




// Event captures all the information that can be included in an API audit log.
// The Level it was generated at decides which of the optional fields below are
// populated; fields marked "only logged at ... and higher" stay empty otherwise.
type Event struct {
	metav1.TypeMeta

	// Level is the audit Level at which this event was generated.
	Level Level

	// Timestamp is the time the request reached the apiserver (not the time it
	// completed).
	Timestamp metav1.Time
	// AuditID is a unique audit ID, generated for each request, so an event can be
	// tied back to the request that produced it.
	AuditID types.UID
	// RequestURI is the request URI as sent by the client to a server. It is
	// client-controlled content; treat it as untrusted when parsing or rendering
	// audit output.
	RequestURI string
	// Verb is the kubernetes verb associated with the request.
	// For non-resource requests, this is identical to the HTTP method.
	Verb string
	// User is the authenticated user information: the identity that presented
	// credentials to the apiserver. It remains the accountable principal even
	// when Impersonate is set.
	User UserInfo
	// Impersonate is the impersonated user information, present only when the
	// request was made on behalf of another identity. When attributing an action
	// during an investigation keep both: User is who acted, Impersonate is who
	// they acted as.
	// +optional
	Impersonate *UserInfo
	// SourceIP is the source IP, from where the request originates.
	// NOTE(review): whether this is the TCP peer address or a proxy-forwarded
	// client address is not established here — confirm before relying on it.
	// +optional
	SourceIP string
	// ObjectRef is the object reference this request is targeted at.
	// Does not apply for List-type requests, or non-resource requests.
	// +optional
	ObjectRef *ObjectReference
	// ResponseStatus is the response status, populated even when the response body is not a Status type.
	// For successful responses, this will only include the Code and StatusSuccess.
	// For non-status type error responses, this will be auto-populated with the error Message.
	// +optional
	ResponseStatus *metav1.Status

	// RequestBody is the API object from the request, in JSON format. It is recorded as-is from the request
	// (possibly re-encoded as JSON), prior to version conversion, defaulting, admission or
	// merging. It is an external versioned object type, and may not be a valid object on its own.
	// Because it is captured before admission, it shows what the client asked for, not what
	// was persisted; use ResponseBody for the latter.
	// Omitted for non-resource requests.  Only logged at LevelRequest and higher.
	// NOTE(review): the body is recorded verbatim, so anything sensitive the client sends
	// ends up in the log; choose this level per ResourceKinds in the Policy rather than via
	// a catch-all rule.
	// +optional
	RequestBody string
	// ResponseBody is the API object returned in the response, in JSON. It is recorded after conversion
	// to the external type, and serialized as JSON.  Omitted for non-resource requests.  Only logged
	// at LevelResponse and higher. The same sensitivity caveat as RequestBody applies.
	// +optional
	ResponseBody string
}

Event captures all the information that can be included in an API audit log.


// EventList is a list of audit Events, in the standard list-type shape
// (TypeMeta, optional ListMeta, Items).
type EventList struct {
	metav1.TypeMeta
	// +optional
	metav1.ListMeta

	// Items holds the audit Events in this list.
	Items []Event
}

EventList is a list of audit Events.


// ExtraValue is a named []string used as the value type of UserInfo.Extra so
// that protobuf code can be generated for that map; no methods are defined on
// it in this listing.
type ExtraValue []string

ExtraValue wraps a []string in a named type so that protobuf code can be generated for the map values in UserInfo.Extra.


// GroupKinds represents resource kinds in an API group. It is the selector
// used by PolicyRule.ResourceKinds.
type GroupKinds struct {
	// Group is the name of the API group that contains the resources.
	// The empty string represents the core API group.
	// +optional
	Group string
	// Kinds is a list of kinds of resources within the API group.
	// An empty list implies every resource kind in the API group, so a
	// GroupKinds with only Group set selects the whole group.
	// +optional
	Kinds []string
}

GroupKinds represents resource kinds in an API group.


// Level defines the amount of information logged during auditing. Levels are
// cumulative: each one records everything the previous level does, plus more.
type Level string

Level defines the amount of information logged during auditing

const (
	// LevelNone disables auditing for the requests that select it. A broad
	// rule at this level hides those requests from the log entirely.
	LevelNone Level = "None"
	// LevelMetadata provides the basic level of auditing: the Event fields
	// other than the request and response bodies.
	LevelMetadata Level = "Metadata"
	// LevelRequest provides Metadata level of auditing, and additionally
	// logs the request object (does not apply for non-resource requests).
	LevelRequest Level = "Request"
	// LevelResponse provides Request level of auditing, and additionally
	// logs the response object (does not apply for non-resource requests).
	// This is the most verbose level and records payloads verbatim.
	LevelResponse Level = "Response"
)

Valid audit levels, from least to most verbose; each level includes everything the previous one records.


// ObjectReference contains enough information to let you inspect or modify the
// referred object. Every field is optional; in an audit Event it is filled in
// from the request target (see Event.ObjectRef).
type ObjectReference struct {
	// Kind of the referenced object.
	// +optional
	Kind string
	// Namespace of the referenced object; empty for non-namespaced resources.
	// +optional
	Namespace string
	// Name of the referenced object.
	// +optional
	Name string
	// UID of the referenced object. Unlike Name, it is not reused if the object
	// is deleted and recreated, so it is the safer key for correlation.
	// +optional
	UID types.UID
	// APIVersion of the referenced object.
	// +optional
	APIVersion string
	// ResourceVersion of the referenced object.
	// +optional
	ResourceVersion string
}

ObjectReference contains enough information to let you inspect or modify the referred object.


// Policy defines the configuration of audit logging, and the rules for how
// different request categories are logged.
type Policy struct {
	metav1.TypeMeta

	// Rules specify the audit Level a request should be recorded at.
	// A request may match multiple rules, in which case the FIRST matching rule is used.
	// The default audit level is None, but can be overridden by a catch-all rule at the end of the list.
	// Because evaluation is first-match, ordering is security-relevant: a broad
	// rule placed early (e.g. LevelNone for a large group or verb) shadows every
	// more specific rule after it. Put narrow exclusions first, broad rules last,
	// and end with an explicit catch-all so unmatched requests are not silently
	// dropped by the None default.
	Rules []PolicyRule
}

Policy defines the configuration of audit logging, and the rules for how different request categories are logged.


// PolicyRule maps requests to an audit Level based on request metadata.
// Every non-empty selector field must match for the rule to apply (an
// intersection); an empty field matches everything. A rule with all selector
// fields empty therefore matches every request, and with Level set to
// LevelNone it disables auditing for everything that reaches it.
type PolicyRule struct {
	// Level is the Level that requests matching this rule are recorded at.
	Level Level

	// Users lists the users (by authenticated user name) this rule applies to.
	// An empty list implies every user.
	// +optional
	Users []string
	// UserGroups lists the user groups this rule applies to. A user is considered matching
	// if it is a member of any of the UserGroups.
	// An empty list implies every user group.
	// +optional
	UserGroups []string

	// Verbs lists the verbs that match this rule.
	// An empty list implies every verb.
	// +optional
	Verbs []string

	// ResourceKinds lists the resource kinds that this rule matches. An empty list implies all kinds in all API groups.
	// +optional
	ResourceKinds []GroupKinds
	// Namespaces lists the namespaces that this rule matches.
	// The empty string "" matches non-namespaced resources.
	// An empty list implies every namespace.
	// Note the distinction: []string{""} restricts the rule to non-namespaced
	// resources, whereas a nil/empty list does not restrict by namespace at all.
	// +optional
	Namespaces []string

	// NonResourceURLs is a set of URL paths that should be audited.
	// *s are allowed, but only as the full, final step in the path.
	// Examples:
	//  "/metrics" - Log requests for apiserver metrics
	//  "/healthz*" - Log all health checks
	// NOTE(review): how a rule that sets NonResourceURLs together with resource
	// selectors (ResourceKinds/Namespaces) is evaluated is not established by this
	// listing — confirm against the policy evaluator.
	// +optional
	NonResourceURLs []string
}

PolicyRule maps requests to an audit Level based on request metadata. A request must match every non-empty field of the rule (an intersection of selectors); an empty field matches everything.


// UserInfo holds the information about the user needed to implement the
// user.Info interface. In an audit Event it records the acting identity
// (Event.User) and, when impersonation is used, the impersonated one.
type UserInfo struct {
	// Username is the name that uniquely identifies this user among all active users.
	Username string
	// UID is a unique value that identifies this user across time. If this user is
	// deleted and another user by the same name is added, they will have
	// different UIDs. Prefer it over Username when correlating events across
	// time for exactly that reason.
	UID string
	// Groups are the names of groups this user is a part of.
	Groups []string
	// Extra is any additional information provided by the authenticator.
	// NOTE(review): its contents are authenticator-defined and are written to the
	// audit log as-is; confirm the authenticators in use do not place secrets here.
	Extra map[string]ExtraValue
}

UserInfo holds the information about the user needed to implement the user.Info interface.
