From 8d0668b77372cbff517ce3da9f324c158f3a61bc Mon Sep 17 00:00:00 2001
From: Micah Hausler
Date: Tue, 29 Oct 2024 16:53:48 -0500
Subject: [PATCH] Standardized principal extra key name
---
 cedarschema/k8s-authorization.cedarschema | 6 +-
 .../k8s-authorization.cedarschema.json | 6 +-
 cedarschema/k8s-full.cedarschema | 564 +----
 cedarschema/k8s-full.cedarschema.json | 2123 +----------------
 demo/admission-policy.yaml | 23 +-
 demo/authorization-policy.yaml | 12 +-
 docs/CedarSchemas.md | 19 +-
 docs/Demo.md | 10 +-
 docs/Limitations.md | 2 +-
 internal/schema/user_entities.go | 11 +-
 internal/server/authorizer/authorizer.go | 2 +-
 .../server/authorizer/entitiy_builders.go | 15 +-
 internal/server/handler.go | 3 +
 13 files changed, 75 insertions(+), 2721 deletions(-)
diff --git a/cedarschema/k8s-authorization.cedarschema b/cedarschema/k8s-authorization.cedarschema
index e537db2..76589a3 100644
--- a/cedarschema/k8s-authorization.cedarschema
+++ b/cedarschema/k8s-authorization.cedarschema
@@ -15,7 +15,7 @@ namespace k8s {
 };
 entity Group;
 entity Node in [Group] = {
- "extras"?: Set < Extra >,
+ "extra"?: Set < Extra >,
 "name": __cedar::String
 };
 entity NonResourceURL = {
@@ -31,12 +31,12 @@ namespace k8s {
 "subresource"?: __cedar::String
 };
 entity ServiceAccount in [Group] = {
- "extras"?: Set < Extra >,
+ "extra"?: Set < Extra >,
 "name": __cedar::String,
 "namespace": __cedar::String
 };
 entity User in [Group] = {
- "extras"?: Set < Extra >,
+ "extra"?: Set < Extra >,
 "name": __cedar::String
 };
 entity UserUID;
diff --git a/cedarschema/k8s-authorization.cedarschema.json b/cedarschema/k8s-authorization.cedarschema.json
index 73841b3..327c814 100644
--- a/cedarschema/k8s-authorization.cedarschema.json
+++ b/cedarschema/k8s-authorization.cedarschema.json
@@ -11,7 +11,7 @@
 "shape": {
 "type": "Record",
 "attributes": {
- "extras": {
+ "extra": {
 "type": "Set",
 "required": false,
 "element": {
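Review bot: Renaming the principal attribute from `extras` to `extra` in the `@@ -15,7` and `@@ -31,12` hunks breaks any already-deployed policy that still reads `principal.extras`, and only the demo policies listed in the diffstat are updated here. In Cedar, `principal has extras` becomes false and a bare `principal.extras` access is an evaluation error that causes that policy to be skipped, so a `forbid` keyed on the old name silently stops applying instead of failing closed — unless the policy loader validates policies against the schema, which is not visible in this patch. The three `k8s-authorization.cedarschema.json` hunks (`@@ -11,7`, `@@ -84,7`, `@@ -109,7`) share the same concern. Suggest a comment above each renamed attribute in the human-readable schema, `// renamed from "extras"; policies must reference principal.extra`, plus a line in the commit description saying existing policies need updating. Separately, the diffstat shows `k8s-full.cedarschema` losing 564 lines and the visible start of that hunk drops the `io::cert_manager` types from the resource lists, which the title does not explain — presumably a regeneration against a cluster without cert-manager installed, and worth stating in the description since it narrows what those policies can target.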
@@ -84,7 +84,7 @@
 "shape": {
 "type": "Record",
 "attributes": {
- "extras": {
+ "extra": {
 "type": "Set",
 "required": false,
 "element": {
@@ -109,7 +109,7 @@
 "shape": {
 "type": "Record",
 "attributes": {
- "extras": {
+ "extra": {
 "type": "Set",
 "required": false,
 "element": {
diff --git a/cedarschema/k8s-full.cedarschema b/cedarschema/k8s-full.cedarschema
index a315fb1..43a00b1 100644
--- a/cedarschema/k8s-full.cedarschema
+++ b/cedarschema/k8s-full.cedarschema
@@ -1,27 +1,27 @@ namespace k8s::admission { action "all" appliesTo { principal: [k8s::Group, k8s::Node, k8s::ServiceAccount, k8s::User], - resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, core::v1::Event, core::v1::EventList, core::v1::LimitRange, core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, 
core::v1::NodeList, core::v1::PersistentVolume, core::v1::PersistentVolumeClaim, core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, io::cert_manager::acme::v1::Challenge, io::cert_manager::acme::v1::ChallengeList, io::cert_manager::acme::v1::Order, io::cert_manager::acme::v1::OrderList, io::cert_manager::v1::Certificate, io::cert_manager::v1::CertificateList, io::cert_manager::v1::CertificateRequest, io::cert_manager::v1::CertificateRequestList, io::cert_manager::v1::ClusterIssuer, io::cert_manager::v1::ClusterIssuerList, io::cert_manager::v1::Issuer, io::cert_manager::v1::IssuerList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, 
storage::v1::CSIDriver, storage::v1::CSIDriverList, storage::v1::CSINode, storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], + resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, 
core::v1::Event, core::v1::EventList, core::v1::LimitRange, core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, core::v1::NodeList, core::v1::PersistentVolume, core::v1::PersistentVolumeClaim, core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, storage::v1::CSIDriver, storage::v1::CSIDriverList, storage::v1::CSINode, storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], context: {} }; action 
"connect" in [Action::"all"] appliesTo { principal: [k8s::Group, k8s::Node, k8s::ServiceAccount, k8s::User], - resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, core::v1::Event, core::v1::EventList, core::v1::LimitRange, core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, core::v1::NodeList, 
core::v1::PersistentVolume, core::v1::PersistentVolumeClaim, core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, io::cert_manager::acme::v1::Challenge, io::cert_manager::acme::v1::ChallengeList, io::cert_manager::acme::v1::Order, io::cert_manager::acme::v1::OrderList, io::cert_manager::v1::Certificate, io::cert_manager::v1::CertificateList, io::cert_manager::v1::CertificateRequest, io::cert_manager::v1::CertificateRequestList, io::cert_manager::v1::ClusterIssuer, io::cert_manager::v1::ClusterIssuerList, io::cert_manager::v1::Issuer, io::cert_manager::v1::IssuerList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, storage::v1::CSIDriver, 
storage::v1::CSIDriverList, storage::v1::CSINode, storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], + resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, core::v1::Event, 
core::v1::EventList, core::v1::LimitRange, core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, core::v1::NodeList, core::v1::PersistentVolume, core::v1::PersistentVolumeClaim, core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, storage::v1::CSIDriver, storage::v1::CSIDriverList, storage::v1::CSINode, storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], context: {} }; action "create" in 
[Action::"all"] appliesTo { principal: [k8s::Group, k8s::Node, k8s::ServiceAccount, k8s::User], - resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, core::v1::Event, core::v1::EventList, core::v1::LimitRange, core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, core::v1::NodeList, core::v1::PersistentVolume, 
core::v1::PersistentVolumeClaim, core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, io::cert_manager::acme::v1::Challenge, io::cert_manager::acme::v1::ChallengeList, io::cert_manager::acme::v1::Order, io::cert_manager::acme::v1::OrderList, io::cert_manager::v1::Certificate, io::cert_manager::v1::CertificateList, io::cert_manager::v1::CertificateRequest, io::cert_manager::v1::CertificateRequestList, io::cert_manager::v1::ClusterIssuer, io::cert_manager::v1::ClusterIssuerList, io::cert_manager::v1::Issuer, io::cert_manager::v1::IssuerList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, storage::v1::CSIDriver, storage::v1::CSIDriverList, 
storage::v1::CSINode, storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], + resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, core::v1::Event, core::v1::EventList, core::v1::LimitRange, 
core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, core::v1::NodeList, core::v1::PersistentVolume, core::v1::PersistentVolumeClaim, core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, storage::v1::CSIDriver, storage::v1::CSIDriverList, storage::v1::CSINode, storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], context: {} }; action "delete" in [Action::"all"] appliesTo { principal: [k8s::Group, 
k8s::Node, k8s::ServiceAccount, k8s::User], - resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, core::v1::Event, core::v1::EventList, core::v1::LimitRange, core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, core::v1::NodeList, core::v1::PersistentVolume, core::v1::PersistentVolumeClaim, 
core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, io::cert_manager::acme::v1::Challenge, io::cert_manager::acme::v1::ChallengeList, io::cert_manager::acme::v1::Order, io::cert_manager::acme::v1::OrderList, io::cert_manager::v1::Certificate, io::cert_manager::v1::CertificateList, io::cert_manager::v1::CertificateRequest, io::cert_manager::v1::CertificateRequestList, io::cert_manager::v1::ClusterIssuer, io::cert_manager::v1::ClusterIssuerList, io::cert_manager::v1::Issuer, io::cert_manager::v1::IssuerList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, storage::v1::CSIDriver, storage::v1::CSIDriverList, storage::v1::CSINode, 
storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], + resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, core::v1::Event, core::v1::EventList, core::v1::LimitRange, 
core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, core::v1::NodeList, core::v1::PersistentVolume, core::v1::PersistentVolumeClaim, core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, storage::v1::CSIDriver, storage::v1::CSIDriverList, storage::v1::CSINode, storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], context: {} }; action "update" in [Action::"all"] appliesTo { principal: [k8s::Group, 
k8s::Node, k8s::ServiceAccount, k8s::User], - resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, core::v1::Event, core::v1::EventList, core::v1::LimitRange, core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, core::v1::NodeList, core::v1::PersistentVolume, core::v1::PersistentVolumeClaim, 
core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, io::cert_manager::acme::v1::Challenge, io::cert_manager::acme::v1::ChallengeList, io::cert_manager::acme::v1::Order, io::cert_manager::acme::v1::OrderList, io::cert_manager::v1::Certificate, io::cert_manager::v1::CertificateList, io::cert_manager::v1::CertificateRequest, io::cert_manager::v1::CertificateRequestList, io::cert_manager::v1::ClusterIssuer, io::cert_manager::v1::ClusterIssuerList, io::cert_manager::v1::Issuer, io::cert_manager::v1::IssuerList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, storage::v1::CSIDriver, storage::v1::CSIDriverList, storage::v1::CSINode, 
storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], + resource: [admissionregistration::v1::MutatingWebhookConfiguration, admissionregistration::v1::MutatingWebhookConfigurationList, admissionregistration::v1::ValidatingAdmissionPolicy, admissionregistration::v1::ValidatingAdmissionPolicyBinding, admissionregistration::v1::ValidatingAdmissionPolicyBindingList, admissionregistration::v1::ValidatingAdmissionPolicyList, admissionregistration::v1::ValidatingWebhookConfiguration, admissionregistration::v1::ValidatingWebhookConfigurationList, apps::v1::ControllerRevision, apps::v1::ControllerRevisionList, apps::v1::DaemonSet, apps::v1::DaemonSetList, apps::v1::Deployment, apps::v1::DeploymentList, apps::v1::ReplicaSet, apps::v1::ReplicaSetList, apps::v1::StatefulSet, apps::v1::StatefulSetList, authentication::v1::SelfSubjectReview, authentication::v1::TokenRequest, authentication::v1::TokenReview, authorization::v1::LocalSubjectAccessReview, authorization::v1::SelfSubjectAccessReview, authorization::v1::SelfSubjectRulesReview, authorization::v1::SubjectAccessReview, autoscaling::v1::HorizontalPodAutoscaler, autoscaling::v1::HorizontalPodAutoscalerList, autoscaling::v1::Scale, autoscaling::v2::HorizontalPodAutoscaler, autoscaling::v2::HorizontalPodAutoscalerList, aws::k8s::cedar::v1alpha1::Policy, aws::k8s::cedar::v1alpha1::PolicyList, batch::v1::CronJob, batch::v1::CronJobList, batch::v1::Job, batch::v1::JobList, certificates::v1::CertificateSigningRequest, certificates::v1::CertificateSigningRequestList, coordination::v1::Lease, coordination::v1::LeaseList, core::v1::Binding, core::v1::ComponentStatus, core::v1::ComponentStatusList, core::v1::ConfigMap, core::v1::ConfigMapList, core::v1::Endpoints, core::v1::EndpointsList, core::v1::Event, core::v1::EventList, core::v1::LimitRange, 
core::v1::LimitRangeList, core::v1::Namespace, core::v1::NamespaceList, core::v1::Node, core::v1::NodeList, core::v1::PersistentVolume, core::v1::PersistentVolumeClaim, core::v1::PersistentVolumeClaimList, core::v1::PersistentVolumeList, core::v1::Pod, core::v1::PodList, core::v1::PodTemplate, core::v1::PodTemplateList, core::v1::ReplicationController, core::v1::ReplicationControllerList, core::v1::ResourceQuota, core::v1::ResourceQuotaList, core::v1::Secret, core::v1::SecretList, core::v1::Service, core::v1::ServiceAccount, core::v1::ServiceAccountList, core::v1::ServiceList, discovery::v1::EndpointSlice, discovery::v1::EndpointSliceList, events::v1::Event, events::v1::EventList, flowcontrol::v1::FlowSchema, flowcontrol::v1::FlowSchemaList, flowcontrol::v1::PriorityLevelConfiguration, flowcontrol::v1::PriorityLevelConfigurationList, flowcontrol::v1beta3::FlowSchema, flowcontrol::v1beta3::FlowSchemaList, flowcontrol::v1beta3::PriorityLevelConfiguration, flowcontrol::v1beta3::PriorityLevelConfigurationList, networking::v1::Ingress, networking::v1::IngressClass, networking::v1::IngressClassList, networking::v1::IngressList, networking::v1::NetworkPolicy, networking::v1::NetworkPolicyList, node::v1::RuntimeClass, node::v1::RuntimeClassList, policy::v1::Eviction, policy::v1::PodDisruptionBudget, policy::v1::PodDisruptionBudgetList, rbac::v1::ClusterRole, rbac::v1::ClusterRoleBinding, rbac::v1::ClusterRoleBindingList, rbac::v1::ClusterRoleList, rbac::v1::Role, rbac::v1::RoleBinding, rbac::v1::RoleBindingList, rbac::v1::RoleList, scheduling::v1::PriorityClass, scheduling::v1::PriorityClassList, storage::v1::CSIDriver, storage::v1::CSIDriverList, storage::v1::CSINode, storage::v1::CSINodeList, storage::v1::CSIStorageCapacity, storage::v1::CSIStorageCapacityList, storage::v1::StorageClass, storage::v1::StorageClassList, storage::v1::VolumeAttachment, storage::v1::VolumeAttachmentList], context: {} }; } 
@@ -43,7 +43,7 @@ namespace k8s { }; entity Group; entity Node in [Group] = { - "extras"?: Set < Extra >, + "extra"?: Set < Extra >, "name": __cedar::String }; entity NonResourceURL = { @@ -59,12 +59,12 @@ namespace k8s { "subresource"?: __cedar::String }; entity ServiceAccount in [Group] = { - "extras"?: Set < Extra >, + "extra"?: Set < Extra >, "name": __cedar::String, "namespace": __cedar::String }; entity User in [Group] = { - "extras"?: Set < Extra >, + "extra"?: Set < Extra >, "name": __cedar::String }; entity UserUID; 
@@ -2508,552 +2508,6 @@ namespace flowcontrol::v1 { }; } -namespace io::cert_manager::v1 { - entity Certificate = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata"?: meta::v1::ObjectMeta, - "spec"?: { - "commonName"?: __cedar::String, - "dnsNames"?: Set < __cedar::String >, - "duration"?: __cedar::String, - "emailAddresses"?: Set < __cedar::String >, - "encodeUsagesInRequest"?: __cedar::Bool, - "ipAddresses"?: Set < __cedar::String >, - "isCA"?: __cedar::Bool, - "issuerRef"?: { - "group"?: __cedar::String, - "kind"?: __cedar::String, - "name"?: __cedar::String - }, - "keystores"?: { - "jks"?: { - "alias"?: __cedar::String, - "create"?: __cedar::Bool, - "passwordSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "pkcs12"?: { - "create"?: __cedar::Bool, - "passwordSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "profile"?: __cedar::String - } - }, - "literalSubject"?: __cedar::String, - "nameConstraints"?: { - "critical"?: __cedar::Bool, - "excluded"?: { - "dnsDomains"?: Set < __cedar::String >, - "emailAddresses"?: Set < __cedar::String >, - "ipRanges"?: Set < __cedar::String >, - "uriDomains"?: Set < __cedar::String > - }, - "permitted"?: { - "dnsDomains"?: Set < __cedar::String >, - "emailAddresses"?: Set < __cedar::String >, - "ipRanges"?: Set < __cedar::String >, - "uriDomains"?: Set < __cedar::String > - } - }, - "privateKey"?: { - "algorithm"?: __cedar::String, - "encoding"?: __cedar::String, - "rotationPolicy"?: __cedar::String, - "size"?: __cedar::Long - }, - "renewBefore"?: __cedar::String, - "renewBeforePercentage"?: __cedar::Long, - "revisionHistoryLimit"?: __cedar::Long, - "secretName"?: __cedar::String, - "secretTemplate"?: {}, - "subject"?: { - "countries"?: Set < __cedar::String >, - "localities"?: Set < __cedar::String >, - "organizationalUnits"?: Set < __cedar::String >, - "organizations"?: Set < __cedar::String >, - "postalCodes"?: Set < __cedar::String >, - 
"provinces"?: Set < __cedar::String >, - "serialNumber"?: __cedar::String, - "streetAddresses"?: Set < __cedar::String > - }, - "uris"?: Set < __cedar::String >, - "usages"?: Set < __cedar::String > - }, - "status"?: { - "failedIssuanceAttempts"?: __cedar::Long, - "lastFailureTime"?: __cedar::String, - "nextPrivateKeySecretName"?: __cedar::String, - "notAfter"?: __cedar::String, - "notBefore"?: __cedar::String, - "renewalTime"?: __cedar::String, - "revision"?: __cedar::Long - } - }; - entity CertificateList = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata"?: meta::v1::ListMeta - }; - entity CertificateRequest = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata"?: meta::v1::ObjectMeta, - "spec"?: { - "duration"?: __cedar::String, - "groups"?: Set < __cedar::String >, - "isCA"?: __cedar::Bool, - "issuerRef"?: { - "group"?: __cedar::String, - "kind"?: __cedar::String, - "name"?: __cedar::String - }, - "request"?: __cedar::String, - "uid"?: __cedar::String, - "usages"?: Set < __cedar::String >, - "username"?: __cedar::String - }, - "status"?: { - "ca"?: __cedar::String, - "certificate"?: __cedar::String, - "failureTime"?: __cedar::String - } - }; - entity CertificateRequestList = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata"?: meta::v1::ListMeta - }; - entity ClusterIssuer = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata"?: meta::v1::ObjectMeta, - "spec": { - "acme"?: { - "caBundle"?: __cedar::String, - "disableAccountKeyGeneration"?: __cedar::Bool, - "email"?: __cedar::String, - "enableDurationFeature"?: __cedar::Bool, - "externalAccountBinding"?: { - "keyAlgorithm"?: __cedar::String, - "keyID"?: __cedar::String, - "keySecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "preferredChain"?: __cedar::String, - "privateKeySecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "server"?: __cedar::String, - 
"skipTLSVerify"?: __cedar::Bool - }, - "ca"?: { - "crlDistributionPoints"?: Set < __cedar::String >, - "issuingCertificateURLs"?: Set < __cedar::String >, - "ocspServers"?: Set < __cedar::String >, - "secretName"?: __cedar::String - }, - "selfSigned"?: { - "crlDistributionPoints"?: Set < __cedar::String > - }, - "vault"?: { - "auth"?: { - "appRole"?: { - "path"?: __cedar::String, - "roleId"?: __cedar::String, - "secretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "clientCertificate"?: { - "mountPath"?: __cedar::String, - "name"?: __cedar::String, - "secretName"?: __cedar::String - }, - "kubernetes"?: { - "mountPath"?: __cedar::String, - "role"?: __cedar::String, - "secretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "serviceAccountRef"?: { - "audiences"?: Set < __cedar::String >, - "name"?: __cedar::String - } - }, - "tokenSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "caBundle"?: __cedar::String, - "caBundleSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "clientCertSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "clientKeySecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "namespace"?: __cedar::String, - "path"?: __cedar::String, - "server"?: __cedar::String - }, - "venafi"?: { - "cloud"?: { - "apiTokenSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "url"?: __cedar::String - }, - "tpp"?: { - "caBundle"?: __cedar::String, - "caBundleSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "credentialsRef"?: { - "name"?: __cedar::String - }, - "url"?: __cedar::String - }, - "zone"?: __cedar::String - } - }, - "status"?: { - "acme"?: { - "lastPrivateKeyHash"?: __cedar::String, - "lastRegisteredEmail"?: __cedar::String, - "uri"?: __cedar::String - } - } - }; - entity ClusterIssuerList = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - 
"metadata"?: meta::v1::ListMeta - }; - entity Issuer = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata"?: meta::v1::ObjectMeta, - "spec": { - "acme"?: { - "caBundle"?: __cedar::String, - "disableAccountKeyGeneration"?: __cedar::Bool, - "email"?: __cedar::String, - "enableDurationFeature"?: __cedar::Bool, - "externalAccountBinding"?: { - "keyAlgorithm"?: __cedar::String, - "keyID"?: __cedar::String, - "keySecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "preferredChain"?: __cedar::String, - "privateKeySecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "server"?: __cedar::String, - "skipTLSVerify"?: __cedar::Bool - }, - "ca"?: { - "crlDistributionPoints"?: Set < __cedar::String >, - "issuingCertificateURLs"?: Set < __cedar::String >, - "ocspServers"?: Set < __cedar::String >, - "secretName"?: __cedar::String - }, - "selfSigned"?: { - "crlDistributionPoints"?: Set < __cedar::String > - }, - "vault"?: { - "auth"?: { - "appRole"?: { - "path"?: __cedar::String, - "roleId"?: __cedar::String, - "secretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "clientCertificate"?: { - "mountPath"?: __cedar::String, - "name"?: __cedar::String, - "secretName"?: __cedar::String - }, - "kubernetes"?: { - "mountPath"?: __cedar::String, - "role"?: __cedar::String, - "secretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "serviceAccountRef"?: { - "audiences"?: Set < __cedar::String >, - "name"?: __cedar::String - } - }, - "tokenSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "caBundle"?: __cedar::String, - "caBundleSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "clientCertSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "clientKeySecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "namespace"?: __cedar::String, - "path"?: __cedar::String, - "server"?: 
__cedar::String - }, - "venafi"?: { - "cloud"?: { - "apiTokenSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "url"?: __cedar::String - }, - "tpp"?: { - "caBundle"?: __cedar::String, - "caBundleSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "credentialsRef"?: { - "name"?: __cedar::String - }, - "url"?: __cedar::String - }, - "zone"?: __cedar::String - } - }, - "status"?: { - "acme"?: { - "lastPrivateKeyHash"?: __cedar::String, - "lastRegisteredEmail"?: __cedar::String, - "uri"?: __cedar::String - } - } - }; - entity IssuerList = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata"?: meta::v1::ListMeta - }; -} - -namespace io::cert_manager::acme::v1 { - entity Challenge = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata": meta::v1::ObjectMeta, - "spec": { - "authorizationURL"?: __cedar::String, - "dnsName"?: __cedar::String, - "issuerRef"?: { - "group"?: __cedar::String, - "kind"?: __cedar::String, - "name"?: __cedar::String - }, - "key"?: __cedar::String, - "solver"?: { - "dns01"?: { - "acmeDNS"?: { - "accountSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "host"?: __cedar::String - }, - "akamai"?: { - "accessTokenSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "clientSecretSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "clientTokenSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "serviceConsumerDomain"?: __cedar::String - }, - "azureDNS"?: { - "clientID"?: __cedar::String, - "clientSecretSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "environment"?: __cedar::String, - "hostedZoneName"?: __cedar::String, - "managedIdentity"?: { - "clientID"?: __cedar::String, - "resourceID"?: __cedar::String - }, - "resourceGroupName"?: __cedar::String, - "subscriptionID"?: __cedar::String, - "tenantID"?: __cedar::String - }, - 
"cloudDNS"?: { - "hostedZoneName"?: __cedar::String, - "project"?: __cedar::String, - "serviceAccountSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "cloudflare"?: { - "apiKeySecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "apiTokenSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "email"?: __cedar::String - }, - "cnameStrategy"?: __cedar::String, - "digitalocean"?: { - "tokenSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "rfc2136"?: { - "nameserver"?: __cedar::String, - "tsigAlgorithm"?: __cedar::String, - "tsigKeyName"?: __cedar::String, - "tsigSecretSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "route53"?: { - "accessKeyID"?: __cedar::String, - "accessKeyIDSecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - }, - "auth"?: { - "kubernetes"?: { - "serviceAccountRef"?: { - "audiences"?: Set < __cedar::String >, - "name"?: __cedar::String - } - } - }, - "hostedZoneID"?: __cedar::String, - "region"?: __cedar::String, - "role"?: __cedar::String, - "secretAccessKeySecretRef"?: { - "key"?: __cedar::String, - "name"?: __cedar::String - } - }, - "webhook"?: { - "groupName"?: __cedar::String, - "solverName"?: __cedar::String - } - }, - "http01"?: { - "gatewayHTTPRoute"?: { - "podTemplate"?: core::v1::PodTemplate, - "serviceType"?: __cedar::String - }, - "ingress"?: { - "class"?: __cedar::String, - "ingressClassName"?: __cedar::String, - "ingressTemplate"?: { - "metadata"?: {} - }, - "name"?: __cedar::String, - "podTemplate"?: core::v1::PodTemplate, - "serviceType"?: __cedar::String - } - }, - "selector"?: { - "dnsNames"?: Set < __cedar::String >, - "dnsZones"?: Set < __cedar::String > - } - }, - "token"?: __cedar::String, - "type"?: __cedar::String, - "url"?: __cedar::String, - "wildcard"?: __cedar::Bool - }, - "status"?: { - "presented"?: __cedar::Bool, - "processing"?: __cedar::Bool, - "reason"?: 
__cedar::String, - "state"?: __cedar::String - } - }; - entity ChallengeList = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata"?: meta::v1::ListMeta - }; - entity Order = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata": meta::v1::ObjectMeta, - "spec": { - "commonName"?: __cedar::String, - "dnsNames"?: Set < __cedar::String >, - "duration"?: __cedar::String, - "ipAddresses"?: Set < __cedar::String >, - "issuerRef"?: { - "group"?: __cedar::String, - "kind"?: __cedar::String, - "name"?: __cedar::String - }, - "request"?: __cedar::String - }, - "status"?: { - "certificate"?: __cedar::String, - "failureTime"?: __cedar::String, - "finalizeURL"?: __cedar::String, - "reason"?: __cedar::String, - "state"?: __cedar::String, - "url"?: __cedar::String - } - }; - entity OrderList = { - "apiVersion"?: __cedar::String, - "kind"?: __cedar::String, - "metadata"?: meta::v1::ListMeta - }; -} - namespace meta::v1 { type KeyValue = { "key": __cedar::String, @@ -3592,7 +3046,7 @@ namespace aws::k8s::cedar::v1alpha1 { "apiVersion"?: __cedar::String, "kind"?: __cedar::String, "metadata"?: meta::v1::ObjectMeta, - "spec"?: { + "spec": { "content"?: __cedar::String } }; diff --git a/cedarschema/k8s-full.cedarschema.json b/cedarschema/k8s-full.cedarschema.json index a97543e..7e16b41 100644 --- a/cedarschema/k8s-full.cedarschema.json +++ b/cedarschema/k8s-full.cedarschema.json @@ -2857,7 +2857,7 @@ }, "spec": { "type": "Record", - "required": false, + "required": true, "attributes": { "content": { "type": "String", 
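Review bot: The `@@ -3592,7 +3046,7 @@` hunk on this line changes `"spec"?:` to `"spec":` on `aws::k8s::cedar::v1alpha1::Policy` (mirrored by `"required": false` → `"required": true` in the JSON schema hunk that follows), which is a semantic schema change the commit title and description about the principal `extra` key never mention. A required attribute lets the Cedar validator accept `resource.spec.content` in policies without a `resource has spec` guard, and presumably an entity built for a Policy object with no `spec` record would then fail schema conformance, so this is not cosmetic for an authorizer. If this is generator output from re-running against a cluster whose Policy CRD now marks `spec` required (and that has no cert-manager installed, which would also explain the 546 deleted `io::cert_manager` lines above), state that in the commit message; otherwise the schema-shape change belongs in its own commit. The `.cedarschema` and `.json` files do agree with each other on the flip, which is the main invariant to keep.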
@@ -10668,2061 +10668,6 @@ }, "actions": {} }, - "io::cert_manager::acme::v1": { - "entityTypes": { - "Challenge": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ObjectMeta", - "required": true - }, - "spec": { - "type": "Record", - "required": true, - "attributes": { - "authorizationURL": { - "type": "String", - "required": false - }, - "dnsName": { - "type": "String", - "required": false - }, - "issuerRef": { - "type": "Record", - "required": false, - "attributes": { - "group": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "key": { - "type": "String", - "required": false - }, - "solver": { - "type": "Record", - "required": false, - "attributes": { - "dns01": { - "type": "Record", - "required": false, - "attributes": { - "acmeDNS": { - "type": "Record", - "required": false, - "attributes": { - "accountSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "host": { - "type": "String", - "required": false - } - } - }, - "akamai": { - "type": "Record", - "required": false, - "attributes": { - "accessTokenSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "clientSecretSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "clientTokenSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - 
"name": { - "type": "String", - "required": false - } - } - }, - "serviceConsumerDomain": { - "type": "String", - "required": false - } - } - }, - "azureDNS": { - "type": "Record", - "required": false, - "attributes": { - "clientID": { - "type": "String", - "required": false - }, - "clientSecretSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "environment": { - "type": "String", - "required": false - }, - "hostedZoneName": { - "type": "String", - "required": false - }, - "managedIdentity": { - "type": "Record", - "required": false, - "attributes": { - "clientID": { - "type": "String", - "required": false - }, - "resourceID": { - "type": "String", - "required": false - } - } - }, - "resourceGroupName": { - "type": "String", - "required": false - }, - "subscriptionID": { - "type": "String", - "required": false - }, - "tenantID": { - "type": "String", - "required": false - } - } - }, - "cloudDNS": { - "type": "Record", - "required": false, - "attributes": { - "hostedZoneName": { - "type": "String", - "required": false - }, - "project": { - "type": "String", - "required": false - }, - "serviceAccountSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "cloudflare": { - "type": "Record", - "required": false, - "attributes": { - "apiKeySecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "apiTokenSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "email": { - "type": "String", - "required": false 
- } - } - }, - "cnameStrategy": { - "type": "String", - "required": false - }, - "digitalocean": { - "type": "Record", - "required": false, - "attributes": { - "tokenSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "rfc2136": { - "type": "Record", - "required": false, - "attributes": { - "nameserver": { - "type": "String", - "required": false - }, - "tsigAlgorithm": { - "type": "String", - "required": false - }, - "tsigKeyName": { - "type": "String", - "required": false - }, - "tsigSecretSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "route53": { - "type": "Record", - "required": false, - "attributes": { - "accessKeyID": { - "type": "String", - "required": false - }, - "accessKeyIDSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "auth": { - "type": "Record", - "required": false, - "attributes": { - "kubernetes": { - "type": "Record", - "required": false, - "attributes": { - "serviceAccountRef": { - "type": "Record", - "required": false, - "attributes": { - "audiences": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "name": { - "type": "String", - "required": false - } - } - } - } - } - } - }, - "hostedZoneID": { - "type": "String", - "required": false - }, - "region": { - "type": "String", - "required": false - }, - "role": { - "type": "String", - "required": false - }, - "secretAccessKeySecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } 
- } - }, - "webhook": { - "type": "Record", - "required": false, - "attributes": { - "groupName": { - "type": "String", - "required": false - }, - "solverName": { - "type": "String", - "required": false - } - } - } - } - }, - "http01": { - "type": "Record", - "required": false, - "attributes": { - "gatewayHTTPRoute": { - "type": "Record", - "required": false, - "attributes": { - "podTemplate": { - "type": "core::v1::PodTemplate", - "required": false - }, - "serviceType": { - "type": "String", - "required": false - } - } - }, - "ingress": { - "type": "Record", - "required": false, - "attributes": { - "class": { - "type": "String", - "required": false - }, - "ingressClassName": { - "type": "String", - "required": false - }, - "ingressTemplate": { - "type": "Record", - "required": false, - "attributes": { - "metadata": { - "type": "Record", - "required": false, - "attributes": {} - } - } - }, - "name": { - "type": "String", - "required": false - }, - "podTemplate": { - "type": "core::v1::PodTemplate", - "required": false - }, - "serviceType": { - "type": "String", - "required": false - } - } - } - } - }, - "selector": { - "type": "Record", - "required": false, - "attributes": { - "dnsNames": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "dnsZones": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - } - } - } - } - }, - "token": { - "type": "String", - "required": false - }, - "type": { - "type": "String", - "required": false - }, - "url": { - "type": "String", - "required": false - }, - "wildcard": { - "type": "Boolean", - "required": false - } - } - }, - "status": { - "type": "Record", - "required": false, - "attributes": { - "presented": { - "type": "Boolean", - "required": false - }, - "processing": { - "type": "Boolean", - "required": false - }, - "reason": { - "type": "String", - "required": false - }, - "state": { - "type": "String", - "required": false - } - } - } - } - } - }, - 
"ChallengeList": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ListMeta", - "required": false - } - } - } - }, - "Order": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ObjectMeta", - "required": true - }, - "spec": { - "type": "Record", - "required": true, - "attributes": { - "commonName": { - "type": "String", - "required": false - }, - "dnsNames": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "duration": { - "type": "String", - "required": false - }, - "ipAddresses": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "issuerRef": { - "type": "Record", - "required": false, - "attributes": { - "group": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "request": { - "type": "String", - "required": false - } - } - }, - "status": { - "type": "Record", - "required": false, - "attributes": { - "certificate": { - "type": "String", - "required": false - }, - "failureTime": { - "type": "String", - "required": false - }, - "finalizeURL": { - "type": "String", - "required": false - }, - "reason": { - "type": "String", - "required": false - }, - "state": { - "type": "String", - "required": false - }, - "url": { - "type": "String", - "required": false - } - } - } - } - } - }, - "OrderList": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ListMeta", - "required": false - } - } - } - } - }, - "actions": {} 
- }, - "io::cert_manager::v1": { - "entityTypes": { - "Certificate": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ObjectMeta", - "required": false - }, - "spec": { - "type": "Record", - "required": false, - "attributes": { - "commonName": { - "type": "String", - "required": false - }, - "dnsNames": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "duration": { - "type": "String", - "required": false - }, - "emailAddresses": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "encodeUsagesInRequest": { - "type": "Boolean", - "required": false - }, - "ipAddresses": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "isCA": { - "type": "Boolean", - "required": false - }, - "issuerRef": { - "type": "Record", - "required": false, - "attributes": { - "group": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "keystores": { - "type": "Record", - "required": false, - "attributes": { - "jks": { - "type": "Record", - "required": false, - "attributes": { - "alias": { - "type": "String", - "required": false - }, - "create": { - "type": "Boolean", - "required": false - }, - "passwordSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "pkcs12": { - "type": "Record", - "required": false, - "attributes": { - "create": { - "type": "Boolean", - "required": false - }, - "passwordSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": 
false - } - } - }, - "profile": { - "type": "String", - "required": false - } - } - } - } - }, - "literalSubject": { - "type": "String", - "required": false - }, - "nameConstraints": { - "type": "Record", - "required": false, - "attributes": { - "critical": { - "type": "Boolean", - "required": false - }, - "excluded": { - "type": "Record", - "required": false, - "attributes": { - "dnsDomains": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "emailAddresses": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "ipRanges": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "uriDomains": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - } - } - }, - "permitted": { - "type": "Record", - "required": false, - "attributes": { - "dnsDomains": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "emailAddresses": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "ipRanges": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "uriDomains": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - } - } - } - } - }, - "privateKey": { - "type": "Record", - "required": false, - "attributes": { - "algorithm": { - "type": "String", - "required": false - }, - "encoding": { - "type": "String", - "required": false - }, - "rotationPolicy": { - "type": "String", - "required": false - }, - "size": { - "type": "Long", - "required": false - } - } - }, - "renewBefore": { - "type": "String", - "required": false - }, - "renewBeforePercentage": { - "type": "Long", - "required": false - }, - "revisionHistoryLimit": { - "type": "Long", - "required": false - }, - "secretName": { - "type": "String", - "required": false - }, - "secretTemplate": { - "type": "Record", - "required": false, - "attributes": {} - }, - "subject": { - "type": "Record", 
- "required": false, - "attributes": { - "countries": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "localities": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "organizationalUnits": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "organizations": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "postalCodes": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "provinces": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "serialNumber": { - "type": "String", - "required": false - }, - "streetAddresses": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - } - } - }, - "uris": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "usages": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - } - } - }, - "status": { - "type": "Record", - "required": false, - "attributes": { - "failedIssuanceAttempts": { - "type": "Long", - "required": false - }, - "lastFailureTime": { - "type": "String", - "required": false - }, - "nextPrivateKeySecretName": { - "type": "String", - "required": false - }, - "notAfter": { - "type": "String", - "required": false - }, - "notBefore": { - "type": "String", - "required": false - }, - "renewalTime": { - "type": "String", - "required": false - }, - "revision": { - "type": "Long", - "required": false - } - } - } - } - } - }, - "CertificateList": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ListMeta", - "required": false - } - } - } - }, - "CertificateRequest": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - 
"kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ObjectMeta", - "required": false - }, - "spec": { - "type": "Record", - "required": false, - "attributes": { - "duration": { - "type": "String", - "required": false - }, - "groups": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "isCA": { - "type": "Boolean", - "required": false - }, - "issuerRef": { - "type": "Record", - "required": false, - "attributes": { - "group": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "request": { - "type": "String", - "required": false - }, - "uid": { - "type": "String", - "required": false - }, - "usages": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "username": { - "type": "String", - "required": false - } - } - }, - "status": { - "type": "Record", - "required": false, - "attributes": { - "ca": { - "type": "String", - "required": false - }, - "certificate": { - "type": "String", - "required": false - }, - "failureTime": { - "type": "String", - "required": false - } - } - } - } - } - }, - "CertificateRequestList": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ListMeta", - "required": false - } - } - } - }, - "ClusterIssuer": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ObjectMeta", - "required": false - }, - "spec": { - "type": "Record", - "required": true, - "attributes": { - "acme": { - "type": "Record", - "required": false, - "attributes": { - "caBundle": { - "type": "String", - "required": false - }, - 
"disableAccountKeyGeneration": { - "type": "Boolean", - "required": false - }, - "email": { - "type": "String", - "required": false - }, - "enableDurationFeature": { - "type": "Boolean", - "required": false - }, - "externalAccountBinding": { - "type": "Record", - "required": false, - "attributes": { - "keyAlgorithm": { - "type": "String", - "required": false - }, - "keyID": { - "type": "String", - "required": false - }, - "keySecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "preferredChain": { - "type": "String", - "required": false - }, - "privateKeySecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "server": { - "type": "String", - "required": false - }, - "skipTLSVerify": { - "type": "Boolean", - "required": false - } - } - }, - "ca": { - "type": "Record", - "required": false, - "attributes": { - "crlDistributionPoints": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "issuingCertificateURLs": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "ocspServers": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "secretName": { - "type": "String", - "required": false - } - } - }, - "selfSigned": { - "type": "Record", - "required": false, - "attributes": { - "crlDistributionPoints": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - } - } - }, - "vault": { - "type": "Record", - "required": false, - "attributes": { - "auth": { - "type": "Record", - "required": false, - "attributes": { - "appRole": { - "type": "Record", - "required": false, - "attributes": { - "path": { - "type": "String", - "required": false - }, - "roleId": { - "type": 
"String", - "required": false - }, - "secretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "clientCertificate": { - "type": "Record", - "required": false, - "attributes": { - "mountPath": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - }, - "secretName": { - "type": "String", - "required": false - } - } - }, - "kubernetes": { - "type": "Record", - "required": false, - "attributes": { - "mountPath": { - "type": "String", - "required": false - }, - "role": { - "type": "String", - "required": false - }, - "secretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "serviceAccountRef": { - "type": "Record", - "required": false, - "attributes": { - "audiences": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "tokenSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "caBundle": { - "type": "String", - "required": false - }, - "caBundleSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "clientCertSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "clientKeySecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - 
"type": "String", - "required": false - } - } - }, - "namespace": { - "type": "String", - "required": false - }, - "path": { - "type": "String", - "required": false - }, - "server": { - "type": "String", - "required": false - } - } - }, - "venafi": { - "type": "Record", - "required": false, - "attributes": { - "cloud": { - "type": "Record", - "required": false, - "attributes": { - "apiTokenSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "url": { - "type": "String", - "required": false - } - } - }, - "tpp": { - "type": "Record", - "required": false, - "attributes": { - "caBundle": { - "type": "String", - "required": false - }, - "caBundleSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "credentialsRef": { - "type": "Record", - "required": false, - "attributes": { - "name": { - "type": "String", - "required": false - } - } - }, - "url": { - "type": "String", - "required": false - } - } - }, - "zone": { - "type": "String", - "required": false - } - } - } - } - }, - "status": { - "type": "Record", - "required": false, - "attributes": { - "acme": { - "type": "Record", - "required": false, - "attributes": { - "lastPrivateKeyHash": { - "type": "String", - "required": false - }, - "lastRegisteredEmail": { - "type": "String", - "required": false - }, - "uri": { - "type": "String", - "required": false - } - } - } - } - } - } - } - }, - "ClusterIssuerList": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ListMeta", - "required": false - } - } - } - }, - "Issuer": { - "shape": { - "type": "Record", - "attributes": { - 
"apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ObjectMeta", - "required": false - }, - "spec": { - "type": "Record", - "required": true, - "attributes": { - "acme": { - "type": "Record", - "required": false, - "attributes": { - "caBundle": { - "type": "String", - "required": false - }, - "disableAccountKeyGeneration": { - "type": "Boolean", - "required": false - }, - "email": { - "type": "String", - "required": false - }, - "enableDurationFeature": { - "type": "Boolean", - "required": false - }, - "externalAccountBinding": { - "type": "Record", - "required": false, - "attributes": { - "keyAlgorithm": { - "type": "String", - "required": false - }, - "keyID": { - "type": "String", - "required": false - }, - "keySecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "preferredChain": { - "type": "String", - "required": false - }, - "privateKeySecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "server": { - "type": "String", - "required": false - }, - "skipTLSVerify": { - "type": "Boolean", - "required": false - } - } - }, - "ca": { - "type": "Record", - "required": false, - "attributes": { - "crlDistributionPoints": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "issuingCertificateURLs": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "ocspServers": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "secretName": { - "type": "String", - "required": false - } - } - }, - "selfSigned": { - "type": "Record", - "required": false, - "attributes": { - 
"crlDistributionPoints": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - } - } - }, - "vault": { - "type": "Record", - "required": false, - "attributes": { - "auth": { - "type": "Record", - "required": false, - "attributes": { - "appRole": { - "type": "Record", - "required": false, - "attributes": { - "path": { - "type": "String", - "required": false - }, - "roleId": { - "type": "String", - "required": false - }, - "secretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "clientCertificate": { - "type": "Record", - "required": false, - "attributes": { - "mountPath": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - }, - "secretName": { - "type": "String", - "required": false - } - } - }, - "kubernetes": { - "type": "Record", - "required": false, - "attributes": { - "mountPath": { - "type": "String", - "required": false - }, - "role": { - "type": "String", - "required": false - }, - "secretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "serviceAccountRef": { - "type": "Record", - "required": false, - "attributes": { - "audiences": { - "type": "Set", - "required": false, - "element": { - "type": "String" - } - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "tokenSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - } - } - }, - "caBundle": { - "type": "String", - "required": false - }, - "caBundleSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { 
- "type": "String", - "required": false - } - } - }, - "clientCertSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "clientKeySecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "namespace": { - "type": "String", - "required": false - }, - "path": { - "type": "String", - "required": false - }, - "server": { - "type": "String", - "required": false - } - } - }, - "venafi": { - "type": "Record", - "required": false, - "attributes": { - "cloud": { - "type": "Record", - "required": false, - "attributes": { - "apiTokenSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "url": { - "type": "String", - "required": false - } - } - }, - "tpp": { - "type": "Record", - "required": false, - "attributes": { - "caBundle": { - "type": "String", - "required": false - }, - "caBundleSecretRef": { - "type": "Record", - "required": false, - "attributes": { - "key": { - "type": "String", - "required": false - }, - "name": { - "type": "String", - "required": false - } - } - }, - "credentialsRef": { - "type": "Record", - "required": false, - "attributes": { - "name": { - "type": "String", - "required": false - } - } - }, - "url": { - "type": "String", - "required": false - } - } - }, - "zone": { - "type": "String", - "required": false - } - } - } - } - }, - "status": { - "type": "Record", - "required": false, - "attributes": { - "acme": { - "type": "Record", - "required": false, - "attributes": { - "lastPrivateKeyHash": { - "type": "String", - "required": false - }, - "lastRegisteredEmail": { - "type": "String", - "required": false - }, - "uri": { - "type": 
"String", - "required": false - } - } - } - } - } - } - } - }, - "IssuerList": { - "shape": { - "type": "Record", - "attributes": { - "apiVersion": { - "type": "String", - "required": false - }, - "kind": { - "type": "String", - "required": false - }, - "metadata": { - "type": "meta::v1::ListMeta", - "required": false - } - } - } - } - }, - "actions": {} - }, "k8s": { "entityTypes": { "Group": { @@ -12735,7 +10680,7 @@ "shape": { "type": "Record", "attributes": { - "extras": { + "extra": { "type": "Set", "required": false, "element": { @@ -12808,7 +10753,7 @@ "shape": { "type": "Record", "attributes": { - "extras": { + "extra": { "type": "Set", "required": false, "element": { @@ -12833,7 +10778,7 @@ "shape": { "type": "Record", "attributes": { - "extras": { + "extra": { "type": "Set", "required": false, "element": { @@ -13294,18 +11239,6 @@ "flowcontrol::v1beta3::FlowSchemaList", "flowcontrol::v1beta3::PriorityLevelConfiguration", "flowcontrol::v1beta3::PriorityLevelConfigurationList", - "io::cert_manager::acme::v1::Challenge", - "io::cert_manager::acme::v1::ChallengeList", - "io::cert_manager::acme::v1::Order", - "io::cert_manager::acme::v1::OrderList", - "io::cert_manager::v1::Certificate", - "io::cert_manager::v1::CertificateList", - "io::cert_manager::v1::CertificateRequest", - "io::cert_manager::v1::CertificateRequestList", - "io::cert_manager::v1::ClusterIssuer", - "io::cert_manager::v1::ClusterIssuerList", - "io::cert_manager::v1::Issuer", - "io::cert_manager::v1::IssuerList", "networking::v1::Ingress", "networking::v1::IngressClass", "networking::v1::IngressClassList", 
@@ -13434,18 +11367,6 @@ "flowcontrol::v1beta3::FlowSchemaList", "flowcontrol::v1beta3::PriorityLevelConfiguration", "flowcontrol::v1beta3::PriorityLevelConfigurationList", - "io::cert_manager::acme::v1::Challenge", - "io::cert_manager::acme::v1::ChallengeList", - "io::cert_manager::acme::v1::Order", - "io::cert_manager::acme::v1::OrderList", - "io::cert_manager::v1::Certificate", - "io::cert_manager::v1::CertificateList", - "io::cert_manager::v1::CertificateRequest", - "io::cert_manager::v1::CertificateRequestList", - "io::cert_manager::v1::ClusterIssuer", - "io::cert_manager::v1::ClusterIssuerList", - "io::cert_manager::v1::Issuer", - "io::cert_manager::v1::IssuerList", "networking::v1::Ingress", "networking::v1::IngressClass", "networking::v1::IngressClassList", @@ -13579,18 +11500,6 @@ "flowcontrol::v1beta3::FlowSchemaList", "flowcontrol::v1beta3::PriorityLevelConfiguration", "flowcontrol::v1beta3::PriorityLevelConfigurationList", - "io::cert_manager::acme::v1::Challenge", - "io::cert_manager::acme::v1::ChallengeList", - "io::cert_manager::acme::v1::Order", - "io::cert_manager::acme::v1::OrderList", - "io::cert_manager::v1::Certificate", - "io::cert_manager::v1::CertificateList", - "io::cert_manager::v1::CertificateRequest", - "io::cert_manager::v1::CertificateRequestList", - "io::cert_manager::v1::ClusterIssuer", - "io::cert_manager::v1::ClusterIssuerList", - "io::cert_manager::v1::Issuer", - "io::cert_manager::v1::IssuerList", "networking::v1::Ingress", "networking::v1::IngressClass", "networking::v1::IngressClassList", 
@@ -13724,18 +11633,6 @@ "flowcontrol::v1beta3::FlowSchemaList", "flowcontrol::v1beta3::PriorityLevelConfiguration", "flowcontrol::v1beta3::PriorityLevelConfigurationList", - "io::cert_manager::acme::v1::Challenge", - "io::cert_manager::acme::v1::ChallengeList", - "io::cert_manager::acme::v1::Order", - "io::cert_manager::acme::v1::OrderList", - "io::cert_manager::v1::Certificate", - "io::cert_manager::v1::CertificateList", - "io::cert_manager::v1::CertificateRequest", - "io::cert_manager::v1::CertificateRequestList", - "io::cert_manager::v1::ClusterIssuer", - "io::cert_manager::v1::ClusterIssuerList", - "io::cert_manager::v1::Issuer", - "io::cert_manager::v1::IssuerList", "networking::v1::Ingress", "networking::v1::IngressClass", "networking::v1::IngressClassList", @@ -13869,18 +11766,6 @@ "flowcontrol::v1beta3::FlowSchemaList", "flowcontrol::v1beta3::PriorityLevelConfiguration", "flowcontrol::v1beta3::PriorityLevelConfigurationList", - "io::cert_manager::acme::v1::Challenge", - "io::cert_manager::acme::v1::ChallengeList", - "io::cert_manager::acme::v1::Order", - "io::cert_manager::acme::v1::OrderList", - "io::cert_manager::v1::Certificate", - "io::cert_manager::v1::CertificateList", - "io::cert_manager::v1::CertificateRequest", - "io::cert_manager::v1::CertificateRequestList", - "io::cert_manager::v1::ClusterIssuer", - "io::cert_manager::v1::ClusterIssuerList", - "io::cert_manager::v1::Issuer", - "io::cert_manager::v1::IssuerList", "networking::v1::Ingress", "networking::v1::IngressClass", "networking::v1::IngressClassList", diff --git a/demo/admission-policy.yaml b/demo/admission-policy.yaml index 29aa344..60c5ce9 100644 --- a/demo/admission-policy.yaml +++ b/demo/admission-policy.yaml 
@@ -36,8 +36,8 @@ metadata:
 spec:
 content: |
 // On Kubernetes versions 1.29+ with the `ServiceAccountTokenPodNodeInfo` flag enabled,
- // Kubernetes injects a node name into the Service Account token, which gets propagated
- // into the user's info extras map. We transform the map into a set of key/value
+ // Kubernetes injects a node name into the Service Account token, which gets propagated
+ // into the user's info extra info map. We transform the map into a set of key/value
 // records with key of string and value as a set of strings.
 //
 // This allows a service account to modify the status of a node only for the node included in the SA token's
@@ -47,11 +47,13 @@ spec:
 action in [k8s::Action::"get", k8s::Action::"update", k8s::Action::"patch"],
 resource is k8s::Resource
 ) when {
- principal.name == "default" &&
+ principal.name == "default" &&
 principal.namespace == "default" &&
 resource.apiGroup == "" &&
 resource.resource == "nodes" &&
+ resource has subresource &&
 resource.subresource == "status" &&
+ resource has name &&
 principal.extra.contains({
 "key": "authentication.kubernetes.io/node-name",
 "values": [resource.name]})
@@ -62,10 +64,11 @@ spec:
 action == k8s::Action::"get",
 resource is k8s::Resource
 ) when {
- principal.name == "default" &&
+ principal.name == "default" &&
 principal.namespace == "default" &&
 resource.apiGroup == "" &&
 resource.resource == "nodes" &&
+ resource has name &&
 principal.extra.contains({
 "key": "authentication.kubernetes.io/node-name",
 "values": [resource.name]})
@@ -82,8 +85,8 @@ spec:
 permit (
 principal is k8s::User,
 action in [
- k8s::Action::"create",
- k8s::Action::"list",
+ k8s::Action::"create",
+ k8s::Action::"list",
 k8s::Action::"watch",
 k8s::Action::"update",
 k8s::Action::"patch",
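Review bot: `principal.extra.contains(...)` at the end of the `@@ -47,11 +47,13 @@` hunk dereferences an attribute the schema declares optional (`"extra"?: Set < Extra >` in the cedarschema hunks of this commit), so for a service account whose token carries no extra keys the expression is an evaluation error rather than `false`, and the policy does not apply. The hunk already adds `resource has subresource &&` and `resource has name &&` for exactly this reason; the principal side should get the same guard, `principal has extra &&` immediately before `principal.extra.contains({`. The `@@ -62,10 +64,11 @@` hunk has the same omission. The enclosing policy head starts outside the hunk.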
@@ -107,7 +110,7 @@ spec: } unless { resource has labelSelector && resource.labelSelector.containsAny([ - {"key": "owner","operator": "=", "values": [principal.name]}, + {"key": "owner","operator": "=", "values": [principal.name]}, {"key": "owner","operator": "==", "values": [principal.name]}, {"key": "owner","operator": "in", "values": [principal.name]}]) }; @@ -125,7 +128,7 @@ spec: resource.metadata.labels.contains({"key": "owner", "value": principal.name}) }; - // admission policy forbidding users in "requires-labels" group from updating or deleting + // admission policy forbidding users in "requires-labels" group from updating or deleting // resources that they don't own forbid ( principal is k8s::User, @@ -134,7 +137,7 @@ spec: ) when { principal in k8s::Group::"requires-labels" } unless { - context has oldObject && + context has oldObject && context.oldObject has metadata && context.oldObject.metadata has labels && context.oldObject.metadata.labels.contains({"key": "owner", "value": principal.name}) @@ -146,7 +149,7 @@ spec: action == k8s::admission::Action::"update", resource ) when { - principal in k8s::Group::"requires-labels" && + principal in k8s::Group::"requires-labels" && resource has metadata && resource.metadata has labels && resource.metadata.labels.contains({"key": "owner", "value": principal.name}) != true diff --git a/demo/authorization-policy.yaml b/demo/authorization-policy.yaml index df82f31..d66a1cc 100644 --- a/demo/authorization-policy.yaml +++ b/demo/authorization-policy.yaml @@ -108,7 +108,7 @@ spec: resource.apiGroup == "" && resource has labelSelector && resource.labelSelector.containsAny([ - {"key": "owner","operator": "=", "values": [principal.name]}, + {"key": "owner","operator": "=", "values": [principal.name]}, {"key": "owner","operator": "==", "values": [principal.name]}, {"key": "owner","operator": "in", "values": [principal.name]}]) }; 
@@ -141,17 +141,19 @@ spec: resource is k8s::ServiceAccount ) when { principal.name == "test-user" && + resource has namespace && resource.namespace == "default" && resource.name == "service-manager" }; - - // SA named 'service-manager' can act on services in its own namespace + + // SA named 'service-manager' can act on services in its own namespace permit ( principal is k8s::ServiceAccount, action, resource is k8s::Resource ) when { - principal.name == "service-manager" && // no principal.namespace restriction + principal.name == "service-manager" && // no specific principal.namespace restriction resource.resource == "services" && - resource.namespace == principal.namespace + resource has namespace && + resource.namespace == principal.namespace }; \ No newline at end of file diff --git a/docs/CedarSchemas.md b/docs/CedarSchemas.md index c3a969e..3bf0d46 100644 --- a/docs/CedarSchemas.md +++ b/docs/CedarSchemas.md @@ -37,10 +37,10 @@ This project supports the following Principal entities: ``` * `k8s::User`. Users are identified by the user's UID as reported by the authenticator. The group list comes in from the Kubernetes authenticator (webhook, serviceaccount, OIDC, etc), so we dynamically build the list of group Entities for a request. - Kubernetes authenticators can also includes extra key/value information on a user, and that is encoded in the 'extras' attribute. + Kubernetes authenticators can also includes extra key/value information on a user, and that is encoded in the 'extra' attribute. ```cedarschema entity User in [Group] = { - "extras"?: Set < Extra >, + "extra"?: Set < Extra >, "name": __cedar::String, }; type Extra = { 
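Review bot: The new `resource has namespace &&` guard is good, but the permit still matches on `resource.resource == "services"` alone, and a resource name is only unique within an API group, so an aggregated or CRD API group exposing its own `services` resource would be covered too; the docs/CedarSchemas.md hunk in this same commit adds `resource.apiGroup == ""` to the secrets example for exactly this reason. Add `resource.apiGroup == "" &&` next to the resource check so the service account is scoped to core-group Services only. The unconstrained `action` also grants every verb, including delete; if that is intended for the demo, a comment saying so beside `// no specific principal.namespace restriction` would make it explicit.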
@@ -51,7 +51,7 @@ This project supports the following Principal entities: * `k8s::ServiceAccount`. When a user's name in a [SubjectAccessReview] starts with `system:serviceaccount:`, the authorizer sets the principal type to `k8s::ServiceAccount` with the following attributes. ```cedarschema entity ServiceAccount in [Group] = { - "extras"?: Set < Extra >, + "extra"?: Set < Extra >, "name": __cedar::String, "namespace": __cedar::String, }; @@ -61,7 +61,7 @@ This project supports the following Principal entities: Cedar can allow or forbid any of those reqeusts. ```cedarschema entity Node in [Group] = { - "extras"?: Set < Extra >, + "extra"?: Set < Extra >, "name": __cedar::String, }; ``` @@ -90,7 +90,8 @@ permit ( action in k8s::Action::"readOnly", // allows any get/list/watch resource is k8s::Resource ) unless { - resource.resource == "secrets" + resource.resource == "secrets" && + resource.apiGroup == "" // "" is the core API group in Kubernetes }; ``` @@ -168,7 +169,8 @@ We define two primary resource types for this authorizer: resource is k8s::Resource ) when { resource.resource == "deployments" && - resource.apiGroup == "apps" + resource.apiGroup == "apps" && + resource has namespace // require a namespace name so cluster-scoped collection requests are not permitted } unless { // permit doesn't apply under these conditions resource has namespace && @@ -259,7 +261,6 @@ To make an impersonated request as another user, Kubernetes sends multiple autho action == k8s::Action::"impersonate", resource is k8s::User ) when { - principal in k8s::Group::"actors" && principal.name == "markhamill" && resource.name == "lukeskywaker" }; 
@@ -281,7 +282,7 @@ To make an impersonated request as another user, Kubernetes sends multiple autho ```cedar // On Kubernetes versions 1.29+ with the `ServiceAccountTokenPodNodeInfo` flag enabled, // Kubernetes injects a node name into the Service Account token, which gets propagated - // into the user's info extras map. We transform the map into a set of key/value + // into the user's info extra map. We transform the map into a set of key/value // records with key of string and value as a set of strings. // // This allows a service account to impersonate only the node included in the SA token's @@ -346,7 +347,7 @@ Resources for Admission policies are derived from the Kubernetes API Group and v The resource entity structure matches that of the Kubernetes API structure, with some special cases. ```cedar -// Forbid pods with hostNet work in namespaces other than kube-system +// Forbid pods with hostNetwork in namespaces other than kube-system forbid ( principal, action in [k8s::admission::Action::"create", k8s::admission::Action::"update"], diff --git a/docs/Demo.md b/docs/Demo.md index 2edf91b..935fe0b 100644 --- a/docs/Demo.md +++ b/docs/Demo.md @@ -107,7 +107,7 @@ Lets write two policies for our test-user: ```cedar @description("test-user can get/list/watch pods") permit ( - principal, + principal is k8s::User, action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"], resource is k8s::Resource ) when { @@ -117,9 +117,9 @@ permit ( resource.resource == "pods" }; -@description("forbid test-user to get/list/watch nodes" +@description("forbid test-user to get/list/watch nodes") forbid ( - principal, + principal is k8s::User, action in [k8s::Action::"get", k8s::Action::"list", k8s::Action::"watch"], resource is k8s::Resource ) when { 
@@ -178,6 +178,7 @@ permit (
 resource is k8s::Resource
 ) unless {
 resource.resource == "secrets" &&
+ resource has namespace &&
 resource.namespace == "default" &&
 // "" is the core API group in Kubernetes
 resource.apiGroup == ""
@@ -240,7 +241,9 @@ permit (
 resource is k8s::ServiceAccount
 ) when {
 principal.name == "test-user" &&
+ resource has namespace &&
 resource.namespace == "default" &&
+ resource has name &&
 resource.name == "service-manager"
 };
@@ -252,6 +255,7 @@ permit (
 ) when {
 principal.name == "service-manager" && // no principal.namespace restriction
 resource.resource == "services" &&
+ resource has namespace &&
 resource.namespace == principal.namespace
 };
 ```
diff --git a/docs/Limitations.md b/docs/Limitations.md
index ef7b740..7c0fb85 100644
--- a/docs/Limitations.md
+++ b/docs/Limitations.md
@@ -43,7 +43,7 @@ namespace k8s {
 "values"?: Set < __cedar::String >
 };
 entity User in [Group] = {
- "extras"?: Set < Extra >,
+ "extra"?: Set < Extra >,
 "name": __cedar::String
 };
 // ...
diff --git a/internal/schema/user_entities.go b/internal/schema/user_entities.go
index eb580bd..75b4b0b 100644
--- a/internal/schema/user_entities.go
+++ b/internal/schema/user_entities.go
@@ -13,6 +13,7 @@ const (
 UserEntityType = cedartypes.EntityType("k8s::" + UserPrincipalType)
 GroupEntityType = cedartypes.EntityType("k8s::" + GroupPrincipalType)
+ ExtraValuesEntityType = cedartypes.EntityType("k8s::" + ExtraValuesType)
 ServiceAccountEntityType = cedartypes.EntityType("k8s::" + ServiceAccountPrincipalType)
 NodeEntityType = cedartypes.EntityType("k8s::" + NodePrincipalType)
 )
@@ -24,8 +25,8 @@ func UserEntity() Entity {
 Shape: EntityShape{
 Type: "Record",
 Attributes: map[string]EntityAttribute{
- "name": {Type: "String", Required: true},
- "extras": {Type: "Set", Element: &EntityAttributeElement{Type: ExtraValuesType}},
+ "name": {Type: "String", Required: true},
+ "extra": {Type: "Set", Element: &EntityAttributeElement{Type: ExtraValuesType}},
 },
 },
 }
@@ -47,7 +48,7 @@ func ServiceAccountEntity() Entity {
 Attributes: map[string]EntityAttribute{
 "name": {Type: "String", Required: true},
 "namespace": {Type: "String", Required: true},
- "extras": {Type: "Set", Element: &EntityAttributeElement{Type: ExtraValuesType}},
+ "extra": {Type: "Set", Element: &EntityAttributeElement{Type: ExtraValuesType}},
 },
 },
 }
@@ -59,8 +60,8 @@ func NodeEntity() Entity {
 Shape: EntityShape{
 Type: "Record",
 Attributes: map[string]EntityAttribute{
- "name": {Type: "String", Required: true},
- "extras": {Type: "Set", Element: &EntityAttributeElement{Type: ExtraValuesType}},
+ "name": {Type: "String", Required: true},
+ "extra": {Type: "Set", Element: &EntityAttributeElement{Type: ExtraValuesType}},
 },
 },
 }
diff --git a/internal/server/authorizer/authorizer.go b/internal/server/authorizer/authorizer.go
index beb8cb9..cc04c82 100644
--- a/internal/server/authorizer/authorizer.go
+++ b/internal/server/authorizer/authorizer.go
@@ -57,7 +57,7 @@ func (e *cedarWebhookAuthorizer) Authorize(ctx context.Context, requestAttribute
 klog.V(3).Info("Request entities ", string(entityJson))
 klog.V(3).Info("Cedar request ", string(requestJson))
 ok, diagnostic := e.store.PolicySet(ctx).IsAuthorized(entities, request)
- klog.V(9).Info("Authorize", "ok", ok, "Diagnostic", diagnosticToReason(diagnostic))
+ klog.V(9).InfoS("Authorize", "ok", ok, "Diagnostic", diagnosticToReason(diagnostic))
 if ok {
 return authorizer.DecisionAllow, diagnosticToReason(diagnostic), nil
 } else if !ok && len(diagnostic.Reasons) > 0 {
diff --git a/internal/server/authorizer/entitiy_builders.go b/internal/server/authorizer/entitiy_builders.go
index 2d99142..a4373c8 100644
--- a/internal/server/authorizer/entitiy_builders.go
+++ b/internal/server/authorizer/entitiy_builders.go
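Review bot: The new `InfoS` line evaluates `diagnosticToReason(diagnostic)` and the allow branch two lines below evaluates it again, and the key `"Diagnostic"` breaks the lowerCamelCase convention its sibling key `"ok"` follows. Compute the reason once and reuse it: `reason := diagnosticToReason(diagnostic)`, `klog.V(9).InfoS("Authorize", "ok", ok, "diagnostic", reason)`, `return authorizer.DecisionAllow, reason, nil`. The two `klog.V(3).Info` calls above, which emit the full entity and request JSON by string concatenation, could take the same structured `InfoS` form for consistency. `Authorize` continues outside the hunk.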
@@ -70,13 +70,14 @@ func ImpersonatedResourceToCedarEntity(attributes authorizer.Attributes) cedarty
 ID: cedartypes.String(attributes.GetName()),
 }
 respAttributes[cedartypes.String("name")] = cedartypes.String(attributes.GetName())
- // TODO: Once attribute-maps are a thing, add this, or something like it
- // case "userextras":
- // uid = cedartypes.EntityUID{
- // Type: UIDEntity,
- // ID: cedartypes.String(attributes.GetSubresource()),
- // }
- // respAttributes[cedartypes.String("userExtras")] = cedartypes.AttributesRecord(attributes.GetName())
+ // TODO: Once attribute-maps are a thing, use that structure instead
+ case "userextras":
+ uid = cedartypes.EntityUID{
+ Type: schema.ExtraValuesEntityType,
+ ID: cedartypes.String(attributes.GetSubresource()),
+ }
+ respAttributes[cedartypes.String("key")] = cedartypes.String(attributes.GetSubresource())
+ respAttributes[cedartypes.String("values")] = cedartypes.NewSet([]cedartypes.Value{cedartypes.String(attributes.GetName())})
 }
 return cedartypes.Entity{
 UID: uid,
diff --git a/internal/server/handler.go b/internal/server/handler.go
index c655639..d6b51ac 100644
--- a/internal/server/handler.go
+++ b/internal/server/handler.go
@@ -107,6 +107,9 @@ func authorizeHandlerFunc(authorizer cedarauthorizer.Authorizer, errorInjector *
 return
 }
+ sarJson, _ := json.Marshal(sar)
+ klog.V(11).Infof("SubjectAccessReview JSON: %s", string(sarJson))
+
 attributes := GetAuthorizerAttributes(sar)
 authorizationDecision, reason, err = errorInjector.InjectIfEnabled(authorizer.Authorize(r.Context(), attributes))
 writeResponse(w, requestId, err, authorizationDecision, reason)
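Review bot: The new `userextras` case identifies the entity by the extra key alone (`ID: cedartypes.String(attributes.GetSubresource())`), while the concrete value being impersonated appears only in the `values` attribute, so a policy that matches this entity by type or UID without also constraining `resource.values` permits impersonating every value of that key. A comment on the case should make that contract explicit for policy authors, e.g. `// Entity ID is the extra key only; the single requested value is exposed as "values" — policies must check resource.values to restrict which values may be impersonated.` It is also worth stating that `values` is always a one-element set holding `attributes.GetName()`, since the `"values"?: Set < __cedar::String >` shape in the Limitations.md hunk suggests a general set. `ImpersonatedResourceToCedarEntity` starts and ends outside the hunk.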
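Review bot: The added `json.Marshal(sar)` runs on every authorization request even when verbosity 11 is off, and its error is dropped with `_` without a comment saying why; the serialized SubjectAccessReview carries the caller's identity (user, groups, UID, extra), so both the work and the output belong inside an explicit verbosity guard. Wrap the block in `klog.V(11).Enabled()` and handle the marshal error rather than discarding it, as below; `%s` formats the `[]byte` directly, so the `string()` conversion is unnecessary. `authorizeHandlerFunc` starts outside the hunk.
```go
	// Serialising the SubjectAccessReview is debug-only: it carries the
	// caller's identity, so skip both the work and the output unless
	// verbosity 11 is active.
	if klog.V(11).Enabled() {
		if sarJson, err := json.Marshal(sar); err != nil {
			klog.ErrorS(err, "marshalling SubjectAccessReview for debug logging")
		} else {
			klog.V(11).Infof("SubjectAccessReview JSON: %s", sarJson)
		}
	}
	// … unchanged: GetAuthorizerAttributes, Authorize, writeResponse …
```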