Custom Resource Definitions
API Reference
Packages:
weebo.si.rs/v1
Resource Types:
ProxyKubeApi
Auto-generated derived type for ProxyKubeApiSpec via CustomResource
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | weebo.si.rs/v1 | true |
| kind | string | ProxyKubeApi | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | | true |
| status | object | | false |
ProxyKubeApi.spec
| Name | Type | Description | Required |
|---|---|---|---|
| cert | object | Certificate for the Kubernetes API | true |
| service | object | Service to expose the proxy | true |
| auth_config | object | Main configuration for authentication | false |
| dashboard_group | string | If the proxy is exposed via the dashboard, the OIDC group that allows access to the dashboard; should be unique. Default: the resource namespace + resource name | false |
| enabled | boolean | Enable or disable the proxy. Default: true | false |
| expose_via_dashboard | boolean | Whether the proxy should be accessible via the dashboard. Default: false Default: true | false |
| security_config | object | Security configuration | false |
ProxyKubeApi.spec.cert
Certificate for the Kubernetes API
| Name | Type | Description | Required |
|---|---|---|---|
| Cert | string | Base64 encoded cert | false |
| ConfigMap | object | Configmap | false |
| Insecure | boolean | Insecure, do not use TLS | false |
| Secret | object | Use a cert from a secret | false |
ProxyKubeApi.spec.cert.ConfigMap
Configmap
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | true |
| name | string | | true |
| namespace | string | | false |
ProxyKubeApi.spec.cert.Secret
Use a cert from a secret
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | true |
| name | string | | true |
| namespace | string | | false |
ProxyKubeApi.spec.service
Service to expose the proxy
| Name | Type | Description | Required |
|---|---|---|---|
| ExternalService | object | External service | false |
| KubernetesService | object | Kubernetes service | false |
ProxyKubeApi.spec.service.ExternalService
External service
| Name | Type | Description | Required |
|---|---|---|---|
| url | string | URL of the external service (e.g. https://example.com) | true |
ProxyKubeApi.spec.service.KubernetesService
Kubernetes service
| Name | Type | Description | Required |
|---|---|---|---|
| name | string | Name of the service | true |
| namespace | string | If not set, will use the resource namespace | false |
| port | integer | Port of the service. Format: uint16 | false |
| port_name | string | Port name of the service | false |
ProxyKubeApi.spec.auth_config
Main configuration for authentication
| Name | Type | Description | Required |
|---|---|---|---|
| oidc_provider | object | | true |
| disable_validation | boolean | Disable validation of the token against the configured JWT authenticators, OIDC provider or Kubernetes API. If the AuthenticationConfiguration is not provided, the token is not validated against any of the configured JWT authenticators, OIDC provider or Kubernetes API. Default: false | false |
| jwt | []object | Default: [] | false |
| validate_against | enum | Validate against the configured JWT authenticators, OIDC provider or Kubernetes API. Default: OidcProvider if enabled, otherwise JwtAuthenticators if configured, otherwise Kubernetes. Enum: OidcProvider, Kubernetes | false |
ProxyKubeApi.spec.auth_config.oidc_provider
| Name | Type | Description | Required |
|---|---|---|---|
| client_id | string | | true |
| issuer_url | string | | true |
| client_secret | string | | false |
| enabled | boolean | Default: false | false |
| extra_scope | string | Default: | false |
ProxyKubeApi.spec.auth_config.jwt[index]
| Name | Type | Description | Required |
|---|---|---|---|
| claim_mappings | object | | true |
| claim_validation_rules | []object | | true |
| issuer | object | | true |
| user_validation_rules | []object | | true |
ProxyKubeApi.spec.auth_config.jwt[index].claim_mappings
| Name | Type | Description | Required |
|---|---|---|---|
| extra | []object | | true |
| groups | object | | false |
| uid | object | | false |
| username | object | | false |
ProxyKubeApi.spec.auth_config.jwt[index].claim_mappings.extra[index]
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | | true |
| value_expression | string | | true |
ProxyKubeApi.spec.auth_config.jwt[index].claim_mappings.groups
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | | true |
| expression | string | | true |
| prefix | string | | false |
ProxyKubeApi.spec.auth_config.jwt[index].claim_mappings.uid
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | | false |
| expression | string | | false |
ProxyKubeApi.spec.auth_config.jwt[index].claim_mappings.username
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | | true |
| expression | string | | true |
| prefix | string | | false |
ProxyKubeApi.spec.auth_config.jwt[index].claim_validation_rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | | true |
| expression | string | | true |
| message | string | | true |
| required_value | string | | true |
ProxyKubeApi.spec.auth_config.jwt[index].issuer
| Name | Type | Description | Required |
|---|---|---|---|
| audience_match_policy | enum | Enum: MatchAny | true |
| audiences | []string | | true |
| egress_selector | enum | Enum: controlplane, cluster | true |
| url | string | | true |
| certificate_authority | string | | false |
| discovery_url | string | | false |
ProxyKubeApi.spec.auth_config.jwt[index].user_validation_rules[index]
| Name | Type | Description | Required |
|---|---|---|---|
| expression | string | | true |
| message | string | | true |
ProxyKubeApi.spec.security_config
Security configuration
| Name | Type | Description | Required |
|---|---|---|---|
| allowed_ressources | []object | Allowed resources: limits access through the proxy to only these resources. If empty, all resources are allowed | true |
| enabled | boolean | Whether the token is validated beforehand. Default: true | false |
ProxyKubeApi.spec.security_config.allowed_ressources[index]
Enum of the allowed paths configuration. Currently only supports path and crd, but can be extended in the future
| Name | Type | Description | Required |
|---|---|---|---|
| Path | object | Allowed path configuration, used in conjunction with the allowed_paths configuration | false |
ProxyKubeApi.spec.security_config.allowed_ressources[index].Path
Allowed path configuration, used in conjunction with the allowed_paths configuration
| Name | Type | Description | Required |
|---|---|---|---|
| path | string | The path to allow. If the request path equals this path, the request is allowed | true |
| parametised | boolean | Whether or not the path is parametised. If true, the path is treated as a template that handles either wildcard parameters, like `*` or `dev-*`, or mustache-like parameters, like `{{username}}` or `{{group}}`. For example, if the path is `/api/v1/namespaces/*/pods`, it allows all requests to pods in any namespace; if the path is `/api/v1/namespaces/dev-*/pods`, it allows all requests to pods in namespaces that start with `dev-`. Mustache-like parameters are also detected: if the path is `/api/v1/namespaces/{{username}}/pods`, it allows all requests to pods in namespaces carrying the username as a parameter. If the selected field is an array, like the groups claim, any of the values in the array can match: if the groups claim is `["dev-alice", "dev-bob"]` and the path is `/api/v1/namespaces/{{group}}/pods`, it allows all requests to pods in namespaces that match either `dev-alice` or `dev-bob`. Allowed parameters are: `{{username}}` and `{{group}}`. Default: false | false |
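A sketch of the `parametised` matching rules described in the table above, useful for checking what a Path rule would admit before applying it. This is an added example, not the project's code: it assumes the wildcard is written `*` and stays inside one path segment, that claim values are substituted as literals, and the `claims` dictionary shape and function names are hypothetical.

```python
import re

# Placeholders the page lists as allowed, mapped to the claim they read.
PLACEHOLDERS = {"{{username}}": "username", "{{group}}": "groups"}
_TOKEN = re.compile(r"(\{\{username\}\}|\{\{group\}\}|\*)")


def expand(template, claims):
    """Return one regex source per combination of claim values."""
    patterns = [""]
    for token in _TOKEN.split(template):
        if token == "*":
            # Assumption: a wildcard never crosses a "/" boundary.
            choices = ["[^/]*"]
        elif token in PLACEHOLDERS:
            values = claims.get(PLACEHOLDERS[token]) or []
            if isinstance(values, str):
                values = [values]
            # Claim values are literals: escape them, and skip empty values
            # or values containing "/" so a claim cannot add path segments.
            choices = [re.escape(v) for v in values if v and "/" not in v]
        else:
            choices = [re.escape(token)]
        patterns = [p + c for p in patterns for c in choices]
    return patterns


def is_allowed(rule, request_path, claims):
    """Evaluate one Path rule ({"path": ..., "parametised": ...})."""
    if not rule.get("parametised", False):
        return request_path == rule["path"]  # exact match only
    return any(re.fullmatch(p, request_path)
               for p in expand(rule["path"], claims))


# Constructed claims and rules, reusing the page's own example paths.
CLAIMS = {"username": "alice", "groups": ["dev-alice", "dev-bob"]}
GROUP_RULE = {"path": "/api/v1/namespaces/{{group}}/pods", "parametised": True}
USER_RULE = {"path": "/api/v1/namespaces/{{username}}/pods", "parametised": True}
PREFIX_RULE = {"path": "/api/v1/namespaces/dev-*/pods", "parametised": True}
LITERAL_RULE = {"path": "/api/v1/namespaces/*/pods", "parametised": False}

if __name__ == "__main__":
    for ns in ("dev-bob", "dev-carol", "kube-system"):
        path = f"/api/v1/namespaces/{ns}/pods"
        print(ns, is_allowed(GROUP_RULE, path, CLAIMS),
              is_allowed(PREFIX_RULE, path, CLAIMS))
```

With `parametised` false the `*` in `LITERAL_RULE` is an ordinary character, so only a request for that exact string matches.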
ProxyKubeApi.status
| Name | Type | Description | Required |
|---|---|---|---|
| exposed | boolean | | true |
| error | string | | false |
| path | string | | false |