1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: apiextensions.k8s.io/v1
16kind: CustomResourceDefinition
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 creationTimestamp: null
21 labels:
22 cnrm.cloud.google.com/dcl2crd: "true"
23 cnrm.cloud.google.com/managed-by-kcc: "true"
24 cnrm.cloud.google.com/stability-level: stable
25 cnrm.cloud.google.com/system: "true"
26 name: iamworkloadidentitypoolproviders.iam.cnrm.cloud.google.com
27spec:
28 group: iam.cnrm.cloud.google.com
29 names:
30 categories:
31 - gcp
32 kind: IAMWorkloadIdentityPoolProvider
33 plural: iamworkloadidentitypoolproviders
34 shortNames:
35 - gcpiamworkloadidentitypoolprovider
36 - gcpiamworkloadidentitypoolproviders
37 singular: iamworkloadidentitypoolprovider
38 scope: Namespaced
39 versions:
40 - additionalPrinterColumns:
41 - jsonPath: .metadata.creationTimestamp
42 name: Age
43 type: date
44 - description: When 'True', the most recent reconcile of the resource succeeded
45 jsonPath: .status.conditions[?(@.type=='Ready')].status
46 name: Ready
47 type: string
48 - description: The reason for the value in 'Ready'
49 jsonPath: .status.conditions[?(@.type=='Ready')].reason
50 name: Status
51 type: string
52 - description: The last transition time for the value in 'Status'
53 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
54 name: Status Age
55 type: date
56 name: v1beta1
57 schema:
58 openAPIV3Schema:
59 properties:
60 apiVersion:
61 description: 'apiVersion defines the versioned schema of this representation
62 of an object. Servers should convert recognized schemas to the latest
63 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
64 type: string
65 kind:
66 description: 'kind is a string value representing the REST resource this
67 object represents. Servers may infer this from the endpoint the client
68 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
69 type: string
70 metadata:
71 type: object
72 spec:
73 properties:
74 attributeCondition:
75 description: '[A Common Expression Language](https://opensource.google/projects/cel)
76 expression, in plain text, to restrict which otherwise valid authentication
77 credentials issued by the provider are accepted. The expression
78 must output a boolean representing whether to allow the federation.
79 The following keywords may be referenced in the expressions: * `assertion`:
80 JSON representing the authentication credential issued by the provider.
81 * `google`: The Google attributes mapped from the assertion in the
82 `attribute_mappings`. * `attribute`: The custom attributes mapped
83 from the assertion in the `attribute_mappings`. The maximum length
84 of the attribute condition expression is 4096 characters. If unspecified,
85 all valid authentication credentials are accepted. The following
86 example shows how to only allow credentials with a mapped `google.groups`
87 value of `admins`: ``` "''admins'' in google.groups" ```'
88 type: string
89 attributeMapping:
90 additionalProperties:
91 type: string
92 description: 'Maps attributes from authentication credentials issued
93 by an external identity provider to Google Cloud attributes, such
94 as `subject` and `segment`. Each key must be a string specifying
95 the Google Cloud IAM attribute to map to. The following keys are
96 supported: * `google.subject`: The principal IAM is authenticating.
97 You can reference this value in IAM bindings. This is also the subject
98 that appears in Cloud Logging logs. Cannot exceed 127 characters.
99 * `google.groups`: Groups the external identity belongs to. You
100 can grant groups access to resources using an IAM `principalSet`
101 binding; access applies to all members of the group. You can also
102 provide custom attributes by specifying `attribute.{custom_attribute}`,
103 where `{custom_attribute}` is the name of the custom attribute to
104 be mapped. You can define a maximum of 50 custom attributes. The
105 maximum length of a mapped attribute key is 100 characters, and
106 the key may only contain the characters [a-z0-9_]. You can reference
107 these attributes in IAM policies to define fine-grained access for
108 a workload to Google Cloud resources. For example: * `google.subject`:
109 `principal://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/subject/{value}`
110 * `google.groups`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/group/{value}`
111 * `attribute.{custom_attribute}`: `principalSet://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/attribute.{custom_attribute}/{value}`
112 Each value must be a [Common Expression Language](https://opensource.google/projects/cel)
113 function that maps an identity provider credential to the normalized
114 attribute specified by the corresponding map key. You can use the
115 `assertion` keyword in the expression to access a JSON representation
116 of the authentication credential issued by the provider. The maximum
117 length of an attribute mapping expression is 2048 characters. When
118 evaluated, the total size of all mapped attributes must not exceed
119 8KB. For AWS providers, if no attribute mapping is defined, the
120 following default mapping applies: ``` { "google.subject":"assertion.arn",
121 "attribute.aws_role": "assertion.arn.contains(''assumed-role'')"
122 " ? assertion.arn.extract(''{account_arn}assumed-role/'')" " + ''assumed-role/''"
123 " + assertion.arn.extract(''assumed-role/{role_name}/'')" " : assertion.arn",
124 } ``` If any custom attribute mappings are defined, they must include
125 a mapping to the `google.subject` attribute. For OIDC providers,
126 you must supply a custom mapping, which must include the `google.subject`
127 attribute. For example, the following maps the `sub` claim of the
128 incoming credential to the `subject` attribute on a Google token:
129 ``` {"google.subject": "assertion.sub"} ```'
130 type: object
131 aws:
132 description: An Amazon Web Services identity provider.
133 properties:
134 accountId:
135 description: Required. The AWS account ID.
136 type: string
137 stsUri:
138 description: A list of AWS STS URIs that can be used when exchanging
139 credentials. If not provided, any valid AWS STS URI is allowed.
140 URIs must use the form `https://sts.amazonaws.com` or `https://sts.{region}.amazonaws.com`,
141 where {region} is a valid AWS region. You can specify a maximum
142 of 25 URIs.
143 items:
144 type: string
145 type: array
146 required:
147 - accountId
148 type: object
149 description:
150 description: A description for the provider. Cannot exceed 256 characters.
151 type: string
152 disabled:
153 description: Whether the provider is disabled. You cannot use a disabled
154 provider to exchange tokens. However, existing tokens still grant
155 access.
156 type: boolean
157 displayName:
158 description: A display name for the provider. Cannot exceed 32 characters.
159 type: string
160 location:
161 description: Immutable. The location for the resource
162 type: string
163 oidc:
164 description: An OpenID Connect 1.0 identity provider.
165 properties:
166 allowedAudiences:
167 description: 'Acceptable values for the `aud` field (audience)
168 in the OIDC token. Token exchange requests are rejected if the
169 token audience does not match one of the configured values.
170 Each audience may be at most 256 characters. A maximum of 10
171 audiences may be configured. If this list is empty, the OIDC
172 token audience must be equal to the full canonical resource
173 name of the WorkloadIdentityPoolProvider, with or without the
174 HTTPS prefix. For example: ``` //iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/providers/{provider}
175 https://iam.googleapis.com/projects/{project}/locations/{location}/workloadIdentityPools/{pool}/providers/{provider}
176 ```'
177 items:
178 type: string
179 type: array
180 issuerUri:
181 description: Required. The OIDC issuer URL. Must be an HTTPS endpoint.
182 type: string
183 required:
184 - issuerUri
185 type: object
186 projectRef:
187 description: Immutable. The Project that this resource belongs to.
188 oneOf:
189 - not:
190 required:
191 - external
192 required:
193 - name
194 - not:
195 anyOf:
196 - required:
197 - name
198 - required:
199 - namespace
200 required:
201 - external
202 properties:
203 external:
204 description: |-
205 The project for the resource
206
207 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
208 type: string
209 name:
210 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
211 type: string
212 namespace:
213 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
214 type: string
215 type: object
216 resourceID:
217 description: Immutable. Optional. The name of the resource. Used for
218 creation and acquisition. When unset, the value of `metadata.name`
219 is used as the default.
220 type: string
221 workloadIdentityPoolRef:
222 description: Immutable. The IAMWorkloadIdentityPool that this provider belongs to.
223 oneOf:
224 - not:
225 required:
226 - external
227 required:
228 - name
229 - not:
230 anyOf:
231 - required:
232 - name
233 - required:
234 - namespace
235 required:
236 - external
237 properties:
238 external:
239 description: |-
240 The workloadIdentityPool for the resource
241
242 Allowed value: The Google Cloud resource name of an `IAMWorkloadIdentityPool` resource (format: `projects/{{project}}/locations/{{location}}/workloadIdentityPools/{{name}}`).
243 type: string
244 name:
245 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
246 type: string
247 namespace:
248 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
249 type: string
250 type: object
251 required:
252 - location
253 - projectRef
254 - workloadIdentityPoolRef
255 type: object
256 status:
257 properties:
258 conditions:
259 description: Conditions represent the latest available observation
260 of the resource's current state.
261 items:
262 properties:
263 lastTransitionTime:
264 description: Last time the condition transitioned from one status
265 to another.
266 type: string
267 message:
268 description: Human-readable message indicating details about
269 last transition.
270 type: string
271 reason:
272 description: Unique, one-word, CamelCase reason for the condition's
273 last transition.
274 type: string
275 status:
276 description: Status is the status of the condition. Can be True,
277 False, Unknown.
278 type: string
279 type:
280 description: Type is the type of the condition.
281 type: string
282 type: object
283 type: array
284 observedGeneration:
285 description: ObservedGeneration is the generation of the resource
286 that was most recently observed by the Config Connector controller.
287 If this is equal to metadata.generation, then that means that the
288 current reported status reflects the most recent desired state of
289 the resource.
290 type: integer
291 state:
292 description: 'Output only. The state of the provider. Possible values:
293 STATE_UNSPECIFIED, ACTIVE, DELETED'
294 type: string
295 type: object
296 required:
297 - spec
298 type: object
299 served: true
300 storage: true
301 subresources:
302 status: {}
303status:
304 acceptedNames:
305 kind: ""
306 plural: ""
307 conditions: []
308 storedVersions: []