Skip to content

resources.v5.teleportRole

"Role is the Schema for the roles API"

Index

Fields

fn new

new(name)

new returns an instance of TeleportRole

obj metadata

"ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create."

fn metadata.withAnnotations

withAnnotations(annotations)

"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"

fn metadata.withAnnotationsMixin

withAnnotationsMixin(annotations)

"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"

Note: This function appends passed data to existing values

fn metadata.withClusterName

withClusterName(clusterName)

"The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request."

fn metadata.withCreationTimestamp

withCreationTimestamp(creationTimestamp)

"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."

fn metadata.withDeletionGracePeriodSeconds

withDeletionGracePeriodSeconds(deletionGracePeriodSeconds)

"Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only."

fn metadata.withDeletionTimestamp

withDeletionTimestamp(deletionTimestamp)

"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."

fn metadata.withFinalizers

withFinalizers(finalizers)

"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."

fn metadata.withFinalizersMixin

withFinalizersMixin(finalizers)

"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."

Note: This function appends passed data to existing values

fn metadata.withGenerateName

withGenerateName(generateName)

"GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency"

fn metadata.withGeneration

withGeneration(generation)

"A sequence number representing a specific generation of the desired state. Populated by the system. Read-only."

fn metadata.withLabels

withLabels(labels)

"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"

fn metadata.withLabelsMixin

withLabelsMixin(labels)

"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"

Note: This function appends passed data to existing values

fn metadata.withName

withName(name)

"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names"

fn metadata.withNamespace

withNamespace(namespace)

"Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces"

fn metadata.withOwnerReferences

withOwnerReferences(ownerReferences)

"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."

fn metadata.withOwnerReferencesMixin

withOwnerReferencesMixin(ownerReferences)

"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."

Note: This function appends passed data to existing values

fn metadata.withResourceVersion

withResourceVersion(resourceVersion)

"An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"

withSelfLink(selfLink)

"SelfLink is a URL representing this object. Populated by the system. Read-only.\n\nDEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release."

fn metadata.withUid

withUid(uid)

"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids"

obj spec

"Role resource definition v5 from Teleport"

obj spec.allow

"Allow is the set of conditions evaluated to grant access."

fn spec.allow.withApp_labels

withApp_labels(app_labels)

"AppLabels is a map of labels used as part of the RBAC system."

fn spec.allow.withApp_labelsMixin

withApp_labelsMixin(app_labels)

"AppLabels is a map of labels used as part of the RBAC system."

Note: This function appends passed data to existing values

fn spec.allow.withApp_labels_expression

withApp_labels_expression(app_labels_expression)

"AppLabelsExpression is a predicate expression used to allow/deny access to Apps."

fn spec.allow.withAws_role_arns

withAws_role_arns(aws_role_arns)

"AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume."

fn spec.allow.withAws_role_arnsMixin

withAws_role_arnsMixin(aws_role_arns)

"AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume."

Note: This function appends passed data to existing values

fn spec.allow.withAzure_identities

withAzure_identities(azure_identities)

"AzureIdentities is a list of Azure identities this role is allowed to assume."

fn spec.allow.withAzure_identitiesMixin

withAzure_identitiesMixin(azure_identities)

"AzureIdentities is a list of Azure identities this role is allowed to assume."

Note: This function appends passed data to existing values

fn spec.allow.withCluster_labels

withCluster_labels(cluster_labels)

"ClusterLabels is a map of node labels (used to dynamically grant access to clusters)."

fn spec.allow.withCluster_labelsMixin

withCluster_labelsMixin(cluster_labels)

"ClusterLabels is a map of node labels (used to dynamically grant access to clusters)."

Note: This function appends passed data to existing values

fn spec.allow.withCluster_labels_expression

withCluster_labels_expression(cluster_labels_expression)

"ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters."

fn spec.allow.withDb_labels

withDb_labels(db_labels)

"DatabaseLabels are used in RBAC system to allow/deny access to databases."

fn spec.allow.withDb_labelsMixin

withDb_labelsMixin(db_labels)

"DatabaseLabels are used in RBAC system to allow/deny access to databases."

Note: This function appends passed data to existing values

fn spec.allow.withDb_labels_expression

withDb_labels_expression(db_labels_expression)

"DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases."

fn spec.allow.withDb_names

withDb_names(db_names)

"DatabaseNames is a list of database names this role is allowed to connect to."

fn spec.allow.withDb_namesMixin

withDb_namesMixin(db_names)

"DatabaseNames is a list of database names this role is allowed to connect to."

Note: This function appends passed data to existing values

fn spec.allow.withDb_permissions

withDb_permissions(db_permissions)

"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."

fn spec.allow.withDb_permissionsMixin

withDb_permissionsMixin(db_permissions)

"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."

Note: This function appends passed data to existing values

fn spec.allow.withDb_roles

withDb_roles(db_roles)

"DatabaseRoles is a list of databases roles for automatic user creation."

fn spec.allow.withDb_rolesMixin

withDb_rolesMixin(db_roles)

"DatabaseRoles is a list of databases roles for automatic user creation."

Note: This function appends passed data to existing values

fn spec.allow.withDb_service_labels

withDb_service_labels(db_service_labels)

"DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services."

fn spec.allow.withDb_service_labelsMixin

withDb_service_labelsMixin(db_service_labels)

"DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services."

Note: This function appends passed data to existing values

fn spec.allow.withDb_service_labels_expression

withDb_service_labels_expression(db_service_labels_expression)

"DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services."

fn spec.allow.withDb_users

withDb_users(db_users)

"DatabaseUsers is a list of databases users this role is allowed to connect as."

fn spec.allow.withDb_usersMixin

withDb_usersMixin(db_users)

"DatabaseUsers is a list of databases users this role is allowed to connect as."

Note: This function appends passed data to existing values

fn spec.allow.withDesktop_groups

withDesktop_groups(desktop_groups)

"DesktopGroups is a list of groups for created desktop users to be added to"

fn spec.allow.withDesktop_groupsMixin

withDesktop_groupsMixin(desktop_groups)

"DesktopGroups is a list of groups for created desktop users to be added to"

Note: This function appends passed data to existing values

fn spec.allow.withGcp_service_accounts

withGcp_service_accounts(gcp_service_accounts)

"GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume."

fn spec.allow.withGcp_service_accountsMixin

withGcp_service_accountsMixin(gcp_service_accounts)

"GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume."

Note: This function appends passed data to existing values

fn spec.allow.withGroup_labels

withGroup_labels(group_labels)

"GroupLabels is a map of labels used as part of the RBAC system."

fn spec.allow.withGroup_labelsMixin

withGroup_labelsMixin(group_labels)

"GroupLabels is a map of labels used as part of the RBAC system."

Note: This function appends passed data to existing values

fn spec.allow.withGroup_labels_expression

withGroup_labels_expression(group_labels_expression)

"GroupLabelsExpression is a predicate expression used to allow/deny access to user groups."

fn spec.allow.withHost_groups

withHost_groups(host_groups)

"HostGroups is a list of groups for created users to be added to"

fn spec.allow.withHost_groupsMixin

withHost_groupsMixin(host_groups)

"HostGroups is a list of groups for created users to be added to"

Note: This function appends passed data to existing values

fn spec.allow.withHost_sudoers

withHost_sudoers(host_sudoers)

"HostSudoers is a list of entries to include in a users sudoer file"

fn spec.allow.withHost_sudoersMixin

withHost_sudoersMixin(host_sudoers)

"HostSudoers is a list of entries to include in a users sudoer file"

Note: This function appends passed data to existing values

fn spec.allow.withJoin_sessions

withJoin_sessions(join_sessions)

"JoinSessions specifies policies to allow users to join other sessions."

fn spec.allow.withJoin_sessionsMixin

withJoin_sessionsMixin(join_sessions)

"JoinSessions specifies policies to allow users to join other sessions."

Note: This function appends passed data to existing values

fn spec.allow.withKubernetes_groups

withKubernetes_groups(kubernetes_groups)

"KubeGroups is a list of kubernetes groups"

fn spec.allow.withKubernetes_groupsMixin

withKubernetes_groupsMixin(kubernetes_groups)

"KubeGroups is a list of kubernetes groups"

Note: This function appends passed data to existing values

fn spec.allow.withKubernetes_labels

withKubernetes_labels(kubernetes_labels)

"KubernetesLabels is a map of kubernetes cluster labels used for RBAC."

fn spec.allow.withKubernetes_labelsMixin

withKubernetes_labelsMixin(kubernetes_labels)

"KubernetesLabels is a map of kubernetes cluster labels used for RBAC."

Note: This function appends passed data to existing values

fn spec.allow.withKubernetes_labels_expression

withKubernetes_labels_expression(kubernetes_labels_expression)

"KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters."

fn spec.allow.withKubernetes_resources

withKubernetes_resources(kubernetes_resources)

"KubernetesResources is the Kubernetes Resources this Role grants access to."

fn spec.allow.withKubernetes_resourcesMixin

withKubernetes_resourcesMixin(kubernetes_resources)

"KubernetesResources is the Kubernetes Resources this Role grants access to."

Note: This function appends passed data to existing values

fn spec.allow.withKubernetes_users

withKubernetes_users(kubernetes_users)

"KubeUsers is an optional kubernetes users to impersonate"

fn spec.allow.withKubernetes_usersMixin

withKubernetes_usersMixin(kubernetes_users)

"KubeUsers is an optional kubernetes users to impersonate"

Note: This function appends passed data to existing values

fn spec.allow.withLogins

withLogins(logins)

"Logins is a list of *nix system logins."

fn spec.allow.withLoginsMixin

withLoginsMixin(logins)

"Logins is a list of *nix system logins."

Note: This function appends passed data to existing values

fn spec.allow.withNode_labels

withNode_labels(node_labels)

"NodeLabels is a map of node labels (used to dynamically grant access to nodes)."

fn spec.allow.withNode_labelsMixin

withNode_labelsMixin(node_labels)

"NodeLabels is a map of node labels (used to dynamically grant access to nodes)."

Note: This function appends passed data to existing values

fn spec.allow.withNode_labels_expression

withNode_labels_expression(node_labels_expression)

"NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes."

fn spec.allow.withRequire_session_join

withRequire_session_join(require_session_join)

"RequireSessionJoin specifies policies for required users to start a session."

fn spec.allow.withRequire_session_joinMixin

withRequire_session_joinMixin(require_session_join)

"RequireSessionJoin specifies policies for required users to start a session."

Note: This function appends passed data to existing values

fn spec.allow.withRules

withRules(rules)

"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."

fn spec.allow.withRulesMixin

withRulesMixin(rules)

"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."

Note: This function appends passed data to existing values

fn spec.allow.withSpiffe

withSpiffe(spiffe)

"SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID."

fn spec.allow.withSpiffeMixin

withSpiffeMixin(spiffe)

"SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID."

Note: This function appends passed data to existing values

fn spec.allow.withWindows_desktop_labels

withWindows_desktop_labels(windows_desktop_labels)

"WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops."

fn spec.allow.withWindows_desktop_labelsMixin

withWindows_desktop_labelsMixin(windows_desktop_labels)

"WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops."

Note: This function appends passed data to existing values

fn spec.allow.withWindows_desktop_labels_expression

withWindows_desktop_labels_expression(windows_desktop_labels_expression)

"WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops."

fn spec.allow.withWindows_desktop_logins

withWindows_desktop_logins(windows_desktop_logins)

"WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops."

fn spec.allow.withWindows_desktop_loginsMixin

withWindows_desktop_loginsMixin(windows_desktop_logins)

"WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops."

Note: This function appends passed data to existing values

obj spec.allow.db_permissions

"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."

fn spec.allow.db_permissions.withMatch

withMatch(match)

"Match is a list of object labels that must be matched for the permission to be granted."

fn spec.allow.db_permissions.withMatchMixin

withMatchMixin(match)

"Match is a list of object labels that must be matched for the permission to be granted."

Note: This function appends passed data to existing values

fn spec.allow.db_permissions.withPermissions

withPermissions(permissions)

"Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ..."

fn spec.allow.db_permissions.withPermissionsMixin

withPermissionsMixin(permissions)

"Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ..."

Note: This function appends passed data to existing values

obj spec.allow.impersonate

"Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means."

fn spec.allow.impersonate.withRoles

withRoles(roles)

"Roles is a list of resources this role is allowed to impersonate"

fn spec.allow.impersonate.withRolesMixin

withRolesMixin(roles)

"Roles is a list of resources this role is allowed to impersonate"

Note: This function appends passed data to existing values

fn spec.allow.impersonate.withUsers

withUsers(users)

"Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern"

fn spec.allow.impersonate.withUsersMixin

withUsersMixin(users)

"Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern"

Note: This function appends passed data to existing values

fn spec.allow.impersonate.withWhere

withWhere(where)

"Where specifies optional advanced matcher"

obj spec.allow.join_sessions

"JoinSessions specifies policies to allow users to join other sessions."

fn spec.allow.join_sessions.withKinds

withKinds(kinds)

"Kinds are the session kinds this policy applies to."

fn spec.allow.join_sessions.withKindsMixin

withKindsMixin(kinds)

"Kinds are the session kinds this policy applies to."

Note: This function appends passed data to existing values

fn spec.allow.join_sessions.withModes

withModes(modes)

"Modes is a list of permitted participant modes for this policy."

fn spec.allow.join_sessions.withModesMixin

withModesMixin(modes)

"Modes is a list of permitted participant modes for this policy."

Note: This function appends passed data to existing values

fn spec.allow.join_sessions.withName

withName(name)

"Name is the name of the policy."

fn spec.allow.join_sessions.withRoles

withRoles(roles)

"Roles is a list of roles that you can join the session of."

fn spec.allow.join_sessions.withRolesMixin

withRolesMixin(roles)

"Roles is a list of roles that you can join the session of."

Note: This function appends passed data to existing values

obj spec.allow.kubernetes_resources

"KubernetesResources is the Kubernetes Resources this Role grants access to."

fn spec.allow.kubernetes_resources.withKind

withKind(kind)

"Kind specifies the Kubernetes Resource type. At the moment only \"pod\" is supported."

fn spec.allow.kubernetes_resources.withName

withName(name)

"Name is the resource name. It supports wildcards."

fn spec.allow.kubernetes_resources.withNamespace

withNamespace(namespace)

"Namespace is the resource namespace. It supports wildcards."

fn spec.allow.kubernetes_resources.withVerbs

withVerbs(verbs)

"Verbs are the allowed Kubernetes verbs for the following resource."

fn spec.allow.kubernetes_resources.withVerbsMixin

withVerbsMixin(verbs)

"Verbs are the allowed Kubernetes verbs for the following resource."

Note: This function appends passed data to existing values

obj spec.allow.request

fn spec.allow.request.withAnnotations

withAnnotations(annotations)

"Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions."

fn spec.allow.request.withAnnotationsMixin

withAnnotationsMixin(annotations)

"Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions."

Note: This function appends passed data to existing values

fn spec.allow.request.withClaims_to_roles

withClaims_to_roles(claims_to_roles)

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

fn spec.allow.request.withClaims_to_rolesMixin

withClaims_to_rolesMixin(claims_to_roles)

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

Note: This function appends passed data to existing values

fn spec.allow.request.withKubernetes_resources

withKubernetes_resources(kubernetes_resources)

"kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforce requesting any of its subresources."

fn spec.allow.request.withKubernetes_resourcesMixin

withKubernetes_resourcesMixin(kubernetes_resources)

"kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforce requesting any of its subresources."

Note: This function appends passed data to existing values

fn spec.allow.request.withMax_duration

withMax_duration(max_duration)

"MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used."

fn spec.allow.request.withRoles

withRoles(roles)

"Roles is the name of roles which will match the request rule."

fn spec.allow.request.withRolesMixin

withRolesMixin(roles)

"Roles is the name of roles which will match the request rule."

Note: This function appends passed data to existing values

fn spec.allow.request.withSearch_as_roles

withSearch_as_roles(search_as_roles)

"SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request."

fn spec.allow.request.withSearch_as_rolesMixin

withSearch_as_rolesMixin(search_as_roles)

"SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request."

Note: This function appends passed data to existing values

fn spec.allow.request.withSuggested_reviewers

withSuggested_reviewers(suggested_reviewers)

"SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement."

fn spec.allow.request.withSuggested_reviewersMixin

withSuggested_reviewersMixin(suggested_reviewers)

"SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement."

Note: This function appends passed data to existing values

fn spec.allow.request.withThresholds

withThresholds(thresholds)

"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."

fn spec.allow.request.withThresholdsMixin

withThresholdsMixin(thresholds)

"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."

Note: This function appends passed data to existing values

obj spec.allow.request.claims_to_roles

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

fn spec.allow.request.claims_to_roles.withClaim

withClaim(claim)

"Claim is a claim name."

fn spec.allow.request.claims_to_roles.withRoles

withRoles(roles)

"Roles is a list of static teleport roles to match."

fn spec.allow.request.claims_to_roles.withRolesMixin

withRolesMixin(roles)

"Roles is a list of static teleport roles to match."

Note: This function appends passed data to existing values

fn spec.allow.request.claims_to_roles.withValue

withValue(value)

"Value is a claim value to match."

obj spec.allow.request.kubernetes_resources

"kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforce requesting any of its subresources."

fn spec.allow.request.kubernetes_resources.withKind

withKind(kind)

"kind specifies the Kubernetes Resource type."

obj spec.allow.request.thresholds

"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."

fn spec.allow.request.thresholds.withApprove

withApprove(approve)

"Approve is the number of matching approvals needed for state-transition."

fn spec.allow.request.thresholds.withDeny

withDeny(deny)

"Deny is the number of denials needed for state-transition."

fn spec.allow.request.thresholds.withFilter

withFilter(filter)

"Filter is an optional predicate used to determine which reviews count toward this threshold."

fn spec.allow.request.thresholds.withName

withName(name)

"Name is the optional human-readable name of the threshold."

obj spec.allow.require_session_join

"RequireSessionJoin specifies policies for required users to start a session."

fn spec.allow.require_session_join.withCount

withCount(count)

"Count is the amount of people that need to be matched for this policy to be fulfilled."

fn spec.allow.require_session_join.withFilter

withFilter(filter)

"Filter is a predicate that determines what users count towards this policy."

fn spec.allow.require_session_join.withKinds

withKinds(kinds)

"Kinds are the session kinds this policy applies to."

fn spec.allow.require_session_join.withKindsMixin

withKindsMixin(kinds)

"Kinds are the session kinds this policy applies to."

Note: This function appends passed data to existing values

fn spec.allow.require_session_join.withModes

withModes(modes)

"Modes is the list of modes that may be used to fulfill this policy."

fn spec.allow.require_session_join.withModesMixin

withModesMixin(modes)

"Modes is the list of modes that may be used to fulfill this policy."

Note: This function appends passed data to existing values

fn spec.allow.require_session_join.withName

withName(name)

"Name is the name of the policy."

fn spec.allow.require_session_join.withOn_leave

withOn_leave(on_leave)

"OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session."

obj spec.allow.review_requests

"ReviewRequests defines conditions for submitting access reviews."

fn spec.allow.review_requests.withClaims_to_roles

withClaims_to_roles(claims_to_roles)

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

fn spec.allow.review_requests.withClaims_to_rolesMixin

withClaims_to_rolesMixin(claims_to_roles)

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

Note: This function appends passed data to existing values

fn spec.allow.review_requests.withPreview_as_roles

withPreview_as_roles(preview_as_roles)

"PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources."

fn spec.allow.review_requests.withPreview_as_rolesMixin

withPreview_as_rolesMixin(preview_as_roles)

"PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources."

Note: This function appends passed data to existing values

fn spec.allow.review_requests.withRoles

withRoles(roles)

"Roles is the name of roles which may be reviewed."

fn spec.allow.review_requests.withRolesMixin

withRolesMixin(roles)

"Roles is the name of roles which may be reviewed."

Note: This function appends passed data to existing values

fn spec.allow.review_requests.withWhere

withWhere(where)

"Where is an optional predicate which further limits which requests are reviewable."

obj spec.allow.review_requests.claims_to_roles

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

fn spec.allow.review_requests.claims_to_roles.withClaim

withClaim(claim)

"Claim is a claim name."

fn spec.allow.review_requests.claims_to_roles.withRoles

withRoles(roles)

"Roles is a list of static teleport roles to match."

fn spec.allow.review_requests.claims_to_roles.withRolesMixin

withRolesMixin(roles)

"Roles is a list of static teleport roles to match."

Note: This function appends passed data to existing values

fn spec.allow.review_requests.claims_to_roles.withValue

withValue(value)

"Value is a claim value to match."

obj spec.allow.rules

"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."

fn spec.allow.rules.withActions

withActions(actions)

"Actions specifies optional actions taken when this rule matches"

fn spec.allow.rules.withActionsMixin

withActionsMixin(actions)

"Actions specifies optional actions taken when this rule matches"

Note: This function appends passed data to existing values

fn spec.allow.rules.withResources

withResources(resources)

"Resources is a list of resources"

fn spec.allow.rules.withResourcesMixin

withResourcesMixin(resources)

"Resources is a list of resources"

Note: This function appends passed data to existing values

fn spec.allow.rules.withVerbs

withVerbs(verbs)

"Verbs is a list of verbs"

fn spec.allow.rules.withVerbsMixin

withVerbsMixin(verbs)

"Verbs is a list of verbs"

Note: This function appends passed data to existing values

fn spec.allow.rules.withWhere

withWhere(where)

"Where specifies optional advanced matcher"

obj spec.allow.spiffe

"SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID."

fn spec.allow.spiffe.withDns_sans

withDns_sans(dns_sans)

"DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: .example.com would match foo.example.com"

fn spec.allow.spiffe.withDns_sansMixin

withDns_sansMixin(dns_sans)

"DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: .example.com would match foo.example.com"

Note: This function appends passed data to existing values

fn spec.allow.spiffe.withIp_sans

withIp_sans(ip_sans)

"IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42"

fn spec.allow.spiffe.withIp_sansMixin

withIp_sansMixin(ip_sans)

"IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42"

Note: This function appends passed data to existing values

fn spec.allow.spiffe.withPath

withPath(path)

"Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would match /svc/foo/baz/bar"

obj spec.deny

"Deny is the set of conditions evaluated to deny access. Deny takes priority over allow."

fn spec.deny.withApp_labels

withApp_labels(app_labels)

"AppLabels is a map of labels used as part of the RBAC system."

fn spec.deny.withApp_labelsMixin

withApp_labelsMixin(app_labels)

"AppLabels is a map of labels used as part of the RBAC system."

Note: This function appends passed data to existing values

fn spec.deny.withApp_labels_expression

withApp_labels_expression(app_labels_expression)

"AppLabelsExpression is a predicate expression used to allow/deny access to Apps."

fn spec.deny.withAws_role_arns

withAws_role_arns(aws_role_arns)

"AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume."

fn spec.deny.withAws_role_arnsMixin

withAws_role_arnsMixin(aws_role_arns)

"AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume."

Note: This function appends passed data to existing values

fn spec.deny.withAzure_identities

withAzure_identities(azure_identities)

"AzureIdentities is a list of Azure identities this role is allowed to assume."

fn spec.deny.withAzure_identitiesMixin

withAzure_identitiesMixin(azure_identities)

"AzureIdentities is a list of Azure identities this role is allowed to assume."

Note: This function appends passed data to existing values

fn spec.deny.withCluster_labels

withCluster_labels(cluster_labels)

"ClusterLabels is a map of node labels (used to dynamically grant access to clusters)."

fn spec.deny.withCluster_labelsMixin

withCluster_labelsMixin(cluster_labels)

"ClusterLabels is a map of node labels (used to dynamically grant access to clusters)."

Note: This function appends passed data to existing values

fn spec.deny.withCluster_labels_expression

withCluster_labels_expression(cluster_labels_expression)

"ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters."

fn spec.deny.withDb_labels

withDb_labels(db_labels)

"DatabaseLabels are used in RBAC system to allow/deny access to databases."

fn spec.deny.withDb_labelsMixin

withDb_labelsMixin(db_labels)

"DatabaseLabels are used in RBAC system to allow/deny access to databases."

Note: This function appends passed data to existing values

fn spec.deny.withDb_labels_expression

withDb_labels_expression(db_labels_expression)

"DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases."

fn spec.deny.withDb_names

withDb_names(db_names)

"DatabaseNames is a list of database names this role is allowed to connect to."

fn spec.deny.withDb_namesMixin

withDb_namesMixin(db_names)

"DatabaseNames is a list of database names this role is allowed to connect to."

Note: This function appends passed data to existing values

fn spec.deny.withDb_permissions

withDb_permissions(db_permissions)

"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."

fn spec.deny.withDb_permissionsMixin

withDb_permissionsMixin(db_permissions)

"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."

Note: This function appends passed data to existing values

fn spec.deny.withDb_roles

withDb_roles(db_roles)

"DatabaseRoles is a list of databases roles for automatic user creation."

fn spec.deny.withDb_rolesMixin

withDb_rolesMixin(db_roles)

"DatabaseRoles is a list of databases roles for automatic user creation."

Note: This function appends passed data to existing values

fn spec.deny.withDb_service_labels

withDb_service_labels(db_service_labels)

"DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services."

fn spec.deny.withDb_service_labelsMixin

withDb_service_labelsMixin(db_service_labels)

"DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services."

Note: This function appends passed data to existing values

fn spec.deny.withDb_service_labels_expression

withDb_service_labels_expression(db_service_labels_expression)

"DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services."

fn spec.deny.withDb_users

withDb_users(db_users)

"DatabaseUsers is a list of databases users this role is allowed to connect as."

fn spec.deny.withDb_usersMixin

withDb_usersMixin(db_users)

"DatabaseUsers is a list of databases users this role is allowed to connect as."

Note: This function appends passed data to existing values

fn spec.deny.withDesktop_groups

withDesktop_groups(desktop_groups)

"DesktopGroups is a list of groups for created desktop users to be added to"

fn spec.deny.withDesktop_groupsMixin

withDesktop_groupsMixin(desktop_groups)

"DesktopGroups is a list of groups for created desktop users to be added to"

Note: This function appends passed data to existing values

fn spec.deny.withGcp_service_accounts

withGcp_service_accounts(gcp_service_accounts)

"GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume."

fn spec.deny.withGcp_service_accountsMixin

withGcp_service_accountsMixin(gcp_service_accounts)

"GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume."

Note: This function appends passed data to existing values

fn spec.deny.withGroup_labels

withGroup_labels(group_labels)

"GroupLabels is a map of labels used as part of the RBAC system."

fn spec.deny.withGroup_labelsMixin

withGroup_labelsMixin(group_labels)

"GroupLabels is a map of labels used as part of the RBAC system."

Note: This function appends passed data to existing values

fn spec.deny.withGroup_labels_expression

withGroup_labels_expression(group_labels_expression)

"GroupLabelsExpression is a predicate expression used to allow/deny access to user groups."

fn spec.deny.withHost_groups

withHost_groups(host_groups)

"HostGroups is a list of groups for created users to be added to"

fn spec.deny.withHost_groupsMixin

withHost_groupsMixin(host_groups)

"HostGroups is a list of groups for created users to be added to"

Note: This function appends passed data to existing values

fn spec.deny.withHost_sudoers

withHost_sudoers(host_sudoers)

"HostSudoers is a list of entries to include in a users sudoer file"

fn spec.deny.withHost_sudoersMixin

withHost_sudoersMixin(host_sudoers)

"HostSudoers is a list of entries to include in a users sudoer file"

Note: This function appends passed data to existing values

fn spec.deny.withJoin_sessions

withJoin_sessions(join_sessions)

"JoinSessions specifies policies to allow users to join other sessions."

fn spec.deny.withJoin_sessionsMixin

withJoin_sessionsMixin(join_sessions)

"JoinSessions specifies policies to allow users to join other sessions."

Note: This function appends passed data to existing values

fn spec.deny.withKubernetes_groups

withKubernetes_groups(kubernetes_groups)

"KubeGroups is a list of kubernetes groups"

fn spec.deny.withKubernetes_groupsMixin

withKubernetes_groupsMixin(kubernetes_groups)

"KubeGroups is a list of kubernetes groups"

Note: This function appends passed data to existing values

fn spec.deny.withKubernetes_labels

withKubernetes_labels(kubernetes_labels)

"KubernetesLabels is a map of kubernetes cluster labels used for RBAC."

fn spec.deny.withKubernetes_labelsMixin

withKubernetes_labelsMixin(kubernetes_labels)

"KubernetesLabels is a map of kubernetes cluster labels used for RBAC."

Note: This function appends passed data to existing values

fn spec.deny.withKubernetes_labels_expression

withKubernetes_labels_expression(kubernetes_labels_expression)

"KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters."

fn spec.deny.withKubernetes_resources

withKubernetes_resources(kubernetes_resources)

"KubernetesResources is the Kubernetes Resources this Role grants access to."

fn spec.deny.withKubernetes_resourcesMixin

withKubernetes_resourcesMixin(kubernetes_resources)

"KubernetesResources is the Kubernetes Resources this Role grants access to."

Note: This function appends passed data to existing values

fn spec.deny.withKubernetes_users

withKubernetes_users(kubernetes_users)

"KubeUsers is an optional kubernetes users to impersonate"

fn spec.deny.withKubernetes_usersMixin

withKubernetes_usersMixin(kubernetes_users)

"KubeUsers is an optional kubernetes users to impersonate"

Note: This function appends passed data to existing values

fn spec.deny.withLogins

withLogins(logins)

"Logins is a list of *nix system logins."

fn spec.deny.withLoginsMixin

withLoginsMixin(logins)

"Logins is a list of *nix system logins."

Note: This function appends passed data to existing values

fn spec.deny.withNode_labels

withNode_labels(node_labels)

"NodeLabels is a map of node labels (used to dynamically grant access to nodes)."

fn spec.deny.withNode_labelsMixin

withNode_labelsMixin(node_labels)

"NodeLabels is a map of node labels (used to dynamically grant access to nodes)."

Note: This function appends passed data to existing values

fn spec.deny.withNode_labels_expression

withNode_labels_expression(node_labels_expression)

"NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes."

fn spec.deny.withRequire_session_join

withRequire_session_join(require_session_join)

"RequireSessionJoin specifies policies for required users to start a session."

fn spec.deny.withRequire_session_joinMixin

withRequire_session_joinMixin(require_session_join)

"RequireSessionJoin specifies policies for required users to start a session."

Note: This function appends passed data to existing values

fn spec.deny.withRules

withRules(rules)

"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."

fn spec.deny.withRulesMixin

withRulesMixin(rules)

"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."

Note: This function appends passed data to existing values

fn spec.deny.withSpiffe

withSpiffe(spiffe)

"SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID."

fn spec.deny.withSpiffeMixin

withSpiffeMixin(spiffe)

"SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID."

Note: This function appends passed data to existing values

fn spec.deny.withWindows_desktop_labels

withWindows_desktop_labels(windows_desktop_labels)

"WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops."

fn spec.deny.withWindows_desktop_labelsMixin

withWindows_desktop_labelsMixin(windows_desktop_labels)

"WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops."

Note: This function appends passed data to existing values

fn spec.deny.withWindows_desktop_labels_expression

withWindows_desktop_labels_expression(windows_desktop_labels_expression)

"WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops."

fn spec.deny.withWindows_desktop_logins

withWindows_desktop_logins(windows_desktop_logins)

"WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops."

fn spec.deny.withWindows_desktop_loginsMixin

withWindows_desktop_loginsMixin(windows_desktop_logins)

"WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops."

Note: This function appends passed data to existing values

obj spec.deny.db_permissions

"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."

fn spec.deny.db_permissions.withMatch

withMatch(match)

"Match is a list of object labels that must be matched for the permission to be granted."

fn spec.deny.db_permissions.withMatchMixin

withMatchMixin(match)

"Match is a list of object labels that must be matched for the permission to be granted."

Note: This function appends passed data to existing values

fn spec.deny.db_permissions.withPermissions

withPermissions(permissions)

"Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ..."

fn spec.deny.db_permissions.withPermissionsMixin

withPermissionsMixin(permissions)

"Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ..."

Note: This function appends passed data to existing values

obj spec.deny.impersonate

"Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means."

fn spec.deny.impersonate.withRoles

withRoles(roles)

"Roles is a list of resources this role is allowed to impersonate"

fn spec.deny.impersonate.withRolesMixin

withRolesMixin(roles)

"Roles is a list of resources this role is allowed to impersonate"

Note: This function appends passed data to existing values

fn spec.deny.impersonate.withUsers

withUsers(users)

"Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern"

fn spec.deny.impersonate.withUsersMixin

withUsersMixin(users)

"Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern"

Note: This function appends passed data to existing values

fn spec.deny.impersonate.withWhere

withWhere(where)

"Where specifies optional advanced matcher"

obj spec.deny.join_sessions

"JoinSessions specifies policies to allow users to join other sessions."

fn spec.deny.join_sessions.withKinds

withKinds(kinds)

"Kinds are the session kinds this policy applies to."

fn spec.deny.join_sessions.withKindsMixin

withKindsMixin(kinds)

"Kinds are the session kinds this policy applies to."

Note: This function appends passed data to existing values

fn spec.deny.join_sessions.withModes

withModes(modes)

"Modes is a list of permitted participant modes for this policy."

fn spec.deny.join_sessions.withModesMixin

withModesMixin(modes)

"Modes is a list of permitted participant modes for this policy."

Note: This function appends passed data to existing values

fn spec.deny.join_sessions.withName

withName(name)

"Name is the name of the policy."

fn spec.deny.join_sessions.withRoles

withRoles(roles)

"Roles is a list of roles that you can join the session of."

fn spec.deny.join_sessions.withRolesMixin

withRolesMixin(roles)

"Roles is a list of roles that you can join the session of."

Note: This function appends passed data to existing values

obj spec.deny.kubernetes_resources

"KubernetesResources is the Kubernetes Resources this Role grants access to."

fn spec.deny.kubernetes_resources.withKind

withKind(kind)

"Kind specifies the Kubernetes Resource type. At the moment only \"pod\" is supported."

fn spec.deny.kubernetes_resources.withName

withName(name)

"Name is the resource name. It supports wildcards."

fn spec.deny.kubernetes_resources.withNamespace

withNamespace(namespace)

"Namespace is the resource namespace. It supports wildcards."

fn spec.deny.kubernetes_resources.withVerbs

withVerbs(verbs)

"Verbs are the allowed Kubernetes verbs for the following resource."

fn spec.deny.kubernetes_resources.withVerbsMixin

withVerbsMixin(verbs)

"Verbs are the allowed Kubernetes verbs for the following resource."

Note: This function appends passed data to existing values

obj spec.deny.request

fn spec.deny.request.withAnnotations

withAnnotations(annotations)

"Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions."

fn spec.deny.request.withAnnotationsMixin

withAnnotationsMixin(annotations)

"Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider, to a plugin via {{external.trait_name}} style substitutions."

Note: This function appends passed data to existing values

fn spec.deny.request.withClaims_to_roles

withClaims_to_roles(claims_to_roles)

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

fn spec.deny.request.withClaims_to_rolesMixin

withClaims_to_rolesMixin(claims_to_roles)

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

Note: This function appends passed data to existing values

fn spec.deny.request.withKubernetes_resources

withKubernetes_resources(kubernetes_resources)

"kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforce requesting any of its subresources."

fn spec.deny.request.withKubernetes_resourcesMixin

withKubernetes_resourcesMixin(kubernetes_resources)

"kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforce requesting any of its subresources."

Note: This function appends passed data to existing values

fn spec.deny.request.withMax_duration

withMax_duration(max_duration)

"MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used."

fn spec.deny.request.withRoles

withRoles(roles)

"Roles is the name of roles which will match the request rule."

fn spec.deny.request.withRolesMixin

withRolesMixin(roles)

"Roles is the name of roles which will match the request rule."

Note: This function appends passed data to existing values

fn spec.deny.request.withSearch_as_roles

withSearch_as_roles(search_as_roles)

"SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request."

fn spec.deny.request.withSearch_as_rolesMixin

withSearch_as_rolesMixin(search_as_roles)

"SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request."

Note: This function appends passed data to existing values

fn spec.deny.request.withSuggested_reviewers

withSuggested_reviewers(suggested_reviewers)

"SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement."

fn spec.deny.request.withSuggested_reviewersMixin

withSuggested_reviewersMixin(suggested_reviewers)

"SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement."

Note: This function appends passed data to existing values

fn spec.deny.request.withThresholds

withThresholds(thresholds)

"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."

fn spec.deny.request.withThresholdsMixin

withThresholdsMixin(thresholds)

"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."

Note: This function appends passed data to existing values

obj spec.deny.request.claims_to_roles

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

fn spec.deny.request.claims_to_roles.withClaim

withClaim(claim)

"Claim is a claim name."

fn spec.deny.request.claims_to_roles.withRoles

withRoles(roles)

"Roles is a list of static teleport roles to match."

fn spec.deny.request.claims_to_roles.withRolesMixin

withRolesMixin(roles)

"Roles is a list of static teleport roles to match."

Note: This function appends passed data to existing values

fn spec.deny.request.claims_to_roles.withValue

withValue(value)

"Value is a claim value to match."

obj spec.deny.request.kubernetes_resources

"kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. Eg: Users can make request to either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforce requesting any of its subresources."

fn spec.deny.request.kubernetes_resources.withKind

withKind(kind)

"kind specifies the Kubernetes Resource type."

obj spec.deny.request.thresholds

"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."

fn spec.deny.request.thresholds.withApprove

withApprove(approve)

"Approve is the number of matching approvals needed for state-transition."

fn spec.deny.request.thresholds.withDeny

withDeny(deny)

"Deny is the number of denials needed for state-transition."

fn spec.deny.request.thresholds.withFilter

withFilter(filter)

"Filter is an optional predicate used to determine which reviews count toward this threshold."

fn spec.deny.request.thresholds.withName

withName(name)

"Name is the optional human-readable name of the threshold."

obj spec.deny.require_session_join

"RequireSessionJoin specifies policies for required users to start a session."

fn spec.deny.require_session_join.withCount

withCount(count)

"Count is the amount of people that need to be matched for this policy to be fulfilled."

fn spec.deny.require_session_join.withFilter

withFilter(filter)

"Filter is a predicate that determines what users count towards this policy."

fn spec.deny.require_session_join.withKinds

withKinds(kinds)

"Kinds are the session kinds this policy applies to."

fn spec.deny.require_session_join.withKindsMixin

withKindsMixin(kinds)

"Kinds are the session kinds this policy applies to."

Note: This function appends passed data to existing values

fn spec.deny.require_session_join.withModes

withModes(modes)

"Modes is the list of modes that may be used to fulfill this policy."

fn spec.deny.require_session_join.withModesMixin

withModesMixin(modes)

"Modes is the list of modes that may be used to fulfill this policy."

Note: This function appends passed data to existing values

fn spec.deny.require_session_join.withName

withName(name)

"Name is the name of the policy."

fn spec.deny.require_session_join.withOn_leave

withOn_leave(on_leave)

"OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session."

obj spec.deny.review_requests

"ReviewRequests defines conditions for submitting access reviews."

fn spec.deny.review_requests.withClaims_to_roles

withClaims_to_roles(claims_to_roles)

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

fn spec.deny.review_requests.withClaims_to_rolesMixin

withClaims_to_rolesMixin(claims_to_roles)

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

Note: This function appends passed data to existing values

fn spec.deny.review_requests.withPreview_as_roles

withPreview_as_roles(preview_as_roles)

"PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources."

fn spec.deny.review_requests.withPreview_as_rolesMixin

withPreview_as_rolesMixin(preview_as_roles)

"PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources."

Note: This function appends passed data to existing values

fn spec.deny.review_requests.withRoles

withRoles(roles)

"Roles is the name of roles which may be reviewed."

fn spec.deny.review_requests.withRolesMixin

withRolesMixin(roles)

"Roles is the name of roles which may be reviewed."

Note: This function appends passed data to existing values

fn spec.deny.review_requests.withWhere

withWhere(where)

"Where is an optional predicate which further limits which requests are reviewable."

obj spec.deny.review_requests.claims_to_roles

"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."

fn spec.deny.review_requests.claims_to_roles.withClaim

withClaim(claim)

"Claim is a claim name."

fn spec.deny.review_requests.claims_to_roles.withRoles

withRoles(roles)

"Roles is a list of static teleport roles to match."

fn spec.deny.review_requests.claims_to_roles.withRolesMixin

withRolesMixin(roles)

"Roles is a list of static teleport roles to match."

Note: This function appends passed data to existing values

fn spec.deny.review_requests.claims_to_roles.withValue

withValue(value)

"Value is a claim value to match."

obj spec.deny.rules

"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."

fn spec.deny.rules.withActions

withActions(actions)

"Actions specifies optional actions taken when this rule matches"

fn spec.deny.rules.withActionsMixin

withActionsMixin(actions)

"Actions specifies optional actions taken when this rule matches"

Note: This function appends passed data to existing values

fn spec.deny.rules.withResources

withResources(resources)

"Resources is a list of resources"

fn spec.deny.rules.withResourcesMixin

withResourcesMixin(resources)

"Resources is a list of resources"

Note: This function appends passed data to existing values

fn spec.deny.rules.withVerbs

withVerbs(verbs)

"Verbs is a list of verbs"

fn spec.deny.rules.withVerbsMixin

withVerbsMixin(verbs)

"Verbs is a list of verbs"

Note: This function appends passed data to existing values

fn spec.deny.rules.withWhere

withWhere(where)

"Where specifies optional advanced matcher"

obj spec.deny.spiffe

"SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID."

fn spec.deny.spiffe.withDns_sans

withDns_sans(dns_sans)

"DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: .example.com would match foo.example.com"

fn spec.deny.spiffe.withDns_sansMixin

withDns_sansMixin(dns_sans)

"DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: .example.com would match foo.example.com"

Note: This function appends passed data to existing values

fn spec.deny.spiffe.withIp_sans

withIp_sans(ip_sans)

"IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42"

fn spec.deny.spiffe.withIp_sansMixin

withIp_sansMixin(ip_sans)

"IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42"

Note: This function appends passed data to existing values

fn spec.deny.spiffe.withPath

withPath(path)

"Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo//bar would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would match /svc/foo/baz/bar"

obj spec.options

"Options is for OpenSSH options like agent forwarding."

fn spec.options.withCert_extensions

withCert_extensions(cert_extensions)

"CertExtensions specifies the key/values"

fn spec.options.withCert_extensionsMixin

withCert_extensionsMixin(cert_extensions)

"CertExtensions specifies the key/values"

Note: This function appends passed data to existing values

fn spec.options.withCert_format

withCert_format(cert_format)

"CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH."

fn spec.options.withClient_idle_timeout

withClient_idle_timeout(client_idle_timeout)

"ClientIdleTimeout sets disconnect clients on idle timeout behavior, if set to 0 means do not disconnect, otherwise is set to the idle duration."

fn spec.options.withCreate_db_user

withCreate_db_user(create_db_user)

"CreateDatabaseUser enabled automatic database user creation."

fn spec.options.withCreate_db_user_mode

withCreate_db_user_mode(create_db_user_mode)

"CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is \"unspecified\", 1 is \"off\", 2 is \"keep\", 3 is \"best_effort_drop\"."

fn spec.options.withCreate_desktop_user

withCreate_desktop_user(create_desktop_user)

"CreateDesktopUser allows users to be automatically created on a Windows desktop"

fn spec.options.withCreate_host_user

withCreate_host_user(create_host_user)

"Deprecated: use CreateHostUserMode instead."

fn spec.options.withCreate_host_user_default_shell

withCreate_host_user_default_shell(create_host_user_default_shell)

"CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users."

fn spec.options.withCreate_host_user_mode

withCreate_host_user_mode(create_host_user_mode)

"CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is \"unspecified\"; 1 is \"off\"; 2 is \"drop\" (removed for v15 and above), 3 is \"keep\"; 4 is \"insecure-drop\"."

fn spec.options.withDesktop_clipboard

withDesktop_clipboard(desktop_clipboard)

"DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false."

fn spec.options.withDesktop_directory_sharing

withDesktop_directory_sharing(desktop_directory_sharing)

"DesktopDirectorySharing indicates whether directory sharing is allowed between the user's workstation and the remote desktop. It defaults to false unless explicitly set to true."

fn spec.options.withDevice_trust_mode

withDevice_trust_mode(device_trust_mode)

"DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode."

fn spec.options.withDisconnect_expired_cert

withDisconnect_expired_cert(disconnect_expired_cert)

"DisconnectExpiredCert sets disconnect clients on expired certificates."

fn spec.options.withEnhanced_recording

withEnhanced_recording(enhanced_recording)

"BPF defines what events to record for the BPF-based session recorder."

fn spec.options.withEnhanced_recordingMixin

withEnhanced_recordingMixin(enhanced_recording)

"BPF defines what events to record for the BPF-based session recorder."

Note: This function appends passed data to existing values

fn spec.options.withForward_agent

withForward_agent(forward_agent)

"ForwardAgent is SSH agent forwarding."

fn spec.options.withLock

withLock(lock)

"Lock specifies the locking mode (strict|best_effort) to be applied with the role."

fn spec.options.withMax_connections

withMax_connections(max_connections)

"MaxConnections defines the maximum number of concurrent connections a user may hold."

fn spec.options.withMax_kubernetes_connections

withMax_kubernetes_connections(max_kubernetes_connections)

"MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold."

fn spec.options.withMax_session_ttl

withMax_session_ttl(max_session_ttl)

"MaxSessionTTL defines how long a SSH session can last for."

fn spec.options.withMax_sessions

withMax_sessions(max_sessions)

"MaxSessions defines the maximum number of concurrent sessions per connection."

fn spec.options.withMfa_verification_interval

withMfa_verification_interval(mfa_verification_interval)

"MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to max_session_ttl."

fn spec.options.withPermit_x11_forwarding

withPermit_x11_forwarding(permit_x11_forwarding)

"PermitX11Forwarding authorizes use of X11 forwarding."

fn spec.options.withPin_source_ip

withPin_source_ip(pin_source_ip)

"PinSourceIP forces the same client IP for certificate generation and usage"

fn spec.options.withPort_forwarding

withPort_forwarding(port_forwarding)

"PortForwarding defines if the certificate will have \"permit-port-forwarding\" in the certificate. PortForwarding is \"yes\" if not set, that's why this is a pointer"

fn spec.options.withRequest_access

withRequest_access(request_access)

"RequestAccess defines the request strategy (optional|note|always) where optional is the default."

fn spec.options.withRequest_prompt

withRequest_prompt(request_prompt)

"RequestPrompt is an optional message which tells users what they aught to request."

fn spec.options.withRequire_session_mfa

withRequire_session_mfa(require_session_mfa)

"RequireMFAType is the type of MFA requirement enforced for this user. 0 is \"OFF\", 1 is \"SESSION\", 2 is \"SESSION_AND_HARDWARE_KEY\", 3 is \"HARDWARE_KEY_TOUCH\", 4 is \"HARDWARE_KEY_PIN\", 5 is \"HARDWARE_KEY_TOUCH_AND_PIN\"."

fn spec.options.withSsh_file_copy

withSsh_file_copy(ssh_file_copy)

"SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false."

obj spec.options.cert_extensions

"CertExtensions specifies the key/values"

fn spec.options.cert_extensions.withMode

withMode(mode)

"Mode is the type of extension to be used -- currently critical-option is not supported. 0 is \"extension\"."

fn spec.options.cert_extensions.withName

withName(name)

"Name specifies the key to be used in the cert extension."

fn spec.options.cert_extensions.withType

withType(type)

"Type represents the certificate type being extended, only ssh is supported at this time. 0 is \"ssh\"."

fn spec.options.cert_extensions.withValue

withValue(value)

"Value specifies the value to be used in the cert extension."

obj spec.options.idp

"IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise."

obj spec.options.idp.saml

"SAML are options related to the Teleport SAML IdP."

fn spec.options.idp.saml.withEnabled

withEnabled(enabled)

"Enabled is set to true if this option allows access to the Teleport SAML IdP."

obj spec.options.record_session

"RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false."

fn spec.options.record_session.withDefault

withDefault(default)

"Default indicates the default value for the services."

fn spec.options.record_session.withDesktop

withDesktop(desktop)

"Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false."

fn spec.options.record_session.withSsh

withSsh(ssh)

"SSH indicates the session mode used on SSH sessions."