// Copyright (c) 2019,2021 Tigera, Inc. All rights reserved.

package v3

import (
	"time"

	k8sv1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Constants shared by the GlobalThreatFeed API type and the components that
// consume it.
const (
	// KindGlobalThreatFeed is the Kind string written into TypeMeta for a single feed.
	KindGlobalThreatFeed = "GlobalThreatFeed"
	// KindGlobalThreatFeedList is the Kind string written into TypeMeta for a feed list.
	KindGlobalThreatFeedList = "GlobalThreatFeedList"
	// DefaultPullPeriod is the pull interval used when a feed does not specify one.
	// Pull.Period is a plain string, so parsing and enforcement happen outside this
	// file — presumably in the feed controller; confirm there.
	DefaultPullPeriod = 24 * time.Hour
	// MinPullPeriod is the lower bound for a feed's pull interval (enforced outside this file).
	MinPullPeriod = 5 * time.Minute
	// MaxDescriptionLength mirrors the +kubebuilder:validation:MaxLength marker on
	// GlobalThreatFeedSpec.Description; keep the two values in step.
	MaxDescriptionLength = 256
	// SecretConfigMapNamePrefix is a name prefix for Secrets/ConfigMaps associated
	// with feeds; how it is applied is not visible in this file.
	SecretConfigMapNamePrefix = "globalthreatfeed"
)

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GlobalThreatFeed is a source of intel for possible threats to the cluster. This
// object configures how Tigera components communicate with the feed and update
// detection jobs or policy based on the intel.
// +kubebuilder:subresource:status
type GlobalThreatFeed struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	metav1.ObjectMeta `json:"metadata,omitempty"`
	// Specification of the GlobalThreatFeed.
	Spec GlobalThreatFeedSpec `json:"spec,omitempty"`
	// Status is the observed state, written by the controller (status subresource).
	Status GlobalThreatFeedStatus `json:"status,omitempty"`
}

// GlobalThreatFeedSpec contains the specification of a GlobalThreatFeed resource.
type GlobalThreatFeedSpec struct {
	// Content describes the kind of data the data feed provides.
	// +kubebuilder:default=IPSet
	// +optional
	Content ThreatFeedContent `json:"content,omitempty" validate:"omitempty,oneof=IPSet DomainNameSet"`
	// Determines whether the Global Threat Feed is Enabled or Disabled.
	// +kubebuilder:default=Enabled
	// +optional
	Mode *ThreatFeedMode `json:"mode,omitempty" validate:"omitempty,oneof=Enabled Disabled"`
	// Human-readable description of the feed, limited to MaxDescriptionLength characters.
	// +kubebuilder:validation:MaxLength:=256
	Description string `json:"description,omitempty"`
	// Distinguishes between Builtin Global Threat Feeds and Custom feed types.
	// +kubebuilder:default=Custom
	// +optional
	FeedType *ThreatFeedType `json:"feedType,omitempty" validate:"omitempty,oneof=Builtin Custom"`
	// GlobalNetworkSet, when set, carries the label set for the GlobalNetworkSet
	// that is kept in sync with this feed (see GlobalNetworkSetSync).
	GlobalNetworkSet *GlobalNetworkSetSync `json:"globalNetworkSet,omitempty"`
	// Pull, when set, configures how the feed content is fetched over HTTP.
	Pull *Pull `json:"pull,omitempty"`
}

// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GlobalThreatFeedList contains a list of GlobalThreatFeed resources.
type GlobalThreatFeedList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items           []GlobalThreatFeed `json:"items"`
}

// ThreatFeedContent names the kind of indicators a feed carries; see the
// ThreatFeedContent* constants for the accepted values.
// +kubebuilder:validation:Enum=IPSet;DomainNameSet
type ThreatFeedContent string

// ThreatFeedMode switches a feed on or off; see the ThreatFeedMode* constants.
// +kubebuilder:validation:Enum=Enabled;Disabled
type ThreatFeedMode string

// ThreatFeedType tells builtin feeds apart from user-defined ones; see the
// ThreatFeedType* constants.
// +kubebuilder:validation:Enum=Builtin;Custom
type ThreatFeedType string

// Accepted ThreatFeedContent values.
const (
	ThreatFeedContentIPset         ThreatFeedContent = "IPSet"
	ThreatFeedContentDomainNameSet ThreatFeedContent = "DomainNameSet"
)

// Accepted ThreatFeedMode values.
const (
	ThreatFeedModeEnabled  ThreatFeedMode = "Enabled"
	ThreatFeedModeDisabled ThreatFeedMode = "Disabled"
)

// Accepted ThreatFeedType values.
const (
	ThreatFeedTypeBuiltin ThreatFeedType = "Builtin"
	ThreatFeedTypeCustom  ThreatFeedType = "Custom"
)

// GlobalNetworkSetSync describes the GlobalNetworkSet that is synchronised from
// a feed.
type GlobalNetworkSetSync struct {
	// Labels is a Kubernetes-style label set (checked by the "labels" validator);
	// presumably applied to the synchronised GlobalNetworkSet — confirm in the controller.
	Labels map[string]string `json:"labels,omitempty" validate:"labels"`
}

// Pull configures periodic retrieval of feed content.
type Pull struct {
	// Period is the pull interval as a string. It is not parsed here; the
	// DefaultPullPeriod and MinPullPeriod constants are the intended bounds.
	Period string `json:"period,omitempty"`
	// HTTP is the only supported transport and is required when Pull is set.
	HTTP *HTTPPull `json:"http" validate:"required"`
}

// HTTPPull describes an HTTP(S) endpoint to fetch feed content from.
type HTTPPull struct {
	// Format selects how the response body is parsed; all sub-formats are optional.
	Format ThreatFeedFormat `json:"format,omitempty" validate:"omitempty"`
	// URL is required and must pass the "url" validator.
	URL string `json:"url" validate:"required,url"`
	// Headers are sent with each request; each element is validated in turn ("dive").
	Headers []HTTPHeader `json:"headers,omitempty" validate:"dive"`
}

// ThreatFeedFormat chooses one parser for the fetched body. Each member is a
// pointer so that "unset" is distinguishable from an empty configuration.
type ThreatFeedFormat struct {
	// NewlineDelimited parses one indicator per line.
	NewlineDelimited *ThreatFeedFormatNewlineDelimited `json:"newlineDelimited,omitempty"`
	// JSON extracts indicators from a JSON document using a path expression.
	JSON *ThreatFeedFormatJSON `json:"json,omitempty" validate:"omitempty"`
	// CSV extracts indicators from one column of a CSV document.
	CSV *ThreatFeedFormatCSV `json:"csv,omitempty" validate:"omitempty"`
}

// ThreatFeedFormatNewlineDelimited has no options; its presence selects the format.
type ThreatFeedFormatNewlineDelimited struct{}

// ThreatFeedFormatJSON configures the JSON parser.
type ThreatFeedFormatJSON struct {
	// Path is the required expression locating the indicators within the document.
	Path string `json:"path,omitempty" validate:"required"`
}

// ThreatFeedFormatCSV configures the CSV parser. Exactly one of FieldNum or
// FieldName is expected: each is required when the other is absent.
type ThreatFeedFormatCSV struct {
	// FieldNum selects the indicator column by position.
	FieldNum *uint `json:"fieldNum,omitempty" validate:"required_without=FieldName"`
	// FieldName selects the indicator column by header name.
	FieldName string `json:"fieldName,omitempty" validate:"required_without=FieldNum"`
	// Header reports whether the first record is a header row.
	Header bool `json:"header,omitempty"`
	// ColumnDelimiter overrides the column separator; DefaultCSVDelimiter applies when empty — confirm in the parser.
	ColumnDelimiter string `json:"columnDelimiter,omitempty"`
	// CommentDelimiter marks lines to skip.
	CommentDelimiter string `json:"commentDelimiter,omitempty"`
	// RecordSize, when set, must be greater than zero.
	RecordSize int `json:"recordSize,omitempty" validate:"omitempty,gt=0"`
	// DisableRecordSizeValidation turns off the RecordSize check in the parser.
	DisableRecordSizeValidation bool `json:"disableRecordSizeValidation,omitempty"`
}

// DefaultCSVDelimiter is the column separator used when none is configured.
const DefaultCSVDelimiter = ','

// HTTPHeader is one request header sent to the feed endpoint. The value may be
// given inline or resolved from a ConfigMap/Secret key; prefer
// ValueFrom.SecretKeyRef over an inline Value for credentials such as
// authorization tokens, since the spec itself is not secret.
type HTTPHeader struct {
	// Name must consist of printable ASCII only.
	Name string `json:"name" validate:"printascii"`
	// Value is the literal header value.
	Value string `json:"value,omitempty"`
	// ValueFrom resolves the header value from a ConfigMap or Secret key.
	ValueFrom *HTTPHeaderSource `json:"valueFrom,omitempty"`
}

// HTTPHeaderSource identifies where a header value is read from.
type HTTPHeaderSource struct {
	// Selects a key of a ConfigMap.
	// +optional
	ConfigMapKeyRef *k8sv1.ConfigMapKeySelector `json:"configMapKeyRef,omitempty"`
	// Selects a key of a secret in the pod's namespace
	// +optional
	SecretKeyRef *k8sv1.SecretKeySelector `json:"secretKeyRef,omitempty"`
}

// GlobalThreatFeedStatus is the controller-reported state of a feed.
type GlobalThreatFeedStatus struct {
	// LastSuccessfulSync is when feed content was last pulled successfully.
	// +optional
	LastSuccessfulSync *metav1.Time `json:"lastSuccessfulSync,omitempty"`
	// LastSuccessfulSearch is when a detection search last completed successfully.
	// +optional
	LastSuccessfulSearch *metav1.Time `json:"lastSuccessfulSearch,omitempty"`
	// ErrorConditions lists outstanding errors for the feed.
	// +optional
	ErrorConditions []ErrorCondition `json:"errorConditions,omitempty"`
}

// ErrorCondition is a single reported error; both fields are required.
type ErrorCondition struct {
	Type    string `json:"type" validate:"required"`
	Message string `json:"message" validate:"required"`
}

// NewGlobalThreatFeed returns a zeroed GlobalThreatFeed whose TypeMeta names
// the current API version.
func NewGlobalThreatFeed() *GlobalThreatFeed {
	feed := new(GlobalThreatFeed)
	// Kind and APIVersion are promoted from the embedded TypeMeta.
	feed.Kind = KindGlobalThreatFeed
	feed.APIVersion = GroupVersionCurrent
	return feed
}

// NewGlobalThreatFeedList returns a zeroed GlobalThreatFeedList whose TypeMeta
// names the current API version.
func NewGlobalThreatFeedList() *GlobalThreatFeedList {
	list := new(GlobalThreatFeedList)
	// Kind and APIVersion are promoted from the embedded TypeMeta.
	list.Kind = KindGlobalThreatFeedList
	list.APIVersion = GroupVersionCurrent
	return list
}