Other API Objects
LimitRange
A limit range provides a mechanism to enforce min/max limits placed on resources in a Kubernetes namespace.
By adding a limit range to your namespace, you can enforce the minimum and maximum amount of CPU and Memory consumed by an individual pod or container.
For CPU and memory limits, if you specify a max value but do not specify a min limit in the LimitRange object, the resource can consume CPU/memory resources greater than the max value.
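As an added example (not part of the documentation), the check below applies a Container-type LimitRange's min/max bounds to one container spec the way the admission rule described above does: requests must be at least min, limits at most max. The LimitRange and the quantity parser are constructed for this example; only the standard library is used.

```python
import re

# Constructed sample LimitRange (not from the page): per-container bounds on
# CPU and memory for one namespace.
LIMIT_RANGE = {
    "kind": "LimitRange",
    "metadata": {"name": "example-limits", "namespace": "example"},
    "spec": {"limits": [{
        "type": "Container",
        "min": {"cpu": "100m", "memory": "64Mi"},
        "max": {"cpu": "2", "memory": "1Gi"},
    }]},
}

_MULT = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9,
         "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def parse_quantity(value):
    """Convert a Kubernetes quantity ("500m", "128Mi", "2") to base units
    (cores for CPU, bytes for memory)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(m|k|M|G|Ki|Mi|Gi)?", str(value))
    if not m:
        raise ValueError("unsupported quantity: %r" % (value,))
    num, suffix = float(m.group(1)), m.group(2) or ""
    return num / 1000 if suffix == "m" else num * _MULT[suffix]

def check_container(container, limit_range):
    """Return the list of LimitRange violations for one container spec.

    The rule enforced is the one the text describes: every request must be at
    least the Container min and every limit at most the Container max. An
    absent request or limit is reported too, because this example applies no
    LimitRange defaults.
    """
    violations = []
    res = container.get("resources", {})
    for item in limit_range["spec"]["limits"]:
        if item.get("type") != "Container":
            continue
        for name, bound in item.get("min", {}).items():
            req = res.get("requests", {}).get(name)
            if req is None or parse_quantity(req) < parse_quantity(bound):
                violations.append("request %s=%s is below min %s" % (name, req, bound))
        for name, bound in item.get("max", {}).items():
            lim = res.get("limits", {}).get(name)
            if lim is None or parse_quantity(lim) > parse_quantity(bound):
                violations.append("limit %s=%s is above max %s" % (name, lim, bound))
    return violations
```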
ResourceQuota
Kubernetes can limit both the number of objects created in a namespace, and the total amount of resources requested across objects in a namespace. This facilitates sharing of a single Kubernetes cluster by several teams, each in a namespace, as a mechanism of preventing one team from starving another team of cluster resources.
See Cluster Administration for more information on **ResourceQuota**.
Resource
A Kubernetes **Resource** is something that can be requested by, allocated to, or consumed by a pod or container. Examples include memory (RAM), CPU, disk-time, and network bandwidth.
See the Developer Guide for more information.
Secret
Secrets are storage for sensitive information, such as keys, passwords, and certificates. They are accessible by the intended pod(s), but held separately from their definitions.
PersistentVolume
A persistent volume is an object (**PersistentVolume**) in the infrastructure provisioned by the cluster administrator. Persistent volumes provide durable storage for stateful applications.
PersistentVolumeClaim
A **PersistentVolumeClaim** object is a request for storage by a pod author. Kubernetes matches the claim against the pool of available volumes and binds them together. The claim is then used as a volume by a pod. Kubernetes makes sure the volume is available on the same node as the pod that requires it.
Custom Resources
A custom resource is an extension of the Kubernetes API that lets you introduce your own API into a project or a cluster.
See Extend the Kubernetes API with Custom Resources (admin_guide/custom_resource_definitions.adoc).
OAuth Objects
OAuthClient
An **OAuthClient** represents an OAuth client, as described in RFC 6749, section 2.
The following **OAuthClient** objects are automatically created:
Name | Description |
openshift-web-console | Client used to request tokens for the web console |
openshift-browser-client | Client used to request tokens at /oauth/token/request with a user-agent that can handle interactive logins |
openshift-challenging-client | Client used to request tokens with a user-agent that can handle WWW-Authenticate challenges |
**OAuthClient** Object Definition
kind: "OAuthClient"
accessTokenMaxAgeSeconds: null (1)
apiVersion: "oauth.openshift.io/v1"
metadata:
  name: "openshift-web-console" (2)
  selflink: "/oapi/v1/oAuthClients/openshift-web-console"
  resourceVersion: "1"
  creationTimestamp: "2015-01-01T01:01:01Z"
respondWithChallenges: false (3)
secret: "45e27750-a8aa-11e4-b2ea-3c970e4b7ffe" (4)
redirectURIs:
  - "https://localhost:8443" (5)
1 | The lifetime of access tokens in seconds (see the description below). |
2 | The name is used as the client_id parameter in OAuth requests. |
3 | When respondWithChallenges is set to true, unauthenticated requests to /oauth/authorize will result in WWW-Authenticate challenges, if supported by the configured authentication methods. |
4 | The value in the secret parameter is used as the client_secret parameter in an authorization code flow. |
5 | One or more absolute URIs can be placed in the redirectURIs section. The redirect_uri parameter sent with authorization requests must be prefixed by one of the specified redirectURIs. |
The accessTokenMaxAgeSeconds value overrides the default accessTokenMaxAgeSeconds value in the master configuration file for individual OAuth clients. Setting this value for a client allows long-lived access tokens for that client without affecting the lifetime of other clients.
If null, the default value in the master configuration file is used. If set to 0, the token will not expire. If set to a value greater than 0, tokens issued for that client are given the specified expiration time. For example, accessTokenMaxAgeSeconds: 172800 would cause the token to expire 48 hours after being issued.
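Added example (not from the documentation or the OAuth server's code): a server-side style check of an /oauth/authorize request against a registered **OAuthClient**, applying the client_id lookup from callout 2 and the redirect_uri prefix rule from callout 5. The client registry is constructed for the example, with a placeholder secret; the exact scheme-and-host comparison is an extra check added here so that a registered URI with no trailing path only ever covers its own origin.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed client registry keyed by metadata.name (the client_id). The
# entry mirrors the OAuthClient definition above; the secret is a placeholder.
CLIENTS = {
    "openshift-web-console": {
        "secret": "<client-secret-placeholder>",
        "respondWithChallenges": False,
        "redirectURIs": ["https://localhost:8443"],
    },
}

def redirect_uri_allowed(redirect_uri, registered):
    """Apply the rule from callout 5: redirect_uri must be prefixed by one of
    the client's redirectURIs. Scheme and host are additionally required to
    match exactly (an extra check in this example, not a rule from the page)."""
    r = urlsplit(redirect_uri)
    for prefix in registered:
        p = urlsplit(prefix)
        if (r.scheme, r.netloc) == (p.scheme, p.netloc) and redirect_uri.startswith(prefix):
            return True
    return False

def validate_authorize_request(url, clients=CLIENTS):
    """Check the client_id/redirect_uri pair of a request to /oauth/authorize.
    Returns (ok, reason); the reason is what a server-side log would record."""
    parts = urlsplit(url)
    if parts.path != "/oauth/authorize":
        return False, "not an authorize request"
    query = parse_qs(parts.query)
    client_id = query.get("client_id", [None])[0]
    redirect_uri = query.get("redirect_uri", [None])[0]
    client = clients.get(client_id)
    if client is None:
        return False, "unknown client_id %r" % (client_id,)
    if not redirect_uri:
        return False, "missing redirect_uri"
    if not redirect_uri_allowed(redirect_uri, client["redirectURIs"]):
        return False, "redirect_uri %r not under a registered redirectURI" % (redirect_uri,)
    return True, "ok"
```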
OAuthClientAuthorization
An **OAuthClientAuthorization** represents an approval by a **User** for a particular **OAuthClient** to be given an **OAuthAccessToken** with particular scopes.
Creation of **OAuthClientAuthorization** objects is done during an authorization request to the **OAuth** server.
**OAuthClientAuthorization** Object Definition
kind: "OAuthClientAuthorization"
apiVersion: "oauth.openshift.io/v1"
metadata:
  name: "bob:openshift-web-console"
  resourceVersion: "1"
  creationTimestamp: "2015-01-01T01:01:01-00:00"
clientName: "openshift-web-console"
userName: "bob"
userUID: "9311ac33-0fde-11e5-97a1-3c970e4b7ffe"
scopes: []
OAuthAuthorizeToken
An **OAuthAuthorizeToken** represents an **OAuth** authorization code, as described in RFC 6749, section 1.3.1.
An **OAuthAuthorizeToken** is created by a request to the /oauth/authorize endpoint, as described in RFC 6749, section 4.1.1.
An **OAuthAuthorizeToken** can then be used to obtain an **OAuthAccessToken** with a request to the /oauth/token endpoint, as described in RFC 6749, section 4.1.3.
**OAuthAuthorizeToken** Object Definition
kind: "OAuthAuthorizeToken"
apiVersion: "oauth.openshift.io/v1"
metadata:
  name: "MDAwYjM5YjMtMzM1MC00NDY4LTkxODItOTA2OTE2YzE0M2Fj" (1)
  resourceVersion: "1"
  creationTimestamp: "2015-01-01T01:01:01-00:00"
clientName: "openshift-web-console" (2)
expiresIn: 300 (3)
scopes: []
redirectURI: "https://localhost:8443/console/oauth" (4)
userName: "bob" (5)
userUID: "9311ac33-0fde-11e5-97a1-3c970e4b7ffe" (6)
1 | name represents the token name, used as an authorization code to exchange for an OAuthAccessToken. |
2 | The clientName value is the OAuthClient that requested this token. |
3 | The expiresIn value is the expiration in seconds from the creationTimestamp. |
4 | The redirectURI value is the location where the user was redirected to during the authorization flow that resulted in this token. |
5 | userName represents the name of the User this token allows obtaining an OAuthAccessToken for. |
6 | userUID represents the UID of the User this token allows obtaining an OAuthAccessToken for. |
OAuthAccessToken
An **OAuthAccessToken** represents an **OAuth** access token, as described in RFC 6749, section 1.4.
An **OAuthAccessToken** is created by a request to the /oauth/token endpoint, as described in RFC 6749, section 4.1.3.
Access tokens are used as bearer tokens to authenticate to the API.
**OAuthAccessToken** Object Definition
kind: "OAuthAccessToken"
apiVersion: "oauth.openshift.io/v1"
metadata:
  name: "ODliOGE5ZmMtYzczYi00Nzk1LTg4MGEtNzQyZmUxZmUwY2Vh" (1)
  resourceVersion: "1"
  creationTimestamp: "2015-01-01T01:01:02-00:00"
clientName: "openshift-web-console" (2)
expiresIn: 86400 (3)
scopes: []
redirectURI: "https://localhost:8443/console/oauth" (4)
userName: "bob" (5)
userUID: "9311ac33-0fde-11e5-97a1-3c970e4b7ffe" (6)
authorizeToken: "MDAwYjM5YjMtMzM1MC00NDY4LTkxODItOTA2OTE2YzE0M2Fj" (7)
1 | name is the token name, which is used as a bearer token to authenticate to the API. |
2 | The clientName value is the OAuthClient that requested this token. |
3 | The expiresIn value is the expiration in seconds from the creationTimestamp. |
4 | The redirectURI is where the user was redirected to during the authorization flow that resulted in this token. |
5 | userName represents the User this token allows authentication as. |
6 | userUID represents the User this token allows authentication as. |
7 | authorizeToken is the name of the OAuthAuthorizeToken used to obtain this token, if any. |
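Added example (not from the documentation) covering two passages: the accessTokenMaxAgeSeconds resolution rule from the **OAuthClient** section and the expiresIn/authorizeToken callouts of the **OAuthAuthorizeToken** and **OAuthAccessToken** definitions. It resolves a client's effective token lifetime, turns creationTimestamp plus expiresIn into an absolute expiry, and audits that an access token names an authorization code issued to the same client, user and redirect target. The token dictionaries reuse the page's sample values and are not live tokens.

```python
from datetime import datetime, timedelta

# The two token objects from the definitions above, reduced to the fields
# used here (the page's sample values, not live tokens).
AUTHORIZE_TOKEN = {
    "kind": "OAuthAuthorizeToken",
    "metadata": {"name": "MDAwYjM5YjMtMzM1MC00NDY4LTkxODItOTA2OTE2YzE0M2Fj",
                 "creationTimestamp": "2015-01-01T01:01:01-00:00"},
    "clientName": "openshift-web-console", "expiresIn": 300,
    "userName": "bob", "userUID": "9311ac33-0fde-11e5-97a1-3c970e4b7ffe",
    "redirectURI": "https://localhost:8443/console/oauth",
}
ACCESS_TOKEN = {
    "kind": "OAuthAccessToken",
    "metadata": {"name": "ODliOGE5ZmMtYzczYi00Nzk1LTg4MGEtNzQyZmUxZmUwY2Vh",
                 "creationTimestamp": "2015-01-01T01:01:02-00:00"},
    "clientName": "openshift-web-console", "expiresIn": 86400,
    "userName": "bob", "userUID": "9311ac33-0fde-11e5-97a1-3c970e4b7ffe",
    "redirectURI": "https://localhost:8443/console/oauth",
    "authorizeToken": "MDAwYjM5YjMtMzM1MC00NDY4LTkxODItOTA2OTE2YzE0M2Fj",
}

def effective_max_age(client_value, master_default):
    """Resolve accessTokenMaxAgeSeconds for one client: null (None) falls back
    to the master default, 0 means the token never expires (returned as None),
    and any positive value is used as given."""
    value = master_default if client_value is None else client_value
    return None if value == 0 else value

def _parse_ts(iso):
    # Accept both the "-00:00" form used above and a trailing "Z".
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def expires_at(token):
    """Absolute expiry: creationTimestamp + expiresIn, as an aware datetime."""
    created = _parse_ts(token["metadata"]["creationTimestamp"])
    return created + timedelta(seconds=token["expiresIn"])

def is_live(token, now_iso):
    """True if the token has not yet expired at the given ISO 8601 instant."""
    return _parse_ts(now_iso) < expires_at(token)

def chain_consistent(access, authorize):
    """Audit that an access token was minted from the authorization code it
    names, for the same client, user and redirect target."""
    return (access["authorizeToken"] == authorize["metadata"]["name"]
            and all(access[f] == authorize[f]
                    for f in ("clientName", "userName", "userUID", "redirectURI")))
```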
User Objects
Identity
When a user logs into OKD, they do so using a configured identity provider. This determines the user’s identity, and provides that information to OKD.
OKD then looks for a **UserIdentityMapping** for that **Identity**:
If the identity provider is configured with the |
If the **Identity** already exists, but is not mapped to a **User**, login fails.
If the **Identity** already exists, and is mapped to a **User**, the user is given an **OAuthAccessToken** for the mapped **User**.
If the **Identity** does not exist, an **Identity**, **User**, and **UserIdentityMapping** are created, and the user is given an **OAuthAccessToken** for the mapped **User**.
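Added example (not the OKD implementation): an in-memory model of the login decision above and of the **UserIdentityMapping** rules described later on this page, in which creating or deleting a mapping updates the linked **Identity** and **User** objects. The identity name is built in the providerName:providerUserName form of the definition below; reusing an existing **User** of the same name for a new identity is this example's choice, since the rules above do not cover that case.

```python
class UserStore:
    """Minimal in-memory stand-in for the Identity, User and UserIdentityMapping
    objects; constructed for this example and not the OKD implementation."""

    def __init__(self):
        self.identities = {}  # "providerName:providerUserName" -> Identity
        self.users = {}       # user name -> User
        self.mappings = {}    # UserIdentityMapping: identity name -> user name

    def login(self, provider_name, provider_user_name):
        """Return (outcome, user_name) following the rules above:
        'failed' for an existing but unmapped Identity, 'token-issued' for a
        mapped one, 'created' when Identity, User and mapping are all new."""
        ident_name = "%s:%s" % (provider_name, provider_user_name)
        if ident_name in self.identities:
            user_name = self.mappings.get(ident_name)
            if user_name is None:
                return "failed", None
            return "token-issued", user_name
        identity = {"kind": "Identity", "metadata": {"name": ident_name},
                    "providerName": provider_name,
                    "providerUserName": provider_user_name, "user": None}
        # A User may carry several identities, so an existing User of that
        # name is reused here (this example's choice; the rules do not say).
        user = self.users.setdefault(provider_user_name, {
            "kind": "User", "metadata": {"name": provider_user_name},
            "identities": []})
        self.identities[ident_name] = identity
        self.create_mapping(ident_name, user["metadata"]["name"])
        return "created", user["metadata"]["name"]

    def create_mapping(self, ident_name, user_name):
        """Creating a UserIdentityMapping updates both Identity and User."""
        self.mappings[ident_name] = user_name
        self.identities[ident_name]["user"] = {"name": user_name}
        ids = self.users[user_name]["identities"]
        if ident_name not in ids:
            ids.append(ident_name)

    def delete_mapping(self, ident_name):
        """Deleting the mapping clears the corresponding fields on both sides,
        so the next login with that Identity fails."""
        user_name = self.mappings.pop(ident_name)
        self.identities[ident_name]["user"] = None
        self.users[user_name]["identities"].remove(ident_name)
```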
**Identity** Object Definition
kind: "Identity"
apiVersion: "user.openshift.io/v1"
metadata:
  name: "anypassword:bob" (1)
  uid: "9316ebad-0fde-11e5-97a1-3c970e4b7ffe"
  resourceVersion: "1"
  creationTimestamp: "2015-01-01T01:01:01-00:00"
providerName: "anypassword" (2)
providerUserName: "bob" (3)
user:
  name: "bob" (4)
  uid: "9311ac33-0fde-11e5-97a1-3c970e4b7ffe" (5)
1 | The identity name must be in the form providerName:providerUserName. |
2 | providerName is the name of the identity provider. |
3 | providerUserName is the name that uniquely represents this identity in the scope of the identity provider. |
4 | The name in the user parameter is the name of the user this identity maps to. |
5 | The uid represents the UID of the user this identity maps to. |
User
A **User** represents an actor in the system. Users are granted permissions by adding roles to users or to their groups.
User objects are created automatically on first login, or can be created via the API.
OKD user names containing |
**User** Object Definition
kind: "User"
apiVersion: "user.openshift.io/v1"
metadata:
  name: "bob" (1)
  uid: "9311ac33-0fde-11e5-97a1-3c970e4b7ffe"
  resourceVersion: "1"
  creationTimestamp: "2015-01-01T01:01:01-00:00"
identities:
  - "anypassword:bob" (2)
fullName: "Bob User" (3)
1 | name is the user name used when adding roles to a user. |
2 | The values in identities are Identity objects that map to this user. May be null or empty for users that cannot log in. |
3 | The fullName value is an optional display name of the user. |
UserIdentityMapping
A **UserIdentityMapping** maps an **Identity** to a **User**.
Creating, updating, or deleting a **UserIdentityMapping** modifies the corresponding fields in the **Identity** and **User** objects.
An **Identity** can only map to a single **User**, so logging in as a particular identity unambiguously determines the **User**.
A **User** can have multiple identities mapped to it. This allows multiple login methods to identify the same **User**.
**UserIdentityMapping** Object Definition
kind: "UserIdentityMapping"
apiVersion: "user.openshift.io/v1"
metadata:
  name: "anypassword:bob" (1)
  uid: "9316ebad-0fde-11e5-97a1-3c970e4b7ffe"
  resourceVersion: "1"
identity:
  name: "anypassword:bob"
  uid: "9316ebad-0fde-11e5-97a1-3c970e4b7ffe"
user:
  name: "bob"
  uid: "9311ac33-0fde-11e5-97a1-3c970e4b7ffe"
1 | The UserIdentityMapping name matches the mapped Identity name. |
Group
A **Group** represents a list of users in the system. Groups are granted permissions by adding roles to users or to their groups.
**Group** Object Definition
kind: "Group"
apiVersion: "user.openshift.io/v1"
metadata:
  name: "developers" (1)
  creationTimestamp: "2015-01-01T01:01:01-00:00"
users:
  - "bob" (2)
1 | name is the group name used when adding roles to a group. |
2 | The values in users are the names of User objects that are members of this group. |