320 lines
18 KiB
YAML
Generated
320 lines
18 KiB
YAML
Generated
---
|
|
apiVersion: apiextensions.k8s.io/v1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: v0.8.0
|
|
creationTimestamp: null
|
|
name: activedirectoryidentityproviders.idp.supervisor.pinniped.dev
|
|
spec:
|
|
group: idp.supervisor.pinniped.dev
|
|
names:
|
|
categories:
|
|
- pinniped
|
|
- pinniped-idp
|
|
- pinniped-idps
|
|
kind: ActiveDirectoryIdentityProvider
|
|
listKind: ActiveDirectoryIdentityProviderList
|
|
plural: activedirectoryidentityproviders
|
|
singular: activedirectoryidentityprovider
|
|
scope: Namespaced
|
|
versions:
|
|
- additionalPrinterColumns:
|
|
- jsonPath: .spec.host
|
|
name: Host
|
|
type: string
|
|
- jsonPath: .status.phase
|
|
name: Status
|
|
type: string
|
|
- jsonPath: .metadata.creationTimestamp
|
|
name: Age
|
|
type: date
|
|
name: v1alpha1
|
|
schema:
|
|
openAPIV3Schema:
|
|
description: ActiveDirectoryIdentityProvider describes the configuration of
|
|
an upstream Microsoft Active Directory identity provider.
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: Spec for configuring the identity provider.
|
|
properties:
|
|
bind:
|
|
description: Bind contains the configuration for how to provide access
|
|
credentials during an initial bind to the ActiveDirectory server
|
|
to be allowed to perform searches and binds to validate a user's
|
|
credentials during a user's authentication attempt.
|
|
properties:
|
|
secretName:
|
|
description: SecretName contains the name of a namespace-local
|
|
Secret object that provides the username and password for an
|
|
Active Directory bind user. This account will be used to perform
|
|
LDAP searches. The Secret should be of type "kubernetes.io/basic-auth"
|
|
which includes "username" and "password" keys. The username
|
|
value should be the full dn (distinguished name) of your bind
|
|
account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
|
|
The password must be non-empty.
|
|
minLength: 1
|
|
type: string
|
|
required:
|
|
- secretName
|
|
type: object
|
|
groupSearch:
|
|
description: GroupSearch contains the configuration for searching
|
|
for a user's group membership in ActiveDirectory.
|
|
properties:
|
|
attributes:
|
|
description: Attributes specifies how the group's information
|
|
should be read from each ActiveDirectory entry which was found
|
|
as the result of the group search.
|
|
properties:
|
|
groupName:
|
|
description: GroupName specifies the name of the attribute
|
|
in the Active Directory entries whose value shall become
|
|
a group name in the user's list of groups after a successful
|
|
authentication. The value of this field is case-sensitive
|
|
and must match the case of the attribute name returned by
|
|
the ActiveDirectory server in the user's entry. E.g. "cn"
|
|
for common name. Distinguished names can be used by specifying
|
|
lower-case "dn". Optional. When not specified, this defaults
|
|
to a custom field that looks like "sAMAccountName@domain",
|
|
where domain is constructed from the domain components of
|
|
the group DN.
|
|
type: string
|
|
type: object
|
|
base:
|
|
description: Base is the dn (distinguished name) that should be
|
|
used as the search base when searching for groups. E.g. "ou=groups,dc=example,dc=com".
|
|
Optional, when not specified it will be based on the result
|
|
of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
|
|
The default behavior searches your entire domain for groups.
|
|
It may make sense to specify a subtree as a search base if you
|
|
wish to exclude some groups for security reasons or to make
|
|
searches faster.
|
|
type: string
|
|
filter:
|
|
description: Filter is the ActiveDirectory search filter which
|
|
should be applied when searching for groups for a user. The
|
|
pattern "{}" must occur in the filter at least once and will
|
|
be dynamically replaced by the value of an attribute of the
|
|
user entry found as a result of the user search. Which attribute's
|
|
value is used to replace the placeholder(s) depends on the value
|
|
of UserAttributeForFilter. E.g. "member={}" or "&(objectClass=groupOfNames)(member={})".
|
|
For more information about ActiveDirectory filters, see https://ldap.com/ldap-filters.
|
|
Note that the dn (distinguished name) is not an attribute of
|
|
an entry, so "dn={}" cannot be used. Optional. When not specified,
|
|
the default will act as if the filter were specified as "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
|
|
This searches nested groups by default. Note that nested group
|
|
search can be slow for some Active Directory servers. To disable
|
|
it, you can set the filter to "(&(objectClass=group)(member={})"
|
|
type: string
|
|
skipGroupRefresh:
|
|
description: "The user's group membership is refreshed as they
|
|
interact with the supervisor to obtain new credentials (as their
|
|
old credentials expire). This allows group membership changes
|
|
to be quickly reflected into Kubernetes clusters. Since group
|
|
membership is often used to bind authorization policies, it
|
|
is important to keep the groups observed in Kubernetes clusters
|
|
in-sync with the identity provider. \n In some environments,
|
|
frequent group membership queries may result in a significant
|
|
performance impact on the identity provider and/or the supervisor.
|
|
The best approach to handle performance impacts is to tweak
|
|
the group query to be more performant, for example by disabling
|
|
nested group search or by using a more targeted group search
|
|
base. \n If the group search query cannot be made performant
|
|
and you are willing to have group memberships remain static
|
|
for approximately a day, then set skipGroupRefresh to true.
|
|
\ This is an insecure configuration as authorization policies
|
|
that are bound to group membership will not notice if a user
|
|
has been removed from a particular group until their next login.
|
|
\n This is an experimental feature that may be removed or significantly
|
|
altered in the future. Consumers of this configuration should
|
|
carefully read all release notes before upgrading to ensure
|
|
that the meaning of this field has not changed."
|
|
type: boolean
|
|
userAttributeForFilter:
|
|
description: UserAttributeForFilter specifies which attribute's
|
|
value from the user entry found as a result of the user search
|
|
will be used to replace the "{}" placeholder(s) in the group
|
|
search Filter. For example, specifying "uid" as the UserAttributeForFilter
|
|
while specifying "&(objectClass=posixGroup)(memberUid={})" as
|
|
the Filter would search for groups by replacing the "{}" placeholder
|
|
in the Filter with the value of the user's "uid" attribute.
|
|
Optional. When not specified, the default will act as if "dn"
|
|
were specified. For example, leaving UserAttributeForFilter
|
|
unspecified while specifying "&(objectClass=groupOfNames)(member={})"
|
|
as the Filter would search for groups by replacing the "{}"
|
|
placeholder(s) with the dn (distinguished name) of the user.
|
|
type: string
|
|
type: object
|
|
host:
|
|
description: 'Host is the hostname of this Active Directory identity
|
|
provider, i.e., where to connect. For example: ldap.example.com:636.'
|
|
minLength: 1
|
|
type: string
|
|
tls:
|
|
description: TLS contains the connection settings for how to establish
|
|
the connection to the Host.
|
|
properties:
|
|
certificateAuthorityData:
|
|
description: X.509 Certificate Authority (base64-encoded PEM bundle).
|
|
If omitted, a default set of system roots will be trusted.
|
|
type: string
|
|
type: object
|
|
userSearch:
|
|
description: UserSearch contains the configuration for searching for
|
|
a user by name in Active Directory.
|
|
properties:
|
|
attributes:
|
|
description: Attributes specifies how the user's information should
|
|
be read from the ActiveDirectory entry which was found as the
|
|
result of the user search.
|
|
properties:
|
|
uid:
|
|
description: UID specifies the name of the attribute in the
|
|
ActiveDirectory entry which whose value shall be used to
|
|
uniquely identify the user within this ActiveDirectory provider
|
|
after a successful authentication. Optional, when empty
|
|
this defaults to "objectGUID".
|
|
type: string
|
|
username:
|
|
description: Username specifies the name of the attribute
|
|
in Active Directory entry whose value shall become the username
|
|
of the user after a successful authentication. Optional,
|
|
when empty this defaults to "userPrincipalName".
|
|
type: string
|
|
type: object
|
|
base:
|
|
description: Base is the dn (distinguished name) that should be
|
|
used as the search base when searching for users. E.g. "ou=users,dc=example,dc=com".
|
|
Optional, when not specified it will be based on the result
|
|
of a query for the defaultNamingContext (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
|
|
The default behavior searches your entire domain for users.
|
|
It may make sense to specify a subtree as a search base if you
|
|
wish to exclude some users or to make searches faster.
|
|
type: string
|
|
filter:
|
|
description: Filter is the search filter which should be applied
|
|
when searching for users. The pattern "{}" must occur in the
|
|
filter at least once and will be dynamically replaced by the
|
|
username for which the search is being run. E.g. "mail={}" or
|
|
"&(objectClass=person)(uid={})". For more information about
|
|
LDAP filters, see https://ldap.com/ldap-filters. Note that the
|
|
dn (distinguished name) is not an attribute of an entry, so
|
|
"dn={}" cannot be used. Optional. When not specified, the default
|
|
will be '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
|
|
This means that the user is a person, is not a computer, the
|
|
sAMAccountType is for a normal user account, and is not shown
|
|
in advanced view only (which would likely mean its a system
|
|
created service account with advanced permissions). Also, either
|
|
the sAMAccountName, the userPrincipalName, or the mail attribute
|
|
matches the input username.
|
|
type: string
|
|
type: object
|
|
required:
|
|
- host
|
|
type: object
|
|
status:
|
|
description: Status of the identity provider.
|
|
properties:
|
|
conditions:
|
|
description: Represents the observations of an identity provider's
|
|
current state.
|
|
items:
|
|
description: Condition status of a resource (mirrored from the metav1.Condition
|
|
type added in Kubernetes 1.19). In a future API version we can
|
|
switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
|
|
properties:
|
|
lastTransitionTime:
|
|
description: lastTransitionTime is the last time the condition
|
|
transitioned from one status to another. This should be when
|
|
the underlying condition changed. If that is not known, then
|
|
using the time when the API field changed is acceptable.
|
|
format: date-time
|
|
type: string
|
|
message:
|
|
description: message is a human readable message indicating
|
|
details about the transition. This may be an empty string.
|
|
maxLength: 32768
|
|
type: string
|
|
observedGeneration:
|
|
description: observedGeneration represents the .metadata.generation
|
|
that the condition was set based upon. For instance, if .metadata.generation
|
|
is currently 12, but the .status.conditions[x].observedGeneration
|
|
is 9, the condition is out of date with respect to the current
|
|
state of the instance.
|
|
format: int64
|
|
minimum: 0
|
|
type: integer
|
|
reason:
|
|
description: reason contains a programmatic identifier indicating
|
|
the reason for the condition's last transition. Producers
|
|
of specific condition types may define expected values and
|
|
meanings for this field, and whether the values are considered
|
|
a guaranteed API. The value should be a CamelCase string.
|
|
This field may not be empty.
|
|
maxLength: 1024
|
|
minLength: 1
|
|
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
|
|
type: string
|
|
status:
|
|
description: status of the condition, one of True, False, Unknown.
|
|
enum:
|
|
- "True"
|
|
- "False"
|
|
- Unknown
|
|
type: string
|
|
type:
|
|
description: type of condition in CamelCase or in foo.example.com/CamelCase.
|
|
--- Many .condition.type values are consistent across resources
|
|
like Available, but because arbitrary conditions can be useful
|
|
(see .node.status.conditions), the ability to deconflict is
|
|
important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
|
|
maxLength: 316
|
|
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
|
|
type: string
|
|
required:
|
|
- lastTransitionTime
|
|
- message
|
|
- reason
|
|
- status
|
|
- type
|
|
type: object
|
|
type: array
|
|
x-kubernetes-list-map-keys:
|
|
- type
|
|
x-kubernetes-list-type: map
|
|
phase:
|
|
default: Pending
|
|
description: Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
|
|
enum:
|
|
- Pending
|
|
- Ready
|
|
- Error
|
|
type: string
|
|
type: object
|
|
required:
|
|
- spec
|
|
type: object
|
|
served: true
|
|
storage: true
|
|
subresources:
|
|
status: {}
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|