Approval Domain

The Approval domain provides configurable approval workflows for API and event subscriptions. It supports multiple approval strategies, tracks state through a finite state machine, and integrates with the Notification domain to keep all parties informed.

Custom Resources

Approval

Approval is the Schema for the approvals API

Group: approval.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ApprovalSpec

Appears in: Approval

ApprovalSpec defines the desired state of Approval

Field	Type	Default	Validation
action	string	unknown	Required
approvedRequest	ApprovedRequest	—	Optional
decider	Decider	—	Optional
decisions	Decisions[]		Required
requester	Requester	—	Required
state	string	Pending	Required, Enum: Pending \| Semigranted \| Granted \| Rejected \| Suspended
strategy	string	Auto	Required, Enum: Auto \| Simple \| FourEyes
target	ApplicationRef	—	Required

ApprovedRequest

Appears in: ApprovalSpec, ApprovalStatus, ApprovalRequestStatus

ApprovedRequest contains the reference to the request that was approved with this approval

Field	Type	Default	Validation
name	string	—	Required
namespace	string	—	Required
uid	string	—	Optional

Decider

Appears in: ApprovalSpec, ApprovalRequestSpec

Decider contains the information about the entity that owns the requested object

Field	Type	Default	Validation
applicationRef	ApplicationRef	—	Optional
teamEmail	string	—	Optional
teamName	string	—	Optional

ApplicationRef

Appears in: Decider, Requester, ApprovalSpec, ApprovalRequestSpec

ApplicationRef is a reference to the application that decides on the approval request

Field	Type	Default	Validation
apiVersion	string	—	Optional
kind	string	—	Optional
name	string	—	Required
namespace	string	—	Required
uid	string	—	Optional

Decisions

Appears in: ApprovalSpec, ApprovalRequestSpec

Decisions contains information about who or what changed this approval

Field	Type	Default	Validation
comment	string	—	Optional
email	string	—	Optional
name	string	—	Required
resultingState	string	—	Required, Enum: Pending \| Semigranted \| Granted \| Rejected \| Suspended \| Expired
timestamp	string	—	Optional, Format: date-time

Requester

Appears in: ApprovalSpec, ApprovalRequestSpec

Requester contains the information about the entity that is requesting access

Field	Type	Default	Validation
applicationRef	ApplicationRef	—	Optional
properties	object	—	Optional
reason	string	—	Required
teamEmail	string	—	Required
teamName	string	—	Required

ApprovalStatus

Appears in: Approval

ApprovalStatus defines the observed state of Approval

Field	Type	Default	Validation
availableTransitions	AvailableTransition[]	—	Optional
conditions	Condition[]	—	Optional
lastState	string	Pending	Optional, Enum: Pending \| Semigranted \| Granted \| Rejected \| Suspended
notificationRefs	ApprovedRequest[]	—	Optional

AvailableTransition

Appears in: ApprovalStatus, ApprovalRequestStatus

Field	Type	Default	Validation
action	string	—	Required
to	string	—	Required

Condition

Appears in: ApprovalStatus, ApprovalRequestStatus

Field	Type	Default	Validation
lastTransitionTime	string	—	Required, Format: date-time
message	string	—	Required, maxLength: 32768
observedGeneration	integer	—	Optional, Format: int64, minimum: 0
reason	string	—	Required, minLength: 1, maxLength: 1024, pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
status	string	—	Required, Enum: True \| False \| Unknown
type	string	—	Required, maxLength: 316, pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

ApprovalRequest

ApprovalRequest is the Schema for the approvalrequests API

Group: approval.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ApprovalRequestSpec

Appears in: ApprovalRequest

ApprovalRequestSpec defines the desired state of ApprovalRequest

Field	Type	Default	Validation
action	string	unknown	Required
decider	Decider	—	Optional
decisions	Decisions[]		Required
requester	Requester	—	Required
state	string	Pending	Required, Enum: Pending \| Granted \| Semigranted \| Rejected
strategy	string	Auto	Required, Enum: Auto \| Simple \| FourEyes
target	ApplicationRef	—	Required

ApprovalRequestStatus

Appears in: ApprovalRequest

ApprovalRequestStatus defines the observed state of ApprovalRequest

Field	Type	Default	Validation
approval	ApprovedRequest	—	Required
availableTransitions	AvailableTransition[]	—	Optional
conditions	Condition[]	—	Optional
lastState	string	Pending	Optional, Enum: Pending \| Granted \| Semigranted \| Rejected
notificationRefs	ApprovedRequest[]	—	Optional

Approval Strategies

Auto

The subscription is approved immediately. No human intervention is required.

Created ──▶ Granted

Simple

A single approver from the provider team must grant the request.

Created ──▶ Pending ──▶ Granted
                    └──▶ Rejected

FourEyes

Two separate approvers from the provider team must independently grant the request (dual-control principle).

Created ──▶ Pending ──▶ SemiGranted ──▶ Granted
                    └──▶ Rejected

Trusted Teams

API and event providers can designate specific teams as trusted. When a trusted team subscribes, the approval is granted automatically regardless of the configured strategy. This is useful for pre-authorized internal services.

Notifications

The Approval domain creates Notification resources at key points in the lifecycle:

• Request created — Provider team is notified of a new subscription request
• State changed — Both parties are notified when an approval is granted, rejected, or suspended

Domain Interactions

• API domain — ApiSubscription resources trigger approval creation.
• Event domain — EventSubscription resources trigger approval creation.
• Notification domain — Approval lifecycle events create notifications.

Related Pages

• User Journey: Approvals
• Architecture: API Domain