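/*
Copyright 2020 The KubeSphere Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
// NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
//
// NOTE(review): the protobuf tags in this file reuse field numbers (number 8
// is assigned to every Receiver and AuditSinkPolicy field and to most
// WebhookSpec fields), so they cannot describe a valid protobuf message as
// written. Confirm whether any protobuf code is generated from these tags
// before relying on them; JSON serialization uses only the json tags.

// Receiver describes a destination that receives audit alerts.
type Receiver struct {
	// ReceicerName is the receiver name. The misspelled identifier is part of
	// the exported Go API and is kept for source compatibility; the JSON key
	// is "name".
	// +optional
	ReceicerName string `json:"name,omitempty" protobuf:"bytes,8,opt,name=name"`
	// ReceiverType is the receiver type, alertmanager or webhook.
	// +optional
	ReceiverType string `json:"type,omitempty" protobuf:"bytes,8,opt,name=type"`
	// ReceiverConfig holds the connection parameters for the webhook.
	// +optional
	ReceiverConfig *WebhookClientConfig `json:"config,omitempty" protobuf:"bytes,8,opt,name=config"`
}

// AuditSinkPolicy selects, by label, which archiving and alerting rules take
// effect for a webhook.
type AuditSinkPolicy struct {
	// ArchivingRuleSelector selects the archiving rules that take effect.
	ArchivingRuleSelector *metav1.LabelSelector `json:"archivingRuleSelector,omitempty" protobuf:"bytes,8,opt,name=archivingRuleSelector"`
	// AlertingRuleSelector selects the alerting rules that take effect.
	AlertingRuleSelector *metav1.LabelSelector `json:"alertingRuleSelector,omitempty" protobuf:"bytes,8,opt,name=alertingRuleSelector"`
}

// DynamicAuditConfig holds the throttling and event-selection settings for a
// webhook.
type DynamicAuditConfig struct {
	// Throttle holds the options for throttling the webhook.
	// +optional
	Throttle *WebhookThrottleConfig `json:"throttle,omitempty" protobuf:"bytes,18,opt,name=throttle"`
	// Policy defines the policy for selecting which events should be sent to the webhook.
	// +optional
	Policy *Policy `json:"policy,omitempty" protobuf:"bytes,18,opt,name=policy"`
}

// Policy defines at which level requests are recorded and for which stages
// events are created.
type Policy struct {
	// Level is the level that all requests are recorded at.
	// Available options: None, Metadata, Request, RequestResponse
	// (the Level* constants at the end of this file).
	// Required.
	Level Level `json:"level" protobuf:"bytes,1,opt,name=level"`

	// Stages is a list of stages for which events are created.
	// The json tag has no omitempty, so a nil slice is serialized as null.
	// +optional
	Stages []Stage `json:"stages" protobuf:"bytes,2,opt,name=stages"`
}

// Stage names a stage for which audit events are created (see Policy.Stages).
// No Stage values are defined in this file.
type Stage string

// Level is the level at which requests are recorded; see the Level* constants.
type Level string

// WebhookThrottleConfig limits the rate at which events are sent to the webhook.
type WebhookThrottleConfig struct {
	// QPS is the maximum number of batches per second.
	// Default 10 QPS.
	// +optional
	QPS *int64 `json:"qps,omitempty" protobuf:"bytes,1,opt,name=qps"`

	// Burst is the maximum number of events sent at the same moment.
	// Default 15.
	// +optional
	Burst *int64 `json:"burst,omitempty" protobuf:"bytes,2,opt,name=burst"`
}

// WebhookSpec defines the desired state of Webhook.
type WebhookSpec struct {
	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
	// Important: Run "make" to regenerate code after modifying this file

	// Replicas is the number of desired pods. This is a pointer to distinguish
	// between explicit zero and not specified. Defaults to 1.
	// +optional
	Replicas *int32 `json:"replicas,omitempty" protobuf:"varint,1,opt,name=replicas"`
	// Image is the webhook docker image name.
	// +optional
	Image string `json:"image,omitempty" protobuf:"bytes,2,opt,name=image"`
	// ImagePullPolicy is the image pull policy.
	// One of Always, Never, IfNotPresent.
	// Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
	// Cannot be updated.
	// More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
	// +optional
	ImagePullPolicy corev1.PullPolicy `json:"imagePullPolicy,omitempty" protobuf:"bytes,14,opt,name=imagePullPolicy,casttype=PullPolicy"`
	// ImagePullSecrets is an optional list of references to secrets in the same
	// namespace to use for pulling any of the images used by the webhook.
	// If specified, these secrets will be passed to individual puller implementations for them to use. For example,
	// in the case of docker, only DockerConfig type secrets are honored.
	// More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod
	// +optional
	// +patchMergeKey=name
	// +patchStrategy=merge
	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,15,rep,name=imagePullSecrets"`
	// Args are arguments to the entrypoint.
	// They will be appended to the args and replace the default value.
	// +optional
	Args []string `json:"args,omitempty" protobuf:"bytes,3,rep,name=args"`
	// NodeSelector is a selector which must be true for the pod to fit on a node.
	// Selector which must match a node's labels for the pod to be scheduled on that node.
	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
	// +optional
	NodeSelector map[string]string `json:"nodeSelector,omitempty" protobuf:"bytes,7,rep,name=nodeSelector"`
	// Affinity, if specified, is the pod's scheduling constraints.
	// +optional
	Affinity *corev1.Affinity `json:"affinity,omitempty" protobuf:"bytes,18,opt,name=affinity"`
	// Tolerations, if specified, are the pod's tolerations.
	// +optional
	Tolerations []corev1.Toleration `json:"tolerations,omitempty" protobuf:"bytes,22,opt,name=tolerations"`
	// Resources are the compute resources required by this container.
	// Cannot be updated.
	// More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
	// +optional
	Resources *corev1.ResourceRequirements `json:"resources,omitempty" protobuf:"bytes,8,opt,name=resources"`
	// Receivers contains the information to make a connection with the alertmanager.
	// +optional
	Receivers []Receiver `json:"receivers,omitempty" protobuf:"bytes,8,opt,name=receivers"`

	// AuditSinkPolicy is a rule selector; only the rules matched by this
	// selector take effect.
	// +optional
	*AuditSinkPolicy `json:"auditSinkPolicy,omitempty" protobuf:"bytes,8,opt,name=auditSinkPolicy"`
	// Priority is the rule priority, DEBUG < INFO < WARNING.
	// Audit events will be stored only when the priority of the audit rule
	// matching the audit event is greater than this.
	Priority string `json:"priority,omitempty" protobuf:"bytes,8,opt,name=priority"`
	// AuditType is the audit type, static or dynamic.
	AuditType string `json:"auditType,omitempty" protobuf:"bytes,8,opt,name=auditType"`
	// AuditLevel is the level that all requests are recorded at.
	// Available options: None, Metadata, Request, RequestResponse
	// Default: Metadata
	// The json tag has no omitempty, so an unset value is serialized as "".
	// +optional
	AuditLevel Level `json:"auditLevel" protobuf:"bytes,1,opt,name=auditLevel"`
	// K8sAuditingEnabled reports whether K8s auditing is enabled.
	// The protobuf tag previously named this field "priority" (copied from
	// Priority above); it now names the field itself and uses the varint
	// wire type that a bool requires.
	K8sAuditingEnabled bool `json:"k8sAuditingEnabled,omitempty" protobuf:"varint,8,opt,name=k8sAuditingEnabled"`
}

// WebhookClientConfig contains the information to make a TLS connection with
// the webhook.
type WebhookClientConfig struct {
	// `url` gives the location of the webhook, in standard URL form
	// (`scheme://host:port/path`). Exactly one of `url` or `service`
	// must be specified.
	//
	// The `host` should not refer to a service running in the cluster; use
	// the `service` field instead. The host might be resolved via external
	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
	// in-cluster DNS as that would be a layering violation). `host` may
	// also be an IP address.
	//
	// Please note that using `localhost` or `127.0.0.1` as a `host` is
	// risky unless you take great care to run this webhook on all hosts
	// which run an apiserver which might need to make calls to this
	// webhook. Such installs are likely to be non-portable, i.e., not easy
	// to turn up in a new cluster.
	//
	// The scheme must be "https"; the URL must begin with "https://".
	//
	// A path is optional, and if present may be any string permissible in
	// a URL. You may use the path to pass an arbitrary string to the
	// webhook, for example, a cluster identifier.
	//
	// Attempting to use a user or basic auth e.g. "user:password@" is not
	// allowed. Fragments ("#...") and query parameters ("?...") are not
	// allowed, either.
	//
	// NOTE(review): the constraints above are documentation only; this file
	// contains no validation code. Confirm where (or whether) the https-only,
	// no-credentials and "exactly one of url/service" rules are enforced.
	//
	// +optional
	URL *string `json:"url,omitempty" protobuf:"bytes,1,opt,name=url"`

	// `service` is a reference to the service for this webhook. Either
	// `service` or `url` must be specified.
	//
	// If the webhook is running within the cluster, then you should use `service`.
	//
	// +optional
	Service *ServiceReference `json:"service,omitempty" protobuf:"bytes,2,opt,name=service"`

	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
	// If unspecified, system trust roots on the apiserver are used.
	// +optional
	CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,3,opt,name=caBundle"`
}

// WebhookStatus defines the observed state of Webhook.
type WebhookStatus struct {
	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
	// Important: Run "make" to regenerate code after modifying this file
}

// +genclient
// +genclient:noStatus
// +genclient:nonNamespaced
// +kubebuilder:object:root=true

// Webhook is the Schema for the webhooks API.
type Webhook struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   WebhookSpec   `json:"spec,omitempty"`
	Status WebhookStatus `json:"status,omitempty"`
}

// +kubebuilder:object:root=true

// WebhookList contains a list of Webhook.
type WebhookList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Webhook `json:"items"`
}

// ServiceReference identifies an in-cluster service that hosts the webhook.
type ServiceReference struct {
	// `namespace` is the namespace of the service.
	// Required
	Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"`

	// `name` is the name of the service.
	// Required
	Name string `json:"name" protobuf:"bytes,2,opt,name=name"`

	// `path` is an optional URL path which will be sent in any request to
	// this service.
	// +optional
	Path *string `json:"path,omitempty" protobuf:"bytes,3,opt,name=path"`

	// `port`, if specified, is the port on the service that hosts the webhook.
	// Defaults to 443 for backward compatibility.
	// `port` should be a valid port number (1-65535, inclusive).
	// +optional
	Port *int32 `json:"port,omitempty" protobuf:"varint,4,opt,name=port"`
}

// init registers the Webhook and WebhookList types with the package's
// SchemeBuilder (declared elsewhere in this package).
func init() {
	SchemeBuilder.Register(&Webhook{}, &WebhookList{})
}

// Audit levels, in increasing order of the amount of data recorded.
const (
	// LevelNone disables auditing
	LevelNone Level = "None"
	// LevelMetadata provides the basic level of auditing.
	LevelMetadata Level = "Metadata"
	// LevelRequest provides Metadata level of auditing, and additionally
	// logs the request object (does not apply for non-resource requests).
	LevelRequest Level = "Request"
	// LevelRequestResponse provides Request level of auditing, and additionally
	// logs the response object (does not apply for non-resource requests and watches).
	LevelRequestResponse Level = "RequestResponse"
)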