Managed Resources
Primary Managed Output
kleym-operator manages `ClusterSPIFFEID` resources in the `spire.spiffe.io` API group.
Rendered Field Mapping
| Field | Rendered value |
|---|---|
| `spec.spiffeIDTemplate` | Fully rendered SPIFFE ID. |
| `spec.podSelector` | Validated selector derived from the referenced pool. |
| `spec.workloadSelectorTemplates` | Rendered namespace and service-account safety selectors, pool-derived selectors, and the optional per-objective container-name selector. |
| `spec.className` | Rendered only when kleym-operator is configured with `--clusterspiffeid-class-name`. When omitted, SPIRE Controller Manager must watch classless resources. |
| `spec.fallback` | `false` for all managed identities. |
| `spec.hint` | Originating binding reference in the form `<namespace>/<binding-name>`. |
| JWT-SVID-related fields | Not rendered today. Requires a user story and a SPIRE Controller Manager/SPIRE version gate. |
Managed `ClusterSPIFFEID` objects are labeled with:

- `kleym.sonda.red/managed-by=kleym`
- `kleym.sonda.red/binding-name=<binding-name>`
- `kleym.sonda.red/binding-namespace=<binding-namespace>`

The controller also uses the finalizer `kleym.sonda.red/inferenceidentitybinding-finalizer` to clean up managed `ClusterSPIFFEID` objects on deletion.
Naming
Managed `ClusterSPIFFEID` names are deterministic and derived from:

- the kleym-operator controller name
- binding namespace
- binding name
- rendered mode (`pool` or `objective`)
- a short hash of the SPIFFE ID
That keeps names DNS-safe while allowing the SPIFFE ID to remain the real identity contract.
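The following is an added illustration of that naming scheme, not kleym-operator's own code. It assumes the five components above are joined with `-` in the listed order and that the short hash is a truncated SHA-256 of the SPIFFE ID; the real hash function, truncation length and component order are assumptions. What it does show is the property the page relies on: every component is forced into DNS-1123 form, the hash is never truncated (so two bindings rendering different SPIFFE IDs cannot collide on a shared prefix), and the human-readable prefix is what gets trimmed when the 253-character subdomain limit for cluster-scoped names would be exceeded.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

const (
	maxDNSSubdomain = 253 // RFC 1123 subdomain limit for cluster-scoped object names
	hashLen         = 10  // assumed length of the short SPIFFE ID hash
)

// Kubernetes' DNS-1123 subdomain rule: lowercase alphanumerics, '-' and '.',
// each dot-separated label starting and ending with an alphanumeric.
var dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// dnsSafe lowercases a component, replaces anything outside [a-z0-9-] with "-",
// and trims leading/trailing "-" so the result can sit inside a DNS label.
func dnsSafe(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if (r >= 'a' && r <= 'z') || (r >= '0' && r <= '9') || r == '-' {
			b.WriteRune(r)
		} else {
			b.WriteRune('-')
		}
	}
	return strings.Trim(b.String(), "-")
}

// shortHash is the assumed "short hash of the SPIFFE ID": hex SHA-256, truncated.
func shortHash(spiffeID string) string {
	sum := sha256.Sum256([]byte(spiffeID))
	return hex.EncodeToString(sum[:])[:hashLen]
}

// ManagedName renders a deterministic ClusterSPIFFEID name from the page's five
// inputs. mode must be "pool" or "objective".
func ManagedName(controller, bindingNamespace, bindingName, mode, spiffeID string) (string, error) {
	if mode != "pool" && mode != "objective" {
		return "", fmt.Errorf("unsupported mode %q", mode)
	}
	h := shortHash(spiffeID)
	prefix := strings.Join([]string{
		dnsSafe(controller), dnsSafe(bindingNamespace), dnsSafe(bindingName), mode,
	}, "-")
	// Keep the hash intact; only the readable prefix is trimmed to fit the limit.
	room := maxDNSSubdomain - len(h) - 1
	if len(prefix) > room {
		prefix = strings.TrimRight(prefix[:room], "-")
	}
	name := prefix + "-" + h
	if !dns1123Subdomain.MatchString(name) {
		return "", fmt.Errorf("rendered name %q is not a valid DNS-1123 subdomain", name)
	}
	return name, nil
}

func main() {
	// Constructed sample input; the SPIFFE ID shape is illustrative only.
	name, err := ManagedName("kleym-operator", "inference", "llama-binding", "pool",
		"spiffe://example.org/ns/inference/pool/llama")
	fmt.Println(name, err)
}
```

Two bindings that differ only in letter case or in punctuation outside `[a-z0-9-]` collapse to the same prefix after `dnsSafe`, which is exactly why the SPIFFE ID hash, not the prefix, has to carry the uniqueness.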
Other Resources Touched
| Resource | Role |
|---|---|
| `InferenceIdentityBinding` | Source resource for managed output. |
| `InferencePool` | Required selector source resolved from `spec.poolRef.name`. |
| `InferenceObjective` | Optional objective subject resolved from `spec.objectiveRef.name` and validated against `spec.poolRef`. |
| `ClusterSPIFFEID` | Managed output resource written by the reconciler. |
Read And Watch Behavior
The controller:

- watches `InferenceIdentityBinding`
- watches supported `InferencePool` objects and maps them back to bindings whose `spec.poolRef.name` references those pools
- watches supported `InferenceObjective` objects and maps them back to bindings whose optional `spec.objectiveRef.name` references those objectives
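As an added example (not the operator's code), the map-back logic above can be written as plain functions over an in-memory list of bindings, which is what a controller-runtime map function would do against the cache. The struct fields stand in for the CRD fields the page names (`spec.poolRef.name`, `spec.objectiveRef.name`); the rule that a binding only references pools and objectives in its own namespace, and the check that the objective's own pool reference must name the binding's pool (the "validated against `spec.poolRef`" step in the table above), are assumptions of this example.

```go
package main

import "fmt"

// ObjectKey is a namespace/name pair, the unit a reconciler enqueues.
type ObjectKey struct{ Namespace, Name string }

// InferenceIdentityBinding is a minimal stand-in for the CRD: only the
// reference fields the watch mapping needs are modelled.
type InferenceIdentityBinding struct {
	Key          ObjectKey
	PoolRef      string // spec.poolRef.name (required)
	ObjectiveRef string // spec.objectiveRef.name ("" when the optional ref is absent)
}

// BindingsForPool returns the bindings to reconcile when the given
// InferencePool changes: same namespace, spec.poolRef.name matches.
func BindingsForPool(bindings []InferenceIdentityBinding, pool ObjectKey) []ObjectKey {
	var out []ObjectKey
	for _, b := range bindings {
		if b.Key.Namespace == pool.Namespace && b.PoolRef == pool.Name {
			out = append(out, b.Key)
		}
	}
	return out
}

// BindingsForObjective returns the bindings to reconcile when the given
// InferenceObjective changes; bindings without an objectiveRef are skipped.
func BindingsForObjective(bindings []InferenceIdentityBinding, objective ObjectKey) []ObjectKey {
	var out []ObjectKey
	for _, b := range bindings {
		if b.ObjectiveRef != "" && b.Key.Namespace == objective.Namespace && b.ObjectiveRef == objective.Name {
			out = append(out, b.Key)
		}
	}
	return out
}

// ValidateObjectivePool is the reconcile-time cross-check assumed here: the
// objective's own pool reference must name the binding's pool, so a binding
// cannot borrow an objective (and its container-name selector) from a
// different pool than the one its podSelector is derived from.
func ValidateObjectivePool(b InferenceIdentityBinding, objectivePoolRef string) error {
	if b.ObjectiveRef == "" {
		return nil // no objective subject, nothing to cross-check
	}
	if objectivePoolRef != b.PoolRef {
		return fmt.Errorf("binding %s/%s: objective %q belongs to pool %q, not %q",
			b.Key.Namespace, b.Key.Name, b.ObjectiveRef, objectivePoolRef, b.PoolRef)
	}
	return nil
}

// sampleBindings is constructed test data, not output from a real cluster.
var sampleBindings = []InferenceIdentityBinding{
	{Key: ObjectKey{"inference", "llama-pool-identity"}, PoolRef: "llama"},
	{Key: ObjectKey{"inference", "llama-chat-identity"}, PoolRef: "llama", ObjectiveRef: "chat"},
	{Key: ObjectKey{"other", "llama-copy"}, PoolRef: "llama"},
}

func main() {
	fmt.Println(BindingsForPool(sampleBindings, ObjectKey{"inference", "llama"}))
	fmt.Println(BindingsForObjective(sampleBindings, ObjectKey{"inference", "chat"}))
	fmt.Println(ValidateObjectivePool(sampleBindings[1], "mistral"))
}
```

Scoping the match to the pool's namespace is what keeps a pool named `llama` in one namespace from triggering reconciles (and identity rendering) for bindings in another; if bindings may legitimately reference pools across namespaces, that condition has to be relaxed deliberately, not by accident.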