resources.v6.teleportRole
"Role is the Schema for the roles API"
Index
fn new(name)
obj metadata
fn withAnnotations(annotations)
fn withAnnotationsMixin(annotations)
fn withClusterName(clusterName)
fn withCreationTimestamp(creationTimestamp)
fn withDeletionGracePeriodSeconds(deletionGracePeriodSeconds)
fn withDeletionTimestamp(deletionTimestamp)
fn withFinalizers(finalizers)
fn withFinalizersMixin(finalizers)
fn withGenerateName(generateName)
fn withGeneration(generation)
fn withLabels(labels)
fn withLabelsMixin(labels)
fn withName(name)
fn withNamespace(namespace)
fn withOwnerReferences(ownerReferences)
fn withOwnerReferencesMixin(ownerReferences)
fn withResourceVersion(resourceVersion)
fn withSelfLink(selfLink)
fn withUid(uid)
obj spec
obj spec.allow
fn withApp_labels(app_labels)
fn withApp_labelsMixin(app_labels)
fn withApp_labels_expression(app_labels_expression)
fn withAws_role_arns(aws_role_arns)
fn withAws_role_arnsMixin(aws_role_arns)
fn withAzure_identities(azure_identities)
fn withAzure_identitiesMixin(azure_identities)
fn withCluster_labels(cluster_labels)
fn withCluster_labelsMixin(cluster_labels)
fn withCluster_labels_expression(cluster_labels_expression)
fn withDb_labels(db_labels)
fn withDb_labelsMixin(db_labels)
fn withDb_labels_expression(db_labels_expression)
fn withDb_names(db_names)
fn withDb_namesMixin(db_names)
fn withDb_permissions(db_permissions)
fn withDb_permissionsMixin(db_permissions)
fn withDb_roles(db_roles)
fn withDb_rolesMixin(db_roles)
fn withDb_service_labels(db_service_labels)
fn withDb_service_labelsMixin(db_service_labels)
fn withDb_service_labels_expression(db_service_labels_expression)
fn withDb_users(db_users)
fn withDb_usersMixin(db_users)
fn withDesktop_groups(desktop_groups)
fn withDesktop_groupsMixin(desktop_groups)
fn withGcp_service_accounts(gcp_service_accounts)
fn withGcp_service_accountsMixin(gcp_service_accounts)
fn withGroup_labels(group_labels)
fn withGroup_labelsMixin(group_labels)
fn withGroup_labels_expression(group_labels_expression)
fn withHost_groups(host_groups)
fn withHost_groupsMixin(host_groups)
fn withHost_sudoers(host_sudoers)
fn withHost_sudoersMixin(host_sudoers)
fn withJoin_sessions(join_sessions)
fn withJoin_sessionsMixin(join_sessions)
fn withKubernetes_groups(kubernetes_groups)
fn withKubernetes_groupsMixin(kubernetes_groups)
fn withKubernetes_labels(kubernetes_labels)
fn withKubernetes_labelsMixin(kubernetes_labels)
fn withKubernetes_labels_expression(kubernetes_labels_expression)
fn withKubernetes_resources(kubernetes_resources)
fn withKubernetes_resourcesMixin(kubernetes_resources)
fn withKubernetes_users(kubernetes_users)
fn withKubernetes_usersMixin(kubernetes_users)
fn withLogins(logins)
fn withLoginsMixin(logins)
fn withNode_labels(node_labels)
fn withNode_labelsMixin(node_labels)
fn withNode_labels_expression(node_labels_expression)
fn withRequire_session_join(require_session_join)
fn withRequire_session_joinMixin(require_session_join)
fn withRules(rules)
fn withRulesMixin(rules)
fn withSpiffe(spiffe)
fn withSpiffeMixin(spiffe)
fn withWindows_desktop_labels(windows_desktop_labels)
fn withWindows_desktop_labelsMixin(windows_desktop_labels)
fn withWindows_desktop_labels_expression(windows_desktop_labels_expression)
fn withWindows_desktop_logins(windows_desktop_logins)
fn withWindows_desktop_loginsMixin(windows_desktop_logins)
obj spec.allow.db_permissions
obj spec.allow.impersonate
obj spec.allow.join_sessions
obj spec.allow.kubernetes_resources
obj spec.allow.request
fn withAnnotations(annotations)
fn withAnnotationsMixin(annotations)
fn withClaims_to_roles(claims_to_roles)
fn withClaims_to_rolesMixin(claims_to_roles)
fn withKubernetes_resources(kubernetes_resources)
fn withKubernetes_resourcesMixin(kubernetes_resources)
fn withMax_duration(max_duration)
fn withRoles(roles)
fn withRolesMixin(roles)
fn withSearch_as_roles(search_as_roles)
fn withSearch_as_rolesMixin(search_as_roles)
fn withSuggested_reviewers(suggested_reviewers)
fn withSuggested_reviewersMixin(suggested_reviewers)
fn withThresholds(thresholds)
fn withThresholdsMixin(thresholds)
obj spec.allow.request.claims_to_roles
obj spec.allow.request.kubernetes_resources
obj spec.allow.request.thresholds
obj spec.allow.require_session_join
obj spec.allow.review_requests
obj spec.allow.rules
obj spec.allow.spiffe
obj spec.deny
fn withApp_labels(app_labels)
fn withApp_labelsMixin(app_labels)
fn withApp_labels_expression(app_labels_expression)
fn withAws_role_arns(aws_role_arns)
fn withAws_role_arnsMixin(aws_role_arns)
fn withAzure_identities(azure_identities)
fn withAzure_identitiesMixin(azure_identities)
fn withCluster_labels(cluster_labels)
fn withCluster_labelsMixin(cluster_labels)
fn withCluster_labels_expression(cluster_labels_expression)
fn withDb_labels(db_labels)
fn withDb_labelsMixin(db_labels)
fn withDb_labels_expression(db_labels_expression)
fn withDb_names(db_names)
fn withDb_namesMixin(db_names)
fn withDb_permissions(db_permissions)
fn withDb_permissionsMixin(db_permissions)
fn withDb_roles(db_roles)
fn withDb_rolesMixin(db_roles)
fn withDb_service_labels(db_service_labels)
fn withDb_service_labelsMixin(db_service_labels)
fn withDb_service_labels_expression(db_service_labels_expression)
fn withDb_users(db_users)
fn withDb_usersMixin(db_users)
fn withDesktop_groups(desktop_groups)
fn withDesktop_groupsMixin(desktop_groups)
fn withGcp_service_accounts(gcp_service_accounts)
fn withGcp_service_accountsMixin(gcp_service_accounts)
fn withGroup_labels(group_labels)
fn withGroup_labelsMixin(group_labels)
fn withGroup_labels_expression(group_labels_expression)
fn withHost_groups(host_groups)
fn withHost_groupsMixin(host_groups)
fn withHost_sudoers(host_sudoers)
fn withHost_sudoersMixin(host_sudoers)
fn withJoin_sessions(join_sessions)
fn withJoin_sessionsMixin(join_sessions)
fn withKubernetes_groups(kubernetes_groups)
fn withKubernetes_groupsMixin(kubernetes_groups)
fn withKubernetes_labels(kubernetes_labels)
fn withKubernetes_labelsMixin(kubernetes_labels)
fn withKubernetes_labels_expression(kubernetes_labels_expression)
fn withKubernetes_resources(kubernetes_resources)
fn withKubernetes_resourcesMixin(kubernetes_resources)
fn withKubernetes_users(kubernetes_users)
fn withKubernetes_usersMixin(kubernetes_users)
fn withLogins(logins)
fn withLoginsMixin(logins)
fn withNode_labels(node_labels)
fn withNode_labelsMixin(node_labels)
fn withNode_labels_expression(node_labels_expression)
fn withRequire_session_join(require_session_join)
fn withRequire_session_joinMixin(require_session_join)
fn withRules(rules)
fn withRulesMixin(rules)
fn withSpiffe(spiffe)
fn withSpiffeMixin(spiffe)
fn withWindows_desktop_labels(windows_desktop_labels)
fn withWindows_desktop_labelsMixin(windows_desktop_labels)
fn withWindows_desktop_labels_expression(windows_desktop_labels_expression)
fn withWindows_desktop_logins(windows_desktop_logins)
fn withWindows_desktop_loginsMixin(windows_desktop_logins)
obj spec.deny.db_permissions
obj spec.deny.impersonate
obj spec.deny.join_sessions
obj spec.deny.kubernetes_resources
obj spec.deny.request
fn withAnnotations(annotations)
fn withAnnotationsMixin(annotations)
fn withClaims_to_roles(claims_to_roles)
fn withClaims_to_rolesMixin(claims_to_roles)
fn withKubernetes_resources(kubernetes_resources)
fn withKubernetes_resourcesMixin(kubernetes_resources)
fn withMax_duration(max_duration)
fn withRoles(roles)
fn withRolesMixin(roles)
fn withSearch_as_roles(search_as_roles)
fn withSearch_as_rolesMixin(search_as_roles)
fn withSuggested_reviewers(suggested_reviewers)
fn withSuggested_reviewersMixin(suggested_reviewers)
fn withThresholds(thresholds)
fn withThresholdsMixin(thresholds)
obj spec.deny.request.claims_to_roles
obj spec.deny.request.kubernetes_resources
obj spec.deny.request.thresholds
obj spec.deny.require_session_join
obj spec.deny.review_requests
obj spec.deny.rules
obj spec.deny.spiffe
obj spec.options
fn withCert_extensions(cert_extensions)
fn withCert_extensionsMixin(cert_extensions)
fn withCert_format(cert_format)
fn withClient_idle_timeout(client_idle_timeout)
fn withCreate_db_user(create_db_user)
fn withCreate_db_user_mode(create_db_user_mode)
fn withCreate_desktop_user(create_desktop_user)
fn withCreate_host_user(create_host_user)
fn withCreate_host_user_default_shell(create_host_user_default_shell)
fn withCreate_host_user_mode(create_host_user_mode)
fn withDesktop_clipboard(desktop_clipboard)
fn withDesktop_directory_sharing(desktop_directory_sharing)
fn withDevice_trust_mode(device_trust_mode)
fn withDisconnect_expired_cert(disconnect_expired_cert)
fn withEnhanced_recording(enhanced_recording)
fn withEnhanced_recordingMixin(enhanced_recording)
fn withForward_agent(forward_agent)
fn withLock(lock)
fn withMax_connections(max_connections)
fn withMax_kubernetes_connections(max_kubernetes_connections)
fn withMax_session_ttl(max_session_ttl)
fn withMax_sessions(max_sessions)
fn withMfa_verification_interval(mfa_verification_interval)
fn withPermit_x11_forwarding(permit_x11_forwarding)
fn withPin_source_ip(pin_source_ip)
fn withPort_forwarding(port_forwarding)
fn withRequest_access(request_access)
fn withRequest_prompt(request_prompt)
fn withRequire_session_mfa(require_session_mfa)
fn withSsh_file_copy(ssh_file_copy)
obj spec.options.cert_extensions
obj spec.options.idp
obj spec.options.record_session
Fields
fn new
new(name)
new returns an instance of TeleportRole
obj metadata
"ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create."
fn metadata.withAnnotations
withAnnotations(annotations)
"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"
fn metadata.withAnnotationsMixin
withAnnotationsMixin(annotations)
"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"
Note: This function appends passed data to existing values
fn metadata.withClusterName
withClusterName(clusterName)
"The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request."
fn metadata.withCreationTimestamp
withCreationTimestamp(creationTimestamp)
"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."
fn metadata.withDeletionGracePeriodSeconds
withDeletionGracePeriodSeconds(deletionGracePeriodSeconds)
"Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only."
fn metadata.withDeletionTimestamp
withDeletionTimestamp(deletionTimestamp)
"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."
fn metadata.withFinalizers
withFinalizers(finalizers)
"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."
fn metadata.withFinalizersMixin
withFinalizersMixin(finalizers)
"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."
Note: This function appends passed data to existing values
fn metadata.withGenerateName
withGenerateName(generateName)
"GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency"
fn metadata.withGeneration
withGeneration(generation)
"A sequence number representing a specific generation of the desired state. Populated by the system. Read-only."
fn metadata.withLabels
withLabels(labels)
"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"
fn metadata.withLabelsMixin
withLabelsMixin(labels)
"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"
Note: This function appends passed data to existing values
fn metadata.withName
withName(name)
"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names"
fn metadata.withNamespace
withNamespace(namespace)
"Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces"
fn metadata.withOwnerReferences
withOwnerReferences(ownerReferences)
"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."
fn metadata.withOwnerReferencesMixin
withOwnerReferencesMixin(ownerReferences)
"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."
Note: This function appends passed data to existing values
fn metadata.withResourceVersion
withResourceVersion(resourceVersion)
"An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
fn metadata.withSelfLink
withSelfLink(selfLink)
"SelfLink is a URL representing this object. Populated by the system. Read-only.\n\nDEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release."
fn metadata.withUid
withUid(uid)
"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids"
obj spec
"Role resource definition v6 from Teleport"
obj spec.allow
"Allow is the set of conditions evaluated to grant access."
fn spec.allow.withApp_labels
withApp_labels(app_labels)
"AppLabels is a map of labels used as part of the RBAC system."
fn spec.allow.withApp_labelsMixin
withApp_labelsMixin(app_labels)
"AppLabels is a map of labels used as part of the RBAC system."
Note: This function appends passed data to existing values
fn spec.allow.withApp_labels_expression
withApp_labels_expression(app_labels_expression)
"AppLabelsExpression is a predicate expression used to allow/deny access to Apps."
fn spec.allow.withAws_role_arns
withAws_role_arns(aws_role_arns)
"AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume."
fn spec.allow.withAws_role_arnsMixin
withAws_role_arnsMixin(aws_role_arns)
"AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume."
Note: This function appends passed data to existing values
fn spec.allow.withAzure_identities
withAzure_identities(azure_identities)
"AzureIdentities is a list of Azure identities this role is allowed to assume."
fn spec.allow.withAzure_identitiesMixin
withAzure_identitiesMixin(azure_identities)
"AzureIdentities is a list of Azure identities this role is allowed to assume."
Note: This function appends passed data to existing values
fn spec.allow.withCluster_labels
withCluster_labels(cluster_labels)
"ClusterLabels is a map of node labels (used to dynamically grant access to clusters)."
fn spec.allow.withCluster_labelsMixin
withCluster_labelsMixin(cluster_labels)
"ClusterLabels is a map of node labels (used to dynamically grant access to clusters)."
Note: This function appends passed data to existing values
fn spec.allow.withCluster_labels_expression
withCluster_labels_expression(cluster_labels_expression)
"ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters."
fn spec.allow.withDb_labels
withDb_labels(db_labels)
"DatabaseLabels are used in RBAC system to allow/deny access to databases."
fn spec.allow.withDb_labelsMixin
withDb_labelsMixin(db_labels)
"DatabaseLabels are used in RBAC system to allow/deny access to databases."
Note: This function appends passed data to existing values
fn spec.allow.withDb_labels_expression
withDb_labels_expression(db_labels_expression)
"DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases."
fn spec.allow.withDb_names
withDb_names(db_names)
"DatabaseNames is a list of database names this role is allowed to connect to."
fn spec.allow.withDb_namesMixin
withDb_namesMixin(db_names)
"DatabaseNames is a list of database names this role is allowed to connect to."
Note: This function appends passed data to existing values
fn spec.allow.withDb_permissions
withDb_permissions(db_permissions)
"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."
fn spec.allow.withDb_permissionsMixin
withDb_permissionsMixin(db_permissions)
"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."
Note: This function appends passed data to existing values
fn spec.allow.withDb_roles
withDb_roles(db_roles)
"DatabaseRoles is a list of database roles for automatic user creation."
fn spec.allow.withDb_rolesMixin
withDb_rolesMixin(db_roles)
"DatabaseRoles is a list of database roles for automatic user creation."
Note: This function appends passed data to existing values
fn spec.allow.withDb_service_labels
withDb_service_labels(db_service_labels)
"DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services."
fn spec.allow.withDb_service_labelsMixin
withDb_service_labelsMixin(db_service_labels)
"DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services."
Note: This function appends passed data to existing values
fn spec.allow.withDb_service_labels_expression
withDb_service_labels_expression(db_service_labels_expression)
"DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services."
fn spec.allow.withDb_users
withDb_users(db_users)
"DatabaseUsers is a list of database users this role is allowed to connect as."
fn spec.allow.withDb_usersMixin
withDb_usersMixin(db_users)
"DatabaseUsers is a list of database users this role is allowed to connect as."
Note: This function appends passed data to existing values
fn spec.allow.withDesktop_groups
withDesktop_groups(desktop_groups)
"DesktopGroups is a list of groups for created desktop users to be added to"
fn spec.allow.withDesktop_groupsMixin
withDesktop_groupsMixin(desktop_groups)
"DesktopGroups is a list of groups for created desktop users to be added to"
Note: This function appends passed data to existing values
fn spec.allow.withGcp_service_accounts
withGcp_service_accounts(gcp_service_accounts)
"GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume."
fn spec.allow.withGcp_service_accountsMixin
withGcp_service_accountsMixin(gcp_service_accounts)
"GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume."
Note: This function appends passed data to existing values
fn spec.allow.withGroup_labels
withGroup_labels(group_labels)
"GroupLabels is a map of labels used as part of the RBAC system."
fn spec.allow.withGroup_labelsMixin
withGroup_labelsMixin(group_labels)
"GroupLabels is a map of labels used as part of the RBAC system."
Note: This function appends passed data to existing values
fn spec.allow.withGroup_labels_expression
withGroup_labels_expression(group_labels_expression)
"GroupLabelsExpression is a predicate expression used to allow/deny access to user groups."
fn spec.allow.withHost_groups
withHost_groups(host_groups)
"HostGroups is a list of groups for created users to be added to"
fn spec.allow.withHost_groupsMixin
withHost_groupsMixin(host_groups)
"HostGroups is a list of groups for created users to be added to"
Note: This function appends passed data to existing values
fn spec.allow.withHost_sudoers
withHost_sudoers(host_sudoers)
"HostSudoers is a list of entries to include in a user's sudoers file"
fn spec.allow.withHost_sudoersMixin
withHost_sudoersMixin(host_sudoers)
"HostSudoers is a list of entries to include in a user's sudoers file"
Note: This function appends passed data to existing values
fn spec.allow.withJoin_sessions
withJoin_sessions(join_sessions)
"JoinSessions specifies policies to allow users to join other sessions."
fn spec.allow.withJoin_sessionsMixin
withJoin_sessionsMixin(join_sessions)
"JoinSessions specifies policies to allow users to join other sessions."
Note: This function appends passed data to existing values
fn spec.allow.withKubernetes_groups
withKubernetes_groups(kubernetes_groups)
"KubeGroups is a list of kubernetes groups"
fn spec.allow.withKubernetes_groupsMixin
withKubernetes_groupsMixin(kubernetes_groups)
"KubeGroups is a list of kubernetes groups"
Note: This function appends passed data to existing values
fn spec.allow.withKubernetes_labels
withKubernetes_labels(kubernetes_labels)
"KubernetesLabels is a map of kubernetes cluster labels used for RBAC."
fn spec.allow.withKubernetes_labelsMixin
withKubernetes_labelsMixin(kubernetes_labels)
"KubernetesLabels is a map of kubernetes cluster labels used for RBAC."
Note: This function appends passed data to existing values
fn spec.allow.withKubernetes_labels_expression
withKubernetes_labels_expression(kubernetes_labels_expression)
"KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters."
fn spec.allow.withKubernetes_resources
withKubernetes_resources(kubernetes_resources)
"KubernetesResources is the Kubernetes Resources this Role grants access to."
fn spec.allow.withKubernetes_resourcesMixin
withKubernetes_resourcesMixin(kubernetes_resources)
"KubernetesResources is the Kubernetes Resources this Role grants access to."
Note: This function appends passed data to existing values
fn spec.allow.withKubernetes_users
withKubernetes_users(kubernetes_users)
"KubeUsers is an optional list of kubernetes users to impersonate"
fn spec.allow.withKubernetes_usersMixin
withKubernetes_usersMixin(kubernetes_users)
"KubeUsers is an optional list of kubernetes users to impersonate"
Note: This function appends passed data to existing values
fn spec.allow.withLogins
withLogins(logins)
"Logins is a list of *nix system logins."
fn spec.allow.withLoginsMixin
withLoginsMixin(logins)
"Logins is a list of *nix system logins."
Note: This function appends passed data to existing values
fn spec.allow.withNode_labels
withNode_labels(node_labels)
"NodeLabels is a map of node labels (used to dynamically grant access to nodes)."
fn spec.allow.withNode_labelsMixin
withNode_labelsMixin(node_labels)
"NodeLabels is a map of node labels (used to dynamically grant access to nodes)."
Note: This function appends passed data to existing values
fn spec.allow.withNode_labels_expression
withNode_labels_expression(node_labels_expression)
"NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes."
fn spec.allow.withRequire_session_join
withRequire_session_join(require_session_join)
"RequireSessionJoin specifies policies for required users to start a session."
fn spec.allow.withRequire_session_joinMixin
withRequire_session_joinMixin(require_session_join)
"RequireSessionJoin specifies policies for required users to start a session."
Note: This function appends passed data to existing values
fn spec.allow.withRules
withRules(rules)
"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."
fn spec.allow.withRulesMixin
withRulesMixin(rules)
"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."
Note: This function appends passed data to existing values
fn spec.allow.withSpiffe
withSpiffe(spiffe)
"SPIFFE is used to allow or deny a role holder access to generating a SPIFFE SVID."
fn spec.allow.withSpiffeMixin
withSpiffeMixin(spiffe)
"SPIFFE is used to allow or deny a role holder access to generating a SPIFFE SVID."
Note: This function appends passed data to existing values
fn spec.allow.withWindows_desktop_labels
withWindows_desktop_labels(windows_desktop_labels)
"WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops."
fn spec.allow.withWindows_desktop_labelsMixin
withWindows_desktop_labelsMixin(windows_desktop_labels)
"WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops."
Note: This function appends passed data to existing values
fn spec.allow.withWindows_desktop_labels_expression
withWindows_desktop_labels_expression(windows_desktop_labels_expression)
"WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops."
fn spec.allow.withWindows_desktop_logins
withWindows_desktop_logins(windows_desktop_logins)
"WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops."
fn spec.allow.withWindows_desktop_loginsMixin
withWindows_desktop_loginsMixin(windows_desktop_logins)
"WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops."
Note: This function appends passed data to existing values
obj spec.allow.db_permissions
"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."
fn spec.allow.db_permissions.withMatch
withMatch(match)
"Match is a list of object labels that must be matched for the permission to be granted."
fn spec.allow.db_permissions.withMatchMixin
withMatchMixin(match)
"Match is a list of object labels that must be matched for the permission to be granted."
Note: This function appends passed data to existing values
fn spec.allow.db_permissions.withPermissions
withPermissions(permissions)
"Permissions is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ..."
fn spec.allow.db_permissions.withPermissionsMixin
withPermissionsMixin(permissions)
"Permissions is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ..."
Note: This function appends passed data to existing values
obj spec.allow.impersonate
"Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means."
fn spec.allow.impersonate.withRoles
withRoles(roles)
"Roles is a list of resources this role is allowed to impersonate"
fn spec.allow.impersonate.withRolesMixin
withRolesMixin(roles)
"Roles is a list of resources this role is allowed to impersonate"
Note: This function appends passed data to existing values
fn spec.allow.impersonate.withUsers
withUsers(users)
"Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern"
fn spec.allow.impersonate.withUsersMixin
withUsersMixin(users)
"Users is a list of resources this role is allowed to impersonate, could be an empty list or a Wildcard pattern"
Note: This function appends passed data to existing values
fn spec.allow.impersonate.withWhere
withWhere(where)
"Where specifies optional advanced matcher"
obj spec.allow.join_sessions
"JoinSessions specifies policies to allow users to join other sessions."
fn spec.allow.join_sessions.withKinds
withKinds(kinds)
"Kinds are the session kinds this policy applies to."
fn spec.allow.join_sessions.withKindsMixin
withKindsMixin(kinds)
"Kinds are the session kinds this policy applies to."
Note: This function appends passed data to existing values
fn spec.allow.join_sessions.withModes
withModes(modes)
"Modes is a list of permitted participant modes for this policy."
fn spec.allow.join_sessions.withModesMixin
withModesMixin(modes)
"Modes is a list of permitted participant modes for this policy."
Note: This function appends passed data to existing values
fn spec.allow.join_sessions.withName
withName(name)
"Name is the name of the policy."
fn spec.allow.join_sessions.withRoles
withRoles(roles)
"Roles is a list of roles that you can join the session of."
fn spec.allow.join_sessions.withRolesMixin
withRolesMixin(roles)
"Roles is a list of roles that you can join the session of."
Note: This function appends passed data to existing values
obj spec.allow.kubernetes_resources
"KubernetesResources is the Kubernetes Resources this Role grants access to."
fn spec.allow.kubernetes_resources.withKind
withKind(kind)
"Kind specifies the Kubernetes Resource type. At the moment only \"pod\" is supported."
fn spec.allow.kubernetes_resources.withName
withName(name)
"Name is the resource name. It supports wildcards."
fn spec.allow.kubernetes_resources.withNamespace
withNamespace(namespace)
"Namespace is the resource namespace. It supports wildcards."
fn spec.allow.kubernetes_resources.withVerbs
withVerbs(verbs)
"Verbs are the allowed Kubernetes verbs for the following resource."
fn spec.allow.kubernetes_resources.withVerbsMixin
withVerbsMixin(verbs)
"Verbs are the allowed Kubernetes verbs for the following resource."
Note: This function appends passed data to existing values
obj spec.allow.request
fn spec.allow.request.withAnnotations
withAnnotations(annotations)
"Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider to a plugin via {{external.trait_name}} style substitutions."
fn spec.allow.request.withAnnotationsMixin
withAnnotationsMixin(annotations)
"Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider to a plugin via {{external.trait_name}} style substitutions."
Note: This function appends passed data to existing values
fn spec.allow.request.withClaims_to_roles
withClaims_to_roles(claims_to_roles)
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
fn spec.allow.request.withClaims_to_rolesMixin
withClaims_to_rolesMixin(claims_to_roles)
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
Note: This function appends passed data to existing values
fn spec.allow.request.withKubernetes_resources
withKubernetes_resources(kubernetes_resources)
"kubernetes_resources can optionally restrict a requester to requesting only certain kinds of kube resources. E.g. users can request either a resource of kind \"kube_cluster\" or any of its subresources, such as \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforces requesting one of its subresources instead."
fn spec.allow.request.withKubernetes_resourcesMixin
withKubernetes_resourcesMixin(kubernetes_resources)
"kubernetes_resources can optionally restrict a requester to requesting only certain kinds of kube resources. E.g. users can request either a resource of kind \"kube_cluster\" or any of its subresources, such as \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforces requesting one of its subresources instead."
Note: This function appends passed data to existing values
fn spec.allow.request.withMax_duration
withMax_duration(max_duration)
"MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used."
fn spec.allow.request.withRoles
withRoles(roles)
"Roles is the name of roles which will match the request rule."
fn spec.allow.request.withRolesMixin
withRolesMixin(roles)
"Roles is the name of roles which will match the request rule."
Note: This function appends passed data to existing values
fn spec.allow.request.withSearch_as_roles
withSearch_as_roles(search_as_roles)
"SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request."
fn spec.allow.request.withSearch_as_rolesMixin
withSearch_as_rolesMixin(search_as_roles)
"SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request."
Note: This function appends passed data to existing values
fn spec.allow.request.withSuggested_reviewers
withSuggested_reviewers(suggested_reviewers)
"SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement."
fn spec.allow.request.withSuggested_reviewersMixin
withSuggested_reviewersMixin(suggested_reviewers)
"SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement."
Note: This function appends passed data to existing values
fn spec.allow.request.withThresholds
withThresholds(thresholds)
"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."
fn spec.allow.request.withThresholdsMixin
withThresholdsMixin(thresholds)
"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."
Note: This function appends passed data to existing values
obj spec.allow.request.claims_to_roles
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
fn spec.allow.request.claims_to_roles.withClaim
withClaim(claim)
"Claim is a claim name."
fn spec.allow.request.claims_to_roles.withRoles
withRoles(roles)
"Roles is a list of static teleport roles to match."
fn spec.allow.request.claims_to_roles.withRolesMixin
withRolesMixin(roles)
"Roles is a list of static teleport roles to match."
Note: This function appends passed data to existing values
fn spec.allow.request.claims_to_roles.withValue
withValue(value)
"Value is a claim value to match."
obj spec.allow.request.kubernetes_resources
"kubernetes_resources can optionally restrict a requester to requesting only certain kinds of kube resources. E.g. users can request either a resource of kind \"kube_cluster\" or any of its subresources, such as \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforces requesting one of its subresources instead."
fn spec.allow.request.kubernetes_resources.withKind
withKind(kind)
"kind specifies the Kubernetes Resource type."
obj spec.allow.request.thresholds
"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."
fn spec.allow.request.thresholds.withApprove
withApprove(approve)
"Approve is the number of matching approvals needed for state-transition."
fn spec.allow.request.thresholds.withDeny
withDeny(deny)
"Deny is the number of denials needed for state-transition."
fn spec.allow.request.thresholds.withFilter
withFilter(filter)
"Filter is an optional predicate used to determine which reviews count toward this threshold."
fn spec.allow.request.thresholds.withName
withName(name)
"Name is the optional human-readable name of the threshold."
obj spec.allow.require_session_join
"RequireSessionJoin specifies policies for required users to start a session."
fn spec.allow.require_session_join.withCount
withCount(count)
"Count is the number of people that need to be matched for this policy to be fulfilled."
fn spec.allow.require_session_join.withFilter
withFilter(filter)
"Filter is a predicate that determines what users count towards this policy."
fn spec.allow.require_session_join.withKinds
withKinds(kinds)
"Kinds are the session kinds this policy applies to."
fn spec.allow.require_session_join.withKindsMixin
withKindsMixin(kinds)
"Kinds are the session kinds this policy applies to."
Note: This function appends passed data to existing values
fn spec.allow.require_session_join.withModes
withModes(modes)
"Modes is the list of modes that may be used to fulfill this policy."
fn spec.allow.require_session_join.withModesMixin
withModesMixin(modes)
"Modes is the list of modes that may be used to fulfill this policy."
Note: This function appends passed data to existing values
fn spec.allow.require_session_join.withName
withName(name)
"Name is the name of the policy."
fn spec.allow.require_session_join.withOn_leave
withOn_leave(on_leave)
"OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session."
obj spec.allow.review_requests
"ReviewRequests defines conditions for submitting access reviews."
fn spec.allow.review_requests.withClaims_to_roles
withClaims_to_roles(claims_to_roles)
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
fn spec.allow.review_requests.withClaims_to_rolesMixin
withClaims_to_rolesMixin(claims_to_roles)
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
Note: This function appends passed data to existing values
fn spec.allow.review_requests.withPreview_as_roles
withPreview_as_roles(preview_as_roles)
"PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources."
fn spec.allow.review_requests.withPreview_as_rolesMixin
withPreview_as_rolesMixin(preview_as_roles)
"PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources."
Note: This function appends passed data to existing values
fn spec.allow.review_requests.withRoles
withRoles(roles)
"Roles is the name of roles which may be reviewed."
fn spec.allow.review_requests.withRolesMixin
withRolesMixin(roles)
"Roles is the name of roles which may be reviewed."
Note: This function appends passed data to existing values
fn spec.allow.review_requests.withWhere
withWhere(where)
"Where is an optional predicate which further limits which requests are reviewable."
obj spec.allow.review_requests.claims_to_roles
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
fn spec.allow.review_requests.claims_to_roles.withClaim
withClaim(claim)
"Claim is a claim name."
fn spec.allow.review_requests.claims_to_roles.withRoles
withRoles(roles)
"Roles is a list of static teleport roles to match."
fn spec.allow.review_requests.claims_to_roles.withRolesMixin
withRolesMixin(roles)
"Roles is a list of static teleport roles to match."
Note: This function appends passed data to existing values
fn spec.allow.review_requests.claims_to_roles.withValue
withValue(value)
"Value is a claim value to match."
obj spec.allow.rules
"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."
fn spec.allow.rules.withActions
withActions(actions)
"Actions specifies optional actions taken when this rule matches"
fn spec.allow.rules.withActionsMixin
withActionsMixin(actions)
"Actions specifies optional actions taken when this rule matches"
Note: This function appends passed data to existing values
fn spec.allow.rules.withResources
withResources(resources)
"Resources is a list of resources"
fn spec.allow.rules.withResourcesMixin
withResourcesMixin(resources)
"Resources is a list of resources"
Note: This function appends passed data to existing values
fn spec.allow.rules.withVerbs
withVerbs(verbs)
"Verbs is a list of verbs"
fn spec.allow.rules.withVerbsMixin
withVerbsMixin(verbs)
"Verbs is a list of verbs"
Note: This function appends passed data to existing values
fn spec.allow.rules.withWhere
withWhere(where)
"Where specifies optional advanced matcher"
obj spec.allow.spiffe
"SPIFFE is used to allow or deny a role holder the ability to generate a SPIFFE SVID."
fn spec.allow.spiffe.withDns_sans
withDns_sans(dns_sans)
"DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com"
fn spec.allow.spiffe.withDns_sansMixin
withDns_sansMixin(dns_sans)
"DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com"
Note: This function appends passed data to existing values
fn spec.allow.spiffe.withIp_sans
withIp_sans(ip_sans)
"IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42"
fn spec.allow.spiffe.withIp_sansMixin
withIp_sansMixin(ip_sans)
"IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42"
Note: This function appends passed data to existing values
fn spec.allow.spiffe.withPath
withPath(path)
"Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Examples: /svc/foo/*/bar would match /svc/foo/baz/bar; ^\/svc\/foo\/.*\/bar$ would match /svc/foo/baz/bar"
obj spec.deny
"Deny is the set of conditions evaluated to deny access. Deny takes priority over allow."
fn spec.deny.withApp_labels
withApp_labels(app_labels)
"AppLabels is a map of labels used as part of the RBAC system."
fn spec.deny.withApp_labelsMixin
withApp_labelsMixin(app_labels)
"AppLabels is a map of labels used as part of the RBAC system."
Note: This function appends passed data to existing values
fn spec.deny.withApp_labels_expression
withApp_labels_expression(app_labels_expression)
"AppLabelsExpression is a predicate expression used to allow/deny access to Apps."
fn spec.deny.withAws_role_arns
withAws_role_arns(aws_role_arns)
"AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume."
fn spec.deny.withAws_role_arnsMixin
withAws_role_arnsMixin(aws_role_arns)
"AWSRoleARNs is a list of AWS role ARNs this role is allowed to assume."
Note: This function appends passed data to existing values
fn spec.deny.withAzure_identities
withAzure_identities(azure_identities)
"AzureIdentities is a list of Azure identities this role is allowed to assume."
fn spec.deny.withAzure_identitiesMixin
withAzure_identitiesMixin(azure_identities)
"AzureIdentities is a list of Azure identities this role is allowed to assume."
Note: This function appends passed data to existing values
fn spec.deny.withCluster_labels
withCluster_labels(cluster_labels)
"ClusterLabels is a map of node labels (used to dynamically grant access to clusters)."
fn spec.deny.withCluster_labelsMixin
withCluster_labelsMixin(cluster_labels)
"ClusterLabels is a map of node labels (used to dynamically grant access to clusters)."
Note: This function appends passed data to existing values
fn spec.deny.withCluster_labels_expression
withCluster_labels_expression(cluster_labels_expression)
"ClusterLabelsExpression is a predicate expression used to allow/deny access to remote Teleport clusters."
fn spec.deny.withDb_labels
withDb_labels(db_labels)
"DatabaseLabels are used in RBAC system to allow/deny access to databases."
fn spec.deny.withDb_labelsMixin
withDb_labelsMixin(db_labels)
"DatabaseLabels are used in RBAC system to allow/deny access to databases."
Note: This function appends passed data to existing values
fn spec.deny.withDb_labels_expression
withDb_labels_expression(db_labels_expression)
"DatabaseLabelsExpression is a predicate expression used to allow/deny access to Databases."
fn spec.deny.withDb_names
withDb_names(db_names)
"DatabaseNames is a list of database names this role is allowed to connect to."
fn spec.deny.withDb_namesMixin
withDb_namesMixin(db_names)
"DatabaseNames is a list of database names this role is allowed to connect to."
Note: This function appends passed data to existing values
fn spec.deny.withDb_permissions
withDb_permissions(db_permissions)
"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."
fn spec.deny.withDb_permissionsMixin
withDb_permissionsMixin(db_permissions)
"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."
Note: This function appends passed data to existing values
fn spec.deny.withDb_roles
withDb_roles(db_roles)
"DatabaseRoles is a list of database roles for automatic user creation."
fn spec.deny.withDb_rolesMixin
withDb_rolesMixin(db_roles)
"DatabaseRoles is a list of database roles for automatic user creation."
Note: This function appends passed data to existing values
fn spec.deny.withDb_service_labels
withDb_service_labels(db_service_labels)
"DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services."
fn spec.deny.withDb_service_labelsMixin
withDb_service_labelsMixin(db_service_labels)
"DatabaseServiceLabels are used in RBAC system to allow/deny access to Database Services."
Note: This function appends passed data to existing values
fn spec.deny.withDb_service_labels_expression
withDb_service_labels_expression(db_service_labels_expression)
"DatabaseServiceLabelsExpression is a predicate expression used to allow/deny access to Database Services."
fn spec.deny.withDb_users
withDb_users(db_users)
"DatabaseUsers is a list of database users this role is allowed to connect as."
fn spec.deny.withDb_usersMixin
withDb_usersMixin(db_users)
"DatabaseUsers is a list of database users this role is allowed to connect as."
Note: This function appends passed data to existing values
fn spec.deny.withDesktop_groups
withDesktop_groups(desktop_groups)
"DesktopGroups is a list of groups for created desktop users to be added to"
fn spec.deny.withDesktop_groupsMixin
withDesktop_groupsMixin(desktop_groups)
"DesktopGroups is a list of groups for created desktop users to be added to"
Note: This function appends passed data to existing values
fn spec.deny.withGcp_service_accounts
withGcp_service_accounts(gcp_service_accounts)
"GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume."
fn spec.deny.withGcp_service_accountsMixin
withGcp_service_accountsMixin(gcp_service_accounts)
"GCPServiceAccounts is a list of GCP service accounts this role is allowed to assume."
Note: This function appends passed data to existing values
fn spec.deny.withGroup_labels
withGroup_labels(group_labels)
"GroupLabels is a map of labels used as part of the RBAC system."
fn spec.deny.withGroup_labelsMixin
withGroup_labelsMixin(group_labels)
"GroupLabels is a map of labels used as part of the RBAC system."
Note: This function appends passed data to existing values
fn spec.deny.withGroup_labels_expression
withGroup_labels_expression(group_labels_expression)
"GroupLabelsExpression is a predicate expression used to allow/deny access to user groups."
fn spec.deny.withHost_groups
withHost_groups(host_groups)
"HostGroups is a list of groups for created users to be added to"
fn spec.deny.withHost_groupsMixin
withHost_groupsMixin(host_groups)
"HostGroups is a list of groups for created users to be added to"
Note: This function appends passed data to existing values
fn spec.deny.withHost_sudoers
withHost_sudoers(host_sudoers)
"HostSudoers is a list of entries to include in a user's sudoers file"
fn spec.deny.withHost_sudoersMixin
withHost_sudoersMixin(host_sudoers)
"HostSudoers is a list of entries to include in a user's sudoers file"
Note: This function appends passed data to existing values
fn spec.deny.withJoin_sessions
withJoin_sessions(join_sessions)
"JoinSessions specifies policies to allow users to join other sessions."
fn spec.deny.withJoin_sessionsMixin
withJoin_sessionsMixin(join_sessions)
"JoinSessions specifies policies to allow users to join other sessions."
Note: This function appends passed data to existing values
fn spec.deny.withKubernetes_groups
withKubernetes_groups(kubernetes_groups)
"KubeGroups is a list of kubernetes groups"
fn spec.deny.withKubernetes_groupsMixin
withKubernetes_groupsMixin(kubernetes_groups)
"KubeGroups is a list of kubernetes groups"
Note: This function appends passed data to existing values
fn spec.deny.withKubernetes_labels
withKubernetes_labels(kubernetes_labels)
"KubernetesLabels is a map of kubernetes cluster labels used for RBAC."
fn spec.deny.withKubernetes_labelsMixin
withKubernetes_labelsMixin(kubernetes_labels)
"KubernetesLabels is a map of kubernetes cluster labels used for RBAC."
Note: This function appends passed data to existing values
fn spec.deny.withKubernetes_labels_expression
withKubernetes_labels_expression(kubernetes_labels_expression)
"KubernetesLabelsExpression is a predicate expression used to allow/deny access to kubernetes clusters."
fn spec.deny.withKubernetes_resources
withKubernetes_resources(kubernetes_resources)
"KubernetesResources is the Kubernetes Resources this Role grants access to."
fn spec.deny.withKubernetes_resourcesMixin
withKubernetes_resourcesMixin(kubernetes_resources)
"KubernetesResources is the Kubernetes Resources this Role grants access to."
Note: This function appends passed data to existing values
fn spec.deny.withKubernetes_users
withKubernetes_users(kubernetes_users)
"KubeUsers is an optional list of kubernetes users to impersonate"
fn spec.deny.withKubernetes_usersMixin
withKubernetes_usersMixin(kubernetes_users)
"KubeUsers is an optional list of kubernetes users to impersonate"
Note: This function appends passed data to existing values
fn spec.deny.withLogins
withLogins(logins)
"Logins is a list of *nix system logins."
fn spec.deny.withLoginsMixin
withLoginsMixin(logins)
"Logins is a list of *nix system logins."
Note: This function appends passed data to existing values
fn spec.deny.withNode_labels
withNode_labels(node_labels)
"NodeLabels is a map of node labels (used to dynamically grant access to nodes)."
fn spec.deny.withNode_labelsMixin
withNode_labelsMixin(node_labels)
"NodeLabels is a map of node labels (used to dynamically grant access to nodes)."
Note: This function appends passed data to existing values
fn spec.deny.withNode_labels_expression
withNode_labels_expression(node_labels_expression)
"NodeLabelsExpression is a predicate expression used to allow/deny access to SSH nodes."
fn spec.deny.withRequire_session_join
withRequire_session_join(require_session_join)
"RequireSessionJoin specifies policies for required users to start a session."
fn spec.deny.withRequire_session_joinMixin
withRequire_session_joinMixin(require_session_join)
"RequireSessionJoin specifies policies for required users to start a session."
Note: This function appends passed data to existing values
fn spec.deny.withRules
withRules(rules)
"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."
fn spec.deny.withRulesMixin
withRulesMixin(rules)
"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."
Note: This function appends passed data to existing values
fn spec.deny.withSpiffe
withSpiffe(spiffe)
"SPIFFE is used to allow or deny a role holder the ability to generate a SPIFFE SVID."
fn spec.deny.withSpiffeMixin
withSpiffeMixin(spiffe)
"SPIFFE is used to allow or deny a role holder the ability to generate a SPIFFE SVID."
Note: This function appends passed data to existing values
fn spec.deny.withWindows_desktop_labels
withWindows_desktop_labels(windows_desktop_labels)
"WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops."
fn spec.deny.withWindows_desktop_labelsMixin
withWindows_desktop_labelsMixin(windows_desktop_labels)
"WindowsDesktopLabels are used in the RBAC system to allow/deny access to Windows desktops."
Note: This function appends passed data to existing values
fn spec.deny.withWindows_desktop_labels_expression
withWindows_desktop_labels_expression(windows_desktop_labels_expression)
"WindowsDesktopLabelsExpression is a predicate expression used to allow/deny access to Windows desktops."
fn spec.deny.withWindows_desktop_logins
withWindows_desktop_logins(windows_desktop_logins)
"WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops."
fn spec.deny.withWindows_desktop_loginsMixin
withWindows_desktop_loginsMixin(windows_desktop_logins)
"WindowsDesktopLogins is a list of desktop login names allowed/denied for Windows desktops."
Note: This function appends passed data to existing values
obj spec.deny.db_permissions
"DatabasePermissions specifies a set of permissions that will be granted to the database user when using automatic database user provisioning."
fn spec.deny.db_permissions.withMatch
withMatch(match)
"Match is a list of object labels that must be matched for the permission to be granted."
fn spec.deny.db_permissions.withMatchMixin
withMatchMixin(match)
"Match is a list of object labels that must be matched for the permission to be granted."
Note: This function appends passed data to existing values
fn spec.deny.db_permissions.withPermissions
withPermissions(permissions)
"Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ..."
fn spec.deny.db_permissions.withPermissionsMixin
withPermissionsMixin(permissions)
"Permission is the list of string representations of the permission to be given, e.g. SELECT, INSERT, UPDATE, ..."
Note: This function appends passed data to existing values
obj spec.deny.impersonate
"Impersonate specifies what users and roles this role is allowed to impersonate by issuing certificates or other possible means."
fn spec.deny.impersonate.withRoles
withRoles(roles)
"Roles is a list of resources this role is allowed to impersonate"
fn spec.deny.impersonate.withRolesMixin
withRolesMixin(roles)
"Roles is a list of resources this role is allowed to impersonate"
Note: This function appends passed data to existing values
fn spec.deny.impersonate.withUsers
withUsers(users)
"Users is a list of resources this role is allowed to impersonate; it may be an empty list or a wildcard pattern"
fn spec.deny.impersonate.withUsersMixin
withUsersMixin(users)
"Users is a list of resources this role is allowed to impersonate; it may be an empty list or a wildcard pattern"
Note: This function appends passed data to existing values
fn spec.deny.impersonate.withWhere
withWhere(where)
"Where specifies optional advanced matcher"
obj spec.deny.join_sessions
"JoinSessions specifies policies to allow users to join other sessions."
fn spec.deny.join_sessions.withKinds
withKinds(kinds)
"Kinds are the session kinds this policy applies to."
fn spec.deny.join_sessions.withKindsMixin
withKindsMixin(kinds)
"Kinds are the session kinds this policy applies to."
Note: This function appends passed data to existing values
fn spec.deny.join_sessions.withModes
withModes(modes)
"Modes is a list of permitted participant modes for this policy."
fn spec.deny.join_sessions.withModesMixin
withModesMixin(modes)
"Modes is a list of permitted participant modes for this policy."
Note: This function appends passed data to existing values
fn spec.deny.join_sessions.withName
withName(name)
"Name is the name of the policy."
fn spec.deny.join_sessions.withRoles
withRoles(roles)
"Roles is a list of roles that you can join the session of."
fn spec.deny.join_sessions.withRolesMixin
withRolesMixin(roles)
"Roles is a list of roles that you can join the session of."
Note: This function appends passed data to existing values
obj spec.deny.kubernetes_resources
"KubernetesResources is the Kubernetes Resources this Role grants access to."
fn spec.deny.kubernetes_resources.withKind
withKind(kind)
"Kind specifies the Kubernetes Resource type. At the moment only \"pod\" is supported."
fn spec.deny.kubernetes_resources.withName
withName(name)
"Name is the resource name. It supports wildcards."
fn spec.deny.kubernetes_resources.withNamespace
withNamespace(namespace)
"Namespace is the resource namespace. It supports wildcards."
fn spec.deny.kubernetes_resources.withVerbs
withVerbs(verbs)
"Verbs are the allowed Kubernetes verbs for the following resource."
fn spec.deny.kubernetes_resources.withVerbsMixin
withVerbsMixin(verbs)
"Verbs are the allowed Kubernetes verbs for the following resource."
Note: This function appends passed data to existing values
obj spec.deny.request
fn spec.deny.request.withAnnotations
withAnnotations(annotations)
"Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider to a plugin via {{external.trait_name}} style substitutions."
fn spec.deny.request.withAnnotationsMixin
withAnnotationsMixin(annotations)
"Annotations is a collection of annotations to be programmatically appended to pending Access Requests at the time of their creation. These annotations serve as a mechanism to propagate extra information to plugins. Since these annotations support variable interpolation syntax, they also offer a mechanism for forwarding claims from an external identity provider to a plugin via {{external.trait_name}} style substitutions."
Note: This function appends passed data to existing values
fn spec.deny.request.withClaims_to_roles
withClaims_to_roles(claims_to_roles)
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
fn spec.deny.request.withClaims_to_rolesMixin
withClaims_to_rolesMixin(claims_to_roles)
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
Note: This function appends passed data to existing values
fn spec.deny.request.withKubernetes_resources
withKubernetes_resources(kubernetes_resources)
"kubernetes_resources can optionally restrict a requester to requesting only certain kinds of kube resources. E.g. users can request either a resource of kind \"kube_cluster\" or any of its subresources, such as \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforces requesting one of its subresources instead."
fn spec.deny.request.withKubernetes_resourcesMixin
withKubernetes_resourcesMixin(kubernetes_resources)
"kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. E.g., users can make a request for either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforces requesting any of its subresources."
Note: This function appends passed data to existing values
fn spec.deny.request.withMax_duration
withMax_duration(max_duration)
"MaxDuration is the amount of time the access will be granted for. If this is zero, the default duration is used."
fn spec.deny.request.withRoles
withRoles(roles)
"Roles is the name of roles which will match the request rule."
fn spec.deny.request.withRolesMixin
withRolesMixin(roles)
"Roles is the name of roles which will match the request rule."
Note: This function appends passed data to existing values
fn spec.deny.request.withSearch_as_roles
withSearch_as_roles(search_as_roles)
"SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request."
fn spec.deny.request.withSearch_as_rolesMixin
withSearch_as_rolesMixin(search_as_roles)
"SearchAsRoles is a list of extra roles which should apply to a user while they are searching for resources as part of a Resource Access Request, and defines the underlying roles which will be requested as part of any Resource Access Request."
Note: This function appends passed data to existing values
fn spec.deny.request.withSuggested_reviewers
withSuggested_reviewers(suggested_reviewers)
"SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement."
fn spec.deny.request.withSuggested_reviewersMixin
withSuggested_reviewersMixin(suggested_reviewers)
"SuggestedReviewers is a list of reviewer suggestions. These can be teleport usernames, but that is not a requirement."
Note: This function appends passed data to existing values
fn spec.deny.request.withThresholds
withThresholds(thresholds)
"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."
fn spec.deny.request.withThresholdsMixin
withThresholdsMixin(thresholds)
"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."
Note: This function appends passed data to existing values
obj spec.deny.request.claims_to_roles
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
fn spec.deny.request.claims_to_roles.withClaim
withClaim(claim)
"Claim is a claim name."
fn spec.deny.request.claims_to_roles.withRoles
withRoles(roles)
"Roles is a list of static teleport roles to match."
fn spec.deny.request.claims_to_roles.withRolesMixin
withRolesMixin(roles)
"Roles is a list of static teleport roles to match."
Note: This function appends passed data to existing values
fn spec.deny.request.claims_to_roles.withValue
withValue(value)
"Value is a claim value to match."
obj spec.deny.request.kubernetes_resources
"kubernetes_resources can optionally enforce a requester to request only certain kinds of kube resources. E.g., users can make a request for either a resource kind \"kube_cluster\" or any of its subresources like \"namespaces\". This field can be defined such that it prevents a user from requesting \"kube_cluster\" and enforces requesting any of its subresources."
fn spec.deny.request.kubernetes_resources.withKind
withKind(kind)
"kind specifies the Kubernetes Resource type."
obj spec.deny.request.thresholds
"Thresholds is a list of thresholds, one of which must be met in order for reviews to trigger a state-transition. If no thresholds are provided, a default threshold of 1 for approval and denial is used."
fn spec.deny.request.thresholds.withApprove
withApprove(approve)
"Approve is the number of matching approvals needed for state-transition."
fn spec.deny.request.thresholds.withDeny
withDeny(deny)
"Deny is the number of denials needed for state-transition."
fn spec.deny.request.thresholds.withFilter
withFilter(filter)
"Filter is an optional predicate used to determine which reviews count toward this threshold."
fn spec.deny.request.thresholds.withName
withName(name)
"Name is the optional human-readable name of the threshold."
obj spec.deny.require_session_join
"RequireSessionJoin specifies policies for required users to start a session."
fn spec.deny.require_session_join.withCount
withCount(count)
"Count is the number of people that need to be matched for this policy to be fulfilled."
fn spec.deny.require_session_join.withFilter
withFilter(filter)
"Filter is a predicate that determines what users count towards this policy."
fn spec.deny.require_session_join.withKinds
withKinds(kinds)
"Kinds are the session kinds this policy applies to."
fn spec.deny.require_session_join.withKindsMixin
withKindsMixin(kinds)
"Kinds are the session kinds this policy applies to."
Note: This function appends passed data to existing values
fn spec.deny.require_session_join.withModes
withModes(modes)
"Modes is the list of modes that may be used to fulfill this policy."
fn spec.deny.require_session_join.withModesMixin
withModesMixin(modes)
"Modes is the list of modes that may be used to fulfill this policy."
Note: This function appends passed data to existing values
fn spec.deny.require_session_join.withName
withName(name)
"Name is the name of the policy."
fn spec.deny.require_session_join.withOn_leave
withOn_leave(on_leave)
"OnLeave is the behaviour that's used when the policy is no longer fulfilled for a live session."
obj spec.deny.review_requests
"ReviewRequests defines conditions for submitting access reviews."
fn spec.deny.review_requests.withClaims_to_roles
withClaims_to_roles(claims_to_roles)
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
fn spec.deny.review_requests.withClaims_to_rolesMixin
withClaims_to_rolesMixin(claims_to_roles)
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
Note: This function appends passed data to existing values
fn spec.deny.review_requests.withPreview_as_roles
withPreview_as_roles(preview_as_roles)
"PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources."
fn spec.deny.review_requests.withPreview_as_rolesMixin
withPreview_as_rolesMixin(preview_as_roles)
"PreviewAsRoles is a list of extra roles which should apply to a reviewer while they are viewing a Resource Access Request for the purposes of viewing details such as the hostname and labels of requested resources."
Note: This function appends passed data to existing values
fn spec.deny.review_requests.withRoles
withRoles(roles)
"Roles is the name of roles which may be reviewed."
fn spec.deny.review_requests.withRolesMixin
withRolesMixin(roles)
"Roles is the name of roles which may be reviewed."
Note: This function appends passed data to existing values
fn spec.deny.review_requests.withWhere
withWhere(where)
"Where is an optional predicate which further limits which requests are reviewable."
obj spec.deny.review_requests.claims_to_roles
"ClaimsToRoles specifies a mapping from claims (traits) to teleport roles."
fn spec.deny.review_requests.claims_to_roles.withClaim
withClaim(claim)
"Claim is a claim name."
fn spec.deny.review_requests.claims_to_roles.withRoles
withRoles(roles)
"Roles is a list of static teleport roles to match."
fn spec.deny.review_requests.claims_to_roles.withRolesMixin
withRolesMixin(roles)
"Roles is a list of static teleport roles to match."
Note: This function appends passed data to existing values
fn spec.deny.review_requests.claims_to_roles.withValue
withValue(value)
"Value is a claim value to match."
obj spec.deny.rules
"Rules is a list of rules and their access levels. Rules are a high level construct used for access control."
fn spec.deny.rules.withActions
withActions(actions)
"Actions specifies optional actions taken when this rule matches"
fn spec.deny.rules.withActionsMixin
withActionsMixin(actions)
"Actions specifies optional actions taken when this rule matches"
Note: This function appends passed data to existing values
fn spec.deny.rules.withResources
withResources(resources)
"Resources is a list of resources"
fn spec.deny.rules.withResourcesMixin
withResourcesMixin(resources)
"Resources is a list of resources"
Note: This function appends passed data to existing values
fn spec.deny.rules.withVerbs
withVerbs(verbs)
"Verbs is a list of verbs"
fn spec.deny.rules.withVerbsMixin
withVerbsMixin(verbs)
"Verbs is a list of verbs"
Note: This function appends passed data to existing values
fn spec.deny.rules.withWhere
withWhere(where)
"Where specifies optional advanced matcher"
obj spec.deny.spiffe
"SPIFFE is used to allow or deny access to a role holder to generating a SPIFFE SVID."
fn spec.deny.spiffe.withDns_sans
withDns_sans(dns_sans)
"DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com"
fn spec.deny.spiffe.withDns_sansMixin
withDns_sansMixin(dns_sans)
"DNSSANs specifies matchers for the SPIFFE ID DNS SANs. Each requested DNS SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: *.example.com would match foo.example.com"
Note: This function appends passed data to existing values
fn spec.deny.spiffe.withIp_sans
withIp_sans(ip_sans)
"IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42"
fn spec.deny.spiffe.withIp_sansMixin
withIp_sansMixin(ip_sans)
"IPSANs specifies matchers for the SPIFFE ID IP SANs. Each requested IP SAN is compared against all matchers configured and if any match, the condition is considered to be met. The matchers should be specified using CIDR notation, it supports IPv4 and IPv6. Examples: - 10.0.0.0/24 would match 10.0.0.0 to 10.255.255.255 - 10.0.0.42/32 would match only 10.0.0.42"
Note: This function appends passed data to existing values
fn spec.deny.spiffe.withPath
withPath(path)
"Path specifies a matcher for the SPIFFE ID path. It should not include the trust domain and should start with a leading slash. The matcher by default allows '*' to be used to indicate zero or more of any character. Prepend '^' and append '$' to instead switch to matching using the Go regex syntax. Example: - /svc/foo/*/bar would match /svc/foo/baz/bar - ^\/svc\/foo\/.*\/bar$ would match /svc/foo/baz/bar"
obj spec.options
"Options is for OpenSSH options like agent forwarding."
fn spec.options.withCert_extensions
withCert_extensions(cert_extensions)
"CertExtensions specifies the key/values"
fn spec.options.withCert_extensionsMixin
withCert_extensionsMixin(cert_extensions)
"CertExtensions specifies the key/values"
Note: This function appends passed data to existing values
fn spec.options.withCert_format
withCert_format(cert_format)
"CertificateFormat defines the format of the user certificate to allow compatibility with older versions of OpenSSH."
fn spec.options.withClient_idle_timeout
withClient_idle_timeout(client_idle_timeout)
"ClientIdleTimeout controls whether clients are disconnected on idle timeout: if set to 0, clients are not disconnected; otherwise it is the idle duration after which they are disconnected."
fn spec.options.withCreate_db_user
withCreate_db_user(create_db_user)
"CreateDatabaseUser enables automatic database user creation."
fn spec.options.withCreate_db_user_mode
withCreate_db_user_mode(create_db_user_mode)
"CreateDatabaseUserMode allows users to be automatically created on a database when not set to off. 0 is \"unspecified\", 1 is \"off\", 2 is \"keep\", 3 is \"best_effort_drop\"."
fn spec.options.withCreate_desktop_user
withCreate_desktop_user(create_desktop_user)
"CreateDesktopUser allows users to be automatically created on a Windows desktop"
fn spec.options.withCreate_host_user
withCreate_host_user(create_host_user)
"Deprecated: use CreateHostUserMode instead."
fn spec.options.withCreate_host_user_default_shell
withCreate_host_user_default_shell(create_host_user_default_shell)
"CreateHostUserDefaultShell is used to configure the default shell for newly provisioned host users."
fn spec.options.withCreate_host_user_mode
withCreate_host_user_mode(create_host_user_mode)
"CreateHostUserMode allows users to be automatically created on a host when not set to off. 0 is \"unspecified\"; 1 is \"off\"; 2 is \"drop\" (removed for v15 and above); 3 is \"keep\"; 4 is \"insecure-drop\"."
fn spec.options.withDesktop_clipboard
withDesktop_clipboard(desktop_clipboard)
"DesktopClipboard indicates whether clipboard sharing is allowed between the user's workstation and the remote desktop. It defaults to true unless explicitly set to false."
fn spec.options.withDesktop_directory_sharing
withDesktop_directory_sharing(desktop_directory_sharing)
"DesktopDirectorySharing indicates whether directory sharing is allowed between the user's workstation and the remote desktop. It defaults to false unless explicitly set to true."
fn spec.options.withDevice_trust_mode
withDevice_trust_mode(device_trust_mode)
"DeviceTrustMode is the device authorization mode used for the resources associated with the role. See DeviceTrust.Mode."
fn spec.options.withDisconnect_expired_cert
withDisconnect_expired_cert(disconnect_expired_cert)
"DisconnectExpiredCert disconnects clients whose certificates have expired."
fn spec.options.withEnhanced_recording
withEnhanced_recording(enhanced_recording)
"BPF defines what events to record for the BPF-based session recorder."
fn spec.options.withEnhanced_recordingMixin
withEnhanced_recordingMixin(enhanced_recording)
"BPF defines what events to record for the BPF-based session recorder."
Note: This function appends passed data to existing values
fn spec.options.withForward_agent
withForward_agent(forward_agent)
"ForwardAgent is SSH agent forwarding."
fn spec.options.withLock
withLock(lock)
"Lock specifies the locking mode (strict|best_effort) to be applied with the role."
fn spec.options.withMax_connections
withMax_connections(max_connections)
"MaxConnections defines the maximum number of concurrent connections a user may hold."
fn spec.options.withMax_kubernetes_connections
withMax_kubernetes_connections(max_kubernetes_connections)
"MaxKubernetesConnections defines the maximum number of concurrent Kubernetes sessions a user may hold."
fn spec.options.withMax_session_ttl
withMax_session_ttl(max_session_ttl)
"MaxSessionTTL defines how long an SSH session can last for."
fn spec.options.withMax_sessions
withMax_sessions(max_sessions)
"MaxSessions defines the maximum number of concurrent sessions per connection."
fn spec.options.withMfa_verification_interval
withMfa_verification_interval(mfa_verification_interval)
"MFAVerificationInterval optionally defines the maximum duration that can elapse between successive MFA verifications. This variable is used to ensure that users are periodically prompted to verify their identity, enhancing security by preventing prolonged sessions without re-authentication when using tsh proxy * derivatives. It's only effective if the session requires MFA. If not set, defaults to max_session_ttl."
fn spec.options.withPermit_x11_forwarding
withPermit_x11_forwarding(permit_x11_forwarding)
"PermitX11Forwarding authorizes use of X11 forwarding."
fn spec.options.withPin_source_ip
withPin_source_ip(pin_source_ip)
"PinSourceIP forces the same client IP for certificate generation and usage"
fn spec.options.withPort_forwarding
withPort_forwarding(port_forwarding)
"PortForwarding defines if the certificate will have \"permit-port-forwarding\" in the certificate. PortForwarding is \"yes\" if not set, that's why this is a pointer"
fn spec.options.withRequest_access
withRequest_access(request_access)
"RequestAccess defines the request strategy (optional|note|always) where optional is the default."
fn spec.options.withRequest_prompt
withRequest_prompt(request_prompt)
"RequestPrompt is an optional message which tells users what they ought to request."
fn spec.options.withRequire_session_mfa
withRequire_session_mfa(require_session_mfa)
"RequireMFAType is the type of MFA requirement enforced for this user. 0 is \"OFF\", 1 is \"SESSION\", 2 is \"SESSION_AND_HARDWARE_KEY\", 3 is \"HARDWARE_KEY_TOUCH\", 4 is \"HARDWARE_KEY_PIN\", 5 is \"HARDWARE_KEY_TOUCH_AND_PIN\"."
fn spec.options.withSsh_file_copy
withSsh_file_copy(ssh_file_copy)
"SSHFileCopy indicates whether remote file operations via SCP or SFTP are allowed over an SSH session. It defaults to true unless explicitly set to false."
obj spec.options.cert_extensions
"CertExtensions specifies the key/values"
fn spec.options.cert_extensions.withMode
withMode(mode)
"Mode is the type of extension to be used -- currently critical-option is not supported. 0 is \"extension\"."
fn spec.options.cert_extensions.withName
withName(name)
"Name specifies the key to be used in the cert extension."
fn spec.options.cert_extensions.withType
withType(type)
"Type represents the certificate type being extended, only ssh is supported at this time. 0 is \"ssh\"."
fn spec.options.cert_extensions.withValue
withValue(value)
"Value specifies the value to be used in the cert extension."
obj spec.options.idp
"IDP is a set of options related to accessing IdPs within Teleport. Requires Teleport Enterprise."
obj spec.options.idp.saml
"SAML are options related to the Teleport SAML IdP."
fn spec.options.idp.saml.withEnabled
withEnabled(enabled)
"Enabled is set to true if this option allows access to the Teleport SAML IdP."
obj spec.options.record_session
"RecordDesktopSession indicates whether desktop access sessions should be recorded. It defaults to true unless explicitly set to false."
fn spec.options.record_session.withDefault
withDefault(default)
"Default indicates the default value for the services."
fn spec.options.record_session.withDesktop
withDesktop(desktop)
"Desktop indicates whether desktop sessions should be recorded. It defaults to true unless explicitly set to false."
fn spec.options.record_session.withSsh
withSsh(ssh)
"SSH indicates the session mode used on SSH sessions."