k8s.io/apiserver@v0.31.1/pkg/apis/audit/v1/generated.proto (about)

     1  /*
     2  Copyright The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  
    18  // This file was autogenerated by go-to-protobuf. Do not edit it manually!
    19  
    20  syntax = "proto2";
    21  
    22  package k8s.io.apiserver.pkg.apis.audit.v1;
    23  
    24  import "k8s.io/api/authentication/v1/generated.proto";
    25  import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
    26  import "k8s.io/apimachinery/pkg/runtime/generated.proto";
    27  import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
    28  
    29  // Package-wide variables from generator "generated".
    30  option go_package = "k8s.io/apiserver/pkg/apis/audit/v1";
    31  
    32  // Event captures all the information that can be included in an API audit log.
    33  message Event {
    34    // AuditLevel at which event was generated
          // Known values are None, Metadata, Request and RequestResponse. The field is
          // a plain string on the wire, so log consumers should tolerate values they
          // do not recognise rather than assume a closed set.
    35    optional string level = 1;
    36  
    37    // Unique audit ID, generated for each request.
          // NOTE(review): the apiserver is understood to honour a caller-supplied
          // Audit-ID request header - confirm. If so, use this value to correlate the
          // events of one request, not as a trusted or globally unique key.
    38    optional string auditID = 2;
    39  
    40    // Stage of the request handling when this event instance was generated.
          // Known values are RequestReceived, ResponseStarted, ResponseComplete and
          // Panic; the field is a plain string on the wire.
    41    optional string stage = 3;
    42  
    43    // RequestURI is the request URI as sent by the client to a server.
          // This is client-controlled text: treat it as untrusted when parsing,
          // indexing or rendering audit logs.
    44    optional string requestURI = 4;
    45  
    46    // Verb is the kubernetes verb associated with the request.
    47    // For non-resource requests, this is the lower-cased HTTP method.
    48    optional string verb = 5;
    49  
    50    // Authenticated user information.
          // This stays the authenticated caller even when impersonatedUser is set.
    51    optional .k8s.io.api.authentication.v1.UserInfo user = 6;
    52  
    53    // Impersonated user information.
          // Attribution should consider both this field and `user`: this is the
          // identity being impersonated, `user` is who authenticated.
    54    // +optional
    55    optional .k8s.io.api.authentication.v1.UserInfo impersonatedUser = 7;
    56  
    57    // Source IPs, from where the request originated and intermediate proxies.
    58    // The source IPs are listed from (in order):
    59    // 1. X-Forwarded-For request header IPs
    60    // 2. X-Real-Ip header, if not present in the X-Forwarded-For list
    61    // 3. The remote address for the connection, if it doesn't match the last
    62    //    IP in the list up to here (X-Forwarded-For or X-Real-Ip).
    63    // Note: All but the last IP can be arbitrarily set by the client.
          // By rule 3 the last entry equals the connection's remote address, which
          // may itself be a proxy or load balancer. Detections and allow-lists
          // should not rely on the earlier, header-derived entries.
    64    // +optional
    65    // +listType=atomic
    66    repeated string sourceIPs = 8;
    67  
    68    // UserAgent records the user agent string reported by the client.
    69    // Note that the UserAgent is provided by the client, and must not be trusted.
          // Declared here but numbered 16: the field number, not the position in the
          // message, identifies the field on the wire.
    70    // +optional
    71    optional string userAgent = 16;
    72  
    73    // Object reference this request is targeted at.
    74    // Does not apply for List-type requests, or non-resource requests.
    75    // +optional
    76    optional ObjectReference objectRef = 9;
    77  
    78    // The response status, populated even when the ResponseObject is not a Status type.
    79    // For successful responses, this will only include the Code and StatusSuccess.
    80    // For non-status type error responses, this will be auto-populated with the error Message.
    81    // +optional
    82    optional .k8s.io.apimachinery.pkg.apis.meta.v1.Status responseStatus = 10;
    83  
    84    // API object from the request, in JSON format. The RequestObject is recorded as-is in the request
    85    // (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
    86    // merging. It is an external versioned object type, and may not be a valid object on its own.
    87    // Omitted for non-resource requests.  Only logged at Request Level and higher.
          // Because the body is recorded as-is, it can carry sensitive payloads (for
          // example the data of a Secret). Audit policy and log access controls
          // should account for that before enabling Request level or higher.
    88    // +optional
    89    optional .k8s.io.apimachinery.pkg.runtime.Unknown requestObject = 11;
    90  
    91    // API object returned in the response, in JSON. The ResponseObject is recorded after conversion
    92    // to the external type, and serialized as JSON.  Omitted for non-resource requests.  Only logged
    93    // at Response Level.
          // The same sensitivity caveat as for requestObject applies: the full
          // returned object is stored in the audit log.
    94    // +optional
    95    optional .k8s.io.apimachinery.pkg.runtime.Unknown responseObject = 12;
    96  
    97    // Time the request reached the apiserver.
    98    // +optional
    99    optional .k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime requestReceivedTimestamp = 13;
   100  
   101    // Time the request reached current audit stage.
   102    // +optional
   103    optional .k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime stageTimestamp = 14;
   104  
   105    // Annotations is an unstructured key value map stored with an audit event that may be set by
   106    // plugins invoked in the request serving chain, including authentication, authorization and
   107    // admission plugins. Note that these annotations are for the audit event, and do not correspond
   108    // to the metadata.annotations of the submitted object. Keys should uniquely identify the informing
   109    // component to avoid name collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values
   110    // should be short. Annotations are included in the Metadata level.
          // Map entries have no defined order on the wire, so consumers must look
          // entries up by key rather than by position.
   111    // +optional
   112    map<string, string> annotations = 15;
   113  }
   114  
   115  // EventList is a list of audit Events.
   116  message EventList {
          // Standard list metadata, typed as ListMeta from the imported meta/v1 package.
   117    // +optional
   118    optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
   119  
          // Items holds the audit Events in this list.
   120    repeated Event items = 2;
   121  }
   122  
   123  // GroupResources represents resource kinds in an API group.
   124  message GroupResources {
   125    // Group is the name of the API group that contains the resources.
   126    // The empty string represents the core API group.
          // An unset group therefore selects the core group, not "all groups".
   127    // +optional
   128    optional string group = 1;
   129  
   130    // Resources is a list of resources this rule applies to.
   131    //
   132    // For example:
   133    // - `pods` matches pods.
   134    // - `pods/log` matches the log subresource of pods.
   135    // - `*` matches all resources and their subresources.
   136    // - `pods/*` matches all subresources of pods.
   137    // - `*/scale` matches all scale subresources.
   138    //
   139    // If wildcard is present, the validation rule will ensure resources do not
   140    // overlap with each other.
   141    //
   142    // An empty list implies all resources and subresources in this API group apply.
   143    // +optional
   144    // +listType=atomic
   145    repeated string resources = 2;
   146  
   147    // ResourceNames is a list of resource instance names that the policy matches.
   148    // Using this field requires Resources to be specified.
   149    // An empty list implies that every instance of the resource is matched.
   150    // +optional
   151    // +listType=atomic
   152    repeated string resourceNames = 3;
   153  }
   154  
   155  // ObjectReference contains enough information to let you inspect or modify the referred object.
   156  message ObjectReference {
          // Resource type of the referred object
          // (presumably the plural resource name, e.g. `pods` - confirm).
   157    // +optional
   158    optional string resource = 1;
   159  
          // Namespace of the referred object
          // (presumably unset for non-namespaced resources - confirm).
   160    // +optional
   161    optional string namespace = 2;
   162  
          // Name of the referred object.
   163    // +optional
   164    optional string name = 3;
   165  
          // UID of the referred object
          // (presumably the object's metadata.uid - confirm).
   166    // +optional
   167    optional string uid = 4;
   168  
   169    // APIGroup is the name of the API group that contains the referred object.
   170    // The empty string represents the core API group.
   171    // +optional
   172    optional string apiGroup = 5;
   173  
   174    // APIVersion is the version of the API group that contains the referred object.
   175    // +optional
   176    optional string apiVersion = 6;
   177  
          // ResourceVersion of the referred object
          // (presumably the object's metadata.resourceVersion - confirm).
   178    // +optional
   179    optional string resourceVersion = 7;
   180  
          // Subresource targeted by the request, if any
          // (presumably the part after the slash in forms such as `pods/log` - confirm).
   181    // +optional
   182    optional string subresource = 8;
   183  }
   184  
   185  // Policy defines the configuration of audit logging, and the rules for how different request
   186  // categories are logged.
   187  message Policy {
   188    // ObjectMeta is included for interoperability with API infrastructure.
   189    // +optional
   190    optional .k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
   191  
   192    // Rules specify the audit Level a request should be recorded at.
   193    // A request may match multiple rules, in which case the FIRST matching rule is used.
   194    // The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
   195    // PolicyRules are strictly ordered.
          // Because only the first match applies, a broad rule placed early shadows
          // every more specific rule after it; order rules from most to least specific.
          // A request that matches no rule falls back to the default level None unless
          // a final catch-all rule is present.
   196    // +listType=atomic
   197    repeated PolicyRule rules = 2;
   198  
   199    // OmitStages is a list of stages for which no events are created. Note that this can also
   200    // be specified per rule in which case the union of both are omitted.
   201    // +optional
   202    // +listType=atomic
   203    repeated string omitStages = 3;
   204  
   205    // OmitManagedFields indicates whether to omit the managed fields of the request
   206    // and response bodies from being written to the API audit log.
   207    // This is used as a global default - a value of 'true' will omit the managed fields,
   208    // otherwise the managed fields will be included in the API audit log.
   209    // Note that this can also be specified per rule in which case the value specified
   210    // in a rule will override the global default.
   211    // +optional
   212    optional bool omitManagedFields = 4;
   213  }
   214  
   215  // PolicyList is a list of audit Policies.
   216  message PolicyList {
          // Standard list metadata, typed as ListMeta from the imported meta/v1 package.
   217    // +optional
   218    optional .k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
   219  
          // Items holds the audit Policies in this list.
   220    repeated Policy items = 2;
   221  }
   222  
   223  // PolicyRule maps requests based off metadata to an audit Level.
   224  // Requests must match the rules of every field (an intersection of rules).
   225  message PolicyRule {
   226    // The Level that requests matching this rule are recorded at.
          // Known values are None, Metadata, Request and RequestResponse; the field is
          // a plain string on the wire.
   227    optional string level = 1;
   228  
   229    // The users (by authenticated user name) this rule applies to.
   230    // An empty list implies every user.
   231    // +optional
   232    // +listType=atomic
   233    repeated string users = 2;
   234  
   235    // The user groups this rule applies to. A user is considered matching
   236    // if it is a member of any of the UserGroups.
   237    // An empty list implies every user group.
   238    // +optional
   239    // +listType=atomic
   240    repeated string userGroups = 3;
   241  
   242    // The verbs that match this rule.
   243    // An empty list implies every verb.
   244    // +optional
   245    // +listType=atomic
   246    repeated string verbs = 4;
   247  
   248    // Resources that this rule matches. An empty list implies all kinds in all API groups.
   249    // +optional
   250    // +listType=atomic
   251    repeated GroupResources resources = 5;
   252  
   253    // Namespaces that this rule matches.
   254    // The empty string "" matches non-namespaced resources.
   255    // An empty list implies every namespace.
          // Note the difference: a list containing "" selects non-namespaced
          // resources, while an empty list places no restriction on namespace.
   256    // +optional
   257    // +listType=atomic
   258    repeated string namespaces = 6;
   259  
   260    // NonResourceURLs is a set of URL paths that should be audited.
   261    // `*`s are allowed, but only as the full, final step in the path.
   262    // Examples:
   263    // - `/metrics` - Log requests for apiserver metrics
   264    // - `/healthz*` - Log all health checks
   265    // +optional
   266    // +listType=atomic
   267    repeated string nonResourceURLs = 7;
   268  
   269    // OmitStages is a list of stages for which no events are created. Note that this can also
   270    // be specified policy wide in which case the union of both are omitted.
   271    // An empty list means no restrictions will apply.
   272    // +optional
   273    // +listType=atomic
   274    repeated string omitStages = 8;
   275  
   276    // OmitManagedFields indicates whether to omit the managed fields of the request
   277    // and response bodies from being written to the API audit log.
   278    // - a value of 'true' will drop the managed fields from the API audit log
   279    // - a value of 'false' indicates that the managed fields should be included
   280    //   in the API audit log
   281    // Note that the value, if specified, in this rule will override the global default
   282    // If a value is not specified then the global default specified in
   283    // Policy.OmitManagedFields will stand.
          // The field is declared `optional` so that an unset value can be told apart
          // from an explicit false, which the override rule above depends on.
   284    // +optional
   285    optional bool omitManagedFields = 9;
   286  }
   287