/*
Copyright The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/


// This file was autogenerated by go-to-protobuf. Do not edit it manually!

| syntax = 'proto2'; |
| |
| package k8s.io.apiserver.pkg.apis.audit.v1alpha1; |
| |
| import "k8s.io/api/authentication/v1/generated.proto"; |
| import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto"; |
| import "k8s.io/apimachinery/pkg/runtime/generated.proto"; |
| import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto"; |
| import "k8s.io/apimachinery/pkg/util/intstr/generated.proto"; |
| |
| // Package-wide variables from generator "generated". |
| option go_package = "v1alpha1"; |
| |
// Event captures all the information that can be included in an API audit log.
//
// An Event is the record an audit backend persists, so every field below ends
// up wherever the audit sink writes. The object bodies (requestObject and
// responseObject) are copied verbatim and are therefore only included above
// the Metadata level; the remaining fields describe who did what, from where,
// and with which outcome.
message Event {
  // ObjectMeta is included for interoperability with API infrastructure.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // AuditLevel at which event was generated
  // Carried as a plain string rather than an enum. The accepted values are
  // those of the Go Level type this file was generated from (None, Metadata,
  // Request and RequestResponse in the upstream API - confirm against the Go
  // types); consumers should tolerate values they do not recognise.
  optional string level = 2;

  // Time the request reached the apiserver.
  // NOTE(review): documented identically to requestReceivedTimestamp (field 15)
  // but typed as Time rather than MicroTime; presumably the earlier, coarser
  // form kept for compatibility - confirm which one consumers should prefer.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time timestamp = 3;

  // Unique audit ID, generated for each request.
  // Presumably shared by every per-stage event emitted for the same request,
  // making it the key for correlating those events - confirm against the
  // emitting code.
  optional string auditID = 4;

  // Stage of the request handling when this event instance was generated.
  // String form of the Stage type; Policy.omitStages and PolicyRule.omitStages
  // filter on these same values.
  optional string stage = 5;

  // RequestURI is the request URI as sent by the client to a server.
  // Recorded as sent, so any query string the client supplied is presumably
  // part of this value and reaches the audit sink - confirm.
  optional string requestURI = 6;

  // Verb is the kubernetes verb associated with the request.
  // For non-resource requests, this is the lower-cased HTTP method.
  optional string verb = 7;

  // Authenticated user information.
  // This is the identity that authenticated to the apiserver. When
  // impersonation is in use this is presumably the impersonator, with the
  // target identity recorded in impersonatedUser - confirm.
  optional k8s.io.api.authentication.v1.UserInfo user = 8;

  // Impersonated user information.
  // Set only when the request was executed under impersonation.
  // +optional
  optional k8s.io.api.authentication.v1.UserInfo impersonatedUser = 9;

  // Source IPs, from where the request originated and intermediate proxies.
  // NOTE(review): the proxy entries necessarily come from the request path
  // rather than the accepting socket, so treat the list as client-influenced
  // when using it for attribution - confirm how it is populated.
  // +optional
  repeated string sourceIPs = 10;

  // Object reference this request is targeted at.
  // Does not apply for List-type requests, or non-resource requests.
  // +optional
  optional ObjectReference objectRef = 11;

  // The response status, populated even when the ResponseObject is not a Status type.
  // For successful responses, this will only include the Code and StatusSuccess.
  // For non-status type error responses, this will be auto-populated with the error Message.
  // Because the error Message is copied as produced, it may echo parts of the
  // request - assumption, confirm.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status responseStatus = 12;

  // API object from the request, in JSON format. The RequestObject is recorded as-is in the request
  // (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
  // merging. It is an external versioned object type, and may not be a valid object on its own.
  // Omitted for non-resource requests. Only logged at Request Level and higher.
  // Since the body is captured before defaulting and admission, everything the
  // client sent - including fields admission would later strip - reaches the
  // audit sink. Policies covering resources with sensitive bodies should weigh
  // this when choosing a level above Metadata.
  // +optional
  optional k8s.io.apimachinery.pkg.runtime.Unknown requestObject = 13;

  // API object returned in the response, in JSON. The ResponseObject is recorded after conversion
  // to the external type, and serialized as JSON. Omitted for non-resource requests. Only logged
  // at Response Level.
  // This is the object as served, so the same caution as for requestObject
  // applies to resources whose contents are sensitive.
  // +optional
  optional k8s.io.apimachinery.pkg.runtime.Unknown responseObject = 14;

  // Time the request reached the apiserver.
  // Typed as MicroTime, so presumably sub-second precision, unlike timestamp
  // (field 3).
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime requestReceivedTimestamp = 15;

  // Time the request reached current audit stage.
  // Together with requestReceivedTimestamp this gives the elapsed time up to
  // the stage named in stage.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime stageTimestamp = 16;

  // Annotations is an unstructured key value map stored with an audit event that may be set by
  // plugins invoked in the request serving chain, including authentication, authorization and
  // admission plugins. Keys should uniquely identify the informing component to avoid name
  // collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values should be short. Annotations
  // are included in the Metadata level.
  // Because they are included at the Metadata level, annotations are recorded
  // even for requests whose bodies are not; plugins should not place sensitive
  // values here.
  // +optional
  map<string, string> annotations = 17;
}
| |
// EventList is a list of audit Events.
message EventList {
  // Standard list metadata.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // The audit events in this list.
  repeated Event items = 2;
}
| |
// GroupResources represents resource kinds in an API group.
// Used by PolicyRule.resources to scope a rule to particular resources
// (and optionally particular instances) within one API group.
message GroupResources {
  // Group is the name of the API group that contains the resources.
  // The empty string represents the core API group.
  // +optional
  optional string group = 1;

  // Resources is a list of resources this rule applies to.
  //
  // For example:
  // 'pods' matches pods.
  // 'pods/log' matches the log subresource of pods.
  // '*' matches all resources and their subresources.
  // 'pods/*' matches all subresources of pods.
  // '*/scale' matches all scale subresources.
  //
  // If wildcard is present, the validation rule will ensure resources do not
  // overlap with each other.
  //
  // An empty list implies all resources and subresources in this API groups apply.
  // Note that an empty list is broader than '*': the latter is an explicit
  // wildcard entry, while the former is "no restriction on resources" for
  // this group.
  // +optional
  repeated string resources = 2;

  // ResourceNames is a list of resource instance names that the policy matches.
  // Using this field requires Resources to be specified.
  // An empty list implies that every instance of the resource is matched.
  // Matching is presumably done against the object name recorded in
  // Event.objectRef, which is absent for List-type requests - confirm how such
  // requests are treated by a name-scoped rule.
  // +optional
  repeated string resourceNames = 3;
}
| |
// ObjectReference contains enough information to let you inspect or modify the referred object.
// Recorded in Event.objectRef for resource requests; it is absent for
// List-type and non-resource requests (see the Event doc).
// The field docs below are inferred from the field names; confirm against
// the Go type this file was generated from.
message ObjectReference {
  // Resource name in its URL form (e.g. "pods"), as used in
  // GroupResources.resources.
  // +optional
  optional string resource = 1;

  // Namespace of the object; presumably empty for cluster-scoped resources.
  // +optional
  optional string namespace = 2;

  // Name of the object.
  // +optional
  optional string name = 3;

  // UID of the object. May be empty where the object does not yet have one
  // (e.g. a create request at the time it is received) - assumption, confirm.
  // +optional
  optional string uid = 4;

  // API version of the object; presumably "group/version" form - confirm.
  // +optional
  optional string apiVersion = 5;

  // ResourceVersion of the object as seen by the request.
  // +optional
  optional string resourceVersion = 6;

  // Subresource addressed by the request, e.g. "log" for 'pods/log' in the
  // GroupResources examples; empty when the main resource was addressed.
  // +optional
  optional string subresource = 7;
}
| |
// Policy defines the configuration of audit logging, and the rules for how different request
// categories are logged.
message Policy {
  // ObjectMeta is included for interoperability with API infrastructure.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Rules specify the audit Level a request should be recorded at.
  // A request may match multiple rules, in which case the FIRST matching rule is used.
  // The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
  // PolicyRules are strictly ordered.
  // NOTE(review): because the default is None and the first match wins, rule
  // order is security-relevant: a broad rule placed ahead of a narrower rule
  // for a sensitive resource silently takes precedence, and a request that
  // matches no rule is not audited at all.
  repeated PolicyRule rules = 2;

  // OmitStages is a list of stages for which no events are created. Note that this can also
  // be specified per rule in which case the union of both are omitted.
  // Values are presumably the same Stage strings recorded in Event.stage.
  // +optional
  repeated string omitStages = 3;
}
| |
// PolicyList is a list of audit Policies.
message PolicyList {
  // Standard list metadata.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // The policies in this list.
  repeated Policy items = 2;
}
| |
// PolicyRule maps requests based off metadata to an audit Level.
// Requests must match the rules of every field (an intersection of rules).
// Every selector below treats an empty list as "match everything", so a rule
// with no selectors set is a catch-all; see Policy.rules for why ordering
// then matters.
message PolicyRule {
  // The Level that requests matching this rule are recorded at.
  // Same string value set as Event.level.
  optional string level = 1;

  // The users (by authenticated user name) this rule applies to.
  // An empty list implies every user.
  // NOTE(review): matched on the authenticated user name; whether the
  // impersonated identity (Event.impersonatedUser) is also considered is not
  // visible here - confirm before relying on user-scoped rules to cover
  // impersonated requests.
  // +optional
  repeated string users = 2;

  // The user groups this rule applies to. A user is considered matching
  // if it is a member of any of the UserGroups.
  // An empty list implies every user group.
  // +optional
  repeated string userGroups = 3;

  // The verbs that match this rule.
  // An empty list implies every verb.
  // For non-resource requests Event.verb holds the lower-cased HTTP method,
  // so entries meant for nonResourceURLs are presumably written that way.
  // +optional
  repeated string verbs = 4;

  // Resources that this rule matches. An empty list implies all kinds in all API groups.
  // +optional
  repeated GroupResources resources = 5;

  // Namespaces that this rule matches.
  // The empty string "" matches non-namespaced resources.
  // An empty list implies every namespace.
  // +optional
  repeated string namespaces = 6;

  // NonResourceURLs is a set of URL paths that should be audited.
  // *s are allowed, but only as the full, final step in the path.
  // Examples:
  // "/metrics" - Log requests for apiserver metrics
  // "/healthz*" - Log all health checks
  // Non-resource requests are those with no Event.objectRef.
  // +optional
  repeated string nonResourceURLs = 7;

  // OmitStages is a list of stages for which no events are created. Note that this can also
  // be specified policy wide in which case the union of both are omitted.
  // An empty list means no restrictions will apply.
  // Values are presumably the same Stage strings recorded in Event.stage.
  // +optional
  repeated string omitStages = 8;
}
| |