{ "description": "AccessEntry is the Schema for the AccessEntries API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "AccessEntrySpec defines the desired state of AccessEntry.\n\nAn access entry allows an IAM principal (user or role) to access your cluster.\nAccess entries can replace the need to maintain the aws-auth ConfigMap for\nauthentication. For more information about access entries, see Access entries\n(https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html) in\nthe Amazon EKS User Guide.", "properties": { "accessPolicies": { "items": { "properties": { "accessScope": { "description": "The scope of an AccessPolicy that's associated to an AccessEntry.", "properties": { "namespaces": { "items": { "type": "string" }, "type": "array" }, "type": { "type": "string" } }, "type": "object", "additionalProperties": false }, "policyARN": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "clusterName": { "description": "The name of your cluster.", "type": "string" }, "clusterRef": { "description": "AWSResourceReferenceWrapper provides a wrapper around *AWSResourceReference\ntype to provide more user friendly syntax for references using 'from' field\nEx:\nAPIIDRef:\n\n\tfrom:\n\t name: my-api", "properties": { "from": { "description": "AWSResourceReference provides all the values necessary to reference another\nk8s resource for finding the identifier(Id/ARN/Name)", "properties": { "name": { "type": "string" }, "namespace": { "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "kubernetesGroups": { "description": "The value for name that you've specified for kind: Group as a subject in\na Kubernetes RoleBinding or ClusterRoleBinding object. Amazon EKS doesn't\nconfirm that the value for name exists in any bindings on your cluster. You\ncan specify one or more names.\n\nKubernetes authorizes the principalArn of the access entry to access any\ncluster objects that you've specified in a Kubernetes Role or ClusterRole\nobject that is also specified in a binding's roleRef. For more information\nabout creating Kubernetes RoleBinding, ClusterRoleBinding, Role, or ClusterRole\nobjects, see Using RBAC Authorization in the Kubernetes documentation (https://kubernetes.io/docs/reference/access-authn-authz/rbac/).\n\nIf you want Amazon EKS to authorize the principalArn (instead of, or in addition\nto Kubernetes authorizing the principalArn), you can associate one or more\naccess policies to the access entry using AssociateAccessPolicy. If you associate\nany access policies, the principalARN has all permissions assigned in the\nassociated access policies and all permissions in any Kubernetes Role or\nClusterRole objects that the group names are bound to.", "items": { "type": "string" }, "type": "array" }, "principalARN": { "description": "The ARN of the IAM principal for the AccessEntry. You can specify one ARN\nfor each access entry. You can't specify the same ARN in more than one access\nentry. This value can't be changed after access entry creation.\n\nThe valid principals differ depending on the type of the access entry in\nthe type field. For STANDARD access entries, you can use every IAM principal\ntype. For nodes (EC2 (for EKS Auto Mode), EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX,\nand HYBRID_LINUX), the only valid ARN is IAM roles. You can't use the STS\nsession principal type with access entries because this is a temporary principal\nfor each session and not a permanent identity that can be assigned permissions.\n\nIAM best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp)\nrecommend using IAM roles with temporary credentials, rather than IAM users\nwith long-term credentials.", "type": "string" }, "tags": { "additionalProperties": { "type": "string" }, "description": "Metadata that assists with categorization and organization. Each tag consists\nof a key and an optional value. You define both. Tags don't propagate to\nany other cluster or Amazon Web Services resources.", "type": "object" }, "type": { "description": "The type of the new access entry. Valid values are STANDARD, FARGATE_LINUX,\nEC2_LINUX, EC2_WINDOWS, EC2 (for EKS Auto Mode), HYBRID_LINUX, and HYPERPOD_LINUX.\n\nIf the principalArn is for an IAM role that's used for self-managed Amazon\nEC2 nodes, specify EC2_LINUX or EC2_WINDOWS. Amazon EKS grants the necessary\npermissions to the node for you. If the principalArn is for any other purpose,\nspecify STANDARD. If you don't specify a value, Amazon EKS sets the value\nto STANDARD. If you have the access mode of the cluster set to API_AND_CONFIG_MAP,\nit's unnecessary to create access entries for IAM roles used with Fargate\nprofiles or managed Amazon EC2 nodes, because Amazon EKS creates entries\nin the aws-auth ConfigMap for the roles. You can't change this value once\nyou've created the access entry.\n\nIf you set the value to EC2_LINUX or EC2_WINDOWS, you can't specify values\nfor kubernetesGroups, or associate an AccessPolicy to the access entry.", "type": "string" }, "username": { "description": "The username to authenticate to Kubernetes with. We recommend not specifying\na username and letting Amazon EKS specify it for you. For more information\nabout the value Amazon EKS specifies for you, or constraints before specifying\nyour own username, see Creating access entries (https://docs.aws.amazon.com/eks/latest/userguide/access-entries.html#creating-access-entries)\nin the Amazon EKS User Guide.", "type": "string" } }, "required": [ "principalARN" ], "type": "object", "additionalProperties": false }, "status": { "description": "AccessEntryStatus defines the observed state of AccessEntry", "properties": { "ackResourceMetadata": { "description": "All CRs managed by ACK have a common `Status.ACKResourceMetadata` member\nthat is used to contain resource sync state, account ownership,\nconstructed ARN for the resource", "properties": { "arn": { "description": "ARN is the Amazon Resource Name for the resource. This is a\nglobally-unique identifier and is set only by the ACK service controller\nonce the controller has orchestrated the creation of the resource OR\nwhen it has verified that an \"adopted\" resource (a resource where the\nARN annotation was set by the Kubernetes user on the CR) exists and\nmatches the supplied CR's Spec field values.\nhttps://github.com/aws/aws-controllers-k8s/issues/270", "type": "string" }, "ownerAccountID": { "description": "OwnerAccountID is the AWS Account ID of the account that owns the\nbackend AWS service API resource.", "type": "string" }, "region": { "description": "Region is the AWS region in which the resource exists or will exist.", "type": "string" } }, "required": [ "ownerAccountID", "region" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "All CRs managed by ACK have a common `Status.Conditions` member that\ncontains a collection of `ackv1alpha1.Condition` objects that describe\nthe various terminal states of the CR and its backend AWS service API\nresource", "items": { "description": "Condition is the common struct used by all CRDs managed by ACK service\ncontrollers to indicate terminal states of the CR and its backend AWS\nservice API resource", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type is the type of the Condition", "type": "string" } }, "required": [ "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "createdAt": { "description": "The Unix epoch timestamp at object creation.", "format": "date-time", "type": "string" }, "modifiedAt": { "description": "The Unix epoch timestamp for the last modification to the object.", "format": "date-time", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }