policydelivery.appvia.io/v1alpha1
Package v1alpha1 contains API Schema definitions for the policydelivery v1alpha1 API group
Exported Resource Types
- AccessPolicy
- AccessRole
- AccessRoleBinding
- ClusterPolicy
- GlobalAccessPolicy
- GlobalAccessRole
- GlobalClusterPolicy
AccessPolicy
AccessPolicy represents a targeted policy
| Field | Description | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
apiVersion | policydelivery.appvia.io/v1alpha1 | ||||||||||||
kind | AccessPolicy | ||||||||||||
| metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. | ||||||||||||
| spec AccessPolicySpec | Spec is the specification of the access policy
| ||||||||||||
| status AccessPolicyStatus | Status is the status of the access policy
|
AccessRole
AccessRole represents a set of Kubernetes RBAC rules that can use used for user access
| Field | Description | ||||||
|---|---|---|---|---|---|---|---|
apiVersion | policydelivery.appvia.io/v1alpha1 | ||||||
kind | AccessRole | ||||||
| metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. | ||||||
| spec AccessRoleSpec | Spec is the specification of the access role
| ||||||
| status AccessRoleStatus | Status is the status of the access role
|
AccessRoleBinding
AccessRoleBinding represents actual access to a cluster for subjects
| Field | Description | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
apiVersion | policydelivery.appvia.io/v1alpha1 | ||||||||||
kind | AccessRoleBinding | ||||||||||
| metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. | ||||||||||
| spec AccessRoleBindingSpec |
| ||||||||||
| status AccessRoleBindingStatus |
|
ClusterPolicy
ClusterPolicy represents a cluster targeted policy
| Field | Description | ||||||
|---|---|---|---|---|---|---|---|
apiVersion | policydelivery.appvia.io/v1alpha1 | ||||||
kind | ClusterPolicy | ||||||
| metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. | ||||||
| spec ClusterPolicySpec |
| ||||||
| status ClusterPolicyStatus |
|
GlobalAccessPolicy
GlobalAccessPolicy represents a Global Access Policy to define Shared Access Policies
| Field | Description | ||||
|---|---|---|---|---|---|
apiVersion | policydelivery.appvia.io/v1alpha1 | ||||
kind | GlobalAccessPolicy | ||||
| metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. | ||||
| spec GlobalAccessPolicySpec | Spec is the specification of the global access policy
| ||||
| status GlobalAccessPolicyStatus | Status is the status of the global access policy
|
GlobalAccessRole
GlobalAccessRole represents a global set of Kubernetes RBAC rules that can use used for user access
| Field | Description | ||||
|---|---|---|---|---|---|
apiVersion | policydelivery.appvia.io/v1alpha1 | ||||
kind | GlobalAccessRole | ||||
| metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. | ||||
| spec GlobalAccessRoleSpec | Spec is the specification of the global access role
| ||||
| status GlobalAccessRoleStatus | Status is the status of the global access roles
|
GlobalClusterPolicy
ClusterPolicy represents a cluster targeted policy
| Field | Description | ||||||
|---|---|---|---|---|---|---|---|
apiVersion | policydelivery.appvia.io/v1alpha1 | ||||||
kind | GlobalClusterPolicy | ||||||
| metadata Kubernetes meta/v1.ObjectMeta | Refer to the Kubernetes API documentation for the fields of the metadata field. | ||||||
| spec ClusterPolicySpec |
| ||||||
| status ClusterPolicyStatus |
|
Internal Resource Types
- AccessPolicySpec
- AccessPolicyStatus
- AccessRoleAssignRequest
- AccessRoleAssumeRequest
- AccessRoleBindingSpec
- AccessRoleBindingStatus
- AccessRoleSpec
- AccessRoleStatus
- AssumeActionIfPresent
- ClusterConstraint
- ClusterPolicySpec
- ClusterPolicyStatus
- ClusterPolicyTarget
- Constraints
- DaysOfWeekConstraint
- GlobalAccessPolicySpec
- GlobalAccessPolicyStatus
- GlobalAccessRoleSpec
- GlobalAccessRoleStatus
- GlobalOrScopedAccessPolicy
- GlobalOrScopedAccessRole
- GlobalOrScopedClusterPolicy
- KubeRBACParameters
- KubeRBACParametersDeprecated
- KyvernoPolicySpec
- NamespaceConstraint
- NetworkConstraint
- PolicyProviderDetails
- PolicyType
- StageConstraint
- Subject
- SubjectKind
- TimeConstraint
- WeekDay
AccessPolicySpec
(Appears on: AccessPolicy, GlobalAccessPolicySpec)
AccessPolicySpec defines the desired state of AccessPolicy
| Field | Description |
|---|---|
| accessRoleRefs []string | AccessRoleRefs is the set of AccessRoles (in this workspace) that this policy grants access to create AccessRoleBindings for. This is the ‘what’ exactly is granted access to. |
| description string | Description is a human-readable description of the policy Should describe what sort of function the policy provides (e.g. support for production clusters) |
| groups []string | Groups is the list of workspace groups that are permitted access by this access policy. This is the ‘who’ in the access question. At least one group or wayfinder group must be specified. |
| wayfinderGroups []string | WayfinderGroups is the list of Wayfinder groups that are permitted access by this access policy. This is the ‘who’ in the access question At least one group or wayfinder group must be specified. |
| constraints Constraints | Constraints are the collection of constraints which control access to the roles This is a combination of when and where |
| subjectType string | SubjectKind is the type of the subject for this policy |
AccessPolicyStatus
(Appears on: AccessPolicy)
AccessPolicyStatus defines the status of an AccessPolicy
| Field | Description |
|---|---|
| CommonStatus CommonStatus | (Members of CommonStatus are embedded into this type.) |
AccessRoleAssignRequest
AccessRoleAssignRequest is the body that should be provided to the assign subresource of an AccessRole to create a permanent AccessRoleBinding for a specified subject.
| Field | Description |
|---|---|
| subject Subject | Subject is the user or access token that has this access in Wayfinder |
| clusterRef Ownership | ClusterRef provides reference to the cluster for this access |
| namespaceClaimRef string | NamespaceClaimRef is the namespacesClaim this binding is valid for |
AccessRoleAssumeRequest
AccessRoleAssumeRequest is the body that should be provided to the assume subresource of an AccessRole to create a temporary AccessRoleBinding for the current user.
| Field | Description |
|---|---|
| expiration Kubernetes meta/v1.Time | Expiration is the expiration time for the role assumption |
| clusterRef Ownership | ClusterRef provides reference to the cluster for this access |
| namespaceClaimRef string | NamespaceClaimRef is the namespacesClaim this binding is valid for |
| ifPresent AssumeActionIfPresent | IfPresent controls what to do if the requesting user already has a valid access role binding for the given role and target. Default if unspecified: CreateNew |
AccessRoleBindingSpec
(Appears on: AccessRoleBinding)
AccessRoleBindingSpec defines the desired state of AccessRoleBinding Will create a ClusterPolicy with a role binding only
| Field | Description |
|---|---|
| expiration Kubernetes meta/v1.Time | Expiration is the expiration time for any policy to exist Omitting this will make the policy persistent |
| accessRoleRef string | AccessRoleRef is the reference to the AccessRole (in this namespace) |
| clusterRef Ownership | ClusterRef provides reference to the cluster for this access Must be specified if NamespaceClaimRef is not set Must be specified if the reference role specified ClusterWide |
| namespaceClaimRef string | NamespaceClaimRef is the namespacesClaim this binding is valid for Will create a roleBinding for the namespace referenced Must be specified if the AccessRoleRef specifies ClusterScope=false Is an error if the ClusterScope=true |
| subject Subject | Subject is the user or access token that has this access in Wayfinder |
AccessRoleBindingStatus
(Appears on: AccessRoleBinding)
AccessRoleBindingStatus defines the status of an AccessRoleBinding
| Field | Description |
|---|---|
| CommonStatus CommonStatus | (Members of CommonStatus are embedded into this type.) |
AccessRoleSpec
(Appears on: AccessRole, GlobalAccessRoleSpec)
AccessRoleSpec defines the desired state of AccessRole
| Field | Description |
|---|---|
| clusterScope bool | ClusterScope indicates if the access role is cluster-wide or not will be used to validate if a AccessPolicyTarget is valid or not |
| description string | Description is a human-readable description of the role Should describe what the role would provide access to when bound to a user |
| rules []Kubernetes rbac/v1.PolicyRule | Rules is rules |
AccessRoleStatus
(Appears on: AccessRole)
AccessPolicyStatus defines the status of an AccessPolicy
| Field | Description |
|---|---|
| CommonStatus CommonStatus | (Members of CommonStatus are embedded into this type.) |
AssumeActionIfPresent
(string alias)
(Appears on: AccessRoleAssumeRequest)
| Value | Description |
|---|---|
| "CreateIfNearExpiry" | |
| "CreateNew" | |
| "DoNotCreate" |
ClusterConstraint
(Appears on: Constraints)
ClusterConstraint places a constraint around the cluster
| Field | Description |
|---|---|
| allowed Kubernetes meta/v1.LabelSelector | Allowed is a collection of clusters permitted access on the role |
| denied Kubernetes meta/v1.LabelSelector | Denied provides the means to denied one or more clusters from the role |
ClusterPolicySpec
(Appears on: ClusterPolicy, GlobalClusterPolicy)
ClusterPolicySpec defines the specification of a policy in a cluster or namespace
| Field | Description |
|---|---|
| description string | Description contains an optional description for this cluster policy |
| target ClusterPolicyTarget | Target contains targeting information for this cluster policy |
| policy PolicyProviderDetails | Policy details |
ClusterPolicyStatus
(Appears on: ClusterPolicy, GlobalClusterPolicy)
ClusterPolicyStatus defines the status of a cluster policy
| Field | Description |
|---|---|
| CommonStatus CommonStatus | (Members of CommonStatus are embedded into this type.) |
| RoutingStatus RoutingStatus | (Members of RoutingStatus are embedded into this type.) |
ClusterPolicyTarget
(Appears on: ClusterPolicySpec)
ClusterPolicyTarget is the targeting specification for this cluster policy Not convinced this is required as a PolicyBinding can create one of these per cluster or namespace
| Field | Description |
|---|---|
| cluster Kubernetes meta/v1.LabelSelector | Cluster specifies labels for clusters to target with this policy |
| namespace Kubernetes meta/v1.LabelSelector | Namespace specifies labels for namespace claims to target with this policy. Note that is namespace claims not labels on the namespaces in target clusters. |
Constraints
(Appears on: AccessPolicySpec)
Constraints defines a constraint to assuming access to an AccessRole aka creating an AccessRoleBinding
| Field | Description |
|---|---|
| clusters ClusterConstraint | Clusters constrains access to matching clusters |
| namespaces NamespaceConstraint | Namespaces constraints access to matching namespaces |
| days DaysOfWeekConstraint | Days constrains access to the days of week |
| ttl Kubernetes meta/v1.Duration | TTL is the length of a session. A user’s access will be revoked after this amount of time. |
| networks NetworkConstraint | Networks allows defines one of more networks from which the user assuming the role can come from |
| time TimeConstraint | Time provides a time of day constraint when assuming the policy. The assumption must occur within the alloted time frame to assume the role |
DaysOfWeekConstraint
(Appears on: Constraints)
DaysOfWeekConstraint places a constraint on the day of week when the role can be assumed
| Field | Description |
|---|---|
| allowed []WeekDay | Allowed are the days permitted in access These are the values from the Weekday type .String() method |
| denied []WeekDay | Denied is a collection of days which are not permitted to access the role |
GlobalAccessPolicySpec
(Appears on: GlobalAccessPolicy)
GlobalAccessPolicySpec defines the desired state of a GlobalAccessPolicy
| Field | Description |
|---|---|
| accessPolicyTemplate AccessPolicySpec | AccessPolicyTemplate is the spec of a resulting AccessPolicy |
| workspaceSelector Kubernetes meta/v1.LabelSelector | WorkspaceSelector is a selector for Workspaces that will get this template |
GlobalAccessPolicyStatus
(Appears on: GlobalAccessPolicy)
GlobalAccessPolicyStatus defines the status of a GlobalAccessPolicy
| Field | Description |
|---|---|
| CommonStatus CommonStatus | (Members of CommonStatus are embedded into this type.) |
GlobalAccessRoleSpec
(Appears on: GlobalAccessRole)
GlobalAccessRoleSpec defines the Kubernetes RBAC rules for user access to clusters across all workspaces Defines the rules for which workspaces will get cluster access role updates
| Field | Description |
|---|---|
| accessRoleTemplate AccessRoleSpec | AccessRoleTemplate is the template for any AccessRole created |
| workspaceSelector Kubernetes meta/v1.LabelSelector | WorkspaceSelector is a selector for Workspaces that will get this template |
GlobalAccessRoleStatus
(Appears on: GlobalAccessRole)
GlobalAccessRoleStatus defines the status of a GlobalAccessRole
| Field | Description |
|---|---|
| CommonStatus CommonStatus | (Members of CommonStatus are embedded into this type.) |
GlobalOrScopedAccessPolicy
GlobalOrScopedAccessPolicy represents either type of access policy in a consistent way
GlobalOrScopedAccessRole
GlobalOrScopedAccessRole represents either type of access role in a consistent way
GlobalOrScopedClusterPolicy
KubeRBACParameters
(Appears on: PolicyProviderDetails)
KubeRBACParameters is the parameters for
| Field | Description |
|---|---|
| KubeRBACParametersDeprecated KubeRBACParametersDeprecated | (Members of KubeRBACParametersDeprecated are embedded into this type.) |
| rules []Kubernetes rbac/v1.PolicyRule | Rules is rules Leave blank to specify only a binding is to be created |
| subjects []Kubernetes rbac/v1.Subject | Subjects / principles who the rules apply to - user - group - serviceaccount Note only a service account can specify the namespace |
| roleRef Kubernetes rbac/v1.RoleRef | RoleRef is a reference to the Role or ClusterRole within the target cluster - must exist if no rules are specified |
| clusterScoped bool | ClusterScoped specifies whether the create role/bindings should be cluster scoped |
KubeRBACParametersDeprecated
(Appears on: KubeRBACParameters)
| Field | Description |
|---|---|
| roleNameOverride string | RoleNameOverride is the name of the Role or ClusterRole if different from the clusterpolicy name - useful when creating just a role binding or referencing a clusterwide role - must be specified when ClusterWideRole is set to true |
| clusterScopedRoleOverride bool | ClusterScopedRoleOverride specifies the role referenced by the RoleBinding is a ClusterRole - specify true to override the default when targeting a namespaced role / role binding - ignored when targeting a ClusterRole |
| roleBindingNameOverride string | RoleBindingOverrideName is the name of the RoleBinding or ClusterRoleBinding if different from the clusterpolicy name Leave blank to have it derived from the name of the clusterpolicy name Specify a unique name depending on the subject and role combination - useful when creating just a role binding or referencing a clusterwide role kubebuilder:validation:Optional |
KyvernoPolicySpec
(Appears on: PolicyProviderDetails)
| Field | Description |
|---|---|
| rules []github.com/appvia/wayfinder/server/policydelivery/extapis/kyverno/v1.Rule | Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources. |
| applyRules github.com/appvia/wayfinder/server/policydelivery/extapis/kyverno/v1.ApplyRulesType | (Optional) ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to |
| failurePolicy github.com/appvia/wayfinder/server/policydelivery/extapis/kyverno/v1.FailurePolicyType | (Optional) FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. This field should not be accessed directly, instead |
| validationFailureAction github.com/appvia/wayfinder/server/policydelivery/extapis/kyverno/v1.ValidationFailureAction | (Optional) ValidationFailureAction defines if a validation policy rule violation should block the admission review request (enforce), or allow (audit) the admission review request and report an error in a policy report. Optional. Allowed values are audit or enforce. The default value is “Audit”. |
| validationFailureActionOverrides []github.com/appvia/wayfinder/server/policydelivery/extapis/kyverno/v1.ValidationFailureActionOverride | (Optional) ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction namespace-wise. It overrides ValidationFailureAction for the specified namespaces. |
| background bool | (Optional) Background controls if rules are applied to existing resources during a background scan. Optional. Default value is “true”. The value must be set to “false” if the policy rule uses variables that are only available in the admission review request (e.g. user name). |
| schemaValidation bool | (Optional) SchemaValidation skips validation checks for policies as well as patched resources. Optional. The default value is set to “true”, it must be set to “false” to disable the validation checks. |
| webhookTimeoutSeconds int32 | WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. After the configured time expires, the admission request may fail, or may simply ignore the policy results, based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. |
| mutateExistingOnPolicyUpdate bool | (Optional) MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is “false”. |
| generateExistingOnPolicyUpdate bool | (Optional) GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources If is set to “true” generate rule will be triggered and applied to existing matched resources. Defaults to “false” if not specified. |
NamespaceConstraint
(Appears on: Constraints)
NamespaceConstraint places a constraint around the namespaces on clusters
| Field | Description |
|---|---|
| allowed Kubernetes meta/v1.LabelSelector | Allowed is a collection of namespaces permitted access to the role |
| denied Kubernetes meta/v1.LabelSelector | Denied provides the means to denied one or more namespaces from the role |
NetworkConstraint
(Appears on: Constraints)
NetworkConstraint provides a collection of network ranges which the user can come from
| Field | Description |
|---|---|
| allowed []string | Allowed is a collection of network which they must originate from |
| denied []string | Denied is a collection of networks cidrs which will be denied regardless |
PolicyProviderDetails
(Appears on: ClusterPolicySpec)
PolicyProviderDetails
| Field | Description |
|---|---|
| type PolicyType | PolicyType is the specific type of policy |
| kuberbac KubeRBACParameters | KubeRBAC holds the kubernetes rbac details |
| kyverno KyvernoPolicySpec | Kyverno holds the spec for a kyverno policy |
PolicyType
(string alias)
(Appears on: PolicyProviderDetails)
PolicyType represents the concrete type of a policy to provide
| Value | Description |
|---|---|
| "KubeRBAC" | PolicyTypeKubeRBAC is for kubernetes rbac |
| "Kyverno" | PolicyTypeKyverno is for kyverno policies |
StageConstraint
StageConstraint places a further constraint around which clusters can be accessed
| Field | Description |
|---|---|
| allowed []string | Allowed are the stages the clusters the access is allowed to be assumed on |
| denied []string | Denied are the stages the clusters the access is NOT allowed to be assumed on |
Subject
(Appears on: AccessRoleAssignRequest, AccessRoleBindingSpec)
Subject defines a subject for AccessPolicies / AccessRoleBindings etc.
| Field | Description |
|---|---|
| kind string | Kind of object being referenced. Initially supported values include “User”, “AccessToken”, “WayfinderGroup” and “WorkspaceGroup” |
| name string | Name of the object being referenced. |
| workspace WorkspaceKey | Workspace is the workspace of the subject - only applicable to kind ‘AccessToken’ |
SubjectKind
(string alias)
SubjectKind represents types of subject that Wayfinder can use
TimeConstraint
(Appears on: Constraints)
TimeConstraint provides a control around the time a user can assume one of more roles in wayfinder
| Field | Description |
|---|---|
| from string | Before indicates nothing before this time can access the AccessRole |
| to string | After indicate the nothing after this time access the role |
WeekDay
(string alias)
(Appears on: DaysOfWeekConstraint)
WeekDay