
  1package v1
  2
  3import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
  4
  5// BoundObjectReference is a reference to an object that a token
  6// is bound to.
  7#BoundObjectReference: {
  8	// API version of the referent.
  9	"apiVersion"?: string
 10
 11	// Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
 12	"kind"?: string
 13
 14	// Name of the referent.
 15	"name"?: string
 16
 17	// UID of the referent.
 18	"uid"?: string
 19}
 20
 21// SelfSubjectReview contains the user information that the
 22// kube-apiserver has about the user making this request. When
 23// using impersonation, users will receive the user info of the
 24// user being impersonated. If impersonation or request header
 25// authentication is used, any extra keys will have their case
 26// ignored and returned as lowercase.
 27#SelfSubjectReview: {
 28	// APIVersion defines the versioned schema of this representation
 29	// of an object. Servers should convert recognized schemas to the
 30	// latest internal value, and may reject unrecognized values.
 31	// More info:
 32	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 33	"apiVersion": "authentication.k8s.io/v1"
 34
 35	// Kind is a string value representing the REST resource this
 36	// object represents. Servers may infer this from the endpoint
 37	// the client submits requests to. Cannot be updated. In
 38	// CamelCase. More info:
 39	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 40	"kind": "SelfSubjectReview"
 41
 42	// Standard object's metadata. More info:
 43	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 44	"metadata"?: v1.#ObjectMeta
 45
 46	// Status is filled in by the server with the user attributes.
 47	"status"?: #SelfSubjectReviewStatus
 48}
 49
 50// SelfSubjectReviewStatus is filled by the kube-apiserver and
 51// sent back to a user.
 52#SelfSubjectReviewStatus: {
 53	// User attributes of the user making this request.
 54	"userInfo"?: #UserInfo
 55}
 56
 57// TokenRequest requests a token for a given service account.
 58#TokenRequest: {
 59	// APIVersion defines the versioned schema of this representation
 60	// of an object. Servers should convert recognized schemas to the
 61	// latest internal value, and may reject unrecognized values.
 62	// More info:
 63	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 64	"apiVersion": "authentication.k8s.io/v1"
 65
 66	// Kind is a string value representing the REST resource this
 67	// object represents. Servers may infer this from the endpoint
 68	// the client submits requests to. Cannot be updated. In
 69	// CamelCase. More info:
 70	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 71	"kind": "TokenRequest"
 72
 73	// Standard object's metadata. More info:
 74	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
 75	"metadata"?: v1.#ObjectMeta
 76
 77	// Spec holds information about the request being evaluated
 78	"spec"!: #TokenRequestSpec
 79
 80	// Status is filled in by the server and indicates whether the
 81	// token can be authenticated.
 82	"status"?: #TokenRequestStatus
 83}
 84
 85// TokenRequestSpec contains client provided parameters of a token
 86// request.
 87#TokenRequestSpec: {
 88	// Audiences are the intendend audiences of the token. A recipient
 89	// of a token must identify themself with an identifier in the
 90	// list of audiences of the token, and otherwise should reject
 91	// the token. A token issued for multiple audiences may be used
 92	// to authenticate against any of the audiences listed but
 93	// implies a high degree of trust between the target audiences.
 94	"audiences"!: [...string]
 95
 96	// BoundObjectRef is a reference to an object that the token will
 97	// be bound to. The token will only be valid for as long as the
 98	// bound object exists. NOTE: The API server's TokenReview
 99	// endpoint will validate the BoundObjectRef, but other audiences
100	// may not. Keep ExpirationSeconds small if you want prompt
101	// revocation.
102	"boundObjectRef"?: #BoundObjectReference
103
104	// ExpirationSeconds is the requested duration of validity of the
105	// request. The token issuer may return a token with a different
106	// validity duration so a client needs to check the 'expiration'
107	// field in a response.
108	"expirationSeconds"?: int64 & int
109}
110
// TokenRequestStatus is the server's answer to a token request.
#TokenRequestStatus: {
	// ExpirationTimestamp is the authoritative expiry of the returned
	// token; it may differ from what spec.expirationSeconds asked for.
	expirationTimestamp!: v1.#Time

	// Token is the opaque bearer token. This is the credential itself:
	// treat it as a secret and keep it out of logs and events.
	token!: string
}
120
// TokenReview asks the API server to authenticate a bearer token and
// map it to a known user.
// Note: TokenReview results may be cached by the webhook token
// authenticator plugin in the kube-apiserver, so a token that was
// revoked upstream may still be reported as authenticated until the
// cache entry expires.
#TokenReview: {
	// APIVersion defines the versioned schema of this representation
	// of an object. Servers should convert recognized schemas to the
	// latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "authentication.k8s.io/v1"

	// Kind is a string value representing the REST resource this
	// object represents. Servers may infer this from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "TokenReview"

	// Standard object's metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// Spec holds the token (and audiences) being evaluated; it is
	// required.
	spec!: #TokenReviewSpec

	// Status is filled in by the server and indicates whether the
	// request can be authenticated.
	status?: #TokenReviewStatus
}
150
// TokenReviewSpec describes the token to authenticate and the
// audiences the caller presents itself as.
#TokenReviewSpec: {
	// Audiences is a list of the identifiers that the resource server
	// presented with the token identifies as. Audience-aware token
	// authenticators will verify that the token was intended for at
	// least one of the audiences in this list. If no audiences are
	// provided, the audience will default to the audience of the
	// Kubernetes apiserver.
	// NOTE(review): a resource server other than the apiserver should
	// therefore always set this field; leaving it empty accepts tokens
	// minted for the apiserver rather than for the caller
	// (confused-deputy risk), and the caller should also check
	// status.audiences as described on #TokenReviewStatus.
	audiences?: [...string]

	// Token is the opaque bearer token. It is a live credential: keep
	// it out of logs, events and error messages.
	token?: string
}
165
// TokenReviewStatus is the server's answer to a token authentication
// request.
#TokenReviewStatus: {
	// Audiences are audience identifiers chosen by the authenticator
	// that are compatible with both the TokenReview and token. An
	// identifier is any identifier in the intersection of the
	// TokenReviewSpec audiences and the token's audiences. A client
	// of the TokenReview API that sets the spec.audiences field
	// should validate that a compatible audience identifier is
	// returned in the status.audiences field to ensure that the
	// TokenReview server is audience aware. If a TokenReview returns
	// an empty status.audience field where status.authenticated is
	// "true", the token is valid against the audience of the
	// Kubernetes API server.
	audiences?: [...string]

	// Authenticated indicates that the token was associated with a
	// known user. Consumers should treat `user` as meaningful only
	// when this is true; an absent or false value means the token was
	// not accepted.
	authenticated?: bool

	// Error indicates that the token couldn't be checked at all, as
	// opposed to being checked and rejected. Treat it as not
	// authenticated.
	error?: string

	// User is the UserInfo associated with the provided token.
	user?: #UserInfo
}
192
// UserInfo carries the attributes of an authenticated user, as needed
// to implement the user.Info interface.
#UserInfo: {
	// Any additional information provided by the authenticator. Under
	// impersonation or request-header authentication the keys are
	// case-folded and returned lowercase (see #SelfSubjectReview), so
	// consumers should compare keys case-insensitively.
	extra?: [string]: [...string]

	// The names of groups this user is a part of.
	groups?: [...string]

	// A unique value that identifies this user across time. If this
	// user is deleted and another user by the same name is added,
	// they will have different UIDs — prefer it over username when
	// the identity must survive a delete/recreate.
	uid?: string

	// The name that uniquely identifies this user among all active
	// users.
	username?: string
}