<aid="__codelineno-10-9" name="__codelineno-10-9" href="#__codelineno-10-9"></a><spanclass="w"></span><spanclass="nt">path</span><spanclass="p">:</span><spanclass="w"></span><spanclass="s">"root:api-provider"</span><spanclass="w"></span><spanclass="c1"># path of your api-provider workspace</span>
<p>Furthermore, <code>APIBindings</code> provide the <code>APIExport</code> owner access to additional resources defined in an <code>APIExport</code>'s permission claims list. Permission claims must be accepted by the user explicitly, before this access is granted. The resources can be builtin Kubernetes resources or resources from other <code>APIExports</code>.
4001
-
When an <code>APIExport</code> is changed after workspaces have bound to it, new or changed APIs are automatically propagated to all <code>APIBindings</code>. New permission claims on the other hand are NOT automatically accepted.</p>
4006
+
<p>Furthermore, <code>APIBindings</code> provide the <code>APIExport</code> owner access to additional resources defined in an <code>APIExport</code>'s
4007
+
permission claims list. Permission claims must be accepted by the user explicitly, before this access is granted.
4008
+
The resources can be builtin Kubernetes resources or resources bound with other <code>APIBindings</code>.</p>
4009
+
<divclass="admonition information">
4010
+
<pclass="admonition-title">Information</p>
4011
+
<p>When an <code>APIExport</code> is changed after workspaces have bound to it, new or changed APIs are automatically propagated
4012
+
to all <code>APIBindings</code>. New permission claims on the other hand are NOT automatically accepted.</p>
4013
+
</div>
4002
4014
<p>Returning to our example, we can grant the requested permissions in the <code>APIBinding</code>:</p>
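Review bot: The new admonition at 4009-4013 states that new permission claims are NOT automatically accepted, but it does not tell the consumer how to accept them, or that the provider has no access to the newly claimed resource until they do. Add a sentence pointing at the accept step in the APIBinding that the following paragraph introduces. The class `admonition information` is also worth checking: if the theme only styles the standard admonition types (such as `info`), this box will fall back to default styling. "builtin" in 4008 reads better as "built-in".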
<p>It should be noted that <code>APIBindings</code> do not create <code>CRDs</code> or <code>APIResourceSchemas</code>in the workspace. Instead APIs are directly bound using Kubernetes' internal binding mechanism behind the scenes.</p>
4038
+
<p>It should be noted that <code>APIBindings</code> do not create <code>CRDs</code> or <code>APIResourceSchemas</code> in the workspace.
4039
+
Instead APIs are directly bound using Kubernetes' internal binding mechanism behind the scenes.</p>
4027
4040
<h5id="verbs">Verbs</h5>
4028
4041
<p>Operations allowed on the resources for which permission claims are accepted is defined as the intersection of
4029
4042
the verbs in the APIBinding and the verbs in the appropriate APIExport.</p>
4030
4043
<h5id="selector">Selector</h5>
4031
-
<p><code>APIBindings</code> allow API consumers to scope an API provider's access to claimed resources via the <code>selector</code> field on a permission claim. This means that providers will only be able to see and access those objects matched by the <code>selector</code>.</p>
4044
+
<p><code>APIBindings</code> allow API consumers to scope an API provider's access to claimed resources via the <code>selector</code> field on
4045
+
a permission claim. This means that providers will only be able to see and access those objects matched by
4046
+
the <code>selector</code>.</p>
4047
+
<p>There are two types of selectors at the moment:</p>
4048
+
<ul>
4049
+
<li><code>matchAll</code>: gives the service provider access to all objects of a claimed resource</li>
4050
+
<li>label selector: gives the service provider access only to objects which are satisfying the given label selector</li>
4051
+
</ul>
4052
+
<p>The <code>matchAll</code> selector is shown in the example above.</p>
4053
+
<p>A label selector can be defined using <code>matchLabels</code> or <code>matchExpressions</code>:</p>
4054
+
<ul>
4055
+
<li><code>matchLabels</code> specifies a set of labels (key-value pairs). For the selector to match, <strong>all</strong> of the listed labels
4056
+
must be present on the object.</li>
4057
+
<li><code>matchExpressions</code> specifies a set of expressions that are evaluated against object’s labels. If multiple expressions
4058
+
are specified, <strong>all must evaluate to <code>true</code></strong> for the selector to match.</li>
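Review bot: The matchLabels / matchExpressions list at 4055-4058 does not say how the two combine when a single permission claim sets both, and that decides how many objects the provider can see. State it explicitly (Kubernetes label selectors AND the two together, if that is the behaviour here). Wording: in 4050, "objects which are satisfying the given label selector" reads better as "objects that match the given label selector", and 4057 needs an article, "the object's labels".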
<p>Currently, only <code>selector.matchAll=true</code> is supported, giving the provider that owns the <code>APIExport</code> full access to all objects of a claimed resource. Additional selectors are planned for upcoming releases.</p>
4082
+
<p>Special attention is needed by the service provider when creating or updating an object via the APIExport Virtual
4083
+
Workspace. If <code>matchLabels</code> is used, the specified labels will be automatically applied to the object that's being
4084
+
applied even if not specified by the service provider. However, that's not the case for <code>matchExpressions</code>,
4085
+
in which case the service provider needs to explicitly specify labels upon applying the object.</p>
4035
4086
</div>
4036
4087
<hr/>
4037
4088
<p>In practice, bound APIs behave similarly to other resources in kcp or Kubernetes. This means you can query for imported APIs using <code>kubectl api-resources</code>. Additionally you can use <code>kubectl explain</code> to get a detailed view on all fields of the API.</p>
<p>Furthermore, you can use the <code>.status.boundResources</code> field to precisely identify which <code>APIResourceSchemas</code> have been imported.</p>
<p>Operations allowed on the resources for which permission claim is accepted is defined as the intersection of the verbs in the <code>APIBinding</code> and the verbs in the <code>APIExport</code>. Verbs in this case are matching the verbs used by the <ahref="https://kubernetes.io/docs/reference/using-api/api-concepts/#api-verbs">Kubernetes API</a>. There is the possibility to further limit the access claim to single resources.</p>
3779
+
<p>PermissionClaims allows for additional selectors, for more details, check out the <ahref="../apis/exporting-apis/#apibinding">APIBindings documentation</a>.</p>
3779
3780
<h2id="dig-deeper-into-apiexports">Dig Deeper into APIExports</h2>
3780
3781
<p>Switching back to the service provider persona:</p>
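Review bot: The sentence added at 3779 has a subject-verb mismatch and a comma splice ("PermissionClaims allows for additional selectors, for more details, check out ..."). Suggested wording: "Permission claims can also be scoped with selectors. For details, see the APIBindings documentation." If the Selector heading (id `selector`) lives on the linked page, link to it directly rather than to `#apibinding`, so readers land on the scoping rules.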