Package v1beta1

Version v1.127.0
Published: Dec 19, 2024 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

+kcc:proto=google.cloud.privilegedaccessmanager.v1

+kubebuilder:object:generate=true +groupName=privilegedaccessmanager.cnrm.cloud.google.com

Constants

This section is empty.

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "privilegedaccessmanager.cnrm.cloud.google.com", Version: "v1beta1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
var PrivilegedAccessManagerEntitlementGVK = GroupVersion.WithKind("PrivilegedAccessManagerEntitlement")

Functions

This section is empty.

Types

type AccessControlEntry

type AccessControlEntry struct {
	// Optional. Users who are allowed for the operation. Each entry should be a
	// valid v1 IAM principal identifier. The format for these is documented at:
	// https://cloud.google.com/iam/docs/principal-identifiers#v1
	// +required
	Principals []string `json:"principals,omitempty"`
}

AccessControlEntry is used to control who can do some operation. +kcc:proto=google.cloud.privilegedaccessmanager.v1.AccessControlEntry

func (*AccessControlEntry) DeepCopy

func (in *AccessControlEntry) DeepCopy() *AccessControlEntry

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessControlEntry.

func (*AccessControlEntry) DeepCopyInto

func (in *AccessControlEntry) DeepCopyInto(out *AccessControlEntry)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AdditionalNotificationTargets

type AdditionalNotificationTargets struct {
	// Optional. Additional email addresses to be notified when a principal
	// (requester) is granted access.
	// +optional
	AdminEmailRecipients []string `json:"adminEmailRecipients,omitempty"`

	// Optional. Additional email address to be notified about an eligible
	// entitlement.
	// +optional
	RequesterEmailRecipients []string `json:"requesterEmailRecipients,omitempty"`
}

AdditionalNotificationTargets includes email addresses to be notified. +kcc:proto=google.cloud.privilegedaccessmanager.v1.Entitlement.AdditionalNotificationTargets

func (*AdditionalNotificationTargets) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalNotificationTargets.

func (*AdditionalNotificationTargets) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ApprovalWorkflow

type ApprovalWorkflow struct {
	// An approval workflow where users designated as approvers review and act
	// on the grants.
	// +required
	ManualApprovals *ManualApprovals `json:"manualApprovals,omitempty"`
}

ApprovalWorkflow represents different types of approval workflows that can be used to gate privileged access granting. +kcc:proto=google.cloud.privilegedaccessmanager.v1.ApprovalWorkflow

func (*ApprovalWorkflow) DeepCopy

func (in *ApprovalWorkflow) DeepCopy() *ApprovalWorkflow

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApprovalWorkflow.

func (*ApprovalWorkflow) DeepCopyInto

func (in *ApprovalWorkflow) DeepCopyInto(out *ApprovalWorkflow)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type GcpIamAccess

type GcpIamAccess struct {

	// Required. Role bindings that are created on successful grant.
	// +required
	RoleBindings []RoleBinding `json:"roleBindings,omitempty"`
}

GcpIamAccess represents IAM based access control on a Google Cloud resource. Refer to https://cloud.google.com/iam/docs to understand more about IAM. +kcc:proto=google.cloud.privilegedaccessmanager.v1.PrivilegedAccess.GcpIamAccess

func (*GcpIamAccess) DeepCopy

func (in *GcpIamAccess) DeepCopy() *GcpIamAccess

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GcpIamAccess.

func (*GcpIamAccess) DeepCopyInto

func (in *GcpIamAccess) DeepCopyInto(out *GcpIamAccess)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ManualApprovals

type ManualApprovals struct {
	// Optional. Whether the approvers need to provide a justification for their
	// actions.
	// +optional
	RequireApproverJustification *bool `json:"requireApproverJustification,omitempty"`

	// Optional. List of approval steps in this workflow. These steps are followed
	// in the specified order sequentially. Only 1 step is supported.
	// +optional
	Steps []Step `json:"steps,omitempty"`
}

ManualApprovals represent the manual approval workflow where users who are designated as approvers need to call the 'ApproveGrant'/'DenyGrant' APIs for a grant. The workflow can consist of multiple serial steps where each step defines who can act as the approver in that step and how many of those users should approve before the workflow moves to the next step.

This can be used to create approval workflows such as:

* Require an approval from any user in a group G.
* Require an approval from any k number of users from a Group G.
* Require an approval from any user in a group G and then from a user U.

A single user might be part of the 'approvers' ACL for multiple steps in this workflow, but they can only approve once and that approval is only considered to satisfy the approval step at which it was granted. +kcc:proto=google.cloud.privilegedaccessmanager.v1.ManualApprovals

func (*ManualApprovals) DeepCopy

func (in *ManualApprovals) DeepCopy() *ManualApprovals

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManualApprovals.

func (*ManualApprovals) DeepCopyInto

func (in *ManualApprovals) DeepCopyInto(out *ManualApprovals)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PrivilegedAccess

type PrivilegedAccess struct {
	// Access to a Google Cloud resource through IAM.
	// +required
	GcpIAMAccess *GcpIamAccess `json:"gcpIAMAccess,omitempty"`
}

Privileged access that this service can be used to gate. +kcc:proto=google.cloud.privilegedaccessmanager.v1.PrivilegedAccess

func (*PrivilegedAccess) DeepCopy

func (in *PrivilegedAccess) DeepCopy() *PrivilegedAccess

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivilegedAccess.

func (*PrivilegedAccess) DeepCopyInto

func (in *PrivilegedAccess) DeepCopyInto(out *PrivilegedAccess)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PrivilegedAccessManagerEntitlement

type PrivilegedAccessManagerEntitlement struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   PrivilegedAccessManagerEntitlementSpec   `json:"spec,omitempty"`
	Status PrivilegedAccessManagerEntitlementStatus `json:"status,omitempty"`
}

PrivilegedAccessManagerEntitlement is the Schema for the PrivilegedAccessManagerEntitlement API. +k8s:openapi-gen=true +kubebuilder:storageversion

func (*PrivilegedAccessManagerEntitlement) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivilegedAccessManagerEntitlement.

func (*PrivilegedAccessManagerEntitlement) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PrivilegedAccessManagerEntitlement) DeepCopyObject

func (in *PrivilegedAccessManagerEntitlement) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PrivilegedAccessManagerEntitlementList

type PrivilegedAccessManagerEntitlementList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []PrivilegedAccessManagerEntitlement `json:"items"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object PrivilegedAccessManagerEntitlementList contains a list of PrivilegedAccessManagerEntitlement.

func (*PrivilegedAccessManagerEntitlementList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivilegedAccessManagerEntitlementList.

func (*PrivilegedAccessManagerEntitlementList) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PrivilegedAccessManagerEntitlementList) DeepCopyObject

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PrivilegedAccessManagerEntitlementObservedState

type PrivilegedAccessManagerEntitlementObservedState struct {
	// Output only. Create time stamp.
	// +optional
	CreateTime *string `json:"createTime,omitempty"`

	// Output only. Update time stamp.
	// +optional
	UpdateTime *string `json:"updateTime,omitempty"`

	// Output only. Current state of this entitlement.
	// +optional
	State *string `json:"state,omitempty"`

	// An 'etag' is used for optimistic concurrency control as a way to prevent
	// simultaneous updates to the same entitlement. An 'etag' is returned in the
	// response to 'GetEntitlement' and the caller should put the 'etag' in the
	// request to 'UpdateEntitlement' so that their change is applied on
	// the same version. If this field is omitted or if there is a mismatch while
	// updating an entitlement, then the server rejects the request.
	// +optional
	Etag *string `json:"etag,omitempty"`
}

PrivilegedAccessManagerEntitlementObservedState holds the state of the PrivilegedAccessManagerEntitlement as most recently observed in GCP. +kcc:proto=google.privilegedaccessmanager.v1.Entitlement

func (*PrivilegedAccessManagerEntitlementObservedState) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivilegedAccessManagerEntitlementObservedState.

func (*PrivilegedAccessManagerEntitlementObservedState) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PrivilegedAccessManagerEntitlementSpec

type PrivilegedAccessManagerEntitlementSpec struct {
	// Immutable. The Project that this resource belongs to.
	// One and only one of 'projectRef', 'folderRef', or 'organizationRef' must
	// be set.
	// +optional
	ProjectRef *refs.ProjectRef `json:"projectRef,omitempty"`

	// Immutable. The Folder that this resource belongs to.
	// One and only one of 'projectRef', 'folderRef', or 'organizationRef' must
	// be set.
	// +optional
	FolderRef *refs.FolderRef `json:"folderRef,omitempty"`

	// Immutable. The Organization that this resource belongs to.
	// One and only one of 'projectRef', 'folderRef', or 'organizationRef' must
	// be set.
	// +optional
	OrganizationRef *refs.OrganizationRef `json:"organizationRef,omitempty"`

	// Immutable. Location of the resource.
	// +required
	Location *string `json:"location"`

	// Immutable.
	// The PrivilegedAccessManagerEntitlement name. If not given, the
	// 'metadata.name' will be used.
	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="ResourceID field is immutable"
	// +optional
	ResourceID *string `json:"resourceID,omitempty"`

	// Who can create grants using this entitlement. This list should
	// contain at most one entry.
	// +required
	EligibleUsers []AccessControlEntry `json:"eligibleUsers,omitempty"`

	// Optional. The approvals needed before access is granted to a requester.
	// No approvals are needed if this field is null.
	// +optional
	ApprovalWorkflow *ApprovalWorkflow `json:"approvalWorkflow,omitempty"`

	// Required. The maximum amount of time that access is granted for a request.
	// A requester can ask for a duration less than this, but never more.
	// +required
	MaxRequestDuration *string `json:"maxRequestDuration,omitempty"`

	// The access granted to a requester on successful approval.
	// +required
	PrivilegedAccess *PrivilegedAccess `json:"privilegedAccess,omitempty"`

	// Required. The manner in which the requester should provide a justification
	// for requesting access.
	// +required
	RequesterJustificationConfig *RequesterJustificationConfig `json:"requesterJustificationConfig,omitempty"`

	// Optional. Additional email addresses to be notified based on actions taken.
	// +optional
	AdditionalNotificationTargets *AdditionalNotificationTargets `json:"additionalNotificationTargets,omitempty"`
}

PrivilegedAccessManagerEntitlementSpec defines the desired state of PrivilegedAccessManagerEntitlement. +kcc:proto=google.cloud.privilegedaccessmanager.v1.Entitlement

func (*PrivilegedAccessManagerEntitlementSpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivilegedAccessManagerEntitlementSpec.

func (*PrivilegedAccessManagerEntitlementSpec) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PrivilegedAccessManagerEntitlementStatus

type PrivilegedAccessManagerEntitlementStatus struct {
	/* Conditions represent the latest available observations of the
	   object's current state. */
	Conditions []v1alpha1.Condition `json:"conditions,omitempty"`

	// ObservedGeneration is the generation of the resource that was most
	// recently observed by the Config Connector controller. If this is equal to
	// 'metadata.generation', then that means that the current reported status
	// reflects the most recent desired state of the resource.
	ObservedGeneration *int64 `json:"observedGeneration,omitempty"`

	// A unique specifier for the PrivilegedAccessManagerEntitlement resource in
	// GCP.
	ExternalRef *string `json:"externalRef,omitempty"`

	// ObservedState is the state of the resource as most recently observed in
	// GCP.
	// +optional
	ObservedState *PrivilegedAccessManagerEntitlementObservedState `json:"observedState,omitempty"`
}

PrivilegedAccessManagerEntitlementStatus defines the config connector machine state of PrivilegedAccessManagerEntitlement.

func (*PrivilegedAccessManagerEntitlementStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivilegedAccessManagerEntitlementStatus.

func (*PrivilegedAccessManagerEntitlementStatus) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RequesterJustificationConfig

type RequesterJustificationConfig struct {
	// NotMandatory justification type means the justification isn't required
	// and can be provided in any of the supported formats. The user must
	// explicitly opt out using this field if a justification from the requester
	// isn't mandatory.
	// The only accepted value is `{}` (empty struct).
	// Either 'notMandatory' or 'unstructured' field must be set.
	// +optional
	NotMandatory *runtime.RawExtension `json:"notMandatory,omitempty"`

	// Unstructured justification type means the justification is in the format
	// of a string. If this is set, the server allows the requester to provide a
	// justification but doesn't validate it.
	// The only accepted value is `{}` (empty struct).
	// Either 'notMandatory' or 'unstructured' field must be set.
	// +optional
	Unstructured *runtime.RawExtension `json:"unstructured,omitempty"`
}

RequesterJustificationConfig defines how a requester must provide a justification when requesting access. +kcc:proto=google.cloud.privilegedaccessmanager.v1.Entitlement.RequesterJustificationConfig

func (*RequesterJustificationConfig) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequesterJustificationConfig.

func (*RequesterJustificationConfig) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RoleBinding

type RoleBinding struct {
	// Required. IAM role to be granted. More details can be found at
	// https://cloud.google.com/iam/docs/roles-overview.
	// +required
	Role *string `json:"role,omitempty"`

	// Optional. The expression field of the IAM condition to be associated
	// with the role. If specified, a user with an active grant for this
	// entitlement is able to access the resource only if this condition
	// evaluates to true for their request.
	//
	// This field uses the same CEL format as IAM and supports all attributes
	// that IAM supports, except tags. More details can be found at
	// https://cloud.google.com/iam/docs/conditions-overview#attributes.
	// +optional
	ConditionExpression *string `json:"conditionExpression,omitempty"`
}

RoleBinding represents IAM role bindings that are created after a successful grant. +kcc:proto=google.cloud.privilegedaccessmanager.v1.PrivilegedAccess.GcpIamAccess.RoleBinding

func (*RoleBinding) DeepCopy

func (in *RoleBinding) DeepCopy() *RoleBinding

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleBinding.

func (*RoleBinding) DeepCopyInto

func (in *RoleBinding) DeepCopyInto(out *RoleBinding)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Step

type Step struct {
	// Optional. The potential set of approvers in this step. This list must
	// contain at most one entry.
	// +optional
	Approvers []AccessControlEntry `json:"approvers,omitempty"`

	// Required. How many users from the above list need to approve. If there
	// aren't enough distinct users in the list, then the workflow indefinitely
	// blocks. Should always be greater than 0. 1 is the only supported value.
	// +required
	ApprovalsNeeded *int32 `json:"approvalsNeeded,omitempty"`

	// Optional. Additional email addresses to be notified when a grant is
	// pending approval.
	// +optional
	ApproverEmailRecipients []string `json:"approverEmailRecipients,omitempty"`
}

Step represents a logical step in a manual approval workflow. +kcc:proto=google.cloud.privilegedaccessmanager.v1.ManualApprovals.Step

func (*Step) DeepCopy

func (in *Step) DeepCopy() *Step

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Step.

func (*Step) DeepCopyInto

func (in *Step) DeepCopyInto(out *Step)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
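The doc comments on PrivilegedAccessManagerEntitlementSpec, ManualApprovals, Step, RequesterJustificationConfig and RoleBinding above state the constraints an entitlement manifest has to satisfy and which settings switch a gating control off (a null approvalWorkflow means no approvals; notMandatory means no justification). As an added example that is not part of the Config Connector package documented here, the Go program below mirrors a subset of those fields with local types (the type names shadow the package's for readability but are constructed here) and reviews a JSON spec against those statements; `Review`, `note` and the `sampleSpec` manifest are likewise constructed for this example.

```go
package main
import "encoding/json"
// Local mirrors of the v1beta1 spec types, constructed for this example and reduced to the fields reviewed below.
type Step struct{ ApprovalsNeeded *int32 `json:"approvalsNeeded,omitempty"` }
type ManualApprovals struct{ Steps []Step `json:"steps,omitempty"` }
type ApprovalWorkflow struct{ ManualApprovals *ManualApprovals `json:"manualApprovals,omitempty"` }
type RoleBinding struct {
	Role                string  `json:"role,omitempty"`
	ConditionExpression *string `json:"conditionExpression,omitempty"`
}
type GcpIamAccess struct{ RoleBindings []RoleBinding `json:"roleBindings,omitempty"` }
type PrivilegedAccess struct{ GcpIAMAccess *GcpIamAccess `json:"gcpIAMAccess,omitempty"` }
type RequesterJustificationConfig struct {
	NotMandatory json.RawMessage `json:"notMandatory,omitempty"` // only {} is accepted, so presence is all that matters
	Unstructured json.RawMessage `json:"unstructured,omitempty"`
}
type EntitlementSpec struct {
	ApprovalWorkflow             *ApprovalWorkflow             `json:"approvalWorkflow,omitempty"`
	PrivilegedAccess             *PrivilegedAccess             `json:"privilegedAccess,omitempty"`
	RequesterJustificationConfig *RequesterJustificationConfig `json:"requesterJustificationConfig,omitempty"`
}
// Constructed sample manifest: approvals switched off, justification opted out, one unconditional binding.
const sampleSpec = `{"approvalWorkflow":null,"requesterJustificationConfig":{"notMandatory":{}},
"privilegedAccess":{"gcpIAMAccess":{"roleBindings":[{"role":"roles/owner"}]}}}`
// Review parses a spec and returns one finding per documented constraint it breaks or gating control it turns off.
func Review(data []byte) (findings []string, err error) {
	var s EntitlementSpec
	if err = json.Unmarshal(data, &s); err != nil {
		return nil, err
	}
	note := func(cond bool, msg string) {
		if cond {
			findings = append(findings, msg)
		}
	}
	note(s.ApprovalWorkflow == nil, "approvalWorkflow is null: no approvals are needed before access is granted")
	if w := s.ApprovalWorkflow; w != nil && w.ManualApprovals != nil {
		note(len(w.ManualApprovals.Steps) > 1, "manualApprovals.steps: only 1 step is supported")
		for _, st := range w.ManualApprovals.Steps {
			note(st.ApprovalsNeeded == nil || *st.ApprovalsNeeded != 1, "step.approvalsNeeded is required and 1 is the only supported value")
		}
	}
	j := s.RequesterJustificationConfig
	note(j == nil || (len(j.NotMandatory) > 0) == (len(j.Unstructured) > 0), "requesterJustificationConfig: either notMandatory or unstructured must be set, not both")
	note(j != nil && len(j.NotMandatory) > 0, "notMandatory is set: requesters are not required to justify access")
	if pa := s.PrivilegedAccess; pa != nil && pa.GcpIAMAccess != nil {
		for _, rb := range pa.GcpIAMAccess.RoleBindings {
			note(rb.ConditionExpression == nil, "role "+rb.Role+" is granted without a conditionExpression")
		}
	}
	return findings, nil
}
```

Feeding `sampleSpec` to `Review` yields three findings (approvals off, justification opted out, unconditional binding), while a spec with one step of `approvalsNeeded: 1`, `unstructured: {}` and a conditioned binding yields none.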
