milo-os · JoseSzycho · Jun 25, 2026 · Jun 17, 2026 · Jun 17, 2026 · Jun 24, 2026
diff --git a/config/crd/bases/iam/iam.miloapis.com_platformaccesses.yaml b/config/crd/bases/iam/iam.miloapis.com_platformaccesses.yaml
@@ -0,0 +1,175 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.18.0
+    discovery.miloapis.com/parent-contexts: Platform
+  name: platformaccesses.iam.miloapis.com
+spec:
+  group: iam.miloapis.com
+  names:
+    kind: PlatformAccess
+    listKind: PlatformAccessList
+    plural: platformaccesses
+    singular: platformaccess
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.userRef.name
+      name: User
+      type: string
+    - jsonPath: .spec.state
+      name: State
+      type: string
+    - jsonPath: .spec.reason
+      name: Reason
+      type: string
+    - jsonPath: .status.conditions[?(@.type=='Ready')].status
+      name: Ready
+      type: string
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: |-
+          PlatformAccess is the Schema for the platformaccesses API.
+          It is the single mutable resource governing whether a user can access the platform,
+          replacing UserDeactivation, PlatformAccessApproval, and PlatformAccessRejection.
+          There is at most one PlatformAccess per user; by convention it is named after the user.
+          The UserController derives User.status.accessState from this resource.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PlatformAccessSpec defines the desired access state for a
+              user on the platform.
+            properties:
+              reason:
+                description: Reason is a human-readable explanation for the current
+                  state.
+                type: string
+              state:
+                default: Pending
+                description: |-
+                  State is the desired platform access state for the user.
+                  Valid transitions:
+                    Pending  → Approved  (fraud accepts, or admin approves)
+                    Pending  → Rejected  (fraud or admin rejects)
+                    Approved → Suspended (fraud deactivates, or admin suspends)
+                    Approved → Rejected  (admin disapproves)
+                    Suspended → Approved (admin reactivates)
+                enum:
+                - Pending
+                - Approved
+                - Rejected
+                - Suspended
+                type: string
+              userRef:
+                description: |-
+                  UserRef is a reference to the User this resource governs.
+                  User is a cluster-scoped resource.
+                properties:
+                  name:
+                    description: Name is the name of the User being referenced.
+                    type: string
+                required:
+                - name
+                type: object
+            required:
+            - state
+            - userRef
+            type: object
+          status:
+            description: PlatformAccessStatus defines the observed state of PlatformAccess.
+            properties:
+              conditions:
+                default:
+                - lastTransitionTime: "1970-01-01T00:00:00Z"
+                  message: Waiting for control plane to reconcile
+                  reason: Unknown
+                  status: Unknown
+                  type: Ready
+                description: Conditions represent the latest available observations
+                  of the resource's current state.
+                items:
+                  description: Condition contains details for one aspect of the current
+                    state of this API Resource.
+                  properties:
+                    lastTransitionTime:
+                      description: |-
+                        lastTransitionTime is the last time the condition transitioned from one status to another.
+                        This should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.
+                      format: date-time
+                      type: string
+                    message:
+                      description: |-
+                        message is a human readable message indicating details about the transition.
+                        This may be an empty string.
+                      maxLength: 32768
+                      type: string
+                    observedGeneration:
+                      description: |-
+                        observedGeneration represents the .metadata.generation that the condition was set based upon.
+                        For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+                        with respect to the current state of the instance.
+                      format: int64
+                      minimum: 0
+                      type: integer
+                    reason:
+                      description: |-
+                        reason contains a programmatic identifier indicating the reason for the condition's last transition.
+                        Producers of specific condition types may define expected values and meanings for this field,
+                        and whether the values are considered a guaranteed API.
+                        The value should be a CamelCase string.
+                        This field may not be empty.
+                      maxLength: 1024
+                      minLength: 1
+                      pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+                      type: string
+                    status:
+                      description: status of the condition, one of True, False, Unknown.
+                      enum:
+                      - "True"
+                      - "False"
+                      - Unknown
+                      type: string
+                    type:
+                      description: type of condition in CamelCase or in foo.example.com/CamelCase.
+                      maxLength: 316
+                      pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+                      type: string
+                  required:
+                  - lastTransitionTime
+                  - message
+                  - reason
+                  - status
+                  - type
+                  type: object
+                type: array
+            type: object
+        type: object
+    selectableFields:
+    - jsonPath: .spec.userRef.name
+    - jsonPath: .spec.state
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/config/crd/bases/iam/kustomization.yaml b/config/crd/bases/iam/kustomization.yaml
@@ -10,5 +10,6 @@ resources:
 - iam.miloapis.com_userpreferences.yaml
 - iam.miloapis.com_userdeactivations.yaml
 - iam.miloapis.com_platforminvitations.yaml
+- iam.miloapis.com_platformaccesses.yaml
 - iam.miloapis.com_platformaccessapprovals.yaml
 - iam.miloapis.com_platformaccessrejections.yaml
diff --git a/config/protected-resources/iam/kustomization.yaml b/config/protected-resources/iam/kustomization.yaml
@@ -11,6 +11,7 @@ resources:
   - policybinding.yaml
   - userpreference.yaml
   - userdeactivation.yaml
+  - platformaccess.yaml
   - platformaccessapproval.yaml
   - platformaccessrejection.yaml
   - platforminvitation.yaml

diff --git a/config/protected-resources/iam/platformaccess.yaml b/config/protected-resources/iam/platformaccess.yaml
@@ -0,0 +1,18 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: iam.miloapis.com-platformaccess
+spec:
+  serviceRef:
+    name: "iam.miloapis.com"
+  kind: PlatformAccess
+  plural: platformaccesses
+  singular: platformaccess
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch
diff --git a/config/roles/iam-platform-accesses-admin.yaml b/config/roles/iam-platform-accesses-admin.yaml
@@ -0,0 +1,11 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: iam-platform-accesses-admin
+  annotations:
+    kubernetes.io/display-name: Platform Access Admin
+    kubernetes.io/description: Full access to platform accesses
+spec:
+  launchStage: Beta
+  inheritedRoles:
+    - name: iam-platform-accesses-editor
diff --git a/config/roles/iam-platform-accesses-editor.yaml b/config/roles/iam-platform-accesses-editor.yaml
@@ -0,0 +1,16 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: iam-platform-accesses-editor
+  annotations:
+    kubernetes.io/display-name: Platform Access Editor
+    kubernetes.io/description: Create, update, and delete platform accesses
+spec:
+  launchStage: Beta
+  inheritedRoles:
+    - name: iam-platform-accesses-reader
+  includedPermissions:
+    - iam.miloapis.com/platformaccesses.create
+    - iam.miloapis.com/platformaccesses.update
+    - iam.miloapis.com/platformaccesses.patch
+    - iam.miloapis.com/platformaccesses.delete
diff --git a/config/roles/iam-platform-accesses-reader.yaml b/config/roles/iam-platform-accesses-reader.yaml
@@ -0,0 +1,13 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+  name: iam-platform-accesses-reader
+  annotations:
+    kubernetes.io/display-name: Platform Access Viewer
+    kubernetes.io/description: View platform accesses
+spec:
+  launchStage: Beta
+  includedPermissions:
+    - iam.miloapis.com/platformaccesses.get
+    - iam.miloapis.com/platformaccesses.list
+    - iam.miloapis.com/platformaccesses.watch
diff --git a/config/roles/kustomization.yaml b/config/roles/kustomization.yaml
@@ -59,6 +59,9 @@ resources:
   - project-admin.yaml
   - iam.miloapis.com-getinvitation.yaml
   - iam.miloapis.com-acceptinvitation.yaml
+  - iam-platform-accesses-reader.yaml
+  - iam-platform-accesses-editor.yaml
+  - iam-platform-accesses-admin.yaml
   - iam-platform-access-approvals-reader.yaml
   - iam-platform-access-approvals-editor.yaml
   - iam-platform-access-approvals-admin.yaml