×

POST /v1/detect/deploy

DetectDeployTime checks if any deployments violate deploy time policies.

Description

Parameters

Body Parameter

Name Description Required Default Pattern

body

V1DeployDetectionRequest

X

Content Type

  • application/json

Responses

Table 1. HTTP Response Codes
Code Message Datatype

200

A successful response.

V1DeployDetectionResponse

0

An unexpected error response.

GooglerpcStatus

Samples

Common object reference

AlertDeploymentContainer

Field Name Required Nullable Type Description Format

image

StorageContainerImage

name

String

AlertEnforcement

Field Name Required Nullable Type Description Format

action

StorageEnforcementAction

UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT,

message

String

AlertEntityType

Enum Values

UNSET

DEPLOYMENT

CONTAINER_IMAGE

RESOURCE

AlertProcessViolation

Field Name Required Nullable Type Description Format

message

String

processes

List of StorageProcessIndicator

AlertResourceResourceType

Enum Values

UNKNOWN

SECRETS

CONFIGMAPS

CLUSTER_ROLES

CLUSTER_ROLE_BINDINGS

NETWORK_POLICIES

SECURITY_CONTEXT_CONSTRAINTS

EGRESS_FIREWALLS

AlertViolation

Field Name Required Nullable Type Description Format

message

String

keyValueAttrs

ViolationKeyValueAttrs

networkFlowInfo

ViolationNetworkFlowInfo

type

AlertViolationType

GENERIC, K8S_EVENT, NETWORK_FLOW, NETWORK_POLICY,

time

Date

Indicates violation time. This field differs from top-level field 'time' which represents last time the alert occurred in case of multiple occurrences of the policy alert. As of 55.0, this field is set only for kubernetes event violations, but may not be limited to it in future.

date-time

AlertViolationType

Enum Values

GENERIC

K8S_EVENT

NETWORK_FLOW

NETWORK_POLICY

ContainerConfigEnvironmentConfig

Field Name Required Nullable Type Description Format

key

String

value

String

envVarSource

EnvironmentConfigEnvVarSource

UNSET, RAW, SECRET_KEY, CONFIG_MAP_KEY, FIELD, RESOURCE_FIELD, UNKNOWN,

DeployDetectionResponseRun

Field Name Required Nullable Type Description Format

name

String

type

String

alerts

List of StorageAlert

EnvironmentConfigEnvVarSource

For any update to EnvVarSource, please also update 'ui/src/messages/common.js'
Enum Values

UNSET

RAW

SECRET_KEY

CONFIG_MAP_KEY

FIELD

RESOURCE_FIELD

UNKNOWN

GooglerpcStatus

Field Name Required Nullable Type Description Format

code

Integer

int32

message

String

details

List of ProtobufAny

KeyValueAttrsKeyValueAttr

Field Name Required Nullable Type Description Format

key

String

value

String

NetworkFlowInfoEntity

Field Name Required Nullable Type Description Format

name

String

entityType

StorageNetworkEntityInfoType

UNKNOWN_TYPE, DEPLOYMENT, INTERNET, LISTEN_ENDPOINT, EXTERNAL_SOURCE, INTERNAL_ENTITIES,

deploymentNamespace

String

deploymentType

String

port

Integer

int32

PolicyMitreAttackVectors

Field Name Required Nullable Type Description Format

tactic

String

techniques

List of string

PortConfigExposureInfo

Field Name Required Nullable Type Description Format

level

PortConfigExposureLevel

UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE,

serviceName

String

serviceId

String

serviceClusterIp

String

servicePort

Integer

int32

nodePort

Integer

int32

externalIps

List of string

externalHostnames

List of string

PortConfigExposureLevel

Enum Values

UNSET

EXTERNAL

NODE

INTERNAL

HOST

ROUTE

ProcessSignalLineageInfo

Field Name Required Nullable Type Description Format

parentUid

Long

int64

parentExecFilePath

String

ProtobufAny

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}
Example 3: Pack and unpack a message in Python.
foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...
Example 4: Pack and unpack a message in Go
foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

JSON representation

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}
{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}
Field Name Required Nullable Type Description Format

@type

String

A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in path/google.protobuf.Duration). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme http, https, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, https is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than http, https (or the empty scheme) might be used with implementation specific semantics.

SeccompProfileProfileType

Enum Values

UNCONFINED

RUNTIME_DEFAULT

LOCALHOST

SecurityContextSELinux

Field Name Required Nullable Type Description Format

user

String

role

String

type

String

level

String

SecurityContextSeccompProfile

Field Name Required Nullable Type Description Format

type

SeccompProfileProfileType

UNCONFINED, RUNTIME_DEFAULT, LOCALHOST,

localhostProfile

String

StorageAlert

Next available tag: 24
Field Name Required Nullable Type Description Format

id

String

policy

StoragePolicy

lifecycleStage

StorageLifecycleStage

DEPLOY, BUILD, RUNTIME,

clusterId

String

clusterName

String

namespace

String

namespaceId

String

deployment

StorageAlertDeployment

image

StorageContainerImage

resource

StorageAlertResource

violations

List of AlertViolation

For run-time phase alert, a maximum of 40 violations are retained.

processViolation

AlertProcessViolation

enforcement

AlertEnforcement

time

Date

date-time

firstOccurred

Date

date-time

resolvedAt

Date

The time at which the alert was resolved. Only set if ViolationState is RESOLVED.

date-time

state

StorageViolationState

ACTIVE, SNOOZED, RESOLVED, ATTEMPTED,

snoozeTill

Date

date-time

platformComponent

Boolean

entityType

AlertEntityType

UNSET, DEPLOYMENT, CONTAINER_IMAGE, RESOURCE,

StorageAlertDeployment

Field Name Required Nullable Type Description Format

id

String

name

String

type

String

namespace

String

This field has to be duplicated in Alert for scope management and search.

namespaceId

String

This field has to be duplicated in Alert for scope management and search.

labels

Map of string

clusterId

String

This field has to be duplicated in Alert for scope management and search.

clusterName

String

This field has to be duplicated in Alert for scope management and search.

containers

List of AlertDeploymentContainer

annotations

Map of string

inactive

Boolean

StorageAlertResource

Represents an alert on a kubernetes resource other than a deployment (configmaps, secrets, etc.)
Field Name Required Nullable Type Description Format

resourceType

AlertResourceResourceType

UNKNOWN, SECRETS, CONFIGMAPS, CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS, NETWORK_POLICIES, SECURITY_CONTEXT_CONSTRAINTS, EGRESS_FIREWALLS,

name

String

clusterId

String

This field has to be duplicated in Alert for scope management and search.

clusterName

String

This field has to be duplicated in Alert for scope management and search.

namespace

String

This field has to be duplicated in Alert for scope management and search.

namespaceId

String

This field has to be duplicated in Alert for scope management and search.

StorageBooleanOperator

Enum Values

OR

AND

StorageContainer

Field Name Required Nullable Type Description Format

id

String

config

StorageContainerConfig

image

StorageContainerImage

securityContext

StorageSecurityContext

volumes

List of StorageVolume

ports

List of StoragePortConfig

secrets

List of StorageEmbeddedSecret

resources

StorageResources

name

String

livenessProbe

StorageLivenessProbe

readinessProbe

StorageReadinessProbe

StorageContainerConfig

Field Name Required Nullable Type Description Format

env

List of ContainerConfigEnvironmentConfig

command

List of string

args

List of string

directory

String

user

String

uid

String

int64

appArmorProfile

String

StorageContainerImage

Next tag: 12
Field Name Required Nullable Type Description Format

id

String

name

StorageImageName

notPullable

Boolean

isClusterLocal

Boolean

StorageDeployment

Next available tag: 36
Field Name Required Nullable Type Description Format

id

String

name

String

hash

String

uint64

type

String

namespace

String

namespaceId

String

orchestratorComponent

Boolean

replicas

String

int64

labels

Map of string

podLabels

Map of string

labelSelector

StorageLabelSelector

created

Date

date-time

clusterId

String

clusterName

String

containers

List of StorageContainer

annotations

Map of string

priority

String

int64

inactive

Boolean

imagePullSecrets

List of string

serviceAccount

String

serviceAccountPermissionLevel

StoragePermissionLevel

UNSET, NONE, DEFAULT, ELEVATED_IN_NAMESPACE, ELEVATED_CLUSTER_WIDE, CLUSTER_ADMIN,

automountServiceAccountToken

Boolean

hostNetwork

Boolean

hostPid

Boolean

hostIpc

Boolean

runtimeClass

String

tolerations

List of StorageToleration

ports

List of StoragePortConfig

stateTimestamp

String

int64

riskScore

Float

float

platformComponent

Boolean

StorageEmbeddedSecret

Field Name Required Nullable Type Description Format

name

String

path

String

StorageEnforcementAction

  • FAIL_KUBE_REQUEST_ENFORCEMENT: FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events.

  • FAIL_DEPLOYMENT_CREATE_ENFORCEMENT: FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates.

  • FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT: FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.

Enum Values

UNSET_ENFORCEMENT

SCALE_TO_ZERO_ENFORCEMENT

UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT

KILL_POD_ENFORCEMENT

FAIL_BUILD_ENFORCEMENT

FAIL_KUBE_REQUEST_ENFORCEMENT

FAIL_DEPLOYMENT_CREATE_ENFORCEMENT

FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT

StorageEventSource

Enum Values

NOT_APPLICABLE

DEPLOYMENT_EVENT

AUDIT_LOG_EVENT

StorageExclusion

Field Name Required Nullable Type Description Format

name

String

deployment

StorageExclusionDeployment

image

StorageExclusionImage

expiration

Date

date-time

StorageExclusionDeployment

Field Name Required Nullable Type Description Format

name

String

scope

StorageScope

StorageExclusionImage

Field Name Required Nullable Type Description Format

name

String

StorageImageName

Field Name Required Nullable Type Description Format

registry

String

remote

String

tag

String

fullName

String

StorageL4Protocol

Enum Values

L4_PROTOCOL_UNKNOWN

L4_PROTOCOL_TCP

L4_PROTOCOL_UDP

L4_PROTOCOL_ICMP

L4_PROTOCOL_RAW

L4_PROTOCOL_SCTP

L4_PROTOCOL_ANY

StorageLabelSelector

Label selector components are joined with logical AND, see     https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Next available tag: 3

Field Name Required Nullable Type Description Format

matchLabels

Map of string

This is actually a oneof, but we can’t make it one due to backwards compatibility constraints.

requirements

List of StorageLabelSelectorRequirement

StorageLabelSelectorOperator

Enum Values

UNKNOWN

IN

NOT_IN

EXISTS

NOT_EXISTS

StorageLabelSelectorRequirement

Next available tag: 4
Field Name Required Nullable Type Description Format

key

String

op

StorageLabelSelectorOperator

UNKNOWN, IN, NOT_IN, EXISTS, NOT_EXISTS,

values

List of string

StorageLifecycleStage

Enum Values

DEPLOY

BUILD

RUNTIME

StorageLivenessProbe

Field Name Required Nullable Type Description Format

defined

Boolean

StorageNetworkEntityInfoType

  • INTERNAL_ENTITIES: INTERNAL_ENTITIES is for grouping all internal entities under a single network graph node

Enum Values

UNKNOWN_TYPE

DEPLOYMENT

INTERNET

LISTEN_ENDPOINT

EXTERNAL_SOURCE

INTERNAL_ENTITIES

StoragePermissionLevel

For any update to PermissionLevel, also update: - pkg/searchbasedpolicies/builders/k8s_rbac.go - ui/src/messages/common.js
Enum Values

UNSET

NONE

DEFAULT

ELEVATED_IN_NAMESPACE

ELEVATED_CLUSTER_WIDE

CLUSTER_ADMIN

StoragePolicy

Next tag: 28
Field Name Required Nullable Type Description Format

id

String

name

String

Name of the policy. Must be unique.

description

String

Free-form text description of this policy.

rationale

String

remediation

String

Describes how to remediate a violation of this policy.

disabled

Boolean

Toggles whether or not this policy will be executing and actively firing alerts.

categories

List of string

List of categories that this policy falls under. Category names must already exist in Central.

lifecycleStages

List of StorageLifecycleStage

Describes which policy lifecylce stages this policy applies to. Choices are DEPLOY, BUILD, and RUNTIME.

eventSource

StorageEventSource

NOT_APPLICABLE, DEPLOYMENT_EVENT, AUDIT_LOG_EVENT,

exclusions

List of StorageExclusion

Define deployments or images that should be excluded from this policy.

scope

List of StorageScope

Defines clusters, namespaces, and deployments that should be included in this policy. No scopes defined includes everything.

severity

StorageSeverity

UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY,

enforcementActions

List of StorageEnforcementAction

FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates/updates. FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates. Lists the enforcement actions to take when a violation from this policy is identified. Possible value are UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, and. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT.

notifiers

List of string

List of IDs of the notifiers that should be triggered when a violation from this policy is identified. IDs should be in the form of a UUID and are found through the Central API.

lastUpdated

Date

date-time

SORTName

String

For internal use only.

SORTLifecycleStage

String

For internal use only.

SORTEnforcement

Boolean

For internal use only.

policyVersion

String

policySections

List of StoragePolicySection

PolicySections define the violation criteria for this policy.

mitreAttackVectors

List of PolicyMitreAttackVectors

criteriaLocked

Boolean

Read-only field. If true, the policy’s criteria fields are rendered read-only.

mitreVectorsLocked

Boolean

Read-only field. If true, the policy’s MITRE ATT&CK fields are rendered read-only.

isDefault

Boolean

Read-only field. Indicates the policy is a default policy if true and a custom policy if false.

source

StoragePolicySource

IMPERATIVE, DECLARATIVE,

StoragePolicyGroup

Field Name Required Nullable Type Description Format

fieldName

String

Defines which field on a deployment or image this PolicyGroup evaluates. See https://docs.openshift.com/acs/operating/manage-security-policies.html#policy-criteria_manage-security-policies for a complete list of possible values.

booleanOperator

StorageBooleanOperator

OR, AND,

negate

Boolean

Determines if the evaluation of this PolicyGroup is negated. Default to false.

values

List of StoragePolicyValue

StoragePolicySection

Field Name Required Nullable Type Description Format

sectionName

String

policyGroups

List of StoragePolicyGroup

The set of policies groups that make up this section. Each group can be considered an individual criterion.

StoragePolicySource

Enum Values

IMPERATIVE

DECLARATIVE

StoragePolicyValue

Field Name Required Nullable Type Description Format

value

String

StoragePortConfig

Next Available Tag: 6
Field Name Required Nullable Type Description Format

name

String

containerPort

Integer

int32

protocol

String

exposure

PortConfigExposureLevel

UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE,

exposedPort

Integer

int32

exposureInfos

List of PortConfigExposureInfo

StorageProcessIndicator

Next available tag: 13
Field Name Required Nullable Type Description Format

id

String

deploymentId

String

containerName

String

podId

String

podUid

String

signal

StorageProcessSignal

clusterId

String

namespace

String

containerStartTime

Date

date-time

imageId

String

StorageProcessSignal

Field Name Required Nullable Type Description Format

id

String

A unique UUID for identifying the message We have this here instead of at the top level because we want to have each message to be self contained.

containerId

String

time

Date

date-time

name

String

args

String

execFilePath

String

pid

Long

int64

uid

Long

int64

gid

Long

int64

lineage

List of string

scraped

Boolean

lineageInfo

List of ProcessSignalLineageInfo

StorageReadinessProbe

Field Name Required Nullable Type Description Format

defined

Boolean

StorageResources

Field Name Required Nullable Type Description Format

cpuCoresRequest

Float

float

cpuCoresLimit

Float

float

memoryMbRequest

Float

float

memoryMbLimit

Float

float

StorageScope

Field Name Required Nullable Type Description Format

cluster

String

namespace

String

label

StorageScopeLabel

StorageScopeLabel

Field Name Required Nullable Type Description Format

key

String

value

String

StorageSecurityContext

Field Name Required Nullable Type Description Format

privileged

Boolean

selinux

SecurityContextSELinux

dropCapabilities

List of string

addCapabilities

List of string

readOnlyRootFilesystem

Boolean

seccompProfile

SecurityContextSeccompProfile

allowPrivilegeEscalation

Boolean

StorageSeverity

Enum Values

UNSET_SEVERITY

LOW_SEVERITY

MEDIUM_SEVERITY

HIGH_SEVERITY

CRITICAL_SEVERITY

StorageTaintEffect

Enum Values

UNKNOWN_TAINT_EFFECT

NO_SCHEDULE_TAINT_EFFECT

PREFER_NO_SCHEDULE_TAINT_EFFECT

NO_EXECUTE_TAINT_EFFECT

StorageToleration

Field Name Required Nullable Type Description Format

key

String

operator

StorageTolerationOperator

TOLERATION_OPERATION_UNKNOWN, TOLERATION_OPERATOR_EXISTS, TOLERATION_OPERATOR_EQUAL,

value

String

taintEffect

StorageTaintEffect

UNKNOWN_TAINT_EFFECT, NO_SCHEDULE_TAINT_EFFECT, PREFER_NO_SCHEDULE_TAINT_EFFECT, NO_EXECUTE_TAINT_EFFECT,

StorageTolerationOperator

Enum Values

TOLERATION_OPERATION_UNKNOWN

TOLERATION_OPERATOR_EXISTS

TOLERATION_OPERATOR_EQUAL

StorageViolationState

Enum Values

ACTIVE

SNOOZED

RESOLVED

ATTEMPTED

StorageVolume

Field Name Required Nullable Type Description Format

name

String

source

String

destination

String

readOnly

Boolean

type

String

mountPropagation

VolumeMountPropagation

NONE, HOST_TO_CONTAINER, BIDIRECTIONAL,

V1DeployDetectionRemark

Field Name Required Nullable Type Description Format

name

String

permissionLevel

String

appliedNetworkPolicies

List of string

V1DeployDetectionRequest

Field Name Required Nullable Type Description Format

deployment

StorageDeployment

noExternalMetadata

Boolean

enforcementOnly

Boolean

clusterId

String

V1DeployDetectionResponse

Field Name Required Nullable Type Description Format

runs

List of DeployDetectionResponseRun

ignoredObjectRefs

List of string

The reference will be in the format: namespace/name[<group>/<version>, Kind=<kind>].

remarks

List of V1DeployDetectionRemark

ViolationKeyValueAttrs

Field Name Required Nullable Type Description Format

attrs

List of KeyValueAttrsKeyValueAttr

ViolationNetworkFlowInfo

Field Name Required Nullable Type Description Format

protocol

StorageL4Protocol

L4_PROTOCOL_UNKNOWN, L4_PROTOCOL_TCP, L4_PROTOCOL_UDP, L4_PROTOCOL_ICMP, L4_PROTOCOL_RAW, L4_PROTOCOL_SCTP, L4_PROTOCOL_ANY,

source

NetworkFlowInfoEntity

destination

NetworkFlowInfoEntity

VolumeMountPropagation

Enum Values

NONE

HOST_TO_CONTAINER

BIDIRECTIONAL