--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.16.4 kubectl.kubernetes.io/last-applied-configuration: | {"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{"controller-gen.kubebuilder.io/version":"v0.16.4"},"name":"maasauthpolicies.maas.opendatahub.io"},"spec":{"group":"maas.opendatahub.io","names":{"kind":"MaaSAuthPolicy","listKind":"MaaSAuthPolicyList","plural":"maasauthpolicies","singular":"maasauthpolicy"},"scope":"Namespaced","versions":[{"additionalPrinterColumns":[{"jsonPath":".status.phase","name":"Phase","type":"string"},{"jsonPath":".metadata.creationTimestamp","name":"Age","type":"date"},{"jsonPath":".status.authPolicies[*].name","name":"AuthPolicies","priority":1,"type":"string"}],"name":"v1alpha1","schema":{"openAPIV3Schema":{"description":"MaaSAuthPolicy is the Schema for the maasauthpolicies API","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"description":"MaaSAuthPolicySpec defines the desired state of MaaSAuthPolicy","properties":{"meteringMetadata":{"description":"MeteringMetadata contains billing and tracking information","properties":{"costCenter":{"description":"CostCenter is the cost center for billing attribution","type":"string"},"labels":{"additionalProperties":{"type":"string"},"description":"Labels are additional labels for tracking","type":"object"},"organizationId":{"description":"OrganizationID is the organization identifier for billing","type":"string"}},"type":"object"},"modelRefs":{"description":"ModelRefs is a list of models (by name and namespace) that this policy grants access to","items":{"description":"ModelRef references a MaaSModelRef by name and namespace.","properties":{"name":{"description":"Name is the name of the MaaSModelRef","maxLength":63,"minLength":1,"type":"string"},"namespace":{"description":"Namespace is the namespace where the MaaSModelRef lives","maxLength":63,"minLength":1,"type":"string"}},"required":["name","namespace"],"type":"object"},"minItems":1,"type":"array"},"subjects":{"description":"Subjects defines who has access (OR logic - any match grants access)","properties":{"groups":{"description":"Groups is a list of Kubernetes group names","items":{"description":"GroupReference references a Kubernetes group","properties":{"name":{"description":"Name is the name of the group","type":"string"}},"required":["name"],"type":"object"},"type":"array"},"users":{"description":"Users is a list of Kubernetes user names","items":{"type":"string"},"type":"array"}},"type":"object","x-kubernetes-validations":[{"message":"at least one group or user must be specified in subjects","rule":"size(self.groups) \u003e 0 || size(self.users) \u003e 0"}]}},"required":["modelRefs","subjects"],"type":"object"},"status":{"description":"MaaSAuthPolicyStatus defines the observed state of MaaSAuthPolicy","properties":{"authPolicies":{"description":"AuthPolicies lists the underlying Kuadrant AuthPolicies and their status.","items":{"description":"AuthPolicyRefStatus reports the status of a generated Kuadrant AuthPolicy.\nEmbeds ResourceRefStatus for common fields (Ready, Reason, Message).","properties":{"message":{"description":"Message is a human-readable description of the status","maxLength":1024,"type":"string"},"model":{"description":"Model is the MaaSModelRef name this AuthPolicy targets.","maxLength":63,"minLength":1,"type":"string"},"modelNamespace":{"description":"ModelNamespace is the namespace of the MaaSModelRef.","maxLength":63,"minLength":1,"type":"string"},"name":{"description":"Name of the referenced resource","maxLength":253,"type":"string"},"namespace":{"description":"Namespace of the referenced resource","maxLength":63,"type":"string"},"ready":{"description":"Ready indicates whether the resource is valid and healthy","type":"boolean"},"reason":{"description":"Reason is a machine-readable reason code","enum":["Reconciled","ReconcileFailed","PartialFailure","Valid","NotFound","GetFailed","Accepted","AcceptedEnforced","NotAccepted","Enforced","NotEnforced","BackendNotReady","ConditionsNotFound","Unknown"],"type":"string"}},"required":["model","modelNamespace","name","namespace","ready"],"type":"object"},"type":"array"},"conditions":{"description":"Conditions represent the latest available observations of the policy's state","items":{"description":"Condition contains details for one aspect of the current state of this API Resource.","properties":{"lastTransitionTime":{"description":"lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.","format":"date-time","type":"string"},"message":{"description":"message is a human readable message indicating details about the transition.\nThis may be an empty string.","maxLength":32768,"type":"string"},"observedGeneration":{"description":"observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.","format":"int64","minimum":0,"type":"integer"},"reason":{"description":"reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.","maxLength":1024,"minLength":1,"pattern":"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown.","enum":["True","False","Unknown"],"type":"string"},"type":{"description":"type of condition in CamelCase or in foo.example.com/CamelCase.","maxLength":316,"pattern":"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$","type":"string"}},"required":["lastTransitionTime","message","reason","status","type"],"type":"object"},"type":"array"},"phase":{"description":"Phase represents the current phase of the policy","enum":["Pending","Active","Degraded","Failed"],"type":"string"}},"type":"object"}},"type":"object"}},"served":true,"storage":true,"subresources":{"status":{}}}]}} creationTimestamp: "2026-04-22T18:55:14Z" generation: 1 managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2026-04-22T18:55:14Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:controller-gen.kubebuilder.io/version: {} f:kubectl.kubernetes.io/last-applied-configuration: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:kind: {} f:listKind: {} f:plural: {} f:singular: {} f:scope: {} f:versions: {} manager: kubectl-client-side-apply operation: Update time: "2026-04-22T18:55:14Z" name: maasauthpolicies.maas.opendatahub.io resourceVersion: "21822" uid: f290e593-20ac-4842-85ab-f8f64196fb32 spec: conversion: strategy: None group: maas.opendatahub.io names: kind: MaaSAuthPolicy listKind: MaaSAuthPolicyList plural: maasauthpolicies singular: maasauthpolicy scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .status.phase name: Phase type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - jsonPath: .status.authPolicies[*].name name: AuthPolicies priority: 1 type: string name: v1alpha1 schema: openAPIV3Schema: description: MaaSAuthPolicy is the Schema for the maasauthpolicies API properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: MaaSAuthPolicySpec defines the desired state of MaaSAuthPolicy properties: meteringMetadata: description: MeteringMetadata contains billing and tracking information properties: costCenter: description: CostCenter is the cost center for billing attribution type: string labels: additionalProperties: type: string description: Labels are additional labels for tracking type: object organizationId: description: OrganizationID is the organization identifier for billing type: string type: object modelRefs: description: ModelRefs is a list of models (by name and namespace) that this policy grants access to items: description: ModelRef references a MaaSModelRef by name and namespace. properties: name: description: Name is the name of the MaaSModelRef maxLength: 63 minLength: 1 type: string namespace: description: Namespace is the namespace where the MaaSModelRef lives maxLength: 63 minLength: 1 type: string required: - name - namespace type: object minItems: 1 type: array subjects: description: Subjects defines who has access (OR logic - any match grants access) properties: groups: description: Groups is a list of Kubernetes group names items: description: GroupReference references a Kubernetes group properties: name: description: Name is the name of the group type: string required: - name type: object type: array users: description: Users is a list of Kubernetes user names items: type: string type: array type: object x-kubernetes-validations: - message: at least one group or user must be specified in subjects rule: size(self.groups) > 0 || size(self.users) > 0 required: - modelRefs - subjects type: object status: description: MaaSAuthPolicyStatus defines the observed state of MaaSAuthPolicy properties: authPolicies: description: AuthPolicies lists the underlying Kuadrant AuthPolicies and their status. items: description: |- AuthPolicyRefStatus reports the status of a generated Kuadrant AuthPolicy. Embeds ResourceRefStatus for common fields (Ready, Reason, Message). properties: message: description: Message is a human-readable description of the status maxLength: 1024 type: string model: description: Model is the MaaSModelRef name this AuthPolicy targets. maxLength: 63 minLength: 1 type: string modelNamespace: description: ModelNamespace is the namespace of the MaaSModelRef. maxLength: 63 minLength: 1 type: string name: description: Name of the referenced resource maxLength: 253 type: string namespace: description: Namespace of the referenced resource maxLength: 63 type: string ready: description: Ready indicates whether the resource is valid and healthy type: boolean reason: description: Reason is a machine-readable reason code enum: - Reconciled - ReconcileFailed - PartialFailure - Valid - NotFound - GetFailed - Accepted - AcceptedEnforced - NotAccepted - Enforced - NotEnforced - BackendNotReady - ConditionsNotFound - Unknown type: string required: - model - modelNamespace - name - namespace - ready type: object type: array conditions: description: Conditions represent the latest available observations of the policy's state items: description: Condition contains details for one aspect of the current state of this API Resource. properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: type of condition in CamelCase or in foo.example.com/CamelCase. maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object type: array phase: description: Phase represents the current phase of the policy enum: - Pending - Active - Degraded - Failed type: string type: object type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: MaaSAuthPolicy listKind: MaaSAuthPolicyList plural: maasauthpolicies singular: maasauthpolicy conditions: - lastTransitionTime: "2026-04-22T18:55:14Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2026-04-22T18:55:14Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1alpha1