{
  "properties": {
    "apiVersion": {
      "description": "apiVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "properties": {
        "accessPolicyRef": {
          "description": "The AccessContextManagerAccessPolicy this\nAccessContextManagerServicePerimeter lives in.",
          "oneOf": [
            {
              "not": {
                "required": [
                  "external"
                ]
              },
              "required": [
                "name"
              ]
            },
            {
              "not": {
                "anyOf": [
                  {
                    "required": [
                      "name"
                    ]
                  },
                  {
                    "required": [
                      "namespace"
                    ]
                  }
                ]
              },
              "required": [
                "external"
              ]
            }
          ],
          "properties": {
            "external": {
              "description": "Allowed value: string of the format `accessPolicies/{{value}}`, where {{value}} is the `name` field of an `AccessContextManagerAccessPolicy` resource.",
              "type": "string"
            },
            "name": {
              "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
              "type": "string"
            },
            "namespace": {
              "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "description": {
          "description": "Description of the ServicePerimeter and its use. Does not affect\nbehavior.",
          "type": "string"
        },
        "perimeterType": {
          "description": "Immutable. Specifies the type of the Perimeter. There are two types: regular and\nbridge. Regular Service Perimeter contains resources, access levels,\nand restricted services. Every resource can be in at most\nONE regular Service Perimeter.\n\nIn addition to being in a regular service perimeter, a resource can also\nbe in zero or more perimeter bridges. A perimeter bridge only contains\nresources. Cross-project operations are permitted if all affected\nresources share some perimeter (whether bridge or regular). Perimeter\nBridge does not contain access levels or services: those are governed\nentirely by the regular perimeter that the resource is in.\n\nPerimeter Bridges are typically useful when building more complex\ntopologies with many independent perimeters that need to share some data\nwith a common perimeter, but should not be able to share data among\nthemselves. Default value: \"PERIMETER_TYPE_REGULAR\". Possible values: [\"PERIMETER_TYPE_REGULAR\", \"PERIMETER_TYPE_BRIDGE\"].",
          "type": "string"
        },
        "resourceID": {
          "description": "Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.",
          "type": "string"
        },
        "spec": {
          "description": "Proposed (or dry run) ServicePerimeter configuration.\nThis configuration allows you to specify and test a ServicePerimeter configuration\nwithout enforcing actual access restrictions. Only allowed to be set when\nthe 'useExplicitDryRunSpec' flag is set.",
          "properties": {
            "accessLevels": {
              "items": {
                "description": "(Optional) A list of AccessLevel resource names that allow resources within\nthe ServicePerimeter to be accessed from the internet. AccessLevels listed\nmust be in the same policy as this ServicePerimeter.\nReferencing a nonexistent AccessLevel is a syntax error. If no\nAccessLevel names are listed, resources within the perimeter can\nonly be accessed via GCP calls with request origins within the\nperimeter. For Service Perimeter Bridge, must be empty.",
                "oneOf": [
                  {
                    "not": {
                      "required": [
                        "external"
                      ]
                    },
                    "required": [
                      "name"
                    ]
                  },
                  {
                    "not": {
                      "anyOf": [
                        {
                          "required": [
                            "name"
                          ]
                        },
                        {
                          "required": [
                            "namespace"
                          ]
                        }
                      ]
                    },
                    "required": [
                      "external"
                    ]
                  }
                ],
                "properties": {
                  "external": {
                    "description": "Allowed value: string of the format `{{parent}}/accessLevels/{{value}}`, where {{value}} is the `name` field of an `AccessContextManagerAccessLevel` resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                    "type": "string"
                  },
                  "namespace": {
                    "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "egressPolicies": {
              "description": "List of EgressPolicies to apply to the perimeter. A perimeter may\nhave multiple EgressPolicies, each of which is evaluated separately.\nAccess is granted if any EgressPolicy grants it. Must be empty for\na perimeter bridge.",
              "items": {
                "properties": {
                  "egressFrom": {
                    "description": "Defines conditions on the source of a request causing this 'EgressPolicy' to apply.",
                    "properties": {
                      "identities": {
                        "items": {
                          "description": "(Optional) A list of identities that are allowed access through this\nEgressPolicy. Should be in the format of an email address. The email\naddress should represent an individual user or service account only.",
                          "oneOf": [
                            {
                              "required": [
                                "serviceAccountRef"
                              ]
                            },
                            {
                              "required": [
                                "user"
                              ]
                            }
                          ],
                          "properties": {
                            "serviceAccountRef": {
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `serviceAccount:{{value}}`, where {{value}} is the `email` field of an `IAMServiceAccount` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            },
                            "user": {
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "identityType": {
                        "description": "Specifies the type of identities that are allowed access to outside the\nperimeter. If left unspecified, then members of 'identities' field will\nbe allowed access. Possible values: [\"IDENTITY_TYPE_UNSPECIFIED\", \"ANY_IDENTITY\", \"ANY_USER_ACCOUNT\", \"ANY_SERVICE_ACCOUNT\"].",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "egressTo": {
                    "description": "Defines the conditions on the 'ApiOperation' and destination resources that\ncause this 'EgressPolicy' to apply.",
                    "properties": {
                      "externalResources": {
                        "description": "A list of external resources that are allowed to be accessed. A request\nmatches if it contains an external resource in this list (Example:\ns3://bucket/path). Currently '*' is not allowed.",
                        "items": {
                          "type": "string"
                        },
                        "type": "array"
                      },
                      "operations": {
                        "description": "A list of 'ApiOperations' that this egress rule applies to. A request matches\nif it contains an operation/service in this list.",
                        "items": {
                          "properties": {
                            "methodSelectors": {
                              "description": "API methods or permissions to allow. Method or permission must belong\nto the service specified by 'serviceName' field. A single MethodSelector\nentry with '*' specified for the 'method' field will allow all methods\nAND permissions for the service specified in 'serviceName'.",
                              "items": {
                                "properties": {
                                  "method": {
                                    "description": "Value for 'method' should be a valid method name for the corresponding\n'serviceName' in 'ApiOperation'. If '*' used as value for method,\nthen ALL methods and permissions are allowed.",
                                    "type": "string"
                                  },
                                  "permission": {
                                    "description": "Value for permission should be a valid Cloud IAM permission for the\ncorresponding 'serviceName' in 'ApiOperation'.",
                                    "type": "string"
                                  }
                                },
                                "type": "object",
                                "additionalProperties": false
                              },
                              "type": "array"
                            },
                            "serviceName": {
                              "description": "The name of the API whose methods or permissions the 'IngressPolicy' or\n'EgressPolicy' wants to allow. A single 'ApiOperation' with serviceName\nfield set to '*' will allow all methods AND permissions for all services.",
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "resources": {
                        "items": {
                          "description": "(Optional) A list of resources, currently only projects in the form\n\"projects/{project_number}\". A request\nmatches if it contains a resource in this list.",
                          "properties": {
                            "projectRef": {
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `projects/{{value}}`, where {{value}} is the `number` field of a `Project` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "ingressPolicies": {
              "description": "List of 'IngressPolicies' to apply to the perimeter. A perimeter may\nhave multiple 'IngressPolicies', each of which is evaluated\nseparately. Access is granted if any 'Ingress Policy' grants it.\nMust be empty for a perimeter bridge.",
              "items": {
                "properties": {
                  "ingressFrom": {
                    "description": "Defines the conditions on the source of a request causing this 'IngressPolicy'\nto apply.",
                    "properties": {
                      "identities": {
                        "items": {
                          "description": "(Optional) A list of identities that are allowed access through this\ningress policy. Should be in the format of an email address. The email\naddress should represent an individual user or service account only.",
                          "oneOf": [
                            {
                              "required": [
                                "serviceAccountRef"
                              ]
                            },
                            {
                              "required": [
                                "user"
                              ]
                            }
                          ],
                          "properties": {
                            "serviceAccountRef": {
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `serviceAccount:{{value}}`, where {{value}} is the `email` field of an `IAMServiceAccount` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            },
                            "user": {
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "identityType": {
                        "description": "Specifies the type of identities that are allowed access from outside the\nperimeter. If left unspecified, then members of 'identities' field will be\nallowed access. Possible values: [\"IDENTITY_TYPE_UNSPECIFIED\", \"ANY_IDENTITY\", \"ANY_USER_ACCOUNT\", \"ANY_SERVICE_ACCOUNT\"].",
                        "type": "string"
                      },
                      "sources": {
                        "description": "Sources that this 'IngressPolicy' authorizes access from.",
                        "items": {
                          "properties": {
                            "accessLevelRef": {
                              "description": "An AccessLevel resource name that allows resources within the\nServicePerimeters to be accessed from the internet. AccessLevels\nlisted must be in the same policy as this ServicePerimeter.\nReferencing a nonexistent AccessLevel will cause an error. If no\nAccessLevel names are listed, resources within the perimeter can\nonly be accessed via Google Cloud calls with request origins within\nthe perimeter.",
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `{{parent}}/accessLevels/{{value}}`, where {{value}} is the `name` field of an `AccessContextManagerAccessLevel` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            },
                            "projectRef": {
                              "description": "(Optional) A Google Cloud resource that is allowed to ingress the\nperimeter. Requests from these resources will be allowed to access\nperimeter data. Currently only projects are allowed. Format:\n\"projects/{project_number}\". The project may be in any Google Cloud\norganization, not just the organization that the perimeter is defined in.",
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `projects/{{value}}`, where {{value}} is the `number` field of a `Project` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "ingressTo": {
                    "description": "Defines the conditions on the 'ApiOperation' and request destination that cause\nthis 'IngressPolicy' to apply.",
                    "properties": {
                      "operations": {
                        "description": "A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom'\nare allowed to perform in this 'ServicePerimeter'.",
                        "items": {
                          "properties": {
                            "methodSelectors": {
                              "description": "API methods or permissions to allow. Method or permission must belong to\nthe service specified by serviceName field. A single 'MethodSelector' entry\nwith '*' specified for the method field will allow all methods AND\npermissions for the service specified in 'serviceName'.",
                              "items": {
                                "properties": {
                                  "method": {
                                    "description": "Value for method should be a valid method name for the corresponding\nserviceName in 'ApiOperation'. If '*' used as value for 'method', then\nALL methods and permissions are allowed.",
                                    "type": "string"
                                  },
                                  "permission": {
                                    "description": "Value for permission should be a valid Cloud IAM permission for the\ncorresponding 'serviceName' in 'ApiOperation'.",
                                    "type": "string"
                                  }
                                },
                                "type": "object",
                                "additionalProperties": false
                              },
                              "type": "array"
                            },
                            "serviceName": {
                              "description": "The name of the API whose methods or permissions the 'IngressPolicy' or\n'EgressPolicy' wants to allow. A single 'ApiOperation' with 'serviceName'\nfield set to '*' will allow all methods AND permissions for all services.",
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "resources": {
                        "items": {
                          "description": "A list of resources, currently only projects in the form\n\"projects/{project_number}\", protected by this ServicePerimeter\nthat are allowed to be accessed by sources defined in the\ncorresponding IngressFrom. A request matches if it contains a\nresource in this list.",
                          "properties": {
                            "projectRef": {
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `projects/{{value}}`, where {{value}} is the `number` field of a `Project` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "resources": {
              "items": {
                "description": "(Optional) A list of GCP resources that are inside of the service perimeter.\nCurrently only projects are allowed.",
                "properties": {
                  "projectRef": {
                    "oneOf": [
                      {
                        "not": {
                          "required": [
                            "external"
                          ]
                        },
                        "required": [
                          "name"
                        ]
                      },
                      {
                        "not": {
                          "anyOf": [
                            {
                              "required": [
                                "name"
                              ]
                            },
                            {
                              "required": [
                                "namespace"
                              ]
                            }
                          ]
                        },
                        "required": [
                          "external"
                        ]
                      }
                    ],
                    "properties": {
                      "external": {
                        "description": "Allowed value: string of the format `projects/{{value}}`, where {{value}} is the `number` field of a `Project` resource.",
                        "type": "string"
                      },
                      "name": {
                        "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                        "type": "string"
                      },
                      "namespace": {
                        "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "restrictedServices": {
              "description": "GCP services that are subject to the Service Perimeter\nrestrictions. Must contain a list of services. For example, if\n'storage.googleapis.com' is specified, access to the storage\nbuckets inside the perimeter must meet the perimeter's access\nrestrictions.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "vpcAccessibleServices": {
              "description": "Specifies how APIs are allowed to communicate within the Service\nPerimeter.",
              "properties": {
                "allowedServices": {
                  "description": "The list of APIs usable within the Service Perimeter.\nMust be empty unless 'enableRestriction' is true.",
                  "items": {
                    "type": "string"
                  },
                  "type": "array"
                },
                "enableRestriction": {
                  "description": "Whether to restrict API calls within the Service Perimeter to the\nlist of APIs specified in 'allowedServices'.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "status": {
          "description": "ServicePerimeter configuration. Specifies sets of resources,\nrestricted services and access levels that determine\nperimeter content and boundaries.",
          "properties": {
            "accessLevels": {
              "items": {
                "description": "(Optional) A list of AccessLevel resource names that allow resources within\nthe ServicePerimeter to be accessed from the internet. AccessLevels listed\nmust be in the same policy as this ServicePerimeter.\nReferencing a nonexistent AccessLevel is a syntax error. If no\nAccessLevel names are listed, resources within the perimeter can\nonly be accessed via GCP calls with request origins within the\nperimeter. For Service Perimeter Bridge, must be empty.",
                "oneOf": [
                  {
                    "not": {
                      "required": [
                        "external"
                      ]
                    },
                    "required": [
                      "name"
                    ]
                  },
                  {
                    "not": {
                      "anyOf": [
                        {
                          "required": [
                            "name"
                          ]
                        },
                        {
                          "required": [
                            "namespace"
                          ]
                        }
                      ]
                    },
                    "required": [
                      "external"
                    ]
                  }
                ],
                "properties": {
                  "external": {
                    "description": "Allowed value: string of the format `{{parent}}/accessLevels/{{value}}`, where {{value}} is the `name` field of an `AccessContextManagerAccessLevel` resource.",
                    "type": "string"
                  },
                  "name": {
                    "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                    "type": "string"
                  },
                  "namespace": {
                    "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "egressPolicies": {
              "description": "List of EgressPolicies to apply to the perimeter. A perimeter may\nhave multiple EgressPolicies, each of which is evaluated separately.\nAccess is granted if any EgressPolicy grants it. Must be empty for\na perimeter bridge.",
              "items": {
                "properties": {
                  "egressFrom": {
                    "description": "Defines conditions on the source of a request causing this 'EgressPolicy' to apply.",
                    "properties": {
                      "identities": {
                        "items": {
                          "description": "(Optional) A list of identities that are allowed access through this\nEgressPolicy. Should be in the format of an email address. The email\naddress should represent an individual user or service account only.",
                          "oneOf": [
                            {
                              "required": [
                                "serviceAccountRef"
                              ]
                            },
                            {
                              "required": [
                                "user"
                              ]
                            }
                          ],
                          "properties": {
                            "serviceAccountRef": {
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `serviceAccount:{{value}}`, where {{value}} is the `email` field of an `IAMServiceAccount` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            },
                            "user": {
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "identityType": {
                        "description": "Specifies the type of identities that are allowed access outside the\nperimeter. If left unspecified, then members of the 'identities' field will\nbe allowed access. Possible values: [\"IDENTITY_TYPE_UNSPECIFIED\", \"ANY_IDENTITY\", \"ANY_USER_ACCOUNT\", \"ANY_SERVICE_ACCOUNT\"].",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "egressTo": {
                    "description": "Defines the conditions on the 'ApiOperation' and destination resources that\ncause this 'EgressPolicy' to apply.",
                    "properties": {
                      "externalResources": {
                        "description": "A list of external resources that are allowed to be accessed. A request\nmatches if it contains an external resource in this list (Example:\ns3://bucket/path). Currently '*' is not allowed.",
                        "items": {
                          "type": "string"
                        },
                        "type": "array"
                      },
                      "operations": {
                        "description": "A list of 'ApiOperations' that this egress rule applies to. A request matches\nif it contains an operation/service in this list.",
                        "items": {
                          "properties": {
                            "methodSelectors": {
                              "description": "API methods or permissions to allow. Method or permission must belong\nto the service specified by the 'serviceName' field. A single 'MethodSelector'\nentry with '*' specified for the 'method' field will allow all methods\nAND permissions for the service specified in 'serviceName'.",
                              "items": {
                                "properties": {
                                  "method": {
                                    "description": "Value for 'method' should be a valid method name for the corresponding\n'serviceName' in 'ApiOperation'. If '*' is used as the value for 'method',\nthen ALL methods and permissions are allowed.",
                                    "type": "string"
                                  },
                                  "permission": {
                                    "description": "Value for permission should be a valid Cloud IAM permission for the\ncorresponding 'serviceName' in 'ApiOperation'.",
                                    "type": "string"
                                  }
                                },
                                "type": "object",
                                "additionalProperties": false
                              },
                              "type": "array"
                            },
                            "serviceName": {
                                "description": "The name of the API whose methods or permissions the 'IngressPolicy' or\n'EgressPolicy' wants to allow. A single 'ApiOperation' with the 'serviceName'\nfield set to '*' will allow all methods AND permissions for all services.",
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "resources": {
                        "items": {
                          "description": "(Optional) A list of resources, currently only projects in the form\n\"projects/{project_number}\". A request\nmatches if it contains a resource in this list.",
                          "properties": {
                            "projectRef": {
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `projects/{{value}}`, where {{value}} is the `number` field of a `Project` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "ingressPolicies": {
              "description": "List of 'IngressPolicies' to apply to the perimeter. A perimeter may\nhave multiple 'IngressPolicies', each of which is evaluated\nseparately. Access is granted if any 'Ingress Policy' grants it.\nMust be empty for a perimeter bridge.",
              "items": {
                "properties": {
                  "ingressFrom": {
                    "description": "Defines the conditions on the source of a request causing this 'IngressPolicy'\nto apply.",
                    "properties": {
                      "identities": {
                        "items": {
                          "description": "(Optional) A list of identities that are allowed access through this\nIngressPolicy. Should be in the format of an email address. The email\naddress should represent an individual user or service account only.",
                          "oneOf": [
                            {
                              "required": [
                                "serviceAccountRef"
                              ]
                            },
                            {
                              "required": [
                                "user"
                              ]
                            }
                          ],
                          "properties": {
                            "serviceAccountRef": {
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `serviceAccount:{{value}}`, where {{value}} is the `email` field of an `IAMServiceAccount` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            },
                            "user": {
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "identityType": {
                        "description": "Specifies the type of identities that are allowed access from outside the\nperimeter. If left unspecified, then members of the 'identities' field will be\nallowed access. Possible values: [\"IDENTITY_TYPE_UNSPECIFIED\", \"ANY_IDENTITY\", \"ANY_USER_ACCOUNT\", \"ANY_SERVICE_ACCOUNT\"].",
                        "type": "string"
                      },
                      "sources": {
                        "description": "Sources that this 'IngressPolicy' authorizes access from.",
                        "items": {
                          "properties": {
                            "accessLevelRef": {
                              "description": "An AccessLevel resource name that allows resources within the\nServicePerimeter to be accessed from the internet. AccessLevels\nlisted must be in the same policy as this ServicePerimeter.\nReferencing a nonexistent AccessLevel will cause an error. If no\nAccessLevel names are listed, resources within the perimeter can\nonly be accessed via Google Cloud calls with request origins within\nthe perimeter.",
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `{{parent}}/accessLevels/{{value}}`, where {{value}} is the `name` field of an `AccessContextManagerAccessLevel` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            },
                            "projectRef": {
                              "description": "(Optional) A Google Cloud resource that is allowed to ingress the\nperimeter. Requests from this resource will be allowed to access\nperimeter data. Currently only projects are allowed. Format:\n\"projects/{project_number}\". The project may be in any Google Cloud\norganization, not just the organization that the perimeter is defined in.",
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `projects/{{value}}`, where {{value}} is the `number` field of a `Project` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "ingressTo": {
                    "description": "Defines the conditions on the 'ApiOperation' and request destination that cause\nthis 'IngressPolicy' to apply.",
                    "properties": {
                      "operations": {
                        "description": "A list of 'ApiOperations' the sources specified in corresponding 'IngressFrom'\nare allowed to perform in this 'ServicePerimeter'.",
                        "items": {
                          "properties": {
                            "methodSelectors": {
                              "description": "API methods or permissions to allow. Method or permission must belong to\nthe service specified by the 'serviceName' field. A single 'MethodSelector' entry\nwith '*' specified for the 'method' field will allow all methods AND\npermissions for the service specified in 'serviceName'.",
                              "items": {
                                "properties": {
                                  "method": {
                                    "description": "Value for 'method' should be a valid method name for the corresponding\n'serviceName' in 'ApiOperation'. If '*' is used as the value for 'method', then\nALL methods and permissions are allowed.",
                                    "type": "string"
                                  },
                                  "permission": {
                                    "description": "Value for permission should be a valid Cloud IAM permission for the\ncorresponding 'serviceName' in 'ApiOperation'.",
                                    "type": "string"
                                  }
                                },
                                "type": "object",
                                "additionalProperties": false
                              },
                              "type": "array"
                            },
                            "serviceName": {
                              "description": "The name of the API whose methods or permissions the 'IngressPolicy' or\n'EgressPolicy' wants to allow. A single 'ApiOperation' with 'serviceName'\nfield set to '*' will allow all methods AND permissions for all services.",
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "resources": {
                        "items": {
                          "description": "A list of resources, currently only projects in the form\n\"projects/{project_number}\", protected by this ServicePerimeter\nthat are allowed to be accessed by sources defined in the\ncorresponding IngressFrom. A request matches if it contains a\nresource in this list.",
                          "properties": {
                            "projectRef": {
                              "oneOf": [
                                {
                                  "not": {
                                    "required": [
                                      "external"
                                    ]
                                  },
                                  "required": [
                                    "name"
                                  ]
                                },
                                {
                                  "not": {
                                    "anyOf": [
                                      {
                                        "required": [
                                          "name"
                                        ]
                                      },
                                      {
                                        "required": [
                                          "namespace"
                                        ]
                                      }
                                    ]
                                  },
                                  "required": [
                                    "external"
                                  ]
                                }
                              ],
                              "properties": {
                                "external": {
                                  "description": "Allowed value: string of the format `projects/{{value}}`, where {{value}} is the `number` field of a `Project` resource.",
                                  "type": "string"
                                },
                                "name": {
                                  "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                  "type": "string"
                                },
                                "namespace": {
                                  "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "resources": {
              "items": {
                "description": "(Optional) A list of GCP resources that are inside of the service perimeter.\nCurrently only projects are allowed.",
                "properties": {
                  "projectRef": {
                    "oneOf": [
                      {
                        "not": {
                          "required": [
                            "external"
                          ]
                        },
                        "required": [
                          "name"
                        ]
                      },
                      {
                        "not": {
                          "anyOf": [
                            {
                              "required": [
                                "name"
                              ]
                            },
                            {
                              "required": [
                                "namespace"
                              ]
                            }
                          ]
                        },
                        "required": [
                          "external"
                        ]
                      }
                    ],
                    "properties": {
                      "external": {
                        "description": "Allowed value: string of the format `projects/{{value}}`, where {{value}} is the `number` field of a `Project` resource.",
                        "type": "string"
                      },
                      "name": {
                        "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                        "type": "string"
                      },
                      "namespace": {
                        "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "restrictedServices": {
              "description": "GCP services that are subject to the Service Perimeter\nrestrictions. Must contain a list of services. For example, if\n'storage.googleapis.com' is specified, access to the storage\nbuckets inside the perimeter must meet the perimeter's access\nrestrictions.",
              "items": {
                "type": "string"
              },
              "type": "array"
            },
            "vpcAccessibleServices": {
              "description": "Specifies how APIs are allowed to communicate within the Service\nPerimeter.",
              "properties": {
                "allowedServices": {
                  "description": "The list of APIs usable within the Service Perimeter.\nMust be empty unless 'enableRestriction' is True.",
                  "items": {
                    "type": "string"
                  },
                  "type": "array"
                },
                "enableRestriction": {
                  "description": "Whether to restrict API calls within the Service Perimeter to the\nlist of APIs specified in 'allowedServices'.",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "title": {
          "description": "Human readable title. Must be unique within the Policy.",
          "type": "string"
        },
        "useExplicitDryRunSpec": {
          "description": "Use explicit dry run spec flag. Ordinarily, a dry-run spec implicitly exists\nfor all Service Perimeters, and that spec is identical to the status for those\nService Perimeters. When this flag is set, it inhibits the generation of the\nimplicit spec, thereby allowing the user to explicitly provide a\nconfiguration (\"spec\") to use in a dry-run version of the Service Perimeter.\nThis allows the user to test changes to the enforced config (\"status\") without\nactually enforcing them. This testing is done through analyzing the differences\nbetween currently enforced and suggested restrictions. useExplicitDryRunSpec must\nbe set to True if any of the fields in the spec are set to non-default values.",
          "type": "boolean"
        }
      },
      "required": [
        "accessPolicyRef",
        "title"
      ],
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "properties": {
        "conditions": {
          "description": "Conditions represent the latest available observation of the resource's current state.",
          "items": {
            "properties": {
              "lastTransitionTime": {
                "description": "Last time the condition transitioned from one status to another.",
                "type": "string"
              },
              "message": {
                "description": "Human-readable message indicating details about last transition.",
                "type": "string"
              },
              "reason": {
                "description": "Unique, one-word, CamelCase reason for the condition's last transition.",
                "type": "string"
              },
              "status": {
                "description": "Status is the status of the condition. Can be True, False, Unknown.",
                "type": "string"
              },
              "type": {
                "description": "Type is the type of the condition.",
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "createTime": {
          "description": "Time the AccessPolicy was created in UTC.",
          "type": "string"
        },
        "observedGeneration": {
          "description": "ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.",
          "type": "integer"
        },
        "updateTime": {
          "description": "Time the AccessPolicy was updated in UTC.",
          "type": "string"
        }
      },
      "type": "object",
      "additionalProperties": false
    }
  },
  "required": [
    "spec"
  ],
  "type": "object"
}
