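# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for AccessContextManagerAccessLevelCondition
# (group accesscontextmanager.cnrm.cloud.google.com, version v1alpha1,
# stability-level alpha, namespaced). Each object describes one Condition and
# points at its access level through spec.accessLevelRef.
#
# NOTE(review): going by the field descriptions below, devicePolicy,
# ipSubnetworks and members are each permissive when omitted or empty, and no
# `required` list appears under spec in this schema, so a nearly empty spec
# passes schema validation. Whether the controller or the upstream API rejects
# such an object is not visible here; confirm before relying on it.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: alpha
    cnrm.cloud.google.com/system: "true"
    cnrm.cloud.google.com/tf2crd: "true"
  name: accesscontextmanageraccesslevelconditions.accesscontextmanager.cnrm.cloud.google.com
spec:
  group: accesscontextmanager.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: AccessContextManagerAccessLevelCondition
    plural: accesscontextmanageraccesslevelconditions
    shortNames:
    - gcpaccesscontextmanageraccesslevelcondition
    - gcpaccesscontextmanageraccesslevelconditions
    singular: accesscontextmanageraccesslevelcondition
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Reference to the parent access level. The oneOf below accepts
              # exactly one of two shapes: `name` (optionally with `namespace`)
              # without `external`, or `external` alone.
              accessLevelRef:
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: 'Allowed value: The `name` field of an `AccessContextManagerAccessLevel`
                      resource.'
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              # NOTE(review): per the description, omitting devicePolicy allows
              # all devices; policy linting should treat absence as "no device
              # restriction", not as a safe default.
              devicePolicy:
                description: |-
                  Immutable. Device specific restrictions, all restrictions must hold for
                  the Condition to be true. If not specified, all devices are
                  allowed.
                properties:
                  # NOTE(review): items are plain strings with no `enum`, so the
                  # listed possible values are not enforced by this schema; a
                  # misspelled value is presumably only caught later (controller
                  # or upstream API) -- confirm. An empty list allows every level.
                  allowedDeviceManagementLevels:
                    description: |-
                      Immutable. A list of allowed device management levels.
                      An empty list allows all management levels. Possible values: ["MANAGEMENT_UNSPECIFIED", "NONE", "BASIC", "COMPLETE"].
                    items:
                      type: string
                    type: array
                  # NOTE(review): same as above -- no `enum` on the items, and an
                  # empty list allows every status, including "UNENCRYPTED".
                  allowedEncryptionStatuses:
                    description: |-
                      Immutable. A list of allowed encryptions statuses.
                      An empty list allows all statuses. Possible values: ["ENCRYPTION_UNSPECIFIED", "ENCRYPTION_UNSUPPORTED", "UNENCRYPTED", "ENCRYPTED"].
                    items:
                      type: string
                    type: array
                  osConstraints:
                    description: |-
                      Immutable. A list of allowed OS versions.
                      An empty list allows all types and all versions.
                    items:
                      properties:
                        # NOTE(review): no `pattern` is declared, so the
                        # "major.minor.patch" format is not checked by this schema.
                        minimumVersion:
                          description: |-
                            Immutable. The minimum allowed OS version. If not set, any version
                            of this OS satisfies the constraint.
                            Format: "major.minor.patch" such as "10.5.301", "9.2.1".
                          type: string
                        osType:
                          description: 'Immutable. The operating system type of the
                            device. Possible values: ["OS_UNSPECIFIED", "DESKTOP_MAC",
                            "DESKTOP_WINDOWS", "DESKTOP_LINUX", "DESKTOP_CHROME_OS",
                            "ANDROID", "IOS"].'
                          type: string
                      required:
                      - osType
                      type: object
                    type: array
                  requireAdminApproval:
                    description: Immutable. Whether the device needs to be approved
                      by the customer admin.
                    type: boolean
                  requireCorpOwned:
                    description: Immutable. Whether the device needs to be corp owned.
                    type: boolean
                  requireScreenLock:
                    description: |-
                      Immutable. Whether or not screenlock is required for the DevicePolicy
                      to be true. Defaults to false.
                    type: boolean
                type: object
              # NOTE(review): an empty list allows all source IP addresses. The
              # schema only types the items as strings; the CIDR truncation rule
              # in the description is not expressed as a `pattern` here.
              ipSubnetworks:
                description: |-
                  Immutable. A list of CIDR block IP subnetwork specification. May be IPv4
                  or IPv6.
                  Note that for a CIDR IP address block, the specified IP address
                  portion must be properly truncated (i.e. all the host bits must
                  be zero) or the input is considered malformed. For example,
                  "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
                  for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
                  is not. The originating IP of a request must be in one of the
                  listed subnets in order for this Condition to be true.
                  If empty, all IP addresses are allowed.
                items:
                  type: string
                type: array
              # NOTE(review): when unset, the description says requests may come
              # from any user, including users who are not logged in. Groups are
              # stated as unsupported, so membership must be listed per identity.
              members:
                description: |-
                  Immutable. An allowed list of members (users, service accounts).
                  Using groups is not supported yet.

                  The signed-in user originating the request must be a part of one
                  of the provided members. If not specified, a request may come
                  from any user (logged in/not logged in, not present in any
                  groups, etc.).
                  Formats: 'user:{emailid}', 'serviceAccount:{emailid}'.
                items:
                  type: string
                type: array
              # NOTE(review): the description calls the negated Condition a NAND
              # but also says each field must be false, which are different
              # rules once more than one field is set. Verify the effective
              # behaviour before using `negate` in a multi-field Condition.
              negate:
                description: |-
                  Immutable. Whether to negate the Condition. If true, the Condition becomes
                  a NAND over its non-empty fields, each field must be false for
                  the Condition overall to be satisfied. Defaults to false.
                type: boolean
              regions:
                description: |-
                  Immutable. The request must originate from one of the provided
                  countries/regions.
                  Format: A valid ISO 3166-1 alpha-2 code.
                items:
                  type: string
                type: array
              requiredAccessLevels:
                description: |-
                  Immutable. A list of other access levels defined in the same Policy,
                  referenced by resource name. Referencing an AccessLevel which
                  does not exist is an error. All access levels listed must be
                  granted for the Condition to be true.
                  Format: accessPolicies/{policy_id}/accessLevels/{short_name}.
                items:
                  type: string
                type: array
              resourceID:
                description: Immutable. Optional. The accessLevel of the resource.
                  Used for creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
            type: object
          # Status is exposed as a subresource (see `subresources.status` below).
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              # Compare with metadata.generation to tell whether the reported
              # status reflects the latest desired state (per the description).
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []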