Packages:

- security.gardener.cloud/v1alpha1

## security.gardener.cloud/v1alpha1

Package v1alpha1 is a version of the API.

Resource Types:

- CredentialsBinding
- WorkloadIdentity

### CredentialsBinding

CredentialsBinding represents a binding to credentials in the same or another namespace.

| Field | Type | Description |
|---|---|---|
| `apiVersion` | string | `security.gardener.cloud/v1alpha1` |
| `kind` | string | `CredentialsBinding` |
| `metadata` | Kubernetes meta/v1.ObjectMeta | (Optional) Standard object metadata. Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
| `provider` | CredentialsBindingProvider | Provider defines the provider type of the CredentialsBinding. This field is immutable. |
| `credentialsRef` | Kubernetes core/v1.ObjectReference | CredentialsRef is a reference to a resource holding the credentials. Accepted resources are core/v1.Secret and security.gardener.cloud/v1alpha1.WorkloadIdentity. This field is immutable. |
| `quotas` | []Kubernetes core/v1.ObjectReference | (Optional) Quotas is a list of references to Quota objects in the same or another namespace. This field is immutable. |

### WorkloadIdentity

WorkloadIdentity is a resource that allows workloads to be presented to external systems by giving them identities managed by the Gardener API server. The identity of such a workload is represented by a JSON Web Token (JWT) issued by the Gardener API server. Workload identities are designed to be used by components running in the Gardener environment (seed or runtime cluster) that make use of identity federation inspired by the OIDC protocol.

| Field | Type | Description |
|---|---|---|
| `apiVersion` | string | `security.gardener.cloud/v1alpha1` |
| `kind` | string | `WorkloadIdentity` |
| `metadata` | Kubernetes meta/v1.ObjectMeta | (Optional) Standard object metadata. Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
| `spec` | WorkloadIdentitySpec | Spec configures the JSON Web Token issued by the Gardener API server. Its fields are listed in the next table. |
| `status` | WorkloadIdentityStatus | Status contains the latest observed status of the WorkloadIdentity. |

Fields of `spec`:

| Field | Type | Description |
|---|---|---|
| `audiences` | []string | Audiences specify the list of recipients that the JWT is intended for. The values of this field will be set in the `aud` claim. |
| `targetSystem` | TargetSystem | TargetSystem represents specific configurations for the system that will accept the JWTs. |

### ContextObject

(Appears on: TokenRequestSpec)

ContextObject identifies the object the token is requested for.

| Field | Type | Description |
|---|---|---|
| `kind` | string | Kind of the object the token is requested for. Valid kinds are `Shoot`, `Seed`, etc. |
| `apiVersion` | string | API version of the object the token is requested for. |
| `name` | string | Name of the object the token is requested for. |
| `namespace` | string | (Optional) Namespace of the object the token is requested for. |
| `uid` | k8s.io/apimachinery/pkg/types.UID | UID of the object the token is requested for. |

### CredentialsBindingProvider

(Appears on: CredentialsBinding)

CredentialsBindingProvider defines the provider type of the CredentialsBinding.

| Field | Type | Description |
|---|---|---|
| `type` | string | Type is the type of the provider. |

### TargetSystem

(Appears on: WorkloadIdentitySpec)

TargetSystem represents specific configurations for the system that will accept the JWTs.

| Field | Type | Description |
|---|---|---|
| `type` | string | Type is the type of the target system. |
| `providerConfig` | k8s.io/apimachinery/pkg/runtime.RawExtension | (Optional) ProviderConfig is the configuration passed to the extension resource. |

### TokenRequest

TokenRequest is a resource that is used to request WorkloadIdentity tokens.

| Field | Type | Description |
|---|---|---|
| `metadata` | Kubernetes meta/v1.ObjectMeta | Standard object metadata. Refer to the Kubernetes API documentation for the fields of the `metadata` field. |
| `spec` | TokenRequestSpec | Spec holds configuration settings for the requested token. Its fields are listed in the next table. |
| `status` | TokenRequestStatus | Status bears the issued token with additional information back to the client. |

Fields of `spec`:

| Field | Type | Description |
|---|---|---|
| `contextObject` | ContextObject | (Optional) ContextObject identifies the object the token is requested for. |
| `expirationSeconds` | int64 | (Optional) ExpirationSeconds specifies for how long the requested token should be valid. |
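Added example, not taken from the Gardener project, showing how the CredentialsBinding, WorkloadIdentity and TokenRequest resources above reference each other: a WorkloadIdentity in one namespace, a CredentialsBinding in another namespace whose `credentialsRef` points at it, and a TokenRequest for a Shoot. All names, namespaces, the audience URL, the provider type and the UID are placeholders; the `apiVersion`/`kind` header on the TokenRequest, the Shoot and Quota API versions are assumptions, and `targetSystem.providerConfig` is extension-specific and left out.

```yaml
# Added example; every value marked "placeholder" or "assumption" is made up here.
apiVersion: security.gardener.cloud/v1alpha1
kind: WorkloadIdentity
metadata:
  name: my-workload                 # placeholder
  namespace: garden-team-a          # placeholder
spec:
  audiences:                        # copied into the JWT 'aud' claim; keep it to the intended recipients
    - https://sts.example.invalid   # placeholder for the accepting system's expected audience
  targetSystem:
    type: "<provider-type>"         # placeholder; the system that will accept the JWTs
    # providerConfig is optional and extension-specific; omitted here
---
apiVersion: security.gardener.cloud/v1alpha1
kind: CredentialsBinding
metadata:
  name: my-binding                  # placeholder
  namespace: garden-project-b       # placeholder; a different namespace than the identity
provider:
  type: "<provider-type>"           # placeholder; immutable after creation
credentialsRef:                     # immutable; must be a core/v1.Secret or a WorkloadIdentity
  apiVersion: security.gardener.cloud/v1alpha1
  kind: WorkloadIdentity
  name: my-workload
  namespace: garden-team-a
quotas:                             # optional, immutable
  - apiVersion: core.gardener.cloud/v1beta1   # assumption: API version of Quota
    kind: Quota
    name: default-quota             # placeholder
    namespace: garden-team-a
---
apiVersion: security.gardener.cloud/v1alpha1  # assumption: TokenRequest lives in this package
kind: TokenRequest
metadata:
  name: my-workload                 # assumption: named after the WorkloadIdentity it is for
  namespace: garden-team-a
spec:
  contextObject:                    # optional; the object the token is requested for
    kind: Shoot                     # 'Shoot' is one of the valid kinds named in ContextObject
    apiVersion: core.gardener.cloud/v1beta1   # assumption: API version of Shoot
    name: my-shoot                  # placeholder
    namespace: garden-project-b     # placeholder
    uid: 00000000-0000-0000-0000-000000000000 # placeholder UID
  expirationSeconds: 3600           # optional; requested lifetime, status.expirationTimestamp reports the actual one
```

The issued token is returned in `status.token` together with `status.expirationTimestamp`; the consumer should compare the token's `aud` claim against the audience it expects before trusting it.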

### TokenRequestSpec

(Appears on: TokenRequest)

TokenRequestSpec holds configuration settings for the requested token.

| Field | Type | Description |
|---|---|---|
| `contextObject` | ContextObject | (Optional) ContextObject identifies the object the token is requested for. |
| `expirationSeconds` | int64 | (Optional) ExpirationSeconds specifies for how long the requested token should be valid. |

### TokenRequestStatus

(Appears on: TokenRequest)

TokenRequestStatus bears the issued token with additional information back to the client.

| Field | Type | Description |
|---|---|---|
| `token` | string | Token is the issued token. |
| `expirationTimestamp` | Kubernetes meta/v1.Time | ExpirationTimestamp is the time of expiration of the returned token. |

### WorkloadIdentitySpec

(Appears on: WorkloadIdentity)

WorkloadIdentitySpec configures the JSON Web Token issued by the Gardener API server.

| Field | Type | Description |
|---|---|---|
| `audiences` | []string | Audiences specify the list of recipients that the JWT is intended for. The values of this field will be set in the `aud` claim. |
| `targetSystem` | TargetSystem | TargetSystem represents specific configurations for the system that will accept the JWTs. |

### WorkloadIdentityStatus

(Appears on: WorkloadIdentity)

WorkloadIdentityStatus contains the latest observed status of the WorkloadIdentity.

| Field | Type | Description |
|---|---|---|
| `sub` | string | Sub contains the computed value of the subject that is going to be set in the JWT's `sub` claim. |


Generated with gen-crd-api-reference-docs