Merge pull request #46717 from timstclair/audit-proto

Automatic merge from submit-queue (batch tested with PRs 46967, 46992, 43338, 46717, 46672)

Generate protobuf for the audit API

Add protobuf generation & annotations for the advanced auditing API. We're not using them directly now, but settling on the field numbering will help with some third-party integrations.

For kubernetes/features#22

/cc @ihmccreery
Kubernetes Submit Queue 2017-06-05 20:27:48 -07:00 committed by GitHub
commit 5ece6470b3
5 changed files with 2699 additions and 36 deletions


@ -97,6 +97,8 @@ func New() *Generator {
`k8s.io/metrics/pkg/apis/metrics/v1alpha1`,
`k8s.io/metrics/pkg/apis/custom_metrics/v1alpha1`,
`k8s.io/kubernetes/pkg/apis/networking/v1`,
`-k8s.io/client-go/pkg/apis/authentication/v1`,
`k8s.io/apiserver/pkg/apis/audit/v1alpha1`,
}, ","),
DropEmbeddedFields: "k8s.io/apimachinery/pkg/apis/meta/v1.TypeMeta",
}
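Review bot: The `-` prefix on the `k8s.io/client-go/pkg/apis/authentication/v1` entry is the only prefixed item in this package list and nothing at the call site says what it means, so the next person adding an entry has to go read the package parser. A short comment above that line, e.g. `// "-": make the package available as a dependency only; do not regenerate it`, would document the intent — assuming that is what the prefix does here, which should be confirmed against the parser. The `k8s.io/apiserver/pkg/apis/audit/v1alpha1` entry added directly below presumably needs it because the audit types embed `authnv1.UserInfo`; saying so in the same comment would tie the two additions together. `New()`'s body continues outside this hunk.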


@ -11,6 +11,7 @@ go_library(
name = "go_default_library",
srcs = [
"doc.go",
"generated.pb.go",
"register.go",
"types.generated.go",
"types.go",
@ -20,6 +21,7 @@ go_library(
],
tags = ["automanaged"],
deps = [
"//vendor/github.com/gogo/protobuf/proto:go_default_library",
"//vendor/github.com/ugorji/go/codec:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/conversion:go_default_library",



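--- /dev/null
+++ b/k8s.io/apiserver/pkg/apis/audit/v1alpha1/generated.proto
@@ -0,0 +1,201 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+syntax = 'proto2';
+package k8s.io.apiserver.pkg.apis.audit.v1alpha1;
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+import "k8s.io/client-go/pkg/apis/authentication/v1/generated.proto";
+// Package-wide variables from generator "generated".
+option go_package = "v1alpha1";
+// Event captures all the information that can be included in an API audit log.
+message Event {
+// ObjectMeta is included for interoperability with API infrastructure.
+// +optional
+optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+// AuditLevel at which event was generated
+optional string level = 2;
+// Time the request reached the apiserver.
+optional k8s.io.apimachinery.pkg.apis.meta.v1.Time timestamp = 3;
+// Unique audit ID, generated for each request.
+optional string auditID = 4;
+// Stage of the request handling when this event instance was generated.
+optional string stage = 5;
+// RequestURI is the request URI as sent by the client to a server.
+optional string requestURI = 6;
+// Verb is the kubernetes verb associated with the request.
+// For non-resource requests, this is the lower-cased HTTP method.
+optional string verb = 7;
+// Authenticated user information.
+optional k8s.io.client_go.pkg.apis.authentication.v1.UserInfo user = 8;
+// Impersonated user information.
+// +optional
+optional k8s.io.client_go.pkg.apis.authentication.v1.UserInfo impersonatedUser = 9;
+// Source IPs, from where the request originated and intermediate proxies.
+// +optional
+repeated string sourceIPs = 10;
+// Object reference this request is targeted at.
+// Does not apply for List-type requests, or non-resource requests.
+// +optional
+optional ObjectReference objectRef = 11;
+// The response status, populated even when the ResponseObject is not a Status type.
+// For successful responses, this will only include the Code and StatusSuccess.
+// For non-status type error responses, this will be auto-populated with the error Message.
+// +optional
+optional k8s.io.apimachinery.pkg.apis.meta.v1.Status responseStatus = 12;
+// API object from the request, in JSON format. The RequestObject is recorded as-is in the request
+// (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
+// merging. It is an external versioned object type, and may not be a valid object on its own.
+// Omitted for non-resource requests. Only logged at Request Level and higher.
+// +optional
+optional k8s.io.apimachinery.pkg.runtime.Unknown requestObject = 13;
+// API object returned in the response, in JSON. The ResponseObject is recorded after conversion
+// to the external type, and serialized as JSON. Omitted for non-resource requests. Only logged
+// at Response Level.
+// +optional
+optional k8s.io.apimachinery.pkg.runtime.Unknown responseObject = 14;
+}
+// EventList is a list of audit Events.
+message EventList {
+// +optional
+optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+repeated Event items = 2;
+}
+// GroupResources represents resource kinds in an API group.
+message GroupResources {
+// Group is the name of the API group that contains the resources.
+// The empty string represents the core API group.
+// +optional
+optional string group = 1;
+// Resources is a list of resources within the API group.
+// Any empty list implies every resource kind in the API group.
+// +optional
+repeated string resources = 2;
+}
+// ObjectReference contains enough information to let you inspect or modify the referred object.
+message ObjectReference {
+// +optional
+optional string resource = 1;
+// +optional
+optional string namespace = 2;
+// +optional
+optional string name = 3;
+// +optional
+optional string uid = 4;
+// +optional
+optional string apiVersion = 5;
+// +optional
+optional string resourceVersion = 6;
+// +optional
+optional string subresource = 7;
+}
+// Policy defines the configuration of audit logging, and the rules for how different request
+// categories are logged.
+message Policy {
+// ObjectMeta is included for interoperability with API infrastructure.
+// +optional
+optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+// Rules specify the audit Level a request should be recorded at.
+// A request may match multiple rules, in which case the FIRST matching rule is used.
+// The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
+// PolicyRules are strictly ordered.
+repeated PolicyRule rules = 2;
+}
+// PolicyList is a list of audit Policies.
+message PolicyList {
+// +optional
+optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+repeated Policy items = 2;
+}
+// PolicyRule maps requests based off metadata to an audit Level.
+// Requests must match the rules of every field (an intersection of rules).
+message PolicyRule {
+// The Level that requests matching this rule are recorded at.
+optional string level = 1;
+// The users (by authenticated user name) this rule applies to.
+// An empty list implies every user.
+// +optional
+repeated string users = 2;
+// The user groups this rule applies to. A user is considered matching
+// if it is a member of any of the UserGroups.
+// An empty list implies every user group.
+// +optional
+repeated string userGroups = 3;
+// The verbs that match this rule.
+// An empty list implies every verb.
+// +optional
+repeated string verbs = 4;
+// Resources that this rule matches. An empty list implies all kinds in all API groups.
+// +optional
+repeated GroupResources resources = 5;
+// Namespaces that this rule matches.
+// The empty string "" matches non-namespaced resources.
+// An empty list implies every namespace.
+// +optional
+repeated string namespaces = 6;
+// NonResourceURLs is a set of URL paths that should be audited.
+// *s are allowed, but only as the full, final step in the path.
+// Examples:
+// "/metrics" - Log requests for apiserver metrics
+// "/healthz*" - Log all health checks
+// +optional
+repeated string nonResourceURLs = 7;
+}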


@ -71,61 +71,61 @@ type Event struct {
metav1.TypeMeta `json:",inline"`
// ObjectMeta is included for interoperability with API infrastructure.
// +optional
metav1.ObjectMeta `json:"metadata,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// AuditLevel at which event was generated
Level Level `json:"level"`
Level Level `json:"level" protobuf:"bytes,2,opt,name=level,casttype=Level"`
// Time the request reached the apiserver.
Timestamp metav1.Time `json:"timestamp"`
Timestamp metav1.Time `json:"timestamp" protobuf:"bytes,3,opt,name=timestamp"`
// Unique audit ID, generated for each request.
AuditID types.UID `json:"auditID"`
AuditID types.UID `json:"auditID" protobuf:"bytes,4,opt,name=auditID,casttype=k8s.io/apimachinery/pkg/types.UID"`
// Stage of the request handling when this event instance was generated.
Stage Stage `json:"stage"`
Stage Stage `json:"stage" protobuf:"bytes,5,opt,name=stage,casttype=Stage"`
// RequestURI is the request URI as sent by the client to a server.
RequestURI string `json:"requestURI"`
RequestURI string `json:"requestURI" protobuf:"bytes,6,opt,name=requestURI"`
// Verb is the kubernetes verb associated with the request.
// For non-resource requests, this is the lower-cased HTTP method.
Verb string `json:"verb"`
Verb string `json:"verb" protobuf:"bytes,7,opt,name=verb"`
// Authenticated user information.
User authnv1.UserInfo `json:"user"`
User authnv1.UserInfo `json:"user" protobuf:"bytes,8,opt,name=user"`
// Impersonated user information.
// +optional
ImpersonatedUser *authnv1.UserInfo `json:"impersonatedUser,omitempty"`
ImpersonatedUser *authnv1.UserInfo `json:"impersonatedUser,omitempty" protobuf:"bytes,9,opt,name=impersonatedUser"`
// Source IPs, from where the request originated and intermediate proxies.
// +optional
SourceIPs []string `json:"sourceIPs,omitempty"`
SourceIPs []string `json:"sourceIPs,omitempty" protobuf:"bytes,10,rep,name=sourceIPs"`
// Object reference this request is targeted at.
// Does not apply for List-type requests, or non-resource requests.
// +optional
ObjectRef *ObjectReference `json:"objectRef,omitempty"`
ObjectRef *ObjectReference `json:"objectRef,omitempty" protobuf:"bytes,11,opt,name=objectRef"`
// The response status, populated even when the ResponseObject is not a Status type.
// For successful responses, this will only include the Code and StatusSuccess.
// For non-status type error responses, this will be auto-populated with the error Message.
// +optional
ResponseStatus *metav1.Status `json:"responseStatus,omitempty"`
ResponseStatus *metav1.Status `json:"responseStatus,omitempty" protobuf:"bytes,12,opt,name=responseStatus"`
// API object from the request, in JSON format. The RequestObject is recorded as-is in the request
// (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
// merging. It is an external versioned object type, and may not be a valid object on its own.
// Omitted for non-resource requests. Only logged at Request Level and higher.
// +optional
RequestObject *runtime.Unknown `json:"requestObject,omitempty"`
RequestObject *runtime.Unknown `json:"requestObject,omitempty" protobuf:"bytes,13,opt,name=requestObject"`
// API object returned in the response, in JSON. The ResponseObject is recorded after conversion
// to the external type, and serialized as JSON. Omitted for non-resource requests. Only logged
// at Response Level.
// +optional
ResponseObject *runtime.Unknown `json:"responseObject,omitempty"`
ResponseObject *runtime.Unknown `json:"responseObject,omitempty" protobuf:"bytes,14,opt,name=responseObject"`
}
// EventList is a list of audit Events.
type EventList struct {
metav1.TypeMeta `json:",inline"`
// +optional
metav1.ListMeta `json:"metadata,omitempty"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []Event `json:"items"`
Items []Event `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// Policy defines the configuration of audit logging, and the rules for how different request
@ -134,44 +134,44 @@ type Policy struct {
metav1.TypeMeta `json:",inline"`
// ObjectMeta is included for interoperability with API infrastructure.
// +optional
metav1.ObjectMeta `json:"metadata,omitempty"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Rules specify the audit Level a request should be recorded at.
// A request may match multiple rules, in which case the FIRST matching rule is used.
// The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
// PolicyRules are strictly ordered.
Rules []PolicyRule `json:"rules"`
Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
}
// PolicyList is a list of audit Policies.
type PolicyList struct {
metav1.TypeMeta `json:",inline"`
// +optional
metav1.ListMeta `json:"metadata,omitempty"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
Items []Policy `json:"items"`
Items []Policy `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// PolicyRule maps requests based off metadata to an audit Level.
// Requests must match the rules of every field (an intersection of rules).
type PolicyRule struct {
// The Level that requests matching this rule are recorded at.
Level Level `json:"level"`
Level Level `json:"level" protobuf:"bytes,1,opt,name=level,casttype=Level"`
// The users (by authenticated user name) this rule applies to.
// An empty list implies every user.
// +optional
Users []string `json:"users,omitempty"`
Users []string `json:"users,omitempty" protobuf:"bytes,2,rep,name=users"`
// The user groups this rule applies to. A user is considered matching
// if it is a member of any of the UserGroups.
// An empty list implies every user group.
// +optional
UserGroups []string `json:"userGroups,omitempty"`
UserGroups []string `json:"userGroups,omitempty" protobuf:"bytes,3,rep,name=userGroups"`
// The verbs that match this rule.
// An empty list implies every verb.
// +optional
Verbs []string `json:"verbs,omitempty"`
Verbs []string `json:"verbs,omitempty" protobuf:"bytes,4,rep,name=verbs"`
// Rules can apply to API resources (such as "pods" or "secrets"),
// non-resource URL paths (such as "/api"), or neither, but not both.
@ -179,12 +179,12 @@ type PolicyRule struct {
// Resources that this rule matches. An empty list implies all kinds in all API groups.
// +optional
Resources []GroupResources `json:"resources,omitempty"`
Resources []GroupResources `json:"resources,omitempty" protobuf:"bytes,5,rep,name=resources"`
// Namespaces that this rule matches.
// The empty string "" matches non-namespaced resources.
// An empty list implies every namespace.
// +optional
Namespaces []string `json:"namespaces,omitempty"`
Namespaces []string `json:"namespaces,omitempty" protobuf:"bytes,6,rep,name=namespaces"`
// NonResourceURLs is a set of URL paths that should be audited.
// *s are allowed, but only as the full, final step in the path.
@ -192,7 +192,7 @@ type PolicyRule struct {
// "/metrics" - Log requests for apiserver metrics
// "/healthz*" - Log all health checks
// +optional
NonResourceURLs []string `json:"nonResourceURLs,omitempty"`
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
}
// GroupResources represents resource kinds in an API group.
@ -200,27 +200,27 @@ type GroupResources struct {
// Group is the name of the API group that contains the resources.
// The empty string represents the core API group.
// +optional
Group string `json:"group,omitempty"`
Group string `json:"group,omitempty" protobuf:"bytes,1,opt,name=group"`
// Resources is a list of resources within the API group.
// Any empty list implies every resource kind in the API group.
// +optional
Resources []string `json:"resources,omitempty"`
Resources []string `json:"resources,omitempty" protobuf:"bytes,2,rep,name=resources"`
}
// ObjectReference contains enough information to let you inspect or modify the referred object.
type ObjectReference struct {
// +optional
Resource string `json:"resource,omitempty"`
Resource string `json:"resource,omitempty" protobuf:"bytes,1,opt,name=resource"`
// +optional
Namespace string `json:"namespace,omitempty"`
Namespace string `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"`
// +optional
Name string `json:"name,omitempty"`
Name string `json:"name,omitempty" protobuf:"bytes,3,opt,name=name"`
// +optional
UID types.UID `json:"uid,omitempty"`
UID types.UID `json:"uid,omitempty" protobuf:"bytes,4,opt,name=uid,casttype=k8s.io/apimachinery/pkg/types.UID"`
// +optional
APIVersion string `json:"apiVersion,omitempty"`
APIVersion string `json:"apiVersion,omitempty" protobuf:"bytes,5,opt,name=apiVersion"`
// +optional
ResourceVersion string `json:"resourceVersion,omitempty"`
ResourceVersion string `json:"resourceVersion,omitempty" protobuf:"bytes,6,opt,name=resourceVersion"`
// +optional
Subresource string `json:"subresource,omitempty"`
Subresource string `json:"subresource,omitempty" protobuf:"bytes,7,opt,name=subresource"`
}
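Review bot: The new `protobuf:"bytes,N,…"` tags turn the field numbers into a wire-format commitment that, per the PR description, third-party integrations will build on, yet nothing in types.go records that these numbers are now frozen; the `Event` struct in the first hunk (its `type Event struct {` opener sits in the hunk header, outside the hunk) is the natural place for a comment such as `// Protobuf field numbers are part of the wire contract: never renumber or reuse a tag; add new fields with fresh numbers and regenerate.` The same note applies to `Policy`, `PolicyRule`, `GroupResources` and `ObjectReference` in the later hunks, since the hand-written tags here must stay in lockstep with the generated `generated.proto`/`generated.pb.go` and a manual edit to a tag without rerunning the generator would silently desync them. Separately, `Level` and `Stage` go over the wire as plain strings (`casttype=Level`, `optional string level` in the proto), so the encoding does not constrain them to the known enum values; if decoded events or policies are consumed elsewhere, that code presumably validates the value rather than trusting the type — worth confirming and stating in the `Level` field comment.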