API Reference
Packages:
ztoperator.kartverket.no/v1alpha1
Resource Types:
AuthPolicy
AuthPolicy is the Schema for the authpolicies API.
| Name | Type | Description | Required |
|---|---|---|---|
| apiVersion | string | ztoperator.kartverket.no/v1alpha1 | true |
| kind | string | AuthPolicy | true |
| metadata | object | Refer to the Kubernetes API documentation for the fields of the metadata field. | true |
| spec | object | AuthPolicySpec defines the desired state of AuthPolicy. | false |
| status | object | AuthPolicyStatus defines the observed state of AuthPolicy. | false |
AuthPolicy.spec
AuthPolicySpec defines the desired state of AuthPolicy.
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether to enable JWT validation. If enabled, incoming JWTs will be validated against the issuer specified in the app registration and the generated audience. | true |
| selector | object | The Selector specifies which workload the defined auth policy should be applied to. | true |
| wellKnownURI | string | WellKnownURI specifies the URI of the identity provider's discovery document (also known as the well-known endpoint). | true |
| acceptedResources | []string | AcceptedResources specifies resource indicators used to request an audience-limited access token following RFC 8707. It defines accepted audience resource indicators in the JWT token. The resource indicators specified will be added to the initial authorize request towards the configured identity provider. Each resource indicator must be a valid URI, and the access token returned by the identity provider will set the resource indicators in the Please note that this alone is not sufficient to securely restrict access to a resource based on the | false |
| allowedAudiences | []object | AllowedAudiences defines the allowed audience ( The normative behaviour for an OAuth / OIDC-compliant identity provider is to validate the presence of one or more client IDs as allowed audiences. | false |
| audience | []string | Deprecated: use .allowedAudiences instead. Audience defines the accepted audience ( | false |
| authRules | []object | AuthRules defines rules for allowing HTTP requests based on conditions that must be met based on JWT claims. API endpoints not covered by AuthRules and/or IgnoreAuthRules require an authenticated JWT by default. | false |
| autoLogin | object | AutoLogin specifies the required configuration needed to log in users. | false |
| forwardJwt | boolean | If set to | false |
| ignoreAuthRules | []object | IgnoreAuthRules defines request matchers for HTTP requests that do not require JWT authentication. API endpoints not covered by AuthRules or IgnoreAuthRules require an authenticated JWT by default. | false |
| oAuthCredentials | object | OAuthCredentials specifies a reference to a kubernetes secret in the same namespace holding OAuth credentials used for authentication. | false |
| outputClaimToHeaders | []object | OutputClaimsToHeaders specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. The header specified in each operation in the list must be unique. Nested claims of type string/int/bool are supported as well. If the claim is an object or array, it will be added to the header as a base64-encoded JSON string. | false |
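The following manifest is an added example, not one from the ztoperator project or this reference page; it exercises most of the fields above together with the Secret and ConfigMap they reference. Every name, label, URL, audience value, path and claim in it (my-app, my-namespace, idp.example.com, api://my-app, the roles and scope claims, and so on) is an assumption chosen for illustration.

```yaml
# Added example: a complete AuthPolicy plus the Secret and ConfigMap it references.
# All names, labels, URLs, audiences, paths and claim names are illustrative
# assumptions, not values taken from the ztoperator project.
apiVersion: v1
kind: Secret
metadata:
  name: my-app-oauth          # assumed; referenced by spec.oAuthCredentials.secretRef
  namespace: my-namespace     # must be the same namespace as the AuthPolicy
type: Opaque
stringData:
  client-id: "00000000-0000-0000-0000-000000000000"   # assumed; key named by clientIDKey
  client-secret: "replace-me"                         # assumed; key named by clientSecretKey
  audience: "api://my-app"                            # assumed; read via secretKeyRef below
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-app-config         # assumed; referenced by configMapKeyRef below
  namespace: my-namespace
data:
  audience: "api://my-app-alt"
---
apiVersion: ztoperator.kartverket.no/v1alpha1
kind: AuthPolicy
metadata:
  name: my-app
  namespace: my-namespace
spec:
  enabled: true
  selector:
    matchLabels:
      app: my-app             # assumed pod label; search is scoped to this namespace
  wellKnownURI: https://idp.example.com/.well-known/openid-configuration   # assumed IdP
  allowedAudiences:
    - value: "api://my-app"                 # static audience
    - valueFrom:
        secretKeyRef:                       # audience read from the Secret above
          name: my-app-oauth
          key: audience
    - valueFrom:
        configMapKeyRef:                    # audience read from the ConfigMap above
          name: my-app-config
          key: audience
  acceptedResources:
    - https://api.example.com               # assumed RFC 8707 resource indicator
  ignoreAuthRules:
    - paths: ["/healthz", "/public"]        # no JWT required here
      methods: ["GET"]
  authRules:
    - paths: ["/admin"]                     # paths start with '/' and do not end with '/'
      methods: ["GET", "POST"]
      denyRedirect: true                    # return the denial instead of redirecting to login
      when:
        - claim: roles                      # assumed claim name
          values: ["admin"]
    - paths: ["/api/v1/orders"]
      when:
        - claim: scope                      # assumed claim name; any listed value satisfies it
          values: ["orders.read", "orders.write"]
  autoLogin:
    enabled: true
    scopes: ["openid", "profile"]
    loginPath: "/login"
    redirectPath: "/oauth2/callback"        # the documented default, spelled out
    logoutPath: "/logout"                   # the documented default, spelled out
    postLogoutRedirectUri: https://my-app.example.com/   # assumed
    loginParams:
      prompt: login                         # assumed extra authorize-request parameter
  oAuthCredentials:
    secretRef: my-app-oauth
    clientIDKey: client-id
    clientSecretKey: client-secret
  forwardJwt: false
  outputClaimToHeaders:
    - claim: sub
      header: x-jwt-sub
    - claim: roles
      header: x-jwt-roles                   # array claim: delivered as base64-encoded JSON
```

Note the three tiers this produces: /healthz and /public are served without a token, /admin additionally requires the roles claim and answers a denied request directly rather than bouncing the caller to login, and every path not listed in either rule set falls back to the default of requiring a valid JWT. The Secret must be in the same namespace as the AuthPolicy, and the keys named by clientIDKey, clientSecretKey and secretKeyRef.key must actually exist in it; a mismatch there is the first thing to check when the status reports the policy as not ready.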
AuthPolicy.spec.selector
The Selector specifies which workload the defined auth policy should be applied to.
| Name | Type | Description | Required |
|---|---|---|---|
| matchLabels | map[string]string | One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present. | true |
AuthPolicy.spec.allowedAudiences[index]
AllowedAudience defines an audience that is validated against the aud claim in the JWT. An audience can be defined as a static value or retrieved from a kubernetes resource.
| Name | Type | Description | Required |
|---|---|---|---|
| value | string | Value specifies a static audience value. | false |
| valueFrom | object | ValueFrom specifies a reference to a kubernetes resource to retrieve the audience value from. | false |
AuthPolicy.spec.allowedAudiences[index].valueFrom
ValueFrom specifies a reference to a kubernetes resource to retrieve the audience value from.
| Name | Type | Description | Required |
|---|---|---|---|
| configMapKeyRef | object | ConfigMapKeyRef specifies a reference to a key in a ConfigMap. | false |
| secretKeyRef | object | SecretKeyRef specifies a reference to a key in a Secret. | false |
AuthPolicy.spec.allowedAudiences[index].valueFrom.configMapKeyRef
ConfigMapKeyRef specifies a reference to a key in a ConfigMap.
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key specifies the data entry name within the ConfigMap/Secret; must follow key naming rules. | true |
| name | string | Name specifies the name of the ConfigMap/Secret; must satisfy DNS-1123 subdomain naming. | true |
AuthPolicy.spec.allowedAudiences[index].valueFrom.secretKeyRef
SecretKeyRef specifies a reference to a key in a Secret.
| Name | Type | Description | Required |
|---|---|---|---|
| key | string | Key specifies the data entry name within the ConfigMap/Secret; must follow key naming rules. | true |
| name | string | Name specifies the name of the ConfigMap/Secret; must satisfy DNS-1123 subdomain naming. | true |
AuthPolicy.spec.authRules[index]
RequestAuthRule defines a rule for controlling access to HTTP requests using JWT authentication.
| Name | Type | Description | Required |
|---|---|---|---|
| paths | []string | Paths specify a set of URI paths that this rule applies to. Each path must be a valid URI path, starting with '/' and not ending with '/'. | true |
| denyRedirect | boolean | DenyRedirect specifies whether auto-login (if configured) should be suppressed for a request that is denied due to missing or invalid authentication. Defaults to false, meaning the user is redirected to auto-login (if configured); set it to true to return the denial directly, which is the behaviour non-browser API clients expect. | false |
| methods | []string | Methods specifies the HTTP methods that apply to the defined paths. If omitted, all methods are permitted. Allowed methods: | false |
| when | []object | When defines additional conditions based on JWT claims that must be met. This description states that the request is permitted if at least one of the specified conditions is satisfied, while the Condition type below states that all conditions must be met (AND logic); the two disagree, so verify the combining rule against the authorization policy the operator actually generates before relying on more than one condition per rule. | false |
AuthPolicy.spec.authRules[index].when[index]
Condition represents a rule that evaluates JWT claims to determine access control. This type allows defining conditions that check whether a specific claim in the JWT token contains one of the expected values. If multiple conditions are specified, all must be met (AND logic) for the request to be allowed.
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | Claim specifies the name of the JWT claim to check. | true |
| values | []string | Values specifies a list of allowed values for the claim. If the claim in the JWT contains any of these values (OR logic), the condition is met. | true |
AuthPolicy.spec.autoLogin
AutoLogin specifies the required configuration needed to log in users.
| Name | Type | Description | Required |
|---|---|---|---|
| enabled | boolean | Whether to enable auto login. If enabled, users accessing authenticated endpoints will be redirected to log in towards the configured identity provider. | true |
| scopes | []string | Scopes specifies the OAuth2 scopes used during authorization code flow. | true |
| loginParams | map[string]string | LoginParams specifies a map of query parameters and their values which will be added in the authorize request made towards the configured identity provider. | false |
| loginPath | string | LoginPath specifies the URI path that should trigger the auto-login behavior (the upstream description says "a list of URI paths", but the field is a single string). When a request matches this path, the user will be redirected to log in if not already authenticated. | false |
| logoutPath | string | LogoutPath specifies which URI to redirect the user to when signing out. This will end the session for the application and also redirect the user to log out towards the configured identity provider (RP-initiated logout). If omitted, a default path of /logout is used. | false |
| postLogoutRedirectUri | string | PostLogoutRedirectURI specifies which URI to redirect the user to after the user has successfully signed out towards the configured identity provider (RP-initiated logout). If omitted, no post_logout_redirect_uri will be used. | false |
| redirectPath | string | RedirectPath specifies which path to redirect the user to after completing the OIDC flow. If omitted, a default path of /oauth2/callback is used. | false |
AuthPolicy.spec.ignoreAuthRules[index]
RequestMatcher defines paths and methods to match incoming HTTP requests.
| Name | Type | Description | Required |
|---|---|---|---|
| paths | []string | Paths specify a set of URI paths that this rule applies to. Each path must be a valid URI path, starting with '/' and not ending with '/'. | true |
| methods | []string | Methods specifies the HTTP methods that apply to the defined paths. If omitted, all methods are permitted. Allowed methods: | false |
AuthPolicy.spec.oAuthCredentials
OAuthCredentials specifies a reference to a kubernetes secret in the same namespace holding OAuth credentials used for authentication.
| Name | Type | Description | Required |
|---|---|---|---|
| clientIDKey | string | ClientIDKey specifies the data key to access the client ID. | true |
| clientSecretKey | string | ClientSecretKey specifies the data key to access the client secret. | true |
| secretRef | string | SecretRef specifies the name of the kubernetes secret. | true |
AuthPolicy.spec.outputClaimToHeaders[index]
ClaimToHeader specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. The header specified in each operation in the list must be unique. Nested claims of type string/int/bool are supported as well.
| Name | Type | Description | Required |
|---|---|---|---|
| claim | string | Claim specifies the name of the claim in the JWT token that will be copied to the header. | true |
| header | string | Header specifies the name of the HTTP header to which the claim value will be copied. | true |
AuthPolicy.status
AuthPolicyStatus defines the observed state of AuthPolicy.
| Name | Type | Description | Required |
|---|---|---|---|
| ready | boolean | | true |
| conditions | []object | | false |
| message | string | | false |
| observedGeneration | integer | Format: int64 | false |
| phase | string | | false |
AuthPolicy.status.conditions[index]
Condition contains details for one aspect of the current state of this API Resource.
| Name | Type | Description | Required |
|---|---|---|---|
| lastTransitionTime | string | lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. Format: date-time | true |
| message | string | message is a human readable message indicating details about the transition. This may be an empty string. | true |
| reason | string | reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. | true |
| status | enum | status of the condition, one of True, False, Unknown. Enum: True, False, Unknown | true |
| type | string | type of condition in CamelCase or in foo.example.com/CamelCase. | true |
| observedGeneration | integer | observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. Format: int64 | false |