This resource is part of the v1alpha1 API and is subject to change. Fields and behavior may change in future releases.
Identity
| Attribute | Value |
|---|---|
| Group | iam.miloapis.com |
| Version | v1alpha1 |
| Kind | PolicyBinding |
| Scope | Project |
Overview
A PolicyBinding grants access by binding a Role to one or more subjects (users, groups, or service accounts) for a specific set of resources. Use it to control who can act on what within a Project: you pick the role that defines the permissions, list the subjects that receive them, and select the resources the role applies to.
Spec fields
| Field | Type | Required | Description |
|---|---|---|---|
| spec.roleRef | Object | Yes | Reference to the Role being bound. |
| spec.roleRef.name | string | Yes | Name of the referenced Role. |
| spec.roleRef.namespace | string | No | Namespace of the referenced Role. If empty, the PolicyBinding's own scope is assumed. |
| spec.subjects | []Object | Yes | The identities the role applies to. |
| spec.subjects[].kind | string | Yes | Type of subject. One of User, Group, or ServiceAccount. |
| spec.subjects[].name | string | Yes | Name of the subject. The special group name system:authenticated-users refers to all authenticated users. |
| spec.subjects[].namespace | string | No | Scope of the subject. Ignored for Users, Groups, and ServiceAccounts when not specified. |
| spec.subjects[].uid | string | No | Unique identifier of the subject. Optional for system: groups. |
| spec.resourceSelector | Object | Yes | Selects which resources the role applies to. resourceKind and resourceRef are mutually exclusive. |
| spec.resourceSelector.resourceKind | Object | No | Apply the role to all resources of a specific kind. |
| spec.resourceSelector.resourceKind.kind | string | Yes | The resource type being referenced. |
| spec.resourceSelector.resourceKind.apiGroup | string | No | API group of the resource type. If omitted, the kind must be in the core API group. |
| spec.resourceSelector.resourceRef | Object | No | Apply the role to a single, specific resource instance. |
| spec.resourceSelector.resourceRef.kind | string | Yes | The resource type being referenced. |
| spec.resourceSelector.resourceRef.name | string | Yes | Name of the resource being referenced. |
| spec.resourceSelector.resourceRef.uid | string | Yes | Unique identifier of the resource being referenced. |
| spec.resourceSelector.resourceRef.apiGroup | string | No | API group of the resource. Required for third-party types; if omitted, the kind must be in the core API group. |
| spec.resourceSelector.resourceRef.namespace | string | No | Scope of the resource. Required for Project-scoped resources; omitted for Platform-scoped resources. |
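The field rules above (a required roleRef.name, at least one subject of a known kind, and exactly one of resourceKind or resourceRef in the selector) are easy to get wrong when writing manifests by hand. The following is an added example, not Milo or datumctl code: a client-side pre-flight check that applies those rules to a manifest loaded as a Python dict, plus a separate review helper that flags bindings whose subject is the system:authenticated-users group, since such a binding reaches every authenticated user. The sample manifests are constructed here; the API server's own validation remains authoritative.

```python
"""Pre-flight checks for a PolicyBinding manifest (constructed example, not project code).

validate_policy_binding() applies the structural rules from the spec field table;
broad_grants() is a review aid that highlights grants to all authenticated users.
"""

VALID_SUBJECT_KINDS = {"User", "Group", "ServiceAccount"}
ALL_AUTHENTICATED = "system:authenticated-users"  # special group name from the field table


def validate_policy_binding(obj: dict) -> list[str]:
    """Return the list of problems found in a PolicyBinding manifest (empty list means OK)."""
    problems: list[str] = []
    if obj.get("apiVersion") != "iam.miloapis.com/v1alpha1":
        problems.append("apiVersion must be iam.miloapis.com/v1alpha1")
    if obj.get("kind") != "PolicyBinding":
        problems.append("kind must be PolicyBinding")
    spec = obj.get("spec") or {}

    # roleRef.name is required; roleRef.namespace is optional (defaults to the binding's scope).
    if not (spec.get("roleRef") or {}).get("name"):
        problems.append("spec.roleRef.name is required")

    # subjects: at least one entry, each with a known kind and a name.
    subjects = spec.get("subjects") or []
    if not subjects:
        problems.append("spec.subjects must list at least one subject")
    for i, subj in enumerate(subjects):
        if subj.get("kind") not in VALID_SUBJECT_KINDS:
            problems.append(f"spec.subjects[{i}].kind must be one of {sorted(VALID_SUBJECT_KINDS)}")
        if not subj.get("name"):
            problems.append(f"spec.subjects[{i}].name is required")

    # resourceSelector: resourceKind and resourceRef are mutually exclusive, and one is needed.
    selector = spec.get("resourceSelector") or {}
    by_kind = selector.get("resourceKind")
    by_ref = selector.get("resourceRef")
    if bool(by_kind) == bool(by_ref):
        problems.append("spec.resourceSelector must set exactly one of resourceKind or resourceRef")
    if by_kind and not by_kind.get("kind"):
        problems.append("spec.resourceSelector.resourceKind.kind is required")
    if by_ref:
        for field in ("kind", "name", "uid"):  # all three are required for a resourceRef
            if not by_ref.get(field):
                problems.append(f"spec.resourceSelector.resourceRef.{field} is required")
    return problems


def broad_grants(obj: dict) -> list[str]:
    """Return a warning per subject that grants the role to every authenticated user.

    This is a review policy chosen for the example, not a rule enforced by the API.
    """
    spec = obj.get("spec") or {}
    role = (spec.get("roleRef") or {}).get("name")
    return [
        f"role {role} is granted to all authenticated users via group {ALL_AUTHENTICATED}"
        for s in spec.get("subjects") or []
        if s.get("kind") == "Group" and s.get("name") == ALL_AUTHENTICATED
    ]


# Constructed sample manifests (dict form of the YAML a user would apply).
DNS_EDITORS = {  # mirrors the Usage example on this page
    "apiVersion": "iam.miloapis.com/v1alpha1",
    "kind": "PolicyBinding",
    "metadata": {"name": "dns-editors"},
    "spec": {
        "roleRef": {"name": "dns-editor"},
        "subjects": [{"kind": "User", "name": "alice@example.com"}],
        "resourceSelector": {"resourceKind": {"apiGroup": "dns.networking.miloapis.com", "kind": "DNSZone"}},
    },
}

BAD_BOTH_SELECTORS = {  # invalid: resourceKind and resourceRef set together
    **DNS_EDITORS,
    "spec": {
        **DNS_EDITORS["spec"],
        "resourceSelector": {
            "resourceKind": {"apiGroup": "dns.networking.miloapis.com", "kind": "DNSZone"},
            "resourceRef": {"kind": "DNSZone", "name": "example-zone", "uid": "PLACEHOLDER-UID"},
        },
    },
}

BAD_REF_MISSING_UID = {  # invalid: resourceRef without its required uid
    **DNS_EDITORS,
    "spec": {**DNS_EDITORS["spec"], "resourceSelector": {"resourceRef": {"kind": "DNSZone", "name": "example-zone"}}},
}

WIDE_OPEN = {  # valid, but grants the role to every authenticated user
    **DNS_EDITORS,
    "spec": {**DNS_EDITORS["spec"], "subjects": [{"kind": "Group", "name": ALL_AUTHENTICATED}]},
}

if __name__ == "__main__":
    for name, manifest in [("dns-editors", DNS_EDITORS), ("both-selectors", BAD_BOTH_SELECTORS),
                           ("missing-uid", BAD_REF_MISSING_UID), ("wide-open", WIDE_OPEN)]:
        print(name, validate_policy_binding(manifest), broad_grants(manifest))
```

Running the module prints an empty problem list for the page's own example and one problem each for the two invalid manifests; the wide-open binding passes validation but is reported by broad_grants, which is the point of keeping the structural check and the review check separate.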
Status fields (read-only)
| Field | Type | Description |
|---|---|---|
| status.conditions | []Object | Conditions representing the current status of the PolicyBinding. |
| status.observedGeneration | integer | The most recent generation observed for this PolicyBinding by the controller. |
Usage
```yaml
apiVersion: iam.miloapis.com/v1alpha1
kind: PolicyBinding
metadata:
  name: dns-editors
spec:
  roleRef:
    name: dns-editor
  subjects:
    - kind: User
      name: alice@example.com
  resourceSelector:
    resourceKind:
      apiGroup: dns.networking.miloapis.com
      kind: DNSZone
```

```shell
# Create the binding in the project, then list and inspect it.
datumctl apply -f policybinding.yaml --project my-project
datumctl get policybindings.iam.miloapis.com --project my-project
datumctl describe policybindings.iam.miloapis.com dns-editors --project my-project
```
Run `datumctl explain policybindings.iam.miloapis.com --recursive` to see the full, live field tree for this resource.