diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml
index cabd7a92b984d..20b4fcef88676 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_accesslists.yaml
@@ -201,6 +201,7 @@ spec:
type: string
type: object
status:
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
index a262e618b0154..b96d4eb6e8734 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_githubconnectors.yaml
@@ -78,8 +78,7 @@ spec:
type: array
type: object
status:
- description: TeleportGithubConnectorStatus defines the observed state
- of TeleportGithubConnector
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
index cdb3a30050b51..7b5928ca4c255 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_loginrules.yaml
@@ -57,6 +57,7 @@ spec:
type: object
type: object
status:
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
index edd8bf5e13623..087bdc7d4a4b1 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oidcconnectors.yaml
@@ -123,8 +123,7 @@ spec:
type: string
type: object
status:
- description: TeleportOIDCConnectorStatus defines the observed state of
- TeleportOIDCConnector
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
index b16ac422df459..f6077e45c357f 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_oktaimportrules.yaml
@@ -95,6 +95,7 @@ spec:
type: integer
type: object
status:
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
index 2b06cd779fb92..5d0fd744f42d9 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_provisiontokens.yaml
@@ -330,8 +330,7 @@ spec:
type: object
type: object
status:
- description: TeleportProvisionTokenStatus defines the observed state of
- TeleportProvisionToken
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
index d80e41f657dc0..7c2d9d259ae24 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_roles.yaml
@@ -1128,7 +1128,7 @@ spec:
type: object
type: object
status:
- description: TeleportRoleStatus defines the observed state of TeleportRole
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
@@ -1210,1204 +1210,6 @@ spec:
storage: true
subresources:
status: {}
- - name: v6
- schema:
- openAPIV3Schema:
- description: Role is the Schema for the roles API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Role resource definition v6 from Teleport
- properties:
- allow:
- description: Allow is the set of conditions evaluated to grant access.
- properties:
- app_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: AppLabels is a map of labels used as part of the
- RBAC system.
- type: object
- app_labels_expression:
- description: AppLabelsExpression is a predicate expression used
- to allow/deny access to Apps.
- type: string
- aws_role_arns:
- description: AWSRoleARNs is a list of AWS role ARNs this role
- is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- azure_identities:
- description: AzureIdentities is a list of Azure identities this
- role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- cluster_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: ClusterLabels is a map of node labels (used to dynamically
- grant access to clusters).
- type: object
- cluster_labels_expression:
- description: ClusterLabelsExpression is a predicate expression
- used to allow/deny access to remote Teleport clusters.
- type: string
- db_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseLabels are used in RBAC system to allow/deny
- access to databases.
- type: object
- db_labels_expression:
- description: DatabaseLabelsExpression is a predicate expression
- used to allow/deny access to Databases.
- type: string
- db_names:
- description: DatabaseNames is a list of database names this role
- is allowed to connect to.
- items:
- type: string
- nullable: true
- type: array
- db_roles:
- description: DatabaseRoles is a list of databases roles for automatic
- user creation.
- items:
- type: string
- nullable: true
- type: array
- db_service_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseServiceLabels are used in RBAC system to
- allow/deny access to Database Services.
- type: object
- db_service_labels_expression:
- description: DatabaseServiceLabelsExpression is a predicate expression
- used to allow/deny access to Database Services.
- type: string
- db_users:
- description: DatabaseUsers is a list of databases users this role
- is allowed to connect as.
- items:
- type: string
- nullable: true
- type: array
- desktop_groups:
- description: DesktopGroups is a list of groups for created desktop
- users to be added to
- items:
- type: string
- nullable: true
- type: array
- gcp_service_accounts:
- description: GCPServiceAccounts is a list of GCP service accounts
- this role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- group_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: GroupLabels is a map of labels used as part of the
- RBAC system.
- type: object
- group_labels_expression:
- description: GroupLabelsExpression is a predicate expression used
- to allow/deny access to user groups.
- type: string
- host_groups:
- description: HostGroups is a list of groups for created users
- to be added to
- items:
- type: string
- nullable: true
- type: array
- host_sudoers:
- description: HostSudoers is a list of entries to include in a
- users sudoer file
- items:
- type: string
- nullable: true
- type: array
- impersonate:
- description: Impersonate specifies what users and roles this role
- is allowed to impersonate by issuing certificates or other possible
- means.
- nullable: true
- properties:
- roles:
- description: Roles is a list of resources this role is allowed
- to impersonate
- items:
- type: string
- nullable: true
- type: array
- users:
- description: Users is a list of resources this role is allowed
- to impersonate, could be an empty list or a Wildcard pattern
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- join_sessions:
- description: JoinSessions specifies policies to allow users to
- join other sessions.
- items:
- properties:
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is a list of permitted participant modes
- for this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- roles:
- description: Roles is a list of roles that you can join
- the session of.
- items:
- type: string
- nullable: true
- type: array
- type: object
- nullable: true
- type: array
- kubernetes_groups:
- description: KubeGroups is a list of kubernetes groups
- items:
- type: string
- nullable: true
- type: array
- kubernetes_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: KubernetesLabels is a map of kubernetes cluster labels
- used for RBAC.
- type: object
- kubernetes_labels_expression:
- description: KubernetesLabelsExpression is a predicate expression
- used to allow/deny access to kubernetes clusters.
- type: string
- kubernetes_resources:
- description: KubernetesResources is the Kubernetes Resources this
- Role grants access to.
- items:
- properties:
- kind:
- description: Kind specifies the Kubernetes Resource type.
- At the moment only "pod" is supported.
- type: string
- name:
- description: Name is the resource name. It supports wildcards.
- type: string
- namespace:
- description: Namespace is the resource namespace. It supports
- wildcards.
- type: string
- verbs:
- description: Verbs are the allowed Kubernetes verbs for
- the following resource.
- items:
- type: string
- nullable: true
- type: array
- type: object
- type: array
- kubernetes_users:
- description: KubeUsers is an optional kubernetes users to impersonate
- items:
- type: string
- nullable: true
- type: array
- logins:
- description: Logins is a list of *nix system logins.
- items:
- type: string
- nullable: true
- type: array
- node_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: NodeLabels is a map of node labels (used to dynamically
- grant access to nodes).
- type: object
- node_labels_expression:
- description: NodeLabelsExpression is a predicate expression used
- to allow/deny access to SSH nodes.
- type: string
- request:
- nullable: true
- properties:
- annotations:
- additionalProperties:
- items:
- type: string
- type: array
- description: Annotations is a collection of annotations to
- be programmatically appended to pending access requests
- at the time of their creation. These annotations serve as
- a mechanism to propagate extra information to plugins. Since
- these annotations support variable interpolation syntax,
- they also offer a mechanism for forwarding claims from an
- external identity provider, to a plugin via {{ `{{external.trait_name}}` }}
- style substitutions.
- type: object
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- max_duration:
- description: MaxDuration is the amount of time the access
- will be granted for. If this is zero, the default duration
- is used.
- format: duration
- type: string
- roles:
- description: Roles is the name of roles which will match the
- request rule.
- items:
- type: string
- nullable: true
- type: array
- search_as_roles:
- description: SearchAsRoles is a list of extra roles which
- should apply to a user while they are searching for resources
- as part of a Resource Access Request, and defines the underlying
- roles which will be requested as part of any Resource Access
- Request.
- items:
- type: string
- nullable: true
- type: array
- suggested_reviewers:
- description: SuggestedReviewers is a list of reviewer suggestions. These
- can be teleport usernames, but that is not a requirement.
- items:
- type: string
- nullable: true
- type: array
- thresholds:
- description: Thresholds is a list of thresholds, one of which
- must be met in order for reviews to trigger a state-transition. If
- no thresholds are provided, a default threshold of 1 for
- approval and denial is used.
- items:
- properties:
- approve:
- description: Approve is the number of matching approvals
- needed for state-transition.
- format: int32
- type: integer
- deny:
- description: Deny is the number of denials needed for
- state-transition.
- format: int32
- type: integer
- filter:
- description: Filter is an optional predicate used to
- determine which reviews count toward this threshold.
- type: string
- name:
- description: Name is the optional human-readable name
- of the threshold.
- type: string
- type: object
- type: array
- type: object
- require_session_join:
- description: RequireSessionJoin specifies policies for required
- users to start a session.
- items:
- properties:
- count:
- description: Count is the amount of people that need to
- be matched for this policy to be fulfilled.
- format: int32
- type: integer
- filter:
- description: Filter is a predicate that determines what
- users count towards this policy.
- type: string
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is the list of modes that may be used
- to fulfill this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- on_leave:
- description: OnLeave is the behaviour that's used when the
- policy is no longer fulfilled for a live session.
- type: string
- type: object
- nullable: true
- type: array
- review_requests:
- description: ReviewRequests defines conditions for submitting
- access reviews.
- nullable: true
- properties:
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- preview_as_roles:
- description: PreviewAsRoles is a list of extra roles which
- should apply to a reviewer while they are viewing a Resource
- Access Request for the purposes of viewing details such
- as the hostname and labels of requested resources.
- items:
- type: string
- nullable: true
- type: array
- roles:
- description: Roles is the name of roles which may be reviewed.
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where is an optional predicate which further
- limits which requests are reviewable.
- type: string
- type: object
- rules:
- description: Rules is a list of rules and their access levels.
- Rules are a high level construct used for access control.
- items:
- properties:
- actions:
- description: Actions specifies optional actions taken when
- this rule matches
- items:
- type: string
- nullable: true
- type: array
- resources:
- description: Resources is a list of resources
- items:
- type: string
- nullable: true
- type: array
- verbs:
- description: Verbs is a list of verbs
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- type: array
- windows_desktop_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: WindowsDesktopLabels are used in the RBAC system
- to allow/deny access to Windows desktops.
- type: object
- windows_desktop_labels_expression:
- description: WindowsDesktopLabelsExpression is a predicate expression
- used to allow/deny access to Windows desktops.
- type: string
- windows_desktop_logins:
- description: WindowsDesktopLogins is a list of desktop login names
- allowed/denied for Windows desktops.
- items:
- type: string
- nullable: true
- type: array
- type: object
- deny:
- description: Deny is the set of conditions evaluated to deny access.
- Deny takes priority over allow.
- properties:
- app_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: AppLabels is a map of labels used as part of the
- RBAC system.
- type: object
- app_labels_expression:
- description: AppLabelsExpression is a predicate expression used
- to allow/deny access to Apps.
- type: string
- aws_role_arns:
- description: AWSRoleARNs is a list of AWS role ARNs this role
- is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- azure_identities:
- description: AzureIdentities is a list of Azure identities this
- role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- cluster_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: ClusterLabels is a map of node labels (used to dynamically
- grant access to clusters).
- type: object
- cluster_labels_expression:
- description: ClusterLabelsExpression is a predicate expression
- used to allow/deny access to remote Teleport clusters.
- type: string
- db_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseLabels are used in RBAC system to allow/deny
- access to databases.
- type: object
- db_labels_expression:
- description: DatabaseLabelsExpression is a predicate expression
- used to allow/deny access to Databases.
- type: string
- db_names:
- description: DatabaseNames is a list of database names this role
- is allowed to connect to.
- items:
- type: string
- nullable: true
- type: array
- db_roles:
- description: DatabaseRoles is a list of databases roles for automatic
- user creation.
- items:
- type: string
- nullable: true
- type: array
- db_service_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseServiceLabels are used in RBAC system to
- allow/deny access to Database Services.
- type: object
- db_service_labels_expression:
- description: DatabaseServiceLabelsExpression is a predicate expression
- used to allow/deny access to Database Services.
- type: string
- db_users:
- description: DatabaseUsers is a list of databases users this role
- is allowed to connect as.
- items:
- type: string
- nullable: true
- type: array
- desktop_groups:
- description: DesktopGroups is a list of groups for created desktop
- users to be added to
- items:
- type: string
- nullable: true
- type: array
- gcp_service_accounts:
- description: GCPServiceAccounts is a list of GCP service accounts
- this role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- group_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: GroupLabels is a map of labels used as part of the
- RBAC system.
- type: object
- group_labels_expression:
- description: GroupLabelsExpression is a predicate expression used
- to allow/deny access to user groups.
- type: string
- host_groups:
- description: HostGroups is a list of groups for created users
- to be added to
- items:
- type: string
- nullable: true
- type: array
- host_sudoers:
- description: HostSudoers is a list of entries to include in a
- users sudoer file
- items:
- type: string
- nullable: true
- type: array
- impersonate:
- description: Impersonate specifies what users and roles this role
- is allowed to impersonate by issuing certificates or other possible
- means.
- nullable: true
- properties:
- roles:
- description: Roles is a list of resources this role is allowed
- to impersonate
- items:
- type: string
- nullable: true
- type: array
- users:
- description: Users is a list of resources this role is allowed
- to impersonate, could be an empty list or a Wildcard pattern
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- join_sessions:
- description: JoinSessions specifies policies to allow users to
- join other sessions.
- items:
- properties:
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is a list of permitted participant modes
- for this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- roles:
- description: Roles is a list of roles that you can join
- the session of.
- items:
- type: string
- nullable: true
- type: array
- type: object
- nullable: true
- type: array
- kubernetes_groups:
- description: KubeGroups is a list of kubernetes groups
- items:
- type: string
- nullable: true
- type: array
- kubernetes_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: KubernetesLabels is a map of kubernetes cluster labels
- used for RBAC.
- type: object
- kubernetes_labels_expression:
- description: KubernetesLabelsExpression is a predicate expression
- used to allow/deny access to kubernetes clusters.
- type: string
- kubernetes_resources:
- description: KubernetesResources is the Kubernetes Resources this
- Role grants access to.
- items:
- properties:
- kind:
- description: Kind specifies the Kubernetes Resource type.
- At the moment only "pod" is supported.
- type: string
- name:
- description: Name is the resource name. It supports wildcards.
- type: string
- namespace:
- description: Namespace is the resource namespace. It supports
- wildcards.
- type: string
- verbs:
- description: Verbs are the allowed Kubernetes verbs for
- the following resource.
- items:
- type: string
- nullable: true
- type: array
- type: object
- type: array
- kubernetes_users:
- description: KubeUsers is an optional kubernetes users to impersonate
- items:
- type: string
- nullable: true
- type: array
- logins:
- description: Logins is a list of *nix system logins.
- items:
- type: string
- nullable: true
- type: array
- node_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: NodeLabels is a map of node labels (used to dynamically
- grant access to nodes).
- type: object
- node_labels_expression:
- description: NodeLabelsExpression is a predicate expression used
- to allow/deny access to SSH nodes.
- type: string
- request:
- nullable: true
- properties:
- annotations:
- additionalProperties:
- items:
- type: string
- type: array
- description: Annotations is a collection of annotations to
- be programmatically appended to pending access requests
- at the time of their creation. These annotations serve as
- a mechanism to propagate extra information to plugins. Since
- these annotations support variable interpolation syntax,
- they also offer a mechanism for forwarding claims from an
- external identity provider, to a plugin via {{ `{{external.trait_name}}` }}
- style substitutions.
- type: object
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- max_duration:
- description: MaxDuration is the amount of time the access
- will be granted for. If this is zero, the default duration
- is used.
- format: duration
- type: string
- roles:
- description: Roles is the name of roles which will match the
- request rule.
- items:
- type: string
- nullable: true
- type: array
- search_as_roles:
- description: SearchAsRoles is a list of extra roles which
- should apply to a user while they are searching for resources
- as part of a Resource Access Request, and defines the underlying
- roles which will be requested as part of any Resource Access
- Request.
- items:
- type: string
- nullable: true
- type: array
- suggested_reviewers:
- description: SuggestedReviewers is a list of reviewer suggestions. These
- can be teleport usernames, but that is not a requirement.
- items:
- type: string
- nullable: true
- type: array
- thresholds:
- description: Thresholds is a list of thresholds, one of which
- must be met in order for reviews to trigger a state-transition. If
- no thresholds are provided, a default threshold of 1 for
- approval and denial is used.
- items:
- properties:
- approve:
- description: Approve is the number of matching approvals
- needed for state-transition.
- format: int32
- type: integer
- deny:
- description: Deny is the number of denials needed for
- state-transition.
- format: int32
- type: integer
- filter:
- description: Filter is an optional predicate used to
- determine which reviews count toward this threshold.
- type: string
- name:
- description: Name is the optional human-readable name
- of the threshold.
- type: string
- type: object
- type: array
- type: object
- require_session_join:
- description: RequireSessionJoin specifies policies for required
- users to start a session.
- items:
- properties:
- count:
- description: Count is the amount of people that need to
- be matched for this policy to be fulfilled.
- format: int32
- type: integer
- filter:
- description: Filter is a predicate that determines what
- users count towards this policy.
- type: string
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is the list of modes that may be used
- to fulfill this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- on_leave:
- description: OnLeave is the behaviour that's used when the
- policy is no longer fulfilled for a live session.
- type: string
- type: object
- nullable: true
- type: array
- review_requests:
- description: ReviewRequests defines conditions for submitting
- access reviews.
- nullable: true
- properties:
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- preview_as_roles:
- description: PreviewAsRoles is a list of extra roles which
- should apply to a reviewer while they are viewing a Resource
- Access Request for the purposes of viewing details such
- as the hostname and labels of requested resources.
- items:
- type: string
- nullable: true
- type: array
- roles:
- description: Roles is the name of roles which may be reviewed.
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where is an optional predicate which further
- limits which requests are reviewable.
- type: string
- type: object
- rules:
- description: Rules is a list of rules and their access levels.
- Rules are a high level construct used for access control.
- items:
- properties:
- actions:
- description: Actions specifies optional actions taken when
- this rule matches
- items:
- type: string
- nullable: true
- type: array
- resources:
- description: Resources is a list of resources
- items:
- type: string
- nullable: true
- type: array
- verbs:
- description: Verbs is a list of verbs
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- type: array
- windows_desktop_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: WindowsDesktopLabels are used in the RBAC system
- to allow/deny access to Windows desktops.
- type: object
- windows_desktop_labels_expression:
- description: WindowsDesktopLabelsExpression is a predicate expression
- used to allow/deny access to Windows desktops.
- type: string
- windows_desktop_logins:
- description: WindowsDesktopLogins is a list of desktop login names
- allowed/denied for Windows desktops.
- items:
- type: string
- nullable: true
- type: array
- type: object
- options:
- description: Options is for OpenSSH options like agent forwarding.
- properties:
- cert_extensions:
- description: CertExtensions specifies the key/values
- items:
- properties:
- mode:
- description: Mode is the type of extension to be used --
- currently critical-option is not supported
- x-kubernetes-int-or-string: true
- name:
- description: Name specifies the key to be used in the cert
- extension.
- type: string
- type:
- description: Type represents the certificate type being
- extended, only ssh is supported at this time.
- x-kubernetes-int-or-string: true
- value:
- description: Value specifies the value to be used in the
- cert extension.
- type: string
- type: object
- nullable: true
- type: array
- cert_format:
- description: CertificateFormat defines the format of the user
- certificate to allow compatibility with older versions of OpenSSH.
- type: string
- client_idle_timeout:
- description: ClientIdleTimeout sets disconnect clients on idle
- timeout behavior, if set to 0 means do not disconnect, otherwise
- is set to the idle duration.
- format: duration
- type: string
- create_db_user:
- description: CreateDatabaseUser enabled automatic database user
- creation.
- type: boolean
- create_db_user_mode:
- description: CreateDatabaseUserMode allows users to be automatically
- created on a database when not set to off.
- x-kubernetes-int-or-string: true
- create_desktop_user:
- description: CreateDesktopUser allows users to be automatically
- created on a Windows desktop
- type: boolean
- create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
- type: boolean
- create_host_user_mode:
- description: CreateHostUserMode allows users to be automatically
- created on a host when not set to off
- x-kubernetes-int-or-string: true
- desktop_clipboard:
- description: DesktopClipboard indicates whether clipboard sharing
- is allowed between the user's workstation and the remote desktop.
- It defaults to true unless explicitly set to false.
- type: boolean
- desktop_directory_sharing:
- description: DesktopDirectorySharing indicates whether directory
- sharing is allowed between the user's workstation and the remote
- desktop. It defaults to false unless explicitly set to true.
- type: boolean
- device_trust_mode:
- description: DeviceTrustMode is the device authorization mode
- used for the resources associated with the role. See DeviceTrust.Mode.
- Reserved for future use, not yet used by Teleport.
- type: string
- disconnect_expired_cert:
- description: DisconnectExpiredCert sets disconnect clients on
- expired certificates.
- type: boolean
- enhanced_recording:
- description: BPF defines what events to record for the BPF-based
- session recorder.
- items:
- type: string
- nullable: true
- type: array
- forward_agent:
- description: ForwardAgent is SSH agent forwarding.
- type: boolean
- idp:
- description: IDP is a set of options related to accessing IdPs
- within Teleport. Requires Teleport Enterprise.
- nullable: true
- properties:
- saml:
- description: SAML are options related to the Teleport SAML
- IdP.
- nullable: true
- properties:
- enabled:
- description: Enabled is set to true if this option allows
- access to the Teleport SAML IdP.
- type: boolean
- type: object
- type: object
- lock:
- description: Lock specifies the locking mode (strict|best_effort)
- to be applied with the role.
- type: string
- max_connections:
- description: MaxConnections defines the maximum number of concurrent
- connections a user may hold.
- format: int64
- type: integer
- max_kubernetes_connections:
- description: MaxKubernetesConnections defines the maximum number
- of concurrent Kubernetes sessions a user may hold.
- format: int64
- type: integer
- max_session_ttl:
- description: MaxSessionTTL defines how long a SSH session can
- last for.
- format: duration
- type: string
- max_sessions:
- description: MaxSessions defines the maximum number of concurrent
- sessions per connection.
- format: int64
- type: integer
- permit_x11_forwarding:
- description: PermitX11Forwarding authorizes use of X11 forwarding.
- type: boolean
- pin_source_ip:
- description: PinSourceIP forces the same client IP for certificate
- generation and usage
- type: boolean
- port_forwarding:
- description: PortForwarding defines if the certificate will have
- "permit-port-forwarding" in the certificate. PortForwarding
- is "yes" if not set, that's why this is a pointer
- type: boolean
- record_session:
- description: RecordDesktopSession indicates whether desktop access
- sessions should be recorded. It defaults to true unless explicitly
- set to false.
- nullable: true
- properties:
- default:
- description: Default indicates the default value for the services.
- type: string
- desktop:
- description: Desktop indicates whether desktop sessions should
- be recorded. It defaults to true unless explicitly set to
- false.
- type: boolean
- ssh:
- description: SSH indicates the session mode used on SSH sessions.
- type: string
- type: object
- request_access:
- description: RequestAccess defines the access request strategy
- (optional|note|always) where optional is the default.
- type: string
- request_prompt:
- description: RequestPrompt is an optional message which tells
- users what they aught to request.
- type: string
- require_session_mfa:
- description: RequireMFAType is the type of MFA requirement enforced
- for this user.
- x-kubernetes-int-or-string: true
- ssh_file_copy:
- description: SSHFileCopy indicates whether remote file operations
- via SCP or SFTP are allowed over an SSH session. It defaults
- to true unless explicitly set to false.
- type: boolean
- type: object
- type: object
- status:
- description: TeleportRoleStatus defines the observed state of TeleportRole
- properties:
- conditions:
- description: Conditions represent the latest available observations
- of an object's state
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- teleportResourceID:
- format: int64
- type: integer
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
status:
acceptedNames:
kind: ""
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml
new file mode 100644
index 0000000000000..ff98950361a89
--- /dev/null
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv6.yaml
@@ -0,0 +1,1221 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: teleportrolesv6.resources.teleport.dev
+spec:
+ group: resources.teleport.dev
+ names:
+ kind: TeleportRoleV6
+ listKind: TeleportRoleV6List
+ plural: teleportrolesv6
+ shortNames:
+ - rolev6
+ - rolesv6
+ singular: teleportrolev6
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: RoleV6 is the Schema for the rolesv6 API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Role resource definition v6 from Teleport
+ properties:
+ allow:
+ description: Allow is the set of conditions evaluated to grant access.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via {{ `{{external.trait_name}}` }}
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ deny:
+ description: Deny is the set of conditions evaluated to deny access.
+ Deny takes priority over allow.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via {{ `{{external.trait_name}}` }}
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ options:
+ description: Options is for OpenSSH options like agent forwarding.
+ properties:
+ cert_extensions:
+ description: CertExtensions specifies the key/values
+ items:
+ properties:
+ mode:
+ description: Mode is the type of extension to be used --
+ currently critical-option is not supported
+ x-kubernetes-int-or-string: true
+ name:
+ description: Name specifies the key to be used in the cert
+ extension.
+ type: string
+ type:
+ description: Type represents the certificate type being
+ extended, only ssh is supported at this time.
+ x-kubernetes-int-or-string: true
+ value:
+ description: Value specifies the value to be used in the
+ cert extension.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ cert_format:
+ description: CertificateFormat defines the format of the user
+ certificate to allow compatibility with older versions of OpenSSH.
+ type: string
+ client_idle_timeout:
+ description: ClientIdleTimeout sets disconnect clients on idle
+ timeout behavior, if set to 0 means do not disconnect, otherwise
+ is set to the idle duration.
+ format: duration
+ type: string
+ create_db_user:
+ description: CreateDatabaseUser enabled automatic database user
+ creation.
+ type: boolean
+ create_db_user_mode:
+ description: CreateDatabaseUserMode allows users to be automatically
+ created on a database when not set to off.
+ x-kubernetes-int-or-string: true
+ create_desktop_user:
+ description: CreateDesktopUser allows users to be automatically
+ created on a Windows desktop
+ type: boolean
+ create_host_user:
+ description: CreateHostUser allows users to be automatically created
+ on a host
+ type: boolean
+ create_host_user_mode:
+ description: CreateHostUserMode allows users to be automatically
+ created on a host when not set to off
+ x-kubernetes-int-or-string: true
+ desktop_clipboard:
+ description: DesktopClipboard indicates whether clipboard sharing
+ is allowed between the user's workstation and the remote desktop.
+ It defaults to true unless explicitly set to false.
+ type: boolean
+ desktop_directory_sharing:
+ description: DesktopDirectorySharing indicates whether directory
+ sharing is allowed between the user's workstation and the remote
+ desktop. It defaults to false unless explicitly set to true.
+ type: boolean
+ device_trust_mode:
+ description: DeviceTrustMode is the device authorization mode
+ used for the resources associated with the role. See DeviceTrust.Mode.
+ Reserved for future use, not yet used by Teleport.
+ type: string
+ disconnect_expired_cert:
+ description: DisconnectExpiredCert sets disconnect clients on
+ expired certificates.
+ type: boolean
+ enhanced_recording:
+ description: BPF defines what events to record for the BPF-based
+ session recorder.
+ items:
+ type: string
+ nullable: true
+ type: array
+ forward_agent:
+ description: ForwardAgent is SSH agent forwarding.
+ type: boolean
+ idp:
+ description: IDP is a set of options related to accessing IdPs
+ within Teleport. Requires Teleport Enterprise.
+ nullable: true
+ properties:
+ saml:
+ description: SAML are options related to the Teleport SAML
+ IdP.
+ nullable: true
+ properties:
+ enabled:
+ description: Enabled is set to true if this option allows
+ access to the Teleport SAML IdP.
+ type: boolean
+ type: object
+ type: object
+ lock:
+ description: Lock specifies the locking mode (strict|best_effort)
+ to be applied with the role.
+ type: string
+ max_connections:
+ description: MaxConnections defines the maximum number of concurrent
+ connections a user may hold.
+ format: int64
+ type: integer
+ max_kubernetes_connections:
+ description: MaxKubernetesConnections defines the maximum number
+ of concurrent Kubernetes sessions a user may hold.
+ format: int64
+ type: integer
+ max_session_ttl:
+ description: MaxSessionTTL defines how long a SSH session can
+ last for.
+ format: duration
+ type: string
+ max_sessions:
+ description: MaxSessions defines the maximum number of concurrent
+ sessions per connection.
+ format: int64
+ type: integer
+ permit_x11_forwarding:
+ description: PermitX11Forwarding authorizes use of X11 forwarding.
+ type: boolean
+ pin_source_ip:
+ description: PinSourceIP forces the same client IP for certificate
+ generation and usage
+ type: boolean
+ port_forwarding:
+ description: PortForwarding defines if the certificate will have
+ "permit-port-forwarding" in the certificate. PortForwarding
+ is "yes" if not set, that's why this is a pointer
+ type: boolean
+ record_session:
+ description: RecordDesktopSession indicates whether desktop access
+ sessions should be recorded. It defaults to true unless explicitly
+ set to false.
+ nullable: true
+ properties:
+ default:
+ description: Default indicates the default value for the services.
+ type: string
+ desktop:
+ description: Desktop indicates whether desktop sessions should
+ be recorded. It defaults to true unless explicitly set to
+ false.
+ type: boolean
+ ssh:
+ description: SSH indicates the session mode used on SSH sessions.
+ type: string
+ type: object
+ request_access:
+ description: RequestAccess defines the access request strategy
+ (optional|note|always) where optional is the default.
+ type: string
+ request_prompt:
+ description: RequestPrompt is an optional message which tells
+ users what they aught to request.
+ type: string
+ require_session_mfa:
+ description: RequireMFAType is the type of MFA requirement enforced
+ for this user.
+ x-kubernetes-int-or-string: true
+ ssh_file_copy:
+ description: SSHFileCopy indicates whether remote file operations
+ via SCP or SFTP are allowed over an SSH session. It defaults
+ to true unless explicitly set to false.
+ type: boolean
+ type: object
+ type: object
+ status:
+ description: Status defines the observed state of the Teleport resource
+ properties:
+ conditions:
+ description: Conditions represent the latest available observations
+ of an object's state
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ teleportResourceID:
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml
new file mode 100644
index 0000000000000..aef922062327c
--- /dev/null
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_rolesv7.yaml
@@ -0,0 +1,1221 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: teleportrolesv7.resources.teleport.dev
+spec:
+ group: resources.teleport.dev
+ names:
+ kind: TeleportRoleV7
+ listKind: TeleportRoleV7List
+ plural: teleportrolesv7
+ shortNames:
+ - rolev7
+ - rolesv7
+ singular: teleportrolev7
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: RoleV7 is the Schema for the rolesv7 API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Role resource definition v7 from Teleport
+ properties:
+ allow:
+ description: Allow is the set of conditions evaluated to grant access.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via {{ `{{external.trait_name}}` }}
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ deny:
+ description: Deny is the set of conditions evaluated to deny access.
+ Deny takes priority over allow.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via {{ `{{external.trait_name}}` }}
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ options:
+ description: Options is for OpenSSH options like agent forwarding.
+ properties:
+ cert_extensions:
+ description: CertExtensions specifies the key/values
+ items:
+ properties:
+ mode:
+ description: Mode is the type of extension to be used --
+ currently critical-option is not supported
+ x-kubernetes-int-or-string: true
+ name:
+ description: Name specifies the key to be used in the cert
+ extension.
+ type: string
+ type:
+ description: Type represents the certificate type being
+ extended, only ssh is supported at this time.
+ x-kubernetes-int-or-string: true
+ value:
+ description: Value specifies the value to be used in the
+ cert extension.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ cert_format:
+ description: CertificateFormat defines the format of the user
+ certificate to allow compatibility with older versions of OpenSSH.
+ type: string
+ client_idle_timeout:
+ description: ClientIdleTimeout sets disconnect clients on idle
+ timeout behavior, if set to 0 means do not disconnect, otherwise
+ is set to the idle duration.
+ format: duration
+ type: string
+ create_db_user:
+ description: CreateDatabaseUser enabled automatic database user
+ creation.
+ type: boolean
+ create_db_user_mode:
+ description: CreateDatabaseUserMode allows users to be automatically
+ created on a database when not set to off.
+ x-kubernetes-int-or-string: true
+ create_desktop_user:
+ description: CreateDesktopUser allows users to be automatically
+ created on a Windows desktop
+ type: boolean
+ create_host_user:
+ description: CreateHostUser allows users to be automatically created
+ on a host
+ type: boolean
+ create_host_user_mode:
+ description: CreateHostUserMode allows users to be automatically
+ created on a host when not set to off
+ x-kubernetes-int-or-string: true
+ desktop_clipboard:
+ description: DesktopClipboard indicates whether clipboard sharing
+ is allowed between the user's workstation and the remote desktop.
+ It defaults to true unless explicitly set to false.
+ type: boolean
+ desktop_directory_sharing:
+ description: DesktopDirectorySharing indicates whether directory
+ sharing is allowed between the user's workstation and the remote
+ desktop. It defaults to false unless explicitly set to true.
+ type: boolean
+ device_trust_mode:
+ description: DeviceTrustMode is the device authorization mode
+ used for the resources associated with the role. See DeviceTrust.Mode.
+ Reserved for future use, not yet used by Teleport.
+ type: string
+ disconnect_expired_cert:
+ description: DisconnectExpiredCert sets disconnect clients on
+ expired certificates.
+ type: boolean
+ enhanced_recording:
+ description: BPF defines what events to record for the BPF-based
+ session recorder.
+ items:
+ type: string
+ nullable: true
+ type: array
+ forward_agent:
+ description: ForwardAgent is SSH agent forwarding.
+ type: boolean
+ idp:
+ description: IDP is a set of options related to accessing IdPs
+ within Teleport. Requires Teleport Enterprise.
+ nullable: true
+ properties:
+ saml:
+ description: SAML are options related to the Teleport SAML
+ IdP.
+ nullable: true
+ properties:
+ enabled:
+ description: Enabled is set to true if this option allows
+ access to the Teleport SAML IdP.
+ type: boolean
+ type: object
+ type: object
+ lock:
+ description: Lock specifies the locking mode (strict|best_effort)
+ to be applied with the role.
+ type: string
+ max_connections:
+ description: MaxConnections defines the maximum number of concurrent
+ connections a user may hold.
+ format: int64
+ type: integer
+ max_kubernetes_connections:
+ description: MaxKubernetesConnections defines the maximum number
+ of concurrent Kubernetes sessions a user may hold.
+ format: int64
+ type: integer
+ max_session_ttl:
+ description: MaxSessionTTL defines how long a SSH session can
+ last for.
+ format: duration
+ type: string
+ max_sessions:
+ description: MaxSessions defines the maximum number of concurrent
+ sessions per connection.
+ format: int64
+ type: integer
+ permit_x11_forwarding:
+ description: PermitX11Forwarding authorizes use of X11 forwarding.
+ type: boolean
+ pin_source_ip:
+ description: PinSourceIP forces the same client IP for certificate
+ generation and usage
+ type: boolean
+ port_forwarding:
+ description: PortForwarding defines if the certificate will have
+ "permit-port-forwarding" in the certificate. PortForwarding
+ is "yes" if not set, that's why this is a pointer
+ type: boolean
+ record_session:
+ description: RecordDesktopSession indicates whether desktop access
+ sessions should be recorded. It defaults to true unless explicitly
+ set to false.
+ nullable: true
+ properties:
+ default:
+ description: Default indicates the default value for the services.
+ type: string
+ desktop:
+ description: Desktop indicates whether desktop sessions should
+ be recorded. It defaults to true unless explicitly set to
+ false.
+ type: boolean
+ ssh:
+ description: SSH indicates the session mode used on SSH sessions.
+ type: string
+ type: object
+ request_access:
+ description: RequestAccess defines the access request strategy
+ (optional|note|always) where optional is the default.
+ type: string
+ request_prompt:
+ description: RequestPrompt is an optional message which tells
+ users what they aught to request.
+ type: string
+ require_session_mfa:
+ description: RequireMFAType is the type of MFA requirement enforced
+ for this user.
+ x-kubernetes-int-or-string: true
+ ssh_file_copy:
+ description: SSHFileCopy indicates whether remote file operations
+ via SCP or SFTP are allowed over an SSH session. It defaults
+ to true unless explicitly set to false.
+ type: boolean
+ type: object
+ type: object
+ status:
+ description: Status defines the observed state of the Teleport resource
+ properties:
+ conditions:
+ description: Conditions represent the latest available observations
+ of an object's state
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ teleportResourceID:
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
index dc51a28419136..caaa7f3a5fb1e 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_samlconnectors.yaml
@@ -120,8 +120,7 @@ spec:
type: string
type: object
status:
- description: TeleportSAMLConnectorStatus defines the observed state of
- TeleportSAMLConnector
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
index 01c405d0adeed..030a2b6f59bf8 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/templates/resources.teleport.dev_users.yaml
@@ -106,7 +106,7 @@ spec:
type: array
type: object
status:
- description: TeleportUserStatus defines the observed state of TeleportUser
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/apis/resources/status.go b/integrations/operator/apis/resources/status.go
new file mode 100644
index 0000000000000..0569ba6f525e0
--- /dev/null
+++ b/integrations/operator/apis/resources/status.go
@@ -0,0 +1,41 @@
+/*
+ * Teleport
+ * Copyright (C) 2023 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+package resources
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Status defines the observed state of the Teleport resource
+type Status struct {
+ // Conditions represent the latest available observations of an object's state
+ // +optional
+ Conditions []metav1.Condition `json:"conditions"`
+ // +optional
+ TeleportResourceID int64 `json:"teleportResourceID"`
+}
+
+// DeepCopyInto deep-copies one resource status into another.
+// Required to satisfy runtime.Object interface.
+func (status *Status) DeepCopyInto(out *Status) {
+ *out = Status{}
+ out.Conditions = make([]metav1.Condition, len(status.Conditions))
+ copy(out.Conditions, status.Conditions)
+ out.TeleportResourceID = status.TeleportResourceID
+}
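Review bot: `DeepCopyInto` does not preserve a nil `Conditions` slice: `make([]metav1.Condition, len(status.Conditions))` turns a nil input into a non-nil empty slice, whereas the generated code this file replaces only allocated inside `if in.Conditions != nil`, and with `omitempty` now dropped from the `conditions` tag the original and its copy serialize differently (`null` vs `[]`), which can trip any semantic-equality check a reconciler does before issuing a status update. The replaced generated code also provided a `DeepCopy()` method, which is missing here; nothing visible in the diff calls it, but callers elsewhere would no longer compile. The comment "Required to satisfy runtime.Object interface" is misleading, since `Status` is not a `runtime.Object`; it is presumably invoked from the root objects' generated `DeepCopyInto` via the `Status` field, so say that instead. Consider letting controller-gen own this with a `// +kubebuilder:object:generate=true` package marker so the copy stays in sync when fields are added; failing that, the hand-written version below keeps nil-ness and per-element deep copies.
```go
// DeepCopyInto deep-copies one resource status into another, preserving a nil
// Conditions slice so that an original and its copy serialize identically.
// The receiver must be non-nil.
func (status *Status) DeepCopyInto(out *Status) {
	*out = *status
	if status.Conditions != nil {
		out.Conditions = make([]metav1.Condition, len(status.Conditions))
		for i := range status.Conditions {
			status.Conditions[i].DeepCopyInto(&out.Conditions[i])
		}
	}
}

// DeepCopy returns a deep copy of the status, or nil for a nil receiver.
func (status *Status) DeepCopy() *Status {
	if status == nil {
		return nil
	}
	out := new(Status)
	status.DeepCopyInto(out)
	return out
}
```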
diff --git a/integrations/operator/apis/resources/v1/accesslist_types.go b/integrations/operator/apis/resources/v1/accesslist_types.go
index c1901c52f2751..96e316f1b457e 100644
--- a/integrations/operator/apis/resources/v1/accesslist_types.go
+++ b/integrations/operator/apis/resources/v1/accesslist_types.go
@@ -37,21 +37,13 @@ type TeleportAccessList struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportAccessListSpec `json:"spec,omitempty"`
- Status TeleportAccessListStatus `json:"status,omitempty"`
+ Spec TeleportAccessListSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
// TeleportAccessListSpec defines the desired state of TeleportProvisionToken
type TeleportAccessListSpec accesslist.Spec
-type TeleportAccessListStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID,omitempty"`
-}
-
//+kubebuilder:object:root=true
// TeleportAccessListList contains a list of TeleportAccessList
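Review bot: The comment on the context line directly below the rewritten struct, `// TeleportAccessListSpec defines the desired state of TeleportProvisionToken`, names the wrong resource; since this hunk already edits the adjacent `Status` field, it would be worth fixing it to `// TeleportAccessListSpec defines the desired state of TeleportAccessList` in the same change. The new `resources.Status` field relies on the `resources` package being imported in this file, and no import hunk appears in this diff, so it is presumably already imported above line 37; worth confirming the package still compiles rather than assuming.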
diff --git a/integrations/operator/apis/resources/v1/loginrule_types.go b/integrations/operator/apis/resources/v1/loginrule_types.go
index cdef6076d5184..0886e01632d2c 100644
--- a/integrations/operator/apis/resources/v1/loginrule_types.go
+++ b/integrations/operator/apis/resources/v1/loginrule_types.go
@@ -39,8 +39,8 @@ type TeleportLoginRule struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportLoginRuleSpec `json:"spec,omitempty"`
- Status TeleportLoginRuleStatus `json:"status,omitempty"`
+ Spec TeleportLoginRuleSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
// TeleportLoginRuleSpec matches the JSON of generated CRD spec
@@ -51,14 +51,6 @@ type TeleportLoginRuleSpec struct {
TraitsMap map[string][]string `json:"traits_map,omitempty"`
}
-type TeleportLoginRuleStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID,omitempty"`
-}
-
//+kubebuilder:object:root=true
// TeleportLoginRuleList contains a list of TeleportLoginRule
diff --git a/integrations/operator/apis/resources/v1/okta_import_rule.go b/integrations/operator/apis/resources/v1/okta_import_rule.go
index 565758669f608..afb2d210de16f 100644
--- a/integrations/operator/apis/resources/v1/okta_import_rule.go
+++ b/integrations/operator/apis/resources/v1/okta_import_rule.go
@@ -38,8 +38,8 @@ type TeleportOktaImportRule struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportOktaImportRuleSpec `json:"spec,omitempty"`
- Status TeleportOktaImportRuleStatus `json:"status,omitempty"`
+ Spec TeleportOktaImportRuleSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
// TeleportOktaImportRuleSpec matches the JSON of generated CRD spec
@@ -71,14 +71,6 @@ type TeleportOktaImportRuleList struct {
Items []TeleportOktaImportRule `json:"items"`
}
-type TeleportOktaImportRuleStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID,omitempty"`
-}
-
// ToTeleport returns an OktaImportRule, which wraps the actual
// [types.OktaImportRuleV1] and implements the necessary interface methods used
// by the TeleportResourceReconciler.
diff --git a/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go b/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go
index 65df96b7d764b..5f52e2e83dbb7 100644
--- a/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go
+++ b/integrations/operator/apis/resources/v1/zz_generated.deepcopy.go
@@ -23,7 +23,6 @@ along with this program. If not, see .
package v1
import (
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@@ -96,28 +95,6 @@ func (in *TeleportAccessListSpec) DeepCopy() *TeleportAccessListSpec {
return out
}
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportAccessListStatus) DeepCopyInto(out *TeleportAccessListStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]metav1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportAccessListStatus.
-func (in *TeleportAccessListStatus) DeepCopy() *TeleportAccessListStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportAccessListStatus)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TeleportLoginRule) DeepCopyInto(out *TeleportLoginRule) {
*out = *in
@@ -208,28 +185,6 @@ func (in *TeleportLoginRuleSpec) DeepCopy() *TeleportLoginRuleSpec {
return out
}
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportLoginRuleStatus) DeepCopyInto(out *TeleportLoginRuleStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]metav1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportLoginRuleStatus.
-func (in *TeleportLoginRuleStatus) DeepCopy() *TeleportLoginRuleStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportLoginRuleStatus)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TeleportOktaImportRule) DeepCopyInto(out *TeleportOktaImportRule) {
*out = *in
@@ -374,25 +329,3 @@ func (in *TeleportOktaImportRuleSpec) DeepCopy() *TeleportOktaImportRuleSpec {
in.DeepCopyInto(out)
return out
}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportOktaImportRuleStatus) DeepCopyInto(out *TeleportOktaImportRuleStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]metav1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportOktaImportRuleStatus.
-func (in *TeleportOktaImportRuleStatus) DeepCopy() *TeleportOktaImportRuleStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportOktaImportRuleStatus)
- in.DeepCopyInto(out)
- return out
-}
diff --git a/integrations/operator/apis/resources/v2/provisiontoken_types.go b/integrations/operator/apis/resources/v2/provisiontoken_types.go
index 63233b7fd035e..3a83abb98568b 100644
--- a/integrations/operator/apis/resources/v2/provisiontoken_types.go
+++ b/integrations/operator/apis/resources/v2/provisiontoken_types.go
@@ -32,15 +32,6 @@ func init() {
// TeleportProvisionTokenSpec defines the desired state of TeleportProvisionToken
type TeleportProvisionTokenSpec types.ProvisionTokenSpecV2
-// TeleportProvisionTokenStatus defines the observed state of TeleportProvisionToken
-type TeleportProvisionTokenStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID,omitempty"`
-}
-
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
@@ -49,8 +40,8 @@ type TeleportProvisionToken struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportProvisionTokenSpec `json:"spec,omitempty"`
- Status TeleportProvisionTokenStatus `json:"status,omitempty"`
+ Spec TeleportProvisionTokenSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
//+kubebuilder:object:root=true
diff --git a/integrations/operator/apis/resources/v2/samlconnector_types.go b/integrations/operator/apis/resources/v2/samlconnector_types.go
index 5d8ba62eeb3e8..b7a31d78ed471 100644
--- a/integrations/operator/apis/resources/v2/samlconnector_types.go
+++ b/integrations/operator/apis/resources/v2/samlconnector_types.go
@@ -32,15 +32,6 @@ func init() {
// TeleportSAMLConnectorSpec defines the desired state of TeleportSAMLConnector
type TeleportSAMLConnectorSpec types.SAMLConnectorSpecV2
-// TeleportSAMLConnectorStatus defines the observed state of TeleportSAMLConnector
-type TeleportSAMLConnectorStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID,omitempty"`
-}
-
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
@@ -49,8 +40,8 @@ type TeleportSAMLConnector struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportSAMLConnectorSpec `json:"spec,omitempty"`
- Status TeleportSAMLConnectorStatus `json:"status,omitempty"`
+ Spec TeleportSAMLConnectorSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
//+kubebuilder:object:root=true
diff --git a/integrations/operator/apis/resources/v2/user_types.go b/integrations/operator/apis/resources/v2/user_types.go
index e29d8e5148e4a..1043520d50a39 100644
--- a/integrations/operator/apis/resources/v2/user_types.go
+++ b/integrations/operator/apis/resources/v2/user_types.go
@@ -32,15 +32,6 @@ func init() {
// TeleportUserSpec defines the desired state of TeleportUser
type TeleportUserSpec types.UserSpecV2
-// TeleportUserStatus defines the observed state of TeleportUser
-type TeleportUserStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID,omitempty"`
-}
-
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
@@ -49,8 +40,8 @@ type TeleportUser struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportUserSpec `json:"spec,omitempty"`
- Status TeleportUserStatus `json:"status,omitempty"`
+ Spec TeleportUserSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
//+kubebuilder:object:root=true
diff --git a/integrations/operator/apis/resources/v2/zz_generated.deepcopy.go b/integrations/operator/apis/resources/v2/zz_generated.deepcopy.go
index e08148579fd01..7310b23d61c62 100644
--- a/integrations/operator/apis/resources/v2/zz_generated.deepcopy.go
+++ b/integrations/operator/apis/resources/v2/zz_generated.deepcopy.go
@@ -23,7 +23,6 @@ along with this program. If not, see .
package v2
import (
- "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@@ -96,28 +95,6 @@ func (in *TeleportProvisionTokenSpec) DeepCopy() *TeleportProvisionTokenSpec {
return out
}
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportProvisionTokenStatus) DeepCopyInto(out *TeleportProvisionTokenStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]v1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportProvisionTokenStatus.
-func (in *TeleportProvisionTokenStatus) DeepCopy() *TeleportProvisionTokenStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportProvisionTokenStatus)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TeleportSAMLConnector) DeepCopyInto(out *TeleportSAMLConnector) {
*out = *in
@@ -187,28 +164,6 @@ func (in *TeleportSAMLConnectorSpec) DeepCopy() *TeleportSAMLConnectorSpec {
return out
}
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportSAMLConnectorStatus) DeepCopyInto(out *TeleportSAMLConnectorStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]v1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportSAMLConnectorStatus.
-func (in *TeleportSAMLConnectorStatus) DeepCopy() *TeleportSAMLConnectorStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportSAMLConnectorStatus)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TeleportUser) DeepCopyInto(out *TeleportUser) {
*out = *in
@@ -277,25 +232,3 @@ func (in *TeleportUserSpec) DeepCopy() *TeleportUserSpec {
in.DeepCopyInto(out)
return out
}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportUserStatus) DeepCopyInto(out *TeleportUserStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]v1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportUserStatus.
-func (in *TeleportUserStatus) DeepCopy() *TeleportUserStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportUserStatus)
- in.DeepCopyInto(out)
- return out
-}
diff --git a/integrations/operator/apis/resources/v3/githubconnector_types.go b/integrations/operator/apis/resources/v3/githubconnector_types.go
index 6f8c6ade74253..6de2c59209207 100644
--- a/integrations/operator/apis/resources/v3/githubconnector_types.go
+++ b/integrations/operator/apis/resources/v3/githubconnector_types.go
@@ -32,15 +32,6 @@ func init() {
// TeleportGithubConnectorSpec defines the desired state of TeleportGithubConnector
type TeleportGithubConnectorSpec types.GithubConnectorSpecV3
-// TeleportGithubConnectorStatus defines the observed state of TeleportGithubConnector
-type TeleportGithubConnectorStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID,omitempty"`
-}
-
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
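Review bot: The removed TeleportGithubConnectorStatus carried `omitempty` on both fields (`json:"conditions,omitempty"`, `json:"teleportResourceID,omitempty"`), while the TeleportRoleStatus structs removed in the v5 and v6 role_types.go hunks did not (`json:"conditions"`, `json:"teleportResourceID"`), so a single shared resources.Status cannot preserve both tag sets and the serialized status of at least one CRD changes — for example a zero `teleportResourceID` or nil `conditions` being emitted where it was previously dropped, or the reverse. The replacement type is not in this diff, so I cannot tell which convention it adopts; please confirm the choice is deliberate and that the reconcilers' status updates, and any tests asserting on the status JSON, still behave the same. The same point applies to the oidcconnector_types.go hunk, which removes a struct with the same `omitempty` tags.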
@@ -49,8 +40,8 @@ type TeleportGithubConnector struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportGithubConnectorSpec `json:"spec,omitempty"`
- Status TeleportGithubConnectorStatus `json:"status,omitempty"`
+ Spec TeleportGithubConnectorSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
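Review bot: `resources.Status` is referenced here but no hunk in this file touches the import block (the file's first hunk starts at line 32, below the imports), so the `resources` package is presumably already imported; worth a glance that the file still builds without an added import. The generated DeepCopyInto for TeleportGithubConnector will now delegate to a DeepCopyInto on resources.Status, which this diff does not show, so the deepcopy for the `resources` package must have been regenerated alongside the per-version zz_generated.deepcopy.go files. A one-line doc comment on the new field would also help, e.g. `// Status is the shared observed state (conditions and Teleport resource ID) of this resource.` The same field swap appears in the oidcconnector_types.go and v5/v6 role_types.go hunks.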
//+kubebuilder:object:root=true
diff --git a/integrations/operator/apis/resources/v3/oidcconnector_types.go b/integrations/operator/apis/resources/v3/oidcconnector_types.go
index 02a8c8482068e..3eedf1d9b5264 100644
--- a/integrations/operator/apis/resources/v3/oidcconnector_types.go
+++ b/integrations/operator/apis/resources/v3/oidcconnector_types.go
@@ -34,15 +34,6 @@ func init() {
// TeleportOIDCConnectorSpec defines the desired state of TeleportOIDCConnector
type TeleportOIDCConnectorSpec types.OIDCConnectorSpecV3
-// TeleportOIDCConnectorStatus defines the observed state of TeleportOIDCConnector
-type TeleportOIDCConnectorStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions,omitempty"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID,omitempty"`
-}
-
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
@@ -51,8 +42,8 @@ type TeleportOIDCConnector struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportOIDCConnectorSpec `json:"spec,omitempty"`
- Status TeleportOIDCConnectorStatus `json:"status,omitempty"`
+ Spec TeleportOIDCConnectorSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
//+kubebuilder:object:root=true
diff --git a/integrations/operator/apis/resources/v3/zz_generated.deepcopy.go b/integrations/operator/apis/resources/v3/zz_generated.deepcopy.go
index 3b06f2e539bd9..c46eb7ee65078 100644
--- a/integrations/operator/apis/resources/v3/zz_generated.deepcopy.go
+++ b/integrations/operator/apis/resources/v3/zz_generated.deepcopy.go
@@ -23,7 +23,6 @@ along with this program. If not, see .
package v3
import (
- "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@@ -96,28 +95,6 @@ func (in *TeleportGithubConnectorSpec) DeepCopy() *TeleportGithubConnectorSpec {
return out
}
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportGithubConnectorStatus) DeepCopyInto(out *TeleportGithubConnectorStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]v1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportGithubConnectorStatus.
-func (in *TeleportGithubConnectorStatus) DeepCopy() *TeleportGithubConnectorStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportGithubConnectorStatus)
- in.DeepCopyInto(out)
- return out
-}
-
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *TeleportOIDCConnector) DeepCopyInto(out *TeleportOIDCConnector) {
*out = *in
@@ -186,25 +163,3 @@ func (in *TeleportOIDCConnectorSpec) DeepCopy() *TeleportOIDCConnectorSpec {
in.DeepCopyInto(out)
return out
}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportOIDCConnectorStatus) DeepCopyInto(out *TeleportOIDCConnectorStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]v1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportOIDCConnectorStatus.
-func (in *TeleportOIDCConnectorStatus) DeepCopy() *TeleportOIDCConnectorStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportOIDCConnectorStatus)
- in.DeepCopyInto(out)
- return out
-}
diff --git a/integrations/operator/apis/resources/v5/role_types.go b/integrations/operator/apis/resources/v5/role_types.go
index eccf839f567dd..64d11c7b274c9 100644
--- a/integrations/operator/apis/resources/v5/role_types.go
+++ b/integrations/operator/apis/resources/v5/role_types.go
@@ -32,15 +32,6 @@ func init() {
// TeleportRoleSpec defines the desired state of TeleportRole
type TeleportRoleSpec types.RoleSpecV6
-// TeleportRoleStatus defines the observed state of TeleportRole
-type TeleportRoleStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID"`
-}
-
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
@@ -49,8 +40,8 @@ type TeleportRole struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportRoleSpec `json:"spec,omitempty"`
- Status TeleportRoleStatus `json:"status,omitempty"`
+ Spec TeleportRoleSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
//+kubebuilder:object:root=true
diff --git a/integrations/operator/apis/resources/v5/zz_generated.deepcopy.go b/integrations/operator/apis/resources/v5/zz_generated.deepcopy.go
index 58d67381aacb5..e78d327215bfb 100644
--- a/integrations/operator/apis/resources/v5/zz_generated.deepcopy.go
+++ b/integrations/operator/apis/resources/v5/zz_generated.deepcopy.go
@@ -23,7 +23,6 @@ along with this program. If not, see .
package v5
import (
- "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@@ -95,25 +94,3 @@ func (in *TeleportRoleSpec) DeepCopy() *TeleportRoleSpec {
in.DeepCopyInto(out)
return out
}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportRoleStatus) DeepCopyInto(out *TeleportRoleStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]v1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportRoleStatus.
-func (in *TeleportRoleStatus) DeepCopy() *TeleportRoleStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportRoleStatus)
- in.DeepCopyInto(out)
- return out
-}
diff --git a/integrations/operator/apis/resources/v6/role_types.go b/integrations/operator/apis/resources/v6/role_types.go
index 7d74b29bf3be5..7c54c3e8d287a 100644
--- a/integrations/operator/apis/resources/v6/role_types.go
+++ b/integrations/operator/apis/resources/v6/role_types.go
@@ -32,15 +32,6 @@ func init() {
// TeleportRoleSpec defines the desired state of TeleportRole
type TeleportRoleSpec types.RoleSpecV6
-// TeleportRoleStatus defines the observed state of TeleportRole
-type TeleportRoleStatus struct {
- // Conditions represent the latest available observations of an object's state
- // +optional
- Conditions []metav1.Condition `json:"conditions"`
- // +optional
- TeleportResourceID int64 `json:"teleportResourceID"`
-}
-
//+kubebuilder:object:root=true
//+kubebuilder:subresource:status
@@ -49,8 +40,8 @@ type TeleportRole struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec TeleportRoleSpec `json:"spec,omitempty"`
- Status TeleportRoleStatus `json:"status,omitempty"`
+ Spec TeleportRoleSpec `json:"spec,omitempty"`
+ Status resources.Status `json:"status,omitempty"`
}
//+kubebuilder:object:root=true
diff --git a/integrations/operator/apis/resources/v6/zz_generated.deepcopy.go b/integrations/operator/apis/resources/v6/zz_generated.deepcopy.go
index a600ce7541d51..a8e4181ce874d 100644
--- a/integrations/operator/apis/resources/v6/zz_generated.deepcopy.go
+++ b/integrations/operator/apis/resources/v6/zz_generated.deepcopy.go
@@ -23,7 +23,6 @@ along with this program. If not, see .
package v6
import (
- "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
@@ -95,25 +94,3 @@ func (in *TeleportRoleSpec) DeepCopy() *TeleportRoleSpec {
in.DeepCopyInto(out)
return out
}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TeleportRoleStatus) DeepCopyInto(out *TeleportRoleStatus) {
- *out = *in
- if in.Conditions != nil {
- in, out := &in.Conditions, &out.Conditions
- *out = make([]v1.Condition, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeleportRoleStatus.
-func (in *TeleportRoleStatus) DeepCopy() *TeleportRoleStatus {
- if in == nil {
- return nil
- }
- out := new(TeleportRoleStatus)
- in.DeepCopyInto(out)
- return out
-}
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_accesslists.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_accesslists.yaml
index cabd7a92b984d..20b4fcef88676 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_accesslists.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_accesslists.yaml
@@ -201,6 +201,7 @@ spec:
type: string
type: object
status:
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_githubconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_githubconnectors.yaml
index a262e618b0154..b96d4eb6e8734 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_githubconnectors.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_githubconnectors.yaml
@@ -78,8 +78,7 @@ spec:
type: array
type: object
status:
- description: TeleportGithubConnectorStatus defines the observed state
- of TeleportGithubConnector
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_loginrules.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_loginrules.yaml
index cdb3a30050b51..7b5928ca4c255 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_loginrules.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_loginrules.yaml
@@ -57,6 +57,7 @@ spec:
type: object
type: object
status:
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml
index edd8bf5e13623..087bdc7d4a4b1 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_oidcconnectors.yaml
@@ -123,8 +123,7 @@ spec:
type: string
type: object
status:
- description: TeleportOIDCConnectorStatus defines the observed state of
- TeleportOIDCConnector
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_oktaimportrules.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_oktaimportrules.yaml
index b16ac422df459..f6077e45c357f 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_oktaimportrules.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_oktaimportrules.yaml
@@ -95,6 +95,7 @@ spec:
type: integer
type: object
status:
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml
index 2b06cd779fb92..5d0fd744f42d9 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_provisiontokens.yaml
@@ -330,8 +330,7 @@ spec:
type: object
type: object
status:
- description: TeleportProvisionTokenStatus defines the observed state of
- TeleportProvisionToken
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml
index 0864c45169eee..efb0953ce5759 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_roles.yaml
@@ -1128,7 +1128,7 @@ spec:
type: object
type: object
status:
- description: TeleportRoleStatus defines the observed state of TeleportRole
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
@@ -1210,1204 +1210,6 @@ spec:
storage: true
subresources:
status: {}
- - name: v6
- schema:
- openAPIV3Schema:
- description: Role is the Schema for the roles API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Role resource definition v6 from Teleport
- properties:
- allow:
- description: Allow is the set of conditions evaluated to grant access.
- properties:
- app_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: AppLabels is a map of labels used as part of the
- RBAC system.
- type: object
- app_labels_expression:
- description: AppLabelsExpression is a predicate expression used
- to allow/deny access to Apps.
- type: string
- aws_role_arns:
- description: AWSRoleARNs is a list of AWS role ARNs this role
- is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- azure_identities:
- description: AzureIdentities is a list of Azure identities this
- role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- cluster_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: ClusterLabels is a map of node labels (used to dynamically
- grant access to clusters).
- type: object
- cluster_labels_expression:
- description: ClusterLabelsExpression is a predicate expression
- used to allow/deny access to remote Teleport clusters.
- type: string
- db_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseLabels are used in RBAC system to allow/deny
- access to databases.
- type: object
- db_labels_expression:
- description: DatabaseLabelsExpression is a predicate expression
- used to allow/deny access to Databases.
- type: string
- db_names:
- description: DatabaseNames is a list of database names this role
- is allowed to connect to.
- items:
- type: string
- nullable: true
- type: array
- db_roles:
- description: DatabaseRoles is a list of databases roles for automatic
- user creation.
- items:
- type: string
- nullable: true
- type: array
- db_service_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseServiceLabels are used in RBAC system to
- allow/deny access to Database Services.
- type: object
- db_service_labels_expression:
- description: DatabaseServiceLabelsExpression is a predicate expression
- used to allow/deny access to Database Services.
- type: string
- db_users:
- description: DatabaseUsers is a list of databases users this role
- is allowed to connect as.
- items:
- type: string
- nullable: true
- type: array
- desktop_groups:
- description: DesktopGroups is a list of groups for created desktop
- users to be added to
- items:
- type: string
- nullable: true
- type: array
- gcp_service_accounts:
- description: GCPServiceAccounts is a list of GCP service accounts
- this role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- group_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: GroupLabels is a map of labels used as part of the
- RBAC system.
- type: object
- group_labels_expression:
- description: GroupLabelsExpression is a predicate expression used
- to allow/deny access to user groups.
- type: string
- host_groups:
- description: HostGroups is a list of groups for created users
- to be added to
- items:
- type: string
- nullable: true
- type: array
- host_sudoers:
- description: HostSudoers is a list of entries to include in a
- users sudoer file
- items:
- type: string
- nullable: true
- type: array
- impersonate:
- description: Impersonate specifies what users and roles this role
- is allowed to impersonate by issuing certificates or other possible
- means.
- nullable: true
- properties:
- roles:
- description: Roles is a list of resources this role is allowed
- to impersonate
- items:
- type: string
- nullable: true
- type: array
- users:
- description: Users is a list of resources this role is allowed
- to impersonate, could be an empty list or a Wildcard pattern
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- join_sessions:
- description: JoinSessions specifies policies to allow users to
- join other sessions.
- items:
- properties:
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is a list of permitted participant modes
- for this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- roles:
- description: Roles is a list of roles that you can join
- the session of.
- items:
- type: string
- nullable: true
- type: array
- type: object
- nullable: true
- type: array
- kubernetes_groups:
- description: KubeGroups is a list of kubernetes groups
- items:
- type: string
- nullable: true
- type: array
- kubernetes_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: KubernetesLabels is a map of kubernetes cluster labels
- used for RBAC.
- type: object
- kubernetes_labels_expression:
- description: KubernetesLabelsExpression is a predicate expression
- used to allow/deny access to kubernetes clusters.
- type: string
- kubernetes_resources:
- description: KubernetesResources is the Kubernetes Resources this
- Role grants access to.
- items:
- properties:
- kind:
- description: Kind specifies the Kubernetes Resource type.
- At the moment only "pod" is supported.
- type: string
- name:
- description: Name is the resource name. It supports wildcards.
- type: string
- namespace:
- description: Namespace is the resource namespace. It supports
- wildcards.
- type: string
- verbs:
- description: Verbs are the allowed Kubernetes verbs for
- the following resource.
- items:
- type: string
- nullable: true
- type: array
- type: object
- type: array
- kubernetes_users:
- description: KubeUsers is an optional kubernetes users to impersonate
- items:
- type: string
- nullable: true
- type: array
- logins:
- description: Logins is a list of *nix system logins.
- items:
- type: string
- nullable: true
- type: array
- node_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: NodeLabels is a map of node labels (used to dynamically
- grant access to nodes).
- type: object
- node_labels_expression:
- description: NodeLabelsExpression is a predicate expression used
- to allow/deny access to SSH nodes.
- type: string
- request:
- nullable: true
- properties:
- annotations:
- additionalProperties:
- items:
- type: string
- type: array
- description: Annotations is a collection of annotations to
- be programmatically appended to pending access requests
- at the time of their creation. These annotations serve as
- a mechanism to propagate extra information to plugins. Since
- these annotations support variable interpolation syntax,
- they also offer a mechanism for forwarding claims from an
- external identity provider, to a plugin via `{{external.trait_name}}`
- style substitutions.
- type: object
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- max_duration:
- description: MaxDuration is the amount of time the access
- will be granted for. If this is zero, the default duration
- is used.
- format: duration
- type: string
- roles:
- description: Roles is the name of roles which will match the
- request rule.
- items:
- type: string
- nullable: true
- type: array
- search_as_roles:
- description: SearchAsRoles is a list of extra roles which
- should apply to a user while they are searching for resources
- as part of a Resource Access Request, and defines the underlying
- roles which will be requested as part of any Resource Access
- Request.
- items:
- type: string
- nullable: true
- type: array
- suggested_reviewers:
- description: SuggestedReviewers is a list of reviewer suggestions. These
- can be teleport usernames, but that is not a requirement.
- items:
- type: string
- nullable: true
- type: array
- thresholds:
- description: Thresholds is a list of thresholds, one of which
- must be met in order for reviews to trigger a state-transition. If
- no thresholds are provided, a default threshold of 1 for
- approval and denial is used.
- items:
- properties:
- approve:
- description: Approve is the number of matching approvals
- needed for state-transition.
- format: int32
- type: integer
- deny:
- description: Deny is the number of denials needed for
- state-transition.
- format: int32
- type: integer
- filter:
- description: Filter is an optional predicate used to
- determine which reviews count toward this threshold.
- type: string
- name:
- description: Name is the optional human-readable name
- of the threshold.
- type: string
- type: object
- type: array
- type: object
- require_session_join:
- description: RequireSessionJoin specifies policies for required
- users to start a session.
- items:
- properties:
- count:
- description: Count is the amount of people that need to
- be matched for this policy to be fulfilled.
- format: int32
- type: integer
- filter:
- description: Filter is a predicate that determines what
- users count towards this policy.
- type: string
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is the list of modes that may be used
- to fulfill this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- on_leave:
- description: OnLeave is the behaviour that's used when the
- policy is no longer fulfilled for a live session.
- type: string
- type: object
- nullable: true
- type: array
- review_requests:
- description: ReviewRequests defines conditions for submitting
- access reviews.
- nullable: true
- properties:
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- preview_as_roles:
- description: PreviewAsRoles is a list of extra roles which
- should apply to a reviewer while they are viewing a Resource
- Access Request for the purposes of viewing details such
- as the hostname and labels of requested resources.
- items:
- type: string
- nullable: true
- type: array
- roles:
- description: Roles is the name of roles which may be reviewed.
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where is an optional predicate which further
- limits which requests are reviewable.
- type: string
- type: object
- rules:
- description: Rules is a list of rules and their access levels.
- Rules are a high level construct used for access control.
- items:
- properties:
- actions:
- description: Actions specifies optional actions taken when
- this rule matches
- items:
- type: string
- nullable: true
- type: array
- resources:
- description: Resources is a list of resources
- items:
- type: string
- nullable: true
- type: array
- verbs:
- description: Verbs is a list of verbs
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- type: array
- windows_desktop_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: WindowsDesktopLabels are used in the RBAC system
- to allow/deny access to Windows desktops.
- type: object
- windows_desktop_labels_expression:
- description: WindowsDesktopLabelsExpression is a predicate expression
- used to allow/deny access to Windows desktops.
- type: string
- windows_desktop_logins:
- description: WindowsDesktopLogins is a list of desktop login names
- allowed/denied for Windows desktops.
- items:
- type: string
- nullable: true
- type: array
- type: object
- deny:
- description: Deny is the set of conditions evaluated to deny access.
- Deny takes priority over allow.
- properties:
- app_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: AppLabels is a map of labels used as part of the
- RBAC system.
- type: object
- app_labels_expression:
- description: AppLabelsExpression is a predicate expression used
- to allow/deny access to Apps.
- type: string
- aws_role_arns:
- description: AWSRoleARNs is a list of AWS role ARNs this role
- is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- azure_identities:
- description: AzureIdentities is a list of Azure identities this
- role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- cluster_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: ClusterLabels is a map of node labels (used to dynamically
- grant access to clusters).
- type: object
- cluster_labels_expression:
- description: ClusterLabelsExpression is a predicate expression
- used to allow/deny access to remote Teleport clusters.
- type: string
- db_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseLabels are used in RBAC system to allow/deny
- access to databases.
- type: object
- db_labels_expression:
- description: DatabaseLabelsExpression is a predicate expression
- used to allow/deny access to Databases.
- type: string
- db_names:
- description: DatabaseNames is a list of database names this role
- is allowed to connect to.
- items:
- type: string
- nullable: true
- type: array
- db_roles:
- description: DatabaseRoles is a list of databases roles for automatic
- user creation.
- items:
- type: string
- nullable: true
- type: array
- db_service_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseServiceLabels are used in RBAC system to
- allow/deny access to Database Services.
- type: object
- db_service_labels_expression:
- description: DatabaseServiceLabelsExpression is a predicate expression
- used to allow/deny access to Database Services.
- type: string
- db_users:
- description: DatabaseUsers is a list of databases users this role
- is allowed to connect as.
- items:
- type: string
- nullable: true
- type: array
- desktop_groups:
- description: DesktopGroups is a list of groups for created desktop
- users to be added to
- items:
- type: string
- nullable: true
- type: array
- gcp_service_accounts:
- description: GCPServiceAccounts is a list of GCP service accounts
- this role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- group_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: GroupLabels is a map of labels used as part of the
- RBAC system.
- type: object
- group_labels_expression:
- description: GroupLabelsExpression is a predicate expression used
- to allow/deny access to user groups.
- type: string
- host_groups:
- description: HostGroups is a list of groups for created users
- to be added to
- items:
- type: string
- nullable: true
- type: array
- host_sudoers:
- description: HostSudoers is a list of entries to include in a
- users sudoer file
- items:
- type: string
- nullable: true
- type: array
- impersonate:
- description: Impersonate specifies what users and roles this role
- is allowed to impersonate by issuing certificates or other possible
- means.
- nullable: true
- properties:
- roles:
- description: Roles is a list of resources this role is allowed
- to impersonate
- items:
- type: string
- nullable: true
- type: array
- users:
- description: Users is a list of resources this role is allowed
- to impersonate, could be an empty list or a Wildcard pattern
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- join_sessions:
- description: JoinSessions specifies policies to allow users to
- join other sessions.
- items:
- properties:
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is a list of permitted participant modes
- for this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- roles:
- description: Roles is a list of roles that you can join
- the session of.
- items:
- type: string
- nullable: true
- type: array
- type: object
- nullable: true
- type: array
- kubernetes_groups:
- description: KubeGroups is a list of kubernetes groups
- items:
- type: string
- nullable: true
- type: array
- kubernetes_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: KubernetesLabels is a map of kubernetes cluster labels
- used for RBAC.
- type: object
- kubernetes_labels_expression:
- description: KubernetesLabelsExpression is a predicate expression
- used to allow/deny access to kubernetes clusters.
- type: string
- kubernetes_resources:
- description: KubernetesResources is the Kubernetes Resources this
- Role grants access to.
- items:
- properties:
- kind:
- description: Kind specifies the Kubernetes Resource type.
- At the moment only "pod" is supported.
- type: string
- name:
- description: Name is the resource name. It supports wildcards.
- type: string
- namespace:
- description: Namespace is the resource namespace. It supports
- wildcards.
- type: string
- verbs:
- description: Verbs are the allowed Kubernetes verbs for
- the following resource.
- items:
- type: string
- nullable: true
- type: array
- type: object
- type: array
- kubernetes_users:
- description: KubeUsers is an optional kubernetes users to impersonate
- items:
- type: string
- nullable: true
- type: array
- logins:
- description: Logins is a list of *nix system logins.
- items:
- type: string
- nullable: true
- type: array
- node_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: NodeLabels is a map of node labels (used to dynamically
- grant access to nodes).
- type: object
- node_labels_expression:
- description: NodeLabelsExpression is a predicate expression used
- to allow/deny access to SSH nodes.
- type: string
- request:
- nullable: true
- properties:
- annotations:
- additionalProperties:
- items:
- type: string
- type: array
- description: Annotations is a collection of annotations to
- be programmatically appended to pending access requests
- at the time of their creation. These annotations serve as
- a mechanism to propagate extra information to plugins. Since
- these annotations support variable interpolation syntax,
- they also offer a mechanism for forwarding claims from an
- external identity provider, to a plugin via `{{external.trait_name}}`
- style substitutions.
- type: object
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- max_duration:
- description: MaxDuration is the amount of time the access
- will be granted for. If this is zero, the default duration
- is used.
- format: duration
- type: string
- roles:
- description: Roles is the name of roles which will match the
- request rule.
- items:
- type: string
- nullable: true
- type: array
- search_as_roles:
- description: SearchAsRoles is a list of extra roles which
- should apply to a user while they are searching for resources
- as part of a Resource Access Request, and defines the underlying
- roles which will be requested as part of any Resource Access
- Request.
- items:
- type: string
- nullable: true
- type: array
- suggested_reviewers:
- description: SuggestedReviewers is a list of reviewer suggestions. These
- can be teleport usernames, but that is not a requirement.
- items:
- type: string
- nullable: true
- type: array
- thresholds:
- description: Thresholds is a list of thresholds, one of which
- must be met in order for reviews to trigger a state-transition. If
- no thresholds are provided, a default threshold of 1 for
- approval and denial is used.
- items:
- properties:
- approve:
- description: Approve is the number of matching approvals
- needed for state-transition.
- format: int32
- type: integer
- deny:
- description: Deny is the number of denials needed for
- state-transition.
- format: int32
- type: integer
- filter:
- description: Filter is an optional predicate used to
- determine which reviews count toward this threshold.
- type: string
- name:
- description: Name is the optional human-readable name
- of the threshold.
- type: string
- type: object
- type: array
- type: object
- require_session_join:
- description: RequireSessionJoin specifies policies for required
- users to start a session.
- items:
- properties:
- count:
- description: Count is the amount of people that need to
- be matched for this policy to be fulfilled.
- format: int32
- type: integer
- filter:
- description: Filter is a predicate that determines what
- users count towards this policy.
- type: string
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is the list of modes that may be used
- to fulfill this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- on_leave:
- description: OnLeave is the behaviour that's used when the
- policy is no longer fulfilled for a live session.
- type: string
- type: object
- nullable: true
- type: array
- review_requests:
- description: ReviewRequests defines conditions for submitting
- access reviews.
- nullable: true
- properties:
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- preview_as_roles:
- description: PreviewAsRoles is a list of extra roles which
- should apply to a reviewer while they are viewing a Resource
- Access Request for the purposes of viewing details such
- as the hostname and labels of requested resources.
- items:
- type: string
- nullable: true
- type: array
- roles:
- description: Roles is the name of roles which may be reviewed.
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where is an optional predicate which further
- limits which requests are reviewable.
- type: string
- type: object
- rules:
- description: Rules is a list of rules and their access levels.
- Rules are a high level construct used for access control.
- items:
- properties:
- actions:
- description: Actions specifies optional actions taken when
- this rule matches
- items:
- type: string
- nullable: true
- type: array
- resources:
- description: Resources is a list of resources
- items:
- type: string
- nullable: true
- type: array
- verbs:
- description: Verbs is a list of verbs
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- type: array
- windows_desktop_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: WindowsDesktopLabels are used in the RBAC system
- to allow/deny access to Windows desktops.
- type: object
- windows_desktop_labels_expression:
- description: WindowsDesktopLabelsExpression is a predicate expression
- used to allow/deny access to Windows desktops.
- type: string
- windows_desktop_logins:
- description: WindowsDesktopLogins is a list of desktop login names
- allowed/denied for Windows desktops.
- items:
- type: string
- nullable: true
- type: array
- type: object
- options:
- description: Options is for OpenSSH options like agent forwarding.
- properties:
- cert_extensions:
- description: CertExtensions specifies the key/values
- items:
- properties:
- mode:
- description: Mode is the type of extension to be used --
- currently critical-option is not supported
- x-kubernetes-int-or-string: true
- name:
- description: Name specifies the key to be used in the cert
- extension.
- type: string
- type:
- description: Type represents the certificate type being
- extended, only ssh is supported at this time.
- x-kubernetes-int-or-string: true
- value:
- description: Value specifies the value to be used in the
- cert extension.
- type: string
- type: object
- nullable: true
- type: array
- cert_format:
- description: CertificateFormat defines the format of the user
- certificate to allow compatibility with older versions of OpenSSH.
- type: string
- client_idle_timeout:
- description: ClientIdleTimeout sets disconnect clients on idle
- timeout behavior, if set to 0 means do not disconnect, otherwise
- is set to the idle duration.
- format: duration
- type: string
- create_db_user:
- description: CreateDatabaseUser enabled automatic database user
- creation.
- type: boolean
- create_db_user_mode:
- description: CreateDatabaseUserMode allows users to be automatically
- created on a database when not set to off.
- x-kubernetes-int-or-string: true
- create_desktop_user:
- description: CreateDesktopUser allows users to be automatically
- created on a Windows desktop
- type: boolean
- create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
- type: boolean
- create_host_user_mode:
- description: CreateHostUserMode allows users to be automatically
- created on a host when not set to off
- x-kubernetes-int-or-string: true
- desktop_clipboard:
- description: DesktopClipboard indicates whether clipboard sharing
- is allowed between the user's workstation and the remote desktop.
- It defaults to true unless explicitly set to false.
- type: boolean
- desktop_directory_sharing:
- description: DesktopDirectorySharing indicates whether directory
- sharing is allowed between the user's workstation and the remote
- desktop. It defaults to false unless explicitly set to true.
- type: boolean
- device_trust_mode:
- description: DeviceTrustMode is the device authorization mode
- used for the resources associated with the role. See DeviceTrust.Mode.
- Reserved for future use, not yet used by Teleport.
- type: string
- disconnect_expired_cert:
- description: DisconnectExpiredCert sets disconnect clients on
- expired certificates.
- type: boolean
- enhanced_recording:
- description: BPF defines what events to record for the BPF-based
- session recorder.
- items:
- type: string
- nullable: true
- type: array
- forward_agent:
- description: ForwardAgent is SSH agent forwarding.
- type: boolean
- idp:
- description: IDP is a set of options related to accessing IdPs
- within Teleport. Requires Teleport Enterprise.
- nullable: true
- properties:
- saml:
- description: SAML are options related to the Teleport SAML
- IdP.
- nullable: true
- properties:
- enabled:
- description: Enabled is set to true if this option allows
- access to the Teleport SAML IdP.
- type: boolean
- type: object
- type: object
- lock:
- description: Lock specifies the locking mode (strict|best_effort)
- to be applied with the role.
- type: string
- max_connections:
- description: MaxConnections defines the maximum number of concurrent
- connections a user may hold.
- format: int64
- type: integer
- max_kubernetes_connections:
- description: MaxKubernetesConnections defines the maximum number
- of concurrent Kubernetes sessions a user may hold.
- format: int64
- type: integer
- max_session_ttl:
- description: MaxSessionTTL defines how long a SSH session can
- last for.
- format: duration
- type: string
- max_sessions:
- description: MaxSessions defines the maximum number of concurrent
- sessions per connection.
- format: int64
- type: integer
- permit_x11_forwarding:
- description: PermitX11Forwarding authorizes use of X11 forwarding.
- type: boolean
- pin_source_ip:
- description: PinSourceIP forces the same client IP for certificate
- generation and usage
- type: boolean
- port_forwarding:
- description: PortForwarding defines if the certificate will have
- "permit-port-forwarding" in the certificate. PortForwarding
- is "yes" if not set, that's why this is a pointer
- type: boolean
- record_session:
- description: RecordDesktopSession indicates whether desktop access
- sessions should be recorded. It defaults to true unless explicitly
- set to false.
- nullable: true
- properties:
- default:
- description: Default indicates the default value for the services.
- type: string
- desktop:
- description: Desktop indicates whether desktop sessions should
- be recorded. It defaults to true unless explicitly set to
- false.
- type: boolean
- ssh:
- description: SSH indicates the session mode used on SSH sessions.
- type: string
- type: object
- request_access:
- description: RequestAccess defines the access request strategy
- (optional|note|always) where optional is the default.
- type: string
- request_prompt:
- description: RequestPrompt is an optional message which tells
- users what they aught to request.
- type: string
- require_session_mfa:
- description: RequireMFAType is the type of MFA requirement enforced
- for this user.
- x-kubernetes-int-or-string: true
- ssh_file_copy:
- description: SSHFileCopy indicates whether remote file operations
- via SCP or SFTP are allowed over an SSH session. It defaults
- to true unless explicitly set to false.
- type: boolean
- type: object
- type: object
- status:
- description: TeleportRoleStatus defines the observed state of TeleportRole
- properties:
- conditions:
- description: Conditions represent the latest available observations
- of an object's state
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- teleportResourceID:
- format: int64
- type: integer
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
status:
acceptedNames:
kind: ""
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml
new file mode 100644
index 0000000000000..709643feec3a1
--- /dev/null
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv6.yaml
@@ -0,0 +1,1221 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: teleportrolesv6.resources.teleport.dev
+spec:
+ group: resources.teleport.dev
+ names:
+ kind: TeleportRoleV6
+ listKind: TeleportRoleV6List
+ plural: teleportrolesv6
+ shortNames:
+ - rolev6
+ - rolesv6
+ singular: teleportrolev6
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: RoleV6 is the Schema for the rolesv6 API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Role resource definition v6 from Teleport
+ properties:
+ allow:
+ description: Allow is the set of conditions evaluated to grant access.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via `{{external.trait_name}}`
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ deny:
+ description: Deny is the set of conditions evaluated to deny access.
+ Deny takes priority over allow.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via `{{external.trait_name}}`
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ options:
+ description: Options is for OpenSSH options like agent forwarding.
+ properties:
+ cert_extensions:
+ description: CertExtensions specifies the key/values
+ items:
+ properties:
+ mode:
+ description: Mode is the type of extension to be used --
+ currently critical-option is not supported
+ x-kubernetes-int-or-string: true
+ name:
+ description: Name specifies the key to be used in the cert
+ extension.
+ type: string
+ type:
+ description: Type represents the certificate type being
+ extended, only ssh is supported at this time.
+ x-kubernetes-int-or-string: true
+ value:
+ description: Value specifies the value to be used in the
+ cert extension.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ cert_format:
+ description: CertificateFormat defines the format of the user
+ certificate to allow compatibility with older versions of OpenSSH.
+ type: string
+ client_idle_timeout:
+ description: ClientIdleTimeout sets disconnect clients on idle
+ timeout behavior, if set to 0 means do not disconnect, otherwise
+ is set to the idle duration.
+ format: duration
+ type: string
+ create_db_user:
+ description: CreateDatabaseUser enabled automatic database user
+ creation.
+ type: boolean
+ create_db_user_mode:
+ description: CreateDatabaseUserMode allows users to be automatically
+ created on a database when not set to off.
+ x-kubernetes-int-or-string: true
+ create_desktop_user:
+ description: CreateDesktopUser allows users to be automatically
+ created on a Windows desktop
+ type: boolean
+ create_host_user:
+ description: CreateHostUser allows users to be automatically created
+ on a host
+ type: boolean
+ create_host_user_mode:
+ description: CreateHostUserMode allows users to be automatically
+ created on a host when not set to off
+ x-kubernetes-int-or-string: true
+ desktop_clipboard:
+ description: DesktopClipboard indicates whether clipboard sharing
+ is allowed between the user's workstation and the remote desktop.
+ It defaults to true unless explicitly set to false.
+ type: boolean
+ desktop_directory_sharing:
+ description: DesktopDirectorySharing indicates whether directory
+ sharing is allowed between the user's workstation and the remote
+ desktop. It defaults to false unless explicitly set to true.
+ type: boolean
+ device_trust_mode:
+ description: DeviceTrustMode is the device authorization mode
+ used for the resources associated with the role. See DeviceTrust.Mode.
+ Reserved for future use, not yet used by Teleport.
+ type: string
+ disconnect_expired_cert:
+ description: DisconnectExpiredCert sets disconnect clients on
+ expired certificates.
+ type: boolean
+ enhanced_recording:
+ description: BPF defines what events to record for the BPF-based
+ session recorder.
+ items:
+ type: string
+ nullable: true
+ type: array
+ forward_agent:
+ description: ForwardAgent is SSH agent forwarding.
+ type: boolean
+ idp:
+ description: IDP is a set of options related to accessing IdPs
+ within Teleport. Requires Teleport Enterprise.
+ nullable: true
+ properties:
+ saml:
+ description: SAML are options related to the Teleport SAML
+ IdP.
+ nullable: true
+ properties:
+ enabled:
+ description: Enabled is set to true if this option allows
+ access to the Teleport SAML IdP.
+ type: boolean
+ type: object
+ type: object
+ lock:
+ description: Lock specifies the locking mode (strict|best_effort)
+ to be applied with the role.
+ type: string
+ max_connections:
+ description: MaxConnections defines the maximum number of concurrent
+ connections a user may hold.
+ format: int64
+ type: integer
+ max_kubernetes_connections:
+ description: MaxKubernetesConnections defines the maximum number
+ of concurrent Kubernetes sessions a user may hold.
+ format: int64
+ type: integer
+ max_session_ttl:
+ description: MaxSessionTTL defines how long a SSH session can
+ last for.
+ format: duration
+ type: string
+ max_sessions:
+ description: MaxSessions defines the maximum number of concurrent
+ sessions per connection.
+ format: int64
+ type: integer
+ permit_x11_forwarding:
+ description: PermitX11Forwarding authorizes use of X11 forwarding.
+ type: boolean
+ pin_source_ip:
+ description: PinSourceIP forces the same client IP for certificate
+ generation and usage
+ type: boolean
+ port_forwarding:
+ description: PortForwarding defines if the certificate will have
+ "permit-port-forwarding" in the certificate. PortForwarding
+ is "yes" if not set, that's why this is a pointer
+ type: boolean
+ record_session:
+ description: RecordDesktopSession indicates whether desktop access
+ sessions should be recorded. It defaults to true unless explicitly
+ set to false.
+ nullable: true
+ properties:
+ default:
+ description: Default indicates the default value for the services.
+ type: string
+ desktop:
+ description: Desktop indicates whether desktop sessions should
+ be recorded. It defaults to true unless explicitly set to
+ false.
+ type: boolean
+ ssh:
+ description: SSH indicates the session mode used on SSH sessions.
+ type: string
+ type: object
+ request_access:
+ description: RequestAccess defines the access request strategy
+ (optional|note|always) where optional is the default.
+ type: string
+ request_prompt:
+ description: RequestPrompt is an optional message which tells
+ users what they aught to request.
+ type: string
+ require_session_mfa:
+ description: RequireMFAType is the type of MFA requirement enforced
+ for this user.
+ x-kubernetes-int-or-string: true
+ ssh_file_copy:
+ description: SSHFileCopy indicates whether remote file operations
+ via SCP or SFTP are allowed over an SSH session. It defaults
+ to true unless explicitly set to false.
+ type: boolean
+ type: object
+ type: object
+ status:
+ description: Status defines the observed state of the Teleport resource
+ properties:
+ conditions:
+ description: Conditions represent the latest available observations
+ of an object's state
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ teleportResourceID:
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml
new file mode 100644
index 0000000000000..75363e092b2e8
--- /dev/null
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_rolesv7.yaml
@@ -0,0 +1,1221 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: teleportrolesv7.resources.teleport.dev
+spec:
+ group: resources.teleport.dev
+ names:
+ kind: TeleportRoleV7
+ listKind: TeleportRoleV7List
+ plural: teleportrolesv7
+ shortNames:
+ - rolev7
+ - rolesv7
+ singular: teleportrolev7
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: RoleV7 is the Schema for the rolesv7 API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Role resource definition v7 from Teleport
+ properties:
+ allow:
+ description: Allow is the set of conditions evaluated to grant access.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via `{{external.trait_name}}`
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ deny:
+ description: Deny is the set of conditions evaluated to deny access.
+ Deny takes priority over allow.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via `{{external.trait_name}}`
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ options:
+ description: Options is for OpenSSH options like agent forwarding.
+ properties:
+ cert_extensions:
+ description: CertExtensions specifies the key/values
+ items:
+ properties:
+ mode:
+ description: Mode is the type of extension to be used --
+ currently critical-option is not supported
+ x-kubernetes-int-or-string: true
+ name:
+ description: Name specifies the key to be used in the cert
+ extension.
+ type: string
+ type:
+ description: Type represents the certificate type being
+ extended, only ssh is supported at this time.
+ x-kubernetes-int-or-string: true
+ value:
+ description: Value specifies the value to be used in the
+ cert extension.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ cert_format:
+ description: CertificateFormat defines the format of the user
+ certificate to allow compatibility with older versions of OpenSSH.
+ type: string
+ client_idle_timeout:
+ description: ClientIdleTimeout sets disconnect clients on idle
+ timeout behavior, if set to 0 means do not disconnect, otherwise
+ is set to the idle duration.
+ format: duration
+ type: string
+ create_db_user:
+ description: CreateDatabaseUser enabled automatic database user
+ creation.
+ type: boolean
+ create_db_user_mode:
+ description: CreateDatabaseUserMode allows users to be automatically
+ created on a database when not set to off.
+ x-kubernetes-int-or-string: true
+ create_desktop_user:
+ description: CreateDesktopUser allows users to be automatically
+ created on a Windows desktop
+ type: boolean
+ create_host_user:
+ description: CreateHostUser allows users to be automatically created
+ on a host
+ type: boolean
+ create_host_user_mode:
+ description: CreateHostUserMode allows users to be automatically
+ created on a host when not set to off
+ x-kubernetes-int-or-string: true
+ desktop_clipboard:
+ description: DesktopClipboard indicates whether clipboard sharing
+ is allowed between the user's workstation and the remote desktop.
+ It defaults to true unless explicitly set to false.
+ type: boolean
+ desktop_directory_sharing:
+ description: DesktopDirectorySharing indicates whether directory
+ sharing is allowed between the user's workstation and the remote
+ desktop. It defaults to false unless explicitly set to true.
+ type: boolean
+ device_trust_mode:
+ description: DeviceTrustMode is the device authorization mode
+ used for the resources associated with the role. See DeviceTrust.Mode.
+ Reserved for future use, not yet used by Teleport.
+ type: string
+ disconnect_expired_cert:
+ description: DisconnectExpiredCert sets disconnect clients on
+ expired certificates.
+ type: boolean
+ enhanced_recording:
+ description: BPF defines what events to record for the BPF-based
+ session recorder.
+ items:
+ type: string
+ nullable: true
+ type: array
+ forward_agent:
+ description: ForwardAgent is SSH agent forwarding.
+ type: boolean
+ idp:
+ description: IDP is a set of options related to accessing IdPs
+ within Teleport. Requires Teleport Enterprise.
+ nullable: true
+ properties:
+ saml:
+ description: SAML are options related to the Teleport SAML
+ IdP.
+ nullable: true
+ properties:
+ enabled:
+ description: Enabled is set to true if this option allows
+ access to the Teleport SAML IdP.
+ type: boolean
+ type: object
+ type: object
+ lock:
+ description: Lock specifies the locking mode (strict|best_effort)
+ to be applied with the role.
+ type: string
+ max_connections:
+ description: MaxConnections defines the maximum number of concurrent
+ connections a user may hold.
+ format: int64
+ type: integer
+ max_kubernetes_connections:
+ description: MaxKubernetesConnections defines the maximum number
+ of concurrent Kubernetes sessions a user may hold.
+ format: int64
+ type: integer
+ max_session_ttl:
+ description: MaxSessionTTL defines how long a SSH session can
+ last for.
+ format: duration
+ type: string
+ max_sessions:
+ description: MaxSessions defines the maximum number of concurrent
+ sessions per connection.
+ format: int64
+ type: integer
+ permit_x11_forwarding:
+ description: PermitX11Forwarding authorizes use of X11 forwarding.
+ type: boolean
+ pin_source_ip:
+ description: PinSourceIP forces the same client IP for certificate
+ generation and usage
+ type: boolean
+ port_forwarding:
+ description: PortForwarding defines if the certificate will have
+ "permit-port-forwarding" in the certificate. PortForwarding
+ is "yes" if not set, that's why this is a pointer
+ type: boolean
+ record_session:
+ description: RecordDesktopSession indicates whether desktop access
+ sessions should be recorded. It defaults to true unless explicitly
+ set to false.
+ nullable: true
+ properties:
+ default:
+ description: Default indicates the default value for the services.
+ type: string
+ desktop:
+ description: Desktop indicates whether desktop sessions should
+ be recorded. It defaults to true unless explicitly set to
+ false.
+ type: boolean
+ ssh:
+ description: SSH indicates the session mode used on SSH sessions.
+ type: string
+ type: object
+ request_access:
+ description: RequestAccess defines the access request strategy
+ (optional|note|always) where optional is the default.
+ type: string
+ request_prompt:
+ description: RequestPrompt is an optional message which tells
+ users what they aught to request.
+ type: string
+ require_session_mfa:
+ description: RequireMFAType is the type of MFA requirement enforced
+ for this user.
+ x-kubernetes-int-or-string: true
+ ssh_file_copy:
+ description: SSHFileCopy indicates whether remote file operations
+ via SCP or SFTP are allowed over an SSH session. It defaults
+ to true unless explicitly set to false.
+ type: boolean
+ type: object
+ type: object
+ status:
+ description: Status defines the observed state of the Teleport resource
+ properties:
+ conditions:
+ description: Conditions represent the latest available observations
+ of an object's state
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ teleportResourceID:
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml
index dc51a28419136..caaa7f3a5fb1e 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_samlconnectors.yaml
@@ -120,8 +120,7 @@ spec:
type: string
type: object
status:
- description: TeleportSAMLConnectorStatus defines the observed state of
- TeleportSAMLConnector
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml
index 01c405d0adeed..030a2b6f59bf8 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml
@@ -106,7 +106,7 @@ spec:
type: array
type: object
status:
- description: TeleportUserStatus defines the observed state of TeleportUser
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/controllers/resources/role_controller_test.go b/integrations/operator/controllers/resources/role_controller_test.go
index 36fdd55171a89..ce8f247f3d8ec 100644
--- a/integrations/operator/controllers/resources/role_controller_test.go
+++ b/integrations/operator/controllers/resources/role_controller_test.go
@@ -36,6 +36,7 @@ import (
"github.com/gravitational/teleport/api/types"
apiutils "github.com/gravitational/teleport/api/utils"
+ apiresources "github.com/gravitational/teleport/integrations/operator/apis/resources"
resourcesv5 "github.com/gravitational/teleport/integrations/operator/apis/resources/v5"
"github.com/gravitational/teleport/integrations/operator/controllers/resources"
)
@@ -409,7 +410,7 @@ func k8sCreateRole(ctx context.Context, t *testing.T, kc kclient.Client, role *r
func getRoleStatusConditionError(object map[string]interface{}) []metav1.Condition {
var conditionsWithError []metav1.Condition
- var status resourcesv5.TeleportRoleStatus
+ var status apiresources.Status
_ = mapstructure.Decode(object["status"], &status)
for _, condition := range status.Conditions {
diff --git a/integrations/operator/controllers/resources/user_controller_test.go b/integrations/operator/controllers/resources/user_controller_test.go
index 3192fc39cac99..38d56d3bf711a 100644
--- a/integrations/operator/controllers/resources/user_controller_test.go
+++ b/integrations/operator/controllers/resources/user_controller_test.go
@@ -37,8 +37,8 @@ import (
kclient "sigs.k8s.io/controller-runtime/pkg/client"
"github.com/gravitational/teleport/api/types"
+ apiresources "github.com/gravitational/teleport/integrations/operator/apis/resources"
v2 "github.com/gravitational/teleport/integrations/operator/apis/resources/v2"
- resourcesv5 "github.com/gravitational/teleport/integrations/operator/apis/resources/v5"
"github.com/gravitational/teleport/integrations/operator/controllers/resources"
"github.com/gravitational/teleport/integrations/operator/controllers/resources/testlib"
)
@@ -400,7 +400,7 @@ func k8sCreateUser(ctx context.Context, t *testing.T, kc kclient.Client, user *v
func getUserStatusConditionError(object map[string]interface{}) []metav1.Condition {
var conditionsWithError []metav1.Condition
- var status resourcesv5.TeleportRoleStatus
+ var status apiresources.Status
_ = mapstructure.Decode(object["status"], &status)
for _, condition := range status.Conditions {
diff --git a/integrations/operator/crdgen/handlerequest.go b/integrations/operator/crdgen/handlerequest.go
index 6ef0331b22a42..990a84af4bdfb 100644
--- a/integrations/operator/crdgen/handlerequest.go
+++ b/integrations/operator/crdgen/handlerequest.go
@@ -85,8 +85,12 @@ func generateSchema(file *File, groupName string, resp *gogoplugin.CodeGenerator
resources := []resource{
{name: "UserV2"},
+ // Role V5 is using the RoleV6 message
{name: "RoleV6", opts: []resourceSchemaOption{withVersionOverride(types.V5)}},
- {name: "RoleV6"},
+ // Role V6 and V7 have their own Kubernetes kind
+ {name: "RoleV6", opts: []resourceSchemaOption{withVersionInKindOverride()}},
+ // Role V7 is using the RoleV6 message
+ {name: "RoleV6", opts: []resourceSchemaOption{withVersionOverride(types.V7), withVersionInKindOverride()}},
{name: "SAMLConnectorV2"},
{name: "OIDCConnectorV3"},
{name: "GithubConnectorV3"},
@@ -122,10 +126,13 @@ func generateSchema(file *File, groupName string, resp *gogoplugin.CodeGenerator
}
for _, root := range generator.roots {
- crd := root.CustomResourceDefinition()
+ crd, err := root.CustomResourceDefinition()
+ if err != nil {
+ return trace.Wrap(err, "generating CRD")
+ }
data, err := yaml.Marshal(crd)
if err != nil {
- return trace.Wrap(err)
+ return trace.Wrap(err, "marshaling CRD")
}
name := fmt.Sprintf("%s_%s.yaml", groupName, root.pluralName)
content := string(data)
diff --git a/integrations/operator/crdgen/schemagen.go b/integrations/operator/crdgen/schemagen.go
index e550f9513e6c4..4d480828bca91 100644
--- a/integrations/operator/crdgen/schemagen.go
+++ b/integrations/operator/crdgen/schemagen.go
@@ -34,7 +34,13 @@ import (
"sigs.k8s.io/controller-tools/pkg/markers"
)
-const k8sKindPrefix = "Teleport"
+const (
+ k8sKindPrefix = "Teleport"
+ statusPackagePath = "github.com/gravitational/teleport/integrations/operator/apis"
+ statusPackageName = "resources"
+ statusPackage = statusPackagePath + "/" + statusPackageName
+ statusTypeName = "Status"
+)
// Add names to this array when adding support to new Teleport resources that could conflict with Kubernetes
var (
@@ -55,10 +61,21 @@ type RootSchema struct {
versions []SchemaVersion
name string
pluralName string
- kind string
+ // teleportKind is the kind of the Teleport resource
+ teleportKind string
+ // kubernetesKind is the kind of the Kubernetes resource. This is the
+ // teleportKind, prefixed by "Teleport" and potentially suffixed by the
+ // version. Since v15, resources with multiple versions are exposed through
+ // different kinds. At some point we will suffix all kinds by the version
+ // and deprecate the old resources.
+ kubernetesKind string
}
type SchemaVersion struct {
+ // Version is the Kubernetes CR API version. For single-version
+ // Teleport resource, this is equal to the Teleport resource Version for
+ // compatibility purposes. For multi-version resource, the value is always
+ // "v1" as the version is already in the CR kind.
Version string
Schema *Schema
}
@@ -92,8 +109,9 @@ func NewSchema() *Schema {
}
type resourceSchemaConfig struct {
- versionOverride string
- customSpecFields []string
+ versionOverride string
+ customSpecFields []string
+ kindContainsVersion bool
}
type resourceSchemaOption func(*resourceSchemaConfig)
@@ -104,6 +122,13 @@ func withVersionOverride(version string) resourceSchemaOption {
}
}
+// set this onlt on new multi-version resources
+func withVersionInKindOverride() resourceSchemaOption {
+ return func(cfg *resourceSchemaConfig) {
+ cfg.kindContainsVersion = true
+ }
+}
+
func withCustomSpecFields(customSpecFields []string) resourceSchemaOption {
return func(cfg *resourceSchemaConfig) {
cfg.customSpecFields = customSpecFields
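Review bot: The comment above `func withVersionInKindOverride()` has a typo (`onlt`) and is not a Go doc comment, since it does not begin with the identifier it documents, so it will not surface in godoc or editor hovers. Suggest replacing it with `// withVersionInKindOverride makes the generated Kubernetes kind carry the Teleport resource version as a suffix. Set this only on new multi-version resources.`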
@@ -165,20 +190,38 @@ func (generator *SchemaGenerator) addResource(file *File, name string, opts ...r
if cfg.versionOverride != "" {
resourceVersion = cfg.versionOverride
}
+ kubernetesKind := resourceKind
+ if cfg.kindContainsVersion {
+ kubernetesKind = resourceKind + strings.ToUpper(resourceVersion)
+ }
schema.Description = fmt.Sprintf("%s resource definition %s from Teleport", resourceKind, resourceVersion)
- root, ok := generator.roots[resourceKind]
+ root, ok := generator.roots[kubernetesKind]
if !ok {
+ pluralName := strings.ToLower(english.PluralWord(2, resourceKind, ""))
+ if cfg.kindContainsVersion {
+ pluralName = pluralName + resourceVersion
+ }
root = &RootSchema{
- groupName: generator.groupName,
- kind: resourceKind,
- name: strings.ToLower(resourceKind),
- pluralName: strings.ToLower(english.PluralWord(2, resourceKind, "")),
+ groupName: generator.groupName,
+ teleportKind: resourceKind,
+ kubernetesKind: kubernetesKind,
+ name: strings.ToLower(kubernetesKind),
+ pluralName: pluralName,
}
- generator.roots[resourceKind] = root
+ generator.roots[kubernetesKind] = root
+ }
+
+ // For legacy CRs with a single version, we use the Teleport version as the
+ // Kubernetes API version
+ kubernetesVersion := resourceVersion
+ if cfg.kindContainsVersion {
+ // For new multi-version resources we always set the version to "v1" as
+ // the Teleport version is also in the CR kind.
+ kubernetesVersion = "v1"
}
root.versions = append(root.versions, SchemaVersion{
- Version: resourceVersion,
+ Version: kubernetesVersion,
Schema: schema,
})
@@ -378,7 +421,7 @@ func (generator *SchemaGenerator) singularProp(field *Field, prop *apiextv1.JSON
return nil
}
-func (root RootSchema) CustomResourceDefinition() apiextv1.CustomResourceDefinition {
+func (root RootSchema) CustomResourceDefinition() (apiextv1.CustomResourceDefinition, error) {
crd := apiextv1.CustomResourceDefinition{
TypeMeta: metav1.TypeMeta{
APIVersion: apiextv1.SchemeGroupVersion.String(),
@@ -390,8 +433,8 @@ func (root RootSchema) CustomResourceDefinition() apiextv1.CustomResourceDefinit
Spec: apiextv1.CustomResourceDefinitionSpec{
Group: root.groupName,
Names: apiextv1.CustomResourceDefinitionNames{
- Kind: k8sKindPrefix + root.kind,
- ListKind: k8sKindPrefix + root.kind + "List",
+ Kind: k8sKindPrefix + root.kubernetesKind,
+ ListKind: k8sKindPrefix + root.kubernetesKind + "List",
Plural: strings.ToLower(k8sKindPrefix + root.pluralName),
Singular: strings.ToLower(k8sKindPrefix + root.name),
ShortNames: root.getShortNames(),
@@ -408,7 +451,11 @@ func (root RootSchema) CustomResourceDefinition() apiextv1.CustomResourceDefinit
registry := &markers.Registry{}
// CRD markers contain special markers used by the parser to discover properties
// e.g. `+kubebuilder:validation:Minimum=0`
- crdmarkers.Register(registry)
+ err := crdmarkers.Register(registry)
+ if err != nil {
+ return apiextv1.CustomResourceDefinition{},
+ trace.Wrap(err, "adding CRD markers to the registry")
+ }
parser := &crdtools.Parser{
Collector: &markers.Collector{Registry: registry},
Checker: &loader.TypeChecker{},
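Review bot: The error from crdmarkers.Register is declared at function scope and then only used in the immediately following check, which is the idiomatic place for an inline if-statement: `if err := crdmarkers.Register(registry); err != nil {`. This also keeps the later `statusSchema, err := getStatusSchema(parser)` from silently reusing the outer err variable. The enclosing CustomResourceDefinition method continues in the following hunks.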
@@ -417,31 +464,20 @@ func (root RootSchema) CustomResourceDefinition() apiextv1.CustomResourceDefinit
// Some types are special and require manual overrides, like metav1.Time.
crdtools.AddKnownTypes(parser)
- pkgs, err := loader.LoadRoots("github.com/gravitational/teleport/integrations/operator/apis/...")
+ // Status does not exist in Teleport, only in the CR.
+ // We parse go's AST to find its struct and convert it in a schema.
+ statusSchema, err := getStatusSchema(parser)
if err != nil {
- fmt.Printf("parser error: %s", err)
+ return apiextv1.CustomResourceDefinition{},
+ trace.Wrap(err, "getting status schema from go's AST")
}
for i, schemaVersion := range root.versions {
- var statusType crdtools.TypeIdent
- versionName := schemaVersion.Version
schema := schemaVersion.Schema
- for _, pkg := range pkgs {
- // This if is a bit janky, condition checking should be stronger
- if pkg.Name == versionName {
- parser.NeedPackage(pkg)
- statusType = crdtools.TypeIdent{
- Package: pkg,
- Name: fmt.Sprintf("%s%sStatus", k8sKindPrefix, root.kind),
- }
- // Kubernetes CRDs don't support $ref in openapi schemas, we need a flattened schema
- parser.NeedFlattenedSchemaFor(statusType)
- }
- }
crd.Spec.Versions = append(crd.Spec.Versions, apiextv1.CustomResourceDefinitionVersion{
- Name: versionName,
+ Name: schemaVersion.Version,
Served: true,
// Storage the first version available.
Storage: i == 0,
@@ -451,7 +487,7 @@ func (root RootSchema) CustomResourceDefinition() apiextv1.CustomResourceDefinit
Schema: &apiextv1.CustomResourceValidation{
OpenAPIV3Schema: &apiextv1.JSONSchemaProps{
Type: "object",
- Description: fmt.Sprintf("%s is the Schema for the %s API", root.kind, root.pluralName),
+ Description: fmt.Sprintf("%s is the Schema for the %s API", root.kubernetesKind, root.pluralName),
Properties: map[string]apiextv1.JSONSchemaProps{
"apiVersion": {
Type: "string",
@@ -463,13 +499,13 @@ func (root RootSchema) CustomResourceDefinition() apiextv1.CustomResourceDefinit
},
"metadata": {Type: "object"},
"spec": schema.JSONSchemaProps,
- "status": parser.FlattenedSchemata[statusType],
+ "status": statusSchema,
},
},
},
})
}
- return crd
+ return crd, nil
}
// getShortNames returns the schema short names while ensuring they won't conflict with existing Kubernetes resources
@@ -480,3 +516,25 @@ func (root RootSchema) getShortNames() []string {
}
return []string{root.name, root.pluralName}
}
+
+func getStatusSchema(parser *crdtools.Parser) (apiextv1.JSONSchemaProps, error) {
+ pkgs, err := loader.LoadRoots(statusPackage)
+ if err != nil {
+ // Loader errors might be non-critical.
+ // e.g. the loader complains about the unknown "toolchain" directive in our go mod
+ fmt.Printf("loader error: %s", err)
+ }
+ var statusType crdtools.TypeIdent
+ for _, pkg := range pkgs {
+ if pkg.Name == "resources" {
+ parser.NeedPackage(pkg)
+ statusType = crdtools.TypeIdent{
+ Package: pkg,
+ Name: statusTypeName,
+ }
+ parser.NeedFlattenedSchemaFor(statusType)
+ return parser.FlattenedSchemata[statusType], nil
+ }
+ }
+ return apiextv1.JSONSchemaProps{}, trace.NotFound("Package %q not found, cannot generate status JSON Schema", statusPackage)
+}
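Review bot: When loader.LoadRoots fails in a way that is actually fatal, pkgs is empty and getStatusSchema returns a NotFound error that says the package was not found while the real cause, the loader error, was only printed; the returned error should carry it, e.g. `return apiextv1.JSONSchemaProps{}, trace.NotFound("Package %q not found (loader error: %v), cannot generate status JSON Schema", statusPackage, err)`. The diagnostic itself is written with fmt.Printf to stdout without a trailing newline, so it can interleave with whatever the generator writes to stdout; writing it to stderr with a newline (`fmt.Fprintf(os.Stderr, "loader error: %s\n", err)`, adding the os import if the file lacks it) keeps generated output clean. The package match on `pkg.Name == "resources"` compares only the package name, not its import path; since the roots are limited to statusPackage this is presumably fine, but a comment saying so would document the assumption. statusPackage and statusTypeName are defined outside this hunk.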
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml
index 88cafa60554a5..4c9c2918d03ec 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_accesslists.yaml
@@ -170,6 +170,7 @@ spec:
type: string
type: object
status:
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_githubconnectors.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_githubconnectors.yaml
index a262e618b0154..b96d4eb6e8734 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_githubconnectors.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_githubconnectors.yaml
@@ -78,8 +78,7 @@ spec:
type: array
type: object
status:
- description: TeleportGithubConnectorStatus defines the observed state
- of TeleportGithubConnector
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_loginrules.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_loginrules.yaml
index cdb3a30050b51..7b5928ca4c255 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_loginrules.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_loginrules.yaml
@@ -57,6 +57,7 @@ spec:
type: object
type: object
status:
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml
index edd8bf5e13623..087bdc7d4a4b1 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oidcconnectors.yaml
@@ -123,8 +123,7 @@ spec:
type: string
type: object
status:
- description: TeleportOIDCConnectorStatus defines the observed state of
- TeleportOIDCConnector
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oktaimportrules.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oktaimportrules.yaml
index b16ac422df459..f6077e45c357f 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oktaimportrules.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_oktaimportrules.yaml
@@ -95,6 +95,7 @@ spec:
type: integer
type: object
status:
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml
index e5ee2931647b9..a27f54890e348 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_provisiontokens.yaml
@@ -263,8 +263,7 @@ spec:
type: object
type: object
status:
- description: TeleportProvisionTokenStatus defines the observed state of
- TeleportProvisionToken
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml
index 5678aae4b8eeb..6ae54691c5d4e 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_roles.yaml
@@ -1124,7 +1124,7 @@ spec:
type: object
type: object
status:
- description: TeleportRoleStatus defines the observed state of TeleportRole
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
@@ -1206,1200 +1206,6 @@ spec:
storage: true
subresources:
status: {}
- - name: v6
- schema:
- openAPIV3Schema:
- description: Role is the Schema for the roles API
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: Role resource definition v6 from Teleport
- properties:
- allow:
- description: Allow is the set of conditions evaluated to grant access.
- properties:
- app_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: AppLabels is a map of labels used as part of the
- RBAC system.
- type: object
- app_labels_expression:
- description: AppLabelsExpression is a predicate expression used
- to allow/deny access to Apps.
- type: string
- aws_role_arns:
- description: AWSRoleARNs is a list of AWS role ARNs this role
- is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- azure_identities:
- description: AzureIdentities is a list of Azure identities this
- role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- cluster_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: ClusterLabels is a map of node labels (used to dynamically
- grant access to clusters).
- type: object
- cluster_labels_expression:
- description: ClusterLabelsExpression is a predicate expression
- used to allow/deny access to remote Teleport clusters.
- type: string
- db_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseLabels are used in RBAC system to allow/deny
- access to databases.
- type: object
- db_labels_expression:
- description: DatabaseLabelsExpression is a predicate expression
- used to allow/deny access to Databases.
- type: string
- db_names:
- description: DatabaseNames is a list of database names this role
- is allowed to connect to.
- items:
- type: string
- nullable: true
- type: array
- db_roles:
- description: DatabaseRoles is a list of databases roles for automatic
- user creation.
- items:
- type: string
- nullable: true
- type: array
- db_service_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseServiceLabels are used in RBAC system to
- allow/deny access to Database Services.
- type: object
- db_service_labels_expression:
- description: DatabaseServiceLabelsExpression is a predicate expression
- used to allow/deny access to Database Services.
- type: string
- db_users:
- description: DatabaseUsers is a list of databases users this role
- is allowed to connect as.
- items:
- type: string
- nullable: true
- type: array
- desktop_groups:
- description: DesktopGroups is a list of groups for created desktop
- users to be added to
- items:
- type: string
- nullable: true
- type: array
- gcp_service_accounts:
- description: GCPServiceAccounts is a list of GCP service accounts
- this role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- group_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: GroupLabels is a map of labels used as part of the
- RBAC system.
- type: object
- group_labels_expression:
- description: GroupLabelsExpression is a predicate expression used
- to allow/deny access to user groups.
- type: string
- host_groups:
- description: HostGroups is a list of groups for created users
- to be added to
- items:
- type: string
- nullable: true
- type: array
- host_sudoers:
- description: HostSudoers is a list of entries to include in a
- users sudoer file
- items:
- type: string
- nullable: true
- type: array
- impersonate:
- description: Impersonate specifies what users and roles this role
- is allowed to impersonate by issuing certificates or other possible
- means.
- nullable: true
- properties:
- roles:
- description: Roles is a list of resources this role is allowed
- to impersonate
- items:
- type: string
- nullable: true
- type: array
- users:
- description: Users is a list of resources this role is allowed
- to impersonate, could be an empty list or a Wildcard pattern
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- join_sessions:
- description: JoinSessions specifies policies to allow users to
- join other sessions.
- items:
- properties:
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is a list of permitted participant modes
- for this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- roles:
- description: Roles is a list of roles that you can join
- the session of.
- items:
- type: string
- nullable: true
- type: array
- type: object
- nullable: true
- type: array
- kubernetes_groups:
- description: KubeGroups is a list of kubernetes groups
- items:
- type: string
- nullable: true
- type: array
- kubernetes_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: KubernetesLabels is a map of kubernetes cluster labels
- used for RBAC.
- type: object
- kubernetes_labels_expression:
- description: KubernetesLabelsExpression is a predicate expression
- used to allow/deny access to kubernetes clusters.
- type: string
- kubernetes_resources:
- description: KubernetesResources is the Kubernetes Resources this
- Role grants access to.
- items:
- properties:
- kind:
- description: Kind specifies the Kubernetes Resource type.
- At the moment only "pod" is supported.
- type: string
- name:
- description: Name is the resource name. It supports wildcards.
- type: string
- namespace:
- description: Namespace is the resource namespace. It supports
- wildcards.
- type: string
- verbs:
- description: Verbs are the allowed Kubernetes verbs for
- the following resource.
- items:
- type: string
- nullable: true
- type: array
- type: object
- type: array
- kubernetes_users:
- description: KubeUsers is an optional kubernetes users to impersonate
- items:
- type: string
- nullable: true
- type: array
- logins:
- description: Logins is a list of *nix system logins.
- items:
- type: string
- nullable: true
- type: array
- node_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: NodeLabels is a map of node labels (used to dynamically
- grant access to nodes).
- type: object
- node_labels_expression:
- description: NodeLabelsExpression is a predicate expression used
- to allow/deny access to SSH nodes.
- type: string
- request:
- nullable: true
- properties:
- annotations:
- additionalProperties:
- items:
- type: string
- type: array
- description: Annotations is a collection of annotations to
- be programmatically appended to pending access requests
- at the time of their creation. These annotations serve as
- a mechanism to propagate extra information to plugins. Since
- these annotations support variable interpolation syntax,
- they also offer a mechanism for forwarding claims from an
- external identity provider, to a plugin via `{{external.trait_name}}`
- style substitutions.
- type: object
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- max_duration:
- description: MaxDuration is the amount of time the access
- will be granted for. If this is zero, the default duration
- is used.
- format: duration
- type: string
- roles:
- description: Roles is the name of roles which will match the
- request rule.
- items:
- type: string
- nullable: true
- type: array
- search_as_roles:
- description: SearchAsRoles is a list of extra roles which
- should apply to a user while they are searching for resources
- as part of a Resource Access Request, and defines the underlying
- roles which will be requested as part of any Resource Access
- Request.
- items:
- type: string
- nullable: true
- type: array
- suggested_reviewers:
- description: SuggestedReviewers is a list of reviewer suggestions. These
- can be teleport usernames, but that is not a requirement.
- items:
- type: string
- nullable: true
- type: array
- thresholds:
- description: Thresholds is a list of thresholds, one of which
- must be met in order for reviews to trigger a state-transition. If
- no thresholds are provided, a default threshold of 1 for
- approval and denial is used.
- items:
- properties:
- approve:
- description: Approve is the number of matching approvals
- needed for state-transition.
- format: int32
- type: integer
- deny:
- description: Deny is the number of denials needed for
- state-transition.
- format: int32
- type: integer
- filter:
- description: Filter is an optional predicate used to
- determine which reviews count toward this threshold.
- type: string
- name:
- description: Name is the optional human-readable name
- of the threshold.
- type: string
- type: object
- type: array
- type: object
- require_session_join:
- description: RequireSessionJoin specifies policies for required
- users to start a session.
- items:
- properties:
- count:
- description: Count is the amount of people that need to
- be matched for this policy to be fulfilled.
- format: int32
- type: integer
- filter:
- description: Filter is a predicate that determines what
- users count towards this policy.
- type: string
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is the list of modes that may be used
- to fulfill this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- on_leave:
- description: OnLeave is the behaviour that's used when the
- policy is no longer fulfilled for a live session.
- type: string
- type: object
- nullable: true
- type: array
- review_requests:
- description: ReviewRequests defines conditions for submitting
- access reviews.
- nullable: true
- properties:
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- preview_as_roles:
- description: PreviewAsRoles is a list of extra roles which
- should apply to a reviewer while they are viewing a Resource
- Access Request for the purposes of viewing details such
- as the hostname and labels of requested resources.
- items:
- type: string
- nullable: true
- type: array
- roles:
- description: Roles is the name of roles which may be reviewed.
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where is an optional predicate which further
- limits which requests are reviewable.
- type: string
- type: object
- rules:
- description: Rules is a list of rules and their access levels.
- Rules are a high level construct used for access control.
- items:
- properties:
- actions:
- description: Actions specifies optional actions taken when
- this rule matches
- items:
- type: string
- nullable: true
- type: array
- resources:
- description: Resources is a list of resources
- items:
- type: string
- nullable: true
- type: array
- verbs:
- description: Verbs is a list of verbs
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- type: array
- windows_desktop_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: WindowsDesktopLabels are used in the RBAC system
- to allow/deny access to Windows desktops.
- type: object
- windows_desktop_labels_expression:
- description: WindowsDesktopLabelsExpression is a predicate expression
- used to allow/deny access to Windows desktops.
- type: string
- windows_desktop_logins:
- description: WindowsDesktopLogins is a list of desktop login names
- allowed/denied for Windows desktops.
- items:
- type: string
- nullable: true
- type: array
- type: object
- deny:
- description: Deny is the set of conditions evaluated to deny access.
- Deny takes priority over allow.
- properties:
- app_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: AppLabels is a map of labels used as part of the
- RBAC system.
- type: object
- app_labels_expression:
- description: AppLabelsExpression is a predicate expression used
- to allow/deny access to Apps.
- type: string
- aws_role_arns:
- description: AWSRoleARNs is a list of AWS role ARNs this role
- is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- azure_identities:
- description: AzureIdentities is a list of Azure identities this
- role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- cluster_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: ClusterLabels is a map of node labels (used to dynamically
- grant access to clusters).
- type: object
- cluster_labels_expression:
- description: ClusterLabelsExpression is a predicate expression
- used to allow/deny access to remote Teleport clusters.
- type: string
- db_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseLabels are used in RBAC system to allow/deny
- access to databases.
- type: object
- db_labels_expression:
- description: DatabaseLabelsExpression is a predicate expression
- used to allow/deny access to Databases.
- type: string
- db_names:
- description: DatabaseNames is a list of database names this role
- is allowed to connect to.
- items:
- type: string
- nullable: true
- type: array
- db_roles:
- description: DatabaseRoles is a list of databases roles for automatic
- user creation.
- items:
- type: string
- nullable: true
- type: array
- db_service_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: DatabaseServiceLabels are used in RBAC system to
- allow/deny access to Database Services.
- type: object
- db_service_labels_expression:
- description: DatabaseServiceLabelsExpression is a predicate expression
- used to allow/deny access to Database Services.
- type: string
- db_users:
- description: DatabaseUsers is a list of databases users this role
- is allowed to connect as.
- items:
- type: string
- nullable: true
- type: array
- desktop_groups:
- description: DesktopGroups is a list of groups for created desktop
- users to be added to
- items:
- type: string
- nullable: true
- type: array
- gcp_service_accounts:
- description: GCPServiceAccounts is a list of GCP service accounts
- this role is allowed to assume.
- items:
- type: string
- nullable: true
- type: array
- group_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: GroupLabels is a map of labels used as part of the
- RBAC system.
- type: object
- group_labels_expression:
- description: GroupLabelsExpression is a predicate expression used
- to allow/deny access to user groups.
- type: string
- host_groups:
- description: HostGroups is a list of groups for created users
- to be added to
- items:
- type: string
- nullable: true
- type: array
- host_sudoers:
- description: HostSudoers is a list of entries to include in a
- users sudoer file
- items:
- type: string
- nullable: true
- type: array
- impersonate:
- description: Impersonate specifies what users and roles this role
- is allowed to impersonate by issuing certificates or other possible
- means.
- nullable: true
- properties:
- roles:
- description: Roles is a list of resources this role is allowed
- to impersonate
- items:
- type: string
- nullable: true
- type: array
- users:
- description: Users is a list of resources this role is allowed
- to impersonate, could be an empty list or a Wildcard pattern
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- join_sessions:
- description: JoinSessions specifies policies to allow users to
- join other sessions.
- items:
- properties:
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is a list of permitted participant modes
- for this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- roles:
- description: Roles is a list of roles that you can join
- the session of.
- items:
- type: string
- nullable: true
- type: array
- type: object
- nullable: true
- type: array
- kubernetes_groups:
- description: KubeGroups is a list of kubernetes groups
- items:
- type: string
- nullable: true
- type: array
- kubernetes_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: KubernetesLabels is a map of kubernetes cluster labels
- used for RBAC.
- type: object
- kubernetes_labels_expression:
- description: KubernetesLabelsExpression is a predicate expression
- used to allow/deny access to kubernetes clusters.
- type: string
- kubernetes_resources:
- description: KubernetesResources is the Kubernetes Resources this
- Role grants access to.
- items:
- properties:
- kind:
- description: Kind specifies the Kubernetes Resource type.
- At the moment only "pod" is supported.
- type: string
- name:
- description: Name is the resource name. It supports wildcards.
- type: string
- namespace:
- description: Namespace is the resource namespace. It supports
- wildcards.
- type: string
- verbs:
- description: Verbs are the allowed Kubernetes verbs for
- the following resource.
- items:
- type: string
- nullable: true
- type: array
- type: object
- type: array
- kubernetes_users:
- description: KubeUsers is an optional kubernetes users to impersonate
- items:
- type: string
- nullable: true
- type: array
- logins:
- description: Logins is a list of *nix system logins.
- items:
- type: string
- nullable: true
- type: array
- node_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: NodeLabels is a map of node labels (used to dynamically
- grant access to nodes).
- type: object
- node_labels_expression:
- description: NodeLabelsExpression is a predicate expression used
- to allow/deny access to SSH nodes.
- type: string
- request:
- nullable: true
- properties:
- annotations:
- additionalProperties:
- items:
- type: string
- type: array
- description: Annotations is a collection of annotations to
- be programmatically appended to pending access requests
- at the time of their creation. These annotations serve as
- a mechanism to propagate extra information to plugins. Since
- these annotations support variable interpolation syntax,
- they also offer a mechanism for forwarding claims from an
- external identity provider, to a plugin via `{{external.trait_name}}`
- style substitutions.
- type: object
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- max_duration:
- description: MaxDuration is the amount of time the access
- will be granted for. If this is zero, the default duration
- is used.
- format: duration
- type: string
- roles:
- description: Roles is the name of roles which will match the
- request rule.
- items:
- type: string
- nullable: true
- type: array
- search_as_roles:
- description: SearchAsRoles is a list of extra roles which
- should apply to a user while they are searching for resources
- as part of a Resource Access Request, and defines the underlying
- roles which will be requested as part of any Resource Access
- Request.
- items:
- type: string
- nullable: true
- type: array
- suggested_reviewers:
- description: SuggestedReviewers is a list of reviewer suggestions. These
- can be teleport usernames, but that is not a requirement.
- items:
- type: string
- nullable: true
- type: array
- thresholds:
- description: Thresholds is a list of thresholds, one of which
- must be met in order for reviews to trigger a state-transition. If
- no thresholds are provided, a default threshold of 1 for
- approval and denial is used.
- items:
- properties:
- approve:
- description: Approve is the number of matching approvals
- needed for state-transition.
- format: int32
- type: integer
- deny:
- description: Deny is the number of denials needed for
- state-transition.
- format: int32
- type: integer
- filter:
- description: Filter is an optional predicate used to
- determine which reviews count toward this threshold.
- type: string
- name:
- description: Name is the optional human-readable name
- of the threshold.
- type: string
- type: object
- type: array
- type: object
- require_session_join:
- description: RequireSessionJoin specifies policies for required
- users to start a session.
- items:
- properties:
- count:
- description: Count is the amount of people that need to
- be matched for this policy to be fulfilled.
- format: int32
- type: integer
- filter:
- description: Filter is a predicate that determines what
- users count towards this policy.
- type: string
- kinds:
- description: Kinds are the session kinds this policy applies
- to.
- items:
- type: string
- nullable: true
- type: array
- modes:
- description: Modes is the list of modes that may be used
- to fulfill this policy.
- items:
- type: string
- nullable: true
- type: array
- name:
- description: Name is the name of the policy.
- type: string
- on_leave:
- description: OnLeave is the behaviour that's used when the
- policy is no longer fulfilled for a live session.
- type: string
- type: object
- nullable: true
- type: array
- review_requests:
- description: ReviewRequests defines conditions for submitting
- access reviews.
- nullable: true
- properties:
- claims_to_roles:
- description: ClaimsToRoles specifies a mapping from claims
- (traits) to teleport roles.
- items:
- properties:
- claim:
- description: Claim is a claim name.
- type: string
- roles:
- description: Roles is a list of static teleport roles
- to match.
- items:
- type: string
- nullable: true
- type: array
- value:
- description: Value is a claim value to match.
- type: string
- type: object
- type: array
- preview_as_roles:
- description: PreviewAsRoles is a list of extra roles which
- should apply to a reviewer while they are viewing a Resource
- Access Request for the purposes of viewing details such
- as the hostname and labels of requested resources.
- items:
- type: string
- nullable: true
- type: array
- roles:
- description: Roles is the name of roles which may be reviewed.
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where is an optional predicate which further
- limits which requests are reviewable.
- type: string
- type: object
- rules:
- description: Rules is a list of rules and their access levels.
- Rules are a high level construct used for access control.
- items:
- properties:
- actions:
- description: Actions specifies optional actions taken when
- this rule matches
- items:
- type: string
- nullable: true
- type: array
- resources:
- description: Resources is a list of resources
- items:
- type: string
- nullable: true
- type: array
- verbs:
- description: Verbs is a list of verbs
- items:
- type: string
- nullable: true
- type: array
- where:
- description: Where specifies optional advanced matcher
- type: string
- type: object
- type: array
- windows_desktop_labels:
- additionalProperties:
- x-kubernetes-preserve-unknown-fields: true
- description: WindowsDesktopLabels are used in the RBAC system
- to allow/deny access to Windows desktops.
- type: object
- windows_desktop_labels_expression:
- description: WindowsDesktopLabelsExpression is a predicate expression
- used to allow/deny access to Windows desktops.
- type: string
- windows_desktop_logins:
- description: WindowsDesktopLogins is a list of desktop login names
- allowed/denied for Windows desktops.
- items:
- type: string
- nullable: true
- type: array
- type: object
- options:
- description: Options is for OpenSSH options like agent forwarding.
- properties:
- cert_extensions:
- description: CertExtensions specifies the key/values
- items:
- properties:
- mode:
- description: Mode is the type of extension to be used --
- currently critical-option is not supported
- x-kubernetes-int-or-string: true
- name:
- description: Name specifies the key to be used in the cert
- extension.
- type: string
- type:
- description: Type represents the certificate type being
- extended, only ssh is supported at this time.
- x-kubernetes-int-or-string: true
- value:
- description: Value specifies the value to be used in the
- cert extension.
- type: string
- type: object
- nullable: true
- type: array
- cert_format:
- description: CertificateFormat defines the format of the user
- certificate to allow compatibility with older versions of OpenSSH.
- type: string
- client_idle_timeout:
- description: ClientIdleTimeout sets disconnect clients on idle
- timeout behavior, if set to 0 means do not disconnect, otherwise
- is set to the idle duration.
- format: duration
- type: string
- create_db_user:
- description: CreateDatabaseUser enabled automatic database user
- creation.
- type: boolean
- create_desktop_user:
- description: CreateDesktopUser allows users to be automatically
- created on a Windows desktop
- type: boolean
- create_host_user:
- description: CreateHostUser allows users to be automatically created
- on a host
- type: boolean
- create_host_user_mode:
- description: CreateHostUserMode allows users to be automatically
- created on a host when not set to off
- x-kubernetes-int-or-string: true
- desktop_clipboard:
- description: DesktopClipboard indicates whether clipboard sharing
- is allowed between the user's workstation and the remote desktop.
- It defaults to true unless explicitly set to false.
- type: boolean
- desktop_directory_sharing:
- description: DesktopDirectorySharing indicates whether directory
- sharing is allowed between the user's workstation and the remote
- desktop. It defaults to false unless explicitly set to true.
- type: boolean
- device_trust_mode:
- description: DeviceTrustMode is the device authorization mode
- used for the resources associated with the role. See DeviceTrust.Mode.
- Reserved for future use, not yet used by Teleport.
- type: string
- disconnect_expired_cert:
- description: DisconnectExpiredCert sets disconnect clients on
- expired certificates.
- type: boolean
- enhanced_recording:
- description: BPF defines what events to record for the BPF-based
- session recorder.
- items:
- type: string
- nullable: true
- type: array
- forward_agent:
- description: ForwardAgent is SSH agent forwarding.
- type: boolean
- idp:
- description: IDP is a set of options related to accessing IdPs
- within Teleport. Requires Teleport Enterprise.
- nullable: true
- properties:
- saml:
- description: SAML are options related to the Teleport SAML
- IdP.
- nullable: true
- properties:
- enabled:
- description: Enabled is set to true if this option allows
- access to the Teleport SAML IdP.
- type: boolean
- type: object
- type: object
- lock:
- description: Lock specifies the locking mode (strict|best_effort)
- to be applied with the role.
- type: string
- max_connections:
- description: MaxConnections defines the maximum number of concurrent
- connections a user may hold.
- format: int64
- type: integer
- max_kubernetes_connections:
- description: MaxKubernetesConnections defines the maximum number
- of concurrent Kubernetes sessions a user may hold.
- format: int64
- type: integer
- max_session_ttl:
- description: MaxSessionTTL defines how long a SSH session can
- last for.
- format: duration
- type: string
- max_sessions:
- description: MaxSessions defines the maximum number of concurrent
- sessions per connection.
- format: int64
- type: integer
- permit_x11_forwarding:
- description: PermitX11Forwarding authorizes use of X11 forwarding.
- type: boolean
- pin_source_ip:
- description: PinSourceIP forces the same client IP for certificate
- generation and usage
- type: boolean
- port_forwarding:
- description: PortForwarding defines if the certificate will have
- "permit-port-forwarding" in the certificate. PortForwarding
- is "yes" if not set, that's why this is a pointer
- type: boolean
- record_session:
- description: RecordDesktopSession indicates whether desktop access
- sessions should be recorded. It defaults to true unless explicitly
- set to false.
- nullable: true
- properties:
- default:
- description: Default indicates the default value for the services.
- type: string
- desktop:
- description: Desktop indicates whether desktop sessions should
- be recorded. It defaults to true unless explicitly set to
- false.
- type: boolean
- ssh:
- description: SSH indicates the session mode used on SSH sessions.
- type: string
- type: object
- request_access:
- description: RequestAccess defines the access request strategy
- (optional|note|always) where optional is the default.
- type: string
- request_prompt:
- description: RequestPrompt is an optional message which tells
- users what they aught to request.
- type: string
- require_session_mfa:
- description: RequireMFAType is the type of MFA requirement enforced
- for this user.
- x-kubernetes-int-or-string: true
- ssh_file_copy:
- description: SSHFileCopy indicates whether remote file operations
- via SCP or SFTP are allowed over an SSH session. It defaults
- to true unless explicitly set to false.
- type: boolean
- type: object
- type: object
- status:
- description: TeleportRoleStatus defines the observed state of TeleportRole
- properties:
- conditions:
- description: Conditions represent the latest available observations
- of an object's state
- items:
- description: "Condition contains details for one aspect of the current
- state of this API Resource.\n---\nThis struct is intended for
- direct use as an array at the field path .status.conditions. For
- example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
- observations of a foo's current state.\n\t // Known .status.conditions.type
- are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
- +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
- \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
- patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
- \ // other fields\n\t}"
- properties:
- lastTransitionTime:
- description: |-
- lastTransitionTime is the last time the condition transitioned from one status to another.
- This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
- format: date-time
- type: string
- message:
- description: |-
- message is a human readable message indicating details about the transition.
- This may be an empty string.
- maxLength: 32768
- type: string
- observedGeneration:
- description: |-
- observedGeneration represents the .metadata.generation that the condition was set based upon.
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
- with respect to the current state of the instance.
- format: int64
- minimum: 0
- type: integer
- reason:
- description: |-
- reason contains a programmatic identifier indicating the reason for the condition's last transition.
- Producers of specific condition types may define expected values and meanings for this field,
- and whether the values are considered a guaranteed API.
- The value should be a CamelCase string.
- This field may not be empty.
- maxLength: 1024
- minLength: 1
- pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
- type: string
- status:
- description: status of the condition, one of True, False, Unknown.
- enum:
- - "True"
- - "False"
- - Unknown
- type: string
- type:
- description: |-
- type of condition in CamelCase or in foo.example.com/CamelCase.
- ---
- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
- useful (see .node.status.conditions), the ability to deconflict is important.
- The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
- maxLength: 316
- pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
- type: string
- required:
- - lastTransitionTime
- - message
- - reason
- - status
- - type
- type: object
- type: array
- teleportResourceID:
- format: int64
- type: integer
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
status:
acceptedNames:
kind: ""
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml
new file mode 100644
index 0000000000000..c09e644792aaf
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv6.yaml
@@ -0,0 +1,1217 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: teleportrolesv6.resources.teleport.dev
+spec:
+ group: resources.teleport.dev
+ names:
+ kind: TeleportRoleV6
+ listKind: TeleportRoleV6List
+ plural: teleportrolesv6
+ shortNames:
+ - rolev6
+ - rolesv6
+ singular: teleportrolev6
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: RoleV6 is the Schema for the rolesv6 API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Role resource definition v6 from Teleport
+ properties:
+ allow:
+ description: Allow is the set of conditions evaluated to grant access.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via `{{external.trait_name}}`
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ deny:
+ description: Deny is the set of conditions evaluated to deny access.
+ Deny takes priority over allow.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via `{{external.trait_name}}`
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ options:
+ description: Options is for OpenSSH options like agent forwarding.
+ properties:
+ cert_extensions:
+ description: CertExtensions specifies the key/values
+ items:
+ properties:
+ mode:
+ description: Mode is the type of extension to be used --
+ currently critical-option is not supported
+ x-kubernetes-int-or-string: true
+ name:
+ description: Name specifies the key to be used in the cert
+ extension.
+ type: string
+ type:
+ description: Type represents the certificate type being
+ extended, only ssh is supported at this time.
+ x-kubernetes-int-or-string: true
+ value:
+ description: Value specifies the value to be used in the
+ cert extension.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ cert_format:
+ description: CertificateFormat defines the format of the user
+ certificate to allow compatibility with older versions of OpenSSH.
+ type: string
+ client_idle_timeout:
+ description: ClientIdleTimeout sets disconnect clients on idle
+ timeout behavior, if set to 0 means do not disconnect, otherwise
+ is set to the idle duration.
+ format: duration
+ type: string
+ create_db_user:
+ description: CreateDatabaseUser enabled automatic database user
+ creation.
+ type: boolean
+ create_desktop_user:
+ description: CreateDesktopUser allows users to be automatically
+ created on a Windows desktop
+ type: boolean
+ create_host_user:
+ description: CreateHostUser allows users to be automatically created
+ on a host
+ type: boolean
+ create_host_user_mode:
+ description: CreateHostUserMode allows users to be automatically
+ created on a host when not set to off
+ x-kubernetes-int-or-string: true
+ desktop_clipboard:
+ description: DesktopClipboard indicates whether clipboard sharing
+ is allowed between the user's workstation and the remote desktop.
+ It defaults to true unless explicitly set to false.
+ type: boolean
+ desktop_directory_sharing:
+ description: DesktopDirectorySharing indicates whether directory
+ sharing is allowed between the user's workstation and the remote
+ desktop. It defaults to false unless explicitly set to true.
+ type: boolean
+ device_trust_mode:
+ description: DeviceTrustMode is the device authorization mode
+ used for the resources associated with the role. See DeviceTrust.Mode.
+ Reserved for future use, not yet used by Teleport.
+ type: string
+ disconnect_expired_cert:
+ description: DisconnectExpiredCert sets disconnect clients on
+ expired certificates.
+ type: boolean
+ enhanced_recording:
+ description: BPF defines what events to record for the BPF-based
+ session recorder.
+ items:
+ type: string
+ nullable: true
+ type: array
+ forward_agent:
+ description: ForwardAgent is SSH agent forwarding.
+ type: boolean
+ idp:
+ description: IDP is a set of options related to accessing IdPs
+ within Teleport. Requires Teleport Enterprise.
+ nullable: true
+ properties:
+ saml:
+ description: SAML are options related to the Teleport SAML
+ IdP.
+ nullable: true
+ properties:
+ enabled:
+ description: Enabled is set to true if this option allows
+ access to the Teleport SAML IdP.
+ type: boolean
+ type: object
+ type: object
+ lock:
+ description: Lock specifies the locking mode (strict|best_effort)
+ to be applied with the role.
+ type: string
+ max_connections:
+ description: MaxConnections defines the maximum number of concurrent
+ connections a user may hold.
+ format: int64
+ type: integer
+ max_kubernetes_connections:
+ description: MaxKubernetesConnections defines the maximum number
+ of concurrent Kubernetes sessions a user may hold.
+ format: int64
+ type: integer
+ max_session_ttl:
+ description: MaxSessionTTL defines how long a SSH session can
+ last for.
+ format: duration
+ type: string
+ max_sessions:
+ description: MaxSessions defines the maximum number of concurrent
+ sessions per connection.
+ format: int64
+ type: integer
+ permit_x11_forwarding:
+ description: PermitX11Forwarding authorizes use of X11 forwarding.
+ type: boolean
+ pin_source_ip:
+ description: PinSourceIP forces the same client IP for certificate
+ generation and usage
+ type: boolean
+ port_forwarding:
+ description: PortForwarding defines if the certificate will have
+ "permit-port-forwarding" in the certificate. PortForwarding
+ is "yes" if not set, that's why this is a pointer
+ type: boolean
+ record_session:
+ description: RecordDesktopSession indicates whether desktop access
+ sessions should be recorded. It defaults to true unless explicitly
+ set to false.
+ nullable: true
+ properties:
+ default:
+ description: Default indicates the default value for the services.
+ type: string
+ desktop:
+ description: Desktop indicates whether desktop sessions should
+ be recorded. It defaults to true unless explicitly set to
+ false.
+ type: boolean
+ ssh:
+ description: SSH indicates the session mode used on SSH sessions.
+ type: string
+ type: object
+ request_access:
+ description: RequestAccess defines the access request strategy
+ (optional|note|always) where optional is the default.
+ type: string
+ request_prompt:
+ description: RequestPrompt is an optional message which tells
+ users what they aught to request.
+ type: string
+ require_session_mfa:
+ description: RequireMFAType is the type of MFA requirement enforced
+ for this user.
+ x-kubernetes-int-or-string: true
+ ssh_file_copy:
+ description: SSHFileCopy indicates whether remote file operations
+ via SCP or SFTP are allowed over an SSH session. It defaults
+ to true unless explicitly set to false.
+ type: boolean
+ type: object
+ type: object
+ status:
+ description: Status defines the observed state of the Teleport resource
+ properties:
+ conditions:
+ description: Conditions represent the latest available observations
+ of an object's state
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ teleportResourceID:
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml
new file mode 100644
index 0000000000000..7900d32138175
--- /dev/null
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_rolesv7.yaml
@@ -0,0 +1,1217 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ creationTimestamp: null
+ name: teleportrolesv7.resources.teleport.dev
+spec:
+ group: resources.teleport.dev
+ names:
+ kind: TeleportRoleV7
+ listKind: TeleportRoleV7List
+ plural: teleportrolesv7
+ shortNames:
+ - rolev7
+ - rolesv7
+ singular: teleportrolev7
+ scope: Namespaced
+ versions:
+ - name: v1
+ schema:
+ openAPIV3Schema:
+ description: RoleV7 is the Schema for the rolesv7 API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: Role resource definition v7 from Teleport
+ properties:
+ allow:
+ description: Allow is the set of conditions evaluated to grant access.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via `{{external.trait_name}}`
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ deny:
+ description: Deny is the set of conditions evaluated to deny access.
+ Deny takes priority over allow.
+ properties:
+ app_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: AppLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ app_labels_expression:
+ description: AppLabelsExpression is a predicate expression used
+ to allow/deny access to Apps.
+ type: string
+ aws_role_arns:
+ description: AWSRoleARNs is a list of AWS role ARNs this role
+ is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ azure_identities:
+ description: AzureIdentities is a list of Azure identities this
+ role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cluster_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: ClusterLabels is a map of node labels (used to dynamically
+ grant access to clusters).
+ type: object
+ cluster_labels_expression:
+ description: ClusterLabelsExpression is a predicate expression
+ used to allow/deny access to remote Teleport clusters.
+ type: string
+ db_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseLabels are used in RBAC system to allow/deny
+ access to databases.
+ type: object
+ db_labels_expression:
+ description: DatabaseLabelsExpression is a predicate expression
+ used to allow/deny access to Databases.
+ type: string
+ db_names:
+ description: DatabaseNames is a list of database names this role
+ is allowed to connect to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_roles:
+ description: DatabaseRoles is a list of databases roles for automatic
+ user creation.
+ items:
+ type: string
+ nullable: true
+ type: array
+ db_service_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: DatabaseServiceLabels are used in RBAC system to
+ allow/deny access to Database Services.
+ type: object
+ db_service_labels_expression:
+ description: DatabaseServiceLabelsExpression is a predicate expression
+ used to allow/deny access to Database Services.
+ type: string
+ db_users:
+ description: DatabaseUsers is a list of databases users this role
+ is allowed to connect as.
+ items:
+ type: string
+ nullable: true
+ type: array
+ desktop_groups:
+ description: DesktopGroups is a list of groups for created desktop
+ users to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ gcp_service_accounts:
+ description: GCPServiceAccounts is a list of GCP service accounts
+ this role is allowed to assume.
+ items:
+ type: string
+ nullable: true
+ type: array
+ group_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: GroupLabels is a map of labels used as part of the
+ RBAC system.
+ type: object
+ group_labels_expression:
+ description: GroupLabelsExpression is a predicate expression used
+ to allow/deny access to user groups.
+ type: string
+ host_groups:
+ description: HostGroups is a list of groups for created users
+ to be added to
+ items:
+ type: string
+ nullable: true
+ type: array
+ host_sudoers:
+ description: HostSudoers is a list of entries to include in a
+ users sudoer file
+ items:
+ type: string
+ nullable: true
+ type: array
+ impersonate:
+ description: Impersonate specifies what users and roles this role
+ is allowed to impersonate by issuing certificates or other possible
+ means.
+ nullable: true
+ properties:
+ roles:
+ description: Roles is a list of resources this role is allowed
+ to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ users:
+ description: Users is a list of resources this role is allowed
+ to impersonate, could be an empty list or a Wildcard pattern
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ join_sessions:
+ description: JoinSessions specifies policies to allow users to
+ join other sessions.
+ items:
+ properties:
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is a list of permitted participant modes
+ for this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ roles:
+ description: Roles is a list of roles that you can join
+ the session of.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ nullable: true
+ type: array
+ kubernetes_groups:
+ description: KubeGroups is a list of kubernetes groups
+ items:
+ type: string
+ nullable: true
+ type: array
+ kubernetes_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: KubernetesLabels is a map of kubernetes cluster labels
+ used for RBAC.
+ type: object
+ kubernetes_labels_expression:
+ description: KubernetesLabelsExpression is a predicate expression
+ used to allow/deny access to kubernetes clusters.
+ type: string
+ kubernetes_resources:
+ description: KubernetesResources is the Kubernetes Resources this
+ Role grants access to.
+ items:
+ properties:
+ kind:
+ description: Kind specifies the Kubernetes Resource type.
+ At the moment only "pod" is supported.
+ type: string
+ name:
+ description: Name is the resource name. It supports wildcards.
+ type: string
+ namespace:
+ description: Namespace is the resource namespace. It supports
+ wildcards.
+ type: string
+ verbs:
+ description: Verbs are the allowed Kubernetes verbs for
+ the following resource.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: array
+ kubernetes_users:
+ description: KubeUsers is an optional kubernetes users to impersonate
+ items:
+ type: string
+ nullable: true
+ type: array
+ logins:
+ description: Logins is a list of *nix system logins.
+ items:
+ type: string
+ nullable: true
+ type: array
+ node_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: NodeLabels is a map of node labels (used to dynamically
+ grant access to nodes).
+ type: object
+ node_labels_expression:
+ description: NodeLabelsExpression is a predicate expression used
+ to allow/deny access to SSH nodes.
+ type: string
+ request:
+ nullable: true
+ properties:
+ annotations:
+ additionalProperties:
+ items:
+ type: string
+ type: array
+ description: Annotations is a collection of annotations to
+ be programmatically appended to pending access requests
+ at the time of their creation. These annotations serve as
+ a mechanism to propagate extra information to plugins. Since
+ these annotations support variable interpolation syntax,
+ they also offer a mechanism for forwarding claims from an
+ external identity provider, to a plugin via `{{external.trait_name}}`
+ style substitutions.
+ type: object
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ max_duration:
+ description: MaxDuration is the amount of time the access
+ will be granted for. If this is zero, the default duration
+ is used.
+ format: duration
+ type: string
+ roles:
+ description: Roles is the name of roles which will match the
+ request rule.
+ items:
+ type: string
+ nullable: true
+ type: array
+ search_as_roles:
+ description: SearchAsRoles is a list of extra roles which
+ should apply to a user while they are searching for resources
+ as part of a Resource Access Request, and defines the underlying
+ roles which will be requested as part of any Resource Access
+ Request.
+ items:
+ type: string
+ nullable: true
+ type: array
+ suggested_reviewers:
+ description: SuggestedReviewers is a list of reviewer suggestions. These
+ can be teleport usernames, but that is not a requirement.
+ items:
+ type: string
+ nullable: true
+ type: array
+ thresholds:
+ description: Thresholds is a list of thresholds, one of which
+ must be met in order for reviews to trigger a state-transition. If
+ no thresholds are provided, a default threshold of 1 for
+ approval and denial is used.
+ items:
+ properties:
+ approve:
+ description: Approve is the number of matching approvals
+ needed for state-transition.
+ format: int32
+ type: integer
+ deny:
+ description: Deny is the number of denials needed for
+ state-transition.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is an optional predicate used to
+ determine which reviews count toward this threshold.
+ type: string
+ name:
+ description: Name is the optional human-readable name
+ of the threshold.
+ type: string
+ type: object
+ type: array
+ type: object
+ require_session_join:
+ description: RequireSessionJoin specifies policies for required
+ users to start a session.
+ items:
+ properties:
+ count:
+ description: Count is the amount of people that need to
+ be matched for this policy to be fulfilled.
+ format: int32
+ type: integer
+ filter:
+ description: Filter is a predicate that determines what
+ users count towards this policy.
+ type: string
+ kinds:
+ description: Kinds are the session kinds this policy applies
+ to.
+ items:
+ type: string
+ nullable: true
+ type: array
+ modes:
+ description: Modes is the list of modes that may be used
+ to fulfill this policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ description: Name is the name of the policy.
+ type: string
+ on_leave:
+ description: OnLeave is the behaviour that's used when the
+ policy is no longer fulfilled for a live session.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ review_requests:
+ description: ReviewRequests defines conditions for submitting
+ access reviews.
+ nullable: true
+ properties:
+ claims_to_roles:
+ description: ClaimsToRoles specifies a mapping from claims
+ (traits) to teleport roles.
+ items:
+ properties:
+ claim:
+ description: Claim is a claim name.
+ type: string
+ roles:
+ description: Roles is a list of static teleport roles
+ to match.
+ items:
+ type: string
+ nullable: true
+ type: array
+ value:
+ description: Value is a claim value to match.
+ type: string
+ type: object
+ type: array
+ preview_as_roles:
+ description: PreviewAsRoles is a list of extra roles which
+ should apply to a reviewer while they are viewing a Resource
+ Access Request for the purposes of viewing details such
+ as the hostname and labels of requested resources.
+ items:
+ type: string
+ nullable: true
+ type: array
+ roles:
+ description: Roles is the name of roles which may be reviewed.
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where is an optional predicate which further
+ limits which requests are reviewable.
+ type: string
+ type: object
+ rules:
+ description: Rules is a list of rules and their access levels.
+ Rules are a high level construct used for access control.
+ items:
+ properties:
+ actions:
+ description: Actions specifies optional actions taken when
+ this rule matches
+ items:
+ type: string
+ nullable: true
+ type: array
+ resources:
+ description: Resources is a list of resources
+ items:
+ type: string
+ nullable: true
+ type: array
+ verbs:
+ description: Verbs is a list of verbs
+ items:
+ type: string
+ nullable: true
+ type: array
+ where:
+ description: Where specifies optional advanced matcher
+ type: string
+ type: object
+ type: array
+ windows_desktop_labels:
+ additionalProperties:
+ x-kubernetes-preserve-unknown-fields: true
+ description: WindowsDesktopLabels are used in the RBAC system
+ to allow/deny access to Windows desktops.
+ type: object
+ windows_desktop_labels_expression:
+ description: WindowsDesktopLabelsExpression is a predicate expression
+ used to allow/deny access to Windows desktops.
+ type: string
+ windows_desktop_logins:
+ description: WindowsDesktopLogins is a list of desktop login names
+ allowed/denied for Windows desktops.
+ items:
+ type: string
+ nullable: true
+ type: array
+ type: object
+ options:
+ description: Options is for OpenSSH options like agent forwarding.
+ properties:
+ cert_extensions:
+ description: CertExtensions specifies the key/values
+ items:
+ properties:
+ mode:
+ description: Mode is the type of extension to be used --
+ currently critical-option is not supported
+ x-kubernetes-int-or-string: true
+ name:
+ description: Name specifies the key to be used in the cert
+ extension.
+ type: string
+ type:
+ description: Type represents the certificate type being
+ extended, only ssh is supported at this time.
+ x-kubernetes-int-or-string: true
+ value:
+ description: Value specifies the value to be used in the
+ cert extension.
+ type: string
+ type: object
+ nullable: true
+ type: array
+ cert_format:
+ description: CertificateFormat defines the format of the user
+ certificate to allow compatibility with older versions of OpenSSH.
+ type: string
+ client_idle_timeout:
+ description: ClientIdleTimeout sets disconnect clients on idle
+ timeout behavior, if set to 0 means do not disconnect, otherwise
+ is set to the idle duration.
+ format: duration
+ type: string
+ create_db_user:
+ description: CreateDatabaseUser enabled automatic database user
+ creation.
+ type: boolean
+ create_desktop_user:
+ description: CreateDesktopUser allows users to be automatically
+ created on a Windows desktop
+ type: boolean
+ create_host_user:
+ description: CreateHostUser allows users to be automatically created
+ on a host
+ type: boolean
+ create_host_user_mode:
+ description: CreateHostUserMode allows users to be automatically
+ created on a host when not set to off
+ x-kubernetes-int-or-string: true
+ desktop_clipboard:
+ description: DesktopClipboard indicates whether clipboard sharing
+ is allowed between the user's workstation and the remote desktop.
+ It defaults to true unless explicitly set to false.
+ type: boolean
+ desktop_directory_sharing:
+ description: DesktopDirectorySharing indicates whether directory
+ sharing is allowed between the user's workstation and the remote
+ desktop. It defaults to false unless explicitly set to true.
+ type: boolean
+ device_trust_mode:
+ description: DeviceTrustMode is the device authorization mode
+ used for the resources associated with the role. See DeviceTrust.Mode.
+ Reserved for future use, not yet used by Teleport.
+ type: string
+ disconnect_expired_cert:
+ description: DisconnectExpiredCert sets disconnect clients on
+ expired certificates.
+ type: boolean
+ enhanced_recording:
+ description: BPF defines what events to record for the BPF-based
+ session recorder.
+ items:
+ type: string
+ nullable: true
+ type: array
+ forward_agent:
+ description: ForwardAgent is SSH agent forwarding.
+ type: boolean
+ idp:
+ description: IDP is a set of options related to accessing IdPs
+ within Teleport. Requires Teleport Enterprise.
+ nullable: true
+ properties:
+ saml:
+ description: SAML are options related to the Teleport SAML
+ IdP.
+ nullable: true
+ properties:
+ enabled:
+ description: Enabled is set to true if this option allows
+ access to the Teleport SAML IdP.
+ type: boolean
+ type: object
+ type: object
+ lock:
+ description: Lock specifies the locking mode (strict|best_effort)
+ to be applied with the role.
+ type: string
+ max_connections:
+ description: MaxConnections defines the maximum number of concurrent
+ connections a user may hold.
+ format: int64
+ type: integer
+ max_kubernetes_connections:
+ description: MaxKubernetesConnections defines the maximum number
+ of concurrent Kubernetes sessions a user may hold.
+ format: int64
+ type: integer
+ max_session_ttl:
+ description: MaxSessionTTL defines how long a SSH session can
+ last for.
+ format: duration
+ type: string
+ max_sessions:
+ description: MaxSessions defines the maximum number of concurrent
+ sessions per connection.
+ format: int64
+ type: integer
+ permit_x11_forwarding:
+ description: PermitX11Forwarding authorizes use of X11 forwarding.
+ type: boolean
+ pin_source_ip:
+ description: PinSourceIP forces the same client IP for certificate
+ generation and usage
+ type: boolean
+ port_forwarding:
+ description: PortForwarding defines if the certificate will have
+ "permit-port-forwarding" in the certificate. PortForwarding
+ is "yes" if not set, that's why this is a pointer
+ type: boolean
+ record_session:
+ description: RecordDesktopSession indicates whether desktop access
+ sessions should be recorded. It defaults to true unless explicitly
+ set to false.
+ nullable: true
+ properties:
+ default:
+ description: Default indicates the default value for the services.
+ type: string
+ desktop:
+ description: Desktop indicates whether desktop sessions should
+ be recorded. It defaults to true unless explicitly set to
+ false.
+ type: boolean
+ ssh:
+ description: SSH indicates the session mode used on SSH sessions.
+ type: string
+ type: object
+ request_access:
+ description: RequestAccess defines the access request strategy
+ (optional|note|always) where optional is the default.
+ type: string
+ request_prompt:
+ description: RequestPrompt is an optional message which tells
+ users what they aught to request.
+ type: string
+ require_session_mfa:
+ description: RequireMFAType is the type of MFA requirement enforced
+ for this user.
+ x-kubernetes-int-or-string: true
+ ssh_file_copy:
+ description: SSHFileCopy indicates whether remote file operations
+ via SCP or SFTP are allowed over an SSH session. It defaults
+ to true unless explicitly set to false.
+ type: boolean
+ type: object
+ type: object
+ status:
+ description: Status defines the observed state of the Teleport resource
+ properties:
+ conditions:
+ description: Conditions represent the latest available observations
+ of an object's state
+ items:
+ description: "Condition contains details for one aspect of the current
+ state of this API Resource.\n---\nThis struct is intended for
+ direct use as an array at the field path .status.conditions. For
+ example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
+ observations of a foo's current state.\n\t // Known .status.conditions.type
+ are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+ +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
+ \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
+ patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
+ \ // other fields\n\t}"
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: |-
+ type of condition in CamelCase or in foo.example.com/CamelCase.
+ ---
+ Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
+ useful (see .node.status.conditions), the ability to deconflict is important.
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ teleportResourceID:
+ format: int64
+ type: integer
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+status:
+ acceptedNames:
+ kind: ""
+ plural: ""
+ conditions: null
+ storedVersions: null
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_samlconnectors.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_samlconnectors.yaml
index dc51a28419136..caaa7f3a5fb1e 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_samlconnectors.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_samlconnectors.yaml
@@ -120,8 +120,7 @@ spec:
type: string
type: object
status:
- description: TeleportSAMLConnectorStatus defines the observed state of
- TeleportSAMLConnector
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations
diff --git a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_users.yaml b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_users.yaml
index 01c405d0adeed..030a2b6f59bf8 100644
--- a/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_users.yaml
+++ b/integrations/operator/crdgen/testdata/golden/resources.teleport.dev_users.yaml
@@ -106,7 +106,7 @@ spec:
type: array
type: object
status:
- description: TeleportUserStatus defines the observed state of TeleportUser
+ description: Status defines the observed state of the Teleport resource
properties:
conditions:
description: Conditions represent the latest available observations