WorkspaceType
WorkspaceType CRD schema reference (group tenancy.kcp.io)
Version v1alpha1
Properties
.apiVersion
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
.kind
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
.metadata
.metadata.name
.spec
.spec.additionalWorkspaceLabels
additionalWorkspaceLabels are a set of labels that will be added to a Workspace on creation.
.spec.authenticationConfigurations
authenticationConfigurations are additional authentication options that should apply to any workspace using this workspace type.
.spec.authenticationConfigurations[*]
AuthenticationConfigurationReference provides the fields necessary to resolve a WorkspaceAuthenticationConfiguration.
.spec.authenticationConfigurations[*].name
name is the name of the WorkspaceAuthenticationConfiguration.
.spec.defaultAPIBindingLifecycle
Configure the lifecycle behaviour of defaultAPIBindings.
.spec.defaultAPIBindings
defaultAPIBindings are the APIs to bind during initialization of workspaces created from this type. The APIBinding names will be generated dynamically.
.spec.defaultAPIBindings[*]
APIExportReference provides the fields necessary to resolve an APIExport.
.spec.defaultAPIBindings[*].export
export is the name of the APIExport.
.spec.defaultAPIBindings[*].path
path is the fully-qualified path to the workspace containing the APIExport. If it is empty, the current workspace is assumed.
.spec.defaultChildWorkspaceType
defaultChildWorkspaceType is the WorkspaceType that will be used by default if another, nested Workspace is created in a workspace of this type. When this field is unset, the user must specify a type when creating nested workspaces. Extending another WorkspaceType does not inherit its defaultChildWorkspaceType.
.spec.defaultChildWorkspaceType.name
name is the name of the WorkspaceType.
.spec.defaultChildWorkspaceType.path
path is an absolute reference to the workspace that owns this type, e.g. root:org:ws.
.spec.extend
extend is a list of other WorkspaceTypes whose initializers and limitAllowedChildren and limitAllowedParents this WorkspaceType is inheriting. By (transitively) extending another WorkspaceType, this WorkspaceType will be considered as that other type in evaluation of limitAllowedChildren and limitAllowedParents constraints.
A dependency cycle stops this WorkspaceType from being admitted as the type of a Workspace.
A non-existing dependency stops this WorkspaceType from being admitted as the type of a Workspace.
.spec.extend.with
with are WorkspaceTypes whose initializers are added to the list for the owning type, and for whom the owning type becomes an alias, as long as all of their required types are not mentioned in without.
.spec.extend.with[*]
WorkspaceTypeReference is a globally unique, fully qualified reference to a workspace type.
.spec.extend.with[*].name
name is the name of the WorkspaceType.
.spec.extend.with[*].path
path is an absolute reference to the workspace that owns this type, e.g. root:org:ws.
.spec.initializer
initializer determines if this WorkspaceType has an associated initializing controller. These controllers are used to add functionality to a Workspace; all controllers must finish their work before the Workspace becomes ready for use.
One initializing controller is supported per WorkspaceType; the identifier for this initializer will be a colon-delimited string using the workspace in which the WorkspaceType is defined, and the type’s name. For example, if a WorkspaceType example is created in the root:org workspace, the implicit initializer name is root:org:example.
.spec.initializerPermissions
initializerPermissions are the RBAC rules granted to initializer controllers when they access workspace content through the initializing virtual workspace’s content proxy. Rules are evaluated in-process by the VW proxy on each request; no ClusterRole or ClusterRoleBinding objects are created inside the workspace.
When empty (the default), the VW content proxy falls back to impersonating the workspace owner (full cluster-admin), preserving the historical behavior.
Changes take effect immediately for all workspaces of this type.
.spec.initializerPermissions[*]
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
.spec.initializerPermissions[*].apiGroups
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. “” represents the core API group and “*” represents all API groups.
.spec.initializerPermissions[*].apiGroups[*]
.spec.initializerPermissions[*].nonResourceURLs
NonResourceURLs is a set of partial URLs that a user should have access to. *s are allowed, but only as the full, final step in the path. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as “pods” or “secrets”) or non-resource URL paths (such as “/api”), but not both.
.spec.initializerPermissions[*].nonResourceURLs[*]
.spec.initializerPermissions[*].resourceNames
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
.spec.initializerPermissions[*].resourceNames[*]
.spec.initializerPermissions[*].resources
Resources is a list of resources this rule applies to. ‘*’ represents all resources.
.spec.initializerPermissions[*].resources[*]
.spec.initializerPermissions[*].verbs
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. ‘*’ represents all verbs.
.spec.initializerPermissions[*].verbs[*]
.spec.limitAllowedChildren
limitAllowedChildren specifies constraints for sub-workspaces created in workspaces of this type. These are in addition to child constraints of types this one extends.
.spec.limitAllowedChildren.none
none means that no type matches.
.spec.limitAllowedChildren.types
types is a list of WorkspaceTypes that match. A workspace type extending another workspace type automatically is considered as that extended type as well (even transitively).
An empty list matches all types.
.spec.limitAllowedChildren.types[*]
WorkspaceTypeReference is a globally unique, fully qualified reference to a workspace type.
.spec.limitAllowedChildren.types[*].name
name is the name of the WorkspaceType.
.spec.limitAllowedChildren.types[*].path
path is an absolute reference to the workspace that owns this type, e.g. root:org:ws.
.spec.limitAllowedParents
limitAllowedParents specifies constraints for the parent workspace that workspaces of this type are created in. These are in addition to parent constraints of types this one extends.
.spec.limitAllowedParents.none
none means that no type matches.
.spec.limitAllowedParents.types
types is a list of WorkspaceTypes that match. A workspace type extending another workspace type automatically is considered as that extended type as well (even transitively).
An empty list matches all types.
.spec.limitAllowedParents.types[*]
WorkspaceTypeReference is a globally unique, fully qualified reference to a workspace type.
.spec.limitAllowedParents.types[*].name
name is the name of the WorkspaceType.
.spec.limitAllowedParents.types[*].path
path is an absolute reference to the workspace that owns this type, e.g. root:org:ws.
.spec.terminator
Terminator determines if this WorkspaceType has an associated terminating controller. These controllers are used to add functionality to a Workspace; all controllers must finish their work before the Workspace is deleted.
One terminating controller is supported per WorkspaceType; the identifier for this terminator will be a colon-delimited string using the workspace in which the WorkspaceType is defined, and the type’s name. For example, if a WorkspaceType example is created in the root:org workspace, the implicit terminator name is root:org:example.
.spec.terminatorPermissions
terminatorPermissions are the RBAC rules granted to terminator controllers when they access workspace content through the terminating virtual workspace’s content proxy. Rules are evaluated in-process by the VW proxy on each request; no ClusterRole or ClusterRoleBinding objects are created inside the workspace.
When empty (the default), the VW content proxy falls back to impersonating the workspace owner (full cluster-admin), preserving the historical behavior.
Changes take effect immediately for all workspaces of this type.
.spec.terminatorPermissions[*]
PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.
.spec.terminatorPermissions[*].apiGroups
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. “” represents the core API group and “*” represents all API groups.
.spec.terminatorPermissions[*].apiGroups[*]
.spec.terminatorPermissions[*].nonResourceURLs
NonResourceURLs is a set of partial URLs that a user should have access to. *s are allowed, but only as the full, final step in the path. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as “pods” or “secrets”) or non-resource URL paths (such as “/api”), but not both.
.spec.terminatorPermissions[*].nonResourceURLs[*]
.spec.terminatorPermissions[*].resourceNames
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
.spec.terminatorPermissions[*].resourceNames[*]
.spec.terminatorPermissions[*].resources
Resources is a list of resources this rule applies to. ‘*’ represents all resources.
.spec.terminatorPermissions[*].resources[*]
.spec.terminatorPermissions[*].verbs
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. ‘*’ represents all verbs.
.spec.terminatorPermissions[*].verbs[*]
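As an added example (not part of the kcp reference or code base), the following Python check audits WorkspaceType manifests for the two cases described under initializerPermissions and terminatorPermissions: a hook that is enabled with no rules, where the VW content proxy falls back to impersonating the workspace owner, and a rule that lists "*" in apiGroups, resources and verbs. It assumes spec.initializer and spec.terminator are booleans; the function names, finding labels and sample manifests are constructed for illustration.

```python
import json

# (hook flag, permissions field) pairs from the schema above.
HOOKS = (("initializer", "initializerPermissions"),
         ("terminator", "terminatorPermissions"))

def is_all_wildcard(rule):
    """True when a PolicyRule lists "*" in apiGroups, resources and verbs."""
    return all("*" in (rule.get(k) or []) for k in ("apiGroups", "resources", "verbs"))

def audit_workspace_type(manifest):
    """Return (hook, finding) tuples for one parsed WorkspaceType manifest."""
    spec = manifest.get("spec") or {}
    findings = []
    for hook, perms_field in HOOKS:
        if not spec.get(hook):  # assumed boolean; no controller, nothing granted
            continue
        rules = spec.get(perms_field) or []
        if not rules:
            # Empty list: the proxy impersonates the workspace owner.
            findings.append((hook, "owner-fallback"))
        for i, rule in enumerate(rules):
            if is_all_wildcard(rule):
                findings.append((hook, f"rule[{i}]-all-wildcard"))
    return findings

# Constructed sample manifests in JSON form; not taken from a real cluster.
SAMPLES = json.loads("""
[
  {"apiVersion": "tenancy.kcp.io/v1alpha1", "kind": "WorkspaceType",
   "metadata": {"name": "broad"},
   "spec": {"initializer": true, "terminator": true,
            "terminatorPermissions": [
              {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}},
  {"apiVersion": "tenancy.kcp.io/v1alpha1", "kind": "WorkspaceType",
   "metadata": {"name": "scoped"},
   "spec": {"initializer": true,
            "initializerPermissions": [
              {"apiGroups": [""], "resources": ["configmaps"],
               "verbs": ["get", "create"]}]}}
]
""")

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["metadata"]["name"], audit_workspace_type(m))
```

Because changes to these fields take effect immediately for all workspaces of the type, a check like this is most useful as a gate before a WorkspaceType is applied.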
.status
WorkspaceTypeStatus defines the observed state of WorkspaceType.
.status.conditions
conditions is a list of conditions that apply to the APIExport.
.status.conditions[*]
Condition defines an observation of an object's operational state.
.status.conditions[*].lastTransitionTime
Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
.status.conditions[*].message
A human readable message indicating details about the transition. This field may be empty.
.status.conditions[*].reason
The reason for the condition’s last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty.
.status.conditions[*].severity
Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False.
.status.conditions[*].status
Status of the condition, one of True, False, Unknown.
.status.conditions[*].type
Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important.
.status.virtualWorkspaces
virtualWorkspaces contains all APIExport virtual workspace URLs.
.status.virtualWorkspaces[*]
.status.virtualWorkspaces[*].type
type indicates the type of virtual workspace this URL represents.
.status.virtualWorkspaces[*].url
url is a WorkspaceType initialization virtual workspace URL.