11.8. マネージドサービスアカウント (テクノロジープレビュー)
11.8.1. 概要
このドキュメントは、Kubernetes Operator のマルチクラスターエンジンの ManagedServiceAccount リソースを対象としています。ManagedServiceAccount リソースには、create、query、delete、update の 4 つのリクエストがあります。
11.8.1.1. URI スキーム
ベースパス: /kubernetes/apis
スキーム: HTTPS
11.8.1.2. タグ
-
managedserviceaccounts.multicluster.openshift.io`:ManagedServiceAccountsを作成および管理します
11.8.2. パス
11.8.2.1. ManagedServiceAccount を作成する
POST /apis/multicluster.openshift.io/v1alpha1/ManagedServiceAccounts
11.8.2.1.1. 説明
ManagedServiceAccount を作成します。
11.8.2.1.2. パラメーター
| 型 | 名前 | 説明 | スキーマ |
|---|---|---|---|
| ヘッダー |
COOKIE | Authorization: Bearer {ACCESS_TOKEN}。ACCESS_TOKEN はユーザーのアクセストークンに置き換えます。 | 文字列 |
| ボディー |
body | 作成する ManagedServiceAccount を説明するパラメーター。 | ManagedServiceAccount |
11.8.2.1.3. 応答
| HTTP コード | 説明 | スキーマ |
|---|---|---|
| 200 | 成功 | コンテンツなし |
| 403 | アクセス禁止 | コンテンツなし |
| 404 | リソースが見つからない | コンテンツなし |
| 500 | 内部サービスエラー | コンテンツなし |
| 503 | サービスが利用できない | コンテンツなし |
11.8.2.1.4. 消費
-
managedserviceaccount/yaml
11.8.2.1.5. タグ
- managedserviceaccount.multicluster.openshift.io
11.8.2.1.5.1. 要求のボディー
{
"apiVersion": "apiextensions.k8s.io/v1",
"kind": "CustomResourceDefinition",
"metadata": {
"annotations": {
"controller-gen.kubebuilder.io/version": "v0.4.1"
},
"creationTimestamp": null,
"name": "managedserviceaccount.authentication.open-cluster-management.io"
},
"spec": {
"group": "authentication.open-cluster-management.io",
"names": {
"kind": "ManagedServiceAccount",
"listKind": "ManagedServiceAccountList",
"plural": "managedserviceaccounts",
"singular": "managedserviceaccount"
},
"scope": "Namespaced",
"versions": [
{
"name": "v1alpha1",
"schema": {
"openAPIV3Schema": {
"description": "ManagedServiceAccount is the Schema for the managedserviceaccounts\nAPI",
"properties": {
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation\nof an object. Servers should convert recognized schemas to the latest\ninternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
"type": "string"
},
"kind": {
"description": "Kind is a string value representing the REST resource this\nobject represents. Servers may infer this from the endpoint the client\nsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
"type": "string"
},
"metadata": {
"type": "object"
},
"spec": {
"description": "ManagedServiceAccountSpec defines the desired state of ManagedServiceAccount",
"properties": {
"rotation": {
"description": "Rotation is the policy for rotation the credentials.",
"properties": {
"enabled": {
"default": true,
"description": "Enabled prescribes whether the ServiceAccount token\nwill be rotated from the upstream",
"type": "boolean"
},
"validity": {
"default": "8640h0m0s",
"description": "Validity is the duration for which the signed ServiceAccount\ntoken is valid.",
"type": "string"
}
},
"type": "object"
},
"ttlSecondsAfterCreation": {
"description": "ttlSecondsAfterCreation limits the lifetime of a ManagedServiceAccount.\nIf the ttlSecondsAfterCreation field is set, the ManagedServiceAccount\nwill be automatically deleted regardless of the ManagedServiceAccount's\nstatus. When the ManagedServiceAccount is deleted, its lifecycle\nguarantees (e.g. finalizers) will be honored. If this field is unset,\nthe ManagedServiceAccount won't be automatically deleted. If this\nfield is set to zero, the ManagedServiceAccount becomes eligible\nfor deletion immediately after its creation. In order to use ttlSecondsAfterCreation,\nthe EphemeralIdentity feature gate must be enabled.",
"exclusiveMinimum": true,
"format": "int32",
"minimum": 0,
"type": "integer"
}
},
"required": [
"rotation"
],
"type": "object"
},
"status": {
"description": "ManagedServiceAccountStatus defines the observed state of\nManagedServiceAccount",
"properties": {
"conditions": {
"description": "Conditions is the condition list.",
"items": {
"description": "Condition contains details for one aspect of the current\nstate of this API Resource. --- This struct is intended for direct\nuse as an array at the field path .status.conditions. For example,\ntype FooStatus struct{ // Represents the observations of a\nfoo's current state. // Known .status.conditions.type are:\n\"Available\", \"Progressing\", and \"Degraded\" // +patchMergeKey=type\n // +patchStrategy=merge // +listType=map // +listMapKey=type\n Conditions []metav1.Condition `json:\"conditions,omitempty\"\npatchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n // other fields }",
"properties": {
"lastTransitionTime": {
"description": "lastTransitionTime is the last time the condition\ntransitioned from one status to another. This should be when\nthe underlying condition changed. If that is not known, then\nusing the time when the API field changed is acceptable.",
"format": "date-time",
"type": "string"
},
"message": {
"description": "message is a human readable message indicating\ndetails about the transition. This may be an empty string.",
"maxLength": 32768,
"type": "string"
},
"observedGeneration": {
"description": "observedGeneration represents the .metadata.generation\nthat the condition was set based upon. For instance, if .metadata.generation\nis currently 12, but the .status.conditions[x].observedGeneration\nis 9, the condition is out of date with respect to the current\nstate of the instance.",
"format": "int64",
"minimum": 0,
"type": "integer"
},
"reason": {
"description": "reason contains a programmatic identifier indicating\nthe reason for the condition's last transition. Producers\nof specific condition types may define expected values and\nmeanings for this field, and whether the values are considered\na guaranteed API. The value should be a CamelCase string.\nThis field may not be empty.",
"maxLength": 1024,
"minLength": 1,
"pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
"type": "string"
},
"status": {
"description": "status of the condition, one of True, False, Unknown.",
"enum": [
"True",
"False",
"Unknown"
],
"type": "string"
},
"type": {
"description": "type of condition in CamelCase or in foo.example.com/CamelCase.\n--- Many .condition.type values are consistent across resources\nlike Available, but because arbitrary conditions can be useful\n(see .node.status.conditions), the ability to deconflict is\nimportant. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)",
"maxLength": 316,
"pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
"type": "string"
}
},
"required": [
"lastTransitionTime",
"message",
"reason",
"status",
"type"
],
"type": "object"
},
"type": "array"
},
"expirationTimestamp": {
"description": "ExpirationTimestamp is the time when the token will expire.",
"format": "date-time",
"type": "string"
},
"tokenSecretRef": {
"description": "TokenSecretRef is a reference to the corresponding ServiceAccount's\nSecret, which stores the CA certficate and token from the managed\ncluster.",
"properties": {
"lastRefreshTimestamp": {
"description": "LastRefreshTimestamp is the timestamp indicating\nwhen the token in the Secret is refreshed.",
"format": "date-time",
"type": "string"
},
"name": {
"description": "Name is the name of the referenced secret.",
"type": "string"
}
},
"required": [
"lastRefreshTimestamp",
"name"
],
"type": "object"
}
},
"type": "object"
}
},
"type": "object"
}
},
"served": true,
"storage": true,
"subresources": {
"status": {}
}
}
]
},
"status": {
"acceptedNames": {
"kind": "",
"plural": ""
},
"conditions": [],
"storedVersions": []
}
}11.8.2.2. 単一の ManagedServiceAccount をクエリーする
GET /cluster.open-cluster-management.io/v1alpha1/namespaces/{namespace}/managedserviceaccounts/{managedserviceaccount_name}11.8.2.2.1. 説明
詳細については、単一の ManagedServiceAccount を照会してください。
11.8.2.2.2. パラメーター
| 型 | 名前 | 説明 | スキーマ |
|---|---|---|---|
| ヘッダー |
COOKIE | Authorization: Bearer {ACCESS_TOKEN}。ACCESS_TOKEN はユーザーのアクセストークンに置き換えます。 | 文字列 |
| パス |
managedserviceaccount_name |
照会する | 文字列 |
11.8.2.2.3. レスポンス
| HTTP コード | 説明 | スキーマ |
|---|---|---|
| 200 | 成功 | コンテンツなし |
| 403 | アクセス禁止 | コンテンツなし |
| 404 | リソースが見つからない | コンテンツなし |
| 500 | 内部サービスエラー | コンテンツなし |
| 503 | サービスが利用できない | コンテンツなし |
11.8.2.2.4. タグ
- cluster.open-cluster-management.io
11.8.2.3. ManagedServiceAccount を削除する
DELETE /cluster.open-cluster-management.io/v1alpha1/namespaces/{namespace}/managedserviceaccounts/{managedserviceaccount_name}11.8.2.3.1. 説明
単一の ManagedServiceAccount を削除します。
11.8.2.3.2. パラメーター
| 型 | 名前 | 説明 | スキーマ |
|---|---|---|---|
| ヘッダー |
COOKIE | Authorization: Bearer {ACCESS_TOKEN}。ACCESS_TOKEN はユーザーのアクセストークンに置き換えます。 | 文字列 |
| パス |
managedserviceaccount_name |
削除する | 文字列 |
11.8.2.3.3. レスポンス
| HTTP コード | 説明 | スキーマ |
|---|---|---|
| 200 | 成功 | コンテンツなし |
| 403 | アクセス禁止 | コンテンツなし |
| 404 | リソースが見つからない | コンテンツなし |
| 500 | 内部サービスエラー | コンテンツなし |
| 503 | サービスが利用できない | コンテンツなし |
11.8.2.3.4. タグ
- cluster.open-cluster-management.io
11.8.3. 定義
11.8.3.1. ManagedServiceAccount
| 名前 | 説明 | スキーマ |
|---|---|---|
|
apiVersion |
| string |
|
kind | REST リソースを表す文字列の値 | string |
|
metadata |
| object |
|
spec |
|
