# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

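# CustomResourceDefinition for the Config Connector (cnrm) resource
# AccessContextManagerAccessLevel. Rendered gutter numbers and collapsed
# indentation are removed here so the document parses as YAML again.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Quoted so no YAML parser can retype the version string.
    cnrm.cloud.google.com/version: "1.106.0"
  creationTimestamp: null
  # Kubernetes label values are strings; keep the boolean-looking ones quoted.
  labels:
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
    cnrm.cloud.google.com/tf2crd: "true"
  name: accesscontextmanageraccesslevels.accesscontextmanager.cnrm.cloud.google.com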
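# Structural schema for AccessContextManagerAccessLevel (served version v1beta1).
# Leaf fields are typed only as string/boolean/array; the value-level rules given
# in the descriptions (allowed enum values, CIDR truncation, version format) are
# not expressed as `enum`/`pattern` constraints, so an invalid value passes
# admission and is rejected only by whatever later consumes the resource.
spec:
  group: accesscontextmanager.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: AccessContextManagerAccessLevel
    plural: accesscontextmanageraccesslevels
    shortNames:
    - gcpaccesscontextmanageraccesslevel
    - gcpaccesscontextmanageraccesslevels
    singular: accesscontextmanageraccesslevel
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              accessPolicyRef:
                description: |-
                  The AccessContextManagerAccessPolicy this
                  AccessContextManagerAccessLevel lives in.
                # Exactly one of `external` or `name` (with optional `namespace`)
                # must be set; both or neither is rejected at admission.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: 'Allowed value: string of the format `accessPolicies/{{value}}`,
                      where {{value}} is the `name` field of an `AccessContextManagerAccessPolicy`
                      resource.'
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              basic:
                description: A set of predefined conditions for the access level and
                  a combining function.
                properties:
                  combiningFunction:
                    # Only "AND"/"OR" are meaningful per the description, but the
                    # schema does not restrict the value with `enum`.
                    description: |-
                      How the conditions list should be combined to determine if a request
                      is granted this AccessLevel. If AND is used, each Condition in
                      conditions must be satisfied for the AccessLevel to be applied. If
                      OR is used, at least one Condition in conditions must be satisfied
                      for the AccessLevel to be applied. Default value: "AND" Possible values: ["AND", "OR"].
                    type: string
                  conditions:
                    description: A set of requirements for the AccessLevel to be granted.
                    items:
                      properties:
                        devicePolicy:
                          description: |-
                            Device specific restrictions, all restrictions must hold for
                            the Condition to be true. If not specified, all devices are
                            allowed.
                          properties:
                            allowedDeviceManagementLevels:
                              description: |-
                                A list of allowed device management levels.
                                An empty list allows all management levels. Possible values: ["MANAGEMENT_UNSPECIFIED", "NONE", "BASIC", "COMPLETE"].
                              items:
                                type: string
                              type: array
                            allowedEncryptionStatuses:
                              description: |-
                                A list of allowed encryptions statuses.
                                An empty list allows all statuses. Possible values: ["ENCRYPTION_UNSPECIFIED", "ENCRYPTION_UNSUPPORTED", "UNENCRYPTED", "ENCRYPTED"].
                              items:
                                type: string
                              type: array
                            osConstraints:
                              description: |-
                                A list of allowed OS versions.
                                An empty list allows all types and all versions.
                              items:
                                properties:
                                  minimumVersion:
                                    description: |-
                                      The minimum allowed OS version. If not set, any version
                                      of this OS satisfies the constraint.
                                      Format: "major.minor.patch" such as "10.5.301", "9.2.1".
                                    type: string
                                  osType:
                                    description: 'The operating system type of the
                                      device. Possible values: ["OS_UNSPECIFIED",
                                      "DESKTOP_MAC", "DESKTOP_WINDOWS", "DESKTOP_LINUX",
                                      "DESKTOP_CHROME_OS", "ANDROID", "IOS"].'
                                    type: string
                                  requireVerifiedChromeOs:
                                    description: If you specify DESKTOP_CHROME_OS
                                      for osType, you can optionally include requireVerifiedChromeOs
                                      to require Chrome Verified Access.
                                    type: boolean
                                required:
                                - osType
                                type: object
                              type: array
                            requireAdminApproval:
                              description: Whether the device needs to be approved
                                by the customer admin.
                              type: boolean
                            requireCorpOwned:
                              description: Whether the device needs to be corp owned.
                              type: boolean
                            requireScreenLock:
                              description: |-
                                Whether or not screenlock is required for the DevicePolicy
                                to be true. Defaults to false.
                              type: boolean
                          type: object
                        # Type-only: no `pattern`/`format` enforces CIDR syntax or the
                        # host-bits-must-be-zero rule described below.
                        ipSubnetworks:
                          description: |-
                            A list of CIDR block IP subnetwork specification. May be IPv4
                            or IPv6.
                            Note that for a CIDR IP address block, the specified IP address
                            portion must be properly truncated (i.e. all the host bits must
                            be zero) or the input is considered malformed. For example,
                            "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
                            for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
                            is not. The originating IP of a request must be in one of the
                            listed subnets in order for this Condition to be true.
                            If empty, all IP addresses are allowed.
                          items:
                            type: string
                          type: array
                        # Each member is exactly one of `serviceAccountRef` or `user`;
                        # groups are not supported (see description).
                        members:
                          items:
                            description: |-
                              An allowed list of members (users, service accounts).
                              Using groups is not supported.

                              The signed-in user originating the request must be a part of one
                              of the provided members. If not specified, a request may come
                              from any user (logged in/not logged in, not present in any
                              groups, etc.).
                            oneOf:
                            - required:
                              - serviceAccountRef
                            - required:
                              - user
                            properties:
                              serviceAccountRef:
                                oneOf:
                                - not:
                                    required:
                                    - external
                                  required:
                                  - name
                                - not:
                                    anyOf:
                                    - required:
                                      - name
                                    - required:
                                      - namespace
                                  required:
                                  - external
                                properties:
                                  external:
                                    description: 'Allowed value: string of the format
                                      `serviceAccount:{{value}}`, where {{value}}
                                      is the `email` field of an `IAMServiceAccount`
                                      resource.'
                                    type: string
                                  name:
                                    description: 'Name of the referent. More info:
                                      https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                    type: string
                                  namespace:
                                    description: 'Namespace of the referent. More
                                      info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                                    type: string
                                type: object
                              user:
                                type: string
                            type: object
                          type: array
                        negate:
                          description: |-
                            Whether to negate the Condition. If true, the Condition becomes
                            a NAND over its non-empty fields, each field must be false for
                            the Condition overall to be satisfied. Defaults to false.
                          type: boolean
                        regions:
                          description: |-
                            The request must originate from one of the provided
                            countries/regions.
                            Format: A valid ISO 3166-1 alpha-2 code.
                          items:
                            type: string
                          type: array
                        requiredAccessLevels:
                          items:
                            description: |-
                              A list of other access levels defined in the same policy.
                              Referencing an AccessContextManagerAccessLevel which does not exist
                              is an error. All access levels listed must be granted for the
                              condition to be true.
                            oneOf:
                            - not:
                                required:
                                - external
                              required:
                              - name
                            - not:
                                anyOf:
                                - required:
                                  - name
                                - required:
                                  - namespace
                              required:
                              - external
                            properties:
                              external:
                                description: 'Allowed value: The `name` field of an
                                  `AccessContextManagerAccessLevel` resource.'
                                type: string
                              name:
                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                type: string
                              namespace:
                                description: 'Namespace of the referent. More info:
                                  https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                                type: string
                            type: object
                          type: array
                      type: object
                    type: array
                required:
                - conditions
                type: object
              custom:
                description: |-
                  Custom access level conditions are set using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request.
                  See CEL spec at: https://github.com/google/cel-spec.
                properties:
                  expr:
                    description: |-
                      Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language.
                      This page details the objects and attributes that are used to the build the CEL expressions for
                      custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec.
                    properties:
                      description:
                        description: Description of the expression.
                        type: string
                      expression:
                        # Free-form string; CEL syntax is not validated by this schema.
                        description: Textual representation of an expression in Common
                          Expression Language syntax.
                        type: string
                      location:
                        description: String indicating the location of the expression
                          for error reporting, e.g. a file name and a position in
                          the file.
                        type: string
                      title:
                        description: Title for the expression, i.e. a short string
                          describing its purpose.
                        type: string
                    required:
                    - expression
                    type: object
                required:
                - expr
                type: object
              description:
                description: Description of the AccessLevel and its use. Does not
                  affect behavior.
                type: string
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              title:
                description: Human readable title. Must be unique within the Policy.
                type: string
            required:
            - accessPolicyRef
            - title
            type: object
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}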
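# Server-managed CRD status; kept empty in the checked-in manifest.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []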