API Reference

Packages

iam.miloapis.com/v1alpha1

Package v1alpha1 contains API Schema definitions for the iam v1alpha1 API group

Resource Types

Group

Group is the Schema for the groups API

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | iam.miloapis.com/v1alpha1 | | |
| kind (string) | Group | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| status (GroupStatus) | | | |

GroupMembership

GroupMembership is the Schema for the groupmemberships API

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | iam.miloapis.com/v1alpha1 | | |
| kind (string) | GroupMembership | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (GroupMembershipSpec) | | | |
| status (GroupMembershipStatus) | | | |

GroupMembershipSpec

GroupMembershipSpec defines the desired state of GroupMembership

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| userRef (UserReference) | UserRef is a reference to the User that is a member of the Group. User is a cluster-scoped resource. | | Required: {} |
| groupRef (GroupReference) | GroupRef is a reference to the Group. Group is a namespaced resource. | | Required: {} |

GroupMembershipStatus

GroupMembershipStatus defines the observed state of GroupMembership

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| conditions (Condition array) | Conditions represent the latest available observations of an object’s current state. | | |

GroupReference

GroupReference contains information that points to the Group being referenced. Group is a namespaced resource.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | Name is the name of the Group being referenced. | | Required: {} |
| namespace (string) | Namespace of the referenced Group. | | Required: {} |

GroupStatus

GroupStatus defines the observed state of Group

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| conditions (Condition array) | Conditions represent the latest available observations of an object’s current state. | | |

MachineAccount

MachineAccount is the Schema for the machine accounts API

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | iam.miloapis.com/v1alpha1 | | |
| kind (string) | MachineAccount | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (MachineAccountSpec) | | | |
| status (MachineAccountStatus) | | | |

MachineAccountKey

MachineAccountKey is the Schema for the machineaccountkeys API

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | iam.miloapis.com/v1alpha1 | | |
| kind (string) | MachineAccountKey | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (MachineAccountKeySpec) | | | |
| status (MachineAccountKeyStatus) | | | |

MachineAccountKeySpec

MachineAccountKeySpec defines the desired state of MachineAccountKey

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| machineAccountName (string) | MachineAccountName is the name of the MachineAccount that owns this key. | | Required: {} |
| expirationDate (Time) | ExpirationDate is the date and time when the MachineAccountKey will expire. If not specified, the MachineAccountKey will never expire. | | Optional: {} |
| publicKey (string) | PublicKey is the public key of the MachineAccountKey. If not specified, the MachineAccountKey will be created with an auto-generated public key. | | Optional: {} |

MachineAccountKeyStatus

MachineAccountKeyStatus defines the observed state of MachineAccountKey

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| authProviderKeyId (string) | AuthProviderKeyID is the unique identifier for the key in the auth provider. This field is populated by the controller after the key is created in the auth provider. For example, when using Zitadel, a typical value might be: “326102453042806786” | | |
| conditions (Condition array) | Conditions provide conditions that represent the current status of the MachineAccountKey. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |

MachineAccountSpec

MachineAccountSpec defines the desired state of MachineAccount

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| state (string) | The state of the machine account. This state can be safely changed as needed. States: Active (the machine account can be used to authenticate), Inactive (the machine account cannot be used to authenticate, and all existing sessions are revoked). | Active | Enum: [Active Inactive]; Optional: {} |

MachineAccountStatus

MachineAccountStatus defines the observed state of MachineAccount

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| email (string) | The computed email of the machine account following the pattern: {metadata.name}@{metadata.namespace}.{project.metadata.name}.{global-suffix} | | |
| state (string) | State represents the current activation state of the machine account from the auth provider. This field tracks the state from the previous generation and is updated when state changes are successfully propagated to the auth provider. It helps optimize performance by only updating the auth provider when a state change is detected. | | Enum: [Active Inactive] |
| conditions (Condition array) | Conditions provide conditions that represent the current status of the MachineAccount. | | |

ParentResourceRef

ParentResourceRef defines the reference to a parent resource

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiGroup (string) | APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required. | | Optional: {} |
| kind (string) | Kind is the type of resource being referenced. | | Required: {} |

PolicyBinding

PolicyBinding is the Schema for the policybindings API

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | iam.miloapis.com/v1alpha1 | | |
| kind (string) | PolicyBinding | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (PolicyBindingSpec) | | | |
| status (PolicyBindingStatus) | | | |

PolicyBindingSpec

PolicyBindingSpec defines the desired state of PolicyBinding

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| roleRef (RoleReference) | RoleRef is a reference to the Role that is being bound. This can be a reference to a Role custom resource. | | Required: {} |
| subjects (Subject array) | Subjects holds references to the objects the role applies to. | | MinItems: 1; Required: {} |
| resourceSelector (ResourceSelector) | ResourceSelector defines which resources the subjects in the policy binding should have the role applied to. Options within this struct are mutually exclusive. | | Required: {} |

PolicyBindingStatus

PolicyBindingStatus defines the observed state of PolicyBinding

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| observedGeneration (integer) | ObservedGeneration is the most recent generation observed for this PolicyBinding by the controller. | | Optional: {} |
| conditions (Condition array) | Conditions provide conditions that represent the current status of the PolicyBinding. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |

ProtectedResourceSpec

ProtectedResourceSpec defines the desired state of ProtectedResource

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| serviceRef (ServiceReference) | ServiceRef references the service definition this protected resource belongs to. | | Required: {} |
| kind (string) | The kind of the resource. This will be in the format Workload. | | Required: {} |
| singular (string) | The singular form for the resource type, e.g. ‘workload’. Must follow camelCase format. | | Required: {} |
| plural (string) | The plural form for the resource type, e.g. ‘workloads’. Must follow camelCase format. | | Required: {} |
| parentResources (ParentResourceRef array) | A list of resources that are registered with the platform that may be a parent to the resource. Permissions may be bound to a parent resource so they can be inherited down the resource hierarchy. | | Optional: {} |
| permissions (string array) | A list of permissions that are associated with the resource. | | Required: {} |

ProtectedResourceStatus

ProtectedResourceStatus defines the observed state of ProtectedResource

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| conditions (Condition array) | Conditions provide conditions that represent the current status of the ProtectedResource. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |
| observedGeneration (integer) | ObservedGeneration is the most recent generation observed for this ProtectedResource. It corresponds to the ProtectedResource’s generation, which is updated on mutation by the API Server. | | Optional: {} |

ResourceKind

ResourceKind contains enough information to identify a resource type.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiGroup (string) | APIGroup is the group for the resource type being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. | | Optional: {} |
| kind (string) | Kind is the type of resource being referenced. | | Required: {} |

ResourceReference

ResourceReference contains enough information to let you identify a specific API resource instance.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiGroup (string) | APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required. | | Optional: {} |
| kind (string) | Kind is the type of resource being referenced. | | Required: {} |
| name (string) | Name is the name of resource being referenced. | | Required: {} |
| uid (string) | UID is the unique identifier of the resource being referenced. | | Required: {} |
| namespace (string) | Namespace is the namespace of resource being referenced. Required for namespace-scoped resources. Omitted for cluster-scoped resources. | | Optional: {} |

ResourceSelector

ResourceSelector defines which resources the policy binding applies to. Either resourceRef or resourceKind must be specified, but not both.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| resourceRef (ResourceReference) | ResourceRef provides a reference to a specific resource instance. Mutually exclusive with resourceKind. | | Optional: {} |
| resourceKind (ResourceKind) | ResourceKind specifies that the policy binding should apply to all resources of a specific kind. Mutually exclusive with resourceRef. | | Optional: {} |

RoleReference

RoleReference contains information that points to the Role being used

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | Name is the name of resource being referenced. | | Required: {} |
| namespace (string) | Namespace of the referenced Role. If empty, it is assumed to be in the PolicyBinding’s namespace. | | Optional: {} |

RoleSpec

RoleSpec defines the desired state of Role

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| includedPermissions (string array) | The names of the permissions this role grants when bound in an IAM policy. All permissions must be in the format: {service}.{resource}.{action} (e.g. compute.workloads.create). | | Optional: {} |
| launchStage (string) | Defines the launch stage of the IAM Role. Must be one of: Early Access, Alpha, Beta, Stable, Deprecated. | | Required: {} |
| inheritedRoles (ScopedRoleReference array) | The list of roles from which this role inherits permissions. Each entry must be a valid role resource name. | | Optional: {} |

RoleStatus

RoleStatus defines the observed state of Role

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| parent (string) | The resource name of the parent the role was created under. | | Optional: {} |
| conditions (Condition array) | Conditions provide conditions that represent the current status of the Role. | | Optional: {} |
| observedGeneration (integer) | ObservedGeneration is the most recent generation observed by the controller. | | |

ScopedRoleReference

ScopedRoleReference defines a reference to another Role, scoped by namespace. This is used for purposes like role inheritance where a simple name and namespace is sufficient to identify the target role.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | Name of the referenced Role. | | Required: {} |
| namespace (string) | Namespace of the referenced Role. If not specified, it defaults to the namespace of the resource containing this reference. | | Optional: {} |

ServiceReference

ServiceReference holds a reference to a service definition.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | Name is the resource name of the service definition. | | Required: {} |

Subject

Subject contains a reference to the object or user identities a role binding applies to. This can be a User or Group.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| kind (string) | Kind of object being referenced. Values defined in Kind constants. | | Enum: [User Group]; Required: {} |
| name (string) | Name of the object being referenced. A special group name of “system:authenticated-users” can be used to refer to all authenticated users. | | Required: {} |
| namespace (string) | Namespace of the referenced object. If it does not exist, then for an SA it refers to the PolicyBinding resource’s namespace. For a User or Group, it is ignored. | | Optional: {} |
| uid (string) | UID of the referenced object. Optional for system groups (groups with names starting with “system:”). | | Optional: {} |
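A review pass over PolicyBinding manifests, covering the ResourceSelector and Subject rules described above. This is an added example, not code from the Milo project: the Go types are local mirrors of the fields documented on this page, the sample bindings and the `compute.example.invalid` API group are constructed, and treating a missing `uid` on a non-system subject as a finding is this example's reading of the `uid` description.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Local mirrors of the documented fields (hypothetical types for this example).
type Subject struct {
	Kind string `json:"kind"`
	Name string `json:"name"`
	UID  string `json:"uid"`
}

type ResourceRef struct {
	APIGroup string `json:"apiGroup"`
	Kind     string `json:"kind"`
	Name     string `json:"name"`
	UID      string `json:"uid"`
}

type ResourceKind struct {
	APIGroup string `json:"apiGroup"`
	Kind     string `json:"kind"`
}

type RoleRef struct {
	Name string `json:"name"`
}

type PolicyBinding struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		RoleRef          RoleRef   `json:"roleRef"`
		Subjects         []Subject `json:"subjects"`
		ResourceSelector struct {
			ResourceRef  *ResourceRef  `json:"resourceRef"`
			ResourceKind *ResourceKind `json:"resourceKind"`
		} `json:"resourceSelector"`
	} `json:"spec"`
}

const allAuthenticated = "system:authenticated-users"

// Review returns one finding per rule a binding breaks or per grant worth a second look.
func Review(pb PolicyBinding) []string {
	var out []string
	sel := pb.Spec.ResourceSelector
	switch {
	case sel.ResourceRef != nil && sel.ResourceKind != nil:
		out = append(out, "selector: resourceRef and resourceKind are mutually exclusive")
	case sel.ResourceRef == nil && sel.ResourceKind == nil:
		out = append(out, "selector: one of resourceRef or resourceKind must be set")
	}
	if len(pb.Spec.Subjects) == 0 {
		out = append(out, "subjects: MinItems is 1")
	}
	for _, s := range pb.Spec.Subjects {
		if s.Kind != "User" && s.Kind != "Group" {
			out = append(out, fmt.Sprintf("subject %q: kind %q is not in Enum [User Group]", s.Name, s.Kind))
		}
		systemGroup := s.Kind == "Group" && strings.HasPrefix(s.Name, "system:")
		if s.UID == "" && !systemGroup {
			out = append(out, fmt.Sprintf("subject %q: uid missing and not a system group", s.Name))
		}
		// Widest possible grant: every authenticated user, on every resource of a kind.
		if s.Kind == "Group" && s.Name == allAuthenticated && sel.ResourceKind != nil {
			out = append(out, fmt.Sprintf("broad grant: role %q for %s on all %s resources",
				pb.Spec.RoleRef.Name, allAuthenticated, sel.ResourceKind.Kind))
		}
	}
	return out
}

// AuditJSON reviews a JSON array of PolicyBinding objects, keyed by metadata.name.
func AuditJSON(data []byte) (map[string][]string, error) {
	var bindings []PolicyBinding
	if err := json.Unmarshal(data, &bindings); err != nil {
		return nil, err
	}
	out := make(map[string][]string, len(bindings))
	for _, pb := range bindings {
		out[pb.Metadata.Name] = Review(pb)
	}
	return out, nil
}

// sampleBindings is constructed input for this example.
const sampleBindings = `[
 {"metadata":{"name":"viewer-one-project"},"spec":{"roleRef":{"name":"viewer"},
  "subjects":[{"kind":"User","name":"alice","uid":"constructed-uid-1"}],
  "resourceSelector":{"resourceRef":{"apiGroup":"resourcemanager.miloapis.com","kind":"Project","name":"demo","uid":"constructed-uid-2"}}}},
 {"metadata":{"name":"everyone-all-workloads"},"spec":{"roleRef":{"name":"editor"},
  "subjects":[{"kind":"Group","name":"system:authenticated-users"}],
  "resourceSelector":{"resourceKind":{"apiGroup":"compute.example.invalid","kind":"Workload"}}}},
 {"metadata":{"name":"ambiguous"},"spec":{"roleRef":{"name":"viewer"},
  "subjects":[{"kind":"User","name":"bob"}],
  "resourceSelector":{"resourceRef":{"kind":"Project","name":"demo","uid":"constructed-uid-2"},"resourceKind":{"kind":"Project"}}}}
]`

func main() {
	findings, err := AuditJSON([]byte(sampleBindings))
	if err != nil {
		panic(err)
	}
	for name, f := range findings {
		fmt.Printf("%s: %d finding(s) %q\n", name, len(f), f)
	}
}
```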

UserDeactivation

UserDeactivation is the Schema for the userdeactivations API

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | iam.miloapis.com/v1alpha1 | | |
| kind (string) | UserDeactivation | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (UserDeactivationSpec) | | | |
| status (UserDeactivationStatus) | | | |

UserDeactivationSpec

UserDeactivationSpec defines the desired state of UserDeactivation

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| userRef (UserReference) | UserRef is a reference to the User being deactivated. User is a cluster-scoped resource. | | Required: {} |
| reason (string) | Reason is the internal reason for deactivation. | | Required: {} |
| description (string) | Description provides detailed internal description for the deactivation. | | Optional: {} |
| deactivatedBy (string) | DeactivatedBy indicates who initiated the deactivation. | | Required: {} |

UserDeactivationStatus

UserDeactivationStatus defines the observed state of UserDeactivation

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| conditions (Condition array) | Conditions represent the latest available observations of an object’s current state. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |

UserInvitationSpec

UserInvitationSpec defines the desired state of UserInvitation

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| email (string) | The email of the user being invited. | | Required: {} |
| givenName (string) | The first name of the user being invited. | | Optional: {} |
| familyName (string) | The last name of the user being invited. | | Optional: {} |
| roles (RoleReference array) | The roles that will be assigned to the user when they accept the invitation. | | Optional: {} |

UserInvitationStatus

UserInvitationStatus defines the observed state of UserInvitation

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| conditions (Condition array) | Conditions provide conditions that represent the current status of the UserInvitation. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |

UserPreferenceSpec

UserPreferenceSpec defines the desired state of UserPreference

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| userRef (UserReference) | Reference to the user these preferences belong to. | | Required: {} |
| theme (string) | The user’s theme preference. | system | Enum: [light dark system]; Optional: {} |

UserPreferenceStatus

UserPreferenceStatus defines the observed state of UserPreference

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| conditions (Condition array) | Conditions provide conditions that represent the current status of the UserPreference. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |

UserReference

UserReference contains information that points to the User being referenced. User is a cluster-scoped resource, so Namespace is not needed.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | Name is the name of the User being referenced. | | Required: {} |

UserSpec

UserSpec defines the desired state of User

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| email (string) | The email of the user. | | Required: {} |
| givenName (string) | The first name of the user. | | Optional: {} |
| familyName (string) | The last name of the user. | | Optional: {} |

UserState

Underlying type: string

Appears in:

| Field | Description |
| --- | --- |
| Active | |
| Inactive | |

UserStatus

UserStatus defines the observed state of User

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| conditions (Condition array) | Conditions provide conditions that represent the current status of the User. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |
| state (UserState) | State represents the current activation state of the user account from the auth provider. This field is managed exclusively by the UserDeactivation CRD and cannot be changed directly by the user. When a UserDeactivation resource is created for the user, the user is deactivated in the auth provider; when the UserDeactivation is deleted, the user is reactivated. States: Active (the user can be used to authenticate), Inactive (the user cannot be used to authenticate, and all existing sessions are revoked). | Active | Enum: [Active Inactive] |

networking.datumapis.com/v1alpha

Package v1alpha contains API Schema definitions for the networking v1alpha API group.

Resource Types

DNSVerificationRecord

DNSVerificationRecord represents a DNS record required for verification

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | | | |
| type (string) | | | |
| content (string) | | | |

Domain

Domain represents a domain name in the Datum system

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | networking.datumapis.com/v1alpha | | |
| kind (string) | Domain | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (DomainSpec) | | | Required: {} |
| status (DomainStatus) | | { conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Verified] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:VerifiedDNS] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:VerifiedHTTP]] } | |

DomainSpec

DomainSpec defines the desired state of Domain

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| domainName (string) | DomainName is the fully qualified domain name (FQDN) to be managed. | | MaxLength: 253; MinLength: 1; Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$; Required: {} |

DomainStatus

DomainStatus defines the observed state of Domain

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| verification (DomainVerificationStatus) | | | |
| conditions (Condition array) | | | |

DomainVerificationStatus

DomainVerificationStatus represents the verification status of a domain

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| dnsRecord (DNSVerificationRecord) | | | |
| httpToken (HTTPVerificationToken) | | | |
| nextVerificationAttempt (Time) | | | |

HTTPProxy

An HTTPProxy builds on top of Gateway API resources to provide a more convenient method to manage simple reverse proxy use cases.

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | networking.datumapis.com/v1alpha | | |
| kind (string) | HTTPProxy | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (HTTPProxySpec) | Spec defines the desired state of an HTTPProxy. | | Required: {} |
| status (HTTPProxyStatus) | Status defines the current state of an HTTPProxy. | { conditions:[map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Accepted] map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for controller reason:Pending status:Unknown type:Programmed]] } | |

HTTPProxyRule

HTTPProxyRule defines semantics for matching an HTTP request based on conditions (matches), processing it (filters), and forwarding the request to backends.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (SectionName) | Name is the name of the route rule. This name MUST be unique within a Route if it is set. | | |
| matches (HTTPRouteMatch array) | Matches define conditions used for matching the rule against incoming HTTP requests. Each match is independent, i.e. this rule will be matched if any one of the matches is satisfied. See documentation for the matches field in the HTTPRouteRule type at https://gateway-api.sigs.k8s.io/reference/spec/#httprouterule | [map[path:map[type:PathPrefix value:/]]] | MaxItems: 64; MinItems: 1 |
| filters (HTTPRouteFilter array) | Filters define the filters that are applied to requests that match this rule. See documentation for the filters field in the HTTPRouteRule type at https://gateway-api.sigs.k8s.io/reference/spec/#httprouterule | | MaxItems: 16 |
| backends (HTTPProxyRuleBackend array) | Backends defines the backend(s) where matching requests should be sent. Note: While this field is a list, only a single element is permitted at this time due to underlying Gateway limitations. Once addressed, MaxItems will be increased to allow for multiple backends on any given route. | | MaxItems: 1; MinItems: 0 |

HTTPProxyRuleBackend

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| endpoint (string) | Endpoint for the backend. Must be a valid URL. Supports http and https protocols, IPs or DNS addresses in the host, custom ports, and paths. | | Required: {} |
| filters (HTTPRouteFilter array) | Filters defined at this level should be executed if and only if the request is being forwarded to the backend defined here. | | MaxItems: 16 |

HTTPProxySpec

HTTPProxySpec defines the desired state of HTTPProxy.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| hostnames (Hostname array) | Hostnames defines a set of hostnames that should match against the HTTP Host header to select a HTTPProxy used to process the request. Valid values for Hostnames are determined by RFC 1123 definition of a hostname with 1 notable exception: 1. IPs are not allowed. Hostnames must be verified before being programmed. This is accomplished via the use of Domain resources. A hostname is considered verified if any verified Domain resource exists in the same namespace where the spec.domainName of the resource either exactly matches the hostname, or is a suffix match of the hostname. That means that a Domain with a spec.domainName of example.com will match a hostname of test.example.com, foo.test.example.com, and exactly example.com, but not a hostname of test-example.com. If a Domain resource does not exist that matches a hostname, one will automatically be created when the system attempts to program the HTTPProxy. In addition to verifying ownership, hostnames must be unique across the platform. If a hostname is already programmed on another resource, a conflict will be encountered and communicated in the HostnamesVerified condition. Hostnames which have been programmed will be listed in the status.hostnames field. Any hostname which has not been programmed will be listed in the message field of the HostnamesVerified condition with an indication as to why it was not programmed. The system may automatically generate and associate hostnames with the HTTPProxy. In such cases, these will be listed in the status.hostnames field and do not require additional configuration by the user. Wildcard hostnames are not supported at this time. | | MaxItems: 16; Optional: {} |
| rules (HTTPProxyRule array) | Rules are a list of HTTP matchers, filters and actions. | | MaxItems: 16; MinItems: 1; Required: {} |
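The hostname verification rule for spec.hostnames, written out as a label-boundary suffix match next to the naive string-suffix check it must not be confused with. This is an added example, not the platform's own code: the function names are hypothetical, the verified-domain list is constructed, and reusing the DomainSpec.domainName pattern and length limit for hostnames is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// rfc1123 is the Pattern validation this page lists for DomainSpec.domainName;
// applying it to HTTPProxy hostnames is an assumption of this example.
var rfc1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// NaiveCovers is the check to avoid: a raw string suffix test ignores label
// boundaries, so "example.com" would also cover "test-example.com".
func NaiveCovers(domainName, hostname string) bool {
	return strings.HasSuffix(hostname, domainName)
}

// Covers reports whether a Domain with this spec.domainName covers hostname:
// an exact match, or a suffix match that begins on a label boundary.
func Covers(domainName, hostname string) bool {
	if domainName == "" || hostname == "" {
		return false
	}
	return hostname == domainName || strings.HasSuffix(hostname, "."+domainName)
}

// CheckHostname applies the constraints stated for spec.hostnames. The IP test
// runs first because a dotted IPv4 address would otherwise satisfy the pattern.
func CheckHostname(hostname string) error {
	switch {
	case net.ParseIP(hostname) != nil:
		return fmt.Errorf("%q: IPs are not allowed", hostname)
	case strings.Contains(hostname, "*"):
		return fmt.Errorf("%q: wildcard hostnames are not supported", hostname)
	case len(hostname) > 253 || !rfc1123.MatchString(hostname):
		return fmt.Errorf("%q: not an RFC 1123 hostname", hostname)
	}
	return nil
}

// VerifiedBy returns the first verified domain name that covers hostname.
func VerifiedBy(hostname string, verifiedDomains []string) (string, bool) {
	if CheckHostname(hostname) != nil {
		return "", false
	}
	for _, d := range verifiedDomains {
		if Covers(d, hostname) {
			return d, true
		}
	}
	return "", false
}

func main() {
	verified := []string{"example.com"} // constructed sample
	hosts := []string{
		"example.com", "test.example.com", "foo.test.example.com",
		"test-example.com", "192.0.2.10", "*.example.com",
	}
	for _, h := range hosts {
		d, ok := VerifiedBy(h, verified)
		fmt.Printf("%-22s verified=%-5v by=%q naive=%v\n", h, ok, d, NaiveCovers("example.com", h))
	}
}
```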

HTTPProxyStatus

HTTPProxyStatus defines the observed state of HTTPProxy.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| addresses (GatewayStatusAddress array) | Addresses lists the network addresses that have been bound to the HTTPProxy. This field will not contain custom hostnames defined in the HTTPProxy. See the hostnames field. | | MaxItems: 16 |
| hostnames (Hostname array) | Hostnames lists the hostnames that have been bound to the HTTPProxy. If this list does not match that defined in the HTTPProxy, see the HostnamesVerified condition message for details. | | |
| conditions (Condition array) | Conditions describe the current conditions of the HTTPProxy. | | |

HTTPVerificationToken

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| url (string) | | | |
| body (string) | | | |

resourcemanager.miloapis.com/v1alpha1

Resource Types

MemberReference

MemberReference contains information that points to the User being referenced.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | Name is the name of resource being referenced. | | Required: {} |

Organization

Use lowercase for path, which influences plural name. Ensure kind is Organization. Organization is the Schema for the Organizations API

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | resourcemanager.miloapis.com/v1alpha1 | | |
| kind (string) | Organization | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (OrganizationSpec) | | | Required: {} |
| status (OrganizationStatus) | | | |

OrganizationMembership

OrganizationMembership is the Schema for the organizationmemberships API

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | resourcemanager.miloapis.com/v1alpha1 | | |
| kind (string) | OrganizationMembership | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (OrganizationMembershipSpec) | | | |
| status (OrganizationMembershipStatus) | | | |

OrganizationMembershipOrganizationStatus

OrganizationMembershipOrganizationStatus defines the observed state of an organization in a membership.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| type (string) | Type is the type of the organization in the membership. | | Optional: {} |
| displayName (string) | DisplayName is the display name of the organization in the membership. | | Optional: {} |

OrganizationMembershipSpec

OrganizationMembershipSpec defines the desired state of OrganizationMembership

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| organizationRef (OrganizationReference) | OrganizationRef is a reference to the Organization that the user is a member of. | | Required: {} |
| userRef (MemberReference) | UserRef is a reference to the User that is a member of the Organization. | | Required: {} |

OrganizationMembershipStatus

OrganizationMembershipStatus defines the observed state of OrganizationMembership

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| observedGeneration (integer) | ObservedGeneration is the most recent generation observed for this OrganizationMembership by the controller. | | Optional: {} |
| conditions (Condition array) | Conditions provide conditions that represent the current status of the OrganizationMembership. | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | Optional: {} |
| user (OrganizationMembershipUserStatus) | User contains information about the user in the membership. | | Optional: {} |
| organization (OrganizationMembershipOrganizationStatus) | Organization contains information about the organization in the membership. | | Optional: {} |

OrganizationMembershipUserStatus

OrganizationMembershipUserStatus defines the observed state of a user in a membership.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| email (string) | Email is the email of the user in the membership. | | Optional: {} |
| givenName (string) | GivenName is the given name of the user in the membership. | | Optional: {} |
| familyName (string) | FamilyName is the family name of the user in the membership. | | Optional: {} |

OrganizationReference

OrganizationReference contains information that points to the Organization being referenced.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | Name is the name of resource being referenced. | | Required: {} |

OrganizationSpec

OrganizationSpec defines the desired state of Organization

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| type (string) | The type of organization. | | Enum: [Personal Standard]; Required: {} |

OrganizationStatus

OrganizationStatus defines the observed state of Organization

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| observedGeneration (integer) | ObservedGeneration is the most recent generation observed for this Organization by the controller. | | |
| conditions (Condition array) | Conditions represents the observations of an organization’s current state. Known condition types are: “Ready” | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | |

OwnerReference

OwnerReference is a reference to the owner of the project.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| kind (string) | Kind is the kind of the resource. | | Enum: [Organization]; Required: {} |
| name (string) | Name is the name of the resource. | | Required: {} |

Project

Project is the Schema for the projects API.

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | resourcemanager.miloapis.com/v1alpha1 | | |
| kind (string) | Project | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (ProjectSpec) | | | Required: {} |
| status (ProjectStatus) | | | |

ProjectSpec

ProjectSpec defines the desired state of Project.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| ownerRef (OwnerReference) | OwnerRef is a reference to the owner of the project. Must be a valid resource. | | Required: {} |

ProjectStatus

ProjectStatus defines the observed state of Project.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| conditions (Condition array) | Represents the observations of a project’s current state. Known condition types are: “Ready” | [map[lastTransitionTime:1970-01-01T00:00:00Z message:Waiting for control plane to reconcile reason:Unknown status:Unknown type:Ready]] | |

telemetry.miloapis.com/v1alpha1

Package v1alpha1 contains API Schema definitions for the telemetry v1alpha1 API group.

Resource Types

Authentication

Configures how the sink will authenticate with the configured endpoint. These options are mutually exclusive.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| basicAuth (BasicAuthAuthentication) | Configures the sink to use basic auth to authenticate with the configured endpoint. | | |

BasicAuthAuthentication

Underlying type: struct{SecretRef LocalSecretReference "json:\"secretRef\""}

Configures how the sink should use Basic Auth for authenticating with a telemetry endpoint.

Appears in:

Batch

Configures the batching behavior the sink will use to batch requests before publishing them to the endpoint.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| timeout (Duration) | Batch timeout before sending telemetry. Must be a duration (e.g. 5s). | | Required: {} |
| maxSize (integer) | Maximum number of telemetry entries per batch. | | Maximum: 5000; Minimum: 1; Required: {} |

ExportPolicy

ExportPolicy is the Schema for the export policy API.

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| apiVersion (string) | telemetry.miloapis.com/v1alpha1 | | |
| kind (string) | ExportPolicy | | |
| metadata (ObjectMeta) | Refer to Kubernetes API documentation for fields of metadata. | | |
| spec (ExportPolicySpec) | Describes the expected state of the ExportPolicy’s configuration. The control plane will constantly evaluate the current state of exporters that are deployed and ensure it matches the expected configuration. This field is required when configuring an export policy. | | |
| status (ExportPolicyStatus) | Provides information on the current state of the export policy that was observed by the control plane. This will be continuously updated as the control plane monitors exporters. | | |

ExportPolicySpec

ExportPolicySpec defines the desired state of ExportPolicy.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| sources (TelemetrySource array) | Defines how the export policy should source telemetry data to publish to the configured sinks. An export policy can define multiple telemetry sources. The export policy will not de-duplicate telemetry data that matches multiple sources. | | MaxItems: 20; MinItems: 1; Required: {} |
| sinks (TelemetrySink array) | Configures how telemetry data should be sent to third-party telemetry platforms. | | MaxItems: 20; MinItems: 1; Required: {} |

ExportPolicyStatus

ExportPolicyStatus defines the observed state of ExportPolicy.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| conditions (Condition array) | Provides summary status information on the export policy as a whole. Review the sink status information for detailed information on each sink. Known condition types are: “Ready” | | |
| sinks (SinkStatus array) | Provides status information on each sink that’s configured. | | |

MetricSource

A metric source configures the metric data that should be exported to the configured sinks. The options below are expected to be mutually exclusive.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| metricsql (string) | The MetricSQL option allows the user to provide a metricsql query that can be used to select and filter metric data that should be published by the export policy. Here’s an example of a metricsql query that will publish gateway metrics: {service_name="networking.miloapis.com", resource_kind="Gateway"} See: https://docs.victoriametrics.com/metricsql/ | | |

PrometheusRemoteWriteSink

Configures how the sink should send data to an OTLP HTTP endpoint.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| authentication (Authentication) | Configures how the sink should authenticate with the HTTP endpoint. | | |
| endpoint (string) | Configure an HTTP endpoint to use for publishing telemetry data. | | Required: {} |
| batch (Batch) | Configures how telemetry data should be batched before sending to the sink. By default, the sink will batch telemetry data every 5 seconds or when the batch size reaches 500 entries, whichever comes first. | { maxSize:500 timeout:5s } | |
| retry (Retry) | Configures the export policy’s retry behavior when it fails to send requests to the sink’s endpoint. There is no guarantee that the export policy will retry until success if the endpoint is not available or configured incorrectly. | { backoffDuration:5s maxAttempts:3 } | |

Retry

Configures the retry behavior of the sink when it fails to send telemetry data to the configured endpoint.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| maxAttempts (integer) | Maximum number of attempts before telemetry data should be dropped. | | Maximum: 10; Minimum: 1; Required: {} |
| backoffDuration (Duration) | Backoff duration that should be used to back off when retrying requests. | | Required: {} |

SinkStatus

SinkStatus provides status information on the current status of a sink. This can be used to determine whether a sink is configured correctly and is exporting telemetry data.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | The name of the corresponding sink configuration in the spec of the export policy. | | |
| conditions (Condition array) | Provides status information on the current status of the sink. This can be used to determine whether a sink is configured correctly and is exporting telemetry data. Known condition types are: “Ready” | | |

SinkTarget

Configures the target of the telemetry sink. The target defines the protocol that’s used to send telemetry data to the sink. Only one target protocol can be configured per sink.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| prometheusRemoteWrite (PrometheusRemoteWriteSink) | Configures the export policy to publish telemetry using the Prometheus Remote Write protocol. | | |

TelemetrySink

Configures how telemetry data should be sent to a third-party platform. As of now there are no guarantees around delivery of telemetry data, especially if the sink’s endpoint is unavailable.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | A name provided to the telemetry sink that’s unique within the export policy. | | MaxLength: 63; MinLength: 1; Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$; Required: {} |
| sources (string array) | A list of sources that should be sent to the telemetry sink. | | MaxItems: 20; MinItems: 1; Required: {} |
| target (SinkTarget) | Configures the target of the telemetry sink. | | Required: {} |

TelemetrySource

Defines how the export policy should source telemetry data from resources on the platform.

Appears in:

| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| name (string) | A unique name given to the telemetry source within an export policy. Must be a valid DNS label. | | MaxLength: 63; MinLength: 1; Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$; Required: {} |
| metrics (MetricSource) | Configures how the telemetry source should retrieve metric data from the Datum Cloud platform. | | |