressPolicy' to apply.
475 properties:
476 operations:
477 description: |-
478 A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom'
479 are allowed to perform in this 'ServicePerimeter'.
480 items:
481 properties:
482 methodSelectors:
483 description: |-
484 API methods or permissions to allow. Method or permission must belong to
485 the service specified by serviceName field. A single 'MethodSelector' entry
486 with '*' specified for the method field will allow all methods AND
487 permissions for the service specified in 'serviceName'.
488 items:
489 properties:
490 method:
491 description: |-
492 Value for method should be a valid method name for the corresponding
493 serviceName in 'ApiOperation'. If '*' used as value for 'method', then
494 ALL methods and permissions are allowed.
495 type: string
496 permission:
497 description: |-
498 Value for permission should be a valid Cloud IAM permission for the
499 corresponding 'serviceName' in 'ApiOperation'.
500 type: string
501 type: object
502 type: array
503 serviceName:
504 description: |-
505 The name of the API whose methods or permissions the 'IngressPolicy' or
506 'EgressPolicy' want to allow. A single 'ApiOperation' with 'serviceName'
507 field set to '*' will allow all methods AND permissions for all services.
508 type: string
509 type: object
510 type: array
511 resources:
512 items:
513 description: |-
514 A list of resources, currently only projects in the form
515 "projects/{project_number}", protected by this ServicePerimeter
516 that are allowed to be accessed by sources defined in the
517 corresponding IngressFrom. A request matches if it contains a
518 resource in this list.
519 properties:
520 projectRef:
521 oneOf:
522 - not:
523 required:
524 - external
525 required:
526 - name
527 - not:
528 anyOf:
529 - required:
530 - name
531 - required:
532 - namespace
533 required:
534 - external
535 properties:
536 external:
537 description: 'Allowed value: string of the
538 format `projects/{{value}}`, where {{value}}
539 is the `number` field of a `Project` resource.'
540 type: string
541 name:
542 description: 'Name of the referent. More info:
543 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
544 type: string
545 namespace:
546 description: 'Namespace of the referent. More
547 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
548 type: string
549 type: object
550 type: object
551 type: array
552 type: object
553 type: object
554 type: array
555 resources:
556 items:
557 description: |-
558 (Optional) A list of GCP resources that are inside of the service perimeter.
559 Currently only projects are allowed.
560 properties:
561 projectRef:
562 oneOf:
563 - not:
564 required:
565 - external
566 required:
567 - name
568 - not:
569 anyOf:
570 - required:
571 - name
572 - required:
573 - namespace
574 required:
575 - external
576 properties:
577 external:
578 description: 'Allowed value: string of the format `projects/{{value}}`,
579 where {{value}} is the `number` field of a `Project`
580 resource.'
581 type: string
582 name:
583 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
584 type: string
585 namespace:
586 description: 'Namespace of the referent. More info:
587 https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
588 type: string
589 type: object
590 type: object
591 type: array
592 restrictedServices:
593 description: |-
594 GCP services that are subject to the Service Perimeter
595 restrictions. Must contain a list of services. For example, if
596 'storage.googleapis.com' is specified, access to the storage
597 buckets inside the perimeter must meet the perimeter's access
598 restrictions.
599 items:
600 type: string
601 type: array
602 vpcAccessibleServices:
603 description: |-
604 Specifies how APIs are allowed to communicate within the Service
605 Perimeter.
606 properties:
607 allowedServices:
608 description: |-
609 The list of APIs usable within the Service Perimeter.
610 Must be empty unless 'enableRestriction' is True.
611 items:
612 type: string
613 type: array
614 enableRestriction:
615 description: |-
616 Whether to restrict API calls within the Service Perimeter to the
617 list of APIs specified in 'allowedServices'.
618 type: boolean
619 type: object
620 type: object
621 status:
622 description: |-
623 ServicePerimeter configuration. Specifies sets of resources,
624 restricted services and access levels that determine
625 perimeter content and boundaries.
626 properties:
627 accessLevels:
628 items:
629 description: |-
630 (Optional) A list of AccessLevel resource names that allow resources within
631 the ServicePerimeter to be accessed from the internet. AccessLevels listed
632 must be in the same policy as this ServicePerimeter.
633 Referencing a nonexistent AccessLevel is a syntax error. If no
634 AccessLevel names are listed, resources within the perimeter can
635 only be accessed via GCP calls with request origins within the
636 perimeter. For Service Perimeter Bridge, must be empty.
637 oneOf:
638 - not:
639 required:
640 - external
641 required:
642 - name
643 - not:
644 anyOf:
645 - required:
646 - name
647 - required:
648 - namespace
649 required:
650 - external
651 properties:
652 external:
653 description: 'Allowed value: string of the format `{{parent}}/accessLevels/{{value}}`,
654 where {{value}} is the `name` field of an `AccessContextManagerAccessLevel`
655 resource.'
656 type: string
657 name:
658 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
659 type: string
660 namespace:
661 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
662 type: string
663 type: object
664 type: array
665 egressPolicies:
666 description: |-
667 List of EgressPolicies to apply to the perimeter. A perimeter may
668 have multiple EgressPolicies, each of which is evaluated separately.
669 Access is granted if any EgressPolicy grants it. Must be empty for
670 a perimeter bridge.
671 items:
672 properties:
673 egressFrom:
674 description: Defines conditions on the source of a request
675 causing this 'EgressPolicy' to apply.
676 properties:
677 identities:
678 items:
679 description: |-
680 (Optional) A list of identities that are allowed access through this
681 EgressPolicy. Should be in the format of an email address. The email
682 address should represent individual user or service account only.
683 oneOf:
684 - required:
685 - serviceAccountRef
686 - required:
687 - user
688 properties:
689 serviceAccountRef:
690 oneOf:
691 - not:
692 required:
693 - external
694 required:
695 - name
696 - not:
697 anyOf:
698 - required:
699 - name
700 - required:
701 - namespace
702 required:
703 - external
704 properties:
705 external:
706 description: 'Allowed value: string of the
707 format `serviceAccount:{{value}}`, where
708 {{value}} is the `email` field of an `IAMServiceAccount`
709 resource.'
710 type: string
711 name:
712 description: 'Name of the referent. More info:
713 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
714 type: string
715 namespace:
716 description: 'Namespace of the referent. More
717 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
718 type: string
719 type: object
720 user:
721 type: string
722 type: object
723 type: array
724 identityType:
725 description: |-
726 Specifies the type of identities that are allowed access to outside the
727 perimeter. If left unspecified, then members of 'identities' field will
728 be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"].
729 type: string
730 type: object
731 egressTo:
732 description: |-
733 Defines the conditions on the 'ApiOperation' and destination resources that
734 cause this 'EgressPolicy' to apply.
735 properties:
736 externalResources:
737 description: |-
738 A list of external resources that are allowed to be accessed. A request
739 matches if it contains an external resource in this list (Example:
740 s3://bucket/path). Currently '*' is not allowed.
741 items:
742 type: string
743 type: array
744 operations:
745 description: |-
746 A list of 'ApiOperations' that this egress rule applies to. A request matches
747 if it contains an operation/service in this list.
748 items:
749 properties:
750 methodSelectors:
751 description: |-
752 API methods or permissions to allow. Method or permission must belong
753 to the service specified by 'serviceName' field. A single MethodSelector
754 entry with '*' specified for the 'method' field will allow all methods
755 AND permissions for the service specified in 'serviceName'.
756 items:
757 properties:
758 method:
759 description: |-
760 Value for 'method' should be a valid method name for the corresponding
761 'serviceName' in 'ApiOperation'. If '*' used as value for method,
762 then ALL methods and permissions are allowed.
763 type: string
764 permission:
765 description: |-
766 Value for permission should be a valid Cloud IAM permission for the
767 corresponding 'serviceName' in 'ApiOperation'.
768 type: string
769 type: object
770 type: array
771 serviceName:
772 description: |-
773 The name of the API whose methods or permissions the 'IngressPolicy' or
774 'EgressPolicy' want to allow. A single 'ApiOperation' with serviceName
775 field set to '*' will allow all methods AND permissions for all services.
776 type: string
777 type: object
778 type: array
779 resources:
780 items:
781 description: |-
782 (Optional) A list of resources, currently only projects in the form
783 "projects/{project_number}". A request
784 matches if it contains a resource in this list.
785 properties:
786 projectRef:
787 oneOf:
788 - not:
789 required:
790 - external
791 required:
792 - name
793 - not:
794 anyOf:
795 - required:
796 - name
797 - required:
798 - namespace
799 required:
800 - external
801 properties:
802 external:
803 description: 'Allowed value: string of the
804 format `projects/{{value}}`, where {{value}}
805 is the `number` field of a `Project` resource.'
806 type: string
807 name:
808 description: 'Name of the referent. More info:
809 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
810 type: string
811 namespace:
812 description: 'Namespace of the referent. More
813 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
814 type: string
815 type: object
816 type: object
817 type: array
818 type: object
819 type: object
820 type: array
821 ingressPolicies:
822 description: |-
823 List of 'IngressPolicies' to apply to the perimeter. A perimeter may
824 have multiple 'IngressPolicies', each of which is evaluated
825 separately. Access is granted if any 'Ingress Policy' grants it.
826 Must be empty for a perimeter bridge.
827 items:
828 properties:
829 ingressFrom:
830 description: |-
831 Defines the conditions on the source of a request causing this 'IngressPolicy'
832 to apply.
833 properties:
834 identities:
835 items:
836 description: |-
837 (Optional) A list of identities that are allowed access through this
838 ingress policy. Should be in the format of an email address. The email
839 address should represent individual user or service account only.
840 oneOf:
841 - required:
842 - serviceAccountRef
843 - required:
844 - user
845 properties:
846 serviceAccountRef:
847 oneOf:
848 - not:
849 required:
850 - external
851 required:
852 - name
853 - not:
854 anyOf:
855 - required:
856 - name
857 - required:
858 - namespace
859 required:
860 - external
861 properties:
862 external:
863 description: 'Allowed value: string of the
864 format `serviceAccount:{{value}}`, where
865 {{value}} is the `email` field of an `IAMServiceAccount`
866 resource.'
867 type: string
868 name:
869 description: 'Name of the referent. More info:
870 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
871 type: string
872 namespace:
873 description: 'Namespace of the referent. More
874 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
875 type: string
876 type: object
877 user:
878 type: string
879 type: object
880 type: array
881 identityType:
882 description: |-
883 Specifies the type of identities that are allowed access from outside the
884 perimeter. If left unspecified, then members of 'identities' field will be
885 allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"].
886 type: string
887 sources:
888 description: Sources that this 'IngressPolicy' authorizes
889 access from.
890 items:
891 properties:
892 accessLevelRef:
893 description: |-
894 An AccessLevel resource name that allows resources within the
895 ServicePerimeters to be accessed from the internet. AccessLevels
896 listed must be in the same policy as this ServicePerimeter.
897 Referencing a nonexistent AccessLevel will cause an error. If no
898 AccessLevel names are listed, resources within the perimeter can
899 only be accessed via Google Cloud calls with request origins within
900 the perimeter.
901 oneOf:
902 - not:
903 required:
904 - external
905 required:
906 - name
907 - not:
908 anyOf:
909 - required:
910 - name
911 - required:
912 - namespace
913 required:
914 - external
915 properties:
916 external:
917 description: 'Allowed value: string of the
918 format `{{parent}}/accessLevels/{{value}}`,
919 where {{value}} is the `name` field of an
920 `AccessContextManagerAccessLevel` resource.'
921 type: string
922 name:
923 description: 'Name of the referent. More info:
924 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
925 type: string
926 namespace:
927 description: 'Namespace of the referent. More
928 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
929 type: string
930 type: object
931 projectRef:
932 description: |-
933 (Optional) A Google Cloud resource that is allowed to ingress the
934 perimeter. Requests from these resources will be allowed to access
935 perimeter data. Currently only projects are allowed. Format
936 "projects/{project_number}". The project may be in any Google Cloud
937 organization, not just the organization that the perimeter is defined in.
938 oneOf:
939 - not:
940 required:
941 - external
942 required:
943 - name
944 - not:
945 anyOf:
946 - required:
947 - name
948 - required:
949 - namespace
950 required:
951 - external
952 properties:
953 external:
954 description: 'Allowed value: string of the
955 format `projects/{{value}}`, where {{value}}
956 is the `number` field of a `Project` resource.'
957 type: string
958 name:
959 description: 'Name of the referent. More info:
960 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
961 type: string
962 namespace:
963 description: 'Namespace of the referent. More
964 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
965 type: string
966 type: object
967 type: object
968 type: array
969 type: object
970 ingressTo:
971 description: |-
972 Defines the conditions on the 'ApiOperation' and request destination that cause
973 this 'IngressPolicy' to apply.
974 properties:
975 operations:
976 description: |-
977 A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom'
978 are allowed to perform in this 'ServicePerimeter'.
979 items:
980 properties:
981 methodSelectors:
982 description: |-
983 API methods or permissions to allow. Method or permission must belong to
984 the service specified by serviceName field. A single 'MethodSelector' entry
985 with '*' specified for the method field will allow all methods AND
986 permissions for the service specified in 'serviceName'.
987 items:
988 properties:
989 method:
990 description: |-
991 Value for method should be a valid method name for the corresponding
992 serviceName in 'ApiOperation'. If '*' used as value for 'method', then
993 ALL methods and permissions are allowed.
994 type: string
995 permission:
996 description: |-
997 Value for permission should be a valid Cloud IAM permission for the
998 corresponding 'serviceName' in 'ApiOperation'.
999 type: string
1000 type: object
1001 type: array
1002 serviceName:
1003 description: |-
1004 The name of the API whose methods or permissions the 'IngressPolicy' or
1005 'EgressPolicy' want to allow. A single 'ApiOperation' with 'serviceName'
1006 field set to '*' will allow all methods AND permissions for all services.
1007 type: string
1008 type: object
1009 type: array
1010 resources:
1011 items:
1012 description: |-
1013 A list of resources, currently only projects in the form
1014 "projects/{project_number}", protected by this ServicePerimeter
1015 that are allowed to be accessed by sources defined in the
1016 corresponding IngressFrom. A request matches if it contains a
1017 resource in this list.
1018 properties:
1019 projectRef:
1020 oneOf:
1021 - not:
1022 required:
1023 - external
1024 required:
1025 - name
1026 - not:
1027 anyOf:
1028 - required:
1029 - name
1030 - required:
1031 - namespace
1032 required:
1033 - external
1034 properties:
1035 external:
1036 description: 'Allowed value: string of the
1037 format `projects/{{value}}`, where {{value}}
1038 is the `number` field of a `Project` resource.'
1039 type: string
1040 name:
1041 description: 'Name of the referent. More info:
1042 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1043 type: string
1044 namespace:
1045 description: 'Namespace of the referent. More
1046 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1047 type: string
1048 type: object
1049 type: object
1050 type: array
1051 type: object
1052 type: object
1053 type: array
1054 resources:
1055 items:
1056 description: |-
1057 (Optional) A list of GCP resources that are inside of the service perimeter.
1058 Currently only projects are allowed.
1059 properties:
1060 projectRef:
1061 oneOf:
1062 - not:
1063 required:
1064 - external
1065 required:
1066 - name
1067 - not:
1068 anyOf:
1069 - required:
1070 - name
1071 - required:
1072 - namespace
1073 required:
1074 - external
1075 properties:
1076 external:
1077 description: 'Allowed value: string of the format `projects/{{value}}`,
1078 where {{value}} is the `number` field of a `Project`
1079 resource.'
1080 type: string
1081 name:
1082 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1083 type: string
1084 namespace:
1085 description: 'Namespace of the referent. More info:
1086 https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1087 type: string
1088 type: object
1089 type: object
1090 type: array
1091 restrictedServices:
1092 description: |-
1093 GCP services that are subject to the Service Perimeter
1094 restrictions. Must contain a list of services. For example, if
1095 'storage.googleapis.com' is specified, access to the storage
1096 buckets inside the perimeter must meet the perimeter's access
1097 restrictions.
1098 items:
1099 type: string
1100 type: array
1101 vpcAccessibleServices:
1102 description: |-
1103 Specifies how APIs are allowed to communicate within the Service
1104 Perimeter.
1105 properties:
1106 allowedServices:
1107 description: |-
1108 The list of APIs usable within the Service Perimeter.
1109 Must be empty unless 'enableRestriction' is True.
1110 items:
1111 type: string
1112 type: array
1113 enableRestriction:
1114 description: |-
1115 Whether to restrict API calls within the Service Perimeter to the
1116 list of APIs specified in 'allowedServices'.
1117 type: boolean
1118 type: object
1119 type: object
1120 title:
1121 description: Human readable title. Must be unique within the Policy.
1122 type: string
1123 useExplicitDryRunSpec:
1124 description: |-
1125 Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists
1126 for all Service Perimeters, and that spec is identical to the status for those
1127 Service Perimeters. When this flag is set, it inhibits the generation of the
1128 implicit spec, thereby allowing the user to explicitly provide a
1129 configuration ("spec") to use in a dry-run version of the Service Perimeter.
1130 This allows the user to test changes to the enforced config ("status") without
1131 actually enforcing them. This testing is done through analyzing the differences
1132 between currently enforced and suggested restrictions. useExplicitDryRunSpec must
1133 be set to True if any of the fields in the spec are set to non-default values.
1134 type: boolean
1135 required:
1136 - accessPolicyRef
1137 - title
1138 type: object
1139 status:
1140 properties:
1141 conditions:
1142 description: Conditions represent the latest available observation
1143 of the resource's current state.
1144 items:
1145 properties:
1146 lastTransitionTime:
1147 description: Last time the condition transitioned from one status
1148 to another.
1149 type: string
1150 message:
1151 description: Human-readable message indicating details about
1152 last transition.
1153 type: string
1154 reason:
1155 description: Unique, one-word, CamelCase reason for the condition's
1156 last transition.
1157 type: string
1158 status:
1159 description: Status is the status of the condition. Can be True,
1160 False, Unknown.
1161 type: string
1162 type:
1163 description: Type is the type of the condition.
1164 type: string
1165 type: object
1166 type: array
1167 createTime:
1168 description: Time the AccessPolicy was created in UTC.
1169 type: string
1170 observedGeneration:
1171 description: ObservedGeneration is the generation of the resource
1172 that was most recently observed by the Config Connector controller.
1173 If this is equal to metadata.generation, then that means that the
1174 current reported status reflects the most recent desired state of
1175 the resource.
1176 type: integer
1177 updateTime:
1178 description: Time the AccessPolicy was updated in UTC.
1179 type: string
1180 type: object
1181 required:
1182 - spec
1183 type: object
1184 served: true
1185 storage: true
1186 subresources:
1187 status: {}
1188status:
1189 acceptedNames:
1190 kind: ""
1191 plural: ""
1192 conditions: []
1193 storedVersions: []