mirror of
https://github.com/gravitational/teleport
synced 2024-10-20 01:03:40 +00:00
40861809a6
This PR includes a new Role resource version that is compatible with V5 spec. The new resource introduces the `kubernetes_resources` definition that allows operators to limit the Kubernetes resources that each member can access. The `kubernetes_resources` entries must follow the following format: `{"kind":"<kind>", "namespace":"<namespace>","name":"<pod>"}`. Currently, it only supports objects of `kind` `pod`. Valid examples `<namespace>/<name>: - `*/*`: matches all pods in all namespaces. - `default/*`: matches all pods in the `default` namespace. - `*/nginx-*`: matches every pod prefixed with `nginx-` in every namespace. For older resource versions - V5, V4, V3 - `kubernetes_resources` is automatically populated with `{"kind":"pod","namespace":"*","name":"*"}` to keep compatibility. For the newest version, it's mandatory to define its value otherwise access to pods will be denied. Part of #18434
2035 lines
96 KiB
YAML
2035 lines
96 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
creationTimestamp: null
|
|
name: teleportroles.resources.teleport.dev
|
|
spec:
|
|
group: resources.teleport.dev
|
|
names:
|
|
kind: TeleportRole
|
|
listKind: TeleportRoleList
|
|
plural: teleportroles
|
|
singular: teleportrole
|
|
scope: Namespaced
|
|
versions:
|
|
- name: v5
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: Role is the Schema for the roles API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Role resource definition v5 from Teleport
|
|
properties:
|
|
allow:
|
|
description: Allow is the set of conditions evaluated to grant access.
|
|
properties:
|
|
app_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: AppLabels is a map of labels used as part of the
|
|
RBAC system.
|
|
type: object
|
|
aws_role_arns:
|
|
description: AWSRoleARNs is a list of AWS role ARNs this role
|
|
is allowed to assume.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
azure_identities:
|
|
description: AzureIdentities is a list of Azure identities this
|
|
role is allowed to assume.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
cluster_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: ClusterLabels is a map of node labels (used to dynamically
|
|
grant access to clusters).
|
|
type: object
|
|
db_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: DatabaseLabels are used in RBAC system to allow/deny
|
|
access to databases.
|
|
type: object
|
|
db_names:
|
|
description: DatabaseNames is a list of database names this role
|
|
is allowed to connect to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
db_users:
|
|
description: DatabaseUsers is a list of databaes users this role
|
|
is allowed to connect as.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
host_groups:
|
|
description: HostGroups is a list of groups for created users
|
|
to be added to
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
host_sudoers:
|
|
description: HostSudoers is a list of entries to include in a
|
|
users sudoer file
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
impersonate:
|
|
description: Impersonate specifies what users and roles this role
|
|
is allowed to impersonate by issuing certificates or other possible
|
|
means.
|
|
nullable: true
|
|
properties:
|
|
roles:
|
|
description: Roles is a list of resources this role is allowed
|
|
to impersonate
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
users:
|
|
description: Users is a list of resources this role is allowed
|
|
to impersonate, could be an empty list or a Wildcard pattern
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where specifies optional advanced matcher
|
|
type: string
|
|
type: object
|
|
join_sessions:
|
|
description: JoinSessions specifies policies to allow users to
|
|
join other sessions.
|
|
items:
|
|
properties:
|
|
kinds:
|
|
description: Kinds are the session kinds this policy applies
|
|
to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
modes:
|
|
description: Modes is a list of permitted participant modes
|
|
for this policy.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
name:
|
|
description: Name is the name of the policy.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of roles that you can join
|
|
the session of.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
kubernetes_groups:
|
|
description: KubeGroups is a list of kubernetes groups
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
kubernetes_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: KubernetesLabels is a map of kubernetes cluster labels
|
|
used for RBAC.
|
|
type: object
|
|
kubernetes_resources:
|
|
description: KubernetesResources is the Kubernetes Resources this
|
|
Role grants access to.
|
|
items:
|
|
properties:
|
|
kind:
|
|
description: Kind specifies the Kubernetes Resource type.
|
|
At the moment only "pod" is supported.
|
|
type: string
|
|
name:
|
|
description: Name is the resource name. It supports wildcards.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the resource namespace. It supports
|
|
wildcards.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
kubernetes_users:
|
|
description: KubeUsers is an optional kubernetes users to impersonate
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
logins:
|
|
description: Logins is a list of *nix system logins.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
node_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: NodeLabels is a map of node labels (used to dynamically
|
|
grant access to nodes).
|
|
type: object
|
|
request:
|
|
nullable: true
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Annotations is a collection of annotations to
|
|
be programmatically appended to pending access requests
|
|
at the time of their creation. These annotations serve as
|
|
a mechanism to propagate extra information to plugins. Since
|
|
these annotations support variable interpolation syntax,
|
|
they also offer a mechanism for forwarding claims from an
|
|
external identity provider, to a plugin via `{{external.trait_name}}`
|
|
style substitutions.
|
|
type: object
|
|
claims_to_roles:
|
|
description: ClaimsToRoles specifies a mapping from claims
|
|
(traits) to teleport roles.
|
|
items:
|
|
properties:
|
|
claim:
|
|
description: Claim is a claim name.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of static teleport roles
|
|
to match.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
value:
|
|
description: Value is a claim value to match.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
roles:
|
|
description: Roles is the name of roles which will match the
|
|
request rule.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
search_as_roles:
|
|
description: SearchAsRoles is a list of extra roles which
|
|
should apply to a user while they are searching for resources
|
|
as part of a Resource Access Request, and defines the underlying
|
|
roles which will be requested as part of any Resource Access
|
|
Request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
suggested_reviewers:
|
|
description: SuggestedReviewers is a list of reviewer suggestions. These
|
|
can be teleport usernames, but that is not a requirement.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
thresholds:
|
|
description: Thresholds is a list of thresholds, one of which
|
|
must be met in order for reviews to trigger a state-transition. If
|
|
no thresholds are provided, a default threshold of 1 for
|
|
approval and denial is used.
|
|
items:
|
|
properties:
|
|
approve:
|
|
description: Approve is the number of matching approvals
|
|
needed for state-transition.
|
|
format: int32
|
|
type: integer
|
|
deny:
|
|
description: Deny is the number of denials needed for
|
|
state-transition.
|
|
format: int32
|
|
type: integer
|
|
filter:
|
|
description: Filter is an optional predicate used to
|
|
determine which reviews count toward this threshold.
|
|
type: string
|
|
name:
|
|
description: Name is the optional human-readable name
|
|
of the threshold.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
require_session_join:
|
|
description: RequireSessionJoin specifies policies for required
|
|
users to start a session.
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count is the amount of people that need to
|
|
be matched for this policy to be fulfilled.
|
|
format: int32
|
|
type: integer
|
|
filter:
|
|
description: Filter is a predicate that determines what
|
|
users count towards this policy.
|
|
type: string
|
|
kinds:
|
|
description: Kinds are the session kinds this policy applies
|
|
to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
modes:
|
|
description: Modes is the list of modes that may be used
|
|
to fulfill this policy.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
name:
|
|
description: Name is the name of the policy.
|
|
type: string
|
|
on_leave:
|
|
description: OnLeave is the behaviour that's used when the
|
|
policy is no longer fulfilled for a live session.
|
|
type: string
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
review_requests:
|
|
description: ReviewRequests defines conditions for submitting
|
|
access reviews.
|
|
nullable: true
|
|
properties:
|
|
claims_to_roles:
|
|
description: ClaimsToRoles specifies a mapping from claims
|
|
(traits) to teleport roles.
|
|
items:
|
|
properties:
|
|
claim:
|
|
description: Claim is a claim name.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of static teleport roles
|
|
to match.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
value:
|
|
description: Value is a claim value to match.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
preview_as_roles:
|
|
description: PreviewAsRoles is a list of extra roles which
|
|
should apply to a reviewer while they are viewing a Resource
|
|
Access Request for the purposes of viewing details such
|
|
as the hostname and labels of requested resources.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
roles:
|
|
description: Roles is the name of roles which may be reviewed.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where is an optional predicate which further
|
|
limits which requests are reviewable.
|
|
type: string
|
|
type: object
|
|
rules:
|
|
description: Rules is a list of rules and their access levels.
|
|
Rules are a high level construct used for access control.
|
|
items:
|
|
properties:
|
|
actions:
|
|
description: Actions specifies optional actions taken when
|
|
this rule matches
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
resources:
|
|
description: Resources is a list of resources
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
verbs:
|
|
description: Verbs is a list of verbs
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where specifies optional advanced matcher
|
|
type: string
|
|
type: object
|
|
type: array
|
|
windows_desktop_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: WindowsDesktopLabels are used in the RBAC system
|
|
to allow/deny access to Windows desktops.
|
|
type: object
|
|
windows_desktop_logins:
|
|
description: WindowsDesktopLogins is a list of desktop login names
|
|
allowed/denied for Windows desktops.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny is the set of conditions evaluated to deny access.
|
|
Deny takes priority over allow.
|
|
properties:
|
|
app_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: AppLabels is a map of labels used as part of the
|
|
RBAC system.
|
|
type: object
|
|
aws_role_arns:
|
|
description: AWSRoleARNs is a list of AWS role ARNs this role
|
|
is allowed to assume.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
azure_identities:
|
|
description: AzureIdentities is a list of Azure identities this
|
|
role is allowed to assume.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
cluster_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: ClusterLabels is a map of node labels (used to dynamically
|
|
grant access to clusters).
|
|
type: object
|
|
db_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: DatabaseLabels are used in RBAC system to allow/deny
|
|
access to databases.
|
|
type: object
|
|
db_names:
|
|
description: DatabaseNames is a list of database names this role
|
|
is allowed to connect to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
db_users:
|
|
description: DatabaseUsers is a list of databaes users this role
|
|
is allowed to connect as.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
host_groups:
|
|
description: HostGroups is a list of groups for created users
|
|
to be added to
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
host_sudoers:
|
|
description: HostSudoers is a list of entries to include in a
|
|
users sudoer file
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
impersonate:
|
|
description: Impersonate specifies what users and roles this role
|
|
is allowed to impersonate by issuing certificates or other possible
|
|
means.
|
|
nullable: true
|
|
properties:
|
|
roles:
|
|
description: Roles is a list of resources this role is allowed
|
|
to impersonate
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
users:
|
|
description: Users is a list of resources this role is allowed
|
|
to impersonate, could be an empty list or a Wildcard pattern
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where specifies optional advanced matcher
|
|
type: string
|
|
type: object
|
|
join_sessions:
|
|
description: JoinSessions specifies policies to allow users to
|
|
join other sessions.
|
|
items:
|
|
properties:
|
|
kinds:
|
|
description: Kinds are the session kinds this policy applies
|
|
to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
modes:
|
|
description: Modes is a list of permitted participant modes
|
|
for this policy.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
name:
|
|
description: Name is the name of the policy.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of roles that you can join
|
|
the session of.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
kubernetes_groups:
|
|
description: KubeGroups is a list of kubernetes groups
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
kubernetes_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: KubernetesLabels is a map of kubernetes cluster labels
|
|
used for RBAC.
|
|
type: object
|
|
kubernetes_resources:
|
|
description: KubernetesResources is the Kubernetes Resources this
|
|
Role grants access to.
|
|
items:
|
|
properties:
|
|
kind:
|
|
description: Kind specifies the Kubernetes Resource type.
|
|
At the moment only "pod" is supported.
|
|
type: string
|
|
name:
|
|
description: Name is the resource name. It supports wildcards.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the resource namespace. It supports
|
|
wildcards.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
kubernetes_users:
|
|
description: KubeUsers is an optional kubernetes users to impersonate
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
logins:
|
|
description: Logins is a list of *nix system logins.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
node_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: NodeLabels is a map of node labels (used to dynamically
|
|
grant access to nodes).
|
|
type: object
|
|
request:
|
|
nullable: true
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Annotations is a collection of annotations to
|
|
be programmatically appended to pending access requests
|
|
at the time of their creation. These annotations serve as
|
|
a mechanism to propagate extra information to plugins. Since
|
|
these annotations support variable interpolation syntax,
|
|
they also offer a mechanism for forwarding claims from an
|
|
external identity provider, to a plugin via `{{external.trait_name}}`
|
|
style substitutions.
|
|
type: object
|
|
claims_to_roles:
|
|
description: ClaimsToRoles specifies a mapping from claims
|
|
(traits) to teleport roles.
|
|
items:
|
|
properties:
|
|
claim:
|
|
description: Claim is a claim name.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of static teleport roles
|
|
to match.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
value:
|
|
description: Value is a claim value to match.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
roles:
|
|
description: Roles is the name of roles which will match the
|
|
request rule.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
search_as_roles:
|
|
description: SearchAsRoles is a list of extra roles which
|
|
should apply to a user while they are searching for resources
|
|
as part of a Resource Access Request, and defines the underlying
|
|
roles which will be requested as part of any Resource Access
|
|
Request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
suggested_reviewers:
|
|
description: SuggestedReviewers is a list of reviewer suggestions. These
|
|
can be teleport usernames, but that is not a requirement.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
thresholds:
|
|
description: Thresholds is a list of thresholds, one of which
|
|
must be met in order for reviews to trigger a state-transition. If
|
|
no thresholds are provided, a default threshold of 1 for
|
|
approval and denial is used.
|
|
items:
|
|
properties:
|
|
approve:
|
|
description: Approve is the number of matching approvals
|
|
needed for state-transition.
|
|
format: int32
|
|
type: integer
|
|
deny:
|
|
description: Deny is the number of denials needed for
|
|
state-transition.
|
|
format: int32
|
|
type: integer
|
|
filter:
|
|
description: Filter is an optional predicate used to
|
|
determine which reviews count toward this threshold.
|
|
type: string
|
|
name:
|
|
description: Name is the optional human-readable name
|
|
of the threshold.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
require_session_join:
|
|
description: RequireSessionJoin specifies policies for required
|
|
users to start a session.
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count is the amount of people that need to
|
|
be matched for this policy to be fulfilled.
|
|
format: int32
|
|
type: integer
|
|
filter:
|
|
description: Filter is a predicate that determines what
|
|
users count towards this policy.
|
|
type: string
|
|
kinds:
|
|
description: Kinds are the session kinds this policy applies
|
|
to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
modes:
|
|
description: Modes is the list of modes that may be used
|
|
to fulfill this policy.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
name:
|
|
description: Name is the name of the policy.
|
|
type: string
|
|
on_leave:
|
|
description: OnLeave is the behaviour that's used when the
|
|
policy is no longer fulfilled for a live session.
|
|
type: string
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
review_requests:
|
|
description: ReviewRequests defines conditions for submitting
|
|
access reviews.
|
|
nullable: true
|
|
properties:
|
|
claims_to_roles:
|
|
description: ClaimsToRoles specifies a mapping from claims
|
|
(traits) to teleport roles.
|
|
items:
|
|
properties:
|
|
claim:
|
|
description: Claim is a claim name.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of static teleport roles
|
|
to match.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
value:
|
|
description: Value is a claim value to match.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
preview_as_roles:
|
|
description: PreviewAsRoles is a list of extra roles which
|
|
should apply to a reviewer while they are viewing a Resource
|
|
Access Request for the purposes of viewing details such
|
|
as the hostname and labels of requested resources.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
roles:
|
|
description: Roles is the name of roles which may be reviewed.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where is an optional predicate which further
|
|
limits which requests are reviewable.
|
|
type: string
|
|
type: object
|
|
rules:
|
|
description: Rules is a list of rules and their access levels.
|
|
Rules are a high level construct used for access control.
|
|
items:
|
|
properties:
|
|
actions:
|
|
description: Actions specifies optional actions taken when
|
|
this rule matches
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
resources:
|
|
description: Resources is a list of resources
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
verbs:
|
|
description: Verbs is a list of verbs
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where specifies optional advanced matcher
|
|
type: string
|
|
type: object
|
|
type: array
|
|
windows_desktop_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: WindowsDesktopLabels are used in the RBAC system
|
|
to allow/deny access to Windows desktops.
|
|
type: object
|
|
windows_desktop_logins:
|
|
description: WindowsDesktopLogins is a list of desktop login names
|
|
allowed/denied for Windows desktops.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
type: object
|
|
options:
|
|
description: Options is for OpenSSH options like agent forwarding.
|
|
properties:
|
|
cert_extensions:
|
|
description: CertExtensions specifies the key/values
|
|
items:
|
|
properties:
|
|
mode:
|
|
description: Mode is the type of extension to be used --
|
|
currently critical-option is not supported
|
|
format: int32
|
|
type: integer
|
|
name:
|
|
description: Name specifies the key to be used in the cert
|
|
extension.
|
|
type: string
|
|
type:
|
|
description: Type represents the certificate type being
|
|
extended, only ssh is supported at this time.
|
|
format: int32
|
|
type: integer
|
|
value:
|
|
description: Value specifies the valueg to be used in the
|
|
cert extension.
|
|
type: string
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
cert_format:
|
|
description: CertificateFormat defines the format of the user
|
|
certificate to allow compatibility with older versions of OpenSSH.
|
|
type: string
|
|
client_idle_timeout:
|
|
description: ClientIdleTimeout sets disconnect clients on idle
|
|
timeout behavior, if set to 0 means do not disconnect, otherwise
|
|
is set to the idle duration.
|
|
format: duration
|
|
type: string
|
|
create_host_user:
|
|
description: CreateHostUser allows users to be automatically created
|
|
on a host
|
|
type: boolean
|
|
desktop_clipboard:
|
|
description: DesktopClipboard indicates whether clipboard sharing
|
|
is allowed between the user's workstation and the remote desktop.
|
|
It defaults to true unless explicitly set to false.
|
|
type: boolean
|
|
desktop_directory_sharing:
|
|
description: DesktopDirectorySharing indicates whether directory
|
|
sharing is allowed between the user's workstation and the remote
|
|
desktop. It defaults to false unless explicitly set to true.
|
|
type: boolean
|
|
disconnect_expired_cert:
|
|
description: DisconnectExpiredCert sets disconnect clients on
|
|
expired certificates.
|
|
type: boolean
|
|
enhanced_recording:
|
|
description: BPF defines what events to record for the BPF-based
|
|
session recorder.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
forward_agent:
|
|
description: ForwardAgent is SSH agent forwarding.
|
|
type: boolean
|
|
lock:
|
|
description: Lock specifies the locking mode (strict|best_effort)
|
|
to be applied with the role.
|
|
type: string
|
|
max_connections:
|
|
description: MaxConnections defines the maximum number of concurrent
|
|
connections a user may hold.
|
|
format: int64
|
|
type: integer
|
|
max_kubernetes_connections:
|
|
description: MaxKubernetesConnections defines the maximum number
|
|
of concurrent Kubernetes sessions a user may hold.
|
|
format: int64
|
|
type: integer
|
|
max_session_ttl:
|
|
description: MaxSessionTTL defines how long a SSH session can
|
|
last for.
|
|
format: duration
|
|
type: string
|
|
max_sessions:
|
|
description: MaxSessions defines the maximum number of concurrent
|
|
sessions per connection.
|
|
format: int64
|
|
type: integer
|
|
permit_x11_forwarding:
|
|
description: PermitX11Forwarding authorizes use of X11 forwarding.
|
|
type: boolean
|
|
pin_source_ip:
|
|
description: PinSourceIP forces the same client IP for certificate
|
|
generation and usage
|
|
type: boolean
|
|
port_forwarding:
|
|
description: PortForwarding defines if the certificate will have
|
|
"permit-port-forwarding" in the certificate. PortForwarding
|
|
is "yes" if not set, that's why this is a pointer
|
|
type: boolean
|
|
record_session:
|
|
description: RecordDesktopSession indicates whether desktop access
|
|
sessions should be recorded. It defaults to true unless explicitly
|
|
set to false.
|
|
nullable: true
|
|
properties:
|
|
default:
|
|
description: Default indicates the default value for the services.
|
|
type: string
|
|
desktop:
|
|
description: Desktop indicates whether desktop sessions should
|
|
be recorded. It defaults to true unless explicitly set to
|
|
false.
|
|
type: boolean
|
|
ssh:
|
|
description: SSH indicates the session mode used on SSH sessions.
|
|
type: string
|
|
type: object
|
|
request_access:
|
|
description: RequestAccess defines the access request stategy
|
|
(optional|note|always) where optional is the default.
|
|
type: string
|
|
request_prompt:
|
|
description: RequestPrompt is an optional message which tells
|
|
users what they aught to
|
|
type: string
|
|
require_session_mfa:
|
|
description: RequireMFAType is the type of MFA requirement enforced
|
|
for this user.
|
|
format: int32
|
|
type: integer
|
|
ssh_file_copy:
|
|
description: SSHFileCopy indicates whether remote file operations
|
|
via SCP or SFTP are allowed over an SSH session. It defaults
|
|
to true unless explicitly set to false.
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: TeleportRoleStatus defines the observed state of TeleportRole
|
|
properties:
|
|
conditions:
|
|
description: Conditions represent the latest available observations
|
|
of an object's state
|
|
items:
|
|
description: "Condition contains details for one aspect of the current
|
|
state of this API Resource. --- This struct is intended for direct
|
|
use as an array at the field path .status.conditions. For example,
|
|
\n type FooStatus struct{ // Represents the observations of a
|
|
foo's current state. // Known .status.conditions.type are: \"Available\",
|
|
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
|
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
|
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
|
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
teleportResourceID:
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
- name: v6
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: Role is the Schema for the roles API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Role resource definition v6 from Teleport
|
|
properties:
|
|
allow:
|
|
description: Allow is the set of conditions evaluated to grant access.
|
|
properties:
|
|
app_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: AppLabels is a map of labels used as part of the
|
|
RBAC system.
|
|
type: object
|
|
aws_role_arns:
|
|
description: AWSRoleARNs is a list of AWS role ARNs this role
|
|
is allowed to assume.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
azure_identities:
|
|
description: AzureIdentities is a list of Azure identities this
|
|
role is allowed to assume.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
cluster_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: ClusterLabels is a map of node labels (used to dynamically
|
|
grant access to clusters).
|
|
type: object
|
|
db_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: DatabaseLabels are used in RBAC system to allow/deny
|
|
access to databases.
|
|
type: object
|
|
db_names:
|
|
description: DatabaseNames is a list of database names this role
|
|
is allowed to connect to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
db_users:
|
|
description: DatabaseUsers is a list of databaes users this role
|
|
is allowed to connect as.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
host_groups:
|
|
description: HostGroups is a list of groups for created users
|
|
to be added to
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
host_sudoers:
|
|
description: HostSudoers is a list of entries to include in a
|
|
users sudoer file
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
impersonate:
|
|
description: Impersonate specifies what users and roles this role
|
|
is allowed to impersonate by issuing certificates or other possible
|
|
means.
|
|
nullable: true
|
|
properties:
|
|
roles:
|
|
description: Roles is a list of resources this role is allowed
|
|
to impersonate
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
users:
|
|
description: Users is a list of resources this role is allowed
|
|
to impersonate, could be an empty list or a Wildcard pattern
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where specifies optional advanced matcher
|
|
type: string
|
|
type: object
|
|
join_sessions:
|
|
description: JoinSessions specifies policies to allow users to
|
|
join other sessions.
|
|
items:
|
|
properties:
|
|
kinds:
|
|
description: Kinds are the session kinds this policy applies
|
|
to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
modes:
|
|
description: Modes is a list of permitted participant modes
|
|
for this policy.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
name:
|
|
description: Name is the name of the policy.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of roles that you can join
|
|
the session of.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
kubernetes_groups:
|
|
description: KubeGroups is a list of kubernetes groups
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
kubernetes_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: KubernetesLabels is a map of kubernetes cluster labels
|
|
used for RBAC.
|
|
type: object
|
|
kubernetes_resources:
|
|
description: KubernetesResources is the Kubernetes Resources this
|
|
Role grants access to.
|
|
items:
|
|
properties:
|
|
kind:
|
|
description: Kind specifies the Kubernetes Resource type.
|
|
At the moment only "pod" is supported.
|
|
type: string
|
|
name:
|
|
description: Name is the resource name. It supports wildcards.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the resource namespace. It supports
|
|
wildcards.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
kubernetes_users:
|
|
description: KubeUsers is an optional kubernetes users to impersonate
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
logins:
|
|
description: Logins is a list of *nix system logins.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
node_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: NodeLabels is a map of node labels (used to dynamically
|
|
grant access to nodes).
|
|
type: object
|
|
request:
|
|
nullable: true
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Annotations is a collection of annotations to
|
|
be programmatically appended to pending access requests
|
|
at the time of their creation. These annotations serve as
|
|
a mechanism to propagate extra information to plugins. Since
|
|
these annotations support variable interpolation syntax,
|
|
they also offer a mechanism for forwarding claims from an
|
|
external identity provider, to a plugin via `{{external.trait_name}}`
|
|
style substitutions.
|
|
type: object
|
|
claims_to_roles:
|
|
description: ClaimsToRoles specifies a mapping from claims
|
|
(traits) to teleport roles.
|
|
items:
|
|
properties:
|
|
claim:
|
|
description: Claim is a claim name.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of static teleport roles
|
|
to match.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
value:
|
|
description: Value is a claim value to match.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
roles:
|
|
description: Roles is the name of roles which will match the
|
|
request rule.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
search_as_roles:
|
|
description: SearchAsRoles is a list of extra roles which
|
|
should apply to a user while they are searching for resources
|
|
as part of a Resource Access Request, and defines the underlying
|
|
roles which will be requested as part of any Resource Access
|
|
Request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
suggested_reviewers:
|
|
description: SuggestedReviewers is a list of reviewer suggestions. These
|
|
can be teleport usernames, but that is not a requirement.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
thresholds:
|
|
description: Thresholds is a list of thresholds, one of which
|
|
must be met in order for reviews to trigger a state-transition. If
|
|
no thresholds are provided, a default threshold of 1 for
|
|
approval and denial is used.
|
|
items:
|
|
properties:
|
|
approve:
|
|
description: Approve is the number of matching approvals
|
|
needed for state-transition.
|
|
format: int32
|
|
type: integer
|
|
deny:
|
|
description: Deny is the number of denials needed for
|
|
state-transition.
|
|
format: int32
|
|
type: integer
|
|
filter:
|
|
description: Filter is an optional predicate used to
|
|
determine which reviews count toward this threshold.
|
|
type: string
|
|
name:
|
|
description: Name is the optional human-readable name
|
|
of the threshold.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
require_session_join:
|
|
description: RequireSessionJoin specifies policies for required
|
|
users to start a session.
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count is the amount of people that need to
|
|
be matched for this policy to be fulfilled.
|
|
format: int32
|
|
type: integer
|
|
filter:
|
|
description: Filter is a predicate that determines what
|
|
users count towards this policy.
|
|
type: string
|
|
kinds:
|
|
description: Kinds are the session kinds this policy applies
|
|
to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
modes:
|
|
description: Modes is the list of modes that may be used
|
|
to fulfill this policy.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
name:
|
|
description: Name is the name of the policy.
|
|
type: string
|
|
on_leave:
|
|
description: OnLeave is the behaviour that's used when the
|
|
policy is no longer fulfilled for a live session.
|
|
type: string
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
review_requests:
|
|
description: ReviewRequests defines conditions for submitting
|
|
access reviews.
|
|
nullable: true
|
|
properties:
|
|
claims_to_roles:
|
|
description: ClaimsToRoles specifies a mapping from claims
|
|
(traits) to teleport roles.
|
|
items:
|
|
properties:
|
|
claim:
|
|
description: Claim is a claim name.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of static teleport roles
|
|
to match.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
value:
|
|
description: Value is a claim value to match.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
preview_as_roles:
|
|
description: PreviewAsRoles is a list of extra roles which
|
|
should apply to a reviewer while they are viewing a Resource
|
|
Access Request for the purposes of viewing details such
|
|
as the hostname and labels of requested resources.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
roles:
|
|
description: Roles is the name of roles which may be reviewed.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where is an optional predicate which further
|
|
limits which requests are reviewable.
|
|
type: string
|
|
type: object
|
|
rules:
|
|
description: Rules is a list of rules and their access levels.
|
|
Rules are a high level construct used for access control.
|
|
items:
|
|
properties:
|
|
actions:
|
|
description: Actions specifies optional actions taken when
|
|
this rule matches
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
resources:
|
|
description: Resources is a list of resources
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
verbs:
|
|
description: Verbs is a list of verbs
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where specifies optional advanced matcher
|
|
type: string
|
|
type: object
|
|
type: array
|
|
windows_desktop_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: WindowsDesktopLabels are used in the RBAC system
|
|
to allow/deny access to Windows desktops.
|
|
type: object
|
|
windows_desktop_logins:
|
|
description: WindowsDesktopLogins is a list of desktop login names
|
|
allowed/denied for Windows desktops.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
type: object
|
|
deny:
|
|
description: Deny is the set of conditions evaluated to deny access.
|
|
Deny takes priority over allow.
|
|
properties:
|
|
app_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: AppLabels is a map of labels used as part of the
|
|
RBAC system.
|
|
type: object
|
|
aws_role_arns:
|
|
description: AWSRoleARNs is a list of AWS role ARNs this role
|
|
is allowed to assume.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
azure_identities:
|
|
description: AzureIdentities is a list of Azure identities this
|
|
role is allowed to assume.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
cluster_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: ClusterLabels is a map of node labels (used to dynamically
|
|
grant access to clusters).
|
|
type: object
|
|
db_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: DatabaseLabels are used in RBAC system to allow/deny
|
|
access to databases.
|
|
type: object
|
|
db_names:
|
|
description: DatabaseNames is a list of database names this role
|
|
is allowed to connect to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
db_users:
|
|
description: DatabaseUsers is a list of databaes users this role
|
|
is allowed to connect as.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
host_groups:
|
|
description: HostGroups is a list of groups for created users
|
|
to be added to
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
host_sudoers:
|
|
description: HostSudoers is a list of entries to include in a
|
|
users sudoer file
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
impersonate:
|
|
description: Impersonate specifies what users and roles this role
|
|
is allowed to impersonate by issuing certificates or other possible
|
|
means.
|
|
nullable: true
|
|
properties:
|
|
roles:
|
|
description: Roles is a list of resources this role is allowed
|
|
to impersonate
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
users:
|
|
description: Users is a list of resources this role is allowed
|
|
to impersonate, could be an empty list or a Wildcard pattern
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where specifies optional advanced matcher
|
|
type: string
|
|
type: object
|
|
join_sessions:
|
|
description: JoinSessions specifies policies to allow users to
|
|
join other sessions.
|
|
items:
|
|
properties:
|
|
kinds:
|
|
description: Kinds are the session kinds this policy applies
|
|
to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
modes:
|
|
description: Modes is a list of permitted participant modes
|
|
for this policy.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
name:
|
|
description: Name is the name of the policy.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of roles that you can join
|
|
the session of.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
kubernetes_groups:
|
|
description: KubeGroups is a list of kubernetes groups
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
kubernetes_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: KubernetesLabels is a map of kubernetes cluster labels
|
|
used for RBAC.
|
|
type: object
|
|
kubernetes_resources:
|
|
description: KubernetesResources is the Kubernetes Resources this
|
|
Role grants access to.
|
|
items:
|
|
properties:
|
|
kind:
|
|
description: Kind specifies the Kubernetes Resource type.
|
|
At the moment only "pod" is supported.
|
|
type: string
|
|
name:
|
|
description: Name is the resource name. It supports wildcards.
|
|
type: string
|
|
namespace:
|
|
description: Namespace is the resource namespace. It supports
|
|
wildcards.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
kubernetes_users:
|
|
description: KubeUsers is an optional kubernetes users to impersonate
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
logins:
|
|
description: Logins is a list of *nix system logins.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
node_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: NodeLabels is a map of node labels (used to dynamically
|
|
grant access to nodes).
|
|
type: object
|
|
request:
|
|
nullable: true
|
|
properties:
|
|
annotations:
|
|
additionalProperties:
|
|
items:
|
|
type: string
|
|
type: array
|
|
description: Annotations is a collection of annotations to
|
|
be programmatically appended to pending access requests
|
|
at the time of their creation. These annotations serve as
|
|
a mechanism to propagate extra information to plugins. Since
|
|
these annotations support variable interpolation syntax,
|
|
they also offer a mechanism for forwarding claims from an
|
|
external identity provider, to a plugin via `{{external.trait_name}}`
|
|
style substitutions.
|
|
type: object
|
|
claims_to_roles:
|
|
description: ClaimsToRoles specifies a mapping from claims
|
|
(traits) to teleport roles.
|
|
items:
|
|
properties:
|
|
claim:
|
|
description: Claim is a claim name.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of static teleport roles
|
|
to match.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
value:
|
|
description: Value is a claim value to match.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
roles:
|
|
description: Roles is the name of roles which will match the
|
|
request rule.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
search_as_roles:
|
|
description: SearchAsRoles is a list of extra roles which
|
|
should apply to a user while they are searching for resources
|
|
as part of a Resource Access Request, and defines the underlying
|
|
roles which will be requested as part of any Resource Access
|
|
Request.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
suggested_reviewers:
|
|
description: SuggestedReviewers is a list of reviewer suggestions. These
|
|
can be teleport usernames, but that is not a requirement.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
thresholds:
|
|
description: Thresholds is a list of thresholds, one of which
|
|
must be met in order for reviews to trigger a state-transition. If
|
|
no thresholds are provided, a default threshold of 1 for
|
|
approval and denial is used.
|
|
items:
|
|
properties:
|
|
approve:
|
|
description: Approve is the number of matching approvals
|
|
needed for state-transition.
|
|
format: int32
|
|
type: integer
|
|
deny:
|
|
description: Deny is the number of denials needed for
|
|
state-transition.
|
|
format: int32
|
|
type: integer
|
|
filter:
|
|
description: Filter is an optional predicate used to
|
|
determine which reviews count toward this threshold.
|
|
type: string
|
|
name:
|
|
description: Name is the optional human-readable name
|
|
of the threshold.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
require_session_join:
|
|
description: RequireSessionJoin specifies policies for required
|
|
users to start a session.
|
|
items:
|
|
properties:
|
|
count:
|
|
description: Count is the amount of people that need to
|
|
be matched for this policy to be fulfilled.
|
|
format: int32
|
|
type: integer
|
|
filter:
|
|
description: Filter is a predicate that determines what
|
|
users count towards this policy.
|
|
type: string
|
|
kinds:
|
|
description: Kinds are the session kinds this policy applies
|
|
to.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
modes:
|
|
description: Modes is the list of modes that may be used
|
|
to fulfill this policy.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
name:
|
|
description: Name is the name of the policy.
|
|
type: string
|
|
on_leave:
|
|
description: OnLeave is the behaviour that's used when the
|
|
policy is no longer fulfilled for a live session.
|
|
type: string
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
review_requests:
|
|
description: ReviewRequests defines conditions for submitting
|
|
access reviews.
|
|
nullable: true
|
|
properties:
|
|
claims_to_roles:
|
|
description: ClaimsToRoles specifies a mapping from claims
|
|
(traits) to teleport roles.
|
|
items:
|
|
properties:
|
|
claim:
|
|
description: Claim is a claim name.
|
|
type: string
|
|
roles:
|
|
description: Roles is a list of static teleport roles
|
|
to match.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
value:
|
|
description: Value is a claim value to match.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
preview_as_roles:
|
|
description: PreviewAsRoles is a list of extra roles which
|
|
should apply to a reviewer while they are viewing a Resource
|
|
Access Request for the purposes of viewing details such
|
|
as the hostname and labels of requested resources.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
roles:
|
|
description: Roles is the name of roles which may be reviewed.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where is an optional predicate which further
|
|
limits which requests are reviewable.
|
|
type: string
|
|
type: object
|
|
rules:
|
|
description: Rules is a list of rules and their access levels.
|
|
Rules are a high level construct used for access control.
|
|
items:
|
|
properties:
|
|
actions:
|
|
description: Actions specifies optional actions taken when
|
|
this rule matches
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
resources:
|
|
description: Resources is a list of resources
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
verbs:
|
|
description: Verbs is a list of verbs
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
where:
|
|
description: Where specifies optional advanced matcher
|
|
type: string
|
|
type: object
|
|
type: array
|
|
windows_desktop_labels:
|
|
additionalProperties:
|
|
x-kubernetes-preserve-unknown-fields: true
|
|
description: WindowsDesktopLabels are used in the RBAC system
|
|
to allow/deny access to Windows desktops.
|
|
type: object
|
|
windows_desktop_logins:
|
|
description: WindowsDesktopLogins is a list of desktop login names
|
|
allowed/denied for Windows desktops.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
type: object
|
|
options:
|
|
description: Options is for OpenSSH options like agent forwarding.
|
|
properties:
|
|
cert_extensions:
|
|
description: CertExtensions specifies the key/values
|
|
items:
|
|
properties:
|
|
mode:
|
|
description: Mode is the type of extension to be used --
|
|
currently critical-option is not supported
|
|
format: int32
|
|
type: integer
|
|
name:
|
|
description: Name specifies the key to be used in the cert
|
|
extension.
|
|
type: string
|
|
type:
|
|
description: Type represents the certificate type being
|
|
extended, only ssh is supported at this time.
|
|
format: int32
|
|
type: integer
|
|
value:
|
|
description: Value specifies the valueg to be used in the
|
|
cert extension.
|
|
type: string
|
|
type: object
|
|
nullable: true
|
|
type: array
|
|
cert_format:
|
|
description: CertificateFormat defines the format of the user
|
|
certificate to allow compatibility with older versions of OpenSSH.
|
|
type: string
|
|
client_idle_timeout:
|
|
description: ClientIdleTimeout sets disconnect clients on idle
|
|
timeout behavior, if set to 0 means do not disconnect, otherwise
|
|
is set to the idle duration.
|
|
format: duration
|
|
type: string
|
|
create_host_user:
|
|
description: CreateHostUser allows users to be automatically created
|
|
on a host
|
|
type: boolean
|
|
desktop_clipboard:
|
|
description: DesktopClipboard indicates whether clipboard sharing
|
|
is allowed between the user's workstation and the remote desktop.
|
|
It defaults to true unless explicitly set to false.
|
|
type: boolean
|
|
desktop_directory_sharing:
|
|
description: DesktopDirectorySharing indicates whether directory
|
|
sharing is allowed between the user's workstation and the remote
|
|
desktop. It defaults to false unless explicitly set to true.
|
|
type: boolean
|
|
disconnect_expired_cert:
|
|
description: DisconnectExpiredCert sets disconnect clients on
|
|
expired certificates.
|
|
type: boolean
|
|
enhanced_recording:
|
|
description: BPF defines what events to record for the BPF-based
|
|
session recorder.
|
|
items:
|
|
type: string
|
|
nullable: true
|
|
type: array
|
|
forward_agent:
|
|
description: ForwardAgent is SSH agent forwarding.
|
|
type: boolean
|
|
lock:
|
|
description: Lock specifies the locking mode (strict|best_effort)
|
|
to be applied with the role.
|
|
type: string
|
|
max_connections:
|
|
description: MaxConnections defines the maximum number of concurrent
|
|
connections a user may hold.
|
|
format: int64
|
|
type: integer
|
|
max_kubernetes_connections:
|
|
description: MaxKubernetesConnections defines the maximum number
|
|
of concurrent Kubernetes sessions a user may hold.
|
|
format: int64
|
|
type: integer
|
|
max_session_ttl:
|
|
description: MaxSessionTTL defines how long a SSH session can
|
|
last for.
|
|
format: duration
|
|
type: string
|
|
max_sessions:
|
|
description: MaxSessions defines the maximum number of concurrent
|
|
sessions per connection.
|
|
format: int64
|
|
type: integer
|
|
permit_x11_forwarding:
|
|
description: PermitX11Forwarding authorizes use of X11 forwarding.
|
|
type: boolean
|
|
pin_source_ip:
|
|
description: PinSourceIP forces the same client IP for certificate
|
|
generation and usage
|
|
type: boolean
|
|
port_forwarding:
|
|
description: PortForwarding defines if the certificate will have
|
|
"permit-port-forwarding" in the certificate. PortForwarding
|
|
is "yes" if not set, that's why this is a pointer
|
|
type: boolean
|
|
record_session:
|
|
description: RecordDesktopSession indicates whether desktop access
|
|
sessions should be recorded. It defaults to true unless explicitly
|
|
set to false.
|
|
nullable: true
|
|
properties:
|
|
default:
|
|
description: Default indicates the default value for the services.
|
|
type: string
|
|
desktop:
|
|
description: Desktop indicates whether desktop sessions should
|
|
be recorded. It defaults to true unless explicitly set to
|
|
false.
|
|
type: boolean
|
|
ssh:
|
|
description: SSH indicates the session mode used on SSH sessions.
|
|
type: string
|
|
type: object
|
|
request_access:
|
|
description: RequestAccess defines the access request stategy
|
|
(optional|note|always) where optional is the default.
|
|
type: string
|
|
request_prompt:
|
|
description: RequestPrompt is an optional message which tells
|
|
users what they aught to
|
|
type: string
|
|
require_session_mfa:
|
|
description: RequireMFAType is the type of MFA requirement enforced
|
|
for this user.
|
|
format: int32
|
|
type: integer
|
|
ssh_file_copy:
|
|
description: SSHFileCopy indicates whether remote file operations
|
|
via SCP or SFTP are allowed over an SSH session. It defaults
|
|
to true unless explicitly set to false.
|
|
type: boolean
|
|
type: object
|
|
type: object
|
|
status:
|
|
description: TeleportRoleStatus defines the observed state of TeleportRole
|
|
properties:
|
|
conditions:
|
|
description: Conditions represent the latest available observations
|
|
of an object's state
|
|
items:
|
|
description: "Condition contains details for one aspect of the current
|
|
state of this API Resource. --- This struct is intended for direct
|
|
use as an array at the field path .status.conditions. For example,
|
|
\n type FooStatus struct{ // Represents the observations of a
|
|
foo's current state. // Known .status.conditions.type are: \"Available\",
|
|
\"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge
|
|
// +listType=map // +listMapKey=type Conditions []metav1.Condition
|
|
`json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\"
|
|
protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }"
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
teleportResourceID:
|
|
format: int64
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
served: true
|
|
storage: false
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: null
|
|
storedVersions: null
|