1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15syntax = "proto3";
16
17package google.cloud.securitycenter.v2;
18
19import "google/cloud/securitycenter/v2/container.proto";
20import "google/cloud/securitycenter/v2/label.proto";
21
22option csharp_namespace = "Google.Cloud.SecurityCenter.V2";
23option go_package = "cloud.google.com/go/securitycenter/apiv2/securitycenterpb;securitycenterpb";
24option java_multiple_files = true;
25option java_outer_classname = "KubernetesProto";
26option java_package = "com.google.cloud.securitycenter.v2";
27option php_namespace = "Google\\Cloud\\SecurityCenter\\V2";
28option ruby_package = "Google::Cloud::SecurityCenter::V2";
29
30// Kubernetes-related attributes.
// Kubernetes-related attributes of a finding.
//
// Every top-level field is `repeated`, so an empty list is indistinguishable
// from "not populated"; consumers must not read an empty list as evidence that
// no such resource was involved. Namespace fields throughout this message are
// named `ns` rather than `namespace` to avoid the C++ keyword in generated
// code. This is a published API: field numbers and enum values are the wire
// contract, so never renumber or rename them; reserve numbers and names if a
// field is ever removed.
message Kubernetes {
  // A Kubernetes Pod.
  message Pod {
    // Kubernetes Pod namespace. The schema does not validate this value;
    // do not assume it is a well-formed DNS label.
    string ns = 1;

    // Kubernetes Pod name.
    string name = 2;

    // Pod labels.  For Kubernetes containers, these are applied to the
    // container.
    repeated Label labels = 3;

    // Pod containers associated with this finding, if any.
    repeated Container containers = 4;
  }

  // Kubernetes nodes associated with the finding.
  message Node {
    // [Full resource name](https://google.aip.dev/122#full-resource-names) of
    // the Compute Engine VM running the cluster node. Note that this is the
    // VM's resource name, not the name of the Kubernetes Node object.
    string name = 1;
  }

  // Provides GKE node pool information.
  message NodePool {
    // Kubernetes node pool name.
    string name = 1;

    // Nodes associated with the finding.
    repeated Node nodes = 2;
  }

  // Kubernetes Role or ClusterRole.
  message Role {
    // Types of Kubernetes roles.
    //
    // Values intentionally lack the `KIND_` prefix that current style guides
    // recommend; renaming them would break generated code for a published
    // API. Proto3 enums are open: a receiver may see integer values not
    // listed here if the server is newer, and should treat them like
    // KIND_UNSPECIFIED rather than fail.
    enum Kind {
      // Role type is not specified.
      KIND_UNSPECIFIED = 0;

      // Kubernetes Role (namespace-scoped).
      ROLE = 1;

      // Kubernetes ClusterRole (cluster-scoped).
      CLUSTER_ROLE = 2;
    }

    // Role type.
    Kind kind = 1;

    // Role namespace. Expected to be empty for a ClusterRole, which is not
    // namespaced; the schema does not enforce this.
    string ns = 2;

    // Role name.
    string name = 3;
  }

  // Represents a Kubernetes RoleBinding or ClusterRoleBinding.
  message Binding {
    // Namespace for the binding. Expected to be empty for a
    // ClusterRoleBinding; the schema does not enforce this.
    string ns = 1;

    // Name for the binding.
    string name = 2;

    // The Role or ClusterRole referenced by the binding.
    Role role = 3;

    // Represents one or more subjects that are bound to the role. Not always
    // available for PATCH requests, so an empty list does not mean the
    // binding has no subjects.
    repeated Subject subjects = 4;
  }

  // Represents a Kubernetes subject.
  message Subject {
    // Auth types that can be used for the subject's kind field. These
    // correspond to the Kubernetes RBAC subject kinds `User`,
    // `ServiceAccount` and `Group`. Like all proto3 enums this is open;
    // handle unlisted values gracefully.
    enum AuthType {
      // Authentication is not specified.
      AUTH_TYPE_UNSPECIFIED = 0;

      // User with valid certificate.
      USER = 1;

      // Users managed by Kubernetes API with credentials stored as secrets.
      SERVICEACCOUNT = 2;

      // Collection of users.
      GROUP = 3;
    }

    // Authentication type for the subject.
    AuthType kind = 1;

    // Namespace for the subject. Meaningful for service accounts; for users
    // and groups it is expected to be empty.
    string ns = 2;

    // Name for the subject.
    string name = 3;
  }

  // Conveys information about a Kubernetes access review (such as one returned
  // by a [`kubectl auth
  // can-i`](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access)
  // command) that was involved in a finding.
  //
  // Wildcard conventions differ between fields: `group`, `resource`, `verb`
  // and `version` use "*" to mean "all", whereas `name` uses "" (empty).
  // A review whose `verb` or `resource` is "*" covers every member of that
  // dimension, which is a useful signal when triaging privilege findings.
  message AccessReview {
    // The API group of the resource. "*" means all.
    string group = 1;

    // Namespace of the action being requested. Currently, there is no
    // distinction between no namespace and all namespaces.  Both
    // are represented by "" (empty), so a cluster-scoped check cannot be
    // told apart from an all-namespaces check from this field alone.
    string ns = 2;

    // The name of the resource being requested. Empty means all.
    string name = 3;

    // The optional resource type requested. "*" means all.
    string resource = 4;

    // The optional subresource type.
    string subresource = 5;

    // A Kubernetes resource API verb, like get, list, watch, create, update,
    // delete, proxy. "*" means all.
    string verb = 6;

    // The API version of the resource. "*" means all.
    string version = 7;
  }

  // Kubernetes object related to the finding, uniquely identified by GKNN
  // (group, kind, namespace, name).
  // Used if the object Kind is not one of Pod, Node, NodePool, Binding, or
  // AccessReview.
  message Object {
    // Kubernetes object group, such as "policy.k8s.io/v1".
    string group = 1;

    // Kubernetes object kind, such as "Namespace".
    string kind = 2;

    // Kubernetes object namespace. Must be a valid DNS label. Named
    // "ns" to avoid collision with C++ namespace keyword. For details see
    // https://kubernetes.io/docs/tasks/administer-cluster/namespaces/.
    string ns = 3;

    // Kubernetes object name. For details see
    // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/.
    string name = 4;

    // Pod containers associated with this finding, if any.
    repeated Container containers = 5;
  }

  // Kubernetes
  // [Pods](https://cloud.google.com/kubernetes-engine/docs/concepts/pod)
  // associated with the finding. This field contains Pod records for each
  // container that is owned by a Pod.
  repeated Pod pods = 1;

  // Provides Kubernetes
  // [node](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture#nodes)
  // information.
  repeated Node nodes = 2;

  // GKE [node
  // pools](https://cloud.google.com/kubernetes-engine/docs/concepts/node-pools)
  // associated with the finding. This field contains node pool information for
  // each node, when it is available.
  repeated NodePool node_pools = 3;

  // Provides Kubernetes role information for findings that involve [Roles or
  // ClusterRoles](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).
  repeated Role roles = 4;

  // Provides Kubernetes role binding information for findings that involve
  // [RoleBindings or
  // ClusterRoleBindings](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).
  repeated Binding bindings = 5;

  // Provides information on any Kubernetes access reviews (privilege checks)
  // relevant to the finding.
  repeated AccessReview access_reviews = 6;

  // Kubernetes objects related to the finding that are not covered by the
  // more specific fields above.
  repeated Object objects = 7;
}
217