POST /v1/detect/deploy
DetectDeployTime checks if any deployments violate deploy time policies.
Code | Message | Datatype |
---|---|---|
200 | A successful response. | |
0 | An unexpected error response. | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
action | | | UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT | | |
message | | | String | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
message | | | String | | |
processes | | | List of StorageProcessIndicator | | |
Enum Values |
---|
UNKNOWN |
SECRETS |
CONFIGMAPS |
CLUSTER_ROLES |
CLUSTER_ROLE_BINDINGS |
NETWORK_POLICIES |
SECURITY_CONTEXT_CONSTRAINTS |
EGRESS_FIREWALLS |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
message | | | String | | |
keyValueAttrs | | | | | |
networkFlowInfo | | | | | |
type | | | GENERIC, K8S_EVENT, NETWORK_FLOW, NETWORK_POLICY | | |
time | | | Date | Indicates violation time. This field differs from top-level field 'time' which represents last time the alert occurred in case of multiple occurrences of the policy alert. As of 55.0, this field is set only for kubernetes event violations, but may not be limited to it in future. | date-time |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key | | | String | | |
value | | | String | | |
envVarSource | | | UNSET, RAW, SECRET_KEY, CONFIG_MAP_KEY, FIELD, RESOURCE_FIELD, UNKNOWN | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name | | | String | | |
type | | | String | | |
alerts | | | List of StorageAlert | | |
For any update to EnvVarSource, please also update 'ui/src/messages/common.js'
Enum Values |
---|
UNSET |
RAW |
SECRET_KEY |
CONFIG_MAP_KEY |
FIELD |
RESOURCE_FIELD |
UNKNOWN |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
code | | | Integer | | int32 |
message | | | String | | |
details | | | List of ProtobufAny | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key | | | String | | |
value | | | String | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name | | | String | | |
entityType | | | UNKNOWN_TYPE, DEPLOYMENT, INTERNET, LISTEN_ENDPOINT, EXTERNAL_SOURCE, INTERNAL_ENTITIES | | |
deploymentNamespace | | | String | | |
deploymentType | | | String | | |
port | | | Integer | | int32 |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
tactic | | | String | | |
techniques | | | List of | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
level | | | UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE | | |
serviceName | | | String | | |
serviceId | | | String | | |
serviceClusterIp | | | String | | |
servicePort | | | Integer | | int32 |
nodePort | | | Integer | | int32 |
externalIps | | | List of | | |
externalHostnames | | | List of | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
parentUid | | | Long | | int64 |
parentExecFilePath | | | String | | |
Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

```cpp
Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}
```

Example 2: Pack and unpack a message in Java.

```java
Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
```

Example 3: Pack and unpack a message in Python.

```python
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
```

Example 4: Pack and unpack a message in Go.

```go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}
```

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

```proto
package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
```

```json
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}
```

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]):

```json
{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
```
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
@type | | | String | A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one "/" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
user | | | String | | |
role | | | String | | |
type | | | String | | |
level | | | String | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
type | | | UNCONFINED, RUNTIME_DEFAULT, LOCALHOST | | |
localhostProfile | | | String | | |
Next available tag: 24
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | | |
policy | | | | | |
lifecycleStage | | | DEPLOY, BUILD, RUNTIME | | |
clusterId | | | String | | |
clusterName | | | String | | |
namespace | | | String | | |
namespaceId | | | String | | |
deployment | | | | | |
image | | | | | |
resource | | | | | |
violations | | | List of AlertViolation | For run-time phase alert, a maximum of 40 violations are retained. | |
processViolation | | | | | |
enforcement | | | | | |
time | | | Date | | date-time |
firstOccurred | | | Date | | date-time |
resolvedAt | | | Date | The time at which the alert was resolved. Only set if ViolationState is RESOLVED. | date-time |
state | | | ACTIVE, SNOOZED, RESOLVED, ATTEMPTED | | |
snoozeTill | | | Date | | date-time |
platformComponent | | | Boolean | | |
entityType | | | UNSET, DEPLOYMENT, CONTAINER_IMAGE, RESOURCE | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | | |
name | | | String | | |
type | | | String | | |
namespace | | | String | This field has to be duplicated in Alert for scope management and search. | |
namespaceId | | | String | This field has to be duplicated in Alert for scope management and search. | |
labels | | | Map of | | |
clusterId | | | String | This field has to be duplicated in Alert for scope management and search. | |
clusterName | | | String | This field has to be duplicated in Alert for scope management and search. | |
containers | | | List of AlertDeploymentContainer | | |
annotations | | | Map of | | |
inactive | | | Boolean | | |
Represents an alert on a kubernetes resource other than a deployment (configmaps, secrets, etc.)
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
resourceType | | | UNKNOWN, SECRETS, CONFIGMAPS, CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS, NETWORK_POLICIES, SECURITY_CONTEXT_CONSTRAINTS, EGRESS_FIREWALLS | | |
name | | | String | | |
clusterId | | | String | This field has to be duplicated in Alert for scope management and search. | |
clusterName | | | String | This field has to be duplicated in Alert for scope management and search. | |
namespace | | | String | This field has to be duplicated in Alert for scope management and search. | |
namespaceId | | | String | This field has to be duplicated in Alert for scope management and search. | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | | |
config | | | | | |
image | | | | | |
securityContext | | | | | |
volumes | | | List of StorageVolume | | |
ports | | | List of StoragePortConfig | | |
secrets | | | List of StorageEmbeddedSecret | | |
resources | | | | | |
name | | | String | | |
livenessProbe | | | | | |
readinessProbe | | | | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
env | | | List of ContainerConfigEnvironmentConfig | | |
command | | | List of | | |
args | | | List of | | |
directory | | | String | | |
user | | | String | | |
uid | | | String | | int64 |
appArmorProfile | | | String | | |
Next tag: 12
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | | |
name | | | | | |
notPullable | | | Boolean | | |
isClusterLocal | | | Boolean | | |
Next available tag: 36
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | | |
name | | | String | | |
hash | | | String | | uint64 |
type | | | String | | |
namespace | | | String | | |
namespaceId | | | String | | |
orchestratorComponent | | | Boolean | | |
replicas | | | String | | int64 |
labels | | | Map of | | |
podLabels | | | Map of | | |
labelSelector | | | | | |
created | | | Date | | date-time |
clusterId | | | String | | |
clusterName | | | String | | |
containers | | | List of StorageContainer | | |
annotations | | | Map of | | |
priority | | | String | | int64 |
inactive | | | Boolean | | |
imagePullSecrets | | | List of | | |
serviceAccount | | | String | | |
serviceAccountPermissionLevel | | | UNSET, NONE, DEFAULT, ELEVATED_IN_NAMESPACE, ELEVATED_CLUSTER_WIDE, CLUSTER_ADMIN | | |
automountServiceAccountToken | | | Boolean | | |
hostNetwork | | | Boolean | | |
hostPid | | | Boolean | | |
hostIpc | | | Boolean | | |
runtimeClass | | | String | | |
tolerations | | | List of StorageToleration | | |
ports | | | List of StoragePortConfig | | |
stateTimestamp | | | String | | int64 |
riskScore | | | Float | | float |
platformComponent | | | Boolean | | |
FAIL_KUBE_REQUEST_ENFORCEMENT: FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events.
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT: FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates.
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT: FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.
Enum Values |
---|
UNSET_ENFORCEMENT |
SCALE_TO_ZERO_ENFORCEMENT |
UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT |
KILL_POD_ENFORCEMENT |
FAIL_BUILD_ENFORCEMENT |
FAIL_KUBE_REQUEST_ENFORCEMENT |
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT |
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name | | | String | | |
deployment | | | | | |
image | | | | | |
expiration | | | Date | | date-time |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
registry | | | String | | |
remote | | | String | | |
tag | | | String | | |
fullName | | | String | | |
Enum Values |
---|
L4_PROTOCOL_UNKNOWN |
L4_PROTOCOL_TCP |
L4_PROTOCOL_UDP |
L4_PROTOCOL_ICMP |
L4_PROTOCOL_RAW |
L4_PROTOCOL_SCTP |
L4_PROTOCOL_ANY |
Label selector components are joined with logical AND, see https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
Next available tag: 3
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
matchLabels | | | Map of | This is actually a oneof, but we can’t make it one due to backwards compatibility constraints. | |
requirements | | | List of StorageLabelSelectorRequirement | | |
Next available tag: 4
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key | | | String | | |
op | | | UNKNOWN, IN, NOT_IN, EXISTS, NOT_EXISTS | | |
values | | | List of | | |
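The label selector and requirement tables above describe how a deployment's labelSelector is evaluated: matchLabels and every requirement are joined with logical AND, and each requirement uses one of the ops listed. The following is an added example, not code from the API reference or the StackRox/ACS project; the function names requirement_matches and selector_matches and the sample selector are this example's own, and the NOT_IN treatment of a missing key follows Kubernetes label-selector semantics.

```python
# Added example (not from the API reference or the StackRox/ACS code base):
# evaluates a StorageLabelSelector against a deployment's pod labels as the text
# above describes: matchLabels and every requirement are joined with logical AND,
# and requirement ops are the enum values UNKNOWN, IN, NOT_IN, EXISTS, NOT_EXISTS.

def requirement_matches(req: dict, labels: dict) -> bool:
    """Evaluate one StorageLabelSelectorRequirement {key, op, values}."""
    key, op, values = req["key"], req["op"], req.get("values", [])
    present = key in labels
    if op == "IN":
        return present and labels[key] in values
    if op == "NOT_IN":
        # Kubernetes semantics (assumed here): a missing key also satisfies NOT_IN.
        return not present or labels[key] not in values
    if op == "EXISTS":
        return present
    if op == "NOT_EXISTS":
        return not present
    # UNKNOWN (or any unexpected op) never matches: the selector fails closed.
    return False


def selector_matches(selector: dict, labels: dict) -> bool:
    """True only when matchLabels AND every requirement hold (logical AND)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    return all(requirement_matches(r, labels) for r in selector.get("requirements", []))


# Constructed sample selector: app=web, tier in {frontend, edge}, and no "debug" label.
SAMPLE_SELECTOR = {
    "matchLabels": {"app": "web"},
    "requirements": [
        {"key": "tier", "op": "IN", "values": ["frontend", "edge"]},
        {"key": "debug", "op": "NOT_EXISTS"},
    ],
}

if __name__ == "__main__":
    for pod_labels in ({"app": "web", "tier": "edge"},
                       {"app": "web", "tier": "edge", "debug": "true"},
                       {"app": "api", "tier": "edge"}):
        print(pod_labels, "->", selector_matches(SAMPLE_SELECTOR, pod_labels))
```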
INTERNAL_ENTITIES: INTERNAL_ENTITIES is for grouping all internal entities under a single network graph node
Enum Values |
---|
UNKNOWN_TYPE |
DEPLOYMENT |
INTERNET |
LISTEN_ENDPOINT |
EXTERNAL_SOURCE |
INTERNAL_ENTITIES |
For any update to PermissionLevel, also update:
- pkg/searchbasedpolicies/builders/k8s_rbac.go
- ui/src/messages/common.js
Enum Values |
---|
UNSET |
NONE |
DEFAULT |
ELEVATED_IN_NAMESPACE |
ELEVATED_CLUSTER_WIDE |
CLUSTER_ADMIN |
Next tag: 28
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | | |
name | | | String | Name of the policy. Must be unique. | |
description | | | String | Free-form text description of this policy. | |
rationale | | | String | | |
remediation | | | String | Describes how to remediate a violation of this policy. | |
disabled | | | Boolean | Toggles whether or not this policy will be executing and actively firing alerts. | |
categories | | | List of | List of categories that this policy falls under. Category names must already exist in Central. | |
lifecycleStages | | | List of StorageLifecycleStage | Describes which policy lifecycle stages this policy applies to. Choices are DEPLOY, BUILD, and RUNTIME. | |
eventSource | | | NOT_APPLICABLE, DEPLOYMENT_EVENT, AUDIT_LOG_EVENT | | |
exclusions | | | List of StorageExclusion | Define deployments or images that should be excluded from this policy. | |
scope | | | List of StorageScope | Defines clusters, namespaces, and deployments that should be included in this policy. No scopes defined includes everything. | |
severity | | | UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY | | |
enforcementActions | | | List of StorageEnforcementAction | Lists the enforcement actions to take when a violation from this policy is identified. Possible values are UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, and FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT. FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if the admission control webhook is configured to enforce on object creates/updates. FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if the admission control webhook is enabled to listen on exec and port-forward events. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if the admission control webhook is configured to enforce on object updates. | |
notifiers | | | List of | List of IDs of the notifiers that should be triggered when a violation from this policy is identified. IDs should be in the form of a UUID and are found through the Central API. | |
lastUpdated | | | Date | | date-time |
SORTName | | | String | For internal use only. | |
SORTLifecycleStage | | | String | For internal use only. | |
SORTEnforcement | | | Boolean | For internal use only. | |
policyVersion | | | String | | |
policySections | | | List of StoragePolicySection | PolicySections define the violation criteria for this policy. | |
mitreAttackVectors | | | List of PolicyMitreAttackVectors | | |
criteriaLocked | | | Boolean | Read-only field. If true, the policy’s criteria fields are rendered read-only. | |
mitreVectorsLocked | | | Boolean | Read-only field. If true, the policy’s MITRE ATT&CK fields are rendered read-only. | |
isDefault | | | Boolean | Read-only field. Indicates the policy is a default policy if true and a custom policy if false. | |
source | | | IMPERATIVE, DECLARATIVE | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
fieldName | | | String | Defines which field on a deployment or image this PolicyGroup evaluates. See https://docs.openshift.com/acs/operating/manage-security-policies.html#policy-criteria_manage-security-policies for a complete list of possible values. | |
booleanOperator | | | OR, AND | | |
negate | | | Boolean | Determines if the evaluation of this PolicyGroup is negated. Default to false. | |
values | | | List of StoragePolicyValue | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
sectionName | | | String | | |
policyGroups | | | List of StoragePolicyGroup | The set of policy groups that make up this section. Each group can be considered an individual criterion. | |
Next Available Tag: 6
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name | | | String | | |
containerPort | | | Integer | | int32 |
protocol | | | String | | |
exposure | | | UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE | | |
exposedPort | | | Integer | | int32 |
exposureInfos | | | List of PortConfigExposureInfo | | |
Next available tag: 13
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | | |
deploymentId | | | String | | |
containerName | | | String | | |
podId | | | String | | |
podUid | | | String | | |
signal | | | | | |
clusterId | | | String | | |
namespace | | | String | | |
containerStartTime | | | Date | | date-time |
imageId | | | String | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
id | | | String | A unique UUID for identifying the message. We have this here instead of at the top level because we want each message to be self-contained. | |
containerId | | | String | | |
time | | | Date | | date-time |
name | | | String | | |
args | | | String | | |
execFilePath | | | String | | |
pid | | | Long | | int64 |
uid | | | Long | | int64 |
gid | | | Long | | int64 |
lineage | | | List of | | |
scraped | | | Boolean | | |
lineageInfo | | | List of ProcessSignalLineageInfo | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
cpuCoresRequest | | | Float | | float |
cpuCoresLimit | | | Float | | float |
memoryMbRequest | | | Float | | float |
memoryMbLimit | | | Float | | float |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
cluster | | | String | | |
namespace | | | String | | |
label | | | | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
privileged | | | Boolean | | |
selinux | | | | | |
dropCapabilities | | | List of | | |
addCapabilities | | | List of | | |
readOnlyRootFilesystem | | | Boolean | | |
seccompProfile | | | | | |
allowPrivilegeEscalation | | | Boolean | | |
Enum Values |
---|
UNSET_SEVERITY |
LOW_SEVERITY |
MEDIUM_SEVERITY |
HIGH_SEVERITY |
CRITICAL_SEVERITY |
Enum Values |
---|
UNKNOWN_TAINT_EFFECT |
NO_SCHEDULE_TAINT_EFFECT |
PREFER_NO_SCHEDULE_TAINT_EFFECT |
NO_EXECUTE_TAINT_EFFECT |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
key | | | String | | |
operator | | | TOLERATION_OPERATION_UNKNOWN, TOLERATION_OPERATOR_EXISTS, TOLERATION_OPERATOR_EQUAL | | |
value | | | String | | |
taintEffect | | | UNKNOWN_TAINT_EFFECT, NO_SCHEDULE_TAINT_EFFECT, PREFER_NO_SCHEDULE_TAINT_EFFECT, NO_EXECUTE_TAINT_EFFECT | | |
Enum Values |
---|
TOLERATION_OPERATION_UNKNOWN |
TOLERATION_OPERATOR_EXISTS |
TOLERATION_OPERATOR_EQUAL |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name | | | String | | |
source | | | String | | |
destination | | | String | | |
readOnly | | | Boolean | | |
type | | | String | | |
mountPropagation | | | NONE, HOST_TO_CONTAINER, BIDIRECTIONAL | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
name | | | String | | |
permissionLevel | | | String | | |
appliedNetworkPolicies | | | List of | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
deployment | | | | | |
noExternalMetadata | | | Boolean | | |
enforcementOnly | | | Boolean | | |
clusterId | | | String | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
runs | | | List of DeployDetectionResponseRun | | |
ignoredObjectRefs | | | List of | The reference will be in the format: namespace/name[<group>/<version>, Kind=<kind>]. | |
remarks | | | List of V1DeployDetectionRemark | | |
Field Name | Required | Nullable | Type | Description | Format |
---|---|---|---|---|---|
attrs | | | List of KeyValueAttrsKeyValueAttr | | |
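The request and response tables for POST /v1/detect/deploy above, together with the enforcement-action notes (which actions only take effect when the admission control webhook is configured for them), are what a CI pipeline consumes when it asks Central to evaluate a deployment before it is applied. The following is an added example, not code from the API reference or the StackRox/ACS project: it builds the request body from the documented fields and turns a response into a pass/fail decision. The names build_request, summarize, gate, BLOCKING_ACTIONS and FAIL_SEVERITIES, the severity threshold, and the sample response are this example's own; the HTTP call is left to the caller so the code runs offline.

```python
# Added example (not part of the API reference or the StackRox/ACS code base): a CI
# gate around POST /v1/detect/deploy using only field names from the tables above.
import json

# Enforcement actions that stop a deployment at deploy time (StorageEnforcementAction).
# Whether they take effect depends on the admission-control webhook settings noted above.
BLOCKING_ACTIONS = {
    "SCALE_TO_ZERO_ENFORCEMENT",
    "UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT",
    "FAIL_DEPLOYMENT_CREATE_ENFORCEMENT",
    "FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT",
}
FAIL_SEVERITIES = {"HIGH_SEVERITY", "CRITICAL_SEVERITY"}  # this gate's own threshold

def build_request(deployment: dict, cluster_id: str, enforcement_only: bool = False) -> str:
    """Serialize a V1DeployDetectionRequest (deployment, noExternalMetadata, enforcementOnly, clusterId)."""
    return json.dumps({
        "deployment": deployment,
        "noExternalMetadata": False,
        "enforcementOnly": enforcement_only,
        "clusterId": cluster_id,
    })

def summarize(response: dict) -> list:
    """Flatten runs[].alerts[] into rows of run, policy, severity, enforcement action, messages."""
    rows = []
    for run in response.get("runs", []):
        for alert in run.get("alerts", []):
            policy = alert.get("policy", {})
            rows.append({
                "run": run.get("name"),
                "policy": policy.get("name"),
                "severity": policy.get("severity", "UNSET_SEVERITY"),
                "action": alert.get("enforcement", {}).get("action", "UNSET_ENFORCEMENT"),
                "messages": [v.get("message") for v in alert.get("violations", [])],
            })
    return rows

def gate(response: dict) -> bool:
    """True (deploy may proceed) unless some alert is blocking by action or severity."""
    return not any(r["action"] in BLOCKING_ACTIONS or r["severity"] in FAIL_SEVERITIES
                   for r in summarize(response))

# Constructed sample response: shape follows the tables above, values are invented.
SAMPLE_RESPONSE = {
    "runs": [{"name": "web", "type": "Deployment", "alerts": [{
        "lifecycleStage": "DEPLOY",
        "policy": {"name": "Privileged Container", "severity": "HIGH_SEVERITY",
                   "enforcementActions": ["FAIL_DEPLOYMENT_CREATE_ENFORCEMENT"]},
        "violations": [{"message": "Container 'web' is privileged", "type": "GENERIC"}],
        "enforcement": {"action": "FAIL_DEPLOYMENT_CREATE_ENFORCEMENT", "message": "blocked"},
    }]}],
}

if __name__ == "__main__":
    for row in summarize(SAMPLE_RESPONSE):
        print(f"[{row['severity']}] {row['run']}: {row['policy']} -> {row['action']}")
    print("deploy allowed:", gate(SAMPLE_RESPONSE))
```

In a pipeline, send the string returned by build_request as the JSON body of the POST, parse the response body with json.loads, and fail the job when gate returns False.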