diff --git a/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml b/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml index f38a42c6..d78df96b 100644 --- a/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml +++ b/config/crd/bases/iam/iam.miloapis.com_policybindings.yaml @@ -140,7 +140,7 @@ spec: items: description: |- Subject contains a reference to the object or user identities a role binding applies to. - This can be a User or Group. + This can be a User, Group, or MachineAccount. properties: kind: description: Kind of object being referenced. Values defined @@ -148,6 +148,7 @@ spec: enum: - User - Group + - MachineAccount type: string name: description: |- @@ -157,8 +158,8 @@ spec: type: string namespace: description: |- - Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace. - For a User or Group, it is ignored. + Namespace of the referenced object. + If not specified for a Group, User or MachineAccount, it is ignored. type: string uid: description: UID of the referenced object. Optional for system diff --git a/docs/api/iam.md b/docs/api/iam.md index 1ee17986..ad793402 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -2055,7 +2055,7 @@ This can be a reference to a Role custom resource. Subject contains a reference to the object or user identities a role binding applies to. -This can be a User or Group. +This can be a User, Group, or MachineAccount. @@ -2072,7 +2072,7 @@ This can be a User or Group. @@ -2088,8 +2088,8 @@ users.
diff --git a/pkg/apis/iam/v1alpha1/policybinding_types.go b/pkg/apis/iam/v1alpha1/policybinding_types.go
index 3a1f36f2..cfca9ee7 100644
--- a/pkg/apis/iam/v1alpha1/policybinding_types.go
+++ b/pkg/apis/iam/v1alpha1/policybinding_types.go
@@ -16,21 +16,21 @@ type RoleReference struct {
 }
 
 // Subject contains a reference to the object or user identities a role binding applies to.
-// This can be a User or Group.
+// This can be a User, Group, or MachineAccount.
 // +k8s:deepcopy-gen=true
 // +kubebuilder:validation:XValidation:rule="(self.kind == 'Group' && has(self.name) && self.name.startsWith('system:')) || (has(self.uid) && size(self.uid) > 0)",message="UID is required for all subjects except system groups (groups with names starting with 'system:')"
 type Subject struct {
 	// Kind of object being referenced. Values defined in Kind constants.
 	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Enum=User;Group
+	// +kubebuilder:validation:Enum=User;Group;MachineAccount
 	Kind string `json:"kind"`
 	// Name of the object being referenced. A special group name of
 	// "system:authenticated-users" can be used to refer to all authenticated
 	// users.
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
-	// Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace.
-	// For a User or Group, it is ignored.
+	// Namespace of the referenced object.
+	// If not specified for a Group, User or MachineAccount, it is ignored.
 	// +kubebuilder:validation:Optional
 	Namespace string `json:"namespace,omitempty"`
 	// UID of the referenced object. Optional for system groups (groups with names starting with "system:").
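Review bot: The rewritten Namespace comment on the Subject struct is ambiguous: "If not specified for a Group, User or MachineAccount, it is ignored" names every value the Enum marker now allows, so it no longer says whether Namespace has any effect at all for a MachineAccount, whereas the removed text at least distinguished the namespaced service-account case from User and Group. If a MachineAccount is a namespaced object, state explicitly whether the field scopes the lookup or is informational next to the uid that the unchanged XValidation rule already requires for every non-system subject, e.g. `// Namespace of the referenced object. Ignored for User and Group subjects.` followed by one line giving the MachineAccount semantics once confirmed against the resolver. The Kind comment also says values are defined in Kind constants, but no MachineAccount constant appears in this hunk; confirm one exists elsewhere in the file so the Enum marker and the constants do not drift apart. The Subject struct continues past the end of the hunk.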
Kind of object being referenced. Values defined in Kind constants.

- Enum: User, Group
+ Enum: User, Group, MachineAccount
true
namespace string - Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace. -For a User or Group, it is ignored.
+ Namespace of the referenced object. +If not specified for a Group, User or MachineAccount, it is ignored.
false