syntax = "proto3";

package runtime.v1;

import "api/google/protobuf/timestamp.proto";
import "api/v1/runtime/common.proto";

option go_package = "github.com/castai/kvisord/api/runtime/v1";

// RuntimeSecurityAgentAPI is used in kvisord. Should be mirrored.
//
// Agent/controller-to-backend API: configuration lookup, client-streaming
// writers for events, logs and container stats, image sync state, and
// ingest endpoints for Kubernetes deltas, image metadata and
// kube-bench / kube-linter reports.
//
// NOTE(review): this file is a wire contract that is mirrored in another
// repository, so field numbers and names are part of the published API.
// Review remarks below are comments only; none of them rename, renumber or
// retype a field.
//
// Types referenced here but not defined in this file (LogEvent, v1.Exec,
// v1.DNS, v1.File, v1.Tuple, v1.SignatureEvent, v1.Any, v1.Stats) are
// presumably declared in api/v1/runtime/common.proto — confirm.
service RuntimeSecurityAgentAPI {
  // Returns a Configuration for the caller's currently running config.
  rpc GetConfiguration(GetConfigurationRequest) returns (GetConfigurationResponse) {}
  // Client-streaming writers. Each stream is acknowledged with a single,
  // currently empty, WriteStreamResponse.
  rpc EventsWriteStream(stream Event) returns (WriteStreamResponse) {}
  rpc LogsWriteStream(stream LogEvent) returns (WriteStreamResponse) {}
  rpc ContainerStatsWriteStream(stream ContainerStatsBatch) returns (WriteStreamResponse) {}

  // Image sync state: read which images the backend knows about, then push
  // updates (optionally as a full snapshot).
  rpc GetSyncState(GetSyncStateRequest) returns (GetSyncStateResponse) {}
  rpc UpdateSyncState(UpdateSyncStateRequest) returns (UpdateSyncStateResponse) {}

  // Bidirectional stream: one KubernetesDeltaIngestResponse per item is the
  // likely contract, but the schema itself does not fix the pairing — confirm.
  rpc KubernetesDeltaIngest(stream KubernetesDeltaItem) returns (stream KubernetesDeltaIngestResponse) {}
  // NOTE(review): the three ingest RPCs below take a data message directly
  // rather than a dedicated *Request message; adding request-level fields
  // later (e.g. an idempotency key) would require a new RPC.
  rpc ImageMetadataIngest(ImageMetadata) returns (ImageMetadataIngestResponse) {}
  rpc KubeBenchReportIngest(KubeBenchReport) returns (KubeBenchReportIngestResponse) {}
  rpc KubeLinterReportIngest(KubeLinterReport) returns (KubeLinterReportIngestResponse) {}
}

// The caller's current configuration, identifying which component is asking.
message GetConfigurationRequest {
  // Exactly one of these is set; check the oneof case rather than testing
  // each message for nil.
  oneof current_config {
    ControllerConfig controller = 1;
    AgentConfig agent = 2;
  }
}

message GetConfigurationResponse {
  Configuration config = 1;
}

// Placeholder for configuration returned by the backend; no fields yet.
message Configuration {}

// Runtime configuration of the controller component.
message ControllerConfig {
  // Logging. log_rate_interval is a string; its format (e.g. a Go duration)
  // is not fixed by the schema — confirm with the parser on both sides.
  string log_level = 1;
  string log_rate_interval = 2;
  int32 log_rate_burst = 3;

  // Build/deployment identity.
  string version = 4;
  string chart_version = 5;

  // Kubernetes identity of the controller pod.
  string pod_namespace = 6;
  string pod_name = 7;

  int32 http_listen_port = 8;
  int32 metrics_http_listen_port = 9;

  string pyroscope_addr = 10;

  // Per-feature sub-configurations.
  CastaiControllerConfig castai_controller = 11;
  CastaiConfig castai_env = 12;
  ImageScanConfig image_scan = 13;
  LinterConfig linter = 14;
  KubeBenchConfig kube_bench = 15;
  DeltaConfig delta = 16;
  JobsCleanupConfig jobs_cleanup = 17;
  ControllerAgentConfig agent_config = 18;
}

message CastaiControllerConfig {
  // Duration carried as a string; format not fixed by the schema.
  string remote_config_sync_duration = 1;
}

// Configuration of the image scanning feature run by the controller.
message ImageScanConfig {
  bool enabled = 1;
  // Per its name this carries the *name* of a secret reference, not the
  // secret material itself — confirm, since this message is sent over the
  // wire in GetConfigurationRequest.
  string castai_secret_ref_name = 2;
  // Duration-like strings; format not fixed by the schema.
  string scan_interval = 3;
  string scan_timeout = 4;
  int64 max_concurrent_scans = 5;
  string scan_job_image_pull_policy = 6;
  string mode = 7;
  // Resource requests/limits for scan jobs, as strings (presumably
  // Kubernetes quantity syntax — confirm).
  string cpu_request = 8;
  string cpu_limit = 9;
  string memory_request = 10;
  string memory_limit = 11;
  bool profile_enabled = 12;
  bool phlare_enabled = 13;
  // Same remark as castai_secret_ref_name: expected to be a secret name.
  string private_registry_pull_secret = 14;
  string service_account = 15;
  string init_delay = 16;
  string image_scan_blobs_cache_url = 17;
}

// Configuration of the kube-linter feature.
message LinterConfig {
  bool enabled = 1;
  // Duration-like strings; format not fixed by the schema.
  string scan_interval = 2;
  string init_delay = 3;
}

// Configuration of the kube-bench feature.
message KubeBenchConfig {
  bool enabled = 1;
  bool force = 2;
  // Duration-like string; format not fixed by the schema.
  string scan_interval = 3;
  string job_image_pull_policy = 4;
  string cloud_provider = 5;
  string job_namespace = 6;
}

// Configuration of the Kubernetes delta feature.
message DeltaConfig {
  bool enabled = 1;
  // Duration-like strings; format not fixed by the schema.
  string interval = 2;
  // NOTE(review): "deltay" looks like a typo of "delay". Renaming is
  // wire-safe but changes the JSON key and generated accessors in every
  // mirror of this file, so it is flagged rather than fixed here.
  string initial_deltay = 3;
  string send_timeout = 4;
  bool use_compression = 5;
}

// Configuration of the job cleanup feature.
message JobsCleanupConfig {
  // Duration-like strings; format not fixed by the schema.
  string cleanup_interval = 1;
  string cleanup_job_age = 2;
  string namespace = 3;
}

// Runtime configuration of the agent component.
//
// NOTE(review): field numbers 8 and 11 are unused and not reserved. If they
// were ever shipped, add `reserved 8, 11;` so they cannot be reused with a
// different meaning.
message AgentConfig {
  // Logging. Duration-like strings; format not fixed by the schema.
  string log_level = 1;
  string log_rate_interval = 2;
  int32 log_rate_burst = 3;
  string send_logs_level = 4;
  string version = 5;
  // Host paths the agent reads from.
  string btf_path = 6;
  string pyroscope_addr = 7;
  string containerd_sock_path = 9;
  string host_cgroups_dir = 10;
  int32 metrics_http_listen_port = 12;
  AgentStateControllerConfig state = 13;
  // eBPF buffer sizing; units (entries vs. bytes) are not stated — confirm.
  int32 ebpf_events_per_cpu_buffer = 14;
  int32 ebpf_events_output_chan_size = 15;
  // Namespaces whose events are suppressed.
  repeated string muted_namespaces = 16;
  SignatureEngineConfig signature_engine_config = 17;
  CastaiConfig castai_env = 18;
  EnricherConfig enricher_config = 19;
  NetflowConfig netflow = 20;
}

message ControllerAgentConfig {
  bool enabled = 1;
}

message AgentStateControllerConfig {
  int32 events_sink_queue_size = 1;
  // Duration-like string; format not fixed by the schema.
  string container_stats_scrape_interval = 2;
}

message SOCKS5DetectedSignatureConfig {
  uint32 cache_size = 1;
}

// Configuration of the agent's signature engine.
message SignatureEngineConfig {
  int32 input_chan_size = 1;
  int32 output_chan_size = 2;
  bool tty_detected_signature_enabled = 3;
  bool socks5_detected_signature_enabled = 4;
  SOCKS5DetectedSignatureConfig socks5_detected_signature_config = 5;
}

// Connection details for the CAST AI backend.
message CastaiConfig {
  string cluster_id = 1;
  string api_grpc_addr = 2;
  // NOTE(review): the name suggests that, when true, transport security
  // toward api_grpc_addr is relaxed (plaintext or unverified TLS). The
  // schema does not say which; document the exact effect at the consumer
  // and treat a true value as a deployment-sensitive setting.
  bool insecure = 3;
}

message EnricherConfig {
  bool enable_file_hash_enricher = 1;
}

message NetflowConfig {
  bool enabled = 1;
  // Interval in seconds, per the field name.
  uint64 sample_submit_interval_seconds = 2;
}

// Kind of runtime event carried by Event.
//
// NOTE(review): values are not prefixed with the enum name (UNKNOWN, EVENT_*),
// so they share the package scope with every other enum here; renaming is
// codegen-breaking, so this is flagged only. Receivers should tolerate
// values they do not know, since proto3 preserves unknown enum values.
enum EventType {
  UNKNOWN = 0;
  EVENT_EXEC = 1;
  EVENT_DNS = 2;
  EVENT_TCP_CONNECT = 3;
  EVENT_TCP_CONNECT_ERROR = 4;
  EVENT_TCP_LISTEN = 5;
  EVENT_FILE_CHANGE = 6;
  EVENT_PROCESS_OOM = 7;
  EVENT_MAGIC_WRITE = 8;
  EVENT_SIGNATURE = 9;

  // Presumably a wildcard/catch-all rather than a concrete event kind —
  // confirm before matching on it.
  EVENT_ANY = 999;
}

// A single runtime event observed by the agent, with its Kubernetes context.
// Field numbers 14–20 are unused; the oneof starts at 21.
message Event {
  EventType event_type = 1;
  uint64 timestamp = 2; // Stored as unix timestamp in nanoseconds.
  string process_name = 3;
  // Kubernetes context of the originating container.
  string namespace = 4;
  string pod_name = 5;
  string container_name = 6;
  string workload_name = 7;
  string workload_kind = 13;
  string pod_uid = 8;
  string container_id = 9;
  uint64 cgroup_id = 10;
  uint32 host_pid = 11;
  string workload_uid = 12;

  // Event-type-specific payload. Which member is expected for which
  // event_type is not encoded in the schema; consumers should check the
  // oneof case rather than trusting event_type alone.
  oneof data {
    v1.Exec exec = 21;
    v1.DNS dns = 22;
    v1.File file = 23;
    v1.Tuple tuple = 24;
    v1.SignatureEvent signature = 25;
    v1.Any any = 26;
  }
}

// Empty acknowledgement for the *WriteStream RPCs.
message WriteStreamResponse {}

// Not referenced by any RPC in this file; possibly legacy — confirm before
// removing (mark deprecated and keep the name reserved if it was published).
message SendLogsResponse {}

message ContainerStatsBatch {
  repeated ContainerStats items = 1;
}

// Stats for one container, with its Kubernetes context.
message ContainerStats {
  string namespace = 1;
  string pod_name = 2;
  string container_name = 3;
  string workload_name = 4;
  string workload_kind = 7;
  string pod_uid = 5;
  string container_id = 6;
  repeated v1.Stats stats = 21;
}

// Kind of change carried by KubernetesDeltaItem.
//
// NOTE(review): DELTA_ADD is the zero value, so an unset or unrecognised
// `event` decodes as an add. A *_UNSPECIFIED = 0 value would avoid that,
// but changing it now is breaking; consumers should treat ADD defensively.
enum KubernetesDeltaItemEvent {
  DELTA_ADD = 0;
  DELTA_UPDATE = 1;
  DELTA_REMOVE = 2;
}

// One change to a Kubernetes object, with a subset of its metadata.
message KubernetesDeltaItem {
  KubernetesDeltaItemEvent event = 1;
  string object_uid = 2;
  string object_name = 3;
  string object_namespace = 4;
  string object_kind = 5;
  string object_api_version = 6;
  google.protobuf.Timestamp object_created_at = 7;
  repeated Container object_containers = 8;
  string object_owner_uid = 9;
  // Wire order of map entries is undefined; do not depend on it.
  map<string, string> object_labels = 10;
  map<string, string> object_annotations = 11;
  // Opaque serialized object status/spec. The encoding is not stated here
  // (the ImageMetadata blobs below are documented as JSON; these are not —
  // confirm). The schema places no bound on their size, so the receiver
  // should enforce a size limit before decoding.
  bytes object_status = 12;
  bytes object_spec = 13;
}

message Container {
  string name = 1;
  string image_name = 2;
}

message KubernetesDeltaIngestResponse {}

// Metadata about a container image, including several opaque JSON blobs.
// Field number 4 is unused and not reserved.
message ImageMetadata {
  string image_name = 1;
  string image_id = 2;
  string image_digest = 3;
  string architecture = 5;
  string os_name = 6;
  google.protobuf.Timestamp created_at = 7;
  repeated string resource_ids = 8;

  // The four blobs below are JSON documents whose shape is defined by the
  // named Go types, not by this schema. Their size is unbounded here, so the
  // receiving side should cap message size and decode them with limits.
  bytes packages = 9; // JSON containing []github.com/aquasecurity/trivy/pkg/fanal/types.BlobInfo type.
  bytes manifest = 10; // JSON containing github.com/google/go-containerregistry/pkg/v1.Manifest type.
  bytes index = 11; // JSON containing github.com/google/go-containerregistry/pkg/v1.IndexManifest type.
  bytes config_file = 12; // JSON containing github.com/google/go-containerregistry/pkg/v1.ConfigFile type.
}

message ImageMetadataIngestResponse {}

message GetSyncStateRequest {
  repeated string image_ids = 1;
}
message GetSyncStateResponse {
  ImagesSyncState images = 1;
}

message ImagesSyncState {
  // When true the client is expected to resend everything — confirm.
  bool full_resync_required = 1;
  repeated Image images = 2;
}

enum ImageScanStatus {
  IMAGE_SCAN_STATUS_UNKNOWN = 0;
  IMAGE_SCAN_STATUS_SCANNED = 1;
  IMAGE_SCAN_STATUS_PENDING = 2;
  IMAGE_SCAN_STATUS_SCAN_ERROR = 3;
}

// Sync-state record for one image.
message Image {
  string id = 1;
  string name = 2;
  string architecture = 3;
  repeated string resource_ids = 4;
  ImageScanStatus scan_status = 5;
  // Free-form error text; presumably only set with IMAGE_SCAN_STATUS_SCAN_ERROR.
  string scan_error = 6;
}

message UpdateSyncStateRequest {
  // When true, `images` is the complete set rather than an incremental update.
  bool full_snapshot = 1;
  repeated Image images = 2;
}

message UpdateSyncStateResponse {}

// kube-bench results for one node.
message KubeBenchReport {
  repeated KubeBenchControls controls = 1;
  KubeBenchNode node = 2;
}
message KubeBenchReportIngestResponse {}

message KubeBenchNode {
  string node_name = 1;
  string resource_uid = 2;
}

message KubeBenchControls {
  string version = 1;
  repeated KubeBenchGroup groups = 2;
}

message KubeBenchGroup {
  repeated KubeBenchCheck checks = 1;
}

// One kube-bench check. `state` is a free-form string rather than an enum;
// the accepted values are not fixed by the schema.
message KubeBenchCheck {
  string id = 1;
  string text = 2;
  repeated string test_info = 3;
  string state = 4;
}

// kube-linter results, one entry per checked resource.
message KubeLinterReport {
  repeated KubeLinterCheck checks = 1;
}
message KubeLinterReportIngestResponse {}

// kube-linter result for one resource. Because both fields are 64-bit
// bitmasks, at most 64 distinct checks can be represented; the bit-to-check
// mapping lives outside this schema and must match on both sides.
message KubeLinterCheck {
  string resource_uid = 1;
  uint64 passed = 2; // Represented as bitmasks of passed checks.
  uint64 failed = 3; // Represented as bitmasks of failed checks.
}

enum NetflowProtocol {
  NETFLOW_PROTOCOL_UNKNOWN = 0;
  NETFLOW_PROTOCOL_TCP = 1;
  NETFLOW_PROTOCOL_UDP = 2;
}

// Aggregated network flow from one source over [start_ts, end_ts].
// Field number 13 is unused and not reserved.
message Netflow {
  uint64 start_ts = 1; // Stored as unix timestamp in nanoseconds.
  uint64 end_ts = 2; // Stored as unix timestamp in nanoseconds.
  string process_name = 3;
  // Kubernetes context of the source.
  string namespace = 4;
  string pod_name = 5;
  string container_name = 6;
  string workload_name = 7;
  string workload_kind = 8;
  string zone = 9;
  // Raw source address bytes; family (IPv4 vs IPv6) is implied by length only.
  bytes addr = 10;
  uint32 port = 11;
  NetflowProtocol protocol = 12;
  repeated NetflowDestination destinations = 14;
}

// One destination of a Netflow with its byte/packet counters.
// Field number 7 is unused and not reserved.
message NetflowDestination {
  string namespace = 1;
  string pod_name = 2;
  string workload_name = 3;
  string workload_kind = 4;
  string zone = 5;
  string dns_question = 6;
  // Raw destination address bytes; family is implied by length only.
  bytes addr = 8;
  uint32 port = 9;
  // Counters are from the source's point of view (tx = sent) — presumably;
  // confirm with the producer.
  uint64 tx_bytes = 10;
  uint64 rx_bytes = 11;
  uint64 tx_packets = 12;
  uint64 rx_packets = 13;
}