|
| 1 | +apiVersion: apiextensions.k8s.io/v1 |
| 2 | +kind: CustomResourceDefinition |
| 3 | +metadata: |
| 4 | + annotations: |
| 5 | + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/2245 |
| 6 | + gateway.networking.k8s.io/bundle-version: v0.8.0 |
| 7 | + gateway.networking.k8s.io/channel: experimental |
| 8 | + creationTimestamp: null |
| 9 | + name: referencegrants.gateway.networking.k8s.io |
| 10 | +spec: |
| 11 | + group: gateway.networking.k8s.io |
| 12 | + names: |
| 13 | + categories: |
| 14 | + - gateway-api |
| 15 | + kind: ReferenceGrant |
| 16 | + listKind: ReferenceGrantList |
| 17 | + plural: referencegrants |
| 18 | + shortNames: |
| 19 | + - refgrant |
| 20 | + singular: referencegrant |
| 21 | + scope: Namespaced |
| 22 | + versions: |
| 23 | + - additionalPrinterColumns: |
| 24 | + - jsonPath: .metadata.creationTimestamp |
| 25 | + name: Age |
| 26 | + type: date |
| 27 | + deprecated: true |
| 28 | + deprecationWarning: The v1alpha2 version of ReferenceGrant has been deprecated |
| 29 | + and will be removed in a future release of the API. Please upgrade to v1beta1. |
| 30 | + name: v1alpha2 |
| 31 | + schema: |
| 32 | + openAPIV3Schema: |
| 33 | + description: "ReferenceGrant identifies kinds of resources in other namespaces |
| 34 | + that are trusted to reference the specified kinds of resources in the same |
| 35 | + namespace as the policy. \n Each ReferenceGrant can be used to represent |
| 36 | + a unique trust relationship. Additional Reference Grants can be used to |
| 37 | + add to the set of trusted sources of inbound references for the namespace |
| 38 | + they are defined within. \n A ReferenceGrant is required for all cross-namespace |
| 39 | + references in Gateway API (with the exception of cross-namespace Route-Gateway |
| 40 | + attachment, which is governed by the AllowedRoutes configuration on the |
| 41 | + Gateway, and cross-namespace Service ParentRefs on a \"consumer\" mesh Route, |
| 42 | + which defines routing rules applicable only to workloads in the Route namespace). |
| 43 | + ReferenceGrants allowing a reference from a Route to a Service are only |
| 44 | + applicable to BackendRefs. \n ReferenceGrant is a form of runtime verification |
| 45 | + allowing users to assert which cross-namespace object references are permitted. |
| 46 | + Implementations that support ReferenceGrant MUST NOT permit cross-namespace |
| 47 | + references which have no grant, and MUST respond to the removal of a grant |
| 48 | + by revoking the access that the grant allowed." |
| 49 | + properties: |
| 50 | + apiVersion: |
| 51 | + description: 'APIVersion defines the versioned schema of this representation |
| 52 | + of an object. Servers should convert recognized schemas to the latest |
| 53 | + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' |
| 54 | + type: string |
| 55 | + kind: |
| 56 | + description: 'Kind is a string value representing the REST resource this |
| 57 | + object represents. Servers may infer this from the endpoint the client |
| 58 | + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' |
| 59 | + type: string |
| 60 | + metadata: |
| 61 | + type: object |
| 62 | + spec: |
| 63 | + description: Spec defines the desired state of ReferenceGrant. |
| 64 | + properties: |
| 65 | + from: |
| 66 | + description: "From describes the trusted namespaces and kinds that |
| 67 | + can reference the resources described in \"To\". Each entry in this |
| 68 | + list MUST be considered to be an additional place that references |
| 69 | + can be valid from, or to put this another way, entries MUST be combined |
| 70 | + using OR. \n Support: Core" |
| 71 | + items: |
| 72 | + description: ReferenceGrantFrom describes trusted namespaces and |
| 73 | + kinds. |
| 74 | + properties: |
| 75 | + group: |
| 76 | + description: "Group is the group of the referent. When empty, |
| 77 | + the Kubernetes core API group is inferred. \n Support: Core" |
| 78 | + maxLength: 253 |
| 79 | + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ |
| 80 | + type: string |
| 81 | + kind: |
| 82 | + description: "Kind is the kind of the referent. Although implementations |
| 83 | + may support additional resources, the following types are |
| 84 | + part of the \"Core\" support level for this field. \n When |
| 85 | + used to permit a SecretObjectReference: \n * Gateway \n When |
| 86 | + used to permit a BackendObjectReference: \n * GRPCRoute * |
| 87 | + HTTPRoute * TCPRoute * TLSRoute * UDPRoute" |
| 88 | + maxLength: 63 |
| 89 | + minLength: 1 |
| 90 | + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ |
| 91 | + type: string |
| 92 | + namespace: |
| 93 | + description: "Namespace is the namespace of the referent. \n |
| 94 | + Support: Core" |
| 95 | + maxLength: 63 |
| 96 | + minLength: 1 |
| 97 | + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ |
| 98 | + type: string |
| 99 | + required: |
| 100 | + - group |
| 101 | + - kind |
| 102 | + - namespace |
| 103 | + type: object |
| 104 | + maxItems: 16 |
| 105 | + minItems: 1 |
| 106 | + type: array |
| 107 | + to: |
| 108 | + description: "To describes the resources that may be referenced by |
| 109 | + the resources described in \"From\". Each entry in this list MUST |
| 110 | + be considered to be an additional place that references can be valid |
| 111 | + to, or to put this another way, entries MUST be combined using OR. |
| 112 | + \n Support: Core" |
| 113 | + items: |
| 114 | + description: ReferenceGrantTo describes what Kinds are allowed as |
| 115 | + targets of the references. |
| 116 | + properties: |
| 117 | + group: |
| 118 | + description: "Group is the group of the referent. When empty, |
| 119 | + the Kubernetes core API group is inferred. \n Support: Core" |
| 120 | + maxLength: 253 |
| 121 | + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ |
| 122 | + type: string |
| 123 | + kind: |
| 124 | + description: "Kind is the kind of the referent. Although implementations |
| 125 | + may support additional resources, the following types are |
| 126 | + part of the \"Core\" support level for this field: \n * Secret |
| 127 | + when used to permit a SecretObjectReference * Service when |
| 128 | + used to permit a BackendObjectReference" |
| 129 | + maxLength: 63 |
| 130 | + minLength: 1 |
| 131 | + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ |
| 132 | + type: string |
| 133 | + name: |
| 134 | + description: Name is the name of the referent. When unspecified, |
| 135 | + this policy refers to all resources of the specified Group |
| 136 | + and Kind in the local namespace. |
| 137 | + maxLength: 253 |
| 138 | + minLength: 1 |
| 139 | + type: string |
| 140 | + required: |
| 141 | + - group |
| 142 | + - kind |
| 143 | + type: object |
| 144 | + maxItems: 16 |
| 145 | + minItems: 1 |
| 146 | + type: array |
| 147 | + required: |
| 148 | + - from |
| 149 | + - to |
| 150 | + type: object |
| 151 | + type: object |
| 152 | + served: true |
| 153 | + storage: false |
| 154 | + subresources: {} |
| 155 | + - additionalPrinterColumns: |
| 156 | + - jsonPath: .metadata.creationTimestamp |
| 157 | + name: Age |
| 158 | + type: date |
| 159 | + name: v1beta1 |
| 160 | + schema: |
| 161 | + openAPIV3Schema: |
| 162 | + description: "ReferenceGrant identifies kinds of resources in other namespaces |
| 163 | + that are trusted to reference the specified kinds of resources in the same |
| 164 | + namespace as the policy. \n Each ReferenceGrant can be used to represent |
| 165 | + a unique trust relationship. Additional Reference Grants can be used to |
| 166 | + add to the set of trusted sources of inbound references for the namespace |
| 167 | + they are defined within. \n All cross-namespace references in Gateway API |
| 168 | + (with the exception of cross-namespace Gateway-route attachment) require |
| 169 | + a ReferenceGrant. \n ReferenceGrant is a form of runtime verification allowing |
| 170 | + users to assert which cross-namespace object references are permitted. Implementations |
| 171 | + that support ReferenceGrant MUST NOT permit cross-namespace references which |
| 172 | + have no grant, and MUST respond to the removal of a grant by revoking the |
| 173 | + access that the grant allowed." |
| 174 | + properties: |
| 175 | + apiVersion: |
| 176 | + description: 'APIVersion defines the versioned schema of this representation |
| 177 | + of an object. Servers should convert recognized schemas to the latest |
| 178 | + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' |
| 179 | + type: string |
| 180 | + kind: |
| 181 | + description: 'Kind is a string value representing the REST resource this |
| 182 | + object represents. Servers may infer this from the endpoint the client |
| 183 | + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' |
| 184 | + type: string |
| 185 | + metadata: |
| 186 | + type: object |
| 187 | + spec: |
| 188 | + description: Spec defines the desired state of ReferenceGrant. |
| 189 | + properties: |
| 190 | + from: |
| 191 | + description: "From describes the trusted namespaces and kinds that |
| 192 | + can reference the resources described in \"To\". Each entry in this |
| 193 | + list MUST be considered to be an additional place that references |
| 194 | + can be valid from, or to put this another way, entries MUST be combined |
| 195 | + using OR. \n Support: Core" |
| 196 | + items: |
| 197 | + description: ReferenceGrantFrom describes trusted namespaces and |
| 198 | + kinds. |
| 199 | + properties: |
| 200 | + group: |
| 201 | + description: "Group is the group of the referent. When empty, |
| 202 | + the Kubernetes core API group is inferred. \n Support: Core" |
| 203 | + maxLength: 253 |
| 204 | + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ |
| 205 | + type: string |
| 206 | + kind: |
| 207 | + description: "Kind is the kind of the referent. Although implementations |
| 208 | + may support additional resources, the following types are |
| 209 | + part of the \"Core\" support level for this field. \n When |
| 210 | + used to permit a SecretObjectReference: \n * Gateway \n When |
| 211 | + used to permit a BackendObjectReference: \n * GRPCRoute * |
| 212 | + HTTPRoute * TCPRoute * TLSRoute * UDPRoute" |
| 213 | + maxLength: 63 |
| 214 | + minLength: 1 |
| 215 | + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ |
| 216 | + type: string |
| 217 | + namespace: |
| 218 | + description: "Namespace is the namespace of the referent. \n |
| 219 | + Support: Core" |
| 220 | + maxLength: 63 |
| 221 | + minLength: 1 |
| 222 | + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ |
| 223 | + type: string |
| 224 | + required: |
| 225 | + - group |
| 226 | + - kind |
| 227 | + - namespace |
| 228 | + type: object |
| 229 | + maxItems: 16 |
| 230 | + minItems: 1 |
| 231 | + type: array |
| 232 | + to: |
| 233 | + description: "To describes the resources that may be referenced by |
| 234 | + the resources described in \"From\". Each entry in this list MUST |
| 235 | + be considered to be an additional place that references can be valid |
| 236 | + to, or to put this another way, entries MUST be combined using OR. |
| 237 | + \n Support: Core" |
| 238 | + items: |
| 239 | + description: ReferenceGrantTo describes what Kinds are allowed as |
| 240 | + targets of the references. |
| 241 | + properties: |
| 242 | + group: |
| 243 | + description: "Group is the group of the referent. When empty, |
| 244 | + the Kubernetes core API group is inferred. \n Support: Core" |
| 245 | + maxLength: 253 |
| 246 | + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ |
| 247 | + type: string |
| 248 | + kind: |
| 249 | + description: "Kind is the kind of the referent. Although implementations |
| 250 | + may support additional resources, the following types are |
| 251 | + part of the \"Core\" support level for this field: \n * Secret |
| 252 | + when used to permit a SecretObjectReference * Service when |
| 253 | + used to permit a BackendObjectReference" |
| 254 | + maxLength: 63 |
| 255 | + minLength: 1 |
| 256 | + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ |
| 257 | + type: string |
| 258 | + name: |
| 259 | + description: Name is the name of the referent. When unspecified, |
| 260 | + this policy refers to all resources of the specified Group |
| 261 | + and Kind in the local namespace. |
| 262 | + maxLength: 253 |
| 263 | + minLength: 1 |
| 264 | + type: string |
| 265 | + required: |
| 266 | + - group |
| 267 | + - kind |
| 268 | + type: object |
| 269 | + maxItems: 16 |
| 270 | + minItems: 1 |
| 271 | + type: array |
| 272 | + required: |
| 273 | + - from |
| 274 | + - to |
| 275 | + type: object |
| 276 | + type: object |
| 277 | + served: true |
| 278 | + storage: true |
| 279 | + subresources: {} |
| 280 | +status: |
| 281 | + acceptedNames: |
| 282 | + kind: "" |
| 283 | + plural: "" |
| 284 | + conditions: null |
| 285 | + storedVersions: null |