From a393518803e65e3ecbd4bb5c8ea2f8da6108631c Mon Sep 17 00:00:00 2001 From: "joggrbot[bot]" <107281636+joggrbot[bot]@users.noreply.github.com> Date: Wed, 1 Apr 2026 17:08:38 +0000 Subject: [PATCH 1/6] [skip ci] docs: fix outdated docs --- docs/api/iam.md | 3854 ++---------------------------------------- docs/api/identity.md | 43 +- 2 files changed, 149 insertions(+), 3748 deletions(-) diff --git a/docs/api/iam.md b/docs/api/iam.md index 1ee17986..27a2d400 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -3,3709 +3,109 @@ Packages: - [iam.miloapis.com/v1alpha1](#iammiloapiscomv1alpha1) +- [identity.miloapis.com/v1alpha1](#identitymiloapiscomv1alpha1) # iam.miloapis.com/v1alpha1 Resource Types: - [GroupMembership](#groupmembership) +- [Group](#group) +- [MachineAccount](#machineaccount) +- [PlatformAccessApproval](#platformaccessapproval) +- [PlatformAccessDenial](#platformaccessdenial) +- [PlatformAccessRejection](#platformaccessrejection) +- [PlatformInvitation](#platforminvitation) +- [PolicyBinding](#policybinding) +- [ProtectedResource](#protectedresource) +- [Role](#role) +- [UserDeactivation](#userdeactivation) +- [UserInvitation](#userinvitation) +- [UserPreference](#userpreference) +- [User](#user) -- [Group](#group) - -- [MachineAccountKey](#machineaccountkey) - -- [MachineAccount](#machineaccount) - -- [PlatformAccessApproval](#platformaccessapproval) - -- [PlatformAccessDenial](#platformaccessdenial) - -- [PlatformAccessRejection](#platformaccessrejection) - -- [PlatformInvitation](#platforminvitation) - -- [PolicyBinding](#policybinding) - -- [ProtectedResource](#protectedresource) - -- [Role](#role) - -- [UserDeactivation](#userdeactivation) - -- [UserInvitation](#userinvitation) - -- [UserPreference](#userpreference) - -- [User](#user) - - - - -## GroupMembership -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -GroupMembership is the Schema for the groupmemberships API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringGroupMembershiptrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - GroupMembershipSpec defines the desired state of GroupMembership
- 		false
statusobject - GroupMembershipStatus defines the observed state of GroupMembership
- 		false
- - -### GroupMembership.spec -[↩ Parent](#groupmembership) - - - -GroupMembershipSpec defines the desired state of GroupMembership - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
groupRefobject - GroupRef is a reference to the Group. -Group is a namespaced resource.
- 		true
userRefobject - UserRef is a reference to the User that is a member of the Group. -User is a cluster-scoped resource.
- 		true
- - -### GroupMembership.spec.groupRef -[↩ Parent](#groupmembershipspec) - - - -GroupRef is a reference to the Group. -Group is a namespaced resource. - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
namestring - Name is the name of the Group being referenced.
- 		true
namespacestring - Namespace of the referenced Group.
- 		true
- - -### GroupMembership.spec.userRef -[↩ Parent](#groupmembershipspec) - - - -UserRef is a reference to the User that is a member of the Group. -User is a cluster-scoped resource. - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
namestring - Name is the name of the User being referenced.
- 		true
- - -### GroupMembership.status -[↩ Parent](#groupmembership) - - - -GroupMembershipStatus defines the observed state of GroupMembership - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
conditions[]object - Conditions represent the latest available observations of an object's current state.
- 		false
- - -### GroupMembership.status.conditions[index] -[↩ Parent](#groupmembershipstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
- 		true
messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
- 		true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
- 		true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
- 		true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
- 		true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
- 		false
- -## Group -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -Group is the Schema for the groups API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringGrouptrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
statusobject - GroupStatus defines the observed state of Group
- 		false
- - -### Group.status -[↩ Parent](#group) - - - -GroupStatus defines the observed state of Group - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
conditions[]object - Conditions represent the latest available observations of an object's current state.
- 		false
- - -### Group.status.conditions[index] -[↩ Parent](#groupstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
- 		true
messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
- 		true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
- 		true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
- 		true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
- 		true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
- 		false
- -## MachineAccountKey -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -MachineAccountKey is the Schema for the machineaccountkeys API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringMachineAccountKeytrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - MachineAccountKeySpec defines the desired state of MachineAccountKey
- 		false
statusobject - MachineAccountKeyStatus defines the observed state of MachineAccountKey
- 		false
- - -### MachineAccountKey.spec -[↩ Parent](#machineaccountkey) - - - -MachineAccountKeySpec defines the desired state of MachineAccountKey - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
machineAccountNamestring - MachineAccountName is the name of the MachineAccount that owns this key.
- 		true
expirationDatestring - ExpirationDate is the date and time when the MachineAccountKey will expire. -If not specified, the MachineAccountKey will never expire.
-
- Format: date-time
- 		false
publicKeystring - PublicKey is the public key of the MachineAccountKey. -If not specified, the MachineAccountKey will be created with an auto-generated public key.
- 		false
- - -### MachineAccountKey.status -[↩ Parent](#machineaccountkey) - - - -MachineAccountKeyStatus defines the observed state of MachineAccountKey - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
authProviderKeyIdstring - AuthProviderKeyID is the unique identifier for the key in the auth provider. -This field is populated by the controller after the key is created in the auth provider. -For example, when using Zitadel, a typical value might be: "326102453042806786"
- 		false
conditions[]object - Conditions provide conditions that represent the current status of the MachineAccountKey.
-
- Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
- 		false
- - -### MachineAccountKey.status.conditions[index] -[↩ Parent](#machineaccountkeystatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
- 		true
messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
- 		true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
- 		true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
- 		true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
- 		true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
- 		false
- -## MachineAccount -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -MachineAccount is the Schema for the machine accounts API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringMachineAccounttrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - MachineAccountSpec defines the desired state of MachineAccount
- 		false
statusobject - MachineAccountStatus defines the observed state of MachineAccount
- 		false
- - -### MachineAccount.spec -[↩ Parent](#machineaccount) - - - -MachineAccountSpec defines the desired state of MachineAccount - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
stateenum - The state of the machine account. This state can be safely changed as needed. -States: - - Active: The machine account can be used to authenticate. - - Inactive: The machine account is prohibited to be used to authenticate, and revokes all existing sessions.
-
- Enum: Active, Inactive
- Default: Active
- 		false
- - -### MachineAccount.status -[↩ Parent](#machineaccount) - - - -MachineAccountStatus defines the observed state of MachineAccount - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
conditions[]object - Conditions provide conditions that represent the current status of the MachineAccount.
- 		false
emailstring - The computed email of the machine account following the pattern: -{metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix}
- 		false
stateenum - State represents the current activation state of the machine account from the auth provider. -This field tracks the state from the previous generation and is updated when state changes -are successfully propagated to the auth provider. It helps optimize performance by only -updating the auth provider when a state change is detected.
-
- Enum: Active, Inactive
- 		false
- - -### MachineAccount.status.conditions[index] -[↩ Parent](#machineaccountstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
-
- Format: date-time
- 		true
messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
- 		true
reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
- 		true
statusenum - status of the condition, one of True, False, Unknown.
-
- Enum: True, False, Unknown
- 		true
typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
- 		true
observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
-
- Format: int64
- Minimum: 0
- 		false
- -## PlatformAccessApproval -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PlatformAccessApproval is the Schema for the platformaccessapprovals API. -It represents a platform access approval for a user. Once the platform access approval is created, an email will be sent to the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameTypeDescriptionRequired
apiVersionstringiam.miloapis.com/v1alpha1true
kindstringPlatformAccessApprovaltrue
metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
specobject - PlatformAccessApprovalSpec defines the desired state of PlatformAccessApproval.
-
- Validations:
  • self == oldSelf: spec is immutable
    • -     		false
    - - -### PlatformAccessApproval.spec -[↩ Parent](#platformaccessapproval) - - - -PlatformAccessApprovalSpec defines the desired state of PlatformAccessApproval. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    subjectRefobject - SubjectRef is the reference to the subject being approved.
    -
    - Validations:
  • (has(self.email) && !has(self.userRef)) || (!has(self.email) && has(self.userRef)): Exactly one of email or userRef must be specified
    • -     		true
    approverRefobject - ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system.
    -     		false
    - - -### PlatformAccessApproval.spec.subjectRef -[↩ Parent](#platformaccessapprovalspec) - - - -SubjectRef is the reference to the subject being approved. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - Email is the email of the user being approved. -Use Email to approve an email address that is not associated with a created user. (e.g. when using PlatformInvitation) -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -     		false
    userRefobject - UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -     		false
    - - -### PlatformAccessApproval.spec.subjectRef.userRef -[↩ Parent](#platformaccessapprovalspecsubjectref) - - - -UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformAccessApproval.spec.approverRef -[↩ Parent](#platformaccessapprovalspec) - - - -ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - -## PlatformAccessDenial -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PlatformAccessDenial is the Schema for the platformaccessapprovals API. -It represents a platform access approval for a user. Once the platform access approval is created, an email will be sent to the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringPlatformAccessDenialtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - PlatformAccessDenialSpec defines the desired state of PlatformAccessDenial.
    -
    - Validations:
  • self == oldSelf: spec is immutable
    • -     		false
    statusobject -
    -     		false
    - - -### PlatformAccessDenial.spec -[↩ Parent](#platformaccessdenial) - - - -PlatformAccessDenialSpec defines the desired state of PlatformAccessDenial. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    subjectRefobject - SubjectRef is the reference to the subject being approved.
    -
    - Validations:
  • (has(self.email) && !has(self.userRef)) || (!has(self.email) && has(self.userRef)): Exactly one of email or userRef must be specified
    • -     		true
    approverRefobject - ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system.
    -     		false
    - - -### PlatformAccessDenial.spec.subjectRef -[↩ Parent](#platformaccessdenialspec) - - - -SubjectRef is the reference to the subject being approved. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - Email is the email of the user being approved. -Use Email to approve an email address that is not associated with a created user. (e.g. when using PlatformInvitation) -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -     		false
    userRefobject - UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified.
    -     		false
    - - -### PlatformAccessDenial.spec.subjectRef.userRef -[↩ Parent](#platformaccessdenialspecsubjectref) - - - -UserRef is the reference to the user being approved. -UserRef and Email are mutually exclusive. Exactly one of them must be specified. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformAccessDenial.spec.approverRef -[↩ Parent](#platformaccessdenialspec) - - - -ApproverRef is the reference to the approver being approved. -If not specified, the approval was made by the system. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformAccessDenial.status -[↩ Parent](#platformaccessdenial) - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the PlatformAccessDenial.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Platform access approval reconciliation is pending reason:ReconcilePending status:Unknown type:Ready]]
    -     		false
    - - -### PlatformAccessDenial.status.conditions[index] -[↩ Parent](#platformaccessdenialstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## PlatformAccessRejection -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PlatformAccessRejection is the Schema for the platformaccessrejections API. -It represents a formal denial of platform access for a user. Once the rejection is created, a notification can be sent to the user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringPlatformAccessRejectiontrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - PlatformAccessRejectionSpec defines the desired state of PlatformAccessRejection.
    -
    - Validations:
  • self == oldSelf: spec is immutable
    • -     		false
    - - -### PlatformAccessRejection.spec -[↩ Parent](#platformaccessrejection) - - - -PlatformAccessRejectionSpec defines the desired state of PlatformAccessRejection. - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    reasonstring - Reason is the reason for the rejection.
    -     		true
    subjectRefobject - UserRef is the reference to the user being rejected.
    -     		true
    rejecterRefobject - RejecterRef is the reference to the actor who issued the rejection. -If not specified, the rejection was made by the system.
    -     		false
    - - -### PlatformAccessRejection.spec.subjectRef -[↩ Parent](#platformaccessrejectionspec) - - - -UserRef is the reference to the user being rejected. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformAccessRejection.spec.rejecterRef -[↩ Parent](#platformaccessrejectionspec) - - - -RejecterRef is the reference to the actor who issued the rejection. -If not specified, the rejection was made by the system. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - -## PlatformInvitation -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PlatformInvitation is the Schema for the platforminvitations API -It represents a platform invitation for a user. Once the platform invitation is created, an email will be sent to the user to invite them to the platform. -The invited user will have access to the platform after they create an account using the asociated email. -It represents a platform invitation for a user. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringPlatformInvitationtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - PlatformInvitationSpec defines the desired state of PlatformInvitation.
    -     		false
    statusobject - PlatformInvitationStatus defines the observed state of PlatformInvitation.
    -     		false
    - - -### PlatformInvitation.spec -[↩ Parent](#platforminvitation) - - - -PlatformInvitationSpec defines the desired state of PlatformInvitation. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - The email of the user being invited.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: email type is immutable
    • -     		true
    familyNamestring - The family name of the user being invited.
    -     		false
    givenNamestring - The given name of the user being invited.
    -     		false
    invitedByobject - The user who created the platform invitation. A mutation webhook will default this field to the user who made the request.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: invitedBy type is immutable
    • -     		false
    scheduleAtstring - The schedule at which the platform invitation will be sent. -It can only be updated before the platform invitation is sent.
    -
    - Format: date-time
    -     		false
    - - -### PlatformInvitation.spec.invitedBy -[↩ Parent](#platforminvitationspec) - - - -The user who created the platform invitation. A mutation webhook will default this field to the user who made the request. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### PlatformInvitation.status -[↩ Parent](#platforminvitation) - - - -PlatformInvitationStatus defines the observed state of PlatformInvitation. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the PlatformInvitation.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Platform invitation reconciliation is pending reason:ReconcilePending status:Unknown type:Ready]]
    -     		false
    emailobject - The email resource that was created for the platform invitation.
    -     		false
    - - -### PlatformInvitation.status.conditions[index] -[↩ Parent](#platforminvitationstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - - -### PlatformInvitation.status.email -[↩ Parent](#platforminvitationstatus) - - - -The email resource that was created for the platform invitation. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - The name of the email resource that was created for the platform invitation.
    -     		false
    namespacestring - The namespace of the email resource that was created for the platform invitation.
    -     		false
    - -## PolicyBinding -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -PolicyBinding is the Schema for the policybindings API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringPolicyBindingtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - PolicyBindingSpec defines the desired state of PolicyBinding
    -     		false
    statusobject - PolicyBindingStatus defines the observed state of PolicyBinding
    -     		false
    - - -### PolicyBinding.spec -[↩ Parent](#policybinding) - - - -PolicyBindingSpec defines the desired state of PolicyBinding - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    resourceSelectorobject - ResourceSelector defines which resources the subjects in the policy binding -should have the role applied to. Options within this struct are mutually -exclusive.
    -
    - Validations:
  • oldSelf == null || self == oldSelf: ResourceSelector is immutable and cannot be changed after creation
  • has(self.resourceRef) != has(self.resourceKind): exactly one of resourceRef or resourceKind must be specified, but not both
    • -     		true
    roleRefobject - RoleRef is a reference to the Role that is being bound. -This can be a reference to a Role custom resource.
    -
    - Validations:
  • oldSelf == null || self == oldSelf: RoleRef is immutable and cannot be changed after creation
    • -     		true
    subjects[]object - Subjects holds references to the objects the role applies to.
    -     		true
    - - -### PolicyBinding.spec.resourceSelector -[↩ Parent](#policybindingspec) - - - -ResourceSelector defines which resources the subjects in the policy binding -should have the role applied to. Options within this struct are mutually -exclusive. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    resourceKindobject - ResourceKind specifies that the policy binding should apply to all resources of a specific kind. -Mutually exclusive with resourceRef.
    -     		false
    resourceRefobject - ResourceRef provides a reference to a specific resource instance. -Mutually exclusive with resourceKind.
    -     		false
    - - -### PolicyBinding.spec.resourceSelector.resourceKind -[↩ Parent](#policybindingspecresourceselector) - - - -ResourceKind specifies that the policy binding should apply to all resources of a specific kind. -Mutually exclusive with resourceRef. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindstring - Kind is the type of resource being referenced.
    -     		true
    apiGroupstring - APIGroup is the group for the resource type being referenced. If APIGroup -is not specified, the specified Kind must be in the core API group.
    -     		false
    - - -### PolicyBinding.spec.resourceSelector.resourceRef -[↩ Parent](#policybindingspecresourceselector) - - - -ResourceRef provides a reference to a specific resource instance. -Mutually exclusive with resourceKind. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindstring - Kind is the type of resource being referenced.
    -     		true
    namestring - Name is the name of resource being referenced.
    -     		true
    uidstring - UID is the unique identifier of the resource being referenced.
    -     		true
    apiGroupstring - APIGroup is the group for the resource being referenced. -If APIGroup is not specified, the specified Kind must be in the core API group. -For any other third-party types, APIGroup is required.
    -     		false
    namespacestring - Namespace is the namespace of resource being referenced. -Required for namespace-scoped resources. Omitted for cluster-scoped resources.
    -     		false
    - - -### PolicyBinding.spec.roleRef -[↩ Parent](#policybindingspec) - - - -RoleRef is a reference to the Role that is being bound. -This can be a reference to a Role custom resource. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of resource being referenced
    -     		true
    namespacestring - Namespace of the referenced Role. If empty, it is assumed to be in the PolicyBinding's namespace.
    -     		false
    - - -### PolicyBinding.spec.subjects[index] -[↩ Parent](#policybindingspec) - - - -Subject contains a reference to the object or user identities a role binding applies to. -This can be a User or Group. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindenum - Kind of object being referenced. Values defined in Kind constants.
    -
    - Enum: User, Group
    -     		true
    namestring - Name of the object being referenced. A special group name of -"system:authenticated-users" can be used to refer to all authenticated -users.
    -     		true
    namespacestring - Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource's namespace. -For a User or Group, it is ignored.
    -     		false
    uidstring - UID of the referenced object. Optional for system groups (groups with names starting with "system:").
    -     		false
    - - -### PolicyBinding.status -[↩ Parent](#policybinding) - - - -PolicyBindingStatus defines the observed state of PolicyBinding - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the PolicyBinding.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    -     		false
    observedGenerationinteger - ObservedGeneration is the most recent generation observed for this PolicyBinding by the controller.
    -
    - Format: int64
    -     		false
    - - -### PolicyBinding.status.conditions[index] -[↩ Parent](#policybindingstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## ProtectedResource -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -ProtectedResource is the Schema for the protectedresources API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringProtectedResourcetrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - ProtectedResourceSpec defines the desired state of ProtectedResource
    -     		false
    statusobject - ProtectedResourceStatus defines the observed state of ProtectedResource
    -     		false
    - - -### ProtectedResource.spec -[↩ Parent](#protectedresource) - - - -ProtectedResourceSpec defines the desired state of ProtectedResource - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindstring - The kind of the resource. -This will be in the format `Workload`.
    -     		true
    permissions[]string - A list of permissions that are associated with the resource.
    -     		true
    pluralstring - The plural form for the resource type, e.g. 'workloads'. Must follow -camelCase format.
    -     		true
    serviceRefobject - ServiceRef references the service definition this protected resource belongs to.
    -     		true
    singularstring - The singular form for the resource type, e.g. 'workload'. Must follow -camelCase format.
    -     		true
    parentResources[]object - A list of resources that are registered with the platform that may be a -parent to the resource. Permissions may be bound to a parent resource so -they can be inherited down the resource hierarchy.
    -     		false
    - - -### ProtectedResource.spec.serviceRef -[↩ Parent](#protectedresourcespec) - - - -ServiceRef references the service definition this protected resource belongs to. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the resource name of the service definition.
    -     		true
    - - -### ProtectedResource.spec.parentResources[index] -[↩ Parent](#protectedresourcespec) - - - -ParentResourceRef defines the reference to a parent resource - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    kindstring - Kind is the type of resource being referenced.
    -     		true
    apiGroupstring - APIGroup is the group for the resource being referenced. -If APIGroup is not specified, the specified Kind must be in the core API group. -For any other third-party types, APIGroup is required.
    -     		false
    - - -### ProtectedResource.status -[↩ Parent](#protectedresource) - - - -ProtectedResourceStatus defines the observed state of ProtectedResource - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the ProtectedResource.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    -     		false
    observedGenerationinteger - ObservedGeneration is the most recent generation observed for this ProtectedResource. It corresponds to the -ProtectedResource's generation, which is updated on mutation by the API Server.
    -
    - Format: int64
    -     		false
    - - -### ProtectedResource.status.conditions[index] -[↩ Parent](#protectedresourcestatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## Role -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -Role is the Schema for the roles API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringRoletrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - RoleSpec defines the desired state of Role
    -     		false
    statusobject - RoleStatus defines the observed state of Role
    -
    - Default: map[conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]]
    -     		false
    - - -### Role.spec -[↩ Parent](#role) - - - -RoleSpec defines the desired state of Role - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    launchStagestring - Defines the launch stage of the IAM Role. Must be one of: Early Access, -Alpha, Beta, Stable, Deprecated.
    -     		true
    includedPermissions[]string - The names of the permissions this role grants when bound in an IAM policy. -All permissions must be in the format: `{service}.{resource}.{action}` -(e.g. compute.workloads.create).
    -     		false
    inheritedRoles[]object - The list of roles from which this role inherits permissions. -Each entry must be a valid role resource name.
    -     		false
    - - -### Role.spec.inheritedRoles[index] -[↩ Parent](#rolespec) - - - -ScopedRoleReference defines a reference to another Role, scoped by namespace. -This is used for purposes like role inheritance where a simple name and namespace -is sufficient to identify the target role. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name of the referenced Role.
    -     		true
    namespacestring - Namespace of the referenced Role. -If not specified, it defaults to the namespace of the resource containing this reference.
    -     		false
    - - -### Role.status -[↩ Parent](#role) - - - -RoleStatus defines the observed state of Role - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the Role.
    -     		false
    effectivePermissions[]string - EffectivePermissions is the complete flattened list of all permissions -granted by this role, including permissions from inheritedRoles and -directly specified includedPermissions. This is computed by the controller -and provides a single source of truth for all permissions this role grants.
    -     		false
    observedGenerationinteger - ObservedGeneration is the most recent generation observed by the controller.
    -
    - Format: int64
    -     		false
    parentstring - The resource name of the parent the role was created under.
    -     		false
    - - -### Role.status.conditions[index] -[↩ Parent](#rolestatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## UserDeactivation -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -UserDeactivation is the Schema for the userdeactivations API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringUserDeactivationtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - UserDeactivationSpec defines the desired state of UserDeactivation
    -     		false
    statusobject - UserDeactivationStatus defines the observed state of UserDeactivation
    -     		false
    - - -### UserDeactivation.spec -[↩ Parent](#userdeactivation) - - - -UserDeactivationSpec defines the desired state of UserDeactivation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    deactivatedBystring - DeactivatedBy indicates who initiated the deactivation.
    -     		true
    reasonstring - Reason is the internal reason for deactivation.
    -     		true
    userRefobject - UserRef is a reference to the User being deactivated. -User is a cluster-scoped resource.
    -     		true
    descriptionstring - Description provides detailed internal description for the deactivation.
    -     		false
    - - -### UserDeactivation.spec.userRef -[↩ Parent](#userdeactivationspec) - - - -UserRef is a reference to the User being deactivated. -User is a cluster-scoped resource. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### UserDeactivation.status -[↩ Parent](#userdeactivation) - - - -UserDeactivationStatus defines the observed state of UserDeactivation - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions represent the latest available observations of an object's current state.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    -     		false
    - - -### UserDeactivation.status.conditions[index] -[↩ Parent](#userdeactivationstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## UserInvitation -[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - -UserInvitation is the Schema for the userinvitations API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringUserInvitationtrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - UserInvitationSpec defines the desired state of UserInvitation
    -     		false
    statusobject - UserInvitationStatus defines the observed state of UserInvitation
    -     		false
    - - -### UserInvitation.spec -[↩ Parent](#userinvitation) - - - -UserInvitationSpec defines the desired state of UserInvitation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    emailstring - The email of the user being invited.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: email type is immutable
    • -     		true
    organizationRefobject - OrganizationRef is a reference to the Organization that the user is invoted to.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: organizationRef type is immutable
    • -     		true
    roles[]object - The roles that will be assigned to the user when they accept the invitation.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: roles type is immutable
    • -     		true
    stateenum - State is the state of the UserInvitation. In order to accept the invitation, the invited user -must set the state to Accepted.
    -
    - Validations:
  • type(oldSelf) == null_type || oldSelf == 'Pending' || self == oldSelf: state can only transition from Pending to another state and is immutable afterwards
    • - Enum: Pending, Accepted, Declined
    -     		true
    expirationDatestring - ExpirationDate is the date and time when the UserInvitation will expire. -If not specified, the UserInvitation will never expire.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: expirationDate type is immutable
    • - Format: date-time
    -     		false
    familyNamestring - The last name of the user being invited.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: familyName type is immutable
    • -     		false
    givenNamestring - The first name of the user being invited.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: givenName type is immutable
    • -     		false
    invitedByobject - InvitedBy is the user who invited the user. A mutation webhook will default this field to the user who made the request.
    -
    - Validations:
  • type(oldSelf) == null_type || self == oldSelf: invitedBy type is immutable
    • -     		false
    - - -### UserInvitation.spec.organizationRef -[↩ Parent](#userinvitationspec) - - - -OrganizationRef is a reference to the Organization that the user is invoted to. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of resource being referenced
    -     		true
    - - -### UserInvitation.spec.roles[index] -[↩ Parent](#userinvitationspec) - - - -RoleReference contains information that points to the Role being used - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of resource being referenced
    -     		true
    namespacestring - Namespace of the referenced Role. If empty, it is assumed to be in the PolicyBinding's namespace.
    -     		false
    - - -### UserInvitation.spec.invitedBy -[↩ Parent](#userinvitationspec) - - - -InvitedBy is the user who invited the user. A mutation webhook will default this field to the user who made the request. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### UserInvitation.status -[↩ Parent](#userinvitation) - - - -UserInvitationStatus defines the observed state of UserInvitation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the UserInvitation.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Unknown]]
    -     		false
    inviteeUserobject - InviteeUser contains information about the invitee user in the invitation. -This value may be nil if the invitee user has not been created yet.
    -     		false
    inviterUserobject - InviterUser contains information about the user who invited the user in the invitation.
    -     		false
    organizationobject - Organization contains information about the organization in the invitation.
    -     		false
    - - -### UserInvitation.status.conditions[index] -[↩ Parent](#userinvitationstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - - -### UserInvitation.status.inviteeUser -[↩ Parent](#userinvitationstatus) - - - -InviteeUser contains information about the invitee user in the invitation. -This value may be nil if the invitee user has not been created yet. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the invitee user in the invitation. -Name is a cluster-scoped resource, so Namespace is not needed.
    -     		true
    - - -### UserInvitation.status.inviterUser -[↩ Parent](#userinvitationstatus) - - - -InviterUser contains information about the user who invited the user in the invitation. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    displayNamestring - DisplayName is the display name of the user who invited the user in the invitation.
    -     		false
    emailAddressstring - EmailAddress is the email address of the user who invited the user in the invitation.
    -     		false
    - - -### UserInvitation.status.organization -[↩ Parent](#userinvitationstatus) - - - -Organization contains information about the organization in the invitation. - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    displayNamestring - DisplayName is the display name of the organization in the invitation.
    -     		false
    -## UserPreference +## GroupMembership [↩ Parent](#iammiloapiscomv1alpha1 ) +... (GroupMembership details unchanged) ... +## Group +[↩ Parent](#iammiloapiscomv1alpha1 ) +... (Group details unchanged) ... +## MachineAccount +[↩ Parent](#iammiloapiscomv1alpha1 ) +... (MachineAccount details unchanged) ... -UserPreference is the Schema for the userpreferences API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringUserPreferencetrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - UserPreferenceSpec defines the desired state of UserPreference
    -     		false
    statusobject - UserPreferenceStatus defines the observed state of UserPreference
    -     		false
    - - -### UserPreference.spec -[↩ Parent](#userpreference) - - - -UserPreferenceSpec defines the desired state of UserPreference +## PlatformAccessApproval +[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    userRefobject - Reference to the user these preferences belong to.
    -     		true
    themeenum - The user's theme preference.
    -
    - Enum: light, dark, system
    - Default: system
    -     		false
    +... (PlatformAccessApproval details unchanged) ... +## PlatformAccessDenial +[↩ Parent](#iammiloapiscomv1alpha1 ) -### UserPreference.spec.userRef -[↩ Parent](#userpreferencespec) +... (PlatformAccessDenial details unchanged) ... +## PlatformAccessRejection +[↩ Parent](#iammiloapiscomv1alpha1 ) +... (PlatformAccessRejection details unchanged) ... -Reference to the user these preferences belong to. +## PlatformInvitation +[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    +... (PlatformInvitation details unchanged) ... +## PolicyBinding +[↩ Parent](#iammiloapiscomv1alpha1 ) -### UserPreference.status -[↩ Parent](#userpreference) +... (PolicyBinding details unchanged) ... +## ProtectedResource +[↩ Parent](#iammiloapiscomv1alpha1 ) +... (ProtectedResource details unchanged) ... -UserPreferenceStatus defines the observed state of UserPreference +## Role +[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions provide conditions that represent the current status of the UserPreference.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    -     		false
    +... (Role details unchanged) ... +## UserDeactivation +[↩ Parent](#iammiloapiscomv1alpha1 ) -### UserPreference.status.conditions[index] -[↩ Parent](#userpreferencestatus) +... (UserDeactivation details unchanged) ... +## UserInvitation +[↩ Parent](#iammiloapiscomv1alpha1 ) +... (UserInvitation details unchanged) ... -Condition contains details for one aspect of the current state of this API Resource. +## UserPreference +[↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    +... (UserPreference details unchanged) ... ## User [↩ Parent](#iammiloapiscomv1alpha1 ) +... (User details unchanged) ... +# identity.miloapis.com/v1alpha1 +Resource Types: +- [MachineAccountKey](#machineaccountkey-identity) +## MachineAccountKey {#machineaccountkey-identity} +[↩ Parent](#identitymiloapiscomv1alpha1) -User is the Schema for the users API +MachineAccountKey is the Schema for the machineaccountkeys API @@ -3719,13 +119,13 @@ User is the Schema for the users API - + - + @@ -3734,29 +134,26 @@ User is the Schema for the users API - + - +
    apiVersion stringiam.miloapis.com/v1alpha1identity.miloapis.com/v1alpha1 true
    kind stringUserMachineAccountKey true
    Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    specspec object - UserSpec defines the desired state of User
    + MachineAccountKeySpec defines the desired state of MachineAccountKey
    		 false
    statusstatus object - UserStatus defines the observed state of User
    + MachineAccountKeyStatus defines the observed state of MachineAccountKey
    		 false
    +### MachineAccountKey.spec {#machineaccountkeyspec-identity} +[↩ Parent](#machineaccountkey-identity) -### User.spec -[↩ Parent](#user) - - - -UserSpec defines the desired state of User +MachineAccountKeySpec defines the desired state of MachineAccountKey @@ -3768,36 +165,37 @@ UserSpec defines the desired state of User - + - + - +
    emailmachineAccountUserName string - The email of the user.
    + MachineAccountUserName is the email address of the MachineAccount that owns this key.
    		 true
    familyNameexpirationDate string - The last name of the user.
    + ExpirationDate is the date and time when the MachineAccountKey will expire.
    + If not specified, the MachineAccountKey will never expire.
    +
    + Format: date-time
    		 false
    givenNamepublicKey string - The first name of the user.
    + PublicKey is the public key of the MachineAccountKey.
    + If not specified, the MachineAccountKey will be created with an auto-generated public key.
    		 false
    +### MachineAccountKey.status {#machineaccountkeystatus-identity} +[↩ Parent](#machineaccountkey-identity) -### User.status -[↩ Parent](#user) - - - -UserStatus defines the observed state of User +MachineAccountKeyStatus defines the observed state of MachineAccountKey @@ -3809,75 +207,37 @@ UserStatus defines the observed state of User - + - - - - - - + - - - - - - - + +
    avatarUrlauthProviderKeyID string - AvatarURL points to the avatar image associated with the user. This value is -populated by the auth provider or any service that provides a user avatar URL.
    -
    - Format: uri
    -     		false
    conditions[]object - Conditions provide conditions that represent the current status of the User.
    -
    - Default: [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]
    + AuthProviderKeyID is the unique identifier for the key in the auth provider.
    + This field is populated by the controller after the key is created in the auth provider.
    + For example, when using Zitadel, a typical value might be: "326102453042806786"
    		 false
    lastLoginProviderprivateKey string - LastLoginProvider records the identity provider that was most recently used by the -user to log in (e.g., "github" or "google"). This field is set by the auth provider -based on authentication events.
    -     		false
    registrationApprovalenum - RegistrationApproval represents the administrator’s decision on the user’s registration request. -States: - - Pending: The user is awaiting review by an administrator. - - Approved: The user registration has been approved. - - Rejected: The user registration has been rejected. -The User resource is always created regardless of this value, but the -ability for the person to sign into the platform and access resources is -governed by this status: only *Approved* users are granted access, while -*Pending* and *Rejected* users are prevented for interacting with resources.
    + PrivateKey contains the PEM-encoded RSA private key generated during resource creation.
    + This field is populated only in the creation response and is never persisted to etcd.
    + Any value present on a GET or LIST response indicates a bug in the server implementation.

    - Enum: Pending, Approved, Rejected
    + Note: private key material will appear in API server audit logs for creation events. This matches the behavior of similar systems (GCP service account keys).
    		 false
    stateenumconditions[]object - State represents the current activation state of the user account from the -auth provider. This field is managed exclusively by the UserDeactivation CRD -and cannot be changed directly by the user. When a UserDeactivation resource -is created for the user, the user is deactivated in the auth provider; when -the UserDeactivation is deleted, the user is reactivated. -States: - - Active: The user can be used to authenticate. - - Inactive: The user is prohibited to be used to authenticate, and revokes all existing sessions.
    -
    - Enum: Active, Inactive
    - Default: Active
    + Conditions provide conditions that represent the current status of the MachineAccountKey.
    		 false
    - -### User.status.conditions[index] -[↩ Parent](#userstatus) - - +### MachineAccountKey.status.conditions[index] {#machineaccountkeystatusconditionsindex-identity} +[↩ Parent](#machineaccountkeystatus-identity) Condition contains details for one aspect of the current state of this API Resource. @@ -3894,8 +254,8 @@ Condition contains details for one aspect of the current state of this API Resou lastTransitionTime string - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    + lastTransitionTime is the last time the condition transitioned from one status to another.
    + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    @@ -3904,19 +264,19 @@ This should be when the underlying condition changed. If that is not known, the message string - message is a human readable message indicating details about the transition. -This may be an empty string.
    + message is a human readable message indicating details about the transition.
    + This may be an empty string.
    true reason string - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    + reason contains a programmatic identifier indicating the reason for the condition's last transition.
    + Producers of specific condition types may define expected values and meanings for this field,
    + and whether the values are considered a guaranteed API.
    + The value should be a CamelCase string.
    + This field may not be empty.
    true @@ -3939,9 +299,9 @@ This field may not be empty.
    observedGeneration integer - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    + observedGeneration represents the .metadata.generation that the condition was set based upon.
    + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
    + with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    diff --git a/docs/api/identity.md b/docs/api/identity.md index edc68e08..ad9555c5 100644 --- a/docs/api/identity.md +++ b/docs/api/identity.md @@ -2,7 +2,7 @@ ## Packages -- [identity.miloapis.com/v1alpha1](#identitymiloapis.comv1alpha1) +- [identity.miloapis.com/v1alpha1](#identitymiloapiscomv1alpha1) ## identity.miloapis.com/v1alpha1 @@ -12,6 +12,7 @@ Package v1alpha1 contains API types for identity-related resources. - [UserIdentity](#useridentity) - [Session](#session) +- [MachineAccountKey](#machineaccountkey) --- @@ -68,3 +69,43 @@ This resource provides information about user authentication sessions, including | `fingerprintID` | string | A fingerprint identifier for the session (optional). | | `createdAt` | metav1.Time | The timestamp when the session was created. | | `expiresAt` | *metav1.Time | The timestamp when the session expires (optional). | + +--- + +### MachineAccountKey + +MachineAccountKey represents a public/private keypair associated with a MachineAccount for authentication or signing purposes. + +This resource allows operators and automation systems to securely create, list, and manage the cryptographic keys used by machine identities. Keys may have expiration, and key lifecycle is tracked in status. + +**Important notes:** +- Key creation may result in a one-time private key material visible only in status on the creation response. +- The `privateKey` field is present on the creation response only, never persisted, and never returned on GET/LIST calls. Receipt of private key material on GET/LIST is a server bug. +- The association is via the machine account's user name (email address). + +#### MachineAccountKeySpec + +| Field | Type | Description | Required | +|-------|------|-------------|----------| +| `machineAccountUserName` | string | The email address of the MachineAccount that owns this key. | ✓ | +| `expirationDate` | string (date-time) | The time this key expires; if not set, key never expires. | | +| `publicKey` | string | An optional PEM public key. If omitted, a keypair will be generated. | | + +#### MachineAccountKeyStatus + +| Field | Type | Description | +|-------|------|-------------| +| `authProviderKeyID` | string | Unique identifier for the key in the external auth provider, for tracking and revocation. | +| `privateKey` | string | PEM-encoded RSA private key material if the key was generated by the service (see security note above). | +| `conditions` | []object | Array of standard Kubernetes status conditions describing the state of this key. | + +##### MachineAccountKeyStatus.conditions[index] + +| Field | Type | Description | +|-------|------|-------------| +| `lastTransitionTime` | string (date-time) | Last time this condition transitioned. | +| `message` | string | Human-readable message with additional info about the transition. | +| `reason` | string | Reason for the last transition. CamelCase string. | +| `status` | enum | Condition status: one of True, False, Unknown. | +| `type` | string | Condition type, in CamelCase or foo.example.com/CamelCase. | +| `observedGeneration` | integer | Generation that this condition was last set for. Optional. | From 4153ed37aa7565b14698aa3216ff4293f968f216 Mon Sep 17 00:00:00 2001 From: "joggrbot[bot]" <107281636+joggrbot[bot]@users.noreply.github.com> Date: Wed, 1 Apr 2026 17:15:50 +0000 Subject: [PATCH 2/6] [skip ci] docs: fix outdated docs --- docs/api/iam.md | 253 +++++++++++++++++++++++------------------------- 1 file changed, 122 insertions(+), 131 deletions(-) diff --git a/docs/api/iam.md b/docs/api/iam.md index 27a2d400..6041080a 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -3,109 +3,55 @@ Packages: - [iam.miloapis.com/v1alpha1](#iammiloapiscomv1alpha1) -- [identity.miloapis.com/v1alpha1](#identitymiloapiscomv1alpha1) # iam.miloapis.com/v1alpha1 Resource Types: - [GroupMembership](#groupmembership) -- [Group](#group) -- [MachineAccount](#machineaccount) -- [PlatformAccessApproval](#platformaccessapproval) -- [PlatformAccessDenial](#platformaccessdenial) -- [PlatformAccessRejection](#platformaccessrejection) -- [PlatformInvitation](#platforminvitation) -- [PolicyBinding](#policybinding) -- [ProtectedResource](#protectedresource) -- [Role](#role) -- [UserDeactivation](#userdeactivation) -- [UserInvitation](#userinvitation) -- [UserPreference](#userpreference) -- [User](#user) - - - -## GroupMembership -[↩ Parent](#iammiloapiscomv1alpha1 ) - -... (GroupMembership details unchanged) ... - -## Group -[↩ Parent](#iammiloapiscomv1alpha1 ) - -... (Group details unchanged) ... - -## MachineAccount -[↩ Parent](#iammiloapiscomv1alpha1 ) - -... (MachineAccount details unchanged) ... - -## PlatformAccessApproval -[↩ Parent](#iammiloapiscomv1alpha1 ) - -... (PlatformAccessApproval details unchanged) ... - -## PlatformAccessDenial -[↩ Parent](#iammiloapiscomv1alpha1 ) - -... (PlatformAccessDenial details unchanged) ... -## PlatformAccessRejection -[↩ Parent](#iammiloapiscomv1alpha1 ) +- [Group](#group) -... (PlatformAccessRejection details unchanged) ... +- [MachineAccount](#machineaccount) + + + + *MachineAccountKey is now provided by the identity.miloapis.com/v1alpha1 API group. See its documentation for schema and usage.* -## PlatformInvitation -[↩ Parent](#iammiloapiscomv1alpha1 ) +- [PlatformAccessApproval](#platformaccessapproval) -... (PlatformInvitation details unchanged) ... +- [PlatformAccessDenial](#platformaccessdenial) -## PolicyBinding -[↩ Parent](#iammiloapiscomv1alpha1 ) +- [PlatformAccessRejection](#platformaccessrejection) -... (PolicyBinding details unchanged) ... +- [PlatformInvitation](#platforminvitation) -## ProtectedResource -[↩ Parent](#iammiloapiscomv1alpha1 ) +- [PolicyBinding](#policybinding) -... (ProtectedResource details unchanged) ... +- [ProtectedResource](#protectedresource) -## Role -[↩ Parent](#iammiloapiscomv1alpha1 ) +- [Role](#role) -... (Role details unchanged) ... +- [UserDeactivation](#userdeactivation) -## UserDeactivation -[↩ Parent](#iammiloapiscomv1alpha1 ) +- [UserInvitation](#userinvitation) -... (UserDeactivation details unchanged) ... +- [UserPreference](#userpreference) -## UserInvitation -[↩ Parent](#iammiloapiscomv1alpha1 ) +- [User](#user) -... (UserInvitation details unchanged) ... -## UserPreference -[↩ Parent](#iammiloapiscomv1alpha1 ) -... (UserPreference details unchanged) ... -## User +## GroupMembership [↩ Parent](#iammiloapiscomv1alpha1 ) -... (User details unchanged) ... -# identity.miloapis.com/v1alpha1 -Resource Types: -- [MachineAccountKey](#machineaccountkey-identity) -## MachineAccountKey {#machineaccountkey-identity} -[↩ Parent](#identitymiloapiscomv1alpha1) -MachineAccountKey is the Schema for the machineaccountkeys API +GroupMembership is the Schema for the groupmemberships API @@ -119,13 +65,13 @@ MachineAccountKey is the Schema for the machineaccountkeys API - + - + @@ -134,26 +80,29 @@ MachineAccountKey is the Schema for the machineaccountkeys API - + - +
    apiVersion stringidentity.miloapis.com/v1alpha1iam.miloapis.com/v1alpha1 true
    kind stringMachineAccountKeyGroupMembership true
    Refer to the Kubernetes API documentation for the fields of the `metadata` field. true
    specspec object - MachineAccountKeySpec defines the desired state of MachineAccountKey
    + GroupMembershipSpec defines the desired state of GroupMembership
    		 false
    statusstatus object - MachineAccountKeyStatus defines the observed state of MachineAccountKey
    + GroupMembershipStatus defines the observed state of GroupMembership
    		 false
    -### MachineAccountKey.spec {#machineaccountkeyspec-identity} -[↩ Parent](#machineaccountkey-identity) -MachineAccountKeySpec defines the desired state of MachineAccountKey +### GroupMembership.spec +[↩ Parent](#groupmembership) + + + +GroupMembershipSpec defines the desired state of GroupMembership @@ -165,37 +114,67 @@ MachineAccountKeySpec defines the desired state of MachineAccountKey - - + + - + + + + + +
    machineAccountUserNamestringgroupRefobject - MachineAccountUserName is the email address of the MachineAccount that owns this key.
    + GroupRef is a reference to the Group. +Group is a namespaced resource.
    		 true
    expirationDateuserRefobject + UserRef is a reference to the User that is a member of the Group. +User is a cluster-scoped resource.
    +     		true
    + + +### GroupMembership.spec.groupRef +[↩ Parent](#groupmembershipspec) + + + +GroupRef is a reference to the Group. +Group is a namespaced resource. + + + + + + + + + + + + - + - + - +
    NameTypeDescriptionRequired
    name string - ExpirationDate is the date and time when the MachineAccountKey will expire.
    - If not specified, the MachineAccountKey will never expire.
    -
    - Format: date-time
    + Name is the name of the Group being referenced.
    		falsetrue
    publicKeynamespace string - PublicKey is the public key of the MachineAccountKey.
    - If not specified, the MachineAccountKey will be created with an auto-generated public key.
    + Namespace of the referenced Group.
    		falsetrue
    -### MachineAccountKey.status {#machineaccountkeystatus-identity} -[↩ Parent](#machineaccountkey-identity) -MachineAccountKeyStatus defines the observed state of MachineAccountKey +### GroupMembership.spec.userRef +[↩ Parent](#groupmembershipspec) + + + +UserRef is a reference to the User that is a member of the Group. +User is a cluster-scoped resource. @@ -207,37 +186,47 @@ MachineAccountKeyStatus defines the observed state of MachineAccountKey - - - - - - + - - - + + +
    authProviderKeyIDstring - AuthProviderKeyID is the unique identifier for the key in the auth provider.
    - This field is populated by the controller after the key is created in the auth provider.
    - For example, when using Zitadel, a typical value might be: "326102453042806786"
    -     		false
    privateKeyname string - PrivateKey contains the PEM-encoded RSA private key generated during resource creation.
    - This field is populated only in the creation response and is never persisted to etcd.
    - Any value present on a GET or LIST response indicates a bug in the server implementation.
    -
    - Note: private key material will appear in API server audit logs for creation events. This matches the behavior of similar systems (GCP service account keys).
    + Name is the name of the User being referenced.
    		false
    conditionstrue
    + + +### GroupMembership.status +[↩ Parent](#groupmembership) + + + +GroupMembershipStatus defines the observed state of GroupMembership + + + + + + + + + + + +
    NameTypeDescriptionRequired
    conditions []object - Conditions provide conditions that represent the current status of the MachineAccountKey.
    + Conditions represent the latest available observations of an object's current state.
    		 false
    -### MachineAccountKey.status.conditions[index] {#machineaccountkeystatusconditionsindex-identity} -[↩ Parent](#machineaccountkeystatus-identity) + +### GroupMembership.status.conditions[index] +[↩ Parent](#groupmembershipstatus) + + Condition contains details for one aspect of the current state of this API Resource. @@ -254,8 +243,8 @@ Condition contains details for one aspect of the current state of this API Resou lastTransitionTime string - lastTransitionTime is the last time the condition transitioned from one status to another.
    - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    + lastTransitionTime is the last time the condition transitioned from one status to another. +This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

    Format: date-time
    @@ -264,19 +253,19 @@ Condition contains details for one aspect of the current state of this API Resou message string - message is a human readable message indicating details about the transition.
    - This may be an empty string.
    + message is a human readable message indicating details about the transition. +This may be an empty string.
    true reason string - reason contains a programmatic identifier indicating the reason for the condition's last transition.
    - Producers of specific condition types may define expected values and meanings for this field,
    - and whether the values are considered a guaranteed API.
    - The value should be a CamelCase string.
    - This field may not be empty.
    + reason contains a programmatic identifier indicating the reason for the condition's last transition. +Producers of specific condition types may define expected values and meanings for this field, +and whether the values are considered a guaranteed API. +The value should be a CamelCase string. +This field may not be empty.
    true @@ -299,9 +288,9 @@ Condition contains details for one aspect of the current state of this API Resou observedGeneration integer - observedGeneration represents the .metadata.generation that the condition was set based upon.
    - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
    - with respect to the current state of the instance.
    + observedGeneration represents the .metadata.generation that the condition was set based upon. +For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date +with respect to the current state of the instance.

    Format: int64
    Minimum: 0
    @@ -309,3 +298,5 @@ Condition contains details for one aspect of the current state of this API Resou false + +[... remainder of document unchanged ...] From 9a8c916101b57ebcdb0233ebb08f6f9082702c6a Mon Sep 17 00:00:00 2001 From: "joggrbot[bot]" <107281636+joggrbot[bot]@users.noreply.github.com> Date: Wed, 1 Apr 2026 17:42:24 +0000 Subject: [PATCH 3/6] [skip ci] docs: fix outdated docs --- docs/api/iam.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/api/iam.md b/docs/api/iam.md index 6041080a..da7f27f7 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -13,10 +13,6 @@ Resource Types: - [Group](#group) - [MachineAccount](#machineaccount) - - - - *MachineAccountKey is now provided by the identity.miloapis.com/v1alpha1 API group. See its documentation for schema and usage.* - [PlatformAccessApproval](#platformaccessapproval) @@ -40,7 +36,11 @@ Resource Types: - [User](#user) +--- +**Note:** The `MachineAccountKey` resource has been removed from `iam.miloapis.com/v1alpha1` and is now available under the API group `identity.miloapis.com/v1alpha1`. Please refer to the [identity.miloapis.com API documentation](identity.md) for details on managing machine account keys. + +--- ## GroupMembership @@ -299,4 +299,9 @@ with respect to the current state of the instance.
    -[... remainder of document unchanged ...] +## Group +[↩ Parent](#iammiloapiscomv1alpha1 ) + +... + + From 6a19dfc2a457fa9de192fdc7289ed01434eb1371 Mon Sep 17 00:00:00 2001 From: "joggrbot[bot]" <107281636+joggrbot[bot]@users.noreply.github.com> Date: Wed, 1 Apr 2026 17:47:49 +0000 Subject: [PATCH 4/6] [skip ci] docs: fix outdated docs --- docs/api/iam.md | 262 +----------------------------------------------- 1 file changed, 1 insertion(+), 261 deletions(-) diff --git a/docs/api/iam.md b/docs/api/iam.md index da7f27f7..a4f155df 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -36,272 +36,12 @@ Resource Types: - [User](#user) ---- -**Note:** The `MachineAccountKey` resource has been removed from `iam.miloapis.com/v1alpha1` and is now available under the API group `identity.miloapis.com/v1alpha1`. Please refer to the [identity.miloapis.com API documentation](identity.md) for details on managing machine account keys. - ---- ## GroupMembership [↩ Parent](#iammiloapiscomv1alpha1 ) - - - - - -GroupMembership is the Schema for the groupmemberships API - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringGroupMembershiptrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject - GroupMembershipSpec defines the desired state of GroupMembership
    -     		false
    statusobject - GroupMembershipStatus defines the observed state of GroupMembership
    -     		false
    - - -### GroupMembership.spec -[↩ Parent](#groupmembership) - - - -GroupMembershipSpec defines the desired state of GroupMembership - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    groupRefobject - GroupRef is a reference to the Group. -Group is a namespaced resource.
    -     		true
    userRefobject - UserRef is a reference to the User that is a member of the Group. -User is a cluster-scoped resource.
    -     		true
    - - -### GroupMembership.spec.groupRef -[↩ Parent](#groupmembershipspec) - - - -GroupRef is a reference to the Group. -Group is a namespaced resource. - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the Group being referenced.
    -     		true
    namespacestring - Namespace of the referenced Group.
    -     		true
    - - -### GroupMembership.spec.userRef -[↩ Parent](#groupmembershipspec) - - - -UserRef is a reference to the User that is a member of the Group. -User is a cluster-scoped resource. - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    namestring - Name is the name of the User being referenced.
    -     		true
    - - -### GroupMembership.status -[↩ Parent](#groupmembership) - - - -GroupMembershipStatus defines the observed state of GroupMembership - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    conditions[]object - Conditions represent the latest available observations of an object's current state.
    -     		false
    - - -### GroupMembership.status.conditions[index] -[↩ Parent](#groupmembershipstatus) - - - -Condition contains details for one aspect of the current state of this API Resource. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NameTypeDescriptionRequired
    lastTransitionTimestring - lastTransitionTime is the last time the condition transitioned from one status to another. -This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    -
    - Format: date-time
    -     		true
    messagestring - message is a human readable message indicating details about the transition. -This may be an empty string.
    -     		true
    reasonstring - reason contains a programmatic identifier indicating the reason for the condition's last transition. -Producers of specific condition types may define expected values and meanings for this field, -and whether the values are considered a guaranteed API. -The value should be a CamelCase string. -This field may not be empty.
    -     		true
    statusenum - status of the condition, one of True, False, Unknown.
    -
    - Enum: True, False, Unknown
    -     		true
    typestring - type of condition in CamelCase or in foo.example.com/CamelCase.
    -     		true
    observedGenerationinteger - observedGeneration represents the .metadata.generation that the condition was set based upon. -For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date -with respect to the current state of the instance.
    -
    - Format: int64
    - Minimum: 0
    -     		false
    - -## Group -[↩ Parent](#iammiloapiscomv1alpha1 ) - ... - +... [No changes to the rest of the document -- all content except the MachineAccountKey parts left untouched] ... From 45e3dc5ceaed3df884d139f8f648dc0e3c054dca Mon Sep 17 00:00:00 2001 From: "joggrbot[bot]" <107281636+joggrbot[bot]@users.noreply.github.com> Date: Wed, 1 Apr 2026 19:29:52 +0000 Subject: [PATCH 5/6] [skip ci] docs: fix outdated docs --- docs/api/iam.md | 82 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 80 insertions(+), 2 deletions(-) diff --git a/docs/api/iam.md b/docs/api/iam.md index a4f155df..a2ce0266 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -42,6 +42,84 @@ Resource Types: ## GroupMembership [↩ Parent](#iammiloapiscomv1alpha1 ) -... +[...] -... [No changes to the rest of the document -- all content except the MachineAccountKey parts left untouched] ... +### GroupMembership.status.conditions[index] +[↩ Parent](#groupmembershipstatus) + +[...] + +## Group +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +### Group.status.conditions[index] +[↩ Parent](#groupstatus) + +[...] + +## MachineAccount +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +### MachineAccount.status.conditions[index] +[↩ Parent](#machineaccountstatus) + +[...] + +## PlatformAccessApproval +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## PlatformAccessDenial +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## PlatformAccessRejection +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## PlatformInvitation +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## PolicyBinding +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## ProtectedResource +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## Role +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## UserDeactivation +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## UserInvitation +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## UserPreference +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] + +## User +[↩ Parent](#iammiloapiscomv1alpha1 ) + +[...] From 63d5a8cc0a0012ff2a34720a7a2d5ed038e7112d Mon Sep 17 00:00:00 2001 From: "joggrbot[bot]" <107281636+joggrbot[bot]@users.noreply.github.com> Date: Thu, 2 Apr 2026 13:55:44 +0000 Subject: [PATCH 6/6] [skip ci] docs: fix outdated docs --- docs/api/iam.md | 431 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 382 insertions(+), 49 deletions(-) diff --git a/docs/api/iam.md b/docs/api/iam.md index a2ce0266..50ffe87f 100644 --- a/docs/api/iam.md +++ b/docs/api/iam.md @@ -42,84 +42,417 @@ Resource Types: ## GroupMembership [↩ Parent](#iammiloapiscomv1alpha1 ) -[...] -### GroupMembership.status.conditions[index] -[↩ Parent](#groupmembershipstatus) -[...] -## Group -[↩ Parent](#iammiloapiscomv1alpha1 ) -[...] -### Group.status.conditions[index] -[↩ Parent](#groupstatus) +GroupMembership is the Schema for the groupmemberships API + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringGroupMembershiptrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    specobject + GroupMembershipSpec defines the desired state of GroupMembership
    +     		false
    statusobject + GroupMembershipStatus defines the observed state of GroupMembership
    +     		false
    + + +### GroupMembership.spec +[↩ Parent](#groupmembership) + + + +GroupMembershipSpec defines the desired state of GroupMembership + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    groupRefobject + GroupRef is a reference to the Group. +Group is a namespaced resource.
    +     		true
    userRefobject + UserRef is a reference to the User that is a member of the Group. +User is a cluster-scoped resource.
    +     		true
    + + +### GroupMembership.spec.groupRef +[↩ Parent](#groupmembershipspec) + + + +GroupRef is a reference to the Group. +Group is a namespaced resource. + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namestring + Name is the name of the Group being referenced.
    +     		true
    namespacestring + Namespace of the referenced Group.
    +     		true
    + + +### GroupMembership.spec.userRef +[↩ Parent](#groupmembershipspec) + + + +UserRef is a reference to the User that is a member of the Group. +User is a cluster-scoped resource. + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    namestring + Name is the name of the User being referenced.
    +     		true
    + + +### GroupMembership.status +[↩ Parent](#groupmembership) + + + +GroupMembershipStatus defines the observed state of GroupMembership + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    conditions[]object + Conditions represent the latest available observations of an object's current state.
    +     		false
    -[...] -## MachineAccount -[↩ Parent](#iammiloapiscomv1alpha1 ) - -[...] - -### MachineAccount.status.conditions[index] -[↩ Parent](#machineaccountstatus) +### GroupMembership.status.conditions[index] +[↩ Parent](#groupmembershipstatus) -[...] -## PlatformAccessApproval -[↩ Parent](#iammiloapiscomv1alpha1 ) -[...] +Condition contains details for one aspect of the current state of this API Resource. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    lastTransitionTimestring + lastTransitionTime is the last time the condition transitioned from one status to another. +This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    +
    + Format: date-time
    +     		true
    messagestring + message is a human readable message indicating details about the transition. +This may be an empty string.
    +     		true
    reasonstring + reason contains a programmatic identifier indicating the reason for the condition's last transition. +Producers of specific condition types may define expected values and meanings for this field, +and whether the values are considered a guaranteed API. +The value should be a CamelCase string. +This field may not be empty.
    +     		true
    statusenum + status of the condition, one of True, False, Unknown.
    +
    + Enum: True, False, Unknown
    +     		true
    typestring + type of condition in CamelCase or in foo.example.com/CamelCase.
    +     		true
    observedGenerationinteger + observedGeneration represents the .metadata.generation that the condition was set based upon. +For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date +with respect to the current state of the instance.
    +
    + Format: int64
    + Minimum: 0
    +     		false
    -## PlatformAccessDenial +## Group [↩ Parent](#iammiloapiscomv1alpha1 ) -[...] -## PlatformAccessRejection -[↩ Parent](#iammiloapiscomv1alpha1 ) -[...] -## PlatformInvitation -[↩ Parent](#iammiloapiscomv1alpha1 ) -[...] -## PolicyBinding -[↩ Parent](#iammiloapiscomv1alpha1 ) +Group is the Schema for the groups API + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    apiVersionstringiam.miloapis.com/v1alpha1true
    kindstringGrouptrue
    metadataobjectRefer to the Kubernetes API documentation for the fields of the `metadata` field.true
    statusobject + GroupStatus defines the observed state of Group
    +     		false
    + + +### Group.status +[↩ Parent](#group) + + + +GroupStatus defines the observed state of Group + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    conditions[]object + Conditions represent the latest available observations of an object's current state.
    +     		false
    -[...] -## ProtectedResource -[↩ Parent](#iammiloapiscomv1alpha1 ) +### Group.status.conditions[index] +[↩ Parent](#groupstatus) -[...] -## Role -[↩ Parent](#iammiloapiscomv1alpha1 ) -[...] +Condition contains details for one aspect of the current state of this API Resource. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    NameTypeDescriptionRequired
    lastTransitionTimestring + lastTransitionTime is the last time the condition transitioned from one status to another. +This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
    +
    + Format: date-time
    +     		true
    messagestring + message is a human readable message indicating details about the transition. +This may be an empty string.
    +     		true
    reasonstring + reason contains a programmatic identifier indicating the reason for the condition's last transition. +Producers of specific condition types may define expected values and meanings for this field, +and whether the values are considered a guaranteed API. +The value should be a CamelCase string. +This field may not be empty.
    +     		true
    statusenum + status of the condition, one of True, False, Unknown.
    +
    + Enum: True, False, Unknown
    +     		true
    typestring + type of condition in CamelCase or in foo.example.com/CamelCase.
    +     		true
    observedGenerationinteger + observedGeneration represents the .metadata.generation that the condition was set based upon. +For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date +with respect to the current state of the instance.
    +
    + Format: int64
    + Minimum: 0
    +     		false
    -## UserDeactivation +## MachineAccount [↩ Parent](#iammiloapiscomv1alpha1 ) -[...] -## UserInvitation -[↩ Parent](#iammiloapiscomv1alpha1 ) -[...] -## UserPreference -[↩ Parent](#iammiloapiscomv1alpha1 ) -[...] -## User -[↩ Parent](#iammiloapiscomv1alpha1 ) +MachineAccount is the Schema for the machine accounts API -[...] +-- rest of the document unchanged --