ClusterPlatformRole

ClusterPlatformRole defines what a role can do across the registered platform products. The role is product-agnostic; per-product action vocabularies live under spec.productActions[], keyed by API group. Bind a role to principals with ClusterPlatformRoleBinding or PlatformRoleBinding, and attach it to an MCP target with ToolhiveAuthorizationPolicy.

API: platform.enterprise.stacklok.com/v1alpha1 · Scope: Cluster · Short names: cpr, clusterplatformrole

Example

clusterplatformrole.yaml

```yaml
apiVersion: platform.enterprise.stacklok.com/v1alpha1
kind: ClusterPlatformRole
metadata:
  name: my-clusterplatformrole
spec:
  productActions:
    - actions:
        - <string>
      apiGroup: <string>
```

Schema

spec

ClusterPlatformRoleSpec defines the desired state of ClusterPlatformRole.

| Field | Type | Description |
| --- | --- | --- |
| description | string | Description is a human-readable description of the role. |
| productActions (required) | object[] | ProductActions groups action identifiers by product apiGroup so a single role can carry distinct vocabularies per product. MaxItems is bounded so the apiserver's CEL cost estimator does not multiply the inner actions[].XValidation budget by an unbounded outer iteration. |

spec.productActions[]

ProductActions groups action identifiers by product apiGroup so a single role can carry distinct vocabularies per product. MaxItems is bounded so the apiserver's CEL cost estimator does not multiply the inner actions[].XValidation budget by an unbounded outer iteration.

| Field | Type | Description |
| --- | --- | --- |
| actions (required) | string[] | Actions is the list of product action identifiers granted by this entry. The wildcard `"*"` expands to the product's registered vocabulary at compile time and must be the only entry when present. |
| apiGroup (required) | string | APIGroup identifies the product whose vocabulary this entry uses (e.g. `toolhive.enterprise.stacklok.com`). Cedar compilation picks the entry whose APIGroup matches the product the policy targets. Constraint: minLength 1. |
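The following manifests are an added illustration, not taken from the original page or from the project's own examples. They show the two shapes a `spec.productActions[]` entry can take under the rules above: a broad role that uses the `"*"` wildcard as the sole entry (expanded to the product's registered vocabulary at compile time), and a narrower role that lists explicit identifiers. The apiGroup `toolhive.enterprise.stacklok.com` is the one this page cites; the action identifiers `tools/list` and `tools/call` are assumed placeholders, since the real per-product vocabulary is registered by the product and is not given on this page. The third document deliberately violates the wildcard rule.

```yaml
# Added example. Action identifiers below are assumed placeholders, not the
# product's real vocabulary; only the apiGroup value appears on this page.
---
# Broad role: "*" must be the only element of actions[]. It is expanded to the
# product's full registered vocabulary when the policy is compiled to Cedar.
apiVersion: platform.enterprise.stacklok.com/v1alpha1
kind: ClusterPlatformRole
metadata:
  name: toolhive-admin
spec:
  description: Every registered ToolHive action
  productActions:
    - apiGroup: toolhive.enterprise.stacklok.com
      actions:
        - "*"
---
# Narrow role: explicit identifiers only. Cedar compilation selects the entry
# whose apiGroup matches the product the ToolhiveAuthorizationPolicy targets;
# a second entry for another apiGroup would carry that product's vocabulary.
apiVersion: platform.enterprise.stacklok.com/v1alpha1
kind: ClusterPlatformRole
metadata:
  name: toolhive-reader
spec:
  description: Enumerate and invoke tools, nothing else
  productActions:
    - apiGroup: toolhive.enterprise.stacklok.com
      actions:
        - tools/list   # assumed identifier
        - tools/call   # assumed identifier
---
# Invalid on purpose: "*" is present but is not the only entry. The inner
# actions[] x-kubernetes-validations rule described above should reject this
# at admission rather than silently granting the wildcard.
apiVersion: platform.enterprise.stacklok.com/v1alpha1
kind: ClusterPlatformRole
metadata:
  name: toolhive-broken
spec:
  productActions:
    - apiGroup: toolhive.enterprise.stacklok.com
      actions:
        - "*"
        - tools/list   # assumed identifier
```

`kubectl apply --dry-run=server -f roles.yaml` runs the CRD's CEL validation without persisting anything, so the third document's rejection can be confirmed before a binding ever references the role. Keeping wildcard roles separate from explicit ones also makes later review easier: any role whose `actions` contains `"*"` is the one to scrutinise when auditing what a binding grants.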

status

ClusterPlatformRoleStatus defines the observed state of ClusterPlatformRole.

| Field | Type | Description |
| --- | --- | --- |
| conditions | object[] | Conditions represent the latest available observations of the role's state. |
| observedGeneration | integer | ObservedGeneration is the metadata.generation last reconciled. Format: int64. |

status.conditions[]

Conditions represent the latest available observations of the role's state.

| Field | Type | Description |
| --- | --- | --- |
| lastTransitionTime (required) | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time. |
| message (required) | string | message is a human readable message indicating details about the transition. This may be an empty string. Constraint: maxLength 32768. |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 · min 0. |
| reason (required) | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. Constraints: pattern `^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` · minLength 1 · maxLength 1024. |
| status (required) | string | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown. |
| type (required) | string | type of condition in CamelCase or in foo.example.com/CamelCase. Constraints: pattern `^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` · maxLength 316. |

Referenced by: