Reference

CRD reference

Every custom resource telark defines, who owns it, and the spec fields that matter.

telark stores its state as Kubernetes custom resources owned by the exporter service. Discovery and auth never write to the CRD store directly; they go through the exporter's HTTP API. This keeps a single mutation path and lets the exporter serialise writes per-resource using its concurrency locks.

This page summarises every CRD telark defines today.

ApplicationAsResource (erpi.telark/v1alpha1)

The application as seen by telark. Composed from cluster workloads by the discovery service; written to the CRD store by the exporter.

FieldNotes
spec.nameApplication name (derived from discovery grouping).
spec.namespaces[]Namespaces the application spans.
spec.resources[]Workload refs (kind / name / namespace).
spec.changeLog[]History of classified change cycles.
spec.snapshots[]Snapshot records (generation / class / severity / path).
spec.rollbacks[]Rollback entries with status, target generation, audit.
spec.healthCluster-derived health snapshot.
spec.lastForceSyncForce-sync state (phase, requestedAt, completedAt).

Owned by discovery-service (writes via the exporter). The rollback controller in discovery is a separate informer on this CRD that processes pending rollbacks[] entries.

ProtectionPlan (telark group)

The protection-plan custom resource. Persisted by the exporter, mutated by the discovery service's plan handlers.

FieldNotes
spec.id, spec.name, spec.description, spec.severity, spec.priorityIdentity + metadata.
spec.scope.{type, applicationIds, namespaces}Scope.
spec.policies[].{templateID, params}Policy entries.
spec.modeaudit | enforce.
spec.timeMode, spec.timeRange.{startAt, endAt}Schedule.
spec.phase, spec.reasonLifecycle.
spec.renderedPolicies[]Names of Kyverno policies the applier deployed.
spec.participantsIDs[]User / group IDs.
spec.health, spec.healthCheckedAt, spec.healthDetail[]Drift state.
spec.createdAt / createdBy / lastUpdatedAt / lastUpdatedBy / startedAt / startedBy / terminatedAt / terminatedByFull audit trail.

Owned by the discovery service (the controller transitions phases); persisted by the exporter.

User (telark group)

Identity. One record per human or service account.

FieldNotes
spec.idStable identifier.
spec.username, spec.fullname, spec.emailDisplay + lookup.
spec.identity.providerpasskey | oidc-google | ….
spec.assignedRoles[]Role IDs assigned directly.
spec.groupIDs[]Groups the user is a member of.
spec.creationDate, spec.lastUpdateDateAudit.

Owned by the exporter. The auth service reads via the exporter's HTTP API; never writes the CRD itself.

UserPasskey (telark group)

One record per registered WebAuthn authenticator.

FieldNotes
spec.credentialIDWebAuthn credential ID (base64).
spec.userIDOwning user.
spec.publicKeyStored public key.
spec.signCountLast seen signature counter.
spec.deviceMetadataBest-effort device label.
spec.createdAt, spec.lastUsedAtAudit.

Owned by the exporter. Written by the auth-service through the exporter's passkey handler.

UserSession (telark group)

A live user session. telark persists sessions for audit and revocation; the in-memory store is the auth-service's session cache.

FieldNotes
spec.idUUID token.
spec.userIDSession owner.
spec.deviceMetadataCapture of the device that logged in.
spec.expiresAt24h default; configurable.
spec.createdAt, spec.lastSeenAtAudit.

Owned by the exporter. The auth-service cleanup controller prunes expired sessions on a periodic loop.

Role (telark group)

RBAC role. See Concepts → RBAC model for the shape.

FieldNotes
spec.id, spec.name, spec.description, spec.versionIdentity.
spec.type, spec.priority, spec.categoryIDResolution metadata.
spec.scopesAndPermissions[]The substantive permission set.
spec.protectionOptional deletion guard.
spec.validityOptional time-bound activation.
spec.statusactive | deprecated | deleted.
spec.assignedTo.userIDs, spec.assignedTo.groupIDsDirect + group assignments.

Owned by the exporter.

Group (telark group)

A named collection of users.

FieldNotes
spec.id, spec.name, spec.descriptionIdentity.
spec.memberIDs[]User IDs in the group.
spec.assignedRoles[]Role IDs the group inherits.
spec.categoryIDOptional category.
Audit fieldsCreated/updated.

Owned by the exporter.

Category (telark group)

Tagging primitive used to scope roles and groups by domain.

FieldNotes
spec.id, spec.name, spec.scopeIdentity.
spec.typeCategory kind (e.g. roles, groups).
spec.creationDateAudit.

Owned by the exporter.

GlobalConfig (telark group, singleton)

The single cluster-wide configuration resource. Singleton — one per cluster.

FieldNotes
spec.userSettings.themeDashboard theme default.
spec.userSettings.densityUI density default.
spec.userSettings.uiViewSizeDefault page size.
spec.userSettings.fetchIntervalSecondsNotification poll interval.
spec.ai.enabled, spec.ai.provider, spec.ai.apiKeyAI enrichment toggle.
spec.cluster.versionReported cluster version.
spec.excludedNamespaces[]Namespaces hidden from discovery and plans.
spec.snapshots.maxPerAppRetention cap (default 5).
spec.oidc.enabled, spec.oidc.googleClientIDGoogle OIDC switch.

Owned by the exporter. Mutated via the exporter's GlobalConfig patch endpoint from the dashboard's Settings pages.

What this list does not include

  • kyverno.io/v1/Policy — the cluster-side admission policies a protection plan deploys. Owned by the policy engine, not by telark. telark labels every deployed policy with the plan ID and reads them for health and violations.
  • wgpolicyk8s.io/v1alpha2/PolicyReport — the cluster-side violation surface telark reads to power the violations feed. Owned by the policy engine.