TeleportScopedTokenV1
resources.teleport.dev / v1
apiVersion: resources.teleport.dev/v1
kind: TeleportScopedTokenV1
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
scope
string
Scope is the scope of the token resource.
spec object
ScopedToken resource definition v1 from Teleport
assigned_scope
string
The scope to which this token is assigned. Must be equivalent or descendent to the scope of the token itself.
aws object
The AWS-specific configuration used with the "ec2" and "iam" join methods.
allow []object
A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.
aws_account
string
aws_arn
string
aws_organization_id
string
aws_regions
[]string
aws_role
string
iid_ttl
string
The TTL to use for AWS EC2 Instance Identity Documents used to join the cluster with this token. This should be a duration string such as "8h" or "6mo".
integration
string
Integration name which provides credentials for validating join attempts. Currently only in use for validating the AWS Organization ID in the IAM Join method.
azure object
The Azure-specific configuration used with the "azure" join method.
allow []object
A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.
resource_groups
[]string
subscription
string
tenant
string
azure_devops object
The Azure Devops-specific configuration used with the "azure_devops" join method.
allow []object
A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.
definition_id
string
pipeline_name
string
project_id
string
project_name
string
repository_ref
string
repository_uri
string
repository_version
string
sub
string
organization_id
string
The UUID of the Azure DevOps organization that this join token will grant access to. This is used to identify the correct issuer verification of the ID token. This is a required field.
bot_name
string
Name of the bot associated with this join token, if any.
bot_scope
string
Scope of the bot associated with this join token. Required if bot_name is set, and mutually exclusive with assigned_scope.
bound_keypair object
Configuration specific to the "bound_keypair" join method.
onboarding object
Parameters related to initial onboarding and keypair registration.
initial_public_key
string
must_register_before
string
format:
date-time
registration_secret
string
recovery object
Parameters related to recovery after identity expiration, including the initial join.
limit
integer
format:
int32
mode
string
rotate_after
string
An optional timestamp that forces clients to perform a keypair rotation on the next join or recovery attempt after the given date. If `LastRotatedAt` is unset or before this timestamp, a rotation will be requested. It is recommended to set this value to the current timestamp if a rotation should be triggered on the next join attempt.
format:
date-timegcp object
The GCP-specific configuration used with the "gcp" join method.
allow []object
A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.
locations
[]string
project_ids
[]string
service_accounts
[]string
immutable_labels object
Immutable labels that should be applied to any resulting resources provisioned using this token.
ssh
object
Labels that should be applied to SSH nodes.
join_method
string
The joining method required in order to use this token. Note that not all join methods support joining with scoped tokens.
kubernetes object
The Kubernetes-specific configuration used with the "kubernetes" join method.
allow []object
A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.
service_account
string
service_account_name
string
service_account_namespace
string
oidc object
The configuration specific to the `oidc` type.
insecure_allow_http_issuer
boolean
issuer
string
static_jwks object
The configuration specific to the `static_jwks` type.
jwks
string
type
string
Controls which behavior should be used for validating the Kubernetes Service Account token. Supported values: - `in_cluster` - `static_jwks` - `oidc`
oracle object
The Oracle-specific configuration used with the "oracle" join method.
allow []object
A list of Rules for allowing use of this token. A node must match at least one allow rule in order to use this token.
instances
[]string
parent_compartments
[]string
regions
[]string
tenancy
string
roles
[]string
The list of roles associated with the token. They will be converted to metadata in the SSH and X509 certificates issued to the user of the token.
usage_mode
string
The usage mode of the token. Can be "single_use" or "unlimited". Single use tokens can only be used to provision a single resource. Unlimited tokens can be be used to provision any number of resources until it expires.
status object
Status defines the observed state of the Teleport resource
conditions []object
Conditions represent the latest available observations of an object's state
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316
teleportResourceID
integer
format:
int64No matches. Try .spec.assigned_scope for an exact path