/* Copyright The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ // This file was autogenerated by go-to-protobuf. Do not edit it manually! syntax = "proto2"; package k8s.io.apiserver.pkg.apis.audit.v1beta1; import "k8s.io/api/authentication/v1/generated.proto"; import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto"; import "k8s.io/apimachinery/pkg/runtime/generated.proto"; import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto"; // Package-wide variables from generator "generated". option go_package = "v1beta1"; // DEPRECATED - This group version of Event is deprecated by audit.k8s.io/v1/Event. See the release notes for // more information. // Event captures all the information that can be included in an API audit log. message Event { // ObjectMeta is included for interoperability with API infrastructure. // +optional // DEPRECATED: Use StageTimestamp which supports micro second instead of ObjectMeta.CreateTimestamp // and the rest of the object is not used optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // AuditLevel at which event was generated optional string level = 2; // Time the request reached the apiserver. // DEPRECATED: Use RequestReceivedTimestamp which supports micro second instead. optional k8s.io.apimachinery.pkg.apis.meta.v1.Time timestamp = 3; // Unique audit ID, generated for each request. optional string auditID = 4; // Stage of the request handling when this event instance was generated. optional string stage = 5; // RequestURI is the request URI as sent by the client to a server. optional string requestURI = 6; // Verb is the kubernetes verb associated with the request. // For non-resource requests, this is the lower-cased HTTP method. optional string verb = 7; // Authenticated user information. optional k8s.io.api.authentication.v1.UserInfo user = 8; // Impersonated user information. // +optional optional k8s.io.api.authentication.v1.UserInfo impersonatedUser = 9; // Source IPs, from where the request originated and intermediate proxies. // +optional repeated string sourceIPs = 10; // UserAgent records the user agent string reported by the client. // Note that the UserAgent is provided by the client, and must not be trusted. // +optional optional string userAgent = 18; // Object reference this request is targeted at. // Does not apply for List-type requests, or non-resource requests. // +optional optional ObjectReference objectRef = 11; // The response status, populated even when the ResponseObject is not a Status type. // For successful responses, this will only include the Code and StatusSuccess. // For non-status type error responses, this will be auto-populated with the error Message. // +optional optional k8s.io.apimachinery.pkg.apis.meta.v1.Status responseStatus = 12; // API object from the request, in JSON format. The RequestObject is recorded as-is in the request // (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or // merging. It is an external versioned object type, and may not be a valid object on its own. // Omitted for non-resource requests. Only logged at Request Level and higher. // +optional optional k8s.io.apimachinery.pkg.runtime.Unknown requestObject = 13; // API object returned in the response, in JSON. The ResponseObject is recorded after conversion // to the external type, and serialized as JSON. Omitted for non-resource requests. Only logged // at Response Level. // +optional optional k8s.io.apimachinery.pkg.runtime.Unknown responseObject = 14; // Time the request reached the apiserver. // +optional optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime requestReceivedTimestamp = 15; // Time the request reached current audit stage. // +optional optional k8s.io.apimachinery.pkg.apis.meta.v1.MicroTime stageTimestamp = 16; // Annotations is an unstructured key value map stored with an audit event that may be set by // plugins invoked in the request serving chain, including authentication, authorization and // admission plugins. Note that these annotations are for the audit event, and do not correspond // to the metadata.annotations of the submitted object. Keys should uniquely identify the informing // component to avoid name collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values // should be short. Annotations are included in the Metadata level. // +optional map annotations = 17; } // EventList is a list of audit Events. message EventList { // +optional optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; repeated Event items = 2; } // GroupResources represents resource kinds in an API group. message GroupResources { // Group is the name of the API group that contains the resources. // The empty string represents the core API group. // +optional optional string group = 1; // Resources is a list of resources this rule applies to. // // For example: // 'pods' matches pods. // 'pods/log' matches the log subresource of pods. // '*' matches all resources and their subresources. // 'pods/*' matches all subresources of pods. // '*/scale' matches all scale subresources. // // If wildcard is present, the validation rule will ensure resources do not // overlap with each other. // // An empty list implies all resources and subresources in this API groups apply. // +optional repeated string resources = 2; // ResourceNames is a list of resource instance names that the policy matches. // Using this field requires Resources to be specified. // An empty list implies that every instance of the resource is matched. // +optional repeated string resourceNames = 3; } // ObjectReference contains enough information to let you inspect or modify the referred object. message ObjectReference { // +optional optional string resource = 1; // +optional optional string namespace = 2; // +optional optional string name = 3; // +optional optional string uid = 4; // APIGroup is the name of the API group that contains the referred object. // The empty string represents the core API group. // +optional optional string apiGroup = 5; // APIVersion is the version of the API group that contains the referred object. // +optional optional string apiVersion = 6; // +optional optional string resourceVersion = 7; // +optional optional string subresource = 8; } // DEPRECATED - This group version of Policy is deprecated by audit.k8s.io/v1/Policy. See the release notes for // more information. // Policy defines the configuration of audit logging, and the rules for how different request // categories are logged. message Policy { // ObjectMeta is included for interoperability with API infrastructure. // +optional optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Rules specify the audit Level a request should be recorded at. // A request may match multiple rules, in which case the FIRST matching rule is used. // The default audit level is None, but can be overridden by a catch-all rule at the end of the list. // PolicyRules are strictly ordered. repeated PolicyRule rules = 2; // OmitStages is a list of stages for which no events are created. Note that this can also // be specified per rule in which case the union of both are omitted. // +optional repeated string omitStages = 3; } // PolicyList is a list of audit Policies. message PolicyList { // +optional optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; repeated Policy items = 2; } // PolicyRule maps requests based off metadata to an audit Level. // Requests must match the rules of every field (an intersection of rules). message PolicyRule { // The Level that requests matching this rule are recorded at. optional string level = 1; // The users (by authenticated user name) this rule applies to. // An empty list implies every user. // +optional repeated string users = 2; // The user groups this rule applies to. A user is considered matching // if it is a member of any of the UserGroups. // An empty list implies every user group. // +optional repeated string userGroups = 3; // The verbs that match this rule. // An empty list implies every verb. // +optional repeated string verbs = 4; // Resources that this rule matches. An empty list implies all kinds in all API groups. // +optional repeated GroupResources resources = 5; // Namespaces that this rule matches. // The empty string "" matches non-namespaced resources. // An empty list implies every namespace. // +optional repeated string namespaces = 6; // NonResourceURLs is a set of URL paths that should be audited. // *s are allowed, but only as the full, final step in the path. // Examples: // "/metrics" - Log requests for apiserver metrics // "/healthz*" - Log all health checks // +optional repeated string nonResourceURLs = 7; // OmitStages is a list of stages for which no events are created. Note that this can also // be specified policy wide in which case the union of both are omitted. // An empty list means no restrictions will apply. // +optional repeated string omitStages = 8; }