1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: apiextensions.k8s.io/v1
16kind: CustomResourceDefinition
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 creationTimestamp: null
21 labels:
22 cnrm.cloud.google.com/managed-by-kcc: "true"
23 cnrm.cloud.google.com/stability-level: stable
24 cnrm.cloud.google.com/system: "true"
25 cnrm.cloud.google.com/tf2crd: "true"
26 name: accesscontextmanagerserviceperimeters.accesscontextmanager.cnrm.cloud.google.com
27spec:
28 group: accesscontextmanager.cnrm.cloud.google.com
29 names:
30 categories:
31 - gcp
32 kind: AccessContextManagerServicePerimeter
33 plural: accesscontextmanagerserviceperimeters
34 shortNames:
35 - gcpaccesscontextmanagerserviceperimeter
36 - gcpaccesscontextmanagerserviceperimeters
37 singular: accesscontextmanagerserviceperimeter
38 scope: Namespaced
39 versions:
40 - additionalPrinterColumns:
41 - jsonPath: .metadata.creationTimestamp
42 name: Age
43 type: date
44 - description: When 'True', the most recent reconcile of the resource succeeded
45 jsonPath: .status.conditions[?(@.type=='Ready')].status
46 name: Ready
47 type: string
48 - description: The reason for the value in 'Ready'
49 jsonPath: .status.conditions[?(@.type=='Ready')].reason
50 name: Status
51 type: string
52 - description: The last transition time for the value in 'Status'
53 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
54 name: Status Age
55 type: date
56 name: v1beta1
57 schema:
58 openAPIV3Schema:
59 properties:
60 apiVersion:
61 description: 'apiVersion defines the versioned schema of this representation
62 of an object. Servers should convert recognized schemas to the latest
63 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
64 type: string
65 kind:
66 description: 'kind is a string value representing the REST resource this
67 object represents. Servers may infer this from the endpoint the client
68 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
69 type: string
70 metadata:
71 type: object
72 spec:
73 properties:
74 accessPolicyRef:
75 description: |-
76 The AccessContextManagerAccessPolicy this
77 AccessContextManagerServicePerimeter lives in.
78 oneOf:
79 - not:
80 required:
81 - external
82 required:
83 - name
84 - not:
85 anyOf:
86 - required:
87 - name
88 - required:
89 - namespace
90 required:
91 - external
92 properties:
93 external:
94 description: 'Allowed value: string of the format `accessPolicies/{{value}}`,
95 where {{value}} is the `name` field of an `AccessContextManagerAccessPolicy`
96 resource.'
97 type: string
98 name:
99 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
100 type: string
101 namespace:
102 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
103 type: string
104 type: object
105 description:
106 description: |-
107 Description of the ServicePerimeter and its use. Does not affect
108 behavior.
109 type: string
110 perimeterType:
111 description: |-
112 Immutable. Specifies the type of the Perimeter. There are two types: regular and
113 bridge. Regular Service Perimeter contains resources, access levels,
114 and restricted services. Every resource can be in at most
115 ONE regular Service Perimeter.
116
117 In addition to being in a regular service perimeter, a resource can also
118 be in zero or more perimeter bridges. A perimeter bridge only contains
119 resources. Cross project operations are permitted if all affected
120 resources share some perimeter (whether bridge or regular). Perimeter
121 Bridge does not contain access levels or services: those are governed
122 entirely by the regular perimeter that resource is in.
123
124 Perimeter Bridges are typically useful when building more complex
125 topologies with many independent perimeters that need to share some data
126 with a common perimeter, but should not be able to share data among
127 themselves. Default value: "PERIMETER_TYPE_REGULAR" Possible values: ["PERIMETER_TYPE_REGULAR", "PERIMETER_TYPE_BRIDGE"].
128 type: string
129 resourceID:
130 description: Immutable. Optional. The name of the resource. Used for
131 creation and acquisition. When unset, the value of `metadata.name`
132 is used as the default.
133 type: string
134 spec:
135 description: |-
136 Proposed (or dry run) ServicePerimeter configuration.
137 This configuration allows you to specify and test a ServicePerimeter configuration
138 without enforcing actual access restrictions. Only allowed to be set when
139 the 'useExplicitDryRunSpec' flag is set.
140 properties:
141 accessLevels:
142 items:
143 description: |-
144 (Optional) A list of AccessLevel resource names that allow resources within
145 the ServicePerimeter to be accessed from the internet. AccessLevels listed
146 must be in the same policy as this ServicePerimeter.
147 Referencing a nonexistent AccessLevel is a syntax error. If no
148 AccessLevel names are listed, resources within the perimeter can
149 only be accessed via GCP calls with request origins within the
150 perimeter. For Service Perimeter Bridge, must be empty.
151 oneOf:
152 - not:
153 required:
154 - external
155 required:
156 - name
157 - not:
158 anyOf:
159 - required:
160 - name
161 - required:
162 - namespace
163 required:
164 - external
165 properties:
166 external:
167 description: 'Allowed value: string of the format `{{parent}}/accessLevels/{{value}}`,
168 where {{value}} is the `name` field of an `AccessContextManagerAccessLevel`
169 resource.'
170 type: string
171 name:
172 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
173 type: string
174 namespace:
175 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
176 type: string
177 type: object
178 type: array
179 egressPolicies:
180 description: |-
181 List of EgressPolicies to apply to the perimeter. A perimeter may
182 have multiple EgressPolicies, each of which is evaluated separately.
183 Access is granted if any EgressPolicy grants it. Must be empty for
184 a perimeter bridge.
185 items:
186 properties:
187 egressFrom:
188 description: Defines conditions on the source of a request
189 causing this 'EgressPolicy' to apply.
190 properties:
191 identities:
192 items:
193 description: |-
194 (Optional) A list of identities that are allowed access through this
195 EgressPolicy. Should be in the format of email address. The email
196 address should represent individual user or service account only.
197 oneOf:
198 - required:
199 - serviceAccountRef
200 - required:
201 - user
202 properties:
203 serviceAccountRef:
204 oneOf:
205 - not:
206 required:
207 - external
208 required:
209 - name
210 - not:
211 anyOf:
212 - required:
213 - name
214 - required:
215 - namespace
216 required:
217 - external
218 properties:
219 external:
220 description: 'Allowed value: string of the
221 format `serviceAccount:{{value}}`, where
222 {{value}} is the `email` field of an `IAMServiceAccount`
223 resource.'
224 type: string
225 name:
226 description: 'Name of the referent. More info:
227 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
228 type: string
229 namespace:
230 description: 'Namespace of the referent. More
231 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
232 type: string
233 type: object
234 user:
235 type: string
236 type: object
237 type: array
238 identityType:
239 description: |-
240 Specifies the type of identities that are allowed access to outside the
241 perimeter. If left unspecified, then members of 'identities' field will
242 be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"].
243 type: string
244 type: object
245 egressTo:
246 description: |-
247 Defines the conditions on the 'ApiOperation' and destination resources that
248 cause this 'EgressPolicy' to apply.
249 properties:
250 externalResources:
251 description: |-
252 A list of external resources that are allowed to be accessed. A request
253 matches if it contains an external resource in this list (Example:
254 s3://bucket/path). Currently '*' is not allowed.
255 items:
256 type: string
257 type: array
258 operations:
259 description: |-
260 A list of 'ApiOperations' that this egress rule applies to. A request matches
261 if it contains an operation/service in this list.
262 items:
263 properties:
264 methodSelectors:
265 description: |-
266 API methods or permissions to allow. Method or permission must belong
267 to the service specified by 'serviceName' field. A single MethodSelector
268 entry with '*' specified for the 'method' field will allow all methods
269 AND permissions for the service specified in 'serviceName'.
270 items:
271 properties:
272 method:
273 description: |-
274 Value for 'method' should be a valid method name for the corresponding
275 'serviceName' in 'ApiOperation'. If '*' used as value for method,
276 then ALL methods and permissions are allowed.
277 type: string
278 permission:
279 description: |-
280 Value for permission should be a valid Cloud IAM permission for the
281 corresponding 'serviceName' in 'ApiOperation'.
282 type: string
283 type: object
284 type: array
285 serviceName:
286 description: |-
287 The name of the API whose methods or permissions the 'IngressPolicy' or
288 'EgressPolicy' want to allow. A single 'ApiOperation' with serviceName
289 field set to '*' will allow all methods AND permissions for all services.
290 type: string
291 type: object
292 type: array
293 resources:
294 items:
295 description: |-
296 (Optional) A list of resources, currently only projects in the form
297 "projects/{project_number}". A request
298 matches if it contains a resource in this list.
299 properties:
300 projectRef:
301 oneOf:
302 - not:
303 required:
304 - external
305 required:
306 - name
307 - not:
308 anyOf:
309 - required:
310 - name
311 - required:
312 - namespace
313 required:
314 - external
315 properties:
316 external:
317 description: 'Allowed value: string of the
318 format `projects/{{value}}`, where {{value}}
319 is the `number` field of a `Project` resource.'
320 type: string
321 name:
322 description: 'Name of the referent. More info:
323 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
324 type: string
325 namespace:
326 description: 'Namespace of the referent. More
327 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
328 type: string
329 type: object
330 type: object
331 type: array
332 type: object
333 type: object
334 type: array
335 ingressPolicies:
336 description: |-
337 List of 'IngressPolicies' to apply to the perimeter. A perimeter may
338 have multiple 'IngressPolicies', each of which is evaluated
339 separately. Access is granted if any 'Ingress Policy' grants it.
340 Must be empty for a perimeter bridge.
341 items:
342 properties:
343 ingressFrom:
344 description: |-
345 Defines the conditions on the source of a request causing this 'IngressPolicy'
346 to apply.
347 properties:
348 identities:
349 items:
350 description: |-
351 (Optional) A list of identities that are allowed access through this
352 ingress policy. Should be in the format of email address. The email
353 address should represent individual user or service account only.
354 oneOf:
355 - required:
356 - serviceAccountRef
357 - required:
358 - user
359 properties:
360 serviceAccountRef:
361 oneOf:
362 - not:
363 required:
364 - external
365 required:
366 - name
367 - not:
368 anyOf:
369 - required:
370 - name
371 - required:
372 - namespace
373 required:
374 - external
375 properties:
376 external:
377 description: 'Allowed value: string of the
378 format `serviceAccount:{{value}}`, where
379 {{value}} is the `email` field of an `IAMServiceAccount`
380 resource.'
381 type: string
382 name:
383 description: 'Name of the referent. More info:
384 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
385 type: string
386 namespace:
387 description: 'Namespace of the referent. More
388 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
389 type: string
390 type: object
391 user:
392 type: string
393 type: object
394 type: array
395 identityType:
396 description: |-
397 Specifies the type of identities that are allowed access from outside the
398 perimeter. If left unspecified, then members of 'identities' field will be
399 allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"].
400 type: string
401 sources:
402 description: Sources that this 'IngressPolicy' authorizes
403 access from.
404 items:
405 properties:
406 accessLevelRef:
407 description: |-
408 An AccessLevel resource name that allows resources within the
409 ServicePerimeters to be accessed from the internet. AccessLevels
410 listed must be in the same policy as this ServicePerimeter.
411 Referencing a nonexistent AccessLevel will cause an error. If no
412 AccessLevel names are listed, resources within the perimeter can
413 only be accessed via Google Cloud calls with request origins within
414 the perimeter.
415 oneOf:
416 - not:
417 required:
418 - external
419 required:
420 - name
421 - not:
422 anyOf:
423 - required:
424 - name
425 - required:
426 - namespace
427 required:
428 - external
429 properties:
430 external:
431 description: 'Allowed value: string of the
432 format `{{parent}}/accessLevels/{{value}}`,
433 where {{value}} is the `name` field of an
434 `AccessContextManagerAccessLevel` resource.'
435 type: string
436 name:
437 description: 'Name of the referent. More info:
438 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
439 type: string
440 namespace:
441 description: 'Namespace of the referent. More
442 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
443 type: string
444 type: object
445 projectRef:
446 description: |-
447 (Optional) A Google Cloud resource that is allowed to ingress the
448 perimeter. Requests from these resources will be allowed to access
449 perimeter data. Currently only projects are allowed. Format
450 "projects/{project_number}". The project may be in any Google Cloud
451 organization, not just the organization that the perimeter is defined in.
452 oneOf:
453 - not:
454 required:
455 - external
456 required:
457 - name
458 - not:
459 anyOf:
460 - required:
461 - name
462 - required:
463 - namespace
464 required:
465 - external
466 properties:
467 external:
468 description: 'Allowed value: string of the
469 format `projects/{{value}}`, where {{value}}
470 is the `number` field of a `Project` resource.'
471 type: string
472 name:
473 description: 'Name of the referent. More info:
474 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
475 type: string
476 namespace:
477 description: 'Namespace of the referent. More
478 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
479 type: string
480 type: object
481 type: object
482 type: array
483 type: object
484 ingressTo:
485 description: |-
486 Defines the conditions on the 'ApiOperation' and request destination that cause
487 this 'IngressPolicy' to apply.
488 properties:
489 operations:
490 description: |-
491 A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom'
492 are allowed to perform in this 'ServicePerimeter'.
493 items:
494 properties:
495 methodSelectors:
496 description: |-
497 API methods or permissions to allow. Method or permission must belong to
498 the service specified by serviceName field. A single 'MethodSelector' entry
499 with '*' specified for the method field will allow all methods AND
500 permissions for the service specified in 'serviceName'.
501 items:
502 properties:
503 method:
504 description: |-
505 Value for method should be a valid method name for the corresponding
506 serviceName in 'ApiOperation'. If '*' used as value for 'method', then
507 ALL methods and permissions are allowed.
508 type: string
509 permission:
510 description: |-
511 Value for permission should be a valid Cloud IAM permission for the
512 corresponding 'serviceName' in 'ApiOperation'.
513 type: string
514 type: object
515 type: array
516 serviceName:
517 description: |-
518 The name of the API whose methods or permissions the 'IngressPolicy' or
519 'EgressPolicy' want to allow. A single 'ApiOperation' with 'serviceName'
520 field set to '*' will allow all methods AND permissions for all services.
521 type: string
522 type: object
523 type: array
524 resources:
525 items:
526 description: |-
527 A list of resources, currently only projects in the form
528 "projects/{project_number}", protected by this ServicePerimeter
529 that are allowed to be accessed by sources defined in the
530 corresponding IngressFrom. A request matches if it contains a
531 resource in this list.
532 properties:
533 projectRef:
534 oneOf:
535 - not:
536 required:
537 - external
538 required:
539 - name
540 - not:
541 anyOf:
542 - required:
543 - name
544 - required:
545 - namespace
546 required:
547 - external
548 properties:
549 external:
550 description: 'Allowed value: string of the
551 format `projects/{{value}}`, where {{value}}
552 is the `number` field of a `Project` resource.'
553 type: string
554 name:
555 description: 'Name of the referent. More info:
556 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
557 type: string
558 namespace:
559 description: 'Namespace of the referent. More
560 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
561 type: string
562 type: object
563 type: object
564 type: array
565 type: object
566 type: object
567 type: array
568 resources:
569 items:
570 description: |-
571 (Optional) A list of GCP resources that are inside of the service perimeter.
572 Currently only projects are allowed.
573 properties:
574 projectRef:
575 oneOf:
576 - not:
577 required:
578 - external
579 required:
580 - name
581 - not:
582 anyOf:
583 - required:
584 - name
585 - required:
586 - namespace
587 required:
588 - external
589 properties:
590 external:
591 description: 'Allowed value: string of the format `projects/{{value}}`,
592 where {{value}} is the `number` field of a `Project`
593 resource.'
594 type: string
595 name:
596 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
597 type: string
598 namespace:
599 description: 'Namespace of the referent. More info:
600 https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
601 type: string
602 type: object
603 type: object
604 type: array
605 restrictedServices:
606 description: |-
607 GCP services that are subject to the Service Perimeter
608 restrictions. Must contain a list of services. For example, if
609 'storage.googleapis.com' is specified, access to the storage
610 buckets inside the perimeter must meet the perimeter's access
611 restrictions.
612 items:
613 type: string
614 type: array
615 vpcAccessibleServices:
616 description: |-
617 Specifies how APIs are allowed to communicate within the Service
618 Perimeter.
619 properties:
620 allowedServices:
621 description: |-
622 The list of APIs usable within the Service Perimeter.
623 Must be empty unless 'enableRestriction' is True.
624 items:
625 type: string
626 type: array
627 enableRestriction:
628 description: |-
629 Whether to restrict API calls within the Service Perimeter to the
630 list of APIs specified in 'allowedServices'.
631 type: boolean
632 type: object
633 type: object
634 status:
635 description: |-
636 ServicePerimeter configuration. Specifies sets of resources,
637 restricted services and access levels that determine
638 perimeter content and boundaries.
639 properties:
640 accessLevels:
641 items:
642 description: |-
643 (Optional) A list of AccessLevel resource names that allow resources within
644 the ServicePerimeter to be accessed from the internet. AccessLevels listed
645 must be in the same policy as this ServicePerimeter.
646 Referencing a nonexistent AccessLevel is a syntax error. If no
647 AccessLevel names are listed, resources within the perimeter can
648 only be accessed via GCP calls with request origins within the
649 perimeter. For Service Perimeter Bridge, must be empty.
650 oneOf:
651 - not:
652 required:
653 - external
654 required:
655 - name
656 - not:
657 anyOf:
658 - required:
659 - name
660 - required:
661 - namespace
662 required:
663 - external
664 properties:
665 external:
666 description: 'Allowed value: string of the format `{{parent}}/accessLevels/{{value}}`,
667 where {{value}} is the `name` field of an `AccessContextManagerAccessLevel`
668 resource.'
669 type: string
670 name:
671 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
672 type: string
673 namespace:
674 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
675 type: string
676 type: object
677 type: array
678 egressPolicies:
679 description: |-
680 List of EgressPolicies to apply to the perimeter. A perimeter may
681 have multiple EgressPolicies, each of which is evaluated separately.
682 Access is granted if any EgressPolicy grants it. Must be empty for
683 a perimeter bridge.
684 items:
685 properties:
686 egressFrom:
687 description: Defines conditions on the source of a request
688 causing this 'EgressPolicy' to apply.
689 properties:
690 identities:
691 items:
692 description: |-
693 (Optional) A list of identities that are allowed access through this
694 EgressPolicy. Should be in the format of email address. The email
695 address should represent individual user or service account only.
696 oneOf:
697 - required:
698 - serviceAccountRef
699 - required:
700 - user
701 properties:
702 serviceAccountRef:
703 oneOf:
704 - not:
705 required:
706 - external
707 required:
708 - name
709 - not:
710 anyOf:
711 - required:
712 - name
713 - required:
714 - namespace
715 required:
716 - external
717 properties:
718 external:
719 description: 'Allowed value: string of the
720 format `serviceAccount:{{value}}`, where
721 {{value}} is the `email` field of an `IAMServiceAccount`
722 resource.'
723 type: string
724 name:
725 description: 'Name of the referent. More info:
726 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
727 type: string
728 namespace:
729 description: 'Namespace of the referent. More
730 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
731 type: string
732 type: object
733 user:
734 type: string
735 type: object
736 type: array
737 identityType:
738 description: |-
739 Specifies the type of identities that are allowed access to outside the
740 perimeter. If left unspecified, then members of 'identities' field will
741 be allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"].
742 type: string
743 type: object
744 egressTo:
745 description: |-
746 Defines the conditions on the 'ApiOperation' and destination resources that
747 cause this 'EgressPolicy' to apply.
748 properties:
749 externalResources:
750 description: |-
751 A list of external resources that are allowed to be accessed. A request
752 matches if it contains an external resource in this list (Example:
753 s3://bucket/path). Currently '*' is not allowed.
754 items:
755 type: string
756 type: array
757 operations:
758 description: |-
759 A list of 'ApiOperations' that this egress rule applies to. A request matches
760 if it contains an operation/service in this list.
761 items:
762 properties:
763 methodSelectors:
764 description: |-
765 API methods or permissions to allow. Method or permission must belong
766 to the service specified by 'serviceName' field. A single MethodSelector
767 entry with '*' specified for the 'method' field will allow all methods
768 AND permissions for the service specified in 'serviceName'.
769 items:
770 properties:
771 method:
772 description: |-
773 Value for 'method' should be a valid method name for the corresponding
774 'serviceName' in 'ApiOperation'. If '*' used as value for method,
775 then ALL methods and permissions are allowed.
776 type: string
777 permission:
778 description: |-
779 Value for permission should be a valid Cloud IAM permission for the
780 corresponding 'serviceName' in 'ApiOperation'.
781 type: string
782 type: object
783 type: array
784 serviceName:
785 description: |-
786 The name of the API whose methods or permissions the 'IngressPolicy' or
787 'EgressPolicy' want to allow. A single 'ApiOperation' with serviceName
788 field set to '*' will allow all methods AND permissions for all services.
789 type: string
790 type: object
791 type: array
792 resources:
793 items:
794 description: |-
795 (Optional) A list of resources, currently only projects in the form
796 "projects/{project_number}". A request
797 matches if it contains a resource in this list.
798 properties:
799 projectRef:
800 oneOf:
801 - not:
802 required:
803 - external
804 required:
805 - name
806 - not:
807 anyOf:
808 - required:
809 - name
810 - required:
811 - namespace
812 required:
813 - external
814 properties:
815 external:
816 description: 'Allowed value: string of the
817 format `projects/{{value}}`, where {{value}}
818 is the `number` field of a `Project` resource.'
819 type: string
820 name:
821 description: 'Name of the referent. More info:
822 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
823 type: string
824 namespace:
825 description: 'Namespace of the referent. More
826 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
827 type: string
828 type: object
829 type: object
830 type: array
831 type: object
832 type: object
833 type: array
834 ingressPolicies:
835 description: |-
836 List of 'IngressPolicies' to apply to the perimeter. A perimeter may
837 have multiple 'IngressPolicies', each of which is evaluated
838 separately. Access is granted if any 'Ingress Policy' grants it.
839 Must be empty for a perimeter bridge.
840 items:
841 properties:
842 ingressFrom:
843 description: |-
844 Defines the conditions on the source of a request causing this 'IngressPolicy'
845 to apply.
846 properties:
847 identities:
848 items:
849 description: |-
850 (Optional) A list of identities that are allowed access through this
851 ingress policy. Should be in the format of email address. The email
852 address should represent individual user or service account only.
853 oneOf:
854 - required:
855 - serviceAccountRef
856 - required:
857 - user
858 properties:
859 serviceAccountRef:
860 oneOf:
861 - not:
862 required:
863 - external
864 required:
865 - name
866 - not:
867 anyOf:
868 - required:
869 - name
870 - required:
871 - namespace
872 required:
873 - external
874 properties:
875 external:
876 description: 'Allowed value: string of the
877 format `serviceAccount:{{value}}`, where
878 {{value}} is the `email` field of an `IAMServiceAccount`
879 resource.'
880 type: string
881 name:
882 description: 'Name of the referent. More info:
883 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
884 type: string
885 namespace:
886 description: 'Namespace of the referent. More
887 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
888 type: string
889 type: object
890 user:
891 type: string
892 type: object
893 type: array
894 identityType:
895 description: |-
896 Specifies the type of identities that are allowed access from outside the
897 perimeter. If left unspecified, then members of 'identities' field will be
898 allowed access. Possible values: ["IDENTITY_TYPE_UNSPECIFIED", "ANY_IDENTITY", "ANY_USER_ACCOUNT", "ANY_SERVICE_ACCOUNT"].
899 type: string
900 sources:
901 description: Sources that this 'IngressPolicy' authorizes
902 access from.
903 items:
904 properties:
905 accessLevelRef:
906 description: |-
907 An AccessLevel resource name that allows resources within the
908 ServicePerimeters to be accessed from the internet. AccessLevels
909 listed must be in the same policy as this ServicePerimeter.
910 Referencing a nonexistent AccessLevel will cause an error. If no
911 AccessLevel names are listed, resources within the perimeter can
912 only be accessed via Google Cloud calls with request origins within
913 the perimeter.
914 oneOf:
915 - not:
916 required:
917 - external
918 required:
919 - name
920 - not:
921 anyOf:
922 - required:
923 - name
924 - required:
925 - namespace
926 required:
927 - external
928 properties:
929 external:
930 description: 'Allowed value: string of the
931 format `{{parent}}/accessLevels/{{value}}`,
932 where {{value}} is the `name` field of an
933 `AccessContextManagerAccessLevel` resource.'
934 type: string
935 name:
936 description: 'Name of the referent. More info:
937 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
938 type: string
939 namespace:
940 description: 'Namespace of the referent. More
941 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
942 type: string
943 type: object
944 projectRef:
945 description: |-
946 (Optional) A Google Cloud resource that is allowed to ingress the
947 perimeter. Requests from these resources will be allowed to access
948 perimeter data. Currently only projects are allowed. Format
949 "projects/{project_number}". The project may be in any Google Cloud
950 organization, not just the organization that the perimeter is defined in.
951 oneOf:
952 - not:
953 required:
954 - external
955 required:
956 - name
957 - not:
958 anyOf:
959 - required:
960 - name
961 - required:
962 - namespace
963 required:
964 - external
965 properties:
966 external:
967 description: 'Allowed value: string of the
968 format `projects/{{value}}`, where {{value}}
969 is the `number` field of a `Project` resource.'
970 type: string
971 name:
972 description: 'Name of the referent. More info:
973 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
974 type: string
975 namespace:
976 description: 'Namespace of the referent. More
977 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
978 type: string
979 type: object
980 type: object
981 type: array
982 type: object
983 ingressTo:
984 description: |-
985 Defines the conditions on the 'ApiOperation' and request destination that cause
986 this 'IngressPolicy' to apply.
987 properties:
988 operations:
989 description: |-
990 A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom'
991 are allowed to perform in this 'ServicePerimeter'.
992 items:
993 properties:
994 methodSelectors:
995 description: |-
996 API methods or permissions to allow. Method or permission must belong to
997 the service specified by serviceName field. A single 'MethodSelector' entry
998 with '*' specified for the method field will allow all methods AND
999 permissions for the service specified in 'serviceName'.
1000 items:
1001 properties:
1002 method:
1003 description: |-
1004 Value for method should be a valid method name for the corresponding
1005 serviceName in 'ApiOperation'. If '*' used as value for 'method', then
1006 ALL methods and permissions are allowed.
1007 type: string
1008 permission:
1009 description: |-
1010 Value for permission should be a valid Cloud IAM permission for the
1011 corresponding 'serviceName' in 'ApiOperation'.
1012 type: string
1013 type: object
1014 type: array
1015 serviceName:
1016 description: |-
1017 The name of the API whose methods or permissions the 'IngressPolicy' or
1018 'EgressPolicy' want to allow. A single 'ApiOperation' with 'serviceName'
1019 field set to '*' will allow all methods AND permissions for all services.
1020 type: string
1021 type: object
1022 type: array
1023 resources:
1024 items:
1025 description: |-
1026 A list of resources, currently only projects in the form
1027 "projects/{project_number}", protected by this ServicePerimeter
1028 that are allowed to be accessed by sources defined in the
1029 corresponding IngressFrom. A request matches if it contains a
1030 resource in this list.
1031 properties:
1032 projectRef:
1033 oneOf:
1034 - not:
1035 required:
1036 - external
1037 required:
1038 - name
1039 - not:
1040 anyOf:
1041 - required:
1042 - name
1043 - required:
1044 - namespace
1045 required:
1046 - external
1047 properties:
1048 external:
1049 description: 'Allowed value: string of the
1050 format `projects/{{value}}`, where {{value}}
1051 is the `number` field of a `Project` resource.'
1052 type: string
1053 name:
1054 description: 'Name of the referent. More info:
1055 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1056 type: string
1057 namespace:
1058 description: 'Namespace of the referent. More
1059 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1060 type: string
1061 type: object
1062 type: object
1063 type: array
1064 type: object
1065 type: object
1066 type: array
1067 resources:
1068 items:
1069 description: |-
1070 (Optional) A list of GCP resources that are inside of the service perimeter.
1071 Currently only projects are allowed.
1072 properties:
1073 projectRef:
1074 oneOf:
1075 - not:
1076 required:
1077 - external
1078 required:
1079 - name
1080 - not:
1081 anyOf:
1082 - required:
1083 - name
1084 - required:
1085 - namespace
1086 required:
1087 - external
1088 properties:
1089 external:
1090 description: 'Allowed value: string of the format `projects/{{value}}`,
1091 where {{value}} is the `number` field of a `Project`
1092 resource.'
1093 type: string
1094 name:
1095 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1096 type: string
1097 namespace:
1098 description: 'Namespace of the referent. More info:
1099 https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1100 type: string
1101 type: object
1102 type: object
1103 type: array
1104 restrictedServices:
1105 description: |-
1106 GCP services that are subject to the Service Perimeter
1107 restrictions. Must contain a list of services. For example, if
1108 'storage.googleapis.com' is specified, access to the storage
1109 buckets inside the perimeter must meet the perimeter's access
1110 restrictions.
1111 items:
1112 type: string
1113 type: array
1114 vpcAccessibleServices:
1115 description: |-
1116 Specifies how APIs are allowed to communicate within the Service
1117 Perimeter.
1118 properties:
1119 allowedServices:
1120 description: |-
1121 The list of APIs usable within the Service Perimeter.
1122 Must be empty unless 'enableRestriction' is True.
1123 items:
1124 type: string
1125 type: array
1126 enableRestriction:
1127 description: |-
1128 Whether to restrict API calls within the Service Perimeter to the
1129 list of APIs specified in 'allowedServices'.
1130 type: boolean
1131 type: object
1132 type: object
1133 title:
1134 description: Human readable title. Must be unique within the Policy.
1135 type: string
1136 useExplicitDryRunSpec:
1137 description: |-
1138 Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists
1139 for all Service Perimeters, and that spec is identical to the status for those
1140 Service Perimeters. When this flag is set, it inhibits the generation of the
1141 implicit spec, thereby allowing the user to explicitly provide a
1142 configuration ("spec") to use in a dry-run version of the Service Perimeter.
1143 This allows the user to test changes to the enforced config ("status") without
1144 actually enforcing them. This testing is done through analyzing the differences
1145 between currently enforced and suggested restrictions. useExplicitDryRunSpec must
1146 be set to True if any of the fields in the spec are set to non-default values.
1147 type: boolean
1148 required:
1149 - accessPolicyRef
1150 - title
1151 type: object
1152 status:
1153 properties:
1154 conditions:
1155 description: Conditions represent the latest available observation
1156 of the resource's current state.
1157 items:
1158 properties:
1159 lastTransitionTime:
1160 description: Last time the condition transitioned from one status
1161 to another.
1162 type: string
1163 message:
1164 description: Human-readable message indicating details about
1165 last transition.
1166 type: string
1167 reason:
1168 description: Unique, one-word, CamelCase reason for the condition's
1169 last transition.
1170 type: string
1171 status:
1172 description: Status is the status of the condition. Can be True,
1173 False, Unknown.
1174 type: string
1175 type:
1176 description: Type is the type of the condition.
1177 type: string
1178 type: object
1179 type: array
1180 createTime:
1181 description: Time the AccessPolicy was created in UTC.
1182 type: string
1183 observedGeneration:
1184 description: ObservedGeneration is the generation of the resource
1185 that was most recently observed by the Config Connector controller.
1186 If this is equal to metadata.generation, then that means that the
1187 current reported status reflects the most recent desired state of
1188 the resource.
1189 type: integer
1190 updateTime:
1191 description: Time the AccessPolicy was updated in UTC.
1192 type: string
1193 type: object
1194 required:
1195 - spec
1196 type: object
1197 served: true
1198 storage: true
1199 subresources:
1200 status: {}
1201status:
1202 acceptedNames:
1203 kind: ""
1204 plural: ""
1205 conditions: []
1206 storedVersions: []