{ "description": "AccessControlPolicy defines an access control policy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": [ "string", "null" ] }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": [ "string", "null" ] }, "metadata": { "type": [ "object", "null" ] }, "spec": { "additionalProperties": false, "description": "AccessControlPolicySpec configures an access control policy.", "properties": { "apiKey": { "additionalProperties": false, "description": "AccessControlPolicyAPIKey configure an APIKey control policy.", "properties": { "forwardHeaders": { "additionalProperties": { "type": "string" }, "description": "ForwardHeaders instructs the middleware to forward key metadata as header values upon successful authentication.", "type": [ "object", "null" ] }, "keySource": { "additionalProperties": false, "description": "KeySource defines how to extract API keys from requests.", "properties": { "cookie": { "description": "Cookie is the name of a cookie.", "type": [ "string", "null" ] }, "header": { "description": "Header is the name of a header.", "type": [ "string", "null" ] }, "headerAuthScheme": { "description": "HeaderAuthScheme sets an optional auth scheme when Header is set to \"Authorization\".\nIf set, this scheme is removed from the token, and all requests not including it are dropped.", "type": [ "string", "null" ] }, "query": { "description": "Query is the name of a query parameter.", "type": [ "string", "null" ] } }, "type": "object" }, "keys": { "description": "Keys define the set of authorized keys to access a protected resource.", "items": { "additionalProperties": false, "description": "AccessControlPolicyAPIKeyKey defines an API key.", "properties": { "id": { "description": "ID is the unique identifier of the key.", "type": "string" }, "metadata": { "additionalProperties": { "type": "string" }, "description": "Metadata holds arbitrary metadata for this key, can be used by ForwardHeaders.", "type": [ "object", "null" ] }, "value": { "description": "Value is the SHAKE-256 hash (using 64 bytes) of the API key.", "type": "string" } }, "required": [ "id", "value" ], "type": "object" }, "type": [ "array", "null" ] } }, "required": [ "keySource" ], "type": [ "object", "null" ] }, "basicAuth": { "additionalProperties": false, "description": "AccessControlPolicyBasicAuth holds the HTTP basic authentication configuration.", "properties": { "forwardUsernameHeader": { "type": [ "string", "null" ] }, "realm": { "type": [ "string", "null" ] }, "stripAuthorizationHeader": { "type": [ "boolean", "null" ] }, "users": { "items": { "type": "string" }, "type": [ "array", "null" ] } }, "type": [ "object", "null" ] }, "jwt": { "additionalProperties": false, "description": "AccessControlPolicyJWT configures a JWT access control policy.", "properties": { "claims": { "type": [ "string", "null" ] }, "forwardHeaders": { "additionalProperties": { "type": "string" }, "type": [ "object", "null" ] }, "jwksFile": { "type": [ "string", "null" ] }, "jwksUrl": { "type": [ "string", "null" ] }, "publicKey": { "type": [ "string", "null" ] }, "signingSecret": { "type": [ "string", "null" ] }, "signingSecretBase64Encoded": { "type": [ "boolean", "null" ] }, "stripAuthorizationHeader": { "type": [ "boolean", "null" ] }, "tokenQueryKey": { "type": [ "string", "null" ] } }, "type": [ "object", "null" ] }, "oAuthIntro": { "additionalProperties": false, "description": "AccessControlOAuthIntro configures an OAuth 2.0 Token Introspection access control policy.", "properties": { "claims": { "type": [ "string", "null" ] }, "clientConfig": { "additionalProperties": false, "description": "AccessControlOAuthIntroClientConfig configures the OAuth 2.0 client for issuing token introspection requests.", "properties": { "headers": { "additionalProperties": { "type": "string" }, "description": "Headers to set when sending requests to the Authorization Server.", "type": [ "object", "null" ] }, "maxRetries": { "default": 3, "description": "MaxRetries defines the number of retries for introspection requests.", "type": [ "integer", "null" ] }, "timeoutSeconds": { "default": 5, "description": "TimeoutSeconds configures the maximum amount of seconds to wait before giving up on requests.", "type": [ "integer", "null" ] }, "tls": { "additionalProperties": false, "description": "TLS configures TLS communication with the Authorization Server.", "properties": { "ca": { "description": "CA sets the CA bundle used to sign the Authorization Server certificate.", "type": [ "string", "null" ] }, "insecureSkipVerify": { "description": "InsecureSkipVerify skips the Authorization Server certificate validation.\nFor testing purposes only, do not use in production.", "type": [ "boolean", "null" ] } }, "type": [ "object", "null" ] }, "tokenTypeHint": { "description": "TokenTypeHint is a hint to pass to the Authorization Server.\nSee https://tools.ietf.org/html/rfc7662#section-2.1 for more information.", "type": [ "string", "null" ] }, "url": { "description": "URL of the Authorization Server.", "type": "string" } }, "required": [ "url" ], "type": "object" }, "forwardHeaders": { "additionalProperties": { "type": "string" }, "type": [ "object", "null" ] }, "tokenSource": { "additionalProperties": false, "description": "TokenSource describes how to extract tokens from HTTP requests.\nIf multiple sources are set, the order is the following: header \u003e query \u003e cookie.", "properties": { "cookie": { "description": "Cookie is the name of a cookie.", "type": [ "string", "null" ] }, "header": { "description": "Header is the name of a header.", "type": [ "string", "null" ] }, "headerAuthScheme": { "description": "HeaderAuthScheme sets an optional auth scheme when Header is set to \"Authorization\".\nIf set, this scheme is removed from the token, and all requests not including it are dropped.", "type": [ "string", "null" ] }, "query": { "description": "Query is the name of a query parameter.", "type": [ "string", "null" ] } }, "type": "object" } }, "required": [ "clientConfig", "tokenSource" ], "type": [ "object", "null" ] }, "oidc": { "additionalProperties": false, "description": "AccessControlPolicyOIDC holds the OIDC authentication configuration.", "properties": { "authParams": { "additionalProperties": { "type": "string" }, "type": [ "object", "null" ] }, "claims": { "type": [ "string", "null" ] }, "clientId": { "type": [ "string", "null" ] }, "disableAuthRedirectionPaths": { "items": { "type": "string" }, "type": [ "array", "null" ] }, "forwardHeaders": { "additionalProperties": { "type": "string" }, "type": [ "object", "null" ] }, "issuer": { "type": [ "string", "null" ] }, "logoutUrl": { "type": [ "string", "null" ] }, "redirectUrl": { "type": [ "string", "null" ] }, "scopes": { "items": { "type": "string" }, "type": [ "array", "null" ] }, "secret": { "additionalProperties": false, "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret\nin any namespace", "properties": { "name": { "description": "name is unique within a namespace to reference a secret resource.", "type": [ "string", "null" ] }, "namespace": { "description": "namespace defines the space within which the secret name must be unique.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "session": { "additionalProperties": false, "description": "Session holds session configuration.", "properties": { "domain": { "type": [ "string", "null" ] }, "path": { "type": [ "string", "null" ] }, "refresh": { "type": [ "boolean", "null" ] }, "sameSite": { "type": [ "string", "null" ] }, "secure": { "type": [ "boolean", "null" ] } }, "type": [ "object", "null" ] }, "stateCookie": { "additionalProperties": false, "description": "StateCookie holds state cookie configuration.", "properties": { "domain": { "type": [ "string", "null" ] }, "path": { "type": [ "string", "null" ] }, "sameSite": { "type": [ "string", "null" ] }, "secure": { "type": [ "boolean", "null" ] } }, "type": [ "object", "null" ] } }, "type": [ "object", "null" ] }, "oidcGoogle": { "additionalProperties": false, "description": "AccessControlPolicyOIDCGoogle holds the Google OIDC authentication configuration.", "properties": { "authParams": { "additionalProperties": { "type": "string" }, "type": [ "object", "null" ] }, "clientId": { "type": [ "string", "null" ] }, "emails": { "description": "Emails are the allowed emails to connect.", "items": { "type": "string" }, "minItems": 1, "type": [ "array", "null" ] }, "forwardHeaders": { "additionalProperties": { "type": "string" }, "type": [ "object", "null" ] }, "logoutUrl": { "type": [ "string", "null" ] }, "redirectUrl": { "type": [ "string", "null" ] }, "secret": { "additionalProperties": false, "description": "SecretReference represents a Secret Reference. It has enough information to retrieve secret\nin any namespace", "properties": { "name": { "description": "name is unique within a namespace to reference a secret resource.", "type": [ "string", "null" ] }, "namespace": { "description": "namespace defines the space within which the secret name must be unique.", "type": [ "string", "null" ] } }, "type": [ "object", "null" ], "x-kubernetes-map-type": "atomic" }, "session": { "additionalProperties": false, "description": "Session holds session configuration.", "properties": { "domain": { "type": [ "string", "null" ] }, "path": { "type": [ "string", "null" ] }, "refresh": { "type": [ "boolean", "null" ] }, "sameSite": { "type": [ "string", "null" ] }, "secure": { "type": [ "boolean", "null" ] } }, "type": [ "object", "null" ] }, "stateCookie": { "additionalProperties": false, "description": "StateCookie holds state cookie configuration.", "properties": { "domain": { "type": [ "string", "null" ] }, "path": { "type": [ "string", "null" ] }, "sameSite": { "type": [ "string", "null" ] }, "secure": { "type": [ "boolean", "null" ] } }, "type": [ "object", "null" ] } }, "type": [ "object", "null" ] } }, "type": [ "object", "null" ] }, "status": { "additionalProperties": false, "description": "The current status of this access control policy.", "properties": { "specHash": { "type": [ "string", "null" ] }, "syncedAt": { "format": "date-time", "type": [ "string", "null" ] }, "version": { "type": [ "string", "null" ] } }, "type": [ "object", "null" ] } }, "type": "object" }