CRD reference
Every custom resource telark defines, who owns it, and the spec fields that matter.
telark stores its state as Kubernetes custom resources owned by the exporter service. Discovery and auth never write to the CRD store directly; they go through the exporter's HTTP API. This keeps a single mutation path and lets the exporter serialise writes per-resource using its concurrency locks.
This page summarises every CRD telark defines today.
ApplicationAsResource (erpi.telark/v1alpha1)
The application as seen by telark. Composed from cluster workloads by the discovery service; written to the CRD store by the exporter.
| Field | Notes |
|---|---|
spec.name | Application name (derived from discovery grouping). |
spec.namespaces[] | Namespaces the application spans. |
spec.resources[] | Workload refs (kind / name / namespace). |
spec.changeLog[] | History of classified change cycles. |
spec.snapshots[] | Snapshot records (generation / class / severity / path). |
spec.rollbacks[] | Rollback entries with status, target generation, audit. |
spec.health | Cluster-derived health snapshot. |
spec.lastForceSync | Force-sync state (phase, requestedAt, completedAt). |
Owned by discovery-service (writes via the exporter). The
rollback controller in discovery is a separate informer on
this CRD that processes pending rollbacks[] entries.
ProtectionPlan (telark group)
The protection-plan custom resource. Persisted by the exporter, mutated by the discovery service's plan handlers.
| Field | Notes |
|---|---|
spec.id, spec.name, spec.description, spec.severity, spec.priority | Identity + metadata. |
spec.scope.{type, applicationIds, namespaces} | Scope. |
spec.policies[].{templateID, params} | Policy entries. |
spec.mode | audit | enforce. |
spec.timeMode, spec.timeRange.{startAt, endAt} | Schedule. |
spec.phase, spec.reason | Lifecycle. |
spec.renderedPolicies[] | Names of Kyverno policies the applier deployed. |
spec.participantsIDs[] | User / group IDs. |
spec.health, spec.healthCheckedAt, spec.healthDetail[] | Drift state. |
spec.createdAt / createdBy / lastUpdatedAt / lastUpdatedBy / startedAt / startedBy / terminatedAt / terminatedBy | Full audit trail. |
Owned by the discovery service (the controller transitions phases); persisted by the exporter.
User (telark group)
Identity. One record per human or service account.
| Field | Notes |
|---|---|
spec.id | Stable identifier. |
spec.username, spec.fullname, spec.email | Display + lookup. |
spec.identity.provider | passkey | oidc-google | …. |
spec.assignedRoles[] | Role IDs assigned directly. |
spec.groupIDs[] | Groups the user is a member of. |
spec.creationDate, spec.lastUpdateDate | Audit. |
Owned by the exporter. The auth service reads via the exporter's HTTP API; never writes the CRD itself.
UserPasskey (telark group)
One record per registered WebAuthn authenticator.
| Field | Notes |
|---|---|
spec.credentialID | WebAuthn credential ID (base64). |
spec.userID | Owning user. |
spec.publicKey | Stored public key. |
spec.signCount | Last seen signature counter. |
spec.deviceMetadata | Best-effort device label. |
spec.createdAt, spec.lastUsedAt | Audit. |
Owned by the exporter. Written by the auth-service through the exporter's passkey handler.
UserSession (telark group)
A live user session. telark persists sessions for audit and revocation; the in-memory store is the auth-service's session cache.
| Field | Notes |
|---|---|
spec.id | UUID token. |
spec.userID | Session owner. |
spec.deviceMetadata | Capture of the device that logged in. |
spec.expiresAt | 24h default; configurable. |
spec.createdAt, spec.lastSeenAt | Audit. |
Owned by the exporter. The auth-service cleanup controller prunes expired sessions on a periodic loop.
Role (telark group)
RBAC role. See Concepts → RBAC model for the shape.
| Field | Notes |
|---|---|
spec.id, spec.name, spec.description, spec.version | Identity. |
spec.type, spec.priority, spec.categoryID | Resolution metadata. |
spec.scopesAndPermissions[] | The substantive permission set. |
spec.protection | Optional deletion guard. |
spec.validity | Optional time-bound activation. |
spec.status | active | deprecated | deleted. |
spec.assignedTo.userIDs, spec.assignedTo.groupIDs | Direct + group assignments. |
Owned by the exporter.
Group (telark group)
A named collection of users.
| Field | Notes |
|---|---|
spec.id, spec.name, spec.description | Identity. |
spec.memberIDs[] | User IDs in the group. |
spec.assignedRoles[] | Role IDs the group inherits. |
spec.categoryID | Optional category. |
| Audit fields | Created/updated. |
Owned by the exporter.
Category (telark group)
Tagging primitive used to scope roles and groups by domain.
| Field | Notes |
|---|---|
spec.id, spec.name, spec.scope | Identity. |
spec.type | Category kind (e.g. roles, groups). |
spec.creationDate | Audit. |
Owned by the exporter.
GlobalConfig (telark group, singleton)
The single cluster-wide configuration resource. Singleton — one per cluster.
| Field | Notes |
|---|---|
spec.userSettings.theme | Dashboard theme default. |
spec.userSettings.density | UI density default. |
spec.userSettings.uiViewSize | Default page size. |
spec.userSettings.fetchIntervalSeconds | Notification poll interval. |
spec.ai.enabled, spec.ai.provider, spec.ai.apiKey | AI enrichment toggle. |
spec.cluster.version | Reported cluster version. |
spec.excludedNamespaces[] | Namespaces hidden from discovery and plans. |
spec.snapshots.maxPerApp | Retention cap (default 5). |
spec.oidc.enabled, spec.oidc.googleClientID | Google OIDC switch. |
Owned by the exporter. Mutated via the exporter's GlobalConfig patch endpoint from the dashboard's Settings pages.
What this list does not include
kyverno.io/v1/Policy— the cluster-side admission policies a protection plan deploys. Owned by the policy engine, not by telark. telark labels every deployed policy with the plan ID and reads them for health and violations.wgpolicyk8s.io/v1alpha2/PolicyReport— the cluster-side violation surface telark reads to power the violations feed. Owned by the policy engine.