{ "properties": { "metadata": { "properties": { "name": { "maxLength": 63, "type": "string" } }, "type": "object", "additionalProperties": false }, "spec": { "properties": { "enforcementAction": { "type": "string" }, "match": { "properties": { "excludedNamespaces": { "description": "`excludedNamespaces` is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix-based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`.", "items": { "pattern": "^(\\*|\\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\*|-\\*)?$", "type": "string" }, "type": "array" }, "kinds": { "items": { "description": "The Group and Kind of objects that should be matched. If multiple groups/kinds combinations are specified, an incoming resource need only match one to be in scope.", "properties": { "apiGroups": { "items": { "nullable": true, "type": "string" }, "type": "array" }, "kinds": { "items": { "nullable": true, "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "labelSelector": { "description": "`labelSelector` is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.", "properties": { "matchExpressions": { "description": "a list of label selection expressions. A selected resource will match all of these expressions.", "items": { "description": "a selector that specifies a label key, a set of label values, an operator that defines the relationship between the two that will match the selector.", "properties": { "key": { "description": "the label key that the selector applies to.", "type": "string" }, "operator": { "description": "the relationship between the label and value set that defines a matching selection.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "a set of label values.", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "A mapping of label keys to sets of allowed label values for those keys. A selected resource will match all of these expressions.", "type": "object", "x-kubernetes-preserve-unknown-fields": true } }, "type": "object", "additionalProperties": false }, "name": { "description": "`name` is the name of an object. If defined, it matches against objects with the specified name. Name also supports a prefix-based glob. For example, `name: pod-*` matches both `pod-a` and `pod-b`.", "pattern": "^(\\*|\\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\*|-\\*)?$", "type": "string" }, "namespaceSelector": { "description": "`namespaceSelector` is a label selector against an object's containing namespace or the object itself, if the object is a namespace.", "properties": { "matchExpressions": { "description": "a list of label selection expressions. A selected resource will match all of these expressions.", "items": { "description": "a selector that specifies a label key, a set of label values, an operator that defines the relationship between the two that will match the selector.", "properties": { "key": { "description": "the label key that the selector applies to.", "type": "string" }, "operator": { "description": "the relationship between the label and value set that defines a matching selection.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "a set of label values.", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "matchLabels": { "additionalProperties": { "type": "string" }, "description": "A mapping of label keys to sets of allowed label values for those keys. A selected resource will match all of these expressions.", "type": "object", "x-kubernetes-preserve-unknown-fields": true } }, "type": "object", "additionalProperties": false }, "namespaces": { "description": "`namespaces` is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix-based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`.", "items": { "pattern": "^(\\*|\\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\*|-\\*)?$", "type": "string" }, "type": "array" }, "scope": { "description": "`scope` determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)", "enum": [ "*", "Cluster", "Namespaced" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "parameters": { "properties": { "kafkaUserExceptions": { "description": "The list of KafkaUsers who may decalare permissions for topics that do not exist as KafkaTopics", "items": { "type": "string" }, "type": "array" }, "kafkaUserNoReadTopics": { "description": "The list of KafkaUsers who may not declare a topic acl other than describe operations", "items": { "type": "string" }, "type": "array" }, "kafkaUsersAllowedToDeleteTopics": { "description": "The list of KafkaUsers who may not declare a topic acl other than describe operations", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "status": { "x-kubernetes-preserve-unknown-fields": true } }, "type": "object" }