Space API

The Space API describes the types and parameters for the core Space components.

Kind
Group/Version
admin.spaces.upbound.io/v1alpha1
admin.spaces.upbound.io/v1alpha1
SpaceBackupConfig defines the configuration to backup a Space.
A SpaceBackupConfigSpec represents the configuration to backup or restore a Space.
ObjectStorage specifies the object storage configuration for the given provider.
Bucket is the name of the bucket to store backups in.
Config is a free-form map of configuration options for the object storage provider. See https://github.com/thanos-io/objstore?tab=readme-ov-file for more information on the formats for each supported cloud provider. Bucket and Provider will override the required values in the config.
Credentials specifies the credentials to access the object storage.
Env is a reference to an environment variable that contains credentials that must be used to connect to the provider.
Name is the name of an environment variable.
Fs is a reference to a filesystem location that contains credentials that must be used to connect to the provider.
Path is a filesystem path.
A SecretRef is a reference to a secret key that contains the credentials that must be used to connect to the provider.
Default: credentials
The key to select.
Name of the secret.
Namespace of the secret.
Source of the credentials. Source ‘Secret’ requires ‘get’ permissions on the referenced Secret.
Prefix is the prefix to use for all backups using this SharedBackupConfig, e.g. ‘prod/cluster1’, resulting in backups for controlplane ‘ctp1’ in namespace ’ns1’ being stored in ‘prod/cluster1/ns1/ctp1’.
Provider is the name of the object storage provider.
admin.spaces.upbound.io/v1alpha1
admin.spaces.upbound.io/v1alpha1
SpaceBackup represents a single backup of a ControlPlane.
SpaceBackupSpec defines a backup over a set of Match
ConfigRef is a reference to the backup configuration. ApiGroup is optional and defaults to ‘spaces.upbound.io’. Kind is required, and the only supported value is ‘SharedBackupConfig’ at the moment. Name is required.
APIGroup is the group for the resource being referenced.
Kind is the type of resource being referenced.
Name is the name of resource being referenced.
ControlPlaneBackups is the definition of the control plane backups,
ExcludedResources is a slice of resource names that are not included in the backup. Used to filter the included extra resources.
Default: Orphan
DeletionPolicy is the policy for the backup.
Exclude is the selector for resources that should be excluded from the backup. If both Match and Exclude are specified, the Exclude selector will be applied after the Match selector. By default, only SpaceBackups are excluded.
ControlPlanes specifies the control planes selected. A control plane is matched if any of the control plane selectors matches, if not specified any control plane in the selected groups is matched.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Extras specifies the extra resources selected.
APIGroup is the group of the resource.
Kind is the kind of the resource.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Groups specifies the groups selected. A group is matched if any of the group selectors matches, if not specified any group is matched. Group selector is ANDed with all other selectors, so no resource in a group not matching the group selector will be included in the backup.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Spaces specifies the spaces selected.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.

Match is the selector for resources that should be included in the backup. By default, we’ll back up all Groups and for each Group:

  • All ControlPlanes.
  • All Secrets.
  • All other Space API resources, e.g. SharedBackupConfigs, SharedUpboundPolicies, Backups, etc…
ControlPlanes specifies the control planes selected. A control plane is matched if any of the control plane selectors matches, if not specified any control plane in the selected groups is matched.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Extras specifies the extra resources selected.
APIGroup is the group of the resource.
Kind is the kind of the resource.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Groups specifies the groups selected. A group is matched if any of the group selectors matches, if not specified any group is matched. Group selector is ANDed with all other selectors, so no resource in a group not matching the group selector will be included in the backup.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Spaces specifies the spaces selected.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
TTL is the time to live for the backup. After this time, the backup will be eligible for garbage collection. If not set, the backup will not be garbage collected.
SpaceBackupStatus represents the observed state of a Backup.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to error it can not recover from without human intervention.
Default: Pending
Phase is the current phase of the backup.
Retries is the number of times the backup has been retried.
admin.spaces.upbound.io/v1alpha1
admin.spaces.upbound.io/v1alpha1
SpaceBackupSchedule represents a single ControlPlane schedule for Backups.
SpaceBackupScheduleSpec defines a space backup schedule.
ConfigRef is a reference to the backup configuration. ApiGroup is optional and defaults to ‘spaces.upbound.io’. Kind is required, and the only supported value is ‘SharedBackupConfig’ at the moment. Name is required.
APIGroup is the group for the resource being referenced.
Kind is the type of resource being referenced.
Name is the name of resource being referenced.
ControlPlaneBackups is the definition of the control plane backups,
ExcludedResources is a slice of resource names that are not included in the backup. Used to filter the included extra resources.
Default: Orphan
DeletionPolicy is the policy for the backup.
Exclude is the selector for resources that should be excluded from the backup. If both Match and Exclude are specified, the Exclude selector will be applied after the Match selector. By default, only SpaceBackups are excluded.
ControlPlanes specifies the control planes selected. A control plane is matched if any of the control plane selectors matches, if not specified any control plane in the selected groups is matched.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Extras specifies the extra resources selected.
APIGroup is the group of the resource.
Kind is the kind of the resource.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Groups specifies the groups selected. A group is matched if any of the group selectors matches, if not specified any group is matched. Group selector is ANDed with all other selectors, so no resource in a group not matching the group selector will be included in the backup.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Spaces specifies the spaces selected.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.

Match is the selector for resources that should be included in the backup. By default, we’ll back up all Groups and for each Group:

  • All ControlPlanes.
  • All Secrets.
  • All other Space API resources, e.g. SharedBackupConfigs, SharedUpboundPolicies, Backups, etc…
ControlPlanes specifies the control planes selected. A control plane is matched if any of the control plane selectors matches, if not specified any control plane in the selected groups is matched.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Extras specifies the extra resources selected.
APIGroup is the group of the resource.
Kind is the kind of the resource.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Groups specifies the groups selected. A group is matched if any of the group selectors matches, if not specified any group is matched. Group selector is ANDed with all other selectors, so no resource in a group not matching the group selector will be included in the backup.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Spaces specifies the spaces selected.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
Schedule in Cron format, see https://en.wikipedia.org/wiki/Cron.
Suspend specifies whether the schedule is suspended. If true, no SpaceBackups will be created, but running backups will be allowed to complete.
TTL is the time to live for the backup. After this time, the backup will be eligible for garbage collection. If not set, the backup will not be garbage collected.
UseOwnerReferencesBackup specifies whether an ownership chain should be established between this resource and the Backup it creates. If set to true, the Backup will be garbage collected when this resource is deleted.
SpaceBackupScheduleStatus represents the observed state of a SpaceBackupSchedule.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
LastBackup is the last time a Backup was run for this Schedule schedule
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to error it can not recover from without human intervention.
authorization.spaces.upbound.io/v1alpha1
authorization.spaces.upbound.io/v1alpha1
A ObjectRoleBinding binds a namespaced API object to a set of subjects, at varying access levels. For now, there can be at most one ObjectRoleBinding pointing to each API object.
ObjectRoleBindingSpec is ObjectRoleBinding’s spec.
Object references the object to which the listed subjects should have access at varying levels. The object value is immutable after creation.
APIGroup defines the apiGroup of the object being pointed to. With some minor differences, this is essentially matched as a DNS subdomain, like how Kubernetes validates it. The Kubernetes legacy core group is denoted as ‘core’.
Name points to the .metadata.name of the object targeted. Kubernetes validates this as a DNS 1123 subdomain.
Resource defines the resource type (often kind in plural, e.g. controlplanes) being pointed to. With some minor differences, this is essentially matched as a DNS label, like how Kubernetes validates it.
Subjects should be a map type with both kind+name as a key
Kind of subject being referenced. Values defined by this API group are for now only ‘UpboundTeam’.
Name (identifier) of the subject (of the specified kind) being referenced. The identifier must be 2-100 chars, [a-zA-Z0-9-], no repeating dashes, can’t start/end with a dash. Notably, a UUID fits that format.
Role this subject has on the associated Object. The list of valid roles is defined for each target API resource separately. For namespaces, valid values are ‘viewer’, ’editor’, and ‘admin’. The format of this is essentially a RFC 1035 label with underscores instead of dashes, minimum three characters long.
ObjectRoleBindingStatus is RoleBindings’ status.
observability.spaces.upbound.io/v1alpha1
observability.spaces.upbound.io/v1alpha1
SharedTelemetryConfig defines a telemetry configuration over a set of ControlPlanes.
SharedTelemetryConfigSpec defines a telemetry configuration over a set of ControlPlanes.
ControlPlaneSelector defines the selector for ControlPlanes on which to configure telemetry.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
ExportPipeline defines the telemetry exporter pipeline to configure on the selected ControlPlanes.
Metrics defines the metrics exporter pipeline to configure on the selected ControlPlanes. The value has to be present in the spec.exporters field.
Traces defines the traces exporter pipeline to configure on the selected ControlPlanes. The value has to be present in the spec.exporters field.
Exporters defines the exporters to configure on the selected ControlPlanes. Untyped as we use the underlying OpenTelemetryOperator to configure the OpenTelemetry collector’s exporters. Use the OpenTelemetry Collector documentation to configure the exporters. Currently only supported exporters are push based exporters.
SharedTelemetryConfigStatus represents the observed state of a SharedTelemetryConfig.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
list of provisioning failures.
Conditions of the resource.
LastTransitionTime is the last time this condition transitioned from one status to another.
A Message containing details about this condition’s last transition from one status to another, if any.
ObservedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
A Reason for this condition’s last transition from one status to another.
Status of this condition; is it currently True, False, or Unknown?
Type of this condition. At most one of each condition type may apply to a resource at any point in time.
ControlPlane name where the failure occurred.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to error it can not recover from without human intervention.
ObservedGeneration is the latest metadata.generation which resulted in either a ready state, or stalled due to error it can not recover from without human intervention.
List of successfully provisioned targets.
SelectedControlPlanes represents the names of the selected ControlPlanes.
policy.spaces.upbound.io/v1alpha1
policy.spaces.upbound.io/v1alpha1
SharedUpboundPolicy specifies a shared Kyverno policy projected into the specified ControlPlanes of the same namespace as SharedUpboundPolicy.
SharedUpboundPolicySpec defines the desired state of SharedUpboundPolicy.
Default: true
Admission controls if rules are applied during admission. Optional. Default value is ’true'.
ApplyRules controls how rules in a policy are applied. Rule are processed in the order of declaration. When set to One processing stops after a rule has been applied i.e. the rule matches and results in a pass, fail, or error. When set to All all rules in the policy are processed. The default is All.
Default: true
Background controls if rules are applied to existing resources during a background scan. Optional. Default value is ’true’. The value must be set to ‘false’ if the policy rule uses variables that are only available in the admission review request (e.g. user name).
The policy is projected only to control planes matching the provided selector. Either names or a labelSelector must be specified.
A resource is matched if any of the label selector matches. In case when the list is empty, resource is matched too.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
A resource is selected if its metadata.name matches any of the provided names. In case when the list is empty, resource is matched too.
FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. Rules within the same policy share the same failure behavior. This field should not be accessed directly, instead GetFailurePolicy() should be used. Allowed values are Ignore or Fail. Defaults to Fail.
GenerateExisting controls whether to trigger generate rule in existing resources If is set to ’true’ generate rule will be triggered and applied to existing matched resources. Defaults to ‘false’ if not specified.
Deprecated, use generateExisting instead
MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. Default value is ‘false’.
The metadata of the policy to be created.
Annotations that are set on projected resource.
Labels that are set on projected resource.
PolicyName is the name to use when creating policy within a control plane. optional, if not set, SharedUpboundPolicy name will be used. When set, it is immutable.
Rules is a list of Rule instances. A Policy contains multiple rules and each rule can validate, mutate, or generate resources.
CELPreconditions are used to determine if a policy rule should be applied by evaluating a set of CEL conditions. It can only be used with the validate.cel subrule

Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:

‘object’ - The object from the incoming request. The value is null for DELETE requests. ‘oldObject’ - The existing object. The value is null for CREATE requests. ‘request’ - Attributes of the admission request(https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/admission#AdmissionRequest). ‘authorizer’ - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz ‘authorizer.requestResource’ - A CEL ResourceCheck constructed from the ‘authorizer’ and configured with the request resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/

Required.

Name is an identifier for this match condition, used for strategic merging of MatchConditions, as well as providing an identifier for logging purposes. A good name should be descriptive of the associated expression. Name must be a qualified name consisting of alphanumeric characters, ‘-’, ‘’ or ‘.’, and must start and end with an alphanumeric character (e.g. ‘MyName’, or ‘my.name’, or ‘123-abc’, regex used for validation is ‘([A-Za-z0-9][-A-Za-z0-9.]*)?[A-Za-z0-9]’) with an optional DNS subdomain prefix and ‘/’ (e.g. ’example.com/MyName’)

Required.

Context defines variables and data sources that can be used during rule execution.
APICall is an HTTP request to the Kubernetes API server, or other JSON web service. The data returned is stored in the context with the name for the context entry.
Data specifies the POST data sent to the server.
Key is a unique identifier for the data value
Value is the data value
JMESPath is an optional JSON Match Expression that can be used to transform the JSON response returned from the server. For example a JMESPath of ‘items | length(@)’ applied to the API server response for the URLPath ‘/apis/apps/v1/deployments’ will return the total count of deployments across all namespaces.
Default: GET
Method is the HTTP request type (GET or POST).
Service is an API call to a JSON web service
CABundle is a PEM encoded CA bundle which will be used to validate the server certificate.
URL is the JSON web service URL. A typical form is https://{service}.{namespace}:{port}/{path}.
URLPath is the URL path to be used in the HTTP GET or POST request to the Kubernetes API server (e.g. ‘/api/v1/namespaces’ or ‘/apis/apps/v1/deployments’). The format required is the same format used by the kubectl get --raw command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details.
ConfigMap is the ConfigMap reference.
Name is the ConfigMap name.
Namespace is the ConfigMap namespace.
ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details.
ImageRegistryCredentials provides credentials that will be used for authentication with registry
AllowInsecureRegistry allows insecure access to a registry.
Providers specifies a list of OCI Registry names, whose authentication providers are provided. It can be of one of these values: default,google,azure,amazon,github.
Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace.
JMESPath is an optional JSON Match Expression that can be used to transform the ImageData struct returned as a result of processing the image reference.
Reference is image reference to a container image in the registry. Example: ghcr.io/kyverno/kyverno:latest
Name is the variable name.
Variable defines an arbitrary JMESPath context variable that can be defined inline.
Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil
JMESPath is an optional JMESPath Expression that can be used to transform the variable.
Value is any arbitrary JSON object representable in YAML or JSON form.
ExcludeResources defines when this policy rule should not be applied. The exclude criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the name or role.
All allows specifying resources which will be ANDed
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (matches at least one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character).Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespaces names. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ’’ for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognized the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespace, such as ‘User’ or ‘Group’, and this value is not empty the Authorizer should report an error.
Any allows specifying resources which will be ORed
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (matches at least one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character).Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespaces names. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ’’ for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognized the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespace, such as ‘User’ or ‘Group’, and this value is not empty the Authorizer should report an error.
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified. Requires at least one tag to be specified when under MatchResources. Specifying ResourceDescription directly under match is being deprecated. Please specify under ‘any’ or ‘all’ instead.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (matches at least one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character).Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespaces names. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ’’ for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognized the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespace, such as ‘User’ or ‘Group’, and this value is not empty the Authorizer should report an error.
Generation is used to create new resources.
APIVersion specifies resource apiVersion.
Clone specifies the source resource used to populate each generated resource. At most one of Data or Clone can be specified. If neither are provided, the generated resource will be created with default data only.
Name specifies name of the resource.
Namespace specifies source resource namespace.
CloneList specifies the list of source resource used to populate each generated resource.
Kinds is a list of resource kinds.
Namespace specifies source resource namespace.
Selector is a label selector. Label keys and values in matchLabels. wildcard characters are not supported.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Data provides the resource declaration used to populate each generated resource. At most one of Data or Clone must be specified. If neither are provided, the generated resource will be created with default data only.
Kind specifies resource kind.
Name specifies the resource name.
Namespace specifies resource namespace.
Synchronize controls if generated resources should be kept in-sync with their source resource. If Synchronize is set to ’true’ changes to generated resources will be overwritten with resource data from Data or the resource specified in the Clone declaration. Optional. Defaults to ‘false’ if not specified.
UID specifies the resource uid.
ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. This config is only valid for verifyImages rules.
MatchResources defines when this policy rule should be applied. The match criteria can include resource information (e.g. kind, name, namespace, labels) and admission review request information like the user name or role. At least one kind is required.
All allows specifying resources which will be ANDed
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (matches at least one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character).Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespaces names. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ’’ for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognized the kind value, the Authorizer should report an error.
Name of the object being referenced.
Namespace of the referenced object. If the object kind is non-namespace, such as ‘User’ or ‘Group’, and this value is not empty the Authorizer should report an error.
Any allows specifying resources which will be ORed
ClusterRoles is the list of cluster-wide role names for the user.
ResourceDescription contains information about the resource being created or modified.
Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (matches at least one character).
Kinds is a list of resource kinds.
Name is the name of the resource. The name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character). NOTE: ‘Name’ is being deprecated in favor of ‘Names’.
Names are the names of the resources. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
NamespaceSelector is a label selector for the resource namespace. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character).Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Namespaces is a list of namespaces names. Each name supports wildcard characters ‘*’ (matches zero or many characters) and ‘?’ (at least one character).
Operations can contain values [‘CREATE, ‘UPDATE’, ‘CONNECT’, ‘DELETE’], which are used to match a specific action.
Selector is a label selector. Label keys and values in matchLabels support the wildcard characters * (matches zero or many characters) and ? (matches one character). Wildcards allows writing label selectors like [‘storage.k8s.io/’: ‘’]. Note that using [’’ : ‘’] matches any key and value but does not match an empty label set.
matchExpressions is a list of label selector requirements. The requirements are ANDed.
key is the label key that the selector applies to.
operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is ‘key’, the operator is ‘In’, and the values array contains only ‘value’. The requirements are ANDed.
Roles is the list of namespaced role names for the user.
Subjects is the list of subject names like users, user groups, and service accounts.
APIGroup holds the API group of the referenced subject. Defaults to ’’ for ServiceAccount subjects. Defaults to ‘rbac.authorization.k8s.io’ for User and Group subjects.
Kind of object being referenced. Values defined by this API group are ‘User’, ‘Group’, and ‘ServiceAccount’. If the Authorizer does not recognized the kind value, the Authorizer should report an error.