1# Copyright 2023 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15fullname:
16- spec
17shortname: spec
18description: ""
19type: object
20requirementlevel: Required
21children:
22- fullname:
23 - spec
24 - accessPolicyRef
25 shortname: accessPolicyRef
26 description: |-
27 The AccessContextManagerAccessPolicy this
28 AccessContextManagerAccessLevel lives in.
29 type: object
30 requirementlevel: Required
31 children:
32 - fullname:
33 - spec
34 - accessPolicyRef
35 - external
36 shortname: external
37 description: 'Allowed value: string of the format `accessPolicies/{{value}}`,
38 where {{value}} is the `name` field of an `AccessContextManagerAccessPolicy`
39 resource.'
40 type: string
41 requirementlevel: Optional
42 children: []
43 additionalproperties: []
44 - fullname:
45 - spec
46 - accessPolicyRef
47 - name
48 shortname: name
49 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
50 type: string
51 requirementlevel: Optional
52 children: []
53 additionalproperties: []
54 - fullname:
55 - spec
56 - accessPolicyRef
57 - namespace
58 shortname: namespace
59 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
60 type: string
61 requirementlevel: Optional
62 children: []
63 additionalproperties: []
64 additionalproperties: []
65- fullname:
66 - spec
67 - basic
68 shortname: basic
69 description: A set of predefined conditions for the access level and a combining
70 function.
71 type: object
72 requirementlevel: Optional
73 children:
74 - fullname:
75 - spec
76 - basic
77 - combiningFunction
78 shortname: combiningFunction
79 description: |-
80 How the conditions list should be combined to determine if a request
81 is granted this AccessLevel. If AND is used, each Condition in
82 conditions must be satisfied for the AccessLevel to be applied. If
83 OR is used, at least one Condition in conditions must be satisfied
84 for the AccessLevel to be applied. Note that with OR a single permissive Condition is enough on its own (a Condition with no restrictions set matches every request, since each unset restriction allows all devices, IPs or users), so review each Condition independently. Default value: "AND" Possible values: ["AND", "OR"].
85 type: string
86 requirementlevel: Optional
87 children: []
88 additionalproperties: []
89 - fullname:
90 - spec
91 - basic
92 - conditions
93 shortname: conditions
94 description: A set of requirements for the AccessLevel to be granted.
95 type: list (object)
96 requirementlevel: RequiredWhenParentPresent
97 children:
98 - fullname:
99 - spec
100 - basic
101 - conditions
102 - '[]'
103 shortname: '[]'
104 description: ""
105 type: object
106 requirementlevel: RequiredWhenParentPresent
107 children:
108 - fullname:
109 - spec
110 - basic
111 - conditions
112 - '[]'
113 - devicePolicy
114 shortname: devicePolicy
115 description: |-
116 Device-specific restrictions; all restrictions must hold for
117 the Condition to be true. If not specified, all devices are
118 allowed.
119 type: object
120 requirementlevel: Optional
121 children:
122 - fullname:
123 - spec
124 - basic
125 - conditions
126 - '[]'
127 - devicePolicy
128 - allowedDeviceManagementLevels
129 shortname: allowedDeviceManagementLevels
130 description: |-
131 A list of allowed device management levels.
132 An empty list allows all management levels; a list that includes "NONE" (or "MANAGEMENT_UNSPECIFIED") likewise admits devices that are not under management. Possible values: ["MANAGEMENT_UNSPECIFIED", "NONE", "BASIC", "COMPLETE"].
133 type: list (string)
134 requirementlevel: Optional
135 children:
136 - fullname:
137 - spec
138 - basic
139 - conditions
140 - '[]'
141 - devicePolicy
142 - allowedDeviceManagementLevels
143 - '[]'
144 shortname: '[]'
145 description: ""
146 type: string
147 requirementlevel: Optional
148 children: []
149 additionalproperties: []
150 additionalproperties: []
151 - fullname:
152 - spec
153 - basic
154 - conditions
155 - '[]'
156 - devicePolicy
157 - allowedEncryptionStatuses
158 shortname: allowedEncryptionStatuses
159 description: |-
160 A list of allowed encryption statuses.
161 An empty list allows all statuses; a list that includes "UNENCRYPTED" or "ENCRYPTION_UNSUPPORTED" likewise admits devices that are not encrypted, so restrict the list to "ENCRYPTED" when disk encryption is the intent. Possible values: ["ENCRYPTION_UNSPECIFIED", "ENCRYPTION_UNSUPPORTED", "UNENCRYPTED", "ENCRYPTED"].
162 type: list (string)
163 requirementlevel: Optional
164 children:
165 - fullname:
166 - spec
167 - basic
168 - conditions
169 - '[]'
170 - devicePolicy
171 - allowedEncryptionStatuses
172 - '[]'
173 shortname: '[]'
174 description: ""
175 type: string
176 requirementlevel: Optional
177 children: []
178 additionalproperties: []
179 additionalproperties: []
180 - fullname:
181 - spec
182 - basic
183 - conditions
184 - '[]'
185 - devicePolicy
186 - osConstraints
187 shortname: osConstraints
188 description: |-
189 A list of allowed OS versions.
190 An empty list allows all types and all versions.
191 type: list (object)
192 requirementlevel: Optional
193 children:
194 - fullname:
195 - spec
196 - basic
197 - conditions
198 - '[]'
199 - devicePolicy
200 - osConstraints
201 - '[]'
202 shortname: '[]'
203 description: ""
204 type: object
205 requirementlevel: Optional
206 children:
207 - fullname:
208 - spec
209 - basic
210 - conditions
211 - '[]'
212 - devicePolicy
213 - osConstraints
214 - '[]'
215 - minimumVersion
216 shortname: minimumVersion
217 description: |-
218 The minimum allowed OS version. If not set, any version
219 of this OS satisfies the constraint.
220 Format: "major.minor.patch" such as "10.5.301", "9.2.1".
221 type: string
222 requirementlevel: Optional
223 children: []
224 additionalproperties: []
225 - fullname:
226 - spec
227 - basic
228 - conditions
229 - '[]'
230 - devicePolicy
231 - osConstraints
232 - '[]'
233 - osType
234 shortname: osType
235 description: 'The operating system type of the device. Possible values:
236 ["OS_UNSPECIFIED", "DESKTOP_MAC", "DESKTOP_WINDOWS", "DESKTOP_LINUX",
237 "DESKTOP_CHROME_OS", "ANDROID", "IOS"].'
238 type: string
239 requirementlevel: RequiredWhenParentPresent
240 children: []
241 additionalproperties: []
242 - fullname:
243 - spec
244 - basic
245 - conditions
246 - '[]'
247 - devicePolicy
248 - osConstraints
249 - '[]'
250 - requireVerifiedChromeOs
251 shortname: requireVerifiedChromeOs
252 description: If you specify DESKTOP_CHROME_OS for osType, you can optionally
253 include requireVerifiedChromeOs to require Chrome Verified Access.
254 type: boolean
255 requirementlevel: Optional
256 children: []
257 additionalproperties: []
258 additionalproperties: []
259 additionalproperties: []
260 - fullname:
261 - spec
262 - basic
263 - conditions
264 - '[]'
265 - devicePolicy
266 - requireAdminApproval
267 shortname: requireAdminApproval
268 description: Whether the device needs to be approved by the customer admin.
269 type: boolean
270 requirementlevel: Optional
271 children: []
272 additionalproperties: []
273 - fullname:
274 - spec
275 - basic
276 - conditions
277 - '[]'
278 - devicePolicy
279 - requireCorpOwned
280 shortname: requireCorpOwned
281 description: Whether the device needs to be corp owned.
282 type: boolean
283 requirementlevel: Optional
284 children: []
285 additionalproperties: []
286 - fullname:
287 - spec
288 - basic
289 - conditions
290 - '[]'
291 - devicePolicy
292 - requireScreenLock
293 shortname: requireScreenLock
294 description: |-
295 Whether or not screenlock is required for the DevicePolicy
296 to be true. Defaults to false.
297 type: boolean
298 requirementlevel: Optional
299 children: []
300 additionalproperties: []
301 additionalproperties: []
302 - fullname:
303 - spec
304 - basic
305 - conditions
306 - '[]'
307 - ipSubnetworks
308 shortname: ipSubnetworks
309 description: |-
310 A list of CIDR block IP subnetwork specifications. May be IPv4
311 or IPv6.
312 Note that for a CIDR IP address block, the specified IP address
313 portion must be properly truncated (i.e. all the host bits must
314 be zero) or the input is considered malformed. For example,
315 "192.0.2.0/24" is accepted but "192.0.2.1/24" is not. Similarly,
316 for IPv6, "2001:db8::/32" is accepted whereas "2001:db8::1/32"
317 is not. The originating IP of a request must be in one of the
318 listed subnets in order for this Condition to be true.
319 If empty, all IP addresses are allowed.
320 type: list (string)
321 requirementlevel: Optional
322 children:
323 - fullname:
324 - spec
325 - basic
326 - conditions
327 - '[]'
328 - ipSubnetworks
329 - '[]'
330 shortname: '[]'
331 description: ""
332 type: string
333 requirementlevel: Optional
334 children: []
335 additionalproperties: []
336 additionalproperties: []
337 - fullname:
338 - spec
339 - basic
340 - conditions
341 - '[]'
342 - members
343 shortname: members
344 description: ""
345 type: list (object)
346 requirementlevel: Optional
347 children:
348 - fullname:
349 - spec
350 - basic
351 - conditions
352 - '[]'
353 - members
354 - '[]'
355 shortname: '[]'
356 description: |-
357 A list of allowed members (users, service accounts).
358 Using groups is not supported.
359
360 The signed-in user originating the request must be a part of one
361 of the provided members. If not specified, a request may come
362 from any user (logged in/not logged in, not present in any
363 groups, etc.).
364 type: object
365 requirementlevel: Optional
366 children:
367 - fullname:
368 - spec
369 - basic
370 - conditions
371 - '[]'
372 - members
373 - '[]'
374 - serviceAccountRef
375 shortname: serviceAccountRef
376 description: ""
377 type: object
378 requirementlevel: Optional
379 children:
380 - fullname:
381 - spec
382 - basic
383 - conditions
384 - '[]'
385 - members
386 - '[]'
387 - serviceAccountRef
388 - external
389 shortname: external
390 description: 'Allowed value: string of the format `serviceAccount:{{value}}`,
391 where {{value}} is the `email` field of an `IAMServiceAccount` resource.'
392 type: string
393 requirementlevel: Optional
394 children: []
395 additionalproperties: []
396 - fullname:
397 - spec
398 - basic
399 - conditions
400 - '[]'
401 - members
402 - '[]'
403 - serviceAccountRef
404 - name
405 shortname: name
406 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
407 type: string
408 requirementlevel: Optional
409 children: []
410 additionalproperties: []
411 - fullname:
412 - spec
413 - basic
414 - conditions
415 - '[]'
416 - members
417 - '[]'
418 - serviceAccountRef
419 - namespace
420 shortname: namespace
421 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
422 type: string
423 requirementlevel: Optional
424 children: []
425 additionalproperties: []
426 additionalproperties: []
427 - fullname:
428 - spec
429 - basic
430 - conditions
431 - '[]'
432 - members
433 - '[]'
434 - user
435 shortname: user
436 description: ""
437 type: string
438 requirementlevel: Optional
439 children: []
440 additionalproperties: []
441 additionalproperties: []
442 additionalproperties: []
443 - fullname:
444 - spec
445 - basic
446 - conditions
447 - '[]'
448 - negate
449 shortname: negate
450 description: |-
451 Whether to negate the Condition. If true, the Condition becomes
452 a NAND over its non-empty fields, each field must be false for
453 the Condition overall to be satisfied. Defaults to false. Note: "NAND" (not all fields true) and "each field must be false" (no field true) are different rules, and this text does not say which applies when several fields are set; verify the negated behavior against the Access Context Manager API reference before relying on it to deny access.
454 type: boolean
455 requirementlevel: Optional
456 children: []
457 additionalproperties: []
458 - fullname:
459 - spec
460 - basic
461 - conditions
462 - '[]'
463 - regions
464 shortname: regions
465 description: |-
466 The request must originate from one of the provided
467 countries/regions.
468 Format: A valid ISO 3166-1 alpha-2 code.
469 type: list (string)
470 requirementlevel: Optional
471 children:
472 - fullname:
473 - spec
474 - basic
475 - conditions
476 - '[]'
477 - regions
478 - '[]'
479 shortname: '[]'
480 description: ""
481 type: string
482 requirementlevel: Optional
483 children: []
484 additionalproperties: []
485 additionalproperties: []
486 - fullname:
487 - spec
488 - basic
489 - conditions
490 - '[]'
491 - requiredAccessLevels
492 shortname: requiredAccessLevels
493 description: ""
494 type: list (object)
495 requirementlevel: Optional
496 children:
497 - fullname:
498 - spec
499 - basic
500 - conditions
501 - '[]'
502 - requiredAccessLevels
503 - '[]'
504 shortname: '[]'
505 description: |-
506 A list of other access levels defined in the same policy.
507 Referencing an AccessContextManagerAccessLevel which does not exist
508 is an error. All access levels listed must be granted for the
509 condition to be true.
510 type: object
511 requirementlevel: Optional
512 children:
513 - fullname:
514 - spec
515 - basic
516 - conditions
517 - '[]'
518 - requiredAccessLevels
519 - '[]'
520 - external
521 shortname: external
522 description: 'Allowed value: The `name` field of an `AccessContextManagerAccessLevel`
523 resource.'
524 type: string
525 requirementlevel: Optional
526 children: []
527 additionalproperties: []
528 - fullname:
529 - spec
530 - basic
531 - conditions
532 - '[]'
533 - requiredAccessLevels
534 - '[]'
535 - name
536 shortname: name
537 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
538 type: string
539 requirementlevel: Optional
540 children: []
541 additionalproperties: []
542 - fullname:
543 - spec
544 - basic
545 - conditions
546 - '[]'
547 - requiredAccessLevels
548 - '[]'
549 - namespace
550 shortname: namespace
551 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
552 type: string
553 requirementlevel: Optional
554 children: []
555 additionalproperties: []
556 additionalproperties: []
557 additionalproperties: []
558 additionalproperties: []
559 additionalproperties: []
560 additionalproperties: []
561- fullname:
562 - spec
563 - custom
564 shortname: custom
565 description: |-
566 Custom access level conditions are set using the Cloud Common Expression Language to represent the necessary conditions for the level to apply to a request.
567 See CEL spec at: https://github.com/google/cel-spec.
568 type: object
569 requirementlevel: Optional
570 children:
571 - fullname:
572 - spec
573 - custom
574 - expr
575 shortname: expr
576 description: |-
577 Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language.
578 This page details the objects and attributes that are used to build the CEL expressions for
579 custom access levels - https://cloud.google.com/access-context-manager/docs/custom-access-level-spec.
580 type: object
581 requirementlevel: RequiredWhenParentPresent
582 children:
583 - fullname:
584 - spec
585 - custom
586 - expr
587 - description
588 shortname: description
589 description: Description of the expression.
590 type: string
591 requirementlevel: Optional
592 children: []
593 additionalproperties: []
594 - fullname:
595 - spec
596 - custom
597 - expr
598 - expression
599 shortname: expression
600 description: Textual representation of an expression in Common Expression Language
601 syntax.
602 type: string
603 requirementlevel: RequiredWhenParentPresent
604 children: []
605 additionalproperties: []
606 - fullname:
607 - spec
608 - custom
609 - expr
610 - location
611 shortname: location
612 description: String indicating the location of the expression for error reporting,
613 e.g. a file name and a position in the file.
614 type: string
615 requirementlevel: Optional
616 children: []
617 additionalproperties: []
618 - fullname:
619 - spec
620 - custom
621 - expr
622 - title
623 shortname: title
624 description: Title for the expression, i.e. a short string describing its purpose.
625 type: string
626 requirementlevel: Optional
627 children: []
628 additionalproperties: []
629 additionalproperties: []
630 additionalproperties: []
631- fullname:
632 - spec
633 - description
634 shortname: description
635 description: Description of the AccessLevel and its use. Does not affect behavior.
636 type: string
637 requirementlevel: Optional
638 children: []
639 additionalproperties: []
640- fullname:
641 - spec
642 - resourceID
643 shortname: resourceID
644 description: Immutable. Optional. The name of the resource. Used for creation and
645 acquisition. When unset, the value of `metadata.name` is used as the default.
646 type: string
647 requirementlevel: Optional
648 children: []
649 additionalproperties: []
650- fullname:
651 - spec
652 - title
653 shortname: title
654 description: Human readable title. Must be unique within the Policy.
655 type: string
656 requirementlevel: Required
657 children: []
658 additionalproperties: []
659additionalproperties: []