/*
Copyright The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/


// This file was autogenerated by go-to-protobuf. Do not edit it manually!
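syntax = 'proto2';

// Protobuf package for the auditregistration v1alpha1 API types.
package k8s.io.api.auditregistration.v1alpha1;

import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "v1alpha1";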
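// AuditSink represents a cluster level audit sink.
//
// The spec names the webhook that audit events are sent to, so write access
// to this resource decides where audit data leaves the cluster. Access to it
// should be limited accordingly.
message AuditSink {
  // Object metadata for this AuditSink.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Spec defines the audit configuration spec
  optional AuditSinkSpec spec = 2;
}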
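// AuditSinkList is a list of AuditSink items.
message AuditSinkList {
  // List metadata for this collection.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // List of audit configurations.
  repeated AuditSink items = 2;
}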
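// AuditSinkSpec holds the spec for the audit sink.
//
// Both fields are documented as required but carry the proto2 `optional`
// label, so decoding accepts a message that omits them. Presence has to be
// checked by whatever validates the object after decoding.
message AuditSinkSpec {
  // Policy defines the policy for selecting which events should be sent to the webhook
  // required
  optional Policy policy = 1;

  // Webhook to send events
  // required
  optional Webhook webhook = 2;
}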
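// Policy defines the configuration of how audit events are logged
message Policy {
  // The Level that all requests are recorded at.
  // available options: None, Metadata, Request, RequestResponse
  // required
  //
  // The wire type is a free-form string and the label is `optional`, so the
  // schema neither restricts the value to the options above nor rejects a
  // missing level. Both checks belong to validation after decoding.
  optional string level = 1;

  // Stages is a list of stages for which events are created.
  // Stage names are plain strings; the schema does not constrain them.
  // +optional
  repeated string stages = 2;
}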
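// ServiceReference holds a reference to Service.legacy.k8s.io
//
// `namespace` and `name` are documented as required but declared with the
// proto2 `optional` label, so decoding does not reject a reference that
// omits them. Presence must be checked after decoding.
message ServiceReference {
  // `namespace` is the namespace of the service.
  // Required
  optional string namespace = 1;

  // `name` is the name of the service.
  // Required
  optional string name = 2;

  // `path` is an optional URL path which will be sent in any request to
  // this service.
  // +optional
  optional string path = 3;
}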
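// Webhook holds the configuration of the webhook
message Webhook {
  // Throttle holds the options for throttling the webhook
  // +optional
  optional WebhookThrottleConfig throttle = 1;

  // ClientConfig holds the connection parameters for the webhook
  // required
  //
  // Documented as required but declared `optional`, so a Webhook without a
  // clientConfig still decodes. Presence must be checked after decoding.
  optional WebhookClientConfig clientConfig = 2;
}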
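// WebhookClientConfig contains the information to make a connection with the webhook
//
// `url` and `service` are independent optional fields, not a oneof, and
// `url` is a plain string. The exactly-one rule, the https-only scheme and
// the ban on userinfo, fragments and query parameters described below are
// therefore not enforced by decoding. They depend on validation performed
// by the consumer of this message.
message WebhookClientConfig {
  // `url` gives the location of the webhook, in standard URL form
  // (`scheme://host:port/path`). Exactly one of `url` or `service`
  // must be specified.
  //
  // The `host` should not refer to a service running in the cluster; use
  // the `service` field instead. The host might be resolved via external
  // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
  // in-cluster DNS as that would be a layering violation). `host` may
  // also be an IP address.
  //
  // Please note that using `localhost` or `127.0.0.1` as a `host` is
  // risky unless you take great care to run this webhook on all hosts
  // which run an apiserver which might need to make calls to this
  // webhook. Such installs are likely to be non-portable, i.e., not easy
  // to turn up in a new cluster.
  //
  // The scheme must be "https"; the URL must begin with "https://".
  //
  // A path is optional, and if present may be any string permissible in
  // a URL. You may use the path to pass an arbitrary string to the
  // webhook, for example, a cluster identifier.
  //
  // Attempting to use a user or basic auth e.g. "user:password@" is not
  // allowed. Fragments ("#...") and query parameters ("?...") are not
  // allowed, either.
  //
  // +optional
  optional string url = 1;

  // `service` is a reference to the service for this webhook. Exactly one
  // of `service` or `url` must be specified.
  //
  // If the webhook is running within the cluster, then you should use `service`.
  //
  // Port 443 will be used if it is open, otherwise it is an error.
  //
  // +optional
  optional ServiceReference service = 2;

  // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
  // If unspecified, system trust roots on the apiserver are used.
  //
  // Supplying a bundle narrows trust to the listed CAs. Leaving it unset
  // accepts a certificate issued by any root the apiserver host trusts.
  // +optional
  optional bytes caBundle = 3;
}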
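// WebhookThrottleConfig holds the configuration for throttling events
//
// NOTE(review): both fields are signed int64, so the schema admits zero and
// negative values. Confirm that validation rejects them.
message WebhookThrottleConfig {
  // ThrottleQPS maximum number of batches per second
  // default 10 QPS
  // +optional
  optional int64 qps = 1;

  // ThrottleBurst is the maximum number of events sent at the same moment
  // default 15 (the generated comment labels this "QPS", although the value
  // is described as a count of events rather than a rate)
  // +optional
  optional int64 burst = 2;
}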