{ "description": "GlobalRole defines rules that can be applied to the local cluster and or every downstream cluster.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "builtin": { "description": "Builtin specifies that this GlobalRole was created by Rancher if true. Immutable.", "type": "boolean" }, "description": { "description": "Description holds text that describes the resource.", "type": "string" }, "displayName": { "description": "DisplayName is the human-readable name displayed in the UI for this resource.", "type": "string" }, "inheritedClusterRoles": { "description": "InheritedClusterRoles are the names of RoleTemplates whose permissions are granted by this GlobalRole in every\ncluster besides the local cluster. To grant permissions in the local cluster, use the Rules field.", "items": { "type": "string" }, "type": "array" }, "inheritedFleetWorkspacePermissions": { "description": "InheritedFleetWorkspacePermissions are the permissions granted by this GlobalRole in every fleet workspace besides\nthe local one.", "properties": { "resourceRules": { "description": "ResourceRules rules granted in all backing namespaces for all fleet workspaces besides the local one.", "items": { "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", "properties": { "apiGroups": { "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "nonResourceURLs": { "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resourceNames": { "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resources": { "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "verbs" ], "type": "object", "additionalProperties": false }, "type": "array" }, "workspaceVerbs": { "description": "WorkspaceVerbs verbs used to grant permissions to the cluster-wide fleetworkspace resources. ResourceNames for\nthis rule will contain all fleet workspace names except local.", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "namespacedRules": { "additionalProperties": { "items": { "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", "properties": { "apiGroups": { "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "nonResourceURLs": { "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resourceNames": { "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resources": { "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "verbs" ], "type": "object", "additionalProperties": false }, "type": "array" }, "description": "NamespacedRules are the rules that are active in each namespace of this GlobalRole.\nThese are applied to the local cluster only.\n* has no special meaning in the keys - these keys are read as raw strings\nand must exactly match with one existing namespace.", "type": "object" }, "newUserDefault": { "description": "NewUserDefault specifies that all new users created should be bound to this GlobalRole if true.", "type": "boolean" }, "rules": { "description": "Rules holds a list of PolicyRules that are applied to the local cluster only.", "items": { "description": "PolicyRule holds information that describes a policy rule, but does not contain information\nabout who the rule applies to or which namespace the rule applies to.", "properties": { "apiGroups": { "description": "APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of\nthe enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "nonResourceURLs": { "description": "NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path\nSince non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.\nRules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resourceNames": { "description": "ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "resources": { "description": "Resources is a list of resources this rule applies to. '*' represents all resources.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" }, "verbs": { "description": "Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "verbs" ], "type": "object", "additionalProperties": false }, "type": "array" }, "status": { "description": "Status is the most recently observed status of the GlobalRole.", "properties": { "conditions": { "description": "Conditions is a slice of Condition, indicating the status of specific backing RBAC objects.\nThere is one condition per ClusterRole and Role managed by the GlobalRole.", "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "lastUpdateTime": { "description": "LastUpdate is a k8s timestamp of the last time the status was updated.", "type": "string" }, "observedGeneration": { "description": "ObservedGeneration is the most recent generation (metadata.generation in GlobalRole CR)\nobserved by the controller. Populated by the system.", "format": "int64", "type": "integer" }, "summary": { "description": "Summary is a string. One of \"Complete\", \"InProgress\" or \"Error\".", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }