API Reference
Packages
- activity.miloapis.com/v1alpha1
- crm.miloapis.com/v1alpha1
- dns.networking.miloapis.com/v1alpha1
- iam.miloapis.com/v1alpha1
- identity.miloapis.com/v1alpha1
- infrastructure.miloapis.com/v1alpha1
- networking.datumapis.com/v1alpha
- notification.miloapis.com/v1alpha1
- quota.miloapis.com/v1alpha1
- resourcemanager.miloapis.com/v1alpha1
- telemetry.miloapis.com/v1alpha1
activity.miloapis.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the activity v1alpha1 API group.
AuditLogQuery
AuditLogQuery searches your control plane's audit logs.
Use this to investigate incidents, track resource changes, generate compliance reports, or analyze user activity. Results are returned in the Status field, ordered newest-first.
Quick Start:
```yaml
apiVersion: activity.miloapis.com/v1alpha1
kind: AuditLogQuery
metadata:
  name: recent-deletions
spec:
  startTime: "now-30d"        # last 30 days
  endTime: "now"
  filter: "verb == 'delete'"  # optional: narrow your search
  limit: 100
```
Time Formats:
- Relative: "now-30d" (great for dashboards and recurring queries)
- Absolute: "2024-01-01T00:00:00Z" (great for historical analysis)
| Field | Description | Default | Validation |
|---|---|---|---|
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _AuditLogQuerySpec_ | | | |
| `status` _AuditLogQueryStatus_ | | | |
AuditLogQuerySpec
AuditLogQuerySpec defines the search parameters.
Required: startTime and endTime define your search window. Optional: filter (narrows results), limit (page size, default 100) and continue (pagination cursor).
Performance: smaller time ranges and specific filters perform better. The maximum time window is typically 30 days; if your range is too large, you'll get an error with guidance on splitting your query into smaller chunks.
| Field | Description | Default | Validation |
|---|---|---|---|
| `startTime` _string_ | StartTime is the beginning of your search window (inclusive). Format options: relative, e.g. "now-30d", "now-2h", "now-30m" (units: s, m, h, d, w), suited to dashboards and recurring queries because they adjust automatically; absolute, e.g. "2024-01-01T00:00:00Z" (RFC3339 with timezone), suited to historical analysis of specific time periods. Examples: "now-30d" is 30 days ago; "2024-06-15T14:30:00-05:00" is a specific time with a timezone offset. | | |
| `endTime` _string_ | EndTime is the end of your search window (exclusive). Uses the same formats as StartTime; commonly "now" for the current moment. Must be greater than StartTime. Examples: "now" is the current time; "2024-01-02T00:00:00Z" is a specific end point. | | |
| `filter` _string_ | Filter narrows results using CEL (Common Expression Language); leave empty to get all events. Available fields: verb (API action: get, list, create, update, patch, delete, watch); auditID (unique event identifier); requestReceivedTimestamp (when the API server received the request, RFC3339 timestamp); user.username (who made the request, user or service account); user.uid (unique user identifier, stable across username changes); responseStatus.code (HTTP response code: 200, 201, 404, 500, etc.); objectRef.namespace (target resource namespace); objectRef.resource (resource type: pods, deployments, secrets, configmaps, etc.); objectRef.name (specific resource name). Operators: ==, !=, <, >, <=, >=, &&, \|\|, in. String functions: startsWith(), endsWith(), contains(). Common patterns: `verb == 'delete'` (all deletions); `objectRef.namespace == 'production'` (activity in the production namespace); `verb in ['create', 'update', 'delete', 'patch']` (all write operations); `responseStatus.code >= 400` (failed requests); `user.username.startsWith('system:serviceaccount:')` (service account activity); `user.uid == '550e8400-e29b-41d4-a716-446655440000'` (a specific user by UID); `objectRef.resource == 'secrets'` (secret access); `verb == 'delete' && objectRef.namespace == 'production'` (production deletions). Note: use single quotes for strings; field names are case-sensitive. CEL reference: https://cel.dev | | |
| `limit` _integer_ | Limit sets the maximum number of results per page. Default: 100, maximum: 1000. Use smaller values (10-50) for exploration and larger ones (500-1000) for data collection. Use continue to fetch additional pages. | | |
| `continue` _string_ | Continue is the pagination cursor for fetching additional pages. Leave empty for the first page. If status.continue is non-empty after a query, copy that value here in a new query with identical parameters to get the next page; repeat until status.continue is empty. Important: keep all other parameters (startTime, endTime, filter, limit) identical across paginated requests. The cursor is opaque: copy it exactly without modification. | | |
AuditLogQueryStatus
AuditLogQueryStatus contains the query results and pagination state.
| Field | Description | Default | Validation |
|---|---|---|---|
| `results` _Event array_ | Results contains matching audit events, sorted newest-first. Each event follows the Kubernetes audit.Event format with fields such as verb, user.username, objectRef.{namespace,resource,name}, requestReceivedTimestamp, stageTimestamp, responseStatus.code, requestObject and responseObject. Empty results? Try broadening your filter or time range. Full documentation: https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/ | | |
| `continue` _string_ | Continue is the pagination cursor. Non-empty means more results are available: copy this to spec.continue for the next page. Empty means you have all results. | | |
| `effectiveStartTime` _string_ | EffectiveStartTime is the actual start time used for this query (RFC3339 format). When you use relative times like "now-7d", this shows the exact timestamp that was calculated. Useful for understanding exactly what time range was queried, especially for auditing, debugging, or recreating queries with absolute timestamps. Example: if you query with startTime="now-7d" at 2025-12-17T12:00:00Z, this will be "2025-12-10T12:00:00Z". | | |
| `effectiveEndTime` _string_ | EffectiveEndTime is the actual end time used for this query (RFC3339 format). When you use relative times like "now", this shows the exact timestamp that was calculated. Useful for understanding exactly what time range was queried. Example: if you query with endTime="now" at 2025-12-17T12:00:00Z, this will be "2025-12-17T12:00:00Z". | | |
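As an added example (not code from the Milo API reference or its client libraries), the following Python mirrors the AuditLogQuery contract described above: it resolves relative and absolute time formats the way effectiveStartTime and effectiveEndTime describe, rejects a reversed window or one over the 30-day maximum, enforces the 1000-result limit, and walks status.continue exactly as spec.continue requires (identical parameters on every page, cursor copied verbatim, stop when it is empty). The `submit` backend and the sample events are constructed stand-ins; nothing here talks to a real control plane, and the helper names (`resolve_time`, `effective_window`, `fetch_all`, `make_fake_submit`, `demo`) are this example's own.

```python
"""Added example, not part of the Milo API reference or its client libraries.
Resolves AuditLogQuery time formats, applies the documented window checks and
drives spec.continue pagination against a constructed in-memory backend."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

RELATIVE = re.compile(r"^now(?:-(\d+)([smhdw]))?$")   # "now", "now-30d", "now-2h", ...
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
MAX_WINDOW = timedelta(days=30)   # "typically 30 days" per the reference
MAX_LIMIT = 1000                  # documented maximum page size

# Fixed "current time" for reproducible output (matches the reference's example).
EXAMPLE_NOW = datetime(2025, 12, 17, 12, 0, tzinfo=timezone.utc)


def resolve_time(value: str, now: datetime) -> datetime:
    """Resolve 'now', 'now-<n><unit>' or an RFC3339 timestamp to an aware datetime."""
    m = RELATIVE.match(value)
    if m:
        if m.group(1) is None:
            return now
        return now - timedelta(**{UNITS[m.group(2)]: int(m.group(1))})
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"absolute time must carry a timezone: {value!r}")
    return dt


def effective_window(spec: dict, now: datetime) -> tuple[datetime, datetime]:
    """Compute effectiveStartTime/effectiveEndTime and apply the documented checks."""
    start = resolve_time(spec["startTime"], now)
    end = resolve_time(spec["endTime"], now)
    if end <= start:
        raise ValueError("endTime must be greater than startTime")
    if end - start > MAX_WINDOW:
        raise ValueError("time window exceeds 30 days; split the query into smaller chunks")
    limit = spec.get("limit", 100)
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    return start, end


def fetch_all(spec: dict, submit) -> list[dict]:
    """Collect every page: same spec each time, only `continue` changes, copied verbatim."""
    events: list[dict] = []
    cursor = ""
    while True:
        status = submit({**spec, "continue": cursor})
        events.extend(status.get("results", []))
        cursor = status.get("continue", "")   # opaque: never parse or modify it
        if not cursor:
            return events


# Constructed sample audit events in the shape of status.results (newest-first).
SAMPLE_EVENTS = [
    {"verb": "delete", "user": {"username": "alice"},
     "objectRef": {"namespace": "production", "resource": "secrets", "name": f"app-{i}"},
     "responseStatus": {"code": 200}}
    for i in range(7)
]


def make_fake_submit(events: list[dict], calls: list[dict]):
    """Constructed stand-in for the control plane: pages through `events` and
    records every spec it receives in `calls` so pagination can be inspected."""
    def submit(spec: dict) -> dict:
        calls.append(spec)
        offset = int(spec["continue"]) if spec["continue"] else 0
        nxt = offset + spec.get("limit", 100)
        return {"results": events[offset:nxt],
                "continue": str(nxt) if nxt < len(events) else ""}
    return submit


def demo(now: datetime = EXAMPLE_NOW) -> dict:
    """Run a paginated 'recent deletions' query against the fake backend."""
    spec = {"startTime": "now-7d", "endTime": "now", "filter": "verb == 'delete'", "limit": 3}
    start, end = effective_window(spec, now)
    calls: list[dict] = []
    results = fetch_all(spec, make_fake_submit(SAMPLE_EVENTS, calls))
    return {
        "effectiveStartTime": start.isoformat().replace("+00:00", "Z"),
        "effectiveEndTime": end.isoformat().replace("+00:00", "Z"),
        "pages": len(calls),
        "events": len(results),
        # every page must carry identical parameters apart from `continue`
        "consistent": all({k: v for k, v in c.items() if k != "continue"} == spec for c in calls),
    }


if __name__ == "__main__":
    print(demo())
```

With a limit of 3 and seven sample events, `demo()` issues three requests and reports the same effective window the reference gives for "now-7d" at 2025-12-17T12:00:00Z; swapping `make_fake_submit` for a real client that creates the AuditLogQuery and returns its status is the only change needed to use `fetch_all` against the control plane.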
crm.miloapis.com/v1alpha1
Resource Types
- Note
- NoteList
Note
Note is the Schema for the notes API. It represents a note attached to a subject (e.g. Contact or User).
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | crm.miloapis.com/v1alpha1 | | |
| `kind` _string_ | Note | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _NoteSpec_ | | | Type: object |
| `status` _NoteStatus_ | | | |
NoteList
NoteList contains a list of Note.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | crm.miloapis.com/v1alpha1 | | |
| `kind` _string_ | NoteList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _Note array_ | | | |
NoteSpec
NoteSpec defines the desired state of Note.
Validation:
- Type: object
| Field | Description | Default | Validation |
|---|---|---|---|
| `subjectRef` _SubjectReference_ | Subject is a reference to the subject of the note. | | Required: {} Type: object |
| `content` _string_ | Content is the text content of the note. | | MaxLength: 1000 Required: {} |
| `interactionTime` _Time_ | InteractionTime is the timestamp of the interaction with the subject. | | Optional: {} |
| `nextAction` _string_ | NextAction is an optional follow-up action. | | Optional: {} |
| `nextActionTime` _Time_ | NextActionTime is the timestamp for the follow-up action. | | Optional: {} |
| `followUp` _boolean_ | FollowUp indicates whether this note requires follow-up. When true, the note is being actively tracked for further action. | false | Optional: {} |
| `creatorRef` _UserReference_ | CreatorRef is a reference to the user that created the note. Defaults to the user that created the note. | | Optional: {} |
NoteStatus
NoteStatus defines the observed state of Note.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions provide conditions that represent the current status of the Note. | `[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]` | Optional: {} |
| `createdBy` _string_ | CreatedBy is the email of the user that created the note. | | Optional: {} |
SubjectReference
SubjectReference is a reference to the subject of the note.
Validation:
- Type: object
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiGroup` _string_ | APIGroup is the group for the resource being referenced. | | Enum: [iam.miloapis.com notification.miloapis.com] Required: {} |
| `kind` _string_ | Kind is the type of resource being referenced. | | Enum: [User Contact] Required: {} |
| `name` _string_ | Name is the name of the resource being referenced. | | Required: {} |
| `namespace` _string_ | Namespace is the namespace of the resource being referenced. Required for namespace-scoped resources; omitted for cluster-scoped resources. | | Optional: {} |
dns.networking.miloapis.com/v1alpha1
SPDX-License-Identifier: AGPL-3.0-only
One-shot discovery/snapshot of existing DNS records for a DNSZone. On creation, a controller queries common RR types for the zone and stores them in .status for easy extraction/translation into DNSRecordSet objects. This object is write-once (status) and has no lifecycle beyond initial discovery.
Package v1alpha1 contains API Schema definitions for the dns v1alpha1 API group.
Resource Types
- DNSRecordSet
- DNSRecordSetList
- DNSZone
- DNSZoneClass
- DNSZoneClassList
- DNSZoneDiscovery
- DNSZoneDiscoveryList
- DNSZoneList
AAAARecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `content` _string_ | | | Format: ipv6 |
ARecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `content` _string_ | | | Format: ipv4 |
CAARecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `flag` _integer_ | 0-255 flag | | Maximum: 255 Minimum: 0 |
| `tag` _string_ | RFC-style tag, kept simple: [a-z0-9]+ | | MinLength: 1 Pattern: `^[a-z0-9]+$` |
| `value` _string_ | | | MinLength: 1 |
CNAMERecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `content` _string_ | | | MaxLength: 253 MinLength: 1 Pattern: `^([A-Za-z0-9_](?:[-A-Za-z0-9_]{0,61}[A-Za-z0-9_])?)(?:\.([A-Za-z0-9_](?:[-A-Za-z0-9_]{0,61}[A-Za-z0-9_])?))*\.?$` |
DNSRecordSet
DNSRecordSet is the Schema for the dnsrecordsets API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | dns.networking.miloapis.com/v1alpha1 | | |
| `kind` _string_ | DNSRecordSet | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _DNSRecordSetSpec_ | spec defines the desired state of DNSRecordSet. | | |
| `status` _DNSRecordSetStatus_ | status defines the observed state of DNSRecordSet. | | |
DNSRecordSetList
DNSRecordSetList contains a list of DNSRecordSet.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | dns.networking.miloapis.com/v1alpha1 | | |
| `kind` _string_ | DNSRecordSetList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _DNSRecordSet array_ | | | |
DNSRecordSetSpec
DNSRecordSetSpec defines the desired state of DNSRecordSet.
| Field | Description | Default | Validation |
|---|---|---|---|
| `dnsZoneRef` _LocalObjectReference_ | DNSZoneRef references the DNSZone (same namespace) this recordset belongs to. | | Required: {} |
| `recordType` _RRType_ | RecordType is the DNS RR type for this recordset. | | Enum: [A AAAA CNAME TXT MX SRV CAA NS SOA PTR TLSA HTTPS SVCB] Required: {} |
| `records` _RecordEntry array_ | Records contains one or more owner names with values appropriate for the RecordType. | | MinItems: 1 |
DNSRecordSetStatus
DNSRecordSetStatus defines the observed state of DNSRecordSet.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions includes Accepted and Programmed readiness. | | |
| `recordSets` _RecordSetStatus array_ | RecordSets captures per-owner (per name) status and conditions. | | |
DNSZone
DNSZone is the Schema for the dnszones API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | dns.networking.miloapis.com/v1alpha1 | | |
| `kind` _string_ | DNSZone | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _DNSZoneSpec_ | spec defines the desired state of DNSZone. | | |
| `status` _DNSZoneStatus_ | status defines the observed state of DNSZone. | | |
DNSZoneClass
DNSZoneClass is the Schema for the dnszoneclasses API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | dns.networking.miloapis.com/v1alpha1 | | |
| `kind` _string_ | DNSZoneClass | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _DNSZoneClassSpec_ | spec defines the desired state of DNSZoneClass. | | |
| `status` _DNSZoneClassStatus_ | status defines the observed state of DNSZoneClass. | | |
DNSZoneClassList
DNSZoneClassList contains a list of DNSZoneClass.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | dns.networking.miloapis.com/v1alpha1 | | |
| `kind` _string_ | DNSZoneClassList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _DNSZoneClass array_ | | | |
DNSZoneClassSpec
DNSZoneClassSpec defines the desired state of DNSZoneClass.
| Field | Description | Default | Validation |
|---|---|---|---|
| `controllerName` _string_ | ControllerName identifies the downstream controller/backend implementation (e.g., "powerdns", "hickory"). | | Required: {} |
| `nameServerPolicy` _NameServerPolicy_ | NameServerPolicy defines how nameservers are assigned for zones using this class. | | |
| `defaults` _ZoneDefaults_ | Defaults provides optional default values applied to managed zones. | | |
DNSZoneClassStatus
DNSZoneClassStatus defines the observed state of DNSZoneClass.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions represent the current state of the resource. Common types include "Accepted" and "Programmed" to standardize readiness reporting across controllers. | | |
DNSZoneDiscovery
DNSZoneDiscovery is the Schema for the DNSZone discovery API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | dns.networking.miloapis.com/v1alpha1 | | |
| `kind` _string_ | DNSZoneDiscovery | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _DNSZoneDiscoverySpec_ | spec defines the desired target for discovery. | | |
| `status` _DNSZoneDiscoveryStatus_ | status contains the discovered data (write-once). | | |
DNSZoneDiscoveryList
DNSZoneDiscoveryList contains a list of DNSZoneDiscovery.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | dns.networking.miloapis.com/v1alpha1 | | |
| `kind` _string_ | DNSZoneDiscoveryList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _DNSZoneDiscovery array_ | | | |
DNSZoneDiscoverySpec
DNSZoneDiscoverySpec defines the desired discovery target.
| Field | Description | Default | Validation |
|---|---|---|---|
| `dnsZoneRef` _LocalObjectReference_ | DNSZoneRef references the DNSZone (same namespace) this discovery targets. | | Required: {} |
DNSZoneDiscoveryStatus
DNSZoneDiscoveryStatus defines the observed snapshot of a DNS zone.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions includes Accepted and Discovered. | | |
| `recordSets` _DiscoveredRecordSet array_ | RecordSets is the set of discovered RRsets grouped by RecordType. | | |
DNSZoneList
DNSZoneList contains a list of DNSZone.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | dns.networking.miloapis.com/v1alpha1 | | |
| `kind` _string_ | DNSZoneList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _DNSZone array_ | | | |
DNSZoneSpec
DNSZoneSpec defines the desired state of DNSZone.
| Field | Description | Default | Validation |
|---|---|---|---|
| `domainName` _string_ | DomainName is the FQDN of the zone (e.g., "example.com"). | | MaxLength: 253 MinLength: 1 Pattern: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$` Required: {} |
| `dnsZoneClassName` _string_ | DNSZoneClassName references the DNSZoneClass used to provision this zone. | | Required: {} |
DNSZoneStatus
DNSZoneStatus defines the observed state of DNSZone.
| Field | Description | Default | Validation |
|---|---|---|---|
| `nameservers` _string array_ | Nameservers lists the active authoritative nameservers for this zone. | | |
| `recordCount` _integer_ | RecordCount is the number of DNSRecordSet resources in this namespace that reference this zone. | | |
| `conditions` _Condition array_ | Conditions tracks state such as Accepted and Programmed readiness. | | |
| `domainRef` _DomainRef_ | DomainRef references the Domain this zone belongs to. | | |
DiscoveredRecordSet
DiscoveredRecordSet groups discovered records by type.
| Field | Description | Default | Validation |
|---|---|---|---|
| `recordType` _RRType_ | RecordType is the DNS RR type for this recordset. | | Enum: [A AAAA CNAME TXT MX SRV CAA NS SOA PTR TLSA HTTPS SVCB] Required: {} |
| `records` _RecordEntry array_ | Records contains one or more owner names with values appropriate for the RecordType. The RecordEntry schema is shared with DNSRecordSet for easy translation. | | |
DomainRef
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | | | |
| `status` _DomainRefStatus_ | | | |
DomainRefStatus
| Field | Description | Default | Validation |
|---|---|---|---|
| `nameservers` _Nameserver array_ | | | |
HTTPSRecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `priority` _integer_ | | | Maximum: 65535 Minimum: 0 |
| `target` _string_ | | | |
| `params` _object (keys: string, values: string)_ | | | |
MXRecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `preference` _integer_ | | | Maximum: 65535 Minimum: 0 |
| `exchange` _string_ | | | MinLength: 1 |
NSRecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `content` _string_ | Requires a hostname (FQDN or relative); an optional trailing dot is allowed, underscores are not. Labels: 1-63 chars, alphanumeric with interior hyphens; total length <= 253. | | MaxLength: 253 MinLength: 1 Pattern: `^([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)(?:\.([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*\.?$` |
NameServerPolicy
NameServerPolicy specifies the policy for nameserver assignment.
| Field | Description | Default | Validation |
|---|---|---|---|
| `mode` _NameServerPolicyMode_ | Mode defines which policy to use. | | Enum: [Static] |
| `static` _StaticNS_ | Static contains a static list of authoritative nameservers when Mode == "Static". | | |
NameServerPolicyMode
Underlying type: string
Validation:
- Enum: [Static]
| Field | Description |
|---|---|
| Static | |
PTRRecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `content` _string_ | | | |
RRType
Underlying type: string
Validation:
- Enum: [A AAAA CNAME TXT MX SRV CAA NS SOA PTR TLSA HTTPS SVCB]
| Field | Description |
|---|---|
| A | |
| AAAA | |
| CNAME | |
| TXT | |
| MX | |
| SRV | |
| CAA | |
| NS | |
| SOA | |
| PTR | |
| TLSA | |
| HTTPS | |
| SVCB | |
RecordEntry
RecordEntry represents one owner name and its values.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | Name is the owner name (relative to the zone or FQDN). | | MinLength: 1 Pattern: `^(@\|[A-Za-z0-9*._-]+)$` Required: {} |
| `ttl` _integer_ | TTL optionally overrides the TTL for this owner/RRset. | | |
| `a` _ARecordSpec_ | Exactly one of the following type-specific fields should be set, matching RecordType. | | |
| `aaaa` _AAAARecordSpec_ | | | |
| `cname` _CNAMERecordSpec_ | | | |
| `ns` _NSRecordSpec_ | | | |
| `txt` _TXTRecordSpec_ | | | |
| `soa` _SOARecordSpec_ | | | |
| `caa` _CAARecordSpec_ | | | |
| `mx` _MXRecordSpec_ | | | |
| `srv` _SRVRecordSpec_ | | | |
| `tlsa` _TLSARecordSpec_ | | | |
| `https` _HTTPSRecordSpec_ | | | |
| `svcb` _HTTPSRecordSpec_ | | | |
| `ptr` _PTRRecordSpec_ | | | |
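As an added example (not code from the Milo API reference or its controllers), here is a client-side pre-check for a DNSRecordSet spec that enforces the RecordEntry rules documented above before a manifest is applied: the RRType enum, the owner-name pattern, the "exactly one type-specific field, matching RecordType" rule, and the per-type constraints the A, AAAA, CNAME, NS, CAA, MX and SRV tables state (the remaining types carry no documented value constraints and are only checked for the field-selection rule). The function names and the sample manifests are this example's own; constraints the reference does not state are not checked.

```python
"""Added example, not part of the Milo API reference or its controllers.
Pre-validates a DNSRecordSet spec against the RecordEntry rules documented
in the reference. Constraints the reference does not state are not checked."""
from __future__ import annotations

import ipaddress
import re

RR_TYPES = ["A", "AAAA", "CNAME", "TXT", "MX", "SRV", "CAA",
            "NS", "SOA", "PTR", "TLSA", "HTTPS", "SVCB"]
# RecordEntry key that must carry the value for each RecordType
TYPE_FIELD = {t: t.lower() for t in RR_TYPES}

NAME_RE = re.compile(r"^(@|[A-Za-z0-9*._-]+)$")          # RecordEntry.name
CNAME_RE = re.compile(  # CNAMERecordSpec.content: underscores allowed in labels
    r"^([A-Za-z0-9_](?:[-A-Za-z0-9_]{0,61}[A-Za-z0-9_])?)"
    r"(?:\.([A-Za-z0-9_](?:[-A-Za-z0-9_]{0,61}[A-Za-z0-9_])?))*\.?$")
NS_RE = re.compile(     # NSRecordSpec.content: hostname, no underscores
    r"^([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*\.?$")
CAA_TAG_RE = re.compile(r"^[a-z0-9]+$")
U16 = range(0, 65536)


def _check_value(rtype: str, v: dict, where: str) -> list[str]:
    """Per-type field checks taken from the *RecordSpec tables."""
    errs: list[str] = []
    content = str(v.get("content", ""))
    if rtype in ("A", "AAAA"):
        try:
            (ipaddress.IPv4Address if rtype == "A" else ipaddress.IPv6Address)(content)
        except ValueError:
            errs.append(f"{where}: content is not a valid {rtype} address")
    elif rtype == "CNAME" and not (1 <= len(content) <= 253 and CNAME_RE.match(content)):
        errs.append(f"{where}: cname.content is not a valid target name")
    elif rtype == "NS" and not (1 <= len(content) <= 253 and NS_RE.match(content)):
        errs.append(f"{where}: ns.content is not a valid hostname")
    elif rtype == "CAA":
        if v.get("flag", 0) not in range(256):
            errs.append(f"{where}: caa.flag must be 0-255")
        if not CAA_TAG_RE.match(str(v.get("tag", ""))):
            errs.append(f"{where}: caa.tag must match ^[a-z0-9]+$")
        if not v.get("value"):
            errs.append(f"{where}: caa.value must be non-empty")
    elif rtype == "MX":
        if v.get("preference", 0) not in U16:
            errs.append(f"{where}: mx.preference must be 0-65535")
        if not v.get("exchange"):
            errs.append(f"{where}: mx.exchange must be non-empty")
    elif rtype == "SRV":
        for k in ("priority", "weight", "port"):
            if v.get(k, 0) not in U16:
                errs.append(f"{where}: srv.{k} must be 0-65535")
        if not v.get("target"):
            errs.append(f"{where}: srv.target must be non-empty")
    return errs


def validate_recordset(spec: dict) -> list[str]:
    """Return the list of violations; an empty list means the spec passes."""
    errs: list[str] = []
    rtype = spec.get("recordType")
    if rtype not in RR_TYPES:
        return [f"recordType must be one of {RR_TYPES}, got {rtype!r}"]
    if not spec.get("dnsZoneRef", {}).get("name"):
        errs.append("dnsZoneRef.name is required")
    records = spec.get("records") or []
    if not records:
        errs.append("records must contain at least one entry (MinItems: 1)")
    for i, rec in enumerate(records):
        where = f"records[{i}]"
        name = str(rec.get("name", ""))
        if not NAME_RE.match(name):
            errs.append(f"{where}: name {name!r} does not match ^(@|[A-Za-z0-9*._-]+)$")
        present = [k for k in TYPE_FIELD.values() if k in rec]
        if present != [TYPE_FIELD[rtype]]:   # exactly one, and it must match recordType
            errs.append(f"{where}: exactly one type-specific field must be set and it must "
                        f"be '{TYPE_FIELD[rtype]}' for recordType {rtype}; found {present}")
            continue
        errs.extend(_check_value(rtype, rec[TYPE_FIELD[rtype]], where))
    return errs


# Constructed sample specs (not taken from the reference)
GOOD_A = {"dnsZoneRef": {"name": "example-zone"}, "recordType": "A",
          "records": [{"name": "www", "ttl": 300, "a": {"content": "192.0.2.10"}},
                      {"name": "@", "a": {"content": "192.0.2.11"}}]}
BAD_MIXED = {"dnsZoneRef": {"name": "example-zone"}, "recordType": "A",
             "records": [{"name": "www", "a": {"content": "192.0.2.10"},
                          "cname": {"content": "host.example.com."}}]}
BAD_CNAME = {"dnsZoneRef": {"name": "example-zone"}, "recordType": "CNAME",
             "records": [{"name": "bad name!", "cname": {"content": "-leading.example.com"}}]}

if __name__ == "__main__":
    for label, spec in (("GOOD_A", GOOD_A), ("BAD_MIXED", BAD_MIXED), ("BAD_CNAME", BAD_CNAME)):
        print(label, validate_recordset(spec) or "ok")
```

Running the checks before `kubectl apply` turns a rejected admission into a readable list of violations; the same function can sit in a CI step that lints DNSRecordSet manifests in a repository.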
RecordSetStatus
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | Name is the owner name this status pertains to. | | |
| `conditions` _Condition array_ | Conditions captures per-name readiness information such as RecordProgrammed. | | |
SOARecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `mname` _string_ | | | MinLength: 1 |
| `rname` _string_ | | | MinLength: 1 |
| `serial` _integer_ | | | |
| `refresh` _integer_ | | | |
| `retry` _integer_ | | | |
| `expire` _integer_ | | | |
| `ttl` _integer_ | | | |
SRVRecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `priority` _integer_ | | | Maximum: 65535 Minimum: 0 |
| `weight` _integer_ | | | Maximum: 65535 Minimum: 0 |
| `port` _integer_ | | | Maximum: 65535 Minimum: 0 |
| `target` _string_ | | | MinLength: 1 |
StaticNS
StaticNS lists static authoritative nameserver hostnames.
| Field | Description | Default | Validation |
|---|---|---|---|
| `servers` _string array_ | | | |
TLSARecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `usage` _integer_ | | | |
| `selector` _integer_ | | | |
| `matchingType` _integer_ | | | |
| `certData` _string_ | | | |
TXTRecordSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `content` _string_ | | | |
ZoneDefaults
ZoneDefaults holds optional default settings for zones.
| Field | Description | Default | Validation |
|---|---|---|---|
| `defaultTTL` _integer_ | DefaultTTL is the default TTL applied to records when not otherwise specified. | | |
iam.miloapis.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the iam v1alpha1 API group.
Resource Types
- Group
- GroupList
- GroupMembership
- GroupMembershipList
- MachineAccount
- MachineAccountKey
- MachineAccountKeyList
- MachineAccountList
- PlatformAccessApproval
- PlatformAccessApprovalList
- PlatformAccessRejection
- PlatformAccessRejectionList
- PlatformInvitation
- PlatformInvitationList
- PolicyBinding
- PolicyBindingList
- UserDeactivation
- UserDeactivationList
- UserInvitation
- UserInvitationList
AuthProvider
Underlying type: string
AuthProvider represents an external identity provider used for user authentication.
Validation:
- Enum: [github google]
| Field | Description |
|---|---|
| github | |
| google | |
Group
Group is the Schema for the groups API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | Group | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `status` _GroupStatus_ | | | |
GroupList
GroupList contains a list of Group.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | GroupList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _Group array_ | | | |
GroupMembership
GroupMembership is the Schema for the groupmemberships API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | GroupMembership | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _GroupMembershipSpec_ | | | |
| `status` _GroupMembershipStatus_ | | | |
GroupMembershipList
GroupMembershipList contains a list of GroupMembership.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | GroupMembershipList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _GroupMembership array_ | | | |
GroupMembershipSpec
GroupMembershipSpec defines the desired state of GroupMembership.
| Field | Description | Default | Validation |
|---|---|---|---|
| `userRef` _UserReference_ | UserRef is a reference to the User that is a member of the Group. User is a cluster-scoped resource. | | Required: {} |
| `groupRef` _GroupReference_ | GroupRef is a reference to the Group. Group is a namespaced resource. | | Required: {} |
GroupMembershipStatus
GroupMembershipStatus defines the observed state of GroupMembership.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions represent the latest available observations of an object's current state. | | |
GroupReference
GroupReference contains information that points to the Group being referenced. Group is a namespaced resource.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | Name is the name of the Group being referenced. | | Required: {} |
| `namespace` _string_ | Namespace of the referenced Group. | | Required: {} |
GroupStatus
GroupStatus defines the observed state of Group.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions represent the latest available observations of an object's current state. | | |
MachineAccount
MachineAccount is the Schema for the machine accounts API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | MachineAccount | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _MachineAccountSpec_ | | | |
| `status` _MachineAccountStatus_ | | | |
MachineAccountKey
MachineAccountKey is the Schema for the machineaccountkeys API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | MachineAccountKey | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _MachineAccountKeySpec_ | | | |
| `status` _MachineAccountKeyStatus_ | | | |
MachineAccountKeyList
MachineAccountKeyList contains a list of MachineAccountKey.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | MachineAccountKeyList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _MachineAccountKey array_ | | | |
MachineAccountKeySpec
MachineAccountKeySpec defines the desired state of MachineAccountKey.
| Field | Description | Default | Validation |
|---|---|---|---|
| `machineAccountName` _string_ | MachineAccountName is the name of the MachineAccount that owns this key. | | Required: {} |
| `expirationDate` _Time_ | ExpirationDate is the date and time when the MachineAccountKey will expire. If not specified, the MachineAccountKey will never expire. | | Optional: {} |
| `publicKey` _string_ | PublicKey is the public key of the MachineAccountKey. If not specified, the MachineAccountKey will be created with an auto-generated public key. | | Optional: {} |
MachineAccountKeyStatus
MachineAccountKeyStatus defines the observed state of MachineAccountKey.
| Field | Description | Default | Validation |
|---|---|---|---|
| `authProviderKeyId` _string_ | AuthProviderKeyID is the unique identifier for the key in the auth provider. This field is populated by the controller after the key is created in the auth provider. For example, when using Zitadel, a typical value might be "326102453042806786". | | |
| `conditions` _Condition array_ | Conditions provide conditions that represent the current status of the MachineAccountKey. | `[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]` | Optional: {} |
MachineAccountList
MachineAccountList contains a list of MachineAccount.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | MachineAccountList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _MachineAccount array_ | | | |
MachineAccountSpec
MachineAccountSpec defines the desired state of MachineAccount.
| Field | Description | Default | Validation |
|---|---|---|---|
| `state` _string_ | The state of the machine account. This state can be safely changed as needed. States: Active (the machine account can be used to authenticate); Inactive (the machine account is prohibited from authenticating, and all existing sessions are revoked). | Active | Enum: [Active Inactive] Optional: {} |
MachineAccountStatus
MachineAccountStatus defines the observed state of MachineAccount.
| Field | Description | Default | Validation |
|---|---|---|---|
| `email` _string_ | The computed email of the machine account, following the pattern `{metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix}`. | | |
| `state` _string_ | State represents the current activation state of the machine account from the auth provider. This field tracks the state from the previous generation and is updated when state changes are successfully propagated to the auth provider. It helps optimize performance by only updating the auth provider when a state change is detected. | | Enum: [Active Inactive] |
| `conditions` _Condition array_ | Conditions provide conditions that represent the current status of the MachineAccount. | | |
ParentResourceRef
ParentResourceRef defines the reference to a parent resource.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiGroup` _string_ | APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required. | | Optional: {} |
| `kind` _string_ | Kind is the type of resource being referenced. | | Required: {} |
PlatformAccessApproval
PlatformAccessApproval is the Schema for the platformaccessapprovals API. It represents a platform access approval for a user. Once the platform access approval is created, an email is sent to the user.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | PlatformAccessApproval | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _PlatformAccessApprovalSpec_ | | | Type: object |
PlatformAccessApprovalList
PlatformAccessApprovalList contains a list of PlatformAccessApproval.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | PlatformAccessApprovalList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _PlatformAccessApproval array_ | | | |
PlatformAccessApprovalSpec
PlatformAccessApprovalSpec defines the desired state of PlatformAccessApproval.
Validation:
- Type: object
| Field | Description | Default | Validation |
|---|---|---|---|
| `subjectRef` _SubjectReference_ | SubjectRef is the reference to the subject being approved. | | Required: {} |
| `approverRef` _UserReference_ | ApproverRef is the reference to the user who granted the approval. If not specified, the approval was made by the system. | | Optional: {} |
PlatformAccessRejection
PlatformAccessRejection is the Schema for the platformaccessrejections API. It represents a formal denial of platform access for a user. Once the rejection is created, a notification can be sent to the user.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | PlatformAccessRejection | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _PlatformAccessRejectionSpec_ | | | Type: object |
PlatformAccessRejectionList
PlatformAccessRejectionList contains a list of PlatformAccessRejection.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | PlatformAccessRejectionList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _PlatformAccessRejection array_ | | | |
PlatformAccessRejectionSpec
PlatformAccessRejectionSpec defines the desired state of PlatformAccessRejection.
Validation:
- Type: object
| Field | Description | Default | Validation |
|---|---|---|---|
| `subjectRef` _UserReference_ | SubjectRef is the reference to the user being rejected. | | Required: {} |
| `reason` _string_ | Reason is the reason for the rejection. | | Required: {} |
| `rejecterRef` _UserReference_ | RejecterRef is the reference to the actor who issued the rejection. If not specified, the rejection was made by the system. | | Optional: {} |
PlatformInvitation
PlatformInvitation is the Schema for the platforminvitations API. It represents a platform invitation for a user. Once the platform invitation is created, an email is sent to the user inviting them to the platform. The invited user has access to the platform after they create an account using the associated email address.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | PlatformInvitation | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _PlatformInvitationSpec_ | | | Type: object |
| `status` _PlatformInvitationStatus_ | | | Type: object |
PlatformInvitationEmailStatus
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | The name of the email resource that was created for the platform invitation. | | Optional: {} |
| `namespace` _string_ | The namespace of the email resource that was created for the platform invitation. | | Optional: {} |
PlatformInvitationList
PlatformInvitationList contains a list of PlatformInvitation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | PlatformInvitationList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _PlatformInvitation array_ | | | |
PlatformInvitationSpec
PlatformInvitationSpec defines the desired state of PlatformInvitation.
Validation:
- Type: object
| Field | Description | Default | Validation |
|---|---|---|---|
| `email` _string_ | The email of the user being invited. | | Required: {} |
| `givenName` _string_ | The given name of the user being invited. | | Optional: {} |
| `familyName` _string_ | The family name of the user being invited. | | Optional: {} |
| `scheduleAt` _Time_ | The time at which the platform invitation will be sent. It can only be updated before the platform invitation is sent. | | Optional: {} |
| `invitedBy` _UserReference_ | The user who created the platform invitation. A mutating webhook defaults this field to the user who made the request. | | |
PlatformInvitationStatus
PlatformInvitationStatus defines the observed state of PlatformInvitation.
Validation:
- Type: object
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions that represent the current status of the PlatformInvitation. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Platform invitation reconciliation is pending reason:ReconcilePending status:Unknown type:Ready]] | Optional: {} |
| `email` _PlatformInvitationEmailStatus_ | The email resource that was created for the platform invitation. | | Optional: {} |
PolicyBinding
PolicyBinding is the Schema for the policybindings API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | PolicyBinding | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _PolicyBindingSpec_ | | | |
| `status` _PolicyBindingStatus_ | | | |
PolicyBindingList
PolicyBindingList contains a list of PolicyBinding.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | PolicyBindingList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _PolicyBinding array_ | | | |
PolicyBindingSpec
PolicyBindingSpec defines the desired state of PolicyBinding.
| Field | Description | Default | Validation |
|---|---|---|---|
| `roleRef` _RoleReference_ | RoleRef is a reference to the Role that is being bound. This can be a reference to a Role custom resource. | | Required: {} |
| `subjects` _Subject array_ | Subjects holds references to the objects the role applies to. | | MinItems: 1 Required: {} |
| `resourceSelector` _ResourceSelector_ | ResourceSelector defines which resources the subjects in the policy binding should have the role applied to. Options within this struct are mutually exclusive. | | Required: {} |
PolicyBindingStatus
PolicyBindingStatus defines the observed state of PolicyBinding.
| Field | Description | Default | Validation |
|---|---|---|---|
| `observedGeneration` _integer_ | ObservedGeneration is the most recent generation observed for this PolicyBinding by the controller. | | Optional: {} |
| `conditions` _Condition array_ | Conditions that represent the current status of the PolicyBinding. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |
ProtectedResource
ProtectedResource is the Schema for the protectedresources API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _ProtectedResourceSpec_ | | | |
| `status` _ProtectedResourceStatus_ | | | |
ProtectedResourceSpec
ProtectedResourceSpec defines the desired state of ProtectedResource.
| Field | Description | Default | Validation |
|---|---|---|---|
| `serviceRef` _ServiceReference_ | ServiceRef references the service definition this protected resource belongs to. | | Required: {} |
| `kind` _string_ | The kind of the resource, e.g. `Workload`. | | Required: {} |
| `singular` _string_ | The singular form for the resource type, e.g. `workload`. Must follow camelCase format. | | Required: {} |
| `plural` _string_ | The plural form for the resource type, e.g. `workloads`. Must follow camelCase format. | | Required: {} |
| `parentResources` _ParentResourceRef array_ | A list of resources registered with the platform that may be a parent of this resource. Permissions may be bound to a parent resource so that they are inherited down the resource hierarchy. | | Optional: {} |
| `permissions` _string array_ | A list of permissions that are associated with the resource. | | Required: {} |
ProtectedResourceStatus
ProtectedResourceStatus defines the observed state of ProtectedResource.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions that represent the current status of the ProtectedResource. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |
| `observedGeneration` _integer_ | ObservedGeneration is the most recent generation observed for this ProtectedResource. It corresponds to the ProtectedResource's generation, which is updated on mutation by the API Server. | | Optional: {} |
RegistrationApprovalState
Underlying type: string
| Value | Description |
|---|---|
| Pending | The user is awaiting review by an administrator. |
| Approved | The user registration has been approved. |
| Rejected | The user registration has been rejected. |
ResourceKind
ResourceKind contains enough information to identify a resource type.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiGroup` _string_ | APIGroup is the group for the resource type being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. | | Optional: {} |
| `kind` _string_ | Kind is the type of resource being referenced. | | Required: {} |
ResourceReference
ResourceReference contains enough information to identify a specific API resource instance.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiGroup` _string_ | APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required. | | Optional: {} |
| `kind` _string_ | Kind is the type of resource being referenced. | | Required: {} |
| `name` _string_ | Name is the name of the resource being referenced. | | Required: {} |
| `uid` _string_ | UID is the unique identifier of the resource being referenced. | | Required: {} |
| `namespace` _string_ | Namespace is the namespace of the resource being referenced. Required for namespace-scoped resources; omitted for cluster-scoped resources. | | Optional: {} |
ResourceSelector
ResourceSelector defines which resources the policy binding applies to. Either resourceRef or resourceKind must be specified, but not both.
| Field | Description | Default | Validation |
|---|---|---|---|
| `resourceRef` _ResourceReference_ | ResourceRef provides a reference to a specific resource instance. Mutually exclusive with resourceKind. | | Optional: {} |
| `resourceKind` _ResourceKind_ | ResourceKind specifies that the policy binding should apply to all resources of a specific kind. Mutually exclusive with resourceRef. | | Optional: {} |
Role
Role is the Schema for the roles API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _RoleSpec_ | | | |
| `status` _RoleStatus_ | | { conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] } | |
RoleReference
RoleReference contains information that points to the Role being used.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | Name is the name of the resource being referenced. | | Required: {} |
| `namespace` _string_ | Namespace of the referenced Role. If empty, it is assumed to be in the PolicyBinding's namespace. | | Optional: {} |
RoleSpec
RoleSpec defines the desired state of Role.
| Field | Description | Default | Validation |
|---|---|---|---|
| `includedPermissions` _string array_ | The names of the permissions this role grants when bound in an IAM policy. All permissions must be in the format `{service}.{resource}.{action}` (e.g. `compute.workloads.create`). | | Optional: {} |
| `launchStage` _string_ | Defines the launch stage of the IAM Role. Must be one of: Early Access, Alpha, Beta, Stable, Deprecated. | | Required: {} |
| `inheritedRoles` _ScopedRoleReference array_ | The list of roles from which this role inherits permissions. Each entry must be a valid role resource name. | | Optional: {} |
RoleStatus
RoleStatus defines the observed state of Role.
| Field | Description | Default | Validation |
|---|---|---|---|
| `parent` _string_ | The resource name of the parent the role was created under. | | Optional: {} |
| `effectivePermissions` _string array_ | EffectivePermissions is the complete flattened list of all permissions granted by this role, including permissions from inheritedRoles and directly specified includedPermissions. It is computed by the controller and is the single source of truth for all permissions this role grants. | | Optional: {} |
| `conditions` _Condition array_ | Conditions that represent the current status of the Role. | | Optional: {} |
| `observedGeneration` _integer_ | ObservedGeneration is the most recent generation observed by the controller. | | |
ScopedRoleReference
ScopedRoleReference defines a reference to another Role, scoped by namespace. It is used for purposes such as role inheritance, where a name and namespace are sufficient to identify the target role.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | Name of the referenced Role. | | Required: {} |
| `namespace` _string_ | Namespace of the referenced Role. If not specified, it defaults to the namespace of the resource containing this reference. | | Optional: {} |
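When reviewing what a Role actually grants, `status.effectivePermissions` is the field to read, and it is worth understanding how it is derived from `spec.includedPermissions` and `spec.inheritedRoles`. The following is an added example, not Milo's own controller code: it models a Role with just those two fields, resolves `inheritedRoles` through `ScopedRoleReference` (an empty namespace falls back to the referring Role's namespace, as the reference above states), and computes the flattened, de-duplicated permission set. It rejects a malformed permission string, a dangling reference, or an inheritance cycle rather than silently granting less than the author intended. The permission regex is an assumption; the page only gives the `{service}.{resource}.{action}` shape and one example. Role names and permissions in `main` are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// ScopedRoleReference mirrors the reference type on this page: a name plus an optional
// namespace that defaults to the namespace of the referring Role.
type ScopedRoleReference struct {
	Name      string
	Namespace string
}

// Role carries the two RoleSpec fields that determine what it grants.
type Role struct {
	Name                string
	Namespace           string
	IncludedPermissions []string
	InheritedRoles      []ScopedRoleReference
}

// RoleSpec requires {service}.{resource}.{action}; the exact character set is not stated on
// the page, so this pattern (lowercase segments of letters and digits) is an assumption.
var permissionRE = regexp.MustCompile(`^[a-z][a-z0-9]*\.[a-z][a-z0-9]*\.[a-z][a-zA-Z0-9]*$`)

type roleKey struct{ Namespace, Name string }

// Resolver holds the Roles visible to the computation, keyed by namespace/name.
type Resolver struct{ roles map[roleKey]*Role }

func NewResolver(roles ...*Role) *Resolver {
	r := &Resolver{roles: map[roleKey]*Role{}}
	for _, role := range roles {
		r.roles[roleKey{role.Namespace, role.Name}] = role
	}
	return r
}

// EffectivePermissions computes what RoleStatus.effectivePermissions describes: the sorted,
// de-duplicated union of includedPermissions across the role and everything it inherits.
// A malformed permission, a missing inherited role, or an inheritance cycle is an error.
func (r *Resolver) EffectivePermissions(namespace, name string) ([]string, error) {
	seen := map[string]struct{}{}
	onPath := map[roleKey]bool{} // roles on the current DFS path, for cycle detection
	var walk func(k roleKey) error
	walk = func(k roleKey) error {
		if onPath[k] {
			return fmt.Errorf("inheritance cycle through role %s/%s", k.Namespace, k.Name)
		}
		role, ok := r.roles[k]
		if !ok {
			return fmt.Errorf("role %s/%s not found", k.Namespace, k.Name)
		}
		onPath[k] = true
		defer delete(onPath, k)
		for _, p := range role.IncludedPermissions {
			if !permissionRE.MatchString(p) {
				return fmt.Errorf("role %s/%s: %q is not of the form {service}.{resource}.{action}", k.Namespace, k.Name, p)
			}
			seen[p] = struct{}{}
		}
		for _, ref := range role.InheritedRoles {
			ns := ref.Namespace
			if ns == "" {
				ns = role.Namespace // ScopedRoleReference default
			}
			if err := walk(roleKey{ns, ref.Name}); err != nil {
				return err
			}
		}
		return nil
	}
	if err := walk(roleKey{namespace, name}); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed sample roles; names and permissions are illustrative, not platform-defined.
	r := NewResolver(
		&Role{Name: "workload-viewer", Namespace: "demo",
			IncludedPermissions: []string{"compute.workloads.get", "compute.workloads.list"}},
		&Role{Name: "workload-editor", Namespace: "demo",
			IncludedPermissions: []string{"compute.workloads.create", "compute.workloads.get"},
			InheritedRoles:      []ScopedRoleReference{{Name: "workload-viewer"}}},
	)
	perms, err := r.EffectivePermissions("demo", "workload-editor")
	fmt.Println(perms, err)
}
```

A diamond (two inheritance paths reaching the same role) is fine and simply de-duplicates; only a role that is already on the current path is reported as a cycle.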
ServiceReference
ServiceReference holds a reference to a service definition.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | Name is the resource name of the service definition. | | Required: {} |
Subject
Subject contains a reference to the object or user identities a role binding applies to. This can be a User or Group.
| Field | Description | Default | Validation |
|---|---|---|---|
| `kind` _string_ | Kind of object being referenced. Values defined in Kind constants. | | Enum: [User Group] Required: {} |
| `name` _string_ | Name of the object being referenced. The special group name `system:authenticated-users` refers to all authenticated users. | | Required: {} |
| `namespace` _string_ | Namespace of the referenced object. If not set, then for a service account it refers to the PolicyBinding resource's namespace. For a User or Group it is ignored. | | Optional: {} |
| `uid` _string_ | UID of the referenced object. Optional for system groups (groups whose names start with `system:`). | | Optional: {} |
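Two fields decide how far a PolicyBinding reaches: the `ResourceSelector` (one named instance via `resourceRef`, or every resource of a kind via `resourceKind`) and the `Subject` list (named principals, or the `system:authenticated-users` group that matches every signed-in principal). The following is an added example, not Milo's own code: it models `PolicyBindingSpec`, `Subject` and `ResourceSelector` with the field lists from this reference, validates the rules the reference states (exactly one selector option, at least one subject, `kind` in `[User Group]`, and a `uid` on every subject that is not a `system:` group), and then reports the blast-radius findings a reviewer would want flagged. Type and function names are the example's own; the sample binding in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Subject, ResourceReference, ResourceKind and ResourceSelector follow the field lists on this page.
type Subject struct {
	Kind      string // User or Group
	Name      string
	Namespace string
	UID       string // optional only for system: groups
}

type ResourceReference struct{ APIGroup, Kind, Name, UID, Namespace string }

type ResourceKind struct{ APIGroup, Kind string }

type ResourceSelector struct {
	ResourceRef  *ResourceReference
	ResourceKind *ResourceKind
}

type PolicyBindingSpec struct {
	RoleName         string
	Subjects         []Subject
	ResourceSelector ResourceSelector
}

const AllAuthenticatedUsers = "system:authenticated-users"

// Validate applies the rules stated in the reference: exactly one of resourceRef or
// resourceKind, at least one subject, subject kind User or Group, and a uid on every
// subject that is not a system: group.
func Validate(s PolicyBindingSpec) error {
	ref, kind := s.ResourceSelector.ResourceRef, s.ResourceSelector.ResourceKind
	if (ref == nil) == (kind == nil) {
		return errors.New("resourceSelector: exactly one of resourceRef or resourceKind must be set")
	}
	if ref != nil && (ref.Kind == "" || ref.Name == "" || ref.UID == "") {
		return errors.New("resourceRef: kind, name and uid are required")
	}
	if kind != nil && kind.Kind == "" {
		return errors.New("resourceKind: kind is required")
	}
	if len(s.Subjects) == 0 {
		return errors.New("subjects: at least one subject is required")
	}
	for i, sub := range s.Subjects {
		if sub.Kind != "User" && sub.Kind != "Group" {
			return fmt.Errorf("subjects[%d]: kind must be User or Group, got %q", i, sub.Kind)
		}
		if sub.Name == "" {
			return fmt.Errorf("subjects[%d]: name is required", i)
		}
		if sub.UID == "" && !strings.HasPrefix(sub.Name, "system:") {
			return fmt.Errorf("subjects[%d]: uid is required unless the subject is a system: group", i)
		}
	}
	return nil
}

// Finding is one reason a binding reaches further than named principals on one resource.
type Finding string

const (
	KindWide         Finding = "resourceKind selector: role applies to every resource of that kind"
	AllAuthenticated Finding = "system:authenticated-users subject: role applies to every signed-in principal"
)

// Review lists the blast-radius findings for a binding. An empty result means the binding
// names specific principals on one resource instance, the narrowest grant the API expresses.
func Review(s PolicyBindingSpec) []Finding {
	var out []Finding
	if s.ResourceSelector.ResourceKind != nil {
		out = append(out, KindWide)
	}
	for _, sub := range s.Subjects {
		if sub.Kind == "Group" && sub.Name == AllAuthenticatedUsers {
			out = append(out, AllAuthenticated)
			break
		}
	}
	return out
}

func main() {
	// Constructed sample: the widest binding the API can express.
	wide := PolicyBindingSpec{
		RoleName:         "workload-editor",
		Subjects:         []Subject{{Kind: "Group", Name: AllAuthenticatedUsers}},
		ResourceSelector: ResourceSelector{ResourceKind: &ResourceKind{Kind: "Workload"}},
	}
	fmt.Println(Validate(wide), Review(wide))
}
```

Run against existing bindings, `Review` is a quick way to list every grant that combines a kind-wide selector with the all-authenticated group, which is the combination to scrutinise first in an access review.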
SubjectReference
| Field | Description | Default | Validation |
|---|---|---|---|
| `email` _string_ | Email is the email of the user being approved. Use Email to approve an email address that is not yet associated with a created user (e.g. when using PlatformInvitation). UserRef and Email are mutually exclusive; exactly one of them must be specified. | | Optional: {} |
| `userRef` _UserReference_ | UserRef is the reference to the user being approved. UserRef and Email are mutually exclusive; exactly one of them must be specified. | | Optional: {} |
User
User is the Schema for the users API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _UserSpec_ | | | |
| `status` _UserStatus_ | | | |
UserDeactivation
UserDeactivation is the Schema for the userdeactivations API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | UserDeactivation | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _UserDeactivationSpec_ | | | |
| `status` _UserDeactivationStatus_ | | | |
UserDeactivationList
UserDeactivationList contains a list of UserDeactivation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | UserDeactivationList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _UserDeactivation array_ | | | |
UserDeactivationSpec
UserDeactivationSpec defines the desired state of UserDeactivation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `userRef` _UserReference_ | UserRef is a reference to the User being deactivated. User is a cluster-scoped resource. | | Required: {} |
| `reason` _string_ | Reason is the internal reason for the deactivation. | | Required: {} |
| `description` _string_ | Description provides a detailed internal description of the deactivation. | | Optional: {} |
| `deactivatedBy` _string_ | DeactivatedBy indicates who initiated the deactivation. | | Required: {} |
UserDeactivationStatus
UserDeactivationStatus defines the observed state of UserDeactivation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions represent the latest available observations of the object's current state. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |
UserInvitation
UserInvitation is the Schema for the userinvitations API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | UserInvitation | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _UserInvitationSpec_ | | | |
| `status` _UserInvitationStatus_ | | | |
UserInvitationInviteeUserStatus
UserInvitationInviteeUserStatus contains information about the invitee user in the invitation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | Name is the name of the invitee User in the invitation. User is a cluster-scoped resource, so no namespace is needed. | | Required: {} |
UserInvitationList
UserInvitationList contains a list of UserInvitation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | iam.miloapis.com/v1alpha1 | | |
| `kind` _string_ | UserInvitationList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _UserInvitation array_ | | | |
UserInvitationOrganizationStatus
UserInvitationOrganizationStatus contains information about the organization in the invitation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `displayName` _string_ | DisplayName is the display name of the organization in the invitation. | | Optional: {} |
UserInvitationSpec
UserInvitationSpec defines the desired state of UserInvitation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `organizationRef` _OrganizationReference_ | OrganizationRef is a reference to the Organization that the user is invited to. | | Required: {} |
| `email` _string_ | The email of the user being invited. | | Required: {} |
| `givenName` _string_ | The first name of the user being invited. | | Optional: {} |
| `familyName` _string_ | The last name of the user being invited. | | Optional: {} |
| `roles` _RoleReference array_ | The roles that will be assigned to the user when they accept the invitation. | | MaxItems: 100 MinItems: 1 Required: {} |
| `invitedBy` _UserReference_ | InvitedBy is the user who issued the invitation. A mutating webhook defaults this field to the user who made the request. | | Optional: {} |
| `expirationDate` _Time_ | ExpirationDate is the date and time at which the UserInvitation expires. If not specified, the UserInvitation never expires. | | Optional: {} |
| `state` _UserInvitationStateType_ | State is the state of the UserInvitation. To accept the invitation, the invited user must set the state to Accepted. | | Enum: [Pending Accepted Declined] Required: {} |
Because an invitation with no `expirationDate` remains acceptable indefinitely, and accepting it assigns every role in `roles`, set an expiration on invitations that carry anything beyond read-only roles.
UserInvitationStateType
Underlying type: string
| Value | Description |
|---|---|
| Pending | |
| Accepted | |
| Declined | |
UserInvitationStatus
UserInvitationStatus defines the observed state of UserInvitation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions that represent the current status of the UserInvitation. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Unknown]] | Optional: {} |
| `organization` _UserInvitationOrganizationStatus_ | Organization contains information about the organization in the invitation. | | Optional: {} |
| `inviterUser` _UserInvitationUserStatus_ | InviterUser contains information about the user who issued the invitation. | | Optional: {} |
| `inviteeUser` _UserInvitationInviteeUserStatus_ | InviteeUser contains information about the invitee user in the invitation. This value may be nil if the invitee user has not been created yet. | | Optional: {} |
UserInvitationUserStatus
UserInvitationUserStatus contains information about the user who issued the invitation.
| Field | Description | Default | Validation |
|---|---|---|---|
| `displayName` _string_ | DisplayName is the display name of the user who issued the invitation. | | Optional: {} |
| `emailAddress` _string_ | EmailAddress is the email address of the user who issued the invitation. | | Optional: {} |
UserPreference
UserPreference is the Schema for the userpreferences API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _UserPreferenceSpec_ | | | |
| `status` _UserPreferenceStatus_ | | | |
UserPreferenceSpec
UserPreferenceSpec defines the desired state of UserPreference.
| Field | Description | Default | Validation |
|---|---|---|---|
| `userRef` _UserReference_ | Reference to the user these preferences belong to. | | Required: {} |
| `theme` _string_ | The user's theme preference. | system | Enum: [light dark system] Optional: {} |
UserPreferenceStatus
UserPreferenceStatus defines the observed state of UserPreference.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions that represent the current status of the UserPreference. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |
UserReference
UserReference contains information that points to the User being referenced. User is a cluster-scoped resource, so no namespace is needed.
Appears in:
- GroupMembershipSpec
- NoteSpec
- PlatformAccessApprovalSpec
- PlatformAccessRejectionSpec
- PlatformInvitationSpec
- SubjectReference
- UserDeactivationSpec
- UserInvitationSpec
- UserPreferenceSpec
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | Name is the name of the User being referenced. | | Required: {} |
UserSpec
UserSpec defines the desired state of User.
| Field | Description | Default | Validation |
|---|---|---|---|
| `email` _string_ | The email of the user. | | Required: {} |
| `givenName` _string_ | The first name of the user. | | Optional: {} |
| `familyName` _string_ | The last name of the user. | | Optional: {} |
UserState
Underlying type: string
| Value | Description |
|---|---|
| Active | The user can authenticate. |
| Inactive | The user cannot authenticate; entering this state revokes all existing sessions. |
UserStatus
UserStatus defines the observed state of User.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Conditions that represent the current status of the User. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |
| `state` _UserState_ | State represents the current activation state of the user account from the auth provider. This field is managed exclusively by the UserDeactivation CRD and cannot be changed directly by the user. When a UserDeactivation resource is created for the user, the user is deactivated in the auth provider; when the UserDeactivation is deleted, the user is reactivated. States: Active: the user can authenticate. Inactive: the user cannot authenticate, and entering this state revokes all existing sessions. | Active | Enum: [Active Inactive] |
| `registrationApproval` _RegistrationApprovalState_ | RegistrationApproval represents the administrator's decision on the user's registration request. States: Pending: the user is awaiting review by an administrator. Approved: the registration has been approved. Rejected: the registration has been rejected. The User resource is always created regardless of this value, but the person's ability to sign in to the platform and access resources is governed by it: only Approved users are granted access, while Pending and Rejected users are prevented from interacting with resources. | | Enum: [Pending Approved Rejected] |
| `lastLoginProvider` _AuthProvider_ | LastLoginProvider records the identity provider most recently used by the user to log in (e.g. "github" or "google"). This field is set by the auth provider based on authentication events. | | Enum: [github google] Optional: {} |
| `avatarUrl` _string_ | AvatarURL points to the avatar image associated with the user. It is populated by the auth provider or by any service that provides a user avatar URL. | | Format: uri Optional: {} |
Note that deleting a UserDeactivation reactivates the user, so treat delete permission on userdeactivations as equivalent to the power to restore a suspended account. Access also depends on two status fields together: a user must be both `state: Active` and `registrationApproval: Approved` to sign in and use resources.
identity.miloapis.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the identity.miloapis.com group.
This package defines virtual types served by the Milo API server. These types are backed by provider-specific implementations and are not persisted in etcd.
infrastructure.miloapis.com/v1alpha1
Resource Types
ProjectControlPlane
ProjectControlPlane is the Schema for the projectcontrolplanes API.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | infrastructure.miloapis.com/v1alpha1 | | |
| `kind` _string_ | ProjectControlPlane | | |
| `metadata` _ObjectMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` _ProjectControlPlaneSpec_ | | | Required: {} |
| `status` _ProjectControlPlaneStatus_ | | { conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Creating a new control plane for the project reason:Creating status:False type:ControlPlaneReady]] } | |
ProjectControlPlaneList
ProjectControlPlaneList contains a list of ProjectControlPlane.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` _string_ | infrastructure.miloapis.com/v1alpha1 | | |
| `kind` _string_ | ProjectControlPlaneList | | |
| `metadata` _ListMeta_ | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` _ProjectControlPlane array_ | | | |
ProjectControlPlaneSpec
ProjectControlPlaneSpec defines the desired state of ProjectControlPlane.
ProjectControlPlaneStatus
ProjectControlPlaneStatus defines the observed state of ProjectControlPlane.
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` _Condition array_ | Represents the observations of a project control plane's current state. Known condition types are: "Ready". | | |
networking.datumapis.com/v1alpha
Package v1alpha contains API Schema definitions for the networking v1alpha API group.
Resource Types
- Domain
- DomainList
- HTTPProxy
- HTTPProxyList
- Location
- LocationList
- Network
- NetworkBinding
- NetworkBindingList
- NetworkContext
- NetworkContextList
- NetworkList
- NetworkPolicy
- NetworkPolicyList
- Subnet
- SubnetClaim
- SubnetClaimList
- SubnetList
- TrafficProtectionPolicy
- TrafficProtectionPolicyList
AbuseContact
| Field | Description | Default | Validation |
|---|---|---|---|
| `email` _string_ | | | |
| `phone` _string_ | | | |
Contact
| Field | Description | Default | Validation |
|---|---|---|---|
| `organization` _string_ | | | |
| `email` _string_ | | | |
| `phone` _string_ | | | |
ContactSet
| Field | Description | Default | Validation |
|---|---|---|---|
| `registrant` _Contact_ | | | |
| `admin` _Contact_ | | | |
| `tech` _Contact_ | | | |
DNSSECInfo
| Field | Description | Default | Validation |
|---|---|---|---|
| `enabled` _boolean_ | | | |
| `ds` _DSRecord array_ | | | |
DNSVerificationRecord
DNSVerificationRecord represents a DNS record required for verification.
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` _string_ | | | |
| `type` _string_ | | | |
| `content` _string_ | | | |
DSRecord
| Field | Description | Default | Validation |
|---|---|---|---|
| `keyTag` _integer_ | | | |
| `algorithm` _integer_ | | | |
| `digestType` _integer_ | | | |
| `digest` _string_ | | | |
Domain
Section titled “Domain”Domain represents a domain name in the Datum system
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | Domain | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specDomainSpec | Required: {} | ||
statusDomainStatus | { conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Verified] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:VerifiedDNS] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:VerifiedHTTP]] } |
DomainList
Section titled “DomainList”DomainList contains a list of Domain
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | DomainList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsDomain array |
DomainSpec
Section titled “DomainSpec”DomainSpec defines the desired state of Domain
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
domainNamestring | DomainName is the fully qualified domain name (FQDN) to be managed | MaxLength: 253 MinLength: 1 Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$Required: {} | |
desiredRegistrationRefreshAttemptTime | DesiredRegistrationRefreshAttempt is the desired time of the next registration refresh attempt. | Optional: {} |
DomainStatus
Section titled “DomainStatus”DomainStatus defines the observed state of Domain
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
verificationDomainVerificationStatus | |||
registrationRegistration | |||
nameserversNameserver array | Nameservers lists the authoritative nameservers for the effective domain name. If apex is true they are taken from RDAP for the registered domain (eTLD+1); if apex is false they are taken from the DNS delegation for the subdomain, falling back to the apex nameservers when there is no zone cut. | ||
apexboolean | Apex is true when spec.domainName is the registered domain (eTLD+1). | ||
conditionsCondition array |
DomainVerificationStatus
Section titled “DomainVerificationStatus”DomainVerificationStatus represents the verification status of a domain
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
dnsRecordDNSVerificationRecord | |||
httpTokenHTTPVerificationToken | |||
nextVerificationAttemptTime |
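How a controller would consume the dnsRecord and httpToken above, as an added Go example that is not part of this API reference or the Datum code base. The resolver and fetcher are injected so the check runs offline; the record name, URL and token value are placeholders. Both comparisons are deliberately strict: a TXT value must equal content exactly, and an HTTP body must equal body once trailing whitespace is stripped, so a token that merely appears somewhere in a shared zone or page does not count. Treating Verified as true when either method passes is an assumption; the API lists the three condition types without stating how they relate.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DNSVerificationRecord and HTTPVerificationToken mirror the API types.
type DNSVerificationRecord struct{ Name, Type, Content string }
type HTTPVerificationToken struct{ URL, Body string }

// Resolver and Fetcher are injected so the checks run offline; a controller
// would wrap net.Resolver.LookupTXT and an http.Client here.
type Resolver func(name string) ([]string, error)
type Fetcher func(url string) (string, error)

// VerifyDNS passes only when some TXT value at rec.Name equals rec.Content
// byte-for-byte. Handling only TXT is an assumption of this example.
func VerifyDNS(rec DNSVerificationRecord, lookup Resolver) (bool, error) {
	if !strings.EqualFold(rec.Type, "TXT") {
		return false, fmt.Errorf("unsupported record type %q", rec.Type)
	}
	values, err := lookup(strings.TrimSuffix(rec.Name, "."))
	if err != nil {
		return false, err
	}
	for _, v := range values {
		if v == rec.Content { // exact: a prefix or substring match would let a shared zone pass
			return true, nil
		}
	}
	return false, nil
}

// VerifyHTTP passes when the body served at tok.URL equals tok.Body once
// trailing whitespace is removed (static file servers often append a newline).
func VerifyHTTP(tok HTTPVerificationToken, fetch Fetcher) (bool, error) {
	if !strings.HasPrefix(tok.URL, "http://") && !strings.HasPrefix(tok.URL, "https://") {
		return false, errors.New("verification URL must use http or https")
	}
	body, err := fetch(tok.URL)
	if err != nil {
		return false, err
	}
	return strings.TrimRight(body, " \t\r\n") == tok.Body, nil
}

// Verified evaluates both methods. Reporting the overall Verified condition as
// "either method passed" is an assumption of this example.
func Verified(rec DNSVerificationRecord, tok HTTPVerificationToken, lookup Resolver, fetch Fetcher) (dnsOK, httpOK, verified bool) {
	dnsOK, _ = VerifyDNS(rec, lookup)
	httpOK, _ = VerifyHTTP(tok, fetch)
	return dnsOK, httpOK, dnsOK || httpOK
}

func main() {
	// Constructed record, token and responses; names and token value are placeholders.
	rec := DNSVerificationRecord{Name: "_datum-verify.example.com", Type: "TXT", Content: "tok-3f9a"}
	tok := HTTPVerificationToken{URL: "http://example.com/.well-known/datum-verify", Body: "tok-3f9a"}
	lookup := func(name string) ([]string, error) { return []string{"v=spf1 -all", "tok-3f9a"}, nil }
	fetch := func(url string) (string, error) { return "tok-3f9a\n", nil }
	fmt.Println(Verified(rec, tok, lookup, fetch))
}
```

In production the fetch should follow at most a bounded number of redirects and refuse to be redirected to internal addresses, since the URL's host is controlled by whoever is trying to prove ownership.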
GCPLocationProvider
Section titled “GCPLocationProvider”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
projectIdstring | The GCP project servicing the location. For locations with the datum-managed location class, a service account is required for each unique GCP project ID across all locations registered in a namespace. | Required: {} | |
regionstring | The GCP region servicing the location | Required: {} | |
zonestring | The GCP zone servicing the location | Required: {} |
HTTPProxy
Section titled “HTTPProxy”An HTTPProxy builds on top of Gateway API resources to provide a more convenient method to manage simple reverse proxy use cases.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | HTTPProxy | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specHTTPProxySpec | Spec defines the desired state of an HTTPProxy. | Required: {} | |
statusHTTPProxyStatus | Status defines the current state of an HTTPProxy. | conditions: Accepted and Programmed, each starting as status Unknown, reason Pending, message "Waiting for controller" | |
HTTPProxyList
Section titled “HTTPProxyList”HTTPProxyList contains a list of HTTPProxy.
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | HTTPProxyList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsHTTPProxy array |
HTTPProxyRule
Section titled “HTTPProxyRule”HTTPProxyRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to backends.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
nameSectionName | Name is the name of the route rule. This name MUST be unique within a Route if it is set. | ||
matchesHTTPRouteMatch array | Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied. See the documentation for the matches field of the HTTPRouteRule type at https://gateway-api.sigs.k8s.io/reference/spec/#httprouterule | [map[path:map[type:PathPrefix value:/]]] | MaxItems: 64 MinItems: 1 |
filtersHTTPRouteFilter array | Filters define the filters that are applied to requests that match this rule. See the documentation for the filters field of the HTTPRouteRule type at https://gateway-api.sigs.k8s.io/reference/spec/#httprouterule | MaxItems: 16 | |
backendsHTTPProxyRuleBackend array | Backends defines the backend(s) where matching requests should be sent. Note: While this field is a list, only a single element is permitted at this time due to underlying Gateway limitations. Once addressed, MaxItems will be increased to allow for multiple backends on any given route. | MaxItems: 1 MinItems: 0 |
HTTPProxyRuleBackend
Section titled “HTTPProxyRuleBackend”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
endpointstring | Endpoint for the backend. Must be a valid URL. Supports http and https protocols, IPs or DNS addresses in the host, custom ports, and paths. | Required: {} | |
filtersHTTPRouteFilter array | Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. | MaxItems: 16 |
HTTPProxySpec
Section titled “HTTPProxySpec”HTTPProxySpec defines the desired state of HTTPProxy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
hostnamesHostname array | Hostnames defines a set of hostnames that are matched against the HTTP Host header to select the HTTPProxy used to process a request. Valid values are hostnames as defined by RFC 1123, with one notable exception: IP addresses are not allowed. Hostnames must be verified before being programmed. Verification is accomplished through Domain resources: a hostname is considered verified if any verified Domain resource exists in the same namespace whose spec.domainName either exactly matches the hostname or is a suffix of it on a label boundary. A Domain with a spec.domainName of example.com therefore covers test.example.com, foo.test.example.com and exactly example.com, but not test-example.com. If no Domain resource matching a hostname exists, one is created automatically when the system attempts to program the HTTPProxy. In addition to ownership verification, hostnames must be unique across the platform. If a hostname is already programmed on another resource, a conflict is reported in the HostnamesVerified condition. Hostnames that have been programmed are listed in the status.hostnames field; any hostname that has not been programmed is listed in the message of the HostnamesVerified condition together with the reason it was not programmed. The system may also generate and associate hostnames with the HTTPProxy automatically; these appear in status.hostnames and require no additional configuration. Wildcard hostnames are not supported at this time. | MaxItems: 16 Optional: {} | |
rulesHTTPProxyRule array | Rules are a list of HTTP matchers, filters and actions. | MaxItems: 16 MinItems: 1 Required: {} |
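The suffix rule for hostnames, as an added Go example that is not code from this API reference or the Datum project. The security-relevant detail is that the match must fall on a label boundary: example.com covers test.example.com, but must not cover test-example.com (a different registrable name) or example.com.attacker.test (where example.com is only a prefix). Lower-casing and dropping a trailing dot are assumptions of the example, and the list of verified Domain names is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// verifiedByDomain reports whether hostname is covered by a verified Domain
// whose spec.domainName is domainName, following the HTTPProxy hostnames rule:
// an exact match, or a suffix match that falls on a label boundary.
// Lower-casing and dropping a trailing dot are assumptions of this example.
func verifiedByDomain(hostname, domainName string) bool {
	h := strings.TrimSuffix(strings.ToLower(hostname), ".")
	d := strings.TrimSuffix(strings.ToLower(domainName), ".")
	if h == "" || d == "" {
		return false
	}
	if h == d {
		return true
	}
	// Require the dot: "test.example.com" is under "example.com",
	// "test-example.com" is a different registrable name and is not.
	return strings.HasSuffix(h, "."+d)
}

// coveringDomains lists which verified domainNames cover hostname, so an
// operator can see which ownership proof an HTTPProxy hostname relies on.
func coveringDomains(hostname string, verifiedDomains []string) []string {
	var out []string
	for _, d := range verifiedDomains {
		if verifiedByDomain(hostname, d) {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// Constructed inputs: two Domain resources assumed to be verified.
	verified := []string{"example.com", "corp.example.net"}
	for _, h := range []string{
		"example.com", "test.example.com", "foo.test.example.com",
		"test-example.com", "example.com.attacker.test", "app.corp.example.net",
	} {
		fmt.Printf("%-26s covered by %v\n", h, coveringDomains(h, verified))
	}
}
```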
HTTPProxyStatus
Section titled “HTTPProxyStatus”HTTPProxyStatus defines the observed state of HTTPProxy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
addressesGatewayStatusAddress array | Addresses lists the network addresses that have been bound to the HTTPProxy. This field will not contain custom hostnames defined in the HTTPProxy. See the hostnames field | MaxItems: 16 | |
hostnamesHostname array | Hostnames lists the hostnames that have been bound to the HTTPProxy. If this list does not match that defined in the HTTPProxy, see the HostnamesVerified condition message for details. | ||
conditionsCondition array | Conditions describe the current conditions of the HTTPProxy. |
HTTPVerificationToken
Section titled “HTTPVerificationToken”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
urlstring | |||
bodystring |
IPBlock
Section titled “IPBlock”IPBlock describes a CIDR (for example “192.168.1.0/24” or “2001:db8::/64”) whose addresses are allowed to reach the targets matched by a network policy. The except entries list CIDRs within that range that are excluded from the rule.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
cidrstring | cidr is a string representing the IPBlock Valid examples are “192.168.1.0/24” or “2001:db8::/64” | Required: {} | |
exceptstring array | except is a slice of CIDRs that should not be included within an IPBlock Valid examples are “192.168.1.0/24” or “2001:db8::/64” Except values will be rejected if they are outside the cidr range | Optional: {} |
IPFamily
Section titled “IPFamily”Underlying type: string
Validation:
- Enum: [IPv4 IPv6]
Appears in:
| Value | Description |
|---|---|
| IPv4 | |
| IPv6 | |
LocalNetworkContextRef
Section titled “LocalNetworkContextRef”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
namestring | The network context name | Required: {} |
LocalNetworkRef
Section titled “LocalNetworkRef”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
namestring | The network name | Required: {} |
LocalSubnetReference
Section titled “LocalSubnetReference”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
namestring |
Location
Section titled “Location”Location is the Schema for the locations API.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | Location | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specLocationSpec | |||
statusLocationStatus |
LocationList
Section titled “LocationList”LocationList contains a list of Location.
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | LocationList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsLocation array |
LocationProvider
Section titled “LocationProvider”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
gcpGCPLocationProvider |
LocationReference
Section titled “LocationReference”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
namestring | Name of a datum location | Required: {} | |
namespacestring | Namespace for the datum location | Required: {} |
LocationSpec
Section titled “LocationSpec”LocationSpec defines the desired state of Location.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
locationClassNamestring | The location class that indicates control plane behavior of entities associated with the location. Valid values are: - datum-managed - self-managed | Required: {} | |
topologyobject (keys:string, values:string) | The topology of the location This may contain arbitrary topology keys. Some keys may be well known, such as: - topology.datum.net/city-code | Required: {} | |
providerLocationProvider | The location provider | Required: {} |
LocationStatus
Section titled “LocationStatus”LocationStatus defines the observed state of Location.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
conditionsCondition array | Represents the observations of a location’s current state. |
Nameserver
Section titled “Nameserver”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
hostnamestring | |||
ipsNameserverIP array |
NameserverIP
Section titled “NameserverIP”NameserverIP captures per-address provenance for a nameserver.
Appears in:
- Nameserver
| Field | Description | Default | Validation |
|---|---|---|---|
addressstring | |||
registrantNamestring |
Network
Section titled “Network”Network is the Schema for the networks API
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | Network | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specNetworkSpec | Required: {} | ||
statusNetworkStatus |
NetworkBinding
Section titled “NetworkBinding”NetworkBinding is the Schema for the networkbindings API
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | NetworkBinding | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specNetworkBindingSpec | Required: {} | ||
statusNetworkBindingStatus | | conditions: Ready, starting as status Unknown, reason Pending, message "Waiting for controller" | |
NetworkBindingList
Section titled “NetworkBindingList”NetworkBindingList contains a list of NetworkBinding
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | NetworkBindingList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsNetworkBinding array |
NetworkBindingSpec
Section titled “NetworkBindingSpec”NetworkBindingSpec defines the desired state of NetworkBinding
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
networkNetworkRef | The network that the binding is for. | Required: {} | |
locationLocationReference | The location of where a network binding exists. | Required: {} |
NetworkBindingStatus
Section titled “NetworkBindingStatus”NetworkBindingStatus defines the observed state of NetworkBinding
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
networkContextRefNetworkContextRef | |||
conditionsCondition array | Represents the observations of a network binding’s current state. |
NetworkContext
Section titled “NetworkContext”NetworkContext is the Schema for the networkcontexts API
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | NetworkContext | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specNetworkContextSpec | |||
statusNetworkContextStatus | | conditions: Programmed and Ready, each starting as status Unknown, reason Pending, message "Waiting for controller" | |
NetworkContextList
Section titled “NetworkContextList”NetworkContextList contains a list of NetworkContext
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | NetworkContextList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsNetworkContext array |
NetworkContextRef
Section titled “NetworkContextRef”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
namespacestring | The network context namespace | Required: {} | |
namestring | The network context name | Required: {} |
NetworkContextSpec
Section titled “NetworkContextSpec”NetworkContextSpec defines the desired state of NetworkContext
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
networkLocalNetworkRef | The attached network | Required: {} | |
locationLocationReference | The location of where a network context exists. | Required: {} |
NetworkContextStatus
Section titled “NetworkContextStatus”NetworkContextStatus defines the observed state of NetworkContext
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
conditionsCondition array | Represents the observations of a network context’s current state. |
NetworkIPAM
Section titled “NetworkIPAM”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
modeNetworkIPAMMode | IPAM mode | Enum: [Auto Policy] Required: {} | |
ipv4Rangestring | IPv4 range to use in auto mode networks. Defaults to 10.128.0.0/9. | Optional: {} | |
ipv6Rangestring | IPv6 range to use in auto mode networks. Defaults to a /48 allocated from fd20::/20. | Optional: {} |
NetworkIPAMMode
Section titled “NetworkIPAMMode”Underlying type: string
Appears in:
| Value | Description |
|---|---|
| Auto | Automatically allocate subnets in the network |
| Policy | Leverage allocation policies or manually created subnets |
NetworkList
Section titled “NetworkList”NetworkList contains a list of Network
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | NetworkList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsNetwork array |
NetworkPolicy
Section titled “NetworkPolicy”NetworkPolicy is the Schema for the networkpolicies API
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | NetworkPolicy | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specNetworkPolicySpec | |||
statusNetworkPolicyStatus |
NetworkPolicyList
Section titled “NetworkPolicyList”NetworkPolicyList contains a list of NetworkPolicy
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | NetworkPolicyList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsNetworkPolicy array |
NetworkPolicyPeer
Section titled “NetworkPolicyPeer”NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
ipBlockIPBlock | ipBlock defines policy on a particular IPBlock. If this field is set, no other peer selector may be set; ipBlock is currently the only selector defined on this type. | Optional: {} |
NetworkPolicyPort
Section titled “NetworkPolicyPort”NetworkPolicyPort describes a port to allow traffic on
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
protocolProtocol | protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. | Optional: {} | |
portIntOrString | port represents the port on the given protocol. This can either be a numerical or named port on an instance. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. | Optional: {} | |
endPortinteger | endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. | Optional: {} |
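The IPBlock and NetworkPolicyPort constraints (except must fall within cidr; endPort needs a numeric port and must not be below it; protocol defaults to TCP) turned into validation plus a match function, as an added Go example rather than the platform's own implementation. Rejecting an except of a different address family and the 1-65535 port bound are assumptions of the example; named ports are not resolved, because that needs the target's port names; all addresses and ports are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
)

// IPBlock and NetworkPolicyPort mirror the API fields; Port carries the
// IntOrString as text: a number, a named port, or "" for all ports.
type IPBlock struct {
	CIDR   string
	Except []string
}

type NetworkPolicyPort struct {
	Protocol string // "" (treated as TCP), TCP, UDP or SCTP
	Port     string
	EndPort  *int32
}

// ValidateIPBlock enforces the documented rule that each except lies inside cidr;
// rejecting a different address family is an extra check assumed here.
func ValidateIPBlock(b IPBlock) error {
	base, err := netip.ParsePrefix(b.CIDR)
	if err != nil {
		return fmt.Errorf("cidr %q: %w", b.CIDR, err)
	}
	base = base.Masked()
	for _, e := range b.Except {
		p, err := netip.ParsePrefix(e)
		if err != nil {
			return fmt.Errorf("except %q: %w", e, err)
		}
		p = p.Masked()
		if p.Addr().Is4() != base.Addr().Is4() || p.Bits() < base.Bits() || !base.Contains(p.Addr()) {
			return fmt.Errorf("except %q is outside cidr %s", e, base)
		}
	}
	return nil
}

// ValidateNetworkPolicyPort applies the documented rules: protocol is TCP, UDP or
// SCTP; endPort needs a numeric port and must not be below it. 1-65535 is assumed.
func ValidateNetworkPolicyPort(p NetworkPolicyPort) error {
	if p.Protocol != "" && p.Protocol != "TCP" && p.Protocol != "UDP" && p.Protocol != "SCTP" {
		return fmt.Errorf("protocol %q: must be TCP, UDP or SCTP", p.Protocol)
	}
	if p.EndPort == nil {
		return nil
	}
	start, err := strconv.Atoi(p.Port) // "" and named ports both fail here
	if err != nil {
		return fmt.Errorf("endPort %d: port %q must be a numeric port", *p.EndPort, p.Port)
	}
	if end := int(*p.EndPort); start < 1 || end > 65535 || end < start {
		return fmt.Errorf("port range %d-%d is invalid", start, end)
	}
	return nil
}

// Allowed reports whether a packet from srcIP to dstPort over protocol is selected
// by one ipBlock peer plus one port entry. Named ports are not resolved here.
func Allowed(b IPBlock, pp NetworkPolicyPort, srcIP, protocol string, dstPort int) (bool, error) {
	if err := ValidateIPBlock(b); err != nil {
		return false, err
	}
	src, err := netip.ParseAddr(srcIP)
	if err != nil || !netip.MustParsePrefix(b.CIDR).Contains(src) {
		return false, err
	}
	for _, e := range b.Except {
		if netip.MustParsePrefix(e).Contains(src) {
			return false, nil // carved out by except
		}
	}
	if want := pp.Protocol; (want == "" && protocol != "TCP") || (want != "" && protocol != want) {
		return false, nil
	}
	if pp.Port == "" {
		return true, nil
	}
	start, err := strconv.Atoi(pp.Port)
	if err != nil {
		return false, nil // named port: cannot resolve without the target's port names
	}
	end := start
	if pp.EndPort != nil {
		end = int(*pp.EndPort)
	}
	return start <= dstPort && dstPort <= end, nil
}

func main() {
	end := int32(8443)
	block := IPBlock{CIDR: "10.0.0.0/8", Except: []string{"10.99.0.0/16"}}
	ok, err := Allowed(block, NetworkPolicyPort{Port: "8080", EndPort: &end}, "10.99.1.1", "TCP", 8080)
	fmt.Println("10.99.1.1 -> 8080/TCP allowed:", ok, err) // false: carved out by except
}
```

The except bound matters for least privilege: an except outside cidr is silently a no-op in a naive implementation, which is why the API rejects it rather than ignoring it.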
NetworkPolicySpec
Section titled “NetworkPolicySpec”NetworkPolicySpec defines the desired state of NetworkPolicy
Appears in:
NetworkPolicyStatus
Section titled “NetworkPolicyStatus”NetworkPolicyStatus defines the observed state of NetworkPolicy
Appears in:
NetworkRef
Section titled “NetworkRef”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
namespacestring | The network namespace. Defaults to the namespace for the type the reference is embedded in. | Optional: {} | |
namestring | The network name | Required: {} |
NetworkSpec
Section titled “NetworkSpec”NetworkSpec defines the desired state of a Network
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
ipamNetworkIPAM | IPAM settings for the network. | Required: {} | |
ipFamiliesIPFamily array | IP Families to permit on a network. Defaults to IPv4. | [IPv4] | Enum: [IPv4 IPv6] Optional: {} |
mtuinteger | Network MTU. May be between 1300 and 8856. | 1460 | Maximum: 8856 Minimum: 1300 Optional: {} |
NetworkStatus
Section titled “NetworkStatus”NetworkStatus defines the observed state of Network
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
conditionsCondition array | Represents the observations of a network’s current state. |
OWASPCRS
Section titled “OWASPCRS”OWASPCRS defines configuration options for the OWASP ModSecurity Core Rule Set (CRS).
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
paranoiaLevelsParanoiaLevels | ParanoiaLevels specifies the OWASP ModSecurity Core Rule Set (CRS) paranoia levels to use. | { } | |
scoreThresholdsOWASPScoreThresholds | ScoreThresholds specifies the OWASP ModSecurity Core Rule Set (CRS) score thresholds to block a request or response. See: https://coreruleset.org/docs/2-how-crs-works/2-1-anomaly_scoring/ | { } | |
ruleExclusionsOWASPRuleExclusions | RuleExclusions can be used to disable specific OWASP ModSecurity Rules. This allows operators to disable specific rules that may be causing false positives. | Optional: {} |
OWASPIDRange
Section titled “OWASPIDRange”Underlying type: string
OWASPIDRange is a range of OWASP ModSecurity Rule IDs.
Validation:
- MaxLength: 21
- Pattern:
^\d{1,10}-\d{1,10}$
Appears in:
OWASPRuleExclusions
Section titled “OWASPRuleExclusions”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
tagsOWASPTag array | Tags is a list of rule tags to disable. | MaxItems: 100 Pattern: ^[a-zA-Z0-9_\-/]+$ | |
idsinteger array | IDs is a list of specific rule IDs to disable | MaxItems: 100 | |
idRangesOWASPIDRange array | IDRanges is a list of specific rule ID ranges to disable. | MaxItems: 100 MaxLength: 21 Pattern: ^\d{1,10}-\d{1,10}$ |
OWASPScoreThresholds
Section titled “OWASPScoreThresholds”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
inboundinteger | Inbound is the score threshold for blocking inbound (request) traffic. | 5 | Maximum: 10000 Minimum: 1 |
outboundinteger | Outbound is the score threshold for blocking outbound (response) traffic. | 4 | Maximum: 10000 Minimum: 1 |
OWASPTag
Section titled “OWASPTag”Underlying type: string
Validation:
- Pattern:
^[a-zA-Z0-9_\-/]+$
Appears in:
ParanoiaLevels
Section titled “ParanoiaLevels”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
blockinginteger | Blocking specifies the paranoia level for blocking requests or responses. | 1 | Maximum: 4 Minimum: 1 |
detectioninteger | Detection specifies the paranoia level for detection only. This allows setting a higher paranoia level for detection while keeping blocking at a lower level. | 1 | Maximum: 4 Minimum: 1 |
RegistrarInfo
Section titled “RegistrarInfo”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
ianaIDstring | |||
namestring | |||
urlstring |
Registration
Section titled “Registration”Registration represents the registration information for a domain
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
domainstring | Identity & provenance | ||
registryDomainIDstring | |||
handlestring | |||
sourcestring | |||
registrarRegistrarInfo | |||
registryRegistryInfo | |||
createdAtTime | Lifecycle | ||
updatedAtTime | |||
expiresAtTime | |||
statusesstring array | Raw status strings, either RDAP status values (RFC 8056) or WHOIS EPP status codes | ||
dnssecDNSSECInfo | DNSSEC (from RDAP secureDNS, with WHOIS fallback when parsable) | ||
contactsContactSet | Contacts (minimal, non-PII summary if available) | ||
abuseAbuseContact | Abuse / support contacts (registrar/registry) | ||
nextRefreshAttemptTime | |||
lastRefreshAttemptTime |
RegistryInfo
Section titled “RegistryInfo”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
namestring | |||
urlstring |
Subnet
Section titled “Subnet”Subnet is the Schema for the subnets API
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | Subnet | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specSubnetSpec | |||
statusSubnetStatus | | conditions: Allocated, Programmed and Ready, each starting as status Unknown, reason Pending, message "Waiting for controller" | |
SubnetClaim
Section titled “SubnetClaim”SubnetClaim is the Schema for the subnetclaims API
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | SubnetClaim | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specSubnetClaimSpec | |||
statusSubnetClaimStatus | | conditions: Allocated, Programmed and Ready, each starting as status Unknown, reason Pending, message "Waiting for controller" | |
SubnetClaimList
Section titled “SubnetClaimList”SubnetClaimList contains a list of SubnetClaim
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | SubnetClaimList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsSubnetClaim array |
SubnetClaimSpec
Section titled “SubnetClaimSpec”SubnetClaimSpec defines the desired state of SubnetClaim
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
subnetClassstring | The class of subnet required | Required: {} | |
networkContextLocalNetworkContextRef | The network context to claim a subnet in | Required: {} | |
locationLocationReference | The location which a subnet claim is associated with | Required: {} | |
ipFamilyIPFamily | The IP family of a subnet claim | Enum: [IPv4 IPv6] Required: {} | |
startAddressstring | The start address of a subnet claim | Optional: {} | |
prefixLengthinteger | The prefix length of a subnet claim | Optional: {} |
SubnetClaimStatus
Section titled “SubnetClaimStatus”SubnetClaimStatus defines the observed state of SubnetClaim
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
subnetRefLocalSubnetReference | The subnet which has been claimed from | ||
startAddressstring | The start address of a subnet claim | ||
prefixLengthinteger | The prefix length of a subnet claim | ||
conditionsCondition array | Represents the observations of a subnet claim’s current state. |
SubnetList
Section titled “SubnetList”SubnetList contains a list of Subnet
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | SubnetList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsSubnet array |
SubnetSpec
Section titled “SubnetSpec”SubnetSpec defines the desired state of Subnet
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
subnetClassstring | The class of subnet | Required: {} | |
networkContextLocalNetworkContextRef | A subnet’s network context | Required: {} | |
locationLocationReference | The location which a subnet is associated with | Required: {} | |
ipFamilyIPFamily | The IP family of a subnet | Enum: [IPv4 IPv6] Required: {} | |
startAddressstring | The start address of a subnet | Required: {} | |
prefixLengthinteger | The prefix length of a subnet | Required: {} |
SubnetStatus
Section titled “SubnetStatus”SubnetStatus defines the observed state of a Subnet
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
startAddressstring | The start address of a subnet | ||
prefixLengthinteger | The prefix length of a subnet | ||
conditionsCondition array | Represents the observations of a subnet’s current state. |
TrafficProtectionPolicy
Section titled “TrafficProtectionPolicy”TrafficProtectionPolicy is the Schema for the trafficprotectionpolicies API.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | TrafficProtectionPolicy | ||
metadataObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
specTrafficProtectionPolicySpec | Required: {} | ||
statusTrafficProtectionPolicyStatus |
TrafficProtectionPolicyList
Section titled “TrafficProtectionPolicyList”TrafficProtectionPolicyList contains a list of TrafficProtectionPolicy.
| Field | Description | Default | Validation |
|---|---|---|---|
apiVersionstring | networking.datumapis.com/v1alpha | ||
kindstring | TrafficProtectionPolicyList | ||
metadataListMeta | Refer to Kubernetes API documentation for fields of metadata. | ||
itemsTrafficProtectionPolicy array |
TrafficProtectionPolicyMode
Section titled “TrafficProtectionPolicyMode”Underlying type: string
TrafficProtectionPolicyMode defines the mode of traffic protection to apply.
Validation:
- Enum: [Observe Enforce Disabled]
Appears in:
| Value | Description |
|---|---|
| Observe | Observe will log violations but not block traffic. |
| Enforce | Enforce will block traffic that violates the policy. |
| Disabled | Disabled will turn off traffic protection. |
TrafficProtectionPolicyRuleSet
Section titled “TrafficProtectionPolicyRuleSet”Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
typeTrafficProtectionPolicyRuleSetType | Type specifies the type of TrafficProtectionPolicy ruleset. | Enum: [OWASPCoreRuleSet] Required: {} | |
owaspCoreRuleSetOWASPCRS | OWASPCoreRuleSet defines configuration options for the OWASP ModSecurity Core Rule Set (CRS). | Optional: {} |
TrafficProtectionPolicyRuleSetType
Section titled “TrafficProtectionPolicyRuleSetType”Underlying type: string
TrafficProtectionPolicyRuleSetType identifies a type of TrafficProtectionPolicy ruleset.
Appears in:
| Value | Description |
|---|---|
| OWASPCoreRuleSet | |
TrafficProtectionPolicySpec
Section titled “TrafficProtectionPolicySpec”TrafficProtectionPolicySpec defines the desired state of TrafficProtectionPolicy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
targetRefsLocalPolicyTargetReferenceWithSectionName array | TargetRefs are the names of the Gateway resources this policy is being attached to. | MinItems: 1 Required: {} | |
modeTrafficProtectionPolicyMode | Mode specifies the mode of traffic protection to apply. If not specified, defaults to “Observe”. | Observe | Enum: [Observe Enforce Disabled] |
samplingPercentageinteger | SamplingPercentage controls the percentage of traffic that will be processed by the TrafficProtectionPolicy. | 100 | Maximum: 100 Minimum: 1 |
ruleSetsTrafficProtectionPolicyRuleSet array | RuleSets specifies the TrafficProtectionPolicy rulesets to apply. | [{type: OWASPCoreRuleSet, owaspCoreRuleSet: {}}] | MaxItems: 16 MinItems: 1 Required: {} |
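How ParanoiaLevels, OWASPScoreThresholds, OWASPRuleExclusions and TrafficProtectionPolicyMode combine into one decision, as an added Go example that is not part of this API reference or the Datum controllers. It follows the CRS anomaly-scoring model: rules above the detection paranoia level are not run; rules at or below the blocking level feed the score compared against the threshold; rules in between feed only a detection score that is reported but never blocks; excluded IDs contribute nothing; and mode decides whether a violation is acted on. The match list is constructed (the scores follow the CRS severity convention of 5/4/3/2), and samplingPercentage is not modelled.

```go
package main

import "fmt"

// Mode mirrors TrafficProtectionPolicyMode.
type Mode string

const (
	Observe  Mode = "Observe"
	Enforce  Mode = "Enforce"
	Disabled Mode = "Disabled"
)

// Policy holds the TrafficProtectionPolicySpec fields the decision depends on
// (samplingPercentage is not modelled in this example).
type Policy struct {
	Mode              Mode
	BlockingParanoia  int          // paranoiaLevels.blocking, 1-4, default 1
	DetectionParanoia int          // paranoiaLevels.detection, 1-4, default 1
	InboundThreshold  int          // scoreThresholds.inbound, default 5
	OutboundThreshold int          // scoreThresholds.outbound, default 4
	ExcludedIDs       map[int]bool // ruleExclusions.ids
}

// Match is one CRS rule that fired: its id, paranoia level and the anomaly
// score it adds (CRS severities: CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2).
type Match struct {
	ID, Paranoia, Score int
}

// Decision summarises what the WAF does with one request or response.
type Decision struct {
	BlockingScore  int  // sum over rules at or below the blocking paranoia level
	DetectionScore int  // sum over rules at or below the detection paranoia level
	Violation      bool // BlockingScore reached the threshold
	Blocked        bool // Violation acted on because the mode is Enforce
}

// Evaluate applies the CRS anomaly-scoring model: rules above the detection
// level are not run; rules between the blocking and detection levels only
// raise the detection score, which is reported but never blocks; excluded
// rule IDs contribute nothing; Disabled short-circuits everything.
func Evaluate(p Policy, inbound bool, matches []Match) Decision {
	var d Decision
	if p.Mode == Disabled {
		return d
	}
	threshold := p.InboundThreshold
	if !inbound {
		threshold = p.OutboundThreshold
	}
	for _, m := range matches {
		if p.ExcludedIDs[m.ID] || m.Paranoia > p.DetectionParanoia {
			continue
		}
		d.DetectionScore += m.Score
		if m.Paranoia <= p.BlockingParanoia {
			d.BlockingScore += m.Score
		}
	}
	d.Violation = d.BlockingScore >= threshold // CRS blocks at "greater or equal"
	d.Blocked = d.Violation && p.Mode == Enforce
	return d
}

func main() {
	// Constructed matches: a PL1 critical hit and a PL2 notice-level hit.
	matches := []Match{{ID: 942100, Paranoia: 1, Score: 5}, {ID: 920300, Paranoia: 2, Score: 2}}
	p := Policy{Mode: Observe, BlockingParanoia: 1, DetectionParanoia: 2, InboundThreshold: 5, OutboundThreshold: 4}
	fmt.Printf("observe: %+v\n", Evaluate(p, true, matches))
	p.Mode = Enforce
	fmt.Printf("enforce: %+v\n", Evaluate(p, true, matches))
	p.ExcludedIDs = map[int]bool{942100: true}
	fmt.Printf("enforce with 942100 excluded: %+v\n", Evaluate(p, true, matches))
}
```

The usual rollout is the one the defaults encode: start in Observe with blocking at PL1 and detection one level higher, read the detection-only hits to find false positives, add exclusions for those, and only then switch to Enforce or raise the blocking level. An exclusion removes the rule from both scores, so each one is a permanent blind spot and should be as narrow as the API allows (an id rather than a tag).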
TrafficProtectionPolicyStatus
Section titled “TrafficProtectionPolicyStatus”TrafficProtectionPolicyStatus defines the observed state of TrafficProtectionPolicy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
ancestorsPolicyAncestorStatus array | Ancestors is a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy with respect to each ancestor. When this policy attaches to a parent, the controller that manages the parent and the ancestors MUST add an entry to this list when the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced here. For example, if this list was full on BackendTLSPolicy, no additional Gateways would be able to reference the Service targeted by the BackendTLSPolicy. | MaxItems: 16 |
notification.miloapis.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the email v1alpha1 API group.
Resource Types
- Contact
- ContactGroup
- ContactGroupList
- ContactGroupMembership
- ContactGroupMembershipList
- ContactGroupMembershipRemoval
- ContactGroupMembershipRemovalList
- ContactList
- Email
- EmailBroadcast
- EmailBroadcastList
- EmailList
- EmailTemplate
- EmailTemplateList
Contact
Contact is the Schema for the contacts API. It represents a contact for a user.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `Contact` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` ContactSpec | | | Type: object |
| `status` ContactStatus | | | |
ContactGroup
ContactGroup is the Schema for the contactgroups API. It represents a logical grouping of Contacts.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `ContactGroup` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` ContactGroupSpec | | | Type: object |
| `status` ContactGroupStatus | | | |
ContactGroupList
ContactGroupList contains a list of ContactGroup.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `ContactGroupList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` ContactGroup array | | | |
ContactGroupMembership
ContactGroupMembership is the Schema for the contactgroupmemberships API. It represents a membership of a Contact in a ContactGroup.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `ContactGroupMembership` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` ContactGroupMembershipSpec | | | Type: object |
| `status` ContactGroupMembershipStatus | | | |
ContactGroupMembershipList
ContactGroupMembershipList contains a list of ContactGroupMembership.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `ContactGroupMembershipList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` ContactGroupMembership array | | | |
ContactGroupMembershipRemoval
ContactGroupMembershipRemoval is the Schema for the contactgroupmembershipremovals API. It represents the removal of a Contact from a ContactGroup; it also prevents the Contact from being added to that ContactGroup again.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `ContactGroupMembershipRemoval` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` ContactGroupMembershipRemovalSpec | | | |
| `status` ContactGroupMembershipRemovalStatus | | | |
ContactGroupMembershipRemovalList
ContactGroupMembershipRemovalList contains a list of ContactGroupMembershipRemoval.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `ContactGroupMembershipRemovalList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` ContactGroupMembershipRemoval array | | | Type: object |
ContactGroupMembershipRemovalSpec
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `contactRef` ContactReference | ContactRef is a reference to the Contact that is removed from, and kept out of, the ContactGroup. | | Required: {} |
| `contactGroupRef` ContactGroupReference | ContactGroupRef is a reference to the ContactGroup that the Contact does not want to be a member of. | | Required: {} |
ContactGroupMembershipRemovalStatus
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` Condition array | Conditions represent the latest available observations of an object’s current state. The standard condition is “Ready”, which tracks contact group membership removal creation status. | [{lastTransitionTime: 1970-01-01T00:00:00Z, message: "Waiting for contact group membership removal to be created", reason: CreatePending, status: Unknown, type: Ready}] | Optional: {} |
| `username` string | Username is the username of the user that owns the ContactGroupMembershipRemoval. It is populated by the controller from the referenced Contact’s subject. | | |
ContactGroupMembershipSpec
ContactGroupMembershipSpec defines the desired state of ContactGroupMembership.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `contactRef` ContactReference | ContactRef is a reference to the Contact that is a member of the ContactGroup. | | Required: {} |
| `contactGroupRef` ContactGroupReference | ContactGroupRef is a reference to the ContactGroup that the Contact is a member of. | | Required: {} |
ContactGroupMembershipStatus
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` Condition array | Conditions represent the latest available observations of an object’s current state. The standard condition is “Ready”, which tracks contact group membership creation status and sync to the contact group membership provider. | [{lastTransitionTime: 1970-01-01T00:00:00Z, message: "Waiting for contact group membership to be created", reason: CreatePending, status: Unknown, type: Ready}] | Optional: {} |
| `providers` ContactProviderStatus array | Providers contains the per-provider status for this contact group membership. This enables tracking multiple provider backends simultaneously. | | Optional: {} |
| `providerID` string | ProviderID is the identifier returned by the underlying contact provider (e.g. Resend) when the membership is created in the associated audience. It is usually used to track the contact-group membership creation status (e.g. via provider webhooks). Deprecated: use Providers instead. | | |
| `username` string | Username is the username of the user that owns the ContactGroupMembership. It is populated by the controller from the referenced Contact’s subject. | | |
ContactGroupProviderSpec
ContactGroupProviderSpec defines the desired state of a contact group in a specific provider.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | Name is the provider handling this contact group. The only allowed value is Loops. | | Enum: [Loops] |
| `id` string | ID is the identifier of the contact group in the external provider. It is used when a provider does not expose an API for creating mailing lists, so an existing ContactList ID must be provided for synchronization (e.g. Loops). If not provided, a new group is created where the provider supports it. | | Required: {} |
ContactGroupReference
ContactGroupReference contains information that points to the ContactGroup being referenced.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | Name is the name of the ContactGroup being referenced. | | Required: {} |
| `namespace` string | Namespace is the namespace of the ContactGroup being referenced. | | Required: {} |
ContactGroupSpec
ContactGroupSpec defines the desired state of ContactGroup.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `displayName` string | DisplayName is the display name of the contact group. | | Required: {} |
| `visibility` ContactGroupVisibility | Visibility determines whether members are allowed to opt in to or opt out of the contact group. • “public” – members may leave via ContactGroupMembershipRemoval. • “private” – membership is enforced; opt-out requests are rejected. | | Enum: [public private] Required: {} |
| `providers` ContactGroupProviderSpec array | Providers defines the providers this group should be synced to. | | MaxItems: 1 |
ContactGroupStatus
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` Condition array | Conditions represent the latest available observations of an object’s current state. The standard condition is “Ready”, which tracks contact group creation status and sync to the contact group provider. | [{lastTransitionTime: 1970-01-01T00:00:00Z, message: "Waiting for contact group to be created", reason: CreatePending, status: Unknown, type: Ready}] | Optional: {} |
| `providers` ContactProviderStatus array | Providers contains the per-provider status for this contact group. This enables tracking multiple provider backends simultaneously. | | Optional: {} |
| `providerID` string | ProviderID is the identifier returned by the underlying contact group provider (e.g. Resend) when the contact group is created. It is usually used to track the contact group creation status (e.g. via provider webhooks). Deprecated: use Providers instead. | | |
ContactGroupVisibility
Underlying type: string
ContactGroupVisibility declares whether a group is open for opt-out.
Appears in:
| Field | Description |
|---|---|
| public | |
| private | |
ContactList
ContactList contains a list of Contact.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `ContactList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` Contact array | | | |
ContactProviderStatus
ContactProviderStatus represents status information for a single contact provider. It allows tracking the provider name and the provider-specific identifier.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | Name is the provider handling this contact. Allowed values are Resend and Loops. | | Enum: [Resend Loops] |
| `id` string | ID is the identifier returned by the specific contact provider for this contact. | | Required: {} |
ContactReference
ContactReference contains information that points to the Contact being referenced.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | Name is the name of the Contact being referenced. | | Required: {} |
| `namespace` string | Namespace is the namespace of the Contact being referenced. | | Required: {} |
ContactSpec
ContactSpec defines the desired state of Contact.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `subject` SubjectReference | Subject is a reference to the subject of the contact. | | Optional: {} Type: object |
| `familyName` string | | | Optional: {} |
| `givenName` string | | | Optional: {} |
| `email` string | | | Required: {} |
ContactStatus
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` Condition array | Conditions represent the latest available observations of an object’s current state. The standard condition is “Ready”, which tracks contact creation status and sync to the contact provider. | [{lastTransitionTime: 1970-01-01T00:00:00Z, message: "Waiting for contact to be created", reason: CreatePending, status: Unknown, type: Ready}] | Optional: {} |
| `providers` ContactProviderStatus array | Providers contains the per-provider status for this contact. This enables tracking multiple provider backends simultaneously. | | Optional: {} |
| `providerID` string | ProviderID is the identifier returned by the underlying contact provider (e.g. Resend) when the contact is created. It is usually used to track the contact creation status (e.g. via provider webhooks). Deprecated: use Providers instead. | | |
Email
Email is the Schema for the emails API. It represents a concrete e-mail that should be sent to the referenced users. For idempotency purposes, controllers can use metadata.uid as a unique identifier to prevent duplicate email delivery, since it is guaranteed to be unique per resource instance.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `Email` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` EmailSpec | | | Type: object |
| `status` EmailStatus | | | Type: object |
EmailBroadcast
EmailBroadcast is the Schema for the emailbroadcasts API. It represents a broadcast of an email to a set of contacts (a ContactGroup). If the broadcast needs to be updated, delete and recreate the resource.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `EmailBroadcast` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` EmailBroadcastSpec | | | Type: object |
| `status` EmailBroadcastStatus | | | |
EmailBroadcastList
EmailBroadcastList contains a list of EmailBroadcast.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `EmailBroadcastList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` EmailBroadcast array | | | |
EmailBroadcastSpec
EmailBroadcastSpec defines the desired state of EmailBroadcast.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `displayName` string | DisplayName is the display name of the email broadcast. | | Optional: {} |
| `contactGroupRef` ContactGroupReference | ContactGroupRef is a reference to the ContactGroup that the email broadcast is for. | | Required: {} |
| `templateRef` TemplateReference | TemplateRef references the EmailTemplate used to render the broadcast message. When using the Resend provider you can include the following placeholders in HTMLBody or TextBody; the provider substitutes them at send time: {{{FIRST_NAME}}} {{{LAST_NAME}}} {{{EMAIL}}} | | Required: {} Type: object |
| `scheduledAt` Time | ScheduledAt optionally specifies the time at which the broadcast should be executed. If omitted, the message is sent as soon as the controller reconciles the resource. Example: “2024-08-05T11:52:01.858Z” | | Optional: {} |
EmailBroadcastStatus
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` Condition array | Conditions represent the latest available observations of an object’s current state. The standard condition is “Ready”, which tracks email broadcast status and sync to the email broadcast provider. | [{lastTransitionTime: 1970-01-01T00:00:00Z, message: "Waiting for email broadcast to be created", reason: CreatePending, status: Unknown, type: Ready}] | Optional: {} |
| `providerID` string | ProviderID is the identifier returned by the underlying email broadcast provider (e.g. Resend) when the email broadcast is created. It is usually used to track the email broadcast creation status (e.g. via provider webhooks). | | |
EmailList
EmailList contains a list of Email.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `EmailList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` Email array | | | |
EmailPriority
Underlying type: string
EmailPriority defines the priority for sending an Email.
Validation:
- Enum: [low normal high]
Appears in:
| Field | Description |
|---|---|
| low | |
| normal | |
| high | |
EmailRecipient
EmailRecipient contains information about the recipient of the email.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `userRef` EmailUserReference | UserRef references the User resource that will receive the message. It is mutually exclusive with EmailAddress: exactly one of them must be specified. | | Optional: {} Type: object |
| `emailAddress` string | EmailAddress allows specifying a literal e-mail address for the recipient instead of referencing a User resource. It is mutually exclusive with UserRef: exactly one of them must be specified. | | Optional: {} |
EmailSpec
EmailSpec defines the desired state of Email. It references a template, recipients, and any variables required to render the final message.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `templateRef` TemplateReference | TemplateRef references the EmailTemplate that should be rendered. | | Required: {} Type: object |
| `recipient` EmailRecipient | Recipient contains the recipient of the email. | | Required: {} Type: object |
| `cc` string array | CC contains additional e-mail addresses that will receive a carbon copy of the message. Maximum 10 addresses. | | MaxItems: 10 Optional: {} |
| `bcc` string array | BCC contains e-mail addresses that will receive a blind carbon copy of the message. Maximum 10 addresses. | | MaxItems: 10 Optional: {} |
| `variables` EmailVariable array | Variables supplies the values that will be substituted in the template. | | Optional: {} Type: object |
| `priority` EmailPriority | Priority influences the order in which pending e-mails are processed. | normal | Enum: [low normal high] Optional: {} |
EmailStatus
EmailStatus captures the observed state of an Email. It uses standard Kubernetes conditions to track both processing and delivery state.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` Condition array | Conditions represent the latest available observations of an object’s current state. The standard condition is “Delivered”, which tracks email delivery status. | [{lastTransitionTime: 1970-01-01T00:00:00Z, message: "Waiting for email delivery", reason: DeliveryPending, status: Unknown, type: Delivered}] | Optional: {} |
| `providerID` string | ProviderID is the identifier returned by the underlying email provider (e.g. Resend) when the e-mail is accepted for delivery. It is usually used to track the email delivery status (e.g. via provider webhooks). | | |
| `htmlBody` string | HTMLBody stores the rendered HTML content of the e-mail. | | |
| `textBody` string | TextBody stores the rendered plain-text content of the e-mail. | | |
| `subject` string | Subject stores the subject line used for the e-mail. | | |
| `emailAddress` string | EmailAddress stores the final recipient address used for delivery, after resolving any referenced User. | | |
EmailTemplate
EmailTemplate is the Schema for the email templates API. It represents a reusable e-mail template that can be rendered by substituting the declared variables.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `EmailTemplate` | | |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `spec` EmailTemplateSpec | | | |
| `status` EmailTemplateStatus | | | |
EmailTemplateList
EmailTemplateList contains a list of EmailTemplate.
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiVersion` string | `notification.miloapis.com/v1alpha1` | | |
| `kind` string | `EmailTemplateList` | | |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. | | |
| `items` EmailTemplate array | | | |
EmailTemplateSpec
EmailTemplateSpec defines the desired state of EmailTemplate. It contains the subject, content, and declared variables.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `subject` string | Subject is the string that composes the email subject line. | | Required: {} |
| `htmlBody` string | HTMLBody is the string for the HTML representation of the message. | | Required: {} |
| `textBody` string | TextBody is the Go template string for the plain-text representation of the message. | | Required: {} |
| `variables` TemplateVariable array | Variables enumerates all variables that can be referenced inside the template expressions. | | MaxItems: 100 Optional: {} Type: object |
EmailTemplateStatus
EmailTemplateStatus captures the observed state of an EmailTemplate. Right now we only expose standard Kubernetes conditions so callers can determine whether the template is ready for use.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `conditions` Condition array | Conditions represent the latest available observations of an object’s current state. | [{lastTransitionTime: 1970-01-01T00:00:00Z, message: "Waiting for control plane to reconcile", reason: Unknown, status: Unknown, type: Ready}] | Optional: {} |
EmailTemplateVariableType
Underlying type: string
EmailTemplateVariableType defines the set of supported variable kinds.
Validation:
- Enum: [string url]
Appears in:
| Field | Description |
|---|---|
| string | |
| url | |
EmailUserReference
EmailUserReference contains information about the recipient User resource. Users are cluster-scoped resources, hence Namespace is not included.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | Name contains the name of the User resource that will receive the email. | | Required: {} |
EmailVariable
EmailVariable represents a name/value pair that will be injected into the template.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | Name of the variable as declared in the associated EmailTemplate. | | Required: {} |
| `value` string | Value provided for this variable. | | Required: {} |
SubjectReference
SubjectReference is a reference to the subject of the contact.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `apiGroup` string | APIGroup is the group for the resource being referenced. | | Enum: [iam.miloapis.com] Required: {} |
| `kind` string | Kind is the type of resource being referenced. | | Enum: [User] Required: {} |
| `name` string | Name is the name of the resource being referenced. | | Required: {} |
| `namespace` string | Namespace is the namespace of the resource being referenced. Required for namespace-scoped resources; omitted for cluster-scoped resources. | | Optional: {} |
TemplateReference
TemplateReference contains information that points to the EmailTemplate being used. EmailTemplate is a cluster-scoped resource, so Namespace is not required.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | Name is the name of the EmailTemplate being referenced. | | Required: {} |
TemplateVariable
TemplateVariable declares a variable that can be referenced in the template body or subject. Each variable must be listed here so that callers know which parameters are expected.
Validation:
- Type: object
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `name` string | Name is the identifier of the variable as it appears inside the Go template (e.g. {{.UserName}}). | | Required: {} |
| `required` boolean | Required indicates whether the variable must be provided when rendering the template. | | Required: {} |
| `type` EmailTemplateVariableType | Type provides a hint about the expected value of this variable (e.g. plain string or URL). | | Enum: [string url] Required: {} |
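To show how the TemplateVariable declarations (name, required, type) and the EmailVariable values supplied on an Email fit together, here is an added Go example that is not the project's own code: it checks the supplied variables against the declarations and then renders the subject, TextBody and HTMLBody. It assumes HTMLBody is a Go template like TextBody and that the HTML body is executed with html/template (the page does not name the rendering engine); the type names mirror this page but are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"io"
	"net/url"
	texttemplate "text/template"
)

// Constructed mirrors of TemplateVariable, EmailTemplateSpec and EmailVariable on this page (not the project's types).
type TemplateVariable struct {
	Name     string
	Required bool
	Type     string // EmailTemplateVariableType: "string" or "url"
}
type EmailTemplateSpec struct {
	Subject, HTMLBody, TextBody string
	Variables                   []TemplateVariable
}
type EmailVariable struct{ Name, Value string }
type Rendered struct{ Subject, HTMLBody, TextBody string }

// executor is satisfied by both *text/template.Template and *html/template.Template.
type executor interface{ Execute(io.Writer, any) error }

// BuildData checks the supplied EmailVariables against the declared TemplateVariables: undeclared
// names are rejected, Required names must be present, and "url" values must be absolute http(s) URLs.
func BuildData(spec EmailTemplateSpec, vars []EmailVariable) (map[string]string, error) {
	declared := make(map[string]TemplateVariable, len(spec.Variables))
	for _, d := range spec.Variables {
		declared[d.Name] = d
	}
	data := make(map[string]string, len(vars))
	for _, v := range vars {
		d, ok := declared[v.Name]
		if !ok {
			return nil, fmt.Errorf("variable %q is not declared by the EmailTemplate", v.Name)
		}
		if d.Type == "url" {
			u, err := url.Parse(v.Value)
			if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
				return nil, fmt.Errorf("variable %q must be an absolute http(s) URL", v.Name)
			}
		}
		data[v.Name] = v.Value
	}
	for _, d := range spec.Variables {
		if _, ok := data[d.Name]; d.Required && !ok {
			return nil, fmt.Errorf("required variable %q was not supplied", d.Name)
		}
	}
	return data, nil
}

// Render executes Subject and TextBody with text/template and HTMLBody with html/template, so each value
// is escaped for the HTML context it lands in (text, attribute, URL); missingkey=error makes undeclared references fail.
func Render(spec EmailTemplateSpec, vars []EmailVariable) (Rendered, error) {
	data, err := BuildData(spec, vars)
	if err != nil {
		return Rendered{}, err
	}
	var r Rendered
	for _, p := range []struct{ dst *string; src string; html bool }{
		{&r.Subject, spec.Subject, false}, {&r.TextBody, spec.TextBody, false}, {&r.HTMLBody, spec.HTMLBody, true},
	} {
		var t executor
		if p.html {
			t, err = htmltemplate.New("t").Option("missingkey=error").Parse(p.src)
		} else {
			t, err = texttemplate.New("t").Option("missingkey=error").Parse(p.src)
		}
		if err != nil {
			return Rendered{}, err
		}
		var buf bytes.Buffer
		if err = t.Execute(&buf, data); err != nil {
			return Rendered{}, err
		}
		*p.dst = buf.String()
	}
	return r, nil
}

// SampleTemplate is a constructed password-reset template declaring one "string" and one "url" variable.
func SampleTemplate() EmailTemplateSpec {
	return EmailTemplateSpec{
		Subject:   "Reset your password, {{.UserName}}",
		HTMLBody:  `<p>Hi {{.UserName}},</p><p><a href="{{.ResetURL}}">Reset password</a></p>`,
		TextBody:  "Hi {{.UserName}},\nReset your password here: {{.ResetURL}}\n",
		Variables: []TemplateVariable{{Name: "UserName", Required: true, Type: "string"}, {Name: "ResetURL", Required: true, Type: "url"}},
	}
}

func main() {
	vars := []EmailVariable{{Name: "UserName", Value: "<b>Mallory</b>"}, {Name: "ResetURL", Value: "https://app.example.test/reset?token=abc123"}}
	r, err := Render(SampleTemplate(), vars)
	fmt.Printf("%+v err=%v\n", r, err)
}
```

The same UserName value comes out escaped in the HTML body but verbatim in the subject and text body, which is why a "url" variable is validated before rendering rather than trusted to the template.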
quota.miloapis.com/v1alpha1
Package v1alpha1 contains API schema definitions for the quota.miloapis.com group.
Quota System Overview
The quota system enables platform administrators to control resource consumption through real-time enforcement and automated policy execution. The system tracks resource usage, allocates capacity to consumers, and prevents resource creation when limits are exceeded.
Core Resource Types
The quota system uses four core types that manage resource tracking and allocation:
ResourceRegistration: Registers a resource type for quota tracking. Platform administrators create registrations to define measurement units, display formats, and specify which resources can consume the tracked resource type. For example, registering “Projects per Organization” allows the system to track Project creation within Organizations.
ResourceGrant: Allocates quota capacity to a specific consumer. Grants provide concrete allowances (for example, “100 Projects”) to consumers like Organizations. Multiple grants for the same consumer and resource type combine to determine total capacity. Administrators create grants manually or automate them using GrantCreationPolicy.
ResourceClaim: Requests quota during resource creation. Claims consume allocated capacity when resources are created. The system evaluates each claim against available quota and either grants or denies the request. ClaimCreationPolicy typically creates claims automatically during admission.
AllowanceBucket: Aggregates quota limits and usage for decision-making. The system creates one bucket per consumer-resource type combination. Buckets combine capacity from all active ResourceGrants and track consumption from all granted ResourceClaims to calculate real-time availability for admission decisions.
Policy Automation Types
Two policy types automate quota management based on resource lifecycle events:
GrantCreationPolicy: Creates ResourceGrants when conditions are met. Policies watch for resource changes and automatically provision quota capacity. For example, automatically grant “100 Projects” when a new Organization is created. Supports cross-cluster allocation and CEL expression-based conditions.
ClaimCreationPolicy: Creates ResourceClaims during admission. Policies intercept resource creation requests and generate quota claims for evaluation. For example, create a “1 Project” claim when a Project resource is created. Uses CEL expressions for dynamic claim content and trigger conditions.
How the System Works
The quota system follows this workflow:
- Registration: Administrators register resource types that require quota tracking.
- Allocation: ResourceGrants provide quota capacity to consumers.
- Aggregation: AllowanceBuckets combine grants and track usage for each consumer-resource pair.
- Enforcement: ResourceClaims request quota during admission; the system grants or denies based on bucket availability.
- Monitoring: Bucket status provides real-time quota usage visibility.
Policy Automation Workflow
Policies automate the allocation and enforcement steps:
- Grant Policies: Monitor resource changes and create grants when conditions match.
- Claim Policies: Intercept admission requests and create claims for quota enforcement.
- Evaluation: The system processes claims against bucket capacity in real time.
Status and Conditions
All resource types use standard Kubernetes status conditions to communicate state:
- Active/Ready conditions: Indicate when resources are operational and contributing to quota decisions.
- Validation conditions: Report configuration errors and resolution guidance.
- ObservedGeneration: Tracks which specification version the system has processed.
The system updates status conditions to reflect current state and provide troubleshooting information when problems occur.
Resource Types
- AllowanceBucket
- AllowanceBucketList
- ClaimCreationPolicy
- ClaimCreationPolicyList
- GrantCreationPolicy
- GrantCreationPolicyList
- ResourceClaim
- ResourceClaimList
- ResourceGrant
- ResourceGrantList
- ResourceRegistration
- ResourceRegistrationList
Allowance
Allowance defines quota allocation for a specific resource type within a ResourceGrant. Each allowance can contain multiple buckets that sum to provide total capacity.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| `resourceType` string | ResourceType identifies the specific resource type receiving quota allocation. Must exactly match a ResourceRegistration.spec.resourceType that is currently active. The quota system validates this reference when processing the grant. The identifier format is flexible, as defined by platform administrators in their ResourceRegistrations. Examples: “resourcemanager.miloapis.com/projects”, “compute_cpu”, “storage.volumes”, “custom-service-quota”. | | Required: {} |
| `buckets` Bucket array | Buckets contains the quota allocations for this resource type. All bucket amounts are summed to determine the total allowance. Minimum 1 bucket required per allowance. Multiple buckets can be used for: separating quota from different sources or tiers; managing incremental quota increases over time; tracking quota attribution for billing or reporting. | | MinItems: 1 Required: {} |
AllowanceBucket
Section titled “AllowanceBucket”AllowanceBucket aggregates quota limits and usage for a single (consumer, resourceType) combination. The system automatically creates buckets to provide real-time quota availability information for ResourceClaim evaluation during admission.
How It Works
Section titled “How It Works”- Auto-Creation: Quota system creates buckets automatically for each unique (consumer, resourceType) pair found in active ResourceGrants
- Aggregation: Quota system continuously aggregates capacity from active ResourceGrants and consumption from granted ResourceClaims
- Decision Support: Quota system uses bucket
status.availableto determine if ResourceClaims can be granted - Updates: Quota system updates bucket status whenever contributing grants or claims change
Aggregation Logic
Section titled “Aggregation Logic”AllowanceBuckets serve as the central aggregation point where quota capacity meets quota consumption. The quota system continuously scans for ResourceGrants that match both the bucket’s consumer and resource type, but only considers grants with an Active status condition. For each qualifying grant, the quota system examines all allowances targeting the bucket’s resource type and sums the amounts from every bucket within those allowances. This sum becomes the bucket’s limit - the total quota capacity available to the consumer for that specific resource type.
Simultaneously, the quota system tracks quota consumption by finding all ResourceClaims with matching consumer and resource type specifications. However, only claims that have been successfully granted contribute to the allocated total. The quota system sums the allocated amounts from all granted requests, creating a running total of consumed quota capacity.
The available quota emerges from this simple relationship: Available = Limit - Allocated. The system ensures this value never goes negative, treating any calculated negative as zero. This available amount represents the quota capacity remaining for new ResourceClaims and drives real-time admission decisions throughout the cluster.
Real-Time Admission Decisions
When a ResourceClaim is created:
- Quota system identifies the relevant bucket (matching consumer and resource type)
- Compares requested amount with bucket’s status.available
- Grants claim if requested amount <= available capacity
- Denies claim if requested amount > available capacity
- Updates bucket status to reflect the new allocation (if granted)
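The aggregation and admission rules above, as an added Go example that is not part of the Milo project’s code: Grant and Claim are reduced stand-ins for ResourceGrant and ResourceClaim (the real objects carry far more), and Aggregate and Admit implement the Active/Granted filtering, the zero clamp and the requested <= available rule exactly as described.

```go
package main

import "fmt"

// Grant stands in for a ResourceGrant: Active mirrors status.conditions[type=Active],
// Allowances maps a resourceType to the bucket amounts of the allowance targeting it.
type Grant struct {
	Name       string
	Consumer   string
	Generation int64
	Active     bool
	Allowances map[string][]int64
}

// Claim stands in for a ResourceClaim: Granted mirrors status.conditions[type=Granted],
// Requests maps a resourceType to the amount allocated by the matching request.
type Claim struct {
	Name     string
	Consumer string
	Granted  bool
	Requests map[string]int64
}

// ContributingGrantRef and BucketStatus mirror the AllowanceBucketStatus fields.
type ContributingGrantRef struct {
	Name                   string
	LastObservedGeneration int64
	Amount                 int64
}

type BucketStatus struct {
	Limit, Allocated, Available int64
	ClaimCount, GrantCount      int
	ContributingGrantRefs       []ContributingGrantRef
}

// Aggregate recomputes the (consumer, resourceType) bucket from scratch: Limit sums
// the bucket amounts of Active grants, Allocated sums the allocations of Granted
// claims, and Available = Limit - Allocated, never below zero.
func Aggregate(consumer, resourceType string, grants []Grant, claims []Claim) BucketStatus {
	var st BucketStatus
	for _, g := range grants {
		amounts, ok := g.Allowances[resourceType]
		if g.Consumer != consumer || !g.Active || !ok {
			continue // pending or failed grants never add capacity
		}
		var sum int64
		for _, a := range amounts {
			sum += a
		}
		st.Limit += sum
		st.GrantCount++
		st.ContributingGrantRefs = append(st.ContributingGrantRefs,
			ContributingGrantRef{Name: g.Name, LastObservedGeneration: g.Generation, Amount: sum})
	}
	for _, c := range claims {
		amt, ok := c.Requests[resourceType]
		if c.Consumer != consumer || !c.Granted || !ok {
			continue // denied or pending claims consume nothing
		}
		st.Allocated += amt
		st.ClaimCount++
	}
	st.Available = st.Limit - st.Allocated
	if st.Available < 0 {
		st.Available = 0 // e.g. a grant was withdrawn after claims were granted
	}
	return st
}

// Admit applies the admission rule for one new claim: granted iff requested <= Available,
// and on grant the status reflects the new allocation. Concurrent claims race for the
// same headroom, so the first one processed wins.
func Admit(st BucketStatus, requested int64) (BucketStatus, bool) {
	if requested > st.Available {
		return st, false
	}
	st.Allocated += requested
	st.Available = st.Limit - st.Allocated
	st.ClaimCount++
	return st, true
}

func main() {
	const rt = "resourcemanager.miloapis.com/projects"
	// Constructed sample: an active and a pending grant, a granted and a denied claim.
	grants := []Grant{
		{Name: "acme-base", Consumer: "acme-corp", Generation: 2, Active: true, Allowances: map[string][]int64{rt: {5, 5}}},
		{Name: "acme-pending", Consumer: "acme-corp", Active: false, Allowances: map[string][]int64{rt: {100}}},
	}
	claims := []Claim{
		{Name: "web-app-claim", Consumer: "acme-corp", Granted: true, Requests: map[string]int64{rt: 3}},
		{Name: "denied-claim", Consumer: "acme-corp", Granted: false, Requests: map[string]int64{rt: 50}},
	}
	st := Aggregate("acme-corp", rt, grants, claims)
	fmt.Printf("limit=%d allocated=%d available=%d\n", st.Limit, st.Allocated, st.Available)
	_, ok := Admit(st, 8)
	fmt.Println("claim for 8 granted:", ok) // false: only 7 available
}
```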
Bucket Lifecycle
- Auto-Created: When first ResourceGrant creates allowance for (consumer, resourceType)
- Active: Continuously aggregated while ResourceGrants or ResourceClaims exist
- Updated: Status refreshed whenever contributing resources change
- Persistent: Buckets remain even when limit drops to 0 (for monitoring)
Consistency and Performance
Eventual Consistency:
- Status may lag briefly after ResourceGrant or ResourceClaim changes
- Controller processes updates asynchronously for performance
- LastReconciliation timestamp indicates data freshness
Scale Optimization:
- Stores aggregates (limit, allocated, available) rather than individual entries
- ContributingGrantRefs tracks grants (few) but not claims (many)
- Single bucket per (consumer, resourceType) regardless of claim count
Status Information
- Limit: Total quota capacity from all contributing ResourceGrants
- Allocated: Total quota consumed by all granted ResourceClaims
- Available: Remaining quota capacity (Limit - Allocated)
- ClaimCount: Number of granted claims consuming from this bucket
- GrantCount: Number of active grants contributing to this bucket
- ContributingGrantRefs: Detailed information about contributing grants
Monitoring and Troubleshooting
Quota Monitoring:
- Monitor status.available to track quota usage trends
- Check status.allocated vs status.limit for utilization ratios
- Use status.claimCount to understand resource creation patterns
Troubleshooting Issues: When investigating quota problems, start with the bucket’s limit value. A limit of zero typically indicates that no ResourceGrants are contributing capacity for this consumer and resource type combination. Verify that ResourceGrants exist with matching consumer and resource type specifications, and confirm their status conditions show Active=True. Grants with validation failures or pending states won’t contribute to bucket limits.
High allocation values relative to limits suggest quota consumption issues. Review the ResourceClaims that match this bucket’s consumer and resource type to identify which resources are consuming large amounts of quota. Check the claim allocation details to understand consumption patterns and identify potential quota leaks where claims aren’t being cleaned up properly.
Stale bucket data manifests as allocation or limit values that don’t reflect recent changes to grants or claims. Check the lastReconciliation timestamp to determine data freshness, then examine quota system logs for aggregation errors or performance issues. The quota system should process changes within seconds under normal conditions.
System Architecture
- Single Writer: Only the quota system updates bucket status (prevents races)
- Dedicated Processing: Separate components focus solely on bucket aggregation
- Event-Driven: Responds to ResourceGrant and ResourceClaim changes
- Efficient Queries: Uses indexes and field selectors for fast aggregation
Selectors and Filtering
- Field selectors: spec.consumerRef.kind, spec.consumerRef.name, spec.resourceType
- System labels (set automatically by quota system):
- quota.miloapis.com/consumer-kind: Organization
- quota.miloapis.com/consumer-name: acme-corp
Common Queries
- All buckets for a consumer: label selector quota.miloapis.com/consumer-kind + quota.miloapis.com/consumer-name
- All buckets for a resource type: field selector spec.resourceType=<value>
- Specific bucket: field selector spec.consumerRef.name + spec.resourceType
- Overutilized buckets: filter by status.available < threshold
- Empty buckets: filter by status.limit = 0
Performance Considerations
- Bucket status updates are asynchronous and may lag resource changes
- Large numbers of ResourceClaims can impact aggregation performance
- Controller uses efficient aggregation queries to handle scale
- Status updates are batched to reduce API server load
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | AllowanceBucket | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (AllowanceBucketSpec) | | | Required: {} |
| status (AllowanceBucketStatus) | | | |
AllowanceBucketList
AllowanceBucketList contains a list of AllowanceBucket.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | AllowanceBucketList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (AllowanceBucket array) | | | |
AllowanceBucketSpec
AllowanceBucketSpec defines the desired state of AllowanceBucket. The system automatically creates buckets for each unique (consumer, resourceType) combination found in active ResourceGrants.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| consumerRef (ConsumerRef) | ConsumerRef identifies the quota consumer tracked by this bucket. Must match the ConsumerRef from ResourceGrants that contribute to this bucket. Only one bucket exists per unique (ConsumerRef, ResourceType) combination. Examples: Organization “acme-corp” consuming Project quota; Project “web-app” consuming User quota; Organization “enterprise-corp” consuming storage quota | | Required: {} |
| resourceType (string) | ResourceType specifies which resource type this bucket aggregates quota for. Must exactly match a ResourceRegistration.spec.resourceType that is currently active. The quota system validates this reference and only creates buckets for registered types. The identifier format is flexible, as defined by platform administrators in their ResourceRegistrations. Examples: “resourcemanager.miloapis.com/projects”; “compute_cpu”; “storage.volumes”; “custom-service-quota” | | MaxLength: 253; MinLength: 1; Required: {} |
AllowanceBucketStatus
AllowanceBucketStatus contains the quota system-computed quota aggregation for a specific (consumer, resourceType) combination. The quota system continuously updates this status by aggregating capacity from active ResourceGrants and consumption from granted ResourceClaims.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| observedGeneration (integer) | ObservedGeneration indicates the most recent spec generation the quota system has processed. When ObservedGeneration matches metadata.generation, the status reflects the current spec. When ObservedGeneration is lower, the quota system is still processing recent changes. | | Optional: {} |
| limit (integer) | Limit represents the total quota capacity available for this (consumer, resourceType) combination. Calculated by summing all bucket amounts from active ResourceGrants that match the bucket’s spec.consumerRef and spec.resourceType. Measured in BaseUnit from the ResourceRegistration. Aggregation logic: only ResourceGrants with status.conditions[type=Active]=True contribute to the limit; all allowances matching spec.resourceType are included from contributing grants; all bucket amounts within matching allowances are summed | | Minimum: 0; Required: {} |
| allocated (integer) | Allocated represents the total quota currently consumed by granted ResourceClaims. Calculated by summing all allocation amounts from ResourceClaims with status.conditions[type=Granted]=True that match the bucket’s spec.consumerRef and have requests for spec.resourceType. Aggregation logic: only ResourceClaims with Granted=True contribute to the allocated amount; only requests matching spec.resourceType are included; all allocated amounts from matching requests are summed | | Minimum: 0; Required: {} |
| available (integer) | Available represents the quota capacity remaining for new ResourceClaims. Always calculated as: Available = Limit - Allocated (never negative). The system uses this value to determine whether new ResourceClaims can be granted. Decision logic: a ResourceClaim is granted if requested amount <= Available; a ResourceClaim is denied if requested amount > Available; multiple concurrent claims may race, and the first to be processed wins | | Minimum: 0; Required: {} |
| claimCount (integer) | ClaimCount indicates the total number of granted ResourceClaims consuming quota from this bucket. Includes all ResourceClaims with status.conditions[type=Granted]=True that have requests matching spec.resourceType and spec.consumerRef. Used for monitoring quota usage patterns and identifying potential issues. | | Minimum: 0; Required: {} |
| grantCount (integer) | GrantCount indicates the total number of active ResourceGrants contributing to this bucket’s limit. Includes all ResourceGrants with status.conditions[type=Active]=True that have allowances matching spec.resourceType and spec.consumerRef. Used for understanding quota source distribution and debugging capacity issues. | | Minimum: 0; Required: {} |
| contributingGrantRefs (ContributingGrantRef array) | ContributingGrantRefs provides detailed information about each ResourceGrant that contributes to this bucket’s limit. Includes grant names, amounts, and last observed generations for tracking and debugging quota sources. This field provides visibility into: which grants are providing quota capacity; how much each grant contributes; whether grants have been updated since the last bucket calculation. Grants are tracked individually because they are typically few in number compared to claims. | | Optional: {} |
| lastReconciliation (Time) | LastReconciliation records when the quota system last recalculated this status. Used for monitoring quota system health and understanding how fresh the aggregated data is. The quota system updates this timestamp every time it processes the bucket, regardless of whether the aggregated values changed. | | Optional: {} |
Bucket
Bucket represents a single allocation of quota capacity within an allowance. Each bucket contributes its amount to the total allowance for a resource type.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| amount (integer) | Amount specifies the quota capacity provided by this bucket. Must be measured in the BaseUnit defined by the corresponding ResourceRegistration. Must be a non-negative integer (0 is valid but provides no quota). Examples: 100 (providing 100 projects); 2048000 (providing 2048000 bytes = 2GB); 5000 (providing 5000 CPU millicores = 5 cores) | | Minimum: 0; Required: {} |
ClaimCreationPolicy
ClaimCreationPolicy automatically creates ResourceClaims during admission to enforce quota in real-time. Policies intercept resource creation requests, evaluate trigger conditions, and generate quota claims that prevent resource creation when quota limits are exceeded.
How It Works
- Trigger Matching: Admission webhook matches incoming resource creates against spec.trigger.resource
- Constraint Evaluation: All CEL expressions in spec.trigger.constraints must evaluate to true
- Template Rendering: Policy renders spec.target.resourceClaimTemplate using available template variables
- Claim Creation: System creates the rendered ResourceClaim in the specified namespace
- Quota Evaluation: Claim is immediately evaluated against AllowanceBucket capacity
- Admission Decision: Original resource creation succeeds or fails based on claim result
Policy Processing Flow
Active Policies (spec.disabled=false):
- Admission webhook receives resource creation request
- Finds all ClaimCreationPolicies matching the resource type
- Evaluates trigger constraints for each matching policy
- Creates ResourceClaim for each policy where all constraints are true
- Evaluates all created claims against quota buckets
- Allows resource creation only if all claims are granted
Disabled Policies (spec.disabled=true):
- Completely ignored during admission processing
- No constraints evaluated, no claims created
- Useful for temporarily disabling quota enforcement
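The active/disabled policy flow above, as an added Go example that is not the project’s own admission code: constraints are plain Go predicates standing in for CEL, the claim template is reduced to a static (resourceType, amount) request, the consumer is assumed to be already resolved, and the user and requestInfo variables are not modelled.

```go
package main

import "fmt"

// field walks a nested map the way CEL property access does (trigger.spec.tier);
// it returns nil when any step of the path is missing.
func field(obj map[string]any, path ...string) any {
	var cur any = obj
	for _, p := range path {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil
		}
		cur = m[p]
	}
	return cur
}

// Policy is a reduced ClaimCreationPolicy: Constraints are Go predicates standing in
// for the CEL expressions of spec.trigger.constraints, and the claim template is
// reduced to one static (ResourceType, Amount) request.
type Policy struct {
	Name         string
	TriggerKind  string
	Disabled     bool
	Constraints  []func(trigger map[string]any) bool
	ResourceType string
	Amount       int64
}

// Decision records the outcome for one claim a policy created.
type Decision struct {
	Claim        string
	ResourceType string
	Granted      bool
}

// ProcessAdmission runs the policy processing flow for one creation of a resource of
// the given kind. available holds status.available of the resolved consumer's buckets
// keyed by resourceType. It returns whether the creation is allowed, the headroom to
// persist (unchanged when denied, so denied claims leave no allocation behind) and
// the per-claim decisions.
func ProcessAdmission(kind string, trigger map[string]any, policies []Policy,
	available map[string]int64) (bool, map[string]int64, []Decision) {
	updated := make(map[string]int64, len(available))
	for k, v := range available {
		updated[k] = v
	}
	allowed := true
	var decisions []Decision
	for _, p := range policies {
		if p.Disabled || p.TriggerKind != kind {
			continue // disabled policies are ignored entirely
		}
		matched := true
		for _, c := range p.Constraints {
			if !c(trigger) {
				matched = false
				break
			}
		}
		if !matched {
			continue // no claim unless every constraint is true
		}
		// A real policy renders its resourceClaimTemplate here; this name stands in
		// for a template such as {{trigger.metadata.name}}-<policy name>.
		name := fmt.Sprintf("%v-%s", field(trigger, "metadata", "name"), p.Name)
		// Assumed: a claim against a bucket that does not exist yet is denied.
		headroom, exists := updated[p.ResourceType]
		granted := exists && p.Amount <= headroom
		if granted {
			updated[p.ResourceType] = headroom - p.Amount
		}
		decisions = append(decisions, Decision{name, p.ResourceType, granted})
		allowed = allowed && granted
	}
	if !allowed {
		return false, available, decisions
	}
	return true, updated, decisions
}

func main() {
	// Constructed sample: a premium-tier Project under a consumer with one project left.
	trigger := map[string]any{
		"metadata": map[string]any{"name": "web-app"},
		"spec":     map[string]any{"tier": "premium"},
	}
	policies := []Policy{
		{Name: "projects", TriggerKind: "Project", ResourceType: "resourcemanager.miloapis.com/projects", Amount: 1,
			Constraints: []func(map[string]any) bool{func(t map[string]any) bool { return field(t, "spec", "tier") == "premium" }}},
		{Name: "legacy", TriggerKind: "Project", Disabled: true, ResourceType: "compute_cpu", Amount: 1 << 40},
	}
	ok, left, _ := ProcessAdmission("Project", trigger, policies, map[string]int64{"resourcemanager.miloapis.com/projects": 1})
	fmt.Println("allowed:", ok, "remaining:", left)
}
```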
Template Expressions
Template expressions generate dynamic content for ResourceClaim fields including metadata and specification. Content inside {{ }} delimiters is evaluated as CEL expressions, while content outside is treated as literal text.
Template Expression Rules:
- {{expression}} - Pure CEL expression, evaluated and substituted
- literal-text - Used as-is without any evaluation
- {{expression}}-literal - CEL output combined with literal text
- prefix-{{expression}}-suffix - Literal text surrounding CEL expression
Template Expression Examples:
- {{trigger.metadata.name + '-claim'}} - Pure CEL expression (metadata)
- {{trigger.metadata.name}}-quota-claim - CEL + literal suffix (metadata)
- {{trigger.spec.organization}} - Extract spec field for consumer name (spec)
- {{trigger.metadata.labels["tier"] + "-tier"}} - Label-based naming (spec)
- fixed-claim-name - Literal string only (no evaluation)
Use Template Expressions For: ResourceClaimTemplate fields (metadata and spec)
Constraint Expressions
Constraint expressions determine whether a policy should trigger by evaluating boolean conditions. These are pure CEL expressions without delimiters that must return true/false values.
Constraint Expression Rules:
- Write pure CEL expressions directly (no wrapping syntax)
- Must return boolean values (true = trigger policy, false = skip)
- All constraints in a policy must return true for the policy to activate
Constraint Expression Examples:
- trigger.spec.tier == "premium" - Field equality check
- trigger.metadata.labels["environment"] == "prod" - Label-based filtering
- user.groups.exists(g, g == "admin") - User authorization check
- has(trigger.spec.quotaProfile) - Field existence check
Use Constraint Expressions For: spec.trigger.constraints fields
Expression Variables
Both template and constraint expressions have access to the same context variables:
trigger: The complete resource that triggered the policy, including all metadata, spec, and status fields. Navigate using CEL property access: trigger.metadata.name, trigger.spec.replicas.
user: Authentication context providing access to the requester’s name, unique identifier, group memberships, and additional attributes. Enables user-based quota policies.
requestInfo: Operational context including the API verb being performed and resource type being manipulated. Useful for distinguishing between create, update, and delete operations.
CEL Functions: Standard CEL functions available for data manipulation including conditional expressions (condition ? value1 : value2), string methods (lowerAscii(), upperAscii(), trim()), and collection operations (exists(), all(), filter()).
Consumer Resolution
The system automatically resolves spec.consumerRef for created claims:
- Uses parent context resolution to find the appropriate consumer
- Typically resolves to Organization for Project resources, Project for User resources, etc.
- Consumer must match the ResourceRegistration.spec.consumerType for the requested resource type
Validation and Dependencies
Policy Validation:
- Target resource type must exist and be accessible
- All resource types in claim specification must have active ResourceRegistrations
- Consumer resolution must be resolvable for target resources
- CEL expressions must be syntactically valid
Runtime Dependencies:
- ResourceRegistration must be Active for each requested resource type
- Triggering resource kind must be listed in ResourceRegistration.spec.claimingResources
- AllowanceBucket must exist (created automatically when ResourceGrants are active)
Policy Lifecycle
- Creation: Administrator creates ClaimCreationPolicy
- Validation: System validates target resource and expressions
- Activation: System sets Ready=True when validation passes
- Operation: Admission webhook uses active policies to create claims
- Updates: Changes trigger re-validation; only Ready policies are used
Status Conditions
- Ready=True: Policy is validated and actively creating claims
- Ready=False, reason=ValidationFailed: Configuration errors prevent activation (check message)
- Ready=False, reason=PolicyDisabled: Policy is disabled (spec.disabled=true)
Automatic Claim Features
Claims created by ClaimCreationPolicy include:
- Standard Labels: quota.miloapis.com/auto-created=true, quota.miloapis.com/policy=<policy-name>
- Standard Annotations: quota.miloapis.com/created-by=claim-creation-plugin, timestamps
- Owner References: Set to triggering resource when possible for lifecycle management
- Cleanup: Automatically cleaned up when denied to prevent accumulation
Field Constraints and Limits
- Maximum 10 constraints per trigger (spec.trigger.constraints)
- Static amounts only in v1alpha1 (no expression-based quota amounts)
- Template metadata labels are literal strings (no expression processing)
- Template annotation values support CEL expressions
Selectors and Filtering
- Field selectors: spec.trigger.resource.kind, spec.trigger.resource.apiVersion, spec.disabled
- Recommended labels (add manually):
- quota.miloapis.com/target-kind: Project
- quota.miloapis.com/environment: production
- quota.miloapis.com/tier: premium
Common Queries
- All policies for a resource kind: label selector quota.miloapis.com/target-kind=<kind>
- Active policies only: field selector spec.disabled=false
- Environment-specific policies: label selector quota.miloapis.com/environment=<env>
- Failed policies: filter by status.conditions[type=Ready].status=False
Troubleshooting
- Policy not triggering: Check spec.disabled=false and status.conditions[type=Ready]=True
- Template errors: Review status condition message for CEL expression syntax issues
- CEL expression failures: Validate expression syntax and available variables
- Claims not created: Verify trigger constraints match the incoming resource
- Consumer resolution errors: Check parent context resolution and ResourceRegistration setup
Performance Considerations
- Policies are evaluated synchronously during admission (affects API latency)
- Complex CEL expressions can impact admission performance
- Template rendering occurs for every matching admission request
- Consider using specific trigger constraints to limit policy evaluation scope
Security Considerations
- Templates can access complete trigger resource data (sensitive field exposure)
- CEL expressions have access to user information and request details
- Only trusted administrators should create or modify policies
- Review template output to ensure no sensitive data leakage in claim metadata
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | ClaimCreationPolicy | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (ClaimCreationPolicySpec) | | | Required: {} |
| status (ClaimCreationPolicyStatus) | | | |
ClaimCreationPolicyList
ClaimCreationPolicyList contains a list of ClaimCreationPolicy.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | ClaimCreationPolicyList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (ClaimCreationPolicy array) | | | |
ClaimCreationPolicySpec
ClaimCreationPolicySpec defines the desired state of ClaimCreationPolicy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| trigger (ClaimTriggerSpec) | Trigger defines what resource changes should trigger claim creation. | | Required: {} |
| target (ClaimTargetSpec) | Target defines how and where ResourceClaims should be created. | | Required: {} |
| disabled (boolean) | Disabled determines if this policy is inactive. If true, no ResourceClaims will be created for matching resources. | false | |
ClaimCreationPolicyStatus
ClaimCreationPolicyStatus defines the observed state of ClaimCreationPolicy.
Status fields
- conditions[type=Ready]: True when the policy is validated and active.
See also
- ResourceClaim: The object created by this policy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| observedGeneration (integer) | ObservedGeneration is the most recent generation observed. | | |
| conditions (Condition array) | Conditions represent the latest available observations of the policy’s current state. | | |
ClaimTargetSpec
ClaimTargetSpec defines how ResourceClaims are created for a matched trigger.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| resourceClaimTemplate (ResourceClaimTemplate) | ResourceClaimTemplate defines how to create ResourceClaims. String fields support CEL expressions for dynamic content. | | Required: {} |
ClaimTriggerResource
ClaimTriggerResource identifies the resource type that triggers this policy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | APIVersion of the trigger resource in the format “group/version” or “version” for core resources. Examples: “v1” for core resources like Secret, “resourcemanager.miloapis.com/v1alpha1” for custom resources. | | Pattern: ^(v[0-9]+((alpha\|beta)[0-9]*)?\|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/v[0-9]+((alpha\|beta)[0-9]*)?)$; Required: {} |
| kind (string) | Kind is the kind of the trigger resource. | | MinLength: 1; Required: {} |
ClaimTriggerSpec
ClaimTriggerSpec defines the resource type and optional conditions for triggering claim creation.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| resource (ClaimTriggerResource) | Resource specifies which resource type triggers this policy. | | Required: {} |
| constraints (ConditionExpression array) | Constraints are CEL expressions that must evaluate to true for claim creation to occur. These are pure CEL expressions WITHOUT {{ }} delimiters (unlike template fields). Evaluated in the admission context. | | MaxItems: 10 |
ClaimingResource
ClaimingResource identifies a resource type that can create ResourceClaims for this registration. Uses unversioned references to remain valid across API version changes.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiGroup (string) | APIGroup specifies the API group of the resource that can create claims. Use empty string for Kubernetes core resources (Secret, ConfigMap, etc.). Use full group name for custom resources. Examples: "" (core resources like Secret, ConfigMap); resourcemanager.miloapis.com (custom resource group); iam.miloapis.com (Milo IAM resources) | | Optional: {}; Pattern: ^$\|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ |
| kind (string) | Kind specifies the resource type that can create ResourceClaims for this registration. Must match an existing resource type. Maximum 63 characters. Examples: Project (Project resource creating claims for Project quota); User (User resource creating claims for User quota); Organization (Organization resource creating claims for Organization quota) | | MaxLength: 63; MinLength: 1; Required: {} |
ConditionExpression
ConditionExpression defines a CEL expression that determines when the policy should trigger. All expressions in a policy’s trigger conditions must evaluate to true for the policy to activate.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| expression (string) | Expression specifies the CEL expression to evaluate against the trigger resource. This is a pure CEL expression WITHOUT {{ }} delimiters (unlike template fields). Must return a boolean value (true to match, false to skip). Maximum 1024 characters. Available variables in GrantCreationPolicy context: trigger, the complete resource being watched (map[string]any), navigated as trigger.metadata.name, trigger.spec., trigger.status., etc. Common expression patterns: trigger.spec.tier == “premium” (check resource field); trigger.metadata.labels[“environment”] == “prod” (check labels); trigger.status.phase == “Active” (check status); trigger.metadata.namespace == “production” (check namespace); has(trigger.spec.quotaProfile) (check field existence) | | MaxLength: 1024; MinLength: 1; Required: {} |
| message (string) | Message provides a human-readable description explaining when this condition applies. Used for documentation and debugging. Maximum 256 characters. Examples: “Applies only to premium tier organizations”; “Matches organizations in production environment”; “Triggers when quota profile is specified” | | MaxLength: 256 |
ConsumerRef
ConsumerRef identifies a quota consumer, the entity that receives quota grants and creates quota claims. Consumers are typically hierarchical (Organization > Project > User).
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiGroup (string) | APIGroup specifies the API group of the consumer resource. Use full group name for Milo resources. Examples: “resourcemanager.miloapis.com” (Organization/Project resources); “iam.miloapis.com” (User/Group resources); “infrastructure.miloapis.com” (infrastructure resources) | | Optional: {} |
| kind (string) | Kind specifies the type of consumer resource. Must match an existing Kubernetes resource type that can receive quota grants. Common consumer types: “Organization” (top-level quota consumer); “Project” (project-level quota consumer); “User” (user-level quota consumer) | | Required: {} |
| name (string) | Name identifies the specific consumer resource instance. Must match the name of an existing consumer resource in the cluster. Examples: “acme-corp” (Organization name); “web-application” (Project name); “john.doe” (User name) | | Required: {} |
| namespace (string) | Namespace identifies the namespace of the consumer resource. Required for namespaced consumer resources (e.g., Projects). Leave empty for cluster-scoped consumer resources (e.g., Organizations). Examples: "" (empty for cluster-scoped Organizations); “organization-acme-corp” (namespace for Projects within an organization); “project-web-app” (namespace for resources within a project) | | Optional: {} |
ConsumerType
ConsumerType identifies the resource type that consumes quota. The consumer receives ResourceGrants and creates ResourceClaims for the registered resource. For example, when registering “Projects per Organization”, Organization is the consumer type.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiGroup (string) | APIGroup specifies the API group of the quota consumer resource type. Use empty string for Kubernetes core resources (Secret, ConfigMap, etc.). Use full group name for custom resources (for example, resourcemanager.miloapis.com). Must follow DNS subdomain format with lowercase letters, numbers, and hyphens. Examples: resourcemanager.miloapis.com (Organizations, Projects); iam.miloapis.com (Users, Groups); infrastructure.miloapis.com (custom infrastructure resources) | | Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$; Required: {} |
| kind (string) | Kind specifies the resource type that receives quota grants and creates quota claims. Must match an existing Kubernetes resource type (core or custom). Use the exact Kind name as defined in the resource’s schema. Examples: Organization (receives Project quotas); Project (receives User quotas); User (receives resource quotas within projects) | | Required: {} |
ContributingGrantRef
ContributingGrantRef tracks a ResourceGrant that contributes capacity to this bucket. The quota system maintains these references to provide visibility into quota sources and to detect when grants change.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name (string) | Name identifies the ResourceGrant that contributes to this bucket’s limit. Used for tracking quota sources and debugging allocation issues. | | Required: {} |
| lastObservedGeneration (integer) | LastObservedGeneration records the ResourceGrant’s generation when the bucket quota system last processed it. Used to detect when grants have been updated and the bucket needs to recalculate its aggregated limit. | | Required: {} |
| amount (integer) | Amount specifies how much quota capacity this grant contributes to the bucket. Represents the sum of all buckets within all allowances for the matching resource type in the referenced grant. Measured in BaseUnit. | | Minimum: 0; Required: {} |
GrantCreationPolicy
GrantCreationPolicy automates ResourceGrant creation when observed resources meet conditions. Use it to provision quota based on resource lifecycle events and attributes.
How It Works
- Watch the kind in spec.trigger.resource and evaluate all spec.trigger.constraints[].
- When all constraints are true, evaluate spec.target.resourceGrantTemplate and create a ResourceGrant.
- Optionally target a parent control plane via spec.target.parentContext (CEL-resolved name) for cross-cluster allocation.
- Allowances (resource types and amounts) are static in v1alpha1.
Template Expressions
Template expressions generate dynamic content for ResourceGrant fields including metadata and specification. Content inside {{ }} delimiters is evaluated as CEL expressions, while content outside is treated as literal text.
Template Expression Rules:
- {{expression}} - Pure CEL expression, evaluated and substituted
- literal-text - Used as-is without any evaluation
- {{expression}}-literal - CEL output combined with literal text
- prefix-{{expression}}-suffix - Literal text surrounding CEL expression
Template Expression Examples:
- {{trigger.metadata.name + '-grant'}} - Pure CEL expression (metadata)
- {{trigger.metadata.name}}-quota-grant - CEL + literal suffix (metadata)
- {{trigger.spec.type + "-consumer"}} - Extract spec field for consumer name (spec)
- {{trigger.metadata.labels["environment"] + "-grants"}} - Label-based naming (spec)
- fixed-grant-name - Literal string only (no evaluation)
Use Template Expressions For: ResourceGrantTemplate fields (metadata and spec)
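The template rules shared by ClaimCreationPolicy and GrantCreationPolicy, as an added Go example that is not the project’s renderer: ParseTemplate splits a field into literal and {{ }} segments and Render joins the evaluated pieces; PathEvaluator is an assumed stand-in for CEL that resolves only dotted property paths such as trigger.metadata.name.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Segment is one piece of a template field: literal text, or an expression
// that was wrapped in {{ }}.
type Segment struct {
	Expr bool
	Text string
}

// ParseTemplate splits a template field by the rules above: text inside {{ }} is an
// expression, everything else is literal. Unbalanced delimiters and empty
// expressions are rejected.
func ParseTemplate(tpl string) ([]Segment, error) {
	var segs []Segment
	for rest := tpl; rest != ""; {
		open := strings.Index(rest, "{{")
		if open < 0 {
			if strings.Contains(rest, "}}") {
				return nil, errors.New("'}}' without matching '{{'")
			}
			segs = append(segs, Segment{Text: rest})
			break
		}
		if open > 0 {
			segs = append(segs, Segment{Text: rest[:open]})
		}
		end := strings.Index(rest[open+2:], "}}")
		if end < 0 {
			return nil, errors.New("'{{' without matching '}}'")
		}
		expr := strings.TrimSpace(rest[open+2 : open+2+end])
		if expr == "" {
			return nil, errors.New("empty {{ }} expression")
		}
		segs = append(segs, Segment{Expr: true, Text: expr})
		rest = rest[open+2+end+2:]
	}
	return segs, nil
}

// Render evaluates every expression segment with eval and joins the results
// with the literal segments.
func Render(tpl string, eval func(expr string) (string, error)) (string, error) {
	segs, err := ParseTemplate(tpl)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	for _, s := range segs {
		out := s.Text
		if s.Expr {
			if out, err = eval(s.Text); err != nil {
				return "", fmt.Errorf("%q: %w", s.Text, err)
			}
		}
		b.WriteString(out)
	}
	return b.String(), nil
}

// PathEvaluator is a stand-in for CEL used only in this example: it resolves dotted
// property paths (trigger.metadata.name) against a nested map and nothing else, so
// operators, function calls and indexing fail instead of silently rendering.
func PathEvaluator(vars map[string]any) func(string) (string, error) {
	return func(expr string) (string, error) {
		var cur any = vars
		for _, p := range strings.Split(expr, ".") {
			m, ok := cur.(map[string]any)
			if !ok || strings.ContainsAny(p, " +-()[]'\"") {
				return "", fmt.Errorf("unsupported or unresolvable path %q", expr)
			}
			if cur, ok = m[p]; !ok {
				return "", fmt.Errorf("no such field %q", p)
			}
		}
		return fmt.Sprint(cur), nil
	}
}

func main() {
	// Constructed trigger resource standing in for the object being created.
	eval := PathEvaluator(map[string]any{"trigger": map[string]any{
		"metadata": map[string]any{"name": "web-app"},
		"spec":     map[string]any{"organization": "acme-corp"},
	}})
	for _, tpl := range []string{
		"{{trigger.metadata.name}}-quota-claim",   // CEL + literal suffix
		"org-{{trigger.spec.organization}}-grant", // prefix and suffix
		"fixed-claim-name",                        // literal only
		"{{trigger.metadata.name",                 // unbalanced: rejected
	} {
		out, err := Render(tpl, eval)
		fmt.Printf("%-42s -> %q %v\n", tpl, out, err)
	}
}
```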
Constraint Expressions
Constraint expressions determine whether a policy should trigger by evaluating boolean conditions. These are pure CEL expressions without delimiters that must return true/false values.
Constraint Expression Rules:
- Write pure CEL expressions directly (no wrapping syntax)
- Must return boolean values (true = trigger policy, false = skip)
- All constraints in a policy must return true for the policy to activate
Constraint Expression Examples:
- trigger.spec.tier == "premium": field equality check
- trigger.metadata.labels["environment"] == "prod": label-based filtering
- trigger.status.phase == "Active": status condition check
- has(trigger.spec.quotaProfile): field existence check
Use Constraint Expressions For: spec.trigger.constraints fields
Expression Variables
Both template and constraint expressions have access to the resource context variables:
trigger: The complete resource that triggered the policy, including all metadata, spec, and status fields. Navigate using CEL property access: trigger.metadata.name, trigger.spec.tier. This is the only context variable: GrantCreationPolicy runs on watch events, not during admission, so the requestInfo and user variables available to ClaimCreationPolicy templates do not exist here. Note that the field reference below refers to the same trigger resource as object in spec.trigger.constraints[] and spec.target.parentContext.nameExpression; if an expression is rejected for an unknown variable, check the Ready condition for the validation error.
CEL Functions: Standard CEL functions are available for data manipulation, including conditional expressions (condition ? value1 : value2), string methods (lowerAscii(), upperAscii(), trim()), and collection macros (exists(), all(), filter()).
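The following is an added example, not code from the Milo project, that models the rules above: it evaluates spec.trigger.constraints[] against a trigger object, renders the {{ }} template fields of a ResourceGrantTemplate, keeps labels literal, and returns the ResourceGrant the policy would create. The CEL subset used by the examples on this page (dotted access, ["key"] indexing, string literals, +, ==, has()) has the same surface syntax as Python expressions, so Python's ast module (3.9+) serves as the parser and only a whitelist of node types is interpreted; template input never reaches eval(), which is the property any real template renderer needs as well. The sample policy and Organization, the 'expression' key of ConditionExpression, the 'buckets'/'amount' allowance fields and the resourceType string are assumptions.

```python
"""Model of how a GrantCreationPolicy evaluates constraints and renders its
ResourceGrantTemplate. Added example, not the Milo project's code. The CEL
subset on this page has the same surface syntax as Python expressions, so
Python's ast module is the parser and only whitelisted node types are
interpreted; nothing reaches eval(). Sample objects and the 'expression',
'buckets', 'amount' and resourceType names are constructed assumptions."""
import ast
import re

_TEMPLATE = re.compile(r"\{\{(.*?)\}\}")
_MISSING = object()

def _field(base, key, strict):
    """Look up one field; a missing field is an error unless evaluated inside has()."""
    if isinstance(base, dict) and key in base:
        return base[key]
    if strict:
        raise KeyError(f"expression references missing field {key!r}")
    return _MISSING

def _interpret(node, env, strict=True):
    """Evaluate a whitelisted AST node; any other construct is rejected."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, bool)):
        return node.value
    if isinstance(node, ast.Name):
        return _field(env, node.id, strict)
    if isinstance(node, ast.Attribute):  # trigger.spec.tier
        return _field(_interpret(node.value, env, strict), node.attr, strict)
    if (isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Constant)
            and isinstance(node.slice.value, str)):  # trigger.metadata.labels["environment"]
        return _field(_interpret(node.value, env, strict), node.slice.value, strict)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):  # string concatenation
        left, right = _interpret(node.left, env), _interpret(node.right, env)
        if not (isinstance(left, str) and isinstance(right, str)):
            raise TypeError("'+' is only supported between strings here")
        return left + right
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and isinstance(node.ops[0], ast.Eq):
        return _interpret(node.left, env) == _interpret(node.comparators[0], env)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "has"
            and len(node.args) == 1 and not node.keywords):  # has(trigger.spec.quotaProfile)
        return _interpret(node.args[0], env, strict=False) is not _MISSING
    raise ValueError(f"unsupported expression element: {type(node).__name__}")

def evaluate(expression, env):
    """Evaluate one bare expression, as written in spec.trigger.constraints."""
    return _interpret(ast.parse(expression.strip(), mode="eval").body, env)

def render(template, env):
    """Substitute each {{expr}} in a template string; text outside the braces is literal."""
    def substitute(match):
        value = evaluate(match.group(1), env)
        if not isinstance(value, str):
            raise TypeError(f"{match.group(0)} must yield a string, got {value!r}")
        return value
    return _TEMPLATE.sub(substitute, template)

def _render_tree(node, env):
    """Render every string field of a template; integers (allowance amounts) stay static."""
    if isinstance(node, str):
        return render(node, env)
    if isinstance(node, dict):
        return {k: _render_tree(v, env) for k, v in node.items()}
    return [_render_tree(v, env) for v in node] if isinstance(node, list) else node

def apply_policy(policy, trigger):
    """Return the ResourceGrant the policy would create for trigger, or None if it does not fire."""
    spec, wanted = policy["spec"], policy["spec"]["trigger"]["resource"]
    if spec.get("disabled") or (trigger["apiVersion"], trigger["kind"]) != (wanted["apiVersion"], wanted["kind"]):
        return None
    # This page calls the trigger object 'trigger' in examples and 'object' in the
    # constraints/nameExpression field docs, so both names are bound here.
    env = {"trigger": trigger, "object": trigger}
    for constraint in spec["trigger"].get("constraints", []):
        verdict = evaluate(constraint["expression"], env)
        if not isinstance(verdict, bool):
            raise TypeError(f"constraint {constraint['expression']!r} must return a boolean")
        if not verdict:
            return None
    tmpl = spec["target"]["resourceGrantTemplate"]
    metadata = dict(tmpl["metadata"])
    labels = dict(metadata.pop("labels", {}))  # labels are literal and never templated
    grant = {"apiVersion": "quota.miloapis.com/v1alpha1", "kind": "ResourceGrant",
             "metadata": _render_tree(metadata, env), "spec": _render_tree(tmpl["spec"], env)}
    grant["metadata"]["labels"] = labels
    return grant

SAMPLE_POLICY = {"spec": {  # constructed
    "trigger": {"resource": {"apiVersion": "resourcemanager.miloapis.com/v1alpha1", "kind": "Organization"},
                "constraints": [{"expression": 'trigger.spec.tier == "premium"'},
                                {"expression": 'trigger.metadata.labels["environment"] == "prod"'}]},
    "target": {"resourceGrantTemplate": {
        "metadata": {"name": "{{trigger.metadata.name}}-quota-grant", "namespace": "milo-system",
                     "labels": {"quota.miloapis.com/source": "premium-org-projects"},
                     "annotations": {"created-for": "{{trigger.metadata.name}}"}},
        "spec": {"consumerRef": {"kind": "Organization", "name": "{{trigger.metadata.name}}"},
                 "allowances": [{"resourceType": "resourcemanager.miloapis.com/projects",
                                 "buckets": [{"amount": 50}]}]}}}}}
SAMPLE_TRIGGER = {"apiVersion": "resourcemanager.miloapis.com/v1alpha1", "kind": "Organization",  # constructed
                  "metadata": {"name": "acme-corp", "labels": {"environment": "prod"}}, "spec": {"tier": "premium"}}
```

Calling apply_policy(SAMPLE_POLICY, SAMPLE_TRIGGER) yields a grant named acme-corp-quota-grant for consumer acme-corp; changing the trigger's tier to "basic" makes the first constraint false and the policy does not fire. Any expression element outside the whitelist (a function call other than has(), an attribute on a non-dict, arithmetic on integers) raises instead of being executed.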
Works With
- Creates ResourceGrant objects whose allowances[].resourceType must exist in a ResourceRegistration.
- May target a parent control plane via spec.target.parentContext for cross-plane quota allocation.
- Policy readiness (status.conditions[type=Ready]) signals expression/constraint validity.
Status
- status.conditions[type=Ready]: Policy validated and active.
- status.conditions[type=ParentContextReady]: Cross-cluster targeting is resolvable.
- status.observedGeneration: Latest spec generation processed.
Selectors and Filtering
- Field selectors (server-side): spec.trigger.resource.kind, spec.trigger.resource.apiVersion, spec.target.parentContext.kind, spec.target.parentContext.apiGroup.
- Label selectors (add your own): quota.miloapis.com/trigger-kind: Organization, quota.miloapis.com/environment: prod
- Common queries:
  - All policies for a trigger kind: label selector quota.miloapis.com/trigger-kind.
  - All active policies: field selector spec.disabled=false.
Defaults and Limits
- Resource grant allowances are static (no expression-based amounts) in v1alpha1.
- If ParentContextReady=False, verify nameExpression and the attributes it references.
- Disabled policies (spec.disabled=true) do not create grants.
- nameExpression may resolve the parent from the trigger's labels or namespace name; the policy then trusts whoever can write those fields on the trigger resource. When the parent decides where quota lands, prefer a spec field that the trigger's own admission rules validate over free-form labels.
See Also
- ResourceGrant: The object created by this policy.
- ResourceRegistration: Resource types that grants must reference.
- ClaimCreationPolicy: Creates claims at admission for enforcement.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | GrantCreationPolicy | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (GrantCreationPolicySpec) | | | Required: {} |
| status (GrantCreationPolicyStatus) | | | |
GrantCreationPolicyList
GrantCreationPolicyList contains a list of GrantCreationPolicy.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | GrantCreationPolicyList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (GrantCreationPolicy array) | | | |
GrantCreationPolicySpec
GrantCreationPolicySpec defines the desired state of GrantCreationPolicy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| trigger (GrantTriggerSpec) | Trigger defines what resource changes should trigger grant creation. | | Required: {} |
| target (GrantTargetSpec) | Target defines where and how grants should be created. | | Required: {} |
| disabled (boolean) | Disabled determines if this policy is inactive. If true, no ResourceGrants will be created for matching resources. | false | |
GrantCreationPolicyStatus
GrantCreationPolicyStatus defines the observed state of GrantCreationPolicy.
Status fields
- conditions[type=Ready]: True when the policy is validated and active.
- conditions[type=ParentContextReady]: True when cross‑cluster targeting is resolvable.
- observedGeneration: Latest spec generation processed by the quota system.
See also
- ResourceGrant: The object created by this policy.
- ResourceRegistration: Resource types for which grants are issued.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| observedGeneration (integer) | ObservedGeneration is the most recent generation observed. | | |
| conditions (Condition array) | Conditions represent the latest available observations of the policy's current state. | | |
GrantParentContextSpec
GrantParentContextSpec enables cross-cluster grant creation by targeting a parent control plane. Used to create grants in infrastructure clusters when policies run in child clusters.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiGroup (string) | APIGroup specifies the API group of the parent context resource. Must follow DNS subdomain format. Maximum 253 characters. Examples: "resourcemanager.miloapis.com" (for an Organization parent context); "infrastructure.miloapis.com" (for a Cluster parent context). | | MaxLength: 253; Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$; Required: {} |
| kind (string) | Kind specifies the resource type that represents the parent context. Must be a valid Kubernetes resource Kind. Maximum 63 characters. Examples: "Organization" (create grants in the organization's parent control plane); "Cluster" (create grants in the cluster's parent infrastructure). | | MaxLength: 63; MinLength: 1; Pattern: ^[A-Z][a-zA-Z0-9]*$; Required: {} |
| nameExpression (string) | NameExpression is a CEL expression that resolves the name of the parent context resource. Must return a string that identifies the specific parent context instance. Maximum 512 characters. Available variable: object, the trigger resource being evaluated (complete object). Common patterns: object.spec.organization (direct field reference); object.metadata.labels["parent-org"] (label-based resolution); object.metadata.namespace.split("-")[0] (derived from namespace naming). Examples: "acme-corp" (literal parent name); object.spec.parentOrganization (field from the trigger resource); object.metadata.labels["quota.miloapis.com/organization"] (label value). | | MaxLength: 512; MinLength: 1; Required: {} |
GrantTargetSpec
GrantTargetSpec defines where and how grants are created.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| parentContext (GrantParentContextSpec) | ParentContext defines cross-control-plane targeting. If specified, grants are created in the target parent context instead of the current control plane. | | |
| resourceGrantTemplate (ResourceGrantTemplate) | ResourceGrantTemplate defines how to create ResourceGrants. String fields support CEL expressions wrapped in {{ }} delimiters for dynamic content. Plain strings without {{ }} are treated as literal values. | | Required: {} |
GrantTriggerResource
GrantTriggerResource identifies the resource type that triggers grant creation.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | APIVersion of the trigger resource in the format "group/version". For core resources, use "v1". | | Pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/)?v[0-9]+((alpha\|beta)[0-9]*)?$; Required: {} |
| kind (string) | Kind is the kind of the trigger resource. | | MaxLength: 63; MinLength: 1; Pattern: ^[A-Z][a-zA-Z0-9]*$; Required: {} |
GrantTriggerSpec
GrantTriggerSpec defines the resource and conditions that trigger grant creation.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| resource (GrantTriggerResource) | Resource specifies which resource type triggers this policy. | | Required: {} |
| constraints (ConditionExpression array) | Constraints are CEL expressions that must evaluate to true for grant creation. These are pure CEL expressions WITHOUT {{ }} delimiters (unlike template fields). All constraints must pass for the policy to trigger. The 'object' variable contains the trigger resource being evaluated. | | MaxItems: 10 |
ObjectMetaTemplate
ObjectMetaTemplate defines metadata fields that support template rendering for created objects. Templates can access trigger resource data to generate dynamic names, namespaces, and annotations. The same type is used by ResourceClaimTemplate and ResourceGrantTemplate; the field descriptions below are written for claims, and the requestInfo and user variables they list exist only at admission time (ClaimCreationPolicy). Grant templates rendered by GrantCreationPolicy see only the trigger variable.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name (string) | Name specifies the exact name for the created ResourceClaim. Supports CEL expressions wrapped in {{ }} delimiters with access to template variables. Leave empty to use GenerateName for auto-generated names. CEL expressions must be enclosed in double curly braces {{ }}; plain strings without {{ }} are treated as literal values. Template variables available: trigger (the resource triggering claim creation); requestInfo (request details: verb, resource, name, etc.); user (user information: name, uid, groups, extra). Examples: "{{trigger.metadata.name + '-quota-claim'}}" (CEL expression); "{{trigger.metadata.name}}-claim" (CEL + literal); "fixed-claim-name" (literal string). | | |
| generateName (string) | GenerateName specifies a prefix for auto-generated names when Name is empty. Kubernetes appends random characters to create unique names. Supports CEL expressions wrapped in {{ }} delimiters. Examples: "{{trigger.spec.type + '-claim-'}}" (CEL expression); "{{trigger.spec.type}}-claim-" (CEL + literal); "quota-claim-" (literal string). | | |
| namespace (string) | Namespace specifies where the ResourceClaim will be created. Supports CEL expressions wrapped in {{ }} delimiters to derive the namespace from the trigger resource. Leave empty to create in the same namespace as the trigger resource. Examples: "{{trigger.metadata.namespace}}" (CEL: same namespace as trigger); "milo-system" (literal: fixed system namespace); "{{trigger.spec.organization + '-claims'}}" (CEL: derived namespace). | | |
| labels (object, keys: string, values: string) | Labels specifies static labels to apply to the created ResourceClaim. Values are literal strings (no template processing). The system automatically adds standard labels for policy tracking. Useful for organizing claims by policy or resource type, adding environment or tier indicators, and enabling label-based queries and monitoring. | | |
| annotations (object, keys: string, values: string) | Annotations specifies annotations to apply to the created ResourceClaim. Values support CEL expressions wrapped in {{ }} delimiters for dynamic content. The system automatically adds standard annotations for tracking. Template variables available: trigger, requestInfo, user. Examples: created-for: "{{trigger.metadata.name}}" (CEL expression); requested-by: "{{user.name}}" (CEL expression); environment: "production" (literal string). | | |
ResourceClaim
ResourceClaim requests quota allocation during resource creation. Claims consume quota capacity from AllowanceBuckets and link to the triggering Kubernetes resource for lifecycle management and auditing.
How It Works
Section titled “How It Works”ResourceClaims follow a straightforward lifecycle from creation to resolution. When a ClaimCreationPolicy triggers during admission, it creates a ResourceClaim that immediately enters the quota evaluation pipeline. The quota system first validates that the consumer type matches the expected ConsumerType from the ResourceRegistration, then verifies that the triggering resource kind is authorized to claim the requested resource types.
Once validation passes, the quota system checks quota availability by consulting the relevant AllowanceBuckets, one for each (consumer, resourceType) combination in the claim’s requests. The quota system treats all requests in a claim as an atomic unit: either sufficient quota exists for every request and the entire claim is granted, or any shortage results in denying the complete claim. This atomic approach ensures consistency and prevents partial resource allocations that could leave the system in an inconsistent state.
When a claim is granted, it reserves the requested amounts for as long as the claim exists; deleting the claim releases them. This consumption immediately reduces the available quota in the corresponding AllowanceBuckets, preventing other claims from using that capacity. The quota system updates the claim's status with detailed results for each resource request, including which AllowanceBucket provided the quota and any relevant error messages.
Core Relationships
- Created by: ClaimCreationPolicy during admission (automatically) or administrators (manually)
- Consumes from: AllowanceBucket matching (spec.consumerRef, spec.requests[].resourceType)
- Capacity sourced from: ResourceGrant objects aggregated by the bucket
- Linked to: Triggering resource via spec.resourceRef for lifecycle management
- Validated against: ResourceRegistration for each spec.requests[].resourceType
Claim Lifecycle States
- Initial: Granted=False, reason=PendingEvaluation (claim created, awaiting processing)
- Granted: Granted=True, reason=QuotaAvailable (all requests allocated successfully)
- Denied: Granted=False, reason=QuotaExceeded or ValidationFailed (requests could not be satisfied)
Automatic vs Manual Claims
Automatic Claims (created by ClaimCreationPolicy):
- Include standard labels and annotations for tracking
- Set owner references to the triggering resource when possible
- Automatically cleaned up when denied to prevent accumulation
- Marked with the quota.miloapis.com/auto-created=true label
Manual Claims (created by administrators):
- Require explicit metadata and references
- Not automatically cleaned up when denied
- Used for testing or special allocation scenarios
Status Information
- Overall Status: status.conditions[type=Granted] indicates claim approval
- Detailed Results: status.allocations[] provides per-request allocation details
- Bucket References: status.allocations[].allocatingBucket identifies quota sources
Field Constraints and Validation
- Maximum 20 resource requests per claim
- Each resource type can appear only once in requests
- Consumer type must match ResourceRegistration.spec.consumerType for each requested type
- Triggering resource kind must be listed in ResourceRegistration.spec.claimingResources
Selectors and Filtering
- Field selectors: spec.consumerRef.kind, spec.consumerRef.name, spec.resourceRef.apiGroup, spec.resourceRef.kind, spec.resourceRef.name, spec.resourceRef.namespace
- Auto-created labels: quota.miloapis.com/auto-created, quota.miloapis.com/policy, quota.miloapis.com/gvk
- Auto-created annotations: quota.miloapis.com/created-by, quota.miloapis.com/created-at, quota.miloapis.com/resource-name
Common Queries
- All claims for a consumer: field selector spec.consumerRef.kind + spec.consumerRef.name
- Claims from a specific policy: label selector quota.miloapis.com/policy=<policy-name>
- Claims for a resource type: add custom labels via policy template
- Failed claims: field selector on status conditions
Troubleshooting
- Denied claims: Check status.allocations[].message for specific quota or validation errors
- Pending claims: Verify ResourceRegistration is Active and AllowanceBucket exists
- Missing claims: Check ClaimCreationPolicy conditions and trigger expressions
Performance Considerations
- Claims are processed synchronously during admission (affects API latency)
- Large numbers of claims can impact bucket aggregation performance
- Consider batch processing for bulk resource creation
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | ResourceClaim | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (ResourceClaimSpec) | | | Required: {} |
| status (ResourceClaimStatus) | | A single Granted=False condition with reason PendingEvaluation and message "Awaiting capacity evaluation"; its lastTransitionTime is the zero value 1970-01-01T00:00:00Z. | |
ResourceClaimAllocationStatus
ResourceClaimAllocationStatus tracks the allocation status for a specific resource request within a claim. The system creates one allocation entry for each request in the claim specification.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| resourceType (string) | ResourceType identifies which resource request this allocation status describes. Must exactly match one of the resourceType values in spec.requests. | | MinLength: 1; Required: {} |
| status (string) | Status indicates the allocation result for this specific resource request. "Granted": quota was available and the request was approved; "Denied": insufficient quota or a validation failure prevented allocation; "Pending": the request is being evaluated (initial state). | | Enum: [Granted Denied Pending]; Required: {} |
| reason (string) | Reason provides a machine-readable explanation for the current status. Standard reasons include "QuotaAvailable", "QuotaExceeded", "ValidationFailed". | | Optional: {} |
| message (string) | Message provides a human-readable explanation of the allocation result, including specific details about quota availability or validation errors. Examples: "Allocated 1 project from bucket organization-acme-projects"; "Insufficient quota: need 2048 bytes, only 1024 available"; "ResourceRegistration not found for resourceType". | | Optional: {} |
| allocatedAmount (integer) | AllocatedAmount specifies how much quota was actually allocated for this request, measured in the BaseUnit defined by the ResourceRegistration. Currently always equals the requested amount or 0 (partial allocations are not supported): the requested amount when Status=Granted, 0 when Status=Denied or Pending. | | Minimum: 0; Optional: {} |
| allocatingBucket (string) | AllocatingBucket identifies the AllowanceBucket that provided the quota for this request. Set only when Status=Granted. Used for tracking and debugging quota consumption. Format: bucket name (generated as consumer-kind-consumer-name-resource-type-hash). | | Optional: {} |
| lastTransitionTime (Time) | LastTransitionTime records when this allocation status last changed. Updates whenever Status, Reason, or Message changes. | | Required: {} |
ResourceClaimList
ResourceClaimList contains a list of ResourceClaim.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | ResourceClaimList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (ResourceClaim array) | | | |
ResourceClaimSpec
ResourceClaimSpec defines the desired state of ResourceClaim.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| consumerRef (ConsumerRef) | ConsumerRef identifies the quota consumer making this claim. The consumer must match the ConsumerType defined in the ResourceRegistration for each requested resource type; the system validates this relationship during claim processing. When creating ResourceClaims via ClaimCreationPolicy, this field can be omitted and the admission plugin fills it in from the authenticated user's context (organization or project). Examples: Organization consuming Project quota; Project consuming User quota; Organization consuming storage quota. | | Optional: {} |
| requests (ResourceRequest array) | Requests specifies the resource types and amounts being claimed from quota. Each resource type can appear only once in the requests array. Minimum 1 request, maximum 20 requests per claim. The system processes all requests as a single atomic operation: either all requests are granted or all are denied. | | MaxItems: 20; MinItems: 1; Required: {} |
| resourceRef (UnversionedObjectReference) | ResourceRef identifies the actual Kubernetes resource that triggered this claim. ClaimCreationPolicy automatically populates this field during admission. Uses an unversioned reference (apiGroup + kind + name + namespace) to remain valid across API version changes. The referenced resource's kind must be listed in the ResourceRegistration's spec.claimingResources for the claim to be valid. Examples: Project resource triggering a Project quota claim; User resource triggering a User quota claim; Organization resource triggering a storage quota claim. | | |
ResourceClaimStatus
ResourceClaimStatus reports the claim's processing state and allocation results. The system updates this status to communicate whether quota was granted and provide detailed allocation information for each requested resource type.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| observedGeneration (integer) | ObservedGeneration indicates the most recent spec generation the system has processed. When it matches metadata.generation, the status reflects the current spec; when it is lower, the system is still processing recent changes. | | Optional: {} |
| allocations (ResourceClaimAllocationStatus array) | Allocations provides detailed status for each resource request in the claim. The system creates one allocation entry for each request in spec.requests. Use this field to understand which specific requests were granted or denied. The list is indexed by ResourceType for efficient lookups. | | Optional: {} |
| conditions (Condition array) | Conditions represents the overall status of the claim evaluation. Controllers set these conditions to provide a high-level view of claim processing. Standard condition type: "Granted" (whether the claim was approved and quota allocated). Standard reasons for "Granted": "QuotaAvailable" (all requested quota was available and allocated); "QuotaExceeded" (insufficient quota prevented allocation, claim denied); "ValidationFailed" (configuration errors prevented evaluation, claim denied); "PendingEvaluation" (claim is still being processed, initial state). Claim lifecycle: 1. Created: Granted=False, reason=PendingEvaluation. 2. Processed: Granted=True/False based on quota availability and validation. 3. Updated: the Granted condition changes only when allocation results change. | | |
ResourceClaimTemplate
ResourceClaimTemplate defines how to create ResourceClaims using the actual ResourceClaim structure.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| metadata (ObjectMetaTemplate) | Refer to Kubernetes API documentation for fields of metadata. | | Required: {} |
| spec (ResourceClaimSpec) | Spec for the created ResourceClaim. String fields support CEL expressions. | | Required: {} |
ResourceGrant
ResourceGrant allocates quota capacity to a consumer for specific resource types. Grants provide the allowances that AllowanceBuckets aggregate to determine available quota for ResourceClaim evaluation.
How It Works
Section titled “How It Works”ResourceGrants begin their lifecycle when either an administrator creates them manually or a GrantCreationPolicy generates them automatically in response to observed resource changes. Upon creation, the grant enters a validation phase where the quota system examines the consumer type to ensure it matches the expected ConsumerType from each ResourceRegistration targeted by the grant’s allowances. The quota system also verifies that all specified resource types correspond to active registrations and that the allowance amounts are valid non-negative integers.
When validation succeeds, the quota system marks the grant as Active, signaling to AllowanceBucket resources that this grant should contribute to quota calculations. The bucket resources continuously monitor for active grants and aggregate their allowance amounts into the appropriate buckets based on consumer and resource type matching. This aggregation process makes the granted quota capacity available for ResourceClaim consumption.
ResourceClaims then consume the capacity that active grants provide, creating a flow from grants through buckets to claims. Capacity consumed by a granted claim stays consumed until that claim is deleted, so allocations persist until the consuming resources are removed and quota accounting stays consistent across resource lifecycles.
Core Relationships
- Provides capacity to: AllowanceBucket matching (spec.consumerRef, spec.allowances[].resourceType)
- Consumed by: ResourceClaim objects processed against the aggregated buckets
- Validated against: ResourceRegistration for each spec.allowances[].resourceType
- Created by: Administrators manually or GrantCreationPolicy automatically
Quota Aggregation Logic
Multiple ResourceGrants for the same (consumer, resourceType) combination:
- Aggregate into a single AllowanceBucket for that combination
- All bucket amounts from all allowances are summed for total capacity
- Only Active grants contribute to the aggregated limit
- Inactive grants are excluded from quota calculations
Grant vs Bucket Relationship
- ResourceGrant: Specifies intended quota allocations
- AllowanceBucket: Aggregates actual available quota from active grants
- ResourceClaim: Consumes quota from buckets (which source from grants)
Allowance Structure
Each grant can contain multiple allowances for different resource types:
- All allowances share the same consumer (spec.consumerRef)
- Each allowance can have multiple buckets (for tracking, attribution, or incremental increases)
- Bucket amounts within an allowance are summed for that resource type
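The following is an added example, not the Milo controllers' code, that covers both the claim evaluation described under ResourceClaim above and the aggregation rules in this section. Only grants that pass validation (active registration, consumer kind matching the registration's consumerType, at least one bucket with a non-negative integer amount) contribute to a (consumer, resourceType) bucket, and all of their bucket amounts are summed. A claim's requests are each checked against the registration, its claimingResources and bucket availability, then granted or denied as one unit with a per-request record shaped like status.allocations[]; deleting a granted claim returns its amounts. The 'buckets'/'amount' allowance fields, the request 'amount' field, the bucket name format and every sample registration, grant and claim are constructed assumptions.

```python
"""Model of the ResourceGrant -> AllowanceBucket -> ResourceClaim flow on this
page: only grants that pass validation are summed into (consumer, resourceType)
buckets, and a claim is granted atomically or denied as a whole. Added
example, not the Milo controllers' code. The 'buckets'/'amount' allowance
fields, the request 'amount' field, the bucket name format and every sample
registration, grant and claim are constructed assumptions."""

def bucket_key(consumer_ref, resource_type):  # one AllowanceBucket per (kind, name, resourceType)
    return (consumer_ref["kind"], consumer_ref["name"], resource_type)

def validate_grant(grant, registrations):
    """Mirror the grant's Active condition: (True, 'GrantActive', msg) or (False, 'ValidationFailed', msg)."""
    consumer, allowances = grant["spec"]["consumerRef"], grant["spec"]["allowances"]
    if not 1 <= len(allowances) <= 20:
        return False, "ValidationFailed", "a grant needs between 1 and 20 allowances"
    for a in allowances:
        reg = registrations.get(a["resourceType"])
        if reg is None or not reg["active"]:
            return False, "ValidationFailed", f"no active ResourceRegistration for {a['resourceType']}"
        if reg["consumerType"] != consumer["kind"]:
            return False, "ValidationFailed", f"consumer kind {consumer['kind']} is not {reg['consumerType']}"
        if not a["buckets"] or any(not isinstance(b["amount"], int) or b["amount"] < 0 for b in a["buckets"]):
            return False, "ValidationFailed", "each allowance needs a bucket with a non-negative integer amount"
    return True, "GrantActive", "grant validated"

def aggregate_buckets(grants, registrations):
    """Sum the allowances of Active grants into per-bucket limits; inactive grants add nothing."""
    limits = {}
    for g in grants:
        if validate_grant(g, registrations)[0]:
            for a in g["spec"]["allowances"]:
                key = bucket_key(g["spec"]["consumerRef"], a["resourceType"])
                limits[key] = limits.get(key, 0) + sum(b["amount"] for b in a["buckets"])
    return limits

class QuotaState:
    def __init__(self, registrations, grants):
        self.registrations = registrations
        self.limits = aggregate_buckets(grants, registrations)
        self.used = {}  # bucket key -> amount held by granted claims

    def available(self, key):
        return self.limits.get(key, 0) - self.used.get(key, 0)

    def _check(self, claim, req):
        """Validate one request against its registration and bucket: (status, reason, message, key)."""
        consumer, rt = claim["spec"]["consumerRef"], req["resourceType"]
        reg = self.registrations.get(rt)
        if reg is None or not reg["active"]:
            return "Denied", "ValidationFailed", f"ResourceRegistration not found for resourceType {rt}", None
        if reg["consumerType"] != consumer["kind"]:
            return "Denied", "ValidationFailed", f"consumer kind {consumer['kind']} is not {reg['consumerType']}", None
        ref = claim["spec"].get("resourceRef")
        if ref and ref["kind"] not in reg["claimingResources"]:
            return "Denied", "ValidationFailed", f"{ref['kind']} is not a claiming resource for {rt}", None
        have = self.available(key := bucket_key(consumer, rt))
        if req["amount"] > have:
            return "Denied", "QuotaExceeded", f"Insufficient quota: need {req['amount']}, only {have} available", key
        return "Granted", "QuotaAvailable", f"Allocated {req['amount']} {rt} from bucket {'-'.join(key)}", key

    def evaluate_claim(self, claim):
        """All requests are granted together, or the whole claim is denied and nothing is consumed."""
        requests = claim["spec"]["requests"]
        types = [r["resourceType"] for r in requests]
        if not 1 <= len(types) <= 20 or len(set(types)) != len(types):
            return {"granted": False, "reason": "ValidationFailed", "allocations": []}
        results = [self._check(claim, r) for r in requests]
        failures = {reason for _, reason, _, _ in results if reason != "QuotaAvailable"}
        overall = ("QuotaAvailable" if not failures
                   else "ValidationFailed" if "ValidationFailed" in failures else "QuotaExceeded")
        allocations = []
        for req, (status, reason, message, key) in zip(requests, results):
            if overall == "QuotaAvailable":
                self.used[key] = self.used.get(key, 0) + req["amount"]
            elif status == "Granted":  # would pass alone, but the claim is all-or-nothing
                status, reason, message = "Denied", overall, "denied because another request in the claim failed"
            allocations.append({"resourceType": req["resourceType"], "status": status, "reason": reason,
                                "message": message, "allocatedAmount": req["amount"] if status == "Granted" else 0,
                                "allocatingBucket": "-".join(key) if status == "Granted" else ""})
        return {"granted": overall == "QuotaAvailable", "reason": overall, "allocations": allocations}

    def release_claim(self, claim, status):
        """Deleting a granted claim returns its amounts to the buckets."""
        if status["granted"]:
            for req in claim["spec"]["requests"]:
                self.used[bucket_key(claim["spec"]["consumerRef"], req["resourceType"])] -= req["amount"]

PROJECTS, USERS = "resourcemanager.miloapis.com/projects", "iam.miloapis.com/users"  # assumed type names
REGISTRATIONS = {  # constructed; keys are spec.resourceType
    PROJECTS: {"consumerType": "Organization", "claimingResources": ["Project"], "active": True},
    USERS: {"consumerType": "Project", "claimingResources": ["User"], "active": True}}
ACME = {"kind": "Organization", "name": "acme-corp"}
GRANTS = [  # constructed; the third grant fails validation (consumer kind mismatch) and adds nothing
    {"spec": {"consumerRef": ACME, "allowances": [{"resourceType": PROJECTS, "buckets": [{"amount": 3}, {"amount": 2}]}]}},
    {"spec": {"consumerRef": ACME, "allowances": [{"resourceType": PROJECTS, "buckets": [{"amount": 5}]}]}},
    {"spec": {"consumerRef": {"kind": "Project", "name": "acme-corp"},
              "allowances": [{"resourceType": PROJECTS, "buckets": [{"amount": 100}]}]}}]

def make_claim(name, requests, consumer=ACME, triggering_kind="Project"):
    """Build a ResourceClaim the way ClaimCreationPolicy would, with consumerRef and resourceRef filled in."""
    return {"metadata": {"name": name}, "spec": {"consumerRef": consumer, "requests": requests,
            "resourceRef": {"apiGroup": "resourcemanager.miloapis.com", "kind": triggering_kind, "name": name}}}
```

With the sample data, QuotaState(REGISTRATIONS, GRANTS) holds a single bucket of 10 projects for acme-corp (3 + 2 + 5; the mismatched grant is excluded). A claim for 8 projects is granted; a second claim asking for the remaining 2 projects plus 1 user is denied as a whole with reason ValidationFailed (users are registered for Project consumers, not Organizations) and consumes nothing, so a later 3-project claim still fails with QuotaExceeded until the first claim is released.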
Manual vs Automated Grants
Manual Grants (created by administrators):
- Explicit quota allocations for specific consumers
- Require direct management and updates
- Useful for base quotas, special allocations, or testing
Automated Grants (created by GrantCreationPolicy):
- Generated based on resource lifecycle events
- Include labels/annotations for tracking policy source
- Automatically managed based on trigger conditions
Validation Requirements
- Consumer type must match ResourceRegistration.spec.consumerType for each resource type
- All resource types must reference active ResourceRegistration objects
- Maximum 20 allowances per grant
- All amounts must be non-negative integers in BaseUnit
Field Constraints and Limits
- Maximum 20 allowances per grant
- Each allowance must have at least 1 bucket
- Bucket amounts must be non-negative (0 is allowed but provides no quota)
- All amounts measured in BaseUnit from ResourceRegistration
Status Information
- Active condition: Indicates whether the grant is contributing to quota buckets
- Validation errors: Reported in condition message when Active=False
- Processing status: ObservedGeneration tracks spec changes
Selectors and Filtering
- Field selectors: spec.consumerRef.kind, spec.consumerRef.name
- Recommended labels (add manually for better organization):
- quota.miloapis.com/consumer-kind: Organization
- quota.miloapis.com/consumer-name: acme-corp
- quota.miloapis.com/source: policy-name or manual
- quota.miloapis.com/tier: basic, premium, enterprise
Common Queries
- All grants for a consumer: field selector spec.consumerRef.kind + spec.consumerRef.name
- Grants by source policy: label selector quota.miloapis.com/source=<policy-name>
- Grants by resource tier: label selector quota.miloapis.com/tier=<tier-name>
- Active vs inactive grants: check status.conditions[type=Active].status
Cross-Cluster Allocation
GrantCreationPolicy can create grants in parent control planes for cross-cluster quota:
- Policy running in child cluster creates grants in parent cluster
- Grants provide capacity that spans multiple child clusters
- Enables centralized quota management across cluster hierarchies
Troubleshooting
- Inactive grants: Check status.conditions[type=Active] for validation errors
- Missing quota: Verify grants are Active and contributing to correct buckets
- Grant conflicts: Multiple grants for same consumer+resourceType are aggregated, not conflicting
Performance Considerations
- Large numbers of grants can impact bucket aggregation performance
- Consider consolidating grants where possible to reduce aggregation overhead
- Grant status updates are asynchronous and may lag spec changes
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | ResourceGrant | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (ResourceGrantSpec) | | | Required: {} |
| status (ResourceGrantStatus) | | | |
ResourceGrantList
ResourceGrantList contains a list of ResourceGrant.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | ResourceGrantList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (ResourceGrant array) | | | |
ResourceGrantSpec
ResourceGrantSpec defines the desired state of ResourceGrant.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| consumerRef (ConsumerRef) | ConsumerRef identifies the quota consumer that receives these allowances. The consumer type must match the ConsumerType defined in the ResourceRegistration for each allowance resource type; the system validates this relationship. Examples: Organization receiving Project quota allowances; Project receiving User quota allowances; Organization receiving storage quota allowances. | | Required: {} |
| allowances (Allowance array) | Allowances specifies the quota allocations provided by this grant. Each allowance grants capacity for a specific resource type. Minimum 1 allowance required, maximum 20 allowances per grant. All allowances in a single grant apply to the same consumer (spec.consumerRef), contribute to the same AllowanceBucket for each resource type, and activate and deactivate together based on the grant's status. | | MinItems: 1; Required: {} |
ResourceGrantStatus
ResourceGrantStatus reports the grant's operational state and processing status. Controllers update status conditions to indicate whether the grant is active and contributing capacity to AllowanceBuckets.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| observedGeneration (integer) | ObservedGeneration indicates the most recent spec generation the quota system has processed. When it matches metadata.generation, the status reflects the current spec; when it is lower, the quota system is still processing recent changes. | | Optional: {} |
| conditions (Condition array) | Conditions represents the latest available observations of the grant's state. Controllers set these conditions to communicate operational status. Standard condition type: "Active" (whether the grant is operational and contributing to quota buckets; when True, allowances are aggregated into AllowanceBuckets and available for claims; when False, allowances do not contribute to quota decisions). Standard reasons for "Active": "GrantActive" (grant is validated and contributing to quota buckets); "ValidationFailed" (specification contains errors preventing activation, see message); "GrantPending" (grant is being processed by the quota system). Grant lifecycle: 1. Created: Active=Unknown, reason=GrantPending. 2. Validated: Active=True, reason=GrantActive, or Active=False, reason=ValidationFailed. 3. Updated: the Active condition changes only when validation results change. | | |
ResourceGrantTemplate
ResourceGrantTemplate defines the specification for creating ResourceGrants using the actual ResourceGrant structure.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| metadata (ObjectMetaTemplate) | Refer to Kubernetes API documentation for fields of metadata. | | Required: {} |
| spec (ResourceGrantSpec) | Spec for the created ResourceGrant. String fields support CEL expressions wrapped in {{ }} delimiters. | | Required: {} |
ResourceRegistration
ResourceRegistration enables quota tracking for a specific resource type. Administrators create registrations to define measurement units, consumer relationships, and claiming permissions.
How It Works
- Administrators create registrations to enable quota tracking for specific resource types
- The system validates the registration and sets the “Active” condition when ready
- ResourceGrants can then allocate capacity for the registered resource type
- ResourceClaims can consume capacity when allowed resources are created
Core Relationships
- ResourceGrant.spec.allowances[].resourceType must match this registration’s spec.resourceType
- ResourceClaim.spec.requests[].resourceType must match this registration’s spec.resourceType
- ResourceClaim.spec.consumerRef must match this registration’s spec.consumerType
- ResourceClaim.spec.resourceRef kind must be listed in this registration’s spec.claimingResources
Registration Lifecycle
- Creation: Administrator creates ResourceRegistration with resource type and consumer type
- Validation: System validates that referenced resource types exist and are accessible
- Activation: System sets the Active=True condition when validation passes
- Operation: ResourceGrants and ResourceClaims can reference the active registration
- Updates: Only mutable fields (description, claimingResources) can be changed
Status Conditions
- Active=True: Registration is validated and operational; grants and claims can use it
- Active=False, reason=ValidationFailed: Configuration errors prevent activation (check message)
- Active=False, reason=RegistrationPending: Quota system is processing the registration
Measurement Types
- Entity registrations (spec.type=Entity): Count discrete resource instances (Projects, Users)
- Allocation registrations (spec.type=Allocation): Measure capacity amounts (CPU, memory, storage)
Field Constraints and Limits
- Maximum 20 entries in spec.claimingResources
- spec.resourceType, spec.consumerType, and spec.type are immutable after creation
- spec.description maximum 500 characters
- spec.baseUnit and spec.displayUnit maximum 50 characters each
- spec.unitConversionFactor minimum value is 1
Selectors and Filtering
- Field selectors: spec.consumerType.kind, spec.consumerType.apiGroup, spec.resourceType
- Recommended labels (add manually):
  - quota.miloapis.com/resource-kind: Project
  - quota.miloapis.com/resource-apigroup: resourcemanager.miloapis.com
  - quota.miloapis.com/consumer-kind: Organization
Security Considerations
- Only include trusted resource types in spec.claimingResources
- Registrations are cluster-scoped and affect quota system-wide
- Consumer types must have appropriate RBAC permissions to create claims
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | ResourceRegistration | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (ResourceRegistrationSpec) | | | Required: {} |
| status (ResourceRegistrationStatus) | | | |
ResourceRegistrationList
ResourceRegistrationList contains a list of ResourceRegistration.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | quota.miloapis.com/v1alpha1 | | |
| kind (string) | ResourceRegistrationList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (ResourceRegistration array) | | | |
ResourceRegistrationSpec
ResourceRegistrationSpec defines the desired state of ResourceRegistration.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| consumerType (ConsumerType) | ConsumerType specifies which resource type receives grants and creates claims for this registration. The consumer type must exist in the cluster before creating the registration. Example: when registering “Projects per Organization”, set ConsumerType to Organization (apiGroup: resourcemanager.miloapis.com, kind: Organization). Organizations then receive ResourceGrants allocating Project quota and create ResourceClaims when Projects are created. | | Required: {} |
| type (string) | Type specifies the measurement method for quota tracking. This field is immutable after creation. Valid values: Entity counts discrete resource instances; use it for resources where each instance consumes exactly 1 quota unit (for example, Projects, Users, Databases), and claims always request integer quantities. Allocation measures numeric capacity or resource amounts; use it for resources with variable consumption (for example, CPU millicores, memory bytes, storage capacity), and claims can request fractional amounts based on resource specifications. | | Enum: [Entity Allocation] Required: {} |
| resourceType (string) | ResourceType identifies the resource to track with quota. Platform administrators define resource type identifiers that make sense for their quota system usage. This field is immutable after creation. The identifier format is flexible to accommodate various naming conventions and organizational needs. Service providers can use any meaningful identifier. Examples: “resourcemanager.miloapis.com/projects”, “iam.miloapis.com/users”, “compute_cpu”, “storage.volumes”, “custom-service-quota”. | | MaxLength: 253 MinLength: 1 Required: {} |
| description (string) | Description provides human-readable context about what this registration tracks. Use clear, specific language that explains the resource type and measurement approach. Maximum 500 characters. Examples: “Projects created within Organizations”, “CPU millicores allocated to workloads”, “Storage bytes claimed by volume requests”. | | MaxLength: 500 MinLength: 1 Optional: {} |
| baseUnit (string) | BaseUnit defines the internal measurement unit for all quota calculations. The system stores and processes all quota amounts using this unit. Use singular form with lowercase letters. Maximum 50 characters. Examples: “project” (for Entity type tracking Projects), “millicore” (for CPU allocation), “byte” (for storage or memory), “user” (for Entity type tracking Users). | | MaxLength: 50 MinLength: 1 Required: {} |
| displayUnit (string) | DisplayUnit defines the unit shown in user interfaces and API responses. Should be more human-readable than BaseUnit. Use singular form. Maximum 50 characters. Examples: “project” (same as BaseUnit when no conversion needed), “core” (for displaying CPU instead of millicores), “GiB” (for displaying memory/storage instead of bytes), “TB” (for large storage volumes). | | MaxLength: 50 MinLength: 1 Required: {} |
| unitConversionFactor (integer) | UnitConversionFactor converts BaseUnit values to DisplayUnit values for presentation. Must be a positive integer. Minimum value is 1 (no conversion). Formula: displayValue = baseValue / unitConversionFactor. Examples: 1 (no conversion: “project” to “project”); 1000 (millicores to cores: 2000 millicores displays as 2 cores); 1073741824 (bytes to GiB: 2147483648 bytes displays as 2 GiB); 1000000000000 (bytes to TB: 2000000000000 bytes displays as 2 TB). | | Minimum: 1 Required: {} |
| claimingResources (ClaimingResource array) | ClaimingResources specifies which resource types can create ResourceClaims for this registration. Only resources listed here can trigger quota consumption for this resource type. At least one claiming resource must be specified. Maximum 20 entries. | | MaxItems: 20 MinItems: 1 Required: {} |
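The following is an added example, not code from the Milo project, that models the Core Relationships and Field Constraints described for ResourceRegistration together with the unitConversionFactor formula and the AllowanceBucket aggregation described for ResourceGrant. The manifests are constructed inline as dicts. Three shapes are assumptions because this page does not show them: spec.claimingResources entries carrying apiGroup and kind, a ResourceGrant Allowance carrying resourceType and amount, and a ResourceClaim consumerRef carrying apiGroup, kind and name.

```python
"""Quota relationship checks for the ResourceRegistration/ResourceClaim model.

Added example, not Milo project code. Assumed shapes (not on this page):
claimingResources entries {apiGroup, kind}; Allowance {resourceType, amount};
consumerRef {apiGroup, kind, name}.
"""

PROJECTS = "resourcemanager.miloapis.com/projects"
ORG = {"apiGroup": "resourcemanager.miloapis.com", "kind": "Organization"}


def is_active(obj: dict) -> bool:
    """True when status.conditions carries Active=True, the documented gate."""
    conds = obj.get("status", {}).get("conditions", [])
    return any(c.get("type") == "Active" and c.get("status") == "True" for c in conds)


def validate_registration(reg: dict) -> list[str]:
    """Apply the Field Constraints and Limits documented for the spec."""
    spec, issues = reg["spec"], []
    if spec.get("type") not in ("Entity", "Allocation"):
        issues.append("spec.type must be Entity or Allocation")
    if not 1 <= len(spec.get("resourceType", "")) <= 253:
        issues.append("spec.resourceType must be 1-253 characters")
    if len(spec.get("description", "")) > 500:
        issues.append("spec.description exceeds 500 characters")
    for unit in ("baseUnit", "displayUnit"):
        if not 1 <= len(spec.get(unit, "")) <= 50:
            issues.append(f"spec.{unit} must be 1-50 characters")
    if spec.get("unitConversionFactor", 0) < 1:
        issues.append("spec.unitConversionFactor minimum is 1")
    if not 1 <= len(spec.get("claimingResources", [])) <= 20:
        issues.append("spec.claimingResources needs 1-20 entries")
    return issues


def display_value(base_value: int, factor: int) -> float:
    """displayValue = baseValue / unitConversionFactor (the documented formula)."""
    return base_value / factor


def check_claim(claim: dict, reg: dict) -> list[str]:
    """Core Relationships: a claim must line up with an Active registration."""
    cspec, rspec, issues = claim["spec"], reg["spec"], []
    if not is_active(reg):
        issues.append("registration is not Active: quota operations are blocked")
    want, got = rspec["consumerType"], cspec["consumerRef"]
    if (got["apiGroup"], got["kind"]) != (want["apiGroup"], want["kind"]):
        issues.append(f"consumerRef kind {got['kind']} does not match consumerType")
    ref = cspec["resourceRef"]  # an UnversionedObjectReference
    if not any(c["apiGroup"] == ref["apiGroup"] and c["kind"] == ref["kind"]
               for c in rspec["claimingResources"]):
        issues.append(f"resourceRef kind {ref['kind']} is not a claiming resource")
    for req in cspec["requests"]:  # ResourceRequest entries, amounts in BaseUnit
        if req["resourceType"] != rspec["resourceType"]:
            issues.append(f"request resourceType {req['resourceType']} is not registered")
        if req["amount"] < 0 or (rspec["type"] == "Entity" and req["amount"] != int(req["amount"])):
            issues.append(f"invalid amount {req['amount']} for {rspec['type']} registration")
    return issues


def bucket_remaining(grants: list, claims: list, consumer: str, resource_type: str) -> int:
    """Allowances of Active grants for one consumer minus its claimed amounts:
    only Active grants contribute to the AllowanceBucket."""
    granted = sum(a["amount"] for g in grants if is_active(g)
                  and g["spec"]["consumerRef"]["name"] == consumer
                  for a in g["spec"]["allowances"] if a["resourceType"] == resource_type)
    claimed = sum(r["amount"] for c in claims if c["spec"]["consumerRef"]["name"] == consumer
                  for r in c["spec"]["requests"] if r["resourceType"] == resource_type)
    return granted - claimed


def active_status(reason: str) -> dict:
    return {"conditions": [{"type": "Active", "status": "True", "reason": reason}]}


# Constructed sample manifests (dict form of the YAML a user would apply).
REGISTRATION = {
    "kind": "ResourceRegistration",
    "spec": {"resourceType": PROJECTS, "type": "Entity", "consumerType": ORG,
             "description": "Projects created within Organizations",
             "baseUnit": "project", "displayUnit": "project", "unitConversionFactor": 1,
             "claimingResources": [{"apiGroup": "resourcemanager.miloapis.com", "kind": "Project"}]},
    "status": active_status("RegistrationActive"),
}
GRANT = {
    "kind": "ResourceGrant",
    "spec": {"consumerRef": {**ORG, "name": "acme-corp"},
             "allowances": [{"resourceType": PROJECTS, "amount": 10}]},
    "status": active_status("GrantActive"),
}
CLAIM = {
    "kind": "ResourceClaim",
    "spec": {"consumerRef": {**ORG, "name": "acme-corp"},
             "resourceRef": {"apiGroup": "resourcemanager.miloapis.com", "kind": "Project",
                             "name": "web-app-project", "namespace": "acme-corp"},
             "requests": [{"resourceType": PROJECTS, "amount": 1}]},
}
# Same claim, but triggered by a kind the registration does not list.
BAD_CLAIM = {"kind": "ResourceClaim",
             "spec": {**CLAIM["spec"],
                      "resourceRef": {**CLAIM["spec"]["resourceRef"], "kind": "Database"}}}

if __name__ == "__main__":
    print(validate_registration(REGISTRATION), check_claim(CLAIM, REGISTRATION))
    print(check_claim(BAD_CLAIM, REGISTRATION))
    print(display_value(2000, 1000), bucket_remaining([GRANT], [CLAIM], "acme-corp", PROJECTS))
```

Running the block reports no issues for the well-formed registration and claim, one issue for the claim whose resourceRef kind is not in claimingResources, the documented 2000 millicores to 2 cores conversion, and 9 projects remaining in the bucket after one claim against a 10-project grant.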
ResourceRegistrationStatus
ResourceRegistrationStatus reports the registration’s operational state and processing status. The system updates status conditions to indicate whether the registration is active and usable for quota operations.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| observedGeneration (integer) | ObservedGeneration indicates the most recent spec generation that the system has processed. When ObservedGeneration matches metadata.generation, the status reflects the current spec. When ObservedGeneration is lower, the system is still processing recent changes. | | Optional: {} |
| conditions (Condition array) | Conditions represents the latest available observations of the registration’s state. The system sets these conditions to communicate operational status. The standard condition type “Active” indicates whether the registration is operational: when True, ResourceGrants and ResourceClaims can reference this registration; when False, quota operations are blocked. Standard condition reasons for “Active”: “RegistrationActive” (registration is validated and operational); “ValidationFailed” (specification contains errors, see message for details); “RegistrationPending” (registration is being processed). | | |
ResourceRequest
ResourceRequest defines a single resource request within a ResourceClaim. Each request specifies a resource type and the amount of quota being claimed.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| resourceType (string) | ResourceType identifies the specific resource type being claimed. Must exactly match a ResourceRegistration.spec.resourceType that is currently active. The quota system validates this reference during claim processing. The format is defined by platform administrators when creating ResourceRegistrations. Service providers can use any identifier that makes sense for their quota system usage. Examples: “resourcemanager.miloapis.com/projects”, “compute_cpu”, “storage.volumes”, “custom-service-quota”. | | Required: {} |
| amount (integer) | Amount specifies how much quota to claim for this resource type. Must be measured in the BaseUnit defined by the corresponding ResourceRegistration. Must be a positive integer (minimum value is 0, but 0 means no quota requested). For Entity registrations, use 1 for single resource instances (1 Project, 1 User). For Allocation registrations, use actual capacity amounts (2048 for 2048 MB, 1000 for 1000 millicores). Examples: 1 (claiming 1 Project); 2048 (claiming 2048 bytes of storage); 1000 (claiming 1000 CPU millicores). | | Minimum: 0 Required: {} |
UnversionedObjectReference
UnversionedObjectReference provides a stable reference to a Kubernetes resource that remains valid across API version changes. Used to link ResourceClaims to their triggering resources for lifecycle management.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiGroup (string) | APIGroup specifies the API group of the referenced resource. Use the full group name for Milo resources. Examples: “resourcemanager.miloapis.com” (Project, Organization); “iam.miloapis.com” (User, Group); “infrastructure.miloapis.com” (infrastructure resources). | | Optional: {} |
| kind (string) | Kind specifies the type of the referenced resource. Must match an existing Kubernetes resource type. Examples: “Project” (Project resource that triggered quota claim); “User” (User resource that triggered quota claim); “Organization” (Organization resource that triggered quota claim). | | Required: {} |
| name (string) | Name identifies the specific resource instance that triggered the quota claim. Used for linking claims back to their triggering resources. Examples: “web-app-project” (Project that triggered Project quota claim); “john.doe” (User that triggered User quota claim). | | Required: {} |
| namespace (string) | Namespace specifies the namespace containing the referenced resource. Required for namespaced resources, omitted for cluster-scoped resources. Examples: “acme-corp” (organization namespace containing Project); “team-alpha” (project namespace containing User); "" or omitted (for cluster-scoped resources like Organization). | | Optional: {} |
resourcemanager.miloapis.com/v1alpha1
Resource Types
AppliedRole
AppliedRole tracks the reconciliation status of a single role assignment within an organization membership. The controller maintains this status to provide visibility into which roles are successfully applied and which failed.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name (string) | Name identifies the Role resource. Required field. | | Required: {} |
| namespace (string) | Namespace identifies the namespace containing the Role resource. Empty when the role is in the membership’s namespace. | | Optional: {} |
| status (string) | Status indicates the current state of this role assignment. Valid values: “Applied” (PolicyBinding successfully created and role is active); “Pending” (role is being reconciled, a transitional state); “Failed” (PolicyBinding could not be created, see Message for details). Required field. | | Enum: [Applied Pending Failed] Required: {} |
| message (string) | Message provides additional context about the role status. Contains error details when Status is “Failed”, explaining why the PolicyBinding could not be created. Common failure messages: “role ‘role-name’ not found in namespace ‘namespace’”; “Failed to create PolicyBinding: <error details>”. Empty when Status is “Applied” or “Pending”. | | Optional: {} |
| policyBindingRef (PolicyBindingReference) | PolicyBindingRef references the PolicyBinding resource that was automatically created for this role. Only populated when Status is “Applied”. Use this reference to inspect or troubleshoot the underlying PolicyBinding. | | Optional: {} |
| appliedAt (Time) | AppliedAt records when this role was successfully applied. Corresponds to the PolicyBinding creation time. Only populated when Status is “Applied”. | | Optional: {} |
MemberReference
MemberReference contains information that points to the User being referenced.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name (string) | Name is the name of the resource being referenced. | | Required: {} |
Organization
Use lowercase for path, which influences plural name. Ensure kind is Organization. Organization is the Schema for the Organizations API.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | resourcemanager.miloapis.com/v1alpha1 | | |
| kind (string) | Organization | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (OrganizationSpec) | | | Required: {} |
| status (OrganizationStatus) | | | |
OrganizationList
OrganizationList contains a list of Organization.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | resourcemanager.miloapis.com/v1alpha1 | | |
| kind (string) | OrganizationList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (Organization array) | | | |
OrganizationMembership
OrganizationMembership establishes a user’s membership in an organization and optionally assigns roles to grant permissions. The controller automatically manages PolicyBinding resources for each assigned role, simplifying access control management.
Key features:
- Establishes user-organization relationship
- Automatic PolicyBinding creation and deletion for assigned roles
- Supports multiple roles per membership
- Cross-namespace role references
- Detailed status tracking with per-role reconciliation state
Prerequisites:
- User resource must exist
- Organization resource must exist
- Referenced Role resources must exist in their respective namespaces
Example - Basic membership with role assignment:
```yaml
apiVersion: resourcemanager.miloapis.com/v1alpha1
kind: OrganizationMembership
metadata:
  name: jane-acme-membership
  namespace: organization-acme-corp
spec:
  organizationRef:
    name: acme-corp
  userRef:
    name: jane-doe
  roles:
    - name: organization-viewer
      namespace: organization-acme-corp
```
Related resources:
- User: The user being granted membership
- Organization: The organization the user joins
- Role: Defines permissions granted to the user
- PolicyBinding: Automatically created by the controller for each role
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | resourcemanager.miloapis.com/v1alpha1 | | |
| kind (string) | OrganizationMembership | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (OrganizationMembershipSpec) | | | |
| status (OrganizationMembershipStatus) | | | |
OrganizationMembershipList
OrganizationMembershipList contains a list of OrganizationMembership.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | resourcemanager.miloapis.com/v1alpha1 | | |
| kind (string) | OrganizationMembershipList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (OrganizationMembership array) | | | |
OrganizationMembershipOrganizationStatus
OrganizationMembershipOrganizationStatus defines the observed state of an organization in a membership.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| type (string) | Type is the type of the organization in the membership. | | Optional: {} |
| displayName (string) | DisplayName is the display name of the organization in the membership. | | Optional: {} |
OrganizationMembershipSpec
OrganizationMembershipSpec defines the desired state of OrganizationMembership. It specifies which user should be a member of which organization, and optionally which roles should be assigned to grant permissions.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| organizationRef (OrganizationReference) | OrganizationRef identifies the organization to grant membership in. The organization must exist before creating the membership. Required field. | | Required: {} |
| userRef (MemberReference) | UserRef identifies the user to grant organization membership. The user must exist before creating the membership. Required field. | | Required: {} |
| roles (RoleReference array) | Roles specifies a list of roles to assign to the user within the organization. The controller automatically creates and manages PolicyBinding resources for each role. Roles can be added or removed after the membership is created. Optional field. When omitted or empty, the membership is established without any role assignments. Roles can be added later via update operations. Each role reference must specify: name (the role name, required) and namespace (the role namespace, optional, defaults to the membership namespace). Duplicate roles are prevented by admission webhook validation. Example: roles: [{name: organization-admin, namespace: organization-acme-corp}, {name: billing-manager, namespace: organization-acme-corp}, {name: shared-developer, namespace: milo-system}] | | Optional: {} |
OrganizationMembershipStatus
OrganizationMembershipStatus defines the observed state of OrganizationMembership. The controller populates this status to reflect the current reconciliation state, including whether the membership is ready and which roles have been successfully applied.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| observedGeneration (integer) | ObservedGeneration tracks the most recent membership spec that the controller has processed. Use this to determine if status reflects the latest changes. | | Optional: {} |
| conditions (Condition array) | Conditions represent the current status of the membership. Standard conditions: Ready (indicates membership has been established, i.e. user and org exist); RolesApplied (indicates whether all roles have been successfully applied). Check the RolesApplied condition to determine overall role assignment status: True with reason “AllRolesApplied” (all roles successfully applied); True with reason “NoRolesSpecified” (no roles in spec, membership only); False with reason “PartialRolesApplied” (some roles failed, check appliedRoles for details). | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |
| user (OrganizationMembershipUserStatus) | User contains cached information about the user in this membership. This information is populated by the controller from the referenced user. | | Optional: {} |
| organization (OrganizationMembershipOrganizationStatus) | Organization contains cached information about the organization in this membership. This information is populated by the controller from the referenced organization. | | Optional: {} |
| appliedRoles (AppliedRole array) | AppliedRoles tracks the reconciliation state of each role in spec.roles. This array provides per-role status, making it easy to identify which roles are applied and which failed. Each entry includes: name and namespace (identifies the role); status (“Applied”, “Pending”, or “Failed”); policyBindingRef (reference to the created PolicyBinding, when Applied); appliedAt (timestamp when the role was applied, when Applied); message (error details, when Failed). Use this to troubleshoot role assignment issues. Roles marked as “Failed” include a message explaining why the PolicyBinding could not be created. Example: appliedRoles: [{name: org-admin, namespace: organization-acme-corp, status: Applied, appliedAt: “2025-10-28T10:00:00Z”, policyBindingRef: {name: jane-acme-membership-a1b2c3d4, namespace: organization-acme-corp}}, {name: invalid-role, namespace: organization-acme-corp, status: Failed, message: “role ‘invalid-role’ not found in namespace ‘organization-acme-corp’”}] | | Optional: {} |
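The following is an added example, not the Milo controller's code, that works through the OrganizationMembership status semantics documented above: the namespace default for role references, the duplicate-role rule the admission webhook enforces, the per-role Applied/Failed entries with the documented failure message, and how the RolesApplied condition reason follows from those entries. The Role inventory is constructed inline, and the PolicyBinding naming suffix is an assumption (the real naming scheme is not documented on this page).

```python
"""Per-role reconciliation status for an OrganizationMembership.

Added example, not Milo controller code. The Role inventory and the
PolicyBinding name suffix are constructed here (assumptions).
"""

import hashlib

# Constructed: Role resources that "exist" in the cluster, keyed by (namespace, name).
EXISTING_ROLES = {
    ("organization-acme-corp", "organization-admin"),
    ("organization-acme-corp", "billing-manager"),
    ("milo-system", "shared-developer"),
}

MEMBERSHIP = {
    "metadata": {"name": "jane-acme-membership", "namespace": "organization-acme-corp"},
    "spec": {
        "organizationRef": {"name": "acme-corp"},
        "userRef": {"name": "jane-doe"},
        "roles": [
            {"name": "organization-admin", "namespace": "organization-acme-corp"},
            {"name": "shared-developer", "namespace": "milo-system"},  # cross-namespace ref
            {"name": "billing-manager"},  # namespace omitted: defaults to membership ns
            {"name": "invalid-role"},  # exists nowhere: will be reported as Failed
        ],
    },
}


def resolve_roles(membership: dict) -> list:
    """(namespace, name) pairs with the documented namespace default applied."""
    default_ns = membership["metadata"]["namespace"]
    return [(r.get("namespace") or default_ns, r["name"])
            for r in membership["spec"].get("roles", [])]


def validate_spec(membership: dict) -> list:
    """Admission check: duplicate roles (after defaulting) are rejected."""
    seen, problems = set(), []
    for ns, name in resolve_roles(membership):
        if (ns, name) in seen:
            problems.append(f"duplicate role {name!r} in namespace {ns!r}")
        seen.add((ns, name))
    return problems


def binding_name(membership: dict, ns: str, name: str) -> str:
    """Constructed naming: membership name plus a short hash (assumption)."""
    digest = hashlib.sha256(f"{ns}/{name}".encode()).hexdigest()[:8]
    return f"{membership['metadata']['name']}-{digest}"


def reconcile(membership: dict, existing: set, now: str) -> dict:
    """Build status.appliedRoles and the RolesApplied condition from the spec."""
    applied = []
    for ns, name in resolve_roles(membership):
        entry = {"name": name, "namespace": ns}
        if (ns, name) in existing:
            entry.update(status="Applied", appliedAt=now,
                         policyBindingRef={"name": binding_name(membership, ns, name),
                                           "namespace": ns})
        else:  # documented failure message for a missing Role
            entry.update(status="Failed",
                         message=f"role '{name}' not found in namespace '{ns}'")
        applied.append(entry)
    if not applied:
        status, reason = "True", "NoRolesSpecified"
    elif all(e["status"] == "Applied" for e in applied):
        status, reason = "True", "AllRolesApplied"
    else:
        status, reason = "False", "PartialRolesApplied"
    return {"appliedRoles": applied,
            "conditions": [{"type": "RolesApplied", "status": status, "reason": reason}]}


def failed_roles(status: dict) -> list:
    """What an operator reads off appliedRoles when RolesApplied is False."""
    return [f"{e['namespace']}/{e['name']}: {e['message']}"
            for e in status["appliedRoles"] if e["status"] == "Failed"]


if __name__ == "__main__":
    result = reconcile(MEMBERSHIP, EXISTING_ROLES, "2025-10-28T10:00:00Z")
    print(result["conditions"][0]["reason"])  # PartialRolesApplied
    print(failed_roles(result))
```

With the sample above, three roles resolve and one does not, so RolesApplied is False with reason PartialRolesApplied and the Failed entry carries the same message format the AppliedRole table documents; validate_spec returns nothing here, but it flags the pair {name: billing-manager} and {name: billing-manager, namespace: organization-acme-corp}, which collide once the default namespace is applied.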
OrganizationMembershipUserStatus
OrganizationMembershipUserStatus defines the observed state of a user in a membership.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| email (string) | Email is the email of the user in the membership. | | Optional: {} |
| givenName (string) | GivenName is the given name of the user in the membership. | | Optional: {} |
| familyName (string) | FamilyName is the family name of the user in the membership. | | Optional: {} |
| avatarUrl (string) | AvatarURL is the avatar URL of the user in the membership. | | Optional: {} |
OrganizationReference
OrganizationReference contains information that points to the Organization being referenced.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name (string) | Name is the name of the resource being referenced. | | Required: {} |
OrganizationSpec
OrganizationSpec defines the desired state of Organization.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| type (string) | The type of organization. | | Enum: [Personal Standard] Required: {} |
OrganizationStatus
OrganizationStatus defines the observed state of Organization.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| observedGeneration (integer) | ObservedGeneration is the most recent generation observed for this Organization by the controller. | | |
| conditions (Condition array) | Conditions represents the observations of an organization’s current state. Known condition types are: “Ready” | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | |
OwnerReference
OwnerReference is a reference to the owner of the project.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| kind (string) | Kind is the kind of the resource. | | Enum: [Organization] Required: {} |
| name (string) | Name is the name of the resource. | | Required: {} |
PolicyBindingReference
PolicyBindingReference contains information about the PolicyBinding created for a role.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name (string) | Name of the PolicyBinding resource. | | Required: {} |
| namespace (string) | Namespace of the PolicyBinding resource. | | Optional: {} |
Project
Project is the Schema for the projects API.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | resourcemanager.miloapis.com/v1alpha1 | | |
| kind (string) | Project | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (ProjectSpec) | | | Required: {} |
| status (ProjectStatus) | | | |
ProjectList
ProjectList contains a list of Project.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | resourcemanager.miloapis.com/v1alpha1 | | |
| kind (string) | ProjectList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (Project array) | | | |
ProjectSpec
ProjectSpec defines the desired state of Project.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| ownerRef (OwnerReference) | OwnerRef is a reference to the owner of the project. Must be a valid resource. | | Required: {} |
ProjectStatus
ProjectStatus defines the observed state of Project.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| conditions (Condition array) | Represents the observations of a project’s current state. Known condition types are: “Ready” | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | |
RoleReference
RoleReference defines a reference to a Role resource for organization membership.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| name (string) | Name of the referenced Role. | | Required: {} |
| namespace (string) | Namespace of the referenced Role. If not specified, it defaults to the organization membership’s namespace. | | Optional: {} |
telemetry.miloapis.com/v1alpha1
Package v1alpha1 contains API Schema definitions for the telemetry v1alpha1 API group.
Resource Types
Authentication
Configures how the sink will authenticate with the configured endpoint. These options are mutually exclusive.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| basicAuth (BasicAuthAuthentication) | Configures the sink to use basic auth to authenticate with the configured endpoint. | | |
BasicAuthAuthentication
Underlying type: struct{SecretRef LocalSecretReference `json:"secretRef"`}
Configures how the sink should use Basic Auth for authenticating with a telemetry endpoint.
Appears in:
Batch
Configures the batching behavior the sink will use to batch requests before publishing them to the endpoint.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| timeout (Duration) | Batch timeout before sending telemetry. Must be a duration (e.g. 5s). | | Required: {} |
| maxSize (integer) | Maximum number of telemetry entries per batch. | | Maximum: 5000 Minimum: 1 Required: {} |
ExportPolicy
ExportPolicy is the Schema for the export policy API.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | telemetry.miloapis.com/v1alpha1 | | |
| kind (string) | ExportPolicy | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (ExportPolicySpec) | Describes the expected state of the ExportPolicy’s configuration. The control plane will constantly evaluate the current state of exporters that are deployed and ensure it matches the expected configuration. This field is required when configuring an export policy. | | |
| status (ExportPolicyStatus) | Provides information on the current state of the export policy that was observed by the control plane. This will be continuously updated as the control plane monitors exporters. | | |
ExportPolicyList
ExportPolicyList contains a list of ExportPolicy.
| Field | Description | Default | Validation |
|---|---|---|---|
| apiVersion (string) | telemetry.miloapis.com/v1alpha1 | | |
| kind (string) | ExportPolicyList | | |
| metadata (ListMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| items (ExportPolicy array) | | | |
ExportPolicySpec
ExportPolicySpec defines the desired state of ExportPolicy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| sources (TelemetrySource array) | Defines how the export policy should source telemetry data to publish to the configured sinks. An export policy can define multiple telemetry sources. The export policy will not de-duplicate telemetry data that matches multiple sources. | | MaxItems: 20 MinItems: 1 Required: {} |
| sinks (TelemetrySink array) | Configures how telemetry data should be sent to third-party telemetry platforms. | | MaxItems: 20 MinItems: 1 Required: {} |
ExportPolicyStatus
ExportPolicyStatus defines the observed state of ExportPolicy.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| conditions (Condition array) | Provides summary status information on the export policy as a whole. Review the sink status information for detailed information on each sink. Known condition types are: “Ready” | | |
| sinks (SinkStatus array) | Provides status information on each sink that’s configured. | | |
MetricSource
A metric source configures the metric data that should be exported to the configured sinks. The options below are expected to be mutually exclusive.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
| metricsql (string) | The MetricSQL option allows the user to provide a metricsql query that can be used to select and filter metric data that should be published by the export policy. Here’s an example of a metricsql query that will publish gateway metrics: {service_name="networking.miloapis.com", resource_kind="Gateway"} See: https://docs.victoriametrics.com/metricsql/ | | |
PrometheusRemoteWriteSink
Section titled “PrometheusRemoteWriteSink”Configures how the sink should send data to a OTLP HTTP endpoint.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
authentication (Authentication) | Configures how the sink should authenticate with the HTTP endpoint. | | |
endpoint (string) | The HTTP endpoint to which telemetry data is published. | | Required: {} |
batch (Batch) | Configures how telemetry data should be batched before being sent to the sink. By default the sink flushes a batch every 5 seconds or when the batch reaches 500 entries, whichever comes first. | { maxSize:500 timeout:5s } | |
retry (Retry) | Configures the export policy’s retry behavior when a request to the sink’s endpoint fails. There is no guarantee that the export policy will retry until success if the endpoint is unavailable or misconfigured; once maxAttempts is exhausted the data is dropped. | { backoffDuration:5s maxAttempts:3 } | |
Retry
Section titled “Retry”Configures the retry behavior of the sink when it fails to send telemetry data to the configured endpoint.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
maxAttempts (integer) | Maximum number of attempts before the telemetry data is dropped. | | Maximum: 10 Minimum: 1 Required: {} |
backoffDuration (Duration) | How long to back off between retry attempts. | | Required: {} |
SinkStatus
Section titled “SinkStatus”SinkStatus reports the current state of a single sink. Use it to determine whether the sink is configured correctly and is exporting telemetry data.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
name (string) | The name of the corresponding sink configuration in the spec of the export policy. | | |
conditions (Condition array) | The current state of the sink; use it to determine whether the sink is configured correctly and is exporting telemetry data. Known condition types are: “Ready” | | |
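The policy-level Ready condition only summarizes the sinks, so an operator or alert rule needs to walk status.sinks to find out which sink is failing and why. The following is an added example, not code from the Milo API reference or the Datum platform; it assumes only the shapes documented above (Kubernetes-style condition lists with type, status, reason and message, and “Ready” as the known condition type), and its sample status and reason strings are constructed for illustration.

```python
"""Added example (not part of the Milo API reference): read an ExportPolicy
status the way an alert rule or runbook would.

Assumes the shapes documented above: status.conditions and
status.sinks[].conditions are Kubernetes-style condition lists with
type/status/reason/message fields, and "Ready" is the known condition type.
SAMPLE_STATUS below is constructed for illustration; its reason strings are
not taken from the platform.
"""

READY = "Ready"


def find_condition(conditions, ctype):
    """Return the condition of the given type, or None if absent."""
    for cond in conditions or []:
        if cond.get("type") == ctype:
            return cond
    return None


def policy_ready(status):
    """True only when the policy-level Ready condition is explicitly True."""
    cond = find_condition(status.get("conditions"), READY)
    return cond is not None and cond.get("status") == "True"


def unready_sinks(status):
    """One entry per sink whose Ready condition is not True.

    A sink without any Ready condition is reported as Unknown rather than
    treated as healthy: a missing condition usually means the controller has
    not reconciled that sink yet, and silently assuming it exports data is
    how a broken export goes unnoticed.
    """
    problems = []
    for sink in status.get("sinks") or []:
        cond = find_condition(sink.get("conditions"), READY)
        if cond is None:
            problems.append({"name": sink.get("name"), "status": "Unknown",
                             "reason": "NoReadyCondition", "message": ""})
        elif cond.get("status") != "True":
            problems.append({"name": sink.get("name"),
                             "status": cond.get("status", "Unknown"),
                             "reason": cond.get("reason", ""),
                             "message": cond.get("message", "")})
    return problems


# Constructed sample: one healthy sink, one failing sink, one not yet reconciled.
SAMPLE_STATUS = {
    "conditions": [
        {"type": "Ready", "status": "False",
         "reason": "SinkNotReady", "message": "1 of 3 sinks not ready"},
    ],
    "sinks": [
        {"name": "prometheus-primary",
         "conditions": [{"type": "Ready", "status": "True",
                         "reason": "Exporting", "message": ""}]},
        {"name": "prometheus-backup",
         "conditions": [{"type": "Ready", "status": "False",
                         "reason": "EndpointUnreachable",
                         "message": "dial tcp: connection refused"}]},
        {"name": "prometheus-new"},
    ],
}


def main():
    print("policy ready:", policy_ready(SAMPLE_STATUS))
    for problem in unready_sinks(SAMPLE_STATUS):
        print(f"sink {problem['name']}: Ready={problem['status']} "
              f"reason={problem['reason']} {problem['message']}".rstrip())


if __name__ == "__main__":
    main()
```

In practice the dictionary passed to these functions is the status key of the JSON that kubectl get -o json returns for the policy. Treating an absent Ready condition as Unknown rather than healthy is deliberate: the page makes no delivery guarantee for sinks, so the safe default for anything that feeds a compliance or incident pipeline is to alert until the sink has explicitly reported Ready.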
SinkTarget
Section titled “SinkTarget”Configures the target of the telemetry sink. The target defines the protocol that’s used to send telemetry data to the sink. Only one target protocol can be configured per sink.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
prometheusRemoteWrite (PrometheusRemoteWriteSink) | Configures the export policy to publish telemetry using the Prometheus Remote Write protocol. | | |
TelemetrySink
Section titled “TelemetrySink”Configures how telemetry data should be sent to a third-party platform. Delivery is currently best-effort: there are no guarantees that telemetry data will be delivered, especially if the sink’s endpoint is unavailable.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
name (string) | A name for the telemetry sink that is unique within the export policy. | | MaxLength: 63 MinLength: 1 Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ Required: {} |
sources (string array) | A list of telemetry source names (see TelemetrySource) whose data should be sent to this sink. | | MaxItems: 20 MinItems: 1 Required: {} |
target (SinkTarget) | Configures the target of the telemetry sink. | | Required: {} |
TelemetrySource
Section titled “TelemetrySource”Defines how the export policy should source telemetry data from resources on the platform.
Appears in:
| Field | Description | Default | Validation |
|---|---|---|---|
name (string) | A unique name for the telemetry source within an export policy. Must be a valid DNS label. | | MaxLength: 63 MinLength: 1 Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ Required: {} |
metrics (MetricSource) | Configures how the telemetry source should retrieve metric data from the Datum Cloud platform. | | |
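The types above (TelemetrySource, MetricSource, TelemetrySink, SinkTarget, PrometheusRemoteWriteSink and Retry) fit together as shown in this added manifest. It is an illustration written for this page, not an example from the Milo or Datum Cloud documentation. It assumes that ExportPolicySpec (documented earlier on the page, outside this section) names its lists spec.sources and spec.sinks, and the endpoint host is a placeholder; the Authentication type’s fields are also documented elsewhere on the page, so that block is described in a comment rather than invented here.

```yaml
# Added example, not from the Milo API reference: an ExportPolicy that ships
# Gateway metrics to a Prometheus Remote Write endpoint.
# Assumptions: spec.sources and spec.sinks are the list field names in
# ExportPolicySpec (defined earlier on this page, not in this section), and
# metrics.example.internal is a placeholder host.
apiVersion: telemetry.miloapis.com/v1alpha1
kind: ExportPolicy
metadata:
  name: gateway-metrics-to-prometheus
spec:
  sources:
    - name: gateway-metrics            # DNS label, unique within the policy
      metrics:
        # MetricsQL selector; quoted so YAML does not parse the braces as a map
        metricsql: '{service_name="networking.miloapis.com", resource_kind="Gateway"}'
  sinks:
    - name: prometheus-primary         # DNS label, unique within the policy
      sources:
        - gateway-metrics              # references spec.sources[].name
      target:
        prometheusRemoteWrite:
          # Use TLS: the exported series leave the platform over this connection.
          endpoint: https://metrics.example.internal/api/v1/write
          # authentication: set this per the Authentication type documented
          # earlier on the page. Leaving the remote endpoint unauthenticated
          # means anyone who can reach it can also push data into it.
          batch:
            maxSize: 500               # flush at 500 entries ...
            timeout: 5s                # ... or every 5 seconds, whichever comes first (the defaults)
          retry:
            maxAttempts: 5             # allowed range 1..10; data is dropped after the last failed attempt
            backoffDuration: 10s       # wait between attempts
```

Two things to keep in mind when reviewing such a policy. The metricsql selector decides what leaves the platform, so scope it to the resources the receiving team actually needs rather than exporting everything. And because retry stops after maxAttempts and the page gives no delivery guarantee, the sink’s Ready condition in status.sinks, not the presence of the policy, is the evidence that data is actually reaching the endpoint.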