PlatformRoleBinding
PlatformRoleBinding is the namespace-scoped sibling of
ClusterPlatformRoleBinding. Namespace owners
use it to grant a ClusterPlatformRole to IdP
principals for the
ToolhiveAuthorizationPolicy resources in
the same namespace, without involving the cluster admin.
API: platform.enterprise.stacklok.com/v1alpha1 · Scope: Namespaced ·
Short names: prb, platformrolebinding
Example
apiVersion: platform.enterprise.stacklok.com/v1alpha1
kind: PlatformRoleBinding
metadata:
name: my-platformrolebinding
namespace: default
spec:
bindings:
- from:
- {}
roleRef:
kind: ClusterPlatformRole
name: <string>
Schema
spec
PlatformRoleBindingSpec defines the desired state of PlatformRoleBinding.
| Field | Type | Description |
|---|---|---|
bindingsrequired | object[] | Bindings is the list of role-to-principal mappings. |
spec.bindings[]
Bindings is the list of role-to-principal mappings.
| Field | Type | Description |
|---|---|---|
fromrequired | object[] | From is the list of principal conditions that receive the role. |
roleRefrequired | object | RoleRef references the ClusterPlatformRole to bind. |
spec.bindings.from[]
From is the list of principal conditions that receive the role.
| Field | Type | Description |
|---|---|---|
groups | string[] | Groups is the list of OIDC groups a principal must belong to. |
roles | string[] | Roles is the list of OIDC roles a principal must have. |
spec.bindings.roleRef
RoleRef references the ClusterPlatformRole to bind.
| Field | Type | Description |
|---|---|---|
kindrequired | string | enum: ClusterPlatformRole |
namerequired | string | minLength 1 |
status
PlatformRoleBindingStatus defines the observed state of PlatformRoleBinding.
| Field | Type | Description |
|---|---|---|
conditions | object[] | Conditions represent the latest available observations of the binding's state. |
observedGeneration | integer | ObservedGeneration is the most recent generation observed by the controller. format int64 |
roleCount | integer | RoleCount is the number of role binding entries in Spec.Bindings. format int32 |
status.conditions[]
Conditions represent the latest available observations of the binding's state.
| Field | Type | Description |
|---|---|---|
lastTransitionTimerequired | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format date-time |
messagerequired | string | message is a human readable message indicating details about the transition. This may be an empty string. maxLength 32768 |
observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format int64 · min 0 |
reasonrequired | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. pattern ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ · minLength 1 · maxLength 1024 |
statusrequired | string | status of the condition, one of True, False, Unknown. enum: True | False | Unknown |
typerequired | string | type of condition in CamelCase or in foo.example.com/CamelCase. pattern ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ · maxLength 316 |
Related resources
References:
- ClusterPlatformRole - via
spec.bindings[].roleRef