github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-17 23:57:49 +00:00
Code Issues Projects Releases Wiki Activity

Fix list_type_missing in k8s.io/apiserver

Browse Source
This commit is contained in:
Tim Hockin 2023-11-17 11:46:28 -08:00
parent 18f3941c24
commit eddf65849d
No known key found for this signature in database
4 changed files with 84 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
api/api-rules/violation_exceptions.list
View File

@ -1,15 +1,3 @@
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,Event,SourceIPs
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,GroupResources,ResourceNames
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,GroupResources,Resources
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,Policy,OmitStages
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,Policy,Rules
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Namespaces
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,NonResourceURLs
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,OmitStages
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Resources
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,UserGroups
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Users
API rule violation: list_type_missing,k8s.io/apiserver/pkg/apis/audit/v1,PolicyRule,Verbs
API rule violation: list_type_missing,k8s.io/cloud-provider/config/v1alpha1,WebhookConfiguration,Webhooks
API rule violation: list_type_missing,k8s.io/controller-manager/config/v1alpha1,GenericControllerManagerConfiguration,Controllers
API rule violation: list_type_missing,k8s.io/controller-manager/config/v1alpha1,LeaderMigrationConfiguration,ControllerLeaders

60
pkg/generated/openapi/zz_generated.openapi.go generated
View File

@ -52591,6 +52591,11 @@ func schema_pkg_apis_audit_v1_Event(ref common.ReferenceCallback) common.OpenAPI
},
},
"sourceIPs": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Source IPs, from where the request originated and intermediate proxies. The source IPs are listed from (in order): 1. X-Forwarded-For request header IPs 2. X-Real-Ip header, if not present in the X-Forwarded-For list 3. The remote address for the connection, if it doesn't match the last\n IP in the list up to here (X-Forwarded-For or X-Real-Ip).\nNote: All but the last IP can be arbitrarily set by the client.",
Type: []string{"array"},
@ -52737,6 +52742,11 @@ func schema_pkg_apis_audit_v1_GroupResources(ref common.ReferenceCallback) commo
},
},
"resources": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Resources is a list of resources this rule applies to.\n\nFor example: - `pods` matches pods. - `pods/log` matches the log subresource of pods. - `*` matches all resources and their subresources. - `pods/*` matches all subresources of pods. - `*/scale` matches all scale subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nAn empty list implies all resources and subresources in this API groups apply.",
Type: []string{"array"},
@ -52752,6 +52762,11 @@ func schema_pkg_apis_audit_v1_GroupResources(ref common.ReferenceCallback) commo
},
},
"resourceNames": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "ResourceNames is a list of resource instance names that the policy matches. Using this field requires Resources to be specified. An empty list implies that every instance of the resource is matched.",
Type: []string{"array"},
@ -52864,6 +52879,11 @@ func schema_pkg_apis_audit_v1_Policy(ref common.ReferenceCallback) common.OpenAP
},
},
"rules": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Rules specify the audit Level a request should be recorded at. A request may match multiple rules, in which case the FIRST matching rule is used. The default audit level is None, but can be overridden by a catch-all rule at the end of the list. PolicyRules are strictly ordered.",
Type: []string{"array"},
@ -52878,6 +52898,11 @@ func schema_pkg_apis_audit_v1_Policy(ref common.ReferenceCallback) common.OpenAP
},
},
"omitStages": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "OmitStages is a list of stages for which no events are created. Note that this can also be specified per rule in which case the union of both are omitted.",
Type: []string{"array"},
@ -52973,6 +52998,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"users": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "The users (by authenticated user name) this rule applies to. An empty list implies every user.",
Type: []string{"array"},
@ -52988,6 +53018,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"userGroups": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "The user groups this rule applies to. A user is considered matching if it is a member of any of the UserGroups. An empty list implies every user group.",
Type: []string{"array"},
@ -53003,6 +53038,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"verbs": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "The verbs that match this rule. An empty list implies every verb.",
Type: []string{"array"},
@ -53018,6 +53058,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"resources": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Resources that this rule matches. An empty list implies all kinds in all API groups.",
Type: []string{"array"},
@ -53032,6 +53077,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"namespaces": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "Namespaces that this rule matches. The empty string \"\" matches non-namespaced resources. An empty list implies every namespace.",
Type: []string{"array"},
@ -53047,6 +53097,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"nonResourceURLs": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "NonResourceURLs is a set of URL paths that should be audited. `*`s are allowed, but only as the full, final step in the path. Examples: - `/metrics` - Log requests for apiserver metrics - `/healthz*` - Log all health checks",
Type: []string{"array"},
@ -53062,6 +53117,11 @@ func schema_pkg_apis_audit_v1_PolicyRule(ref common.ReferenceCallback) common.Op
},
},
"omitStages": {
VendorExtensible: spec.VendorExtensible{
Extensions: spec.Extensions{
"x-kubernetes-list-type": "atomic",
},
},
SchemaProps: spec.SchemaProps{
Description: "OmitStages is a list of stages for which no events are created. Note that this can also be specified policy wide in which case the union of both are omitted. An empty list means no restrictions will apply.",
Type: []string{"array"},

12
staging/src/k8s.io/apiserver/pkg/apis/audit/v1/generated.proto
View File

@ -62,6 +62,7 @@ message Event {
// IP in the list up to here (X-Forwarded-For or X-Real-Ip).
// Note: All but the last IP can be arbitrarily set by the client.
// +optional
// +listType=atomic
repeated string sourceIPs = 8;
// UserAgent records the user agent string reported by the client.
@ -140,12 +141,14 @@ message GroupResources {
//
// An empty list implies all resources and subresources in this API groups apply.
// +optional
// +listType=atomic
repeated string resources = 2;
// ResourceNames is a list of resource instance names that the policy matches.
// Using this field requires Resources to be specified.
// An empty list implies that every instance of the resource is matched.
// +optional
// +listType=atomic
repeated string resourceNames = 3;
}
@ -190,11 +193,13 @@ message Policy {
// A request may match multiple rules, in which case the FIRST matching rule is used.
// The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
// PolicyRules are strictly ordered.
// +listType=atomic
repeated PolicyRule rules = 2;
// OmitStages is a list of stages for which no events are created. Note that this can also
// be specified per rule in which case the union of both are omitted.
// +optional
// +listType=atomic
repeated string omitStages = 3;
// OmitManagedFields indicates whether to omit the managed fields of the request
@ -224,27 +229,32 @@ message PolicyRule {
// The users (by authenticated user name) this rule applies to.
// An empty list implies every user.
// +optional
// +listType=atomic
repeated string users = 2;
// The user groups this rule applies to. A user is considered matching
// if it is a member of any of the UserGroups.
// An empty list implies every user group.
// +optional
// +listType=atomic
repeated string userGroups = 3;
// The verbs that match this rule.
// An empty list implies every verb.
// +optional
// +listType=atomic
repeated string verbs = 4;
// Resources that this rule matches. An empty list implies all kinds in all API groups.
// +optional
// +listType=atomic
repeated GroupResources resources = 5;
// Namespaces that this rule matches.
// The empty string "" matches non-namespaced resources.
// An empty list implies every namespace.
// +optional
// +listType=atomic
repeated string namespaces = 6;
// NonResourceURLs is a set of URL paths that should be audited.
@ -253,12 +263,14 @@ message PolicyRule {
// - `/metrics` - Log requests for apiserver metrics
// - `/healthz*` - Log all health checks
// +optional
// +listType=atomic
repeated string nonResourceURLs = 7;
// OmitStages is a list of stages for which no events are created. Note that this can also
// be specified policy wide in which case the union of both are omitted.
// An empty list means no restrictions will apply.
// +optional
// +listType=atomic
repeated string omitStages = 8;
// OmitManagedFields indicates whether to omit the managed fields of the request

12
staging/src/k8s.io/apiserver/pkg/apis/audit/v1/types.go
View File

@ -98,6 +98,7 @@ type Event struct {
// IP in the list up to here (X-Forwarded-For or X-Real-Ip).
// Note: All but the last IP can be arbitrarily set by the client.
// +optional
// +listType=atomic
SourceIPs []string `json:"sourceIPs,omitempty" protobuf:"bytes,8,rep,name=sourceIPs"`
// UserAgent records the user agent string reported by the client.
// Note that the UserAgent is provided by the client, and must not be trusted.
@ -166,11 +167,13 @@ type Policy struct {
// A request may match multiple rules, in which case the FIRST matching rule is used.
// The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
// PolicyRules are strictly ordered.
// +listType=atomic
Rules []PolicyRule `json:"rules" protobuf:"bytes,2,rep,name=rules"`
// OmitStages is a list of stages for which no events are created. Note that this can also
// be specified per rule in which case the union of both are omitted.
// +optional
// +listType=atomic
OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,3,rep,name=omitStages"`
// OmitManagedFields indicates whether to omit the managed fields of the request
@ -203,16 +206,19 @@ type PolicyRule struct {
// The users (by authenticated user name) this rule applies to.
// An empty list implies every user.
// +optional
// +listType=atomic
Users []string `json:"users,omitempty" protobuf:"bytes,2,rep,name=users"`
// The user groups this rule applies to. A user is considered matching
// if it is a member of any of the UserGroups.
// An empty list implies every user group.
// +optional
// +listType=atomic
UserGroups []string `json:"userGroups,omitempty" protobuf:"bytes,3,rep,name=userGroups"`
// The verbs that match this rule.
// An empty list implies every verb.
// +optional
// +listType=atomic
Verbs []string `json:"verbs,omitempty" protobuf:"bytes,4,rep,name=verbs"`
// Rules can apply to API resources (such as "pods" or "secrets"),
@ -221,11 +227,13 @@ type PolicyRule struct {
// Resources that this rule matches. An empty list implies all kinds in all API groups.
// +optional
// +listType=atomic
Resources []GroupResources `json:"resources,omitempty" protobuf:"bytes,5,rep,name=resources"`
// Namespaces that this rule matches.
// The empty string "" matches non-namespaced resources.
// An empty list implies every namespace.
// +optional
// +listType=atomic
Namespaces []string `json:"namespaces,omitempty" protobuf:"bytes,6,rep,name=namespaces"`
// NonResourceURLs is a set of URL paths that should be audited.
@ -234,12 +242,14 @@ type PolicyRule struct {
// - `/metrics` - Log requests for apiserver metrics
// - `/healthz*` - Log all health checks
// +optional
// +listType=atomic
NonResourceURLs []string `json:"nonResourceURLs,omitempty" protobuf:"bytes,7,rep,name=nonResourceURLs"`
// OmitStages is a list of stages for which no events are created. Note that this can also
// be specified policy wide in which case the union of both are omitted.
// An empty list means no restrictions will apply.
// +optional
// +listType=atomic
OmitStages []Stage `json:"omitStages,omitempty" protobuf:"bytes,8,rep,name=omitStages"`
// OmitManagedFields indicates whether to omit the managed fields of the request
@ -274,11 +284,13 @@ type GroupResources struct {
//
// An empty list implies all resources and subresources in this API groups apply.
// +optional
// +listType=atomic
Resources []string `json:"resources,omitempty" protobuf:"bytes,2,rep,name=resources"`
// ResourceNames is a list of resource instance names that the policy matches.
// Using this field requires Resources to be specified.
// An empty list implies that every instance of the resource is matched.
// +optional
// +listType=atomic
ResourceNames []string `json:"resourceNames,omitempty" protobuf:"bytes,3,rep,name=resourceNames"`
}