mirror of https://github.com/k3s-io/k3s
251 lines
8.9 KiB
Protocol Buffer
251 lines
8.9 KiB
Protocol Buffer
/*
|
|
Copyright The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
|
|
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
|
|
|
|
syntax = 'proto2';
|
|
|
|
package k8s.io.apiserver.pkg.apis.audit.v1alpha1;
|
|
|
|
import "k8s.io/api/authentication/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
|
|
|
// Package-wide variables from generator "generated".
|
|
option go_package = "v1alpha1";
|
|
|
|
// Event captures all the information that can be included in an API audit log.
|
|
message Event {
|
|
// ObjectMeta is included for interoperability with API infrastructure.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
// AuditLevel at which event was generated
|
|
optional string level = 2;
|
|
|
|
// Time the request reached the apiserver.
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.Time timestamp = 3;
|
|
|
|
// Unique audit ID, generated for each request.
|
|
optional string auditID = 4;
|
|
|
|
// Stage of the request handling when this event instance was generated.
|
|
optional string stage = 5;
|
|
|
|
// RequestURI is the request URI as sent by the client to a server.
|
|
optional string requestURI = 6;
|
|
|
|
// Verb is the kubernetes verb associated with the request.
|
|
// For non-resource requests, this is the lower-cased HTTP method.
|
|
optional string verb = 7;
|
|
|
|
// Authenticated user information.
|
|
optional k8s.io.api.authentication.v1.UserInfo user = 8;
|
|
|
|
// Impersonated user information.
|
|
// +optional
|
|
optional k8s.io.api.authentication.v1.UserInfo impersonatedUser = 9;
|
|
|
|
// Source IPs, from where the request originated and intermediate proxies.
|
|
// +optional
|
|
repeated string sourceIPs = 10;
|
|
|
|
// UserAgent records the user agent string reported by the client.
|
|
// Note that the UserAgent is provided by the client, and must not be trusted.
|
|
// +optional
|
|
optional string userAgent = 18;
|
|
|
|
// Object reference this request is targeted at.
|
|
// Does not apply for List-type requests, or non-resource requests.
|
|
// +optional
|
|
optional ObjectReference objectRef = 11;
|
|
|
|
// The response status, populated even when the ResponseObject is not a Status type.
|
|
// For successful responses, this will only include the Code and StatusSuccess.
|
|
// For non-status type error responses, this will be auto-populated with the error Message.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.Status responseStatus = 12;
|
|
|
|
// API object from the request, in JSON format. The RequestObject is recorded as-is in the request
|
|
// (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
|
|
// merging. It is an external versioned object type, and may not be a valid object on its own.
|
|
// Omitted for non-resource requests. Only logged at Request Level and higher.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.runtime.Unknown requestObject = 13;
|
|
|
|
// API object returned in the response, in JSON. The ResponseObject is recorded after conversion
|
|
// to the external type, and serialized as JSON. Omitted for non-resource requests. Only logged
|
|
// at Response Level.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.runtime.Unknown responseObject = 14;
|
|
|
|
// Time the request reached the apiserver.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime requestReceivedTimestamp = 15;
|
|
|
|
// Time the request reached current audit stage.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime stageTimestamp = 16;
|
|
|
|
// Annotations is an unstructured key value map stored with an audit event that may be set by
|
|
// plugins invoked in the request serving chain, including authentication, authorization and
|
|
// admission plugins. Note that these annotations are for the audit event, and do not correspond
|
|
// to the metadata.annotations of the submitted object. Keys should uniquely identify the informing
|
|
// component to avoid name collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values
|
|
// should be short. Annotations are included in the Metadata level.
|
|
// +optional
|
|
map<string, string> annotations = 17;
|
|
}
|
|
|
|
// EventList is a list of audit Events.
|
|
message EventList {
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
repeated Event items = 2;
|
|
}
|
|
|
|
// GroupResources represents resource kinds in an API group.
|
|
message GroupResources {
|
|
// Group is the name of the API group that contains the resources.
|
|
// The empty string represents the core API group.
|
|
// +optional
|
|
optional string group = 1;
|
|
|
|
// Resources is a list of resources this rule applies to.
|
|
//
|
|
// For example:
|
|
// 'pods' matches pods.
|
|
// 'pods/log' matches the log subresource of pods.
|
|
// '*' matches all resources and their subresources.
|
|
// 'pods/*' matches all subresources of pods.
|
|
// '*/scale' matches all scale subresources.
|
|
//
|
|
// If wildcard is present, the validation rule will ensure resources do not
|
|
// overlap with each other.
|
|
//
|
|
// An empty list implies all resources and subresources in this API groups apply.
|
|
// +optional
|
|
repeated string resources = 2;
|
|
|
|
// ResourceNames is a list of resource instance names that the policy matches.
|
|
// Using this field requires Resources to be specified.
|
|
// An empty list implies that every instance of the resource is matched.
|
|
// +optional
|
|
repeated string resourceNames = 3;
|
|
}
|
|
|
|
// ObjectReference contains enough information to let you inspect or modify the referred object.
|
|
message ObjectReference {
|
|
// +optional
|
|
optional string resource = 1;
|
|
|
|
// +optional
|
|
optional string namespace = 2;
|
|
|
|
// +optional
|
|
optional string name = 3;
|
|
|
|
// +optional
|
|
optional string uid = 4;
|
|
|
|
// +optional
|
|
optional string apiVersion = 5;
|
|
|
|
// +optional
|
|
optional string resourceVersion = 6;
|
|
|
|
// +optional
|
|
optional string subresource = 7;
|
|
}
|
|
|
|
// Policy defines the configuration of audit logging, and the rules for how different request
|
|
// categories are logged.
|
|
message Policy {
|
|
// ObjectMeta is included for interoperability with API infrastructure.
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
// Rules specify the audit Level a request should be recorded at.
|
|
// A request may match multiple rules, in which case the FIRST matching rule is used.
|
|
// The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
|
|
// PolicyRules are strictly ordered.
|
|
repeated PolicyRule rules = 2;
|
|
|
|
// OmitStages is a list of stages for which no events are created. Note that this can also
|
|
// be specified per rule in which case the union of both are omitted.
|
|
// +optional
|
|
repeated string omitStages = 3;
|
|
}
|
|
|
|
// PolicyList is a list of audit Policies.
|
|
message PolicyList {
|
|
// +optional
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
repeated Policy items = 2;
|
|
}
|
|
|
|
// PolicyRule maps requests based off metadata to an audit Level.
|
|
// Requests must match the rules of every field (an intersection of rules).
|
|
message PolicyRule {
|
|
// The Level that requests matching this rule are recorded at.
|
|
optional string level = 1;
|
|
|
|
// The users (by authenticated user name) this rule applies to.
|
|
// An empty list implies every user.
|
|
// +optional
|
|
repeated string users = 2;
|
|
|
|
// The user groups this rule applies to. A user is considered matching
|
|
// if it is a member of any of the UserGroups.
|
|
// An empty list implies every user group.
|
|
// +optional
|
|
repeated string userGroups = 3;
|
|
|
|
// The verbs that match this rule.
|
|
// An empty list implies every verb.
|
|
// +optional
|
|
repeated string verbs = 4;
|
|
|
|
// Resources that this rule matches. An empty list implies all kinds in all API groups.
|
|
// +optional
|
|
repeated GroupResources resources = 5;
|
|
|
|
// Namespaces that this rule matches.
|
|
// The empty string "" matches non-namespaced resources.
|
|
// An empty list implies every namespace.
|
|
// +optional
|
|
repeated string namespaces = 6;
|
|
|
|
// NonResourceURLs is a set of URL paths that should be audited.
|
|
// *s are allowed, but only as the full, final step in the path.
|
|
// Examples:
|
|
// "/metrics" - Log requests for apiserver metrics
|
|
// "/healthz*" - Log all health checks
|
|
// +optional
|
|
repeated string nonResourceURLs = 7;
|
|
|
|
// OmitStages is a list of stages for which no events are created. Note that this can also
|
|
// be specified policy wide in which case the union of both are omitted.
|
|
// An empty list means no restrictions will apply.
|
|
// +optional
|
|
repeated string omitStages = 8;
|
|
}
|
|
|