1// Copyright 2023 Google LLC
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
syntax = "proto3";

package google.cloud.binaryauthorization.v1beta1;

import "google/protobuf/timestamp.proto";

// Language-specific code generation options. The namespace/package options
// are part of the published surface of this API: changing one of them
// renames the generated types for every client of that language, even though
// the wire format is unaffected.
option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.BinaryAuthorization.V1Beta1";
option go_package = "cloud.google.com/go/binaryauthorization/apiv1beta1/binaryauthorizationpb;binaryauthorizationpb";
option java_multiple_files = true;
option java_outer_classname = "ContinuousValidationLoggingProto";
option java_package = "com.google.cloud.binaryauthorization.v1beta1";
option php_namespace = "Google\\Cloud\\BinaryAuthorization\\V1beta1";
option ruby_package = "Google::Cloud::BinaryAuthorization::V1beta1";
29
// Represents an auditing event from Continuous Validation (CV).
//
// Exactly one member of the `event_type` oneof is set per event. Consumers
// should branch on which member is present, and on the enum fields inside it,
// rather than on the free-text description fields, and should tolerate
// members and enum values added in later revisions of this API.
message ContinuousValidationEvent {
  // An auditing event for one Pod.
  message ContinuousValidationPodEvent {
    // Audit time policy conformance verdict.
    //
    // Only a violation verdict is defined. This schema does not say whether a
    // conforming Pod produces an event at all -- confirm against the CV
    // documentation before treating the absence of events as a positive
    // signal.
    enum PolicyConformanceVerdict {
      // We should always have a verdict. This is an error.
      POLICY_CONFORMANCE_VERDICT_UNSPECIFIED = 0;

      // The pod violates the policy.
      //
      // NOTE(review): the value names in this file lack the enum-name prefix
      // that lint recommends. Renaming them now would change the JSON
      // encoding and the generated accessors of a published API, so they are
      // left as they are.
      VIOLATES_POLICY = 1;
    }

    // Container image with auditing details.
    message ImageDetails {
      // The container type.
      enum ContainerType {
        // The container type should always be specified. This is an error.
        CONTAINER_TYPE_UNSPECIFIED = 0;

        // A regular (application) container, as opposed to an init or
        // ephemeral container.
        CONTAINER = 1;

        // Init container defined as specified at
        // https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
        INIT_CONTAINER = 2;

        // Ephemeral container defined as specified at
        // https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/
        EPHEMERAL_CONTAINER = 3;
      }

      // Result of the audit.
      enum AuditResult {
        // Unspecified result. This is an error.
        AUDIT_RESULT_UNSPECIFIED = 0;

        // Image is allowed.
        ALLOW = 1;

        // Image is denied.
        DENY = 2;
      }

      // The outcome of evaluating one check, from one check set, against this
      // image. The per-image outcome is carried in `ImageDetails.result`; how
      // the individual check verdicts combine into it is not defined by this
      // schema.
      message CheckResult {
        // A scope specifier for check sets.
        message CheckSetScope {
          // At most one scope is set. What a check set with no scope set
          // applies to is not defined here -- presumably all Pods; confirm.
          oneof scope {
            // Matches a single Kubernetes service account, e.g.
            // 'my-namespace:my-service-account'.
            // `kubernetes_service_account` scope is always more specific than
            // `kubernetes_namespace` scope for the same namespace.
            string kubernetes_service_account = 1;

            // Matches all Kubernetes service accounts in the provided
            // namespace, unless a more specific `kubernetes_service_account`
            // scope already matched.
            string kubernetes_namespace = 2;
          }
        }

        // Result of evaluating one check.
        //
        // Only a non-conformant verdict is defined, so an entry in
        // `check_results` presumably records a check the image failed --
        // confirm against the CV documentation.
        enum CheckVerdict {
          // We should always have a verdict. This is an error.
          CHECK_VERDICT_UNSPECIFIED = 0;

          // The check was successfully evaluated and the image did not satisfy
          // the check.
          NON_CONFORMANT = 1;
        }

        // The index of the check set. Carried as a string, not an integer;
        // treat it as an opaque identifier rather than parsing it.
        string check_set_index = 1;

        // The name of the check set.
        string check_set_name = 2;

        // The scope of the check set.
        CheckSetScope check_set_scope = 3;

        // The index of the check. Carried as a string, as with
        // `check_set_index`.
        string check_index = 4;

        // The name of the check.
        string check_name = 5;

        // The type of the check.
        string check_type = 6;

        // The verdict of this check.
        CheckVerdict verdict = 7;

        // User-friendly explanation of this check result. Intended for human
        // readers; automated consumers should key on `verdict` rather than on
        // this text, whose wording may change.
        string explanation = 8;
      }

      // The name of the image. Presumably the image reference as given in
      // the Pod spec, which may carry a tag or a digest -- confirm before
      // relying on it to identify a specific image version.
      string image = 1;

      // The name of the container.
      string container_name = 5;

      // The container type that this image belongs to.
      ContainerType container_type = 6;

      // The result of the audit for this image.
      AuditResult result = 2;

      // Human-readable description of `result`.
      string description = 3;

      // List of check results. May be empty.
      repeated CheckResult check_results = 4;
    }

    // The k8s namespace of the Pod.
    string pod_namespace = 7;

    // The name of the Pod.
    string pod = 1;

    // The name of the policy.
    string policy_name = 8;

    // Deploy time of the Pod from k8s.
    google.protobuf.Timestamp deploy_time = 2;

    // Termination time of the Pod from k8s. Unset while the Pod is still
    // running: check the field's presence rather than comparing it against a
    // zero Timestamp.
    google.protobuf.Timestamp end_time = 3;

    // Auditing verdict for this Pod.
    PolicyConformanceVerdict verdict = 4;

    // List of images with auditing details.
    repeated ImageDetails images = 5;
  }

  // An event describing a user-actionable configuration issue that prevents CV
  // from auditing.
  //
  // Because the issue prevents auditing, this event marks a gap in audit
  // coverage; it is worth surfacing rather than dropping.
  message ConfigErrorEvent {
    // A description of the issue.
    string description = 1;
  }

  // Type of CV event. Exactly one member is set.
  //
  // NOTE(review): numbers 2 and 3 are unused in this oneof and not declared
  // `reserved`; if they were ever assigned in an earlier revision they should
  // be reserved before the numbers are reused.
  oneof event_type {
    // Pod event.
    ContinuousValidationPodEvent pod_event = 1;

    // Config error event.
    ConfigErrorEvent config_error_event = 4;
  }
}