src/github.com/openshift/api/authorization/v1/0000_03_authorization-openshift_01_rolebindingrestriction.crd.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.openshift.io: https://github.com/openshift/api/pull/470
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  name: rolebindingrestrictions.authorization.openshift.io
spec:
  group: authorization.openshift.io
  names:
    kind: RoleBindingRestriction
    listKind: RoleBindingRestrictionList
    plural: rolebindingrestrictions
    singular: rolebindingrestriction
  scope: Namespaced
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          description: "RoleBindingRestriction is an object that can be matched against a subject (user, group, or service account) to determine whether rolebindings on that subject are allowed in the namespace to which the RoleBindingRestriction belongs. If any one of those RoleBindingRestriction objects matches a subject, rolebindings on that subject in the namespace are allowed. \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)."
          type: object
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: Spec defines the matcher.
              type: object
              properties:
                grouprestriction:
                  description: GroupRestriction matches against group subjects.
                  type: object
                  properties:
                    groups:
                      description: Groups is a list of groups used to match against an individual user's groups. If the user is a member of one of the whitelisted groups, the user is allowed to be bound to a role.
                      type: array
                      items:
                        type: string
                      nullable: true
                    labels:
                      description: Selectors specifies a list of label selectors over group labels.
                      type: array
                      items:
                        description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                        type: object
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            type: array
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              type: object
                              required:
                                - key
                                - operator
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  type: array
                                  items:
                                    type: string
                          matchLabels:
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                            additionalProperties:
                              type: string
                        x-kubernetes-map-type: atomic
                      nullable: true
                  nullable: true
                serviceaccountrestriction:
                  description: ServiceAccountRestriction matches against service-account subjects.
                  type: object
                  properties:
                    namespaces:
                      description: Namespaces specifies a list of literal namespace names.
                      type: array
                      items:
                        type: string
                    serviceaccounts:
                      description: ServiceAccounts specifies a list of literal service-account names.
                      type: array
                      items:
                        description: ServiceAccountReference specifies a service account and namespace by their names.
                        type: object
                        properties:
                          name:
                            description: Name is the name of the service account.
                            type: string
                          namespace:
                            description: Namespace is the namespace of the service account. Service accounts from inside the whitelisted namespaces are allowed to be bound to roles. If Namespace is empty, then the namespace of the RoleBindingRestriction in which the ServiceAccountReference is embedded is used.
                            type: string
                  nullable: true
                userrestriction:
                  description: UserRestriction matches against user subjects.
                  type: object
                  properties:
                    groups:
                      description: Groups specifies a list of literal group names.
                      type: array
                      items:
                        type: string
                      nullable: true
                    labels:
                      description: Selectors specifies a list of label selectors over user labels.
                      type: array
                      items:
                        description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                        type: object
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            type: array
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              type: object
                              required:
                                - key
                                - operator
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  type: array
                                  items:
                                    type: string
                          matchLabels:
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                            additionalProperties:
                              type: string
                        x-kubernetes-map-type: atomic
                      nullable: true
                    users:
                      description: Users specifies a list of literal user names.
                      type: array
                      items:
                        type: string
                  nullable: true
      served: true
      storage: true