Skip to content

APIBinding

APIBinding CRD schema reference (group apis.kcp.io)

APIBinding enables a set of resources and their behaviour through an external service provider in this workspace. The service provider uses an APIExport to expose the API.
Full name:
apibindings.apis.kcp.io
Group:
apis.kcp.io
Singular name:
apibinding
Plural name:
apibindings
Scope:
Cluster
Versions:
v1alpha1

Version v1alpha1

Properties

.apiVersion

string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

.kind

string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

.metadata

object

.spec

object

Spec holds the desired state.

.spec.permissionClaims

array

permissionClaims records decisions about permission claims requested by the API service provider. Individual claims can be accepted or rejected. If accepted, the API service provider gets the requested access to the specified resources in this workspace. Access is granted per GroupResource, identity, and other properties.

.spec.permissionClaims[*]

object

AcceptablePermissionClaim is a PermissionClaim that records if the user accepts or rejects it.

.spec.permissionClaims[*].all

boolean

all claims all resources for the given group/resource. This is mutually exclusive with resourceSelector.

.spec.permissionClaims[*].group

string

group is the name of an API group. For core groups this is the empty string ‘“”’.

.spec.permissionClaims[*].identityHash

string

This is the identity for a given APIExport that the APIResourceSchema belongs to. The hash can be found on APIExport and APIResourceSchema’s status. It will be empty for core types. Note that one must look this up for a particular KCP instance.

.spec.permissionClaims[*].resource

string Required

resource is the name of the resource. Note: it is worth noting that you can not ask for permissions for resource provided by a CRD not provided by an api export.

.spec.permissionClaims[*].resourceSelector

array

resourceSelector is a list of claimed resource selectors.

.spec.permissionClaims[*].resourceSelector[*]

object

.spec.permissionClaims[*].resourceSelector[*].name

string

name of an object within a claimed group/resource. It matches the metadata.name field of the underlying object. If namespace is unset, all objects matching that name will be claimed.

.spec.permissionClaims[*].resourceSelector[*].namespace

string

namespace containing the named object. Matches metadata.namespace field. If “name” is unset, all objects from the namespace are being claimed.

.spec.permissionClaims[*].state

string Required

.spec.reference

object Required

reference uniquely identifies an API to bind to.

.spec.reference.export

object

export is a reference to an APIExport by cluster name and export name. The creator of the APIBinding needs to have access to the APIExport with the verb bind in order to bind to it.

.spec.reference.export.name

string Required

name is the name of the APIExport that describes the API.

.spec.reference.export.path

string

path is a logical cluster path where the APIExport is defined. If the path is unset, the logical cluster of the APIBinding is used.

.status

object

Status communicates the observed state.

.status.apiExportClusterName

string

APIExportClusterName records the name (not path) of the logical cluster that contains the APIExport.

.status.appliedPermissionClaims

array

appliedPermissionClaims is a list of the permission claims the system has seen and applied, according to the requests of the API service provider in the APIExport and the acceptance state in spec.permissionClaims.

.status.appliedPermissionClaims[*]

object

PermissionClaim identifies an object by GR and identity hash. Its purpose is to determine the added permissions that a service provider may request and that a consumer may accept and allow the service provider access to.

.status.appliedPermissionClaims[*].all

boolean

all claims all resources for the given group/resource. This is mutually exclusive with resourceSelector.

.status.appliedPermissionClaims[*].group

string

group is the name of an API group. For core groups this is the empty string ‘“”’.

.status.appliedPermissionClaims[*].identityHash

string

This is the identity for a given APIExport that the APIResourceSchema belongs to. The hash can be found on APIExport and APIResourceSchema’s status. It will be empty for core types. Note that one must look this up for a particular KCP instance.

.status.appliedPermissionClaims[*].resource

string Required

resource is the name of the resource. Note: it is worth noting that you can not ask for permissions for resource provided by a CRD not provided by an api export.

.status.appliedPermissionClaims[*].resourceSelector

array

resourceSelector is a list of claimed resource selectors.

.status.appliedPermissionClaims[*].resourceSelector[*]

object

.status.appliedPermissionClaims[*].resourceSelector[*].name

string

name of an object within a claimed group/resource. It matches the metadata.name field of the underlying object. If namespace is unset, all objects matching that name will be claimed.

.status.appliedPermissionClaims[*].resourceSelector[*].namespace

string

namespace containing the named object. Matches metadata.namespace field. If “name” is unset, all objects from the namespace are being claimed.

.status.boundResources

array

boundResources records the state of bound APIs.

.status.boundResources[*]

object

BoundAPIResource describes a bound GroupVersionResource through an APIResourceSchema of an APIExport..

.status.boundResources[*].group

string Required

group is the group of the bound API. Empty string for the core API group.

.status.boundResources[*].resource

string Required

resource is the resource of the bound API.

kubebuilder:validation:MinLength=1

.status.boundResources[*].schema

object Required

Schema references the APIResourceSchema that is bound to this API.

.status.boundResources[*].schema.UID

string Required

UID is the UID of the APIResourceSchema that is bound to this API.

.status.boundResources[*].schema.identityHash

string Required

identityHash is the hash of the API identity that this schema is bound to. The API identity determines the etcd prefix used to persist the object. Different identity means that the objects are effectively served and stored under a distinct resource. A CRD of the same GroupVersionResource uses a different identity and hence a separate etcd prefix.

.status.boundResources[*].schema.name

string Required

name is the bound APIResourceSchema name.

.status.boundResources[*].storageVersions

array

storageVersions lists all versions of a resource that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list.

Versions may not be removed while they exist in this list.

.status.boundResources[*].storageVersions[*]

string

.status.conditions

array

conditions is a list of conditions that apply to the APIBinding.

.status.conditions[*]

object

Condition defines an observation of a object operational state.

.status.conditions[*].lastTransitionTime

string Required

Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

.status.conditions[*].message

string

A human readable message indicating details about the transition. This field may be empty.

.status.conditions[*].reason

string

The reason for the condition’s last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty.

.status.conditions[*].severity

string

Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False.

.status.conditions[*].status

string Required

Status of the condition, one of True, False, Unknown.

.status.conditions[*].type

string Required

Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important.

.status.exportPermissionClaims

array

exportPermissionClaims records the permissions that the export provider is asking for the binding to grant.

.status.exportPermissionClaims[*]

object

PermissionClaim identifies an object by GR and identity hash. Its purpose is to determine the added permissions that a service provider may request and that a consumer may accept and allow the service provider access to.

.status.exportPermissionClaims[*].all

boolean

all claims all resources for the given group/resource. This is mutually exclusive with resourceSelector.

.status.exportPermissionClaims[*].group

string

group is the name of an API group. For core groups this is the empty string ‘“”’.

.status.exportPermissionClaims[*].identityHash

string

This is the identity for a given APIExport that the APIResourceSchema belongs to. The hash can be found on APIExport and APIResourceSchema’s status. It will be empty for core types. Note that one must look this up for a particular KCP instance.

.status.exportPermissionClaims[*].resource

string Required

resource is the name of the resource. Note: it is worth noting that you can not ask for permissions for resource provided by a CRD not provided by an api export.

.status.exportPermissionClaims[*].resourceSelector

array

resourceSelector is a list of claimed resource selectors.

.status.exportPermissionClaims[*].resourceSelector[*]

object

.status.exportPermissionClaims[*].resourceSelector[*].name

string

name of an object within a claimed group/resource. It matches the metadata.name field of the underlying object. If namespace is unset, all objects matching that name will be claimed.

.status.exportPermissionClaims[*].resourceSelector[*].namespace

string

namespace containing the named object. Matches metadata.namespace field. If “name” is unset, all objects from the namespace are being claimed.

.status.phase

string

phase is the current phase of the APIBinding: - “”: the APIBinding has just been created, waiting to be bound. - Binding: the APIBinding is being bound. - Bound: the APIBinding is bound and the referenced APIs are available in the workspace.