API Reference

Packages

activity.miloapis.com/v1alpha1
crm.miloapis.com/v1alpha1
dns.networking.miloapis.com/v1alpha1
iam.miloapis.com/v1alpha1
identity.miloapis.com/v1alpha1
infrastructure.miloapis.com/v1alpha1
networking.datumapis.com/v1alpha
notification.miloapis.com/v1alpha1
quota.miloapis.com/v1alpha1
resourcemanager.miloapis.com/v1alpha1
telemetry.miloapis.com/v1alpha1

activity.miloapis.com/v1alpha1

Package v1alpha1 contains API Schema definitions for the activity v1alpha1 API group

AuditLogQuery

AuditLogQuery searches your control plane’s audit logs.

Use this to investigate incidents, track resource changes, generate compliance reports, or analyze user activity. Results are returned in the Status field, ordered newest-first.

Quick Start:

apiVersion: activity.miloapis.com/v1alpha1 kind: AuditLogQuery metadata: name: recent-deletions spec: startTime: “now-30d” # last 30 days endTime: “now” filter: “verb == ‘delete’” # optional: narrow your search limit: 100

Time Formats:

Relative: “now-30d” (great for dashboards and recurring queries)
Absolute: “2024-01-01T00:00:00Z” (great for historical analysis)

Appears in:

AuditLogQueryList

Field	Description	Default	Validation
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />AuditLogQuerySpec
`status` <br />AuditLogQueryStatus

AuditLogQuerySpec

AuditLogQuerySpec defines the search parameters.

Required: startTime and endTime define your search window. Optional: filter (narrow results), limit (page size, default 100), continue (pagination).

Performance: Smaller time ranges and specific filters perform better. The maximum time window is typically 30 days. If your range is too large, you’ll get an error with guidance on splitting your query into smaller chunks.

Appears in:

AuditLogQuery

Field	Description	Default	Validation
`startTime` <br />string	StartTime is the beginning of your search window (inclusive).<br />Format Options:<br />- Relative: “now-30d”, “now-2h”, “now-30m” (units: s, m, h, d, w)<br /> Use for dashboards and recurring queries - they adjust automatically.<br />- Absolute: “2024-01-01T00:00:00Z” (RFC3339 with timezone)<br /> Use for historical analysis of specific time periods.<br />Examples:<br /> “now-30d” → 30 days ago<br /> “2024-06-15T14:30:00-05:00” → specific time with timezone offset
`endTime` <br />string	EndTime is the end of your search window (exclusive).<br />Uses the same formats as StartTime. Commonly “now” for current moment.<br />Must be greater than StartTime.<br />Examples:<br /> “now” → current time<br /> “2024-01-02T00:00:00Z” → specific end point
`filter` <br />string	Filter narrows results using CEL (Common Expression Language). Leave empty to get all events.<br />Available Fields:<br /> verb - API action: get, list, create, update, patch, delete, watch<br /> auditID - unique event identifier<br /> stageTimestamp - when this stage occurred (RFC3339 timestamp)<br /> user.username - who made the request (user or service account)<br /> responseStatus.code - HTTP response code (200, 201, 404, 500, etc.)<br /> objectRef.namespace - target resource namespace<br /> objectRef.resource - resource type (pods, deployments, secrets, configmaps, etc.)<br /> objectRef.name - specific resource name<br />Operators: ==, !=, <, >, <=, >=, &&, \|\|, in<br />String Functions: startsWith(), endsWith(), contains()<br />Common Patterns:<br /> “verb == ‘delete’” - All deletions<br /> “objectRef.namespace == ‘production’” - Activity in production namespace<br /> “verb in [‘create’, ‘update’, ‘delete’, ‘patch’]” - All write operations<br /> “responseStatus.code >= 400” - Failed requests<br /> “user.username.startsWith(‘system:serviceaccount:’)” - Service account activity<br /> “objectRef.resource == ‘secrets’” - Secret access<br /> “verb == ‘delete’ && objectRef.namespace == ‘production’” - Production deletions<br />Note: Use single quotes for strings. Field names are case-sensitive.<br />CEL reference: https://cel.dev
`limit` <br />integer	Limit sets the maximum number of results per page.<br />Default: 100, Maximum: 1000.<br />Use smaller values (10-50) for exploration, larger (500-1000) for data collection.<br />Use continue to fetch additional pages.
`continue` <br />string	Continue is the pagination cursor for fetching additional pages.<br />Leave empty for the first page. If status.continue is non-empty after a query,<br />copy that value here in a new query with identical parameters to get the next page.<br />Repeat until status.continue is empty.<br />Important: Keep all other parameters (startTime, endTime, filter, limit) identical<br />across paginated requests. The cursor is opaque - copy it exactly without modification.

AuditLogQueryStatus

AuditLogQueryStatus contains the query results and pagination state.

Appears in:

AuditLogQuery

Field	Description	Default	Validation
`results` <br />Event array	Results contains matching audit events, sorted newest-first.<br />Each event follows the Kubernetes audit.Event format with fields like:<br /> verb, user.username, objectRef.{namespace,resource,name}, stageTimestamp,<br /> responseStatus.code, requestObject, responseObject<br />Empty results? Try broadening your filter or time range.<br />Full documentation: https://kubernetes.io/docs/reference/config-api/apiserver-audit.v1/
`continue` <br />string	Continue is the pagination cursor.<br />Non-empty means more results are available - copy this to spec.continue for the next page.<br />Empty means you have all results.
`effectiveStartTime` <br />string	EffectiveStartTime is the actual start time used for this query (RFC3339 format).<br />When you use relative times like “now-7d”, this shows the exact timestamp that was<br />calculated. Useful for understanding exactly what time range was queried, especially<br />for auditing, debugging, or recreating queries with absolute timestamps.<br />Example: If you query with startTime=“now-7d” at 2025-12-17T12:00:00Z,<br />this will be “2025-12-10T12:00:00Z”.
`effectiveEndTime` <br />string	EffectiveEndTime is the actual end time used for this query (RFC3339 format).<br />When you use relative times like “now”, this shows the exact timestamp that was<br />calculated. Useful for understanding exactly what time range was queried.<br />Example: If you query with endTime=“now” at 2025-12-17T12:00:00Z,<br />this will be “2025-12-17T12:00:00Z”.

crm.miloapis.com/v1alpha1

Note

Note is the Schema for the notes API. It represents a note attached to a subject (e.g. Contact or User).

Appears in:

NoteList

Field	Description	Validation
`apiVersion` <br />string	`crm.miloapis.com/v1alpha1`
`kind` <br />string	`Note`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />NoteSpec		Type: object <br />
`status` <br />NoteStatus

NoteList

NoteList contains a list of Note.

Field	Description	Default	Validation
`apiVersion` <br />string	`crm.miloapis.com/v1alpha1`
`kind` <br />string	`NoteList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Note array

NoteSpec

NoteSpec defines the desired state of Note.

Validation:

Type: object

Appears in:

Note

Field	Description	Default	Validation
`subjectRef` <br />SubjectReference	Subject is a reference to the subject of the note.		Required: {} <br />Type: object <br />
`content` <br />string	Content is the text content of the note.		MaxLength: 1000 <br />Required: {} <br />
`interactionTime` <br />Time	InteractionTime is the timestamp of the interaction with the subject.		Optional: {} <br />
`nextAction` <br />string	NextAction is an optional follow-up action.		Optional: {} <br />
`nextActionTime` <br />Time	NextActionTime is the timestamp for the follow-up action.		Optional: {} <br />
`followUp` <br />boolean	FollowUp indicates whether this note requires follow-up.<br />When true, the note is being actively tracked for further action.	false	Optional: {} <br />
`creatorRef` <br />UserReference	CreatorRef is a reference to the user that created the note.<br />Defaults to the user that created the note.		Optional: {} <br />

NoteStatus

NoteStatus defines the observed state of Note

Appears in:

Note

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the Note.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]	Optional: {} <br />
`createdBy` <br />string	CreatedBy is the email of the user that created the note.		Optional: {} <br />

SubjectReference

SubjectReference is a reference to the subject of the note.

Validation:

Type: object

Appears in:

NoteSpec

Field	Description	Validation
`apiGroup` <br />string	APIGroup is the group for the resource being referenced.	Enum: [iam.miloapis.com notification.miloapis.com] <br />Required: {} <br />
`kind` <br />string	Kind is the type of resource being referenced.	Enum: [User Contact] <br />Required: {} <br />
`name` <br />string	Name is the name of resource being referenced.	Required: {} <br />
`namespace` <br />string	Namespace is the namespace of resource being referenced.<br />Required for namespace-scoped resources. Omitted for cluster-scoped resources.	Optional: {} <br />

dns.networking.miloapis.com/v1alpha1

SPDX-License-Identifier: AGPL-3.0-only

One-shot discovery/snapshot of existing DNS records for a DNSZone. On creation, a controller queries common RR types for the zone and stores them in .status for easy extraction/translation into DNSRecordSet objects. This object is write-once (status) and has no lifecycle beyond initial discovery.

Package v1alpha1 contains API Schema definitions for the dns v1alpha1 API group.

Resource Types

DNSRecordSet
DNSRecordSetList
DNSZone
DNSZoneClass
DNSZoneClassList
DNSZoneDiscovery
DNSZoneDiscoveryList
DNSZoneList

AAAARecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`content` <br />string			Format: ipv6 <br />

ARecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`content` <br />string			Format: ipv4 <br />

CAARecordSpec

Appears in:

RecordEntry

Field	Description	Validation
`flag` <br />integer	0–255 flag	Maximum: 255 <br />Minimum: 0 <br />
`tag` <br />string	RFC-style tags: keep it simple: [a-z0-9]+	MinLength: 1 <br />Pattern: `^[a-z0-9]+$` <br />
`value` <br />string		MinLength: 1 <br />

CNAMERecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`content` <br />string			MaxLength: 253 <br />MinLength: 1 <br />Pattern: `^([A-Za-z0-9_](?:[-A-Za-z0-9_]\{0,61\}[A-Za-z0-9_])?)(?:\.([A-Za-z0-9_](?:[-A-Za-z0-9_]\{0,61\}[A-Za-z0-9_])?))*\.?$` <br />

DNSRecordSet

DNSRecordSet is the Schema for the dnsrecordsets API

Appears in:

DNSRecordSetList

Field	Description	Default	Validation
`apiVersion` <br />string	`dns.networking.miloapis.com/v1alpha1`
`kind` <br />string	`DNSRecordSet`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />DNSRecordSetSpec	spec defines the desired state of DNSRecordSet
`status` <br />DNSRecordSetStatus	status defines the observed state of DNSRecordSet

DNSRecordSetList

DNSRecordSetList contains a list of DNSRecordSet

Field	Description	Default	Validation
`apiVersion` <br />string	`dns.networking.miloapis.com/v1alpha1`
`kind` <br />string	`DNSRecordSetList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />DNSRecordSet array

DNSRecordSetSpec

DNSRecordSetSpec defines the desired state of DNSRecordSet

Appears in:

DNSRecordSet

Field	Description	Validation
`dnsZoneRef` <br />LocalObjectReference	DNSZoneRef references the DNSZone (same namespace) this recordset belongs to.	Required: {} <br />
`recordType` <br />RRType	RecordType is the DNS RR type for this recordset.	Enum: [A AAAA CNAME TXT MX SRV CAA NS SOA PTR TLSA HTTPS SVCB] <br />Required: {} <br />
`records` <br />RecordEntry array	Records contains one or more owner names with values appropriate for the RecordType.	MinItems: 1 <br />

DNSRecordSetStatus

DNSRecordSetStatus defines the observed state of DNSRecordSet.

Appears in:

DNSRecordSet

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions includes Accepted and Programmed readiness.
`recordSets` <br />RecordSetStatus array	RecordSets captures per-owner (per name) status and conditions.

DNSZone

DNSZone is the Schema for the dnszones API

Appears in:

DNSZoneList

Field	Description	Default	Validation
`apiVersion` <br />string	`dns.networking.miloapis.com/v1alpha1`
`kind` <br />string	`DNSZone`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />DNSZoneSpec	spec defines the desired state of DNSZone
`status` <br />DNSZoneStatus	status defines the observed state of DNSZone

DNSZoneClass

DNSZoneClass is the Schema for the dnszoneclasses API

Appears in:

DNSZoneClassList

Field	Description	Default	Validation
`apiVersion` <br />string	`dns.networking.miloapis.com/v1alpha1`
`kind` <br />string	`DNSZoneClass`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />DNSZoneClassSpec	spec defines the desired state of DNSZoneClass
`status` <br />DNSZoneClassStatus	status defines the observed state of DNSZoneClass

DNSZoneClassList

DNSZoneClassList contains a list of DNSZoneClass

Field	Description	Default	Validation
`apiVersion` <br />string	`dns.networking.miloapis.com/v1alpha1`
`kind` <br />string	`DNSZoneClassList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />DNSZoneClass array

DNSZoneClassSpec

DNSZoneClassSpec defines the desired state of DNSZoneClass

Appears in:

DNSZoneClass

Field	Description	Validation
`controllerName` <br />string	ControllerName identifies the downstream controller/backend implementation (e.g., “powerdns”, “hickory”).	Required: {} <br />
`nameServerPolicy` <br />NameServerPolicy	NameServerPolicy defines how nameservers are assigned for zones using this class.
`defaults` <br />ZoneDefaults	Defaults provides optional default values applied to managed zones.

DNSZoneClassStatus

DNSZoneClassStatus defines the observed state of DNSZoneClass.

Appears in:

DNSZoneClass

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the current state of the resource. Common types include<br />“Accepted” and “Programmed” to standardize readiness reporting across controllers.

DNSZoneDiscovery

DNSZoneDiscovery is the Schema for the DNSZone discovery API.

Appears in:

DNSZoneDiscoveryList

Field	Description	Default	Validation
`apiVersion` <br />string	`dns.networking.miloapis.com/v1alpha1`
`kind` <br />string	`DNSZoneDiscovery`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />DNSZoneDiscoverySpec	spec defines the desired target for discovery.
`status` <br />DNSZoneDiscoveryStatus	status contains the discovered data (write-once).

DNSZoneDiscoveryList

DNSZoneDiscoveryList contains a list of DNSZoneDiscovery

Field	Description	Default	Validation
`apiVersion` <br />string	`dns.networking.miloapis.com/v1alpha1`
`kind` <br />string	`DNSZoneDiscoveryList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />DNSZoneDiscovery array

DNSZoneDiscoverySpec

DNSZoneDiscoverySpec defines the desired discovery target.

Appears in:

DNSZoneDiscovery

Field	Description	Default	Validation
`dnsZoneRef` <br />LocalObjectReference	DNSZoneRef references the DNSZone (same namespace) this discovery targets.		Required: {} <br />

DNSZoneDiscoveryStatus

DNSZoneDiscoveryStatus defines the observed snapshot of a DNS zone.

Appears in:

DNSZoneDiscovery

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions includes Accepted and Discovered.
`recordSets` <br />DiscoveredRecordSet array	RecordSets is the set of discovered RRsets grouped by RecordType.

DNSZoneList

DNSZoneList contains a list of DNSZone

Field	Description	Default	Validation
`apiVersion` <br />string	`dns.networking.miloapis.com/v1alpha1`
`kind` <br />string	`DNSZoneList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />DNSZone array

DNSZoneSpec

DNSZoneSpec defines the desired state of DNSZone

Appears in:

DNSZone

Field	Description	Default	Validation
`domainName` <br />string	DomainName is the FQDN of the zone (e.g., “example.com”).		MaxLength: 253 <br />MinLength: 1 <br />Pattern: `^[a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)*$` <br />Required: {} <br />
`dnsZoneClassName` <br />string	DNSZoneClassName references the DNSZoneClass used to provision this zone.		Required: {} <br />

DNSZoneStatus

DNSZoneStatus defines the observed state of DNSZone.

Appears in:

DNSZone

Field	Description	Default	Validation
`nameservers` <br />string array	Nameservers lists the active authoritative nameservers for this zone.
`recordCount` <br />integer	RecordCount is the number of DNSRecordSet resources in this namespace that reference this zone.
`conditions` <br />Condition array	Conditions tracks state such as Accepted and Programmed readiness.
`domainRef` <br />DomainRef	DomainRef references the Domain this zone belongs to.

DiscoveredRecordSet

DiscoveredRecordSet groups discovered records by type.

Appears in:

DNSZoneDiscoveryStatus

Field	Description	Default	Validation
`recordType` <br />RRType	RecordType is the DNS RR type for this recordset.		Enum: [A AAAA CNAME TXT MX SRV CAA NS SOA PTR TLSA HTTPS SVCB] <br />Required: {} <br />
`records` <br />RecordEntry array	Records contains one or more owner names with values appropriate for the RecordType.<br />The RecordEntry schema is shared with DNSRecordSet for easy translation.

DomainRef

Appears in:

DNSZoneStatus

Field	Description	Default	Validation
`name` <br />string
`status` <br />DomainRefStatus

DomainRefStatus

Appears in:

DomainRef

Field	Description	Default	Validation
`nameservers` <br />Nameserver array

HTTPSRecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`priority` <br />integer			Maximum: 65535 <br />Minimum: 0 <br />
`target` <br />string
`params` <br />object (keys:string, values:string)

MXRecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`preference` <br />integer			Maximum: 65535 <br />Minimum: 0 <br />
`exchange` <br />string			MinLength: 1 <br />

NSRecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`content` <br />string	Require a hostname (FQDN or relative), allow optional trailing dot, no underscores.<br />Labels: 1-63 chars, alphanum with interior hyphens, total length <=253.		MaxLength: 253 <br />MinLength: 1 <br />Pattern: `^([A-Za-z0-9](?:[A-Za-z0-9-]\{0,61\}[A-Za-z0-9])?)(?:\.([A-Za-z0-9](?:[A-Za-z0-9-]\{0,61\}[A-Za-z0-9])?))*\.?$` <br />

NameServerPolicy

NameServerPolicy specifies the policy for nameserver assignment.

Appears in:

DNSZoneClassSpec

Field	Description	Default	Validation
`mode` <br />NameServerPolicyMode	Mode defines which policy to use.		Enum: [Static] <br />
`static` <br />StaticNS	Static contains a static list of authoritative nameservers when Mode == “Static”.

NameServerPolicyMode

Underlying type: string

Validation:

Enum: [Static]

Appears in:

NameServerPolicy

PTRRecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`content` <br />string

RRType

Underlying type: string

Validation:

Enum: [A AAAA CNAME TXT MX SRV CAA NS SOA PTR TLSA HTTPS SVCB]

Appears in:

DNSRecordSetSpec
DiscoveredRecordSet

| Field | Description | | A | | | AAAA | | | CNAME | | | TXT | | | MX | | | SRV | | | CAA | | | NS | | | SOA | | | PTR | | | TLSA | | | HTTPS | | | SVCB | |

RecordEntry

RecordEntry represents one owner name and its values.

Appears in:

DNSRecordSetSpec
DiscoveredRecordSet

Field	Description	Validation
`name` <br />string	Name is the owner name (relative to the zone or FQDN).	MinLength: 1 <br />Pattern: `^(@\|[A-Za-z0-9*._-]+)$` <br />Required: {} <br />
`ttl` <br />integer	TTL optionally overrides TTL for this owner/RRset.
`a` <br />ARecordSpec	Exactly one of the following type-specific fields should be set matching RecordType.
`aaaa` <br />AAAARecordSpec
`cname` <br />CNAMERecordSpec
`ns` <br />NSRecordSpec
`txt` <br />TXTRecordSpec
`soa` <br />SOARecordSpec
`caa` <br />CAARecordSpec
`mx` <br />MXRecordSpec
`srv` <br />SRVRecordSpec
`tlsa` <br />TLSARecordSpec
`https` <br />HTTPSRecordSpec
`svcb` <br />HTTPSRecordSpec
`ptr` <br />PTRRecordSpec

RecordSetStatus

Appears in:

DNSRecordSetStatus

Field	Description	Default	Validation
`name` <br />string	Name is the owner name this status pertains to.
`conditions` <br />Condition array	Conditions captures per-name readiness information such as RecordProgrammed.

SOARecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`mname` <br />string			MinLength: 1 <br />
`rname` <br />string			MinLength: 1 <br />
`serial` <br />integer
`refresh` <br />integer
`retry` <br />integer
`expire` <br />integer
`ttl` <br />integer

SRVRecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`priority` <br />integer			Maximum: 65535 <br />Minimum: 0 <br />
`weight` <br />integer			Maximum: 65535 <br />Minimum: 0 <br />
`port` <br />integer			Maximum: 65535 <br />Minimum: 0 <br />
`target` <br />string			MinLength: 1 <br />

StaticNS

StaticNS lists static authoritative nameserver hostnames.

Appears in:

NameServerPolicy

Field	Description	Default	Validation
`servers` <br />string array

TLSARecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`usage` <br />integer
`selector` <br />integer
`matchingType` <br />integer
`certData` <br />string

TXTRecordSpec

Appears in:

RecordEntry

Field	Description	Default	Validation
`content` <br />string

ZoneDefaults

ZoneDefaults holds optional default settings for zones.

Appears in:

DNSZoneClassSpec

Field	Description	Default	Validation
`defaultTTL` <br />integer	DefaultTTL is the default TTL applied to records when not otherwise specified.

iam.miloapis.com/v1alpha1

Package v1alpha1 contains API Schema definitions for the iam v1alpha1 API group

Resource Types

Group
GroupList
GroupMembership
GroupMembershipList
MachineAccount
MachineAccountKey
MachineAccountKeyList
MachineAccountList
PlatformAccessApproval
PlatformAccessApprovalList
PlatformAccessRejection
PlatformAccessRejectionList
PlatformInvitation
PlatformInvitationList
PolicyBinding
PolicyBindingList
UserDeactivation
UserDeactivationList
UserInvitation
UserInvitationList

AuthProvider

Underlying type: string

AuthProvider represents an external identity provider used for user authentication.

Validation:

Enum: [github google]

Appears in:

UserStatus

Group

Group is the Schema for the groups API

Appears in:

GroupList

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`Group`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`status` <br />GroupStatus

GroupList

GroupList contains a list of Group

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`GroupList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Group array

GroupMembership

GroupMembership is the Schema for the groupmemberships API

Appears in:

GroupMembershipList

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`GroupMembership`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />GroupMembershipSpec
`status` <br />GroupMembershipStatus

GroupMembershipList

GroupMembershipList contains a list of GroupMembership

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`GroupMembershipList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />GroupMembership array

GroupMembershipSpec

GroupMembershipSpec defines the desired state of GroupMembership

Appears in:

GroupMembership

Field	Description	Default	Validation
`userRef` <br />UserReference	UserRef is a reference to the User that is a member of the Group.<br />User is a cluster-scoped resource.		Required: {} <br />
`groupRef` <br />GroupReference	GroupRef is a reference to the Group.<br />Group is a namespaced resource.		Required: {} <br />

GroupMembershipStatus

GroupMembershipStatus defines the observed state of GroupMembership

Appears in:

GroupMembership

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.

GroupReference

GroupReference contains information that points to the Group being referenced. Group is a namespaced resource.

Appears in:

GroupMembershipSpec

Field	Description	Default	Validation
`name` <br />string	Name is the name of the Group being referenced.		Required: {} <br />
`namespace` <br />string	Namespace of the referenced Group.		Required: {} <br />

GroupStatus

GroupStatus defines the observed state of Group

Appears in:

Group

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.

MachineAccount

MachineAccount is the Schema for the machine accounts API

Appears in:

MachineAccountList

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`MachineAccount`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />MachineAccountSpec
`status` <br />MachineAccountStatus

MachineAccountKey

MachineAccountKey is the Schema for the machineaccountkeys API

Appears in:

MachineAccountKeyList

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`MachineAccountKey`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />MachineAccountKeySpec
`status` <br />MachineAccountKeyStatus

MachineAccountKeyList

MachineAccountKeyList contains a list of MachineAccountKey

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`MachineAccountKeyList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />MachineAccountKey array

MachineAccountKeySpec

MachineAccountKeySpec defines the desired state of MachineAccountKey

Appears in:

MachineAccountKey

Field	Description	Validation
`machineAccountName` <br />string	MachineAccountName is the name of the MachineAccount that owns this key.	Required: {} <br />
`expirationDate` <br />Time	ExpirationDate is the date and time when the MachineAccountKey will expire.<br />If not specified, the MachineAccountKey will never expire.	Optional: {} <br />
`publicKey` <br />string	PublicKey is the public key of the MachineAccountKey.<br />If not specified, the MachineAccountKey will be created with an auto-generated public key.	Optional: {} <br />

MachineAccountKeyStatus

MachineAccountKeyStatus defines the observed state of MachineAccountKey

Appears in:

MachineAccountKey

Field	Description	Default	Validation
`authProviderKeyId` <br />string	AuthProviderKeyID is the unique identifier for the key in the auth provider.<br />This field is populated by the controller after the key is created in the auth provider.<br />For example, when using Zitadel, a typical value might be: “326102453042806786”
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the MachineAccountKey.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]	Optional: {} <br />

MachineAccountList

MachineAccountList contains a list of MachineAccount

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`MachineAccountList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />MachineAccount array

MachineAccountSpec

MachineAccountSpec defines the desired state of MachineAccount

Appears in:

MachineAccount

Field	Description	Default	Validation
`state` <br />string	The state of the machine account. This state can be safely changed as needed.<br />States:<br /> - Active: The machine account can be used to authenticate.<br /> - Inactive: The machine account is prohibited to be used to authenticate, and revokes all existing sessions.	Active	Enum: [Active Inactive] <br />Optional: {} <br />

MachineAccountStatus

MachineAccountStatus defines the observed state of MachineAccount

Appears in:

MachineAccount

Field	Description	Validation
`email` <br />string	The computed email of the machine account following the pattern:<br />{metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix}
`state` <br />string	State represents the current activation state of the machine account from the auth provider.<br />This field tracks the state from the previous generation and is updated when state changes<br />are successfully propagated to the auth provider. It helps optimize performance by only<br />updating the auth provider when a state change is detected.	Enum: [Active Inactive] <br />
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the MachineAccount.

ParentResourceRef

ParentResourceRef defines the reference to a parent resource

Appears in:

ProtectedResourceSpec

Field	Description	Default	Validation
`apiGroup` <br />string	APIGroup is the group for the resource being referenced.<br />If APIGroup is not specified, the specified Kind must be in the core API group.<br />For any other third-party types, APIGroup is required.		Optional: {} <br />
`kind` <br />string	Kind is the type of resource being referenced.		Required: {} <br />

PlatformAccessApproval

PlatformAccessApproval is the Schema for the platformaccessapprovals API. It represents a platform access approval for a user. Once the platform access approval is created, an email will be sent to the user.

Appears in:

PlatformAccessApprovalList

Field	Description	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`PlatformAccessApproval`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />PlatformAccessApprovalSpec		Type: object <br />

PlatformAccessApprovalList

PlatformAccessApprovalList contains a list of PlatformAccessApproval.

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`PlatformAccessApprovalList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />PlatformAccessApproval array

PlatformAccessApprovalSpec

PlatformAccessApprovalSpec defines the desired state of PlatformAccessApproval.

Validation:

Type: object

Appears in:

PlatformAccessApproval

Field	Description	Default	Validation
`subjectRef` <br />SubjectReference	SubjectRef is the reference to the subject being approved.		Required: {} <br />
`approverRef` <br />UserReference	ApproverRef is the reference to the approver being approved.<br />If not specified, the approval was made by the system.		Optional: {} <br />

PlatformAccessRejection

PlatformAccessRejection is the Schema for the platformaccessrejections API. It represents a formal denial of platform access for a user. Once the rejection is created, a notification can be sent to the user.

Appears in:

PlatformAccessRejectionList

Field	Description	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`PlatformAccessRejection`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />PlatformAccessRejectionSpec		Type: object <br />

PlatformAccessRejectionList

PlatformAccessRejectionList contains a list of PlatformAccessRejection.

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`PlatformAccessRejectionList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />PlatformAccessRejection array

PlatformAccessRejectionSpec

PlatformAccessRejectionSpec defines the desired state of PlatformAccessRejection.

Validation:

Type: object

Appears in:

PlatformAccessRejection

Field	Description	Validation
`subjectRef` <br />UserReference	UserRef is the reference to the user being rejected.	Required: {} <br />
`reason` <br />string	Reason is the reason for the rejection.	Required: {} <br />
`rejecterRef` <br />UserReference	RejecterRef is the reference to the actor who issued the rejection.<br />If not specified, the rejection was made by the system.	Optional: {} <br />

PlatformInvitation

PlatformInvitation is the Schema for the platforminvitations API It represents a platform invitation for a user. Once the platform invitation is created, an email will be sent to the user to invite them to the platform. The invited user will have access to the platform after they create an account using the asociated email. It represents a platform invitation for a user.

Appears in:

PlatformInvitationList

Field	Description	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`PlatformInvitation`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />PlatformInvitationSpec		Type: object <br />
`status` <br />PlatformInvitationStatus		Type: object <br />

PlatformInvitationEmailStatus

Appears in:

PlatformInvitationStatus

Field	Description	Default	Validation
`name` <br />string	The name of the email resource that was created for the platform invitation.		Optional: {} <br />
`namespace` <br />string	The namespace of the email resource that was created for the platform invitation.		Optional: {} <br />

PlatformInvitationList

PlatformInvitationList contains a list of PlatformInvitation.

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`PlatformInvitationList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />PlatformInvitation array

PlatformInvitationSpec

PlatformInvitationSpec defines the desired state of PlatformInvitation.

Validation:

Type: object

Appears in:

PlatformInvitation

Field	Description	Validation
`email` <br />string	The email of the user being invited.	Required: {} <br />
`givenName` <br />string	The given name of the user being invited.	Optional: {} <br />
`familyName` <br />string	The family name of the user being invited.	Optional: {} <br />
`scheduleAt` <br />Time	The schedule at which the platform invitation will be sent.<br />It can only be updated before the platform invitation is sent.	Optional: {} <br />
`invitedBy` <br />UserReference	The user who created the platform invitation. A mutation webhook will default this field to the user who made the request.

PlatformInvitationStatus

PlatformInvitationStatus defines the observed state of PlatformInvitation.

Validation:

Type: object

Appears in:

PlatformInvitation

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the PlatformInvitation.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Platform invitation reconciliation is pending reason:ReconcilePending status:Unknown type:Ready]]	Optional: {} <br />
`email` <br />PlatformInvitationEmailStatus	The email resource that was created for the platform invitation.		Optional: {} <br />

PolicyBinding

PolicyBinding is the Schema for the policybindings API

Appears in:

PolicyBindingList

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`PolicyBinding`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />PolicyBindingSpec
`status` <br />PolicyBindingStatus

PolicyBindingList

PolicyBindingList contains a list of PolicyBinding

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`PolicyBindingList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />PolicyBinding array

PolicyBindingSpec

PolicyBindingSpec defines the desired state of PolicyBinding

Appears in:

PolicyBinding

Field	Description	Validation
`roleRef` <br />RoleReference	RoleRef is a reference to the Role that is being bound. This can be a reference to a Role custom resource.	Required: {} <br />
`subjects` <br />Subject array	Subjects holds references to the objects the role applies to.	MinItems: 1 <br />Required: {} <br />
`resourceSelector` <br />ResourceSelector	ResourceSelector defines which resources the subjects in the policy binding<br />should have the role applied to. Options within this struct are mutually<br />exclusive.	Required: {} <br />

PolicyBindingStatus

PolicyBindingStatus defines the observed state of PolicyBinding

Appears in:

PolicyBinding

Field	Description	Default	Validation
`observedGeneration` <br />integer	ObservedGeneration is the most recent generation observed for this PolicyBinding by the controller.		Optional: {} <br />
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the PolicyBinding.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]	Optional: {} <br />

ProtectedResource

ProtectedResource is the Schema for the protectedresources API

Appears in:

ProtectedResourceList

Field	Description	Default	Validation
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ProtectedResourceSpec
`status` <br />ProtectedResourceStatus

ProtectedResourceSpec

ProtectedResourceSpec defines the desired state of ProtectedResource

Appears in:

ProtectedResource

Field	Description	Validation
`serviceRef` <br />ServiceReference	ServiceRef references the service definition this protected resource belongs to.	Required: {} <br />
`kind` <br />string	The kind of the resource.<br />This will be in the format `Workload`.	Required: {} <br />
`singular` <br />string	The singular form for the resource type, e.g. ‘workload’. Must follow camelCase format.	Required: {} <br />
`plural` <br />string	The plural form for the resource type, e.g. ‘workloads’. Must follow<br />camelCase format.	Required: {} <br />
`parentResources` <br />ParentResourceRef array	A list of resources that are registered with the platform that may be a<br />parent to the resource. Permissions may be bound to a parent resource so<br />they can be inherited down the resource hierarchy.	Optional: {} <br />
`permissions` <br />string array	A list of permissions that are associated with the resource.	Required: {} <br />

ProtectedResourceStatus

ProtectedResourceStatus defines the observed state of ProtectedResource

Appears in:

ProtectedResource

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the ProtectedResource.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]	Optional: {} <br />
`observedGeneration` <br />integer	ObservedGeneration is the most recent generation observed for this ProtectedResource. It corresponds to the<br />ProtectedResource’s generation, which is updated on mutation by the API Server.		Optional: {} <br />

RegistrationApprovalState

Underlying type: string

Appears in:

UserStatus

ResourceKind

ResourceKind contains enough information to identify a resource type.

Appears in:

ResourceSelector

Field	Description	Default	Validation
`apiGroup` <br />string	APIGroup is the group for the resource type being referenced. If APIGroup<br />is not specified, the specified Kind must be in the core API group.		Optional: {} <br />
`kind` <br />string	Kind is the type of resource being referenced.		Required: {} <br />

ResourceReference

ResourceReference contains enough information to let you identify a specific API resource instance.

Appears in:

ResourceSelector

Field	Description	Validation
`apiGroup` <br />string	APIGroup is the group for the resource being referenced.<br />If APIGroup is not specified, the specified Kind must be in the core API group.<br />For any other third-party types, APIGroup is required.	Optional: {} <br />
`kind` <br />string	Kind is the type of resource being referenced.	Required: {} <br />
`name` <br />string	Name is the name of resource being referenced.	Required: {} <br />
`uid` <br />string	UID is the unique identifier of the resource being referenced.	Required: {} <br />
`namespace` <br />string	Namespace is the namespace of resource being referenced.<br />Required for namespace-scoped resources. Omitted for cluster-scoped resources.	Optional: {} <br />

ResourceSelector

ResourceSelector defines which resources the policy binding applies to. Either resourceRef or resourceKind must be specified, but not both.

Appears in:

PolicyBindingSpec

Field	Description	Default	Validation
`resourceRef` <br />ResourceReference	ResourceRef provides a reference to a specific resource instance. Mutually exclusive with resourceKind.		Optional: {} <br />
`resourceKind` <br />ResourceKind	ResourceKind specifies that the policy binding should apply to all resources of a specific kind.<br />Mutually exclusive with resourceRef.		Optional: {} <br />

Role

Role is the Schema for the roles API

Appears in:

RoleList

Field	Description	Default
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />RoleSpec
`status` <br />RoleStatus		{ conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] }

RoleReference

RoleReference contains information that points to the Role being used

Appears in:

PolicyBindingSpec
UserInvitationSpec

Field	Description	Default	Validation
`name` <br />string	Name is the name of resource being referenced		Required: {} <br />
`namespace` <br />string	Namespace of the referenced Role. If empty, it is assumed to be in the PolicyBinding’s namespace.		Optional: {} <br />

RoleSpec

RoleSpec defines the desired state of Role

Appears in:

Role

Field	Description	Validation
`includedPermissions` <br />string array	The names of the permissions this role grants when bound in an IAM policy.<br />All permissions must be in the format: `\{service\}.\{resource\}.\{action\}`<br />(e.g. compute.workloads.create).	Optional: {} <br />
`launchStage` <br />string	Defines the launch stage of the IAM Role. Must be one of: Early Access,<br />Alpha, Beta, Stable, Deprecated.	Required: {} <br />
`inheritedRoles` <br />ScopedRoleReference array	The list of roles from which this role inherits permissions.<br />Each entry must be a valid role resource name.	Optional: {} <br />

RoleStatus

RoleStatus defines the observed state of Role

Appears in:

Role

Field	Description	Validation
`parent` <br />string	The resource name of the parent the role was created under.	Optional: {} <br />
`effectivePermissions` <br />string array	EffectivePermissions is the complete flattened list of all permissions<br />granted by this role, including permissions from inheritedRoles and<br />directly specified includedPermissions. This is computed by the controller<br />and provides a single source of truth for all permissions this role grants.	Optional: {} <br />
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the Role.	Optional: {} <br />
`observedGeneration` <br />integer	ObservedGeneration is the most recent generation observed by the controller.

ScopedRoleReference

ScopedRoleReference defines a reference to another Role, scoped by namespace. This is used for purposes like role inheritance where a simple name and namespace is sufficient to identify the target role.

Appears in:

RoleSpec

Field	Description	Default	Validation
`name` <br />string	Name of the referenced Role.		Required: {} <br />
`namespace` <br />string	Namespace of the referenced Role.<br />If not specified, it defaults to the namespace of the resource containing this reference.		Optional: {} <br />

ServiceReference

ServiceReference holds a reference to a service definition.

Appears in:

ProtectedResourceSpec

Field	Description	Default	Validation
`name` <br />string	Name is the resource name of the service definition.		Required: {} <br />

Subject

Subject contains a reference to the object or user identities a role binding applies to. This can be a User or Group.

Appears in:

PolicyBindingSpec

Field	Description	Validation
`kind` <br />string	Kind of object being referenced. Values defined in Kind constants.	Enum: [User Group] <br />Required: {} <br />
`name` <br />string	Name of the object being referenced. A special group name of<br />“system:authenticated-users” can be used to refer to all authenticated<br />users.	Required: {} <br />
`namespace` <br />string	Namespace of the referenced object. If DNE, then for an SA it refers to the PolicyBinding resource’s namespace.<br />For a User or Group, it is ignored.	Optional: {} <br />
`uid` <br />string	UID of the referenced object. Optional for system groups (groups with names starting with “system:”).	Optional: {} <br />

SubjectReference

Appears in:

PlatformAccessApprovalSpec

Field	Description	Default	Validation
`email` <br />string	Email is the email of the user being approved.<br />Use Email to approve an email address that is not associated with a created user. (e.g. when using PlatformInvitation)<br />UserRef and Email are mutually exclusive. Exactly one of them must be specified.		Optional: {} <br />
`userRef` <br />UserReference	UserRef is the reference to the user being approved.<br />UserRef and Email are mutually exclusive. Exactly one of them must be specified.		Optional: {} <br />

User

User is the Schema for the users API

Appears in:

UserList

Field	Description	Default	Validation
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />UserSpec
`status` <br />UserStatus

UserDeactivation

UserDeactivation is the Schema for the userdeactivations API

Appears in:

UserDeactivationList

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`UserDeactivation`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />UserDeactivationSpec
`status` <br />UserDeactivationStatus

UserDeactivationList

UserDeactivationList contains a list of UserDeactivation

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`UserDeactivationList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />UserDeactivation array

UserDeactivationSpec

UserDeactivationSpec defines the desired state of UserDeactivation

Appears in:

UserDeactivation

Field	Description	Validation
`userRef` <br />UserReference	UserRef is a reference to the User being deactivated.<br />User is a cluster-scoped resource.	Required: {} <br />
`reason` <br />string	Reason is the internal reason for deactivation.	Required: {} <br />
`description` <br />string	Description provides detailed internal description for the deactivation.	Optional: {} <br />
`deactivatedBy` <br />string	DeactivatedBy indicates who initiated the deactivation.	Required: {} <br />

UserDeactivationStatus

UserDeactivationStatus defines the observed state of UserDeactivation

Appears in:

UserDeactivation

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]	Optional: {} <br />

UserInvitation

UserInvitation is the Schema for the userinvitations API

Appears in:

UserInvitationList

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`UserInvitation`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />UserInvitationSpec
`status` <br />UserInvitationStatus

UserInvitationInviteeUserStatus

UserInvitationInviteeUserStatus contains information about the invitee user in the invitation.

Appears in:

UserInvitationStatus

Field	Description	Default	Validation
`name` <br />string	Name is the name of the invitee user in the invitation.<br />Name is a cluster-scoped resource, so Namespace is not needed.		Required: {} <br />

UserInvitationList

UserInvitationList contains a list of UserInvitation

Field	Description	Default	Validation
`apiVersion` <br />string	`iam.miloapis.com/v1alpha1`
`kind` <br />string	`UserInvitationList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />UserInvitation array

UserInvitationOrganizationStatus

UserInvitationOrganizationStatus contains information about the organization in the invitation.

Appears in:

UserInvitationStatus

Field	Description	Default	Validation
`displayName` <br />string	DisplayName is the display name of the organization in the invitation.		Optional: {} <br />

UserInvitationSpec

UserInvitationSpec defines the desired state of UserInvitation

Appears in:

UserInvitation

Field	Description	Validation
`organizationRef` <br />OrganizationReference	OrganizationRef is a reference to the Organization that the user is invoted to.	Required: {} <br />
`email` <br />string	The email of the user being invited.	Required: {} <br />
`givenName` <br />string	The first name of the user being invited.	Optional: {} <br />
`familyName` <br />string	The last name of the user being invited.	Optional: {} <br />
`roles` <br />RoleReference array	The roles that will be assigned to the user when they accept the invitation.	MaxItems: 100 <br />MinItems: 1 <br />Required: {} <br />
`invitedBy` <br />UserReference	InvitedBy is the user who invited the user. A mutation webhook will default this field to the user who made the request.	Optional: {} <br />
`expirationDate` <br />Time	ExpirationDate is the date and time when the UserInvitation will expire.<br />If not specified, the UserInvitation will never expire.	Optional: {} <br />
`state` <br />UserInvitationStateType	State is the state of the UserInvitation. In order to accept the invitation, the invited user<br />must set the state to Accepted.	Enum: [Pending Accepted Declined] <br />Required: {} <br />

UserInvitationStateType

Underlying type: string

Appears in:

UserInvitationSpec

UserInvitationStatus

UserInvitationStatus defines the observed state of UserInvitation

Appears in:

UserInvitation

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the UserInvitation.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Unknown]]	Optional: {} <br />
`organization` <br />UserInvitationOrganizationStatus	Organization contains information about the organization in the invitation.		Optional: {} <br />
`inviterUser` <br />UserInvitationUserStatus	InviterUser contains information about the user who invited the user in the invitation.		Optional: {} <br />
`inviteeUser` <br />UserInvitationInviteeUserStatus	InviteeUser contains information about the invitee user in the invitation.<br />This value may be nil if the invitee user has not been created yet.		Optional: {} <br />

UserInvitationUserStatus

UserInvitationInviterUserStatus contains information about the user who invited the user in the invitation.

Appears in:

UserInvitationStatus

Field	Description	Default	Validation
`displayName` <br />string	DisplayName is the display name of the user who invited the user in the invitation.		Optional: {} <br />
`emailAddress` <br />string	EmailAddress is the email address of the user who invited the user in the invitation.		Optional: {} <br />

UserPreference

UserPreference is the Schema for the userpreferences API

Appears in:

UserPreferenceList

Field	Description	Default	Validation
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />UserPreferenceSpec
`status` <br />UserPreferenceStatus

UserPreferenceSpec

UserPreferenceSpec defines the desired state of UserPreference

Appears in:

UserPreference

Field	Description	Default	Validation
`userRef` <br />UserReference	Reference to the user these preferences belong to.		Required: {} <br />
`theme` <br />string	The user’s theme preference.	system	Enum: [light dark system] <br />Optional: {} <br />

UserPreferenceStatus

UserPreferenceStatus defines the observed state of UserPreference

Appears in:

UserPreference

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the UserPreference.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]	Optional: {} <br />

UserReference

UserReference contains information that points to the User being referenced. User is a cluster-scoped resource, so Namespace is not needed.

Appears in:

GroupMembershipSpec
NoteSpec
PlatformAccessApprovalSpec
PlatformAccessRejectionSpec
PlatformInvitationSpec
SubjectReference
UserDeactivationSpec
UserInvitationSpec
UserPreferenceSpec

Field	Description	Default	Validation
`name` <br />string	Name is the name of the User being referenced.		Required: {} <br />

UserSpec

UserSpec defines the desired state of User

Appears in:

User

Field	Description	Validation
`email` <br />string	The email of the user.	Required: {} <br />
`givenName` <br />string	The first name of the user.	Optional: {} <br />
`familyName` <br />string	The last name of the user.	Optional: {} <br />

UserState

Underlying type: string

Appears in:

UserStatus

UserStatus

UserStatus defines the observed state of User

Appears in:

User

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions provide conditions that represent the current status of the User.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]	Optional: {} <br />
`state` <br />UserState	State represents the current activation state of the user account from the<br />auth provider. This field is managed exclusively by the UserDeactivation CRD<br />and cannot be changed directly by the user. When a UserDeactivation resource<br />is created for the user, the user is deactivated in the auth provider; when<br />the UserDeactivation is deleted, the user is reactivated.<br />States:<br /> - Active: The user can be used to authenticate.<br /> - Inactive: The user is prohibited to be used to authenticate, and revokes all existing sessions.	Active	Enum: [Active Inactive] <br />
`registrationApproval` <br />RegistrationApprovalState	RegistrationApproval represents the administrator’s decision on the user’s registration request.<br />States:<br /> - Pending: The user is awaiting review by an administrator.<br /> - Approved: The user registration has been approved.<br /> - Rejected: The user registration has been rejected.<br />The User resource is always created regardless of this value, but the<br />ability for the person to sign into the platform and access resources is<br />governed by this status: only Approved users are granted access, while<br />Pending and Rejected users are prevented for interacting with resources.		Enum: [Pending Approved Rejected] <br />
`lastLoginProvider` <br />AuthProvider	LastLoginProvider records the identity provider that was most recently used by the<br />user to log in (e.g., “github” or “google”). This field is set by the auth provider<br />based on authentication events.		Enum: [github google] <br />Optional: {} <br />
`avatarUrl` <br />string	AvatarURL points to the avatar image associated with the user. This value is<br />populated by the auth provider or any service that provides a user avatar URL.		Format: uri <br />Optional: {} <br />

identity.miloapis.com/v1alpha1

Package v1alpha1 contains API Schema definitions for the identity.miloapis.com group

This package defines virtual types served by the Milo API server. These types are backed by provider-specific implementations and are not persisted in etcd.

infrastructure.miloapis.com/v1alpha1

Resource Types

ProjectControlPlane
ProjectControlPlaneList

ProjectControlPlane

ProjectControlPlane is the Schema for the projectcontrolplanes API.

Appears in:

ProjectControlPlaneList

Field	Description	Default	Validation
`apiVersion` <br />string	`infrastructure.miloapis.com/v1alpha1`
`kind` <br />string	`ProjectControlPlane`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ProjectControlPlaneSpec			Required: {} <br />
`status` <br />ProjectControlPlaneStatus		{ conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Creating a new control plane for the project reason:Creating status:False type:ControlPlaneReady]] }

ProjectControlPlaneList

ProjectControlPlaneList contains a list of ProjectControlPlane.

Field	Description	Default	Validation
`apiVersion` <br />string	`infrastructure.miloapis.com/v1alpha1`
`kind` <br />string	`ProjectControlPlaneList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />ProjectControlPlane array

ProjectControlPlaneSpec

ProjectControlPlaneSpec defines the desired state of ProjectControlPlane.

Appears in:

ProjectControlPlane

ProjectControlPlaneStatus

ProjectControlPlaneStatus defines the observed state of ProjectControlPlane.

Appears in:

ProjectControlPlane

Field	Description	Default	Validation
`conditions` <br />Condition array	Represents the observations of a project control plane’s current state. Known condition types are: “Ready”

networking.datumapis.com/v1alpha

Package v1alpha contains API Schema definitions for the networking v1alpha API group.

Resource Types

Domain
DomainList
HTTPProxy
HTTPProxyList
Location
LocationList
Network
NetworkBinding
NetworkBindingList
NetworkContext
NetworkContextList
NetworkList
NetworkPolicy
NetworkPolicyList
Subnet
SubnetClaim
SubnetClaimList
SubnetList
TrafficProtectionPolicy
TrafficProtectionPolicyList

AbuseContact

Appears in:

Registration

Field	Description	Default	Validation
`email` <br />string
`phone` <br />string

Contact

Appears in:

ContactSet

Field	Description	Default	Validation
`organization` <br />string
`email` <br />string
`phone` <br />string

ContactSet

Appears in:

Registration

Field	Description	Default	Validation
`registrant` <br />Contact
`admin` <br />Contact
`tech` <br />Contact

DNSSECInfo

Appears in:

Registration

Field	Description	Default	Validation
`enabled` <br />boolean
`ds` <br />DSRecord array

DNSVerificationRecord

DNSVerificationRecord represents a DNS record required for verification

Appears in:

DomainVerificationStatus

Field	Description	Default	Validation
`name` <br />string
`type` <br />string
`content` <br />string

DSRecord

Appears in:

DNSSECInfo

Field	Description	Default	Validation
`keyTag` <br />integer
`algorithm` <br />integer
`digestType` <br />integer
`digest` <br />string

Domain

Domain represents a domain name in the Datum system

Appears in:

DomainList

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`Domain`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />DomainSpec			Required: {} <br />
`status` <br />DomainStatus		{ conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Verified] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:VerifiedDNS] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:VerifiedHTTP]] }

DomainList

DomainList contains a list of Domain

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`DomainList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Domain array

DomainSpec

DomainSpec defines the desired state of Domain

Appears in:

Domain

Field	Description	Default	Validation
`domainName` <br />string	DomainName is the fully qualified domain name (FQDN) to be managed		MaxLength: 253 <br />MinLength: 1 <br />Pattern: `^[a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)*$` <br />Required: {} <br />
`desiredRegistrationRefreshAttempt` <br />Time	DesiredRegistrationRefreshAttempt is the desired time of the next registration refresh attempt.		Optional: {} <br />

DomainStatus

DomainStatus defines the observed state of Domain

Appears in:

Domain

Field	Description	Default	Validation
`verification` <br />DomainVerificationStatus
`registration` <br />Registration
`nameservers` <br />Nameserver array	Nameservers lists the authoritative NS for the effective domain name:<br />- If Apex == true: taken from RDAP for the registered domain (eTLD+1)<br />- If Apex == false: taken from DNS delegation for the subdomain; falls back to apex NS if no cut
`apex` <br />boolean	Apex is true when spec.domainName is the registered domain (eTLD+1).
`conditions` <br />Condition array

DomainVerificationStatus

DomainVerificationStatus represents the verification status of a domain

Appears in:

DomainStatus

Field	Description	Default	Validation
`dnsRecord` <br />DNSVerificationRecord
`httpToken` <br />HTTPVerificationToken
`nextVerificationAttempt` <br />Time

GCPLocationProvider

Appears in:

LocationProvider

Field	Description	Validation
`projectId` <br />string	The GCP project servicing the location For locations with the class of `datum-managed`, a service account will be<br />required for each unique GCP project ID across all locations registered in a<br />namespace.	Required: {} <br />
`region` <br />string	The GCP region servicing the location	Required: {} <br />
`zone` <br />string	The GCP zone servicing the location	Required: {} <br />

HTTPProxy

An HTTPProxy builds on top of Gateway API resources to provide a more convenient method to manage simple reverse proxy use cases.

Appears in:

HTTPProxyList

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`HTTPProxy`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />HTTPProxySpec	Spec defines the desired state of an HTTPProxy.		Required: {} <br />
`status` <br />HTTPProxyStatus	Status defines the current state of an HTTPProxy.	{ conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Accepted] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Programmed]] }

HTTPProxyList

HTTPProxyList contains a list of HTTPProxy.

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`HTTPProxyList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />HTTPProxy array

HTTPProxyRule

HTTPProxyRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to backends.

Appears in:

HTTPProxySpec

Field	Description	Default	Validation
`name` <br />SectionName	Name is the name of the route rule. This name MUST be unique within a Route<br />if it is set.
`matches` <br />HTTPRouteMatch array	Matches define conditions used for matching the rule against incoming<br />HTTP requests. Each match is independent, i.e. this rule will be matched<br />if any one of the matches is satisfied.<br />See documentation for the `matches` field in the `HTTPRouteRule` type at<br />https://gateway-api.sigs.k8s.io/reference/spec/#httprouterule	[map[path:map[type:PathPrefix value:/]]]	MaxItems: 64 <br />MinItems: 1 <br />
`filters` <br />HTTPRouteFilter array	Filters define the filters that are applied to requests that match<br />this rule.<br />See documentation for the `filters` field in the `HTTPRouteRule` type at<br />https://gateway-api.sigs.k8s.io/reference/spec/#httprouterule		MaxItems: 16 <br />
`backends` <br />HTTPProxyRuleBackend array	Backends defines the backend(s) where matching requests should be<br />sent.<br />Note: While this field is a list, only a single element is permitted at<br />this time due to underlying Gateway limitations. Once addressed, MaxItems<br />will be increased to allow for multiple backends on any given route.		MaxItems: 1 <br />MinItems: 0 <br />

HTTPProxyRuleBackend

Appears in:

HTTPProxyRule

Field	Description	Default	Validation
`endpoint` <br />string	Endpoint for the backend. Must be a valid URL.<br />Supports http and https protocols, IPs or DNS addresses in the host, custom<br />ports, and paths.		Required: {} <br />
`filters` <br />HTTPRouteFilter array	Filters defined at this level should be executed if and only if the<br />request is being forwarded to the backend defined here.		MaxItems: 16 <br />

HTTPProxySpec

HTTPProxySpec defines the desired state of HTTPProxy.

Appears in:

HTTPProxy

Field	Description	Default	Validation
`hostnames` <br />Hostname array	Hostnames defines a set of hostnames that should match against the HTTP<br />Host header to select a HTTPProxy used to process the request.<br />Valid values for Hostnames are determined by RFC 1123 definition of a<br />hostname with 1 notable exception:<br />1. IPs are not allowed.<br />Hostnames must be verified before being programmed. This is accomplished<br />via the use of `Domain` resources. A hostname is considered verified if any<br />verified `Domain` resource exists in the same namespace where the<br />`spec.domainName` of the resource either exactly matches the hostname, or<br />is a suffix match of the hostname. That means that a Domain with a<br />`spec.domainName` of `example.com` will match a hostname of<br />`test.example.com`, `foo.test.example.com`, and exactly `example.com`, but<br />not a hostname of `test-example.com`. If a `Domain` resource does not exist<br />that matches a hostname, one will automatically be created when the system<br />attempts to program the HTTPProxy.<br />In addition to verifying ownership, hostnames must be unique across the<br />platform. If a hostname is already programmed on another resource, a<br />conflict will be encountered and communicated in the `HostnamesVerified`<br />condition.<br />Hostnames which have been programmed will be listed in the<br />`status.hostnames` field. Any hostname which has not been programmed will<br />be listed in the `message` field of the `HostnamesVerified` condition with<br />an indication as to why it was not programmed.<br />The system may automatically generate and associate hostnames with the<br />HTTPProxy. In such cases, these will be listed in the `status.hostnames`<br />field and do not require additional configuration by the user.<br />Wildcard hostnames are not supported at this time.		MaxItems: 16 <br />Optional: {} <br />
`rules` <br />HTTPProxyRule array	Rules are a list of HTTP matchers, filters and actions.		MaxItems: 16 <br />MinItems: 1 <br />Required: {} <br />

HTTPProxyStatus

HTTPProxyStatus defines the observed state of HTTPProxy.

Appears in:

HTTPProxy

Field	Description	Validation
`addresses` <br />GatewayStatusAddress array	Addresses lists the network addresses that have been bound to the HTTPProxy. This field will not contain custom hostnames defined in the HTTPProxy. See the `hostnames` field	MaxItems: 16 <br />
`hostnames` <br />Hostname array	Hostnames lists the hostnames that have been bound to the HTTPProxy.<br />If this list does not match that defined in the HTTPProxy, see the<br />`HostnamesVerified` condition message for details.
`conditions` <br />Condition array	Conditions describe the current conditions of the HTTPProxy.

HTTPVerificationToken

Appears in:

DomainVerificationStatus

Field	Description	Default	Validation
`url` <br />string
`body` <br />string

IPBlock

IPBlock describes a particular CIDR (Ex. “192.168.1.0/24”,“2001:db8::/64”) that is allowed to the targets matched by a network policy. The except entry describes CIDRs that should not be included within this rule.

Appears in:

NetworkPolicyPeer

Field	Description	Default	Validation
`cidr` <br />string	cidr is a string representing the IPBlock<br />Valid examples are “192.168.1.0/24” or “2001:db8::/64”		Required: {} <br />
`except` <br />string array	except is a slice of CIDRs that should not be included within an IPBlock<br />Valid examples are “192.168.1.0/24” or “2001:db8::/64”<br />Except values will be rejected if they are outside the cidr range		Optional: {} <br />

IPFamily

Underlying type: string

Validation:

Enum: [IPv4 IPv6]

Appears in:

NetworkSpec
SubnetClaimSpec
SubnetSpec

| Field | Description | | IPv4 | | | IPv6 | |

LocalNetworkContextRef

Appears in:

SubnetClaimSpec
SubnetSpec

Field	Description	Default	Validation
`name` <br />string	The network context name		Required: {} <br />

LocalNetworkRef

Appears in:

NetworkContextSpec

Field	Description	Default	Validation
`name` <br />string	The network name		Required: {} <br />

LocalSubnetReference

Appears in:

SubnetClaimStatus

Field	Description	Default	Validation
`name` <br />string

Location

Location is the Schema for the locations API.

Appears in:

LocationList

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`Location`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />LocationSpec
`status` <br />LocationStatus

LocationList

LocationList contains a list of Location.

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`LocationList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Location array

LocationProvider

Appears in:

LocationSpec

Field	Description	Default	Validation
`gcp` <br />GCPLocationProvider

LocationReference

Appears in:

NetworkBindingSpec
NetworkContextSpec
SubnetClaimSpec
SubnetSpec

Field	Description	Default	Validation
`name` <br />string	Name of a datum location		Required: {} <br />
`namespace` <br />string	Namespace for the datum location		Required: {} <br />

LocationSpec

LocationSpec defines the desired state of Location.

Appears in:

Location

Field	Description	Validation
`locationClassName` <br />string	The location class that indicates control plane behavior of entities associated with the location. Valid values are: - datum-managed - self-managed	Required: {} <br />
`topology` <br />object (keys:string, values:string)	The topology of the location This may contain arbitrary topology keys. Some keys may be well known, such as: - topology.datum.net/city-code	Required: {} <br />
`provider` <br />LocationProvider	The location provider	Required: {} <br />

LocationStatus

LocationStatus defines the observed state of Location.

Appears in:

Location

Field	Description	Default	Validation
`conditions` <br />Condition array	Represents the observations of a location’s current state.

Nameserver

Appears in:

DomainRefStatus
DomainStatus

Field	Description	Default	Validation
`hostname` <br />string
`ips` <br />NameserverIP array

NameserverIP

NameserverIP captures per-address provenance for a nameserver.

Appears in:

Nameserver

Field	Description	Default	Validation
`address` <br />string
`registrantName` <br />string

Network

Network is the Schema for the networks API

Appears in:

NetworkList

Field	Description	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`Network`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />NetworkSpec		Required: {} <br />
`status` <br />NetworkStatus

NetworkBinding

NetworkBinding is the Schema for the networkbindings API

Appears in:

NetworkBindingList

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`NetworkBinding`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />NetworkBindingSpec			Required: {} <br />
`status` <br />NetworkBindingStatus		{ conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Ready]] }

NetworkBindingList

NetworkBindingList contains a list of NetworkBinding

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`NetworkBindingList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />NetworkBinding array

NetworkBindingSpec

NetworkBindingSpec defines the desired state of NetworkBinding

Appears in:

NetworkBinding

Field	Description	Default	Validation
`network` <br />NetworkRef	The network that the binding is for.		Required: {} <br />
`location` <br />LocationReference	The location of where a network binding exists.		Required: {} <br />

NetworkBindingStatus

NetworkBindingStatus defines the observed state of NetworkBinding

Appears in:

NetworkBinding

Field	Description	Default	Validation
`networkContextRef` <br />NetworkContextRef
`conditions` <br />Condition array	Represents the observations of a network binding’s current state.

NetworkContext

NetworkContext is the Schema for the networkcontexts API

Appears in:

NetworkContextList

Field	Description	Default
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`NetworkContext`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />NetworkContextSpec
`status` <br />NetworkContextStatus		{ conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Programmed] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Ready]] }

NetworkContextList

NetworkContextList contains a list of NetworkContext

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`NetworkContextList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />NetworkContext array

NetworkContextRef

Appears in:

NetworkBindingStatus

Field	Description	Default	Validation
`namespace` <br />string	The network context namespace		Required: {} <br />
`name` <br />string	The network context name		Required: {} <br />

NetworkContextSpec

NetworkContextSpec defines the desired state of NetworkContext

Appears in:

NetworkContext

Field	Description	Default	Validation
`network` <br />LocalNetworkRef	The attached network		Required: {} <br />
`location` <br />LocationReference	The location of where a network context exists.		Required: {} <br />

NetworkContextStatus

NetworkContextStatus defines the observed state of NetworkContext

Appears in:

NetworkContext

Field	Description	Default	Validation
`conditions` <br />Condition array	Represents the observations of a network context’s current state.

NetworkIPAM

Appears in:

NetworkSpec

Field	Description	Validation
`mode` <br />NetworkIPAMMode	IPAM mode	Enum: [Auto Policy] <br />Required: {} <br />
`ipv4Range` <br />string	IPv4 range to use in auto mode networks. Defaults to 10.128.0.0/9.	Optional: {} <br />
`ipv6Range` <br />string	IPv6 range to use in auto mode networks. Defaults to a /48 allocated from `fd20::/20`.	Optional: {} <br />

NetworkIPAMMode

Underlying type: string

Appears in:

NetworkIPAM

NetworkList

NetworkList contains a list of Network

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`NetworkList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Network array

NetworkPolicy

NetworkPolicy is the Schema for the networkpolicies API

Appears in:

NetworkPolicyList

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`NetworkPolicy`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />NetworkPolicySpec
`status` <br />NetworkPolicyStatus

NetworkPolicyList

NetworkPolicyList contains a list of NetworkPolicy

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`NetworkPolicyList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />NetworkPolicy array

NetworkPolicyPeer

NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

Appears in:

NetworkPolicyIngressRule

Field	Description	Default	Validation
`ipBlock` <br />IPBlock	ipBlock defines policy on a particular IPBlock. If this field is set then<br />neither of the other fields can be.		Optional: {} <br />

NetworkPolicyPort

NetworkPolicyPort describes a port to allow traffic on

Appears in:

NetworkPolicyIngressRule

Field	Description	Validation
`protocol` <br />Protocol	protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.<br />If not specified, this field defaults to TCP.	Optional: {} <br />
`port` <br />IntOrString	port represents the port on the given protocol. This can either be a numerical or named port on an instance. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.	Optional: {} <br />
`endPort` <br />integer	endPort indicates that the range of ports from port to endPort if set, inclusive,<br />should be allowed by the policy. This field cannot be defined if the port field<br />is not defined or if the port field is defined as a named (string) port.<br />The endPort must be equal or greater than port.	Optional: {} <br />

NetworkPolicySpec

NetworkPolicySpec defines the desired state of NetworkPolicy

Appears in:

NetworkPolicy

NetworkPolicyStatus

NetworkPolicyStatus defines the observed state of NetworkPolicy

Appears in:

NetworkPolicy

NetworkRef

Appears in:

NetworkBindingSpec

Field	Description	Default	Validation
`namespace` <br />string	The network namespace. Defaults to the namespace for the type the reference is embedded in.		Optional: {} <br />
`name` <br />string	The network name		Required: {} <br />

NetworkSpec

NetworkSpec defines the desired state of a Network

Appears in:

Network

Field	Description	Default	Validation
`ipam` <br />NetworkIPAM	IPAM settings for the network.		Required: {} <br />
`ipFamilies` <br />IPFamily array	IP Families to permit on a network. Defaults to IPv4.	[IPv4]	Enum: [IPv4 IPv6] <br />Optional: {} <br />
`mtu` <br />integer	Network MTU. May be between 1300 and 8856.	1460	Maximum: 8856 <br />Minimum: 1300 <br />Optional: {} <br />

NetworkStatus

NetworkStatus defines the observed state of Network

Appears in:

Network

Field	Description	Default	Validation
`conditions` <br />Condition array	Represents the observations of a network’s current state.

OWASPCRS

OWASPCRS defines configuration options for the OWASP ModSecurity Core Rule Set (CRS).

Appears in:

TrafficProtectionPolicyRuleSet

Field	Description	Default	Validation
`paranoiaLevels` <br />ParanoiaLevels	ParanoiaLevels specifies the OWASP ModSecurity Core Rule Set (CRS)<br />paranoia levels to use.	{ }
`scoreThresholds` <br />OWASPScoreThresholds	ScoreThresholds specifies the OWASP ModSecurity Core Rule Set (CRS)<br />score thresholds to block a request or response.<br />See: https://coreruleset.org/docs/2-how-crs-works/2-1-anomaly_scoring/	{ }
`ruleExclusions` <br />OWASPRuleExclusions	RuleExclusions can be used to disable specific OWASP ModSecurity Rules.<br />This allows operators to disable specific rules that may be causing false<br />positives.		Optional: {} <br />

OWASPIDRange

Underlying type: string

OWASPIDRange is a range of OWASP ModSecurity Rule IDs.

Validation:

MaxLength: 21
Pattern: ^\d{1,10}-\d{1,10}$

Appears in:

OWASPRuleExclusions

OWASPRuleExclusions

Appears in:

OWASPCRS

Field	Description	Validation
`tags` <br />OWASPTag array	Tags is a list of rule tags to disable.	MaxItems: 100 <br />Pattern: `^[a-zA-Z0-9_\-/]+$` <br />
`ids` <br />integer array	IDs is a list of specific rule IDs to disable	MaxItems: 100 <br />
`idRanges` <br />OWASPIDRange array	IDRanges is a list of specific rule ID ranges to disable.	MaxItems: 100 <br />MaxLength: 21 <br />Pattern: `^\d\{1,10\}-\d\{1,10\}$` <br />

OWASPScoreThresholds

Appears in:

OWASPCRS

Field	Description	Default	Validation
`inbound` <br />integer	Inbound is the score threshold for blocking inbound (request) traffic.	5	Maximum: 10000 <br />Minimum: 1 <br />
`outbound` <br />integer	Outbound is the score threshold for blocking outbound (response) traffic.	4	Maximum: 10000 <br />Minimum: 1 <br />

OWASPTag

Underlying type: string

Validation:

Pattern: ^[a-zA-Z0-9_\-/]+$

Appears in:

OWASPRuleExclusions

ParanoiaLevels

Appears in:

OWASPCRS

Field	Description	Default	Validation
`blocking` <br />integer	Blocking specifies the paranoia level for blocking requests or responses.	1	Maximum: 4 <br />Minimum: 1 <br />
`detection` <br />integer	Detection specifies the paranoia level for detection only. This allows<br />setting a higher paranoia level for detection while keeping blocking at a<br />lower level.	1	Maximum: 4 <br />Minimum: 1 <br />

RegistrarInfo

Appears in:

Registration

Field	Description	Default	Validation
`ianaID` <br />string
`name` <br />string
`url` <br />string

Registration

Registration represents the registration information for a domain

Appears in:

DomainStatus

Field	Description	Default	Validation
`domain` <br />string	Identity & provenance
`registryDomainID` <br />string
`handle` <br />string
`source` <br />string
`registrar` <br />RegistrarInfo
`registry` <br />RegistryInfo
`createdAt` <br />Time	Lifecycle
`updatedAt` <br />Time
`expiresAt` <br />Time
`statuses` <br />string array	Raw statuses that will either be rdap rfc8056 or whois EPP status strings
`dnssec` <br />DNSSECInfo	DNSSEC (from RDAP secureDNS, with WHOIS fallback when parsable)
`contacts` <br />ContactSet	Contacts (minimal, non-PII summary if available)
`abuse` <br />AbuseContact	Abuse / support contacts (registrar/registry)
`nextRefreshAttempt` <br />Time
`lastRefreshAttempt` <br />Time

RegistryInfo

Appears in:

Registration

Field	Description	Default	Validation
`name` <br />string
`url` <br />string

Subnet

Subnet is the Schema for the subnets API

Appears in:

SubnetList

Field	Description	Default
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`Subnet`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />SubnetSpec
`status` <br />SubnetStatus		{ conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Allocated] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Programmed] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Ready]] }

SubnetClaim

SubnetClaim is the Schema for the subnetclaims API

Appears in:

SubnetClaimList

Field	Description	Default
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`SubnetClaim`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />SubnetClaimSpec
`status` <br />SubnetClaimStatus		{ conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Allocated] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Programmed] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Ready]] }

SubnetClaimList

SubnetClaimList contains a list of SubnetClaim

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`SubnetClaimList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />SubnetClaim array

SubnetClaimSpec

SubnetClaimSpec defines the desired state of SubnetClaim

Appears in:

SubnetClaim

Field	Description	Validation
`subnetClass` <br />string	The class of subnet required	Required: {} <br />
`networkContext` <br />LocalNetworkContextRef	The network context to claim a subnet in	Required: {} <br />
`location` <br />LocationReference	The location which a subnet claim is associated with	Required: {} <br />
`ipFamily` <br />IPFamily	The IP family of a subnet claim	Enum: [IPv4 IPv6] <br />Required: {} <br />
`startAddress` <br />string	The start address of a subnet claim	Optional: {} <br />
`prefixLength` <br />integer	The prefix length of a subnet claim	Optional: {} <br />

SubnetClaimStatus

SubnetClaimStatus defines the observed state of SubnetClaim

Appears in:

SubnetClaim

Field	Description	Default	Validation
`subnetRef` <br />LocalSubnetReference	The subnet which has been claimed from
`startAddress` <br />string	The start address of a subnet claim
`prefixLength` <br />integer	The prefix length of a subnet claim
`conditions` <br />Condition array	Represents the observations of a subnet claim’s current state.

SubnetList

SubnetList contains a list of Subnet

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`SubnetList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Subnet array

SubnetSpec

SubnetSpec defines the desired state of Subnet

Appears in:

Subnet

Field	Description	Validation
`subnetClass` <br />string	The class of subnet	Required: {} <br />
`networkContext` <br />LocalNetworkContextRef	A subnet’s network context	Required: {} <br />
`location` <br />LocationReference	The location which a subnet is associated with	Required: {} <br />
`ipFamily` <br />IPFamily	The IP family of a subnet	Enum: [IPv4 IPv6] <br />Required: {} <br />
`startAddress` <br />string	The start address of a subnet	Required: {} <br />
`prefixLength` <br />integer	The prefix length of a subnet	Required: {} <br />

SubnetStatus

SubnetStatus defines the observed state of a Subnet

Appears in:

Subnet

Field	Description	Default	Validation
`startAddress` <br />string	The start address of a subnet
`prefixLength` <br />integer	The prefix length of a subnet
`conditions` <br />Condition array	Represents the observations of a subnet’s current state.

TrafficProtectionPolicy

TrafficProtectionPolicy is the Schema for the trafficprotectionpolicies API.

Appears in:

TrafficProtectionPolicyList

Field	Description	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`TrafficProtectionPolicy`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />TrafficProtectionPolicySpec		Required: {} <br />
`status` <br />TrafficProtectionPolicyStatus

TrafficProtectionPolicyList

TrafficProtectionPolicyList contains a list of TrafficProtectionPolicy.

Field	Description	Default	Validation
`apiVersion` <br />string	`networking.datumapis.com/v1alpha`
`kind` <br />string	`TrafficProtectionPolicyList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />TrafficProtectionPolicy array

TrafficProtectionPolicyMode

Underlying type: string

TrafficProtectionPolicyMode defines the mode of traffic protection to apply.

Validation:

Enum: [Observe Enforce Disabled]

Appears in:

TrafficProtectionPolicySpec

TrafficProtectionPolicyRuleSet

Appears in:

TrafficProtectionPolicySpec

Field	Description	Default	Validation
`type` <br />TrafficProtectionPolicyRuleSetType	Type specifies the type of TrafficProtectionPolicy ruleset.		Enum: [OWASPCoreRuleSet] <br />Required: {} <br />
`owaspCoreRuleSet` <br />OWASPCRS	OWASPCoreRuleSet defines configuration options for the OWASP ModSecurity<br />Core Rule Set (CRS).		Optional: {} <br />

TrafficProtectionPolicyRuleSetType

Underlying type: string

TrafficProtectionPolicyRuleSetType identifies a type of TrafficProtectionPolicy ruleset.

Appears in:

TrafficProtectionPolicyRuleSet

TrafficProtectionPolicySpec

TrafficProtectionPolicySpec defines the desired state of TrafficProtectionPolicy.

Appears in:

TrafficProtectionPolicy

Field	Description	Default	Validation
`targetRefs` <br />LocalPolicyTargetReferenceWithSectionName array	TargetRefs are the names of the Gateway resources this policy<br />is being attached to.		MinItems: 1 <br />Required: {} <br />
`mode` <br />TrafficProtectionPolicyMode	Mode specifies the mode of traffic protection to apply.<br />If not specified, defaults to “Observe”.	Observe	Enum: [Observe Enforce Disabled] <br />
`samplingPercentage` <br />integer	SamplingPercentage controls the percentage of traffic that will be processed<br />by the TrafficProtectionPolicy.	100	Maximum: 100 <br />Minimum: 1 <br />
`ruleSets` <br />TrafficProtectionPolicyRuleSet array	RuleSets specifies the TrafficProtectionPolicy rulesets to apply.	[map[owaspCoreRuleSet:map type:OWASPCoreRuleSet]]	MaxItems: 16 <br />MinItems: 1 <br />Required: {} <br />

TrafficProtectionPolicyStatus

TrafficProtectionPolicyStatus defines the observed state of TrafficProtectionPolicy.

Appears in:

TrafficProtectionPolicy

Field	Description	Default	Validation
`ancestors` <br />PolicyAncestorStatus array	Ancestors is a list of ancestor resources (usually Gateways) that are<br />associated with the policy, and the status of the policy with respect to<br />each ancestor. When this policy attaches to a parent, the controller that<br />manages the parent and the ancestors MUST add an entry to this list when<br />the controller first sees the policy and SHOULD update the entry as<br />appropriate when the relevant ancestor is modified.<br />Note that choosing the relevant ancestor is left to the Policy designers;<br />an important part of Policy design is designing the right object level at<br />which to namespace this status.<br />Note also that implementations MUST ONLY populate ancestor status for<br />the Ancestor resources they are responsible for. Implementations MUST<br />use the ControllerName field to uniquely identify the entries in this list<br />that they are responsible for.<br />Note that to achieve this, the list of PolicyAncestorStatus structs<br />MUST be treated as a map with a composite key, made up of the AncestorRef<br />and ControllerName fields combined.<br />A maximum of 16 ancestors will be represented in this list. An empty list<br />means the Policy is not relevant for any ancestors.<br />If this slice is full, implementations MUST NOT add further entries.<br />Instead they MUST consider the policy unimplementable and signal that<br />on any related resources such as the ancestor that would be referenced<br />here. For example, if this list was full on BackendTLSPolicy, no<br />additional Gateways would be able to reference the Service targeted by<br />the BackendTLSPolicy.		MaxItems: 16 <br />

notification.miloapis.com/v1alpha1

Package v1alpha1 contains API Schema definitions for the email v1alpha1 API group

Resource Types

Contact
ContactGroup
ContactGroupList
ContactGroupMembership
ContactGroupMembershipList
ContactGroupMembershipRemoval
ContactGroupMembershipRemovalList
ContactList
Email
EmailBroadcast
EmailBroadcastList
EmailList
EmailTemplate
EmailTemplateList

Contact

Contact is the Schema for the contacts API. It represents a contact for a user.

Appears in:

ContactList

Field	Description	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`Contact`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ContactSpec		Type: object <br />
`status` <br />ContactStatus

ContactGroup

ContactGroup is the Schema for the contactgroups API. It represents a logical grouping of Contacts.

Appears in:

ContactGroupList

Field	Description	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`ContactGroup`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ContactGroupSpec		Type: object <br />
`status` <br />ContactGroupStatus

ContactGroupList

ContactGroupList contains a list of ContactGroup.

Field	Description	Default	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`ContactGroupList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />ContactGroup array

ContactGroupMembership

ContactGroupMembership is the Schema for the contactgroupmemberships API. It represents a membership of a Contact in a ContactGroup.

Appears in:

ContactGroupMembershipList

Field	Description	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`ContactGroupMembership`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ContactGroupMembershipSpec		Type: object <br />
`status` <br />ContactGroupMembershipStatus

ContactGroupMembershipList

ContactGroupMembershipList contains a list of ContactGroupMembership.

Field	Description	Default	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`ContactGroupMembershipList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />ContactGroupMembership array

ContactGroupMembershipRemoval

ContactGroupMembershipRemoval is the Schema for the contactgroupmembershipremovals API. It represents a removal of a Contact from a ContactGroup, it also prevents the Contact from being added to the ContactGroup.

Validation:

Type: object

Appears in:

ContactGroupMembershipRemovalList

Field	Description	Default	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`ContactGroupMembershipRemoval`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ContactGroupMembershipRemovalSpec
`status` <br />ContactGroupMembershipRemovalStatus

ContactGroupMembershipRemovalList

ContactGroupMembershipRemovalList contains a list of ContactGroupMembershipRemoval.

Field	Description	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`ContactGroupMembershipRemovalList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />ContactGroupMembershipRemoval array		Type: object <br />

ContactGroupMembershipRemovalSpec

Appears in:

ContactGroupMembershipRemoval

Field	Description	Default	Validation
`contactRef` <br />ContactReference	ContactRef is a reference to the Contact that prevents the Contact from being part of the ContactGroup.		Required: {} <br />
`contactGroupRef` <br />ContactGroupReference	ContactGroupRef is a reference to the ContactGroup that the Contact does not want to be a member of.		Required: {} <br />

ContactGroupMembershipRemovalStatus

Appears in:

ContactGroupMembershipRemoval

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.<br />Standard condition is “Ready” which tracks contact group membership removal creation status.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for contact group membership removal to be created reason:CreatePending status:Unknown type:Ready]]	Optional: {} <br />
`username` <br />string	Username is the username of the user that owns the ContactGroupMembershipRemoval.<br />This is populated by the controller based on the referenced Contact’s subject.

ContactGroupMembershipSpec

ContactGroupMembershipSpec defines the desired state of ContactGroupMembership.

Validation:

Type: object

Appears in:

ContactGroupMembership

Field	Description	Default	Validation
`contactRef` <br />ContactReference	ContactRef is a reference to the Contact that is a member of the ContactGroup.		Required: {} <br />
`contactGroupRef` <br />ContactGroupReference	ContactGroupRef is a reference to the ContactGroup that the Contact is a member of.		Required: {} <br />

ContactGroupMembershipStatus

Appears in:

ContactGroupMembership

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.<br />Standard condition is “Ready” which tracks contact group membership creation status and sync to the contact group membership provider.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for contact group membership to be created reason:CreatePending status:Unknown type:Ready]]	Optional: {} <br />
`providers` <br />ContactProviderStatus array	Providers contains the per-provider status for this contact group membership.<br />This enables tracking multiple provider backends simultaneously.		Optional: {} <br />
`providerID` <br />string	ProviderID is the identifier returned by the underlying contact provider<br />(e.g. Resend) when the membership is created in the associated audience. It is usually<br />used to track the contact-group membership creation status (e.g. provider webhooks).<br />Deprecated: Use Providers instead.
`username` <br />string	Username is the username of the user that owns the ContactGroupMembership.<br />This is populated by the controller based on the referenced Contact’s subject.

ContactGroupProviderSpec

ContactGroupProviderSpec defines the desired state of a contact group in a specific provider.

Appears in:

ContactGroupSpec

Field	Description	Default	Validation
`name` <br />string	Name is the provider handling this contact group.<br />Allowed values is Loops.		Enum: [Loops] <br />
`id` <br />string	ID is the identifier of the contact group in the external provider.<br />This field is used when a provider does not expose an API for creating mailing lists,<br />requiring an existing ContactList ID to be provided for synchronization purposes (e.g. Loops).<br />If not provided, a new group will be created if supported by the provider.		Required: {} <br />

ContactGroupReference

ContactGroupReference contains information that points to the ContactGroup being referenced.

Appears in:

ContactGroupMembershipRemovalSpec
ContactGroupMembershipSpec
EmailBroadcastSpec

Field	Description	Default	Validation
`name` <br />string	Name is the name of the ContactGroup being referenced.		Required: {} <br />
`namespace` <br />string	Namespace is the namespace of the ContactGroup being referenced.		Required: {} <br />

ContactGroupSpec

ContactGroupSpec defines the desired state of ContactGroup.

Validation:

Type: object

Appears in:

ContactGroup

Field	Description	Validation
`displayName` <br />string	DisplayName is the display name of the contact group.	Required: {} <br />
`visibility` <br />ContactGroupVisibility	Visibility determines whether members are allowed opt-in or opt-out of the contactgroup.<br /> • “public” – members may leave via ContactGroupMembershipRemoval.<br /> • “private” – membership is enforced; opt-out requests are rejected.	Enum: [public private] <br />Required: {} <br />
`providers` <br />ContactGroupProviderSpec array	Providers defines the providers this group should be synced to.	MaxItems: 1 <br />

ContactGroupStatus

Appears in:

ContactGroup

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.<br />Standard condition is “Ready” which tracks contact group creation status and sync to the contact group provider.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for contact group to be created reason:CreatePending status:Unknown type:Ready]]	Optional: {} <br />
`providers` <br />ContactProviderStatus array	Providers contains the per-provider status for this contact group.<br />This enables tracking multiple provider backends simultaneously.		Optional: {} <br />
`providerID` <br />string	ProviderID is the identifier returned by the underlying contact groupprovider<br />(e.g. Resend) when the contact groupis created. It is usually<br />used to track the contact creation status (e.g. provider webhooks).<br />Deprecated: Use Providers instead.

ContactGroupVisibility

Underlying type: string

ContactGroupVisibility declares whether a group is open for opt-out.

Appears in:

ContactGroupSpec

ContactList

ContactList contains a list of Contact.

Field	Description	Default	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`ContactList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Contact array

ContactProviderStatus

ContactProviderStatus represents status information for a single contact provider. It allows tracking the provider name and the provider-specific identifier.

Appears in:

ContactGroupMembershipStatus
ContactGroupStatus
ContactStatus

Field	Description	Default	Validation
`name` <br />string	Name is the provider handling this contact.<br />Allowed values are Resend and Loops.		Enum: [Resend Loops] <br />
`id` <br />string	ID is the identifier returned by the specific contact provider for this contact.		Required: {} <br />

ContactReference

ContactReference contains information that points to the Contact being referenced.

Appears in:

ContactGroupMembershipRemovalSpec
ContactGroupMembershipSpec

Field	Description	Default	Validation
`name` <br />string	Name is the name of the Contact being referenced.		Required: {} <br />
`namespace` <br />string	Namespace is the namespace of the Contact being referenced.		Required: {} <br />

ContactSpec

ContactSpec defines the desired state of Contact.

Validation:

Type: object

Appears in:

Contact

Field	Description	Validation
`subject` <br />SubjectReference	Subject is a reference to the subject of the contact.	Optional: {} <br />Type: object <br />
`familyName` <br />string		Optional: {} <br />
`givenName` <br />string		Optional: {} <br />
`email` <br />string		Required: {} <br />

ContactStatus

Appears in:

Contact

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.<br />Standard condition is “Ready” which tracks contact creation status and sync to the contact provider.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for contact to be created reason:CreatePending status:Unknown type:Ready]]	Optional: {} <br />
`providers` <br />ContactProviderStatus array	Providers contains the per-provider status for this contact.<br />This enables tracking multiple provider backends simultaneously.		Optional: {} <br />
`providerID` <br />string	ProviderID is the identifier returned by the underlying contact provider<br />(e.g. Resend) when the contact is created. It is usually<br />used to track the contact creation status (e.g. provider webhooks).<br />Deprecated: Use Providers instead.

Email

Email is the Schema for the emails API. It represents a concrete e-mail that should be sent to the referenced users. For idempotency purposes, controllers can use metadata.uid as a unique identifier to prevent duplicate email delivery, since it’s guaranteed to be unique per resource instance.

Appears in:

EmailList

Field	Description	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`Email`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />EmailSpec		Type: object <br />
`status` <br />EmailStatus		Type: object <br />

EmailBroadcast

EmailBroadcast is the Schema for the emailbroadcasts API. It represents a broadcast of an email to a set of contacts (ContactGroup). If the broadcast needs to be updated, delete and recreate the resource.

Appears in:

EmailBroadcastList

Field	Description	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`EmailBroadcast`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />EmailBroadcastSpec		Type: object <br />
`status` <br />EmailBroadcastStatus

EmailBroadcastList

EmailBroadcastList contains a list of EmailBroadcast.

Field	Description	Default	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`EmailBroadcastList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />EmailBroadcast array

EmailBroadcastSpec

EmailBroadcastSpec defines the desired state of EmailBroadcast.

Validation:

Type: object

Appears in:

EmailBroadcast

Field	Description	Validation
`displayName` <br />string	DisplayName is the display name of the email broadcast.	Optional: {} <br />
`contactGroupRef` <br />ContactGroupReference	ContactGroupRef is a reference to the ContactGroup that the email broadcast is for.	Required: {} <br />
`templateRef` <br />TemplateReference	TemplateRef references the EmailTemplate to render the broadcast message.<br />When using the Resend provider you can include the following placeholders<br />in HTMLBody or TextBody; they will be substituted by the provider at send time:<br /> {{{FIRST_NAME}}} {{{LAST_NAME}}} {{{EMAIL}}}	Required: {} <br />Type: object <br />
`scheduledAt` <br />Time	ScheduledAt optionally specifies the time at which the broadcast should be executed.<br />If omitted, the message is sent as soon as the controller reconciles the resource.<br />Example: “2024-08-05T11:52:01.858Z”	Optional: {} <br />

EmailBroadcastStatus

Appears in:

EmailBroadcast

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.<br />Standard condition is “Ready” which tracks email broadcast status and sync to the email broadcast provider.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for email broadcast to be created reason:CreatePending status:Unknown type:Ready]]	Optional: {} <br />
`providerID` <br />string	ProviderID is the identifier returned by the underlying email broadcast provider<br />(e.g. Resend) when the email broadcast is created. It is usually<br />used to track the email broadcast creation status (e.g. provider webhooks).

EmailList

EmailList contains a list of Email.

Field	Description	Default	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`EmailList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Email array

EmailPriority

Underlying type: string

EmailPriority defines the priority for sending an Email.

Validation:

Enum: [low normal high]

Appears in:

EmailSpec

EmailRecipient

EmailRecipient contains information about the recipient of the email.

Validation:

Type: object

Appears in:

EmailSpec

Field	Description	Default	Validation
`userRef` <br />EmailUserReference	UserRef references the User resource that will receive the message.<br />It is mutually exclusive with EmailAddress: exactly one of them must be specified.		Optional: {} <br />Type: object <br />
`emailAddress` <br />string	EmailAddress allows specifying a literal e-mail address for the recipient instead of referencing a User resource.<br />It is mutually exclusive with UserRef: exactly one of them must be specified.		Optional: {} <br />

EmailSpec

EmailSpec defines the desired state of Email. It references a template, recipients, and any variables required to render the final message.

Validation:

Type: object

Appears in:

Field	Description	Default	Validation
`templateRef` <br />TemplateReference	TemplateRef references the EmailTemplate that should be rendered.		Required: {} <br />Type: object <br />
`recipient` <br />EmailRecipient	Recipient contain the recipient of the email.		Required: {} <br />Type: object <br />
`cc` <br />string array	CC contains additional e-mail addresses that will receive a carbon copy of the message.<br />Maximum 10 addresses.		MaxItems: 10 <br />Optional: {} <br />
`bcc` <br />string array	BCC contains e-mail addresses that will receive a blind-carbon copy of the message.<br />Maximum 10 addresses.		MaxItems: 10 <br />Optional: {} <br />
`variables` <br />EmailVariable array	Variables supplies the values that will be substituted in the template.		Optional: {} <br />Type: object <br />
`priority` <br />EmailPriority	Priority influences the order in which pending e-mails are processed.	normal	Enum: [low normal high] <br />Optional: {} <br />

EmailStatus

EmailStatus captures the observed state of an Email. Uses standard Kubernetes conditions to track both processing and delivery state.

Validation:

Type: object

Appears in:

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.<br />Standard condition is “Delivered” which tracks email delivery status.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for email delivery reason:DeliveryPending status:Unknown type:Delivered]]	Optional: {} <br />
`providerID` <br />string	ProviderID is the identifier returned by the underlying email provider<br />(e.g. Resend) when the e-mail is accepted for delivery. It is usually<br />used to track the email delivery status (e.g. provider webhooks).
`htmlBody` <br />string	HTMLBody stores the rendered HTML content of the e-mail.
`textBody` <br />string	TextBody stores the rendered plain-text content of the e-mail.
`subject` <br />string	Subject stores the subject line used for the e-mail.
`emailAddress` <br />string	EmailAddress stores the final recipient address used for delivery,<br />after resolving any referenced User.

EmailTemplate

EmailTemplate is the Schema for the email templates API. It represents a reusable e-mail template that can be rendered by substituting the declared variables.

Appears in:

EmailTemplateList

Field	Description	Default	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`EmailTemplate`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />EmailTemplateSpec
`status` <br />EmailTemplateStatus

EmailTemplateList

EmailTemplateList contains a list of EmailTemplate.

Field	Description	Default	Validation
`apiVersion` <br />string	`notification.miloapis.com/v1alpha1`
`kind` <br />string	`EmailTemplateList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />EmailTemplate array

EmailTemplateSpec

EmailTemplateSpec defines the desired state of EmailTemplate. It contains the subject, content, and declared variables.

Appears in:

EmailTemplate

Field	Description	Validation
`subject` <br />string	Subject is the string that composes the email subject line.	Required: {} <br />
`htmlBody` <br />string	HTMLBody is the string for the HTML representation of the message.	Required: {} <br />
`textBody` <br />string	TextBody is the Go template string for the plain-text representation of the message.	Required: {} <br />
`variables` <br />TemplateVariable array	Variables enumerates all variables that can be referenced inside the template expressions.	MaxItems: 100 <br />Optional: {} <br />Type: object <br />

EmailTemplateStatus

EmailTemplateStatus captures the observed state of an EmailTemplate. Right now we only expose standard Kubernetes conditions so callers can determine whether the template is ready for use.

Appears in:

EmailTemplate

Field	Description	Default	Validation
`conditions` <br />Condition array	Conditions represent the latest available observations of an object’s current state.	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]	Optional: {} <br />

EmailTemplateVariableType

Underlying type: string

EmailTemplateVariableType defines the set of supported variable kinds.

Validation:

Enum: [string url]

Appears in:

TemplateVariable

EmailUserReference

EmailUserReference contains information about the recipient User resource. Users are cluster-scoped resources, hence Namespace is not included.

Validation:

Type: object

Appears in:

EmailRecipient

Field	Description	Default	Validation
`name` <br />string	Name contain the name of the User resource that will receive the email.		Required: {} <br />

EmailVariable

EmailVariable represents a name/value pair that will be injected into the template.

Validation:

Type: object

Appears in:

EmailSpec

Field	Description	Default	Validation
`name` <br />string	Name of the variable as declared in the associated EmailTemplate.		Required: {} <br />
`value` <br />string	Value provided for this variable.		Required: {} <br />

SubjectReference

SubjectReference is a reference to the subject of the contact.

Validation:

Type: object

Appears in:

ContactSpec

Field	Description	Validation
`apiGroup` <br />string	APIGroup is the group for the resource being referenced.	Enum: [iam.miloapis.com] <br />Required: {} <br />
`kind` <br />string	Kind is the type of resource being referenced.	Enum: [User] <br />Required: {} <br />
`name` <br />string	Name is the name of resource being referenced.	Required: {} <br />
`namespace` <br />string	Namespace is the namespace of resource being referenced.<br />Required for namespace-scoped resources. Omitted for cluster-scoped resources.	Optional: {} <br />

TemplateReference

TemplateReference contains information that points to the EmailTemplate being used. EmailTemplate is a cluster-scoped resource, so Namespace is not required.

Validation:

Type: object

Appears in:

EmailBroadcastSpec
EmailSpec

Field	Description	Default	Validation
`name` <br />string	Name is the name of the EmailTemplate being referenced.		Required: {} <br />

TemplateVariable

TemplateVariable declares a variable that can be referenced in the template body or subject. Each variable must be listed here so that callers know which parameters are expected.

Validation:

Type: object

Appears in:

EmailTemplateSpec

Field	Description	Validation
`name` <br />string	Name is the identifier of the variable as it appears inside the Go template (e.g. {{.UserName}}).	Required: {} <br />
`required` <br />boolean	Required indicates whether the variable must be provided when rendering the template.	Required: {} <br />
`type` <br />EmailTemplateVariableType	Type provides a hint about the expected value of this variable (e.g. plain string or URL).	Enum: [string url] <br />Required: {} <br />

quota.miloapis.com/v1alpha1

Package v1alpha1 contains API schema definitions for the quota.miloapis.com group.

Quota System Overview

The quota system enables platform administrators to control resource consumption through real-time enforcement and automated policy execution. The system tracks resource usage, allocates capacity to consumers, and prevents resource creation when limits are exceeded.

Core Resource Types

The quota system uses four core types that manage resource tracking and allocation:

ResourceRegistration: Registers a resource type for quota tracking. Platform administrators create registrations to define measurement units, display formats, and specify which resources can consume the tracked resource type. For example, registering “Projects per Organization” allows the system to track Project creation within Organizations.

ResourceGrant: Allocates quota capacity to a specific consumer. Grants provide concrete allowances (for example, “100 Projects”) to consumers like Organizations. Multiple grants for the same consumer and resource type combine to determine total capacity. Administrators create grants manually or automate them using GrantCreationPolicy.

ResourceClaim: Requests quota during resource creation. Claims consume allocated capacity when resources are created. The system evaluates each claim against available quota and either grants or denies the request. ClaimCreationPolicy typically creates claims automatically during admission.

AllowanceBucket: Aggregates quota limits and usage for decision-making. The system creates one bucket per consumer-resource type combination. Buckets combine capacity from all active ResourceGrants and track consumption from all granted ResourceClaims to calculate real-time availability for admission decisions.

Policy Automation Types

Two policy types automate quota management based on resource lifecycle events:

GrantCreationPolicy: Creates ResourceGrants when conditions are met. Policies watch for resource changes and automatically provision quota capacity. For example, automatically grant “100 Projects” when a new Organization is created. Supports cross-cluster allocation and CEL expression-based conditions.

ClaimCreationPolicy: Creates ResourceClaims during admission. Policies intercept resource creation requests and generate quota claims for evaluation. For example, create a “1 Project” claim when a Project resource is created. Uses CEL expressions for dynamic claim content and trigger conditions.

How the System Works

The quota system follows this workflow:

Registration: Administrators register resource types that require quota tracking.
Allocation: ResourceGrants provide quota capacity to consumers.
Aggregation: AllowanceBuckets combine grants and track usage for each consumer-resource pair.
Enforcement: ResourceClaims request quota during admission; the system grants or denies based on bucket availability.
Monitoring: Bucket status provides real-time quota usage visibility.

Policy Automation Workflow

Policies automate the allocation and enforcement steps:

Grant Policies: Monitor resource changes and create grants when conditions match.
Claim Policies: Intercept admission requests and create claims for quota enforcement.
Evaluation: The system processes claims against bucket capacity in real-time.

Status and Conditions

All resource types use standard Kubernetes status conditions to communicate state:

Active/Ready conditions: Indicate when resources are operational and contributing to quota decisions.
Validation conditions: Report configuration errors and resolution guidance.
ObservedGeneration: Tracks which specification version the system has processed.

The system updates status conditions to reflect current state and provide troubleshooting information when problems occur.

Resource Types

AllowanceBucket
AllowanceBucketList
ClaimCreationPolicy
ClaimCreationPolicyList
GrantCreationPolicy
GrantCreationPolicyList
ResourceClaim
ResourceClaimList
ResourceGrant
ResourceGrantList
ResourceRegistration
ResourceRegistrationList

Allowance

Allowance defines quota allocation for a specific resource type within a ResourceGrant. Each allowance can contain multiple buckets that sum to provide total capacity.

Appears in:

ResourceGrantSpec

Field	Description	Default	Validation
`resourceType` <br />string	ResourceType identifies the specific resource type receiving quota allocation.<br />Must exactly match a ResourceRegistration.spec.resourceType that is currently active.<br />The quota system validates this reference when processing the grant.<br />The identifier format is flexible, as defined by platform administrators<br />in their ResourceRegistrations.<br />Examples:<br />- “resourcemanager.miloapis.com/projects”<br />- “compute_cpu”<br />- “storage.volumes”<br />- “custom-service-quota”		Required: {} <br />
`buckets` <br />Bucket array	Buckets contains the quota allocations for this resource type.<br />All bucket amounts are summed to determine the total allowance.<br />Minimum 1 bucket required per allowance.<br />Multiple buckets can be used for:<br />- Separating quota from different sources or tiers<br />- Managing incremental quota increases over time<br />- Tracking quota attribution for billing or reporting		MinItems: 1 <br />Required: {} <br />

AllowanceBucket

AllowanceBucket aggregates quota limits and usage for a single (consumer, resourceType) combination. The system automatically creates buckets to provide real-time quota availability information for ResourceClaim evaluation during admission.

How It Works

Auto-Creation: Quota system creates buckets automatically for each unique (consumer, resourceType) pair found in active ResourceGrants
Aggregation: Quota system continuously aggregates capacity from active ResourceGrants and consumption from granted ResourceClaims
Decision Support: Quota system uses bucket status.available to determine if ResourceClaims can be granted
Updates: Quota system updates bucket status whenever contributing grants or claims change

Aggregation Logic

AllowanceBuckets serve as the central aggregation point where quota capacity meets quota consumption. The quota system continuously scans for ResourceGrants that match both the bucket’s consumer and resource type, but only considers grants with an Active status condition. For each qualifying grant, the quota system examines all allowances targeting the bucket’s resource type and sums the amounts from every bucket within those allowances. This sum becomes the bucket’s limit - the total quota capacity available to the consumer for that specific resource type.

Simultaneously, the quota system tracks quota consumption by finding all ResourceClaims with matching consumer and resource type specifications. However, only claims that have been successfully granted contribute to the allocated total. The quota system sums the allocated amounts from all granted requests, creating a running total of consumed quota capacity.

The available quota emerges from this simple relationship: Available = Limit - Allocated. The system ensures this value never goes negative, treating any calculated negative as zero. This available amount represents the quota capacity remaining for new ResourceClaims and drives real-time admission decisions throughout the cluster.

Real-Time Admission Decisions

When a ResourceClaim is created:

Quota system identifies the relevant bucket (matching consumer and resource type)
Compares requested amount with bucket’s status.available
Grants claim if requested amount <= available capacity
Denies claim if requested amount > available capacity
Updates bucket status to reflect the new allocation (if granted)

Bucket Lifecycle

Auto-Created: When first ResourceGrant creates allowance for (consumer, resourceType)
Active: Continuously aggregated while ResourceGrants or ResourceClaims exist
Updated: Status refreshed whenever contributing resources change
Persistent: Buckets remain even when limit drops to 0 (for monitoring)

Consistency and Performance

Eventual Consistency:

Status may lag briefly after ResourceGrant or ResourceClaim changes
Controller processes updates asynchronously for performance
LastReconciliation timestamp indicates data freshness

Scale Optimization:

Stores aggregates (limit, allocated, available) rather than individual entries
ContributingGrantRefs tracks grants (few) but not claims (many)
Single bucket per (consumer, resourceType) regardless of claim count

Status Information

Limit: Total quota capacity from all contributing ResourceGrants
Allocated: Total quota consumed by all granted ResourceClaims
Available: Remaining quota capacity (Limit - Allocated)
ClaimCount: Number of granted claims consuming from this bucket
GrantCount: Number of active grants contributing to this bucket
ContributingGrantRefs: Detailed information about contributing grants

Monitoring and Troubleshooting

Quota Monitoring:

Monitor status.available to track quota usage trends
Check status.allocated vs status.limit for utilization ratios
Use status.claimCount to understand resource creation patterns

Troubleshooting Issues: When investigating quota problems, start with the bucket’s limit value. A limit of zero typically indicates that no ResourceGrants are contributing capacity for this consumer and resource type combination. Verify that ResourceGrants exist with matching consumer and resource type specifications, and confirm their status conditions show Active=True. Grants with validation failures or pending states won’t contribute to bucket limits.

High allocation values relative to limits suggest quota consumption issues. Review the ResourceClaims that match this bucket’s consumer and resource type to identify which resources are consuming large amounts of quota. Check the claim allocation details to understand consumption patterns and identify potential quota leaks where claims aren’t being cleaned up properly.

Stale bucket data manifests as allocation or limit values that don’t reflect recent changes to grants or claims. Check the lastReconciliation timestamp to determine data freshness, then examine quota system logs for aggregation errors or performance issues. The quota system should process changes within seconds under normal conditions.

System Architecture

Single Writer: Only the quota system updates bucket status (prevents races)
Dedicated Processing: Separate components focus solely on bucket aggregation
Event-Driven: Responds to ResourceGrant and ResourceClaim changes
Efficient Queries: Uses indexes and field selectors for fast aggregation

Selectors and Filtering

Field selectors: spec.consumerRef.kind, spec.consumerRef.name, spec.resourceType
System labels (set automatically by quota system):
- quota.miloapis.com/consumer-kind: Organization
- quota.miloapis.com/consumer-name: acme-corp

Common Queries

All buckets for a consumer: label selector quota.miloapis.com/consumer-kind + quota.miloapis.com/consumer-name
All buckets for a resource type: field selector spec.resourceType=<value>
Specific bucket: field selector spec.consumerRef.name + spec.resourceType
Overutilized buckets: filter by status.available < threshold
Empty buckets: filter by status.limit = 0

Performance Considerations

Bucket status updates are asynchronous and may lag resource changes
Large numbers of ResourceClaims can impact aggregation performance
Controller uses efficient aggregation queries to handle scale
Status updates are batched to reduce API server load

Appears in:

AllowanceBucketList

Field	Description	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`AllowanceBucket`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />AllowanceBucketSpec		Required: {} <br />
`status` <br />AllowanceBucketStatus

AllowanceBucketList

AllowanceBucketList contains a list of AllowanceBucket.

Field	Description	Default	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`AllowanceBucketList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />AllowanceBucket array

AllowanceBucketSpec

AllowanceBucketSpec defines the desired state of AllowanceBucket. The system automatically creates buckets for each unique (consumer, resourceType) combination found in active ResourceGrants.

Appears in:

AllowanceBucket

Field	Description	Default	Validation
`consumerRef` <br />ConsumerRef	ConsumerRef identifies the quota consumer tracked by this bucket.<br />Must match the ConsumerRef from ResourceGrants that contribute to this bucket.<br />Only one bucket exists per unique (ConsumerRef, ResourceType) combination.<br />Examples:<br />- Organization “acme-corp” consuming Project quota<br />- Project “web-app” consuming User quota<br />- Organization “enterprise-corp” consuming storage quota		Required: {} <br />
`resourceType` <br />string	ResourceType specifies which resource type this bucket aggregates quota for.<br />Must exactly match a ResourceRegistration.spec.resourceType that is currently active.<br />The quota system validates this reference and only creates buckets for registered types.<br />The identifier format is flexible, as defined by platform administrators<br />in their ResourceRegistrations.<br />Examples:<br />- “resourcemanager.miloapis.com/projects”<br />- “compute_cpu”<br />- “storage.volumes”<br />- “custom-service-quota”		MaxLength: 253 <br />MinLength: 1 <br />Required: {} <br />

AllowanceBucketStatus

AllowanceBucketStatus contains the quota system-computed quota aggregation for a specific (consumer, resourceType) combination. The quota system continuously updates this status by aggregating capacity from active ResourceGrants and consumption from granted ResourceClaims.

Appears in:

AllowanceBucket

Field	Description	Validation
`observedGeneration` <br />integer	ObservedGeneration indicates the most recent spec generation the quota system has processed.<br />When ObservedGeneration matches metadata.generation, the status reflects the current spec.<br />When ObservedGeneration is lower, the quota system is still processing recent changes.	Optional: {} <br />
`limit` <br />integer	Limit represents the total quota capacity available for this (consumer, resourceType) combination.<br />Calculated by summing all bucket amounts from active ResourceGrants that match the bucket’s<br />spec.consumerRef and spec.resourceType. Measured in BaseUnit from the ResourceRegistration.<br />Aggregation logic:<br />- Only ResourceGrants with status.conditions[type=Active]=True contribute to the limit<br />- All allowances matching spec.resourceType are included from contributing grants<br />- All bucket amounts within matching allowances are summed	Minimum: 0 <br />Required: {} <br />
`allocated` <br />integer	Allocated represents the total quota currently consumed by granted ResourceClaims.<br />Calculated by summing all allocation amounts from ResourceClaims with status.conditions[type=Granted]=True<br />that match the bucket’s spec.consumerRef and have requests for spec.resourceType.<br />Aggregation logic:<br />- Only ResourceClaims with Granted=True contribute to allocated amount<br />- Only requests matching spec.resourceType are included<br />- All allocated amounts from matching requests are summed	Minimum: 0 <br />Required: {} <br />
`available` <br />integer	Available represents the quota capacity remaining for new ResourceClaims.<br />Always calculated as: Available = Limit - Allocated (never negative).<br />The system uses this value to determine whether new ResourceClaims can be granted.<br />Decision logic:<br />- ResourceClaim is granted if requested amount <= Available<br />- ResourceClaim is denied if requested amount > Available<br />- Multiple concurrent claims may race; first to be processed wins	Minimum: 0 <br />Required: {} <br />
`claimCount` <br />integer	ClaimCount indicates the total number of granted ResourceClaims consuming quota from this bucket.<br />Includes all ResourceClaims with status.conditions[type=Granted]=True that have requests<br />matching spec.resourceType and spec.consumerRef.<br />Used for monitoring quota usage patterns and identifying potential issues.	Minimum: 0 <br />Required: {} <br />
`grantCount` <br />integer	GrantCount indicates the total number of active ResourceGrants contributing to this bucket’s limit.<br />Includes all ResourceGrants with status.conditions[type=Active]=True that have allowances<br />matching spec.resourceType and spec.consumerRef.<br />Used for understanding quota source distribution and debugging capacity issues.	Minimum: 0 <br />Required: {} <br />
`contributingGrantRefs` <br />ContributingGrantRef array	ContributingGrantRefs provides detailed information about each ResourceGrant that contributes<br />to this bucket’s limit. Includes grant names, amounts, and last observed generations for<br />tracking and debugging quota sources.<br />This field provides visibility into:<br />- Which grants are providing quota capacity<br />- How much each grant contributes<br />- Whether grants have been updated since last bucket calculation<br />Grants are tracked individually because they are typically few in number compared to claims.	Optional: {} <br />
`lastReconciliation` <br />Time	LastReconciliation records when the quota system last recalculated this status.<br />Used for monitoring quota system health and understanding how fresh the aggregated data is.<br />The quota system updates this timestamp every time it processes the bucket, regardless of<br />whether the aggregated values changed.	Optional: {} <br />

Bucket

Bucket represents a single allocation of quota capacity within an allowance. Each bucket contributes its amount to the total allowance for a resource type.

Appears in:

Allowance

Field	Description	Default	Validation
`amount` <br />integer	Amount specifies the quota capacity provided by this bucket.<br />Must be measured in the BaseUnit defined by the corresponding ResourceRegistration.<br />Must be a non-negative integer (0 is valid but provides no quota).<br />Examples:<br />- 100 (providing 100 projects)<br />- 2048000 (providing 2048000 bytes = 2GB)<br />- 5000 (providing 5000 CPU millicores = 5 cores)		Minimum: 0 <br />Required: {} <br />

ClaimCreationPolicy

ClaimCreationPolicy automatically creates ResourceClaims during admission to enforce quota in real-time. Policies intercept resource creation requests, evaluate trigger conditions, and generate quota claims that prevent resource creation when quota limits are exceeded.

How It Works

Trigger Matching: Admission webhook matches incoming resource creates against spec.trigger.resource
Constraint Evaluation: All CEL expressions in spec.trigger.constraints must evaluate to true
Template Rendering: Policy renders spec.target.resourceClaimTemplate using available template variables
Claim Creation: System creates the rendered ResourceClaim in the specified namespace
Quota Evaluation: Claim is immediately evaluated against AllowanceBucket capacity
Admission Decision: Original resource creation succeeds or fails based on claim result

Policy Processing Flow

Active Policies (spec.disabled=false):

Admission webhook receives resource creation request
Finds all ClaimCreationPolicies matching the resource type
Evaluates trigger constraints for each matching policy
Creates ResourceClaim for each policy where all constraints are true
Evaluates all created claims against quota buckets
Allows resource creation only if all claims are granted

Disabled Policies (spec.disabled=true):

Completely ignored during admission processing
No constraints evaluated, no claims created
Useful for temporarily disabling quota enforcement

Template Expressions

Template expressions generate dynamic content for ResourceClaim fields including metadata and specification. Content inside {{ }} delimiters is evaluated as CEL expressions, while content outside is treated as literal text.

Template Expression Rules:

{{expression}} - Pure CEL expression, evaluated and substituted
literal-text - Used as-is without any evaluation
{{expression}}-literal - CEL output combined with literal text
prefix-{{expression}}-suffix - Literal text surrounding CEL expression

Template Expression Examples:

{{trigger.metadata.name + '-claim'}} - Pure CEL expression (metadata)
{{trigger.metadata.name}}-quota-claim - CEL + literal suffix (metadata)
{{trigger.spec.organization}} - Extract spec field for consumer name (spec)
{{trigger.metadata.labels["tier"] + "-tier"}} - Label-based naming (spec)
fixed-claim-name - Literal string only (no evaluation)

Use Template Expressions For: ResourceClaimTemplate fields (metadata and spec)

Constraint Expressions

Constraint expressions determine whether a policy should trigger by evaluating boolean conditions. These are pure CEL expressions without delimiters that must return true/false values.

Constraint Expression Rules:

Write pure CEL expressions directly (no wrapping syntax)
Must return boolean values (true = trigger policy, false = skip)
All constraints in a policy must return true for the policy to activate

Constraint Expression Examples:

trigger.spec.tier == "premium" - Field equality check
trigger.metadata.labels["environment"] == "prod" - Label-based filtering
user.groups.exists(g, g == "admin") - User authorization check
has(trigger.spec.quotaProfile) - Field existence check

Use Constraint Expressions For: spec.trigger.constraints fields

Expression Variables

Both template and constraint expressions have access to the same context variables:

trigger: The complete resource that triggered the policy, including all metadata, spec, and status fields. Navigate using CEL property access: trigger.metadata.name, trigger.spec.replicas.

user: Authentication context providing access to the requester’s name, unique identifier, group memberships, and additional attributes. Enables user-based quota policies.

requestInfo: Operational context including the API verb being performed and resource type being manipulated. Useful for distinguishing between create, update, and delete operations.

CEL Functions: Standard CEL functions available for data manipulation including conditional expressions (condition ? value1 : value2), string methods (lowerAscii(), upperAscii(), trim()), and collection operations (exists(), all(), filter()).

Consumer Resolution

The system automatically resolves spec.consumerRef for created claims:

Uses parent context resolution to find the appropriate consumer
Typically resolves to Organization for Project resources, Project for User resources, etc.
Consumer must match the ResourceRegistration.spec.consumerType for the requested resource type

Validation and Dependencies

Policy Validation:

Target resource type must exist and be accessible
All resource types in claim specification must have active ResourceRegistrations
Consumer resolution must be resolvable for target resources
CEL expressions must be syntactically valid

Runtime Dependencies:

ResourceRegistration must be Active for each requested resource type
Triggering resource kind must be listed in ResourceRegistration.spec.claimingResources
AllowanceBucket must exist (created automatically when ResourceGrants are active)

Policy Lifecycle

Creation: Administrator creates ClaimCreationPolicy
Validation: System validates target resource and expressions
Activation: System sets Ready=True when validation passes
Operation: Admission webhook uses active policies to create claims
Updates: Changes trigger re-validation; only Ready policies are used

Status Conditions

Ready=True: Policy is validated and actively creating claims
Ready=False, reason=ValidationFailed: Configuration errors prevent activation (check message)
Ready=False, reason=PolicyDisabled: Policy is disabled (spec.disabled=true)

Automatic Claim Features

Claims created by ClaimCreationPolicy include:

Standard Labels: quota.miloapis.com/auto-created=true, quota.miloapis.com/policy=<policy-name>
Standard Annotations: quota.miloapis.com/created-by=claim-creation-plugin, timestamps
Owner References: Set to triggering resource when possible for lifecycle management
Cleanup: Automatically cleaned up when denied to prevent accumulation

Field Constraints and Limits

Maximum 10 constraints per trigger (spec.trigger.constraints)
Static amounts only in v1alpha1 (no expression-based quota amounts)
Template metadata labels are literal strings (no expression processing)
Template annotation values support CEL expressions

Selectors and Filtering

Field selectors: spec.trigger.resource.kind, spec.trigger.resource.apiVersion, spec.disabled
Recommended labels (add manually):
- quota.miloapis.com/target-kind: Project
- quota.miloapis.com/environment: production
- quota.miloapis.com/tier: premium

Common Queries

All policies for a resource kind: label selector quota.miloapis.com/target-kind=<kind>
Active policies only: field selector spec.disabled=false
Environment-specific policies: label selector quota.miloapis.com/environment=<env>
Failed policies: filter by status.conditions[type=Ready].status=False

Troubleshooting

Policy not triggering: Check spec.disabled=false and status.conditions[type=Ready]=True
Template errors: Review status condition message for CEL expression syntax issues
CEL expression failures: Validate expression syntax and available variables
Claims not created: Verify trigger constraints match the incoming resource
Consumer resolution errors: Check parent context resolution and ResourceRegistration setup

Performance Considerations

Policies are evaluated synchronously during admission (affects API latency)
Complex CEL expressions can impact admission performance
Template rendering occurs for every matching admission request
Consider using specific trigger constraints to limit policy evaluation scope

Security Considerations

Templates can access complete trigger resource data (sensitive field exposure)
CEL expressions have access to user information and request details
Only trusted administrators should create or modify policies
Review template output to ensure no sensitive data leakage in claim metadata

Appears in:

ClaimCreationPolicyList

Field	Description	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`ClaimCreationPolicy`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ClaimCreationPolicySpec		Required: {} <br />
`status` <br />ClaimCreationPolicyStatus

ClaimCreationPolicyList

ClaimCreationPolicyList contains a list of ClaimCreationPolicy.

Field	Description	Default	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`ClaimCreationPolicyList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />ClaimCreationPolicy array

ClaimCreationPolicySpec

ClaimCreationPolicySpec defines the desired state of ClaimCreationPolicy.

Appears in:

ClaimCreationPolicy

Field	Description	Default	Validation
`trigger` <br />ClaimTriggerSpec	Trigger defines what resource changes should trigger claim creation.		Required: {} <br />
`target` <br />ClaimTargetSpec	Target defines how and where ResourceClaims should be created.		Required: {} <br />
`disabled` <br />boolean	Disabled determines if this policy is inactive.<br />If true, no ResourceClaims will be created for matching resources.	false

ClaimCreationPolicyStatus

ClaimCreationPolicyStatus defines the observed state of ClaimCreationPolicy.

Status fields

conditions[type=Ready]: True when the policy is validated and active.

ClaimTargetSpec

ClaimTargetSpec defines how ResourceClaims are created for a matched trigger.

Appears in:

ClaimCreationPolicySpec

Field	Description	Default	Validation
`resourceClaimTemplate` <br />ResourceClaimTemplate	ResourceClaimTemplate defines how to create ResourceClaims.<br />String fields support CEL expressions for dynamic content.		Required: {} <br />

ClaimTriggerResource

ClaimTriggerResource identifies the resource type that triggers this policy.

Appears in:

ClaimTriggerSpec

Field	Description	Default	Validation
`apiVersion` <br />string	APIVersion of the trigger resource in the format “group/version” or “version” for core resources.<br />Examples: “v1” for core resources like Secret, “resourcemanager.miloapis.com/v1alpha1” for custom resources.		Pattern: `^(v[0-9]+((alpha\|beta)[0-9])?\|[a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)\/v[0-9]+((alpha\|beta)[0-9]*)?)$` <br />Required: {} <br />
`kind` <br />string	Kind is the kind of the trigger resource.		MinLength: 1 <br />Required: {} <br />

ClaimTriggerSpec

ClaimTriggerSpec defines the resource type and optional conditions for triggering claim creation.

Appears in:

ClaimCreationPolicySpec

Field	Description	Default	Validation
`resource` <br />ClaimTriggerResource	Resource specifies which resource type triggers this policy.		Required: {} <br />
`constraints` <br />ConditionExpression array	Constraints are CEL expressions that must evaluate to true for claim creation to occur.<br />These are pure CEL expressions WITHOUT {{ }} delimiters (unlike template fields).<br />Evaluated in the admission context.		MaxItems: 10 <br />

ClaimingResource

ClaimingResource identifies a resource type that can create ResourceClaims for this registration. Uses unversioned references to remain valid across API version changes.

Appears in:

ResourceRegistrationSpec

Field	Description	Default	Validation
`apiGroup` <br />string	APIGroup specifies the API group of the resource that can create claims.<br />Use empty string for Kubernetes core resources (Secret, ConfigMap, etc.).<br />Use full group name for custom resources.<br />Examples:<br />- `""` (core resources like Secret, ConfigMap)<br />- `resourcemanager.miloapis.com` (custom resource group) - `iam.miloapis.com` (Milo IAM resources)		Optional: {} <br />Pattern: `^$\|^[a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)*$` <br />
`kind` <br />string	Kind specifies the resource type that can create ResourceClaims for this registration.<br />Must match an existing resource type. Maximum 63 characters.<br />Examples:<br />- `Project` (Project resource creating claims for Project quota)<br />- `User` (User resource creating claims for User quota)<br />- `Organization` (Organization resource creating claims for Organization quota)		MaxLength: 63 <br />MinLength: 1 <br />Required: {} <br />

ConditionExpression

ConditionExpression defines a CEL expression that determines when the policy should trigger. All expressions in a policy’s trigger conditions must evaluate to true for the policy to activate.

Appears in:

ClaimTriggerSpec
GrantTriggerSpec

Field	Description	Default	Validation
`expression` <br />string	Expression specifies the CEL expression to evaluate against the trigger resource.<br />This is a pure CEL expression WITHOUT {{ }} delimiters (unlike template fields).<br />Must return a boolean value (true to match, false to skip).<br />Maximum 1024 characters.<br />Available variables in GrantCreationPolicy context:<br />- trigger: The complete resource being watched (map[string]any)<br /> - trigger.metadata.name, trigger.spec., trigger.status., etc.<br />Common expression patterns:<br />- trigger.spec.tier == “premium” (check resource field)<br />- trigger.metadata.labels[“environment”] == “prod” (check labels)<br />- trigger.status.phase == “Active” (check status)<br />- trigger.metadata.namespace == “production” (check namespace)<br />- has(trigger.spec.quotaProfile) (check field existence)		MaxLength: 1024 <br />MinLength: 1 <br />Required: {} <br />
`message` <br />string	Message provides a human-readable description explaining when this condition applies.<br />Used for documentation and debugging. Maximum 256 characters.<br />Examples:<br />- “Applies only to premium tier organizations”<br />- “Matches organizations in production environment”<br />- “Triggers when quota profile is specified”		MaxLength: 256 <br />

ConsumerRef

ConsumerRef identifies a quota consumer - the entity that receives quota grants and creates quota claims. Consumers are typically hierarchical (Organization > Project > User).

Appears in:

Allocation
AllowanceBucketSpec
ResourceClaimSpec
ResourceGrantSpec

Field	Description	Validation
`apiGroup` <br />string	APIGroup specifies the API group of the consumer resource.<br />Use full group name for Milo resources.<br />Examples:<br />- “resourcemanager.miloapis.com” (Organization/Project resources)<br />- “iam.miloapis.com” (User/Group resources)<br />- “infrastructure.miloapis.com” (infrastructure resources)	Optional: {} <br />
`kind` <br />string	Kind specifies the type of consumer resource.<br />Must match an existing Kubernetes resource type that can receive quota grants.<br />Common consumer types:<br />- “Organization” (top-level quota consumer)<br />- “Project” (project-level quota consumer)<br />- “User” (user-level quota consumer)	Required: {} <br />
`name` <br />string	Name identifies the specific consumer resource instance. Must match the name of an existing consumer resource in the cluster. Examples: - “acme-corp” (Organization name) - “web-application” (Project name) - “john.doe” (User name)	Required: {} <br />
`namespace` <br />string	Namespace identifies the namespace of the consumer resource.<br />Required for namespaced consumer resources (e.g., Projects).<br />Leave empty for cluster-scoped consumer resources (e.g., Organizations).<br />Examples:<br />- "" (empty for cluster-scoped Organizations)<br />- “organization-acme-corp” (namespace for Projects within an organization)<br />- “project-web-app” (namespace for resources within a project)	Optional: {} <br />

ConsumerType

ConsumerType identifies the resource type that consumes quota. The consumer receives ResourceGrants and creates ResourceClaims for the registered resource. For example, when registering “Projects per Organization”, Organization is the consumer type.

Appears in:

ResourceRegistrationSpec

Field	Description	Default	Validation
`apiGroup` <br />string	APIGroup specifies the API group of the quota consumer resource type.<br />Use empty string for Kubernetes core resources (Secret, ConfigMap, etc.).<br />Use full group name for custom resources (for example, `resourcemanager.miloapis.com`).<br />Must follow DNS subdomain format with lowercase letters, numbers, and hyphens.<br />Examples:<br />- `resourcemanager.miloapis.com` (Organizations, Projects)<br />- `iam.miloapis.com` (Users, Groups)<br />- `infrastructure.miloapis.com` (custom infrastructure resources)		Pattern: `^[a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)*$` <br />Required: {} <br />
`kind` <br />string	Kind specifies the resource type that receives quota grants and creates quota claims.<br />Must match an existing Kubernetes resource type (core or custom).<br />Use the exact Kind name as defined in the resource’s schema.<br />Examples:<br />- Organization (receives Project quotas)<br />- Project (receives User quotas)<br />- User (receives resource quotas within projects)		Required: {} <br />

ContributingGrantRef

ContributingGrantRef tracks a ResourceGrant that contributes capacity to this bucket. The quota system maintains these references to provide visibility into quota sources and to detect when grants change.

Appears in:

AllowanceBucketStatus

Field	Description	Validation
`name` <br />string	Name identifies the ResourceGrant that contributes to this bucket’s limit.<br />Used for tracking quota sources and debugging allocation issues.	Required: {} <br />
`lastObservedGeneration` <br />integer	LastObservedGeneration records the ResourceGrant’s generation when the bucket<br />quota system last processed it. Used to detect when grants have been updated<br />and the bucket needs to recalculate its aggregated limit.	Required: {} <br />
`amount` <br />integer	Amount specifies how much quota capacity this grant contributes to the bucket.<br />Represents the sum of all buckets within all allowances for the matching<br />resource type in the referenced grant. Measured in BaseUnit.	Minimum: 0 <br />Required: {} <br />

GrantCreationPolicy

GrantCreationPolicy automates ResourceGrant creation when observed resources meet conditions. Use it to provision quota based on resource lifecycle events and attributes.

How It Works

Watch the kind in spec.trigger.resource and evaluate all spec.trigger.constraints[].
When all constraints are true, evaluate spec.target.resourceGrantTemplate and create a ResourceGrant.
Optionally target a parent control plane via spec.target.parentContext (CEL-resolved name) for cross-cluster allocation.
Allowances (resource types and amounts) are static in v1alpha1.

Template Expressions

Template expressions generate dynamic content for ResourceGrant fields including metadata and specification. Content inside {{ }} delimiters is evaluated as CEL expressions, while content outside is treated as literal text.

Template Expression Rules:

{{expression}} - Pure CEL expression, evaluated and substituted
literal-text - Used as-is without any evaluation
{{expression}}-literal - CEL output combined with literal text
prefix-{{expression}}-suffix - Literal text surrounding CEL expression

Template Expression Examples:

{{trigger.metadata.name + '-grant'}} - Pure CEL expression (metadata)
{{trigger.metadata.name}}-quota-grant - CEL + literal suffix (metadata)
{{trigger.spec.type + "-consumer"}} - Extract spec field for consumer name (spec)
{{trigger.metadata.labels["environment"] + "-grants"}} - Label-based naming (spec)
fixed-grant-name - Literal string only (no evaluation)

Use Template Expressions For: ResourceGrantTemplate fields (metadata and spec)

Constraint Expressions

Constraint expressions determine whether a policy should trigger by evaluating boolean conditions. These are pure CEL expressions without delimiters that must return true/false values.

Constraint Expression Rules:

Write pure CEL expressions directly (no wrapping syntax)
Must return boolean values (true = trigger policy, false = skip)
All constraints in a policy must return true for the policy to activate

Constraint Expression Examples:

trigger.spec.tier == "premium" - Field equality check
trigger.metadata.labels["environment"] == "prod" - Label-based filtering
trigger.status.phase == "Active" - Status condition check
has(trigger.spec.quotaProfile) - Field existence check

Use Constraint Expressions For: spec.trigger.constraints fields

Expression Variables

Both template and constraint expressions have access to the resource context variables:

trigger: The complete resource that triggered the policy, including all metadata, spec, and status fields. Navigate using CEL property access: trigger.metadata.name, trigger.spec.tier. This is the only variable available since GrantCreationPolicy runs during resource watching, not during admission processing.

Works With

Creates ResourceGrant objects whose allowances[].resourceType must exist in a ResourceRegistration.
May target a parent control plane via spec.target.parentContext for cross-plane quota allocation.
Policy readiness (status.conditions[type=Ready]) signals expression/constraint validity.

Status

status.conditions[type=Ready]: Policy validated and active.
status.conditions[type=ParentContextReady]: Cross‑cluster targeting is resolvable.
status.observedGeneration: Latest spec generation processed.

Selectors and Filtering

Field selectors (server-side): spec.trigger.resource.kind, spec.trigger.resource.apiVersion, spec.target.parentContext.kind, spec.target.parentContext.apiGroup.
Label selectors (add your own):
quota.miloapis.com/trigger-kind: Organization
quota.miloapis.com/environment: prod
Common queries:
All policies for a trigger kind: label selector quota.miloapis.com/trigger-kind.
All active policies: field selector spec.disabled=false.

Defaults and Limits

Resource grant allowances are static (no expression-based amounts) in v1alpha1.

Notes

If ParentContextReady=False, verify nameExpression and referenced attributes.
Disabled policies (spec.disabled=true) do not create grants.

How It Works

ResourceClaims follow a straightforward lifecycle from creation to resolution. When a ClaimCreationPolicy triggers during admission, it creates a ResourceClaim that immediately enters the quota evaluation pipeline. The quota system first validates that the consumer type matches the expected ConsumerType from the ResourceRegistration, then verifies that the triggering resource kind is authorized to claim the requested resource types.

Once validation passes, the quota system checks quota availability by consulting the relevant AllowanceBuckets, one for each (consumer, resourceType) combination in the claim’s requests. The quota system treats all requests in a claim as an atomic unit: either sufficient quota exists for every request and the entire claim is granted, or any shortage results in denying the complete claim. This atomic approach ensures consistency and prevents partial resource allocations that could leave the system in an inconsistent state.

When a claim is granted, it permanently reserves the requested quota amounts until the claim is deleted. This consumption immediately reduces the available quota in the corresponding AllowanceBuckets, preventing other claims from accessing that capacity. The quota system updates the claim’s status with detailed results for each resource request, including which AllowanceBucket provided the quota and any relevant error messages.

Core Relationships

Created by: ClaimCreationPolicy during admission (automatically) or administrators (manually)
Consumes from: AllowanceBucket matching (spec.consumerRef, spec.requests[].resourceType)
Capacity sourced from: ResourceGrant objects aggregated by the bucket
Linked to: Triggering resource via spec.resourceRef for lifecycle management
Validated against: ResourceRegistration for each spec.requests[].resourceType

Claim Lifecycle States

Initial: Granted=False, reason=PendingEvaluation (claim created, awaiting processing)
Granted: Granted=True, reason=QuotaAvailable (all requests allocated successfully)
Denied: Granted=False, reason=QuotaExceeded or ValidationFailed (requests could not be satisfied)

Automatic vs Manual Claims

Automatic Claims (created by ClaimCreationPolicy):

Include standard labels and annotations for tracking
Set owner references to triggering resource when possible
Automatically cleaned up when denied to prevent accumulation
Marked with quota.miloapis.com/auto-created=true label

Manual Claims (created by administrators):

Require explicit metadata and references
Not automatically cleaned up when denied
Used for testing or special allocation scenarios

Status Information

Overall Status: status.conditions[type=Granted] indicates claim approval
Detailed Results: status.allocations[] provides per-request allocation details
Bucket References: status.allocations[].allocatingBucket identifies quota sources

Field Constraints and Validation

Maximum 20 resource requests per claim
Each resource type can appear only once in requests
Consumer type must match ResourceRegistration.spec.consumerType for each requested type
Triggering resource kind must be listed in ResourceRegistration.spec.claimingResources

Selectors and Filtering

Field selectors: spec.consumerRef.kind, spec.consumerRef.name, spec.resourceRef.apiGroup, spec.resourceRef.kind, spec.resourceRef.name, spec.resourceRef.namespace
Auto-created labels: quota.miloapis.com/auto-created, quota.miloapis.com/policy, quota.miloapis.com/gvk
Auto-created annotations: quota.miloapis.com/created-by, quota.miloapis.com/created-at, quota.miloapis.com/resource-name

Common Queries

All claims for a consumer: field selector spec.consumerRef.kind + spec.consumerRef.name
Claims from a specific policy: label selector quota.miloapis.com/policy=<policy-name>
Claims for a resource type: add custom labels via policy template
Failed claims: field selector on status conditions

Troubleshooting

Denied claims: Check status.allocations[].message for specific quota or validation errors
Pending claims: Verify ResourceRegistration is Active and AllowanceBucket exists
Missing claims: Check ClaimCreationPolicy conditions and trigger expressions

Performance Considerations

Claims are processed synchronously during admission (affects API latency)
Large numbers of claims can impact bucket aggregation performance
Consider batch processing for bulk resource creation

Appears in:

ResourceClaimList

Field	Description	Default	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`ResourceClaim`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ResourceClaimSpec			Required: {} <br />
`status` <br />ResourceClaimStatus		{ conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Awaiting capacity evaluation reason:PendingEvaluation status:False type:Granted]] }

ResourceClaimAllocationStatus

ResourceClaimAllocationStatus tracks the allocation status for a specific resource request within a claim. The system creates one allocation entry for each request in the claim specification.

Appears in:

ResourceClaimStatus

Field	Description	Validation
`resourceType` <br />string	ResourceType identifies which resource request this allocation status<br />describes. Must exactly match one of the resourceType values in<br />spec.requests.	MinLength: 1 <br />Required: {} <br />
`status` <br />string	Status indicates the allocation result for this specific resource request.<br />Valid values:<br /> - “Granted”: Quota was available and the request was approved<br /> - “Denied”: Insufficient quota or validation failure prevented allocation<br /> - “Pending”: Request is being evaluated (initial state)	Enum: [Granted Denied Pending] <br />Required: {} <br />
`reason` <br />string	Reason provides a machine-readable explanation for the current status.<br />Standard reasons include “QuotaAvailable”, “QuotaExceeded”,<br />“ValidationFailed”.	Optional: {} <br />
`message` <br />string	Message provides a human-readable explanation of the allocation result.<br />Includes specific details about quota availability or validation errors.<br />Examples:<br /> - “Allocated 1 project from bucket organization-acme-projects”<br /> - “Insufficient quota: need 2048 bytes, only 1024 available”<br /> - “ResourceRegistration not found for resourceType”	Optional: {} <br />
`allocatedAmount` <br />integer	AllocatedAmount specifies how much quota was actually allocated for this<br />request. Measured in the BaseUnit defined by the ResourceRegistration.<br />Currently always equals the requested amount or 0 (partial allocations not<br />supported).<br />Set to the requested amount when Status=Granted, 0 when Status=Denied or<br />Pending.	Minimum: 0 <br />Optional: {} <br />
`allocatingBucket` <br />string	AllocatingBucket identifies the AllowanceBucket that provided the quota for<br />this request. Set only when Status=Granted. Used for tracking and debugging<br />quota consumption.<br />Format: bucket name (generated as:<br />consumer-kind-consumer-name-resource-type-hash)	Optional: {} <br />
`lastTransitionTime` <br />Time	LastTransitionTime records when this allocation status last changed.<br />Updates whenever Status, Reason, or Message changes.	Required: {} <br />

ResourceClaimList

ResourceClaimList contains a list of ResourceClaim.

Field	Description	Default	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`ResourceClaimList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />ResourceClaim array

ResourceClaimSpec

ResourceClaimSpec defines the desired state of ResourceClaim.

Appears in:

ResourceClaim
ResourceClaimTemplate

Field	Description	Validation
`consumerRef` <br />ConsumerRef	ConsumerRef identifies the quota consumer making this claim. The consumer<br />must match the ConsumerType defined in the ResourceRegistration for each<br />requested resource type. The system validates this relationship during<br />claim processing.<br />When creating ResourceClaims via ClaimCreationPolicy, this field can be<br />omitted and the admission plugin will automatically fill it based on the<br />authenticated user’s context (organization or project).<br />Examples:<br /> - Organization consuming Project quota<br /> - Project consuming User quota<br /> - Organization consuming storage quota	Optional: {} <br />
`requests` <br />ResourceRequest array	Requests specifies the resource types and amounts being claimed from quota.<br />Each resource type can appear only once in the requests array. Minimum 1<br />request, maximum 20 requests per claim.<br />The system processes all requests as a single atomic operation: either all<br />requests are granted or all are denied.	MaxItems: 20 <br />MinItems: 1 <br />Required: {} <br />
`resourceRef` <br />UnversionedObjectReference	ResourceRef identifies the actual Kubernetes resource that triggered this<br />claim. ClaimCreationPolicy automatically populates this field during<br />admission. Uses unversioned reference (apiGroup + kind + name + namespace)<br />to remain valid across API version changes.<br />The referenced resource’s kind must be listed in the ResourceRegistration’s<br />spec.claimingResources for the claim to be valid.<br />Examples:<br /> - Project resource triggering Project quota claim<br /> - User resource triggering User quota claim<br /> - Organization resource triggering storage quota claim

ResourceClaimStatus

ResourceClaimStatus reports the claim’s processing state and allocation results. The system updates this status to communicate whether quota was granted and provide detailed allocation information for each requested resource type.

Appears in:

ResourceClaim

Field	Description	Validation
`observedGeneration` <br />integer	ObservedGeneration indicates the most recent spec generation the system has<br />processed. When ObservedGeneration matches metadata.generation, the status<br />reflects the current spec. When ObservedGeneration is lower, the system is<br />still processing recent changes.	Optional: {} <br />
`allocations` <br />ResourceClaimAllocationStatus array	Allocations provides detailed status for each resource request in the<br />claim. The system creates one allocation entry for each request in<br />spec.requests. Use this field to understand which specific requests were<br />granted or denied.<br />List is indexed by ResourceType for efficient lookups.	Optional: {} <br />
`conditions` <br />Condition array	Conditions represents the overall status of the claim evaluation.<br />Controllers set these conditions to provide a high-level view of claim<br />processing.<br />Standard condition types:<br /> - “Granted”: Indicates whether the claim was approved and quota allocated<br />Standard condition reasons for “Granted”:<br /> - “QuotaAvailable”: All requested quota was available and allocated<br /> - “QuotaExceeded”: Insufficient quota prevented allocation (claim denied)<br /> - “ValidationFailed”: Configuration errors prevented evaluation (claim denied)<br /> - “PendingEvaluation”: Claim is still being processed (initial state)<br />Claim Lifecycle:<br /> 1. Created: Granted=False, reason=PendingEvaluation<br /> 2. Processed: Granted=True/False based on quota availability and validation<br /> 3. Updated: Granted condition changes only when allocation results change

ResourceClaimTemplate

ResourceClaimTemplate defines how to create ResourceClaims using actual ResourceClaim structure.

Appears in:

ClaimTargetSpec

Field	Description	Default	Validation
`metadata` <br />ObjectMetaTemplate	Refer to Kubernetes API documentation for fields of `metadata`.		Required: {} <br />
`spec` <br />ResourceClaimSpec	Spec for the created ResourceClaim.<br />String fields support CEL expressions.		Required: {} <br />

ResourceGrant

ResourceGrant allocates quota capacity to a consumer for specific resource types. Grants provide the allowances that AllowanceBuckets aggregate to determine available quota for ResourceClaim evaluation.

How It Works

ResourceGrants begin their lifecycle when either an administrator creates them manually or a GrantCreationPolicy generates them automatically in response to observed resource changes. Upon creation, the grant enters a validation phase where the quota system examines the consumer type to ensure it matches the expected ConsumerType from each ResourceRegistration targeted by the grant’s allowances. The quota system also verifies that all specified resource types correspond to active registrations and that the allowance amounts are valid non-negative integers.

When validation succeeds, the quota system marks the grant as Active, signaling to AllowanceBucket resources that this grant should contribute to quota calculations. The bucket resources continuously monitor for active grants and aggregate their allowance amounts into the appropriate buckets based on consumer and resource type matching. This aggregation process makes the granted quota capacity available for ResourceClaim consumption.

ResourceClaims then consume the capacity that active grants provide, creating a flow from grants through buckets to claims. The grant’s capacity remains reserved as long as claims reference it, ensuring that quota allocations persist until the consuming resources are removed. This creates a stable quota environment where capacity allocations remain consistent across resource lifecycles.

Core Relationships

Provides capacity to: AllowanceBucket matching (spec.consumerRef, spec.allowances[].resourceType)
Consumed by: ResourceClaim objects processed against the aggregated buckets
Validated against: ResourceRegistration for each spec.allowances[].resourceType
Created by: Administrators manually or GrantCreationPolicy automatically

Quota Aggregation Logic

Multiple ResourceGrants for the same (consumer, resourceType) combination:

Aggregate into a single AllowanceBucket for that combination
All bucket amounts from all allowances are summed for total capacity
Only Active grants contribute to the aggregated limit
Inactive grants are excluded from quota calculations

Grant vs Bucket Relationship

ResourceGrant: Specifies intended quota allocations
AllowanceBucket: Aggregates actual available quota from active grants
ResourceClaim: Consumes quota from buckets (which source from grants)

Allowance Structure

Each grant can contain multiple allowances for different resource types:

All allowances share the same consumer (spec.consumerRef)
Each allowance can have multiple buckets (for tracking, attribution, or incremental increases)
Bucket amounts within an allowance are summed for that resource type

Manual vs Automated Grants

Manual Grants (created by administrators):

Explicit quota allocations for specific consumers
Require direct management and updates
Useful for base quotas, special allocations, or testing

Automated Grants (created by GrantCreationPolicy):

Generated based on resource lifecycle events
Include labels/annotations for tracking policy source
Automatically managed based on trigger conditions

Validation Requirements

Consumer type must match ResourceRegistration.spec.consumerType for each resource type
All resource types must reference active ResourceRegistration objects
Maximum 20 allowances per grant
All amounts must be non-negative integers in BaseUnit

Field Constraints and Limits

Maximum 20 allowances per grant
Each allowance must have at least 1 bucket
Bucket amounts must be non-negative (0 is allowed but provides no quota)
All amounts measured in BaseUnit from ResourceRegistration

Status Information

Active condition: Indicates whether grant is contributing to quota buckets
Validation errors: Reported in condition message when Active=False
Processing status: ObservedGeneration tracks spec changes

Selectors and Filtering

Field selectors: spec.consumerRef.kind, spec.consumerRef.name
Recommended labels (add manually for better organization):
- quota.miloapis.com/consumer-kind: Organization
- quota.miloapis.com/consumer-name: acme-corp
- quota.miloapis.com/source: policy-name or manual
- quota.miloapis.com/tier: basic, premium, enterprise

Common Queries

All grants for a consumer: field selector spec.consumerRef.kind + spec.consumerRef.name
Grants by source policy: label selector quota.miloapis.com/source=<policy-name>
Grants by resource tier: label selector quota.miloapis.com/tier=<tier-name>
Active vs inactive grants: check status.conditions[type=Active].status

Cross-Cluster Allocation

GrantCreationPolicy can create grants in parent control planes for cross-cluster quota:

Policy running in child cluster creates grants in parent cluster
Grants provide capacity that spans multiple child clusters
Enables centralized quota management across cluster hierarchies

Troubleshooting

Inactive grants: Check status.conditions[type=Active] for validation errors
Missing quota: Verify grants are Active and contributing to correct buckets
Grant conflicts: Multiple grants for same consumer+resourceType are aggregated, not conflicting

Performance Considerations

Large numbers of grants can impact bucket aggregation performance
Consider consolidating grants where possible to reduce aggregation overhead
Grant status updates are asynchronous and may lag spec changes

Appears in:

ResourceGrantList

Field	Description	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`ResourceGrant`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ResourceGrantSpec		Required: {} <br />
`status` <br />ResourceGrantStatus

ResourceGrantList

ResourceGrantList contains a list of ResourceGrant.

Field	Description	Default	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`ResourceGrantList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />ResourceGrant array

ResourceGrantSpec

ResourceGrantSpec defines the desired state of ResourceGrant.

Appears in:

ResourceGrant
ResourceGrantTemplate

Field	Description	Default	Validation
`consumerRef` <br />ConsumerRef	ConsumerRef identifies the quota consumer that receives these allowances.<br />The consumer type must match the ConsumerType defined in the ResourceRegistration<br />for each allowance resource type. The system validates this relationship.<br />Examples:<br />- Organization receiving Project quota allowances<br />- Project receiving User quota allowances<br />- Organization receiving storage quota allowances		Required: {} <br />
`allowances` <br />Allowance array	Allowances specifies the quota allocations provided by this grant.<br />Each allowance grants capacity for a specific resource type.<br />Minimum 1 allowance required, maximum 20 allowances per grant.<br />All allowances in a single grant:<br />- Apply to the same consumer (spec.consumerRef)<br />- Contribute to the same AllowanceBucket for each resource type<br />- Activate and deactivate together based on the grant’s status		MinItems: 1 <br />Required: {} <br />

ResourceGrantStatus

ResourceGrantStatus reports the grant’s operational state and processing status. Controllers update status conditions to indicate whether the grant is active and contributing capacity to AllowanceBuckets.

Appears in:

ResourceGrant

Field	Description	Default	Validation
`observedGeneration` <br />integer	ObservedGeneration indicates the most recent spec generation the quota system has processed.<br />When ObservedGeneration matches metadata.generation, the status reflects the current spec.<br />When ObservedGeneration is lower, the quota system is still processing recent changes.		Optional: {} <br />
`conditions` <br />Condition array	Conditions represents the latest available observations of the grant’s state.<br />Controllers set these conditions to communicate operational status.<br />Standard condition types:<br />- “Active”: Indicates whether the grant is operational and contributing to quota buckets.<br /> When True, allowances are aggregated into AllowanceBuckets and available for claims.<br /> When False, allowances do not contribute to quota decisions.<br />Standard condition reasons for “Active”:<br />- “GrantActive”: Grant is validated and contributing to quota buckets<br />- “ValidationFailed”: Specification contains errors preventing activation (see message)<br />- “GrantPending”: Grant is being processed by the quota system<br />Grant Lifecycle:<br />1. Created: Active=Unknown, reason=GrantPending<br />2. Validated: Active=True, reason=GrantActive OR Active=False, reason=ValidationFailed<br />3. Updated: Active condition changes only when validation results change

ResourceGrantTemplate

ResourceGrantTemplate defines the specification for creating ResourceGrants using actual ResourceGrant structure.

Appears in:

GrantTargetSpec

Field	Description	Default	Validation
`metadata` <br />ObjectMetaTemplate	Refer to Kubernetes API documentation for fields of `metadata`.		Required: {} <br />
`spec` <br />ResourceGrantSpec	Spec for the created ResourceGrant.<br />String fields support CEL expressions wrapped in {{ }} delimiters.		Required: {} <br />

ResourceRegistration

ResourceRegistration enables quota tracking for a specific resource type. Administrators create registrations to define measurement units, consumer relationships, and claiming permissions.

How It Works

Administrators create registrations to enable quota tracking for specific resource types
The system validates the registration and sets the “Active” condition when ready
ResourceGrants can then allocate capacity for the registered resource type
ResourceClaims can consume capacity when allowed resources are created

Core Relationships

ResourceGrant.spec.allowances[].resourceType must match this registration’s spec.resourceType
ResourceClaim.spec.requests[].resourceType must match this registration’s spec.resourceType
ResourceClaim.spec.consumerRef must match this registration’s spec.consumerType type
ResourceClaim.spec.resourceRef kind must be listed in this registration’s spec.claimingResources

Registration Lifecycle

Creation: Administrator creates ResourceRegistration with resource type and consumer type
Validation: System validates that referenced resource types exist and are accessible
Activation: System sets Active=True condition when validation passes
Operation: ResourceGrants and ResourceClaims can reference the active registration
Updates: Only mutable fields (description, claimingResources) can be changed

Status Conditions

Active=True: Registration is validated and operational; grants and claims can use it
Active=False, reason=ValidationFailed: Configuration errors prevent activation (check message)
Active=False, reason=RegistrationPending: Quota system is processing the registration

Measurement Types

Entity registrations (spec.type=Entity): Count discrete resource instances (Projects, Users)
Allocation registrations (spec.type=Allocation): Measure capacity amounts (CPU, memory, storage)

Field Constraints and Limits

Maximum 20 entries in spec.claimingResources
spec.resourceType, spec.consumerType, and spec.type are immutable after creation
spec.description maximum 500 characters
spec.baseUnit and spec.displayUnit maximum 50 characters each
spec.unitConversionFactor minimum value is 1

Selectors and Filtering

Field selectors: spec.consumerType.kind, spec.consumerType.apiGroup, spec.resourceType
Recommended labels (add manually):
- quota.miloapis.com/resource-kind: Project
- quota.miloapis.com/resource-apigroup: resourcemanager.miloapis.com
- quota.miloapis.com/consumer-kind: Organization

Security Considerations

Only include trusted resource types in spec.claimingResources
Registrations are cluster-scoped and affect quota system-wide
Consumer types must have appropriate RBAC permissions to create claims

Appears in:

ResourceRegistrationList

Field	Description	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`ResourceRegistration`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ResourceRegistrationSpec		Required: {} <br />
`status` <br />ResourceRegistrationStatus

ResourceRegistrationList

ResourceRegistrationList contains a list of ResourceRegistration.

Field	Description	Default	Validation
`apiVersion` <br />string	`quota.miloapis.com/v1alpha1`
`kind` <br />string	`ResourceRegistrationList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />ResourceRegistration array

ResourceRegistrationSpec

ResourceRegistrationSpec defines the desired state of ResourceRegistration.

Appears in:

ResourceRegistration

Field	Description	Validation
`consumerType` <br />ConsumerType	ConsumerType specifies which resource type receives grants and creates claims for this registration.<br />The consumer type must exist in the cluster before creating the registration.<br />Example: When registering “Projects per Organization”, set `ConsumerType` to Organization<br />(apiGroup: `resourcemanager.miloapis.com`, kind: `Organization`). Organizations then<br />receive ResourceGrants allocating Project quota and create ResourceClaims when Projects are created.	Required: {} <br />
`type` <br />string	Type specifies the measurement method for quota tracking.<br />This field is immutable after creation.<br />Valid values:<br />- `Entity`: Counts discrete resource instances. Use for resources where each instance consumes exactly 1 quota unit (for example, Projects, Users, Databases).<br /> Claims always request integer quantities.<br />- `Allocation`: Measures numeric capacity or resource amounts. Use for resources<br /> with variable consumption (for example, CPU millicores, memory bytes, storage capacity).<br /> Claims can request fractional amounts based on resource specifications.	Enum: [Entity Allocation] <br />Required: {} <br />
`resourceType` <br />string	ResourceType identifies the resource to track with quota.<br />Platform administrators define resource type identifiers that make sense for their<br />quota system usage. This field is immutable after creation.<br />The identifier format is flexible to accommodate various naming conventions<br />and organizational needs. Service providers can use any meaningful identifier.<br />Examples:<br />- “resourcemanager.miloapis.com/projects”<br />- “iam.miloapis.com/users”<br />- “compute_cpu”<br />- “storage.volumes”<br />- “custom-service-quota”	MaxLength: 253 <br />MinLength: 1 <br />Required: {} <br />
`description` <br />string	Description provides human-readable context about what this registration tracks.<br />Use clear, specific language that explains the resource type and measurement approach.<br />Maximum 500 characters.<br />Examples:<br />- “Projects created within Organizations”<br />- “CPU millicores allocated to workloads”<br />- “Storage bytes claimed by volume requests”	MaxLength: 500 <br />MinLength: 1 <br />Optional: {} <br />
`baseUnit` <br />string	BaseUnit defines the internal measurement unit for all quota calculations.<br />The system stores and processes all quota amounts using this unit.<br />Use singular form with lowercase letters. Maximum 50 characters.<br />Examples:<br />- “project” (for Entity type tracking Projects)<br />- “millicore” (for CPU allocation)<br />- “byte” (for storage or memory)<br />- “user” (for Entity type tracking Users)	MaxLength: 50 <br />MinLength: 1 <br />Required: {} <br />
`displayUnit` <br />string	DisplayUnit defines the unit shown in user interfaces and API responses.<br />Should be more human-readable than BaseUnit. Use singular form. Maximum 50 characters.<br />Examples:<br />- “project” (same as BaseUnit when no conversion needed)<br />- “core” (for displaying CPU instead of millicores)<br />- “GiB” (for displaying memory/storage instead of bytes)<br />- “TB” (for large storage volumes)	MaxLength: 50 <br />MinLength: 1 <br />Required: {} <br />
`unitConversionFactor` <br />integer	UnitConversionFactor converts BaseUnit values to DisplayUnit values for presentation.<br />Must be a positive integer. Minimum value is 1 (no conversion).<br />Formula: displayValue = baseValue / unitConversionFactor<br />Examples:<br />- 1 (no conversion: “project” to “project”)<br />- 1000 (millicores to cores: 2000 millicores displays as 2 cores)<br />- 1073741824 (bytes to GiB: 2147483648 bytes displays as 2 GiB)<br />- 1000000000000 (bytes to TB: 2000000000000 bytes displays as 2 TB)	Minimum: 1 <br />Required: {} <br />
`claimingResources` <br />ClaimingResource array	ClaimingResources specifies which resource types can create ResourceClaims for this registration.<br />Only resources listed here can trigger quota consumption for this resource type.<br />At least one claiming resource must be specified.<br />Maximum 20 entries.	MaxItems: 20 <br />MinItems: 1 <br />Required: {} <br />

ResourceRegistrationStatus

ResourceRegistrationStatus reports the registration’s operational state and processing status. The system updates status conditions to indicate whether the registration is active and usable for quota operations.

Appears in:

ResourceRegistration

Field	Description	Default	Validation
`observedGeneration` <br />integer	ObservedGeneration indicates the most recent spec generation that the system has processed.<br />When ObservedGeneration matches metadata.generation, the status reflects the current spec.<br />When ObservedGeneration is lower, the system is still processing recent changes.		Optional: {} <br />
`conditions` <br />Condition array	Conditions represents the latest available observations of the registration’s state.<br />The system sets these conditions to communicate operational status.<br />Standard condition types:<br />- “Active”: Indicates whether the registration is operational. When True, ResourceGrants<br /> and ResourceClaims can reference this registration. When False, quota operations are blocked.<br />Standard condition reasons for “Active”:<br />- “RegistrationActive”: Registration is validated and operational<br />- “ValidationFailed”: Specification contains errors (see message for details)<br />- “RegistrationPending”: Registration is being processed

ResourceRequest

ResourceRequest defines a single resource request within a ResourceClaim. Each request specifies a resource type and the amount of quota being claimed.

Appears in:

ResourceClaimSpec

Field	Description	Default	Validation
`resourceType` <br />string	ResourceType identifies the specific resource type being claimed. Must<br />exactly match a ResourceRegistration.spec.resourceType that is currently<br />active. The quota system validates this reference during claim processing.<br />The format is defined by platform administrators when creating ResourceRegistrations.<br />Service providers can use any identifier that makes sense for their quota system usage.<br />Examples:<br /> - “resourcemanager.miloapis.com/projects”<br /> - “compute_cpu”<br /> - “storage.volumes”<br /> - “custom-service-quota”		Required: {} <br />
`amount` <br />integer	Amount specifies how much quota to claim for this resource type. Must be<br />measured in the BaseUnit defined by the corresponding ResourceRegistration.<br />Must be a positive integer (minimum value is 0, but 0 means no quota<br />requested).<br />For Entity registrations: Use 1 for single resource instances (1 Project, 1<br />User) For Allocation registrations: Use actual capacity amounts (2048 for<br />2048 MB, 1000 for 1000 millicores)<br />Examples:<br /> - 1 (claiming 1 Project)<br /> - 2048 (claiming 2048 bytes of storage)<br /> - 1000 (claiming 1000 CPU millicores)		Minimum: 0 <br />Required: {} <br />

UnversionedObjectReference

UnversionedObjectReference provides a stable reference to a Kubernetes resource that remains valid across API version changes. Used to link ResourceClaims to their triggering resources for lifecycle management.

Appears in:

ResourceClaimSpec

Field	Description	Validation
`apiGroup` <br />string	APIGroup specifies the API group of the referenced resource.<br />Use full group name for Milo resources.<br />Examples:<br />- “resourcemanager.miloapis.com” (Project, Organization)<br />- “iam.miloapis.com” (User, Group)<br />- “infrastructure.miloapis.com” (infrastructure resources)	Optional: {} <br />
`kind` <br />string	Kind specifies the type of the referenced resource.<br />Must match an existing Kubernetes resource type.<br />Examples:<br />- “Project” (Project resource that triggered quota claim)<br />- “User” (User resource that triggered quota claim)<br />- “Organization” (Organization resource that triggered quota claim)	Required: {} <br />
`name` <br />string	Name identifies the specific resource instance that triggered the quota claim. Used for linking claims back to their triggering resources. Examples: - “web-app-project” (Project that triggered Project quota claim) - “john.doe” (User that triggered User quota claim)	Required: {} <br />
`namespace` <br />string	Namespace specifies the namespace containing the referenced resource.<br />Required for namespaced resources, omitted for cluster-scoped resources.<br />Examples:<br />- “acme-corp” (organization namespace containing Project)<br />- “team-alpha” (project namespace containing User)<br />- "" or omitted (for cluster-scoped resources like Organization)	Optional: {} <br />

resourcemanager.miloapis.com/v1alpha1

Resource Types

Organization
OrganizationList
OrganizationMembership
OrganizationMembershipList
Project
ProjectList

AppliedRole

AppliedRole tracks the reconciliation status of a single role assignment within an organization membership. The controller maintains this status to provide visibility into which roles are successfully applied and which failed.

Appears in:

OrganizationMembershipStatus

Field	Description	Validation
`name` <br />string	Name identifies the Role resource.<br />Required field.	Required: {} <br />
`namespace` <br />string	Namespace identifies the namespace containing the Role resource.<br />Empty when the role is in the membership’s namespace.	Optional: {} <br />
`status` <br />string	Status indicates the current state of this role assignment.<br />Valid values:<br /> - “Applied”: PolicyBinding successfully created and role is active<br /> - “Pending”: Role is being reconciled (transitional state)<br /> - “Failed”: PolicyBinding could not be created (see Message for details)<br />Required field.	Enum: [Applied Pending Failed] <br />Required: {} <br />
`message` <br />string	Message provides additional context about the role status.<br />Contains error details when Status is “Failed”, explaining why the<br />PolicyBinding could not be created.<br />Common failure messages:<br /> - “role ‘role-name’ not found in namespace ‘namespace’“<br /> - “Failed to create PolicyBinding: <error details>“<br />Empty when Status is “Applied” or “Pending”.	Optional: {} <br />
`policyBindingRef` <br />PolicyBindingReference	PolicyBindingRef references the PolicyBinding resource that was<br />automatically created for this role.<br />Only populated when Status is “Applied”. Use this reference to<br />inspect or troubleshoot the underlying PolicyBinding.	Optional: {} <br />
`appliedAt` <br />Time	AppliedAt records when this role was successfully applied.<br />Corresponds to the PolicyBinding creation time.<br />Only populated when Status is “Applied”.	Optional: {} <br />

MemberReference

MemberReference contains information that points to the User being referenced.

Appears in:

OrganizationMembershipSpec

Field	Description	Default	Validation
`name` <br />string	Name is the name of resource being referenced		Required: {} <br />

Organization

Use lowercase for path, which influences plural name. Ensure kind is Organization. Organization is the Schema for the Organizations API

Appears in:

OrganizationList

Field	Description	Validation
`apiVersion` <br />string	`resourcemanager.miloapis.com/v1alpha1`
`kind` <br />string	`Organization`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />OrganizationSpec		Required: {} <br />
`status` <br />OrganizationStatus

OrganizationList

OrganizationList contains a list of Organization

Field	Description	Default	Validation
`apiVersion` <br />string	`resourcemanager.miloapis.com/v1alpha1`
`kind` <br />string	`OrganizationList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Organization array

OrganizationMembership

OrganizationMembership establishes a user’s membership in an organization and optionally assigns roles to grant permissions. The controller automatically manages PolicyBinding resources for each assigned role, simplifying access control management.

Key features:

Establishes user-organization relationship
Automatic PolicyBinding creation and deletion for assigned roles
Supports multiple roles per membership
Cross-namespace role references
Detailed status tracking with per-role reconciliation state

Prerequisites:

User resource must exist
Organization resource must exist
Referenced Role resources must exist in their respective namespaces

Example - Basic membership with role assignment:

apiVersion: resourcemanager.miloapis.com/v1alpha1 kind: OrganizationMembership metadata: name: jane-acme-membership namespace: organization-acme-corp spec: organizationRef: name: acme-corp userRef: name: jane-doe roles:

name: organization-viewer namespace: organization-acme-corp

Related resources:

User: The user being granted membership
Organization: The organization the user joins
Role: Defines permissions granted to the user
PolicyBinding: Automatically created by the controller for each role

Appears in:

OrganizationMembershipList

Field	Description	Default	Validation
`apiVersion` <br />string	`resourcemanager.miloapis.com/v1alpha1`
`kind` <br />string	`OrganizationMembership`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />OrganizationMembershipSpec
`status` <br />OrganizationMembershipStatus

OrganizationMembershipList

OrganizationMembershipList contains a list of OrganizationMembership

Field	Description	Default	Validation
`apiVersion` <br />string	`resourcemanager.miloapis.com/v1alpha1`
`kind` <br />string	`OrganizationMembershipList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />OrganizationMembership array

OrganizationMembershipOrganizationStatus

OrganizationMembershipOrganizationStatus defines the observed state of an organization in a membership.

Appears in:

OrganizationMembershipStatus

Field	Description	Default	Validation
`type` <br />string	Type is the type of the organization in the membership.		Optional: {} <br />
`displayName` <br />string	DisplayName is the display name of the organization in the membership.		Optional: {} <br />

OrganizationMembershipSpec

OrganizationMembershipSpec defines the desired state of OrganizationMembership. It specifies which user should be a member of which organization, and optionally which roles should be assigned to grant permissions.

Appears in:

OrganizationMembership

Field	Description	Validation
`organizationRef` <br />OrganizationReference	OrganizationRef identifies the organization to grant membership in.<br />The organization must exist before creating the membership.<br />Required field.	Required: {} <br />
`userRef` <br />MemberReference	UserRef identifies the user to grant organization membership.<br />The user must exist before creating the membership.<br />Required field.	Required: {} <br />
`roles` <br />RoleReference array	Roles specifies a list of roles to assign to the user within the organization.<br />The controller automatically creates and manages PolicyBinding resources for<br />each role. Roles can be added or removed after the membership is created.<br />Optional field. When omitted or empty, the membership is established without<br />any role assignments. Roles can be added later via update operations.<br />Each role reference must specify:<br /> - name: The role name (required)<br /> - namespace: The role namespace (optional, defaults to membership namespace)<br />Duplicate roles are prevented by admission webhook validation.<br />Example:<br /> roles:<br /> - name: organization-admin<br /> namespace: organization-acme-corp<br /> - name: billing-manager<br /> namespace: organization-acme-corp<br /> - name: shared-developer<br /> namespace: milo-system	Optional: {} <br />

OrganizationMembershipStatus

OrganizationMembershipStatus defines the observed state of OrganizationMembership. The controller populates this status to reflect the current reconciliation state, including whether the membership is ready and which roles have been successfully applied.

Appears in:

OrganizationMembership

Field	Description	Default	Validation
`observedGeneration` <br />integer	ObservedGeneration tracks the most recent membership spec that the<br />controller has processed. Use this to determine if status reflects<br />the latest changes.		Optional: {} <br />
`conditions` <br />Condition array	Conditions represent the current status of the membership.<br />Standard conditions:<br /> - Ready: Indicates membership has been established (user and org exist)<br /> - RolesApplied: Indicates whether all roles have been successfully applied<br />Check the RolesApplied condition to determine overall role assignment status:<br /> - True with reason “AllRolesApplied”: All roles successfully applied<br /> - True with reason “NoRolesSpecified”: No roles in spec, membership only<br /> - False with reason “PartialRolesApplied”: Some roles failed (check appliedRoles for details)	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]	Optional: {} <br />
`user` <br />OrganizationMembershipUserStatus	User contains cached information about the user in this membership.<br />This information is populated by the controller from the referenced user.		Optional: {} <br />
`organization` <br />OrganizationMembershipOrganizationStatus	Organization contains cached information about the organization in this membership.<br />This information is populated by the controller from the referenced organization.		Optional: {} <br />
`appliedRoles` <br />AppliedRole array	AppliedRoles tracks the reconciliation state of each role in spec.roles. This array provides per-role status, making it easy to identify which roles are applied and which failed. Each entry includes: - name and namespace: Identifies the role - status: “Applied”, “Pending”, or “Failed” - policyBindingRef: Reference to the created PolicyBinding (when Applied) - appliedAt: Timestamp when role was applied (when Applied) - message: Error details (when Failed) Use this to troubleshoot role assignment issues. Roles marked as “Failed” include a message explaining why the PolicyBinding could not be created. Example: appliedRoles: - name: org-admin namespace: organization-acme-corp status: Applied appliedAt: “2025-10-28T10:00:00Z” policyBindingRef: name: jane-acme-membership-a1b2c3d4 namespace: organization-acme-corp - name: invalid-role namespace: organization-acme-corp status: Failed message: “role ‘invalid-role’ not found in namespace ‘organization-acme-corp‘“		Optional: {} <br />

OrganizationMembershipUserStatus

OrganizationMembershipUserStatus defines the observed state of a user in a membership.

Appears in:

OrganizationMembershipStatus

Field	Description	Validation
`email` <br />string	Email is the email of the user in the membership.	Optional: {} <br />
`givenName` <br />string	GivenName is the given name of the user in the membership.	Optional: {} <br />
`familyName` <br />string	FamilyName is the family name of the user in the membership.	Optional: {} <br />
`avatarUrl` <br />string	AvatarURL is the avatar URL of the user in the membership.	Optional: {} <br />

OrganizationReference

OrganizationReference contains information that points to the Organization being referenced.

Appears in:

OrganizationMembershipSpec
UserInvitationSpec

Field	Description	Default	Validation
`name` <br />string	Name is the name of resource being referenced		Required: {} <br />

OrganizationSpec

OrganizationSpec defines the desired state of Organization

Appears in:

Organization

Field	Description	Default	Validation
`type` <br />string	The type of organization.		Enum: [Personal Standard] <br />Required: {} <br />

OrganizationStatus

OrganizationStatus defines the observed state of Organization

Appears in:

Organization

Field	Description	Default	Validation
`observedGeneration` <br />integer	ObservedGeneration is the most recent generation observed for this Organization by the controller.
`conditions` <br />Condition array	Conditions represents the observations of an organization’s current state.<br />Known condition types are: “Ready”	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]

OwnerReference

OwnerReference is a reference to the owner of the project.

Appears in:

ProjectSpec

Field	Description	Default	Validation
`kind` <br />string	Kind is the kind of the resource.		Enum: [Organization] <br />Required: {} <br />
`name` <br />string	Name is the name of the resource.		Required: {} <br />

PolicyBindingReference

PolicyBindingReference contains information about the PolicyBinding created for a role.

Appears in:

AppliedRole

Field	Description	Default	Validation
`name` <br />string	Name of the PolicyBinding resource.		Required: {} <br />
`namespace` <br />string	Namespace of the PolicyBinding resource.		Optional: {} <br />

Project

Project is the Schema for the projects API.

Appears in:

ProjectList

Field	Description	Validation
`apiVersion` <br />string	`resourcemanager.miloapis.com/v1alpha1`
`kind` <br />string	`Project`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ProjectSpec		Required: {} <br />
`status` <br />ProjectStatus

ProjectList

ProjectList contains a list of Project.

Field	Description	Default	Validation
`apiVersion` <br />string	`resourcemanager.miloapis.com/v1alpha1`
`kind` <br />string	`ProjectList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />Project array

ProjectSpec

ProjectSpec defines the desired state of Project.

Appears in:

Project

Field	Description	Default	Validation
`ownerRef` <br />OwnerReference	OwnerRef is a reference to the owner of the project. Must be a valid<br />resource.		Required: {} <br />

ProjectStatus

ProjectStatus defines the observed state of Project.

Appears in:

Project

Field	Description	Default	Validation
`conditions` <br />Condition array	Represents the observations of a project’s current state.<br />Known condition types are: “Ready”	[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]]

RoleReference

RoleReference defines a reference to a Role resource for organization membership.

Appears in:

OrganizationMembershipSpec

Field	Description	Default	Validation
`name` <br />string	Name of the referenced Role.		Required: {} <br />
`namespace` <br />string	Namespace of the referenced Role.<br />If not specified, it defaults to the organization membership’s namespace.		Optional: {} <br />

telemetry.miloapis.com/v1alpha1

Package v1alpha1 contains API Schema definitions for the telemetry v1alpha1 API group.

Resource Types

ExportPolicy
ExportPolicyList

Authentication

Configures how the sink will authenticate with the configured endpoint. These options are mutually exclusive.

Appears in:

PrometheusRemoteWriteSink

Field	Description	Default	Validation
`basicAuth` <br />BasicAuthAuthentication	Configures the sink to use basic auth to authenticate with the configured<br />endpoint.

BasicAuthAuthentication

Underlying type: struct{SecretRef LocalSecretReference “json:“secretRef""}

Configures how the sink should use Basic Auth for authenticating with a telemetry endpoint.

Appears in:

Authentication

Batch

Configures the batching behavior the sink will use to batch requests before publishing them to the endpoint.

Appears in:

PrometheusRemoteWriteSink

Field	Description	Default	Validation
`timeout` <br />Duration	Batch timeout before sending telemetry. Must be a duration (e.g. 5s).		Required: {} <br />
`maxSize` <br />integer	Maximum number of telemetry entries per batch.		Maximum: 5000 <br />Minimum: 1 <br />Required: {} <br />

ExportPolicy

ExportPolicy is the Schema for the export policy API.

Appears in:

ExportPolicyList

Field	Description	Default	Validation
`apiVersion` <br />string	`telemetry.miloapis.com/v1alpha1`
`kind` <br />string	`ExportPolicy`
`metadata` <br />ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` <br />ExportPolicySpec	Describes the expected state of the ExportPolicy’s configuration. The control plane will constantly evaluate the current state of exporters that are deployed and ensure it matches the expected configuration. This field is required when configuring an export policy.
`status` <br />ExportPolicyStatus	Provides information on the current state of the export policy that was observed by the control plane. This will be continuously updated as the control plane monitors exporters.

ExportPolicyList

ExportPolicyList contains a list of ExportPolicy.

Field	Description	Default	Validation
`apiVersion` <br />string	`telemetry.miloapis.com/v1alpha1`
`kind` <br />string	`ExportPolicyList`
`metadata` <br />ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` <br />ExportPolicy array

ExportPolicySpec

ExportPolicySpec defines the desired state of ExportPolicy.

Appears in:

ExportPolicy

Field	Description	Default	Validation
`sources` <br />TelemetrySource array	Defines how the export policy should source telemetry data to publish to<br />the configured sinks. An export policy can define multiple telemetry<br />sources. The export policy will not de-duplicate telemetry data that<br />matches multiple sources.		MaxItems: 20 <br />MinItems: 1 <br />Required: {} <br />
`sinks` <br />TelemetrySink array	Configures how telemetry data should be sent to a third-party telemetry<br />platforms.		MaxItems: 20 <br />MinItems: 1 <br />Required: {} <br />

ExportPolicyStatus

ExportPolicyStatus defines the observed state of ExportPolicy.

Appears in:

ExportPolicy

Field	Description	Default	Validation
`conditions` <br />Condition array	Provides summary status information on the export policy as a whole. Review<br />the sink status information for detailed information on each sink.<br />Known condition types are: “Ready”
`sinks` <br />SinkStatus array	Provides status information on each sink that’s configured.

MetricSource

A metric source configures the metric data that should be exported to the configured sinks. The options below are expected to be mutually exclusive.

Appears in:

TelemetrySource

Field	Description	Default	Validation
`metricsql` <br />string	The MetricSQL option allows to user to provide a metricsql query that can<br />be used to select and filter metric data that should be published by the<br />export policy.<br />Here’s an example of a metricsql query that will publish gateway metrics:<br />`\{service_name=“networking.miloapis.com”, resource_kind="Gateway"\}`<br />See: https://docs.victoriametrics.com/metricsql/

PrometheusRemoteWriteSink

Configures how the sink should send data to a OTLP HTTP endpoint.

Appears in:

SinkTarget

Field	Description	Default	Validation
`authentication` <br />Authentication	Configures how the sink should authenticate with the HTTP endpoint.
`endpoint` <br />string	Configure an HTTP endpoint to use for publishing telemetry data.		Required: {} <br />
`batch` <br />Batch	Configures how telemetry data should be batched before sending to the sink.<br />By default, the sink will batch telemetry data every 5 seconds or when<br />the batch size reaches 500 entries, whichever comes first.	{ maxSize:500 timeout:5s }
`retry` <br />Retry	Configures the export policies’ retry behavior when it fails to send<br />requests to the sink’s endpoint. There’s no guarantees that the export<br />policy will retry until success if the endpoint is not available or<br />configured incorrectly.	{ backoffDuration:5s maxAttempts:3 }

Retry

Configures the retry behavior of the sink when it fails to send telemetry data to the configured endpoint.

Appears in:

PrometheusRemoteWriteSink

Field	Description	Default	Validation
`maxAttempts` <br />integer	Maximum number of attempts before telemetry data should be dropped.		Maximum: 10 <br />Minimum: 1 <br />Required: {} <br />
`backoffDuration` <br />Duration	Backoff duration that should be used to backoff when retrying requests.		Required: {} <br />

SinkStatus

SinkStatus provides status information on the current status of a sink. This can be used to determine whether a sink is configured correctly and is exporting telemetry data.

Appears in:

ExportPolicyStatus

Field	Description	Default	Validation
`name` <br />string	The name of the corresponding sink configuration in the spec of the export<br />policy.
`conditions` <br />Condition array	Provides status information on the current status of the sink. This can be<br />used to determine whether a sink is configured correctly and is exporting<br />telemetry data.<br />Known condition types are: “Ready”

SinkTarget

Configures the target of the telemetry sink. The target defines the protocol that’s used to send telemetry data to the sink. Only one target protocol can be configured per sink.

Appears in:

TelemetrySink

Field	Description	Default	Validation
`prometheusRemoteWrite` <br />PrometheusRemoteWriteSink	Configures the export policy to publish telemetry using the Prometheus<br />Remote Write protocol.

TelemetrySink

Configures how telemetry data should be sent to a third-party platform. As of now there are no guarantees around delivery of telemetry data, especially if the sink’s endpoint is unavailable.

Appears in:

ExportPolicySpec

Field	Description	Validation
`name` <br />string	A name provided to the telemetry sink that’s unique within the export<br />policy.	MaxLength: 63 <br />MinLength: 1 <br />Pattern: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` <br />Required: {} <br />
`sources` <br />string array	A list of sources that should be sent to the telemetry sink.	MaxItems: 20 <br />MinItems: 1 <br />Required: {} <br />
`target` <br />SinkTarget	Configures the target of the telemetry sink.	Required: {} <br />

TelemetrySource

Defines how the export policy should source telemetry data from resources on the platform.

Appears in:

ExportPolicySpec

Field	Description	Default	Validation
`name` <br />string	A unique name given to the telemetry source within an export policy. Must<br />be a valid DNS label.		MaxLength: 63 <br />MinLength: 1 <br />Pattern: `^[a-z0-9]([-a-z0-9]*[a-z0-9])?$` <br />Required: {} <br />
`metrics` <br />MetricSource	Configures how the telemetry source should retrieve metric data from the<br />Datum Cloud platform.

Field	Description	Default	Validation
`trigger` <br />GrantTriggerSpec	Trigger defines what resource changes should trigger grant creation.		Required: {} <br />
`target` <br />GrantTargetSpec	Target defines where and how grants should be created.		Required: {} <br />
`disabled` <br />boolean	Disabled determines if this policy is inactive.<br />If true, no ResourceGrants will be created for matching resources.	false

Field	Description	Validation
`apiGroup` <br />string	APIGroup specifies the API group of the parent context resource.<br />Must follow DNS subdomain format. Maximum 253 characters.<br />Examples:<br />- “resourcemanager.miloapis.com” (for Organization parent context)<br />- “infrastructure.miloapis.com” (for Cluster parent context)	MaxLength: 253 <br />Pattern: `^[a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)*$` <br />Required: {} <br />
`kind` <br />string	Kind specifies the resource type that represents the parent context. Must be a valid Kubernetes resource Kind. Maximum 63 characters. Examples: - “Organization” (create grants in organization’s parent control plane) - “Cluster” (create grants in cluster’s parent infrastructure)	MaxLength: 63 <br />MinLength: 1 <br />Pattern: `^[A-Z][a-zA-Z0-9]*$` <br />Required: {} <br />
`nameExpression` <br />string	NameExpression is a CEL expression that resolves the name of the parent context resource. Must return a string value that identifies the specific parent context instance. Maximum 512 characters. Available variables: - object: The trigger resource being evaluated (complete object) Common expression patterns: - object.spec.organization (direct field reference) - object.metadata.labels[“parent-org”] (label-based resolution) - object.metadata.namespace.split(”-”)[0] (derived from namespace naming) Examples: - “acme-corp” (literal parent name) - object.spec.parentOrganization (field from trigger resource) - object.metadata.labels[“quota.miloapis.com/organization”] (label value)	MaxLength: 512 <br />MinLength: 1 <br />Required: {} <br />

Field	Description	Default	Validation
`parentContext` <br />GrantParentContextSpec	ParentContext defines cross-control-plane targeting. If specified, grants will be created in the target parent context instead of the current control plane.
`resourceGrantTemplate` <br />ResourceGrantTemplate	ResourceGrantTemplate defines how to create ResourceGrants.<br />String fields support CEL expressions wrapped in {{ }} delimiters for dynamic content.<br />Plain strings without {{ }} are treated as literal values.		Required: {} <br />

Field	Description	Default	Validation
`apiVersion` <br />string	APIVersion of the trigger resource in the format “group/version”.<br />For core resources, use “v1”.		Pattern: `^([a-z0-9]([-a-z0-9][a-z0-9])?(\.[a-z0-9]([-a-z0-9][a-z0-9])?)\/)?v[0-9]+((alpha\|beta)[0-9])?$` <br />Required: {} <br />
`kind` <br />string	Kind is the kind of the trigger resource.		MaxLength: 63 <br />MinLength: 1 <br />Pattern: `^[A-Z][a-zA-Z0-9]*$` <br />Required: {} <br />

Field	Description	Default	Validation
`resource` <br />GrantTriggerResource	Resource specifies which resource type triggers this policy.		Required: {} <br />
`constraints` <br />ConditionExpression array	Constraints are CEL expressions that must evaluate to true for grant creation.<br />These are pure CEL expressions WITHOUT {{ }} delimiters (unlike template fields).<br />All constraints must pass for the policy to trigger.<br />The ‘object’ variable contains the trigger resource being evaluated.		MaxItems: 10 <br />

Field	Description	Default	Validation
`name` <br />string	Name specifies the exact name for the created ResourceClaim.<br />Supports CEL expressions wrapped in {{ }} delimiters with access to template variables.<br />Leave empty to use GenerateName for auto-generated names.<br />CEL Expression Syntax: CEL expressions must be enclosed in double curly braces {{ }}.<br />Plain strings without {{ }} are treated as literal values.<br />Template variables available:<br />- trigger: The resource triggering claim creation<br />- requestInfo: Request details (verb, resource, name, etc.)<br />- user: User information (name, uid, groups, extra)<br />Examples:<br />- “{{trigger.metadata.name + ‘-quota-claim’}}” (CEL expression)<br />- “{{trigger.metadata.name}}-claim” (CEL + literal)<br />- “fixed-claim-name” (literal string)
`generateName` <br />string	GenerateName specifies a prefix for auto-generated names when Name is empty.<br />Kubernetes appends random characters to create unique names.<br />Supports CEL expressions wrapped in {{ }} delimiters.<br />Examples:<br />- “{{trigger.spec.type + ‘-claim-’}}” (CEL expression)<br />- “{{trigger.spec.type}}-claim-” (CEL + literal)<br />- “quota-claim-” (literal string)
`namespace` <br />string	Namespace specifies where the ResourceClaim will be created.<br />Supports CEL expressions wrapped in {{ }} delimiters to derive namespace from trigger resource.<br />Leave empty to create in the same namespace as the trigger resource.<br />Examples:<br />- “{{trigger.metadata.namespace}}” (CEL: same namespace as trigger)<br />- “milo-system” (literal: fixed system namespace)<br />- “{{trigger.spec.organization + ‘-claims’}}” (CEL: derived namespace)
`labels` <br />object (keys:string, values:string)	Labels specifies static labels to apply to the created ResourceClaim.<br />Values are literal strings (no template processing).<br />The system automatically adds standard labels for policy tracking.<br />Useful for:<br />- Organizing claims by policy or resource type<br />- Adding environment or tier indicators<br />- Enabling label-based queries and monitoring
`annotations` <br />object (keys:string, values:string)	Annotations specifies annotations to apply to the created ResourceClaim.<br />Values support CEL expressions wrapped in {{ }} delimiters for dynamic content.<br />The system automatically adds standard annotations for tracking.<br />Template variables available:<br />- trigger: The resource triggering claim creation<br />- requestInfo: Request details<br />- user: User information<br />Examples:<br />- created-for: “{{trigger.metadata.name}}” (CEL expression)<br />- requested-by: “{{user.name}}” (CEL expression)<br />- environment: “production” (literal string)