Package v1alpha1 contains API Schema definitions for the authorization v1alpha1 API group
BindDefinition is the Schema for the binddefinitions API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | `authorization.t-caas.telekom.com/v1alpha1` | | |
| `kind` _string_ | `BindDefinition` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _BindDefinitionSpec_ | | | |
| `status` _BindDefinitionStatus_ | | | |
BindDefinitionSpec defines the desired state of BindDefinition.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `targetName` _string_ | Name that is prefixed to the concatenated string that forms the name of the binding. Follows the format "targetName-clusterrole/role-binding", where clusterrole/role is the ClusterRole or Role that already exists in the cluster. | | Required: {} |
| `subjects` _Subject array_ | List of subjects that will be bound to a target ClusterRole/Role. Each subject can be a "User", "Group" or "ServiceAccount". | | Required: {} |
| `clusterRoleBindings` _ClusterBinding_ | List of ClusterRoles to which the subjects will be bound. The list is a RoleRef, which means the full rbacv1.RoleRef schema has to be specified. Specifying this field results in ClusterRoleBindings. | | Optional: {} |
| `roleBindings` _NamespaceBinding array_ | List of ClusterRoles/Roles to which the subjects will be bound. The list is a RoleRef, which means the full rbacv1.RoleRef schema has to be specified. Specifying this field results in RoleBindings. | | Optional: {} |
| `automountServiceAccountToken` _boolean_ | AutomountServiceAccountToken controls whether API credentials are automounted for ServiceAccounts created by this BindDefinition. Defaults to true for backward compatibility with native Kubernetes ServiceAccount behavior. Set to false to improve security by preventing automatic token mounting. Only applies when Subjects contain ServiceAccount entries that need to be auto-created. | true | Optional: {} |
BindDefinitionStatus defines the observed state of BindDefinition.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `observedGeneration` _integer_ | ObservedGeneration is the last observed generation of the resource. This is used by kstatus to determine if the resource is current. | | Optional: {} |
| `bindReconciled` _boolean_ | Not extremely important, as most status updates are driven by Conditions. We read the JSONPath from this status field to signify completed reconciliation. | | Optional: {} |
| `generatedServiceAccounts` _Subject array_ | If the BindDefinition points to a subject of kind ServiceAccount and the ServiceAccount is not present, the controller reconciles (creates) it automatically. | | Optional: {} |
| `missingRoleRefs` _string array_ | MissingRoleRefs lists role references that could not be resolved during the last reconciliation. Format: `ClusterRole/<name>` or `Role/<namespace>/<name>`. Empty when all referenced roles exist. | | Optional: {} |
| `externalServiceAccounts` _string array_ | ExternalServiceAccounts lists ServiceAccounts referenced by this BindDefinition that already existed and are not owned by any BindDefinition. These SAs are used in bindings but not managed (created/deleted) by the controller. Format: `<namespace>/<name>`. | | Optional: {} |
| `conditions` _Condition array_ | Conditions defines the current service state of the BindDefinition. All conditions should evaluate to true to signify successful reconciliation. | | Optional: {} |

| Type | Description |
|---|---|
| Ready | Whether the BindDefinition is fully reconciled. True even when RoleRefsValid is False; bindings are created regardless. |
| Reconciling | Controller is actively reconciling (abnormal-true pattern). |
| Stalled | An unrecoverable error occurred (abnormal-true pattern). |
| RoleRefsValid | Whether all referenced ClusterRoles and Roles exist. When False, the controller requeues every 10 s and emits a RoleRefNotFound warning event. The condition self-heals once the missing roles are created (e.g. by a RoleDefinition). |
| Finalizer | Set once the BindDefinition finalizer is in place. |
| Created | Set after all CRBs, RBs, and SAs have been applied. |
| Deleted | Set during the deletion workflow. |

| Metric | Type | Labels | Description |
|---|---|---|---|
| auth_operator_role_refs_missing | Gauge | binddefinition | Number of missing role references per BindDefinition. 0 when all refs resolve. |
| auth_operator_namespaces_active | Gauge | binddefinition | Number of active (non-terminating) namespaces matching the BindDefinition's selectors. |
| auth_operator_reconcile_total | Counter | controller, result | Per-reconcile outcome. result is one of: success, degraded (missing role refs), error, finalized, skipped. |

| Scenario | Interval | Notes |
|---|---|---|
| All role refs valid | 60 s | Default drift-correction interval. |
| One or more role refs missing | 10 s | Faster poll until roles appear. |
| Owned resource changes | immediate | Triggered by watch on owned CRBs, SAs, RBs, and Namespaces. |
ClusterBinding defines cluster-scoped role bindings.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `clusterRoleRefs` _string array_ | ClusterRoleRefs references an existing ClusterRole. | | Optional: {} |
NamespaceBinding defines namespace-scoped role bindings.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `clusterRoleRefs` _string array_ | ClusterRoleRefs references an existing ClusterRole. | | Optional: {} |
| `roleRefs` _string array_ | RoleRefs references a specific Role that has to exist in the target namespaces. | | Optional: {} |
| `namespace` _string_ | Namespace of the Role that should be bound to the subjects. | | Optional: {} |
| `namespaceSelector` _LabelSelector array_ | NamespaceSelector is a label selector which will match namespaces that should have the RoleBinding/s. | | Optional: {} |
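Added example (not part of this API reference and not the operator's code): a self-contained Go sketch of how a BindDefinitionSpec expands into bindings, how unresolved references are reported in the `missingRoleRefs` format from the status table, and how the `automountServiceAccountToken` default is applied to ServiceAccount subjects the controller would have to create. The types Subject, ClusterBinding, NamespaceBinding, BindDefinitionSpec, Binding and ClusterState are trimmed stand-ins defined here; reading "targetName-clusterrole/role-binding" as `targetName-<role>-binding` is an assumption; namespaceSelector expansion is left out; every input returned by Sample is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Trimmed-down stand-ins for the v1alpha1 types on this page (not the operator's own Go types).
type Subject struct{ Kind, Name, Namespace string } // Kind is "User", "Group" or "ServiceAccount"
type ClusterBinding struct{ ClusterRoleRefs []string }
type NamespaceBinding struct {
	ClusterRoleRefs, RoleRefs []string
	Namespace                 string // namespaceSelector expansion is left out of this example
}
type BindDefinitionSpec struct {
	TargetName                   string
	Subjects                     []Subject
	ClusterRoleBindings          ClusterBinding
	RoleBindings                 []NamespaceBinding
	AutomountServiceAccountToken *bool // nil means the documented default, true
}

// Binding is one CRB or RB the controller would apply; the name follows the page's
// "targetName-<role>-binding" format (that reading of the format is an assumption).
type Binding struct{ Kind, Name, Namespace, RoleKind, RoleName string }
// ClusterState is a constructed view of what exists; Roles and ServiceAccounts are keyed "<namespace>/<name>".
type ClusterState struct{ ClusterRoles, Roles, ServiceAccounts map[string]bool }
func bindingName(target, role string) string { return target + "-" + role + "-binding" }

// DesiredBindings expands the spec into the ClusterRoleBindings and RoleBindings the controller should own.
func DesiredBindings(spec BindDefinitionSpec) []Binding {
	var out []Binding
	for _, cr := range spec.ClusterRoleBindings.ClusterRoleRefs {
		out = append(out, Binding{"ClusterRoleBinding", bindingName(spec.TargetName, cr), "", "ClusterRole", cr})
	}
	for _, nb := range spec.RoleBindings {
		for _, cr := range nb.ClusterRoleRefs {
			out = append(out, Binding{"RoleBinding", bindingName(spec.TargetName, cr), nb.Namespace, "ClusterRole", cr})
		}
		for _, r := range nb.RoleRefs {
			out = append(out, Binding{"RoleBinding", bindingName(spec.TargetName, r), nb.Namespace, "Role", r})
		}
	}
	return out
}

// MissingRoleRefs reports unresolved references in the status.missingRoleRefs format
// ("ClusterRole/<name>" or "Role/<namespace>/<name>"), sorted and de-duplicated.
func MissingRoleRefs(bindings []Binding, state ClusterState) []string {
	seen := map[string]bool{}
	for _, b := range bindings {
		if b.RoleKind == "ClusterRole" && !state.ClusterRoles[b.RoleName] {
			seen["ClusterRole/"+b.RoleName] = true
		} else if b.RoleKind == "Role" && !state.Roles[b.Namespace+"/"+b.RoleName] {
			seen[fmt.Sprintf("Role/%s/%s", b.Namespace, b.RoleName)] = true
		}
	}
	out := make([]string, 0, len(seen))
	for ref := range seen {
		out = append(out, ref)
	}
	sort.Strings(out)
	return out
}

// PlanServiceAccounts splits ServiceAccount subjects into those the controller would create (value is
// the automount setting they get) and pre-existing ones it only references (externalServiceAccounts).
func PlanServiceAccounts(spec BindDefinitionSpec, state ClusterState) (generated map[string]bool, external []string) {
	automount := spec.AutomountServiceAccountToken == nil || *spec.AutomountServiceAccountToken
	generated = map[string]bool{}
	for _, s := range spec.Subjects {
		if s.Kind != "ServiceAccount" { // User and Group subjects need no object
			continue
		}
		if key := s.Namespace + "/" + s.Name; state.ServiceAccounts[key] {
			external = append(external, key)
		} else {
			generated[key] = automount
		}
	}
	sort.Strings(external)
	return generated, external
}

// Sample returns constructed inputs: ClusterRole "edit" and Role "build/secrets-reader" are absent,
// ServiceAccount "build/deployer" pre-exists and "build/ci-bot" does not.
func Sample() (BindDefinitionSpec, ClusterState) {
	off := false // hardened setting: generated SAs get no API token auto-mounted into their pods
	spec := BindDefinitionSpec{
		TargetName:                   "team-a",
		Subjects:                     []Subject{{"User", "alice", ""}, {"ServiceAccount", "ci-bot", "build"}, {"ServiceAccount", "deployer", "build"}},
		ClusterRoleBindings:          ClusterBinding{ClusterRoleRefs: []string{"view"}},
		RoleBindings:                 []NamespaceBinding{{ClusterRoleRefs: []string{"edit"}, RoleRefs: []string{"secrets-reader"}, Namespace: "build"}},
		AutomountServiceAccountToken: &off,
	}
	return spec, ClusterState{ClusterRoles: map[string]bool{"view": true}, Roles: map[string]bool{}, ServiceAccounts: map[string]bool{"build/deployer": true}}
}

func main() {
	spec, state := Sample()
	bindings := DesiredBindings(spec)
	generated, external := PlanServiceAccounts(spec, state)
	fmt.Println(bindings, MissingRoleRefs(bindings, state), generated, external) // non-empty missing refs: RoleRefsValid=False
}
```

Running it yields three bindings, two unresolved references (in the real controller that is the RoleRefsValid=False state with the 10 s requeue), one generated ServiceAccount with automount disabled and one external ServiceAccount that stays unmanaged. The hardening-relevant detail is that the default of true is applied only when the field is nil; a BindDefinition that sets it to false produces SAs whose pods receive no API token unless the pod spec itself opts back in.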
Principal represents a requesting user or service account identity.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `user` _string_ | User is the requesting user in the SubjectAccessReview request. | | Optional: {} |
| `groups` _string array_ | Groups is the requesting user's groups in the SubjectAccessReview request. | | Optional: {} |
| `namespace` _string_ | Namespace is the requesting user's namespace in case the requesting user is a ServiceAccount. | | Optional: {} |
RoleDefinition is the Schema for the roledefinitions API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | `authorization.t-caas.telekom.com/v1alpha1` | | |
| `kind` _string_ | `RoleDefinition` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _RoleDefinitionSpec_ | | | |
| `status` _RoleDefinitionStatus_ | | | |
RoleDefinitionSpec defines the desired state of RoleDefinition.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `targetRole` _string_ | The target role that will be reconciled. This can be a ClusterRole or a namespaced Role. | | Enum: [ClusterRole Role] <br> Required: {} |
| `targetName` _string_ | The name of the target role. This can be any name that accurately describes the ClusterRole/Role. Must be a valid Kubernetes name (max 63 characters for most resources). | | MaxLength: 63 <br> MinLength: 5 <br> Pattern: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` <br> Required: {} |
| `targetNamespace` _string_ | The target namespace for the Role. This value is necessary when "TargetRole" is "Role". | | Optional: {} |
| `scopeNamespaced` _boolean_ | The scope controls whether the API resource is namespaced or not. This can also be checked by running `kubectl api-resources --namespaced=true/false`. | | Required: {} |
| `restrictedApis` _APIGroup array_ | The restricted APIs field holds all API groups which will NOT be reconciled into the "TargetRole". The RBAC operator discovers all API groups available and removes those defined by "RestrictedAPIs". | | Optional: {} |
| `restrictedResources` _APIResource array_ | The restricted resources field holds all resources which will NOT be reconciled into the "TargetRole". The RBAC operator discovers all API resources available and removes those defined by "RestrictedResources". | | Optional: {} |
| `restrictedVerbs` _string array_ | The restricted verbs field holds all verbs which will NOT be reconciled into the "TargetRole". The RBAC operator discovers all resource verbs available and removes those defined by "RestrictedVerbs". | | Optional: {} |
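Added example (not from this reference or the operator): the subtractive discovery model that the three restricted* fields describe, together with the targetRole, targetName and targetNamespace constraints from the validation column, written as stand-alone Go. DiscoveredResource, PolicyRule, SampleDiscovery and SampleSpec are constructed here; restrictedApis and restrictedResources are reduced to plain group and resource name strings, which is an assumption about the APIGroup and APIResource types the CRD actually uses.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// DiscoveredResource is a constructed stand-in for one entry of API discovery output; not the operator's type.
type DiscoveredResource struct {
	Group, Name string // Group "" is the core group
	Namespaced  bool
	Verbs       []string
}
// RoleDefinitionSpec mirrors the spec table; restrictedApis/restrictedResources are modelled as plain
// group and resource names (an assumption; the CRD uses APIGroup and APIResource objects).
type RoleDefinitionSpec struct {
	TargetRole, TargetName, TargetNamespace              string
	ScopeNamespaced                                      bool
	RestrictedApis, RestrictedResources, RestrictedVerbs []string
}
// PolicyRule is the rbacv1.PolicyRule shape reduced to the fields this example fills.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

var namePattern = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`) // the Pattern from the validation column

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

// Validate enforces the constraints listed in the spec table before any discovery work is done.
func Validate(spec RoleDefinitionSpec) error {
	if spec.TargetRole != "ClusterRole" && spec.TargetRole != "Role" {
		return fmt.Errorf("targetRole must be ClusterRole or Role, got %q", spec.TargetRole)
	}
	if n := len(spec.TargetName); n < 5 || n > 63 || !namePattern.MatchString(spec.TargetName) {
		return fmt.Errorf("targetName %q violates MinLength 5, MaxLength 63 or pattern %s", spec.TargetName, namePattern)
	}
	if spec.TargetRole == "Role" && spec.TargetNamespace == "" {
		return fmt.Errorf("targetNamespace is required when targetRole is Role")
	}
	return nil
}

// BuildRules applies the subtractive model from the table: every discovered resource whose scope matches
// scopeNamespaced is granted, minus restricted API groups, resources and verbs. One rule per (group, resource)
// in sorted order keeps the output deterministic so it can be diffed against the live role.
func BuildRules(spec RoleDefinitionSpec, discovered []DiscoveredResource) []PolicyRule {
	var rules []PolicyRule
	for _, r := range discovered {
		if r.Namespaced != spec.ScopeNamespaced || contains(spec.RestrictedApis, r.Group) || contains(spec.RestrictedResources, r.Name) {
			continue
		}
		var verbs []string
		for _, v := range r.Verbs {
			if !contains(spec.RestrictedVerbs, v) {
				verbs = append(verbs, v)
			}
		}
		if len(verbs) > 0 { // a resource whose every verb is restricted yields no rule at all
			rules = append(rules, PolicyRule{[]string{r.Group}, []string{r.Name}, verbs})
		}
	}
	sort.Slice(rules, func(i, j int) bool {
		if rules[i].APIGroups[0] != rules[j].APIGroups[0] {
			return rules[i].APIGroups[0] < rules[j].APIGroups[0]
		}
		return rules[i].Resources[0] < rules[j].Resources[0]
	})
	return rules
}

// SampleDiscovery is a constructed discovery result covering both scopes and several API groups.
func SampleDiscovery() []DiscoveredResource {
	return []DiscoveredResource{
		{"", "pods", true, []string{"get", "list", "watch", "create", "delete"}},
		{"", "secrets", true, []string{"get", "list", "watch", "create", "delete"}},
		{"", "nodes", false, []string{"get", "list", "watch"}},
		{"apps", "deployments", true, []string{"get", "list", "create", "delete"}},
		{"rbac.authorization.k8s.io", "roles", true, []string{"get", "list", "create", "delete", "bind", "escalate"}},
	}
}

// SampleSpec is a constructed namespaced Role that must never touch Secrets or RBAC objects, nor delete anything.
func SampleSpec() RoleDefinitionSpec {
	return RoleDefinitionSpec{
		TargetRole: "Role", TargetName: "dev-edit", TargetNamespace: "team-a", ScopeNamespaced: true,
		RestrictedApis: []string{"rbac.authorization.k8s.io"}, RestrictedResources: []string{"secrets"}, RestrictedVerbs: []string{"delete"},
	}
}

func main() {
	spec := SampleSpec()
	fmt.Println("validation:", Validate(spec))
	fmt.Printf("rules: %+v\n", BuildRules(spec, SampleDiscovery()))
}
```

The property worth checking against a real cluster follows directly from the model: because the role starts from everything discovery returns, a newly installed CRD or API group is granted on the next reconcile unless it is covered by restrictedApis or restrictedResources, so the role grows with the cluster. Keeping RBAC-related verbs such as bind and escalate, and resources such as secrets, in the restricted lists is what stops such a broad role from turning into a privilege-escalation path.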
RoleDefinitionStatus defines the observed state of RoleDefinition.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `observedGeneration` _integer_ | ObservedGeneration is the last observed generation of the resource. This is used by kstatus to determine if the resource is current. | | Optional: {} |
| `roleReconciled` _boolean_ | Not extremely important, as most status updates are driven by Conditions. We read the JSONPath from this status field to signify completed reconciliation. | | Optional: {} |
| `conditions` _Condition array_ | Conditions defines the current service state of the RoleDefinition. All conditions should evaluate to true to signify successful reconciliation. | | Optional: {} |
WebhookAuthorizer is the Schema for the webhookauthorizers API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | `authorization.t-caas.telekom.com/v1alpha1` | | |
| `kind` _string_ | `WebhookAuthorizer` | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `spec` _WebhookAuthorizerSpec_ | | | |
| `status` _WebhookAuthorizerStatus_ | | | |
WebhookAuthorizerSpec defines the desired state of WebhookAuthorizer.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `resourceRules` _ResourceRule array_ | Resources which will be used to evaluate the SubjectAccessReviewSpec.ResourceAttributes. | | Optional: {} |
| `nonResourceRules` _NonResourceRule array_ | Resources which will be used to evaluate the SubjectAccessReviewSpec.NonResourceAttributes. | | Optional: {} |
| `allowedPrincipals` _Principal array_ | AllowedPrincipals is a slice of principals this authorizer should allow. | | Optional: {} |
| `deniedPrincipals` _Principal array_ | DeniedPrincipals is a slice of principals this authorizer should deny. | | Optional: {} |
| `namespaceSelector` _LabelSelector_ | NamespaceSelector is a label selector to match namespaces that should allow the specified API calls. | | Optional: {} |
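Added example (not the operator's authorizer): one way the allowedPrincipals, deniedPrincipals and namespaceSelector fields could be evaluated against the SubjectAccessReview fields that the Principal type refers to. The matching rule (unset Principal fields are wildcards; any shared group matches) and the precedence (a denied principal first, then the namespace selector, then allowed principals, otherwise no opinion) are choices made for this example because the page does not state them; resourceRules and nonResourceRules are not modelled, namespaceSelector is reduced to matchLabels, and everything returned by Sample is constructed.

```go
package main

import "fmt"

// Principal mirrors the page's Principal type; unset fields are wildcards (this example's assumption).
type Principal struct {
	User, Namespace string
	Groups          []string
}
// Request holds the SubjectAccessReview fields looked at: caller user, groups, SA namespace, target namespace.
type Request struct {
	User, Namespace, TargetNamespace string
	Groups                           []string
}
type Decision string
const (
	Allow     Decision = "Allow"
	Deny      Decision = "Deny"
	NoOpinion Decision = "NoOpinion" // leave the call to the next authorizer in the chain
)
// WebhookAuthorizerSpec keeps the principal lists from the spec table; namespaceSelector is reduced to matchLabels.
type WebhookAuthorizerSpec struct {
	AllowedPrincipals, DeniedPrincipals []Principal
	NamespaceMatchLabels                map[string]string
}

// Matches reports whether the request identity satisfies every field set on the Principal.
func (p Principal) Matches(r Request) bool {
	if (p.User != "" && p.User != r.User) || (p.Namespace != "" && p.Namespace != r.Namespace) {
		return false
	}
	if len(p.Groups) == 0 {
		return true
	}
	for _, want := range p.Groups {
		for _, have := range r.Groups {
			if want == have {
				return true
			}
		}
	}
	return false
}

func anyMatch(ps []Principal, r Request) bool {
	for _, p := range ps {
		if p.Matches(r) {
			return true
		}
	}
	return false
}

// selectorMatches: an empty selector matches every namespace, otherwise every label must be present.
func selectorMatches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Evaluate applies a fail-safe order that is this example's choice (the page states no precedence): a denied
// principal always wins, the namespace selector gates allows, and anything else is NoOpinion so the request
// falls through to RBAC instead of being granted here.
func Evaluate(spec WebhookAuthorizerSpec, r Request, nsLabels map[string]map[string]string) Decision {
	if anyMatch(spec.DeniedPrincipals, r) {
		return Deny
	}
	if !selectorMatches(spec.NamespaceMatchLabels, nsLabels[r.TargetNamespace]) {
		return NoOpinion
	}
	if anyMatch(spec.AllowedPrincipals, r) {
		return Allow
	}
	return NoOpinion
}

// Sample is a constructed authorizer: allow the "platform-ops" group in namespaces labelled tier=platform,
// but always deny the "legacy-ci" ServiceAccount from namespace "build".
func Sample() (WebhookAuthorizerSpec, map[string]map[string]string) {
	spec := WebhookAuthorizerSpec{
		AllowedPrincipals:    []Principal{{Groups: []string{"platform-ops"}}},
		DeniedPrincipals:     []Principal{{User: "system:serviceaccount:build:legacy-ci", Namespace: "build"}},
		NamespaceMatchLabels: map[string]string{"tier": "platform"},
	}
	return spec, map[string]map[string]string{"platform-system": {"tier": "platform"}, "team-a": {"tier": "tenant"}}
}

func main() {
	spec, ns := Sample()
	for _, r := range []Request{
		{User: "alice", Groups: []string{"platform-ops"}, TargetNamespace: "platform-system"},
		{User: "alice", Groups: []string{"platform-ops"}, TargetNamespace: "team-a"},
		{User: "system:serviceaccount:build:legacy-ci", Namespace: "build", Groups: []string{"platform-ops"}, TargetNamespace: "platform-system"},
	} {
		fmt.Printf("%s in %s -> %s\n", r.User, r.TargetNamespace, Evaluate(spec, r, ns))
	}
}
```

Returning NoOpinion rather than Deny for unmatched requests matters when this webhook sits in an authorizer chain: Deny short-circuits the chain, while NoOpinion lets RBAC decide. Whatever the real operator's precedence turns out to be, the legacy-ci case above (a denied principal that also belongs to an allowed group) is the regression test to keep.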
WebhookAuthorizerStatus defines the observed state of WebhookAuthorizer.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `observedGeneration` _integer_ | ObservedGeneration is the last observed generation of the resource. This is used by kstatus to determine if the resource is current. | | Optional: {} |
| `authorizerConfigured` _boolean_ | Not extremely important, as most status updates are driven by Conditions. We read the JSONPath from this status field to signify that the webhook authorizer is configured. | | Optional: {} |
| `conditions` _Condition array_ | Conditions defines the current service state of the WebhookAuthorizer. All conditions should evaluate to true to signify successful configuration. | | Optional: {} |