AccessContextManagerAccessLevel

Property Value
Google Cloud Service Name AccessContextManager
Google Cloud Service Documentation /access-context-manager/docs/
Google Cloud REST Resource Name accesscontextmanager/v1/accessLevels
Google Cloud REST Resource Documentation /access-context-manager/docs/reference/rest/v1/accessPolicies.accessLevels
Config Connector Resource Short Names gcpaccesscontextmanageraccesslevel
gcpaccesscontextmanageraccesslevels
accesscontextmanageraccesslevel
Config Connector Service Name accesscontextmanager.googleapis.com
Config Connector Resource Fully Qualified Name accesscontextmanageraccesslevels.accesscontextmanager.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No

Custom Resource Definition Properties

Spec

Schema

accessPolicyRef:
  external: string
  name: string
  namespace: string
basic:
  combiningFunction: string
  conditions:
  - devicePolicy:
      allowedDeviceManagementLevels:
      - string
      allowedEncryptionStatuses:
      - string
      osConstraints:
      - minimumVersion: string
        osType: string
      requireAdminApproval: boolean
      requireCorpOwned: boolean
      requireScreenLock: boolean
    ipSubnetworks:
    - string
    members:
    - serviceAccountRef:
        external: string
        name: string
        namespace: string
      user: string
    negate: boolean
    regions:
    - string
    requiredAccessLevels:
    - external: string
      name: string
      namespace: string
description: string
title: string
Fields

accessPolicyRef

Required

object

The AccessContextManagerAccessPolicy this AccessContextManagerAccessLevel lives in.

accessPolicyRef.external

Optional

string

The name of an AccessContextManagerAccessPolicy.

accessPolicyRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

accessPolicyRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

basic

Optional

object

A set of predefined conditions for the access level and a combining function.

basic.combiningFunction

Optional

string

How the conditions list should be combined to determine if a request is granted this AccessLevel. If AND is used, each Condition in conditions must be satisfied for the AccessLevel to be applied. If OR is used, at least one Condition in conditions must be satisfied for the AccessLevel to be applied. Default value: "AND" Possible values: ["AND", "OR"]

basic.conditions

Required*

list (object)

basic.conditions.[]

Required*

object

basic.conditions.[].devicePolicy

Optional

object

Device specific restrictions, all restrictions must hold for the Condition to be true. If not specified, all devices are allowed.

basic.conditions.[].devicePolicy.allowedDeviceManagementLevels

Optional

list (string)

basic.conditions.[].devicePolicy.allowedDeviceManagementLevels.[]

Optional

string

basic.conditions.[].devicePolicy.allowedEncryptionStatuses

Optional

list (string)

basic.conditions.[].devicePolicy.allowedEncryptionStatuses.[]

Optional

string

basic.conditions.[].devicePolicy.osConstraints

Optional

list (object)

basic.conditions.[].devicePolicy.osConstraints.[]

Optional

object

basic.conditions.[].devicePolicy.osConstraints.[].minimumVersion

Optional

string

The minimum allowed OS version. If not set, any version of this OS satisfies the constraint. Format: "major.minor.patch" such as "10.5.301", "9.2.1".

basic.conditions.[].devicePolicy.osConstraints.[].osType

Required*

string

The operating system type of the device. Possible values: ["OS_UNSPECIFIED", "DESKTOP_MAC", "DESKTOP_WINDOWS", "DESKTOP_LINUX", "DESKTOP_CHROME_OS"]

basic.conditions.[].devicePolicy.requireAdminApproval

Optional

boolean

Whether the device needs to be approved by the customer admin.

basic.conditions.[].devicePolicy.requireCorpOwned

Optional

boolean

Whether the device needs to be corp owned.

basic.conditions.[].devicePolicy.requireScreenLock

Optional

boolean

Whether or not screenlock is required for the DevicePolicy to be true. Defaults to false.

basic.conditions.[].ipSubnetworks

Optional

list (string)

basic.conditions.[].ipSubnetworks.[]

Optional

string

basic.conditions.[].members

Optional

list (object)

An allowed list of members (users, service accounts). Using groups is not supported. The signed-in user originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, not present in any groups, etc.).

basic.conditions.[].members.[]

Optional

object

An allowed list of members (users, service accounts). Using groups is not supported. The signed-in user originating the request must be a part of one of the provided members. If not specified, a request may come from any user (logged in/not logged in, not present in any groups, etc.).

basic.conditions.[].members.[].serviceAccountRef

Optional

object

basic.conditions.[].members.[].serviceAccountRef.external

Optional

string

The email of an IAMServiceAccount.

basic.conditions.[].members.[].serviceAccountRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

basic.conditions.[].members.[].serviceAccountRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

basic.conditions.[].members.[].user

Optional

string

basic.conditions.[].negate

Optional

boolean

Whether to negate the Condition. If true, the Condition becomes a NAND over its non-empty fields, each field must be false for the Condition overall to be satisfied. Defaults to false.

basic.conditions.[].regions

Optional

list (string)

basic.conditions.[].regions.[]

Optional

string

basic.conditions.[].requiredAccessLevels

Optional

list (object)

A list of other access levels defined in the same policy. Referencing an AccessContextManagerAccessLevel which does not exist is an error. All access levels listed must be granted for the condition to be true.

basic.conditions.[].requiredAccessLevels.[]

Optional

object

A list of other access levels defined in the same policy. Referencing an AccessContextManagerAccessLevel which does not exist is an error. All access levels listed must be granted for the condition to be true.

basic.conditions.[].requiredAccessLevels.[].external

Optional

string

The name of an AccessContextManagerAccessLevel.

basic.conditions.[].requiredAccessLevels.[].name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

basic.conditions.[].requiredAccessLevels.[].namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

description

Optional

string

Description of the AccessLevel and its use. Does not affect behavior.

title

Required

string

Human readable title. Must be unique within the Policy.

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
Fields
conditions

list (object)

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

Sample YAML(s)

Typical Use Case

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: accesscontextmanager.cnrm.cloud.google.com/v1beta1
kind: AccessContextManagerAccessLevel
metadata:
  annotations:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    cnrm.cloud.google.com/organization-id: "${ORG_ID}"
  name: accesslevelsample
spec:
  accessPolicyRef:
    name: accessleveldep
  title: Config Connector Sample Access Level
  basic:
    conditions:
      - devicePolicy:
          requireCorpOwned: true
      - devicePolicy:
          osConstraints:
          - osType: DESKTOP_CHROME_OS
    combiningFunction: OR
---
apiVersion: accesscontextmanager.cnrm.cloud.google.com/v1beta1
kind: AccessContextManagerAccessPolicy
metadata:
  annotations:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    cnrm.cloud.google.com/organization-id: "${ORG_ID}"
  name: accessleveldep
spec:
  title: Config Connector Access Level Dependency