Skip to content

Commit 6ccbd8e

Browse files
config: add policyrule and subject schema
1 parent 35f4720 commit 6ccbd8e

1 file changed

Lines changed: 82 additions & 0 deletions

File tree

config/schemas/config.yaml

Lines changed: 82 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -832,6 +832,80 @@ $defs:
832832
description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.
833833
type: string
834834
type: object
835+
io.k8s.api.rbac.v1.Subject:
836+
description: Subject contains a reference to the object or user identities a role
837+
binding applies to. This can either hold a direct API object reference, or a
838+
value for non-objects such as user and group names.
839+
properties:
840+
apiGroup:
841+
description: APIGroup holds the API group of the referenced subject. Defaults
842+
to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
843+
for User and Group subjects.
844+
type: string
845+
kind:
846+
description: Kind of object being referenced. Values defined by this API group
847+
are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized
848+
the kind value, the Authorizer should report an error.
849+
type: string
850+
enum:
851+
- Group
852+
- ServiceAccount
853+
- User
854+
name:
855+
description: Name of the object being referenced.
856+
type: string
857+
namespace:
858+
description: Namespace of the referenced object. If the object kind is non-namespace,
859+
such as "User" or "Group", and this value is not empty the Authorizer should
860+
report an error.
861+
type: string
862+
required:
863+
- kind
864+
- name
865+
type: object
866+
io.k8s.api.rbac.v1.PolicyRule:
867+
description: PolicyRule holds information that describes a policy rule, but does
868+
not contain information about who the rule applies to or which namespace the rule
869+
applies to.
870+
properties:
871+
apiGroups:
872+
description: APIGroups is the name of the APIGroup that contains the resources. If
873+
multiple API groups are specified, any action requested against one of the
874+
enumerated resources in any API group will be allowed.
875+
items:
876+
type: string
877+
type: array
878+
nonResourceURLs:
879+
description: NonResourceURLs is a set of partial urls that a user should have
880+
access to. *s are allowed, but only as the full, final step in the path Since
881+
non-resource URLs are not namespaced, this field is only applicable for ClusterRoles
882+
referenced from a ClusterRoleBinding. Rules can either apply to API resources
883+
(such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but
884+
not both.
885+
items:
886+
type: string
887+
type: array
888+
resourceNames:
889+
description: ResourceNames is an optional white list of names that the rule
890+
applies to. An empty set means that everything is allowed.
891+
items:
892+
type: string
893+
type: array
894+
resources:
895+
description: Resources is a list of resources this rule applies to. ResourceAll
896+
represents all resources.
897+
items:
898+
type: string
899+
type: array
900+
verbs:
901+
description: Verbs is a list of Verbs that apply to ALL the ResourceKinds and
902+
AttributeRestrictions contained in this rule. VerbAll represents all kinds.
903+
items:
904+
type: string
905+
type: array
906+
required:
907+
- verbs
908+
type: object
835909
cronSchedule:
836910
type: string
837911
pattern: ^(((\*\/)?([0-5]?[0-9])((\,|\-|\/)([0-5]?[0-9]))*|\*)[^\S\r\n]+((\*\/)?((2[0-3]|1[0-9]|[0-9]|00))((\,|\-|\/)(2[0-3]|1[0-9]|[0-9]|00))*|\*)[^\S\r\n]+((\*\/)?([1-9]|[12][0-9]|3[01])((\,|\-|\/)([1-9]|[12][0-9]|3[01]))*|\*)[^\S\r\n]+((\*\/)?([1-9]|1[0-2])((\,|\-|\/)([1-9]|1[0-2]))*|\*|(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec))[^\S\r\n]+((\*\/)?[0-6]((\,|\-|\/)[0-6])*|\*|00|(sun|mon|tue|wed|thu|fri|sat)))$|^@(annually|yearly|monthly|weekly|daily|hourly|reboot)$
@@ -1487,6 +1561,8 @@ properties:
14871561
description: |
14881562
PolicyRules for this Role
14891563
Reference: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/role-v1/
1564+
items:
1565+
$ref: '#/$defs/io.k8s.api.rbac.v1.PolicyRule'
14901566
type: array
14911567
default: []
14921568
additionalProperties: false
@@ -1521,6 +1597,8 @@ properties:
15211597
description: |
15221598
Configure Subjects that a role apply to
15231599
Reference: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/role-binding-v1/
1600+
items:
1601+
$ref: '#/$defs/io.k8s.api.rbac.v1.Subject'
15241602
type: array
15251603
default: []
15261604
additionalProperties: false
@@ -1538,6 +1616,8 @@ properties:
15381616
description: |
15391617
PolicyRules for this ClusterRole
15401618
Reference: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/
1619+
items:
1620+
$ref: '#/$defs/io.k8s.api.rbac.v1.PolicyRule'
15411621
type: array
15421622
default: []
15431623
additionalProperties: false
@@ -1563,6 +1643,8 @@ properties:
15631643
description: |
15641644
Configure Subjects that a role apply to
15651645
Reference: https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-binding-v1/
1646+
items:
1647+
$ref: '#/$defs/io.k8s.api.rbac.v1.Subject'
15661648
type: array
15671649
default: []
15681650
additionalProperties: false

0 commit comments

Comments
 (0)