Documentation
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Event
type Event struct {
	metav1.TypeMeta
	// AuditLevel at which event was generated
	Level Level
	// Time the request reached the apiserver.
	Timestamp metav1.Time
	// Unique audit ID, generated for each request.
	AuditID types.UID
	// RequestURI is the request URI as sent by the client to a server.
	RequestURI string
	// Verb is the kubernetes verb associated with the request.
	// For non-resource requests, this is identical to HttpMethod.
	Verb string
	// Authenticated user information.
	User UserInfo
	// Impersonated user information.
	// +optional
	Impersonate *UserInfo
	// Source IP, from where the request originates.
	// +optional
	SourceIP string
	// Object reference this request is targeted at.
	// Does not apply for List-type requests, or non-resource requests.
	// +optional
	ObjectRef *ObjectReference
	// The response status, populated even when the ResponseObject is not a Status type.
	// For successful responses, this will only include the Code and StatusSuccess.
	// For non-status type error responses, this will be auto-populated with the error Message.
	// +optional
	ResponseStatus *metav1.Status
	// API object from the request, in JSON format. The RequestObject is recorded as-is in the request
	// (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
	// merging. It is an external versioned object type, and may not be a valid object on its own.
	// Omitted for non-resource requests. Only logged at RequestObject Level and higher.
	// +optional
	RequestBody string
	// API object returned in the response, in JSON. The ResponseObject is recorded after conversion
	// to the external type, and serialized as JSON. Omitted for non-resource requests. Only logged
	// at ResponseObject Level and higher.
	// +optional
	ResponseBody string
}
Event captures all the information that can be included in an API audit log.
type GroupKinds
type GroupKinds struct {
	// Group is the name of the API group that contains the resources.
	// The empty string represents the core API group.
	// +optional
	Group string
	// Kinds is a list of kinds of resources within the API group.
	// An empty list implies every resource kind in the API group.
	// +optional
	Kinds []string
}
GroupKinds represents resource kinds in an API group.
type Level
type Level string
Level defines the amount of information logged during auditing.
const (
	// LevelNone disables auditing
	LevelNone Level = "None"
	// LevelMetadata provides the basic level of auditing.
	LevelMetadata Level = "Metadata"
	// LevelRequest provides Metadata level of auditing, and additionally
	// logs the request object (does not apply for non-resource requests).
	LevelRequest Level = "Request"
	// LevelResponse provides Request level of auditing, and additionally
	// logs the response object (does not apply for non-resource requests).
	LevelResponse Level = "Response"
)
Valid audit levels
type ObjectReference
type ObjectReference struct {
	// +optional
	Kind string
	// +optional
	Namespace string
	// +optional
	Name string
	// +optional
	UID types.UID
	// +optional
	APIVersion string
	// +optional
	ResourceVersion string
}
ObjectReference contains enough information to let you inspect or modify the referred object.
type Policy
type Policy struct {
	metav1.TypeMeta
	// Rules specify the audit Level a request should be recorded at.
	// A request may match multiple rules, in which case the FIRST matching rule is used.
	// The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
	Rules []PolicyRule
}
Policy defines the configuration of audit logging, and the rules for how different request categories are logged.
type PolicyRule
type PolicyRule struct {
	// The Level that requests matching this rule are recorded at.
	Level Level
	// The users (by authenticated user name) this rule applies to.
	// An empty list implies every user.
	// +optional
	Users []string
	// The user groups this rule applies to. A user is considered matching
	// if it is a member of any of the UserGroups.
	// An empty list implies every user group.
	// +optional
	UserGroups []string
	// The verbs that match this rule.
	// An empty list implies every verb.
	// +optional
	Verbs []string
	// Resource kinds that this rule matches. An empty list implies all kinds in all API groups.
	// +optional
	ResourceKinds []GroupKinds
	// Namespaces that this rule matches.
	// The empty string "" matches non-namespaced resources.
	// An empty list implies every namespace.
	// +optional
	Namespaces []string
	// NonResourceURLs is a set of URL paths that should be audited.
	// *s are allowed, but only as the full, final step in the path.
	// Examples:
	//  "/metrics" - Log requests for apiserver metrics
	//  "/healthz*" - Log all health checks
	// +optional
	NonResourceURLs []string
}
PolicyRule maps requests, based on their metadata, to an audit Level. A request must match every field of the rule (the fields form an intersection).
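The rule semantics documented on this page (first matching rule wins, None by default; an empty list in any field means "every"; every field of a rule must match; "*" only as the final path step; UserGroups matched by membership in any listed group; "" in Namespaces matching non-namespaced resources; request and response bodies recorded only at the Request and Response levels and higher) are worked through below in an added example. It is not code from this package or from Kubernetes: the Level, GroupKinds, PolicyRule and Policy types are local copies of the fields documented here, the Request struct is a hypothetical stand-in for the parts of an Event that matching reads, and the policy is constructed for the demonstration. One assumption goes beyond the page: a rule that restricts ResourceKinds or Namespaces is treated as never matching a non-resource request (which carries no ObjectRef), and a rule that restricts NonResourceURLs as never matching a resource request.

```go
package main

import (
	"fmt"
	"strings"
)

// Local copies of the page's Level, GroupKinds, PolicyRule and Policy types, added
// for a self-contained example; they are not the package's own definitions.
type Level string
const (
	LevelNone     Level = "None"
	LevelMetadata Level = "Metadata"
	LevelRequest  Level = "Request"
	LevelResponse Level = "Response"
)
var levelRank = map[Level]int{LevelNone: 0, LevelMetadata: 1, LevelRequest: 2, LevelResponse: 3}
// AtLeast reports whether l records at least as much as m ("Request Level and higher").
func (l Level) AtLeast(m Level) bool { return levelRank[l] >= levelRank[m] }

type (
	GroupKinds struct {
		Group string
		Kinds []string
	}
	PolicyRule struct {
		Level                                                  Level
		Users, UserGroups, Verbs, Namespaces, NonResourceURLs []string
		ResourceKinds                                          []GroupKinds
	}
	Policy struct{ Rules []PolicyRule }
	// Request is a hypothetical stand-in for the Event attributes matching reads (Group "" is the core API group, Namespace "" a non-namespaced resource, Path the RequestURI).
	Request struct {
		User, Verb, Group, Kind, Namespace, Path string
		Groups                                   []string
		NonResource                              bool // true for /healthz, /metrics and similar
	}
)
// has applies the documented convention that an empty list implies every value.
func has(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return len(list) == 0
}

// matches is the intersection over every field of the rule. Assumption: resource constraints
// (ResourceKinds, Namespaces) and NonResourceURLs are mutually exclusive, since a non-resource request has no ObjectRef.
func matches(rule PolicyRule, r Request) bool {
	groupOK := len(rule.UserGroups) == 0 // membership in any one listed group suffices
	for _, g := range r.Groups {
		groupOK = groupOK || has(rule.UserGroups, g)
	}
	if !groupOK || !has(rule.Users, r.User) || !has(rule.Verbs, r.Verb) {
		return false
	}
	if r.NonResource {
		urlOK := len(rule.NonResourceURLs) == 0
		for _, p := range rule.NonResourceURLs { // "*" is allowed only as the full, final path step
			urlOK = urlOK || p == r.Path || (strings.HasSuffix(p, "*") && strings.HasPrefix(r.Path, strings.TrimSuffix(p, "*")))
		}
		return urlOK && len(rule.ResourceKinds) == 0 && len(rule.Namespaces) == 0
	}
	kindOK := len(rule.ResourceKinds) == 0
	for _, gk := range rule.ResourceKinds {
		kindOK = kindOK || (gk.Group == r.Group && has(gk.Kinds, r.Kind))
	}
	return kindOK && len(rule.NonResourceURLs) == 0 && has(rule.Namespaces, r.Namespace)
}

// LevelFor applies the Policy contract: the FIRST matching rule wins, default None.
func LevelFor(p Policy, r Request) Level {
	for _, rule := range p.Rules {
		if matches(rule, r) {
			return rule.Level
		}
	}
	return LevelNone
}

// ExamplePolicy is a constructed policy: drop kube-proxy watch churn and health checks, keep Secrets at Metadata so their bodies never reach the log, record the submitted object for every mutation, everything else at Metadata.
func ExamplePolicy() Policy {
	return Policy{Rules: []PolicyRule{
		{Level: LevelNone, Users: []string{"system:kube-proxy"}, Verbs: []string{"watch"},
			ResourceKinds: []GroupKinds{{Group: "", Kinds: []string{"Endpoints", "Service"}}}},
		{Level: LevelNone, NonResourceURLs: []string{"/healthz*"}},
		{Level: LevelMetadata, ResourceKinds: []GroupKinds{{Group: "", Kinds: []string{"Secret"}}}},
		{Level: LevelRequest, Verbs: []string{"create", "update", "patch", "delete"}},
		{Level: LevelMetadata},
	}}
}

func main() {
	l := LevelFor(ExamplePolicy(), Request{User: "alice", Verb: "get", Kind: "Secret", Namespace: "default"})
	fmt.Println("get Secret ->", l, "| response body recorded:", l.AtLeast(LevelResponse))
}
```

Rule order is what makes the Secret rule effective: it sits before the mutation rule, so a `create` of a Secret is still recorded at Metadata rather than Request, and the catch-all at the end is what turns the documented default of None into Metadata for everything the earlier rules did not claim.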
type UserInfo
type UserInfo struct {
	// The name that uniquely identifies this user among all active users.
	Username string
	// A unique value that identifies this user across time. If this user is
	// deleted and another user by the same name is added, they will have
	// different UIDs.
	UID string
	// The names of groups this user is a part of.
	Groups []string
	// Any additional information provided by the authenticator.
	Extra map[string]ExtraValue
}
UserInfo holds the information about the user needed to implement the user.Info interface.