From daa8abae058f7579f636c9241cbfa78cca1e7fc4 Mon Sep 17 00:00:00 2001 
From: hongming Date: Mon, 14 Aug 2023 11:07:45 +0800 Subject: [PATCH] release ks-core-0.4.0 --- src/main/ks-core/.helmignore | 23 + src/main/ks-core/Chart.yaml | 15 + ...tore.kubesphere.io_applicationclasses.yaml | 71 + ...re.kubesphere.io_applicationresources.yaml | 110 ++ .../appstore.kubesphere.io_applications.yaml | 127 ++ .../crds/auditing.kubesphere.io_rules.yaml | 84 + .../crds/auditing.kubesphere.io_webhooks.yaml | 1195 ++++++++++++ .../crds/cluster.kubesphere.io_clusters.yaml | 180 ++ .../extensions.kubesphere.io_apiservices.yaml | 154 ++ .../extensions.kubesphere.io_jsbundles.yaml | 203 ++ ...tensions.kubesphere.io_reverseproxies.yaml | 207 ++ ...eway.kubesphere.io_ingressclassscopes.yaml | 62 + .../crds/iam.kubesphere.io_builtinroles.yaml | 88 + .../crds/iam.kubesphere.io_categories.yaml | 53 + ...iam.kubesphere.io_clusterrolebindings.yaml | 92 + .../crds/iam.kubesphere.io_clusterroles.yaml | 146 ++ .../iam.kubesphere.io_globalrolebindings.yaml | 93 + .../crds/iam.kubesphere.io_globalroles.yaml | 148 ++ .../crds/iam.kubesphere.io_groupbindings.yaml | 61 + .../crds/iam.kubesphere.io_groups.yaml | 50 + .../crds/iam.kubesphere.io_loginrecords.yaml | 87 + .../crds/iam.kubesphere.io_rolebindings.yaml | 92 + .../ks-core/crds/iam.kubesphere.io_roles.yaml | 146 ++ .../crds/iam.kubesphere.io_roletemplates.yaml | 104 + .../ks-core/crds/iam.kubesphere.io_users.yaml | 108 + ...m.kubesphere.io_workspacerolebindings.yaml | 99 + .../iam.kubesphere.io_workspaceroles.yaml | 154 ++ .../crds/kubesphere.io_categories.yaml | 52 + .../crds/kubesphere.io_extensions.yaml | 272 +++ .../crds/kubesphere.io_extensionversions.yaml | 157 ++ .../crds/kubesphere.io_installplans.yaml | 328 ++++ .../crds/kubesphere.io_repositories.yaml | 73 + .../crds/kubesphere.io_serviceaccounts.yaml | 97 + ...rketplace.kubesphere.io_subscriptions.yaml | 85 + .../oauth.kubesphere.io_oauthclients.yaml | 64 + .../quota.kubesphere.io_resourcequotas.yaml | 185 ++ 
...kubesphere.io_provisionercapabilities.yaml | 113 ++ ...ubesphere.io_storageclasscapabilities.yaml | 113 ++ ...telemetry.kubesphere.io_clusterinfoes.yaml | 153 ++ .../crds/tenant.kubesphere.io_workspaces.yaml | 48 + ...nant.kubesphere.io_workspacetemplates.yaml | 148 ++ src/main/ks-core/templates/NOTES.txt | 17 + src/main/ks-core/templates/_helpers.tpl | 99 + src/main/ks-core/templates/_images.tpl | 74 + src/main/ks-core/templates/_tplvalues.tpl | 13 + src/main/ks-core/templates/builtinroles.yaml | 263 +++ src/main/ks-core/templates/categories.yaml | 81 + src/main/ks-core/templates/clusterroles.yaml | 54 + .../ks-core/templates/globalrolebingings.yaml | 60 + src/main/ks-core/templates/globalroles.yaml | 195 ++ src/main/ks-core/templates/ks-agent.yml | 125 ++ src/main/ks-core/templates/ks-apiserver.yml | 85 + .../ks-core/templates/ks-console-config.yml | 27 + src/main/ks-core/templates/ks-console.yml | 119 ++ .../templates/ks-controller-manager.yaml | 89 + .../ks-core/templates/kubesphere-config.yaml | 36 + .../ks-core/templates/marketplace-config.yaml | 20 + .../ks-core/templates/post-install-job.yaml | 25 + .../ks-core/templates/pre-delete-job.yaml | 36 + .../templates/roletemplate-categories.yaml | 235 +++ src/main/ks-core/templates/roletemplates.yaml | 1735 +++++++++++++++++ .../ks-core/templates/serviceaccount.yaml | 27 + src/main/ks-core/templates/services.yml | 59 + src/main/ks-core/templates/user.yaml | 12 + src/main/ks-core/templates/webhook.yaml | 213 ++ src/main/ks-core/templates/workspace.yaml | 15 + src/main/ks-core/values.yaml | 246 +++ 67 files changed, 9800 insertions(+) create mode 100644 src/main/ks-core/.helmignore create mode 100644 src/main/ks-core/Chart.yaml create mode 100644 src/main/ks-core/crds/appstore.kubesphere.io_applicationclasses.yaml create mode 100644 src/main/ks-core/crds/appstore.kubesphere.io_applicationresources.yaml create mode 100644 src/main/ks-core/crds/appstore.kubesphere.io_applications.yaml create mode 100644 
src/main/ks-core/crds/auditing.kubesphere.io_rules.yaml create mode 100644 src/main/ks-core/crds/auditing.kubesphere.io_webhooks.yaml create mode 100644 src/main/ks-core/crds/cluster.kubesphere.io_clusters.yaml create mode 100644 src/main/ks-core/crds/extensions.kubesphere.io_apiservices.yaml create mode 100644 src/main/ks-core/crds/extensions.kubesphere.io_jsbundles.yaml create mode 100644 src/main/ks-core/crds/extensions.kubesphere.io_reverseproxies.yaml create mode 100644 src/main/ks-core/crds/gateway.kubesphere.io_ingressclassscopes.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_builtinroles.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_categories.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_clusterrolebindings.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_clusterroles.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_globalrolebindings.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_globalroles.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_groupbindings.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_groups.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_loginrecords.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_rolebindings.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_roles.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_roletemplates.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_users.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_workspacerolebindings.yaml create mode 100644 src/main/ks-core/crds/iam.kubesphere.io_workspaceroles.yaml create mode 100644 src/main/ks-core/crds/kubesphere.io_categories.yaml create mode 100644 src/main/ks-core/crds/kubesphere.io_extensions.yaml create mode 100644 src/main/ks-core/crds/kubesphere.io_extensionversions.yaml create mode 100644 src/main/ks-core/crds/kubesphere.io_installplans.yaml 
create mode 100644 src/main/ks-core/crds/kubesphere.io_repositories.yaml create mode 100644 src/main/ks-core/crds/kubesphere.io_serviceaccounts.yaml create mode 100644 src/main/ks-core/crds/marketplace.kubesphere.io_subscriptions.yaml create mode 100644 src/main/ks-core/crds/oauth.kubesphere.io_oauthclients.yaml create mode 100644 src/main/ks-core/crds/quota.kubesphere.io_resourcequotas.yaml create mode 100644 src/main/ks-core/crds/storage.kubesphere.io_provisionercapabilities.yaml create mode 100644 src/main/ks-core/crds/storage.kubesphere.io_storageclasscapabilities.yaml create mode 100644 src/main/ks-core/crds/telemetry.kubesphere.io_clusterinfoes.yaml create mode 100644 src/main/ks-core/crds/tenant.kubesphere.io_workspaces.yaml create mode 100644 src/main/ks-core/crds/tenant.kubesphere.io_workspacetemplates.yaml create mode 100644 src/main/ks-core/templates/NOTES.txt create mode 100644 src/main/ks-core/templates/_helpers.tpl create mode 100644 src/main/ks-core/templates/_images.tpl create mode 100644 src/main/ks-core/templates/_tplvalues.tpl create mode 100644 src/main/ks-core/templates/builtinroles.yaml create mode 100644 src/main/ks-core/templates/categories.yaml create mode 100644 src/main/ks-core/templates/clusterroles.yaml create mode 100644 src/main/ks-core/templates/globalrolebingings.yaml create mode 100644 src/main/ks-core/templates/globalroles.yaml create mode 100644 src/main/ks-core/templates/ks-agent.yml create mode 100644 src/main/ks-core/templates/ks-apiserver.yml create mode 100644 src/main/ks-core/templates/ks-console-config.yml create mode 100644 src/main/ks-core/templates/ks-console.yml create mode 100644 src/main/ks-core/templates/ks-controller-manager.yaml create mode 100644 src/main/ks-core/templates/kubesphere-config.yaml create mode 100644 src/main/ks-core/templates/marketplace-config.yaml create mode 100644 src/main/ks-core/templates/post-install-job.yaml create mode 100644 src/main/ks-core/templates/pre-delete-job.yaml create mode 
100644 src/main/ks-core/templates/roletemplate-categories.yaml create mode 100644 src/main/ks-core/templates/roletemplates.yaml create mode 100644 src/main/ks-core/templates/serviceaccount.yaml create mode 100644 src/main/ks-core/templates/services.yml create mode 100644 src/main/ks-core/templates/user.yaml create mode 100644 src/main/ks-core/templates/webhook.yaml create mode 100644 src/main/ks-core/templates/workspace.yaml create mode 100644 src/main/ks-core/values.yaml
diff --git a/src/main/ks-core/.helmignore b/src/main/ks-core/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/src/main/ks-core/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/src/main/ks-core/Chart.yaml b/src/main/ks-core/Chart.yaml
new file mode 100644
index 000000000..5b682365e
--- /dev/null
+++ b/src/main/ks-core/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: ks-core
+description: A Helm chart for KubeSphere Core components
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.4.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "v4.0.0"
diff --git a/src/main/ks-core/crds/appstore.kubesphere.io_applicationclasses.yaml b/src/main/ks-core/crds/appstore.kubesphere.io_applicationclasses.yaml
new file mode 100644
index 000000000..467cd12d6
--- /dev/null
+++ b/src/main/ks-core/crds/appstore.kubesphere.io_applicationclasses.yaml
@@ -0,0 +1,71 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: (unknown)
+ creationTimestamp: null
+ name: applicationclasses.appstore.kubesphere.io
+spec:
+ group: appstore.kubesphere.io
+ names:
+ kind: ApplicationClass
+ listKind: ApplicationClassList
+ plural: applicationclasses
+ singular: applicationclass
+ scope: Cluster
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ parameters:
+ additionalProperties:
+ type: string
+ type: object
+ provisioner:
+ type: string
+ spec:
+ properties:
+ appVersion:
+ type: string
+ description:
+ type: string
+ icon:
+ type: string
+ maintainers:
+ items:
+ properties:
+ email:
+ description: Email is an optional email address to contact the
+ named maintainer
+ type: string
+ name:
+ description: Name is a username or organization name
+ type: string
+ url:
+ description: URL is an optional URL to an address for the named
+ maintainer
+ type: string
+ type: object
+ type: array
+ packageVersion:
+ type: string
+ type: object
+ required:
+ - provisioner
+ type: object
+ served: true
+ storage: true
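Review bot: The metadata annotation `controller-gen.kubebuilder.io/version: (unknown)` shows these CRDs were produced by a controller-gen build that carries no version stamp, so the committed schemas cannot be regenerated reproducibly or compared against the generator that emitted them. The same annotation appears in the applicationresources, applications, rules and webhooks CRDs in this patch. Consider pinning a released controller-gen in the chart's build tooling and regenerating, so the annotation records a concrete version and later drift between the Go types and the checked-in YAML becomes reviewable.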
diff --git a/src/main/ks-core/crds/appstore.kubesphere.io_applicationresources.yaml b/src/main/ks-core/crds/appstore.kubesphere.io_applicationresources.yaml
new file mode 100644
index 000000000..8ed1cf02e
--- /dev/null
+++ b/src/main/ks-core/crds/appstore.kubesphere.io_applicationresources.yaml
@@ -0,0 +1,110 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: applicationresources.appstore.kubesphere.io +spec: + group: appstore.kubesphere.io + names: + kind: ApplicationResource + listKind: ApplicationResourceList + plural: applicationresources + singular: applicationresource + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + claimRef: + description: "ObjectReference contains enough information to let you + inspect or modify the referred object. --- New uses of this type + are discouraged because of difficulty describing its usage when + embedded in APIs. 1. Ignored fields. It includes many fields which + are not generally honored. For instance, ResourceVersion and FieldPath + are both very rarely valid in actual usage. 2. Invalid usage help. + \ It is impossible to add specific help for individual usage. In + most embedded usages, there are particular restrictions like, \"must + refer only to types A and B\" or \"UID not honored\" or \"name must + be restricted\". Those cannot be well described when embedded. 3. + Inconsistent validation. 
Because the usages are different, the + validation rules are different by usage, which makes it hard for + users to predict what will happen. 4. The fields are both imprecise + and overly precise. Kind is not a precise mapping to a URL. This + can produce ambiguity during interpretation and require a REST mapping. + \ In most cases, the dependency is on the group,resource tuple and + the version of the actual struct is irrelevant. 5. We cannot easily + change it. Because this type is embedded in many locations, updates + to this type will affect numerous schemas. Don't make new APIs + embed an underspecified API type they do not control. \n Instead + of using this type, create a locally provided and used type that + is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of + an entire object, this string should contain a valid JSON/Go + field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen + only to have some well-defined way of referencing a part of + an object. TODO: this design is not final and this field is + subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference + is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + className: + type: string + type: object + status: + properties: + message: + type: string + phase: + type: string + reason: + type: string + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/appstore.kubesphere.io_applications.yaml b/src/main/ks-core/crds/appstore.kubesphere.io_applications.yaml new file mode 100644 index 000000000..8247a4618 --- /dev/null +++ b/src/main/ks-core/crds/appstore.kubesphere.io_applications.yaml 
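Review bot: The applicationresources version entry ends at `storage: true` with no `subresources:` key, so `.status` is not served as a separate subresource: any client with `update` on the main resource can write `status.phase`, `status.reason` and `status.message` directly, and controller status writes go through the same endpoint and bump `metadata.generation`. The applications CRD (with its `status.conditions` list) and the rules CRD in this patch show the same layout. If the status fields are meant to be controller-owned, add `subresources:` / `  status: {}` to each version (the `+kubebuilder:subresource:status` marker on the Go types) so RBAC can separate `update` on the resource from `update` on `.../status`. Separately, `spec.claimRef` embeds `ObjectReference`, whose own generated description says new uses of the type are discouraged; a narrow local reference type (kind, namespace, name) would give a smaller, validatable surface.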
@@ -0,0 +1,127 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: applications.appstore.kubesphere.io +spec: + group: appstore.kubesphere.io + names: + kind: Application + listKind: ApplicationList + plural: applications + singular: application + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + className: + type: string + parameters: + type: string + required: + - className + - parameters + type: object + status: + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. 
// Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + message: + type: string + parameters: + additionalProperties: + type: string + type: object + resourceName: + type: string + state: + type: string + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/auditing.kubesphere.io_rules.yaml b/src/main/ks-core/crds/auditing.kubesphere.io_rules.yaml new file mode 100644 index 000000000..9a974d8d0 --- /dev/null +++ b/src/main/ks-core/crds/auditing.kubesphere.io_rules.yaml 
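Review bot: `spec.parameters` is declared as a required plain `string` while `status.parameters` in the same schema is a map of strings, so two fields with the same name carry different shapes; presumably the spec side holds a serialized value, but nothing in the CRD documents that. If it is an opaque serialized value, a `description:` on the field stating its format (a field comment on the Go type) would stop consumers from treating it as a map; if it is meant to be a map, the schema should declare `additionalProperties:` / `  type: string` / `type: object` as `status.parameters` does. `status.state` is likewise a free-form `string` with no `enum`, so controllers comparing it against fixed values get no validation help from the API server.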
@@ -0,0 +1,84 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: (unknown)
+ creationTimestamp: null
+ name: rules.auditing.kubesphere.io
+spec:
+ group: auditing.kubesphere.io
+ names:
+ kind: Rule
+ listKind: RuleList
+ plural: rules
+ singular: rule
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: Rule is the Schema for the rules API
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: AuditRuleSpec defines the desired state of Rule
+ properties:
+ rules:
+ items:
+ properties:
+ alias:
+ description: This effective When the rule type is alias
+ type: string
+ condition:
+ description: Rule condition This effective When the rule type
+ is rule
+ type: string
+ desc:
+ description: Rule describe
+ type: string
+ enable:
+ description: Is the rule enable
+ type: boolean
+ list:
+ description: This effective When the rule type is list
+ items:
+ type: string
+ type: array
+ macro:
+ description: This effective When the rule type is macro
+ type: string
+ name:
+ description: Rule name
+ type: string
+ output:
+ description: The output formater of message which send to user
+ type: string
+ priority:
+ description: Rule priority, DEBUG, INFO, WARNING
+ type: string
+ type:
+ description: Rule type, rule, macro,list,alias
+ type: string
+ required:
+ - enable
+ type: object
+ type: array
+ type: object
+ status:
+ description: RuleStatus defines the observed state of Rule
+ type: object
+ type: object
+ served: true
+ storage: true
diff --git a/src/main/ks-core/crds/auditing.kubesphere.io_webhooks.yaml b/src/main/ks-core/crds/auditing.kubesphere.io_webhooks.yaml
new file mode 100644
index 000000000..eb7ed2526
--- /dev/null
+++ b/src/main/ks-core/crds/auditing.kubesphere.io_webhooks.yaml
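Review bot: `type` and `priority` under `spec.rules[]` are free-form strings although their descriptions enumerate the only meaningful values (`rule, macro,list,alias` and `DEBUG, INFO, WARNING`), so a rule with a mistyped type or priority is admitted and only fails, or is silently ignored, when it is evaluated. Adding `enum:` lists to both (the `+kubebuilder:validation:Enum` marker on the Go fields) moves that check to admission; `name` and `type` should probably also join `enable` under `required:`, since an entry without them cannot be addressed or interpreted. The generated descriptions `This effective When the rule type is alias`, `Rule describe`, `Is the rule enable` and `The output formater of message which send to user` are ungrammatical and belong fixed in the Go source comments, e.g. `Alias is used when the rule type is alias`, `Description of the rule`, `Whether the rule is enabled`, `Output format of the message sent to the user`.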
@@ -0,0 +1,1195 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: webhooks.auditing.kubesphere.io +spec: + group: auditing.kubesphere.io + names: + kind: Webhook + listKind: WebhookList + plural: webhooks + singular: webhook + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Webhook is the Schema for the webhooks API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WebhookSpec defines the desired state of Webhook + properties: + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. 
for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. 
+ items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. 
The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. 
+ format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + args: + description: Arguments to the entrypoint.. It will be appended to + the args and replace the default value. + items: + type: string + type: array + auditLevel: + description: 'The Level that all requests are recorded at. available + options: None, Metadata, Request, RequestResponse default: Metadata' + type: string + auditSinkPolicy: + description: AuditSinkPolicy is a rule selector, only the rule matched + this selector will be taked effect. + properties: + alertingRuleSelector: + description: A label selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. An + empty label selector matches all objects. A null label selector + matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + archivingRuleSelector: + description: A label selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. An + empty label selector matches all objects. A null label selector + matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. 
+ type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + auditType: + description: Audit type, static or dynamic. + type: string + image: + description: The webhook docker image name. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent + otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of references to + secrets in the same namespace to use for pulling any of the images + used by this PodSpec. If specified, these secrets will be passed + to individual puller implementations for them to use. For example, + in the case of docker, only DockerConfig type secrets are honored. + More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough information to + let you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + k8sAuditingEnabled: + description: K8s auditing is enabled or not. + type: boolean + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels + for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priority: + description: Rule priority, DEBUG < INFO < WARNING Audit events will + be stored only when the priority of the audit rule matching the + audit event is greater than this. + type: string + receivers: + description: Receiver contains the information to make a connection + with the alertmanager + items: + description: Receiver config which received the audit alert + properties: + config: + description: ClientConfig holds the connection parameters for + the webhook + properties: + caBundle: + description: '`caBundle` is a PEM encoded CA bundle which + will be used to validate the webhook''s server certificate. + If unspecified, system trust roots on the apiserver are + used.' + format: byte + type: string + service: + description: "`service` is a reference to the service for + this webhook. Either `service` or `url` must be specified. + \n If the webhook is running within the cluster, then + you should use `service`." + properties: + name: + description: '`name` is the name of the service. Required' + type: string + namespace: + description: '`namespace` is the namespace of the service. + Required' + type: string + path: + description: '`path` is an optional URL path which will + be sent in any request to this service.' + type: string + port: + description: If specified, the port on the service that + hosting webhook. 
Default to 443 for backward compatibility. + `port` should be a valid port number (1-65535, inclusive). + format: int32 + type: integer + required: + - name + - namespace + type: object + url: + description: "`url` gives the location of the webhook, in + standard URL form (`scheme://host:port/path`). Exactly + one of `url` or `service` must be specified. \n The `host` + should not refer to a service running in the cluster; + use the `service` field instead. The host might be resolved + via external DNS in some apiservers (e.g., `kube-apiserver` + cannot resolve in-cluster DNS as that would be a layering + violation). `host` may also be an IP address. \n Please + note that using `localhost` or `127.0.0.1` as a `host` + is risky unless you take great care to run this webhook + on all hosts which run an apiserver which might need to + make calls to this webhook. Such installs are likely to + be non-portable, i.e., not easy to turn up in a new cluster. + \n The scheme must be \"https\"; the URL must begin with + \"https://\". \n A path is optional, and if present may + be any string permissible in a URL. You may use the path + to pass an arbitrary string to the webhook, for example, + a cluster identifier. \n Attempting to use a user or basic + auth e.g. \"user:password@\" is not allowed. Fragments + (\"#...\") and query parameters (\"?...\") are not allowed, + either." + type: string + type: object + name: + description: Receiver name + type: string + type: + description: Receiver type, alertmanager or webhook + type: string + type: object + type: array + replicas: + description: Number of desired pods. This is a pointer to distinguish + between explicit zero and not specified. Defaults to 1. + format: int32 + type: integer + resources: + description: 'Compute Resources required by this container. Cannot + be updated. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + properties: + claims: + description: "Claims lists the names of resources, defined in + spec.resourceClaims, that are used by this container. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims + of the Pod where this field is used. It makes that resource + available inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + tolerations: + description: If specified, the pod's tolerations. 
+ items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + type: object + status: + description: WebhookStatus defines the observed state of Webhook + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/cluster.kubesphere.io_clusters.yaml b/src/main/ks-core/crds/cluster.kubesphere.io_clusters.yaml new file mode 100644 index 000000000..863a3cb11 --- /dev/null +++ b/src/main/ks-core/crds/cluster.kubesphere.io_clusters.yaml 
@@ -0,0 +1,180 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: clusters.cluster.kubesphere.io +spec: + group: cluster.kubesphere.io + names: + kind: Cluster + listKind: ClusterList + plural: clusters + singular: cluster + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.provider + name: Provider + type: string + - jsonPath: .status.kubernetesVersion + name: Version + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Cluster is the schema for the clusters API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + connection: + description: Connection holds info to connect to the member cluster + properties: + externalKubernetesAPIEndpoint: + description: External Kubernetes API Server endpoint Will be populated + by ks-apiserver if connection type is proxy and ExternalKubeAPIEnabled + is true. + type: string + kubeconfig: + description: KubeConfig content used to connect to cluster api + server Should provide this field explicitly if connection type + is direct. Will be populated by ks-proxy if connection type + is proxy. 
+ format: byte + type: string + kubernetesAPIEndpoint: + description: 'Kubernetes API Server endpoint. Example: https://10.10.0.1:6443 + Should provide this field explicitly if connection type is direct. + Will be populated by ks-apiserver if connection type is proxy.' + type: string + kubernetesAPIServerPort: + description: KubeAPIServerPort is the port which listens for forwarding + kube-apiserver traffic Only applicable when connection type + is proxy. + type: integer + kubesphereAPIEndpoint: + description: 'KubeSphere API Server endpoint. Example: http://10.10.0.11:8080 + Should provide this field explicitly if connection type is direct. + Will be populated by ks-apiserver if connection type is proxy.' + type: string + kubesphereAPIServerPort: + description: KubeSphereAPIServerPort is the port which listens + for forwarding kubesphere apigateway traffic Only applicable + when connection type is proxy. + type: integer + token: + description: Token used by agents of member cluster to connect + to host cluster proxy. This field is populated by apiserver + only if connection type is proxy. + type: string + type: + description: type defines how host cluster will connect to host + cluster ConnectionTypeDirect means direct connection, this requires + kubeconfig and kubesphere apiserver endpoint provided ConnectionTypeProxy + means using kubesphere proxy, no kubeconfig or kubesphere apiserver + endpoint required + type: string + type: object + enable: + description: 'Desired state of the cluster Deprecated: will be removed + in the next version.' + type: boolean + externalKubeAPIEnabled: + description: ExternalKubeAPIEnabled export kube-apiserver to public + use a lb type service if connection type is proxy + type: boolean + joinFederation: + description: 'Join cluster as a kubefed cluster Deprecated: will be + removed in the next version.' 
+ type: boolean + provider: + description: Provider of the cluster, this field is just for description + type: string + type: object + status: + properties: + conditions: + description: Represents the latest available observations of a cluster's + current state. + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human-readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of the condition + type: string + required: + - status + - type + type: object + type: array + configz: + additionalProperties: + type: boolean + description: 'Configz is status of components enabled in the member + cluster. This is synchronized with member cluster every amount of + time, like 5 minutes. Deprecated: this field will be removed in + the future version.' + type: object + kubeSphereVersion: + description: GitVersion of the /kapis/version api response, this field + is populated by cluster controller + type: string + kubernetesVersion: + description: GitVersion of the kubernetes cluster, this field is populated + by cluster controller + type: string + nodeCount: + description: Count of the kubernetes cluster nodes This field may + not reflect the instant status of the cluster. + type: integer + region: + description: Region is the name of the region in which all of the + nodes in the cluster exist. e.g. 'us-east1'. + type: string + uid: + description: UID is the kube-system namespace UID of the cluster, + which represents the unique ID of the cluster. 
+ type: string + zones: + description: Zones are the names of availability zones in which the + nodes of the cluster exist, e.g. 'us-east1-a'. + items: + type: string + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/extensions.kubesphere.io_apiservices.yaml b/src/main/ks-core/crds/extensions.kubesphere.io_apiservices.yaml new file mode 100644 index 000000000..fc530ce11 --- /dev/null +++ b/src/main/ks-core/crds/extensions.kubesphere.io_apiservices.yaml 
@@ -0,0 +1,154 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: apiservices.extensions.kubesphere.io +spec: + group: extensions.kubesphere.io + names: + kind: APIService + listKind: APIServiceList + plural: apiservices + singular: apiservice + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: APIService is a special resource used in Ks-apiserver declares + a directional proxy path for a resource type API, it's similar to Kubernetes + API Aggregation Layer. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + caBundle: + format: byte + type: string + group: + type: string + insecureSkipVerify: + type: boolean + service: + description: service is a reference to the service for this endpoint. + Either service or url must be specified. the scheme is default to + HTTPS. + properties: + name: + description: name is the name of the service. Required + type: string + namespace: + description: namespace is the namespace of the service. Required + type: string + path: + description: path is an optional URL path at which the upstream + will be contacted. 
+ type: string + port: + description: port is an optional service port at which the upstream + will be contacted. `port` should be a valid port number (1-65535, + inclusive). Defaults to 443 for backward compatibility. + format: int32 + type: integer + required: + - name + - namespace + type: object + url: + description: '`url` gives the location of the upstream, in standard + URL form (`scheme://host:port/path`). Exactly one of `url` or `service` + must be specified.' + type: string + version: + type: string + type: object + status: + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. 
For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + state: + type: string + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/extensions.kubesphere.io_jsbundles.yaml b/src/main/ks-core/crds/extensions.kubesphere.io_jsbundles.yaml new file mode 100644 index 000000000..262db21dc --- /dev/null +++ b/src/main/ks-core/crds/extensions.kubesphere.io_jsbundles.yaml 
@@ -0,0 +1,203 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: jsbundles.extensions.kubesphere.io +spec: + group: extensions.kubesphere.io + names: + kind: JSBundle + listKind: JSBundleList + plural: jsbundles + singular: jsbundle + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JSBundle declares a js bundle that needs to be injected into + ks-console, the endpoint can be provided by a service or a static file. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + raw: + format: byte + type: string + rawFrom: + properties: + caBundle: + format: byte + type: string + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + namespace: + type: string + optional: + description: Specify whether the ConfigMap or its key must + be defined + type: boolean + required: + - key + - namespace + type: object + x-kubernetes-map-type: atomic + insecureSkipVerify: + type: boolean + secretKeyRef: + description: Selects a key of a Secret. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + namespace: + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + - namespace + type: object + x-kubernetes-map-type: atomic + service: + description: service is a reference to the service for this endpoint. + Either service or url must be specified. the scheme is default + to HTTPS. + properties: + name: + description: name is the name of the service. Required + type: string + namespace: + description: namespace is the namespace of the service. Required + type: string + path: + description: path is an optional URL path at which the upstream + will be contacted. + type: string + port: + description: port is an optional service port at which the + upstream will be contacted. `port` should be a valid port + number (1-65535, inclusive). Defaults to 443 for backward + compatibility. + format: int32 + type: integer + required: + - name + - namespace + type: object + url: + description: '`url` gives the location of the upstream, in standard + URL form (`scheme://host:port/path`). Exactly one of `url` or + `service` must be specified.' + type: string + type: object + type: object + status: + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. 
--- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + link: + description: Link is the path for downloading JS file, default to + "/dist/{jsBundleName}/index.js". + type: string + state: + type: string + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/extensions.kubesphere.io_reverseproxies.yaml b/src/main/ks-core/crds/extensions.kubesphere.io_reverseproxies.yaml new file mode 100644 index 000000000..97c509ac7 --- /dev/null +++ b/src/main/ks-core/crds/extensions.kubesphere.io_reverseproxies.yaml 
@@ -0,0 +1,207 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: reverseproxies.extensions.kubesphere.io +spec: + group: extensions.kubesphere.io + names: + kind: ReverseProxy + listKind: ReverseProxyList + plural: reverseproxies + singular: reverseproxy + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + directives: + properties: + authProxy: + description: Add auth proxy header to requests + type: boolean + changeOrigin: + description: Change Host header for name-based virtual hosted + sites. + type: boolean + headerDown: + description: Sets, adds (with the + prefix), deletes (with the + - prefix), or performs a replacement (by using two arguments, + a search and replacement) in a response header coming downstream + from the backend. + items: + type: string + type: array + headerUp: + description: Sets, adds (with the + prefix), deletes (with the + - prefix), or performs a replacement (by using two arguments, + a search and replacement) in a request header going upstream + to the backend. 
+ items: + type: string + type: array + interceptRedirects: + description: InterceptRedirects determines whether the proxy should + sniff backend responses for redirects, only allows redirects + to the same host. Deprecated, https://github.com/kubernetes/kubernetes/pull/106830 + type: boolean + method: + description: Changes the request's HTTP verb. + type: string + stripPathPrefix: + description: Strips the given prefix from the beginning of the + URI path. + type: string + stripPathSuffix: + description: Strips the given suffix from the end of the URI path. + type: string + wrapTransport: + description: WrapTransport indicates whether the provided Transport + should be wrapped with default proxy transport behavior (URL + rewriting, X-Forwarded-* header setting) + type: boolean + type: object + matcher: + properties: + method: + type: string + path: + type: string + required: + - method + - path + type: object + upstream: + properties: + caBundle: + format: byte + type: string + insecureSkipVerify: + type: boolean + service: + description: service is a reference to the service for this endpoint. + Either service or url must be specified. the scheme is default + to HTTPS. + properties: + name: + description: name is the name of the service. Required + type: string + namespace: + description: namespace is the namespace of the service. Required + type: string + path: + description: path is an optional URL path at which the upstream + will be contacted. + type: string + port: + description: port is an optional service port at which the + upstream will be contacted. `port` should be a valid port + number (1-65535, inclusive). Defaults to 443 for backward + compatibility. + format: int32 + type: integer + required: + - name + - namespace + type: object + url: + description: '`url` gives the location of the upstream, in standard + URL form (`scheme://host:port/path`). Exactly one of `url` or + `service` must be specified.' 
+ type: string + type: object + type: object + status: + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + state: + type: string + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/gateway.kubesphere.io_ingressclassscopes.yaml b/src/main/ks-core/crds/gateway.kubesphere.io_ingressclassscopes.yaml new file mode 100644 index 000000000..b35e82507 --- /dev/null +++ b/src/main/ks-core/crds/gateway.kubesphere.io_ingressclassscopes.yaml 
@@ -0,0 +1,62 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: ingressclassscopes.gateway.kubesphere.io +spec: + group: gateway.kubesphere.io + names: + kind: IngressClassScope + listKind: IngressClassScopeList + plural: ingressclassscopes + singular: ingressclassscope + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + description: IngressClassScope is a special resource used to connect other + gateways to the KubeSphere platform. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + ingressClass: + properties: + default: + type: boolean + name: + type: string + type: object + scope: + description: Watching scope, when both are empty, watching all namespaces, + when neither is empty, namespaces is preferred. + properties: + namespaceSelector: + type: string + namespaces: + items: + type: string + type: array + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_builtinroles.yaml b/src/main/ks-core/crds/iam.kubesphere.io_builtinroles.yaml new file mode 100644 index 000000000..221f2ad41 
--- /dev/null
+++ b/src/main/ks-core/crds/iam.kubesphere.io_builtinroles.yaml
@@ -0,0 +1,88 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: builtinroles.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: BuiltinRole + listKind: BuiltinRoleList + plural: builtinroles + singular: builtinrole + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + role: + type: object + x-kubernetes-embedded-resource: true + x-kubernetes-preserve-unknown-fields: true + targetSelector: + description: A label selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. An empty label + selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains + values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. 
+ type: string + operator: + description: operator represents a key's relationship to a set + of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator + is In or NotIn, the values array must be non-empty. If the + operator is Exists or DoesNotExist, the values array must + be empty. This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - role + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_categories.yaml b/src/main/ks-core/crds/iam.kubesphere.io_categories.yaml new file mode 100644 index 000000000..3a11de956 --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_categories.yaml 
@@ -0,0 +1,53 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: categories.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: Category + listKind: CategoryList + plural: categories + singular: category + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: Category is the Schema for the categories API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CategorySpec defines the desired state of Category + properties: + description: + additionalProperties: + type: string + type: object + displayName: + additionalProperties: + type: string + type: object + icon: + type: string + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_clusterrolebindings.yaml b/src/main/ks-core/crds/iam.kubesphere.io_clusterrolebindings.yaml new file mode 100644 index 000000000..a39e30c1e --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_clusterrolebindings.yaml 
@@ -0,0 +1,92 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: clusterrolebindings.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: ClusterRoleBinding + listKind: ClusterRoleBindingList + plural: clusterrolebindings + singular: clusterrolebinding + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + roleRef: + description: RoleRef can only reference a WorkspaceRole. If the RoleRef + cannot be resolved, the Authorizer must return an error. + properties: + apiGroup: + description: APIGroup is the group for the resource being referenced + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - apiGroup + - kind + - name + type: object + x-kubernetes-map-type: atomic + subjects: + description: Subjects holds references to the objects the role applies + to. + items: + description: Subject contains a reference to the object or user identities + a role binding applies to. 
This can either hold a direct API object + reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object + kind is non-namespace, such as "User" or "Group", and this value + is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + required: + - roleRef + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_clusterroles.yaml b/src/main/ks-core/crds/iam.kubesphere.io_clusterroles.yaml new file mode 100644 index 000000000..a139bc0b8 --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_clusterroles.yaml 
@@ -0,0 +1,146 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: clusterroles.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: ClusterRole + listKind: ClusterRoleList + plural: clusterroles + singular: clusterrole + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ClusterRole is the Schema for the clusterroles API + properties: + aggregationRoleTemplates: + description: AggregationRoleTemplates means which RoleTemplates are composed + this Role + properties: + roleSelector: + description: RoleSelectors select rules from RoleTemplate`s rules + by labels + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. 
A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + templateNames: + description: TemplateNames select rules from RoleTemplate`s rules + by RoleTemplate name + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + rules: + description: Rules holds all the PolicyRules for this WorkspaceRole + items: + description: PolicyRule holds information that describes a policy rule, + but does not contain information about who the rule applies to or + which namespace the rule applies to. + properties: + apiGroups: + description: APIGroups is the name of the APIGroup that contains + the resources. If multiple API groups are specified, any action + requested against one of the enumerated resources in any API group + will be allowed. "" represents the core API group and "*" represents + all API groups. + items: + type: string + type: array + nonResourceURLs: + description: NonResourceURLs is a set of partial urls that a user + should have access to. 
*s are allowed, but only as the full, + final step in the path Since non-resource URLs are not namespaced, + this field is only applicable for ClusterRoles referenced from + a ClusterRoleBinding. Rules can either apply to API resources + (such as "pods" or "secrets") or non-resource URL paths (such + as "/api"), but not both. + items: + type: string + type: array + resourceNames: + description: ResourceNames is an optional white list of names that + the rule applies to. An empty set means that everything is allowed. + items: + type: string + type: array + resources: + description: Resources is a list of resources this rule applies + to. '*' represents all resources. + items: + type: string + type: array + verbs: + description: Verbs is a list of Verbs that apply to ALL the ResourceKinds + contained in this rule. '*' represents all verbs. + items: + type: string + type: array + required: + - verbs + type: object + type: array + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_globalrolebindings.yaml b/src/main/ks-core/crds/iam.kubesphere.io_globalrolebindings.yaml new file mode 100644 index 000000000..49a35ba53 --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_globalrolebindings.yaml 
@@ -0,0 +1,93 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: globalrolebindings.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: GlobalRoleBinding + listKind: GlobalRoleBindingList + plural: globalrolebindings + singular: globalrolebinding + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: GlobalRoleBinding is the Schema for the globalrolebindings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + roleRef: + description: RoleRef can only reference a GlobalRole. If the RoleRef cannot + be resolved, the Authorizer must return an error. + properties: + apiGroup: + description: APIGroup is the group for the resource being referenced + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - apiGroup + - kind + - name + type: object + x-kubernetes-map-type: atomic + subjects: + description: Subjects holds references to the objects the role applies + to. 
+ items: + description: Subject contains a reference to the object or user identities + a role binding applies to. This can either hold a direct API object + reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object + kind is non-namespace, such as "User" or "Group", and this value + is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + required: + - roleRef + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_globalroles.yaml b/src/main/ks-core/crds/iam.kubesphere.io_globalroles.yaml new file mode 100644 index 000000000..a1ebcfcc8 --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_globalroles.yaml 
@@ -0,0 +1,148 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: globalroles.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: GlobalRole + listKind: GlobalRoleList + plural: globalroles + singular: globalrole + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: GlobalRole is the Schema for the globalroles API + properties: + aggregationRoleTemplates: + description: AggregationRoleTemplates means which RoleTemplates are composed + this Role + properties: + roleSelector: + description: RoleSelectors select rules from RoleTemplate`s rules + by labels + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". 
The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + templateNames: + description: TemplateNames select rules from RoleTemplate`s rules + by RoleTemplate name + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + rules: + description: Rules holds all the PolicyRules for this WorkspaceRole + items: + description: PolicyRule holds information that describes a policy rule, + but does not contain information about who the rule applies to or + which namespace the rule applies to. + properties: + apiGroups: + description: APIGroups is the name of the APIGroup that contains + the resources. If multiple API groups are specified, any action + requested against one of the enumerated resources in any API group + will be allowed. "" represents the core API group and "*" represents + all API groups. + items: + type: string + type: array + nonResourceURLs: + description: NonResourceURLs is a set of partial urls that a user + should have access to. *s are allowed, but only as the full, + final step in the path Since non-resource URLs are not namespaced, + this field is only applicable for ClusterRoles referenced from + a ClusterRoleBinding. 
Rules can either apply to API resources + (such as "pods" or "secrets") or non-resource URL paths (such + as "/api"), but not both. + items: + type: string + type: array + resourceNames: + description: ResourceNames is an optional white list of names that + the rule applies to. An empty set means that everything is allowed. + items: + type: string + type: array + resources: + description: Resources is a list of resources this rule applies + to. '*' represents all resources. + items: + type: string + type: array + verbs: + description: Verbs is a list of Verbs that apply to ALL the ResourceKinds + contained in this rule. '*' represents all verbs. + items: + type: string + type: array + required: + - verbs + type: object + type: array + required: + - rules + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_groupbindings.yaml b/src/main/ks-core/crds/iam.kubesphere.io_groupbindings.yaml new file mode 100644 index 000000000..2ad5b5c9f --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_groupbindings.yaml 
@@ -0,0 +1,61 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: groupbindings.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - group + kind: GroupBinding + listKind: GroupBindingList + plural: groupbindings + singular: groupbinding + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .groupRef.name + name: Group + type: string + - jsonPath: .users + name: Users + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: GroupBinding is the Schema for the groupbindings API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + groupRef: + description: GroupRef defines the desired relation of GroupBinding + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + type: object + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + users: + items: + type: string + type: array + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/iam.kubesphere.io_groups.yaml b/src/main/ks-core/crds/iam.kubesphere.io_groups.yaml new file mode 100644 index 000000000..4cc15d164 --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_groups.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: groups.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - group + kind: Group + listKind: GroupList + plural: groups + singular: group + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.labels.kubesphere\.io/workspace + name: Workspace + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: Group is the Schema for the groups API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GroupSpec defines the desired state of Group + type: object + status: + description: GroupStatus defines the observed state of Group + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/iam.kubesphere.io_loginrecords.yaml b/src/main/ks-core/crds/iam.kubesphere.io_loginrecords.yaml new file mode 100644 index 000000000..9261d22ad --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_loginrecords.yaml 
@@ -0,0 +1,87 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: loginrecords.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: LoginRecord + listKind: LoginRecordList + plural: loginrecords + singular: loginrecord + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.type + name: Type + type: string + - jsonPath: .spec.provider + name: Provider + type: string + - jsonPath: .spec.sourceIP + name: From + type: string + - jsonPath: .spec.success + name: Success + type: string + - jsonPath: .spec.reason + name: Reason + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + provider: + description: Provider of authentication, Ldap/Github etc. 
+ type: string + reason: + description: States failed login attempt reason + type: string + sourceIP: + description: Source IP of client + type: string + success: + description: Successful login attempt or not + type: boolean + type: + description: Which authentication method used, Password/OAuth/Token + type: string + userAgent: + description: User agent of login attempt + type: string + required: + - provider + - reason + - sourceIP + - success + - type + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/iam.kubesphere.io_rolebindings.yaml b/src/main/ks-core/crds/iam.kubesphere.io_rolebindings.yaml new file mode 100644 index 000000000..78097df5e --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_rolebindings.yaml 
@@ -0,0 +1,92 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: rolebindings.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: RoleBinding + listKind: RoleBindingList + plural: rolebindings + singular: rolebinding + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + roleRef: + description: RoleRef can only reference a WorkspaceRole. If the RoleRef + cannot be resolved, the Authorizer must return an error. + properties: + apiGroup: + description: APIGroup is the group for the resource being referenced + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - apiGroup + - kind + - name + type: object + x-kubernetes-map-type: atomic + subjects: + description: Subjects holds references to the objects the role applies + to. + items: + description: Subject contains a reference to the object or user identities + a role binding applies to. 
This can either hold a direct API object + reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object + kind is non-namespace, such as "User" or "Group", and this value + is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + required: + - roleRef + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_roles.yaml b/src/main/ks-core/crds/iam.kubesphere.io_roles.yaml new file mode 100644 index 000000000..6d19c68e2 --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_roles.yaml 
@@ -0,0 +1,146 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: roles.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: Role + listKind: RoleList + plural: roles + singular: role + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: Role is the Schema for the roles API + properties: + aggregationRoleTemplates: + description: AggregationRoleTemplates means which RoleTemplates are composed + this Role + properties: + roleSelector: + description: RoleSelectors select rules from RoleTemplate`s rules + by labels + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + templateNames: + description: TemplateNames select rules from RoleTemplate`s rules + by RoleTemplate name + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + rules: + description: Rules holds all the PolicyRules for this WorkspaceRole + items: + description: PolicyRule holds information that describes a policy rule, + but does not contain information about who the rule applies to or + which namespace the rule applies to. + properties: + apiGroups: + description: APIGroups is the name of the APIGroup that contains + the resources. If multiple API groups are specified, any action + requested against one of the enumerated resources in any API group + will be allowed. "" represents the core API group and "*" represents + all API groups. + items: + type: string + type: array + nonResourceURLs: + description: NonResourceURLs is a set of partial urls that a user + should have access to. *s are allowed, but only as the full, + final step in the path Since non-resource URLs are not namespaced, + this field is only applicable for ClusterRoles referenced from + a ClusterRoleBinding. 
Rules can either apply to API resources + (such as "pods" or "secrets") or non-resource URL paths (such + as "/api"), but not both. + items: + type: string + type: array + resourceNames: + description: ResourceNames is an optional white list of names that + the rule applies to. An empty set means that everything is allowed. + items: + type: string + type: array + resources: + description: Resources is a list of resources this rule applies + to. '*' represents all resources. + items: + type: string + type: array + verbs: + description: Verbs is a list of Verbs that apply to ALL the ResourceKinds + contained in this rule. '*' represents all verbs. + items: + type: string + type: array + required: + - verbs + type: object + type: array + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_roletemplates.yaml b/src/main/ks-core/crds/iam.kubesphere.io_roletemplates.yaml new file mode 100644 index 000000000..d9e1306df --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_roletemplates.yaml 
@@ -0,0 +1,104 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: roletemplates.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: RoleTemplate + listKind: RoleTemplateList + plural: roletemplates + singular: roletemplate + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: RoleTemplate is the Schema for the roletemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RoleTemplateSpec defines the desired state of RoleTemplate + properties: + description: + additionalProperties: + type: string + type: object + displayName: + additionalProperties: + type: string + description: DisplayName represent the name displays at console, this + field + type: object + rules: + items: + description: PolicyRule holds information that describes a policy + rule, but does not contain information about who the rule applies + to or which namespace the rule applies to. + properties: + apiGroups: + description: APIGroups is the name of the APIGroup that contains + the resources. 
If multiple API groups are specified, any + action requested against one of the enumerated resources in + any API group will be allowed. "" represents the core API + group and "*" represents all API groups. + items: + type: string + type: array + nonResourceURLs: + description: NonResourceURLs is a set of partial urls that a + user should have access to. *s are allowed, but only as the + full, final step in the path Since non-resource URLs are not + namespaced, this field is only applicable for ClusterRoles + referenced from a ClusterRoleBinding. Rules can either apply + to API resources (such as "pods" or "secrets") or non-resource + URL paths (such as "/api"), but not both. + items: + type: string + type: array + resourceNames: + description: ResourceNames is an optional white list of names + that the rule applies to. An empty set means that everything + is allowed. + items: + type: string + type: array + resources: + description: Resources is a list of resources this rule applies + to. '*' represents all resources. + items: + type: string + type: array + verbs: + description: Verbs is a list of Verbs that apply to ALL the + ResourceKinds contained in this rule. '*' represents all verbs. + items: + type: string + type: array + required: + - verbs + type: object + type: array + required: + - rules + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/iam.kubesphere.io_users.yaml b/src/main/ks-core/crds/iam.kubesphere.io_users.yaml new file mode 100644 index 000000000..be11ed752 --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_users.yaml 
@@ -0,0 +1,108 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: users.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: User + listKind: UserList + plural: users + singular: user + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.email + name: Email + type: string + - jsonPath: .status.state + name: Status + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: User is the Schema for the users API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: UserSpec defines the desired state of User + properties: + description: + description: Description of the user. + type: string + displayName: + type: string + email: + description: Unique email address(https://www.ietf.org/rfc/rfc5322.txt). + type: string + groups: + items: + type: string + type: array + lang: + description: The preferred written or spoken language for the user. + type: string + password: + description: 'password will be encrypted by mutating admission webhook + Password pattern is tricky here. The rule is simple: length between + [6,64], at least one uppercase letter, one lowercase letter, one + digit. 
The regexp in console(javascript) is quite straightforward: + ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[^]{6,64}$ But in Go, we don''t have + ?= (back tracking) capability in regexp (also in CRD validation + pattern) So we adopted an alternative scheme to achieve. Use 6 different + regexp to combine to achieve the same effect. These six schemes + enumerate the arrangement of numbers, uppercase letters, and lowercase + letters that appear for the first time. - ^(.*[a-z].*[A-Z].*[0-9].*)$ + stands for lowercase letter comes first, then followed by an uppercase + letter, then a digit. - ^(.*[a-z].*[0-9].*[A-Z].*)$ stands for lowercase + letter comes first, then followed by a digit, then an uppercase + leeter. - ^(.*[A-Z].*[a-z].*[0-9].*)$ ... - ^(.*[A-Z].*[0-9].*[a-z].*)$ + ... - ^(.*[0-9].*[a-z].*[A-Z].*)$ ... - ^(.*[0-9].*[A-Z].*[a-z].*)$ + ... Last but not least, the bcrypt string is also included to match + the encrypted password. ^(\$2[ayb]\$.{56})$' + maxLength: 64 + minLength: 8 + pattern: ^(.*[a-z].*[A-Z].*[0-9].*)$|^(.*[a-z].*[0-9].*[A-Z].*)$|^(.*[A-Z].*[a-z].*[0-9].*)$|^(.*[A-Z].*[0-9].*[a-z].*)$|^(.*[0-9].*[a-z].*[A-Z].*)$|^(.*[0-9].*[A-Z].*[a-z].*)$|^(\$2[ayb]\$.{56})$ + type: string + required: + - email + type: object + status: + description: UserStatus defines the observed state of User + properties: + lastLoginTime: + description: Last login attempt timestamp + format: date-time + type: string + lastTransitionTime: + format: date-time + type: string + reason: + type: string + state: + description: The user status + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/iam.kubesphere.io_workspacerolebindings.yaml b/src/main/ks-core/crds/iam.kubesphere.io_workspacerolebindings.yaml new file mode 100644 index 000000000..41d7df56d --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_workspacerolebindings.yaml 
@@ -0,0 +1,99 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: workspacerolebindings.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: WorkspaceRoleBinding + listKind: WorkspaceRoleBindingList + plural: workspacerolebindings + singular: workspacerolebinding + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.labels.kubesphere\.io/workspace + name: Workspace + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: WorkspaceRoleBinding is the Schema for the workspacerolebindings + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + roleRef: + description: RoleRef can only reference a WorkspaceRole. If the RoleRef + cannot be resolved, the Authorizer must return an error. 
+ properties: + apiGroup: + description: APIGroup is the group for the resource being referenced + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - apiGroup + - kind + - name + type: object + x-kubernetes-map-type: atomic + subjects: + description: Subjects holds references to the objects the role applies + to. + items: + description: Subject contains a reference to the object or user identities + a role binding applies to. This can either hold a direct API object + reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" + for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by + this API group are "User", "Group", and "ServiceAccount". If the + Authorizer does not recognized the kind value, the Authorizer + should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object + kind is non-namespace, such as "User" or "Group", and this value + is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + required: + - roleRef + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/iam.kubesphere.io_workspaceroles.yaml b/src/main/ks-core/crds/iam.kubesphere.io_workspaceroles.yaml new file mode 100644 index 000000000..fe32b18d3 --- /dev/null +++ b/src/main/ks-core/crds/iam.kubesphere.io_workspaceroles.yaml 
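Review bot: `roleRef` is documented as only able to reference a WorkspaceRole, but the schema leaves `roleRef.kind` and `roleRef.apiGroup` as free strings, so a binding naming another kind or group is accepted at admission and only rejected (or silently ignored) later, where the description says the authorizer must return an error. Constraining them in the schema, `enum: [WorkspaceRole]` on `kind` and `enum: [iam.kubesphere.io]` on `apiGroup` via `+kubebuilder:validation:Enum` markers on the Go type, rejects malformed bindings up front and makes the contract visible in the OpenAPI document; this assumes `roleRef` is a project-owned type rather than the upstream rbac RoleRef, which cannot be told from this hunk. The same gap applies to `subjects[].kind`, whose description enumerates `User`, `Group` and `ServiceAccount` without an enum.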
@@ -0,0 +1,154 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: workspaceroles.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + categories: + - iam + kind: WorkspaceRole + listKind: WorkspaceRoleList + plural: workspaceroles + singular: workspacerole + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.labels.kubesphere\.io/workspace + name: Workspace + type: string + - jsonPath: .metadata.annotations.kubesphere\.io/alias-name + name: Alias + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: WorkspaceRole is the Schema for the workspaceroles API + properties: + aggregationRoleTemplates: + description: AggregationRoleTemplates means which RoleTemplates are composed + this Role + properties: + roleSelector: + description: RoleSelectors select rules from RoleTemplate`s rules + by labels + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + templateNames: + description: TemplateNames select rules from RoleTemplate`s rules + by RoleTemplate name + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + rules: + description: Rules holds all the PolicyRules for this WorkspaceRole + items: + description: PolicyRule holds information that describes a policy rule, + but does not contain information about who the rule applies to or + which namespace the rule applies to. + properties: + apiGroups: + description: APIGroups is the name of the APIGroup that contains + the resources. If multiple API groups are specified, any action + requested against one of the enumerated resources in any API group + will be allowed. "" represents the core API group and "*" represents + all API groups. 
+ items: + type: string + type: array + nonResourceURLs: + description: NonResourceURLs is a set of partial urls that a user + should have access to. *s are allowed, but only as the full, + final step in the path Since non-resource URLs are not namespaced, + this field is only applicable for ClusterRoles referenced from + a ClusterRoleBinding. Rules can either apply to API resources + (such as "pods" or "secrets") or non-resource URL paths (such + as "/api"), but not both. + items: + type: string + type: array + resourceNames: + description: ResourceNames is an optional white list of names that + the rule applies to. An empty set means that everything is allowed. + items: + type: string + type: array + resources: + description: Resources is a list of resources this rule applies + to. '*' represents all resources. + items: + type: string + type: array + verbs: + description: Verbs is a list of Verbs that apply to ALL the ResourceKinds + contained in this rule. '*' represents all verbs. + items: + type: string + type: array + required: + - verbs + type: object + type: array + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/kubesphere.io_categories.yaml b/src/main/ks-core/crds/kubesphere.io_categories.yaml new file mode 100644 index 000000000..80e157b89 --- /dev/null +++ b/src/main/ks-core/crds/kubesphere.io_categories.yaml 
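Review bot: The `rules[].nonResourceURLs` description is the upstream Kubernetes PolicyRule text and says the field is `only applicable for ClusterRoles referenced from a ClusterRoleBinding`, which is misleading inside a WorkspaceRole schema; a reader cannot tell from this CRD whether non-resource URLs are honored by the workspace authorizer at all. If WorkspaceRole embeds the upstream PolicyRule the clarification belongs on the `Rules` field comment, e.g. `// Rules are PolicyRules evaluated within this workspace; nonResourceURLs are <honored|ignored> by the workspace authorizer`, filled in from the authorizer's actual behavior. The backtick in `RoleTemplate`s rules`, in both the `roleSelector` and `templateNames` descriptions, reads as a typo for an apostrophe and is also in the roletemplates hunk's text.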
@@ -0,0 +1,52 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: categories.kubesphere.io +spec: + group: kubesphere.io + names: + categories: + - extensions + kind: Category + listKind: CategoryList + plural: categories + singular: category + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Category can help us group the extensions. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + description: + additionalProperties: + type: string + type: object + displayName: + additionalProperties: + type: string + type: object + icon: + type: string + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/kubesphere.io_extensions.yaml b/src/main/ks-core/crds/kubesphere.io_extensions.yaml new file mode 100644 index 000000000..c40616199 --- /dev/null +++ b/src/main/ks-core/crds/kubesphere.io_extensions.yaml 
@@ -0,0 +1,272 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: extensions.kubesphere.io +spec: + group: kubesphere.io + names: + categories: + - extensions + kind: Extension + listKind: ExtensionList + plural: extensions + singular: extension + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: Extension is synchronized from the Repository. An extension can + contain multiple versions. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExtensionSpec only contains basic extension information copied + from the latest ExtensionVersion. + properties: + created: + format: date-time + type: string + description: + additionalProperties: + type: string + type: object + displayName: + additionalProperties: + type: string + type: object + icon: + type: string + provider: + additionalProperties: + description: Provider describes an extension provider. 
+ properties: + email: + description: Email is an optional email address to contact the + named provider + type: string + name: + description: Name is a username or organization name + type: string + url: + description: URL is an optional URL to an address for the named + provider + type: string + type: object + type: object + type: object + status: + properties: + clusterSchedulingStatuses: + additionalProperties: + properties: + conditions: + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + jobName: + type: string + releaseName: + type: string + state: + type: string + stateHistory: + items: + properties: + lastTransitionTime: + format: date-time + type: string + state: + type: string + required: + - lastTransitionTime + - state + type: object + type: array + targetNamespace: + type: string + version: + type: string + type: object + description: ClusterSchedulingStatuses describes the subchart installation + status of the extension + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. 
For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + plannedInstallVersion: + type: string + recommendedVersion: + type: string + state: + type: string + versions: + items: + properties: + creationTimestamp: + format: date-time + type: string + version: + type: string + required: + - version + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/kubesphere.io_extensionversions.yaml b/src/main/ks-core/crds/kubesphere.io_extensionversions.yaml new file mode 100644 index 000000000..d762ba6c8 --- /dev/null +++ b/src/main/ks-core/crds/kubesphere.io_extensionversions.yaml 
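Review bot: `status.state` and `status.clusterSchedulingStatuses[*].state` are untyped free strings with no description, yet `.status.state` is this CRD's only printer column and `stateHistory` records transitions of it, so the set of valid states is undiscoverable from the API. If the controller works from a fixed set of constants, a `+kubebuilder:validation:Enum` marker on the Go field, or at least a doc comment listing the states, would surface them here; whether such a fixed set exists cannot be confirmed from this hunk. `subresources: {}` also leaves status writable through the main resource, as noted on the users CRD.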
@@ -0,0 +1,157 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: extensionversions.kubesphere.io +spec: + group: kubesphere.io + names: + categories: + - extensions + kind: ExtensionVersion + listKind: ExtensionVersionList + plural: extensionversions + singular: extensionversion + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExtensionVersionSpec contains the details of a specific version + extension. + properties: + category: + type: string + chartDataRef: + description: ChartDataRef refers to a configMap which contains raw + chart data. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + namespace: + type: string + optional: + description: Specify whether the ConfigMap or its key must be + defined + type: boolean + required: + - key + - namespace + type: object + x-kubernetes-map-type: atomic + chartURL: + type: string + created: + format: date-time + type: string + description: + additionalProperties: + type: string + type: object + digest: + type: string + displayName: + additionalProperties: + type: string + type: object + externalDependencies: + description: ExternalDependencies + items: + properties: + name: + description: Name of the external dependency + type: string + required: + description: Indicates if the dependency is required + type: boolean + type: + description: Type of dependency, default to extension + type: string + version: + description: SemVer + type: string + required: + - name + - required + - version + type: object + type: array + home: + type: string + icon: + type: string + installationMode: + default: HostOnly + enum: + - HostOnly + - Multicluster + type: string + keywords: + items: + type: string + type: array + ksVersion: + description: 'KSVersion is a SemVer constraint specifying the version + of KubeSphere required. eg: >= 1.2.0, see https://github.com/Masterminds/semver + for more info.' + type: string + kubeVersion: + description: 'KubeVersion is a SemVer constraint specifying the version + of Kubernetes required. eg: >= 1.2.0, see https://github.com/Masterminds/semver + for more info.' + type: string + provider: + additionalProperties: + description: Provider describes an extension provider. 
+ properties: + email: + description: Email is an optional email address to contact the + named provider + type: string + name: + description: Name is a username or organization name + type: string + url: + description: URL is an optional URL to an address for the named + provider + type: string + type: object + type: object + repository: + type: string + screenshots: + items: + type: string + type: array + sources: + items: + type: string + type: array + version: + type: string + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/kubesphere.io_installplans.yaml b/src/main/ks-core/crds/kubesphere.io_installplans.yaml new file mode 100644 index 000000000..08ea67e00 --- /dev/null +++ b/src/main/ks-core/crds/kubesphere.io_installplans.yaml 
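Review bot: `chartDataRef` requires a `namespace` and lets a cluster-scoped ExtensionVersion point at any ConfigMap, so whatever controller resolves it reads that ConfigMap with its own service-account privileges rather than the creator's, and nothing in the schema limits the namespace or documents who is expected to create ExtensionVersions. The controller is not visible from this hunk, so this is a risk to confirm rather than a defect: either document the expectation on the field, e.g. `// ChartDataRef must reference a ConfigMap in the extension namespace; the controller reads it with its own RBAC, so creation of ExtensionVersions should be restricted accordingly`, or constrain `namespace` with a validation marker if a single namespace is intended. `chartURL`, `home`, `sources[]` and `screenshots[]` are likewise unconstrained strings where a `pattern` or `format` marker would at least document the intended shape.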
@@ -0,0 +1,328 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: installplans.kubesphere.io +spec: + group: kubesphere.io + names: + categories: + - extensions + kind: InstallPlan + listKind: InstallPlanList + plural: installplans + singular: installplan + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.state + name: State + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: InstallPlan defines how to install an extension in the cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + clusterScheduling: + properties: + overrides: + additionalProperties: + type: string + type: object + placement: + properties: + clusterSelector: + description: A label selector is a label query over a set + of resources. The result of matchLabels and matchExpressions + are ANDed. An empty label selector matches all objects. + A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + clusters: + items: + type: string + type: array + x-kubernetes-list-type: set + type: object + type: object + config: + type: string + enabled: + type: boolean + extension: + properties: + name: + type: string + version: + type: string + required: + - name + - version + type: object + upgradeStrategy: + default: Manual + type: string + required: + - enabled + - extension + type: object + status: + properties: + clusterSchedulingStatuses: + additionalProperties: + properties: + conditions: + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. 
+ // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + jobName: + type: string + releaseName: + type: string + state: + type: string + stateHistory: + items: + properties: + lastTransitionTime: + format: date-time + type: string + state: + type: string + required: + - lastTransitionTime + - state + type: object + type: array + targetNamespace: + type: string + version: + type: string + type: object + description: ClusterSchedulingStatuses describes the subchart installation + status of the extension + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource. --- This struct is intended for direct + use as an array at the field path .status.conditions. For example, + \n type FooStatus struct{ // Represents the observations of a + foo's current state. // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should be when + the underlying condition changed. If that is not known, then + using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, if .metadata.generation + is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the current + state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier indicating + the reason for the condition's last transition. Producers + of specific condition types may define expected values and + meanings for this field, and whether the values are considered + a guaranteed API. The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across resources + like Available, but because arbitrary conditions can be useful + (see .node.status.conditions), the ability to deconflict is + important. 
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + jobName: + type: string + releaseName: + type: string + state: + type: string + stateHistory: + items: + properties: + lastTransitionTime: + format: date-time + type: string + state: + type: string + required: + - lastTransitionTime + - state + type: object + type: array + targetNamespace: + type: string + version: + type: string + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/kubesphere.io_repositories.yaml b/src/main/ks-core/crds/kubesphere.io_repositories.yaml new file mode 100644 index 000000000..59bb2de0f --- /dev/null +++ b/src/main/ks-core/crds/kubesphere.io_repositories.yaml 
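Review bot: `status` on InstallPlan is not a subresource — the hunk ends with `subresources: {}` — so `status.state`, `status.conditions` and `status.clusterSchedulingStatuses` are written through the same `update` verb as `spec`, and any principal with update on installplans.kubesphere.io can overwrite the controller's recorded installation state. The resourcequotas CRD in this same commit does declare `subresources: status: {}`, so the two are inconsistent; since these files are controller-gen output, the fix is the `+kubebuilder:subresource:status` marker on the InstallPlan Go type so the generated CRD emits `subresources:` / `  status: {}`. Separately, `spec.upgradeStrategy` has `default: Manual` but no `enum`, so the API server accepts any string and the controller has to validate it at runtime; an `enum` listing the accepted strategies would reject typos at admission.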
@@ -0,0 +1,73 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: repositories.kubesphere.io +spec: + group: kubesphere.io + names: + categories: + - extensions + kind: Repository + listKind: RepositoryList + plural: repositories + singular: repository + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Repository declared a docker image containing the extension helm + chart. The extension manager controller will deploy and synchronizes the + extensions from the image repository. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + basicAuth: + properties: + password: + type: string + username: + type: string + type: object + description: + type: string + image: + type: string + updateStrategy: + properties: + registryPoll: + properties: + interval: + type: string + required: + - interval + type: object + type: object + url: + type: string + type: object + status: + properties: + lastSyncTime: + format: date-time + type: string + type: object + type: object + served: true + storage: true 
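Review bot: `spec.basicAuth.password` is a plain `type: string` on a cluster-scoped Repository object, so the registry credential is readable by anyone with `get`/`list` on repositories.kubesphere.io and is stored unencrypted in etcd, audit logs and backups. Because this schema is controller-gen output, the change belongs in the Repository Go type: replace the inline `username`/`password` pair with a reference to a Secret (an object field carrying `name` and `namespace`) and have the controller resolve it, which keeps the credential under the Secret's RBAC and encryption-at-rest. If the inline field is kept for compatibility, at minimum document it in the schema, e.g. `description: 'Deprecated: plain-text credential; prefer a Secret reference'`. `spec.image` and `spec.url` are also unconstrained strings, so any registry host is accepted; a `pattern` or `format: uri` would give admission-time validation.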
diff --git a/src/main/ks-core/crds/kubesphere.io_serviceaccounts.yaml b/src/main/ks-core/crds/kubesphere.io_serviceaccounts.yaml new file mode 100644 index 000000000..737e7a948 --- /dev/null +++ b/src/main/ks-core/crds/kubesphere.io_serviceaccounts.yaml 
@@ -0,0 +1,97 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: serviceaccounts.kubesphere.io +spec: + group: kubesphere.io + names: + kind: ServiceAccount + listKind: ServiceAccountList + plural: serviceaccounts + singular: serviceaccount + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + secrets: + items: + description: "ObjectReference contains enough information to let you + inspect or modify the referred object. --- New uses of this type are + discouraged because of difficulty describing its usage when embedded + in APIs. 1. Ignored fields. It includes many fields which are not + generally honored. For instance, ResourceVersion and FieldPath are + both very rarely valid in actual usage. 2. Invalid usage help. It + is impossible to add specific help for individual usage. In most + embedded usages, there are particular restrictions like, \"must refer + only to types A and B\" or \"UID not honored\" or \"name must be restricted\". + Those cannot be well described when embedded. 3. Inconsistent validation. 
+ \ Because the usages are different, the validation rules are different + by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not + a precise mapping to a URL. This can produce ambiguity during interpretation + and require a REST mapping. In most cases, the dependency is on the + group,resource tuple and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many + locations, updates to this type will affect numerous schemas. Don't + make new APIs embed an underspecified API type they do not control. + \n Instead of using this type, create a locally provided and used + type that is well-focused on your reference. For example, ServiceReferences + for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 + ." + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an + entire object, this string should contain a valid JSON/Go field + access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within + a pod, this would take on a value like: "spec.containers{name}" + (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" + (container with index 2 in this pod). This syntax is chosen only + to have some well-defined way of referencing a part of an object. + TODO: this design is not final and this field is subject to change + in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is + made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/marketplace.kubesphere.io_subscriptions.yaml b/src/main/ks-core/crds/marketplace.kubesphere.io_subscriptions.yaml new file mode 100644 index 000000000..c5ba2285d --- /dev/null +++ b/src/main/ks-core/crds/marketplace.kubesphere.io_subscriptions.yaml 
@@ -0,0 +1,85 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: subscriptions.marketplace.kubesphere.io +spec: + group: marketplace.kubesphere.io + names: + categories: + - marketplace + kind: Subscription + listKind: SubscriptionList + plural: subscriptions + singular: subscription + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + extensionName: + type: string + required: + - extensionName + type: object + status: + properties: + createdAt: + format: date-time + type: string + expiredAt: + format: date-time + type: string + extensionID: + type: string + extraInfo: + type: string + orderID: + type: string + startedAt: + format: date-time + type: string + subscriptionID: + type: string + updatedAt: + format: date-time + type: string + userID: + type: string + userSubscriptionID: + type: string + required: + - createdAt + - expiredAt + - extensionID + - extraInfo + - orderID + - startedAt + - subscriptionID + - updatedAt + - userID + - userSubscriptionID + type: object + required: + - spec + type: object + served: true + storage: true 
diff --git a/src/main/ks-core/crds/oauth.kubesphere.io_oauthclients.yaml b/src/main/ks-core/crds/oauth.kubesphere.io_oauthclients.yaml new file mode 100644 index 000000000..799cbe4cb --- /dev/null +++ b/src/main/ks-core/crds/oauth.kubesphere.io_oauthclients.yaml @@ -0,0 +1,64 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: oauthclients.oauth.kubesphere.io +spec: + group: oauth.kubesphere.io + names: + categories: + - oauth + kind: OAuthClient + listKind: OAuthClientList + plural: oauthclients + singular: oauthclient + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: OAuthClient is the Schema for the oauthclients API + properties: + accessTokenInactivityTimeout: + default: 7200 + format: int64 + minimum: 600 + type: integer + accessTokenMaxAge: + default: 7200 + format: int64 + minimum: 600 + type: integer + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + grantMethod: + enum: + - auto + - prompt + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + redirectURIs: + items: + type: string + type: array + x-kubernetes-list-type: set + secret: + type: string + required: + - grantMethod + - secret + type: object + served: true + storage: true 
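Review bot: `secret` is a required plain `type: string` on the cluster-scoped OAuthClient, so the OAuth client secret is exposed to every principal that can read oauthclients.oauth.kubesphere.io and is persisted unencrypted alongside the rest of the object. As this is generated from the Go type, the fix is there: hold the secret in a core Secret and reference it (`secretRef` with `name`/`namespace`), or store only a hash if the server merely needs to verify it. `redirectURIs` is a `set` of unconstrained strings with no `minItems` and no `format`/`pattern`, so an empty list or a non-absolute URI passes admission; since redirect-URI matching is the control that keeps authorization codes from being sent to an unintended host, the schema should require at least one entry and an absolute URI (`format: uri`, or a `pattern` anchored on `^https?://`), with exact-match semantics documented on the field.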
diff --git a/src/main/ks-core/crds/quota.kubesphere.io_resourcequotas.yaml b/src/main/ks-core/crds/quota.kubesphere.io_resourcequotas.yaml new file mode 100644 index 000000000..ef3db80d2 --- /dev/null +++ b/src/main/ks-core/crds/quota.kubesphere.io_resourcequotas.yaml 
@@ -0,0 +1,185 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: resourcequotas.quota.kubesphere.io +spec: + group: quota.kubesphere.io + names: + categories: + - quota + kind: ResourceQuota + listKind: ResourceQuotaList + plural: resourcequotas + singular: resourcequota + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + description: ResourceQuota sets aggregate quota restrictions enforced per + workspace + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired quota + properties: + quota: + description: Quota defines the desired quota + properties: + hard: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'hard is the set of desired hard limits for each + named resource. 
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + scopeSelector: + description: scopeSelector is also a collection of filters like + scopes that must match each object tracked by a quota but expressed + using ScopeSelectorOperator in combination with possible values. + For a resource to match, both scopes AND scopeSelector (if specified + in spec), must be matched. + properties: + matchExpressions: + description: A list of scope selector requirements by scope + of the resources. + items: + description: A scoped-resource selector requirement is a + selector that contains values, a scope name, and an operator + that relates the scope name and values. + properties: + operator: + description: Represents a scope's relationship to a + set of values. Valid operators are In, NotIn, Exists, + DoesNotExist. + type: string + scopeName: + description: The name of the scope that the selector + applies to. + type: string + values: + description: An array of string values. If the operator + is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - operator + - scopeName + type: object + type: array + type: object + x-kubernetes-map-type: atomic + scopes: + description: A collection of filters that must match each object + tracked by a quota. If not specified, the quota matches all + objects. + items: + description: A ResourceQuotaScope defines a filter that must + match each object tracked by a quota + type: string + type: array + type: object + selector: + additionalProperties: + type: string + description: LabelSelector is used to select projects by label. 
+ type: object + required: + - quota + - selector + type: object + status: + description: Status defines the actual enforced quota and its current + usage + properties: + namespaces: + description: Namespaces slices the usage by project. + items: + description: ResourceQuotaStatusByNamespace gives status for a particular + project + properties: + hard: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Hard is the set of enforced hard limits for each + named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + namespace: + description: Namespace the project this status applies to + type: string + used: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Used is the current observed total usage of the + resource in the namespace. + type: object + required: + - namespace + type: object + type: array + total: + description: Total defines the actual enforced quota and its current + usage across all projects + properties: + hard: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Hard is the set of enforced hard limits for each + named resource. 
More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/' + type: object + used: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Used is the current observed total usage of the resource + in the namespace. + type: object + type: object + required: + - namespaces + - total + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/src/main/ks-core/crds/storage.kubesphere.io_provisionercapabilities.yaml b/src/main/ks-core/crds/storage.kubesphere.io_provisionercapabilities.yaml new file mode 100644 index 000000000..2dbfe3238 --- /dev/null +++ b/src/main/ks-core/crds/storage.kubesphere.io_provisionercapabilities.yaml 
@@ -0,0 +1,113 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: provisionercapabilities.storage.kubesphere.io +spec: + group: storage.kubesphere.io + names: + kind: ProvisionerCapability + listKind: ProvisionerCapabilityList + plural: provisionercapabilities + singular: provisionercapability + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.pluginInfo.name + name: Provisioner + type: string + - jsonPath: .spec.features.volume.expandMode + name: Expand + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ProvisionerCapability is the schema for the provisionercapability + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ProvisionerCapabilitySpec defines the desired state of ProvisionerCapability + properties: + features: + description: CapabilityFeatures describe storage features + properties: + snapshot: + description: SnapshotFeature describe snapshot features + properties: + create: + type: boolean + list: + type: boolean + required: + - create + - list + type: object + topology: + type: boolean + volume: + description: VolumeFeature describe volume features + properties: + attach: + type: boolean + clone: + type: boolean + create: + type: boolean + expandMode: + type: string + list: + type: boolean + stats: + type: boolean + required: + - attach + - clone + - create + - expandMode + - list + - stats + type: object + required: + - snapshot + - topology + - volume + type: object + pluginInfo: + description: PluginInfo describes plugin info + properties: + name: + type: string + version: + type: string + required: + - name + - version + type: object + required: + - features + - pluginInfo + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/storage.kubesphere.io_storageclasscapabilities.yaml b/src/main/ks-core/crds/storage.kubesphere.io_storageclasscapabilities.yaml new file mode 100644 index 000000000..5c4e9ab8c --- /dev/null +++ b/src/main/ks-core/crds/storage.kubesphere.io_storageclasscapabilities.yaml 
@@ -0,0 +1,113 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: storageclasscapabilities.storage.kubesphere.io +spec: + group: storage.kubesphere.io + names: + kind: StorageClassCapability + listKind: StorageClassCapabilityList + plural: storageclasscapabilities + singular: storageclasscapability + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.provisioner + name: Provisioner + type: string + - jsonPath: .spec.features.volume.create + name: Volume + type: boolean + - jsonPath: .spec.features.volume.expandMode + name: Expand + type: string + - jsonPath: .spec.features.volume.clone + name: Clone + type: boolean + - jsonPath: .spec.features.snapshot.create + name: Snapshot + type: boolean + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: StorageClassCapability is the Schema for the storage class capability + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: StorageClassCapabilitySpec defines the desired state of StorageClassCapability + properties: + features: + description: CapabilityFeatures describe storage features + properties: + snapshot: + description: SnapshotFeature describe snapshot features + properties: + create: + type: boolean + list: + type: boolean + required: + - create + - list + type: object + topology: + type: boolean + volume: + description: VolumeFeature describe volume features + properties: + attach: + type: boolean + clone: + type: boolean + create: + type: boolean + expandMode: + type: string + list: + type: boolean + stats: + type: boolean + required: + - attach + - clone + - create + - expandMode + - list + - stats + type: object + required: + - snapshot + - topology + - volume + type: object + provisioner: + type: string + required: + - features + - provisioner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/src/main/ks-core/crds/telemetry.kubesphere.io_clusterinfoes.yaml b/src/main/ks-core/crds/telemetry.kubesphere.io_clusterinfoes.yaml new file mode 100644 index 000000000..5992eb865 --- /dev/null +++ b/src/main/ks-core/crds/telemetry.kubesphere.io_clusterinfoes.yaml 
@@ -0,0 +1,153 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: clusterinfoes.telemetry.kubesphere.io +spec: + group: telemetry.kubesphere.io + names: + kind: ClusterInfo + listKind: ClusterInfoList + plural: clusterinfoes + singular: clusterinfo + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.pluginInfo.name + name: Provisioner + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: ClusterInfo is the Schema for the clusterinfos API. the API is + use to store telemetry data. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterInfoSpec nothing in Spec. only use collect cluster + telemetry data + type: object + status: + description: ClusterInfoStatus store cluster telemetry data + properties: + cloudId: + description: kubesphere cloud id + type: string + clusters: + description: cluster info which kubesphere use. 
refer to clusters.cluster.kubesphere.io + items: + properties: + clusterVersion: + description: kubernetes cluster version + type: string + ksVersion: + description: kubesphere version + type: string + name: + description: cluster name + type: string + namespace: + description: Namepace number of cluster + type: integer + nid: + description: cluster namespace id + type: string + nodes: + description: nodes of cluster + items: + properties: + arch: + description: node arch + type: string + containerRuntime: + description: node containerRuntime + type: string + kernel: + description: node kernel + type: string + kubeProxy: + description: node kubeProxy + type: string + kubelet: + description: node kubelet + type: string + name: + description: node name + type: string + os: + description: node operator system + type: string + osImage: + description: os operator system image + type: string + role: + description: node roles + items: + type: string + type: array + uid: + description: node uid + type: string + type: object + type: array + role: + description: cluster role + type: string + uid: + description: cluster uid + type: string + type: object + type: array + extension: + description: extension which cluster has installed. refer to subscriptions.kubesphere.io + items: + properties: + cTime: + description: extension create time + type: string + name: + description: extension name + type: string + version: + description: extension version + type: string + type: object + type: array + platform: + description: the platform resources total. + properties: + user: + description: user number of cluster + type: integer + workspace: + description: workspace number of cluster + type: integer + type: object + syncTime: + description: when to sync data to ksCloud + format: date-time + type: string + ts: + description: collection time + format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} 
diff --git a/src/main/ks-core/crds/tenant.kubesphere.io_workspaces.yaml b/src/main/ks-core/crds/tenant.kubesphere.io_workspaces.yaml new file mode 100644 index 000000000..63d541f6a --- /dev/null +++ b/src/main/ks-core/crds/tenant.kubesphere.io_workspaces.yaml @@ -0,0 +1,48 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: workspaces.tenant.kubesphere.io +spec: + group: tenant.kubesphere.io + names: + categories: + - tenant + kind: Workspace + listKind: WorkspaceList + plural: workspaces + singular: workspace + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Workspace is the Schema for the workspaces API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WorkspaceSpec defines the desired state of Workspace + properties: + manager: + type: string + type: object + status: + description: WorkspaceStatus defines the observed state of Workspace + type: object + type: object + served: true + storage: true diff --git a/src/main/ks-core/crds/tenant.kubesphere.io_workspacetemplates.yaml b/src/main/ks-core/crds/tenant.kubesphere.io_workspacetemplates.yaml new file mode 100644 index 000000000..cb3553c91 --- /dev/null 
+++ b/src/main/ks-core/crds/tenant.kubesphere.io_workspacetemplates.yaml 
@@ -0,0 +1,148 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (unknown) + creationTimestamp: null + name: workspacetemplates.tenant.kubesphere.io +spec: + group: tenant.kubesphere.io + names: + categories: + - tenant + kind: WorkspaceTemplate + listKind: WorkspaceTemplateList + plural: workspacetemplates + singular: workspacetemplate + scope: Cluster + versions: + - name: v1alpha2 + schema: + openAPIV3Schema: + description: WorkspaceTemplate is the Schema for the workspacetemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + overrides: + items: + properties: + clusterName: + type: string + clusterOverrides: + items: + properties: + op: + type: string + path: + type: string + value: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - path + type: object + type: array + required: + - clusterName + type: object + type: array + placement: + properties: + clusterSelector: + description: A label selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. An + empty label selector matches all objects. A null label selector + matches no objects. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If + the operator is In or NotIn, the values array must + be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced + during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A + single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is "key", + the operator is "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + clusters: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + type: object + template: + properties: + metadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + spec: + description: WorkspaceSpec defines the desired state of Workspace + properties: + manager: + type: string + type: object + type: object + required: + - placement + - template + type: object + type: object + served: true + storage: true 
diff --git a/src/main/ks-core/templates/NOTES.txt b/src/main/ks-core/templates/NOTES.txt
new file mode 100644
index 000000000..c79ca1aad
--- /dev/null
+++ b/src/main/ks-core/templates/NOTES.txt
@@ -0,0 +1,17 @@
+Please wait for several seconds for KubeSphere deployment to complete.
+
+1. Make sure KubeSphere components are running:
+
+ kubectl get pods -n {{ .Release.Namespace }}
+
+2. Then you should be able to visit the console NodePort:
+
+ Console: http://{{ include "getNodeAddress" . }}:{{ .Values.console.nodePort }}
+
+3. To login to your KubeSphere console:
+
+ Account: admin
+ Password: {{ include "printOrDefaultPass" . | quote }}
+ NOTE: Please change the default password after login.
+
+For more details, please visit https://kubesphere.io.
\ No newline at end of file
diff --git a/src/main/ks-core/templates/_helpers.tpl b/src/main/ks-core/templates/_helpers.tpl
new file mode 100644
index 000000000..268439810
--- /dev/null
+++ b/src/main/ks-core/templates/_helpers.tpl
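Review bot: `Password: {{ include "printOrDefaultPass" . | quote }}` writes the effective admin password into NOTES, and because Helm keeps rendered notes in the release record it stays readable afterwards through `helm get notes` and `helm status` by anyone who can read that release, not only on the install terminal; with a user-supplied `.Values.adminPassword` that is a real credential, not the public default. Print the literal only for the default case and a pointer otherwise, e.g. `Password: {{ if .Values.adminPassword }}"<the value you set in .Values.adminPassword>"{{ else }}"P@88w0rd"{{ end }}`, or make the non-default branch of `printOrDefaultPass` in `_helpers.tpl` return that placeholder. The `NOTE:` line then also reads correctly, since the password is only a default when `adminPassword` is unset.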
@@ -0,0 +1,99 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ks-core.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ks-core.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ks-core.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ks-core.labels" -}}
+helm.sh/chart: {{ include "ks-core.chart" . }}
+{{ include "ks-core.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ks-core.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ks-core.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ks-core.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+ {{- default (include "ks-core.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+ {{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Returns user's password or use default
+*/}}
+{{- define "getOrDefaultPass" }}
+{{- if not .Values.adminPassword -}}
+{{- printf "$2a$10$zcHepmzfKPoxCVCYZr5K7ORPZZ/ySe9p/7IUb/8u./xHrnSX2LOCO" -}}
+{{- else -}}
+{{- printf "%s" .Values.adminPassword -}}
+{{- end -}}
+{{- end }}
+
+{{/*
+Returns user's password or use default. Used by NOTES.txt
+*/}}
+{{- define "printOrDefaultPass" }}
+{{- if not .Values.adminPassword -}}
+{{- printf "P@88w0rd" -}}
+{{- else -}}
+{{- printf "%s" .Values.adminPassword -}}
+{{- end -}}
+{{- end }}
+
+{{- define "getNodeAddress" -}}
+{{- $address := "127.0.0.1"}}
+{{- with $nodes := lookup "v1" "Node" "" "" }}
+{{- $node := first $nodes.items -}}
+{{- range $k, $v := $node.status.addresses }}
+ {{- if (eq $v.type "InternalIP") }}
+ {{- $address = $v.address }}
+ {{- end }}
+{{- end }}
+{{- else }}
+{{- end }}
+{{- printf "%s" $address }}
+{{- end }}
\ No newline at end of file
diff --git a/src/main/ks-core/templates/_images.tpl b/src/main/ks-core/templates/_images.tpl
new file mode 100644
index 000000000..b19595b5f
--- /dev/null
+++ b/src/main/ks-core/templates/_images.tpl
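Review bot: `getOrDefaultPass` returns a bcrypt hash literal when `adminPassword` is unset but the raw `.Values.adminPassword` otherwise, so its consumer (outside this file) receives two differently shaped values; if that consumer hashes plaintext itself, say so in the helper comment, otherwise hash here as well (sprig's `bcrypt` would do, but it salts freshly on every render, so the manifest changes on each upgrade). The comment should also name what the literal is — presumably the hash of the `P@88w0rd` that `printOrDefaultPass` prints — since every install that leaves `adminPassword` empty shares that well-known credential and relies on the first-login change. In `getNodeAddress`, `first $nodes.items` on a node list with no items appears to yield nil, after which `$node.status.addresses` fails the render instead of falling back to `127.0.0.1`; guarding with `{{- with $node := first $nodes.items }}` … `{{- end }}` avoids that, and the empty `{{- else }}` branch can be dropped. The range also keeps the last `InternalIP` seen rather than the first, which is fine but worth a one-line comment.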
@@ -0,0 +1,74 @@
+{{/*
+Return the proper image name
+*/}}
+{{- define "ks-apiserver.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.apiserver.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "ks-console.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.console.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "ks-controller-manager.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.controller.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "kubectl.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.kubectl.image "global" .Values.global) }}
+{{- end -}}
+
+{{- define "common.images.image" -}}
+{{- $registryName := .global.imageRegistry -}}
+{{- $repositoryName := .imageRoot.repository -}}
+{{- $separator := ":" -}}
+{{- $termination := .global.tag | toString -}}
+{{- if .imageRoot.registry }}
+ {{- $registryName = .imageRoot.registry -}}
+{{- end -}}
+{{- if .imageRoot.tag }}
+ {{- $termination = .imageRoot.tag | toString -}}
+{{- end -}}
+{{- if .imageRoot.digest }}
+ {{- $separator = "@" -}}
+ {{- $termination = .imageRoot.digest | toString -}}
+{{- end -}}
+{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names
+*/}}
+{{- define "apiserver.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.apiserver.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{- define "console.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.console.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{- define "controller.imagePullSecrets" -}}
+{{- include "common.images.pullSecrets" (dict "images" (list .Values.controller.image) "global" .Values.global) -}}
+{{- end -}}
+
+{{- define "common.images.pullSecrets" -}}
+ {{- $pullSecrets := list }}
+
+ {{- if .global }}
+ {{- range .global.imagePullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- range .images -}}
+ {{- range .pullSecrets -}}
+ {{- $pullSecrets = append $pullSecrets . -}}
+ {{- end -}}
+ {{- end -}}
+
+ {{- if (not (empty $pullSecrets)) }}
+imagePullSecrets:
+ {{- range $pullSecrets }}
+ - name: {{ . }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/src/main/ks-core/templates/_tplvalues.tpl b/src/main/ks-core/templates/_tplvalues.tpl
new file mode 100644
index 000000000..5d3d60352
--- /dev/null
+++ b/src/main/ks-core/templates/_tplvalues.tpl
@@ -0,0 +1,13 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }}
+*/}}
+{{- define "common.tplvalues.render" -}}
+ {{- if typeIs "string" .value }}
+ {{- tpl .value .context }}
+ {{- else }}
+ {{- tpl (.value | toYaml) .context }}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/src/main/ks-core/templates/builtinroles.yaml b/src/main/ks-core/templates/builtinroles.yaml
new file mode 100644
index 000000000..2bb48b65b
--- /dev/null
+++ b/src/main/ks-core/templates/builtinroles.yaml
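Review bot: In `common.images.image`, when neither `.global.tag` nor `.imageRoot.tag`/`.imageRoot.digest` is set, `$termination` is the `toString` of an unset value and the final `printf` still succeeds, so the chart appears to render a malformed image reference instead of failing early; the same holds for `$registryName` when no registry is configured anywhere. Add a guard before the `printf`, e.g. `{{- if not (or .imageRoot.tag .imageRoot.digest .global.tag) }}{{ fail (printf "image %s needs a tag or digest" $repositoryName) }}{{- end -}}`. A header comment stating that `digest` takes precedence over `tag` — and that pinning by digest is the preferred way to fix exactly which bits get pulled — would document the supply-chain intent of the `@` branch.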
@@ -0,0 +1,263 @@ +apiVersion: iam.kubesphere.io/v1beta1 +kind: BuiltinRole +metadata: + labels: + iam.kubesphere.io/scope: "namespace" + name: project-admin +targetSelector: + matchLabels: + kubesphere.io/managed: "true" +role: + aggregationRoleTemplates: + roleSelector: + matchLabels: + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + apiVersion: iam.kubesphere.io/v1beta1 + kind: Role + metadata: + annotations: + kubesphere.io/creator: system + kubesphere.io/description: '{"zh": "管理项目中的所有资源。", "en": "Manage all resources in the project."}' + labels: + iam.kubesphere.io/auto-aggregate: "true" + name: admin + rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: BuiltinRole +metadata: + labels: + iam.kubesphere.io/scope: "namespace" + name: project-operator +targetSelector: + matchLabels: + kubesphere.io/managed: "true" +role: + aggregationRoleTemplates: + roleSelector: + matchLabels: + iam.kubesphere.io/aggregate-to-operator: "" + kubesphere.io/managed: "true" + iam.kubesphere.io/scope: "namespace" + apiVersion: iam.kubesphere.io/v1beta1 + kind: Role + metadata: + annotations: + kubesphere.io/creator: system + kubesphere.io/description: '{"zh": "管理项目中除用户和角色之外的资源。", "en": "Manage resources other than users and roles in the project."}' + labels: + iam.kubesphere.io/auto-aggregate: "true" + name: operator + rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - "" + - apps + - extensions + - batch + - autoscaling + - app.k8s.io + - operations.kubesphere.io + - resources.kubesphere.io + - config.istio.io + - events.k8s.io + - events.kubesphere.io + - snapshot.storage.k8s.io + - networking.k8s.io + resources: + - '*' + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: BuiltinRole +metadata: + labels: + iam.kubesphere.io/scope: "namespace" + name: project-viewer +targetSelector: + matchLabels: + 
kubesphere.io/managed: "true" +role: + aggregationRoleTemplates: + roleSelector: + matchLabels: + iam.kubesphere.io/aggregate-to-viewer: "" + kubesphere.io/managed: "true" + iam.kubesphere.io/scope: "namespace" + apiVersion: iam.kubesphere.io/v1beta1 + kind: Role + metadata: + annotations: + kubesphere.io/creator: system + kubesphere.io/description: '{"zh": "查看项目中的所有资源。", "en": "View all resources in the project."}' + labels: + iam.kubesphere.io/auto-aggregate: "true" + name: viewer + rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: BuiltinRole +metadata: + name: workspace-admin + labels: + iam.kubesphere.io/scope: "workspace" +role: + aggregationRoleTemplates: + roleSelector: + matchLabels: + iam.kubesphere.io/scope: 'workspace' + templateNames: + - workspace-manage-workspace-settings + - workspace-view-workspace-settings + - workspace-manage-projects + - workspace-view-projects + - workspace-create-projects + - workspace-view-members + - workspace-manage-members + - workspace-manage-roles + - workspace-view-roles + - workspace-manage-groups + - workspace-view-groups + apiVersion: iam.kubesphere.io/v1beta1 + kind: WorkspaceRole + metadata: + annotations: + kubesphere.io/creator: system + kubesphere.io/description: '{"zh": "管理企业空间中的所有资源。", "en": "Manage all resources in the workspace."}' + labels: + iam.kubesphere.io/auto-aggregate: "true" + name: admin + rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' + + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: BuiltinRole +metadata: + name: workspace-regular + labels: + iam.kubesphere.io/scope: "workspace" +role: + aggregationRoleTemplates: + roleSelector: + matchLabels: + iam.kubesphere.io/aggregate-to-regular: "" + iam.kubesphere.io/scope: "workspace" + templateNames: + - workspace-view-workspace-settings + apiVersion: iam.kubesphere.io/v1beta1 + kind: WorkspaceRole + metadata: + annotations: + 
kubesphere.io/creator: system + kubesphere.io/description: '{"zh": "查看企业空间设置。", "en": "View workspace settings."}' + labels: + iam.kubesphere.io/auto-aggregate: "true" + name: regular + rules: + - apiGroups: + - '*' + resources: + - workspaces + - workspacemembers + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: BuiltinRole +metadata: + name: workspace-self-provisioner + labels: + iam.kubesphere.io/scope: "workspace" +role: + aggregationRoleTemplates: + roleSelector: + matchLabels: + iam.kubesphere.io/aggregate-to-self-provisioner: "" + iam.kubesphere.io/scope: "workspace" + templateNames: + - workspace-create-projects + - workspace-view-workspace-settings + apiVersion: iam.kubesphere.io/v1beta1 + kind: WorkspaceRole + metadata: + annotations: + kubesphere.io/creator: system + kubesphere.io/description: '{"zh": "查看企业设置、创建项目。", "en": "View workspace settings, create projects."}' + labels: + iam.kubesphere.io/auto-aggregate: "true" + name: self-provisioner + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: BuiltinRole +metadata: + name: workspace-viewer + labels: + iam.kubesphere.io/scope: "workspace" +role: + aggregationRoleTemplates: + roleSelector: + matchLabels: + iam.kubesphere.io/scope: "workspace" + iam.kubesphere.io/aggregate-to-viewer: "" + templateNames: + - workspace-view-projects + - workspace-view-members + - workspace-view-roles + - workspace-view-groups + - workspace-view-workspace-settings + apiVersion: iam.kubesphere.io/v1beta1 + kind: WorkspaceRole + metadata: + annotations: + kubesphere.io/creator: system + kubesphere.io/description: '{"zh": "查看企业空间中的所有资源。", "en": "View all resources in the workspace."}' + labels: + iam.kubesphere.io/auto-aggregate: "true" + name: viewer + rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch \ No newline at end of file 
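Review bot: `project-operator`'s second rule grants `resources: '*'` with `verbs: '*'` on the core group `""` (alongside `apps`, `batch`, …), which in Kubernetes RBAC semantics covers `secrets`, `serviceaccounts` and subresources, so the description "resources other than users and roles" holds for KubeSphere IAM objects only — an operator can still reach whatever the namespace's ServiceAccount tokens are bound to. If that is the intended scope, state it in the `kubesphere.io/description`; if not, enumerate the core-group resources instead of `'*'`. `workspace-self-provisioner` carries `rules: []` while every sibling has explicit rules; a comment such as `# all permissions come from the aggregated role templates` would make clear that this is deliberate.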
diff --git a/src/main/ks-core/templates/categories.yaml b/src/main/ks-core/templates/categories.yaml new file mode 100644 index 000000000..ed7f4ceb5 --- /dev/null +++ b/src/main/ks-core/templates/categories.yaml @@ -0,0 +1,81 @@ +{{ if eq .Values.role "host" }} +--- +apiVersion: kubesphere.io/v1alpha1 +kind: Category +metadata: + name: ai-machine-learning +spec: + displayName: + en: AI / Machine learning + zh: AI / 机器学习 + +--- +apiVersion: kubesphere.io/v1alpha1 +kind: Category +metadata: + name: database +spec: + displayName: + en: Database + zh: 数据库 + +--- +apiVersion: kubesphere.io/v1alpha1 +kind: Category +metadata: + name: integration-delivery +spec: + displayName: + en: Integration and delivery + zh: 集成和交付 + +--- +apiVersion: kubesphere.io/v1alpha1 +kind: Category +metadata: + name: monitoring-logging +spec: + displayName: + en: Monitoring and logging + zh: 监控和日志 + +--- +apiVersion: kubesphere.io/v1alpha1 +kind: Category +metadata: + name: networking +spec: + displayName: + en: Networking + zh: 网络 + +--- +apiVersion: kubesphere.io/v1alpha1 +kind: Category +metadata: + name: security +spec: + displayName: + en: Security + zh: 安全 + +--- +apiVersion: kubesphere.io/v1alpha1 +kind: Category +metadata: + name: storage +spec: + displayName: + en: Storage + zh: 存储 + +--- +apiVersion: kubesphere.io/v1alpha1 +kind: Category +metadata: + name: streaming-messaging +spec: + displayName: + en: Streaming and messaging + zh: 流平台和消息中间件 +{{ end }} \ No newline at end of file diff --git a/src/main/ks-core/templates/clusterroles.yaml b/src/main/ks-core/templates/clusterroles.yaml new file mode 100644 index 000000000..e1937796f --- /dev/null +++ b/src/main/ks-core/templates/clusterroles.yaml 
@@ -0,0 +1,54 @@
+apiVersion: iam.kubesphere.io/v1beta1
+kind: ClusterRole
+metadata:
+ annotations:
+ kubesphere.io/creator: system
+ kubesphere.io/description: '{"zh": "管理集群中的所有资源。", "en": "Manage all resources in the cluster."}'
+ name: cluster-admin
+aggregationRoleTemplates:
+ roleSelector:
+ matchLabels:
+ iam.kubesphere.io/scope: "cluster"
+ templateNames: []
+rules:
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+ - nonResourceURLs:
+ - '*'
+ verbs:
+ - '*'
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: ClusterRole
+metadata:
+ annotations:
+ kubesphere.io/creator: system
+ kubesphere.io/description: '{"zh": "查看集群中的所有资源。", "en": "View all resources in the cluster."}'
+ name: cluster-viewer
+aggregationRoleTemplates:
+ roleSelector:
+ matchLabels:
+ iam.kubesphere.io/aggregate-to-cluster-viewer: ""
+ templateNames:
+ - cluster-view-components
+ - cluster-view-volume-snapshot-classes
+ - cluster-view-volumes
+ - cluster-view-roles
+rules:
+ - apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+ - nonResourceURLs:
+ - '*'
+ verbs:
+ - GET
\ No newline at end of file
diff --git a/src/main/ks-core/templates/globalrolebingings.yaml b/src/main/ks-core/templates/globalrolebingings.yaml
new file mode 100644
index 000000000..503a4d80f
--- /dev/null
+++ b/src/main/ks-core/templates/globalrolebingings.yaml
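Review bot: `cluster-viewer`'s `roleSelector` matches only `iam.kubesphere.io/aggregate-to-cluster-viewer: ""`, whereas `cluster-admin` directly above also pins `iam.kubesphere.io/scope: "cluster"`, so a template carrying the aggregate label from any scope would be pulled into the viewer role; if that is not intended, add the scope label to its `matchLabels`. `cluster-admin` shares its name with the Kubernetes built-in ClusterRole — a different API group here, so no collision — but a short comment above `name: cluster-admin` saying this is the KubeSphere IAM role would spare confusion when both appear side by side in audit logs.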
@@ -0,0 +1,60 @@
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRoleBinding
+metadata:
+ labels:
+ iam.kubesphere.io/role-ref: platform-admin
+ iam.kubesphere.io/user-ref: admin
+ name: admin-platform-admin
+roleRef:
+ apiGroup: iam.kubesphere.io
+ kind: GlobalRole
+ name: platform-admin
+subjects:
+ - apiGroup: iam.kubesphere.io
+ kind: User
+ name: admin
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRoleBinding
+metadata:
+ name: anonymous
+roleRef:
+ apiGroup: iam.kubesphere.io
+ kind: GlobalRole
+ name: anonymous
+subjects:
+ - apiGroup: iam.kubesphere.io
+ kind: Group
+ name: system:unauthenticated
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRoleBinding
+metadata:
+ name: authenticated
+roleRef:
+ apiGroup: iam.kubesphere.io
+ kind: GlobalRole
+ name: authenticated
+subjects:
+ - apiGroup: iam.kubesphere.io
+ kind: Group
+ name: system:authenticated
+
+---
+apiVersion: iam.kubesphere.io/v1beta1
+kind: GlobalRoleBinding
+metadata:
+ name: pre-registration
+roleRef:
+ apiGroup: iam.kubesphere.io
+ kind: GlobalRole
+ name: pre-registration
+subjects:
+ - apiGroup: iam.kubesphere.io
+ kind: Group
+ name: pre-registration
+ - apiGroup: iam.kubesphere.io
+ kind: User
+ name: system:pre-registration
\ No newline at end of file
diff --git a/src/main/ks-core/templates/globalroles.yaml b/src/main/ks-core/templates/globalroles.yaml
new file mode 100644
index 000000000..0d51fda14
--- /dev/null
+++ b/src/main/ks-core/templates/globalroles.yaml
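Review bot: The template file is named `globalrolebingings.yaml` (typo for `globalrolebindings`); rename it before the release, since template paths surface in `helm template --show-only` selectors and in the rendered `# Source:` headers. The `admin-platform-admin` binding carries `iam.kubesphere.io/role-ref`/`iam.kubesphere.io/user-ref` labels but the `anonymous`, `authenticated` and `pre-registration` bindings carry none; if the controller indexes bindings by those labels (not visible here), the group bindings need the equivalent labels, otherwise a comment noting that the labels are only set for user subjects would help the next reader.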
@@ -0,0 +1,195 @@ +apiVersion: iam.kubesphere.io/v1beta1 +kind: GlobalRole +metadata: + name: anonymous +rules: + - nonResourceURLs: + - /dist/* + verbs: + - GET + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: GlobalRole +metadata: + annotations: + iam.kubesphere.io/rego-override: |- + package authz + default allow = false + allow = true { + input.Resource == "users" + input.User.Name == input.Name + } + allow = true { + allowedResources := ["clustermembers","workspacemembers","namespacemembers"] + allowedResources[_] == input.Resource + input.User.Name == input.Name + allowedVerbs := ["get","list","watch"] + allowedVerbs[_] == input.Verb + } + allow = true { + allowedNoneResources := ["/api","/api/v1"] + allowedNoneResources[_] == input.Path + input.Verb == "GET" + } + allow = true { + input.APIGroup == "tenant.kubesphere.io" + input.KubernetesRequest == false + allowedVerbs := ["get","list","watch"] + allowedVerbs[_] == input.Verb + } + name: authenticated +rules: + - apiGroups: + - config.kubesphere.io + resources: + - configs + verbs: + - get + - list + - apiGroups: + - iam.kubesphere.io + resources: + - users + - roletemplates + - categories + verbs: + - list + - apiGroups: + - resources.kubesphere.io + resources: + - registry + - git + verbs: + - get + - create + - apiGroups: + - resources.kubesphere.io + resources: + - clusters + verbs: + - get + - list + - apiGroups: + - '*' + resources: + - storageclasses + - storageclasscapabilities + - nodes + verbs: + - get + - list + - apiGroups: + - resources.kubesphere.io + resources: + - namespaces + - services + verbs: + - list + - apiGroups: + - tenant.kubesphere.io + resources: + - workspacetemplates + verbs: + - patch + - apiGroups: + - extensions.kubesphere.io + resources: + - jsbundles + verbs: + - get + - list + - apiGroups: + - kubesphere.io + resources: + - extensions + verbs: + - get + - list + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: GlobalRole +metadata: + annotations: + 
kubesphere.io/creator: admin + kubesphere.io/description: '{"zh": "管理 KubeSphere 平台上的所有资源。", "en": "Manage all resources on the KubeSphere platform."}' + labels: + iam.kubesphere.io/auto-aggregate: "true" + name: platform-admin +aggregationRoleTemplates: + roleSelector: + matchLabels: + iam.kubesphere.io/scope: "global" + templateNames: + - global-manage-clusters + - global-view-clusters + - global-create-workspaces + - global-view-basic + - global-manage-app-templates + - global-manage-users + - global-view-roles + - global-manage-platform-settings + - global-manage-workspaces + - global-view-app-templates + - global-view-users + - global-manage-roles + - global-view-workspaces +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' + - nonResourceURLs: + - '*' + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: GlobalRole +metadata: + annotations: + kubesphere.io/description: '{"zh": "被邀请加入企业空间之前无法访问任何资源。", "en": "Cannot access any resources before joining a workspace."}' + kubesphere.io/creator: admin + name: platform-regular +rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: GlobalRole +metadata: + annotations: + kubesphere.io/creator: admin + kubesphere.io/description: '{"zh": "创建企业空间并成为所创建的企业空间的管理员。", "en": "Create workspaces and become an administrator of the created workspaces."}' + labels: + iam.kubesphere.io/auto-aggregate: "true" + name: platform-self-provisioner +aggregationRoleTemplates: + templateNames: + - global-create-workspaces +rules: + - apiGroups: + - tenant.kubesphere.io + resources: + - workspaces + - workspacetemplates + verbs: + - create + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: GlobalRole +metadata: + name: pre-registration +rules: + - apiGroups: + - iam.kubesphere.io + resources: + - users + verbs: + - create + - list \ No newline at end of file 
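Review bot: The `authenticated` GlobalRole grants `patch` on `tenant.kubesphere.io` `workspacetemplates` to every logged-in user, which stands out against the otherwise read-only shape of its rule set; if patch is needed only for a specific self-service flow, the `iam.kubesphere.io/rego-override` policy above it is the place to scope it to the requesting user the way `users` and the `*members` resources already are — confirm whether the broad grant is intended. That rego policy appears to be the effective authorization logic for this role and carries no explanation; a short header inside the block scalar such as `# self-service only: a user may read their own User object and membership entries` would make later edits safer. `pre-registration` allows `create` and `list` on `users` for a not-yet-registered identity; `list` exposes every account name, so confirm it is required rather than `get` on the user's own name.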
diff --git a/src/main/ks-core/templates/ks-agent.yml b/src/main/ks-core/templates/ks-agent.yml new file mode 100644 index 000000000..c187f9486 --- /dev/null +++ b/src/main/ks-core/templates/ks-agent.yml 
@@ -0,0 +1,125 @@ +{{ if eq .Values.role "member" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-agent + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-agent + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + progressDeadlineSeconds: 600 + replicas: {{ .Values.agent.replicaCount }} + revisionHistoryLimit: 10 + selector: + matchLabels: + app: ks-agent + tier: backend + template: + metadata: + labels: + app: ks-agent + tier: backend + spec: + serviceAccountName: {{ template "ks-core.serviceAccountName" . }} + {{- include "controller.imagePullSecrets" . | nindent 6 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + terminationGracePeriodSeconds: 30 + containers: + - name: ks-apiserver + image: {{ template "ks-apiserver.image" . 
}} + imagePullPolicy: {{ .Values.apiserver.image.pullPolicy }} + {{- if .Values.apiserver.containerPorts }} + ports: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.containerPorts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.apiserver.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.command "context" $) | nindent 12 }} + {{- end }} + env: + {{- if .Values.apiserver.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.apiserver.resources }} + resources: {{- toYaml .Values.apiserver.resources | nindent 12 }} + {{- end }} + livenessProbe: + failureThreshold: 8 + httpGet: + path: /version + port: 9090 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 15 + volumeMounts: + - mountPath: /etc/kubesphere/ + name: kubesphere-config + - mountPath: /etc/localtime + name: host-time + readOnly: true + {{- if .Values.apiserver.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + - name: ks-controller-manager + image: {{ template "ks-controller-manager.image" . 
}} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + {{- if .Values.controller.containerPorts }} + ports: {{- include "common.tplvalues.render" (dict "value" .Values.controller.containerPorts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.controller.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.controller.command "context" $) | nindent 12 }} + {{- end }} + env: + {{- if .Values.controller.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{- toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /etc/kubesphere/ + name: kubesphere-config + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-secret + - mountPath: /etc/localtime + name: host-time + readOnly: true + {{- if .Values.controller.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + volumes: + - name: kubesphere-config + configMap: + name: kubesphere-config + defaultMode: 420 + - name: webhook-secret + secret: + defaultMode: 420 + secretName: ks-controller-manager-webhook-cert + - name: host-time + hostPath: + path: /etc/localtime + type: "" + {{- if .Values.controller.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumes "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.apiserver.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumes "context" $) | nindent 8 }} + {{- end }} +{{ end }} diff --git a/src/main/ks-core/templates/ks-apiserver.yml b/src/main/ks-core/templates/ks-apiserver.yml new file mode 100644 index 000000000..cbfe63d6f --- /dev/null +++ b/src/main/ks-core/templates/ks-apiserver.yml 
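Review bot: Neither the pod spec nor the `ks-apiserver` and `ks-controller-manager` containers set a `securityContext`, so the workloads run with the image defaults; the same applies to the ks-apiserver.yml, ks-console.yml and ks-controller-manager.yaml deployments in this commit. Since the pod template already takes `resources`, `extraEnvVars` and `extraVolumes` from values, rendering a securityContext the same way (e.g. a new constructed value `securityContext: {{- toYaml .Values.apiserver.securityContext | nindent 12 }}`) would let operators enforce `runAsNonRoot`, `allowPrivilegeEscalation: false` and a dropped capability set without patching the chart. The `host-time` hostPath volume uses `type: ""`; `type: File` makes the pod fail with a clear error if `/etc/localtime` is absent on a node instead of mounting whatever is there. The ks-controller-manager container has no liveness or readiness probe while ks-apiserver does — presumably deliberate, but a comment saying so would stop the next reader from "fixing" it.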
@@ -0,0 +1,85 @@ +{{ if eq .Values.role "host" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-apiserver + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-apiserver + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + replicas: {{ .Values.apiserver.replicaCount }} + selector: + matchLabels: + app: ks-apiserver + tier: backend + template: + metadata: + labels: + app: ks-apiserver + tier: backend + spec: + serviceAccountName: {{ template "ks-core.serviceAccountName" . }} + {{- include "apiserver.imagePullSecrets" . | nindent 6 }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + containers: + - name: ks-apiserver + image: {{ template "ks-apiserver.image" . 
}} + imagePullPolicy: {{ .Values.apiserver.image.pullPolicy }} + {{- if .Values.apiserver.containerPorts }} + ports: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.containerPorts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.apiserver.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.command "context" $) | nindent 12 }} + {{- end }} + env: + {{- if .Values.apiserver.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.apiserver.resources }} + resources: {{- toYaml .Values.apiserver.resources | nindent 12 }} + {{- end }} + livenessProbe: + failureThreshold: 8 + httpGet: + path: /version + port: 9090 + scheme: HTTP + initialDelaySeconds: 15 + timeoutSeconds: 15 + volumeMounts: + - mountPath: /etc/kubesphere/ + name: kubesphere-config + - mountPath: /etc/localtime + name: host-time + readOnly: true + {{- if .Values.apiserver.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + volumes: + - configMap: + defaultMode: 420 + name: kubesphere-config + name: kubesphere-config + - hostPath: + path: /etc/localtime + type: "" + name: host-time + {{- if .Values.apiserver.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.apiserver.extraVolumes "context" $) | nindent 8 }} + {{- end }} +{{ end }} \ No newline at end of file diff --git a/src/main/ks-core/templates/ks-console-config.yml b/src/main/ks-core/templates/ks-console-config.yml new file mode 100644 index 000000000..54024948e --- /dev/null +++ b/src/main/ks-core/templates/ks-console-config.yml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +data: + local_config.yaml: | + server: + http: + hostname: localhost + port: 8000 + static: + production: + /public: server/public + /assets: dist/assets + /dist: dist + redis: + port: 6379 + host: redis.kubesphere-system.svc + redisTimeout: 5000 + sessionTimeout: 7200000 + client: + version: + kubesphere: {{ .Chart.AppVersion }} + kubernetes: {{ .Values.kubeVersion }} + enableKubeConfig: true + defaultClusterName: {{ .Values.console.defaultClusterName }} +kind: ConfigMap +metadata: + name: ks-console-config + namespace: kubesphere-system diff --git a/src/main/ks-core/templates/ks-console.yml b/src/main/ks-core/templates/ks-console.yml new file mode 100644 index 000000000..b3a15da71 --- /dev/null +++ b/src/main/ks-core/templates/ks-console.yml 
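Review bot: `kubesphere: {{ .Chart.AppVersion }}` and `kubernetes: {{ .Values.kubeVersion }}` are rendered unquoted inside the `local_config.yaml` block scalar, so a value such as `1.20` is read as the float `1.2` by the console's YAML loader; quote them: `kubesphere: "{{ .Chart.AppVersion }}"` and `kubernetes: "{{ .Values.kubeVersion }}"`. The same applies to `defaultClusterName: {{ .Values.console.defaultClusterName }}`, which renders as a bare `null` when the value is unset. The `redis` block configures host and port only; if the console's redis client supports a password or TLS, surfacing that option here rather than leaving session storage unauthenticated on the cluster network is worth considering — confirm against the console's config schema.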
@@ -0,0 +1,119 @@ +{{ if eq .Values.role "host" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-console + tier: frontend + version: {{ .Chart.AppVersion }} + name: ks-console + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + replicas: {{ .Values.console.replicaCount }} + selector: + matchLabels: + app: ks-console + tier: frontend + template: + metadata: + labels: + app: ks-console + tier: frontend + spec: + serviceAccount: {{ template "ks-core.serviceAccountName" . }} + serviceAccountName: {{ template "ks-core.serviceAccountName" . }} + {{- include "console.imagePullSecrets" . | nindent 6 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + containers: + - name: ks-console + image: {{ template "ks-console.image" . 
}} + imagePullPolicy: {{ .Values.console.image.pullPolicy }} + {{- if .Values.console.containerPorts }} + ports: {{- include "common.tplvalues.render" (dict "value" .Values.console.containerPorts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.console.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.console.command "context" $) | nindent 12 }} + {{- end }} + env: + {{- if .Values.console.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.console.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.console.resources }} + resources: {{- toYaml .Values.console.resources | nindent 12 }} + {{- end }} + livenessProbe: + tcpSocket: + port: 8000 + initialDelaySeconds: 15 + timeoutSeconds: 15 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 8 + volumeMounts: + - name: ks-console-config + mountPath: /opt/kubesphere/console/configs/local_config.yaml + subPath: local_config.yaml + - name: host-time + mountPath: /etc/localtime + readOnly: true + {{- if .Values.console.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.console.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + volumes: + - configMap: + defaultMode: 420 + name: ks-console-config + items: + - key: local_config.yaml + path: local_config.yaml + name: ks-console-config + - hostPath: + path: /etc/localtime + type: "" + name: host-time + {{- if .Values.console.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.console.extraVolumes "context" $) | nindent 8 }} + {{- end }} + +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + app: ks-console + tier: frontend + version: {{ .Chart.AppVersion }} + name: ks-console +spec: + ports: + - name: nginx + port: 80 + protocol: TCP + targetPort: 8000 + {{- with .Values.console.nodePort }} + nodePort: + {{- toYaml . 
| nindent 6 }} + {{- end }} + selector: + app: ks-console + tier: frontend +{{- if .Values.console.nodePort }} + type: NodePort +{{- else}} + type: ClusterIP +{{- end}} +{{ end }} diff --git a/src/main/ks-core/templates/ks-controller-manager.yaml b/src/main/ks-core/templates/ks-controller-manager.yaml new file mode 100644 index 000000000..b065393f3 --- /dev/null +++ b/src/main/ks-core/templates/ks-controller-manager.yaml 
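Review bot: `serviceAccount:` duplicates `serviceAccountName:` on the pod spec; `serviceAccount` is the deprecated alias, and the other deployments in this commit set only `serviceAccountName`, so drop the first of the two lines. The Service has no `metadata.namespace` while the Deployment pins `namespace: kubesphere-system`; for a release installed into another namespace the Service lands in a different namespace than the pods it selects, so either add `namespace: kubesphere-system` to the Service or drop the hard-coded namespace from every resource consistently.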
@@ -0,0 +1,89 @@ +{{ if eq .Values.role "host" }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: ks-controller-manager + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-controller-manager + namespace: kubesphere-system +spec: + strategy: + rollingUpdate: + maxSurge: 0 + type: RollingUpdate + progressDeadlineSeconds: 600 + replicas: {{ .Values.controller.replicaCount }} + revisionHistoryLimit: 10 + selector: + matchLabels: + app: ks-controller-manager + tier: backend + template: + metadata: + labels: + app: ks-controller-manager + tier: backend + spec: + serviceAccountName: {{ template "ks-core.serviceAccountName" . }} + {{- include "controller.imagePullSecrets" . | nindent 6 }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" .) | nindent 8 }} + {{- end }} + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + terminationGracePeriodSeconds: 30 + containers: + - name: ks-controller-manager + image: {{ template "ks-controller-manager.image" . 
}} + imagePullPolicy: {{ .Values.controller.image.pullPolicy }} + {{- if .Values.controller.containerPorts }} + ports: {{- include "common.tplvalues.render" (dict "value" .Values.controller.containerPorts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.controller.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.controller.command "context" $) | nindent 12 }} + {{- end }} + env: + {{- if .Values.controller.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.controller.resources }} + resources: {{- toYaml .Values.controller.resources | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /etc/kubesphere/ + name: kubesphere-config + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-secret + - mountPath: /etc/localtime + name: host-time + readOnly: true + {{- if .Values.controller.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + volumes: + - name: kubesphere-config + configMap: + name: kubesphere-config + defaultMode: 420 + - name: webhook-secret + secret: + defaultMode: 420 + secretName: ks-controller-manager-webhook-cert + - hostPath: + path: /etc/localtime + type: "" + name: host-time + {{- if .Values.controller.extraVolumes }} + {{- include "common.tplvalues.render" (dict "value" .Values.controller.extraVolumes "context" $) | nindent 8 }} + {{- end }} +{{ end }} diff --git a/src/main/ks-core/templates/kubesphere-config.yaml b/src/main/ks-core/templates/kubesphere-config.yaml new file mode 100644 index 000000000..8f2f69568 --- /dev/null +++ b/src/main/ks-core/templates/kubesphere-config.yaml 
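Review bot: The `webhook-secret` volume references `ks-controller-manager-webhook-cert`, but nothing in the hunks visible here creates that Secret; a pod whose Secret volume is missing stays in ContainerCreating, so if the controller is expected to generate the certificate itself at startup the pod can never reach that point. If the Secret is created elsewhere in the chart, a comment above the volume naming the producer (`# created by <template/controller> before this Deployment starts`) is enough; otherwise mark the volume `optional: true` or add the producing resource. The `volumes` list also mixes `- name:` first (`kubesphere-config`, `webhook-secret`) and `- hostPath:` first (`host-time`) item ordering; the ks-agent template writes all three `name`-first, so match that.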
@@ -0,0 +1,36 @@ +{{- if .Values.config.create -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: kubesphere-config + namespace: kubesphere-system +data: + kubesphere.yaml: | + authentication: + authenticateRateLimiterMaxTries: {{ .Values.config.authentication.authenticateRateLimiterMaxTries | default 10 }} + authenticateRateLimiterDuration: {{ .Values.config.authentication.authenticationRateLimiterDuration | default "10m0s" }} + loginHistoryRetentionPeriod: {{ .Values.config.authentication.loginHistoryRetentionPeriod | default "168h" }} + maximumClockSkew: {{ .Values.config.authentication.maximumClockSkew | default "10s" }} + multipleLogin: {{ .Values.config.authentication.enableMultiLogin | default true }} + kubectlImage: {{ template "kubectl.image" . }} +{{- if eq .Values.role "host" }} + {{- with lookup "v1" "ConfigMap" (printf "%s" .Release.Namespace) "kubesphere-config" }} + jwtSecret: "{{ (fromYaml (index .data "kubesphere.yaml")).authentication.jwtSecret }}" + {{- else }} + jwtSecret: "{{ .Values.config.jwtSecret | default (randAlphaNum 32 ) }}" + {{- end }} +{{- else }} + jwtSecret: "{{ .Values.config.jwtSecret }}" +{{- end }} +{{- if .Values.config.authentication.oauthOptions }} + {{- with .Values.config.authentication.oauthOptions }} + oauthOptions: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- else if eq (default .Values.role "none") "member" }} + oauthOptions: + accessTokenMaxAge: 0 +{{- end }} + multicluster: + clusterRole: {{ .Values.role }} +{{- end }} diff --git a/src/main/ks-core/templates/marketplace-config.yaml b/src/main/ks-core/templates/marketplace-config.yaml new file mode 100644 index 000000000..1e3ae8aac --- /dev/null +++ b/src/main/ks-core/templates/marketplace-config.yaml 
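Review bot: On a member cluster `jwtSecret: "{{ .Values.config.jwtSecret }}"` renders an empty string when the value is unset and the install still succeeds; use `required`, e.g. `jwtSecret: "{{ required "config.jwtSecret must be set for member clusters" .Values.config.jwtSecret }}"`. The signing secret is written into a ConfigMap rather than a Secret, so anyone with `get configmaps` in kubesphere-system can read it; if the apiserver only consumes a file, mounting a Secret at the same path keeps the RBAC boundary meaningful. `authenticateRateLimiterDuration` reads `.Values.config.authentication.authenticationRateLimiterDuration` while its sibling keys use the `authenticate…` spelling, so a user who sets `authenticateRateLimiterDuration` in values silently gets the `10m0s` default — confirm which spelling values.yaml documents and align them. The `lookup` branch deserves a comment, e.g. `# reuse the jwtSecret of an existing install so issued tokens stay valid across upgrades`.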
@@ -0,0 +1,20 @@ +{{ if eq .Values.role "host" }} +apiVersion: v1 +stringData: + configuration.yaml: | + url: https://kubesphere.cloud + oauth: + clientID: "client-a5cdf64c-7f84-415e-a6b1-8dfbfad493c3" + clientSecret: "66ce75fc-4a87-4f97-9963-92d1a19b137e" + subscription: + syncPeriod: 60m + repository: + url: https://app.kubesphere.cloud + repoName: marketplace + syncPeriod: 60m +kind: Secret +metadata: + name: marketplace + namespace: kubesphere-system +type: config.kubesphere.io/marketplace +{{ end }} \ No newline at end of file diff --git a/src/main/ks-core/templates/post-install-job.yaml b/src/main/ks-core/templates/post-install-job.yaml new file mode 100644 index 000000000..07bbb4f3a --- /dev/null +++ b/src/main/ks-core/templates/post-install-job.yaml @@ -0,0 +1,25 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ .Release.Name }}-post-install" + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + spec: + restartPolicy: Never + serviceAccountName: {{ include "ks-core.serviceAccountName" . }} + containers: + - name: post-install-job + image: "kubesphere/kubectl:v1.27.4" + command: + - /bin/bash + - -c + - | + for ns in kubesphere-system default kube-system; + do + kubectl label ns $ns kubesphere.io/workspace=system-workspace + kubectl label ns $ns kubesphere.io/managed=true + done \ No newline at end of file diff --git a/src/main/ks-core/templates/pre-delete-job.yaml b/src/main/ks-core/templates/pre-delete-job.yaml new file mode 100644 index 000000000..ac1db181e --- /dev/null +++ b/src/main/ks-core/templates/pre-delete-job.yaml 
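Review bot: `clientID` and `clientSecret` for the marketplace OAuth client are literal values in the chart template, so the credential is committed to the repository and identical for every installation; move both to values (e.g. a constructed `clientSecret: {{ .Values.marketplace.oauth.clientSecret | quote }}`) or reference an existing Secret, and if this is a confidential client, rotate the value that is now published. Wrapping the whole document in a Secret is right, but `url`, `repoName` and the two `syncPeriod` keys are not sensitive; if operators are expected to tune them they belong in values as well.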
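Review bot: `kubectl label ns $ns kubesphere.io/workspace=system-workspace` fails with "already has a value" when the label exists with a different value, and because the script has no `set -e` the loop continues and the hook still reports success, hiding the failure. Add `set -euo pipefail` as the first line of the script and pass `--overwrite` to both `kubectl label` calls so re-installs are idempotent and genuine errors surface as a failed Job. The Job runs under the chart's service account with a pinned `kubesphere/kubectl:v1.27.4` image; a comment above `image:` noting that the tag is pinned on purpose and should move with the supported `kubeVersion` would help future upgrades.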
@@ -0,0 +1,36 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ .Release.Name }}-pre-delete" + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + template: + spec: + restartPolicy: Never + serviceAccountName: {{ include "ks-core.serviceAccountName" . }} + containers: + - name: pre-delete-job + image: "kubesphere/kubectl:v1.27.4" + command: + - /bin/bash + - -c + - | + kubectl -n kubesphere-system scale deploy ks-controller-manager --replicas=0 + until [ "$(kubectl -n kube-system get deploy ks-controller-manager -o jsonpath='{.status.readyReplicas}')" = "" ]; + do + echo "ks-controller-manager is running......" + sleep 1s + done + kubectl patch workspaces.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge + kubectl patch workspacetemplates.tenant.kubesphere.io system-workspace -p '{"metadata":{"finalizers":[]}}' --type=merge + for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}') + do + kubectl label ns $ns kubesphere.io/workspace- && \ + kubectl patch ns $ns -p '{"metadata":{"ownerReferences":[]}}' --type=merge && \ + echo "{\"kind\":\"Namespace\",\"apiVersion\":\"v1\",\"metadata\":{\"name\":\"$ns\",\"finalizers\":null}}" | kubectl replace --raw "/api/v1/namespaces/$ns/finalize" -f - + done + + diff --git a/src/main/ks-core/templates/roletemplate-categories.yaml b/src/main/ks-core/templates/roletemplate-categories.yaml new file mode 100644 index 000000000..09a88b123 --- /dev/null +++ b/src/main/ks-core/templates/roletemplate-categories.yaml 
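Review bot: The wait loop polls `kubectl -n kube-system get deploy ks-controller-manager` while the scale-down on the line above targets `kubesphere-system`; the deployment does not exist in kube-system, so the jsonpath is empty on the first iteration and the loop exits without waiting for the controller to stop — change the namespace to `kubesphere-system`. The namespace loop clears `ownerReferences` on every namespace in the cluster, not only those KubeSphere owns, and then calls the finalize subresource on each; restricting the loop to labelled namespaces (`kubectl get ns -l kubesphere.io/workspace -o jsonpath='{.items[*].metadata.name}'`) and removing only the KubeSphere owner reference would avoid touching unrelated namespaces. The script has no `set -e`, so a failing patch is ignored and the hook reports success. The two trailing blank `+` lines at the end of the file can be dropped.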
@@ -0,0 +1,235 @@ +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: 'true' + name: global-platform-settings +spec: + displayName: + en: 'Platform Settings' + zh: '平台设置' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: 'true' + name: global-access-control +spec: + displayName: + en: Access Control + zh: '访问控制' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: 'true' + name: global-workspace-management +spec: + displayName: + en: Workspace + zh: '企业空间' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: 'true' + name: global-cluster-management +spec: + displayName: + en: Cluster Management + zh: '集群管理' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-access-control +spec: + displayName: + en: Access Control + zh: '访问控制' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-resource-management +spec: + displayName: + en: Cluster Resources + zh: '集群资源' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-settings +spec: + displayName: + en: Cluster Settings + zh: '集群设置' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-app-workloads-management +spec: + displayName: + en: Application Workloads + zh: '应用负载' + + +--- +apiVersion: 
iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-project-management +spec: + displayName: + en: Project + zh: '项目' + + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-storage-management +spec: + displayName: + en: Storage + zh: '存储' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "workspace" + kubesphere.io/managed: 'true' + name: workspace-settings +spec: + displayName: + en: Workspace Settings + zh: '企业空间设置' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "workspace" + kubesphere.io/managed: 'true' + name: workspace-project-management +spec: + displayName: + en: Projects + zh: '项目' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "workspace" + kubesphere.io/managed: 'true' + name: workspace-access-control +spec: + displayName: + en: Access Control + zh: '访问控制' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-access-control +spec: + displayName: + en: Access Control + zh: '访问控制' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-configuration-management +spec: + displayName: + en: Configuration + zh: '配置' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-storage-management +spec: + displayName: + en: Storage + zh: '存储' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + 
iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-application-workloads +spec: + displayName: + en: Application Workloads + zh: '应用负载' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: Category +metadata: + labels: + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-settings +spec: + displayName: + en: Project Settings + zh: '项目设置' \ No newline at end of file diff --git a/src/main/ks-core/templates/roletemplates.yaml b/src/main/ks-core/templates/roletemplates.yaml new file mode 100644 index 000000000..902fef627 --- /dev/null +++ b/src/main/ks-core/templates/roletemplates.yaml 
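Review bot: `kubesphere.io/managed` is quoted `'true'` for the global, cluster and workspace categories and `"true"` for the namespace ones; both render the same string, but the file mixes quoting styles and roletemplates.yaml uses `"true"` throughout, so pick double quotes file-wide. The `en` display name is quoted only in the first category (`'Platform Settings'`) and bare everywhere else — same consistency point. The doubled blank lines before the `cluster-project-management` and `cluster-storage-management` documents can be reduced to one.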
@@ -0,0 +1,1735 @@ +# global scope role templates +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"workspaces": "create"}' + labels: + iam.kubesphere.io/category: global-workspace-management + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-create-workspaces +spec: + description: + en: 'Create workspaces and become an administrator of the created projects.' + zh: '创建企业空间。' + displayName: + en: Workspace Creation + zh: '企业空间创建' + rules: + - apiGroups: + - tenant.kubesphere.io + resources: + - workspaces + - workspacetemplates + verbs: + - create + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"workspaces": "view"}' + labels: + iam.kubesphere.io/category: global-workspace-management + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-view-workspaces +spec: + description: + en: 'View all workspaces and workspace resources.' 
+ zh: '查看所有工作空间和企业空间下的资源。' + displayName: + en: Workspace Viewing + zh: 企业空间查看 + rules: + - apiGroups: + - '*' + resources: + - abnormalworkloads + - quotas + - workloads + - configmaps + - endpoints + - events + - limitranges + - namespaces + - persistentvolumeclaims + - podtemplates + - replicationcontrollers + - resourcequotas + - secrets + - serviceaccounts + - services + - applications + - controllerrevisions + - deployments + - replicasets + - statefulsets + - daemonsets + - meshpolicies + - cronjobs + - jobs + - horizontalpodautoscalers + - events + - ingresses + - router + - filters + - pods + - pods/log + - pods/exec + - pods/containers + - namespacenetworkpolicies + - workspacenetworkpolicies + - networkpolicies + - podsecuritypolicies + - rolebindings + - roles + - namespacemembers + - servicepolicies + - workspaces + - workspacetemplates + - workspaceroles + - workspacemembers + - workspacemembers/namespaces + - workspacerolebindings + - workloads + verbs: + - get + - list + - watch + - apiGroups: + - resources.kubesphere.io + resources: + - '*' + verbs: + - list + - get + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"workspaces": "manage"}' + labels: + iam.kubesphere.io/category: global-workspace-management + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-manage-workspaces +spec: + description: + en: 'Manage all workspaces and workspace resources.' 
+ zh: '管理所有企业空间和企业空间下的资源。' + displayName: + en: Workspace Management + zh: '企业空间管理' + rules: + - apiGroups: + - '*' + resources: + - abnormalworkloads + - quotas + - workloads + - configmaps + - endpoints + - events + - limitranges + - namespaces + - persistentvolumeclaims + - podtemplates + - replicationcontrollers + - resourcequotas + - secrets + - serviceaccounts + - services + - applications + - controllerrevisions + - deployments + - replicasets + - statefulsets + - daemonsets + - meshpolicies + - cronjobs + - jobs + - horizontalpodautoscalers + - events + - ingresses + - router + - filters + - pods + - pods/log + - pods/exec + - pods/containers + - namespacenetworkpolicies + - workspacenetworkpolicies + - networkpolicies + - podsecuritypolicies + - rolebindings + - roles + - namespacemembers + - servicepolicies + - workspaces + - workspacetemplates + - workspaceroles + - workspacemembers + - workspacemembers/namespaces + - workspacerolebindings + - workloads + verbs: + - '*' + - apiGroups: + - resources.kubesphere.io + resources: + - '*' + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"clusters": "view"}' + labels: + iam.kubesphere.io/category: global-cluster-management + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-view-clusters +spec: + description: + en: 'View all clusters and cluster resources.' 
+ zh: '查看所有集群和集群资源。' + displayName: + en: Cluster Viewing + zh: '集群查看' + rules: + - apiGroups: + - "" + - apiextensions.k8s.io + - app.k8s.io + - apps + - autoscaling + - batch + - config.istio.io + - events.k8s.io + - events.kubesphere.io + - extensions + - metrics.k8s.io + - networking.k8s.io + - node.k8s.io + - rbac.istio.io + - scheduling.k8s.io + - security.istio.io + - storage.k8s.io + - storage.kubesphere.io + - resources.kubesphere.io + - cluster.kubesphere.io + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - tenant.kubesphere.io + resources: + - workspaces + - workspacetemplates + verbs: + - get + - list + - watch + - apiGroups: + - iam.kubesphere.io + resources: + - clustermembers + - clusterroles + verbs: + - get + - list + - watch + - nonResourceURLs: + - '*' + verbs: + - GET + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["global-view-clusters"]' + iam.kubesphere.io/role-template-rules: '{"clusters": "manage"}' + kubesphere.io/description: '{"zh":"创建集群、删除集群和管理集群中的所有资源。"}' + labels: + iam.kubesphere.io/category: global-cluster-management + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-manage-clusters +spec: + description: + en: 'Create clusters, delete clusters, and manage resources in all clusters.' 
+ zh: '创建集群、删除集群和管理集群中的所有资源。' + displayName: + en: Cluster Management + zh: '集群管理' + rules: + - apiGroups: + - "" + - apiextensions.k8s.io + - app.k8s.io + - apps + - autoscaling + - batch + - events.k8s.io + - extensions + - node.k8s.io + - scheduling.k8s.io + - storage.k8s.io + - storage.k8s.io + - storage.kubesphere.io + - resources.kubesphere.io + - cluster.kubesphere.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - tenant.kubesphere.io + resources: + - workspaces + - workspacetemplates + verbs: + - update + - patch + - apiGroups: + - iam.kubesphere.io + resources: + - clustermembers + - clusterroles + verbs: + - '*' + - nonResourceURLs: + - '*' + verbs: + - GET + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"platform-settings": "manage"}' + labels: + iam.kubesphere.io/category: global-platform-settings + iam.kubesphere.io/hidden-role-template: "true" + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-manage-platform-settings +spec: + description: + zh: '查看和编辑 KubeSphere 平台的设置。' + en: 'View and edit settings of the KubeSphere platform.' + displayName: + en: Platform Settings Management + zh: '平台设置管理' + rules: + - apiGroups: + - extensions.kubesphere.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - kubesphere.io + resources: + - '*' + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["global-view-users"]' + iam.kubesphere.io/role-template-rules: '{"roles": "view"}' + labels: + iam.kubesphere.io/category: global-access-control + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-view-roles +spec: + description: + en: 'View platform roles.' 
+ zh: '查看平台角色。' + displayName: + en: Role Viewing + zh: '角色查看' + rules: + - apiGroups: + - iam.kubesphere.io + resources: + - globalroles + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"roles": "manage"}' + labels: + iam.kubesphere.io/category: global-access-control + iam.kubesphere.io/hidden-role-template: "true" + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-manage-roles +spec: + description: + en: 'Manage platform roles.' + zh: '管理平台角色。' + displayName: + en: Role Management + zh: '角色管理' + rules: + - apiGroups: + - '*' + resources: + - globalroles + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"users": "view"}' + labels: + iam.kubesphere.io/category: global-access-control + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-view-users +spec: + description: + en: 'View users.' + zh: '查看用户。' + displayName: + en: User Viewing + zh: '用户查看' + rules: + - apiGroups: + - '*' + resources: + - users + - users/loginrecords + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"users": "manage"}' + labels: + iam.kubesphere.io/category: global-access-control + iam.kubesphere.io/hidden-role-template: "true" + iam.kubesphere.io/scope: "global" + kubesphere.io/managed: "true" + name: global-manage-users +spec: + description: + en: 'Manage users.' 
+ zh: '管理用户。' + displayName: + en: User Management + zh: '用户管理' + rules: + - apiGroups: + - '*' + resources: + - users + - users/password + - users/loginrecords + verbs: + - '*' + + +# cluster scope role templates +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"cluster-settings": "view"}' + labels: + iam.kubesphere.io/category: cluster-settings + iam.kubesphere.io/scope: "cluster" + iam.kubesphere.io/aggregate-to-cluster-viewer: "" + kubesphere.io/managed: "true" + name: cluster-view-cluster-settings +spec: + displayName: + en: Cluster Settings View + zh: '集群设置查看' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"cluster-settings": "manage"}' + labels: + iam.kubesphere.io/category: cluster-settings + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: "true" + name: cluster-manage-cluster-settings +spec: + displayName: + en: Cluster Settings Management + zh: '集群设置管理' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"customresources": "view"}' + labels: + iam.kubesphere.io/category: cluster-resource-management + iam.kubesphere.io/scope: "cluster" + iam.kubesphere.io/aggregate-to-cluster-viewer: "" + kubesphere.io/managed: "true" + name: cluster-view-crds +spec: + displayName: + en: Custom Resource Definition Viewing + zh: '定制资源定义查看' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"customresources": "manage"}' + labels: + iam.kubesphere.io/category: cluster-resource-management + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: "true" + name: cluster-manage-crds +spec: + displayName: + en: Custom Resource Definition Management + zh: '定制资源定义管理' + rules: [] + +--- +apiVersion: 
iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"members": "view"}' + labels: + iam.kubesphere.io/category: cluster-access-control + iam.kubesphere.io/scope: "cluster" + iam.kubesphere.io/aggregate-to-cluster-viewer: "" + kubesphere.io/managed: 'true' + name: cluster-view-members +spec: + displayName: + en: Member Viewing + zh: '成员查看' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-roles", "cluster-view-members"]' + iam.kubesphere.io/role-template-rules: '{"members": "manage"}' + labels: + iam.kubesphere.io/category: cluster-access-control + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-manage-members +spec: + displayName: + en: Member Management + zh: '成员管理' + rules: [] + + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-members"]' + iam.kubesphere.io/role-template-rules: '{"roles": "view"}' + labels: + iam.kubesphere.io/category: cluster-access-control + iam.kubesphere.io/scope: "cluster" + iam.kubesphere.io/aggregate-to-cluster-viewer: "" + kubesphere.io/managed: 'true' + name: cluster-view-roles +spec: + displayName: + en: Role Viewing + zh: '角色查看' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-roles"]' + iam.kubesphere.io/role-template-rules: '{"roles": "manage"}' + labels: + iam.kubesphere.io/category: cluster-access-control + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-manage-roles +spec: + displayName: + en: Role Management + zh: '角色管理' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"nodes": "view"}' + labels: + 
iam.kubesphere.io/category: cluster-resource-management + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-view-nodes +spec: + displayName: + en: Node Viewing + zh: '节点查看' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-nodes"]' + iam.kubesphere.io/role-template-rules: '{"nodes": "manage"}' + labels: + iam.kubesphere.io/category: cluster-resource-management + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-manage-nodes +spec: + displayName: + en: Node Management + zh: '节点管理' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-projects"]' + iam.kubesphere.io/role-template-rules: '{"deployments":"view","statefulsets":"view", + "daemonsets":"view","jobs":"view","cronjobs":"view","pods":"view","services":"view","ingresses":"view", + "configmaps":"view","secrets":"view","serviceaccounts":"view"}' + labels: + iam.kubesphere.io/category: cluster-app-workloads-management + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-view-app-workloads +spec: + displayName: + en: Application Workload Viewing + zh: '应用负载查看' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-app-workloads", "cluster-view-projects"]' + iam.kubesphere.io/role-template-rules: '{"deployments":"manage","statefulsets":"manage", + "daemonsets":"manage","jobs":"manage","cronjobs":"manage","pods":"manage","services":"manage", + "ingresses":"manage","configmaps":"manage","secrets":"manage","serviceaccounts":"manage"}' + labels: + iam.kubesphere.io/category: cluster-app-workloads-management + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-manage-app-workloads +spec: + 
displayName: + en: Application Workload Management + zh: '应用负载管理' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"projects": "view"}' + labels: + iam.kubesphere.io/category: cluster-project-management + iam.kubesphere.io/scope: "cluster" + iam.kubesphere.io/aggregate-to-cluster-viewer: "" + kubesphere.io/managed: 'true' + name: cluster-view-projects +spec: + displayName: + en: Project Viewing + zh: '项目查看' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-projects"]' + iam.kubesphere.io/role-template-rules: '{"projects": "manage"}' + labels: + iam.kubesphere.io/category: cluster-project-management + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-manage-projects +spec: + displayName: + en: Project Management + zh: '项目管理' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-volumes"]' + iam.kubesphere.io/role-template-rules: '{"storageclasses": "view"}' + labels: + iam.kubesphere.io/category: cluster-storage-management + iam.kubesphere.io/scope: "cluster" + iam.kubesphere.io/aggregate-to-cluster-viewer: "" + kubesphere.io/managed: 'true' + name: cluster-view-storageclasses +spec: + displayName: + en: Storage Class Viewing + zh: '存储类查看' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-volumes", "cluster-view-storageclasses"]' + iam.kubesphere.io/role-template-rules: '{"storageclasses": "manage"}' + labels: + iam.kubesphere.io/category: cluster-storage-management + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-manage-storageclasses +spec: + displayName: + en: Storage Class Management + zh: 
'存储类管理' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"volumes": "view"}' + labels: + iam.kubesphere.io/category: cluster-storage-management + iam.kubesphere.io/aggregate-to-cluster-viewer: "" + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-view-volumes +spec: + displayName: + en: Persistent Volume Claim Viewing + zh: '持久卷声明查看' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["cluster-view-volumes", "cluster-view-storageclasses"]' + iam.kubesphere.io/role-template-rules: '{"volumes": "manage"}' + labels: + iam.kubesphere.io/category: cluster-storage-management + iam.kubesphere.io/scope: "cluster" + kubesphere.io/managed: 'true' + name: cluster-manage-volumes +spec: + displayName: + en: Persistent Volume Claim Management + zh: '持久卷声明管理' + rules: [] + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"components": "view"}' + labels: + iam.kubesphere.io/category: cluster-resource-management + iam.kubesphere.io/scope: "cluster" + iam.kubesphere.io/aggregate-to-cluster-viewer: "" + kubesphere.io/managed: 'true' + name: cluster-view-components +spec: + displayName: + en: System Component Viewing + zh: '系统组件查看' + rules: [] + +# workspace scope role templates +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"workspace-settings": "view"}' + labels: + iam.kubesphere.io/category: workspace-settings + iam.kubesphere.io/scope: "workspace" + iam.kubesphere.io/aggregate-to-regular: "" + iam.kubesphere.io/aggregate-to-viewer: "" + iam.kubesphere.io/aggregate-to-self-provisioner: "" + iam.kubesphere.io/hidden-role-template: 'true' + iam.kubesphere.io/basic-role-template: 'true' + 
kubesphere.io/managed: 'true' + name: workspace-view-workspace-settings +spec: + description: + en: 'View workspace settings.' + zh: '查看企业空间设置。' + displayName: + en: Workspace Settings Viewing + zh: '企业空间设置查看' + rules: + - apiGroups: + - '*' + resources: + - workspaces + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"workspace-settings": "manage"}' + labels: + iam.kubesphere.io/category: workspace-settings + iam.kubesphere.io/hidden-role-template: 'true' + iam.kubesphere.io/scope: "workspace" + kubesphere.io/managed: 'true' + name: workspace-manage-workspace-settings +spec: + description: + en: 'Manage workspace settings and edit workspace information and network policies.' + zh: '管理企业空间的基本信息、网络策略等设置。' + displayName: + en: Workspace Settings Management + zh: '企业空间设置管理' + rules: + - apiGroups: + - '*' + resources: + - workspaces + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"projects": "create"}' + labels: + iam.kubesphere.io/category: workspace-project-management + iam.kubesphere.io/aggregate-to-self-provisioner: "" + iam.kubesphere.io/scope: "workspace" + kubesphere.io/managed: 'true' + name: workspace-create-projects +spec: + description: + en: 'Create projects and become an administrator of the created projects.' 
+ zh: '创建项目并成为所创建的项目的管理员。' + displayName: + en: Project Creation + zh: '项目创建' + rules: + - apiGroups: + - '*' + resources: + - workspaces + - workspacemembers + - quotas + - abnormalworkloads + - pods + verbs: + - get + - list + - watch + - apiGroups: + - '*' + resources: + - namespaces + - federatednamespaces + verbs: + - create + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"projects": "view"}' + labels: + iam.kubesphere.io/category: workspace-project-management + iam.kubesphere.io/scope: "workspace" + iam.kubesphere.io/aggregate-to-viewer: "" + kubesphere.io/managed: 'true' + name: workspace-view-projects +spec: + description: + en: 'View all projects and project resources.' + zh: '查看企业空间中的所有项目及项目下的资源。' + displayName: + en: Project Viewing + zh: '项目查看' + rules: + - apiGroups: + - '*' + resources: + - namespaces + - configmaps + - endpoints + - events + - limitranges + - persistentvolumeclaims + - podtemplates + - replicationcontrollers + - resourcequotas + - secrets + - serviceaccounts + - services + - applications + - controllerrevisions + - deployments + - replicasets + - statefulsets + - daemonsets + - cronjobs + - jobs + - events + - ingresses + - router + - pods + - pods/log + - pods/containers + - namespacenetworkpolicies + - networkpolicies + - podsecuritypolicies + - rolebindings + - roles + - namespacemembers + - servicepolicies + - workspaces + - quotas + - abnormalworkloads + - workloads + - router + - strategies + verbs: + - get + - list + - watch + - apiGroups: + - apps + - extensions + - batch + - autoscaling + - app.k8s.io + - operations.kubesphere.io + - resources.kubesphere.io + resources: + - '*' + verbs: + - list + - get + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["workspace-view-projects","workspace-view-members","workspace-create-projects"]' + 
iam.kubesphere.io/role-template-rules: '{"projects": "manage"}' + labels: + iam.kubesphere.io/category: workspace-project-management + iam.kubesphere.io/scope: "workspace" + kubesphere.io/managed: 'true' + name: workspace-manage-projects +spec: + description: + en: 'Create, edit, and delete projects in the workspace.' + zh: '创建、编辑和删除企业空间中的项目。' + displayName: + en: Project Management + zh: '项目管理' + rules: + - apiGroups: + - apps + - extensions + - batch + - autoscaling + - app.k8s.io + - operations.kubesphere.io + - resources.kubesphere.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - '*' + resources: + - namespaces + - configmaps + - endpoints + - events + - limitranges + - persistentvolumeclaims + - podtemplates + - replicationcontrollers + - resourcequotas + - secrets + - serviceaccounts + - services + - applications + - controllerrevisions + - deployments + - replicasets + - statefulsets + - daemonsets + - meshpolicies + - cronjobs + - jobs + - events + - ingresses + - router + - pods + - pods/log + - pods/exec + - pods/containers + - namespacenetworkpolicies + - networkpolicies + - podsecuritypolicies + - rolebindings + - roles + - namespacemembers + - servicepolicies + - workspaces + - quotas + - abnormalworkloads + - workloads + - router + - strategies + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"members": "view"}' + labels: + iam.kubesphere.io/category: workspace-access-control + iam.kubesphere.io/scope: "workspace" + iam.kubesphere.io/aggregate-to-viewer: "" + kubesphere.io/managed: 'true' + name: workspace-view-members +spec: + description: + en: 'View workspace members.' 
+ zh: '查看企业空间成员。' + displayName: + en: Member Viewing + zh: '成员查看' + rules: + - apiGroups: + - '*' + resources: + - workspacemembers + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"members": "manage"}' + labels: + iam.kubesphere.io/category: workspace-access-control + iam.kubesphere.io/hidden-role-template: "true" + iam.kubesphere.io/scope: "workspace" + kubesphere.io/managed: 'true' + name: workspace-manage-members +spec: + description: + en: 'Manage workspace members.' + zh: '管理企业空间成员。' + displayName: + en: Member Management + zh: '成员管理' + rules: + - apiGroups: + - '*' + resources: + - workspacemembers + verbs: + - '*' + - apiGroups: + - '*' + resources: + - workspaceroles + verbs: + - list + - get + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["workspace-view-members"]' + iam.kubesphere.io/role-template-rules: '{"roles": "view"}' + labels: + iam.kubesphere.io/category: workspace-access-control + iam.kubesphere.io/scope: "workspace" + iam.kubesphere.io/aggregate-to-viewer: "" + kubesphere.io/managed: 'true' + name: workspace-view-roles +spec: + description: + en: 'View workspace roles.' + zh: '查看企业空间角色。' + displayName: + en: Role Viewing + zh: "角色查看" + rules: + - apiGroups: + - '*' + resources: + - workspaceroles + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"roles": "manage"}' + labels: + iam.kubesphere.io/category: workspace-access-control + iam.kubesphere.io/hidden-role-template: "true" + iam.kubesphere.io/scope: "workspace" + kubesphere.io/managed: 'true' + name: workspace-manage-roles +spec: + description: + en: 'Manage workspace roles.' 
+ zh: '管理企业空间角色。' + displayName: + en: Role Management + zh: '角色管理' + rules: + - apiGroups: + - '*' + resources: + - workspaceroles + verbs: + - '*' + +# namespace scope role templates +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"project-settings": "view"}' + labels: + iam.kubesphere.io/category: namespace-settings + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + iam.kubesphere.io/basic-role-template: 'true' + iam.kubesphere.io/hidden-role-template: 'true' + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/aggregate-to-viewer: "" + name: namespace-view-project-settings +spec: + description: + en: 'View project settings including project basic information, external access settings and resource quotas settings.' + zh: '查看项目设置,包括项目基本信息、外部访问设置、资源配额等。' + displayName: + en: Project Settings Viewing + zh: '项目设置查看' + rules: + - apiGroups: + - '*' + resources: + - 'namespaces' + verbs: + - 'get' + - apiGroups: + - 'resources.kubesphere.io' + resources: + - 'quotas' + - 'metrics' + verbs: + - 'list' + - apiGroups: + - '' + resources: + - 'limitranges' + verbs: + - 'list' + + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"project-settings": "manage"}' + labels: + iam.kubesphere.io/category: namespace-settings + iam.kubesphere.io/hidden-role-template: 'true' + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-manage-project-settings +spec: + description: + en: 'Manage project settings including project basic information, external access settings and resource quotas settings.' 
+ zh: '管理项目设置,包括项目基本信息、外部访问设置、资源配额等。' + displayName: + en: Project Settings Management + zh: '项目设置管理' + rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"members": "view"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/aggregate-to-viewer: "" + iam.kubesphere.io/category: namespace-access-control + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-view-members +spec: + description: + en: 'View project members.' + zh: '查看项目成员。' + displayName: + en: Member Viewing + zh: '成员查看' + rules: + - apiGroups: + - '*' + resources: + - namespacemembers + - rolebindings + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"members": "manage"}' + labels: + iam.kubesphere.io/category: namespace-access-control + iam.kubesphere.io/hidden-role-template: "true" + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-manage-members +spec: + description: + en: 'Manage project members.' + zh: '管理项目成员。' + displayName: + en: Member Management + zh: '成员管理' + rules: + - apiGroups: + - '*' + resources: + - namespacemembers + - rolebindings + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["namespace-view-members"]' + iam.kubesphere.io/role-template-rules: '{"roles": "view"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/aggregate-to-viewer: "" + iam.kubesphere.io/category: namespace-access-control + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-view-roles +spec: + description: + en: 'View project roles.' 
+ zh: '查看项目角色。' + displayName: + en: Role Viewing + zh: '角色查看' + rules: + - apiGroups: + - '*' + resources: + - roles + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"roles": "manage"}' + labels: + iam.kubesphere.io/category: namespace-access-control + iam.kubesphere.io/hidden-role-template: "true" + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-manage-roles +spec: + description: + en: 'Manage project roles.' + zh: '管理项目角色。' + displayName: + en: Role Management + zh: '角色管理' + rules: + - apiGroups: + - '*' + resources: + - roles + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["namespace-view-volumes","namespace-view-secrets","namespace-view-configmaps"]' + iam.kubesphere.io/role-template-rules: '{"applications":"view","deployments":"view","statefulsets":"view", + "daemonsets":"view","jobs":"view","cronjobs":"view","pods":"view","services":"view","ingresses":"view"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/aggregate-to-viewer: "" + iam.kubesphere.io/category: namespace-application-workloads + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-view-app-workloads +spec: + description: + en: 'View resources such as applications, services, workloads and jobs in the project.' 
+ zh: '查看项目中的应用、服务、工作负载和任务等资源。' + displayName: + en: Application Workload Viewing + zh: '应用负载查看' + rules: + - apiGroups: + - '*' + resources: + - services + - applications + - controllerrevisions + - deployments + - replicasets + - statefulsets + - daemonsets + - jobs + - cronjobs + - pods + - pods/log + - pods/containers + - services + - ingresses + - router + - horizontalpodautoscalers + - configmaps + - secrets + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["namespace-view-app-workloads"]' + iam.kubesphere.io/role-template-rules: '{"applications":"manage","deployments":"manage","statefulsets":"manage", + "daemonsets":"manage","jobs":"manage","cronjobs":"manage","pods":"manage","services":"manage","ingresses":"manage"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/category: namespace-application-workloads + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-manage-app-workloads +spec: + description: + en: 'Manage resources such as applications, services, workloads and jobs in the project.' 
+ zh: '管理项目中的应用、服务、工作负载和任务等资源。' + displayName: + en: Application Workload Management + zh: '应用负载管理' + rules: + - apiGroups: + - '*' + resources: + - services + - applications + - controllerrevisions + - deployments + - replicasets + - statefulsets + - daemonsets + - jobs + - cronjobs + - pods + - pods/log + - pods/exec + - pods/containers + - services + - ingresses + - router + - workloads + - horizontalpodautoscalers + verbs: + - '*' + - apiGroups: + - '*' + resources: + - secrets + - secrets + verbs: + - list + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"configmaps": "view"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/aggregate-to-viewer: "" + iam.kubesphere.io/category: namespace-configuration-management + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-view-configmaps +spec: + description: + en: 'View configmaps in the project.' + zh: '查看项目中的配置字典。' + displayName: + en: ConfigMap Viewing + zh: '配置字典查看' + rules: + - apiGroups: + - '*' + resources: + - configmaps + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["namespace-view-configmaps"]' + iam.kubesphere.io/role-template-rules: '{"configmaps": "manage"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/category: namespace-configuration-management + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-manage-configmaps +spec: + description: + en: 'Create, edit, and delete configmaps in the project.' 
+ zh: '创建、编辑和删除项目中的配置字典。' + displayName: + en: ConfigMap Management + zh: '配置字典管理' + rules: + - apiGroups: + - '*' + resources: + - configmaps + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/role-template-rules: '{"secrets": "view"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/aggregate-to-viewer: "" + iam.kubesphere.io/category: namespace-configuration-management + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-view-secrets +spec: + description: + en: 'View secrets in the project.' + zh: '查看项目中的保密字典。' + displayName: + en: Secret Viewing + zh: '保密字典查看' + rules: + - apiGroups: + - '*' + resources: + - secrets + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["namespace-view-secrets"]' + iam.kubesphere.io/role-template-rules: '{"secrets": "manage"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/category: namespace-configuration-management + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-manage-secrets +spec: + description: + en: 'Create, edit, and delete secrets in the project.' 
+ zh: '创建、编辑和删除项目中的保密字典。' + displayName: + en: Secret Management + zh: '保密字典管理' + rules: + - apiGroups: + - '*' + resources: + - secrets + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["namespace-view-roles","namespace-view-secrets"]' + iam.kubesphere.io/role-template-rules: '{"serviceaccounts": "view"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/aggregate-to-viewer: "" + iam.kubesphere.io/category: namespace-configuration-management + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-view-serviceaccount +spec: + description: + en: 'View service accounts in the project.' + zh: '查看项目中的服务账户。' + displayName: + en: Service Account Viewing + zh: '服务账户查看' + rules: + - apiGroups: + - '*' + resources: + - serviceaccounts + verbs: + - get + - list + - watch + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["namespace-view-serviceaccount"]' + iam.kubesphere.io/role-template-rules: '{"serviceaccounts": "manage"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/category: namespace-configuration-management + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-manage-serviceaccount +spec: + description: + en: 'Create, edit, and delete service accounts in the project.' 
+ zh: '创建、编辑和删除项目中的服务帐户。' + displayName: + en: Service Account Management + zh: '服务账户管理' + rules: + - apiGroups: + - '*' + resources: + - serviceaccounts + verbs: + - '*' + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["namespace-view-snapshots"]' + iam.kubesphere.io/role-template-rules: '{"volumes": "view"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/aggregate-to-viewer: "" + iam.kubesphere.io/category: namespace-storage-management + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-view-volumes +spec: + description: + en: 'View persistent volume claims in the project.' + zh: '查看项目中的持久卷声明。' + displayName: + en: Volume Viewing + zh: '持久卷声明查看' + rules: + - apiGroups: + - '*' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - apiGroups: + - '*' + resources: + - pods + verbs: + - list + +--- +apiVersion: iam.kubesphere.io/v1beta1 +kind: RoleTemplate +metadata: + annotations: + iam.kubesphere.io/dependencies: '["namespace-view-volumes","namespace-manage-snapshots"]' + iam.kubesphere.io/role-template-rules: '{"volumes": "manage"}' + labels: + iam.kubesphere.io/aggregate-to-operator: "" + iam.kubesphere.io/category: namespace-storage-management + iam.kubesphere.io/scope: "namespace" + kubesphere.io/managed: "true" + name: namespace-manage-volumes +spec: + description: + en: 'Create, edit, and delete persistent volume claims in the project.' + zh: '创建、编辑和删除项目中的持久卷声明。' + displayName: + en: Volume Management + zh: 持久卷声明管理 + rules: + - apiGroups: + - '*' + resources: + - persistentvolumeclaims + verbs: + - '*' + - apiGroups: + - '*' + resources: + - pods + verbs: + - list \ No newline at end of file diff --git a/src/main/ks-core/templates/serviceaccount.yaml b/src/main/ks-core/templates/serviceaccount.yaml new file mode 100644 index 000000000..67223275c --- /dev/null 
+++ b/src/main/ks-core/templates/serviceaccount.yaml @@ -0,0 +1,27 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "ks-core.serviceAccountName" . }} + namespace: kubesphere-system + labels: + {{- include "ks-core.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "ks-core.serviceAccountName" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: {{ include "ks-core.serviceAccountName" . }} + namespace: kubesphere-system diff --git a/src/main/ks-core/templates/services.yml b/src/main/ks-core/templates/services.yml new file mode 100644 index 000000000..73c346897 --- /dev/null +++ b/src/main/ks-core/templates/services.yml 
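Review bot: The ClusterRoleBinding to `cluster-admin` is rendered outside the `{{- if .Values.serviceAccount.create -}}` guard, so when a user sets `serviceAccount.create: false` the chart still binds whatever account is named by `ks-core.serviceAccountName` in `kubesphere-system` to full cluster privileges, without creating or owning that account. Either move the closing `{{- end }}` to below the binding, or add a second guard and state in the values comment for `serviceAccount.name` that a pre-existing account receives cluster-admin. The binding also uses the ServiceAccount's name as its own name, which is a cluster-scoped identifier; a chart-specific suffix such as `name: {{ include "ks-core.serviceAccountName" . }}-cluster-admin` avoids colliding with a same-named binding from another release. A short comment above `roleRef` explaining why `cluster-admin` is required rather than a scoped ClusterRole would help reviewers judge the grant, e.g. `# ks-core requires cluster-admin; TODO document the minimal rule set`.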
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + kubernetes.io/created-by: kubesphere.io/ks-apiserver + labels: + app: ks-apiserver + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-apiserver + namespace: kubesphere-system +spec: + ports: + - port: 80 + protocol: TCP + targetPort: 9090 + {{- with .Values.apiserver.nodePort }} + nodePort: + {{- toYaml . | nindent 8 }} + {{- end }} + selector: + {{- if eq .Values.role "host" }} + app: ks-apiserver + {{- else }} + app: ks-agent + {{- end }} + tier: backend + # version: {{ .Chart.AppVersion }} +{{- if .Values.apiserver.nodePort }} + type: NodePort +{{- else}} + type: ClusterIP +{{- end}} +--- + +apiVersion: v1 +kind: Service +metadata: + labels: + app: ks-controller-manager + tier: backend + version: {{ .Chart.AppVersion }} + name: ks-controller-manager + namespace: kubesphere-system +spec: + ports: + - port: 443 + protocol: TCP + targetPort: 8443 + selector: + {{- if eq .Values.role "host" }} + app: ks-controller-manager + {{- else }} + app: ks-agent + {{- end }} + tier: backend + # version: {{ .Chart.AppVersion }} + sessionAffinity: None + type: ClusterIP diff --git a/src/main/ks-core/templates/user.yaml b/src/main/ks-core/templates/user.yaml new file mode 100644 index 000000000..d19386b0e --- /dev/null +++ b/src/main/ks-core/templates/user.yaml @@ -0,0 +1,12 @@ +apiVersion: iam.kubesphere.io/v1beta1 +kind: User +metadata: + name: admin + annotations: + iam.kubesphere.io/uninitialized: "true" + iam.kubesphere.io/globalrole: "platform-admin" +spec: + email: admin@kubesphere.io + password: {{ include "getOrDefaultPass" . | quote }} +status: + state: Active \ No newline at end of file diff --git a/src/main/ks-core/templates/webhook.yaml b/src/main/ks-core/templates/webhook.yaml new file mode 100644 index 000000000..e89533a6f --- /dev/null +++ b/src/main/ks-core/templates/webhook.yaml 
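Review bot: The `{{- else}}` and `{{- end}}` actions at the bottom of the ks-apiserver Service drop the space used by every other action in this file (`{{- else }}`, `{{- end }}`); both forms render, but the mix reads as a paste error. The `nodePort` value is emitted with `{{- toYaml . | nindent 8 }}`, which puts a scalar on its own indented line under `nodePort:`; YAML accepts that continuation, but `nodePort: {{ . }}` says the same thing in one line and is what the `with` block already guarantees is non-empty. The commented `# version: {{ .Chart.AppVersion }}` selector line appears in both Services and is presumably intentional (a version-pinned selector would break rolling upgrades), but a comment saying so would stop the next maintainer from "fixing" it.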
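Review bot: The `admin` User is rendered with `password: {{ include "getOrDefaultPass" . | quote }}`, so the credential ends up in clear text in the release manifest (`helm get manifest`, `helm template` output, CI logs that print rendered charts). The `getOrDefaultPass` helper is not part of this diff, so it cannot be confirmed here whether it generates a random value or falls back to a fixed default when `adminPassword` is `""` as shipped in values.yaml; a comment above `password:` stating which it is, e.g. `# rendered in clear text; set adminPassword or rotate on first login (see getOrDefaultPass)`, would make the behavior reviewable. Whether the `status.state: Active` block is honored on create depends on the users CRD's status subresource settings, which are in the patch but not visible in this hunk; if the subresource is enabled the block is silently ignored and should be dropped or documented.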
@@ -0,0 +1,213 @@ +{{- $ca := genCA "ks-controller-manager-ca" 3650 }} +{{- $cn := printf "%s-admission-webhook" .Release.Name }} +{{- $altName1 := printf "ks-controller-manager.%s" .Release.Namespace }} +{{- $altName2 := printf "ks-controller-manager.%s.svc" .Release.Namespace }} +{{- $cert := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }} + +apiVersion: v1 +data: + ca.crt: {{ b64enc $ca.Cert | quote }} + tls.crt: {{ b64enc $cert.Cert | quote }} + tls.key: {{ b64enc $cert.Key | quote }} +kind: Secret +metadata: + name: ks-controller-manager-webhook-cert +type: Opaque + + +{{ if eq .Values.role "host" }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: users.iam.kubesphere.io +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-email-iam-kubesphere-io-v1beta1 + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: users.iam.kubesphere.io + namespaceSelector: {} + objectSelector: + matchExpressions: + - key: app.kubernetes.io/managed-by + operator: NotIn + values: + - Helm + rules: + - apiGroups: + - iam.kubesphere.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - users + scope: '*' + sideEffects: None + timeoutSeconds: 30 +{{ end }} + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: resourcesquotas.quota.kubesphere.io +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-quota-kubesphere-io-v1alpha2 + port: 443 + failurePolicy: Ignore + matchPolicy: Exact + name: resourcesquotas.quota.kubesphere.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE 
+ resources: + - pods + - persistentvolumeclaims + - services + scope: '*' + sideEffects: None + +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: extensions.kubesphere.io +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-extensions-kubesphere-io-v1alpha1-jsbundle + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: jsbundles.extensions.kubesphere.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - extensions.kubesphere.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jsbundles + scope: '*' + sideEffects: None + timeoutSeconds: 30 + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-extensions-kubesphere-io-v1alpha1-apiservice + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: apiservices.extensions.kubesphere.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - extensions.kubesphere.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - apiservices + scope: '*' + sideEffects: None + timeoutSeconds: 30 + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /validate-extensions-kubesphere-io-v1alpha1-reverseproxy + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: reverseproxies.extensions.kubesphere.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - extensions.kubesphere.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - reverseproxies + scope: '*' + sideEffects: None + timeoutSeconds: 30 + +--- +apiVersion: 
admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: extensions.kubesphere.io +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: {{ b64enc $ca.Cert | quote }} + service: + name: ks-controller-manager + namespace: kubesphere-system + path: /mutate-extensions-kubesphere-io-v1alpha1-jsbundle + port: 443 + failurePolicy: Fail + matchPolicy: Exact + name: jsbundles.extensions.kubesphere.io + namespaceSelector: {} + objectSelector: {} + rules: + - apiGroups: + - extensions.kubesphere.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jsbundles + scope: '*' + sideEffects: None + timeoutSeconds: 30 \ No newline at end of file diff --git a/src/main/ks-core/templates/workspace.yaml b/src/main/ks-core/templates/workspace.yaml new file mode 100644 index 000000000..ce8d9d9f7 --- /dev/null +++ b/src/main/ks-core/templates/workspace.yaml @@ -0,0 +1,15 @@ +{{ if eq .Values.role "host" }} +apiVersion: tenant.kubesphere.io/v1alpha2 +kind: WorkspaceTemplate +metadata: + annotations: + kubesphere.io/creator: admin + kubesphere.io/description: "system-workspace is a built-in workspace automatically created by KubeSphere. It contains all system components to run KubeSphere." + name: system-workspace +spec: + placement: + clusterSelector: {} + template: + spec: + manager: admin +{{ end }} \ No newline at end of file diff --git a/src/main/ks-core/values.yaml b/src/main/ks-core/values.yaml new file mode 100644 index 000000000..e6f51f8c8 --- /dev/null +++ b/src/main/ks-core/values.yaml 
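Review bot: The serving certificate's SANs are built from the release namespace (`ks-controller-manager.%s.svc` with `.Release.Namespace`), but every `clientConfig.service.namespace` is hardcoded to `kubesphere-system`; installed into any other namespace, the API server dials `ks-controller-manager.kubesphere-system.svc`, the SAN does not match, and every `failurePolicy: Fail` webhook blocks the guarded resources. Use one source for both, e.g. `namespace: {{ .Release.Namespace }}` in each `service:` block (six occurrences across the ValidatingWebhookConfigurations and the MutatingWebhookConfiguration). The `resourcesquotas.quota.kubesphere.io` webhook is the only one with `failurePolicy: Ignore` and no `timeoutSeconds`, which makes quota enforcement fail-open whenever ks-controller-manager is unreachable or slow; that is a defensible trade-off but deserves a comment such as `# fail-open by design: quota checks are skipped when the controller is unavailable`. Because `genCA`/`genSignedCert` run at template time, each `helm upgrade` presumably reissues the CA and rotates both the Secret and the `caBundle` values together; whether the running controller reloads the mounted Secret without a restart cannot be seen from this hunk and should be confirmed.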
@@ -0,0 +1,246 @@ +## @param global.imageRegistry Global Docker image registry +## @param global.tag Global Docker image tag +global: + imageRegistry: registry.cn-beijing.aliyuncs.com + tag: v4.0.0 + imagePullSecrets: [] + +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname +## +fullnameOverride: "" +## @param commonLabels Labels to add to all deployed objects +## +commonLabels: {} +## @param commonAnnotations Annotations to add to all deployed objects +## +commonAnnotations: {} + +role: host + +adminPassword: "" + +config: + # Specifies whether the kubesphere-config configmap should be created + create: true + authentication: + authenticateRateLimiterMaxTries: 10 + authenticationRateLimiterDuration: 10m0s + loginHistoryRetentionPeriod: 168h + maximumClockSkew: 10s + enableMultiLogin: true + oauthOptions: + clients: + - name: kubesphere + secret: kubesphere + redirectURIs: + - '*' + # Jwt Secret is required by ks-apiserver, a random string would be generated if it's empty + jwtSecret: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "kubesphere" + +podAnnotations: {} + +podSecurityContext: {} +# fsGroup: 2000 + +securityContext: {} +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# runAsUser: 1000 + +tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + key: node.kubernetes.io/not-ready + operator: Exists + tolerationSeconds: 60 + - effect: NoExecute + key: node.kubernetes.io/unreachable + operator: Exists + tolerationSeconds: 60 + +affinity: {} + +nodeSelector: {} + +## deployment specific configuration + +apiserver: + replicaCount: 1 + image: + registry: "" + repository: kse/ks-apiserver + tag: "" + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param containerPorts [array] List of container ports to enable in the ks-apiserver container + ## + containerPorts: + - protocol: TCP + containerPort: 9090 + nodePort: + ## ks-apiserver resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param resources.limits The resources limits for the haproxy containers + ## @param resources.requests The requested resources for the haproxy containers + ## + resources: + limits: + cpu: 1 + memory: 1024Mi + requests: + cpu: 20m + memory: 100Mi + ## @param command Override default container command (useful when using custom images) + ## + command: + - ks-apiserver + - --logtostderr=true + ## @param extraEnvVars Array with extra environment variables to add to haproxy nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## 
@param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the haproxy container(s) + ## + extraVolumeMounts: [] + ## @param extraVolumes Optionally specify extra list of additional volumes for the haproxy pod(s) + ## + extraVolumes: [] + +console: + replicaCount: 1 + image: + registry: "" + repository: kse/ks-console + tag: "" + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param containerPorts [array] List of container ports to enable in the ks-apiserver container + ## + containerPorts: [] + nodePort: 30880 + defaultClusterName: "default" + ## @param resources.limits The resources limits for the haproxy containers + ## @param resources.requests The requested resources for the haproxy containers + ## + resources: + limits: + cpu: 1 + memory: 1024Mi + requests: + cpu: 20m + memory: 100Mi + ## @param command Override default container command (useful when using custom images) + ## + command: [] + ## @param extraEnvVars Array with extra environment variables to add to haproxy nodes + ## + extraEnvVars: [] + ## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the haproxy container(s) + ## + extraVolumeMounts: [] + ## @param extraVolumes Optionally specify extra list of additional volumes for the haproxy pod(s) + ## + extraVolumes: [] + +controller: + replicaCount: 1 + image: + registry: "" + repository: kse/ks-controller-manager + tag: "" + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. 
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## e.g: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param containerPorts [array] List of container ports to enable in the ks-apiserver container + ## + containerPorts: + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP + ## @param resources.limits The resources limits for the haproxy containers + ## @param resources.requests The requested resources for the haproxy containers + ## + resources: + limits: + cpu: 1 + memory: 1000Mi + requests: + cpu: 30m + memory: 50Mi + ## @param command Override default container command (useful when using custom images) + ## + command: + - controller-manager + - --logtostderr=true + - --leader-elect=true + - --controllers=* + ## @param extraEnvVars Array with extra environment variables to add to haproxy nodes + ## + extraEnvVars: [] + ## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the haproxy container(s) + ## + extraVolumeMounts: [] + ## @param extraVolumes Optionally specify extra list of additional volumes for the haproxy pod(s) + ## + extraVolumes: [] + +agent: + replicaCount: 1 + +kubectl: + image: + registry: "" + repository: kubesphereio/kubectl + tag: "latest" + pullPolicy: IfNotPresent \ No newline at end of file
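Review bot: The default `config.authentication.oauthOptions.clients` entry ships a static client secret (`secret: kubesphere`) together with `redirectURIs: ['*']`, so every installation that does not override values shares the same OAuth client credential and accepts any redirect target; a wildcard redirect URI lets an authorization code be sent to an attacker-chosen URL, which is the classic OAuth open-redirect weakness. At minimum document this next to the entry, e.g. `# override in production: static secret and '*' redirect URI are for bootstrap only`, and consider an empty default that the helper fills, as `jwtSecret: ""` already does. `kubectl.image.tag: "latest"` is a mutable tag with no `digest`, unlike the other images, which leaves the kubectl image unpinned. `podSecurityContext: {}` and `securityContext: {}` leave the hardening options commented out; enabling `runAsNonRoot`/`readOnlyRootFilesystem` by default, or stating why they cannot be, would be worth a line. Several `@param` comments were copied from a haproxy chart ("resources limits for the haproxy containers", "add to haproxy nodes") and should name the ks-core components they describe.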