We forgot to update the Helm chart in the recent PR that added the
community gallery image rule. This takes care of that.
Signed-off-by: Matt Welke <matt.welke@spectrocloud.com>
description: AzureValidator is the Schema for the azurevalidators API
21
21
properties:
22
22
apiVersion:
23
-
description: 'APIVersion defines the versioned schema of this representation
24
-
of an object. Servers should convert recognized schemas to the latest
25
-
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
23
+
description: |-
24
+
APIVersion defines the versioned schema of this representation of an object.
25
+
Servers should convert recognized schemas to the latest internal value, and
26
+
may reject unrecognized values.
27
+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
26
28
type: string
27
29
kind:
28
-
description: 'Kind is a string value representing the REST resource this
29
-
object represents. Servers may infer this from the endpoint the client
30
-
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
30
+
description: |-
31
+
Kind is a string value representing the REST resource this object represents.
32
+
Servers may infer this from the endpoint the client submits requests to.
33
+
Cannot be updated.
34
+
In CamelCase.
35
+
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
31
36
type: string
32
37
metadata:
33
38
type: object
34
39
spec:
35
40
description: AzureValidatorSpec defines the desired state of AzureValidator
36
41
properties:
37
42
auth:
43
+
description: AzureAuth defines authentication configuration for an
44
+
AzureValidator.
38
45
properties:
39
46
implicit:
40
-
description: If true, the AzureValidator will use the Azure SDK's
41
-
default credential chain to authenticate. Set to true if using
42
-
WorkloadIdentityCredentials.
47
+
description: |-
48
+
If true, the AzureValidator will use the Azure SDK's default credential chain to authenticate.
49
+
Set to true if using WorkloadIdentityCredentials.
43
50
type: boolean
44
51
secretName:
45
-
description: Name of a Secret in the same namespace as the AzureValidator
46
-
that contains Azure credentials. The secret data's keys and
47
-
values are expected to align with valid Azure environment variable
48
-
credentials, per the options defined in https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables.
52
+
description: |-
53
+
Name of a Secret in the same namespace as the AzureValidator that contains Azure credentials.
54
+
The secret data's keys and values are expected to align with valid Azure environment variable credentials,
55
+
per the options defined in https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#readme-environment-variables.
49
56
type: string
50
57
required:
51
58
- implicit
52
59
type: object
60
+
communityGalleryImageRules:
61
+
description: |-
62
+
Rules for validating that images exist in an Azure Compute Gallery published as a community
63
+
gallery.
64
+
items:
65
+
description: |-
66
+
CommunityGalleryImageRule verifies that one or more images in a community gallery exist and are
67
+
accessible by a particular subscription.
68
+
properties:
69
+
gallery:
70
+
description: Gallery is the community gallery.
71
+
properties:
72
+
location:
73
+
description: Location is the location of the community gallery
74
+
(e.g. "westus").
75
+
maxLength: 50
76
+
type: string
77
+
name:
78
+
description: Name is the name of the community gallery.
79
+
maxLength: 200
80
+
type: string
81
+
required:
82
+
- location
83
+
- name
84
+
type: object
85
+
images:
86
+
description: Images is a list of image names.
87
+
items:
88
+
type: string
89
+
maxItems: 1000
90
+
minItems: 1
91
+
type: array
92
+
name:
93
+
description: |-
94
+
Name is a unique identifier for the rule in the validator. Used to ensure conditions do not
95
+
overwrite each other.
96
+
maxLength: 200
97
+
type: string
98
+
subscriptionID:
99
+
description: SubscriptionID is the ID of the subscription.
100
+
type: string
101
+
required:
102
+
- gallery
103
+
- images
104
+
- name
105
+
- subscriptionID
106
+
type: object
107
+
type: array
53
108
rbacRules:
54
-
description: Rules for validating that the correct role assignments
55
-
have been created in Azure RBAC to provide needed permissions.
109
+
description: |-
110
+
Rules for validating that the correct role assignments have been created in Azure RBAC to
111
+
provide needed permissions.
56
112
items:
57
-
description: Conveys that a specified security principal (aka principal)
58
-
should have the specified permissions, via roles. It doesn't matter
59
-
which roles provide the permissions as long as enough role assignments
60
-
exist that the principal has all of the permissions and no deny
61
-
assignments exist that deny the permissions.
113
+
description: |-
114
+
RBACRule verifies that a security principal has permissions via role assignments and that no deny
115
+
assignments deny the permissions.
62
116
properties:
63
117
name:
64
-
description: Unique identifier for the rule in the validator.
65
-
Used to ensure conditions do not overwrite each other.
118
+
description: |-
119
+
Unique identifier for the rule in the validator. Used to ensure conditions do not overwrite
120
+
each other.
66
121
type: string
67
122
permissionSets:
68
-
description: The permissions that the principal must have. If
69
-
the principal has permissions less than this, validation will
70
-
fail. If the principal has permissions equal to or more than
71
-
this (e.g., inherited permissions from higher level scope,
72
-
more roles than needed) validation will pass.
123
+
description: |-
124
+
The permissions that the principal must have. If the principal has permissions less than
125
+
this, validation will fail. If the principal has permissions equal to or more than this
126
+
(e.g., inherited permissions from higher level scope, more roles than needed) validation
127
+
will pass.
73
128
items:
74
-
description: Conveys that the security principal should be
75
-
the member of a role assignment that provides the specified
76
-
role for the specified scope. Scope can be either subscription,
129
+
description: |-
130
+
PermissionSet is part of an RBAC rule and verifies that a security principal has the specified
131
+
permissions (via role assignments) at the specified scope. Scope can be either subscription,
77
132
resource group, or resource.
78
133
properties:
79
134
actions:
80
-
description: If provided, the actions that the role must
81
-
be able to perform. Must not contain any wildcards.
82
-
If not specified, the role is assumed to already be
83
-
able to perform all required actions.
135
+
description: |-
136
+
Actions is a list of actions that the role must be able to perform. Must not contain any
137
+
wildcards. If not specified, the role is assumed to already be able to perform all required
138
+
actions.
84
139
items:
85
-
description: ActionStr is a type used for Action strings
86
-
and DataAction strings. Alias exists to enable kubebuilder
87
-
max string length validation for arrays of these.
140
+
description: |-
141
+
ActionStr is a type used for Action strings and DataAction strings. Alias exists to enable
142
+
kubebuilder max string length validation for arrays of these.
88
143
maxLength: 200
89
144
type: string
90
145
maxItems: 1000
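Review bot: the new `communityGalleryImageRules` schema leaves `subscriptionID` as a bare `type: string` with no `pattern` or `maxLength`, and the `images` item strings have no `maxLength`, while `gallery.location` (`maxLength: 50`) and `gallery.name` (`maxLength: 200`) in the same block are bounded. A typo'd subscription ID is only caught at reconcile time against Azure; consider a GUID `pattern` on `subscriptionID` and a `maxLength` on `images` items so the API server rejects bad input at admission, matching how the rest of this CRD validates strings. Also, `name` is described as "a unique identifier for the rule in the validator" but nothing in the array schema enforces it; if duplicate names would cause conditions to overwrite each other as the description warns, `x-kubernetes-list-type: map` with `x-kubernetes-list-map-keys: [name]` on the `communityGalleryImageRules` array would make the API server enforce it. Finally, since the commit message says this CRD was missed in the earlier PR, a CI step that regenerates the chart CRDs and fails on `git diff` would stop the Helm copy drifting from the controller's generated manifests again.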
@@ -93,14 +148,14 @@ spec:
93
148
- message: Actions cannot have wildcards.
94
149
rule: self.all(item, !item.contains('*'))
95
150
dataActions:
96
-
description: If provided, the data actions that the role
97
-
must be able to perform. Must not contain any wildcards.
98
-
If not provided, the role is assumed to already be able
99
-
to perform all required data actions.
151
+
description: |-
152
+
DataActions is a list of data actions that the role must be able to perform. Must not
153
+
contain any wildcards. If not provided, the role is assumed to already be able to perform
154
+
all required data actions.
100
155
items:
101
-
description: ActionStr is a type used for Action strings
102
-
and DataAction strings. Alias exists to enable kubebuilder
103
-
max string length validation for arrays of these.
156
+
description: |-
157
+
ActionStr is a type used for Action strings and DataAction strings. Alias exists to enable
158
+
kubebuilder max string length validation for arrays of these.
104
159
maxLength: 200
105
160
type: string
106
161
maxItems: 1000
@@ -109,11 +164,10 @@ spec:
109
164
- message: DataActions cannot have wildcards.
110
165
rule: self.all(item, !item.contains('*'))
111
166
scope:
112
-
description: The minimum scope of the role. Role assignments
113
-
found at higher level scopes will satisfy this. For
114
-
example, a role assignment found with subscription scope
115
-
will satisfy a permission set where the role scope specified
116
-
is a resource group within that subscription.
167
+
description: |-
168
+
Scope is the minimum scope of the role. Role assignments found at higher level scopes will
169
+
satisfy this. For example, a role assignment found with subscription scope will satisfy a
170
+
permission set where the role scope specified is a resource group within that subscription.
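Review bot: the `scope` field is still a bare `type: string` with no `maxLength` or `pattern`, unlike the `actions`/`dataActions` items just above it (`maxLength: 200` plus the no-wildcard CEL rule). Because the semantics described here are "minimum scope, with assignments at higher scopes satisfying it", a malformed or overly broad scope string (for example one that does not start with `/subscriptions/`) would silently make the check pass or fail for the wrong reason; consider at least a `maxLength` and a `pattern` anchored on the Azure resource ID prefix so the CRD rejects it at admission rather than leaving it to the controller's Azure call.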