1package v1
3import "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
// AggregationRule describes how to locate the ClusterRoles whose
// permissions are aggregated into the ClusterRole carrying this rule.
#AggregationRule: {
	// clusterRoleSelectors lists the label selectors used to find the
	// source ClusterRoles and build the rules. The selectors are OR-ed:
	// a ClusterRole matched by any one of them has its permissions
	// added.
	// NOTE(review): selection is by label, so whoever can create or
	// label a matching ClusterRole can add permissions to the
	// aggregate; keep write access to ClusterRoles tightly scoped.
	clusterRoleSelectors?: [...v1.#LabelSelector]
}
// ClusterRole is a cluster-level, logical grouping of PolicyRules.
// A RoleBinding or ClusterRoleBinding can reference it as a unit.
#ClusterRole: {
	// aggregationRule optionally describes how the rules of this
	// ClusterRole are built. When it is set, the rules are managed by
	// a controller and direct edits to rules are overwritten by that
	// controller.
	aggregationRule?: #AggregationRule

	// apiVersion identifies the versioned schema of this object and
	// is pinned to the RBAC v1 group/version. Servers should convert
	// recognized schemas to the latest internal value, and may reject
	// unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "rbac.authorization.k8s.io/v1"

	// kind names the REST resource this object represents and is
	// pinned to "ClusterRole". Servers may infer it from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ClusterRole"

	// metadata is the standard object metadata.
	metadata?: v1.#ObjectMeta

	// rules holds every PolicyRule granted by this ClusterRole.
	rules?: [...#PolicyRule]
}
// ClusterRoleBinding references a ClusterRole, but does not contain
// it. It can reference a ClusterRole in the global namespace, and it
// supplies the "who" through its subjects.
#ClusterRoleBinding: {
	// apiVersion identifies the versioned schema of this object and
	// is pinned to the RBAC v1 group/version. Servers should convert
	// recognized schemas to the latest internal value, and may reject
	// unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "rbac.authorization.k8s.io/v1"

	// kind names the REST resource this object represents and is
	// pinned to "ClusterRoleBinding". Servers may infer it from the
	// endpoint the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ClusterRoleBinding"

	// metadata is the standard object metadata.
	metadata?: v1.#ObjectMeta

	// roleRef is required and can only point at a ClusterRole in the
	// global namespace. If it cannot be resolved, the Authorizer must
	// return an error. This field is immutable.
	roleRef!: #RoleRef

	// subjects holds references to the objects the role applies to,
	// i.e. the identities that receive the referenced permissions.
	subjects?: [...#Subject]
}
// ClusterRoleBindingList is a collection of ClusterRoleBindings.
#ClusterRoleBindingList: {
	// apiVersion identifies the versioned schema of this object and
	// is pinned to the RBAC v1 group/version. Servers should convert
	// recognized schemas to the latest internal value, and may reject
	// unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "rbac.authorization.k8s.io/v1"

	// items is the required list of ClusterRoleBindings.
	items!: [...#ClusterRoleBinding]

	// kind names the REST resource this object represents and is
	// pinned to "ClusterRoleBindingList". Servers may infer it from
	// the endpoint the client submits requests to. Cannot be
	// updated. In CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ClusterRoleBindingList"

	// metadata is the standard list metadata.
	metadata?: v1.#ListMeta
}
// ClusterRoleList is a collection of ClusterRoles.
#ClusterRoleList: {
	// apiVersion identifies the versioned schema of this object and
	// is pinned to the RBAC v1 group/version. Servers should convert
	// recognized schemas to the latest internal value, and may reject
	// unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "rbac.authorization.k8s.io/v1"

	// items is the required list of ClusterRoles.
	items!: [...#ClusterRole]

	// kind names the REST resource this object represents and is
	// pinned to "ClusterRoleList". Servers may infer it from the
	// endpoint the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ClusterRoleList"

	// metadata is the standard list metadata.
	metadata?: v1.#ListMeta
}
// PolicyRule describes a single policy rule: what may be done to
// which resources. It says nothing about who the rule applies to or
// which namespace it applies to.
#PolicyRule: {
	// apiGroups names the API groups that contain the resources. When
	// several groups are listed, an action requested against one of
	// the enumerated resources in any of those groups is allowed. ""
	// represents the core API group and "*" represents all API
	// groups.
	apiGroups?: [...string]

	// nonResourceURLs is a set of partial URLs that a user should
	// have access to. A "*" is allowed, but only as the full, final
	// step in the path. Since non-resource URLs are not namespaced,
	// this field is only applicable for ClusterRoles referenced from
	// a ClusterRoleBinding. A rule can apply either to API resources
	// (such as "pods" or "secrets") or to non-resource URL paths
	// (such as "/api"), but not both.
	nonResourceURLs?: [...string]

	// resourceNames is an optional allowlist of names that the rule
	// applies to. An empty set means that everything is allowed, so
	// leaving this field out does not narrow the rule.
	resourceNames?: [...string]

	// resources lists the resources this rule applies to. '*'
	// represents all resources.
	resources?: [...string]

	// verbs is the required list of verbs that apply to ALL the
	// resource kinds contained in this rule. '*' represents all
	// verbs.
	verbs!: [...string]
}
// Role is a namespaced, logical grouping of PolicyRules. A
// RoleBinding can reference it as a unit.
#Role: {
	// apiVersion identifies the versioned schema of this object and
	// is pinned to the RBAC v1 group/version. Servers should convert
	// recognized schemas to the latest internal value, and may reject
	// unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "rbac.authorization.k8s.io/v1"

	// kind names the REST resource this object represents and is
	// pinned to "Role". Servers may infer it from the endpoint the
	// client submits requests to. Cannot be updated. In CamelCase.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "Role"

	// metadata is the standard object metadata.
	metadata?: v1.#ObjectMeta

	// rules holds every PolicyRule granted by this Role.
	rules?: [...#PolicyRule]
}
// RoleBinding references a role, but does not contain it. It can
// reference a Role in the same namespace or a ClusterRole in the
// global namespace. The "who" comes from its subjects and the
// namespace comes from where the binding itself lives: a RoleBinding
// only has effect in the namespace it exists in.
#RoleBinding: {
	// apiVersion identifies the versioned schema of this object and
	// is pinned to the RBAC v1 group/version. Servers should convert
	// recognized schemas to the latest internal value, and may reject
	// unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "rbac.authorization.k8s.io/v1"

	// kind names the REST resource this object represents and is
	// pinned to "RoleBinding". Servers may infer it from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "RoleBinding"

	// metadata is the standard object metadata.
	metadata?: v1.#ObjectMeta

	// roleRef is required and can point at a Role in the current
	// namespace or a ClusterRole in the global namespace. If it
	// cannot be resolved, the Authorizer must return an error. This
	// field is immutable.
	roleRef!: #RoleRef

	// subjects holds references to the objects the role applies to,
	// i.e. the identities that receive the referenced permissions.
	subjects?: [...#Subject]
}
// RoleBindingList is a collection of RoleBindings.
#RoleBindingList: {
	// apiVersion identifies the versioned schema of this object and
	// is pinned to the RBAC v1 group/version. Servers should convert
	// recognized schemas to the latest internal value, and may reject
	// unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "rbac.authorization.k8s.io/v1"

	// items is the required list of RoleBindings.
	items!: [...#RoleBinding]

	// kind names the REST resource this object represents and is
	// pinned to "RoleBindingList". Servers may infer it from the
	// endpoint the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "RoleBindingList"

	// metadata is the standard list metadata.
	metadata?: v1.#ListMeta
}
// RoleList is a collection of Roles.
#RoleList: {
	// apiVersion identifies the versioned schema of this object and
	// is pinned to the RBAC v1 group/version. Servers should convert
	// recognized schemas to the latest internal value, and may reject
	// unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "rbac.authorization.k8s.io/v1"

	// items is the required list of Roles.
	items!: [...#Role]

	// kind names the REST resource this object represents and is
	// pinned to "RoleList". Servers may infer it from the endpoint
	// the client submits requests to. Cannot be updated. In
	// CamelCase. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "RoleList"

	// metadata is the standard list metadata.
	metadata?: v1.#ListMeta
}
// RoleRef points at the role a binding uses. All three fields are
// required.
// NOTE(review): every field is an unconstrained string here, so this
// schema alone does not restrict which kind or API group a binding
// may name; any such check has to happen elsewhere.
#RoleRef: {
	// apiGroup is the API group of the resource being referenced.
	apiGroup!: string

	// kind is the type of the resource being referenced.
	kind!: string

	// name is the name of the resource being referenced.
	name!: string
}
// Subject identifies an object or user identity that a role binding
// applies to. It holds either a direct API object reference or a
// value for non-objects such as user and group names.
#Subject: {
	// apiGroup holds the API group of the referenced subject. It
	// defaults to "" for ServiceAccount subjects and to
	// "rbac.authorization.k8s.io" for User and Group subjects.
	apiGroup?: string

	// kind is the required kind of object being referenced. The
	// values defined by this API group are "User", "Group", and
	// "ServiceAccount". If the Authorizer does not recognize the
	// kind value, it should report an error.
	kind!: string

	// name is the required name of the object being referenced.
	name!: string

	// namespace is the namespace of the referenced object. If the
	// object kind is non-namespaced, such as "User" or "Group", and
	// this value is not empty, the Authorizer should report an error.
	namespace?: string
}