# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for the Config Connector IAMPolicy kind.
#
# An IAMPolicy object asks the controller to set the IAM policy on the GCP
# resource named by spec.resourceRef, so create/update access to this kind
# deserves the same RBAC scrutiny as direct IAM administration.
# NOTE(review): Config Connector documents IAMPolicy as authoritative for the
# target's policy (bindings not listed are removed) - confirm for this version.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Quoted so the value stays a string under every YAML loader.
    cnrm.cloud.google.com/version: '1.106.0'
  creationTimestamp: null
  labels:
    # Label values must be strings, hence the quoted 'true'.
    cnrm.cloud.google.com/managed-by-kcc: 'true'
    cnrm.cloud.google.com/system: 'true'
  name: iampolicies.iam.cnrm.cloud.google.com
spec:
  group: iam.cnrm.cloud.google.com
  names:
    categories:
      - gcp
    kind: IAMPolicy
    plural: iampolicies
    shortNames:
      - gcpiampolicy
      - gcpiampolicies
    singular: iampolicy
  # Namespaced: access to IAMPolicy objects is granted per namespace.
  scope: Namespaced
  versions:
    # v1beta1 is the only version listed; it is both served and stored.
    - additionalPrinterColumns:
        # Extra columns for table output; Ready/Status come from the
        # 'Ready' entry in .status.conditions.
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
        - description: When 'True' the most recent reconcile of the resource succeeded
          jsonPath: .status.conditions[?(@.type=='Ready')].status
          name: Ready
          type: string
        - description: The reason for the value in 'Ready'
          jsonPath: .status.conditions[?(@.type=='Ready')].reason
          name: Status
          type: string
        - jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
          name: Status Age
          type: date
      name: v1beta1
      schema:
        openAPIV3Schema:
          description: IAMPolicy is the Schema for the iampolicies API
          properties:
            apiVersion:
              description: >-
                APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the
                latest internal value, and may reject unrecognized values. More
                info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: >-
                Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the
                client submits requests to. Cannot be updated. In CamelCase.
                More info:
                https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: IAMPolicySpec defines the desired state of IAMPolicy
              properties:
                # Cloud Audit Logs settings carried inside the policy. Each
                # entry needs both `service` and `auditLogConfigs`.
                auditConfigs:
                  description: Optional. The list of IAM audit configs.
                  items:
                    description: >-
                      Specifies the Cloud Audit Logs configuration for the IAM
                      policy.
                    properties:
                      auditLogConfigs:
                        description: >-
                          Required. The configuration for logging of each type
                          of permission.
                        items:
                          properties:
                            # Identities listed here generate no log entries
                            # for this logType. Every exemption narrows audit
                            # coverage, and the schema accepts any string, so
                            # review additions as a logging change.
                            exemptedMembers:
                              description: >-
                                Identities that do not cause logging for this
                                type of permission. The format is the same as
                                that for 'members' in IAMPolicy/IAMPolicyMember.
                              items:
                                type: string
                              type: array
                            # The anchored pattern admits exactly the three
                            # listed values.
                            logType:
                              description: >-
                                Permission type for which logging is to be
                                configured. Must be one of 'DATA_READ',
                                'DATA_WRITE', or 'ADMIN_READ'.
                              pattern: '^(DATA_READ|DATA_WRITE|ADMIN_READ)$'
                              type: string
                          required:
                            - logType
                          type: object
                        type: array
                      # Free-form string; 'allServices' is the catch-all named
                      # in the description.
                      service:
                        description: >-
                          Required. The service for which to enable Data Access
                          audit logs. The special value 'allServices' covers all
                          services. Note that if there are audit configs
                          covering both 'allServices' and a specific service,
                          then the union of the two audit configs is used for
                          that service: the 'logTypes' specified in each
                          'auditLogConfig' are enabled, and the
                          'exemptedMembers' in each 'auditLogConfg' are
                          exempted.
                      type: string
                    required:
                      - auditLogConfigs
                      - service
                    type: object
                  type: array
                # Role-to-member bindings. Only `role` is required per entry.
                bindings:
                  description: Optional. The list of IAM bindings.
                  items:
                    description: Specifies the members to bind to an IAM role.
                    properties:
                      # `expression` and `title` are required when a condition
                      # is given. The expression is an opaque string to this
                      # schema. NOTE(review): presumably evaluated by IAM, not
                      # checked at admission - confirm.
                      condition:
                        description: >-
                          Optional. The condition under which the binding
                          applies.
                        properties:
                          description:
                            type: string
                          expression:
                            type: string
                          title:
                            type: string
                        required:
                          - expression
                          - title
                        type: object
                      # No pattern: the API server accepts any string, so
                      # member format and principal type are unchecked here.
                      # A rule against public principals (allUsers,
                      # allAuthenticatedUsers) must be enforced by a separate
                      # admission control.
                      members:
                        description: >-
                          Optional. The list of IAM users to be bound to the
                          role.
                        items:
                          type: string
                        type: array
                      # Shape check only: roles/<id>, optionally prefixed by
                      # projects/<x>/ or organizations/<x>/. Broad roles such
                      # as roles/owner pass, so limiting which roles may be
                      # granted needs a separate admission control.
                      role:
                        description: Required. The role to bind the users to.
                        pattern: '^((projects|organizations)/[^/]+/)?roles/[\w_\.]+$'
                        type: string
                    required:
                      - role
                    type: object
                  type: array
                # Target of the policy. `kind` is always required, and exactly
                # one of these shapes must match:
                #   1. `name` present, `external` absent;
                #   2. `external` present, `name` and `namespace` absent;
                #   3. none of name/namespace/apiVersion/external present.
                # `external` is a free-form string. NOTE(review): presumably a
                # GCP resource identifier not managed in-cluster - confirm.
                resourceRef:
                  description: >-
                    Immutable. Required. The GCP resource to set the IAM policy
                    on.
                  oneOf:
                    - not:
                        required:
                          - external
                      required:
                        - name
                    - not:
                        anyOf:
                          - required:
                              - name
                          - required:
                              - namespace
                      required:
                        - external
                    - not:
                        anyOf:
                          - required:
                              - name
                          - required:
                              - namespace
                          - required:
                              - apiVersion
                          - required:
                              - external
                  properties:
                    apiVersion:
                      type: string
                    external:
                      type: string
                    kind:
                      type: string
                    name:
                      type: string
                    namespace:
                      type: string
                  required:
                    - kind
                  type: object
              required:
                - resourceRef
              type: object
            status:
              description: IAMPolicyStatus defines the observed state of IAMPolicy
              properties:
                conditions:
                  description: >-
                    Conditions represent the latest available observations of
                    the IAM policy's current state.
                  items:
                    properties:
                      lastTransitionTime:
                        description: >-
                          Last time the condition transitioned from one status
                          to another.
                        type: string
                      message:
                        description: >-
                          Human-readable message indicating details about last
                          transition.
                        type: string
                      reason:
                        description: >-
                          Unique, one-word, CamelCase reason for the
                          condition's last transition.
                        type: string
                      status:
                        description: >-
                          Status is the status of the condition. Can be True,
                          False, Unknown.
                        type: string
                      type:
                        description: Type is the type of the condition.
                        type: string
                    type: object
                  type: array
                # Equal to metadata.generation once the reported status
                # reflects the latest desired state (per the description).
                observedGeneration:
                  description: >-
                    ObservedGeneration is the generation of the resource that
                    was most recently observed by the Config Connector
                    controller. If this is equal to metadata.generation, then
                    that means that the current reported status reflects the
                    most recent desired state of the resource.
                  format: int64
                  type: integer
              type: object
          type: object
      served: true
      storage: true
      # Status is a subresource: .status is written through the /status
      # endpoint, which RBAC can grant separately from writes to .spec.
      subresources:
        status: {}
# Empty CRD status stanza; NOTE(review): presumably generator output that the
# API server fills in once the CRD is installed.
status:
  acceptedNames:
    kind: ''
    plural: ''
  conditions: []
  storedVersions: []