// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v2;

// Container and Label are the only external message types referenced in this
// file (Pod.labels, Pod.containers, Object.containers).
import "google/cloud/securitycenter/v2/container.proto";
import "google/cloud/securitycenter/v2/label.proto";

// Per-language code generation options for this package. They are part of the
// published API surface: changing one moves or renames the generated types
// that existing clients already depend on.
option csharp_namespace = "Google.Cloud.SecurityCenter.V2";
option go_package = "cloud.google.com/go/securitycenter/apiv2/securitycenterpb;securitycenterpb";
option java_multiple_files = true;
option java_outer_classname = "KubernetesProto";
option java_package = "com.google.cloud.securitycenter.v2";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V2";
option ruby_package = "Google::Cloud::SecurityCenter::V2";

// Kubernetes-related attributes of a finding: the Pods, nodes, node pools,
// RBAC roles and bindings, access reviews, and other objects involved.
message Kubernetes {
  // A Kubernetes Pod.
  message Pod {
    // Kubernetes Pod namespace. The field is named "ns" rather than
    // "namespace" to avoid the C++ keyword (see Object.ns).
    string ns = 1;

    // Kubernetes Pod name.
    string name = 2;

    // Pod labels.  For Kubernetes containers, these are applied to the
    // container.
    repeated Label labels = 3;

    // Pod containers associated with this finding, if any.
    repeated Container containers = 4;
  }

  // Kubernetes nodes associated with the finding.
  message Node {
    // [Full resource name](https://google.aip.dev/122#full-resource-names) of
    // the Compute Engine VM running the cluster node.
    string name = 1;
  }

  // Provides GKE node pool information.
  message NodePool {
    // Kubernetes node pool name.
    string name = 1;

    // Nodes associated with the finding.
    repeated Node nodes = 2;
  }

  // Kubernetes Role or ClusterRole.
  message Role {
    // Types of Kubernetes roles.
    //
    // NOTE(review): the values are not prefixed with the enum name (KIND_*).
    // This is a published API, so renaming them would break JSON and text
    // format consumers. In C++ the values are scoped to the enclosing Role
    // message, so any enum added to Role later must not reuse these names.
    enum Kind {
      // Role type is not specified.
      KIND_UNSPECIFIED = 0;

      // Kubernetes Role (namespaced).
      ROLE = 1;

      // Kubernetes ClusterRole (cluster-scoped, not namespaced).
      CLUSTER_ROLE = 2;
    }

    // Role type.
    Kind kind = 1;

    // Role namespace. Expected to be empty when kind is CLUSTER_ROLE, since
    // ClusterRoles are cluster-scoped — verify against the producer.
    string ns = 2;

    // Role name.
    string name = 3;
  }

  // Represents a Kubernetes RoleBinding or ClusterRoleBinding, i.e. which
  // subjects are granted the permissions of a Role or ClusterRole.
  message Binding {
    // Namespace for the binding.
    string ns = 1;

    // Name for the binding.
    string name = 2;

    // The Role or ClusterRole referenced by the binding.
    Role role = 3;

    // Represents one or more subjects that are bound to the role. Not always
    // available for PATCH requests.
    repeated Subject subjects = 4;
  }

  // Represents a Kubernetes subject.
  message Subject {
    // Auth types that can be used for the subject's kind field.
    //
    // NOTE(review): as with Role.Kind, the values are unprefixed
    // (AUTH_TYPE_*); keep them unchanged on this published API.
    enum AuthType {
      // Authentication is not specified.
      AUTH_TYPE_UNSPECIFIED = 0;

      // User with valid certificate.
      USER = 1;

      // Users managed by Kubernetes API with credentials stored as secrets.
      SERVICEACCOUNT = 2;

      // Collection of users.
      GROUP = 3;
    }

    // Authentication type for the subject.
    AuthType kind = 1;

    // Namespace for the subject.
    string ns = 2;

    // Name for the subject.
    string name = 3;
  }

  // Conveys information about a Kubernetes access review (such as one returned
  // by a [`kubectl auth
  // can-i`](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access)
  // command) that was involved in a finding.
  //
  // In the fields below, "*" is a wildcard meaning all values, so a review
  // with wildcards in group, resource, verb, or version describes a broader
  // permission check than one with concrete values.
  message AccessReview {
    // The API group of the resource. "*" means all.
    string group = 1;

    // Namespace of the action being requested. Currently, there is no
    // distinction between no namespace and all namespaces.  Both
    // are represented by "" (empty).
    string ns = 2;

    // The name of the resource being requested. Empty means all.
    string name = 3;

    // The optional resource type requested. "*" means all.
    string resource = 4;

    // The optional subresource type.
    string subresource = 5;

    // A Kubernetes resource API verb, like get, list, watch, create, update,
    // delete, proxy. "*" means all.
    string verb = 6;

    // The API version of the resource. "*" means all.
    string version = 7;
  }

  // Kubernetes object related to the finding, uniquely identified by GKNN
  // (group, kind, namespace, name — the fields below).
  // Used if the object Kind is not one of Pod, Node, NodePool, Binding, or
  // AccessReview.
  message Object {
    // Kubernetes object group, such as "policy.k8s.io/v1".
    string group = 1;

    // Kubernetes object kind, such as "Namespace".
    string kind = 2;

    // Kubernetes object namespace. Must be a valid DNS label. Named
    // "ns" to avoid collision with C++ namespace keyword. For details see
    // https://kubernetes.io/docs/tasks/administer-cluster/namespaces/.
    string ns = 3;

    // Kubernetes object name. For details see
    // https://kubernetes.io/docs/concepts/overview/working-with-objects/names/.
    string name = 4;

    // Pod containers associated with this finding, if any.
    repeated Container containers = 5;
  }

  // Kubernetes
  // [Pods](https://cloud.google.com/kubernetes-engine/docs/concepts/pod)
  // associated with the finding. This field contains Pod records for each
  // container that is owned by a Pod.
  repeated Pod pods = 1;

  // Provides Kubernetes
  // [node](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture#nodes)
  // information.
  repeated Node nodes = 2;

  // GKE [node
  // pools](https://cloud.google.com/kubernetes-engine/docs/concepts/node-pools)
  // associated with the finding. This field contains node pool information for
  // each node, when it is available.
  repeated NodePool node_pools = 3;

  // Provides Kubernetes role information for findings that involve [Roles or
  // ClusterRoles](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).
  repeated Role roles = 4;

  // Provides Kubernetes role binding information for findings that involve
  // [RoleBindings or
  // ClusterRoleBindings](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).
  repeated Binding bindings = 5;

  // Provides information on any Kubernetes access reviews (privilege checks)
  // relevant to the finding.
  repeated AccessReview access_reviews = 6;

  // Kubernetes objects related to the finding whose kind is not covered by
  // one of the dedicated fields above.
  repeated Object objects = 7;
}