{ "description": "RoleTemplate holds configuration for a template that is used to create kubernetes Roles and ClusterRoles\n(in the rbac.authorization.k8s.io group) for a cluster or project.", "properties": { "administrative": { "description": "Administrative field is deprecated and no longer used.", "type": "boolean" }, "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "builtin": { "description": "Builtin if true specifies that this RoleTemplate was created by Rancher and is immutable.\nDefault to false.", "type": "boolean" }, "clusterCreatorDefault": { "description": "ClusterCreatorDefault if true, a binding with this RoleTemplate will be created for a users when they create a new cluster.\nClusterCreatorDefault is only evaluated if the context of the RoleTemplate is set to cluster.\nDefault to false.", "type": "boolean" }, "context": { "description": "Context describes if the roleTemplate applies to clusters or projects.\nValid values are \"project\", \"cluster\" or \"\".", "enum": [ "project", "cluster", "" ], "type": "string" }, "description": { "description": "Description holds text that describes the resource.", "type": "string" }, "displayName": { "description": "DisplayName is the human-readable name displayed in the UI for this resource.", "type": "string" }, "external": { "description": "External if true specifies that rules for this RoleTemplate should be gathered from a ClusterRole with the matching name.\nIf set to true the Rules on the template will not be evaluated.\nExternal's value is only evaluated if the RoleTemplate's context is set to \"cluster\"\nDefault to false.", "type": "boolean" }, "externalRules": { "description": "ExternalRules hold the external PolicyRules that will be used for authorization.\nThis field is required when External=true and no underlying ClusterRole exists in the local cluster.\nThis field is just used when the feature flag 'external-rules' is on.", "items": { "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", "properties": { "apiGroups": { "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "nonResourceURLs": { "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resourceNames": { "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resources": { "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "verbs" ], "type": "object", "additionalProperties": false }, "type": "array" }, "hidden": { "description": "Hidden if true informs the Rancher UI not to display this RoleTemplate.\nDefault to false.", "type": "boolean" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "locked": { "description": "Locked if true, new bindings will not be able to use this RoleTemplate.\nDefault to false.", "type": "boolean" }, "metadata": { "type": "object" }, "projectCreatorDefault": { "description": "ProjectCreatorDefault if true, a binding with this RoleTemplate will be created for a user when they create a new project.\nProjectCreatorDefault is only evaluated if the context of the RoleTemplate is set to project.\nDefault to false.", "type": "boolean" }, "roleTemplateNames": { "description": "RoleTemplateNames list of RoleTemplate names that this RoleTemplate will inherit.\nThis RoleTemplate will grant all rules defined in an inherited RoleTemplate.\nInherited RoleTemplates must already exist.", "items": { "type": "string" }, "type": "array" }, "rules": { "description": "Rules hold all the PolicyRules for this RoleTemplate.", "items": { "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", "properties": { "apiGroups": { "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "nonResourceURLs": { "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resourceNames": { "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resources": { "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "verbs" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object" }