ClusterPlatformRoleBinding
ClusterPlatformRoleBinding maps IdP groups and roles (read from the configured
groups_claim and roles_claim on the incoming JWT) to a
ClusterPlatformRole, effective across every
namespace. Use PlatformRoleBinding when you want a
namespace-scoped grant instead.
API: platform.enterprise.stacklok.com/v1alpha1 · Scope: Cluster ·
Short names: cprb, clusterplatformrolebinding
Example
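```yaml
apiVersion: platform.enterprise.stacklok.com/v1alpha1
kind: ClusterPlatformRoleBinding
metadata:
  name: my-clusterplatformrolebinding
spec:
  bindings:
    - from:
        # Each entry is a principal condition; see spec.bindings.from[] for groups and roles.
        - {}
      roleRef:
        kind: ClusterPlatformRole
        # Name of the ClusterPlatformRole to bind.
        name: <string>
```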
Schema
spec
ClusterPlatformRoleBindingSpec defines the desired state of ClusterPlatformRoleBinding.
| Field | Type | Description |
|---|---|---|
| bindings (required) | object[] | Bindings is the list of role-to-principal mappings. |
spec.bindings[]
Bindings is the list of role-to-principal mappings.
| Field | Type | Description |
|---|---|---|
| from (required) | object[] | From is the list of principal conditions that receive the role. |
| roleRef (required) | object | RoleRef references the ClusterPlatformRole to bind. |
spec.bindings.from[]
From is the list of principal conditions that receive the role.
| Field | Type | Description |
|---|---|---|
| groups | string[] | Groups is the list of OIDC groups a principal must belong to. |
| roles | string[] | Roles is the list of OIDC roles a principal must have. |
spec.bindings.roleRef
RoleRef references the ClusterPlatformRole to bind.
| Field | Type | Description |
|---|---|---|
| kind (required) | string | Enum: `ClusterPlatformRole` |
| name (required) | string | minLength 1 |
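An added example (not part of the Stacklok documentation or its code): a Python check that applies the spec constraints listed above to the JSON form of ClusterPlatformRoleBinding objects, for instance `kubectl get cprb -o json` output or manifests converted to JSON in CI. It also reports any `from` condition that names neither groups nor roles, because such an entry in a cluster-wide binding deserves review. The sample objects and their group and role names are constructed, and how the controller treats an empty condition is not stated on this page, so the check only reports it.

```python
import json

# Constructed sample in the shape of a Kubernetes List (not from a real cluster).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "admins"},
   "spec": {"bindings": [
     {"from": [{"groups": ["platform-admins"], "roles": ["admin"]}],
      "roleRef": {"kind": "ClusterPlatformRole", "name": "cluster-admin"}},
     {"from": [{}],
      "roleRef": {"kind": "ClusterPlatformRole", "name": "viewer"}},
     {"from": [{"groups": ["dev"]}],
      "roleRef": {"kind": "PlatformRole", "name": ""}}
   ]}}
]}
""")


def audit_binding(obj):
    """Return (path, message) findings for one ClusterPlatformRoleBinding."""
    findings = []
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    bindings = obj.get("spec", {}).get("bindings")
    if not isinstance(bindings, list):
        return [(name, "spec.bindings is required")]
    for i, b in enumerate(bindings):
        path = f"{name}:spec.bindings[{i}]"
        ref = b.get("roleRef")
        if not isinstance(ref, dict):
            findings.append((path, "roleRef is required"))
        else:
            if ref.get("kind") != "ClusterPlatformRole":  # schema enum
                findings.append((path, "roleRef.kind must be ClusterPlatformRole"))
            if not ref.get("name"):  # schema minLength 1
                findings.append((path, "roleRef.name must be non-empty"))
        conds = b.get("from")
        if not isinstance(conds, list):
            findings.append((path, "from is required"))
            continue
        for j, c in enumerate(conds):
            # Review item: the condition names no groups and no roles.
            if not isinstance(c, dict) or not (c.get("groups") or c.get("roles")):
                findings.append((f"{path}.from[{j}]", "no groups or roles constraint; review"))
    return findings


def audit(doc):
    """Audit a single object or a List of objects; returns all findings in order."""
    return [f for obj in doc.get("items", [doc]) for f in audit_binding(obj)]
```

Calling `audit(SAMPLE)` returns three findings: the empty condition in the second binding, and the wrong `roleRef.kind` and empty `roleRef.name` in the third.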
status
ClusterPlatformRoleBindingStatus defines the observed state of ClusterPlatformRoleBinding.
| Field | Type | Description |
|---|---|---|
| conditions | object[] | Conditions represent the latest available observations of the binding's state. |
| observedGeneration | integer | ObservedGeneration is the most recent generation observed by the controller. Format: int64 |
| roleCount | integer | RoleCount is the number of role binding entries in Spec.Bindings. Format: int32 |
status.conditions[]
Conditions represent the latest available observations of the binding's state.
| Field | Type | Description |
|---|---|---|
| lastTransitionTime (required) | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time |
| message (required) | string | message is a human readable message indicating details about the transition. This may be an empty string. maxLength 32768 |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 · min 0 |
| reason (required) | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. Pattern: `^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` · minLength 1 · maxLength 1024 |
| status (required) | string | status of the condition, one of True, False, Unknown. Enum: `True`, `False`, `Unknown` |
| type (required) | string | type of condition in CamelCase or in foo.example.com/CamelCase. Pattern: `^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` · maxLength 316 |
Related resources
References:
- ClusterPlatformRole - via spec.bindings[].roleRef