# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for IAMPartialPolicy (Config Connector, API group
# iam.cnrm.cloud.google.com). An IAMPartialPolicy names one GCP resource
# (spec.resourceRef) and a list of IAM role bindings (spec.bindings) for
# Config Connector to manage on it.
#
# Security note: the kind is namespaced, so Kubernetes RBAC on
# `iampartialpolicies` decides who can ask for IAM bindings. Write access is
# a request to change cloud IAM; what is actually granted is bounded by the
# permissions of the identity Config Connector runs as, which this file does
# not show. Review create/update/patch on this kind as carefully as an IAM
# admin role, and treat read access as disclosure of the bindings reported
# in status.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/system: "true"
  name: iampartialpolicies.iam.cnrm.cloud.google.com
spec:
  group: iam.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: IAMPartialPolicy
    plural: iampartialpolicies
    shortNames:
    - gcpiampartialpolicy
    - gcpiampartialpolicies
    singular: iampartialpolicy
  scope: Namespaced
  versions:
  # Table columns for list output. Ready and Status both read the condition
  # whose type is 'Ready'.
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True' the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: IAMPartialPolicy is the Schema for the iampartialpolicy API
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IAMPartialPolicySpec defines the desired state of IAMPartialPolicy
            properties:
              # Optional list of role bindings. status separates allBindings
              # from lastAppliedBindings, which suggests bindings outside this
              # list are left in place; confirm against the controller docs.
              bindings:
                description: Optional. The list of IAM bindings managed by Config
                  Connector.
                items:
                  description: Specifies the members to bind to an IAM role.
                  properties:
                    # expression and title are required. The schema checks only
                    # that they are strings; it does not validate the
                    # expression's syntax.
                    condition:
                      description: Optional. The condition under which the binding
                        applies.
                      properties:
                        description:
                          type: string
                        expression:
                          type: string
                        title:
                          type: string
                      required:
                      - expression
                      - title
                      type: object
                    members:
                      description: Optional. The list of IAM users to be bound to
                        the role.
                      items:
                        # Each entry sets exactly one of member / memberFrom.
                        oneOf:
                        - required:
                          - member
                        - required:
                          - memberFrom
                        properties:
                          # Free-form string: there is no pattern or enum, so
                          # the schema does not reject public principals such
                          # as allUsers or allAuthenticatedUsers. If those must
                          # never be bound, enforce it with an admission policy
                          # or the iam.allowedPolicyMemberDomains organization
                          # policy constraint.
                          member:
                            description: The IAM identity to be bound to the role.
                              Exactly one of 'member' or 'memberFrom' must be used.
                            type: string
                          # Exactly one reference kind may be set (oneOf). Every
                          # ref takes a required name and an optional namespace;
                          # the schema does not restrict namespace, so whether
                          # a reference may cross namespaces is up to the
                          # controller (TODO confirm).
                          memberFrom:
                            description: The IAM identity to be bound to the role.
                              Exactly one of 'member' or 'memberFrom' must be used,
                              and only one subfield within 'memberFrom' can be used.
                            oneOf:
                            - required:
                              - logSinkRef
                            - required:
                              - serviceAccountRef
                            - required:
                              - serviceIdentityRef
                            - required:
                              - sqlInstanceRef
                            properties:
                              logSinkRef:
                                description: The LoggingLogSink whose writer identity
                                  (i.e. its 'status.writerIdentity') is to be bound
                                  to the role.
                                properties:
                                  name:
                                    type: string
                                  namespace:
                                    type: string
                                required:
                                - name
                                type: object
                              serviceAccountRef:
                                description: The IAMServiceAccount to be bound to
                                  the role.
                                properties:
                                  name:
                                    type: string
                                  namespace:
                                    type: string
                                required:
                                - name
                                type: object
                              serviceIdentityRef:
                                description: The ServiceIdentity whose service account
                                  (i.e., its 'status.email') is to be bound to the
                                  role.
                                properties:
                                  name:
                                    type: string
                                  namespace:
                                    type: string
                                required:
                                - name
                                type: object
                              sqlInstanceRef:
                                description: The SQLInstance whose service account
                                  (i.e. its 'status.serviceAccountEmailAddress') is
                                  to be bound to the role.
                                properties:
                                  name:
                                    type: string
                                  namespace:
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                        type: object
                      type: array
                    # Syntax check only: roles/<id>, optionally prefixed with
                    # projects/<p>/ or organizations/<o>/. Broad roles such as
                    # roles/owner match the pattern, so limits on which roles
                    # may be granted have to be enforced outside this schema.
                    role:
                      description: Required. The role to bind the users to.
                      pattern: ^((projects|organizations)/[^/]+/)?roles/[\w_\.]+$
                      type: string
                  required:
                  - role
                  type: object
                type: array
              # The target of the bindings. The description says Immutable, but
              # no rule in this schema enforces that; enforcement presumably
              # lives in a webhook or the controller (confirm). kind is always
              # required, and oneOf admits exactly one addressing form.
              resourceRef:
                description: Immutable. Required. The GCP resource to set the IAM
                  policy on.
                oneOf:
                # Form 1: name is set and external is not.
                - not:
                    required:
                    - external
                  required:
                  - name
                # Form 2: external is set, with neither name nor namespace.
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                # Form 3: none of name, namespace, apiVersion or external is
                # set (kind alone). How the target is then resolved is not
                # visible in this schema.
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                    - required:
                      - apiVersion
                    - required:
                      - external
                properties:
                  apiVersion:
                    type: string
                  # Free-form string; this schema checks no format for it.
                  external:
                    type: string
                  kind:
                    type: string
                  name:
                    type: string
                  namespace:
                    type: string
                required:
                - kind
                type: object
            required:
            - resourceRef
            type: object
          # Observed state. The status subresource is enabled for this version,
          # so writes to the main resource endpoint do not change it.
          status:
            description: IAMPartialPolicyStatus defines the observed state of IAMPartialPolicy
            properties:
              # Per its description this lists every binding on the referenced
              # resource, not only those declared in spec. Read access to the
              # object therefore exposes that resource's IAM bindings; scope
              # get/list/watch accordingly. It is also a convenient audit view.
              allBindings:
                description: AllBindings surfaces all IAM bindings for the referenced
                  resource.
                items:
                  description: Specifies the members to bind to an IAM role.
                  properties:
                    condition:
                      description: Optional. The condition under which the binding
                        applies.
                      properties:
                        description:
                          type: string
                        expression:
                          type: string
                        title:
                          type: string
                      required:
                      - expression
                      - title
                      type: object
                    members:
                      description: Optional. The list of IAM users to be bound to
                        the role.
                      items:
                        type: string
                      type: array
                    role:
                      description: Required. The role to bind the users to.
                      type: string
                  required:
                  - role
                  type: object
                type: array
              conditions:
                description: Conditions represent the latest available observations
                  of the IAM policy's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              # Members here are plain strings: the member/memberFrom split of
              # spec is not repeated in status.
              lastAppliedBindings:
                description: LastAppliedBindings is the list of IAM bindings that
                  were most recently applied by Config Connector.
                items:
                  description: Specifies the members to bind to an IAM role.
                  properties:
                    condition:
                      description: Optional. The condition under which the binding
                        applies.
                      properties:
                        description:
                          type: string
                        expression:
                          type: string
                        title:
                          type: string
                      required:
                      - expression
                      - title
                      type: object
                    members:
                      description: Optional. The list of IAM users to be bound to
                        the role.
                      items:
                        type: string
                      type: array
                    role:
                      description: Required. The role to bind the users to.
                      type: string
                  required:
                  - role
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                format: int64
                type: integer
            type: object
        type: object
    # v1beta1 is the only version defined; it is both served and stored.
    served: true
    storage: true
    subresources:
      status: {}
# Empty placeholder; the API server populates a CRD's status after the
# definition is applied.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []