-
Notifications
You must be signed in to change notification settings - Fork 2.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Added container field to findings attributes
feat: Added kubernetes field to findings attribute. This field is populated only when the container is a kubernetes cluster explicitly PiperOrigin-RevId: 462248767
- Loading branch information
Google APIs
authored and
Copybara-Service
committed
Jul 20, 2022
1 parent
19cfbec
commit dd2b0d2
Showing
6 changed files
with
276 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| // Copyright 2022 Google LLC | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| syntax = "proto3"; | ||
|
|
||
| package google.cloud.securitycenter.v1; | ||
|
|
||
| import "google/cloud/securitycenter/v1/label.proto"; | ||
|
|
||
| option csharp_namespace = "Google.Cloud.SecurityCenter.V1"; | ||
| option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter"; | ||
| option java_multiple_files = true; | ||
| option java_outer_classname = "ContainerProto"; | ||
| option java_package = "com.google.cloud.securitycenter.v1"; | ||
| option php_namespace = "Google\\Cloud\\SecurityCenter\\V1"; | ||
| option ruby_package = "Google::Cloud::SecurityCenter::V1"; | ||
|
|
||
| // Container associated with the finding. | ||
| message Container { | ||
| // Container name. | ||
| string name = 1; | ||
|
|
||
| // Container image URI provided when configuring a pod/container. | ||
| // May identify a container image version using mutable tags. | ||
| string uri = 2; | ||
|
|
||
| // Optional container image id, when provided by the container runtime. | ||
| // Uniquely identifies the container image launched using a container image | ||
| // digest. | ||
| string image_id = 3; | ||
|
|
||
| // Container labels, as provided by the container runtime. | ||
| repeated Label labels = 4; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,181 @@ | ||
| // Copyright 2022 Google LLC | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| syntax = "proto3"; | ||
|
|
||
| package google.cloud.securitycenter.v1; | ||
|
|
||
| import "google/cloud/securitycenter/v1/container.proto"; | ||
| import "google/cloud/securitycenter/v1/label.proto"; | ||
|
|
||
| option csharp_namespace = "Google.Cloud.SecurityCenter.V1"; | ||
| option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter"; | ||
| option java_multiple_files = true; | ||
| option java_outer_classname = "KubernetesProto"; | ||
| option java_package = "com.google.cloud.securitycenter.v1"; | ||
| option php_namespace = "Google\\Cloud\\SecurityCenter\\V1"; | ||
| option ruby_package = "Google::Cloud::SecurityCenter::V1"; | ||
|
|
||
| // Kubernetes related attributes. | ||
| message Kubernetes { | ||
| // Kubernetes Pod. | ||
| message Pod { | ||
| // Kubernetes Pod namespace. | ||
| string ns = 1; | ||
|
|
||
| // Kubernetes Pod name. | ||
| string name = 2; | ||
|
|
||
| // Pod labels. For Kubernetes containers, these are applied to the | ||
| // container. | ||
| repeated Label labels = 3; | ||
|
|
||
| // Pod containers associated with this finding, if any. | ||
| repeated Container containers = 4; | ||
| } | ||
|
|
||
| // Kubernetes Nodes associated with the finding. | ||
| message Node { | ||
| // Full Resource name of the Compute Engine VM running the | ||
| // cluster node. | ||
| string name = 1; | ||
| } | ||
|
|
||
| // Provides GKE Node Pool information. | ||
| message NodePool { | ||
| // Kubernetes Node pool name. | ||
| string name = 1; | ||
|
|
||
| // Nodes associated with the finding. | ||
| repeated Node nodes = 2; | ||
| } | ||
|
|
||
| // Kubernetes Role or ClusterRole. | ||
| message Role { | ||
| // Types of Kubernetes roles. | ||
| enum Kind { | ||
| // Role type is not specified. | ||
| KIND_UNSPECIFIED = 0; | ||
|
|
||
| // Kubernetes Role. | ||
| ROLE = 1; | ||
|
|
||
| // Kubernetes ClusterRole. | ||
| CLUSTER_ROLE = 2; | ||
| } | ||
|
|
||
| // Role type. | ||
| Kind kind = 1; | ||
|
|
||
| // Role namespace. | ||
| string ns = 2; | ||
|
|
||
| // Role name. | ||
| string name = 3; | ||
| } | ||
|
|
||
| // Represents a Kubernetes RoleBinding or ClusterRoleBinding. | ||
| message Binding { | ||
| // Namespace for binding. | ||
| string ns = 1; | ||
|
|
||
| // Name for binding. | ||
| string name = 2; | ||
|
|
||
| // The Role or ClusterRole referenced by the binding. | ||
| Role role = 3; | ||
|
|
||
| // Represents the subjects(s) bound to the role. Not always available | ||
| // for PATCH requests. | ||
| repeated Subject subjects = 4; | ||
| } | ||
|
|
||
| // Represents a Kubernetes Subject. | ||
| message Subject { | ||
| // Auth types that can be used for Subject's kind field. | ||
| enum AuthType { | ||
| // Authentication is not specified. | ||
| AUTH_TYPE_UNSPECIFIED = 0; | ||
|
|
||
| // User with valid certificate. | ||
| USER = 1; | ||
|
|
||
| // Users managed by Kubernetes API with credentials stored as Secrets. | ||
| SERVICEACCOUNT = 2; | ||
|
|
||
| // Collection of users. | ||
| GROUP = 3; | ||
| } | ||
|
|
||
| // Authentication type for subject. | ||
| AuthType kind = 1; | ||
|
|
||
| // Namespace for subject. | ||
| string ns = 2; | ||
|
|
||
| // Name for subject. | ||
| string name = 3; | ||
| } | ||
|
|
||
| // Conveys information about a Kubernetes access review (e.g. kubectl auth | ||
| // can-i ...) that was involved in a finding. | ||
| message AccessReview { | ||
| // Group is the API Group of the Resource. "*" means all. | ||
| string group = 1; | ||
|
|
||
| // Namespace of the action being requested. Currently, there is no | ||
| // distinction between no namespace and all namespaces. Both | ||
| // are represented by "" (empty). | ||
| string ns = 2; | ||
|
|
||
| // Name is the name of the resource being requested. Empty means all. | ||
| string name = 3; | ||
|
|
||
| // Resource is the optional resource type requested. "*" means all. | ||
| string resource = 4; | ||
|
|
||
| // Subresource is the optional subresource type. | ||
| string subresource = 5; | ||
|
|
||
| // Verb is a Kubernetes resource API verb, like: get, list, watch, create, | ||
| // update, delete, proxy. "*" means all. | ||
| string verb = 6; | ||
|
|
||
| // Version is the API Version of the Resource. "*" means all. | ||
| string version = 7; | ||
| } | ||
|
|
||
| // Kubernetes Pods associated with the finding. This field will contain Pod | ||
| // records for each container that is owned by a Pod. | ||
| repeated Pod pods = 1; | ||
|
|
||
| // Provides Kubernetes Node information. | ||
| repeated Node nodes = 2; | ||
|
|
||
| // GKE Node Pools associated with the finding. This field will | ||
| // contain NodePool information for each Node, when it is available. | ||
| repeated NodePool node_pools = 3; | ||
|
|
||
| // Provides Kubernetes role information for findings that involve | ||
| // Roles or ClusterRoles. | ||
| repeated Role roles = 4; | ||
|
|
||
| // Provides Kubernetes role binding information for findings that involve | ||
| // RoleBindings or ClusterRoleBindings. | ||
| repeated Binding bindings = 5; | ||
|
|
||
| // Provides information on any Kubernetes access reviews (i.e. privilege | ||
| // checks) relevant to the finding. | ||
| repeated AccessReview access_reviews = 6; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| // Copyright 2022 Google LLC | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| syntax = "proto3"; | ||
|
|
||
| package google.cloud.securitycenter.v1; | ||
|
|
||
| option csharp_namespace = "Google.Cloud.SecurityCenter.V1"; | ||
| option go_package = "google.golang.org/genproto/googleapis/cloud/securitycenter/v1;securitycenter"; | ||
| option java_multiple_files = true; | ||
| option java_outer_classname = "LabelProto"; | ||
| option java_package = "com.google.cloud.securitycenter.v1"; | ||
| option php_namespace = "Google\\Cloud\\SecurityCenter\\V1"; | ||
| option ruby_package = "Google::Cloud::SecurityCenter::V1"; | ||
|
|
||
| // Label represents a generic name=value label. Label has separate name and | ||
| // value fields to support filtering with contains(). | ||
| message Label { | ||
| // Label name. | ||
| string name = 1; | ||
|
|
||
| // Label value. | ||
| string value = 2; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters