{ "description": "AWSClusterRoleIdentity is the Schema for the awsclusterroleidentities API\nIt is used to assume a role using the provided sourceRef.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "Spec for this AWSClusterRoleIdentity.", "properties": { "allowedNamespaces": { "description": "AllowedNamespaces is used to identify which namespaces are allowed to use the identity from.\nNamespaces can be selected either using an array of namespaces or with label selector.\nAn empty allowedNamespaces object indicates that AWSClusters can use this identity from any namespace.\nIf this object is nil, no namespaces will be allowed (default behaviour, if this field is not provided)\nA namespace should be either in the NamespaceList or match with Selector to use the identity.", "nullable": true, "properties": { "list": { "description": "An nil or empty list indicates that AWSClusters cannot use the identity from any namespace.", "items": { "type": "string" }, "nullable": true, "type": "array" }, "selector": { "description": "An empty selector indicates that AWSClusters cannot use this\nAWSClusterIdentity from any namespace.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "durationSeconds": { "description": "The duration, in seconds, of the role session before it is renewed.", "format": "int32", "maximum": 43200, "minimum": 900, "type": "integer" }, "externalID": { "description": "A unique identifier that might be required when you assume a role in another account.\nIf the administrator of the account to which the role belongs provided you with an\nexternal ID, then provide that value in the ExternalId parameter. This value can be\nany string, such as a passphrase or account number. A cross-account role is usually\nset up to trust everyone in an account. Therefore, the administrator of the trusting\naccount might send an external ID to the administrator of the trusted account. That\nway, only someone with the ID can assume the role, rather than everyone in the\naccount. For more information about the external ID, see How to Use an External ID\nWhen Granting Access to Your AWS Resources to a Third Party in the IAM User Guide.", "type": "string" }, "inlinePolicy": { "description": "An IAM policy as a JSON-encoded string that you want to use as an inline session policy.", "type": "string" }, "policyARNs": { "description": "The Amazon Resource Names (ARNs) of the IAM managed policies that you want\nto use as managed session policies.\nThe policies must exist in the same account as the role.", "items": { "type": "string" }, "type": "array" }, "roleARN": { "description": "The Amazon Resource Name (ARN) of the role to assume.", "type": "string" }, "sessionName": { "description": "An identifier for the assumed role session", "type": "string" }, "sourceIdentityRef": { "description": "SourceIdentityRef is a reference to another identity which will be chained to do\nrole assumption. All identity types are accepted.", "properties": { "kind": { "description": "Kind of the identity.", "enum": [ "AWSClusterControllerIdentity", "AWSClusterRoleIdentity", "AWSClusterStaticIdentity" ], "type": "string" }, "name": { "description": "Name of the identity.", "minLength": 1, "type": "string" } }, "required": [ "kind", "name" ], "type": "object", "additionalProperties": false } }, "required": [ "roleARN" ], "type": "object", "additionalProperties": false } }, "type": "object" }