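/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// +k8s:openapi-gen=true

// Package v1alpha1 defines the cluster-scoped AuditSink resource: a Policy that
// selects which audit events are forwarded, and the Webhook they are sent to.
package v1alpha1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Level defines the amount of information logged during auditing.
//
// NOTE(review): Request and RequestResponse place the full request and
// response objects in the event, so whatever those objects contain is
// forwarded to the configured webhook. Pick the level with the sink's
// trustworthiness in mind.
type Level string

// Valid audit levels, in increasing order of detail.
const (
	// LevelNone disables auditing.
	LevelNone Level = "None"
	// LevelMetadata provides the basic level of auditing.
	LevelMetadata Level = "Metadata"
	// LevelRequest provides Metadata level of auditing, and additionally
	// logs the request object (does not apply for non-resource requests).
	LevelRequest Level = "Request"
	// LevelRequestResponse provides Request level of auditing, and additionally
	// logs the response object (does not apply for non-resource requests and watches).
	LevelRequestResponse Level = "RequestResponse"
)

// Stage defines the stages in request handling during which audit events may be generated.
type Stage string

// Valid audit stages.
//
// These are untyped string constants rather than Stage values, so they
// assign to both Stage and string without a conversion. Giving them the
// Stage type would be a breaking change for callers that use them as plain
// strings, so they are left untyped.
const (
	// StageRequestReceived is the stage for events generated after the audit
	// handler receives the request, but before it is delegated down the
	// handler chain.
	StageRequestReceived = "RequestReceived"
	// StageResponseStarted is the stage for events generated after the response
	// headers are sent, but before the response body is sent. This stage is
	// only generated for long-running requests (e.g. watch).
	StageResponseStarted = "ResponseStarted"
	// StageResponseComplete is the stage for events generated after the response
	// body has been completed, and no more bytes will be sent.
	StageResponseComplete = "ResponseComplete"
	// StagePanic is the stage for events generated when a panic occurred.
	StagePanic = "Panic"
)

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AuditSink represents a cluster level audit sink.
//
// NOTE(review): this resource is cluster-scoped (non-namespaced) and its spec
// redirects audit events to an endpoint of the author's choosing. Create,
// update and patch on it should be restricted to cluster administrators.
type AuditSink struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec defines the audit configuration spec.
	Spec AuditSinkSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

// AuditSinkSpec holds the spec for the audit sink.
type AuditSinkSpec struct {
	// Policy defines the policy for selecting which events should be sent to the webhook.
	// required
	Policy Policy `json:"policy" protobuf:"bytes,1,opt,name=policy"`

	// Webhook describes where, and how fast, the selected events are sent.
	// required
	Webhook Webhook `json:"webhook" protobuf:"bytes,2,opt,name=webhook"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// AuditSinkList is a list of AuditSink items.
type AuditSinkList struct {
	metav1.TypeMeta `json:",inline"`
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items is the list of audit configurations.
	Items []AuditSink `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// Policy defines the configuration of how audit events are logged.
type Policy struct {
	// Level is the Level that all requests are recorded at.
	// available options: None, Metadata, Request, RequestResponse
	// required
	Level Level `json:"level" protobuf:"bytes,1,opt,name=level"`

	// Stages is a list of stages for which events are created.
	// The json tag carries no omitempty, so a nil list is serialized as
	// `null` rather than being omitted.
	// +optional
	Stages []Stage `json:"stages" protobuf:"bytes,2,opt,name=stages"`
}

// Webhook holds the configuration of the webhook.
type Webhook struct {
	// Throttle holds the options for throttling the webhook.
	// +optional
	Throttle *WebhookThrottleConfig `json:"throttle,omitempty" protobuf:"bytes,1,opt,name=throttle"`

	// ClientConfig holds the connection parameters for the webhook.
	// required
	ClientConfig WebhookClientConfig `json:"clientConfig" protobuf:"bytes,2,opt,name=clientConfig"`
}

// WebhookThrottleConfig holds the configuration for throttling events.
type WebhookThrottleConfig struct {
	// QPS is the maximum number of batches per second sent to the webhook.
	// default 10
	// +optional
	QPS *int64 `json:"qps,omitempty" protobuf:"bytes,1,opt,name=qps"`

	// Burst is the maximum number of events sent at the same moment.
	// This is a count of events, not a rate.
	// default 15
	// +optional
	Burst *int64 `json:"burst,omitempty" protobuf:"bytes,2,opt,name=burst"`
}

// WebhookClientConfig contains the information to make a connection with the webhook.
type WebhookClientConfig struct {
	// `url` gives the location of the webhook, in standard URL form
	// (`scheme://host:port/path`). Exactly one of `url` or `service`
	// must be specified.
	//
	// The `host` should not refer to a service running in the cluster; use
	// the `service` field instead. The host might be resolved via external
	// DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
	// in-cluster DNS as that would be a layering violation). `host` may
	// also be an IP address.
	//
	// Please note that using `localhost` or `127.0.0.1` as a `host` is
	// risky unless you take great care to run this webhook on all hosts
	// which run an apiserver which might need to make calls to this
	// webhook. Such installs are likely to be non-portable, i.e., not easy
	// to turn up in a new cluster.
	//
	// The scheme must be "https"; the URL must begin with "https://".
	//
	// A path is optional, and if present may be any string permissible in
	// a URL. You may use the path to pass an arbitrary string to the
	// webhook, for example, a cluster identifier.
	//
	// Attempting to use a user or basic auth e.g. "user:password@" is not
	// allowed. Fragments ("#...") and query parameters ("?...") are not
	// allowed, either.
	//
	// +optional
	URL *string `json:"url,omitempty" protobuf:"bytes,1,opt,name=url"`

	// `service` is a reference to the service for this webhook. Either
	// `service` or `url` must be specified.
	//
	// If the webhook is running within the cluster, then you should use `service`.
	//
	// +optional
	Service *ServiceReference `json:"service,omitempty" protobuf:"bytes,2,opt,name=service"`

	// `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
	// If unspecified, system trust roots on the apiserver are used.
	//
	// NOTE(review): with `caBundle` empty, any server certificate that chains
	// to the apiserver's system roots is accepted for the webhook host. Set
	// `caBundle` when the sink should only trust a specific CA.
	// +optional
	CABundle []byte `json:"caBundle,omitempty" protobuf:"bytes,3,opt,name=caBundle"`
}

// ServiceReference holds a reference to Service.legacy.k8s.io.
type ServiceReference struct {
	// `namespace` is the namespace of the service.
	// Required
	Namespace string `json:"namespace" protobuf:"bytes,1,opt,name=namespace"`

	// `name` is the name of the service.
	// Required
	Name string `json:"name" protobuf:"bytes,2,opt,name=name"`

	// `path` is an optional URL path which will be sent in any request to
	// this service.
	// +optional
	Path *string `json:"path,omitempty" protobuf:"bytes,3,opt,name=path"`

	// `port` is the port on the service that hosts the webhook.
	// Defaults to 443 for backward compatibility.
	// `port` should be a valid port number (1-65535, inclusive).
	// +optional
	Port *int32 `json:"port,omitempty" protobuf:"varint,4,opt,name=port"`
}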