|
| 1 | +apiVersion: apiextensions.k8s.io/v1 |
| 2 | +kind: CustomResourceDefinition |
| 3 | +metadata: |
| 4 | + annotations: |
| 5 | + controller-gen.kubebuilder.io/version: v0.19.0 |
| 6 | + creationTimestamp: null |
| 7 | + name: accessentries.eks.services.k8s.aws |
| 8 | +spec: |
| 9 | + group: eks.services.k8s.aws |
| 10 | + names: |
| 11 | + kind: AccessEntry |
| 12 | + listKind: AccessEntryList |
| 13 | + plural: accessentries |
| 14 | + singular: accessentry |
| 15 | + scope: Namespaced |
| 16 | + versions: |
| 17 | + - additionalPrinterColumns: |
| 18 | + - jsonPath: .spec.clusterName |
| 19 | + name: CLUSTER |
| 20 | + type: string |
| 21 | + - jsonPath: .spec.type |
| 22 | + name: TYPE |
| 23 | + type: string |
| 24 | + - jsonPath: .spec.username |
| 25 | + name: USERNAME |
| 26 | + type: string |
| 27 | + - jsonPath: .spec.principalARN |
| 28 | + name: PRINCIPALARN |
| 29 | + priority: 1 |
| 30 | + type: string |
| 31 | + - jsonPath: .status.conditions[?(@.type=="ACK.ResourceSynced")].status |
| 32 | + name: Synced |
| 33 | + type: string |
| 34 | + - jsonPath: .metadata.creationTimestamp |
| 35 | + name: Age |
| 36 | + type: date |
| 37 | + name: v1alpha1 |
| 38 | + schema: |
| 39 | + openAPIV3Schema: |
| 40 | + description: AccessEntry is the Schema for the AccessEntries API |
| 41 | + properties: |
| 42 | + apiVersion: |
| 43 | + description: |- |
| 44 | + APIVersion defines the versioned schema of this representation of an object. |
| 45 | + Servers should convert recognized schemas to the latest internal value, and |
| 46 | + may reject unrecognized values. |
| 47 | + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
| 48 | + type: string |
| 49 | + kind: |
| 50 | + description: |- |
| 51 | + Kind is a string value representing the REST resource this object represents. |
| 52 | + Servers may infer this from the endpoint the client submits requests to. |
| 53 | + Cannot be updated. |
| 54 | + In CamelCase. |
| 55 | + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
| 56 | + type: string |
| 57 | + metadata: |
| 58 | + type: object |
| 59 | + spec: |
| 60 | + description: |- |
| 61 | + AccessEntrySpec defines the desired state of AccessEntry. |
| 62 | +
|
| 63 | + An access entry allows an IAM principal (user or role) to access your cluster. |
| 64 | + Access entries can replace the need to maintain the aws-auth ConfigMap for |
| 65 | + authentication. For more information about access entries, see Access entries |
| 66 | + (https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html) in |
| 67 | + the Amazon EKS User Guide. |
| 68 | + properties: |
| 69 | + accessPolicies: |
| 70 | + items: |
| 71 | + properties: |
| 72 | + accessScope: |
| 73 | + description: The scope of an AccessPolicy that's associated |
| 74 | + to an AccessEntry. |
| 75 | + properties: |
| 76 | + namespaces: |
| 77 | + items: |
| 78 | + type: string |
| 79 | + type: array |
| 80 | + type: |
| 81 | + type: string |
| 82 | + type: object |
| 83 | + policyARN: |
| 84 | + type: string |
| 85 | + type: object |
| 86 | + type: array |
| 87 | + clusterName: |
| 88 | + description: The name of your cluster. |
| 89 | + type: string |
| 90 | + clusterRef: |
| 91 | + description: "AWSResourceReferenceWrapper provides a wrapper around |
| 92 | + *AWSResourceReference\ntype to provide more user friendly syntax |
| 93 | + for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t |
| 94 | + \ name: my-api" |
| 95 | + properties: |
| 96 | + from: |
| 97 | + description: |- |
| 98 | + AWSResourceReference provides all the values necessary to reference another |
| 99 | + k8s resource for finding the identifier(Id/ARN/Name) |
| 100 | + properties: |
| 101 | + name: |
| 102 | + type: string |
| 103 | + namespace: |
| 104 | + type: string |
| 105 | + type: object |
| 106 | + type: object |
| 107 | + kubernetesGroups: |
| 108 | + description: |- |
| 109 | + The value for name that you've specified for kind: Group as a subject in |
| 110 | + a Kubernetes RoleBinding or ClusterRoleBinding object. Amazon EKS doesn't |
| 111 | + confirm that the value for name exists in any bindings on your cluster. You |
| 112 | + can specify one or more names. |
| 113 | +
|
| 114 | + Kubernetes authorizes the principalArn of the access entry to access any |
| 115 | + cluster objects that you've specified in a Kubernetes Role or ClusterRole |
| 116 | + object that is also specified in a binding's roleRef. For more information |
| 117 | + about creating Kubernetes RoleBinding, ClusterRoleBinding, Role, or ClusterRole |
| 118 | + objects, see Using RBAC Authorization in the Kubernetes documentation (https://kubernetes.io/docs/reference/access-authn-authz/rbac/). |
| 119 | +
|
| 120 | + If you want Amazon EKS to authorize the principalArn (instead of, or in addition |
| 121 | + to Kubernetes authorizing the principalArn), you can associate one or more |
| 122 | + access policies to the access entry using AssociateAccessPolicy. If you associate |
| 123 | + any access policies, the principalARN has all permissions assigned in the |
| 124 | + associated access policies and all permissions in any Kubernetes Role or |
| 125 | + ClusterRole objects that the group names are bound to. |
| 126 | + items: |
| 127 | + type: string |
| 128 | + type: array |
| 129 | + principalARN: |
| 130 | + description: |- |
| 131 | + The ARN of the IAM principal for the AccessEntry. You can specify one ARN |
| 132 | + for each access entry. You can't specify the same ARN in more than one access |
| 133 | + entry. This value can't be changed after access entry creation. |
| 134 | +
|
| 135 | + The valid principals differ depending on the type of the access entry in |
| 136 | + the type field. For STANDARD access entries, you can use every IAM principal |
| 137 | + type. For nodes (EC2 (for EKS Auto Mode), EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX, |
| 138 | + and HYBRID_LINUX), the only valid ARN is IAM roles. You can't use the STS |
| 139 | + session principal type with access entries because this is a temporary principal |
| 140 | + for each session and not a permanent identity that can be assigned permissions. |
| 141 | +
|
| 142 | + IAM best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) |
| 143 | + recommend using IAM roles with temporary credentials, rather than IAM users |
| 144 | + with long-term credentials. |
| 145 | + type: string |
| 146 | + tags: |
| 147 | + additionalProperties: |
| 148 | + type: string |
| 149 | + description: |- |
| 150 | + Metadata that assists with categorization and organization. Each tag consists |
| 151 | + of a key and an optional value. You define both. Tags don't propagate to |
| 152 | + any other cluster or Amazon Web Services resources. |
| 153 | + type: object |
| 154 | + type: |
| 155 | + description: |- |
| 156 | + The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX, |
| 157 | + EC2_LINUX, EC2_WINDOWS, EC2 (for EKS Auto Mode), HYBRID_LINUX, and HYPERPOD_LINUX. |
| 158 | +
|
| 159 | + If the principalArn is for an IAM role that's used for self-managed Amazon |
| 160 | + EC2 nodes, specify EC2_LINUX or EC2_WINDOWS. Amazon EKS grants the necessary |
| 161 | + permissions to the node for you. If the principalArn is for any other purpose, |
| 162 | + specify STANDARD. If you don't specify a value, Amazon EKS sets the value |
| 163 | + to STANDARD. If you have the access mode of the cluster set to API_AND_CONFIG_MAP, |
| 164 | + it's unnecessary to create access entries for IAM roles used with Fargate |
| 165 | + profiles or managed Amazon EC2 nodes, because Amazon EKS creates entries |
| 166 | + in the aws-auth ConfigMap for the roles. You can't change this value once |
| 167 | + you've created the access entry. |
| 168 | +
|
| 169 | + If you set the value to EC2_LINUX or EC2_WINDOWS, you can't specify values |
| 170 | + for kubernetesGroups, or associate an AccessPolicy to the access entry. |
| 171 | + type: string |
| 172 | + username: |
| 173 | + description: |- |
| 174 | + The username to authenticate to Kubernetes with. We recommend not specifying |
| 175 | + a username and letting Amazon EKS specify it for you. For more information |
| 176 | + about the value Amazon EKS specifies for you, or constraints before specifying |
| 177 | + your own username, see Creating access entries (https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries) |
| 178 | + in the Amazon EKS User Guide. |
| 179 | + type: string |
| 180 | + required: |
| 181 | + - principalARN |
| 182 | + type: object |
| 183 | + status: |
| 184 | + description: AccessEntryStatus defines the observed state of AccessEntry |
| 185 | + properties: |
| 186 | + ackResourceMetadata: |
| 187 | + description: |- |
| 188 | + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member |
| 189 | + that is used to contain resource sync state, account ownership, |
| 190 | + constructed ARN for the resource |
| 191 | + properties: |
| 192 | + arn: |
| 193 | + description: |- |
| 194 | + ARN is the Amazon Resource Name for the resource. This is a |
| 195 | + globally-unique identifier and is set only by the ACK service controller |
| 196 | + once the controller has orchestrated the creation of the resource OR |
| 197 | + when it has verified that an "adopted" resource (a resource where the |
| 198 | + ARN annotation was set by the Kubernetes user on the CR) exists and |
| 199 | + matches the supplied CR's Spec field values. |
| 200 | + https://github.com/aws/aws-controllers-k8s/issues/270 |
| 201 | + type: string |
| 202 | + ownerAccountID: |
| 203 | + description: |- |
| 204 | + OwnerAccountID is the AWS Account ID of the account that owns the |
| 205 | + backend AWS service API resource. |
| 206 | + type: string |
| 207 | + region: |
| 208 | + description: Region is the AWS region in which the resource exists |
| 209 | + or will exist. |
| 210 | + type: string |
| 211 | + required: |
| 212 | + - ownerAccountID |
| 213 | + - region |
| 214 | + type: object |
| 215 | + conditions: |
| 216 | + description: |- |
| 217 | + All CRs managed by ACK have a common `Status.Conditions` member that |
| 218 | + contains a collection of `ackv1alpha1.Condition` objects that describe |
| 219 | + the various terminal states of the CR and its backend AWS service API |
| 220 | + resource |
| 221 | + items: |
| 222 | + description: |- |
| 223 | + Condition is the common struct used by all CRDs managed by ACK service |
| 224 | + controllers to indicate terminal states of the CR and its backend AWS |
| 225 | + service API resource |
| 226 | + properties: |
| 227 | + lastTransitionTime: |
| 228 | + description: Last time the condition transitioned from one status |
| 229 | + to another. |
| 230 | + format: date-time |
| 231 | + type: string |
| 232 | + message: |
| 233 | + description: A human readable message indicating details about |
| 234 | + the transition. |
| 235 | + type: string |
| 236 | + reason: |
| 237 | + description: The reason for the condition's last transition. |
| 238 | + type: string |
| 239 | + status: |
| 240 | + description: Status of the condition, one of True, False, Unknown. |
| 241 | + type: string |
| 242 | + type: |
| 243 | + description: Type is the type of the Condition |
| 244 | + type: string |
| 245 | + required: |
| 246 | + - status |
| 247 | + - type |
| 248 | + type: object |
| 249 | + type: array |
| 250 | + createdAt: |
| 251 | + description: The Unix epoch timestamp at object creation. |
| 252 | + format: date-time |
| 253 | + type: string |
| 254 | + modifiedAt: |
| 255 | + description: The Unix epoch timestamp for the last modification to |
| 256 | + the object. |
| 257 | + format: date-time |
| 258 | + type: string |
| 259 | + type: object |
| 260 | + type: object |
| 261 | + served: true |
| 262 | + storage: true |
| 263 | + subresources: |
| 264 | + status: {} |
| 265 | +status: |
| 266 | + acceptedNames: |
| 267 | + kind: "" |
| 268 | + plural: "" |
| 269 | + conditions: null |
| 270 | + storedVersions: null |