diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index b6b62cee..7d5bd781 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -55,6 +55,8 @@ jobs: ROX_PASSWORD=$(cat stackrox/deploy/k8s/central-deploy/password) echo "::add-mask::$ROX_PASSWORD" echo "ROX_PASSWORD=$ROX_PASSWORD" >> $GITHUB_ENV + - name: Wait for scanner to start + run: sleep 120 - name: Add stackrox certificate run: scripts/set-certificates.sh - name: Run tests diff --git a/stackrox-container-image-scanner/api.yaml b/stackrox-container-image-scanner/api.yaml index cb7a5dad..66553f70 100644 --- a/stackrox-container-image-scanner/api.yaml +++ b/stackrox-container-image-scanner/api.yaml 
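Review bot: `run: sleep 120` is a fixed delay rather than a readiness check, so the job still proceeds if the scanner is not up after two minutes and always spends the full two minutes when it is up sooner. A bounded wait on the workload's own status fails fast and documents what is being waited for, e.g. `run: kubectl -n <SCANNER_NAMESPACE> rollout status deploy/<SCANNER_DEPLOYMENT> --timeout=300s` (placeholders to fill in; which resource and namespace the scanner runs in is not visible in this hunk). If a plain delay has to stay, a comment on the step naming what the 120 seconds are covering would help whoever has to tune it later. The surrounding steps list continues outside the hunk.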
@@ -3,12 +3,313 @@ info: title: API Reference version: '1' description: API reference for the StackRox Security Platform - contact: - email: support@stackrox.com - license: - name: All Rights Reserved - url: https://www.stackrox.com/ paths: + /v1/administration/events: + get: + summary: >- + ListAdministrationEvents returns the list of events after filtered by + requested fields. + operationId: AdministrationEventService_ListAdministrationEvents + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ListAdministrationEventsResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + - name: filter.from + description: >- + Matches events with last_occurred_at after a specific timestamp, + i.e. the lower boundary. + in: query + required: false + schema: + type: string + format: date-time + - name: filter.until + description: >- + Matches events with last_occurred_at before a specific timestamp, + i.e. the upper boundary. + in: query + required: false + schema: + type: string + format: date-time + - name: filter.domain + description: Matches events from a specific domain. 
+ in: query + required: false + explode: true + schema: + type: array + items: + type: string + - name: filter.resourceType + description: Matches events associated with a specific resource type. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + - name: filter.type + description: Matches events based on their type. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - ADMINISTRATION_EVENT_TYPE_UNKNOWN + - ADMINISTRATION_EVENT_TYPE_GENERIC + - ADMINISTRATION_EVENT_TYPE_LOG_MESSAGE + - name: filter.level + description: Matches events based on their level. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - ADMINISTRATION_EVENT_LEVEL_UNKNOWN + - ADMINISTRATION_EVENT_LEVEL_INFO + - ADMINISTRATION_EVENT_LEVEL_SUCCESS + - ADMINISTRATION_EVENT_LEVEL_WARNING + - ADMINISTRATION_EVENT_LEVEL_ERROR + tags: + - AdministrationEventService + /v1/administration/events/{id}: + get: + summary: GetAdministrationEvent retrieves an event by ID. + operationId: AdministrationEventService_GetAdministrationEvent + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetAdministrationEventResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - AdministrationEventService + /v1/count/administration/events: + get: + summary: >- + CountAdministrationEvents returns the number of events after filtering + by requested fields. + operationId: AdministrationEventService_CountAdministrationEvents + responses: + '200': + description: A successful response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/v1CountAdministrationEventsResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: filter.from + description: >- + Matches events with last_occurred_at after a specific timestamp, + i.e. the lower boundary. + in: query + required: false + schema: + type: string + format: date-time + - name: filter.until + description: >- + Matches events with last_occurred_at before a specific timestamp, + i.e. the upper boundary. + in: query + required: false + schema: + type: string + format: date-time + - name: filter.domain + description: Matches events from a specific domain. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + - name: filter.resourceType + description: Matches events associated with a specific resource type. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + - name: filter.type + description: Matches events based on their type. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - ADMINISTRATION_EVENT_TYPE_UNKNOWN + - ADMINISTRATION_EVENT_TYPE_GENERIC + - ADMINISTRATION_EVENT_TYPE_LOG_MESSAGE + - name: filter.level + description: Matches events based on their level. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - ADMINISTRATION_EVENT_LEVEL_UNKNOWN + - ADMINISTRATION_EVENT_LEVEL_INFO + - ADMINISTRATION_EVENT_LEVEL_SUCCESS + - ADMINISTRATION_EVENT_LEVEL_WARNING + - ADMINISTRATION_EVENT_LEVEL_ERROR + tags: + - AdministrationEventService + /v1/administration/usage/secured-units/current: + get: + summary: |- + GetCurrentSecuredUnitsUsage returns the current secured units usage + metrics values. 
+ description: >- + The secured units metrics are collected from all connected clusters + every + + 5 minutes, so the returned result includes data for the connected + + clusters accurate to about these 5 minutes, and potentially some + outdated + + data for the disconnected clusters. + operationId: AdministrationUsageService_GetCurrentSecuredUnitsUsage + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1SecuredUnitsUsageResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - AdministrationUsageService + /v1/administration/usage/secured-units/max: + get: + summary: |- + GetMaxSecuredUnitsUsage returns the maximum, i.e. peak, secured units + usage observed during a given time range, together with the time when + this maximum was aggregated and stored. + description: |- + The usage metrics are continuously collected from all the connected + clusters. The maximum values are kept for some period of time in memory, + and then, periodically, are stored to the database. + The last data from disconnected clusters are taken into account. + operationId: AdministrationUsageService_GetMaxSecuredUnitsUsage + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1MaxSecuredUnitsUsageResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: from + in: query + required: false + schema: + type: string + format: date-time + - name: to + in: query + required: false + schema: + type: string + format: date-time + tags: + - AdministrationUsageService /v1/alerts: get: summary: List returns the slim list version of the alerts. 
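Review bot: The folded description on `/v1/administration/usage/secured-units/current` has blank lines in the middle of sentences (`every` / `5 minutes`, `connected` / `clusters`, `some outdated` / `data`); in a `>-` scalar each blank line becomes a literal newline, so the rendered text breaks mid-sentence. The same pattern appears in the `/v1/auth/m2m/exchange` summary in a later hunk. The operationId style suggests this file is generated from service definitions, so the fix likely belongs in the source comments or the generator rather than by hand here; either way each description should be a single folded paragraph with no blank lines. Separately, this hunk drops the `contact` and `license` entries from `info`; if that is intentional it is worth a line in the commit description.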
@@ -25,7 +326,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: query in: query @@ -54,6 +355,22 @@ paths: required: false schema: type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - AlertService delete: @@ -70,7 +387,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: query.query in: query @@ -99,6 +416,22 @@ paths: required: false schema: type: boolean + - name: query.pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: query.pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean - name: confirm in: query required: false @@ -122,7 +455,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: @@ -133,7 +466,9 @@ paths: - AlertService /v1/alerts/summary/counts: get: - summary: GetAlertsCounts returns the number of alerts in the requested cluster or category. + summary: >- + GetAlertsCounts returns the number of alerts in the requested cluster or + category. operationId: AlertService_GetAlertsCounts responses: '200': @@ -147,7 +482,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: request.query in: query 
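Review bot: Every error response in this hunk, and in the matching hunks on the following lines down to `/v1/centralhealth/upgradestatus`, is repointed from `runtimeError` to `googlerpcStatus`; that ref is only valid if `components.schemas.googlerpcStatus` is defined, which is outside this view (presumably in the components hunk at the end of the diff) and is worth confirming before merging. If `runtimeError` remains defined in components after this change it becomes an unreferenced schema and should be removed in the same commit. The new `pagination.sortOption.aggregateBy.aggrFunc` parameter repeats the same enum block on every list endpoint; if this file is hand-maintained, a shared `components.parameters` entry would keep the enum values in one place.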
@@ -176,6 +511,22 @@ paths: required: false schema: type: boolean + - name: request.pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: request.pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean - name: groupBy in: query required: false @@ -204,7 +555,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: query in: query @@ -233,6 +584,22 @@ paths: required: false schema: type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - AlertService /v1/alerts/summary/timeseries: @@ -251,7 +618,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: query in: query @@ -280,6 +647,22 @@ paths: required: false schema: type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - AlertService /v1/alerts/{id}: @@ -298,7 +681,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -323,7 +706,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
@@ -334,38 +717,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/v1ResolveAlertRequest' - required: true - tags: - - AlertService - /v1/alerts/{id}/snooze: - patch: - summary: SnoozeAlert is deprecated. - operationId: AlertService_SnoozeAlert - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1Empty' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1SnoozeAlertRequest' + $ref: '#/components/schemas/AlertServiceResolveAlertBody' required: true tags: - AlertService @@ -385,7 +737,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: query in: query @@ -414,6 +766,22 @@ paths: required: false schema: type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - AlertService /v1/apitokens: @@ -432,7 +800,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: revoked in: query @@ -457,7 +825,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: 
@@ -466,6 +834,27 @@ paths: required: true tags: - APITokenService + /v1/apitokens/generate/allowed-roles: + get: + summary: >- + GetAllowedTokenRoles return roles that user is allowed to request for + API token. + operationId: APITokenService_ListAllowedTokenRoles + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ListAllowedTokenRolesResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - APITokenService /v1/apitokens/revoke/{id}: patch: summary: RevokeToken removes the API token for a given id. @@ -482,7 +871,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -507,7 +896,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
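Review bot: The new `/v1/apitokens/generate/allowed-roles` operation is summarised as `GetAllowedTokenRoles` while its operationId is `APITokenService_ListAllowedTokenRoles`; one of the two is out of date, and generated clients expose the operationId name, so the summary should read `ListAllowedTokenRoles returns the roles the caller is allowed to request for an API token.` The summary is also the only place the spec says the result is scoped to the requesting user; since the set of roles a caller may mint tokens for is an authorization boundary, a `description` stating that explicitly would help API consumers and anyone auditing token issuance.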
@@ -516,6 +905,200 @@ paths: type: string tags: - APITokenService + /v1/auth/m2m: + get: + summary: >- + ListAuthMachineToMachineConfigs lists the available auth machine to + machine configs. + operationId: AuthService_ListAuthMachineToMachineConfigs + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ListAuthMachineToMachineConfigResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - AuthService + post: + summary: >- + AddAuthMachineToMachineConfig creates a new auth machine to machine + config. + operationId: AuthService_AddAuthMachineToMachineConfig + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1AddAuthMachineToMachineConfigResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1AddAuthMachineToMachineConfigRequest' + required: true + tags: + - AuthService + /v1/auth/m2m/exchange: + post: + summary: >- + ExchangeAuthMachineToMachineToken exchanges a given identity token for a + Central access token based on + + configured auth machine to machine configs. + operationId: AuthService_ExchangeAuthMachineToMachineToken + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: >- + #/components/schemas/v1ExchangeAuthMachineToMachineTokenResponse + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1ExchangeAuthMachineToMachineTokenRequest' + required: true + tags: + - AuthService + /v1/auth/m2m/{config.id}: + put: + summary: >- + UpdateAuthMachineToMachineConfig updates an existing auth machine to + machine config. + + In case the auth machine to machine config does not exist, a new one + will be created. + operationId: AuthService_UpdateAuthMachineToMachineConfig + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: config.id + description: >- + UUID of the config. + + Note that when adding a machine to machine config, this field should + not be set. + in: path + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/AuthServiceUpdateAuthMachineToMachineConfigBody + required: true + tags: + - AuthService + /v1/auth/m2m/{id}: + get: + summary: >- + GetAuthMachineToMachineConfig retrieves the specific auth machine to + machine config. + operationId: AuthService_GetAuthMachineToMachineConfig + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetAuthMachineToMachineConfigResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - AuthService + delete: + summary: >- + DeleteAuthMachineToMachineConfig deletes the specific auth machine to + machine config. 
+ + In case a specified auth machine to machine config does not exist is + deleted, no error will be returned. + operationId: AuthService_DeleteAuthMachineToMachineConfig + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - AuthService + /v1/auth/status: + get: + summary: GetAuthStatus returns the status for the current client. + operationId: AuthService_GetAuthStatus + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1AuthStatus' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - AuthService /v1/authProviders: get: operationId: AuthProviderService_GetAuthProviders @@ -531,7 +1114,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: name in: query @@ -559,9 +1142,13 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: - $ref: '#/components/requestBodies/storageAuthProvider' + content: + application/json: + schema: + $ref: '#/components/schemas/storageAuthProvider' + required: true tags: - AuthProviderService /v1/authProviders/exchangeToken: @@ -579,7 +1166,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: 
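Review bot: The `config.id` path parameter on `put /v1/auth/m2m/{config.id}` is declared `in: path`, `required: true`, yet its description says the field `should not be set` when adding a config; that sentence belongs to the create request (`post /v1/auth/m2m`, presumably where the same field appears in the body) and contradicts the path-parameter declaration, so on this operation it should read `UUID of the config to update; if no config with this id exists, a new one is created.` Two other pieces of new text in the hunk read badly: the delete summary's second sentence (`In case a specified ... does not exist is deleted, no error will be returned.`) should be `Deleting a config that does not exist returns no error.`, and the exchange summary has a blank line between `based on` and `configured`, which a `>-` scalar renders as a mid-sentence newline. If the file is generated from proto comments, these fixes belong upstream of the generator.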
@@ -603,7 +1190,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -626,13 +1213,18 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path required: true schema: type: string + - name: force + in: query + required: false + schema: + type: boolean tags: - AuthProviderService put: @@ -649,7 +1241,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -657,7 +1249,11 @@ paths: schema: type: string requestBody: - $ref: '#/components/requestBodies/storageAuthProvider' + content: + application/json: + schema: + $ref: '#/components/schemas/AuthProviderServicePutAuthProviderBody' + required: true tags: - AuthProviderService patch: @@ -674,7 +1270,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -685,7 +1281,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/v1UpdateAuthProviderRequest' + $ref: '#/components/schemas/AuthProviderServiceUpdateAuthProviderBody' required: true tags: - AuthProviderService @@ -704,7 +1300,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' tags: - AuthProviderService /v1/login/authproviders: 
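Review bot: The `force` query parameter added to `delete /v1/authProviders/{id}` has no `description`, so the spec does not say what the flag overrides; for a destructive operation on an authentication provider that is the one thing a consumer needs to know before setting it. Presumably it bypasses a guard that otherwise refuses to delete a provider that is still in use (confirm against the service implementation), in which case something like `description: When true, deletes the auth provider even if <the guarded condition> would otherwise block the deletion.` (placeholder to fill in from the implementation) is warranted. The enclosing `delete` operation starts before this hunk.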
@@ -722,27 +1318,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' tags: - AuthProviderService - /v1/auth/status: - get: - operationId: AuthService_GetAuthStatus - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1AuthStatus' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - AuthService /v1/externalbackups: get: summary: GetExternalBackups returns all external backup configurations. @@ -759,7 +1337,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' tags: - ExternalBackupService post: @@ -777,7 +1355,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: $ref: '#/components/requestBodies/storageExternalBackup' tags: @@ -798,14 +1376,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: $ref: '#/components/requestBodies/storageExternalBackup' tags: - ExternalBackupService /v1/externalbackups/test/updated: post: - summary: TestUpdatedExternalBackup checks if the given external backup is correctly configured, with optional stored credential reconciliation. + summary: >- + TestUpdatedExternalBackup checks if the given external backup is + correctly configured, with optional stored credential reconciliation. operationId: ExternalBackupService_TestUpdatedExternalBackup responses: '200': 
@@ -819,14 +1399,20 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: - $ref: '#/components/requestBodies/v1UpdateExternalBackupRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/v1UpdateExternalBackupRequest' + required: true tags: - ExternalBackupService /v1/externalbackups/{externalBackup.id}: patch: - summary: UpdateExternalBackup modifies a given external backup, with optional stored credential reconciliation. + summary: >- + UpdateExternalBackup modifies a given external backup, with optional + stored credential reconciliation. operationId: ExternalBackupService_UpdateExternalBackup responses: '200': @@ -840,7 +1426,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: externalBackup.id in: path @@ -848,12 +1434,19 @@ paths: schema: type: string requestBody: - $ref: '#/components/requestBodies/v1UpdateExternalBackupRequest' + content: + application/json: + schema: + $ref: >- + #/components/schemas/ExternalBackupServiceUpdateExternalBackupBody + required: true tags: - ExternalBackupService /v1/externalbackups/{id}: get: - summary: GetExternalBackup returns the external backup configuration given its ID. + summary: >- + GetExternalBackup returns the external backup configuration given its + ID. operationId: ExternalBackupService_GetExternalBackup responses: '200': @@ -867,7 +1460,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
@@ -877,7 +1470,9 @@ paths: tags: - ExternalBackupService delete: - summary: DeleteExternalBackup removes an external backup configuration given its ID. + summary: >- + DeleteExternalBackup removes an external backup configuration given its + ID. operationId: ExternalBackupService_DeleteExternalBackup responses: '200': @@ -891,7 +1486,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -901,7 +1496,9 @@ paths: tags: - ExternalBackupService post: - summary: TriggerExternalBackup initiates an external backup for the given configuration. + summary: >- + TriggerExternalBackup initiates an external backup for the given + configuration. operationId: ExternalBackupService_TriggerExternalBackup responses: '200': @@ -915,7 +1512,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -925,7 +1522,9 @@ paths: tags: - ExternalBackupService put: - summary: PutExternalBackup modifies a given external backup, without using stored credential reconciliation. + summary: >- + PutExternalBackup modifies a given external backup, without using stored + credential reconciliation. operationId: ExternalBackupService_PutExternalBackup responses: '200': @@ -939,7 +1538,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -947,7 +1546,11 @@ paths: schema: type: string requestBody: - $ref: '#/components/requestBodies/storageExternalBackup' + content: + application/json: + schema: + $ref: '#/components/schemas/ExternalBackupServicePutExternalBackupBody' + required: true tags: - ExternalBackupService /v1/centralhealth/upgradestatus: 
@@ -965,533 +1568,525 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' tags: - CentralHealthService - /v1/cluster-init/ca-config: - get: - operationId: ClusterInitService_GetCAConfig - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1GetCAConfigResponse' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - ClusterInitService - /v1/cluster-init/init-bundles: + /v1/cloud-sources: get: - operationId: ClusterInitService_GetInitBundles + summary: >- + ListCloudSources returns the list of cloud sources after filtered by + requested fields. + operationId: CloudSourcesService_ListCloudSources responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1InitBundleMetasResponse' + $ref: '#/components/schemas/v1ListCloudSourcesResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - tags: - - ClusterInitService + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + - name: filter.names + description: Matches cloud sources based on their name. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + - name: filter.types + description: Matches cloud sources based on their type. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - TYPE_UNSPECIFIED + - TYPE_PALADIN_CLOUD + - TYPE_OCM + tags: + - CloudSourcesService post: - operationId: ClusterInitService_GenerateInitBundle + summary: CreateCloudSource creates a cloud source. + operationId: CloudSourcesService_CreateCloudSource responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1InitBundleGenResponse' + $ref: '#/components/schemas/v1CreateCloudSourceResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1InitBundleGenRequest' + $ref: '#/components/schemas/v1CreateCloudSourceRequest' required: true tags: - - ClusterInitService - /v1/cluster-init/init-bundles/revoke: - patch: - summary: |- - RevokeInitBundle deletes cluster init bundle. If this operation impacts any cluster - then its ID should be included in request. - If confirm_impacted_clusters_ids does not match with current impacted clusters - then request will fail with error that includes all impacted clusters. - operationId: ClusterInitService_RevokeInitBundle + - CloudSourcesService + /v1/cloud-sources/test: + post: + summary: TestCloudSource tests a cloud source. + operationId: CloudSourcesService_TestCloudSource responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1InitBundleRevokeResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1InitBundleRevokeRequest' + $ref: '#/components/schemas/v1TestCloudSourceRequest' required: true tags: - - ClusterInitService - /v1/cluster-defaults: - get: - operationId: ClustersService_GetClusterDefaultValues + - CloudSourcesService + /v1/cloud-sources/{cloudSource.id}: + put: + summary: UpdateCloudSource creates or replaces a cloud source. + operationId: CloudSourcesService_UpdateCloudSource responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ClusterDefaultsResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: cloudSource.id + in: path + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/CloudSourcesServiceUpdateCloudSourceBody' + required: true tags: - - ClustersService - /v1/clusters: + - CloudSourcesService + /v1/cloud-sources/{id}: get: - operationId: ClustersService_GetClusters + summary: GetCloudSource retrieves a cloud source by ID. + operationId: CloudSourcesService_GetCloudSource responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ClustersList' + $ref: '#/components/schemas/v1GetCloudSourceResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query - in: query - required: false + - name: id + in: path + required: true schema: type: string tags: - - ClustersService - post: - operationId: ClustersService_PostCluster + - CloudSourcesService + delete: + summary: DeleteCloudSource removes a cloud source. + operationId: CloudSourcesService_DeleteCloudSource responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ClusterResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - $ref: '#/components/requestBodies/storageCluster' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - ClustersService - /v1/clusters-env/kernel-support-available: + - CloudSourcesService + /v1/count/cloud-sources: get: - summary: GetKernelSupportAvailable is deprecated in favor of GetClusterDefaultValues. - operationId: ClustersService_GetKernelSupportAvailable + summary: >- + CountCloudSources returns the number of cloud sources after filtering by + requested fields. + operationId: CloudSourcesService_CountCloudSources responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1KernelSupportAvailableResponse' + $ref: '#/components/schemas/v1CountCloudSourcesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: filter.names + description: Matches cloud sources based on their name. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + - name: filter.types + description: Matches cloud sources based on their type. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - TYPE_UNSPECIFIED + - TYPE_PALADIN_CLOUD + - TYPE_OCM tags: - - ClustersService - /v1/clusters/{id}: + - CloudSourcesService + /v1/cluster-init/ca-config: get: - operationId: ClustersService_GetCluster + operationId: ClusterInitService_GetCAConfig responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ClusterResponse' + $ref: '#/components/schemas/v1GetCAConfigResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - ClustersService - delete: - operationId: ClustersService_DeleteCluster + - ClusterInitService + /v1/cluster-init/crs: + get: + operationId: ClusterInitService_GetCRSs responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1CRSMetasResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - ClustersService - put: - operationId: ClustersService_PutCluster + - ClusterInitService + post: + operationId: ClusterInitService_GenerateCRS responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ClusterResponse' + $ref: '#/components/schemas/v1CRSGenResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' requestBody: - $ref: '#/components/requestBodies/storageCluster' + content: + application/json: + schema: + $ref: '#/components/schemas/v1CRSGenRequest' + required: true tags: - - ClustersService - /v1/complianceManagement/runs: + - ClusterInitService + /v1/cluster-init/crs/revoke: + patch: + summary: RevokeCRSBundle deletes cluster registration secrets. + operationId: ClusterInitService_RevokeCRS + responses: + '200': + description: A successful response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/v1CRSRevokeResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1CRSRevokeRequest' + required: true + tags: + - ClusterInitService + /v1/cluster-init/init-bundles: get: - operationId: ComplianceManagementService_GetRecentRuns + operationId: ClusterInitService_GetInitBundles responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetRecentComplianceRunsResponse' + $ref: '#/components/schemas/v1InitBundleMetasResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: clusterId - in: query - required: false - schema: - type: string - - name: standardId - in: query - required: false - schema: - type: string - - name: since - in: query - required: false - schema: - type: string - format: date-time + $ref: '#/components/schemas/googlerpcStatus' tags: - - ComplianceManagementService - /v1/compliancemanagement/runs: + - ClusterInitService post: - operationId: ComplianceManagementService_TriggerRuns + operationId: ClusterInitService_GenerateInitBundle responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1TriggerComplianceRunsResponse' + $ref: '#/components/schemas/v1InitBundleGenResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1TriggerComplianceRunsRequest' + $ref: '#/components/schemas/v1InitBundleGenRequest' required: true tags: - - ComplianceManagementService - /v1/compliancemanagement/runstatuses: - get: - operationId: ComplianceManagementService_GetRunStatuses + - ClusterInitService + /v1/cluster-init/init-bundles/revoke: + patch: + summary: >- + RevokeInitBundle deletes cluster init bundle. If this operation impacts + any cluster + + then its ID should be included in request. + + If confirm_impacted_clusters_ids does not match with current impacted + clusters + + then request will fail with error that includes all impacted clusters. + operationId: ClusterInitService_RevokeInitBundle responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetComplianceRunStatusesResponse' + $ref: '#/components/schemas/v1InitBundleRevokeResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: runIds - in: query - required: false - explode: true - schema: - type: array - items: - type: string + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1InitBundleRevokeRequest' + required: true tags: - - ComplianceManagementService - /v1/compliance/aggregatedresults: + - ClusterInitService + /v1/cluster-defaults: get: - operationId: ComplianceService_GetAggregatedResults + operationId: ClustersService_GetClusterDefaultValues responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/storageComplianceAggregationResponse' + $ref: '#/components/schemas/v1ClusterDefaultsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: groupBy - in: query - required: false - explode: true - schema: - type: array - items: - type: string - enum: - - UNKNOWN - - STANDARD - - CLUSTER - - CATEGORY - - CONTROL - - NAMESPACE - - NODE - - DEPLOYMENT - - CHECK - - name: unit - in: query - required: false - schema: - type: string - enum: - - UNKNOWN - - STANDARD - - CLUSTER - - CATEGORY - - CONTROL - - NAMESPACE - - NODE - - DEPLOYMENT - - CHECK - default: UNKNOWN - - name: where.query - in: query - required: false - schema: - type: string - - name: where.pagination.limit - in: query - required: false - schema: - type: integer - format: int32 - - name: where.pagination.offset - in: query - required: false - schema: - type: integer - format: int32 - - name: where.pagination.sortOption.field - in: query - required: false - schema: - type: string - - name: where.pagination.sortOption.reversed - in: query - required: false - schema: - type: boolean + $ref: '#/components/schemas/googlerpcStatus' tags: - - ComplianceService - /v1/compliance/results: + - ClustersService + /v1/clusters: get: - operationId: ComplianceService_GetComplianceControlResults + operationId: ClustersService_GetClusters responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ComplianceControlResultsResponse' + $ref: '#/components/schemas/v1ClustersList' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: query in: query required: false schema: type: string - - name: pagination.limit - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.offset - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.sortOption.field - in: query - required: false - schema: - type: string - - name: pagination.sortOption.reversed - in: query - required: false - schema: - type: boolean tags: - - ComplianceService - /v1/compliance/runresults: - get: - operationId: ComplianceService_GetRunResults + - ClustersService + post: + operationId: ClustersService_PostCluster responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetComplianceRunResultsResponse' + $ref: '#/components/schemas/v1ClusterResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: clusterId - in: query - required: false - schema: - type: string - - name: standardId - in: query - required: false - schema: - type: string - - name: runId - description: |- - Specifies the run ID for which to return results. If empty, the most recent run is returned. - CAVEAT: Setting this field circumvents the results cache on the server-side, which may lead to significantly - increased memory pressure and decreased performance. 
- in: query - required: false - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/storageCluster' + required: true tags: - - ComplianceService - /v1/compliance/standards: + - ClustersService + /v1/clusters-env/kernel-support-available: get: - operationId: ComplianceService_GetStandards + summary: >- + GetKernelSupportAvailable is deprecated in favor of + GetClusterDefaultValues. + operationId: ClustersService_GetKernelSupportAvailable responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetComplianceStandardsResponse' + $ref: '#/components/schemas/v1KernelSupportAvailableResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' tags: - - ComplianceService - /v1/compliance/standards/{id}: + - ClustersService + /v1/clusters/{id}: get: - operationId: ComplianceService_GetStandard + operationId: ClustersService_GetCluster responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetComplianceStandardResponse' + $ref: '#/components/schemas/v1ClusterResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
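Review bot: The new paths `/v1/cloud-sources/{cloudSource.id}` (put) and `/v1/cloud-sources/{id}` (get, delete) share one hierarchy with different template names, which OpenAPI 3 forbids as identical paths; validators will flag the document and code generators may collapse or drop one of the operations. Folding the `put` under `/v1/cloud-sources/{id}` with its path parameter renamed to `id` resolves it in the spec, though if this file is generated the fix belongs in the HTTP annotation for UpdateCloudSource; the pre-existing `/v1/externalbackups/{externalBackup.id}` / `/v1/externalbackups/{id}` pair has the same problem. Separately, the RevokeCRS summary reads `RevokeCRSBundle deletes cluster registration secrets.` while the operationId is `ClusterInitService_RevokeCRS`, and the sibling GetCRSs and GenerateCRS operations carry no summary at all. A one-line summary each (e.g. `summary: GenerateCRS creates a new cluster registration secret.`) plus the corrected name would help consumers of this credential-issuing service.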
@@ -1499,245 +2094,321 @@ paths: schema: type: string tags: - - ComplianceService - /v1/config: - get: - operationId: ConfigService_GetConfig + - ClustersService + delete: + operationId: ClustersService_DeleteCluster responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageConfig' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - ConfigService + - ClustersService put: - operationId: ConfigService_PutConfig + operationId: ClustersService_PutCluster responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageConfig' + $ref: '#/components/schemas/v1ClusterResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1PutConfigRequest' + $ref: '#/components/schemas/ClustersServicePutClusterBody' required: true tags: - - ConfigService - /v1/config/private: + - ClustersService + /v1/complianceManagement/runs: get: - operationId: ConfigService_GetPrivateConfig + operationId: ComplianceManagementService_GetRecentRuns responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storagePrivateConfig' + $ref: '#/components/schemas/v1GetRecentComplianceRunsResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: clusterId + in: query + required: false + schema: + type: string + - name: standardId + in: query + required: false + schema: + type: string + - name: since + in: query + required: false + schema: + type: string + format: date-time tags: - - ConfigService - /v1/config/public: - get: - operationId: ConfigService_GetPublicConfig + - ComplianceManagementService + /v1/compliancemanagement/runs: + post: + operationId: ComplianceManagementService_TriggerRuns responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storagePublicConfig' + $ref: '#/components/schemas/v1TriggerComplianceRunsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1TriggerComplianceRunsRequest' + required: true tags: - - ConfigService - /v1/credentialexpiry: + - ComplianceManagementService + /v1/compliancemanagement/runstatuses: get: - summary: GetCertExpiry returns information related to the expiry component mTLS certificate. - operationId: CredentialExpiryService_GetCertExpiry + operationId: ComplianceManagementService_GetRunStatuses responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetCertExpiryResponse' + $ref: '#/components/schemas/v1GetComplianceRunStatusesResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: component + - name: runIds in: query required: false + explode: true schema: - type: string - enum: - - UNKNOWN - - CENTRAL - - SCANNER - default: UNKNOWN + type: array + items: + type: string + - name: latest + in: query + required: false + schema: + type: boolean tags: - - CredentialExpiryService - /v1/cves/suppress: - patch: - summary: SuppressCVE suppresses cves. - operationId: CVEService_SuppressCVEs + - ComplianceManagementService + /v1/compliance/aggregatedresults: + get: + operationId: ComplianceService_GetAggregatedResults responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/storageComplianceAggregationResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1SuppressCVERequest' - required: true - tags: - - CVEService - /v1/cves/unsuppress: - patch: - summary: UnsuppressCVE unsuppresse s cves. - operationId: CVEService_UnsuppressCVEs - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1Empty' - default: - description: An unexpected error response. 
- content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1UnsuppressCVERequest' - required: true + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: groupBy + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - UNKNOWN + - STANDARD + - CLUSTER + - CATEGORY + - CONTROL + - NAMESPACE + - NODE + - DEPLOYMENT + - CHECK + - name: unit + in: query + required: false + schema: + type: string + enum: + - UNKNOWN + - STANDARD + - CLUSTER + - CATEGORY + - CONTROL + - NAMESPACE + - NODE + - DEPLOYMENT + - CHECK + default: UNKNOWN + - name: where.query + in: query + required: false + schema: + type: string + - name: where.pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: where.pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: where.pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: where.pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: where.pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: where.pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - CVEService - /v1/db/exportcaps: + - ComplianceService + /v1/compliance/runresults: get: - operationId: DBService_GetExportCapabilities - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1GetDBExportCapabilitiesResponse' - default: - description: An unexpected error response. 
- content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - DBService - /v1/db/interruptrestore/{processId}/{attemptId}: - post: - operationId: DBService_InterruptRestoreProcess + operationId: ComplianceService_GetRunResults responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1InterruptDBRestoreProcessResponse' + $ref: '#/components/schemas/v1GetComplianceRunResultsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: processId - in: path - required: true + - name: clusterId + in: query + required: false schema: type: string - - name: attemptId - in: path - required: true + - name: standardId + in: query + required: false + schema: + type: string + - name: runId + description: >- + Specifies the run ID for which to return results. If empty, the most + recent run is returned. + + CAVEAT: Setting this field circumvents the results cache on the + server-side, which may lead to significantly + increased memory pressure and decreased performance. + in: query + required: false schema: type: string tags: - - DBService - /v1/db/restore: + - ComplianceService + /v1/compliance/standards: get: - operationId: DBService_GetActiveRestoreProcess + operationId: ComplianceService_GetStandards responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetActiveDBRestoreProcessResponse' + $ref: '#/components/schemas/v1GetComplianceStandardsResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' tags: - - DBService - /v1/db/restore/{id}: - delete: - operationId: DBService_CancelRestoreProcess + - ComplianceService + /v1/compliance/standards/{id}: + get: + operationId: ComplianceService_GetStandard responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1GetComplianceStandardResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
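Review bot: The `latest` query parameter added to ComplianceManagementService_GetRunStatuses has no `description:`, and neither does `runIds`, so a reader cannot tell whether `latest: true` narrows the result to the most recent status per run or replaces the `runIds` filter. Add `description:` lines stating the filter semantics (presumably most-recent-per-run — confirm against the handler) and how the two parameters interact. The hunk also re-adds `/v1/complianceManagement/runs` (get) beside `/v1/compliancemanagement/runs` (post); HTTP paths are case-sensitive so these are distinct routes, but a casing-only difference between operations of one service is an easy mistake for callers and worth calling out in the descriptions if it cannot be changed without breaking clients. This looks like relocation of pre-existing lines rather than new paths.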
@@ -1745,457 +2416,320 @@ paths:
schema:
type: string
tags:
- - DBService
- /v1/debug/authz/trace:
- get:
- summary: Stream authorization traces for all incoming requests.
- operationId: DebugService_StreamAuthzTraces
+ - ComplianceService
+ patch:
+ operationId: ComplianceService_UpdateComplianceStandardConfig
responses:
'200':
- description: A successful response.(streaming responses)
+ description: A successful response.
content:
application/json:
schema:
- type: object
- properties:
- result:
- $ref: '#/components/schemas/v1AuthorizationTraceResponse'
- error:
- $ref: '#/components/schemas/runtimeStreamError'
- title: Stream result of v1AuthorizationTraceResponse
+ $ref: '#/components/schemas/v1Empty'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
+ parameters:
+ - name: id
+ in: path
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: >-
+ #/components/schemas/ComplianceServiceUpdateComplianceStandardConfigBody
+ required: true
tags:
- - DebugService
- /v1/debug/loglevel:
+ - ComplianceService
+ /v1/config:
get:
- summary: Get the current logging level for StackRox services.
- operationId: DebugService_GetLogLevel
+ operationId: ConfigService_GetConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1LogLevelResponse'
+ $ref: '#/components/schemas/storageConfig'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: modules
- in: query
- required: false
- explode: true
- schema:
- type: array
- items:
- type: string
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - DebugService
- patch:
- summary: Set logging level for StackRox services.
- operationId: DebugService_SetLogLevel
+ - ConfigService
+ put:
+ operationId: ConfigService_PutConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- properties: {}
+ $ref: '#/components/schemas/storageConfig'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/v1LogLevelRequest'
+ $ref: '#/components/schemas/v1PutConfigRequest'
required: true
tags:
- - DebugService
- /v1/deployments:
+ - ConfigService
+ /v1/config/platformcomponent:
get:
- summary: ListDeployments returns the list of deployments.
- operationId: DeploymentService_ListDeployments
+ operationId: ConfigService_GetPlatformComponentConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1ListDeploymentsResponse'
+ $ref: '#/components/schemas/storagePlatformComponentConfig'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: query
- in: query
- required: false
- schema:
- type: string
- - name: pagination.limit
- in: query
- required: false
- schema:
- type: integer
- format: int32
- - name: pagination.offset
- in: query
- required: false
- schema:
- type: integer
- format: int32
- - name: pagination.sortOption.field
- in: query
- required: false
- schema:
- type: string
- - name: pagination.sortOption.reversed
- in: query
- required: false
- schema:
- type: boolean
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - DeploymentService
- /v1/deployments/metadata/labels:
- get:
- summary: GetLabels returns the labels used by deployments.
- operationId: DeploymentService_GetLabels
+ - ConfigService
+ put:
+ operationId: ConfigService_UpdatePlatformComponentConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1DeploymentLabelsResponse'
+ $ref: '#/components/schemas/storagePlatformComponentConfig'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/v1PutPlatformComponentConfigRequest'
+ required: true
tags:
- - DeploymentService
- /v1/deployments/{id}:
+ - ConfigService
+ /v1/config/platformcomponent/rhlp/default:
get:
- summary: GetDeployment returns a deployment given its ID.
- operationId: DeploymentService_GetDeployment
+ summary: >-
+ GetDefaultRedHatLayeredProductsRegex returns a static string containing
+ the default Red Hat Layered Products regex.
+ operationId: ConfigService_GetDefaultRedHatLayeredProductsRegex
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/storageDeployment'
+ $ref: >-
+ #/components/schemas/v1GetDefaultRedHatLayeredProductsRegexResponse
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: id
- in: path
- required: true
- schema:
- type: string
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - DeploymentService
- /v1/deploymentscount:
- get:
- summary: CountDeployments returns the number of deployments.
- operationId: DeploymentService_CountDeployments
- responses:
- '200':
- description: A successful response.
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/v1CountDeploymentsResponse'
- default:
- description: An unexpected error response.
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: query
- in: query
- required: false
- schema:
- type: string
- - name: pagination.limit
- in: query
- required: false
- schema:
- type: integer
- format: int32
- - name: pagination.offset
- in: query
- required: false
- schema:
- type: integer
- format: int32
- - name: pagination.sortOption.field
- in: query
- required: false
- schema:
- type: string
- - name: pagination.sortOption.reversed
- in: query
- required: false
- schema:
- type: boolean
- tags:
- - DeploymentService
- /v1/deploymentswithprocessinfo:
+ - ConfigService
+ /v1/config/private:
get:
- summary: ListDeploymentsWithProcessInfo returns the list of deployments with process information.
- operationId: DeploymentService_ListDeploymentsWithProcessInfo
+ operationId: ConfigService_GetPrivateConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1ListDeploymentsWithProcessInfoResponse'
+ $ref: '#/components/schemas/storagePrivateConfig'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: query
- in: query
- required: false
- schema:
- type: string
- - name: pagination.limit
- in: query
- required: false
- schema:
- type: integer
- format: int32
- - name: pagination.offset
- in: query
- required: false
- schema:
- type: integer
- format: int32
- - name: pagination.sortOption.field
- in: query
- required: false
- schema:
- type: string
- - name: pagination.sortOption.reversed
- in: query
- required: false
- schema:
- type: boolean
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - DeploymentService
- /v1/deploymentswithrisk/{id}:
+ - ConfigService
+ /v1/config/private/exception/vulnerabilities:
get:
- summary: GetDeploymentWithRisk returns a deployment and its risk given its ID.
- operationId: DeploymentService_GetDeploymentWithRisk
+ operationId: ConfigService_GetVulnerabilityExceptionConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1GetDeploymentWithRiskResponse'
+ $ref: '#/components/schemas/v1GetVulnerabilityExceptionConfigResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: id
- in: path
- required: true
- schema:
- type: string
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - DeploymentService
- /v1/detect/build:
- post:
- summary: DetectBuildTime checks if any images violate build time policies.
- operationId: DetectionService_DetectBuildTime
+ - ConfigService
+ put:
+ operationId: ConfigService_UpdateVulnerabilityExceptionConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1BuildDetectionResponse'
+ $ref: >-
+ #/components/schemas/v1UpdateVulnerabilityExceptionConfigResponse
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
requestBody:
content:
application/json:
schema:
- $ref: '#/components/schemas/v1BuildDetectionRequest'
+ $ref: '#/components/schemas/v1UpdateVulnerabilityExceptionConfigRequest'
required: true
tags:
- - DetectionService
- /v1/detect/deploy:
- post:
- summary: DetectDeployTime checks if any deployments violate deploy time policies.
- operationId: DetectionService_DetectDeployTime
+ - ConfigService
+ /v1/config/public:
+ get:
+ operationId: ConfigService_GetPublicConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1DeployDetectionResponse'
+ $ref: '#/components/schemas/storagePublicConfig'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- requestBody:
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/v1DeployDetectionRequest'
- required: true
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - DetectionService
- /v1/detect/deploy/yaml:
- post:
- summary: DetectDeployTimeFromYAML checks if the given deployment yaml violates any deploy time policies.
- operationId: DetectionService_DetectDeployTimeFromYAML
+ - ConfigService
+ /v1/credentialexpiry:
+ get:
+ summary: >-
+ GetCertExpiry returns information related to the expiry component mTLS
+ certificate.
+ operationId: CredentialExpiryService_GetCertExpiry
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1DeployDetectionResponse'
+ $ref: '#/components/schemas/v1GetCertExpiryResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- requestBody:
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/v1DeployYAMLDetectionRequest'
- required: true
+ $ref: '#/components/schemas/googlerpcStatus'
+ parameters:
+ - name: component
+ in: query
+ required: false
+ schema:
+ type: string
+ enum:
+ - UNKNOWN
+ - CENTRAL
+ - SCANNER
+ - SCANNER_V4
+ - CENTRAL_DB
+ default: UNKNOWN
tags:
- - DetectionService
- /v1/featureflags:
- get:
- operationId: FeatureFlagService_GetFeatureFlags
+ - CredentialExpiryService
+ /v1/clustercves/suppress:
+ patch:
+ summary: SuppressCVE suppresses cluster cves.
+ operationId: ClusterCVEService_SuppressCVEs
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1GetFeatureFlagsResponse'
+ $ref: '#/components/schemas/v1Empty'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
+ requestBody:
+ $ref: '#/components/requestBodies/v1SuppressCVERequest'
tags:
- - FeatureFlagService
- /v1/group:
- get:
- operationId: GroupService_GetGroup
+ - ClusterCVEService
+ /v1/clustercves/unsuppress:
+ patch:
+ summary: UnsuppressCVE unsuppresses cluster cves.
+ operationId: ClusterCVEService_UnsuppressCVEs
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/storageGroup'
+ $ref: '#/components/schemas/v1Empty'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: authProviderId
- in: query
- required: false
- schema:
- type: string
- - name: key
- in: query
- required: false
- schema:
- type: string
- - name: value
- in: query
- required: false
- schema:
- type: string
+ $ref: '#/components/schemas/googlerpcStatus'
+ requestBody:
+ $ref: '#/components/requestBodies/v1UnsuppressCVERequest'
tags:
- - GroupService
- /v1/groups:
- get:
- operationId: GroupService_GetGroups
+ - ClusterCVEService
+ /v1/imagecves/suppress:
+ patch:
+ summary: SuppressCVE suppresses image cves.
+ operationId: ImageCVEService_SuppressCVEs
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1GetGroupsResponse'
+ $ref: '#/components/schemas/v1Empty'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: authProviderId
- in: query
- required: false
- schema:
- type: string
- - name: key
- in: query
- required: false
- schema:
- type: string
- - name: value
- in: query
- required: false
- schema:
- type: string
+ $ref: '#/components/schemas/googlerpcStatus'
+ requestBody:
+ $ref: '#/components/requestBodies/v1SuppressCVERequest'
tags:
- - GroupService
- delete:
- operationId: GroupService_DeleteGroup
+ - ImageCVEService
+ /v1/imagecves/unsuppress:
+ patch:
+ summary: UnsuppressCVE unsuppresses image cves.
+ operationId: ImageCVEService_UnsuppressCVEs
responses:
'200':
description: A successful response.
@@ -2208,27 +2742,15 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: authProviderId
- in: query
- required: false
- schema:
- type: string
- - name: key
- in: query
- required: false
- schema:
- type: string
- - name: value
- in: query
- required: false
- schema:
- type: string
+ $ref: '#/components/schemas/googlerpcStatus'
+ requestBody:
+ $ref: '#/components/requestBodies/v1UnsuppressCVERequest'
tags:
- - GroupService
- post:
- operationId: GroupService_CreateGroup
+ - ImageCVEService
+ /v1/nodecves/suppress:
+ patch:
+ summary: SuppressCVE suppresses node cves.
+ operationId: NodeCVEService_SuppressCVEs
responses:
'200':
description: A successful response.
@@ -2241,13 +2763,15 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
requestBody:
- $ref: '#/components/requestBodies/storageGroup'
+ $ref: '#/components/requestBodies/v1SuppressCVERequest'
tags:
- - GroupService
- put:
- operationId: GroupService_UpdateGroup
+ - NodeCVEService
+ /v1/nodecves/unsuppress:
+ patch:
+ summary: UnsuppressCVE unsuppresses node cves.
+ operationId: NodeCVEService_UnsuppressCVEs
responses:
'200':
description: A successful response.
@@ -2260,89 +2784,79 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
requestBody:
- $ref: '#/components/requestBodies/storageGroup'
+ $ref: '#/components/requestBodies/v1UnsuppressCVERequest'
tags:
- - GroupService
- /v1/groupsbatch:
- post:
- operationId: GroupService_BatchUpdate
+ - NodeCVEService
+ /v1/db/exportcaps:
+ get:
+ operationId: DBService_GetExportCapabilities
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1Empty'
+ $ref: '#/components/schemas/v1GetDBExportCapabilitiesResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- requestBody:
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/v1GroupBatchUpdateRequest'
- required: true
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - GroupService
- /v1/imageintegrations:
- get:
- summary: GetImageIntegrations returns all image integrations that match the request filters.
- operationId: ImageIntegrationService_GetImageIntegrations
+ - DBService
+ /v1/db/interruptrestore/{processId}/{attemptId}:
+ post:
+ operationId: DBService_InterruptRestoreProcess
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1GetImageIntegrationsResponse'
+ $ref: '#/components/schemas/v1InterruptDBRestoreProcessResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
parameters:
- - name: name
- in: query
- required: false
+ - name: processId
+ in: path
+ required: true
schema:
type: string
- - name: cluster
- in: query
- required: false
+ - name: attemptId
+ in: path
+ required: true
schema:
type: string
tags:
- - ImageIntegrationService
- post:
- summary: PostImageIntegration creates a image integration.
- operationId: ImageIntegrationService_PostImageIntegration
+ - DBService
+ /v1/db/restore:
+ get:
+ operationId: DBService_GetActiveRestoreProcess
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/storageImageIntegration'
+ $ref: '#/components/schemas/v1GetActiveDBRestoreProcessResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- requestBody:
- $ref: '#/components/requestBodies/storageImageIntegration'
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - ImageIntegrationService
- /v1/imageintegrations/test:
- post:
- summary: TestImageIntegration checks if the given image integration is correctly configured, without using stored credential reconciliation.
- operationId: ImageIntegrationService_TestImageIntegration
+ - DBService
+ /v1/db/restore/{id}:
+ delete:
+ operationId: DBService_CancelRestoreProcess
responses:
'200':
description: A successful response.
@@ -2355,15 +2869,44 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- requestBody:
- $ref: '#/components/requestBodies/storageImageIntegration'
+ $ref: '#/components/schemas/googlerpcStatus'
+ parameters:
+ - name: id
+ in: path
+ required: true
+ schema:
+ type: string
tags:
- - ImageIntegrationService
- /v1/imageintegrations/test/updated:
+ - DBService
+ /v1/debug/authz/trace:
+ get:
+ summary: Stream authorization traces for all incoming requests.
+ operationId: DebugService_StreamAuthzTraces
+ responses:
+ '200':
+ description: A successful response.(streaming responses)
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ result:
+ $ref: '#/components/schemas/v1AuthorizationTraceResponse'
+ error:
+ $ref: '#/components/schemas/googlerpcStatus'
+ title: Stream result of v1AuthorizationTraceResponse
+ default:
+ description: An unexpected error response.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/googlerpcStatus'
+ tags:
+ - DebugService
+ /v1/debug/db/stats/reset:
post:
- summary: TestUpdatedImageIntegration checks if the given image integration is correctly configured, with optional stored credential reconciliation.
- operationId: ImageIntegrationService_TestUpdatedImageIntegration
+ summary: Reset database debugging statistics.
+ operationId: DebugService_ResetDBStats
responses:
'200':
description: A successful response.
@@ -2376,307 +2919,340 @@ paths:
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- requestBody:
- $ref: '#/components/requestBodies/v1UpdateImageIntegrationRequest'
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - ImageIntegrationService
- /v1/imageintegrations/{config.id}:
- patch:
- summary: UpdateImageIntegration modifies a given image integration, with optional stored credential reconciliation.
- operationId: ImageIntegrationService_UpdateImageIntegration
+ - DebugService
+ /v1/debug/loglevel:
+ get:
+ summary: Get the current logging level for StackRox services.
+ operationId: DebugService_GetLogLevel
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1Empty'
+ $ref: '#/components/schemas/v1LogLevelResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
parameters:
- - name: config.id
- in: path
- required: true
+ - name: modules
+ in: query
+ required: false
+ explode: true
schema:
- type: string
+ type: array
+ items:
+ type: string
+ tags:
+ - DebugService
+ patch:
+ summary: Set logging level for StackRox services.
+ operationId: DebugService_SetLogLevel
+ responses:
+ '200':
+ description: A successful response.
+ content:
+ application/json:
+ schema:
+ type: object
+ properties: {}
+ default:
+ description: An unexpected error response.
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/googlerpcStatus'
requestBody:
- $ref: '#/components/requestBodies/v1UpdateImageIntegrationRequest'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/v1LogLevelRequest'
+ required: true
tags:
- - ImageIntegrationService
- /v1/imageintegrations/{id}:
+ - DebugService
+ /v1/declarative-config/health:
get:
- summary: GetImageIntegration returns the image integration given its ID.
- operationId: ImageIntegrationService_GetImageIntegration
+ operationId: DeclarativeConfigHealthService_GetDeclarativeConfigHealths
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/storageImageIntegration'
+ $ref: '#/components/schemas/v1GetDeclarativeConfigHealthsResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: id
- in: path
- required: true
- schema:
- type: string
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - ImageIntegrationService
- delete:
- summary: DeleteImageIntegration removes a image integration given its ID.
- operationId: ImageIntegrationService_DeleteImageIntegration
+ - DeclarativeConfigHealthService
+ /v1/delegatedregistryconfig:
+ get:
+ summary: GetConfig returns the current delegated registry configuration
+ operationId: DelegatedRegistryConfigService_GetConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1Empty'
+ $ref: '#/components/schemas/v1DelegatedRegistryConfig'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: id
- in: path
- required: true
- schema:
- type: string
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - ImageIntegrationService
+ - DelegatedRegistryConfigService
put:
- summary: PutImageIntegration modifies a given image integration, without using stored credential reconciliation.
- operationId: ImageIntegrationService_PutImageIntegration
+ summary: UpdateConfig updates the stored delegated registry configuration
+ operationId: DelegatedRegistryConfigService_UpdateConfig
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1Empty'
+ $ref: '#/components/schemas/v1DelegatedRegistryConfig'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: id
- in: path
- required: true
- schema:
- type: string
+ $ref: '#/components/schemas/googlerpcStatus'
requestBody:
- $ref: '#/components/requestBodies/storageImageIntegration'
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/v1DelegatedRegistryConfig'
+ description: >-
+ DelegatedRegistryConfig determines if and where scan requests are
+ delegated to, such as kept in
+
+ central services or sent to particular secured clusters.
+ required: true
tags:
- - ImageIntegrationService
- /v1/images:
+ - DelegatedRegistryConfigService
+ /v1/delegatedregistryconfig/clusters:
get:
- summary: ListImages returns all the images.
- operationId: ImageService_ListImages
+ summary: >-
+ GetClusters returns the list of clusters (id + name) and a flag
+ indicating whether or not
+
+ the cluster is valid for use in the delegated registry config
+ operationId: DelegatedRegistryConfigService_GetClusters
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1ListImagesResponse'
+ $ref: '#/components/schemas/v1DelegatedRegistryClustersResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- parameters:
- - name: query
- in: query
- required: false
- schema:
- type: string
- - name: pagination.limit
- in: query
- required: false
- schema:
- type: integer
- format: int32
- - name: pagination.offset
- in: query
- required: false
- schema:
- type: integer
- format: int32
- - name: pagination.sortOption.field
- in: query
- required: false
- schema:
- type: string
- - name: pagination.sortOption.reversed
- in: query
- required: false
- schema:
- type: boolean
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - ImageService
- delete:
- summary: DeleteImage removes the images based on a query
- operationId: ImageService_DeleteImages
+ - DelegatedRegistryConfigService
+ /v1/deployments:
+ get:
+ summary: ListDeployments returns the list of deployments.
+ operationId: DeploymentService_ListDeployments
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1DeleteImagesResponse'
+ $ref: '#/components/schemas/v1ListDeploymentsResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
parameters:
- - name: query.query
+ - name: query
in: query
required: false
schema:
type: string
- - name: query.pagination.limit
+ - name: pagination.limit
in: query
required: false
schema:
type: integer
format: int32
- - name: query.pagination.offset
+ - name: pagination.offset
in: query
required: false
schema:
type: integer
format: int32
- - name: query.pagination.sortOption.field
+ - name: pagination.sortOption.field
in: query
required: false
schema:
type: string
- - name: query.pagination.sortOption.reversed
+ - name: pagination.sortOption.reversed
in: query
required: false
schema:
type: boolean
- - name: confirm
+ - name: pagination.sortOption.aggregateBy.aggrFunc
+ in: query
+ required: false
+ schema:
+ type: string
+ enum:
+ - UNSET
+ - COUNT
+ - MIN
+ - MAX
+ default: UNSET
+ - name: pagination.sortOption.aggregateBy.distinct
in: query
required: false
schema:
type: boolean
tags:
- - ImageService
- /v1/images/cache/invalidate:
+ - DeploymentService
+ /v1/deployments/metadata/labels:
get:
- summary: InvalidateScanAndRegistryCaches removes the image metadata cache.
- operationId: ImageService_InvalidateScanAndRegistryCaches
+ summary: GetLabels returns the labels used by deployments.
+ operationId: DeploymentService_GetLabels
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1Empty'
+ $ref: '#/components/schemas/v1DeploymentLabelsResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
tags:
- - ImageService
- /v1/images/scan:
- post:
- summary: ScanImage scans a single image and returns the result
- operationId: ImageService_ScanImage
+ - DeploymentService
+ /v1/deployments/{id}:
+ get:
+ summary: GetDeployment returns a deployment given its ID.
+ operationId: DeploymentService_GetDeployment
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/storageImage'
+ $ref: '#/components/schemas/storageDeployment'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
- requestBody:
- content:
- application/json:
- schema:
- $ref: '#/components/schemas/v1ScanImageRequest'
- required: true
+ $ref: '#/components/schemas/googlerpcStatus'
+ parameters:
+ - name: id
+ in: path
+ required: true
+ schema:
+ type: string
tags:
- - ImageService
- /v1/images/{id}:
+ - DeploymentService
+ /v1/deploymentscount:
get:
- summary: GetImage returns the image given its ID.
- operationId: ImageService_GetImage
+ summary: CountDeployments returns the number of deployments.
+ operationId: DeploymentService_CountDeployments
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/storageImage'
+ $ref: '#/components/schemas/v1CountDeploymentsResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
parameters:
- - name: id
- in: path
- required: true
+ - name: query
+ in: query
+ required: false
schema:
type: string
- - name: includeSnoozed
+ - name: pagination.limit
+ in: query
+ required: false
+ schema:
+ type: integer
+ format: int32
+ - name: pagination.offset
+ in: query
+ required: false
+ schema:
+ type: integer
+ format: int32
+ - name: pagination.sortOption.field
+ in: query
+ required: false
+ schema:
+ type: string
+ - name: pagination.sortOption.reversed
in: query
required: false
schema:
type: boolean
- - name: stripDescription
+ - name: pagination.sortOption.aggregateBy.aggrFunc
+ in: query
+ required: false
+ schema:
+ type: string
+ enum:
+ - UNSET
+ - COUNT
+ - MIN
+ - MAX
+ default: UNSET
+ - name: pagination.sortOption.aggregateBy.distinct
in: query
required: false
schema:
type: boolean
tags:
- - ImageService
- /v1/imagescount:
+ - DeploymentService
+ /v1/deploymentswithprocessinfo:
get:
- summary: ListImages returns all the images.
- operationId: ImageService_CountImages
+ summary: >-
+ ListDeploymentsWithProcessInfo returns the list of deployments with
+ process information.
+ operationId: DeploymentService_ListDeploymentsWithProcessInfo
responses:
'200':
description: A successful response.
content:
application/json:
schema:
- $ref: '#/components/schemas/v1CountImagesResponse'
+ $ref: '#/components/schemas/v1ListDeploymentsWithProcessInfoResponse'
default:
description: An unexpected error response.
content:
application/json:
schema:
- $ref: '#/components/schemas/runtimeError'
+ $ref: '#/components/schemas/googlerpcStatus'
parameters:
- name: query
in: query
@@ -2705,238 +3281,193 @@ paths: required: false schema: type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - ImageService - /v1/watchedimages: + - DeploymentService + /v1/deploymentswithrisk/{id}: get: - summary: |- - GetWatchedImages returns the list of image names that are currently - being watched. - operationId: ImageService_GetWatchedImages + summary: GetDeploymentWithRisk returns a deployment and its risk given its ID. + operationId: DeploymentService_GetDeploymentWithRisk responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetWatchedImagesResponse' + $ref: '#/components/schemas/v1GetDeploymentWithRiskResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - ImageService - delete: - summary: |- - UnwatchImage marks an image name to no longer be watched. - It returns successfully if the image is no longer being watched - after the call, irrespective of whether the image was already being watched. - operationId: ImageService_UnwatchImage + - DeploymentService + /v1/export/deployments: + get: + operationId: DeploymentService_ExportDeployments responses: '200': - description: A successful response. 
+ description: A successful response.(streaming responses) content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + type: object + properties: + result: + $ref: '#/components/schemas/v1ExportDeploymentResponse' + error: + $ref: '#/components/schemas/googlerpcStatus' + title: Stream result of v1ExportDeploymentResponse default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: name - description: |- - The name of the image to unwatch. - Should match the name of a previously watched image. + - name: timeout + in: query + required: false + schema: + type: integer + format: int32 + - name: query in: query required: false schema: type: string tags: - - ImageService + - DeploymentService + /v1/detect/build: post: - summary: WatchImage marks an image name as to be watched. - operationId: ImageService_WatchImage + summary: DetectBuildTime checks if any images violate build time policies. + operationId: DetectionService_DetectBuildTime responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1WatchImageResponse' + $ref: '#/components/schemas/v1BuildDetectionResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1WatchImageRequest' + $ref: '#/components/schemas/v1BuildDetectionRequest' required: true tags: - - ImageService - /v1/integrationhealth/externalbackups: - get: - operationId: IntegrationHealthService_GetBackupPlugins - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1GetIntegrationHealthResponse' - default: - description: An unexpected error response. 
- content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - IntegrationHealthService - /v1/integrationhealth/imageintegrations: - get: - operationId: IntegrationHealthService_GetImageIntegrations - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1GetIntegrationHealthResponse' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - IntegrationHealthService - /v1/integrationhealth/notifiers: - get: - operationId: IntegrationHealthService_GetNotifiers - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1GetIntegrationHealthResponse' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - IntegrationHealthService - /v1/integrationhealth/vulndefinitions: - get: - operationId: IntegrationHealthService_GetVulnDefinitionsInfo - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1VulnDefinitionsInfo' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - IntegrationHealthService - /v1/licenses/activekey: - get: - operationId: LicenseService_GetActiveLicenseKey - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1GetActiveLicenseKeyResponse' - default: - description: An unexpected error response. 
- content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - LicenseService - /v1/licenses/add: + - DetectionService + /v1/detect/deploy: post: - operationId: LicenseService_AddLicense + summary: DetectDeployTime checks if any deployments violate deploy time policies. + operationId: DetectionService_DetectDeployTime responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1AddLicenseResponse' + $ref: '#/components/schemas/v1DeployDetectionResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1AddLicenseRequest' + $ref: '#/components/schemas/v1DeployDetectionRequest' required: true tags: - - LicenseService - /v1/licenses/expiration: - get: - operationId: LicenseService_GetActiveLicenseExpiration + - DetectionService + /v1/detect/deploy/yaml: + post: + summary: >- + DetectDeployTimeFromYAML checks if the given deployment yaml violates + any deploy time policies. + operationId: DetectionService_DetectDeployTimeFromYAML responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetActiveLicenseExpirationResponse' + $ref: '#/components/schemas/v1DeployDetectionResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1DeployYAMLDetectionRequest' + required: true tags: - - LicenseService - /v1/licenses/list: + - DetectionService + /v1/count/discovered-clusters: get: - operationId: LicenseService_GetLicenses + summary: >- + CountDiscoveredClusters returns the number of discovered clusters after + filtering by requested fields. + operationId: DiscoveredClustersService_CountDiscoveredClusters responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetLicensesResponse' + $ref: '#/components/schemas/v1CountDiscoveredClustersResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: active + - name: filter.names + description: Matches discovered clusters of specific names. in: query required: false + explode: true schema: - type: boolean - - name: statuses + type: array + items: + type: string + - name: filter.types + description: Matches discovered clusters of specific types. in: query required: false explode: true 
@@ -2945,174 +3476,312 @@ paths: items: type: string enum: - - UNKNOWN - - VALID - - REVOKED - - NOT_YET_VALID - - EXPIRED - - OTHER - tags: - - LicenseService - /v1/metadata: - get: - operationId: MetadataService_GetMetadata - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1Metadata' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' + - UNSPECIFIED + - AKS + - ARO + - EKS + - GKE + - OCP + - OSD + - ROSA + - name: filter.statuses + description: |- + Matches discovered clusters of specific statuses. + + - STATUS_UNSPECIFIED: The status of the cluster is unknown. May occur if a secured cluster + is missing the metadata for a possible match. + - STATUS_SECURED: The discovered cluster was matched with a secured cluster. + - STATUS_UNSECURED: The discovered cluster was not matched with a secured cluster. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - STATUS_UNSPECIFIED + - STATUS_SECURED + - STATUS_UNSECURED + - name: filter.sourceIds + description: Matches discovered clusters of specific cloud source IDs. + in: query + required: false + explode: true + schema: + type: array + items: + type: string tags: - - MetadataService - /v1/tls-challenge: + - DiscoveredClustersService + /v1/discovered-clusters: get: - operationId: MetadataService_TLSChallenge + summary: >- + ListDiscoveredClusters returns the list of discovered clusters after + filtered by requested fields. + operationId: DiscoveredClustersService_ListDiscoveredClusters responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1TLSChallengeResponse' + $ref: '#/components/schemas/v1ListDiscoveredClustersResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: challengeToken - description: generated challenge token by the service asking for TLS certs. + - name: pagination.limit in: query required: false schema: - type: string - tags: - - MetadataService - /v1/mitreattackvectors: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + - name: filter.names + description: Matches discovered clusters of specific names. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + - name: filter.types + description: Matches discovered clusters of specific types. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - UNSPECIFIED + - AKS + - ARO + - EKS + - GKE + - OCP + - OSD + - ROSA + - name: filter.statuses + description: |- + Matches discovered clusters of specific statuses. + + - STATUS_UNSPECIFIED: The status of the cluster is unknown. May occur if a secured cluster + is missing the metadata for a possible match. + - STATUS_SECURED: The discovered cluster was matched with a secured cluster. + - STATUS_UNSECURED: The discovered cluster was not matched with a secured cluster. 
+ in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - STATUS_UNSPECIFIED + - STATUS_SECURED + - STATUS_UNSECURED + - name: filter.sourceIds + description: Matches discovered clusters of specific cloud source IDs. + in: query + required: false + explode: true + schema: + type: array + items: + type: string + tags: + - DiscoveredClustersService + /v1/discovered-clusters/{id}: get: - summary: ListMitreAttackVectors returns all MITRE ATT&CK vectors. - operationId: MitreAttackService_ListMitreAttackVectors + summary: GetDiscoveredCluster retrieves a discovered cluster by ID. + operationId: DiscoveredClustersService_GetDiscoveredCluster responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ListMitreAttackVectorsResponse' + $ref: '#/components/schemas/v1GetDiscoveredClusterResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - MitreAttackService - /v1/mitreattackvectors/{id}: + - DiscoveredClustersService + /v1/featureflags: get: - summary: GetMitreAttackVector returns the full MITRE ATT&CK vector for a tactic with all its techniques. - operationId: MitreAttackService_GetMitreAttackVector + operationId: FeatureFlagService_GetFeatureFlags responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetMitreVectorResponse' + $ref: '#/components/schemas/v1GetFeatureFlagsResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - MitreAttackService - /v1/namespaces: + - FeatureFlagService + /v1/group: get: - operationId: NamespaceService_GetNamespaces + operationId: GroupService_GetGroup responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetNamespacesResponse' + $ref: '#/components/schemas/storageGroup' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query.query + - name: id + description: Unique identifier for group properties and respectively the group. in: query required: false schema: type: string - - name: query.pagination.limit + - name: traits.mutabilityMode in: query required: false schema: - type: integer - format: int32 - - name: query.pagination.offset + type: string + enum: + - ALLOW_MUTATE + - ALLOW_MUTATE_FORCED + default: ALLOW_MUTATE + - name: traits.visibility in: query required: false schema: - type: integer - format: int32 - - name: query.pagination.sortOption.field + type: string + enum: + - VISIBLE + - HIDDEN + default: VISIBLE + - name: traits.origin in: query required: false schema: type: string - - name: query.pagination.sortOption.reversed + enum: + - IMPERATIVE + - DEFAULT + - DECLARATIVE + - DECLARATIVE_ORPHANED + default: IMPERATIVE + - name: authProviderId in: query required: false schema: - type: boolean + type: string + - name: key + in: query + required: false + schema: + type: string + - name: value + in: query + required: false + schema: + type: string tags: - - NamespaceService - /v1/namespaces/{id}: + - GroupService + /v1/groups: get: - operationId: NamespaceService_GetNamespace + operationId: GroupService_GetGroups 
responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Namespace' + $ref: '#/components/schemas/v1GetGroupsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: + - name: authProviderId + in: query + required: false + schema: + type: string + - name: key + in: query + required: false + schema: + type: string + - name: value + in: query + required: false + schema: + type: string - name: id - in: path - required: true + in: query + required: false schema: type: string tags: - - NamespaceService - /v1/networkbaseline/{deploymentId}/peers: - patch: - operationId: NetworkBaselineService_ModifyBaselineStatusForPeers + - GroupService + delete: + operationId: GroupService_DeleteGroup responses: '200': description: A successful response. 
@@ -3125,78 +3794,94 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: deploymentId - in: path - required: true + - name: authProviderId + description: >- + We copy over parameters from storage.GroupProperties for seamless + HTTP API migration. + in: query + required: false schema: type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1ModifyBaselineStatusForPeersRequest' - required: true + - name: key + in: query + required: false + schema: + type: string + - name: value + in: query + required: false + schema: + type: string + - name: id + in: query + required: false + schema: + type: string + - name: force + in: query + required: false + schema: + type: boolean tags: - - NetworkBaselineService - /v1/networkbaseline/{deploymentId}/status: + - GroupService post: - operationId: NetworkBaselineService_GetNetworkBaselineStatusForFlows + operationId: GroupService_CreateGroup responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1NetworkBaselineStatusResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: deploymentId - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1NetworkBaselineStatusRequest' + $ref: '#/components/schemas/storageGroup' + description: 'Group is a GroupProperties : Role mapping.' required: true tags: - - NetworkBaselineService - /v1/networkbaseline/{id}: - get: - operationId: NetworkBaselineService_GetNetworkBaseline + - GroupService + put: + operationId: GroupService_UpdateGroup responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/storageNetworkBaseline' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: force + in: query + required: false schema: - type: string + type: boolean + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/storageGroup' + required: true tags: - - NetworkBaselineService - /v1/networkbaseline/{id}/lock: - patch: - operationId: NetworkBaselineService_LockNetworkBaseline + - GroupService + /v1/groupsbatch: + post: + operationId: GroupService_BatchUpdate responses: '200': description: A successful response. 
@@ -3209,228 +3894,181 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' requestBody: - $ref: '#/components/requestBodies/v1ResourceByID' + content: + application/json: + schema: + $ref: '#/components/schemas/v1GroupBatchUpdateRequest' + required: true tags: - - NetworkBaselineService - /v1/networkbaseline/{id}/unlock: - patch: - operationId: NetworkBaselineService_UnlockNetworkBaseline + - GroupService + /v1/grpc-preferences: + get: + operationId: GRPCPreferencesService_Get responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1Preferences' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string - requestBody: - $ref: '#/components/requestBodies/v1ResourceByID' + $ref: '#/components/schemas/googlerpcStatus' tags: - - NetworkBaselineService - /v1/networkgraph/cluster/{clusterId}: - get: - operationId: NetworkGraphService_GetNetworkGraph + - GRPCPreferencesService + /api/v1/images/sbom: + post: + summary: Generate an SPDX 2.3 SBOM from an image scan. + operationId: GenerateSBOM responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1NetworkGraph' + $ref: '#/components/schemas/SBOM-SPDX23-Document' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: clusterId - in: path - required: true - schema: - type: string - - name: query - in: query - required: false - schema: - type: string - - name: since - in: query - required: false - schema: - type: string - format: date-time - - name: includePorts - in: query - required: false - schema: - type: boolean - - name: scope.query - in: query - required: false - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/imageSBOMRequest' + required: true tags: - - NetworkGraphService - /v1/networkgraph/cluster/{clusterId}/externalentities: + - ImageService + /v1/imageintegrations: get: - operationId: NetworkGraphService_GetExternalNetworkEntities + summary: >- + GetImageIntegrations returns all image integrations that match the + request filters. + operationId: ImageIntegrationService_GetImageIntegrations responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetExternalNetworkEntitiesResponse' + $ref: '#/components/schemas/v1GetImageIntegrationsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: clusterId - in: path - required: true + - name: name + in: query + required: false schema: type: string - - name: query + - name: cluster in: query required: false schema: type: string tags: - - NetworkGraphService + - ImageIntegrationService post: - operationId: NetworkGraphService_CreateExternalNetworkEntity + summary: PostImageIntegration creates a image integration. + operationId: ImageIntegrationService_PostImageIntegration responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/storageNetworkEntity' + $ref: '#/components/schemas/storageImageIntegration' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: clusterId - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1CreateNetworkEntityRequest' - required: true + $ref: '#/components/requestBodies/storageImageIntegration' tags: - - NetworkGraphService - /v1/networkgraph/config: - get: - operationId: NetworkGraphService_GetNetworkGraphConfig + - ImageIntegrationService + /v1/imageintegrations/test: + post: + summary: >- + TestImageIntegration checks if the given image integration is correctly + configured, without using stored credential reconciliation. + operationId: ImageIntegrationService_TestImageIntegration responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageNetworkGraphConfig' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + $ref: '#/components/requestBodies/storageImageIntegration' tags: - - NetworkGraphService - put: - operationId: NetworkGraphService_PutNetworkGraphConfig + - ImageIntegrationService + /v1/imageintegrations/test/updated: + post: + summary: >- + TestUpdatedImageIntegration checks if the given image integration is + correctly configured, with optional stored credential reconciliation. + operationId: ImageIntegrationService_TestUpdatedImageIntegration responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/storageNetworkGraphConfig' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1PutNetworkGraphConfigRequest' + $ref: '#/components/schemas/v1UpdateImageIntegrationRequest' required: true tags: - - NetworkGraphService - /v1/networkgraph/externalentities/{id}: - delete: - operationId: NetworkGraphService_DeleteExternalNetworkEntity - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1Empty' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string - tags: - - NetworkGraphService + - ImageIntegrationService + /v1/imageintegrations/{config.id}: patch: - operationId: NetworkGraphService_PatchExternalNetworkEntity + summary: >- + UpdateImageIntegration modifies a given image integration, with optional + stored credential reconciliation. + operationId: ImageIntegrationService_UpdateImageIntegration responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageNetworkEntity' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: config.id in: path required: true schema: 
@@ -3439,55 +4077,52 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/v1PatchNetworkEntityRequest' + $ref: >- + #/components/schemas/ImageIntegrationServiceUpdateImageIntegrationBody required: true tags: - - NetworkGraphService - /v1/networkpolicies: + - ImageIntegrationService + /v1/imageintegrations/{id}: get: - operationId: NetworkPolicyService_GetNetworkPolicies + summary: GetImageIntegration returns the image integration given its ID. + operationId: ImageIntegrationService_GetImageIntegration responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1NetworkPoliciesResponse' + $ref: '#/components/schemas/storageImageIntegration' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: clusterId - in: query - required: false - schema: - type: string - - name: deploymentQuery - in: query - required: false + - name: id + in: path + required: true schema: type: string tags: - - NetworkPolicyService - /v1/networkpolicies/allowedpeers/{id}: - get: - operationId: NetworkPolicyService_GetAllowedPeersFromCurrentPolicyForDeployment + - ImageIntegrationService + delete: + summary: DeleteImageIntegration removes a image integration given its ID. + operationId: ImageIntegrationService_DeleteImageIntegration responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetAllowedPeersFromCurrentPolicyForDeploymentResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
@@ -3495,10 +4130,12 @@ paths: schema: type: string tags: - - NetworkPolicyService - /v1/networkpolicies/apply/deployment/{deploymentId}: - post: - operationId: NetworkPolicyService_ApplyNetworkPolicyYamlForDeployment + - ImageIntegrationService + put: + summary: >- + PutImageIntegration modifies a given image integration, without using + stored credential reconciliation. + operationId: ImageIntegrationService_PutImageIntegration responses: '200': description: A successful response. @@ -3511,9 +4148,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: deploymentId + - name: id in: path required: true schema: 
@@ -3522,839 +4159,893 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/v1ApplyNetworkPolicyYamlForDeploymentRequest' + $ref: >- + #/components/schemas/ImageIntegrationServicePutImageIntegrationBody required: true tags: - - NetworkPolicyService - /v1/networkpolicies/apply/{clusterId}: - post: - operationId: NetworkPolicyService_ApplyNetworkPolicy - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1Empty' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: clusterId - in: path - required: true - schema: - type: string - requestBody: - $ref: '#/components/requestBodies/storageNetworkPolicyModification' - tags: - - NetworkPolicyService - /v1/networkpolicies/baselinecomparison/{id}: + - ImageIntegrationService + /v1/export/images: get: - operationId: NetworkPolicyService_GetDiffFlowsBetweenPolicyAndBaselineForDeployment + operationId: ImageService_ExportImages responses: '200': - description: A successful response. + description: A successful response.(streaming responses) content: application/json: schema: - $ref: '#/components/schemas/v1GetDiffFlowsResponse' + type: object + properties: + result: + $ref: '#/components/schemas/v1ExportImageResponse' + error: + $ref: '#/components/schemas/googlerpcStatus' + title: Stream result of v1ExportImageResponse default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: timeout + in: query + required: false + schema: + type: integer + format: int32 + - name: query + in: query + required: false schema: type: string tags: - - NetworkPolicyService - /v1/networkpolicies/cluster/{clusterId}: + - ImageService + /v1/images: get: - operationId: NetworkPolicyService_GetNetworkGraph + summary: ListImages returns all the images that match the input query. + operationId: ImageService_ListImages responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1NetworkGraph' + $ref: '#/components/schemas/v1ListImagesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: clusterId - in: path - required: true + - name: query + in: query + required: false schema: type: string - - name: query + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field in: query required: false schema: type: string - - name: includePorts - description: If set to true, include port-level information in the network policy graph. 
+ - name: pagination.sortOption.reversed in: query required: false schema: type: boolean - - name: scope.query + - name: pagination.sortOption.aggregateBy.aggrFunc in: query required: false schema: type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - NetworkPolicyService - /v1/networkpolicies/generate/baseline/{deploymentId}: - post: - operationId: NetworkPolicyService_GetBaselineGeneratedNetworkPolicyForDeployment + - ImageService + delete: + summary: DeleteImage removes the images based on a query + operationId: ImageService_DeleteImages responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetBaselineGeneratedPolicyForDeploymentResponse' + $ref: '#/components/schemas/v1DeleteImagesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: deploymentId - in: path - required: true + - name: query.query + in: query + required: false schema: type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1GetBaselineGeneratedPolicyForDeploymentRequest' - required: true - tags: - - NetworkPolicyService - /v1/networkpolicies/generate/{clusterId}: - get: - operationId: NetworkPolicyService_GenerateNetworkPolicies - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1GenerateNetworkPoliciesResponse' - default: - description: An unexpected error response. 
- content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: clusterId - in: path - required: true + - name: query.pagination.limit + in: query + required: false schema: - type: string - - name: query + type: integer + format: int32 + - name: query.pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: query.pagination.sortOption.field in: query required: false schema: type: string - - name: deleteExisting + - name: query.pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: query.pagination.sortOption.aggregateBy.aggrFunc in: query required: false schema: type: string enum: - - UNKNOWN - - NONE - - GENERATED_ONLY - - ALL - default: UNKNOWN - - name: networkDataSince + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: query.pagination.sortOption.aggregateBy.distinct in: query required: false schema: - type: string - format: date-time - - name: includePorts + type: boolean + - name: confirm in: query required: false schema: type: boolean tags: - - NetworkPolicyService - /v1/networkpolicies/graph/epoch: + - ImageService + /v1/images/cache/invalidate: get: - operationId: NetworkPolicyService_GetNetworkGraphEpoch + summary: InvalidateScanAndRegistryCaches removes the image metadata cache. + operationId: ImageService_InvalidateScanAndRegistryCaches responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1NetworkGraphEpoch' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: clusterId - in: query - required: false - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - NetworkPolicyService - /v1/networkpolicies/simulate/{clusterId}: + - ImageService + /v1/images/scan: post: - operationId: NetworkPolicyService_SimulateNetworkGraph + summary: ScanImage scans a single image and returns the result + operationId: ImageService_ScanImage responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1SimulateNetworkGraphResponse' + $ref: '#/components/schemas/storageImage' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1ScanImageRequest' + required: true + tags: + - ImageService + /v1/images/{id}: + get: + summary: GetImage returns the image given its ID. + operationId: ImageService_GetImage + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageImage' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: clusterId + - name: id in: path required: true schema: type: string - - name: query - in: query - required: false - schema: - type: string - - name: includePorts - description: If set to true, include port-level information in the network policy graph. 
+ - name: includeSnoozed in: query required: false schema: type: boolean - - name: includeNodeDiff + - name: stripDescription in: query required: false schema: type: boolean - - name: scope.query - in: query - required: false - schema: - type: string - requestBody: - $ref: '#/components/requestBodies/storageNetworkPolicyModification' tags: - - NetworkPolicyService - /v1/networkpolicies/simulate/{clusterId}/notify: - post: - operationId: NetworkPolicyService_SendNetworkPolicyYAML + - ImageService + /v1/imagescount: + get: + summary: CountImages returns a count of images that match the input query. + operationId: ImageService_CountImages responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1CountImagesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: clusterId - in: path - required: true + - name: query + in: query + required: false schema: type: string - - name: notifierIds + - name: pagination.limit in: query required: false - explode: true schema: - type: array - items: - type: string - requestBody: - $ref: '#/components/requestBodies/storageNetworkPolicyModification' + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - NetworkPolicyService - 
/v1/networkpolicies/undo/deployment/{id}: + - ImageService + /v1/watchedimages: get: - operationId: NetworkPolicyService_GetUndoModificationForDeployment + summary: |- + GetWatchedImages returns the list of image names that are currently + being watched. + operationId: ImageService_GetWatchedImages responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetUndoModificationForDeploymentResponse' + $ref: '#/components/schemas/v1GetWatchedImagesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - NetworkPolicyService - /v1/networkpolicies/undo/{clusterId}: - get: - operationId: NetworkPolicyService_GetUndoModification + - ImageService + delete: + summary: >- + UnwatchImage marks an image name to no longer be watched. + + It returns successfully if the image is no longer being watched + + after the call, irrespective of whether the image was already being + watched. + operationId: ImageService_UnwatchImage responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetUndoModificationResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: clusterId - in: path - required: true + - name: name + description: |- + The name of the image to unwatch. + Should match the name of a previously watched image. 
+ in: query + required: false schema: type: string tags: - - NetworkPolicyService - /v1/networkpolicies/undobaselinecomparison/{id}: - get: - operationId: NetworkPolicyService_GetDiffFlowsFromUndoModificationForDeployment + - ImageService + post: + summary: WatchImage marks an image name as to be watched. + operationId: ImageService_WatchImage responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetDiffFlowsResponse' + $ref: '#/components/schemas/v1WatchImageResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1WatchImageRequest' + required: true tags: - - NetworkPolicyService - /v1/networkpolicies/{id}: + - ImageService + /v1/integrationhealth/declarativeconfigs: get: - operationId: NetworkPolicyService_GetNetworkPolicy + operationId: IntegrationHealthService_GetDeclarativeConfigs responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageNetworkPolicy' + $ref: '#/components/schemas/v1GetIntegrationHealthResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - NetworkPolicyService - /v1/nodes/{clusterId}: + - IntegrationHealthService + /v1/integrationhealth/externalbackups: get: - operationId: NodeService_ListNodes + operationId: IntegrationHealthService_GetBackupPlugins responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/v1ListNodesResponse' + $ref: '#/components/schemas/v1GetIntegrationHealthResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: clusterId - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - NodeService - /v1/nodes/{clusterId}/{nodeId}: + - IntegrationHealthService + /v1/integrationhealth/imageintegrations: get: - operationId: NodeService_GetNode + operationId: IntegrationHealthService_GetImageIntegrations responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageNode' + $ref: '#/components/schemas/v1GetIntegrationHealthResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: clusterId - in: path - required: true - schema: - type: string - - name: nodeId - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - NodeService - /v1/notifiers: + - IntegrationHealthService + /v1/integrationhealth/notifiers: get: - summary: GetNotifiers returns all notifier configurations that match the request filters. - operationId: NotifierService_GetNotifiers + operationId: IntegrationHealthService_GetNotifiers responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetNotifiersResponse' + $ref: '#/components/schemas/v1GetIntegrationHealthResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: name - in: query - required: false - schema: - type: string - - name: type - in: query - required: false - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - NotifierService - post: - summary: PostNotifier creates a notifier configuration. - operationId: NotifierService_PostNotifier + - IntegrationHealthService + /v1/integrationhealth/vulndefinitions: + get: + operationId: IntegrationHealthService_GetVulnDefinitionsInfo responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageNotifier' + $ref: '#/components/schemas/v1VulnDefinitionsInfo' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - $ref: '#/components/requestBodies/storageNotifier' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: component + in: query + required: false + schema: + type: string + enum: + - SCANNER + - SCANNER_V4 + default: SCANNER tags: - - NotifierService - /v1/notifiers/test: - post: - summary: TestNotifier checks if a notifier is correctly configured. - operationId: NotifierService_TestNotifier + - IntegrationHealthService + /v1/backup/status: + get: + operationId: MetadataService_GetDatabaseBackupStatus responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1DatabaseBackupStatus' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - $ref: '#/components/requestBodies/storageNotifier' + $ref: '#/components/schemas/googlerpcStatus' tags: - - NotifierService - /v1/notifiers/test/updated: - post: - summary: TestUpdatedNotifier checks if the given notifier is correctly configured, with optional stored credential reconciliation. - operationId: NotifierService_TestUpdatedNotifier + - MetadataService + /v1/central-capabilities: + get: + operationId: MetadataService_GetCentralCapabilities responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1CentralServicesCapabilities' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - $ref: '#/components/requestBodies/v1UpdateNotifierRequest' + $ref: '#/components/schemas/googlerpcStatus' tags: - - NotifierService - /v1/notifiers/{id}: + - MetadataService + /v1/database/status: get: - summary: GetNotifier returns the notifier configuration given its ID. - operationId: NotifierService_GetNotifier + operationId: MetadataService_GetDatabaseStatus responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageNotifier' + $ref: '#/components/schemas/v1DatabaseStatus' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - NotifierService - delete: - summary: DeleteNotifier removes a notifier configuration given its ID. - operationId: NotifierService_DeleteNotifier + - MetadataService + /v1/metadata: + get: + operationId: MetadataService_GetMetadata responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1Metadata' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string - - name: force - in: query - required: false - schema: - type: boolean + $ref: '#/components/schemas/googlerpcStatus' tags: - - NotifierService - put: - summary: PutNotifier modifies a given notifier, without using stored credential reconciliation. - operationId: NotifierService_PutNotifier + - MetadataService + /v1/tls-challenge: + get: + summary: TLSChallenge + description: |- + Returns all trusted CAs, i.e., secret/additional-ca and Central's cert + chain. This is necessary if Central is running behind a load balancer + with self-signed certificates. Does not require authentication. + operationId: MetadataService_TLSChallenge responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1TLSChallengeResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: challengeToken + description: generated challenge token by the service asking for TLS certs + in: query + required: false schema: type: string - requestBody: - $ref: '#/components/requestBodies/storageNotifier' tags: - - NotifierService - /v1/notifiers/{notifier.id}: - patch: - summary: UpdateNotifier modifies a given notifier, with optional stored credential reconciliation. - operationId: NotifierService_UpdateNotifier + - MetadataService + /v1/mitreattackvectors: + get: + summary: ListMitreAttackVectors returns all MITRE ATT&CK vectors. 
+ operationId: MitreAttackService_ListMitreAttackVectors responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1ListMitreAttackVectorsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: notifier.id - in: path - required: true - schema: - type: string - requestBody: - $ref: '#/components/requestBodies/v1UpdateNotifierRequest' + $ref: '#/components/schemas/googlerpcStatus' tags: - - NotifierService - /v1/ping: + - MitreAttackService + /v1/mitreattackvectors/{id}: get: - operationId: PingService_Ping + summary: >- + GetMitreAttackVector returns the full MITRE ATT&CK vector for a tactic + with all its techniques. + operationId: MitreAttackService_GetMitreAttackVector responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1PongMessage' + $ref: '#/components/schemas/v1GetMitreVectorResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - PingService - /v1/pods: + - MitreAttackService + /v1/namespaces: get: - summary: GetPods returns the pods. - operationId: PodService_GetPods + operationId: NamespaceService_GetNamespaces responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1PodsResponse' + $ref: '#/components/schemas/v1GetNamespacesResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query + - name: query.query in: query required: false schema: type: string - - name: pagination.limit + - name: query.pagination.limit in: query required: false schema: type: integer format: int32 - - name: pagination.offset + - name: query.pagination.offset in: query required: false schema: type: integer format: int32 - - name: pagination.sortOption.field + - name: query.pagination.sortOption.field in: query required: false schema: type: string - - name: pagination.sortOption.reversed + - name: query.pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: query.pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: query.pagination.sortOption.aggregateBy.distinct in: query required: false schema: type: boolean tags: - - PodService - /v1/policies: + - NamespaceService + /v1/namespaces/{id}: get: - summary: ListPolicies returns the list of policies. - operationId: PolicyService_ListPolicies + operationId: NamespaceService_GetNamespace responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ListPoliciesResponse' + $ref: '#/components/schemas/v1Namespace' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query - in: query - required: false - schema: - type: string - - name: pagination.limit - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.offset - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.sortOption.field - in: query - required: false + - name: id + in: path + required: true schema: type: string - - name: pagination.sortOption.reversed - in: query - required: false - schema: - type: boolean tags: - - PolicyService - post: - summary: PostPolicy creates a new policy. - operationId: PolicyService_PostPolicy + - NamespaceService + /v1/networkbaseline/{deploymentId}/peers: + patch: + operationId: NetworkBaselineService_ModifyBaselineStatusForPeers responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storagePolicy' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: enableStrictValidation - in: query - required: false - schema: - type: boolean + - name: deploymentId + in: path + required: true + schema: + type: string requestBody: - $ref: '#/components/requestBodies/storagePolicy' + content: + application/json: + schema: + $ref: >- + #/components/schemas/NetworkBaselineServiceModifyBaselineStatusForPeersBody + required: true tags: - - PolicyService - /v1/policies/dryrun: + - NetworkBaselineService + /v1/networkbaseline/{deploymentId}/status: post: - summary: DryRunPolicy evaluates the given policy and returns any alerts without creating the policy. 
- operationId: PolicyService_DryRunPolicy + operationId: NetworkBaselineService_GetNetworkBaselineStatusForFlows responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1DryRunResponse' + $ref: '#/components/schemas/v1NetworkBaselineStatusResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: deploymentId + in: path + required: true + schema: + type: string requestBody: - $ref: '#/components/requestBodies/storagePolicy' + content: + application/json: + schema: + $ref: >- + #/components/schemas/NetworkBaselineServiceGetNetworkBaselineStatusForFlowsBody + required: true tags: - - PolicyService - /v1/policies/dryrunjob: - post: - operationId: PolicyService_SubmitDryRunPolicyJob + - NetworkBaselineService + /v1/networkbaseline/{deploymentId}/status/external: + get: + operationId: NetworkBaselineService_GetNetworkBaselineStatusForExternalFlows responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1JobId' + $ref: '#/components/schemas/v1NetworkBaselineExternalStatusResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - $ref: '#/components/requestBodies/storagePolicy' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: deploymentId + in: path + required: true + schema: + type: string + - name: query + in: query + required: false + schema: + type: string + - name: since + in: query + required: false + schema: + type: string + format: date-time + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - PolicyService - /v1/policies/dryrunjob/{jobId}: + - NetworkBaselineService + /v1/networkbaseline/{id}: get: - operationId: PolicyService_QueryDryRunJobStatus + operationId: NetworkBaselineService_GetNetworkBaseline responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1DryRunJobStatusResponse' + $ref: '#/components/schemas/storageNetworkBaseline' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: jobId + - name: id in: path required: true schema: type: string tags: - - PolicyService - delete: - operationId: PolicyService_CancelDryRunJob + - NetworkBaselineService + /v1/networkbaseline/{id}/lock: + patch: + operationId: NetworkBaselineService_LockNetworkBaseline responses: '200': description: A successful response. 
@@ -4367,263 +5058,395 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: jobId + - name: id in: path required: true schema: type: string - tags: - - PolicyService - /v1/policies/export: - post: - summary: ExportPolicies takes a list of policy IDs and returns either the entire list of policies or an error message - operationId: PolicyService_ExportPolicies - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/storageExportPoliciesResponse' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1ExportPoliciesRequest' - required: true - tags: - - PolicyService - /v1/policies/from-search: - post: - operationId: PolicyService_PolicyFromSearch - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1PolicyFromSearchResponse' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1PolicyFromSearchRequest' + $ref: >- + #/components/schemas/NetworkBaselineServiceLockNetworkBaselineBody required: true tags: - - PolicyService - /v1/policies/import: - post: - summary: ImportPolicies accepts a list of Policies and returns a list of the policies which could not be imported - operationId: PolicyService_ImportPolicies + - NetworkBaselineService + /v1/networkbaseline/{id}/unlock: + patch: + operationId: NetworkBaselineService_UnlockNetworkBaseline responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/v1ImportPoliciesResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1ImportPoliciesRequest' + $ref: >- + #/components/schemas/NetworkBaselineServiceUnlockNetworkBaselineBody required: true tags: - - PolicyService - /v1/policies/reassess: - post: - summary: ReassessPolicies reevaluates all the policies. - operationId: PolicyService_ReassessPolicies + - NetworkBaselineService + /v1/networkgraph/cluster/{clusterId}: + get: + operationId: NetworkGraphService_GetNetworkGraph responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1NetworkGraph' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: clusterId + in: path + required: true + schema: + type: string + - name: query + in: query + required: false + schema: + type: string + - name: since + in: query + required: false + schema: + type: string + format: date-time + - name: includePorts + in: query + required: false + schema: + type: boolean + - name: scope.query + in: query + required: false + schema: + type: string + - name: includePolicies + in: query + required: false + schema: + type: boolean tags: - - PolicyService - /v1/policies/{id}: + - NetworkGraphService + /v1/networkgraph/cluster/{clusterId}/externalentities: get: - summary: GetPolicy returns the requested policy by ID. 
- operationId: PolicyService_GetPolicy + operationId: NetworkGraphService_GetExternalNetworkEntities responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storagePolicy' + $ref: '#/components/schemas/v1GetExternalNetworkEntitiesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: clusterId in: path required: true schema: type: string + - name: query + in: query + required: false + schema: + type: string tags: - - PolicyService - delete: - summary: DeletePolicy removes a policy by ID. - operationId: PolicyService_DeletePolicy + - NetworkGraphService + post: + operationId: NetworkGraphService_CreateExternalNetworkEntity responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/storageNetworkEntity' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: clusterId in: path required: true schema: type: string + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/NetworkGraphServiceCreateExternalNetworkEntityBody + required: true tags: - - PolicyService - put: - summary: PutPolicy modifies an existing policy. - operationId: PolicyService_PutPolicy + - NetworkGraphService + /v1/networkgraph/cluster/{clusterId}/externalentities/metadata: + get: + operationId: NetworkGraphService_GetExternalNetworkFlowsMetadata responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1GetExternalNetworkFlowsMetadataResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: clusterId in: path required: true schema: type: string - requestBody: - $ref: '#/components/requestBodies/storagePolicy' - tags: - - PolicyService - patch: - summary: PatchPolicy edits an existing policy. - operationId: PolicyService_PatchPolicy - responses: + - name: query + in: query + required: false + schema: + type: string + - name: since + in: query + required: false + schema: + type: string + format: date-time + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + tags: + - NetworkGraphService + /v1/networkgraph/cluster/{clusterId}/externalentities/{entityId}/flows: + get: + operationId: NetworkGraphService_GetExternalNetworkFlows + responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1GetExternalNetworkFlowsResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: clusterId + in: path + required: true + schema: + type: string + - name: entityId in: path required: true schema: type: string + - name: query + in: query + required: false + schema: + type: string + - name: since + in: query + required: false + schema: + type: string + format: date-time + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + tags: + - NetworkGraphService + /v1/networkgraph/config: + get: + operationId: NetworkGraphService_GetNetworkGraphConfig + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageNetworkGraphConfig' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - NetworkGraphService + put: + operationId: NetworkGraphService_PutNetworkGraphConfig + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageNetworkGraphConfig' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1PatchPolicyRequest' + $ref: '#/components/schemas/v1PutNetworkGraphConfigRequest' required: true tags: - - PolicyService - /v1/policies/{id}/mitrevectors: - get: - summary: GetMitreVectorsForPolicy returns the requested policy by ID. - operationId: PolicyService_GetPolicyMitreVectors + - NetworkGraphService + /v1/networkgraph/externalentities/{id}: + delete: + operationId: NetworkGraphService_DeleteExternalNetworkEntity responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetPolicyMitreVectorsResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path required: true schema: type: string - - name: options.excludePolicy - description: If set to true, policy is excluded from the response. - in: query - required: false - schema: - type: boolean tags: - - PolicyService - /v1/policies/{policyId}/notifiers: + - NetworkGraphService patch: - summary: EnableDisablePolicyNotification enables or disables notifications for a policy by ID. - operationId: PolicyService_EnableDisablePolicyNotification + operationId: NetworkGraphService_PatchExternalNetworkEntity responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/storageNetworkEntity' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: policyId + - name: id in: path required: true schema: 
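Review bot: None of the state-changing operations added in this hunk — `NetworkBaselineService_LockNetworkBaseline`, `NetworkBaselineService_UnlockNetworkBaseline`, `NetworkGraphService_CreateExternalNetworkEntity`, `NetworkGraphService_PutNetworkGraphConfig`, `NetworkGraphService_DeleteExternalNetworkEntity`, `NetworkGraphService_PatchExternalNetworkEntity` — carries a `summary` or a per-operation `security` requirement, so a generated client or rendered reference gives no indication that these mutate network baseline and network graph configuration or which credential they require; the same gap applies to the `/v1/networkpolicies` and `/v1/networkpolicies/allowedpeers/{id}` operations in the next hunk (`@@ -4632,58 +5455,73 @@`). If a document-level `security` block outside this hunk already covers them, the remaining fix is a one-line `summary:` per operation, e.g. `summary: LockNetworkBaseline locks the network baseline with the given id.` (wording to be confirmed against the service definition). The `Service_Method` operationIds and the `googlerpcStatus` error schema suggest this file is emitted by a protobuf/gRPC-gateway generator; if so, the summaries belong in the upstream service definitions rather than as hand edits here, or they will be lost on the next regeneration. The enclosing `paths:` mapping starts and ends outside the hunk.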
@@ -4632,58 +5455,73 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/v1EnableDisablePolicyNotificationRequest' + $ref: >- + #/components/schemas/NetworkGraphServicePatchExternalNetworkEntityBody required: true tags: - - PolicyService - /v1/policyCategories: + - NetworkGraphService + /v1/networkpolicies: get: - summary: GetPolicyCategories returns the policy categories. - operationId: PolicyService_GetPolicyCategories + operationId: NetworkPolicyService_GetNetworkPolicies responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1PolicyCategoriesResponse' + $ref: '#/components/schemas/v1NetworkPoliciesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: clusterId + in: query + required: false + schema: + type: string + - name: deploymentQuery + in: query + required: false + schema: + type: string + - name: namespace + in: query + required: false + schema: + type: string tags: - - PolicyService - /v1/policyCategories/{category}: - delete: - summary: DeletePolicyCategory removes the given policy category. - operationId: PolicyService_DeletePolicyCategory + - NetworkPolicyService + /v1/networkpolicies/allowedpeers/{id}: + get: + operationId: NetworkPolicyService_GetAllowedPeersFromCurrentPolicyForDeployment responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: >- + #/components/schemas/v1GetAllowedPeersFromCurrentPolicyForDeploymentResponse default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: category + - name: id in: path required: true schema: type: string tags: - - PolicyService - /v1/policyCategories/{oldCategory}: - put: - summary: RenamePolicyCategory renames the given policy category. - operationId: PolicyService_RenamePolicyCategory + - NetworkPolicyService + /v1/networkpolicies/apply/deployment/{deploymentId}: + post: + operationId: NetworkPolicyService_ApplyNetworkPolicyYamlForDeployment responses: '200': description: A successful response. @@ -4696,9 +5534,9 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: oldCategory + - name: deploymentId in: path required: true schema: 
@@ -4707,699 +5545,587 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/v1RenamePolicyCategoryRequest' + $ref: >- + #/components/schemas/NetworkPolicyServiceApplyNetworkPolicyYamlForDeploymentBody required: true tags: - - PolicyService - /v1/probeupload/getexisting: + - NetworkPolicyService + /v1/networkpolicies/apply/{clusterId}: post: - operationId: ProbeUploadService_GetExistingProbes + operationId: NetworkPolicyService_ApplyNetworkPolicy responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetExistingProbesResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: clusterId + in: path + required: true + schema: + type: string + requestBody: + $ref: '#/components/requestBodies/storageNetworkPolicyModification' tags: - - ProbeUploadService - /v1/processbaselines: - delete: - summary: '`DeleteProcessBaselines` deletes baselines.' - operationId: ProcessBaselineService_DeleteProcessBaselines + - NetworkPolicyService + /v1/networkpolicies/baselinecomparison/{id}: + get: + operationId: NetworkPolicyService_GetDiffFlowsBetweenPolicyAndBaselineForDeployment responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1DeleteProcessBaselinesResponse' + $ref: '#/components/schemas/v1GetDiffFlowsResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query - in: query - required: false + - name: id + in: path + required: true schema: type: string - - name: confirm - in: query - required: false - schema: - type: boolean tags: - - ProcessBaselineService - put: - summary: |- - `AddToProcessBaselines` adds a list of process - names to each of a list of process baselines. - operationId: ProcessBaselineService_UpdateProcessBaselines + - NetworkPolicyService + /v1/networkpolicies/cluster/{clusterId}: + get: + operationId: NetworkPolicyService_GetNetworkGraph responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1UpdateProcessBaselinesResponse' + $ref: '#/components/schemas/v1NetworkGraph' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1UpdateProcessBaselinesRequest' - required: true - tags: - - ProcessBaselineService - /v1/processbaselines/key: - get: - summary: |- - `GetProcessBaselineById` returns the single - process baseline referenced by the given ID. - operationId: ProcessBaselineService_GetProcessBaseline - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/storageProcessBaseline' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: key.deploymentId - description: |- - The idea is for the keys to be flexible. - Only certain combinations of these will be supported. 
- in: query - required: false + - name: clusterId + in: path + required: true schema: type: string - - name: key.containerName + - name: query in: query required: false schema: type: string - - name: key.clusterId + - name: includePorts + description: >- + If set to true, include port-level information in the network policy + graph. in: query required: false schema: - type: string - - name: key.namespace + type: boolean + - name: scope.query in: query required: false schema: type: string tags: - - ProcessBaselineService - /v1/processbaselines/lock: - put: - summary: |- - `LockProcessBaselines` accepts a list of baseline IDs, locks - those baselines, and returns the updated baseline objects. - operationId: ProcessBaselineService_LockProcessBaselines + - NetworkPolicyService + /v1/networkpolicies/generate/baseline/{deploymentId}: + post: + operationId: NetworkPolicyService_GetBaselineGeneratedNetworkPolicyForDeployment responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1UpdateProcessBaselinesResponse' + $ref: >- + #/components/schemas/v1GetBaselineGeneratedPolicyForDeploymentResponse default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: deploymentId + in: path + required: true + schema: + type: string requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1LockProcessBaselinesRequest' + $ref: >- + #/components/schemas/NetworkPolicyServiceGetBaselineGeneratedNetworkPolicyForDeploymentBody required: true tags: - - ProcessBaselineService - /v1/processes/deployment/{deploymentId}: + - NetworkPolicyService + /v1/networkpolicies/generate/{clusterId}: get: - summary: GetProcessesByDeployment returns the processes executed in the given deployment. 
- operationId: ProcessService_GetProcessesByDeployment + operationId: NetworkPolicyService_GenerateNetworkPolicies responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetProcessesResponse' + $ref: '#/components/schemas/v1GenerateNetworkPoliciesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: deploymentId + - name: clusterId in: path required: true schema: type: string + - name: query + in: query + required: false + schema: + type: string + - name: deleteExisting + description: |2- + - NONE: Do not delete any existing network policies. + - GENERATED_ONLY: Delete any existing *auto-generated* network policies. + - ALL: Delete all existing network policies in the respective namespace. + in: query + required: false + schema: + type: string + enum: + - UNKNOWN + - NONE + - GENERATED_ONLY + - ALL + default: UNKNOWN + - name: networkDataSince + in: query + required: false + schema: + type: string + format: date-time + - name: includePorts + in: query + required: false + schema: + type: boolean tags: - - ProcessService - /v1/processes/deployment/{deploymentId}/grouped: + - NetworkPolicyService + /v1/networkpolicies/graph/epoch: get: - summary: GetGroupedProcessByDeployment returns all the processes executed grouped by deployment. - operationId: ProcessService_GetGroupedProcessByDeployment + operationId: NetworkPolicyService_GetNetworkGraphEpoch responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetGroupedProcessesResponse' + $ref: '#/components/schemas/v1NetworkGraphEpoch' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: deploymentId - in: path - required: true + - name: clusterId + in: query + required: false schema: type: string tags: - - ProcessService - /v1/processes/deployment/{deploymentId}/grouped/container: - get: - summary: GetGroupedProcessByDeploymentAndContainer returns all the processes executed grouped by deployment and container. - operationId: ProcessService_GetGroupedProcessByDeploymentAndContainer + - NetworkPolicyService + /v1/networkpolicies/simulate/{clusterId}: + post: + operationId: NetworkPolicyService_SimulateNetworkGraph responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetGroupedProcessesWithContainerResponse' + $ref: '#/components/schemas/v1SimulateNetworkGraphResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: deploymentId + - name: clusterId in: path required: true schema: type: string + - name: query + in: query + required: false + schema: + type: string + - name: includePorts + description: >- + If set to true, include port-level information in the network policy + graph. 
+ in: query + required: false + schema: + type: boolean + - name: includeNodeDiff + in: query + required: false + schema: + type: boolean + - name: scope.query + in: query + required: false + schema: + type: string + requestBody: + $ref: '#/components/requestBodies/storageNetworkPolicyModification' tags: - - ProcessService - /v1/processwhitelists: - delete: - summary: DeleteProcessWhitelists deletes whitelists - operationId: ProcessWhitelistService_DeleteProcessWhitelists + - NetworkPolicyService + /v1/networkpolicies/simulate/{clusterId}/notify: + post: + operationId: NetworkPolicyService_SendNetworkPolicyYAML responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1DeleteProcessWhitelistsResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query - in: query - required: false + - name: clusterId + in: path + required: true schema: type: string - - name: confirm + - name: notifierIds in: query required: false + explode: true schema: - type: boolean + type: array + items: + type: string + requestBody: + $ref: '#/components/requestBodies/storageNetworkPolicyModification' tags: - - ProcessWhitelistService - put: - summary: AddToProcessWhitelists adds a list of process names to each of a list of process baselines - operationId: ProcessWhitelistService_UpdateProcessWhitelists + - NetworkPolicyService + /v1/networkpolicies/undo/deployment/{id}: + get: + operationId: NetworkPolicyService_GetUndoModificationForDeployment responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1UpdateProcessWhitelistsResponse' + $ref: >- + #/components/schemas/v1GetUndoModificationForDeploymentResponse default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1UpdateProcessWhitelistsRequest' - required: true + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - ProcessWhitelistService - /v1/processwhitelists/key: + - NetworkPolicyService + /v1/networkpolicies/undo/{clusterId}: get: - summary: GetProcessWhitelistById returns the single process whitelist referenced by the given ID. - operationId: ProcessWhitelistService_GetProcessWhitelist + operationId: NetworkPolicyService_GetUndoModification responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageProcessBaseline' + $ref: '#/components/schemas/v1GetUndoModificationResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: key.deploymentId - description: |- - The idea is for the keys to be flexible. - Only certain combinations of these will be supported. - in: query - required: false - schema: - type: string - - name: key.containerName - in: query - required: false - schema: - type: string - - name: key.clusterId - in: query - required: false + - name: clusterId + in: path + required: true schema: type: string - - name: key.namespace - in: query - required: false + tags: + - NetworkPolicyService + /v1/networkpolicies/undobaselinecomparison/{id}: + get: + operationId: NetworkPolicyService_GetDiffFlowsFromUndoModificationForDeployment + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetDiffFlowsResponse' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true schema: type: string tags: - - ProcessWhitelistService - /v1/processwhitelists/lock: - put: - summary: LockProcessWhitelists accepts a list of baseline IDs, locks those baselines, and returns the updated baseline objects - operationId: ProcessWhitelistService_LockProcessWhitelists + - NetworkPolicyService + /v1/networkpolicies/{id}: + get: + operationId: NetworkPolicyService_GetNetworkPolicy responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1UpdateProcessWhitelistsResponse' + $ref: '#/components/schemas/storageNetworkPolicy' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1LockProcessWhitelistsRequest' - required: true + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - ProcessWhitelistService - /v1/rbac/bindings: + - NetworkPolicyService + /v1/export/nodes: get: - operationId: RbacService_ListRoleBindings + operationId: NodeService_ExportNodes responses: '200': - description: A successful response. + description: A successful response.(streaming responses) content: application/json: schema: - $ref: '#/components/schemas/v1ListRoleBindingsResponse' + type: object + properties: + result: + $ref: '#/components/schemas/v1ExportNodeResponse' + error: + $ref: '#/components/schemas/googlerpcStatus' + title: Stream result of v1ExportNodeResponse default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query - in: query - required: false - schema: - type: string - - name: pagination.limit - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.offset + - name: timeout in: query required: false schema: type: integer format: int32 - - name: pagination.sortOption.field + - name: query in: query required: false schema: type: string - - name: pagination.sortOption.reversed - in: query - required: false - schema: - type: boolean tags: - - RbacService - /v1/rbac/bindings/{id}: + - NodeService + /v1/nodes/{clusterId}: get: - operationId: RbacService_GetRoleBinding + operationId: NodeService_ListNodes responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetRoleBindingResponse' + $ref: '#/components/schemas/v1ListNodesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: clusterId in: path required: true schema: type: string tags: - - RbacService - /v1/rbac/roles: - get: - operationId: RbacService_ListRoles - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1ListRolesResponse' - default: - description: An unexpected error response. 
- content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: query - in: query - required: false - schema: - type: string - - name: pagination.limit - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.offset - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.sortOption.field - in: query - required: false - schema: - type: string - - name: pagination.sortOption.reversed - in: query - required: false - schema: - type: boolean - tags: - - RbacService - /v1/rbac/roles/{id}: + - NodeService + /v1/nodes/{clusterId}/{nodeId}: get: - operationId: RbacService_GetRole + operationId: NodeService_GetNode responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetRoleResponse' + $ref: '#/components/schemas/storageNode' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: clusterId in: path required: true schema: type: string - tags: - - RbacService - /v1/rbac/subject/{id}: - get: - summary: |- - Subjects served from this API are Groups and Users only. - Id in this case is the Name field, since for users and groups, that is unique, and subjects do not have IDs. - operationId: RbacService_GetSubject - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1GetSubjectResponse' - default: - description: An unexpected error response. 
- content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id + - name: nodeId in: path required: true schema: type: string tags: - - RbacService - /v1/rbac/subjects: + - NodeService + /v1/notifiers: get: - operationId: RbacService_ListSubjects + summary: GetNotifiers returns all notifier configurations. + operationId: NotifierService_GetNotifiers responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ListSubjectsResponse' + $ref: '#/components/schemas/v1GetNotifiersResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: query - in: query - required: false - schema: - type: string - - name: pagination.limit - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.offset - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.sortOption.field - in: query - required: false - schema: - type: string - - name: pagination.sortOption.reversed - in: query - required: false - schema: - type: boolean + $ref: '#/components/schemas/googlerpcStatus' tags: - - RbacService - /v1/report-configurations-count: - get: - summary: CountReportConfigurations returns the number of report configurations. - operationId: ReportConfigurationService_CountReportConfigurations + - NotifierService + post: + summary: PostNotifier creates a notifier configuration. + operationId: NotifierService_PostNotifier responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1CountReportConfigurationsResponse' + $ref: '#/components/schemas/storageNotifier' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: query - in: query - required: false - schema: - type: string - - name: pagination.limit - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.offset - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.sortOption.field - in: query - required: false - schema: - type: string - - name: pagination.sortOption.reversed - in: query - required: false - schema: - type: boolean + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + $ref: '#/components/requestBodies/storageNotifier' tags: - - ReportConfigurationService - /v1/report/configurations: - get: - operationId: ReportConfigurationService_GetReportConfigurations + - NotifierService + /v1/notifiers/test: + post: + summary: TestNotifier checks if a notifier is correctly configured. + operationId: NotifierService_TestNotifier responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetReportConfigurationsResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: query - in: query - required: false - schema: - type: string - - name: pagination.limit - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.offset - in: query - required: false - schema: - type: integer - format: int32 - - name: pagination.sortOption.field - in: query - required: false - schema: - type: string - - name: pagination.sortOption.reversed - in: query - required: false - schema: - type: boolean + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + $ref: '#/components/requestBodies/storageNotifier' tags: - - ReportConfigurationService + - NotifierService + /v1/notifiers/test/updated: post: - summary: PostReportConfiguration creates a report configuration - operationId: ReportConfigurationService_PostReportConfiguration + summary: >- + TestUpdatedNotifier checks if the given notifier is correctly + configured, with optional stored credential reconciliation. + operationId: NotifierService_TestUpdatedNotifier responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1PostReportConfigurationResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1PostReportConfigurationRequest' + $ref: '#/components/schemas/v1UpdateNotifierRequest' required: true tags: - - ReportConfigurationService - /v1/report/configurations/{id}: + - NotifierService + /v1/notifiers/{id}: get: - operationId: ReportConfigurationService_GetReportConfiguration + summary: GetNotifier returns the notifier configuration given its ID. + operationId: NotifierService_GetNotifier responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/v1GetReportConfigurationResponse' + $ref: '#/components/schemas/storageNotifier' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -5407,10 +6133,10 @@ paths: schema: type: string tags: - - ReportConfigurationService + - NotifierService delete: - summary: DeleteReportConfiguration removes a report configuration given its id - operationId: ReportConfigurationService_DeleteReportConfiguration + summary: DeleteNotifier removes a notifier configuration given its ID. + operationId: NotifierService_DeleteNotifier responses: '200': description: A successful response. @@ -5423,18 +6149,25 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path required: true schema: type: string + - name: force + in: query + required: false + schema: + type: boolean tags: - - ReportConfigurationService + - NotifierService put: - summary: UpdateReportConfiguration updates a report configuration - operationId: ReportConfigurationService_UpdateReportConfiguration + summary: >- + PutNotifier modifies a given notifier, without using stored credential + reconciliation. + operationId: NotifierService_PutNotifier responses: '200': description: A successful response. @@ -5447,7 +6180,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
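Review bot: The new `force` query parameter added to `delete` under `/v1/notifiers/{id}` (hunk `@@ -5423,18 +6149,25 @@`) has no `description`, so a reader of this reference cannot tell which check the flag bypasses or what state is left behind when it is set. A destructive override on an object that other configuration may reference is exactly the parameter whose semantics need spelling out; I would add a `description` under it such as `description: When true, the notifier is removed even if it is still referenced by other configuration`, with the wording confirmed against the server behaviour, which this spec does not show. The document looks generated from protobuf annotations, judging by the `operationId` naming; if so, the comment belongs on the field in the source `.proto` so it survives regeneration rather than being hand-edited here.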
@@ -5458,13 +6191,16 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/v1UpdateReportConfigurationRequest' + $ref: '#/components/schemas/NotifierServicePutNotifierBody' required: true tags: - - ReportConfigurationService - /v1/report/run/{id}: - post: - operationId: ReportService_RunReport + - NotifierService + /v1/notifiers/{notifier.id}: + patch: + summary: >- + UpdateNotifier modifies a given notifier, with optional stored + credential reconciliation. + operationId: NotifierService_UpdateNotifier responses: '200': description: A successful response. 
@@ -5477,319 +6213,456 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: notifier.id in: path required: true schema: type: string - tags: - - ReportService - /v1/computeeffectiveaccessscope: - post: - summary: ComputeEffectiveAccessScope - description: |- - Returns effective access scope based on the rules in the request. Does - not persist anything; not idempotent due to possible changes to clusters - and namespaces. POST is chosen due to potentially large payload. - - There are advantages in both keeping the response slim and detailed. If - only IDs of selected clusters and namespaces are included, response - latency and processing time are lower but the caller shall overlay the - response with its view of the world which is susceptible to consistency - issues. Listing all clusters and namespaces with related metadata is - convenient for the caller but bloat the message with secondary data. - - We let the caller decide what level of detail they would like to have: - - * Minimal, when only roots of included subtrees are listed by their - IDs. Clusters can be either INCLUDED (its namespaces are included but - are not listed) or PARTIAL (at least one namespace is explicitly - included). Namespaces can only be INCLUDED. - - * Standard [default], when all known clusters and namespaces are listed - with their IDs and names. Clusters can be INCLUDED (all its - namespaces are explicitly listed as INCLUDED), PARTIAL (all its - namespaces are explicitly listed, some as INCLUDED and some as - EXCLUDED), and EXCLUDED (all its namespaces are explicitly listed as - EXCLUDED). Namespaces can be either INCLUDED or EXCLUDED. - - * High, when every cluster and namespace is augmented with metadata. - operationId: RoleService_ComputeEffectiveAccessScope - responses: - '200': - description: A successful response. 
- content: - application/json: - schema: - $ref: '#/components/schemas/storageEffectiveAccessScope' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: detail - in: query - required: false - schema: - type: string - enum: - - STANDARD - - MINIMAL - - HIGH - default: STANDARD requestBody: content: application/json: schema: - $ref: '#/components/schemas/ComputeEffectiveAccessScopeRequestPayload' + $ref: '#/components/schemas/NotifierServiceUpdateNotifierBody' required: true tags: - - RoleService - /v1/mypermissions: + - NotifierService + /v1/ping: get: - operationId: RoleService_GetMyPermissions + operationId: PingService_Ping responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetPermissionsResponse' + $ref: '#/components/schemas/v1PongMessage' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' tags: - - RoleService - /v1/permissionsets: + - PingService + /v1/export/pods: get: - operationId: RoleService_ListPermissionSets + operationId: PodService_ExportPods responses: '200': - description: A successful response. + description: A successful response.(streaming responses) content: application/json: schema: - $ref: '#/components/schemas/v1ListPermissionSetsResponse' + type: object + properties: + result: + $ref: '#/components/schemas/v1ExportPodResponse' + error: + $ref: '#/components/schemas/googlerpcStatus' + title: Stream result of v1ExportPodResponse default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: timeout + in: query + required: false + schema: + type: integer + format: int32 + - name: query + in: query + required: false + schema: + type: string tags: - - RoleService - post: - summary: PostPermissionSet - description: PermissionSet.id is disallowed in request and set in response. - operationId: RoleService_PostPermissionSet + - PodService + /v1/pods: + get: + summary: GetPods returns the pods. + operationId: PodService_GetPods responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storagePermissionSet' + $ref: '#/components/schemas/v1PodsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - $ref: '#/components/requestBodies/storagePermissionSet' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - RoleService - /v1/permissionsets/{id}: + - PodService + /v1/policycategories: get: - operationId: RoleService_GetPermissionSet + summary: GetPolicyCategories returns the list of policy categories + operationId: 
PolicyCategoryService_GetPolicyCategories responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storagePermissionSet' + $ref: '#/components/schemas/v1GetPolicyCategoriesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false schema: type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - RoleService - delete: - operationId: RoleService_DeletePermissionSet + - PolicyCategoryService + post: + summary: PostPolicyCategory creates a new policy category + operationId: PolicyCategoryService_PostPolicyCategory responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1PolicyCategory' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1PolicyCategory' + required: true tags: - - RoleService + - PolicyCategoryService put: - operationId: RoleService_PutPermissionSet + summary: RenamePolicyCategory renames the given policy category. + operationId: PolicyCategoryService_RenamePolicyCategory responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1PolicyCategory' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - description: id is generated and cannot be changed. - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' requestBody: - $ref: '#/components/requestBodies/storagePermissionSet' + content: + application/json: + schema: + $ref: '#/components/schemas/v1RenamePolicyCategoryRequest' + required: true tags: - - RoleService - /v1/resources: + - PolicyCategoryService + /v1/policycategories/{id}: get: - operationId: RoleService_GetResources + summary: GetPolicyCategory returns the requested policy category by ID. + operationId: PolicyCategoryService_GetPolicyCategory responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetResourcesResponse' + $ref: '#/components/schemas/v1PolicyCategory' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - RoleService - /v1/roles: - get: - operationId: RoleService_GetRoles + - PolicyCategoryService + delete: + summary: DeletePolicyCategory removes the given policy category. + operationId: PolicyCategoryService_DeletePolicyCategory responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetRolesResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - RoleService - /v1/roles/{id}: + - PolicyCategoryService + /v1/policies: get: - operationId: RoleService_GetRole + summary: ListPolicies returns the list of policies. + operationId: PolicyService_ListPolicies responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageRole' + $ref: '#/components/schemas/v1ListPoliciesResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false schema: type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - RoleService - delete: - operationId: RoleService_DeleteRole + - PolicyService + post: + summary: PostPolicy creates a new policy. + operationId: PolicyService_PostPolicy responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/storagePolicy' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: enableStrictValidation + in: query + required: false schema: - type: string + type: boolean + requestBody: + $ref: '#/components/requestBodies/storagePolicy' tags: - - RoleService - /v1/roles/{name}: + - PolicyService + /v1/policies/dryrun: post: - operationId: RoleService_CreateRole + summary: >- + DryRunPolicy evaluates the given policy and returns any alerts without + creating the policy. + operationId: PolicyService_DryRunPolicy responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1DryRunResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + $ref: '#/components/requestBodies/storagePolicy' + tags: + - PolicyService + /v1/policies/dryrunjob: + post: + operationId: PolicyService_SubmitDryRunPolicyJob + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1JobId' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + $ref: '#/components/requestBodies/storagePolicy' + tags: + - PolicyService + /v1/policies/dryrunjob/{jobId}: + get: + operationId: PolicyService_QueryDryRunJobStatus + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1DryRunJobStatusResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: name + - name: jobId in: path required: true schema: type: string - requestBody: - $ref: '#/components/requestBodies/storageRole' tags: - - RoleService - put: - operationId: RoleService_UpdateRole + - PolicyService + delete: + operationId: PolicyService_CancelDryRunJob responses: '200': description: A successful response. 
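Review bot: The `timeout` query parameter under `/v1/export/pods` → `get` → `parameters` has `type: integer` and no `description`, so the unit and the meaning of `0` or omission are undocumented for what the `'200'` description itself marks as a streaming call. The same gap applies to `enableStrictValidation` on `post` under `/v1/policies` later in this hunk, where a boolean that changes what the server accepts carries no description at all. I would add something like `description: Maximum time to wait for the export to complete; 0 or unset means no limit` on `timeout`, with the unit and default confirmed against the server since the spec does not show them, and a one-line description of what strict validation rejects on the policy flag. The `'200'` description `A successful response.(streaming responses)` is also missing a space before the parenthesis. This document appears generated from protobuf annotations, judging by the `operationId` naming; if so, the descriptions should be added as comments in the source `.proto` rather than patched here.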
@@ -5802,73 +6675,129 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: name - description: '`name` and `description` are provided by the user and can be changed.' + - name: jobId in: path required: true schema: type: string + tags: + - PolicyService + /v1/policies/export: + post: + summary: >- + ExportPolicies takes a list of policy IDs and returns either the entire + list of policies or an error message + operationId: PolicyService_ExportPolicies + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageExportPoliciesResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' requestBody: - $ref: '#/components/requestBodies/storageRole' + content: + application/json: + schema: + $ref: '#/components/schemas/v1ExportPoliciesRequest' + required: true tags: - - RoleService - /v1/simpleaccessscopes: - get: - operationId: RoleService_ListSimpleAccessScopes + - PolicyService + /v1/policies/from-search: + post: + operationId: PolicyService_PolicyFromSearch responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ListSimpleAccessScopesResponse' + $ref: '#/components/schemas/v1PolicyFromSearchResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1PolicyFromSearchRequest' + required: true tags: - - RoleService + - PolicyService + /v1/policies/import: post: - summary: PostSimpleAccessScope - description: SimpleAccessScope.id is disallowed in request and set in response. 
- operationId: RoleService_PostSimpleAccessScope + summary: >- + ImportPolicies accepts a list of Policies and returns a list of the + policies which could not be imported + operationId: PolicyService_ImportPolicies responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageSimpleAccessScope' + $ref: '#/components/schemas/v1ImportPoliciesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: - $ref: '#/components/requestBodies/storageSimpleAccessScope' + content: + application/json: + schema: + $ref: '#/components/schemas/v1ImportPoliciesRequest' + required: true tags: - - RoleService - /v1/simpleaccessscopes/{id}: + - PolicyService + /v1/policies/reassess: + post: + summary: ReassessPolicies reevaluates all the policies. + operationId: PolicyService_ReassessPolicies + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - PolicyService + /v1/policies/{id}: get: - operationId: RoleService_GetSimpleAccessScope + summary: GetPolicy returns the requested policy by ID. + operationId: PolicyService_GetPolicy responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageSimpleAccessScope' + $ref: '#/components/schemas/storagePolicy' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
@@ -5876,9 +6805,10 @@ paths: schema: type: string tags: - - RoleService + - PolicyService delete: - operationId: RoleService_DeleteSimpleAccessScope + summary: DeletePolicy removes a policy by ID. + operationId: PolicyService_DeletePolicy responses: '200': description: A successful response. @@ -5891,7 +6821,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path @@ -5899,9 +6829,10 @@ paths: schema: type: string tags: - - RoleService + - PolicyService put: - operationId: RoleService_PutSimpleAccessScope + summary: PutPolicy modifies an existing policy. + operationId: PolicyService_PutPolicy responses: '200': description: A successful response. 
@@ -5914,421 +6845,313 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id - description: '`id` is generated and cannot be changed.' in: path required: true schema: type: string requestBody: - $ref: '#/components/requestBodies/storageSimpleAccessScope' + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyServicePutPolicyBody' + required: true tags: - - RoleService - /v1/scopedaccessctrl/config: - post: - summary: AddAuthzPluginConfig creates a scoped access control plugin. - operationId: ScopedAccessControlService_AddAuthzPluginConfig + - PolicyService + patch: + summary: PatchPolicy edits an existing policy. + operationId: PolicyService_PatchPolicy responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageAuthzPluginConfig' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: updatePassword - description: When false, use the stored credentials of an existing scoped access control configuration given its ID. - in: query - required: false + - name: id + in: path + required: true schema: - type: boolean + type: string requestBody: - $ref: '#/components/requestBodies/storageAuthzPluginConfig' + content: + application/json: + schema: + $ref: '#/components/schemas/PolicyServicePatchPolicyBody' + required: true tags: - - ScopedAccessControlService - /v1/scopedaccessctrl/config/{config.id}: - put: - summary: UpdateAuthzPluginConfig modifies a scoped access control plugin. - operationId: ScopedAccessControlService_UpdateAuthzPluginConfig + - PolicyService + /v1/policies/{id}/mitrevectors: + get: + summary: GetMitreVectorsForPolicy returns the requested policy by ID. 
+ operationId: PolicyService_GetPolicyMitreVectors responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageAuthzPluginConfig' + $ref: '#/components/schemas/v1GetPolicyMitreVectorsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: config.id + - name: id in: path required: true schema: type: string - - name: updatePassword - description: When false, use the stored credentials of an existing scoped access control configuration given its ID. + - name: options.excludePolicy + description: If set to true, policy is excluded from the response. in: query required: false schema: type: boolean - requestBody: - $ref: '#/components/requestBodies/storageAuthzPluginConfig' tags: - - ScopedAccessControlService + - PolicyService + /v1/policies/{policyId}/notifiers: patch: - summary: UpdateAuthzPluginConfig modifies a scoped access control plugin. - operationId: ScopedAccessControlService_UpdateAuthzPluginConfig2 + summary: >- + EnableDisablePolicyNotification enables or disables notifications for a + policy by ID. + operationId: PolicyService_EnableDisablePolicyNotification responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageAuthzPluginConfig' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: config.id + - name: policyId in: path required: true schema: type: string requestBody: - $ref: '#/components/requestBodies/v1UpsertAuthzPluginConfigRequest' + content: + application/json: + schema: + $ref: >- + #/components/schemas/PolicyServiceEnableDisablePolicyNotificationBody + required: true tags: - - ScopedAccessControlService - /v1/scopedaccessctrl/config/{id}: - delete: - summary: DeleteAuthzPluginConfig removes a scoped access control plugin. - operationId: ScopedAccessControlService_DeleteAuthzPluginConfig + - PolicyService + /v1/policyCategories: + get: + summary: GetPolicyCategories returns the policy categories. + operationId: PolicyService_GetPolicyCategories responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1PolicyCategoriesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - ScopedAccessControlService - /v1/scopedaccessctrl/configs: - get: - summary: GetAuthzPluginConfigs returns all scoped access control plugins. - operationId: ScopedAccessControlService_GetAuthzPluginConfigs + - PolicyService + /v1/probeupload/getexisting: + post: + operationId: ProbeUploadService_GetExistingProbes responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetAuthzPluginConfigsResponse' + $ref: '#/components/schemas/v1GetExistingProbesResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: filesToCheck + in: query + required: false + explode: true + schema: + type: array + items: + type: string tags: - - ScopedAccessControlService - /v1/scopedaccessctrl/test: - post: - summary: DryRunAuthzPluginConfig checks if the given scoped access control plugin is correctly configured. - operationId: ScopedAccessControlService_DryRunAuthzPluginConfig + - ProbeUploadService + /v1/processbaselines: + delete: + summary: '`DeleteProcessBaselines` deletes baselines.' + operationId: ProcessBaselineService_DeleteProcessBaselines responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1DeleteProcessBaselinesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: updatePassword - description: When false, use the stored credentials of an existing scoped access control configuration given its ID. + - name: query + in: query + required: false + schema: + type: string + - name: confirm in: query required: false schema: type: boolean - requestBody: - $ref: '#/components/requestBodies/storageAuthzPluginConfig' tags: - - ScopedAccessControlService - /v1/scopedaccessctrl/test/updated: - post: - summary: DryRunAuthzPluginConfig checks if the given scoped access control plugin is correctly configured. - operationId: ScopedAccessControlService_DryRunAuthzPluginConfig2 + - ProcessBaselineService + put: + summary: |- + `AddToProcessBaselines` adds a list of process + names to each of a list of process baselines. + operationId: ProcessBaselineService_UpdateProcessBaselines responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1UpdateProcessBaselinesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: - $ref: '#/components/requestBodies/v1UpsertAuthzPluginConfigRequest' + content: + application/json: + schema: + $ref: '#/components/schemas/v1UpdateProcessBaselinesRequest' + required: true tags: - - ScopedAccessControlService - /v1/search: + - ProcessBaselineService + /v1/processbaselines/key: get: - operationId: SearchService_Search + summary: |- + `GetProcessBaselineById` returns the single + process baseline referenced by the given ID. + operationId: ProcessBaselineService_GetProcessBaseline responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1SearchResponse' + $ref: '#/components/schemas/storageProcessBaseline' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query + - name: key.deploymentId + description: |- + The idea is for the keys to be flexible. + Only certain combinations of these will be supported. 
in: query required: false schema: type: string - - name: categories + - name: key.containerName in: query required: false - explode: true schema: - type: array - items: - type: string - enum: - - SEARCH_UNSET - - ALERTS - - IMAGES - - IMAGE_COMPONENTS - - IMAGE_VULN_EDGE - - IMAGE_COMPONENT_EDGE - - POLICIES - - DEPLOYMENTS - - ACTIVE_COMPONENT - - PODS - - SECRETS - - PROCESS_INDICATORS - - COMPLIANCE - - CLUSTERS - - NAMESPACES - - NODES - - NODE_VULN_EDGE - - NODE_COMPONENT_EDGE - - COMPLIANCE_STANDARD - - COMPLIANCE_CONTROL_GROUP - - COMPLIANCE_CONTROL - - SERVICE_ACCOUNTS - - ROLES - - ROLEBINDINGS - - REPORT_CONFIGURATIONS - - PROCESS_BASELINES - - SUBJECTS - - RISKS - - VULNERABILITIES - - CLUSTER_VULNERABILITIES - - IMAGE_VULNERABILITIES - - NODE_VULNERABILITIES - - COMPONENT_VULN_EDGE - - CLUSTER_VULN_EDGE - - NETWORK_ENTITY - - VULN_REQUEST - tags: - - SearchService - /v1/search/autocomplete: - get: - operationId: SearchService_Autocomplete - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1AutocompleteResponse' - default: - description: An unexpected error response. 
- content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: query + type: string + - name: key.clusterId in: query required: false schema: type: string - - name: categories + - name: key.namespace in: query required: false - explode: true schema: - type: array - items: - type: string - enum: - - SEARCH_UNSET - - ALERTS - - IMAGES - - IMAGE_COMPONENTS - - IMAGE_VULN_EDGE - - IMAGE_COMPONENT_EDGE - - POLICIES - - DEPLOYMENTS - - ACTIVE_COMPONENT - - PODS - - SECRETS - - PROCESS_INDICATORS - - COMPLIANCE - - CLUSTERS - - NAMESPACES - - NODES - - NODE_VULN_EDGE - - NODE_COMPONENT_EDGE - - COMPLIANCE_STANDARD - - COMPLIANCE_CONTROL_GROUP - - COMPLIANCE_CONTROL - - SERVICE_ACCOUNTS - - ROLES - - ROLEBINDINGS - - REPORT_CONFIGURATIONS - - PROCESS_BASELINES - - SUBJECTS - - RISKS - - VULNERABILITIES - - CLUSTER_VULNERABILITIES - - IMAGE_VULNERABILITIES - - NODE_VULNERABILITIES - - COMPONENT_VULN_EDGE - - CLUSTER_VULN_EDGE - - NETWORK_ENTITY - - VULN_REQUEST + type: string tags: - - SearchService - /v1/search/metadata/options: - get: - operationId: SearchService_Options + - ProcessBaselineService + /v1/processbaselines/lock: + put: + summary: |- + `LockProcessBaselines` accepts a list of baseline IDs, locks + those baselines, and returns the updated baseline objects. + operationId: ProcessBaselineService_LockProcessBaselines responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1SearchOptionsResponse' + $ref: '#/components/schemas/v1UpdateProcessBaselinesResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: categories - in: query - required: false - explode: true - schema: - type: array - items: - type: string - enum: - - SEARCH_UNSET - - ALERTS - - IMAGES - - IMAGE_COMPONENTS - - IMAGE_VULN_EDGE - - IMAGE_COMPONENT_EDGE - - POLICIES - - DEPLOYMENTS - - ACTIVE_COMPONENT - - PODS - - SECRETS - - PROCESS_INDICATORS - - COMPLIANCE - - CLUSTERS - - NAMESPACES - - NODES - - NODE_VULN_EDGE - - NODE_COMPONENT_EDGE - - COMPLIANCE_STANDARD - - COMPLIANCE_CONTROL_GROUP - - COMPLIANCE_CONTROL - - SERVICE_ACCOUNTS - - ROLES - - ROLEBINDINGS - - REPORT_CONFIGURATIONS - - PROCESS_BASELINES - - SUBJECTS - - RISKS - - VULNERABILITIES - - CLUSTER_VULNERABILITIES - - IMAGE_VULNERABILITIES - - NODE_VULNERABILITIES - - COMPONENT_VULN_EDGE - - CLUSTER_VULN_EDGE - - NETWORK_ENTITY - - VULN_REQUEST + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1LockProcessBaselinesRequest' + required: true tags: - - SearchService - /v1/secrets: + - ProcessBaselineService + /v1/listening_endpoints/deployment/{deploymentId}: get: - summary: ListSecrets returns the list of secrets. - operationId: SecretService_ListSecrets + summary: >- + GetListeningEndpoints returns the listening endpoints and the processes + that opened them for a given deployment + operationId: ListeningEndpointsService_GetListeningEndpoints responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ListSecretsResponse' + $ref: '#/components/schemas/v1GetProcessesListeningOnPortsResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query - in: query - required: false + - name: deploymentId + in: path + required: true schema: type: string - name: pagination.limit @@ -6353,50 +7176,41 @@ paths: required: false schema: type: boolean - tags: - - SecretService - /v1/secrets/{id}: - get: - summary: GetSecret returns a secret given its ID. - operationId: SecretService_GetSecret - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/storageSecret' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false schema: type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - SecretService - /v1/secretscount: + - ListeningEndpointsService + /v1/processcount: get: - summary: CountSecrets returns the number of secrets. - operationId: SecretService_CountSecrets + summary: CountProcesses returns the count of processes. + operationId: ProcessService_CountProcesses responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1CountSecretsResponse' + $ref: '#/components/schemas/v1CountProcessesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: query in: query 
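Review bot: The `pagination.sortOption.aggregateBy.aggrFunc` parameter (enum `UNSET`/`COUNT`/`MIN`/`MAX`, `default: UNSET`) and its `.distinct` sibling are pasted verbatim into `/v1/listening_endpoints/deployment/{deploymentId}` and `/v1/processcount` here, and again in the hunks at -6425, -6560, -6585 and -7055; one entry under `components/parameters` referenced with `$ref` would keep the enum and default from drifting between operations. The `pagination.limit` parameter these operations share is declared only as `type: integer, format: int32` with no `minimum`/`maximum`, so a client cannot tell from the spec what page size the server accepts; if the server clamps or rejects large values, say so in a `description` on that parameter. If this file is generated from the protobuf sources (the `Service_Method` operationIds suggest it is), both changes belong in the generator input rather than in this file.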
@@ -6425,113 +7239,122 @@ paths: required: false schema: type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - SecretService - /v1/sensorupgrades/cluster/{id}: - post: - operationId: SensorUpgradeService_TriggerSensorUpgrade + - ProcessService + /v1/processes/deployment/{deploymentId}: + get: + summary: >- + GetProcessesByDeployment returns the processes executed in the given + deployment. + operationId: ProcessService_GetProcessesByDeployment responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1GetProcessesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: deploymentId in: path required: true schema: type: string tags: - - SensorUpgradeService - /v1/sensorupgrades/config: + - ProcessService + /v1/processes/deployment/{deploymentId}/grouped: get: - operationId: SensorUpgradeService_GetSensorUpgradeConfig - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1GetSensorUpgradeConfigResponse' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - SensorUpgradeService - post: - operationId: SensorUpgradeService_UpdateSensorUpgradeConfig + summary: >- + GetGroupedProcessByDeployment returns all the processes executed grouped + by deployment. + operationId: ProcessService_GetGroupedProcessByDeployment responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1GetGroupedProcessesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1UpdateSensorUpgradeConfigRequest' - required: true + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: deploymentId + in: path + required: true + schema: + type: string tags: - - SensorUpgradeService - /v1/sensorupgrades/rotateclustercerts/{id}: - post: - operationId: SensorUpgradeService_TriggerSensorCertRotation + - ProcessService + /v1/processes/deployment/{deploymentId}/grouped/container: + get: + summary: >- + GetGroupedProcessByDeploymentAndContainer returns all the processes + executed grouped by deployment and container. + operationId: ProcessService_GetGroupedProcessByDeploymentAndContainer responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: >- + #/components/schemas/v1GetGroupedProcessesWithContainerResponse default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id + - name: deploymentId in: path required: true schema: type: string tags: - - SensorUpgradeService - /v1/serviceaccounts: + - ProcessService + /v1/rbac/bindings: get: - operationId: ServiceAccountService_ListServiceAccounts + operationId: RbacService_ListRoleBindings responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ListServiceAccountResponse' + $ref: '#/components/schemas/v1ListRoleBindingsResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: query in: query @@ -6560,24 +7383,40 @@ paths: required: false schema: type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - ServiceAccountService - /v1/serviceaccounts/{id}: + - RbacService + /v1/rbac/bindings/{id}: get: - operationId: ServiceAccountService_GetServiceAccount + operationId: RbacService_GetRoleBinding responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetServiceAccountResponse' + $ref: '#/components/schemas/v1GetRoleBindingResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
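Review bot: The new `deploymentId` path parameter on `/v1/processes/deployment/{deploymentId}`, `.../grouped` and `.../grouped/container` is declared as a bare `type: string` with no `description`, so generated clients accept any string; if the value is a deployment UID, adding `format: uuid` plus a one-line description would let them validate it before the call (the UID assumption needs confirming against the server). The `200` schema of the `/grouped/container` operation is written as a folded scalar, `$ref: >-` followed by a line beginning with `#`, which is valid YAML but is easy to misread as a comment and differs from the single-quoted `$ref` used everywhere else in this file; `$ref: '#/components/schemas/v1GetGroupedProcessesWithContainerResponse'` keeps the style consistent even past the line-length limit.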
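Review bot: `RbacService_ListRoleBindings` on `/v1/rbac/bindings` and `RbacService_GetRoleBinding` on `/v1/rbac/bindings/{id}` carry no `summary`, unlike most operations in this file, so rendered documentation shows only the operationId. If this spec is generated from protobuf, a comment on each rpc would surface here; otherwise something like `summary: ListRoleBindings returns the role bindings that match the given query.` and `summary: GetRoleBinding returns the role binding with the given ID.` would do (wording inferred from the operationIds, so adjust to the actual behaviour).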
@@ -6585,426 +7424,637 @@ paths: schema: type: string tags: - - ServiceAccountService - /v1/authorities: + - RbacService + /v1/rbac/roles: get: - summary: GetAuthorities returns the authorities currently in use. - operationId: ServiceIdentityService_GetAuthorities + operationId: RbacService_ListRoles responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Authorities' + $ref: '#/components/schemas/v1ListRolesResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - ServiceIdentityService - /v1/serviceIdentities: + - RbacService + /v1/rbac/roles/{id}: get: - operationId: ServiceIdentityService_GetServiceIdentities - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1ServiceIdentityResponse' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - ServiceIdentityService - post: - summary: |- - CreateServiceIdentity creates a new key pair and certificate. 
- The key and certificate are not retained and can never be retrieved again. - operationId: ServiceIdentityService_CreateServiceIdentity + operationId: RbacService_GetRole responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1CreateServiceIdentityResponse' + $ref: '#/components/schemas/v1GetRoleResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1CreateServiceIdentityRequest' - required: true + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - ServiceIdentityService - /v1/signatureintegrations: + - RbacService + /v1/rbac/subject/{id}: get: - operationId: SignatureIntegrationService_ListSignatureIntegrations - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/v1ListSignatureIntegrationsResponse' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - SignatureIntegrationService - post: - summary: |- - Integration id should not be set. - Returns signature integration with id filled. - operationId: SignatureIntegrationService_PostSignatureIntegration + summary: >- + Subjects served from this API are Groups and Users only. + + Id in this case is the Name field, since for users and groups, that is + unique, and subjects do not have IDs. + operationId: RbacService_GetSubject responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageSignatureIntegration' + $ref: '#/components/schemas/v1GetSubjectResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - $ref: '#/components/requestBodies/storageSignatureIntegration' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - SignatureIntegrationService - /v1/signatureintegrations/{id}: + - RbacService + /v1/rbac/subjects: get: - operationId: SignatureIntegrationService_GetSignatureIntegration + operationId: RbacService_ListSubjects responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageSignatureIntegration' + $ref: '#/components/schemas/v1ListSubjectsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false schema: type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - SignatureIntegrationService - delete: - operationId: SignatureIntegrationService_DeleteSignatureIntegration + - RbacService + /v1/report-configurations-count: + get: + summary: CountReportConfigurations returns the number of report configurations. 
+ operationId: ReportConfigurationService_CountReportConfigurations responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1CountReportConfigurationsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false schema: type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - SignatureIntegrationService - put: - operationId: SignatureIntegrationService_PutSignatureIntegration + - ReportConfigurationService + /v1/report/configurations: + get: + operationId: ReportConfigurationService_GetReportConfigurations responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1Empty' + $ref: '#/components/schemas/v1GetReportConfigurationsResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: query + in: query + required: false schema: type: string - requestBody: - $ref: '#/components/requestBodies/storageSignatureIntegration' + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - SignatureIntegrationService - /v1/summary/counts: - get: - operationId: SummaryService_GetSummaryCounts + - ReportConfigurationService + post: + summary: PostReportConfiguration creates a report configuration + operationId: ReportConfigurationService_PostReportConfiguration responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1SummaryCountsResponse' + $ref: '#/components/schemas/v1PostReportConfigurationResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1PostReportConfigurationRequest' + required: true tags: - - SummaryService - /v1/telemetry/configure: + - ReportConfigurationService + /v1/report/configurations/{id}: get: - operationId: TelemetryService_GetTelemetryConfiguration - responses: - '200': - description: A successful response. - content: - application/json: - schema: - $ref: '#/components/schemas/storageTelemetryConfiguration' - default: - description: An unexpected error response. - content: - application/json: - schema: - $ref: '#/components/schemas/runtimeError' - tags: - - TelemetryService - put: - operationId: TelemetryService_ConfigureTelemetry + operationId: ReportConfigurationService_GetReportConfiguration responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageTelemetryConfiguration' + $ref: '#/components/schemas/v1GetReportConfigurationResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1ConfigureTelemetryRequest' - required: true + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - TelemetryService - /v1/users: - get: - operationId: UserService_GetUsers + - ReportConfigurationService + delete: + summary: DeleteReportConfiguration removes a report configuration given its id + operationId: ReportConfigurationService_DeleteReportConfiguration responses: '200': description: A successful response. 
content: application/json: schema: - $ref: '#/components/schemas/v1GetUsersResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - UserService - /v1/users/{id}: - get: - operationId: UserService_GetUser + - ReportConfigurationService + put: + summary: UpdateReportConfiguration updates a report configuration + operationId: ReportConfigurationService_UpdateReportConfiguration responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/storageUser' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path required: true schema: type: string + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/ReportConfigurationServiceUpdateReportConfigurationBody + required: true tags: - - UserService - /v1/usersattributes: - get: - operationId: UserService_GetUsersAttributes + - ReportConfigurationService + /v1/report/run/{id}: + post: + operationId: ReportService_RunReport responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetUsersAttributesResponse' + $ref: '#/components/schemas/v1Empty' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string tags: - - UserService - /v1/cve/requests: + - ReportService + /v1/collections: get: - summary: ListVulnerabilityRequests returns the list of vulnerability requests. - operationId: VulnerabilityRequestService_ListVulnerabilityRequests + operationId: CollectionService_ListCollections responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ListVulnerabilityRequestsResponse' + $ref: '#/components/schemas/v1ListCollectionsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: query + - name: query.query in: query required: false schema: type: string - - name: pagination.limit + - name: query.pagination.limit in: query required: false schema: type: integer format: int32 - - name: pagination.offset + - name: query.pagination.offset in: query required: false schema: type: integer format: int32 - - name: pagination.sortOption.field + - name: query.pagination.sortOption.field in: query required: false schema: type: string - - name: pagination.sortOption.reversed + - name: query.pagination.sortOption.reversed in: query required: false schema: type: boolean - tags: - - VulnerabilityRequestService - /v1/cve/requests/defer: - post: - summary: DeferVulnerability starts the deferral process for the specified vulnerability. - operationId: VulnerabilityRequestService_DeferVulnerability - responses: - '200': - description: A successful response. 
- content: + - name: query.pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: query.pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + tags: + - CollectionService + post: + operationId: CollectionService_CreateCollection + responses: + '200': + description: A successful response. + content: application/json: schema: - $ref: '#/components/schemas/v1DeferVulnResponse' + $ref: '#/components/schemas/v1CreateCollectionResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1DeferVulnRequest' + $ref: '#/components/schemas/v1CreateCollectionRequest' required: true tags: - - VulnerabilityRequestService - /v1/cve/requests/false-positive: + - CollectionService + /v1/collections/dryrun: post: - summary: FalsePositiveVulnerability starts the process to mark the specified vulnerability as false-positive. - operationId: VulnerabilityRequestService_FalsePositiveVulnerability + operationId: CollectionService_DryRunCollection responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1FalsePositiveVulnResponse' + $ref: '#/components/schemas/v1DryRunCollectionResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1FalsePositiveVulnRequest' + $ref: '#/components/schemas/v1DryRunCollectionRequest' required: true tags: - - VulnerabilityRequestService - /v1/cve/requests/{id}: + - CollectionService + /v1/collections/selectors: get: - summary: GetVulnerabilityRequest returns the requested vulnerability request by ID. - operationId: VulnerabilityRequestService_GetVulnerabilityRequest + operationId: CollectionService_ListCollectionSelectors responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1GetVulnerabilityRequestResponse' + $ref: '#/components/schemas/v1ListCollectionSelectorsResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - CollectionService + /v1/collections/{id}: + get: + operationId: CollectionService_GetCollection + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetCollectionResponse' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path required: true schema: type: string + - name: options.withMatches + in: query + required: false + schema: + type: boolean + - name: options.filterQuery.query + in: query + required: false + schema: + type: string + - name: options.filterQuery.pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: options.filterQuery.pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: options.filterQuery.pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: options.filterQuery.pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: options.filterQuery.pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: options.filterQuery.pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean tags: - - VulnerabilityRequestService + - CollectionService delete: - summary: DeleteVulnerabilityRequest deletes a vulnerability request. - operationId: VulnerabilityRequestService_DeleteVulnerabilityRequest + operationId: CollectionService_DeleteCollection responses: '200': description: A successful response. @@ -7017,7 +8067,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
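Review bot: On `/v1/rbac/subject/{id}` the summary explains that the path value is the subject's name rather than an ID, but the `id` parameter itself has no `description`, which is the field client generators and renderers actually display; adding `description: Name of the user or group; subjects have no separate ID.` next to `in: path` records that at the parameter. The same folded-scalar `$ref: >-` form noted earlier appears again in the `put` on `/v1/report/configurations/{id}` for `ReportConfigurationServiceUpdateReportConfigurationBody`; a single-quoted ref is clearer. Several new summaries in this hunk (`PostReportConfiguration creates a report configuration`, `UpdateReportConfiguration updates a report configuration`, `DeleteReportConfiguration removes a report configuration given its id`) lack the terminal period the other summaries use.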
@@ -7025,26 +8075,22 @@ paths: schema: type: string tags: - - VulnerabilityRequestService - /v1/cve/requests/{id}/approve: - post: - summary: |- - ApproveVulnRequest approve a vulnerability request. If it is an unwatch vulnerability request then the - associated vulnerabilities are not watched in workflows such as policy detection, risk, etc. - operationId: VulnerabilityRequestService_ApproveVulnerabilityRequest + - CollectionService + patch: + operationId: CollectionService_UpdateCollection responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1ApproveVulnRequestResponse' + $ref: '#/components/schemas/v1UpdateCollectionResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path 
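Review bot: The new `patch` operation `CollectionService_UpdateCollection` on `/v1/collections/{id}` has no `summary` or `description`, so consumers of the rendered API reference get only the operationId; the request body and its schema reference sit in the next hunk, so the operation is split across hunks. If the file is generated from protobuf, a comment on the rpc is the right place to fix it; otherwise `summary: UpdateCollection updates the collection with the given ID.` (wording inferred from the operationId) would match the style of the surrounding operations.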
@@ -7055,154 +8101,2029 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/v1ApproveVulnRequest' + $ref: '#/components/schemas/CollectionServiceUpdateCollectionBody' required: true tags: - - VulnerabilityRequestService - /v1/cve/requests/{id}/deny: + - CollectionService + /v1/collectionscount: + get: + operationId: CollectionService_GetCollectionCount + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetCollectionCountResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: query.query + in: query + required: false + schema: + type: string + - name: query.pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: query.pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: query.pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: query.pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: query.pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: query.pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + tags: + - CollectionService + /v1/computeeffectiveaccessscope: post: - summary: DenyVulnRequest denies a vulnerability request. - operationId: VulnerabilityRequestService_DenyVulnerabilityRequest + summary: ComputeEffectiveAccessScope + description: |- + Returns effective access scope based on the rules in the request. Does + not persist anything; not idempotent due to possible changes to clusters + and namespaces. POST is chosen due to potentially large payload. 
+ + There are advantages in both keeping the response slim and detailed. If + only IDs of selected clusters and namespaces are included, response + latency and processing time are lower but the caller shall overlay the + response with its view of the world which is susceptible to consistency + issues. Listing all clusters and namespaces with related metadata is + convenient for the caller but bloat the message with secondary data. + + We let the caller decide what level of detail they would like to have: + + - Minimal, when only roots of included subtrees are listed by their + IDs. Clusters can be either INCLUDED (its namespaces are included but + are not listed) or PARTIAL (at least one namespace is explicitly + included). Namespaces can only be INCLUDED. + + - Standard [default], when all known clusters and namespaces are listed + with their IDs and names. Clusters can be INCLUDED (all its + namespaces are explicitly listed as INCLUDED), PARTIAL (all its + namespaces are explicitly listed, some as INCLUDED and some as + EXCLUDED), and EXCLUDED (all its namespaces are explicitly listed as + EXCLUDED). Namespaces can be either INCLUDED or EXCLUDED. + + - High, when every cluster and namespace is augmented with metadata. + operationId: RoleService_ComputeEffectiveAccessScope responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1DenyVulnRequestResponse' + $ref: '#/components/schemas/storageEffectiveAccessScope' default: description: An unexpected error response. 
content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - - name: id - in: path - required: true + - name: detail + in: query + required: false schema: type: string + enum: + - STANDARD + - MINIMAL + - HIGH + default: STANDARD requestBody: content: application/json: schema: - $ref: '#/components/schemas/v1DenyVulnRequest' + $ref: '#/components/schemas/ComputeEffectiveAccessScopeRequestPayload' required: true tags: - - VulnerabilityRequestService - /v1/cve/requests/{id}/undo: - post: - summary: UndoVulnerabilityRequest undoes a vulnerability request. - operationId: VulnerabilityRequestService_UndoVulnerabilityRequest + - RoleService + /v1/mypermissions: + get: + operationId: RoleService_GetMyPermissions responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1UndoVulnRequestResponse' + $ref: '#/components/schemas/v1GetPermissionsResponse' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' - parameters: - - name: id - in: path - required: true - schema: - type: string + $ref: '#/components/schemas/googlerpcStatus' tags: - - VulnerabilityRequestService - /v1/cve/requests/{id}/update: + - RoleService + /v1/permissionsets: + get: + operationId: RoleService_ListPermissionSets + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ListPermissionSetsResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - RoleService post: - summary: UpdateVulnerabilityRequest updates an existing vulnerability request. Currently only deferral expiration time can be updated. 
- operationId: VulnerabilityRequestService_UpdateVulnerabilityRequest + summary: PostPermissionSet + description: PermissionSet.id is disallowed in request and set in response. + operationId: RoleService_PostPermissionSet responses: '200': description: A successful response. content: application/json: schema: - $ref: '#/components/schemas/v1UpdateVulnRequestResponse' + $ref: '#/components/schemas/storagePermissionSet' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/storagePermissionSet' + description: This encodes a set of permissions for StackRox resources. + required: true + tags: + - RoleService + /v1/permissionsets/{id}: + get: + operationId: RoleService_GetPermissionSet + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storagePermissionSet' default: description: An unexpected error response. content: application/json: schema: - $ref: '#/components/schemas/runtimeError' + $ref: '#/components/schemas/googlerpcStatus' parameters: - name: id in: path required: true schema: type: string - requestBody: - content: - application/json: - schema: - $ref: '#/components/schemas/v1UpdateVulnRequest' - required: true tags: - - VulnerabilityRequestService -servers: - - url: https://staging.demo.stackrox.com -components: - requestBodies: - storageGroup: - content: - application/json: + - RoleService + delete: + operationId: RoleService_DeletePermissionSet + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - RoleService + put: + operationId: RoleService_PutPermissionSet + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + description: id is generated and cannot be changed. + in: path + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RoleServicePutPermissionSetBody' + required: true + tags: + - RoleService + /v1/resources: + get: + operationId: RoleService_GetResources + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetResourcesResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - RoleService + /v1/roles: + get: + operationId: RoleService_GetRoles + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetRolesResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - RoleService + /v1/roles/{id}: + get: + operationId: RoleService_GetRole + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageRole' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - RoleService + delete: + operationId: RoleService_DeleteRole + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - RoleService + /v1/roles/{name}: + post: + operationId: RoleService_CreateRole + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: name + in: path + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/storageRole' + required: true + tags: + - RoleService + put: + operationId: RoleService_UpdateRole + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: name + description: >- + `name` and `description` are provided by the user and can be + changed. 
+ in: path + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RoleServiceUpdateRoleBody' + required: true + tags: + - RoleService + /v1/sac/clusters: + get: + summary: GetClustersForPermissions + description: >- + Returns the list of cluster ID and cluster name pairs that have at least + read allowed + + by the scope of the requesting user for the list of requested + permissions. + + Effective access scopes are only considered for input permissions that + have + + cluster scope or narrower (i.e. global permissions from the input are + ignored). + + + If the input only contains permissions at global level, the output will + be an empty list. + + + If no permission is given in input, all clusters allowed by the + requester scope for + + any permission with cluster scope or narrower will be part of the + response. + operationId: RoleService_GetClustersForPermissions + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetClustersForPermissionsResponse' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + - name: permissions + in: query + required: false + explode: true + schema: + type: array + items: + type: string + tags: + - RoleService + /v1/sac/clusters/{clusterId}/namespaces: + get: + summary: GetNamespacesForClusterAndPermissions + description: >- + Returns the list of namespace ID and namespace name pairs that belong to + the requested + + cluster and for which the user has at least read access granted for the + list of + + requested permissions that have namespace scope or narrower (i.e. global + and cluster + + permissions from the input are ignored). + + + If the input only contains permissions at global or cluster level, the + output will be + + an empty list. + + + If no permission is given in input, all namespaces allowed by the + requester scope for + + any permission with namespace scope or narrower will be part of the + response. + operationId: RoleService_GetNamespacesForClusterAndPermissions + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: >- + #/components/schemas/v1GetNamespacesForClusterAndPermissionsResponse + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: clusterId + in: path + required: true + schema: + type: string + - name: permissions + in: query + required: false + explode: true + schema: + type: array + items: + type: string + tags: + - RoleService + /v1/simpleaccessscopes: + get: + operationId: RoleService_ListSimpleAccessScopes + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ListSimpleAccessScopesResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - RoleService + post: + summary: PostSimpleAccessScope + description: SimpleAccessScope.id is disallowed in request and set in response. + operationId: RoleService_PostSimpleAccessScope + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageSimpleAccessScope' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/storageSimpleAccessScope' + description: >- + Simple access scope is a (simple) selection criteria for scoped + resources. + + It does *not* allow multi-component AND-rules nor set operations on + names. + required: true + tags: + - RoleService + /v1/simpleaccessscopes/{id}: + get: + operationId: RoleService_GetSimpleAccessScope + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageSimpleAccessScope' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - RoleService + delete: + operationId: RoleService_DeleteSimpleAccessScope + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - RoleService + put: + operationId: RoleService_PutSimpleAccessScope + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + description: '`id` is generated and cannot be changed.' + in: path + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/RoleServicePutSimpleAccessScopeBody' + required: true + tags: + - RoleService + /v1/search: + get: + operationId: SearchService_Search + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1SearchResponse' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: query + in: query + required: false + schema: + type: string + - name: categories + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - SEARCH_UNSET + - ALERTS + - IMAGES + - IMAGE_COMPONENTS + - IMAGE_VULN_EDGE + - IMAGE_COMPONENT_EDGE + - POLICIES + - DEPLOYMENTS + - ACTIVE_COMPONENT + - PODS + - SECRETS + - PROCESS_INDICATORS + - COMPLIANCE + - CLUSTERS + - NAMESPACES + - NODES + - NODE_COMPONENTS + - NODE_VULN_EDGE + - NODE_COMPONENT_EDGE + - NODE_COMPONENT_CVE_EDGE + - COMPLIANCE_STANDARD + - COMPLIANCE_CONTROL_GROUP + - COMPLIANCE_CONTROL + - SERVICE_ACCOUNTS + - ROLES + - ROLEBINDINGS + - REPORT_CONFIGURATIONS + - PROCESS_BASELINES + - SUBJECTS + - RISKS + - VULNERABILITIES + - CLUSTER_VULNERABILITIES + - IMAGE_VULNERABILITIES + - NODE_VULNERABILITIES + - COMPONENT_VULN_EDGE + - CLUSTER_VULN_EDGE + - NETWORK_ENTITY + - VULN_REQUEST + - NETWORK_BASELINE + - NETWORK_POLICIES + - PROCESS_BASELINE_RESULTS + - COMPLIANCE_METADATA + - COMPLIANCE_RESULTS + - COMPLIANCE_DOMAIN + - CLUSTER_HEALTH + - POLICY_CATEGORIES + - IMAGE_INTEGRATIONS + - COLLECTIONS + - POLICY_CATEGORY_EDGE + - PROCESS_LISTENING_ON_PORT + - API_TOKEN + - REPORT_METADATA + - REPORT_SNAPSHOT + - COMPLIANCE_INTEGRATIONS + - COMPLIANCE_SCAN_CONFIG + - COMPLIANCE_SCAN + - COMPLIANCE_CHECK_RESULTS + - BLOB + - ADMINISTRATION_EVENTS + - COMPLIANCE_SCAN_CONFIG_STATUS + - ADMINISTRATION_USAGE + - COMPLIANCE_PROFILES + - COMPLIANCE_RULES + - COMPLIANCE_SCAN_SETTING_BINDINGS + - COMPLIANCE_SUITES + - CLOUD_SOURCES + - DISCOVERED_CLUSTERS + - COMPLIANCE_REMEDIATIONS + - COMPLIANCE_BENCHMARKS + - AUTH_PROVIDERS + - COMPLIANCE_REPORT_SNAPSHOT + - IMAGE_COMPONENTS_V2 + - IMAGE_VULNERABILITIES_V2 + tags: + - SearchService + /v1/search/autocomplete: + get: + operationId: SearchService_Autocomplete + responses: + '200': + description: A successful 
response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1AutocompleteResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: query + in: query + required: false + schema: + type: string + - name: categories + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - SEARCH_UNSET + - ALERTS + - IMAGES + - IMAGE_COMPONENTS + - IMAGE_VULN_EDGE + - IMAGE_COMPONENT_EDGE + - POLICIES + - DEPLOYMENTS + - ACTIVE_COMPONENT + - PODS + - SECRETS + - PROCESS_INDICATORS + - COMPLIANCE + - CLUSTERS + - NAMESPACES + - NODES + - NODE_COMPONENTS + - NODE_VULN_EDGE + - NODE_COMPONENT_EDGE + - NODE_COMPONENT_CVE_EDGE + - COMPLIANCE_STANDARD + - COMPLIANCE_CONTROL_GROUP + - COMPLIANCE_CONTROL + - SERVICE_ACCOUNTS + - ROLES + - ROLEBINDINGS + - REPORT_CONFIGURATIONS + - PROCESS_BASELINES + - SUBJECTS + - RISKS + - VULNERABILITIES + - CLUSTER_VULNERABILITIES + - IMAGE_VULNERABILITIES + - NODE_VULNERABILITIES + - COMPONENT_VULN_EDGE + - CLUSTER_VULN_EDGE + - NETWORK_ENTITY + - VULN_REQUEST + - NETWORK_BASELINE + - NETWORK_POLICIES + - PROCESS_BASELINE_RESULTS + - COMPLIANCE_METADATA + - COMPLIANCE_RESULTS + - COMPLIANCE_DOMAIN + - CLUSTER_HEALTH + - POLICY_CATEGORIES + - IMAGE_INTEGRATIONS + - COLLECTIONS + - POLICY_CATEGORY_EDGE + - PROCESS_LISTENING_ON_PORT + - API_TOKEN + - REPORT_METADATA + - REPORT_SNAPSHOT + - COMPLIANCE_INTEGRATIONS + - COMPLIANCE_SCAN_CONFIG + - COMPLIANCE_SCAN + - COMPLIANCE_CHECK_RESULTS + - BLOB + - ADMINISTRATION_EVENTS + - COMPLIANCE_SCAN_CONFIG_STATUS + - ADMINISTRATION_USAGE + - COMPLIANCE_PROFILES + - COMPLIANCE_RULES + - COMPLIANCE_SCAN_SETTING_BINDINGS + - COMPLIANCE_SUITES + - CLOUD_SOURCES + - DISCOVERED_CLUSTERS + - COMPLIANCE_REMEDIATIONS + - COMPLIANCE_BENCHMARKS + - AUTH_PROVIDERS + - COMPLIANCE_REPORT_SNAPSHOT + - IMAGE_COMPONENTS_V2 + - 
IMAGE_VULNERABILITIES_V2 + tags: + - SearchService + /v1/search/metadata/options: + get: + operationId: SearchService_Options + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1SearchOptionsResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: categories + in: query + required: false + explode: true + schema: + type: array + items: + type: string + enum: + - SEARCH_UNSET + - ALERTS + - IMAGES + - IMAGE_COMPONENTS + - IMAGE_VULN_EDGE + - IMAGE_COMPONENT_EDGE + - POLICIES + - DEPLOYMENTS + - ACTIVE_COMPONENT + - PODS + - SECRETS + - PROCESS_INDICATORS + - COMPLIANCE + - CLUSTERS + - NAMESPACES + - NODES + - NODE_COMPONENTS + - NODE_VULN_EDGE + - NODE_COMPONENT_EDGE + - NODE_COMPONENT_CVE_EDGE + - COMPLIANCE_STANDARD + - COMPLIANCE_CONTROL_GROUP + - COMPLIANCE_CONTROL + - SERVICE_ACCOUNTS + - ROLES + - ROLEBINDINGS + - REPORT_CONFIGURATIONS + - PROCESS_BASELINES + - SUBJECTS + - RISKS + - VULNERABILITIES + - CLUSTER_VULNERABILITIES + - IMAGE_VULNERABILITIES + - NODE_VULNERABILITIES + - COMPONENT_VULN_EDGE + - CLUSTER_VULN_EDGE + - NETWORK_ENTITY + - VULN_REQUEST + - NETWORK_BASELINE + - NETWORK_POLICIES + - PROCESS_BASELINE_RESULTS + - COMPLIANCE_METADATA + - COMPLIANCE_RESULTS + - COMPLIANCE_DOMAIN + - CLUSTER_HEALTH + - POLICY_CATEGORIES + - IMAGE_INTEGRATIONS + - COLLECTIONS + - POLICY_CATEGORY_EDGE + - PROCESS_LISTENING_ON_PORT + - API_TOKEN + - REPORT_METADATA + - REPORT_SNAPSHOT + - COMPLIANCE_INTEGRATIONS + - COMPLIANCE_SCAN_CONFIG + - COMPLIANCE_SCAN + - COMPLIANCE_CHECK_RESULTS + - BLOB + - ADMINISTRATION_EVENTS + - COMPLIANCE_SCAN_CONFIG_STATUS + - ADMINISTRATION_USAGE + - COMPLIANCE_PROFILES + - COMPLIANCE_RULES + - COMPLIANCE_SCAN_SETTING_BINDINGS + - COMPLIANCE_SUITES + - CLOUD_SOURCES + - DISCOVERED_CLUSTERS + - COMPLIANCE_REMEDIATIONS + - 
COMPLIANCE_BENCHMARKS + - AUTH_PROVIDERS + - COMPLIANCE_REPORT_SNAPSHOT + - IMAGE_COMPONENTS_V2 + - IMAGE_VULNERABILITIES_V2 + tags: + - SearchService + /v1/secrets: + get: + summary: ListSecrets returns the list of secrets. + operationId: SecretService_ListSecrets + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ListSecretsResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + tags: + - SecretService + /v1/secrets/{id}: + get: + summary: GetSecret returns a secret given its ID. + operationId: SecretService_GetSecret + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageSecret' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - SecretService + /v1/secretscount: + get: + summary: CountSecrets returns the number of secrets. 
+ operationId: SecretService_CountSecrets + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1CountSecretsResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + tags: + - SecretService + /v1/sensorupgrades/cluster/{id}: + post: + operationId: SensorUpgradeService_TriggerSensorUpgrade + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - SensorUpgradeService + /v1/sensorupgrades/config: + get: + operationId: SensorUpgradeService_GetSensorUpgradeConfig + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetSensorUpgradeConfigResponse' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - SensorUpgradeService + post: + operationId: SensorUpgradeService_UpdateSensorUpgradeConfig + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1UpdateSensorUpgradeConfigRequest' + required: true + tags: + - SensorUpgradeService + /v1/sensorupgrades/rotateclustercerts/{id}: + post: + operationId: SensorUpgradeService_TriggerSensorCertRotation + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - SensorUpgradeService + /v1/serviceaccounts: + get: + operationId: ServiceAccountService_ListServiceAccounts + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ListServiceAccountResponse' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false + schema: + type: boolean + tags: + - ServiceAccountService + /v1/serviceaccounts/{id}: + get: + operationId: ServiceAccountService_GetServiceAccount + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetServiceAccountResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - ServiceAccountService + /v1/authorities: + get: + summary: GetAuthorities returns the authorities currently in use. + operationId: ServiceIdentityService_GetAuthorities + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Authorities' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - ServiceIdentityService + /v1/serviceIdentities: + get: + operationId: ServiceIdentityService_GetServiceIdentities + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ServiceIdentityResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - ServiceIdentityService + post: + summary: >- + CreateServiceIdentity creates a new key pair and certificate. + + The key and certificate are not retained and can never be retrieved + again. + operationId: ServiceIdentityService_CreateServiceIdentity + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1CreateServiceIdentityResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1CreateServiceIdentityRequest' + required: true + tags: + - ServiceIdentityService + /v1/signatureintegrations: + get: + operationId: SignatureIntegrationService_ListSignatureIntegrations + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ListSignatureIntegrationsResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - SignatureIntegrationService + post: + summary: |- + Integration id should not be set. + Returns signature integration with id filled. + operationId: SignatureIntegrationService_PostSignatureIntegration + responses: + '200': + description: A successful response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/storageSignatureIntegration' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/storageSignatureIntegration' + required: true + tags: + - SignatureIntegrationService + /v1/signatureintegrations/{id}: + get: + operationId: SignatureIntegrationService_GetSignatureIntegration + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageSignatureIntegration' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - SignatureIntegrationService + delete: + operationId: SignatureIntegrationService_DeleteSignatureIntegration + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - SignatureIntegrationService + put: + operationId: SignatureIntegrationService_PutSignatureIntegration + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/SignatureIntegrationServicePutSignatureIntegrationBody + required: true + tags: + - SignatureIntegrationService + /v1/telemetry/config: + get: + operationId: TelemetryService_GetConfig + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/centralTelemetryConfig' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - TelemetryService + /v1/telemetry/config/reload: + post: + operationId: TelemetryService_PostConfigReload + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - TelemetryService + /v1/telemetry/configure: + get: + operationId: TelemetryService_GetTelemetryConfiguration + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageTelemetryConfiguration' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - TelemetryService + put: + operationId: TelemetryService_ConfigureTelemetry + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageTelemetryConfiguration' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1ConfigureTelemetryRequest' + required: true + tags: + - TelemetryService + /v1/users: + get: + operationId: UserService_GetUsers + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetUsersResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - UserService + /v1/users/{id}: + get: + operationId: UserService_GetUser + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/storageUser' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + tags: + - UserService + /v1/usersattributes: + get: + operationId: UserService_GetUsersAttributes + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetUsersAttributesResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + tags: + - UserService + /v1/cve/requests: + get: + summary: ListVulnerabilityRequests returns the list of vulnerability requests. + operationId: VulnerabilityRequestService_ListVulnerabilityRequests + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ListVulnerabilityRequestsResponse' + default: + description: An unexpected error response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: query + in: query + required: false + schema: + type: string + - name: pagination.limit + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.offset + in: query + required: false + schema: + type: integer + format: int32 + - name: pagination.sortOption.field + in: query + required: false + schema: + type: string + - name: pagination.sortOption.reversed + in: query + required: false + schema: + type: boolean + - name: pagination.sortOption.aggregateBy.aggrFunc + in: query + required: false + schema: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + - name: pagination.sortOption.aggregateBy.distinct + in: query + required: false schema: - $ref: '#/components/schemas/storageGroup' - required: true - v1UpsertAuthzPluginConfigRequest: - content: - application/json: + type: boolean + tags: + - VulnerabilityRequestService + /v1/cve/requests/defer: + post: + summary: >- + DeferVulnerability starts the deferral process for the specified + vulnerability. + operationId: VulnerabilityRequestService_DeferVulnerability + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1DeferVulnResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1DeferVulnRequest' + required: true + tags: + - VulnerabilityRequestService + /v1/cve/requests/false-positive: + post: + summary: >- + FalsePositiveVulnerability starts the process to mark the specified + vulnerability as false-positive. + operationId: VulnerabilityRequestService_FalsePositiveVulnerability + responses: + '200': + description: A successful response. 
+ content: + application/json: + schema: + $ref: '#/components/schemas/v1FalsePositiveVulnResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/v1FalsePositiveVulnRequest' + required: true + tags: + - VulnerabilityRequestService + /v1/cve/requests/{id}: + get: + summary: >- + GetVulnerabilityRequest returns the requested vulnerability request by + ID. + operationId: VulnerabilityRequestService_GetVulnerabilityRequest + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1GetVulnerabilityRequestResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true schema: - $ref: '#/components/schemas/v1UpsertAuthzPluginConfigRequest' - required: true - v1ResourceByID: - content: - application/json: + type: string + tags: + - VulnerabilityRequestService + delete: + summary: DeleteVulnerabilityRequest deletes a vulnerability request. + operationId: VulnerabilityRequestService_DeleteVulnerabilityRequest + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1Empty' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true schema: - $ref: '#/components/schemas/v1ResourceByID' - required: true - storageNetworkPolicyModification: - content: - application/json: + type: string + tags: + - VulnerabilityRequestService + /v1/cve/requests/{id}/approve: + post: + summary: >- + ApproveVulnRequest approve a vulnerability request. 
If it is an unwatch + vulnerability request then the + + associated vulnerabilities are not watched in workflows such as policy + detection, risk, etc. + operationId: VulnerabilityRequestService_ApproveVulnerabilityRequest + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1ApproveVulnRequestResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true schema: - $ref: '#/components/schemas/storageNetworkPolicyModification' - required: true - v1UpdateNotifierRequest: - content: - application/json: + type: string + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/VulnerabilityRequestServiceApproveVulnerabilityRequestBody + required: true + tags: + - VulnerabilityRequestService + /v1/cve/requests/{id}/deny: + post: + summary: DenyVulnRequest denies a vulnerability request. + operationId: VulnerabilityRequestService_DenyVulnerabilityRequest + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1DenyVulnRequestResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true schema: - $ref: '#/components/schemas/v1UpdateNotifierRequest' - required: true - storageAuthzPluginConfig: - content: - application/json: + type: string + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/VulnerabilityRequestServiceDenyVulnerabilityRequestBody + required: true + tags: + - VulnerabilityRequestService + /v1/cve/requests/{id}/undo: + post: + summary: UndoVulnerabilityRequest undoes a vulnerability request. 
+ operationId: VulnerabilityRequestService_UndoVulnerabilityRequest + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1UndoVulnRequestResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true schema: - $ref: '#/components/schemas/storageAuthzPluginConfig' - required: true - storageRole: - content: - application/json: + type: string + tags: + - VulnerabilityRequestService + /v1/cve/requests/{id}/update: + post: + summary: >- + UpdateVulnerabilityRequest updates an existing vulnerability request. + Currently only deferral expiration time can be updated. + operationId: VulnerabilityRequestService_UpdateVulnerabilityRequest + responses: + '200': + description: A successful response. + content: + application/json: + schema: + $ref: '#/components/schemas/v1UpdateVulnRequestResponse' + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: id + in: path + required: true + schema: + type: string + requestBody: + content: + application/json: + schema: + $ref: >- + #/components/schemas/VulnerabilityRequestServiceUpdateVulnerabilityRequestBody + required: true + tags: + - VulnerabilityRequestService + /v1/export/vuln-mgmt/workloads: + get: + summary: >- + Streams vulnerability data upon request. Each entry consists of a + deployment and the associated container images. + description: |- + The response is structured as: + {"result": {"deployment": {...}, "images": [...]}} + ... 
+ {"result": {"deployment": {...}, "images": [...]}} + operationId: VulnMgmtService_VulnMgmtExportWorkloads + responses: + '200': + description: A successful response.(streaming responses) + content: + application/json: + schema: + type: object + properties: + result: + $ref: '#/components/schemas/v1VulnMgmtExportWorkloadsResponse' + error: + $ref: '#/components/schemas/googlerpcStatus' + title: Stream result of v1VulnMgmtExportWorkloadsResponse + default: + description: An unexpected error response. + content: + application/json: + schema: + $ref: '#/components/schemas/googlerpcStatus' + parameters: + - name: timeout + description: Request timeout in seconds. + in: query + required: false + schema: + type: integer + format: int32 + - name: query + description: >- + Query to constrain the deployments for which vulnerability data is + returned. + + The queries contain pairs of `Search Option:Value` separated by `+` + signs. + + For HTTP requests the query should be quoted. For example + + > curl + "$ROX_ENDPOINT/v1/export/vuln-mgmt/workloads?query=Deployment%3Ascanner%2BNamespace%3Astackrox" + + queries vulnerability data for all scanner deployments in the + stackrox namespace. + + See https://docs.openshift.com/acs/operating/search-filter.html for + more information. 
+ in: query + required: false schema: - $ref: '#/components/schemas/storageRole' - required: true - v1UpdateExternalBackupRequest: + type: string + tags: + - VulnMgmtService +tags: + - name: VulnMgmtService +servers: + - url: https://staging.demo.stackrox.com +components: + requestBodies: + storageNetworkPolicyModification: content: application/json: schema: - $ref: '#/components/schemas/v1UpdateExternalBackupRequest' + $ref: '#/components/schemas/storageNetworkPolicyModification' required: true - storageSignatureIntegration: + v1SuppressCVERequest: content: application/json: schema: - $ref: '#/components/schemas/storageSignatureIntegration' + $ref: '#/components/schemas/v1SuppressCVERequest' required: true storageImageIntegration: content: @@ -7210,35 +10131,17 @@ components: schema: $ref: '#/components/schemas/storageImageIntegration' required: true - storageSimpleAccessScope: - content: - application/json: - schema: - $ref: '#/components/schemas/storageSimpleAccessScope' - required: true - storageAuthProvider: - content: - application/json: - schema: - $ref: '#/components/schemas/storageAuthProvider' - required: true storageExternalBackup: content: application/json: schema: $ref: '#/components/schemas/storageExternalBackup' required: true - storageCluster: - content: - application/json: - schema: - $ref: '#/components/schemas/storageCluster' - required: true - v1UpdateImageIntegrationRequest: + v1UnsuppressCVERequest: content: application/json: schema: - $ref: '#/components/schemas/v1UpdateImageIntegrationRequest' + $ref: '#/components/schemas/v1UnsuppressCVERequest' required: true storageNotifier: content: 
@@ -7252,246 +10155,54 @@ components: schema: $ref: '#/components/schemas/storagePolicy' required: true - storagePermissionSet: - content: - application/json: - schema: - $ref: '#/components/schemas/storagePermissionSet' - required: true schemas: - AlertDeploymentContainer: - type: object - properties: - image: - $ref: '#/components/schemas/storageContainerImage' - name: - type: string - AlertEnforcement: - type: object - properties: - action: - $ref: '#/components/schemas/storageEnforcementAction' - message: - type: string - AlertGroupAlertCounts: - type: object - properties: - severity: - $ref: '#/components/schemas/storageSeverity' - count: - type: string - format: int64 - AlertProcessViolation: - type: object - properties: - message: - type: string - processes: - type: array - items: - $ref: '#/components/schemas/storageProcessIndicator' - AlertResource: - type: object - properties: - resourceType: - $ref: '#/components/schemas/AlertResourceResourceType' - name: - type: string - clusterId: - type: string - clusterName: - type: string - namespace: - type: string - namespaceId: - type: string - title: Represents an alert on a kubernetes resource (configmaps, secrets, etc.) - AlertResourceResourceType: - type: string - enum: - - UNKNOWN - - SECRETS - - CONFIGMAPS - default: UNKNOWN - AlertViolation: - type: object - properties: - message: - type: string - keyValueAttrs: - $ref: '#/components/schemas/ViolationKeyValueAttrs' - networkFlowInfo: - $ref: '#/components/schemas/ViolationNetworkFlowInfo' - type: - $ref: '#/components/schemas/AlertViolationType' - time: - type: string - format: date-time - description: |- - Indicates violation time. This field differs from top-level field 'time' which represents last time the alert - occurred in case of multiple occurrences of the policy alert. As of 55.0, this field is set only for kubernetes - event violations, but may not be limited to it in future. 
- AlertViolationType: - type: string - enum: - - GENERIC - - K8S_EVENT - - NETWORK_FLOW - - NETWORK_POLICY - default: GENERIC - ClusterAlertsAlertEvents: - type: object - properties: - severity: - $ref: '#/components/schemas/storageSeverity' - events: - type: array - items: - $ref: '#/components/schemas/v1AlertEvent' - EnvironmentConfigEnvVarSource: - type: string - enum: - - UNSET - - RAW - - SECRET_KEY - - CONFIG_MAP_KEY - - FIELD - - RESOURCE_FIELD - - UNKNOWN - default: UNSET - title: For any update to EnvVarSource, please also update 'ui/src/messages/common.js' - GetAlertTimeseriesResponseClusterAlerts: - type: object - properties: - cluster: - type: string - severities: - type: array - items: - $ref: '#/components/schemas/ClusterAlertsAlertEvents' - GetAlertsCountsRequestRequestGroup: - type: string - enum: - - UNSET - - CATEGORY - - CLUSTER - default: UNSET - GetAlertsCountsResponseAlertGroup: - type: object - properties: - group: - type: string - counts: - type: array - items: - $ref: '#/components/schemas/AlertGroupAlertCounts' - KeyValueAttrsKeyValueAttr: - type: object - properties: - key: - type: string - value: - type: string - ListAlertCommonEntityInfo: - type: object - properties: - clusterName: - type: string - namespace: - type: string - clusterId: - type: string - namespaceId: - type: string - resourceType: - $ref: '#/components/schemas/storageListAlertResourceType' - description: Fields common to all entities that an alert might belong to. 
- ListAlertPolicyDevFields: - type: object - properties: - SORTName: - type: string - ListAlertResourceEntity: - type: object - properties: - name: - type: string - NetworkFlowInfoEntity: + googlerpcStatus: type: object properties: - name: - type: string - entityType: - $ref: '#/components/schemas/storageNetworkEntityInfoType' - deploymentNamespace: - type: string - deploymentType: - type: string - port: + code: type: integer format: int32 - PolicyMitreAttackVectors: - type: object - properties: - tactic: - type: string - techniques: - type: array - items: - type: string - PortConfigExposureLevel: - type: string - enum: - - UNSET - - EXTERNAL - - NODE - - INTERNAL - - HOST - - ROUTE - default: UNSET - ProcessSignalLineageInfo: - type: object - properties: - parentUid: - type: integer - format: int64 - parentExecFilePath: + message: type: string - ViolationKeyValueAttrs: - type: object - properties: - attrs: + details: type: array items: - $ref: '#/components/schemas/KeyValueAttrsKeyValueAttr' - ViolationNetworkFlowInfo: - type: object - properties: - protocol: - $ref: '#/components/schemas/storageL4Protocol' - source: - $ref: '#/components/schemas/NetworkFlowInfoEntity' - destination: - $ref: '#/components/schemas/NetworkFlowInfoEntity' + $ref: '#/components/schemas/protobufAny' protobufAny: type: object properties: - typeUrl: + '@type': type: string - description: |- - A URL/resource name that uniquely identifies the type of the serialized + description: >- + A URL/resource name that uniquely identifies the type of the + serialized + protocol buffer message. This string must contain at least + one "/" character. The last segment of the URL's path must represent + the fully qualified name of the type (as in - `path/google.protobuf.Duration`). The name should be in a canonical form + + `path/google.protobuf.Duration`). The name should be in a canonical + form + (e.g., leading "." is not accepted). 
- In practice, teams usually precompile into the binary all types that they - expect it to use in the context of Any. However, for URLs which use the - scheme `http`, `https`, or no scheme, one can optionally set up a type + + In practice, teams usually precompile into the binary all types that + they + + expect it to use in the context of Any. However, for URLs which use + the + + scheme `http`, `https`, or no scheme, one can optionally set up a + type + server that maps type URLs to message definitions as follows: + * If no scheme is provided, `https` is assumed. + * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the @@ -7501,22 +10212,31 @@ components: breaking changes.) Note: this functionality is not currently available in the official + protobuf release, and it is not used for type URLs beginning with - type.googleapis.com. + + type.googleapis.com. As of May 2023, there are no widely used type + server + + implementations and no plans to implement one. + Schemes other than `http`, `https` (or the empty scheme) might be + used with implementation specific semantics. - value: - type: string - format: byte - description: Must be a valid serialized protocol buffer of the above specified type. - description: |- - `Any` contains an arbitrary serialized protocol buffer message along with a + additionalProperties: {} + description: >- + `Any` contains an arbitrary serialized protocol buffer message along + with a + URL that describes the type of the serialized message. + Protobuf library provides support to pack/unpack Any values in the form + of utility functions or additional generated methods of the Any type. + Example 1: Pack and unpack a message in C++. Foo foo = ...; 
@@ -7535,6 +10255,10 @@ components: if (any.is(Foo.class)) { foo = any.unpack(Foo.class); } + // or ... + if (any.isSameTypeAs(Foo.getDefaultInstance())) { + foo = any.unpack(Foo.getDefaultInstance()); + } Example 3: Pack and unpack a message in Python. @@ -7560,16 +10284,24 @@ components: } The pack methods provided by protobuf library will by default use + 'type.googleapis.com/full.type.name' as the type URL and the unpack + methods only use the fully qualified type name after the last '/' + in the type URL, for example "foo.bar.com/x/y.z" will yield type + name "y.z". JSON + ==== + The JSON representation of an `Any` value uses the regular + representation of the deserialized, embedded message, with an + additional field `@type` which contains the type URL. Example: package google.profile; 
@@ -7585,1471 +10317,2049 @@ components: } If the embedded message type is well-known and has a custom JSON + representation, that representation will be embedded adding a field + `value` which holds the custom JSON in addition to the `@type` + field. Example (for message [google.protobuf.Duration][]): { "@type": "type.googleapis.com/google.protobuf.Duration", "value": "1.212s" } - runtimeError: - type: object - properties: - error: - type: string - code: - type: integer - format: int32 - message: - type: string - details: - type: array - items: - $ref: '#/components/schemas/protobufAny' - storageAlert: + v1AdministrationEvent: type: object properties: id: type: string - policy: - $ref: '#/components/schemas/storagePolicy' - lifecycleStage: - $ref: '#/components/schemas/storageLifecycleStage' - clusterId: - type: string - clusterName: + description: UUID of the event. + type: + $ref: '#/components/schemas/v1AdministrationEventType' + level: + $ref: '#/components/schemas/v1AdministrationEventLevel' + message: type: string - namespace: + description: >- + Message associated with the event. The message may include detailed + information + + for this particular event. + hint: type: string - namespaceId: + description: >- + Hint associated with the event. The hint may include different + information based + + on the type of event. It can include instructions to resolve an + event, or + + informational hints. + domain: type: string - deployment: - $ref: '#/components/schemas/storageAlertDeployment' - image: - $ref: '#/components/schemas/storageContainerImage' + description: >- + Domain associated with the event. An event's domain outlines the + feature domain where + + the event was created from. As an example, this might be "Image + Scanning". + + In case of events that cannot be tied to a specific domain, this + will be "General". 
resource: - $ref: '#/components/schemas/AlertResource' - violations: - type: array - items: - $ref: '#/components/schemas/AlertViolation' - description: For run-time phase alert, a maximum of 40 violations are retained. - processViolation: - $ref: '#/components/schemas/AlertProcessViolation' - enforcement: - $ref: '#/components/schemas/AlertEnforcement' - time: - type: string - format: date-time - firstOccurred: + $ref: '#/components/schemas/v1AdministrationEventResource' + numOccurrences: type: string - format: date-time - resolvedAt: + format: int64 + description: >- + Occurrences associated with the event. When events may occur + multiple times, the + + occurrences track the amount. + lastOccurredAt: type: string format: date-time - description: The time at which the alert was resolved. Only set if ViolationState is RESOLVED. - state: - $ref: '#/components/schemas/storageViolationState' - snoozeTill: + description: Specifies the time when the event has last occurred. + createdAt: type: string format: date-time - tags: - type: array - items: - type: string - storageAlertDeployment: - type: object - properties: - id: - type: string - name: - type: string - type: - type: string - namespace: - type: string - namespaceId: - type: string - labels: - type: object - additionalProperties: - type: string - clusterId: - type: string - clusterName: - type: string - containers: - type: array - items: - $ref: '#/components/schemas/AlertDeploymentContainer' - annotations: - type: object - additionalProperties: - type: string - inactive: - type: boolean - storageBooleanOperator: - type: string - enum: - - OR - - AND - default: OR - storageComparator: + description: Specifies the time when the event has been created. + description: >- + AdministrationEvents are administrative events emitted by Central. They + are used to create + + transparency for users for asynchronous, background tasks. Events are + part of Central's + + system health view. 
+ v1AdministrationEventLevel: type: string enum: - - LESS_THAN - - LESS_THAN_OR_EQUALS - - EQUALS - - GREATER_THAN_OR_EQUALS - - GREATER_THAN - default: LESS_THAN - storageComponent: + - ADMINISTRATION_EVENT_LEVEL_UNKNOWN + - ADMINISTRATION_EVENT_LEVEL_INFO + - ADMINISTRATION_EVENT_LEVEL_SUCCESS + - ADMINISTRATION_EVENT_LEVEL_WARNING + - ADMINISTRATION_EVENT_LEVEL_ERROR + default: ADMINISTRATION_EVENT_LEVEL_UNKNOWN + description: AdministrationEventLevel exposes the different levels of events. + v1AdministrationEventResource: type: object properties: - name: - type: string - version: + type: type: string - storageContainerImage: - type: object - properties: + description: >- + Resource type associated with the event. An event may refer to an + underlying resource + + such as a particular image. In that case, the resource type will be + filled here. id: type: string + description: >- + Resource ID associated with the event. If an event refers to an + underlying resource, + + the resource ID identifies the underlying resource. The resource ID + is not guaranteed + + to be set, depending on the context of the administration event. name: - $ref: '#/components/schemas/storageImageName' - notPullable: - type: boolean - isClusterLocal: - type: boolean - title: 'Next tag: 12' - storageDockerfileLineRuleField: - type: object - properties: - instruction: - type: string - value: type: string - storageEnforcementAction: - type: string - enum: - - UNSET_ENFORCEMENT - - SCALE_TO_ZERO_ENFORCEMENT - - UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT - - KILL_POD_ENFORCEMENT - - FAIL_BUILD_ENFORCEMENT - - FAIL_KUBE_REQUEST_ENFORCEMENT - - FAIL_DEPLOYMENT_CREATE_ENFORCEMENT - - FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT - default: UNSET_ENFORCEMENT - description: |2- - - FAIL_KUBE_REQUEST_ENFORCEMENT: FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. 
- - FAIL_DEPLOYMENT_CREATE_ENFORCEMENT: FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates. - - FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT: FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates. - storageEventSource: + description: >- + Resource name associated with the event. If an event refers to an + underlying resource, + + the resource name identifies the underlying resource. The resource + name is not guaranteed + + to be set, depending on the context of the administration event. + description: >- + Resource holds all information about the resource associated with the + event. + v1AdministrationEventType: type: string enum: - - NOT_APPLICABLE - - DEPLOYMENT_EVENT - - AUDIT_LOG_EVENT - default: NOT_APPLICABLE - storageExclusion: + - ADMINISTRATION_EVENT_TYPE_UNKNOWN + - ADMINISTRATION_EVENT_TYPE_GENERIC + - ADMINISTRATION_EVENT_TYPE_LOG_MESSAGE + default: ADMINISTRATION_EVENT_TYPE_UNKNOWN + description: AdministrationEventType exposes the different types of events. + v1AdministrationEventsFilter: type: object properties: - name: - type: string - deployment: - $ref: '#/components/schemas/storageExclusionDeployment' - image: - $ref: '#/components/schemas/storageExclusionImage' - expiration: + from: type: string format: date-time - storageExclusionDeployment: - type: object - properties: - name: - type: string - scope: - $ref: '#/components/schemas/storageScope' - storageExclusionImage: - type: object - properties: - name: + description: >- + Matches events with last_occurred_at after a specific timestamp, + i.e. the lower boundary. + until: type: string - storageHostMountPolicy: + format: date-time + description: >- + Matches events with last_occurred_at before a specific timestamp, + i.e. the upper boundary. + domain: + type: array + items: + type: string + description: Matches events from a specific domain. 
+ resourceType: + type: array + items: + type: string + description: Matches events associated with a specific resource type. + type: + type: array + items: + $ref: '#/components/schemas/v1AdministrationEventType' + description: Matches events based on their type. + level: + type: array + items: + $ref: '#/components/schemas/v1AdministrationEventLevel' + description: Matches events based on their level. + v1AggregateBy: type: object properties: - readOnly: + aggrFunc: + $ref: '#/components/schemas/v1Aggregation' + distinct: type: boolean - storageImageName: - type: object - properties: - registry: - type: string - remote: - type: string - tag: - type: string - fullName: - type: string - storageImageNamePolicy: + v1Aggregation: + type: string + enum: + - UNSET + - COUNT + - MIN + - MAX + default: UNSET + v1CountAdministrationEventsResponse: type: object properties: - registry: - type: string - remote: - type: string - tag: - type: string - storageKeyValuePolicy: + count: + type: integer + format: int32 + description: The total number of events after filtering and deduplication. 
+ v1GetAdministrationEventResponse: type: object - properties: - key: - type: string - value: - type: string - envVarSource: - $ref: '#/components/schemas/EnvironmentConfigEnvVarSource' - storageL4Protocol: - type: string - enum: - - L4_PROTOCOL_UNKNOWN - - L4_PROTOCOL_TCP - - L4_PROTOCOL_UDP - - L4_PROTOCOL_ICMP - - L4_PROTOCOL_RAW - - L4_PROTOCOL_SCTP - - L4_PROTOCOL_ANY - default: L4_PROTOCOL_UNKNOWN - storageLifecycleStage: - type: string - enum: - - DEPLOY - - BUILD - - RUNTIME - default: DEPLOY - storageListAlert: + properties: + event: + $ref: '#/components/schemas/v1AdministrationEvent' + v1ListAdministrationEventsResponse: type: object properties: - id: - type: string - lifecycleStage: - $ref: '#/components/schemas/storageLifecycleStage' - time: - type: string - format: date-time - policy: - $ref: '#/components/schemas/storageListAlertPolicy' - state: - $ref: '#/components/schemas/storageViolationState' - enforcementCount: + events: + type: array + items: + $ref: '#/components/schemas/v1AdministrationEvent' + v1Pagination: + type: object + properties: + limit: type: integer format: int32 - tags: + offset: + type: integer + format: int32 + sortOption: + $ref: '#/components/schemas/v1SortOption' + sortOptions: type: array items: - type: string - enforcementAction: - $ref: '#/components/schemas/storageEnforcementAction' - commonEntityInfo: - $ref: '#/components/schemas/ListAlertCommonEntityInfo' - deployment: - $ref: '#/components/schemas/storageListAlertDeployment' - resource: - $ref: '#/components/schemas/ListAlertResourceEntity' - storageListAlertDeployment: + $ref: '#/components/schemas/v1SortOption' + description: >- + This field is under development. It is not supported on any REST + APIs. 
+ v1SortOption: type: object properties: - id: - type: string - name: + field: type: string - clusterName: + reversed: + type: boolean + aggregateBy: + $ref: '#/components/schemas/v1AggregateBy' + v1MaxSecuredUnitsUsageResponse: + type: object + properties: + maxNodesAt: type: string - description: This field is deprecated and can be found in CommonEntityInfo. It will be removed from here in a future release. - namespace: + format: date-time + maxNodes: type: string - description: This field is deprecated and can be found in CommonEntityInfo. It will be removed from here in a future release. - clusterId: + format: int64 + maxCpuUnitsAt: type: string - description: This field is deprecated and can be found in CommonEntityInfo. It will be removed from here in a future release. - inactive: - type: boolean - namespaceId: + format: date-time + maxCpuUnits: type: string - description: This field is deprecated and can be found in CommonEntityInfo. It will be removed from here in a future release. - storageListAlertPolicy: + format: int64 + description: >- + MaxSecuredUnitsUsageResponse holds the maximum values of the secured + nodes + + and CPU Units (as reported by Kubernetes) with the time at which these + + values were aggregated, with the aggregation period accuracy (1h). + v1SecuredUnitsUsageResponse: type: object properties: - id: + numNodes: + type: string + format: int64 + numCpuUnits: type: string + format: int64 + description: |- + SecuredUnitsUsageResponse holds the values of the currently observable + administration usage metrics. 
+ AlertDeploymentContainer: + type: object + properties: + image: + $ref: '#/components/schemas/storageContainerImage' name: type: string + AlertEnforcement: + type: object + properties: + action: + $ref: '#/components/schemas/storageEnforcementAction' + message: + type: string + AlertEntityType: + type: string + enum: + - UNSET + - DEPLOYMENT + - CONTAINER_IMAGE + - RESOURCE + default: UNSET + AlertGroupAlertCounts: + type: object + properties: severity: $ref: '#/components/schemas/storageSeverity' - description: + count: type: string - categories: + format: int64 + AlertProcessViolation: + type: object + properties: + message: + type: string + processes: type: array items: - type: string - developerInternalFields: - $ref: '#/components/schemas/ListAlertPolicyDevFields' - storageListAlertResourceType: + $ref: '#/components/schemas/storageProcessIndicator' + AlertResourceResourceType: type: string enum: - - DEPLOYMENT + - UNKNOWN - SECRETS - CONFIGMAPS - default: DEPLOYMENT - title: |- - A special ListAlert-only enumeration of all resource types. 
Unlike Alert.Resource.ResourceType this also includes deployment as a type - This must be kept in sync with Alert.Resource.ResourceType (excluding the deployment value) - storageNetworkEntityInfoType: - type: string - enum: - - UNKNOWN_TYPE - - DEPLOYMENT - - INTERNET - - LISTEN_ENDPOINT - - EXTERNAL_SOURCE - default: UNKNOWN_TYPE - storageNumericalPolicy: - type: object - properties: - op: - $ref: '#/components/schemas/storageComparator' - value: - type: number - format: float - storagePermissionLevel: - type: string - enum: - - UNSET - - NONE - - DEFAULT - - ELEVATED_IN_NAMESPACE - - ELEVATED_CLUSTER_WIDE - - CLUSTER_ADMIN - default: UNSET - title: |- - For any update to PermissionLevel, also update: - - pkg/searchbasedpolicies/builders/k8s_rbac.go - - ui/src/messages/common.js - storagePermissionPolicy: + - CLUSTER_ROLES + - CLUSTER_ROLE_BINDINGS + - NETWORK_POLICIES + - SECURITY_CONTEXT_CONSTRAINTS + - EGRESS_FIREWALLS + default: UNKNOWN + AlertServiceResolveAlertBody: type: object properties: - permissionLevel: - $ref: '#/components/schemas/storagePermissionLevel' - description: K8S RBAC Permission level configuration. 
- storagePolicy: + whitelist: + type: boolean + addToBaseline: + type: boolean + AlertViolation: type: object properties: - id: - type: string - name: - type: string - description: - type: string - rationale: + message: type: string - remediation: + keyValueAttrs: + $ref: '#/components/schemas/ViolationKeyValueAttrs' + networkFlowInfo: + $ref: '#/components/schemas/ViolationNetworkFlowInfo' + type: + $ref: '#/components/schemas/AlertViolationType' + time: type: string - disabled: - type: boolean - categories: - type: array - items: - type: string - fields: - $ref: '#/components/schemas/storagePolicyFields' - lifecycleStages: - type: array - items: - $ref: '#/components/schemas/storageLifecycleStage' - eventSource: - $ref: '#/components/schemas/storageEventSource' - whitelists: - type: array - items: - $ref: '#/components/schemas/storageExclusion' - exclusions: - type: array - items: - $ref: '#/components/schemas/storageExclusion' - scope: - type: array - items: - $ref: '#/components/schemas/storageScope' + format: date-time + description: >- + Indicates violation time. This field differs from top-level field + 'time' which represents last time the alert + + occurred in case of multiple occurrences of the policy alert. As of + 55.0, this field is set only for kubernetes + + event violations, but may not be limited to it in future. + AlertViolationType: + type: string + enum: + - GENERIC + - K8S_EVENT + - NETWORK_FLOW + - NETWORK_POLICY + default: GENERIC + ClusterAlertsAlertEvents: + type: object + properties: severity: $ref: '#/components/schemas/storageSeverity' - enforcementActions: - type: array - items: - $ref: '#/components/schemas/storageEnforcementAction' - description: |- - FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates/updates. - FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. 
- FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates. - notifiers: + events: type: array items: - type: string - lastUpdated: - type: string - format: date-time - SORTName: - type: string - description: For internal use only. - SORTLifecycleStage: - type: string - description: For internal use only. - SORTEnforcement: - type: boolean - description: For internal use only. - policyVersion: + $ref: '#/components/schemas/v1AlertEvent' + GetAlertTimeseriesResponseClusterAlerts: + type: object + properties: + cluster: type: string - policySections: + severities: type: array items: - $ref: '#/components/schemas/storagePolicySection' - mitreAttackVectors: + $ref: '#/components/schemas/ClusterAlertsAlertEvents' + GetAlertsCountsRequestRequestGroup: + type: string + enum: + - UNSET + - CATEGORY + - CLUSTER + default: UNSET + GetAlertsCountsResponseAlertGroup: + type: object + properties: + group: + type: string + counts: type: array items: - $ref: '#/components/schemas/PolicyMitreAttackVectors' - criteriaLocked: - type: boolean - description: Read-only field. If true, the policy's criteria fields are rendered read-only. - mitreVectorsLocked: - type: boolean - description: Read-only field. If true, the policy's MITRE ATT&CK fields are rendered read-only. - isDefault: - type: boolean - description: Read-only field. Indicates the policy is a default policy if true and a custom policy if false. 
- storagePolicyFields: + $ref: '#/components/schemas/AlertGroupAlertCounts' + KeyValueAttrsKeyValueAttr: type: object properties: - imageName: - $ref: '#/components/schemas/storageImageNamePolicy' - imageAgeDays: - type: string - format: int64 - lineRule: - $ref: '#/components/schemas/storageDockerfileLineRuleField' - cvss: - $ref: '#/components/schemas/storageNumericalPolicy' - cve: + key: type: string - component: - $ref: '#/components/schemas/storageComponent' - scanAgeDays: + value: type: string - format: int64 - noScanExists: - type: boolean - env: - $ref: '#/components/schemas/storageKeyValuePolicy' - command: + ListAlertCommonEntityInfo: + type: object + properties: + clusterName: type: string - args: + namespace: type: string - directory: + clusterId: type: string - user: + namespaceId: type: string - volumePolicy: - $ref: '#/components/schemas/storageVolumePolicy' - portPolicy: - $ref: '#/components/schemas/storagePortPolicy' - requiredLabel: - $ref: '#/components/schemas/storageKeyValuePolicy' - requiredAnnotation: - $ref: '#/components/schemas/storageKeyValuePolicy' - disallowedAnnotation: - $ref: '#/components/schemas/storageKeyValuePolicy' - privileged: - type: boolean - dropCapabilities: - type: array - items: - type: string - addCapabilities: - type: array - items: - type: string - containerResourcePolicy: - $ref: '#/components/schemas/storageResourcePolicy' - processPolicy: - $ref: '#/components/schemas/storageProcessPolicy' - readOnlyRootFs: - type: boolean - fixedBy: + resourceType: + $ref: '#/components/schemas/storageListAlertResourceType' + description: Fields common to all entities that an alert might belong to. 
+ ListAlertPolicyDevFields: + type: object + properties: + SORTName: type: string - portExposurePolicy: - $ref: '#/components/schemas/storagePortExposurePolicy' - permissionPolicy: - $ref: '#/components/schemas/storagePermissionPolicy' - hostMountPolicy: - $ref: '#/components/schemas/storageHostMountPolicy' - whitelistEnabled: - type: boolean - requiredImageLabel: - $ref: '#/components/schemas/storageKeyValuePolicy' - disallowedImageLabel: - $ref: '#/components/schemas/storageKeyValuePolicy' - imageSignatureVerifiedBy: - type: string - title: 'Next Available Tag: 29' - storagePolicyGroup: + ListAlertResourceEntity: type: object properties: - fieldName: + name: type: string - booleanOperator: - $ref: '#/components/schemas/storageBooleanOperator' - negate: - type: boolean - values: - type: array - items: - $ref: '#/components/schemas/storagePolicyValue' - storagePolicySection: + NetworkFlowInfoEntity: type: object properties: - sectionName: + name: type: string - policyGroups: + entityType: + $ref: '#/components/schemas/storageNetworkEntityInfoType' + deploymentNamespace: + type: string + deploymentType: + type: string + port: + type: integer + format: int32 + PolicyMitreAttackVectors: + type: object + properties: + tactic: + type: string + techniques: type: array items: - $ref: '#/components/schemas/storagePolicyGroup' - storagePolicyValue: + type: string + ProcessSignalLineageInfo: type: object properties: - value: + parentUid: + type: integer + format: int64 + parentExecFilePath: type: string - storagePortExposurePolicy: + ViolationKeyValueAttrs: type: object properties: - exposureLevels: + attrs: type: array items: - $ref: '#/components/schemas/PortConfigExposureLevel' - storagePortPolicy: + $ref: '#/components/schemas/KeyValueAttrsKeyValueAttr' + ViolationNetworkFlowInfo: type: object properties: - port: - type: integer - format: int32 protocol: - type: string - storageProcessIndicator: + $ref: '#/components/schemas/storageL4Protocol' + source: + $ref: 
'#/components/schemas/NetworkFlowInfoEntity' + destination: + $ref: '#/components/schemas/NetworkFlowInfoEntity' + storageAlert: type: object properties: id: type: string - title: A unique uuid for the Indicator message - deploymentId: - type: string - containerName: + policy: + $ref: '#/components/schemas/storagePolicy' + lifecycleStage: + $ref: '#/components/schemas/storageLifecycleStage' + clusterId: type: string - podId: + clusterName: type: string - title: Pod name - podUid: + namespace: type: string - signal: - $ref: '#/components/schemas/storageProcessSignal' - clusterId: + namespaceId: type: string - namespace: + deployment: + $ref: '#/components/schemas/storageAlertDeployment' + image: + $ref: '#/components/schemas/storageContainerImage' + resource: + $ref: '#/components/schemas/storageAlertResource' + violations: + type: array + items: + $ref: '#/components/schemas/AlertViolation' + description: For run-time phase alert, a maximum of 40 violations are retained. + processViolation: + $ref: '#/components/schemas/AlertProcessViolation' + enforcement: + $ref: '#/components/schemas/AlertEnforcement' + time: type: string - containerStartTime: + format: date-time + firstOccurred: type: string format: date-time - imageId: + resolvedAt: type: string - title: 'Next available tag: 13' - storageProcessPolicy: + format: date-time + description: >- + The time at which the alert was resolved. Only set if ViolationState + is RESOLVED. + state: + $ref: '#/components/schemas/storageViolationState' + platformComponent: + type: boolean + entityType: + $ref: '#/components/schemas/AlertEntityType' + title: 'Next available tag: 24' + storageAlertDeployment: type: object properties: + id: + type: string name: type: string - args: + type: type: string - ancestor: + namespace: type: string - uid: + description: >- + This field has to be duplicated in Alert for scope management and + search. 
+ namespaceId: type: string - storageProcessSignal: + description: >- + This field has to be duplicated in Alert for scope management and + search. + labels: + type: object + additionalProperties: + type: string + clusterId: + type: string + description: >- + This field has to be duplicated in Alert for scope management and + search. + clusterName: + type: string + description: >- + This field has to be duplicated in Alert for scope management and + search. + containers: + type: array + items: + $ref: '#/components/schemas/AlertDeploymentContainer' + annotations: + type: object + additionalProperties: + type: string + inactive: + type: boolean + storageAlertResource: type: object properties: - id: + resourceType: + $ref: '#/components/schemas/AlertResourceResourceType' + name: type: string - description: |- - A unique UUID for identifying the message - We have this here instead of at the top level - because we want to have each message to be - self contained. - containerId: + clusterId: type: string - title: ID of container associated with this process - time: + description: >- + This field has to be duplicated in Alert for scope management and + search. + clusterName: type: string - format: date-time - title: Process creation time - name: + description: >- + This field has to be duplicated in Alert for scope management and + search. + namespace: type: string - title: Process name - args: + description: >- + This field has to be duplicated in Alert for scope management and + search. + namespaceId: type: string - title: Process arguments - execFilePath: + description: >- + This field has to be duplicated in Alert for scope management and + search. + title: >- + Represents an alert on a kubernetes resource other than a deployment + (configmaps, secrets, etc.) 
+ storageBooleanOperator: + type: string + enum: + - OR + - AND + default: OR + storageContainerImage: + type: object + properties: + id: type: string - title: Process executable file path - pid: - type: integer - format: int64 - title: Host process ID - uid: - type: integer - format: int64 - title: Real user ID - gid: - type: integer - format: int64 - title: Real group ID - lineage: - type: array - items: - type: string - title: Process Lineage - scraped: + name: + $ref: '#/components/schemas/storageImageName' + notPullable: type: boolean - title: Signal origin - lineageInfo: - type: array - items: - $ref: '#/components/schemas/ProcessSignalLineageInfo' - title: Process LineageInfo - storageResourcePolicy: + isClusterLocal: + type: boolean + title: 'Next tag: 12' + storageEnforcementAction: + type: string + enum: + - UNSET_ENFORCEMENT + - SCALE_TO_ZERO_ENFORCEMENT + - UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT + - KILL_POD_ENFORCEMENT + - FAIL_BUILD_ENFORCEMENT + - FAIL_KUBE_REQUEST_ENFORCEMENT + - FAIL_DEPLOYMENT_CREATE_ENFORCEMENT + - FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT + default: UNSET_ENFORCEMENT + description: |2- + - FAIL_KUBE_REQUEST_ENFORCEMENT: FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. + - FAIL_DEPLOYMENT_CREATE_ENFORCEMENT: FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates. + - FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT: FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates. 
+ storageEventSource: + type: string + enum: + - NOT_APPLICABLE + - DEPLOYMENT_EVENT + - AUDIT_LOG_EVENT + default: NOT_APPLICABLE + storageExclusion: + type: object + properties: + name: + type: string + deployment: + $ref: '#/components/schemas/storageExclusionDeployment' + image: + $ref: '#/components/schemas/storageExclusionImage' + expiration: + type: string + format: date-time + storageExclusionDeployment: type: object properties: - cpuResourceRequest: - $ref: '#/components/schemas/storageNumericalPolicy' - cpuResourceLimit: - $ref: '#/components/schemas/storageNumericalPolicy' - memoryResourceRequest: - $ref: '#/components/schemas/storageNumericalPolicy' - memoryResourceLimit: - $ref: '#/components/schemas/storageNumericalPolicy' - storageScope: + name: + type: string + scope: + $ref: '#/components/schemas/storageScope' + storageExclusionImage: type: object properties: - cluster: - type: string - namespace: + name: type: string - label: - $ref: '#/components/schemas/storageScopeLabel' - storageScopeLabel: + storageImageName: type: object properties: - key: + registry: type: string - value: + remote: type: string - storageSeverity: + tag: + type: string + fullName: + type: string + storageL4Protocol: type: string enum: - - UNSET_SEVERITY - - LOW_SEVERITY - - MEDIUM_SEVERITY - - HIGH_SEVERITY - - CRITICAL_SEVERITY - default: UNSET_SEVERITY - storageViolationState: + - L4_PROTOCOL_UNKNOWN + - L4_PROTOCOL_TCP + - L4_PROTOCOL_UDP + - L4_PROTOCOL_ICMP + - L4_PROTOCOL_RAW + - L4_PROTOCOL_SCTP + - L4_PROTOCOL_ANY + default: L4_PROTOCOL_UNKNOWN + storageLifecycleStage: type: string enum: - - ACTIVE - - SNOOZED - - RESOLVED - - ATTEMPTED - default: ACTIVE - storageVolumePolicy: + - DEPLOY + - BUILD + - RUNTIME + default: DEPLOY + storageListAlert: type: object properties: - name: - type: string - source: - type: string - destination: - type: string - readOnly: - type: boolean - type: + id: type: string - v1AlertEvent: - type: object - properties: + lifecycleStage: + 
$ref: '#/components/schemas/storageLifecycleStage' time: type: string - format: int64 - type: - $ref: '#/components/schemas/v1Type' - id: - type: string - v1CountAlertsResponse: - type: object - properties: - count: - type: integer - format: int32 - v1DeleteAlertsResponse: - type: object - properties: - numDeleted: - type: integer - format: int64 - dryRun: - type: boolean - v1Empty: - type: object - v1GetAlertTimeseriesResponse: - type: object - properties: - clusters: - type: array - items: - $ref: '#/components/schemas/GetAlertTimeseriesResponseClusterAlerts' - v1GetAlertsCountsResponse: - type: object - properties: - groups: - type: array - items: - $ref: '#/components/schemas/GetAlertsCountsResponseAlertGroup' - v1GetAlertsGroupResponse: - type: object - properties: - alertsByPolicies: - type: array - items: - $ref: '#/components/schemas/v1GetAlertsGroupResponsePolicyGroup' - v1GetAlertsGroupResponsePolicyGroup: - type: object - properties: + format: date-time policy: $ref: '#/components/schemas/storageListAlertPolicy' - numAlerts: - type: string - format: int64 - v1ListAlertsRequest: - type: object - properties: - query: - type: string - pagination: - $ref: '#/components/schemas/v1Pagination' - v1ListAlertsResponse: - type: object - properties: - alerts: - type: array - items: - $ref: '#/components/schemas/storageListAlert' - v1Pagination: - type: object - properties: - limit: - type: integer - format: int32 - offset: + state: + $ref: '#/components/schemas/storageViolationState' + enforcementCount: type: integer format: int32 - sortOption: - $ref: '#/components/schemas/v1SortOption' - v1RawQuery: - type: object - properties: - query: - type: string - pagination: - $ref: '#/components/schemas/v1Pagination' - description: |- - RawQuery represents the search query string. - The format of the query string is ":+:+..." 
- For example: - To search for deployments named "central" and "sensor" in the namespace "stackrox", the query string would be - "Deployment:central,sensor+Namespace:stackrox" - RawQuery is used in ListAPIs to search for a particular object. - v1ResolveAlertRequest: + enforcementAction: + $ref: '#/components/schemas/storageEnforcementAction' + commonEntityInfo: + $ref: '#/components/schemas/ListAlertCommonEntityInfo' + deployment: + $ref: '#/components/schemas/storageListAlertDeployment' + resource: + $ref: '#/components/schemas/ListAlertResourceEntity' + storageListAlertDeployment: type: object properties: id: type: string - whitelist: - type: boolean - addToBaseline: + name: + type: string + clusterName: + type: string + description: >- + This field is deprecated and can be found in CommonEntityInfo. It + will be removed from here in a future release. + + + This field has moved to CommonEntityInfo + namespace: + type: string + description: >- + This field is deprecated and can be found in CommonEntityInfo. It + will be removed from here in a future release. + + + This field has moved to CommonEntityInfo + clusterId: + type: string + description: >- + This field is deprecated and can be found in CommonEntityInfo. It + will be removed from here in a future release. + + + This field has moved to CommonEntityInfo + inactive: type: boolean - v1ResolveAlertsRequest: - type: object - properties: - query: + namespaceId: + type: string + description: >- + This field is deprecated and can be found in CommonEntityInfo. It + will be removed from here in a future release. 
+ + + This field has moved to CommonEntityInfo + deploymentType: type: string - v1SnoozeAlertRequest: + storageListAlertPolicy: type: object properties: id: type: string - snoozeTill: + name: type: string - format: date-time - v1SortOption: - type: object - properties: - field: + severity: + $ref: '#/components/schemas/storageSeverity' + description: type: string - reversed: - type: boolean - v1Type: + categories: + type: array + items: + type: string + developerInternalFields: + $ref: '#/components/schemas/ListAlertPolicyDevFields' + storageListAlertResourceType: type: string enum: - - CREATED - - REMOVED - default: CREATED - storageTokenMetadata: + - DEPLOYMENT + - SECRETS + - CONFIGMAPS + - CLUSTER_ROLES + - CLUSTER_ROLE_BINDINGS + - NETWORK_POLICIES + - SECURITY_CONTEXT_CONSTRAINTS + - EGRESS_FIREWALLS + default: DEPLOYMENT + title: >- + A special ListAlert-only enumeration of all resource types. Unlike + Alert.Resource.ResourceType this also includes deployment as a type + + This must be kept in sync with Alert.Resource.ResourceType (excluding + the deployment value) + storageNetworkEntityInfoType: + type: string + enum: + - UNKNOWN_TYPE + - DEPLOYMENT + - INTERNET + - LISTEN_ENDPOINT + - EXTERNAL_SOURCE + - INTERNAL_ENTITIES + default: UNKNOWN_TYPE + title: >- + - INTERNAL_ENTITIES: INTERNAL_ENTITIES is for grouping all internal + entities under a single network graph node + storagePolicy: type: object properties: id: type: string name: type: string - roles: + description: Name of the policy. Must be unique. + description: + type: string + description: Free-form text description of this policy. + rationale: + type: string + remediation: + type: string + description: Describes how to remediate a violation of this policy. + disabled: + type: boolean + description: >- + Toggles whether or not this policy will be executing and actively + firing alerts. 
+ categories: + type: array + items: + type: string + description: >- + List of categories that this policy falls under. Category names + must already exist in Central. + lifecycleStages: + type: array + items: + $ref: '#/components/schemas/storageLifecycleStage' + description: >- + Describes which policy lifecylce stages this policy applies to. + Choices are DEPLOY, BUILD, and RUNTIME. + eventSource: + $ref: '#/components/schemas/storageEventSource' + exclusions: + type: array + items: + $ref: '#/components/schemas/storageExclusion' + description: >- + Define deployments or images that should be excluded from this + policy. + scope: + type: array + items: + $ref: '#/components/schemas/storageScope' + description: >- + Defines clusters, namespaces, and deployments that should be + included in this policy. No scopes defined includes everything. + severity: + $ref: '#/components/schemas/storageSeverity' + enforcementActions: + type: array + items: + $ref: '#/components/schemas/storageEnforcementAction' + description: >- + FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission + control webhook is configured to enforce on object creates/updates. + + FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control + webhook is enabled to listen on exec and port-forward events. + + FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission + control webhook is configured to enforce on object updates. + + Lists the enforcement actions to take when a violation from this + policy is identified. Possible value are UNSET_ENFORCEMENT, + SCALE_TO_ZERO_ENFORCEMENT, + UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, + FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, + FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, and. + FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT. + notifiers: type: array items: type: string - issuedAt: + description: >- + List of IDs of the notifiers that should be triggered when a + violation from this policy is identified. 
IDs should be in the form + of a UUID and are found through the Central API. + lastUpdated: type: string format: date-time - expiration: + SORTName: type: string - format: date-time - revoked: + description: For internal use only. + SORTLifecycleStage: + type: string + description: For internal use only. + SORTEnforcement: type: boolean - role: + description: For internal use only. + policyVersion: type: string - v1GenerateTokenRequest: + policySections: + type: array + items: + $ref: '#/components/schemas/storagePolicySection' + description: PolicySections define the violation criteria for this policy. + mitreAttackVectors: + type: array + items: + $ref: '#/components/schemas/PolicyMitreAttackVectors' + criteriaLocked: + type: boolean + description: >- + Read-only field. If true, the policy's criteria fields are rendered + read-only. + mitreVectorsLocked: + type: boolean + description: >- + Read-only field. If true, the policy's MITRE ATT&CK fields are + rendered read-only. + isDefault: + type: boolean + description: >- + Read-only field. Indicates the policy is a default policy if true + and a custom policy if false. + source: + $ref: '#/components/schemas/storagePolicySource' + title: 'Next tag: 28' + storagePolicyGroup: type: object properties: - name: - type: string - role: + fieldName: type: string - roles: + description: >- + Defines which field on a deployment or image this PolicyGroup + evaluates. See + https://docs.openshift.com/acs/operating/manage-security-policies.html#policy-criteria_manage-security-policies + for a complete list of possible values. + booleanOperator: + $ref: '#/components/schemas/storageBooleanOperator' + negate: + type: boolean + description: >- + Determines if the evaluation of this PolicyGroup is negated. + Default to false. 
+ values: type: array items: - type: string - v1GenerateTokenResponse: + $ref: '#/components/schemas/storagePolicyValue' + title: List of values for the specified field + storagePolicySection: type: object properties: - token: + sectionName: type: string - metadata: - $ref: '#/components/schemas/storageTokenMetadata' - v1GetAPITokensResponse: - type: object - properties: - tokens: + policyGroups: type: array items: - $ref: '#/components/schemas/storageTokenMetadata' - AvailableProviderTypesResponseAuthProviderType: + $ref: '#/components/schemas/storagePolicyGroup' + description: >- + The set of policies groups that make up this section. Each group + can be considered an individual criterion. + storagePolicySource: + type: string + enum: + - IMPERATIVE + - DECLARATIVE + default: IMPERATIVE + storagePolicyValue: type: object properties: - type: + value: type: string - suggestedAttributes: - type: array - items: - type: string - GetLoginAuthProvidersResponseLoginAuthProvider: + storageProcessIndicator: type: object properties: id: type: string - name: + title: A unique UUID for the Indicator message + deploymentId: type: string - type: + containerName: type: string - loginUrl: + podId: type: string - UserInfoResourceToAccess: - type: object - properties: - resourceToAccess: - type: object - additionalProperties: - $ref: '#/components/schemas/storageAccess' - description: |- - ResourceToAccess represents a collection of permissions. It is wire - compatible with the old format of storage.Role and replaces it in - places where only aggregated permissions are required. 
- storageAccess: - type: string - enum: - - NO_ACCESS - - READ_ACCESS - - READ_WRITE_ACCESS - default: NO_ACCESS - storageAuthProvider: + title: Pod name + podUid: + type: string + signal: + $ref: '#/components/schemas/storageProcessSignal' + clusterId: + type: string + namespace: + type: string + containerStartTime: + type: string + format: date-time + imageId: + type: string + title: 'Next available tag: 13' + storageProcessSignal: type: object properties: id: type: string - name: + description: |- + A unique UUID for identifying the message + We have this here instead of at the top level + because we want to have each message to be + self contained. + containerId: type: string - type: + title: ID of container associated with this process + time: type: string - uiEndpoint: + format: date-time + title: Process creation time + name: type: string - enabled: - type: boolean - config: - type: object - additionalProperties: - type: string - loginUrl: + title: Process name + args: type: string - description: The login URL will be provided by the backend, and may not be specified in a request. - validated: - type: boolean - extraUiEndpoints: + title: Process arguments + execFilePath: + type: string + title: Process executable file path + pid: + type: integer + format: int64 + title: Host process ID + uid: + type: integer + format: int64 + title: Real user ID + gid: + type: integer + format: int64 + title: Real group ID + lineage: type: array items: type: string - description: |- - UI endpoints which to allow in addition to `ui_endpoint`. I.e., if a login request - is coming from any of these, the auth request will use these for the callback URL, - not ui_endpoint. 
- active: + title: Process Lineage + scraped: type: boolean - title: 'Next Tag: 9' - storageServiceIdentity: + title: Signal origin + lineageInfo: + type: array + items: + $ref: '#/components/schemas/ProcessSignalLineageInfo' + title: Process LineageInfo + storageScope: type: object properties: - serial: + cluster: type: string - format: int64 - serialStr: + namespace: type: string - id: + label: + $ref: '#/components/schemas/storageScopeLabel' + storageScopeLabel: + type: object + properties: + key: type: string - type: - $ref: '#/components/schemas/storageServiceType' - initBundleId: + value: type: string - storageServiceType: + storageSeverity: type: string enum: - - UNKNOWN_SERVICE - - SENSOR_SERVICE - - CENTRAL_SERVICE - - REMOTE_SERVICE - - COLLECTOR_SERVICE - - MONITORING_UI_SERVICE - - MONITORING_DB_SERVICE - - MONITORING_CLIENT_SERVICE - - BENCHMARK_SERVICE - - SCANNER_SERVICE - - SCANNER_DB_SERVICE - - ADMISSION_CONTROL_SERVICE - default: UNKNOWN_SERVICE - storageUserInfo: + - UNSET_SEVERITY + - LOW_SEVERITY + - MEDIUM_SEVERITY + - HIGH_SEVERITY + - CRITICAL_SEVERITY + default: UNSET_SEVERITY + storageViolationState: + type: string + enum: + - ACTIVE + - RESOLVED + - ATTEMPTED + default: ACTIVE + v1AlertEvent: type: object properties: - username: + time: type: string - friendlyName: + format: int64 + type: + $ref: '#/components/schemas/v1Type' + id: type: string - permissions: - $ref: '#/components/schemas/UserInfoResourceToAccess' - roles: - type: array - items: - $ref: '#/components/schemas/storageUserInfoRole' - storageUserInfoRole: + v1CountAlertsResponse: type: object properties: - name: - type: string - resourceToAccess: - type: object - additionalProperties: - $ref: '#/components/schemas/storageAccess' - description: |- - Role is wire compatible with the old format of storage.Role and - hence only includes role name and associated permissions. 
- v1AuthStatus: + count: + type: integer + format: int32 + v1DeleteAlertsResponse: + type: object + properties: + numDeleted: + type: integer + format: int64 + dryRun: + type: boolean + v1Empty: + type: object + v1GetAlertTimeseriesResponse: type: object properties: - userId: - type: string - serviceId: - $ref: '#/components/schemas/storageServiceIdentity' - expires: - type: string - format: date-time - refreshUrl: - type: string - authProvider: - $ref: '#/components/schemas/storageAuthProvider' - userInfo: - $ref: '#/components/schemas/storageUserInfo' - userAttributes: + clusters: type: array items: - $ref: '#/components/schemas/v1UserAttribute' - v1AvailableProviderTypesResponse: + $ref: '#/components/schemas/GetAlertTimeseriesResponseClusterAlerts' + v1GetAlertsCountsResponse: type: object properties: - authProviderTypes: + groups: type: array items: - $ref: '#/components/schemas/AvailableProviderTypesResponseAuthProviderType' - v1ExchangeTokenRequest: + $ref: '#/components/schemas/GetAlertsCountsResponseAlertGroup' + v1GetAlertsGroupResponse: type: object properties: - externalToken: - type: string - description: The external authentication token. The server will mask the value of this credential in responses and logs. 
- type: - type: string - state: - type: string - v1ExchangeTokenResponse: + alertsByPolicies: + type: array + items: + $ref: '#/components/schemas/v1GetAlertsGroupResponsePolicyGroup' + v1GetAlertsGroupResponsePolicyGroup: type: object properties: - token: + policy: + $ref: '#/components/schemas/storageListAlertPolicy' + numAlerts: type: string - clientState: + format: int64 + v1ListAlertsRequest: + type: object + properties: + query: type: string - test: - type: boolean - user: - $ref: '#/components/schemas/v1AuthStatus' - v1GetAuthProvidersResponse: + pagination: + $ref: '#/components/schemas/v1Pagination' + v1ListAlertsResponse: type: object properties: - authProviders: + alerts: type: array items: - $ref: '#/components/schemas/storageAuthProvider' - v1GetLoginAuthProvidersResponse: + $ref: '#/components/schemas/storageListAlert' + v1RawQuery: type: object properties: - authProviders: - type: array - items: - $ref: '#/components/schemas/GetLoginAuthProvidersResponseLoginAuthProvider' - v1UpdateAuthProviderRequest: + query: + type: string + pagination: + $ref: '#/components/schemas/v1Pagination' + description: >- + RawQuery represents the search query string. + + The format of the query string is ":+:+..." + + For example: + + To search for deployments named "central" and "sensor" in the namespace + "stackrox", the query string would be + + "Deployment:central,sensor+Namespace:stackrox" + + RawQuery is used in ListAPIs to search for a particular object. 
+ v1ResolveAlertsRequest: + type: object + properties: + query: + type: string + v1Type: + type: string + enum: + - CREATED + - REMOVED + default: CREATED + storageTokenMetadata: type: object properties: id: type: string name: type: string - enabled: + roles: + type: array + items: + type: string + issuedAt: + type: string + format: date-time + expiration: + type: string + format: date-time + revoked: type: boolean - v1UserAttribute: + role: + type: string + title: 'Next available tag: 8' + v1GenerateTokenRequest: type: object properties: - key: + name: type: string - values: + role: + type: string + roles: type: array items: type: string - ScheduleDaysOfMonth: + expiration: + type: string + format: date-time + v1GenerateTokenResponse: type: object properties: - days: - type: array - items: - type: integer - format: int32 - title: 1 for 1st, 2 for 2nd .... 31 for 31st - ScheduleDaysOfWeek: + token: + type: string + metadata: + $ref: '#/components/schemas/storageTokenMetadata' + v1GetAPITokensResponse: type: object properties: - days: + tokens: type: array items: - type: integer - format: int32 - title: Sunday = 0, Monday = 1, .... Saturday = 6 - ScheduleIntervalType: - type: string - enum: - - UNSET - - DAILY - - WEEKLY - - MONTHLY - default: UNSET - ScheduleWeeklyInterval: + $ref: '#/components/schemas/storageTokenMetadata' + v1ListAllowedTokenRolesResponse: type: object properties: - day: - type: integer - format: int32 - storageExternalBackup: + roleNames: + type: array + items: + type: string + AuthMachineToMachineConfigMapping: type: object properties: - id: + key: type: string - name: + description: A key within the identity token's claim value to use. + valueExpression: type: string - type: + description: >- + A regular expression that will be evaluated against values of the + identity token claim + + identified by the specified key. + + This regular expressions is in RE2 format, see more here: + + https://github.com/google/re2/wiki/Syntax. 
+ role: type: string - schedule: - $ref: '#/components/schemas/storageSchedule' - backupsToKeep: - type: integer - format: int32 - s3: - $ref: '#/components/schemas/storageS3Config' - gcs: - $ref: '#/components/schemas/storageGCSConfig' - includeCertificates: - type: boolean - storageGCSConfig: + description: >- + The role which should be issued when the key and value match for a + particular identity token. + description: >- + Mappings map an identity token's claim values to a specific role within + Central. + AuthProviderRequiredAttribute: type: object properties: - bucket: + attributeKey: type: string - serviceAccount: - type: string - description: The service account for the storage integration. The server will mask the value of this credential in responses and logs. - objectPrefix: + attributeValue: type: string - useWorkloadId: - type: boolean - storageS3Config: + description: >- + RequiredAttribute allows to specify a set of attributes which ALL are + required to be returned + + by the auth provider. + + If any attribute is missing within the external claims of the token + issued by Central, the + + authentication request to this IdP is considered failed. + AuthServiceUpdateAuthMachineToMachineConfigBody: + type: object + properties: + config: + type: object + properties: + type: + $ref: '#/components/schemas/v1AuthMachineToMachineConfigType' + tokenExpirationDuration: + type: string + description: >- + Sets the expiration of the token returned from the + ExchangeAuthMachineToMachineToken API call. + + Possible valid time units are: s, m, h. + + The maximum allowed expiration duration is 24h. + + As an example: 2h45m. + + For additional information on the validation of the duration, + see: + + https://pkg.go.dev/time#ParseDuration. 
+ mappings: + type: array + items: + $ref: '#/components/schemas/AuthMachineToMachineConfigMapping' + description: >- + At least one mapping is required to resolve to a valid role for + the access token to be successfully generated. + issuer: + type: string + description: >- + The issuer of the related OIDC provider issuing the ID tokens to + exchange. + + + Must be non-empty string containing URL when type is GENERIC. + + In case of GitHub actions, this must be empty or set to + https://token.actions.githubusercontent.com. + + + Issuer is a unique key, therefore there may be at most one + GITHUB_ACTIONS config, and each + + GENERIC config must have a distinct issuer. + description: >- + AuthMachineToMachineConfig determines rules for exchanging an + identity token from a third party with + + a Central access token. The M2M stands for machine to machine, as + this is the intended use-case + + for the config. + TraitsMutabilityMode: + type: string + enum: + - ALLOW_MUTATE + - ALLOW_MUTATE_FORCED + default: ALLOW_MUTATE + description: >- + EXPERIMENTAL. + + NOTE: Please refer from using MutabilityMode for the time being. It will + be replaced in the future (ROX-14276). + + MutabilityMode specifies whether and how an object can be modified. + Default + + is ALLOW_MUTATE and means there are no modification restrictions; this + is equivalent + + to the absence of MutabilityMode specification. ALLOW_MUTATE_FORCED + forbids all + + modifying operations except object removal with force bit on. + + + Be careful when changing the state of this field. For example, modifying + an + + object from ALLOW_MUTATE to ALLOW_MUTATE_FORCED is allowed but will + prohibit any further + + changes to it, including modifying it back to ALLOW_MUTATE. + TraitsOrigin: + type: string + enum: + - IMPERATIVE + - DEFAULT + - DECLARATIVE + - DECLARATIVE_ORPHANED + default: IMPERATIVE + description: >- + Origin specifies the origin of an object. 
+ + Objects can have four different origins: + + - IMPERATIVE: the object was created via the API. This is assumed by + default. + + - DEFAULT: the object is a default object, such as default roles, access + scopes etc. + + - DECLARATIVE: the object is created via declarative configuration. + + - DECLARATIVE_ORPHANED: the object is created via declarative + configuration and then unsuccessfully deleted(for example, because it is + referenced by another object) + + Based on the origin, different rules apply to the objects. + + Objects with the DECLARATIVE origin are not allowed to be modified via + API, only via declarative configuration. + + Additionally, they may not reference objects with the IMPERATIVE origin. + + Objects with the DEFAULT origin are not allowed to be modified via + either API or declarative configuration. + + They may be referenced by all other objects. + + Objects with the IMPERATIVE origin are allowed to be modified via API, + not via declarative configuration. + + They may reference all other objects. + + Objects with the DECLARATIVE_ORPHANED origin are not allowed to be + modified via either API or declarative configuration. + + DECLARATIVE_ORPHANED resource can become DECLARATIVE again if it is + redefined in declarative configuration. + + Objects with this origin will be cleaned up from the system immediately + after they are not referenced by other resources anymore. + + They may be referenced by all other objects. + TraitsVisibility: + type: string + enum: + - VISIBLE + - HIDDEN + default: VISIBLE + description: >- + EXPERIMENTAL. + + visibility allows to specify whether the object should be visible for + certain APIs. + UserInfoResourceToAccess: + type: object + properties: + resourceToAccess: + type: object + additionalProperties: + $ref: '#/components/schemas/storageAccess' + description: |- + ResourceToAccess represents a collection of permissions. 
It is wire + compatible with the old format of storage.Role and replaces it in + places where only aggregated permissions are required. + storageAccess: + type: string + enum: + - NO_ACCESS + - READ_ACCESS + - READ_WRITE_ACCESS + default: NO_ACCESS + storageAuthProvider: type: object properties: - bucket: - type: string - useIam: - type: boolean - accessKeyId: + id: type: string - description: The access key ID for the storage integration. The server will mask the value of this credential in responses and logs. - secretAccessKey: + name: type: string - description: The secret access key for the storage integration. The server will mask the value of this credential in responses and logs. - region: + type: type: string - objectPrefix: + uiEndpoint: type: string - endpoint: + enabled: + type: boolean + config: + type: object + additionalProperties: + type: string + description: >- + Config holds auth provider specific configuration. Each + configuration options + + are different based on the given auth provider type. + + OIDC: + + - "issuer": the OIDC issuer according to + https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. + + - "client_id": the client ID according to + https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. + + - "client_secret": the client secret according to + https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. + + - "do_not_use_client_secret": set to "true" if you want to create a + configuration with only + a client ID and no client secret. + - "mode": the OIDC callback mode, choosing from "fragment", "post", + or "query". + + - "disable_offline_access_scope": set to "true" if no offline tokens + shall be issued. + + - "extra_scopes": a space-delimited string of additional scopes to + request in addition to "openid profile email" + according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. + + OpenShift Auth: supports no extra configuration options. 
+ + + User PKI: + + - "keys": the trusted certificates PEM encoded. + + + SAML: + + - "sp_issuer": the service provider issuer according to + https://datatracker.ietf.org/doc/html/rfc7522#section-3. + + - "idp_metadata_url": the metadata URL according to + https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. + + - "idp_issuer": the IdP issuer. + + - "idp_cert_pem": the cert PEM encoded for the IdP endpoint. + + - "idp_sso_url": the IdP SSO URL. + + - "idp_nameid_format": the IdP name ID format. + + + IAP: + + - "audience": the audience to use. + loginUrl: type: string - storageSchedule: - type: object - properties: - intervalType: - $ref: '#/components/schemas/ScheduleIntervalType' - hour: - type: integer - format: int32 - minute: - type: integer - format: int32 - weekly: - $ref: '#/components/schemas/ScheduleWeeklyInterval' - daysOfWeek: - $ref: '#/components/schemas/ScheduleDaysOfWeek' - daysOfMonth: - $ref: '#/components/schemas/ScheduleDaysOfMonth' - v1GetExternalBackupsResponse: - type: object - properties: - externalBackups: + description: >- + The login URL will be provided by the backend, and may not be + specified in a request. + validated: + type: boolean + extraUiEndpoints: type: array items: - $ref: '#/components/schemas/storageExternalBackup' - v1UpdateExternalBackupRequest: - type: object - properties: - externalBackup: - $ref: '#/components/schemas/storageExternalBackup' - updatePassword: + type: string + description: >- + UI endpoints which to allow in addition to `ui_endpoint`. I.e., if a + login request + + is coming from any of these, the auth request will use these for the + callback URL, + + not ui_endpoint. + active: type: boolean - description: When false, use the stored credentials of an existing external backup configuration given its ID. 
- v1CentralUpgradeStatus: + requiredAttributes: + type: array + items: + $ref: '#/components/schemas/AuthProviderRequiredAttribute' + traits: + $ref: '#/components/schemas/storageTraits' + claimMappings: + type: object + additionalProperties: + type: string + description: >- + Specifies claims from IdP token that will be copied to Rox token + attributes. + + + Each key in this map contains a path in IdP token we want to map. + Path is separated by "." symbol. + + For example, if IdP token payload looks like: + + + + { + + "a": { + + "b" : "c", + + "d": true, + + "e": [ "val1", "val2", "val3" ], + + "f": [ true, false, false ], + + "g": 123.0, + + "h": [ 1, 2, 3] + + } + + } + + + + then "a.b" would be a valid key and "a.z" is not. + + + We support the following types of claims: + + * string(path "a.b") + + * bool(path "a.d") + + * string array(path "a.e") + + * bool array (path "a.f.") + + + We do NOT support the following types of claims: + + * complex claims(path "a") + + * float/integer claims(path "a.g") + + * float/integer array claims(path "a.h") + + + Each value in this map contains a Rox token attribute name we want + to add claim to. + + If, for example, value is "groups", claim would be found in + "external_user.Attributes.groups" in token. + + + Note: we only support this feature for OIDC auth provider. + lastUpdated: + type: string + format: date-time + description: >- + Last updated indicates the last time the auth provider has been + updated. + + + In case there have been tokens issued by an auth provider _before_ + this timestamp, they will be considered + + invalid. Subsequently, all clients will have to re-issue their + tokens (either by refreshing or by an additional + + login attempt). + description: 'Next Tag: 15.' + storageServiceIdentity: type: object properties: - version: - type: string - title: Current Central Version - forceRollbackTo: - type: string - description: The version of previous replica in Central. 
This is the version we can force rollback to. - canRollbackAfterUpgrade: - type: boolean - description: If true, we can rollback to the current version if an upgrade failed. - spaceRequiredForRollbackAfterUpgrade: + serialStr: type: string - format: int64 - title: Current disk space stats for upgrade - spaceAvailableForRollbackAfterUpgrade: + title: The serial number in decimal representation. + serial: type: string format: int64 - v1GetUpgradeStatusResponse: - type: object - properties: - upgradeStatus: - $ref: '#/components/schemas/v1CentralUpgradeStatus' - InitBundleMetaImpactedCluster: - type: object - properties: - name: - type: string id: type: string - InitBundleRevokeResponseInitBundleRevocationError: + type: + $ref: '#/components/schemas/storageServiceType' + initBundleId: + type: string + storageServiceType: + type: string + enum: + - UNKNOWN_SERVICE + - SENSOR_SERVICE + - CENTRAL_SERVICE + - CENTRAL_DB_SERVICE + - REMOTE_SERVICE + - COLLECTOR_SERVICE + - MONITORING_UI_SERVICE + - MONITORING_DB_SERVICE + - MONITORING_CLIENT_SERVICE + - BENCHMARK_SERVICE + - SCANNER_SERVICE + - SCANNER_DB_SERVICE + - ADMISSION_CONTROL_SERVICE + - SCANNER_V4_INDEXER_SERVICE + - SCANNER_V4_MATCHER_SERVICE + - SCANNER_V4_DB_SERVICE + - SCANNER_V4_SERVICE + - REGISTRANT_SERVICE + default: UNKNOWN_SERVICE + description: '- SCANNER_V4_SERVICE: This is used when Scanner V4 is run in combo-mode.' 
+ title: 'Next available tag: 18' + storageTraits: type: object properties: - id: - type: string - error: - type: string - impactedClusters: - type: array - items: - $ref: '#/components/schemas/InitBundleMetaImpactedCluster' - storageUser: + mutabilityMode: + $ref: '#/components/schemas/TraitsMutabilityMode' + visibility: + $ref: '#/components/schemas/TraitsVisibility' + origin: + $ref: '#/components/schemas/TraitsOrigin' + storageUserInfo: type: object properties: - id: + username: type: string - authProviderId: + friendlyName: type: string - attributes: + permissions: + $ref: '#/components/schemas/UserInfoResourceToAccess' + roles: type: array items: - $ref: '#/components/schemas/storageUserAttribute' - description: User is an object that allows us to track the roles a user is tied to, and how they logged in. - storageUserAttribute: + $ref: '#/components/schemas/storageUserInfoRole' + storageUserInfoRole: type: object properties: - key: - type: string - value: + name: type: string - v1GetCAConfigResponse: + resourceToAccess: + type: object + additionalProperties: + $ref: '#/components/schemas/storageAccess' + description: |- + Role is wire compatible with the old format of storage.Role and + hence only includes role name and associated permissions. + v1AddAuthMachineToMachineConfigRequest: type: object properties: - helmValuesBundle: - type: string - format: byte - v1InitBundleGenRequest: + config: + $ref: '#/components/schemas/v1AuthMachineToMachineConfig' + v1AddAuthMachineToMachineConfigResponse: type: object properties: - name: - type: string - v1InitBundleGenResponse: + config: + $ref: '#/components/schemas/v1AuthMachineToMachineConfig' + v1AuthMachineToMachineConfig: type: object properties: - meta: - $ref: '#/components/schemas/v1InitBundleMeta' - helmValuesBundle: + id: type: string - format: byte - kubectlBundle: + description: >- + UUID of the config. + + Note that when adding a machine to machine config, this field should + not be set. 
+ type: + $ref: '#/components/schemas/v1AuthMachineToMachineConfigType' + tokenExpirationDuration: type: string - format: byte - v1InitBundleMeta: + description: >- + Sets the expiration of the token returned from the + ExchangeAuthMachineToMachineToken API call. + + Possible valid time units are: s, m, h. + + The maximum allowed expiration duration is 24h. + + As an example: 2h45m. + + For additional information on the validation of the duration, see: + + https://pkg.go.dev/time#ParseDuration. + mappings: + type: array + items: + $ref: '#/components/schemas/AuthMachineToMachineConfigMapping' + description: >- + At least one mapping is required to resolve to a valid role for the + access token to be successfully generated. + issuer: + type: string + description: >- + The issuer of the related OIDC provider issuing the ID tokens to + exchange. + + + Must be non-empty string containing URL when type is GENERIC. + + In case of GitHub actions, this must be empty or set to + https://token.actions.githubusercontent.com. + + + Issuer is a unique key, therefore there may be at most one + GITHUB_ACTIONS config, and each + + GENERIC config must have a distinct issuer. + description: >- + AuthMachineToMachineConfig determines rules for exchanging an identity + token from a third party with + + a Central access token. The M2M stands for machine to machine, as this + is the intended use-case + + for the config. + v1AuthMachineToMachineConfigType: + type: string + enum: + - GENERIC + - GITHUB_ACTIONS + - KUBE_SERVICE_ACCOUNT + default: GENERIC + description: >- + The type of the auth machine to machine config. + + Currently supports GitHub actions or any other generic OIDC provider to + use for verifying and + + exchanging the token. 
+ v1AuthStatus: type: object properties: - id: + userId: + type: string + serviceId: + $ref: '#/components/schemas/storageServiceIdentity' + expires: type: string - name: + format: date-time + refreshUrl: type: string - impactedClusters: + authProvider: + $ref: '#/components/schemas/storageAuthProvider' + userInfo: + $ref: '#/components/schemas/storageUserInfo' + userAttributes: type: array items: - $ref: '#/components/schemas/InitBundleMetaImpactedCluster' - createdAt: + $ref: '#/components/schemas/v1UserAttribute' + idpToken: type: string - format: date-time - createdBy: - $ref: '#/components/schemas/storageUser' - expiresAt: + description: >- + Token returned to ACS by the underlying identity provider. This + field is set only in a few, + + specific contexts. Do not rely on this field being present in the + response. + v1ExchangeAuthMachineToMachineTokenRequest: + type: object + properties: + idToken: type: string - format: date-time - v1InitBundleMetasResponse: + description: Identity token that is supposed to be exchanged. + v1ExchangeAuthMachineToMachineTokenResponse: type: object properties: - items: - type: array - items: - $ref: '#/components/schemas/v1InitBundleMeta' - v1InitBundleRevokeRequest: + accessToken: + type: string + description: The exchanged access token. 
+ v1GetAuthMachineToMachineConfigResponse: type: object properties: - ids: - type: array - items: - type: string - confirmImpactedClustersIds: - type: array - items: - type: string - v1InitBundleRevokeResponse: + config: + $ref: '#/components/schemas/v1AuthMachineToMachineConfig' + v1ListAuthMachineToMachineConfigResponse: type: object properties: - initBundleRevocationErrors: + configs: type: array items: - $ref: '#/components/schemas/InitBundleRevokeResponseInitBundleRevocationError' - initBundleRevokedIds: + $ref: '#/components/schemas/v1AuthMachineToMachineConfig' + v1UserAttribute: + type: object + properties: + key: + type: string + values: type: array items: type: string - ClusterHealthStatusHealthStatusLabel: - type: string - enum: - - UNINITIALIZED - - UNAVAILABLE - - UNHEALTHY - - DEGRADED - - HEALTHY - default: UNINITIALIZED - title: '- UNAVAILABLE: Only collector can have unavailable status' - ClusterUpgradeStatusUpgradability: - type: string - enum: - - UNSET - - UP_TO_DATE - - MANUAL_UPGRADE_REQUIRED - - AUTO_UPGRADE_POSSIBLE - - SENSOR_VERSION_HIGHER - default: UNSET - description: |2- - - SENSOR_VERSION_HIGHER: SENSOR_VERSION_HIGHER occurs when we detect that the sensor - is running a newer version than this Central. This is unexpected, - but can occur depending on the patches a customer does. - In this case, we will NOT automatically "upgrade" the sensor, - since that would be a downgrade, even if the autoupgrade setting is - on. The user will be allowed to manually trigger the upgrade, but they are - strongly discouraged from doing so without upgrading Central first, since this - is an unsupported configuration. 
- ClusterUpgradeStatusUpgradeProcessStatus: + AuthProviderServicePutAuthProviderBody: type: object properties: - active: - type: boolean - id: - type: string - targetVersion: + name: type: string - upgraderImage: + type: type: string - initiatedAt: + uiEndpoint: type: string - format: date-time - progress: - $ref: '#/components/schemas/storageUpgradeProgress' - type: - $ref: '#/components/schemas/UpgradeProcessStatusUpgradeProcessType' - UpgradeProcessStatusUpgradeProcessType: - type: string - enum: - - UPGRADE - - CERT_ROTATION - default: UPGRADE - description: |2- - - UPGRADE: UPGRADE represents a sensor version upgrade. - - CERT_ROTATION: CERT_ROTATION represents an upgrade process that only rotates the TLS certs - used by the cluster, without changing anything else. - UpgradeProgressUpgradeState: - type: string - enum: - - UPGRADE_INITIALIZING - - UPGRADER_LAUNCHING - - UPGRADER_LAUNCHED - - PRE_FLIGHT_CHECKS_COMPLETE - - UPGRADE_OPERATIONS_DONE - - UPGRADE_COMPLETE - - UPGRADE_INITIALIZATION_ERROR - - PRE_FLIGHT_CHECKS_FAILED - - UPGRADE_ERROR_ROLLING_BACK - - UPGRADE_ERROR_ROLLED_BACK - - UPGRADE_ERROR_ROLLBACK_FAILED - - UPGRADE_ERROR_UNKNOWN - - UPGRADE_TIMED_OUT - default: UPGRADE_INITIALIZING - description: |2- - - UPGRADER_LAUNCHING: In-progress states. - - UPGRADE_COMPLETE: The success state. - PLEASE NUMBER ALL IN-PROGRESS STATES ABOVE THIS - AND ALL ERROR STATES BELOW THIS. - - UPGRADE_INITIALIZATION_ERROR: Error states. - storageAWSProviderMetadata: - type: object - properties: - accountId: + enabled: + type: boolean + config: + type: object + additionalProperties: + type: string + description: >- + Config holds auth provider specific configuration. Each + configuration options + + are different based on the given auth provider type. + + OIDC: + + - "issuer": the OIDC issuer according to + https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. 
+ + - "client_id": the client ID according to + https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. + + - "client_secret": the client secret according to + https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. + + - "do_not_use_client_secret": set to "true" if you want to create a + configuration with only + a client ID and no client secret. + - "mode": the OIDC callback mode, choosing from "fragment", "post", + or "query". + + - "disable_offline_access_scope": set to "true" if no offline tokens + shall be issued. + + - "extra_scopes": a space-delimited string of additional scopes to + request in addition to "openid profile email" + according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. + + OpenShift Auth: supports no extra configuration options. + + + User PKI: + + - "keys": the trusted certificates PEM encoded. + + + SAML: + + - "sp_issuer": the service provider issuer according to + https://datatracker.ietf.org/doc/html/rfc7522#section-3. + + - "idp_metadata_url": the metadata URL according to + https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. + + - "idp_issuer": the IdP issuer. + + - "idp_cert_pem": the cert PEM encoded for the IdP endpoint. + + - "idp_sso_url": the IdP SSO URL. + + - "idp_nameid_format": the IdP name ID format. + + + IAP: + + - "audience": the audience to use. + loginUrl: type: string - storageAdmissionControlHealthInfo: - type: object - properties: - totalDesiredPods: - type: integer - format: int32 - totalReadyPods: - type: integer - format: int32 - statusErrors: + description: >- + The login URL will be provided by the backend, and may not be + specified in a request. + validated: + type: boolean + extraUiEndpoints: type: array items: type: string - description: Collection of errors that occurred while trying to obtain admission control health info. 
- description: |- - AdmissionControlHealthInfo carries data about admission control deployment but does not include admission control health status - derived from this data. - Aggregated admission control health status is not included because it is derived in central and not in the component that - first reports AdmissionControlHealthInfo (sensor). - storageAdmissionControllerConfig: - type: object - properties: - enabled: - type: boolean - timeoutSeconds: - type: integer - format: int32 - scanInline: - type: boolean - disableBypass: - type: boolean - enforceOnUpdates: + description: >- + UI endpoints which to allow in addition to `ui_endpoint`. I.e., if a + login request + + is coming from any of these, the auth request will use these for the + callback URL, + + not ui_endpoint. + active: type: boolean - storageAuditLogFileState: - type: object - properties: - collectLogsSince: + requiredAttributes: + type: array + items: + $ref: '#/components/schemas/AuthProviderRequiredAttribute' + traits: + $ref: '#/components/schemas/storageTraits' + claimMappings: + type: object + additionalProperties: + type: string + description: >- + Specifies claims from IdP token that will be copied to Rox token + attributes. + + + Each key in this map contains a path in IdP token we want to map. + Path is separated by "." symbol. + + For example, if IdP token payload looks like: + + + + { + + "a": { + + "b" : "c", + + "d": true, + + "e": [ "val1", "val2", "val3" ], + + "f": [ true, false, false ], + + "g": 123.0, + + "h": [ 1, 2, 3] + + } + + } + + + + then "a.b" would be a valid key and "a.z" is not. 
+ + + We support the following types of claims: + + * string(path "a.b") + + * bool(path "a.d") + + * string array(path "a.e") + + * bool array (path "a.f.") + + + We do NOT support the following types of claims: + + * complex claims(path "a") + + * float/integer claims(path "a.g") + + * float/integer array claims(path "a.h") + + + Each value in this map contains a Rox token attribute name we want + to add claim to. + + If, for example, value is "groups", claim would be found in + "external_user.Attributes.groups" in token. + + + Note: we only support this feature for OIDC auth provider. + lastUpdated: type: string format: date-time - lastAuditId: + description: >- + Last updated indicates the last time the auth provider has been + updated. + + + In case there have been tokens issued by an auth provider _before_ + this timestamp, they will be considered + + invalid. Subsequently, all clients will have to re-issue their + tokens (either by refreshing or by an additional + + login attempt). + description: 'Next Tag: 15.' + AuthProviderServiceUpdateAuthProviderBody: + type: object + properties: + name: type: string - title: |- - AuditLogFileState tracks the last audit log event timestamp and ID that was collected by Compliance - For internal use only - storageAzureProviderMetadata: + enabled: + type: boolean + AvailableProviderTypesResponseAuthProviderType: type: object properties: - subscriptionId: + type: type: string - storageCluster: + suggestedAttributes: + type: array + items: + type: string + GetLoginAuthProvidersResponseLoginAuthProvider: type: object properties: id: 
@@ -9057,1333 +12367,1574 @@ components: name: type: string type: - $ref: '#/components/schemas/storageClusterType' - labels: - type: object - additionalProperties: - type: string - mainImage: - type: string - collectorImage: - type: string - centralApiEndpoint: - type: string - runtimeSupport: - type: boolean - collectionMethod: - $ref: '#/components/schemas/storageCollectionMethod' - admissionController: - type: boolean - admissionControllerUpdates: - type: boolean - admissionControllerEvents: - type: boolean - status: - $ref: '#/components/schemas/storageClusterStatus' - dynamicConfig: - $ref: '#/components/schemas/storageDynamicClusterConfig' - tolerationsConfig: - $ref: '#/components/schemas/storageTolerationsConfig' - priority: type: string - format: int64 - healthStatus: - $ref: '#/components/schemas/storageClusterHealthStatus' - slimCollector: - type: boolean - helmConfig: - $ref: '#/components/schemas/storageCompleteClusterConfig' - mostRecentSensorId: - $ref: '#/components/schemas/storageSensorDeploymentIdentification' - auditLogState: - type: object - additionalProperties: - $ref: '#/components/schemas/storageAuditLogFileState' - description: For internal use only. - initBundleId: + loginUrl: type: string - managedBy: - $ref: '#/components/schemas/storageManagerType' - storageClusterCertExpiryStatus: + v1AvailableProviderTypesResponse: type: object properties: - sensorCertExpiry: + authProviderTypes: + type: array + items: + $ref: >- + #/components/schemas/AvailableProviderTypesResponseAuthProviderType + v1ExchangeTokenRequest: + type: object + properties: + externalToken: type: string - format: date-time - sensorCertNotBefore: + description: >- + The external authentication token. The server will mask the value of + this credential in responses and logs. 
+ type: type: string - format: date-time - storageClusterHealthStatus: + state: + type: string + v1ExchangeTokenResponse: type: object properties: - id: + token: type: string - collectorHealthInfo: - $ref: '#/components/schemas/storageCollectorHealthInfo' - admissionControlHealthInfo: - $ref: '#/components/schemas/storageAdmissionControlHealthInfo' - sensorHealthStatus: - $ref: '#/components/schemas/ClusterHealthStatusHealthStatusLabel' - collectorHealthStatus: - $ref: '#/components/schemas/ClusterHealthStatusHealthStatusLabel' - overallHealthStatus: - $ref: '#/components/schemas/ClusterHealthStatusHealthStatusLabel' - admissionControlHealthStatus: - $ref: '#/components/schemas/ClusterHealthStatusHealthStatusLabel' - lastContact: + clientState: type: string - format: date-time - title: |- - For sensors not having health capability, this will be filled with gRPC connection poll. Otherwise, - this timestamp will be updated by central pipeline when message is processed - healthInfoComplete: + test: type: boolean - title: To track cases such as when sensor is healthy, but collector status data is unavailable because the sensor is on an old version - storageClusterStatus: + user: + $ref: '#/components/schemas/v1AuthStatus' + v1GetAuthProvidersResponse: type: object properties: - sensorVersion: - type: string - DEPRECATEDLastContact: - type: string - format: date-time - description: This field has been deprecated starting release 49.0. Use healthStatus.lastContact instead. 
- providerMetadata: - $ref: '#/components/schemas/storageProviderMetadata' - orchestratorMetadata: - $ref: '#/components/schemas/storageOrchestratorMetadata' - upgradeStatus: - $ref: '#/components/schemas/storageClusterUpgradeStatus' - certExpiryStatus: - $ref: '#/components/schemas/storageClusterCertExpiryStatus' - storageClusterType: - type: string - enum: - - GENERIC_CLUSTER - - KUBERNETES_CLUSTER - - OPENSHIFT_CLUSTER - - OPENSHIFT4_CLUSTER - default: GENERIC_CLUSTER - storageClusterUpgradeStatus: + authProviders: + type: array + items: + $ref: '#/components/schemas/storageAuthProvider' + v1GetLoginAuthProvidersResponse: type: object properties: - upgradability: - $ref: '#/components/schemas/ClusterUpgradeStatusUpgradability' - upgradabilityStatusReason: - type: string - mostRecentProcess: - $ref: '#/components/schemas/ClusterUpgradeStatusUpgradeProcessStatus' - storageCollectionMethod: - type: string - enum: - - UNSET_COLLECTION - - NO_COLLECTION - - KERNEL_MODULE - - EBPF - default: UNSET_COLLECTION - storageCollectorHealthInfo: + authProviders: + type: array + items: + $ref: >- + #/components/schemas/GetLoginAuthProvidersResponseLoginAuthProvider + ExternalBackupServicePutExternalBackupBody: type: object properties: - version: + name: type: string - title: This is the version of the collector deamonset as returned by k8s API - totalDesiredPods: - type: integer - format: int32 - totalReadyPods: - type: integer - format: int32 - totalRegisteredNodes: + type: + type: string + schedule: + $ref: '#/components/schemas/storageSchedule' + backupsToKeep: type: integer format: int32 - statusErrors: - type: array - items: - type: string - description: Collection of errors that occurred while trying to obtain collector health info. - description: |- - CollectorHealthInfo carries data about collector deployment but does not include collector health status derived from this data. 
- Aggregated collector health status is not included because it is derived in central and not in the component that - first reports CollectorHealthInfo (sensor). - storageCompleteClusterConfig: + s3: + $ref: '#/components/schemas/storageS3Config' + gcs: + $ref: '#/components/schemas/storageGCSConfig' + s3compatible: + $ref: '#/components/schemas/storageS3Compatible' + includeCertificates: + type: boolean + title: 'Next available tag: 10' + ExternalBackupServiceUpdateExternalBackupBody: type: object properties: - dynamicConfig: - $ref: '#/components/schemas/storageDynamicClusterConfig' - staticConfig: - $ref: '#/components/schemas/storageStaticClusterConfig' - configFingerprint: - type: string - clusterLabels: + externalBackup: type: object - additionalProperties: - type: string - description: |- - Encodes a complete cluster configuration minus ID/Name identifiers - including static and dynamic settings. - storageDynamicClusterConfig: + properties: + name: + type: string + type: + type: string + schedule: + $ref: '#/components/schemas/storageSchedule' + backupsToKeep: + type: integer + format: int32 + s3: + $ref: '#/components/schemas/storageS3Config' + gcs: + $ref: '#/components/schemas/storageGCSConfig' + s3compatible: + $ref: '#/components/schemas/storageS3Compatible' + includeCertificates: + type: boolean + title: 'Next available tag: 10' + updatePassword: + type: boolean + description: >- + When false, use the stored credentials of an existing external + backup configuration given its ID. + ScheduleDaysOfMonth: type: object properties: - admissionControllerConfig: - $ref: '#/components/schemas/storageAdmissionControllerConfig' - registryOverride: - type: string - disableAuditLogs: - type: boolean - storageGoogleProviderMetadata: + days: + type: array + items: + type: integer + format: int32 + title: 1 for 1st, 2 for 2nd .... 
31 for 31st + ScheduleDaysOfWeek: type: object properties: - project: - type: string - clusterName: - type: string - storageManagerType: + days: + type: array + items: + type: integer + format: int32 + title: Sunday = 0, Monday = 1, .... Saturday = 6 + ScheduleIntervalType: type: string enum: - - MANAGER_TYPE_UNKNOWN - - MANAGER_TYPE_MANUAL - - MANAGER_TYPE_HELM_CHART - - MANAGER_TYPE_KUBERNETES_OPERATOR - default: MANAGER_TYPE_UNKNOWN - storageOrchestratorMetadata: + - UNSET + - DAILY + - WEEKLY + - MONTHLY + default: UNSET + ScheduleWeeklyInterval: type: object properties: - version: - type: string - openshiftVersion: - type: string - buildDate: - type: string - format: date-time - apiVersions: - type: array - items: - type: string - storageProviderMetadata: + day: + type: integer + format: int32 + storageExternalBackup: type: object properties: - region: + id: type: string - zone: + name: type: string - google: - $ref: '#/components/schemas/storageGoogleProviderMetadata' - aws: - $ref: '#/components/schemas/storageAWSProviderMetadata' - azure: - $ref: '#/components/schemas/storageAzureProviderMetadata' - verified: + type: + type: string + schedule: + $ref: '#/components/schemas/storageSchedule' + backupsToKeep: + type: integer + format: int32 + s3: + $ref: '#/components/schemas/storageS3Config' + gcs: + $ref: '#/components/schemas/storageGCSConfig' + s3compatible: + $ref: '#/components/schemas/storageS3Compatible' + includeCertificates: type: boolean - storageSensorDeploymentIdentification: + title: 'Next available tag: 10' + storageGCSConfig: type: object properties: - systemNamespaceId: + bucket: type: string - defaultNamespaceId: + serviceAccount: type: string - appNamespace: + description: >- + The service account for the storage integration. The server will + mask the value of this credential in responses and logs. 
+ objectPrefix: type: string - appNamespaceId: + useWorkloadId: + type: boolean + storageS3Compatible: + type: object + properties: + bucket: type: string - appServiceaccountId: + accessKeyId: type: string - k8sNodeName: + description: >- + The access key ID to use. The server will mask the value of this + credential in responses and logs. + secretAccessKey: type: string - description: |- - StackRoxDeploymentIdentification aims at uniquely identifying a StackRox Sensor deployment. It is used to determine - whether a sensor connection comes from a sensor pod that has restarted or was recreated (possibly after a network - partition), or from a deployment in a different namespace or cluster. - storageStaticClusterConfig: - type: object - properties: - type: - $ref: '#/components/schemas/storageClusterType' - mainImage: + description: >- + The secret access key to use. The server will mask the value of this + credential in responses and logs. + region: type: string - centralApiEndpoint: + objectPrefix: type: string - collectionMethod: - $ref: '#/components/schemas/storageCollectionMethod' - collectorImage: + endpoint: type: string - admissionController: - type: boolean - admissionControllerUpdates: - type: boolean - tolerationsConfig: - $ref: '#/components/schemas/storageTolerationsConfig' - slimCollector: - type: boolean - admissionControllerEvents: - type: boolean - storageTolerationsConfig: + urlStyle: + $ref: '#/components/schemas/storageS3URLStyle' + description: >- + S3Compatible configures the backup integration with an S3 compatible + storage provider. + + S3 compatible is intended for non-AWS providers. For AWS S3 use + S3Config. 
+ storageS3Config: type: object properties: - disabled: + bucket: + type: string + useIam: type: boolean - storageUpgradeProgress: - type: object - properties: - upgradeState: - $ref: '#/components/schemas/UpgradeProgressUpgradeState' - upgradeStatusDetail: + accessKeyId: type: string - since: + description: >- + The access key ID for the storage integration. The server will mask + the value of this credential in responses and logs. + secretAccessKey: type: string - format: date-time - v1ClusterDefaultsResponse: - type: object - properties: - mainImageRepository: + description: >- + The secret access key for the storage integration. The server will + mask the value of this credential in responses and logs. + region: type: string - collectorImageRepository: + objectPrefix: type: string - kernelSupportAvailable: - type: boolean - v1ClusterResponse: + endpoint: + type: string + description: S3Config configures the backup integration with AWS S3. + storageS3URLStyle: + type: string + enum: + - S3_URL_STYLE_UNSPECIFIED + - S3_URL_STYLE_VIRTUAL_HOSTED + - S3_URL_STYLE_PATH + default: S3_URL_STYLE_UNSPECIFIED + storageSchedule: type: object properties: - cluster: - $ref: '#/components/schemas/storageCluster' - v1ClustersList: + intervalType: + $ref: '#/components/schemas/ScheduleIntervalType' + hour: + type: integer + format: int32 + minute: + type: integer + format: int32 + weekly: + $ref: '#/components/schemas/ScheduleWeeklyInterval' + daysOfWeek: + $ref: '#/components/schemas/ScheduleDaysOfWeek' + daysOfMonth: + $ref: '#/components/schemas/ScheduleDaysOfMonth' + v1GetExternalBackupsResponse: type: object properties: - clusters: + externalBackups: type: array items: - $ref: '#/components/schemas/storageCluster' - v1KernelSupportAvailableResponse: + $ref: '#/components/schemas/storageExternalBackup' + v1UpdateExternalBackupRequest: type: object properties: - kernelSupportAvailable: + externalBackup: + $ref: '#/components/schemas/storageExternalBackup' + updatePassword: 
type: boolean - v1ComplianceRun: + description: >- + When false, use the stored credentials of an existing external + backup configuration given its ID. + v1CentralUpgradeStatus: type: object properties: - id: - type: string - clusterId: + version: type: string - standardId: + title: Current Central Version + forceRollbackTo: type: string - scheduleId: + description: >- + The version of previous clone in Central. This is the version we can + force rollback to. + canRollbackAfterUpgrade: + type: boolean + description: >- + If true, we can rollback to the current version if an upgrade + failed. + spaceRequiredForRollbackAfterUpgrade: type: string - startTime: + format: int64 + title: Current disk space stats for upgrade + spaceAvailableForRollbackAfterUpgrade: type: string - format: date-time - finishTime: + format: int64 + v1GetUpgradeStatusResponse: + type: object + properties: + upgradeStatus: + $ref: '#/components/schemas/v1CentralUpgradeStatus' + CloudSourcesServiceUpdateCloudSourceBody: + type: object + properties: + cloudSource: + type: object + properties: + name: + type: string + type: + $ref: '#/components/schemas/v1CloudSourceType' + credentials: + $ref: '#/components/schemas/v1CloudSourceCredentials' + skipTestIntegration: + type: boolean + paladinCloud: + $ref: '#/components/schemas/v1PaladinCloudConfig' + ocm: + $ref: '#/components/schemas/v1OCMConfig' + description: |- + CloudSource is an integration which provides a source for discovered + clusters. + updateCredentials: + type: boolean + description: |- + If true, cloud_source must include valid credentials. + If false, the resource must already exist and + credentials in cloud_source are ignored. 
+ v1CloudSource: + type: object + properties: + id: type: string - format: date-time - state: - $ref: '#/components/schemas/v1ComplianceRunState' - errorMessage: + name: type: string - v1ComplianceRunSelection: + type: + $ref: '#/components/schemas/v1CloudSourceType' + credentials: + $ref: '#/components/schemas/v1CloudSourceCredentials' + skipTestIntegration: + type: boolean + paladinCloud: + $ref: '#/components/schemas/v1PaladinCloudConfig' + ocm: + $ref: '#/components/schemas/v1OCMConfig' + description: |- + CloudSource is an integration which provides a source for discovered + clusters. + v1CloudSourceCredentials: type: object properties: - clusterId: + secret: type: string - description: The ID of the cluster. "*" means "all clusters". - standardId: + description: Used for single-valued authentication via long-lived tokens. + clientId: type: string - description: The ID of the compliance standard. "*" means "all standards". - v1ComplianceRunState: + description: Used for client authentication in combination with client_secret. + clientSecret: + type: string + description: Used for client authentication in combination with client_id. + v1CloudSourceType: type: string enum: - - INVALID - - READY - - STARTED - - WAIT_FOR_DATA - - EVALUTING_CHECKS - - FINISHED - default: INVALID - v1GetComplianceRunStatusesResponse: + - TYPE_UNSPECIFIED + - TYPE_PALADIN_CLOUD + - TYPE_OCM + default: TYPE_UNSPECIFIED + v1CloudSourcesFilter: type: object properties: - invalidRunIds: + names: type: array items: type: string - runs: + description: Matches cloud sources based on their name. + types: type: array items: - $ref: '#/components/schemas/v1ComplianceRun' - v1GetRecentComplianceRunsResponse: + $ref: '#/components/schemas/v1CloudSourceType' + description: Matches cloud sources based on their type. 
+ v1CountCloudSourcesResponse: type: object properties: - complianceRuns: - type: array - items: - $ref: '#/components/schemas/v1ComplianceRun' - v1TriggerComplianceRunsRequest: + count: + type: integer + format: int32 + v1CreateCloudSourceRequest: type: object properties: - selection: - $ref: '#/components/schemas/v1ComplianceRunSelection' - v1TriggerComplianceRunsResponse: + cloudSource: + $ref: '#/components/schemas/v1CloudSource' + v1CreateCloudSourceResponse: type: object properties: - startedRuns: + cloudSource: + $ref: '#/components/schemas/v1CloudSource' + v1GetCloudSourceResponse: + type: object + properties: + cloudSource: + $ref: '#/components/schemas/v1CloudSource' + v1ListCloudSourcesResponse: + type: object + properties: + cloudSources: type: array items: - $ref: '#/components/schemas/v1ComplianceRun' - CVSSV2AccessComplexity: - type: string - enum: - - ACCESS_HIGH - - ACCESS_MEDIUM - - ACCESS_LOW - default: ACCESS_HIGH - CVSSV2Authentication: - type: string - enum: - - AUTH_MULTIPLE - - AUTH_SINGLE - - AUTH_NONE - default: AUTH_MULTIPLE - CVSSV3Complexity: - type: string - enum: - - COMPLEXITY_LOW - - COMPLEXITY_HIGH - default: COMPLEXITY_LOW - CVSSV3Privileges: - type: string - enum: - - PRIVILEGE_NONE - - PRIVILEGE_LOW - - PRIVILEGE_HIGH - default: PRIVILEGE_NONE - CVSSV3UserInteraction: - type: string - enum: - - UI_NONE - - UI_REQUIRED - default: UI_NONE - ComplianceAggregationAggregationKey: + $ref: '#/components/schemas/v1CloudSource' + v1OCMConfig: + type: object + properties: + endpoint: + type: string + title: |- + Endpoint to the OpenShift API server. Https is assumed if no + protocol is specified. Example: https://api.openshift.com + description: >- + OCMConfig provides information required to fetch discovered clusters + from + + the OpenShift cluster manager. + v1PaladinCloudConfig: + type: object + properties: + endpoint: + type: string + title: |- + Endpoint to the Paladin Cloud API server. 
Https is assumed if no + protocol is specified. Example: https://apiqa.paladincloud.io + description: |- + PaladinCloudConfig provides information required to fetch discovered + clusters from Paladin Cloud. + v1TestCloudSourceRequest: + type: object + properties: + cloudSource: + $ref: '#/components/schemas/v1CloudSource' + updateCredentials: + type: boolean + description: |- + If true, cloud_source must include valid credentials. + If false, the resource must already exist and + credentials in cloud_source are ignored. + CRSRevokeResponseCRSRevocationError: type: object properties: - scope: - $ref: '#/components/schemas/storageComplianceAggregationScope' id: type: string - title: 'Next available tag: 3' - ComplianceAggregationSource: + error: + type: string + InitBundleMetaImpactedCluster: type: object properties: - clusterId: + name: type: string - standardId: + id: type: string - successfulRun: - $ref: '#/components/schemas/storageComplianceRunMetadata' - failedRuns: + InitBundleRevokeResponseInitBundleRevocationError: + type: object + properties: + id: + type: string + error: + type: string + impactedClusters: type: array items: - $ref: '#/components/schemas/storageComplianceRunMetadata' - title: 'Next available tag: 5' - ComplianceResourceClusterName: + $ref: '#/components/schemas/InitBundleMetaImpactedCluster' + storageUser: type: object properties: id: type: string - name: + authProviderId: + type: string + attributes: + type: array + items: + $ref: '#/components/schemas/storageUserAttribute' + idpToken: type: string - ComplianceResourceDeploymentName: + description: >- + User is an object that allows us to track the roles a user is tied to, + and how they logged in. 
+ storageUserAttribute: type: object properties: - cluster: - $ref: '#/components/schemas/ComplianceResourceClusterName' - id: + key: + type: string + value: type: string + v1CRSGenRequest: + type: object + properties: name: type: string - namespace: + v1CRSGenResponse: + type: object + properties: + meta: + $ref: '#/components/schemas/v1CRSMeta' + crs: type: string - ComplianceResourceNodeName: + format: byte + v1CRSMeta: type: object properties: - cluster: - $ref: '#/components/schemas/ComplianceResourceClusterName' id: type: string name: type: string - ComplianceResultValueEvidence: + createdAt: + type: string + format: date-time + createdBy: + $ref: '#/components/schemas/storageUser' + expiresAt: + type: string + format: date-time + v1CRSMetasResponse: type: object properties: - state: - $ref: '#/components/schemas/storageComplianceState' - message: + items: + type: array + items: + $ref: '#/components/schemas/v1CRSMeta' + v1CRSRevokeRequest: + type: object + properties: + ids: + type: array + items: + type: string + v1CRSRevokeResponse: + type: object + properties: + crsRevocationErrors: + type: array + items: + $ref: '#/components/schemas/CRSRevokeResponseCRSRevocationError' + revokedIds: + type: array + items: + type: string + v1GetCAConfigResponse: + type: object + properties: + helmValuesBundle: type: string - messageId: - type: integer - format: int32 - ComplianceRunResultsEntityResults: + format: byte + v1InitBundleGenRequest: type: object properties: - controlResults: - type: object - additionalProperties: - $ref: '#/components/schemas/storageComplianceResultValue' - ContainerConfigEnvironmentConfig: + name: + type: string + v1InitBundleGenResponse: type: object properties: - key: + meta: + $ref: '#/components/schemas/v1InitBundleMeta' + helmValuesBundle: type: string - value: + format: byte + kubectlBundle: type: string - envVarSource: - $ref: '#/components/schemas/EnvironmentConfigEnvVarSource' - EmbeddedVulnerabilityVulnerabilityType: - type: string 
- enum: - - UNKNOWN_VULNERABILITY - - IMAGE_VULNERABILITY - - K8S_VULNERABILITY - - ISTIO_VULNERABILITY - - NODE_VULNERABILITY - - OPENSHIFT_VULNERABILITY - default: UNKNOWN_VULNERABILITY - PortConfigExposureInfo: + format: byte + v1InitBundleMeta: type: object properties: - level: - $ref: '#/components/schemas/PortConfigExposureLevel' - serviceName: + id: type: string - title: only set if level is not HOST - serviceId: + name: type: string - serviceClusterIp: + impactedClusters: + type: array + items: + $ref: '#/components/schemas/InitBundleMetaImpactedCluster' + createdAt: type: string - servicePort: - type: integer - format: int32 - nodePort: - type: integer - format: int32 - title: only set if level is HOST, NODE, EXTERNAL or ROUTE - externalIps: + format: date-time + createdBy: + $ref: '#/components/schemas/storageUser' + expiresAt: + type: string + format: date-time + v1InitBundleMetasResponse: + type: object + properties: + items: + type: array + items: + $ref: '#/components/schemas/v1InitBundleMeta' + v1InitBundleRevokeRequest: + type: object + properties: + ids: type: array items: type: string - title: only set if level is EXTERNAL - externalHostnames: + confirmImpactedClustersIds: type: array items: type: string - title: only set if level is EXTERNAL or ROUTE - SeccompProfileProfileType: + v1InitBundleRevokeResponse: + type: object + properties: + initBundleRevocationErrors: + type: array + items: + $ref: >- + #/components/schemas/InitBundleRevokeResponseInitBundleRevocationError + initBundleRevokedIds: + type: array + items: + type: string + ClusterHealthStatusHealthStatusLabel: type: string enum: - - UNCONFINED - - RUNTIME_DEFAULT - - LOCALHOST - default: UNCONFINED - SecurityContextSELinux: + - UNINITIALIZED + - UNAVAILABLE + - UNHEALTHY + - DEGRADED + - HEALTHY + default: UNINITIALIZED + title: '- UNAVAILABLE: Only collector can have unavailable status' + ClusterUpgradeStatusUpgradability: + type: string + enum: + - UNSET + - UP_TO_DATE + - 
MANUAL_UPGRADE_REQUIRED + - AUTO_UPGRADE_POSSIBLE + - SENSOR_VERSION_HIGHER + default: UNSET + description: >2- + - SENSOR_VERSION_HIGHER: SENSOR_VERSION_HIGHER occurs when we detect that the sensor + is running a newer version than this Central. This is unexpected, + + but can occur depending on the patches a customer does. + + In this case, we will NOT automatically "upgrade" the sensor, + + since that would be a downgrade, even if the autoupgrade setting is + + on. The user will be allowed to manually trigger the upgrade, but they + are + + strongly discouraged from doing so without upgrading Central first, + since this + + is an unsupported configuration. + ClusterUpgradeStatusUpgradeProcessStatus: type: object properties: - user: - type: string - role: - type: string - type: + active: + type: boolean + id: type: string - level: + targetVersion: type: string - SecurityContextSeccompProfile: - type: object - properties: - type: - $ref: '#/components/schemas/SeccompProfileProfileType' - localhostProfile: + title: only relevant if type == Upgrade + upgraderImage: type: string - VolumeMountPropagation: - type: string - enum: - - NONE - - HOST_TO_CONTAINER - - BIDIRECTIONAL - default: NONE - storageCVSSV2: - type: object - properties: - vector: + initiatedAt: type: string - attackVector: - $ref: '#/components/schemas/storageCVSSV2AttackVector' - accessComplexity: - $ref: '#/components/schemas/CVSSV2AccessComplexity' - authentication: - $ref: '#/components/schemas/CVSSV2Authentication' - confidentiality: - $ref: '#/components/schemas/storageCVSSV2Impact' - integrity: - $ref: '#/components/schemas/storageCVSSV2Impact' - availability: - $ref: '#/components/schemas/storageCVSSV2Impact' - exploitabilityScore: - type: number - format: float - impactScore: - type: number - format: float - score: - type: number - format: float - severity: - $ref: '#/components/schemas/storageCVSSV2Severity' - storageCVSSV2AttackVector: - type: string - enum: - - ATTACK_LOCAL - - 
ATTACK_ADJACENT - - ATTACK_NETWORK - default: ATTACK_LOCAL - storageCVSSV2Impact: - type: string - enum: - - IMPACT_NONE - - IMPACT_PARTIAL - - IMPACT_COMPLETE - default: IMPACT_NONE - storageCVSSV2Severity: - type: string - enum: - - UNKNOWN - - LOW - - MEDIUM - - HIGH - default: UNKNOWN - storageCVSSV3: + format: date-time + progress: + $ref: '#/components/schemas/storageUpgradeProgress' + type: + $ref: '#/components/schemas/UpgradeProcessStatusUpgradeProcessType' + ClustersServicePutClusterBody: type: object properties: - vector: + name: type: string - exploitabilityScore: - type: number - format: float - impactScore: - type: number - format: float - attackVector: - $ref: '#/components/schemas/storageCVSSV3AttackVector' - attackComplexity: - $ref: '#/components/schemas/CVSSV3Complexity' - privilegesRequired: - $ref: '#/components/schemas/CVSSV3Privileges' - userInteraction: - $ref: '#/components/schemas/CVSSV3UserInteraction' - scope: - $ref: '#/components/schemas/storageCVSSV3Scope' - confidentiality: - $ref: '#/components/schemas/storageCVSSV3Impact' - integrity: - $ref: '#/components/schemas/storageCVSSV3Impact' - availability: - $ref: '#/components/schemas/storageCVSSV3Impact' - score: - type: number - format: float - severity: - $ref: '#/components/schemas/storageCVSSV3Severity' - storageCVSSV3AttackVector: - type: string - enum: - - ATTACK_LOCAL - - ATTACK_ADJACENT - - ATTACK_NETWORK - - ATTACK_PHYSICAL - default: ATTACK_LOCAL - storageCVSSV3Impact: - type: string - enum: - - IMPACT_NONE - - IMPACT_LOW - - IMPACT_HIGH - default: IMPACT_NONE - storageCVSSV3Scope: + type: + $ref: '#/components/schemas/storageClusterType' + labels: + type: object + additionalProperties: + type: string + mainImage: + type: string + collectorImage: + type: string + centralApiEndpoint: + type: string + runtimeSupport: + type: boolean + collectionMethod: + $ref: '#/components/schemas/storageCollectionMethod' + admissionController: + type: boolean + admissionControllerUpdates: + 
type: boolean + admissionControllerEvents: + type: boolean + status: + $ref: '#/components/schemas/storageClusterStatus' + dynamicConfig: + $ref: '#/components/schemas/storageDynamicClusterConfig' + tolerationsConfig: + $ref: '#/components/schemas/storageTolerationsConfig' + priority: + type: string + format: int64 + healthStatus: + $ref: '#/components/schemas/storageClusterHealthStatus' + slimCollector: + type: boolean + helmConfig: + $ref: '#/components/schemas/storageCompleteClusterConfig' + mostRecentSensorId: + $ref: '#/components/schemas/storageSensorDeploymentIdentification' + auditLogState: + type: object + additionalProperties: + $ref: '#/components/schemas/storageAuditLogFileState' + description: For internal use only. + initBundleId: + type: string + managedBy: + $ref: '#/components/schemas/storageManagerType' + sensorCapabilities: + type: array + items: + type: string + UpgradeProcessStatusUpgradeProcessType: type: string enum: - - UNCHANGED - - CHANGED - default: UNCHANGED - storageCVSSV3Severity: + - UPGRADE + - CERT_ROTATION + default: UPGRADE + description: |2- + - UPGRADE: UPGRADE represents a sensor version upgrade. + - CERT_ROTATION: CERT_ROTATION represents an upgrade process that only rotates the TLS certs + used by the cluster, without changing anything else. + UpgradeProgressUpgradeState: type: string enum: - - UNKNOWN - - NONE - - LOW - - MEDIUM - - HIGH - - CRITICAL - default: UNKNOWN - storageComplianceAggregationResponse: + - UPGRADE_INITIALIZING + - UPGRADER_LAUNCHING + - UPGRADER_LAUNCHED + - PRE_FLIGHT_CHECKS_COMPLETE + - UPGRADE_OPERATIONS_DONE + - UPGRADE_COMPLETE + - UPGRADE_INITIALIZATION_ERROR + - PRE_FLIGHT_CHECKS_FAILED + - UPGRADE_ERROR_ROLLING_BACK + - UPGRADE_ERROR_ROLLED_BACK + - UPGRADE_ERROR_ROLLBACK_FAILED + - UPGRADE_ERROR_UNKNOWN + - UPGRADE_TIMED_OUT + default: UPGRADE_INITIALIZING + description: |2- + - UPGRADER_LAUNCHING: In-progress states. + - UPGRADE_COMPLETE: The success state. 
+ PLEASE NUMBER ALL IN-PROGRESS STATES ABOVE THIS + AND ALL ERROR STATES BELOW THIS. + - UPGRADE_INITIALIZATION_ERROR: Error states. + storageAWSProviderMetadata: type: object properties: - results: - type: array - items: - $ref: '#/components/schemas/storageComplianceAggregationResult' - sources: - type: array - items: - $ref: '#/components/schemas/ComplianceAggregationSource' - errorMessage: + accountId: type: string - title: 'Next available tag: 3' - storageComplianceAggregationResult: + storageAdmissionControlHealthInfo: type: object properties: - aggregationKeys: - type: array - items: - $ref: '#/components/schemas/ComplianceAggregationAggregationKey' - unit: - $ref: '#/components/schemas/storageComplianceAggregationScope' - numPassing: + totalDesiredPods: type: integer format: int32 - numFailing: + totalReadyPods: type: integer format: int32 - numSkipped: + statusErrors: + type: array + items: + type: string + description: >- + Collection of errors that occurred while trying to obtain admission + control health info. + description: >- + AdmissionControlHealthInfo carries data about admission control + deployment but does not include admission control health status + + derived from this data. + + Aggregated admission control health status is not included because it is + derived in central and not in the component that + + first reports AdmissionControlHealthInfo (sensor). + + + The following fields are made optional/nullable because there can be + errors when trying to obtain them and + the default value of 0 might be confusing with the actual value 0. In case an error happens when trying to obtain + a certain field, it will be absent (instead of having the default value). 
+ storageAdmissionControllerConfig: + type: object + properties: + enabled: + type: boolean + timeoutSeconds: type: integer format: int32 - title: 'Next available tag: 5' - storageComplianceAggregationScope: - type: string - enum: - - UNKNOWN - - STANDARD - - CLUSTER - - CATEGORY - - CONTROL - - NAMESPACE - - NODE - - DEPLOYMENT - - CHECK - default: UNKNOWN - storageComplianceControlResult: + scanInline: + type: boolean + disableBypass: + type: boolean + enforceOnUpdates: + type: boolean + storageAuditLogFileState: type: object properties: - resource: - $ref: '#/components/schemas/storageComplianceResource' - controlId: + collectLogsSince: type: string - value: - $ref: '#/components/schemas/storageComplianceResultValue' - storageComplianceDomain: + format: date-time + lastAuditId: + type: string + title: Previously received audit id. May be empty + title: >- + AuditLogFileState tracks the last audit log event timestamp and ID that + was collected by Compliance + + For internal use only + storageAzureProviderMetadata: + type: object + properties: + subscriptionId: + type: string + storageCluster: type: object properties: id: type: string - cluster: - $ref: '#/components/schemas/storageCluster' - nodes: + name: + type: string + type: + $ref: '#/components/schemas/storageClusterType' + labels: type: object additionalProperties: - $ref: '#/components/schemas/storageNode' - deployments: + type: string + mainImage: + type: string + collectorImage: + type: string + centralApiEndpoint: + type: string + runtimeSupport: + type: boolean + collectionMethod: + $ref: '#/components/schemas/storageCollectionMethod' + admissionController: + type: boolean + admissionControllerUpdates: + type: boolean + admissionControllerEvents: + type: boolean + status: + $ref: '#/components/schemas/storageClusterStatus' + dynamicConfig: + $ref: '#/components/schemas/storageDynamicClusterConfig' + tolerationsConfig: + $ref: '#/components/schemas/storageTolerationsConfig' + priority: + type: string 
+ format: int64 + healthStatus: + $ref: '#/components/schemas/storageClusterHealthStatus' + slimCollector: + type: boolean + helmConfig: + $ref: '#/components/schemas/storageCompleteClusterConfig' + mostRecentSensorId: + $ref: '#/components/schemas/storageSensorDeploymentIdentification' + auditLogState: type: object additionalProperties: - $ref: '#/components/schemas/storageDeployment' - title: 'Next available tag: 5' - storageComplianceResource: - type: object - properties: - cluster: - $ref: '#/components/schemas/ComplianceResourceClusterName' - deployment: - $ref: '#/components/schemas/ComplianceResourceDeploymentName' - node: - $ref: '#/components/schemas/ComplianceResourceNodeName' - image: - $ref: '#/components/schemas/storageImageName' - storageComplianceResultValue: - type: object - properties: - evidence: + $ref: '#/components/schemas/storageAuditLogFileState' + description: For internal use only. + initBundleId: + type: string + managedBy: + $ref: '#/components/schemas/storageManagerType' + sensorCapabilities: type: array items: - $ref: '#/components/schemas/ComplianceResultValueEvidence' - overallState: - $ref: '#/components/schemas/storageComplianceState' - storageComplianceRunMetadata: + type: string + storageClusterCertExpiryStatus: type: object properties: - runId: - type: string - standardId: - type: string - clusterId: - type: string - startTimestamp: + sensorCertExpiry: type: string format: date-time - finishTimestamp: + sensorCertNotBefore: type: string format: date-time - success: - type: boolean - errorMessage: + storageClusterHealthStatus: + type: object + properties: + id: type: string - domainId: + collectorHealthInfo: + $ref: '#/components/schemas/storageCollectorHealthInfo' + admissionControlHealthInfo: + $ref: '#/components/schemas/storageAdmissionControlHealthInfo' + scannerHealthInfo: + $ref: '#/components/schemas/storageScannerHealthInfo' + sensorHealthStatus: + $ref: '#/components/schemas/ClusterHealthStatusHealthStatusLabel' + 
collectorHealthStatus: + $ref: '#/components/schemas/ClusterHealthStatusHealthStatusLabel' + overallHealthStatus: + $ref: '#/components/schemas/ClusterHealthStatusHealthStatusLabel' + admissionControlHealthStatus: + $ref: '#/components/schemas/ClusterHealthStatusHealthStatusLabel' + scannerHealthStatus: + $ref: '#/components/schemas/ClusterHealthStatusHealthStatusLabel' + lastContact: type: string - title: 'Next available tag: 5' - storageComplianceRunResults: + format: date-time + description: >- + For sensors not having health capability, this will be filled with + gRPC connection poll. Otherwise, + + this timestamp will be updated by central pipeline when message is + processed. + + + Note: we use this setting to guard against a specific attack vector + during CRS-based cluster registration. + + Assuming that a CRS was used to register a cluster A and the CRS is + leaked, an attacker shall not be able + + to re-run the CRS-flow which would then equip the attacker with a + certificate & key issued to the cluster A. + + As countermeasure we only allow re-running the CRS-flow only as long + as the last_contact field is empty, + + indicating that the legit cluster A's sensor has not yet connected + with the CRS-issued service certificates. 
+ healthInfoComplete: + type: boolean + title: >- + To track cases such as when sensor is healthy, but collector status + data is unavailable because the sensor is on an old version + storageClusterMetadata: type: object properties: - domain: - $ref: '#/components/schemas/storageComplianceDomain' - runMetadata: - $ref: '#/components/schemas/storageComplianceRunMetadata' - clusterResults: - $ref: '#/components/schemas/ComplianceRunResultsEntityResults' - nodeResults: - type: object - additionalProperties: - $ref: '#/components/schemas/ComplianceRunResultsEntityResults' - deploymentResults: - type: object - additionalProperties: - $ref: '#/components/schemas/ComplianceRunResultsEntityResults' - machineConfigResults: - type: object - additionalProperties: - $ref: '#/components/schemas/ComplianceRunResultsEntityResults' - title: 'Next available tag: 6' - storageComplianceState: + type: + $ref: '#/components/schemas/storageClusterMetadataType' + name: + type: string + description: >- + Name represents the name under which the cluster is registered with + the + + cloud provider. In case of self managed OpenShift it is the name + chosen + + by the OpenShift installer. + id: + type: string + description: >- + Id represents a unique ID under which the cluster is registered with + the + + cloud provider. Not all cluster types have an id. For all OpenShift + + clusters, this is the Red Hat `cluster_id` registered with OCM. + description: >- + ClusterMetadata contains metadata information about the cluster + infrastructure. 
+ storageClusterMetadataType: type: string enum: - - COMPLIANCE_STATE_UNKNOWN - - COMPLIANCE_STATE_SKIP - - COMPLIANCE_STATE_NOTE - - COMPLIANCE_STATE_SUCCESS - - COMPLIANCE_STATE_FAILURE - - COMPLIANCE_STATE_ERROR - default: COMPLIANCE_STATE_UNKNOWN - storageContainer: + - UNSPECIFIED + - AKS + - ARO + - EKS + - GKE + - OCP + - OSD + - ROSA + default: UNSPECIFIED + storageClusterStatus: type: object properties: - id: + sensorVersion: type: string - config: - $ref: '#/components/schemas/storageContainerConfig' - image: - $ref: '#/components/schemas/storageContainerImage' - securityContext: - $ref: '#/components/schemas/storageSecurityContext' - volumes: - type: array - items: - $ref: '#/components/schemas/storageVolume' - ports: - type: array - items: - $ref: '#/components/schemas/storagePortConfig' - secrets: - type: array - items: - $ref: '#/components/schemas/storageEmbeddedSecret' - resources: - $ref: '#/components/schemas/storageResources' - name: + DEPRECATEDLastContact: type: string - livenessProbe: - $ref: '#/components/schemas/storageLivenessProbe' - readinessProbe: - $ref: '#/components/schemas/storageReadinessProbe' - storageContainerConfig: + format: date-time + description: >- + This field has been deprecated starting release 49.0. Use + healthStatus.lastContact instead. 
+ providerMetadata: + $ref: '#/components/schemas/storageProviderMetadata' + orchestratorMetadata: + $ref: '#/components/schemas/storageOrchestratorMetadata' + upgradeStatus: + $ref: '#/components/schemas/storageClusterUpgradeStatus' + certExpiryStatus: + $ref: '#/components/schemas/storageClusterCertExpiryStatus' + storageClusterType: + type: string + enum: + - GENERIC_CLUSTER + - KUBERNETES_CLUSTER + - OPENSHIFT_CLUSTER + - OPENSHIFT4_CLUSTER + default: GENERIC_CLUSTER + storageClusterUpgradeStatus: type: object properties: - env: - type: array - items: - $ref: '#/components/schemas/ContainerConfigEnvironmentConfig' - command: - type: array - items: - type: string - args: - type: array - items: - type: string - directory: - type: string - user: - type: string - uid: - type: string - format: int64 - appArmorProfile: + upgradability: + $ref: '#/components/schemas/ClusterUpgradeStatusUpgradability' + upgradabilityStatusReason: type: string - storageContainerRuntime: + mostRecentProcess: + $ref: '#/components/schemas/ClusterUpgradeStatusUpgradeProcessStatus' + storageCollectionMethod: type: string enum: - - UNKNOWN_CONTAINER_RUNTIME - - DOCKER_CONTAINER_RUNTIME - - CRIO_CONTAINER_RUNTIME - default: UNKNOWN_CONTAINER_RUNTIME - storageContainerRuntimeInfo: + - UNSET_COLLECTION + - NO_COLLECTION + - KERNEL_MODULE + - EBPF + - CORE_BPF + default: UNSET_COLLECTION + storageCollectorHealthInfo: type: object properties: - type: - $ref: '#/components/schemas/storageContainerRuntime' version: type: string - storageDeployment: + title: >- + This is the version of the collector deamonset as returned by k8s + API + totalDesiredPods: + type: integer + format: int32 + totalReadyPods: + type: integer + format: int32 + totalRegisteredNodes: + type: integer + format: int32 + statusErrors: + type: array + items: + type: string + description: >- + Collection of errors that occurred while trying to obtain collector + health info. 
+ description: >- + CollectorHealthInfo carries data about collector deployment but does not + include collector health status derived from this data. + + Aggregated collector health status is not included because it is derived + in central and not in the component that + + first reports CollectorHealthInfo (sensor). + storageCompleteClusterConfig: type: object properties: - id: - type: string - name: - type: string - hash: - type: string - format: uint64 - type: - type: string - namespace: - type: string - namespaceId: - type: string - orchestratorComponent: - type: boolean - replicas: - type: string - format: int64 - labels: - type: object - additionalProperties: - type: string - description: 'TODO(ROX-6895): "Label" search term is ambiguous.' - podLabels: - type: object - additionalProperties: - type: string - labelSelector: - $ref: '#/components/schemas/storageLabelSelector' - created: - type: string - format: date-time - clusterId: - type: string - clusterName: + dynamicConfig: + $ref: '#/components/schemas/storageDynamicClusterConfig' + staticConfig: + $ref: '#/components/schemas/storageStaticClusterConfig' + configFingerprint: type: string - containers: - type: array - items: - $ref: '#/components/schemas/storageContainer' - annotations: + clusterLabels: type: object additionalProperties: type: string - priority: + description: |- + Encodes a complete cluster configuration minus ID/Name identifiers + including static and dynamic settings. + storageDynamicClusterConfig: + type: object + properties: + admissionControllerConfig: + $ref: '#/components/schemas/storageAdmissionControllerConfig' + registryOverride: type: string - format: int64 - inactive: + disableAuditLogs: type: boolean - imagePullSecrets: - type: array - items: - type: string - serviceAccount: + description: >- + The difference between Static and Dynamic cluster config is that Dynamic + values are sent over the Central to Sensor gRPC connection. 
This has the + benefit of allowing for "hot reloading" of values without restarting + Secured cluster components. + storageGoogleProviderMetadata: + type: object + properties: + project: type: string - serviceAccountPermissionLevel: - $ref: '#/components/schemas/storagePermissionLevel' - automountServiceAccountToken: - type: boolean - hostNetwork: - type: boolean - hostPid: - type: boolean - hostIpc: - type: boolean - runtimeClass: + clusterName: type: string - tolerations: - type: array - items: - $ref: '#/components/schemas/storageToleration' - ports: - type: array - items: - $ref: '#/components/schemas/storagePortConfig' - stateTimestamp: + description: Deprecated in favor of providerMetadata.cluster.name. + storageManagerType: + type: string + enum: + - MANAGER_TYPE_UNKNOWN + - MANAGER_TYPE_MANUAL + - MANAGER_TYPE_HELM_CHART + - MANAGER_TYPE_KUBERNETES_OPERATOR + default: MANAGER_TYPE_UNKNOWN + storageOrchestratorMetadata: + type: object + properties: + version: type: string - format: int64 - riskScore: - type: number - format: float - processTags: + openshiftVersion: + type: string + buildDate: + type: string + format: date-time + apiVersions: type: array items: type: string - title: 'Next available tag: 35' - storageEmbeddedNodeScanComponent: + storageProviderMetadata: type: object properties: - name: + region: type: string - version: + zone: type: string - vulns: + google: + $ref: '#/components/schemas/storageGoogleProviderMetadata' + aws: + $ref: '#/components/schemas/storageAWSProviderMetadata' + azure: + $ref: '#/components/schemas/storageAzureProviderMetadata' + verified: + type: boolean + cluster: + $ref: '#/components/schemas/storageClusterMetadata' + storageScannerHealthInfo: + type: object + properties: + totalDesiredAnalyzerPods: + type: integer + format: int32 + totalReadyAnalyzerPods: + type: integer + format: int32 + totalDesiredDbPods: + type: integer + format: int32 + totalReadyDbPods: + type: integer + format: int32 + statusErrors: type: array 
items: - $ref: '#/components/schemas/storageEmbeddedVulnerability' - priority: - type: string - format: int64 - topCvss: - type: number - format: float - riskScore: - type: number - format: float - storageEmbeddedSecret: + type: string + description: >- + Collection of errors that occurred while trying to obtain scanner + health info. + description: >- + ScannerHealthInfo represents health info of a scanner instance that is + deployed on a secured cluster (so called "local scanner"). + + When the scanner is deployed on a central cluster, the following message + is NOT used. + + ScannerHealthInfo carries data about scanner deployment but does not + include scanner health status + + derived from this data. + + Aggregated scanner health status is not included because it is derived + in central and not in the component that + + first reports ScannerHealthInfo (sensor). + + + The following fields are made optional/nullable because there can be + errors when trying to obtain them and + the default value of 0 might be confusing with the actual value 0. In case an error happens when trying to obtain + a certain field, it will be absent (instead of having the default value). + storageSensorDeploymentIdentification: type: object properties: - name: + systemNamespaceId: type: string - path: + defaultNamespaceId: type: string - storageEmbeddedVulnerability: + appNamespace: + type: string + appNamespaceId: + type: string + appServiceaccountId: + type: string + k8sNodeName: + type: string + description: >- + StackRoxDeploymentIdentification aims at uniquely identifying a StackRox + Sensor deployment. It is used to determine + + whether a sensor connection comes from a sensor pod that has restarted + or was recreated (possibly after a network + + partition), or from a deployment in a different namespace or cluster. 
+ storageStaticClusterConfig: type: object properties: - cve: + type: + $ref: '#/components/schemas/storageClusterType' + mainImage: type: string - cvss: - type: number - format: float - summary: + centralApiEndpoint: type: string - link: + collectionMethod: + $ref: '#/components/schemas/storageCollectionMethod' + collectorImage: type: string - fixedBy: + admissionController: + type: boolean + admissionControllerUpdates: + type: boolean + tolerationsConfig: + $ref: '#/components/schemas/storageTolerationsConfig' + slimCollector: + type: boolean + admissionControllerEvents: + type: boolean + description: >- + The difference between Static and Dynamic cluster config is that Static + values are not sent over the Central to Sensor gRPC connection. They are + used, for example, to generate manifests that can be used to set up the + Secured Cluster's k8s components. They are *not* dynamically reloaded. + storageTolerationsConfig: + type: object + properties: + disabled: + type: boolean + storageUpgradeProgress: + type: object + properties: + upgradeState: + $ref: '#/components/schemas/UpgradeProgressUpgradeState' + upgradeStatusDetail: type: string - scoreVersion: - $ref: '#/components/schemas/storageEmbeddedVulnerabilityScoreVersion' - cvssV2: - $ref: '#/components/schemas/storageCVSSV2' - cvssV3: - $ref: '#/components/schemas/storageCVSSV3' - publishedOn: + since: type: string format: date-time - lastModified: + v1ClusterDefaultsResponse: + type: object + properties: + mainImageRepository: type: string - format: date-time - vulnerabilityType: - $ref: '#/components/schemas/EmbeddedVulnerabilityVulnerabilityType' - vulnerabilityTypes: + collectorImageRepository: + type: string + kernelSupportAvailable: + type: boolean + v1ClusterResponse: + type: object + properties: + cluster: + $ref: '#/components/schemas/storageCluster' + clusterRetentionInfo: + $ref: '#/components/schemas/v1DecommissionedClusterRetentionInfo' + v1ClustersList: + type: object + properties: + clusters: 
type: array items: - $ref: '#/components/schemas/EmbeddedVulnerabilityVulnerabilityType' - suppressed: + $ref: '#/components/schemas/storageCluster' + clusterIdToRetentionInfo: + type: object + additionalProperties: + $ref: '#/components/schemas/v1DecommissionedClusterRetentionInfo' + title: Maps 'UNHEALTHY' clusters' IDs to their retention info + v1DecommissionedClusterRetentionInfo: + type: object + properties: + isExcluded: type: boolean - suppressActivation: + title: indicates whether a cluster is protected from deletion + daysUntilDeletion: + type: integer + format: int32 + title: >- + days after which cluster will be deleted if sensor health remains + UNHEALTHY + title: 'next available tag: 3' + v1KernelSupportAvailableResponse: + type: object + properties: + kernelSupportAvailable: + type: boolean + v1ComplianceRun: + type: object + properties: + id: type: string - format: date-time - suppressExpiry: + clusterId: type: string - format: date-time - firstSystemOccurrence: + standardId: type: string - format: date-time - description: Time when the CVE was first seen in the system. - firstImageOccurrence: + startTime: type: string format: date-time - description: Time when the CVE was first seen in the image. - firstNodeOccurrence: + finishTime: type: string format: date-time - description: Time when the CVE was first seen in the node. - severity: - $ref: '#/components/schemas/storageVulnerabilitySeverity' state: - $ref: '#/components/schemas/storageVulnerabilityState' - title: 'Next Tag: 21' - storageEmbeddedVulnerabilityScoreVersion: - type: string - enum: - - V2 - - V3 - default: V2 - storageLabelSelector: + $ref: '#/components/schemas/v1ComplianceRunState' + errorMessage: + type: string + v1ComplianceRunSelection: + type: object + properties: + clusterId: + type: string + description: The ID of the cluster. "*" means "all clusters". + standardId: + type: string + description: The ID of the compliance standard. "*" means "all standards". 
+ v1ComplianceRunState: + type: string + enum: + - INVALID + - READY + - STARTED + - WAIT_FOR_DATA + - EVALUTING_CHECKS + - FINISHED + default: INVALID + v1GetComplianceRunStatusesResponse: type: object properties: - matchLabels: - type: object - additionalProperties: + invalidRunIds: + type: array + items: type: string - description: |- - This is actually a oneof, but we can't make it one due to backwards - compatibility constraints. - requirements: + runs: type: array items: - $ref: '#/components/schemas/storageLabelSelectorRequirement' - description: 'Next available tag: 3' - title: |- - Label selector components are joined with logical AND, see - https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ - storageLabelSelectorOperator: - type: string - enum: - - UNKNOWN - - IN - - NOT_IN - - EXISTS - - NOT_EXISTS - default: UNKNOWN - storageLabelSelectorRequirement: + $ref: '#/components/schemas/v1ComplianceRun' + v1GetRecentComplianceRunsResponse: type: object properties: - key: - type: string - op: - $ref: '#/components/schemas/storageLabelSelectorOperator' - values: + complianceRuns: type: array items: - type: string - title: 'Next available tag: 4' - storageLivenessProbe: + $ref: '#/components/schemas/v1ComplianceRun' + v1TriggerComplianceRunsRequest: type: object properties: - defined: - type: boolean - storageNode: + selection: + $ref: '#/components/schemas/v1ComplianceRunSelection' + v1TriggerComplianceRunsResponse: type: object properties: - id: - type: string - description: A unique ID identifying this node. - name: - type: string - description: The (host)name of the node. Might or might not be the same as ID. 
- taints: + startedRuns: type: array items: - $ref: '#/components/schemas/storageTaint' - title: Taints on the host - clusterId: + $ref: '#/components/schemas/v1ComplianceRun' + ComplianceAggregationAggregationKey: + type: object + properties: + scope: + $ref: '#/components/schemas/storageComplianceAggregationScope' + id: type: string - clusterName: + title: 'Next available tag: 3' + ComplianceResultValueEvidence: + type: object + properties: + state: + $ref: '#/components/schemas/storageComplianceState' + message: type: string - labels: - type: object - additionalProperties: - type: string - description: 'TODO(ROX-6895): "Label" search term is ambiguous.' - annotations: + messageId: + type: integer + format: int32 + ComplianceRunResultsEntityResults: + type: object + properties: + controlResults: type: object additionalProperties: - type: string - joinedAt: - type: string - format: date-time - title: When the cluster reported the node was added - internalIpAddresses: + $ref: '#/components/schemas/storageComplianceResultValue' + ComplianceServiceUpdateComplianceStandardConfigBody: + type: object + properties: + hideScanResults: + type: boolean + storageComplianceAggregationResponse: + type: object + properties: + results: type: array items: - type: string - title: node internal IP addresses - externalIpAddresses: + $ref: '#/components/schemas/storageComplianceAggregationResult' + sources: type: array items: - type: string - title: node external IP addresses - containerRuntimeVersion: - type: string - title: From NodeInfo - containerRuntime: - $ref: '#/components/schemas/storageContainerRuntimeInfo' - kernelVersion: - type: string - operatingSystem: - type: string - description: 'From NodeInfo. Operating system reported by the node (ex: linux).' - osImage: - type: string - description: From NodeInfo. OS image reported by the node from /etc/os-release. 
- kubeletVersion: - type: string - kubeProxyVersion: - type: string - lastUpdated: - type: string - format: date-time - k8sUpdated: + $ref: '#/components/schemas/storageComplianceAggregationSource' + errorMessage: type: string - format: date-time - description: Time we received an update from Kubernetes. - scan: - $ref: '#/components/schemas/storageNodeScan' - components: + title: 'Next available tag: 3' + storageComplianceAggregationResult: + type: object + properties: + aggregationKeys: + type: array + items: + $ref: '#/components/schemas/ComplianceAggregationAggregationKey' + unit: + $ref: '#/components/schemas/storageComplianceAggregationScope' + numPassing: type: integer format: int32 - cves: + numFailing: type: integer format: int32 - fixableCves: + numSkipped: type: integer format: int32 - priority: - type: string - format: int64 - riskScore: - type: number - format: float - topCvss: - type: number - format: float - title: |- - Node represents information about a node in the cluster. 
- next available tag: 27 - storageNodeScan: + title: 'Next available tag: 5' + storageComplianceAggregationScope: + type: string + enum: + - UNKNOWN + - STANDARD + - CLUSTER + - CATEGORY + - CONTROL + - NAMESPACE + - NODE + - DEPLOYMENT + - CHECK + default: UNKNOWN + storageComplianceAggregationSource: type: object properties: - scanTime: + clusterId: type: string - format: date-time - operatingSystem: + standardId: type: string - components: + successfulRun: + $ref: '#/components/schemas/storageComplianceRunMetadata' + failedRuns: type: array items: - $ref: '#/components/schemas/storageEmbeddedNodeScanComponent' - storagePortConfig: + $ref: '#/components/schemas/storageComplianceRunMetadata' + title: 'Next available tag: 5' + storageComplianceDomain: type: object properties: - name: - type: string - containerPort: - type: integer - format: int32 - protocol: + id: type: string - exposure: - $ref: '#/components/schemas/PortConfigExposureLevel' - exposedPort: - type: integer - format: int32 - exposureInfos: - type: array - items: - $ref: '#/components/schemas/PortConfigExposureInfo' - title: 'Next Available Tag: 6' - storageReadinessProbe: - type: object - properties: - defined: - type: boolean - storageResources: - type: object - properties: - cpuCoresRequest: - type: number - format: float - cpuCoresLimit: - type: number - format: float - memoryMbRequest: - type: number - format: float - memoryMbLimit: - type: number - format: float - storageSecurityContext: - type: object - properties: - privileged: - type: boolean - selinux: - $ref: '#/components/schemas/SecurityContextSELinux' - dropCapabilities: - type: array - items: - type: string - addCapabilities: - type: array - items: - type: string - readOnlyRootFilesystem: - type: boolean - seccompProfile: - $ref: '#/components/schemas/SecurityContextSeccompProfile' - allowPrivilegeEscalation: - type: boolean - storageTaint: + cluster: + $ref: '#/components/schemas/storageComplianceDomainCluster' + nodes: + type: object 
+ additionalProperties: + $ref: '#/components/schemas/storageComplianceDomainNode' + deployments: + type: object + additionalProperties: + $ref: '#/components/schemas/storageComplianceDomainDeployment' + title: 'Next available tag: 5' + storageComplianceDomainCluster: type: object properties: - key: + id: type: string - value: + name: type: string - taintEffect: - $ref: '#/components/schemas/storageTaintEffect' - storageTaintEffect: - type: string - enum: - - UNKNOWN_TAINT_EFFECT - - NO_SCHEDULE_TAINT_EFFECT - - PREFER_NO_SCHEDULE_TAINT_EFFECT - - NO_EXECUTE_TAINT_EFFECT - default: UNKNOWN_TAINT_EFFECT - storageToleration: + title: >- + These must mirror the tags _exactly_ in cluster.proto for backwards + compatibility + storageComplianceDomainDeployment: type: object properties: - key: + id: type: string - operator: - $ref: '#/components/schemas/storageTolerationOperator' - value: + name: type: string - taintEffect: - $ref: '#/components/schemas/storageTaintEffect' - storageTolerationOperator: - type: string - enum: - - TOLERATION_OPERATION_UNKNOWN - - TOLERATION_OPERATOR_EXISTS - - TOLERATION_OPERATOR_EQUAL - default: TOLERATION_OPERATION_UNKNOWN - storageVolume: + type: + type: string + namespace: + type: string + namespaceId: + type: string + clusterId: + type: string + clusterName: + type: string + title: >- + This must mirror the tags _exactly_ in deployment.proto for backwards + compatibility + storageComplianceDomainNode: type: object properties: + id: + type: string name: type: string - source: + clusterId: type: string - destination: + clusterName: type: string - readOnly: + title: >- + These must mirror the tags _exactly_ in node.proto for backwards + compatibility + storageComplianceResultValue: + type: object + properties: + evidence: + type: array + items: + $ref: '#/components/schemas/ComplianceResultValueEvidence' + overallState: + $ref: '#/components/schemas/storageComplianceState' + storageComplianceRunMetadata: + type: object + properties: + 
runId: + type: string + standardId: + type: string + clusterId: + type: string + startTimestamp: + type: string + format: date-time + finishTimestamp: + type: string + format: date-time + success: type: boolean - type: + errorMessage: type: string - mountPropagation: - $ref: '#/components/schemas/VolumeMountPropagation' - storageVulnerabilitySeverity: - type: string - enum: - - UNKNOWN_VULNERABILITY_SEVERITY - - LOW_VULNERABILITY_SEVERITY - - MODERATE_VULNERABILITY_SEVERITY - - IMPORTANT_VULNERABILITY_SEVERITY - - CRITICAL_VULNERABILITY_SEVERITY - default: UNKNOWN_VULNERABILITY_SEVERITY - storageVulnerabilityState: + domainId: + type: string + title: 'Next available tag: 5' + storageComplianceRunResults: + type: object + properties: + domain: + $ref: '#/components/schemas/storageComplianceDomain' + runMetadata: + $ref: '#/components/schemas/storageComplianceRunMetadata' + clusterResults: + $ref: '#/components/schemas/ComplianceRunResultsEntityResults' + nodeResults: + type: object + additionalProperties: + $ref: '#/components/schemas/ComplianceRunResultsEntityResults' + deploymentResults: + type: object + additionalProperties: + $ref: '#/components/schemas/ComplianceRunResultsEntityResults' + machineConfigResults: + type: object + additionalProperties: + $ref: '#/components/schemas/ComplianceRunResultsEntityResults' + title: 'Next available tag: 6' + storageComplianceState: type: string enum: - - OBSERVED - - DEFERRED - - FALSE_POSITIVE - default: OBSERVED - description: VulnerabilityState indicates if vulnerability is being observed or deferred(/suppressed). By default, it vulnerabilities are observed. + - COMPLIANCE_STATE_UNKNOWN + - COMPLIANCE_STATE_SKIP + - COMPLIANCE_STATE_NOTE + - COMPLIANCE_STATE_SUCCESS + - COMPLIANCE_STATE_FAILURE + - COMPLIANCE_STATE_ERROR + default: COMPLIANCE_STATE_UNKNOWN v1ComplianceControl: type: object properties: 
@@ -10415,13 +13966,6 @@ components: numImplementedChecks: type: integer format: int32 - v1ComplianceControlResultsResponse: - type: object - properties: - results: - type: array - items: - $ref: '#/components/schemas/storageComplianceControlResult' v1ComplianceStandard: type: object properties: @@ -10453,6 +13997,8 @@ components: $ref: '#/components/schemas/v1ComplianceStandardMetadataScope' dynamic: type: boolean + hideScanResults: + type: boolean v1ComplianceStandardMetadataScope: type: string enum: @@ -10491,6 +14037,24 @@ components: - MEDIUM - LARGE default: UNSET + PlatformComponentConfigRule: + type: object + properties: + name: + type: string + namespaceRule: + $ref: '#/components/schemas/RuleNamespaceRule' + RuleNamespaceRule: + type: object + properties: + regex: + type: string + storageAdministrationEventsConfig: + type: object + properties: + retentionDurationDays: + type: integer + format: int64 storageAlertRetentionConfig: type: object properties: @@ -10500,13 +14064,18 @@ components: deletedRuntimeRetentionDurationDays: type: integer format: int32 - description: This runtime alert retention configuration takes precedence after `allRuntimeRetentionDurationDays`. + description: >- + This runtime alert retention configuration takes precedence after + `allRuntimeRetentionDurationDays`. allRuntimeRetentionDurationDays: type: integer format: int32 - description: |- - This runtime alert retention configuration has highest precedence. All runtime alerts, including attempted - alerts and deleted deployment alerts, are deleted even if respective retention is longer. + description: >- + This runtime alert retention configuration has highest precedence. + All runtime alerts, including attempted + + alerts and deleted deployment alerts, are deleted even if respective + retention is longer. attemptedDeployRetentionDurationDays: type: integer format: int32 
@@ -10534,6 +14103,33 @@ components: $ref: '#/components/schemas/storagePublicConfig' privateConfig: $ref: '#/components/schemas/storagePrivateConfig' + platformComponentConfig: + $ref: '#/components/schemas/storagePlatformComponentConfig' + storageDayOption: + type: object + properties: + numDays: + type: integer + format: int64 + enabled: + type: boolean + storageDecommissionedClusterRetentionConfig: + type: object + properties: + retentionDurationDays: + type: integer + format: int32 + ignoreClusterLabels: + type: object + additionalProperties: + type: string + lastUpdated: + type: string + format: date-time + createdAt: + type: string + format: date-time + title: 'next available tag: 5' storageLoginNotice: type: object properties: @@ -10541,6 +14137,15 @@ components: type: boolean text: type: string + storagePlatformComponentConfig: + type: object + properties: + rules: + type: array + items: + $ref: '#/components/schemas/PlatformComponentConfigRule' + needsReevaluation: + type: boolean storagePrivateConfig: type: object properties: @@ -10556,7 +14161,15 @@ components: expiredVulnReqRetentionDurationDays: type: integer format: int32 - title: 'next available tag: 5' + decommissionedClusterRetention: + $ref: '#/components/schemas/storageDecommissionedClusterRetentionConfig' + reportRetentionConfig: + $ref: '#/components/schemas/storageReportRetentionConfig' + vulnerabilityExceptionConfig: + $ref: '#/components/schemas/storageVulnerabilityExceptionConfig' + administrationEventsConfig: + $ref: '#/components/schemas/storageAdministrationEventsConfig' + title: next available tag:9 storagePublicConfig: type: object properties: 
@@ -10566,17 +14179,143 @@ components: $ref: '#/components/schemas/storageBannerConfig' footer: $ref: '#/components/schemas/storageBannerConfig' + telemetry: + $ref: '#/components/schemas/storageTelemetryConfiguration' + storageReportRetentionConfig: + type: object + properties: + historyRetentionDurationDays: + type: integer + format: int64 + downloadableReportRetentionDays: + type: integer + format: int64 + downloadableReportGlobalRetentionBytes: + type: integer + format: int64 + title: 'next available tag: 4' + storageTelemetryConfiguration: + type: object + properties: + enabled: + type: boolean + lastSetTime: + type: string + format: date-time + storageVulnerabilityExceptionConfig: + type: object + properties: + expiryOptions: + $ref: >- + #/components/schemas/storageVulnerabilityExceptionConfigExpiryOptions + storageVulnerabilityExceptionConfigExpiryOptions: + type: object + properties: + dayOptions: + type: array + items: + $ref: '#/components/schemas/storageDayOption' + fixableCveOptions: + $ref: >- + #/components/schemas/storageVulnerabilityExceptionConfigFixableCVEOptions + customDate: + type: boolean + indefinite: + type: boolean + storageVulnerabilityExceptionConfigFixableCVEOptions: + type: object + properties: + allFixable: + type: boolean + anyFixable: + type: boolean + v1DayOption: + type: object + properties: + numDays: + type: integer + format: int64 + enabled: + type: boolean + v1GetDefaultRedHatLayeredProductsRegexResponse: + type: object + properties: + regex: + type: string + v1GetVulnerabilityExceptionConfigResponse: + type: object + properties: + config: + $ref: '#/components/schemas/v1VulnerabilityExceptionConfig' v1PutConfigRequest: type: object properties: config: $ref: '#/components/schemas/storageConfig' + v1PutPlatformComponentConfigRequest: + type: object + properties: + rules: + type: array + items: + $ref: '#/components/schemas/PlatformComponentConfigRule' + v1UpdateVulnerabilityExceptionConfigRequest: + type: object + properties: + 
config: + $ref: '#/components/schemas/v1VulnerabilityExceptionConfig' + v1UpdateVulnerabilityExceptionConfigResponse: + type: object + properties: + config: + $ref: '#/components/schemas/v1VulnerabilityExceptionConfig' + v1VulnerabilityExceptionConfig: + type: object + properties: + expiryOptions: + $ref: '#/components/schemas/v1VulnerabilityExceptionConfigExpiryOptions' + v1VulnerabilityExceptionConfigExpiryOptions: + type: object + properties: + dayOptions: + type: array + items: + $ref: '#/components/schemas/v1DayOption' + description: This allows users to set expiry interval based on number of days. + fixableCveOptions: + $ref: '#/components/schemas/v1VulnerabilityExceptionConfigFixableCVEOptions' + customDate: + type: boolean + description: >- + This option, if true, allows UI to show a custom date picker for + setting expiry date. + indefinite: + type: boolean + v1VulnerabilityExceptionConfigFixableCVEOptions: + type: object + properties: + allFixable: + type: boolean + description: >- + This options allows users to expire the vulnerability deferral + request if and only if **all** vulnerabilities + + in the requests become fixable. + anyFixable: + type: boolean + description: >- + This options allows users to expire the vulnerability deferral + request if **any** vulnerability + + in the requests become fixable. v1GetCertExpiryComponent: type: string enum: - UNKNOWN - CENTRAL - SCANNER + - SCANNER_V4 + - CENTRAL_DB default: UNKNOWN v1GetCertExpiryResponse: type: object 
@@ -10587,19 +14326,46 @@ components: v1SuppressCVERequest: type: object properties: - ids: + cves: type: array items: type: string + description: >- + These are (NVD) vulnerability identifiers, `cve` field of + `storage.CVE`, and *not* the `id` field. + + For example, CVE-2021-44832. duration: type: string + description: >- + In JSON format, the Duration type is encoded as a string rather than + an object, + + where the string ends in the suffix "s" (indicating seconds) and is + preceded by the number of seconds, + + with nanoseconds expressed as fractional seconds. + + For example, 3 seconds with 0 nanoseconds should be encoded in JSON + format as "3s", + + while 3 seconds and 1 nanosecond should be expressed in JSON format + as "3.000000001s", + + and 3 seconds and 1 microsecond should be expressed in JSON format + as "3.000001s". v1UnsuppressCVERequest: type: object properties: - ids: + cves: type: array items: type: string + description: >- + These are (NVD) vulnerability identifiers, `cve` field of + `storage.CVE`, and *not* the `id` field. + + For example, CVE-2021-44832. DBExportManifestEncodingType: type: string enum: @@ -10607,7 +14373,9 @@ components: - UNCOMPREESSED - DEFLATED default: UNKNOWN - description: The encoding of the file data in the restore body, usually for compression purposes. + description: >- + The encoding of the file data in the restore body, usually for + compression purposes. DBRestoreProcessStatusResumeInfo: type: object properties: 
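Review bot: The rename of `ids` to `cves` in v1SuppressCVERequest and v1UnsuppressCVERequest changes the request wire format, and the new description states the values must be the `cve` field of storage.CVE and not the `id` field, so a caller that keeps the old key, or keeps sending ids under the new key, would presumably have its list silently dropped or matched against nothing. Any client code in this repository that drives the suppress/unsuppress endpoints should be checked for both the key and the value it sends; those callers are not visible in this diff. Adding `required: - cves` to both schemas would make a missing list fail validation instead of being accepted as an empty request.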
@@ -10624,9 +14392,12 @@ components: type: string format: int64 description: The size of the file, in bytes. 0 if unknown. - description: |- - LocalFileInfo provides information about the file on the local machine of the user initiating the restore - process, in order to provide information to other users about ongoing restore processes. + description: >- + LocalFileInfo provides information about the file on the local machine + of the user initiating the restore + + process, in order to provide information to other users about ongoing + restore processes. v1DBExportFormat: type: object properties: @@ -10636,7 +14407,9 @@ components: type: array items: $ref: '#/components/schemas/v1DBExportFormatFile' - description: DBExportFormat describes a format (= a collection of files) for the database export. + description: >- + DBExportFormat describes a format (= a collection of files) for the + database export. v1DBExportFormatFile: type: object properties: 
@@ -10651,18 +14424,25 @@ components: type: array items: $ref: '#/components/schemas/v1DBExportManifestFile' - description: |- - A DB export manifest describes the file contents of a restore request. To prevent data loss, a manifest is always - interpreted as binding, i.e., the server must ensure that it will read and make use of every file listed in the + description: >- + A DB export manifest describes the file contents of a restore request. + To prevent data loss, a manifest is always + + interpreted as binding, i.e., the server must ensure that it will read + and make use of every file listed in the + manifest, otherwise it must reject the request. v1DBExportManifestFile: type: object properties: name: type: string - description: |- - The name of the file. This may or may not be a (relative) file path and up to the server to interpret. - For databases exported as ZIP files, this is the path relative to the root of the archive. + description: >- + The name of the file. This may or may not be a (relative) file path + and up to the server to interpret. + + For databases exported as ZIP files, this is the path relative to + the root of the archive. encoding: $ref: '#/components/schemas/DBExportManifestEncodingType' encodedSize: @@ -10691,8 +14471,10 @@ components: initiatingUserName: type: string description: The user who initiated the database restore process. - description: |- - The metadata of an ongoing or completed restore process. This is the *static* metadata, which will not change + description: >- + The metadata of an ongoing or completed restore process. This is the + *static* metadata, which will not change + (i.e., it is not a status). v1DBRestoreProcessStatus: type: object 
@@ -10707,12 +14489,15 @@ components: $ref: '#/components/schemas/DBRestoreProcessStatusResumeInfo' error: type: string + title: only populated when state is COMPLETED bytesRead: type: string format: int64 + title: Payload bytes read so far (approximate) filesProcessed: type: string format: int64 + title: Files processed so far (approximate) v1DBRestoreProcessStatusState: type: string enum: @@ -10722,6 +14507,7 @@ components: - PAUSED - COMPLETED default: UNKNOWN + title: '- COMPLETED: successful if error is empty, unsuccessful otherwise' v1DBRestoreRequestHeader: type: object properties: 
@@ -10834,173 +14620,556 @@ components: type: object additionalProperties: type: string - runtimeStreamError: + storageSetBasedLabelSelector: + type: object + properties: + requirements: + type: array + items: + $ref: '#/components/schemas/storageSetBasedLabelSelectorRequirement' + description: |- + SetBasedLabelSelector only allows set-based label requirements. + + Next available tag: 3 + storageSetBasedLabelSelectorOperator: + type: string + enum: + - UNKNOWN + - IN + - NOT_IN + - EXISTS + - NOT_EXISTS + default: UNKNOWN + storageSetBasedLabelSelectorRequirement: + type: object + properties: + key: + type: string + op: + $ref: '#/components/schemas/storageSetBasedLabelSelectorOperator' + values: + type: array + items: + type: string + title: 'Next available tag: 4' + v1AuthorizationTraceResponse: + type: object + properties: + arrivedAt: + type: string + format: date-time + processedAt: + type: string + format: date-time + request: + $ref: '#/components/schemas/v1AuthorizationTraceResponseRequest' + response: + $ref: '#/components/schemas/v1AuthorizationTraceResponseResponse' + user: + $ref: '#/components/schemas/v1AuthorizationTraceResponseUser' + trace: + $ref: '#/components/schemas/AuthorizationTraceResponseTrace' + v1AuthorizationTraceResponseRequest: + type: object + properties: + endpoint: + type: string + method: + type: string + v1AuthorizationTraceResponseResponse: + type: object + properties: + status: + $ref: '#/components/schemas/AuthorizationTraceResponseResponseStatus' + error: + type: string + v1AuthorizationTraceResponseUser: + type: object + properties: + username: + type: string + friendlyName: + type: string + aggregatedPermissions: + type: object + additionalProperties: + $ref: '#/components/schemas/storageAccess' + roles: + type: array + items: + $ref: '#/components/schemas/AuthorizationTraceResponseUserRole' + v1LogLevelRequest: + type: object + properties: + level: + type: string + modules: + type: array + items: + type: string + 
v1LogLevelResponse: + type: object + properties: + level: + type: string + moduleLevels: + type: array + items: + $ref: '#/components/schemas/v1ModuleLevel' + v1ModuleLevel: + type: object + properties: + module: + type: string + level: + type: string + storageDeclarativeConfigHealth: + type: object + properties: + id: + type: string + name: + type: string + status: + $ref: '#/components/schemas/storageDeclarativeConfigHealthStatus' + errorMessage: + type: string + resourceName: + type: string + resourceType: + $ref: '#/components/schemas/storageDeclarativeConfigHealthResourceType' + lastTimestamp: + type: string + format: date-time + description: Timestamp when the current status was set. + storageDeclarativeConfigHealthResourceType: + type: string + enum: + - CONFIG_MAP + - ACCESS_SCOPE + - PERMISSION_SET + - ROLE + - AUTH_PROVIDER + - GROUP + - NOTIFIER + default: CONFIG_MAP + storageDeclarativeConfigHealthStatus: + type: string + enum: + - UNHEALTHY + - HEALTHY + default: UNHEALTHY + v1GetDeclarativeConfigHealthsResponse: + type: object + properties: + healths: + type: array + items: + $ref: '#/components/schemas/storageDeclarativeConfigHealth' + DelegatedRegistryConfigDelegatedRegistry: + type: object + properties: + path: + type: string + title: 'Registry + optional path, ie: quay.example.com/prod' + clusterId: + type: string + title: ID of the cluster to delegate ad-hoc requests to + DelegatedRegistryConfigEnabledFor: + type: string + enum: + - NONE + - ALL + - SPECIFIC + default: NONE + title: >- + - NONE: Scan all images via central services except for images from the + OCP integrated registry + - ALL: Scan all images via the secured clusters + - SPECIFIC: Scan images that match `registries` or are from the OCP integrated registry via the secured clusters + otherwise scan via central services + v1DelegatedRegistryCluster: + type: object + properties: + id: + type: string + name: + type: string + isValid: + type: boolean + 
v1DelegatedRegistryClustersResponse: + type: object + properties: + clusters: + type: array + items: + $ref: '#/components/schemas/v1DelegatedRegistryCluster' + v1DelegatedRegistryConfig: + type: object + properties: + enabledFor: + $ref: '#/components/schemas/DelegatedRegistryConfigEnabledFor' + defaultClusterId: + type: string + title: >- + The default cluster to delegate ad-hoc requests to if no match found + in registries, not used + + if `enabled for` is NONE + registries: + type: array + items: + $ref: '#/components/schemas/DelegatedRegistryConfigDelegatedRegistry' + description: >- + If `enabled for` is NONE registries has no effect. + + + If `ALL` registries directs ad-hoc requests to the specified secured + clusters if the path matches. + + + If `SPECIFIC` registries directs ad-hoc requests to the specified + secured clusters just like with `ALL`, + + but in addition images that match the specified paths will be + scanned locally by the secured clusters + + (images from the OCP integrated registry are always scanned + locally). Images that do not match a path + + will be scanned via central services + description: >- + DelegatedRegistryConfig determines if and where scan requests are + delegated to, such as kept in + + central services or sent to particular secured clusters. + ContainerConfigEnvironmentConfig: + type: object + properties: + key: + type: string + value: + type: string + envVarSource: + $ref: '#/components/schemas/EnvironmentConfigEnvVarSource' + ContainerNameAndBaselineStatusBaselineStatus: + type: string + enum: + - INVALID + - NOT_GENERATED + - UNLOCKED + - LOCKED + default: INVALID + description: ' - NOT_GENERATED: In current implementation, this is a temporary condition.' 
+ DeploymentLabelsResponseLabelValues: + type: object + properties: + values: + type: array + items: + type: string + EnvironmentConfigEnvVarSource: + type: string + enum: + - UNSET + - RAW + - SECRET_KEY + - CONFIG_MAP_KEY + - FIELD + - RESOURCE_FIELD + - UNKNOWN + default: UNSET + title: >- + For any update to EnvVarSource, please also update + 'ui/src/messages/common.js' + ListDeploymentsWithProcessInfoResponseDeploymentWithProcessInfo: + type: object + properties: + deployment: + $ref: '#/components/schemas/storageListDeployment' + baselineStatuses: + type: array + items: + $ref: '#/components/schemas/storageContainerNameAndBaselineStatus' + PortConfigExposureInfo: + type: object + properties: + level: + $ref: '#/components/schemas/PortConfigExposureLevel' + serviceName: + type: string + title: only set if level is not HOST + serviceId: + type: string + serviceClusterIp: + type: string + servicePort: + type: integer + format: int32 + nodePort: + type: integer + format: int32 + title: only set if level is HOST, NODE, EXTERNAL or ROUTE + externalIps: + type: array + items: + type: string + title: only set if level is EXTERNAL + externalHostnames: + type: array + items: + type: string + title: only set if level is EXTERNAL or ROUTE + PortConfigExposureLevel: + type: string + enum: + - UNSET + - EXTERNAL + - NODE + - INTERNAL + - HOST + - ROUTE + default: UNSET + ResultFactor: type: object properties: - grpcCode: - type: integer - format: int32 - httpCode: - type: integer - format: int32 message: type: string - httpStatus: + url: type: string - details: - type: array - items: - $ref: '#/components/schemas/protobufAny' - storageSetBasedLabelSelector: + SeccompProfileProfileType: + type: string + enum: + - UNCONFINED + - RUNTIME_DEFAULT + - LOCALHOST + default: UNCONFINED + SecurityContextSELinux: type: object properties: - requirements: - type: array - items: - $ref: '#/components/schemas/storageSetBasedLabelSelectorRequirement' - description: |- - 
SetBasedLabelSelector only allows set-based label requirements. - - Next available tag: 3 - storageSetBasedLabelSelectorOperator: + user: + type: string + role: + type: string + type: + type: string + level: + type: string + SecurityContextSeccompProfile: + type: object + properties: + type: + $ref: '#/components/schemas/SeccompProfileProfileType' + localhostProfile: + type: string + VolumeMountPropagation: type: string enum: - - UNKNOWN - - IN - - NOT_IN - - EXISTS - - NOT_EXISTS - default: UNKNOWN - storageSetBasedLabelSelectorRequirement: + - NONE + - HOST_TO_CONTAINER + - BIDIRECTIONAL + default: NONE + storageContainer: type: object properties: - key: + id: type: string - op: - $ref: '#/components/schemas/storageSetBasedLabelSelectorOperator' - values: + config: + $ref: '#/components/schemas/storageContainerConfig' + image: + $ref: '#/components/schemas/storageContainerImage' + securityContext: + $ref: '#/components/schemas/storageSecurityContext' + volumes: type: array items: - type: string - title: 'Next available tag: 4' - v1AuthorizationTraceResponse: + $ref: '#/components/schemas/storageVolume' + ports: + type: array + items: + $ref: '#/components/schemas/storagePortConfig' + title: Policies use the port config on the top-level deployment. 
+ secrets: + type: array + items: + $ref: '#/components/schemas/storageEmbeddedSecret' + resources: + $ref: '#/components/schemas/storageResources' + name: + type: string + livenessProbe: + $ref: '#/components/schemas/storageLivenessProbe' + readinessProbe: + $ref: '#/components/schemas/storageReadinessProbe' + storageContainerConfig: type: object properties: - arrivedAt: - type: string - format: date-time - processedAt: + env: + type: array + items: + $ref: '#/components/schemas/ContainerConfigEnvironmentConfig' + command: + type: array + items: + type: string + args: + type: array + items: + type: string + directory: type: string - format: date-time - request: - $ref: '#/components/schemas/v1AuthorizationTraceResponseRequest' - response: - $ref: '#/components/schemas/v1AuthorizationTraceResponseResponse' user: - $ref: '#/components/schemas/v1AuthorizationTraceResponseUser' - trace: - $ref: '#/components/schemas/AuthorizationTraceResponseTrace' - v1AuthorizationTraceResponseRequest: - type: object - properties: - endpoint: type: string - method: + uid: type: string - v1AuthorizationTraceResponseResponse: + format: int64 + appArmorProfile: + type: string + storageContainerNameAndBaselineStatus: type: object properties: - status: - $ref: '#/components/schemas/AuthorizationTraceResponseResponseStatus' - error: + containerName: type: string - v1AuthorizationTraceResponseUser: + baselineStatus: + $ref: '#/components/schemas/ContainerNameAndBaselineStatusBaselineStatus' + anomalousProcessesExecuted: + type: boolean + description: |- + `ContainerNameAndBaselineStatus` represents a cached result + of process evaluation on a specific container name. 
+ storageDeployment: type: object properties: - username: + id: type: string - friendlyName: + name: type: string - aggregatedPermissions: + hash: + type: string + format: uint64 + type: + type: string + namespace: + type: string + namespaceId: + type: string + orchestratorComponent: + type: boolean + replicas: + type: string + format: int64 + labels: type: object additionalProperties: - $ref: '#/components/schemas/storageAccess' - roles: + type: string + podLabels: + type: object + additionalProperties: + type: string + labelSelector: + $ref: '#/components/schemas/storageLabelSelector' + created: + type: string + format: date-time + clusterId: + type: string + clusterName: + type: string + containers: type: array items: - $ref: '#/components/schemas/AuthorizationTraceResponseUserRole' - v1LogLevelRequest: - type: object - properties: - level: + $ref: '#/components/schemas/storageContainer' + annotations: + type: object + additionalProperties: + type: string + priority: type: string - modules: + format: int64 + inactive: + type: boolean + imagePullSecrets: type: array items: type: string - v1LogLevelResponse: - type: object - properties: - level: + serviceAccount: type: string - moduleLevels: + serviceAccountPermissionLevel: + $ref: '#/components/schemas/storagePermissionLevel' + automountServiceAccountToken: + type: boolean + hostNetwork: + type: boolean + hostPid: + type: boolean + hostIpc: + type: boolean + runtimeClass: + type: string + tolerations: type: array items: - $ref: '#/components/schemas/v1ModuleLevel' - v1ModuleLevel: + $ref: '#/components/schemas/storageToleration' + ports: + type: array + items: + $ref: '#/components/schemas/storagePortConfig' + stateTimestamp: + type: string + format: int64 + title: Internal use only + riskScore: + type: number + format: float + platformComponent: + type: boolean + title: 'Next available tag: 36' + storageEmbeddedSecret: type: object properties: - module: + name: type: string - level: + path: type: string - 
ContainerNameAndBaselineStatusBaselineStatus: + storageLabelSelector: + type: object + properties: + matchLabels: + type: object + additionalProperties: + type: string + description: |- + This is actually a oneof, but we can't make it one due to backwards + compatibility constraints. + requirements: + type: array + items: + $ref: '#/components/schemas/storageLabelSelectorRequirement' + description: 'Next available tag: 3' + title: |- + Label selector components are joined with logical AND, see + https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + storageLabelSelectorOperator: type: string enum: - - INVALID - - NOT_GENERATED - - UNLOCKED - - LOCKED - default: INVALID - DeploymentLabelsResponseLabelValues: + - UNKNOWN + - IN + - NOT_IN + - EXISTS + - NOT_EXISTS + default: UNKNOWN + storageLabelSelectorRequirement: type: object properties: + key: + type: string + op: + $ref: '#/components/schemas/storageLabelSelectorOperator' values: type: array items: type: string - ListDeploymentsWithProcessInfoResponseDeploymentWithProcessInfo: - type: object - properties: - deployment: - $ref: '#/components/schemas/storageListDeployment' - whitelistStatuses: - type: array - items: - $ref: '#/components/schemas/storageContainerNameAndBaselineStatus' - baselineStatuses: - type: array - items: - $ref: '#/components/schemas/storageContainerNameAndBaselineStatus' - ResultFactor: - type: object - properties: - message: - type: string - url: - type: string - storageContainerNameAndBaselineStatus: - type: object - properties: - containerName: - type: string - baselineStatus: - $ref: '#/components/schemas/ContainerNameAndBaselineStatusBaselineStatus' - anomalousProcessesExecuted: - type: boolean - description: |- - `ContainerNameAndBaselineStatus` represents a cached result - of process evaluation on a specific container name. + title: 'Next available tag: 4' storageListDeployment: type: object properties: 
@@ -11024,6 +15193,65 @@ components: type: string format: int64 title: 'Next available tag: 9' + storageLivenessProbe: + type: object + properties: + defined: + type: boolean + storagePermissionLevel: + type: string + enum: + - UNSET + - NONE + - DEFAULT + - ELEVATED_IN_NAMESPACE + - ELEVATED_CLUSTER_WIDE + - CLUSTER_ADMIN + default: UNSET + title: |- + For any update to PermissionLevel, also update: + - pkg/searchbasedpolicies/builders/k8s_rbac.go + - ui/src/messages/common.js + storagePortConfig: + type: object + properties: + name: + type: string + containerPort: + type: integer + format: int32 + protocol: + type: string + exposure: + $ref: '#/components/schemas/PortConfigExposureLevel' + exposedPort: + type: integer + format: int32 + exposureInfos: + type: array + items: + $ref: '#/components/schemas/PortConfigExposureInfo' + title: 'Next Available Tag: 6' + storageReadinessProbe: + type: object + properties: + defined: + type: boolean + storageResources: + type: object + properties: + cpuCoresRequest: + type: number + format: float + cpuCoresLimit: + type: number + format: float + memoryMbRequest: + type: number + format: float + memoryMbLimit: + type: number + format: float storageRisk: type: object properties: 
@@ -11075,6 +15303,68 @@ components: - SERVICEACCOUNT default: UNKNOWN title: 'Next tag: 9' + storageSecurityContext: + type: object + properties: + privileged: + type: boolean + selinux: + $ref: '#/components/schemas/SecurityContextSELinux' + dropCapabilities: + type: array + items: + type: string + addCapabilities: + type: array + items: + type: string + readOnlyRootFilesystem: + type: boolean + seccompProfile: + $ref: '#/components/schemas/SecurityContextSeccompProfile' + allowPrivilegeEscalation: + type: boolean + storageTaintEffect: + type: string + enum: + - UNKNOWN_TAINT_EFFECT + - NO_SCHEDULE_TAINT_EFFECT + - PREFER_NO_SCHEDULE_TAINT_EFFECT + - NO_EXECUTE_TAINT_EFFECT + default: UNKNOWN_TAINT_EFFECT + storageToleration: + type: object + properties: + key: + type: string + operator: + $ref: '#/components/schemas/storageTolerationOperator' + value: + type: string + taintEffect: + $ref: '#/components/schemas/storageTaintEffect' + storageTolerationOperator: + type: string + enum: + - TOLERATION_OPERATION_UNKNOWN + - TOLERATION_OPERATOR_EXISTS + - TOLERATION_OPERATOR_EQUAL + default: TOLERATION_OPERATION_UNKNOWN + storageVolume: + type: object + properties: + name: + type: string + source: + type: string + destination: + type: string + readOnly: + type: boolean + type: + type: string + mountPropagation: + $ref: '#/components/schemas/VolumeMountPropagation' v1CountDeploymentsResponse: type: object properties: @@ -11092,6 +15382,11 @@ components: type: array items: type: string + v1ExportDeploymentResponse: + type: object + properties: + deployment: + $ref: '#/components/schemas/storageDeployment' v1GetDeploymentWithRiskResponse: type: object properties: @@ -11112,7 +15407,8 @@ components: deployments: type: array items: - $ref: '#/components/schemas/ListDeploymentsWithProcessInfoResponseDeploymentWithProcessInfo' + $ref: >- + #/components/schemas/ListDeploymentsWithProcessInfoResponseDeploymentWithProcessInfo DeployDetectionResponseRun: type: object properties: 
@@ -11135,6 +15431,8 @@ components: type: boolean sendNotifications: type: boolean + force: + type: boolean policyCategories: type: array items: @@ -11142,6 +15440,16 @@ components: cluster: type: string description: Cluster to delegate scan to, may be the cluster's name or ID. + namespace: + type: string + description: >- + Namespace on the secured cluster from which to read context + information + + when delegating image scans, specifically pull secrets to access the + image + + registry. v1BuildDetectionResponse: type: object properties: @@ -11149,6 +15457,17 @@ components: type: array items: $ref: '#/components/schemas/storageAlert' + v1DeployDetectionRemark: + type: object + properties: + name: + type: string + permissionLevel: + type: string + appliedNetworkPolicies: + type: array + items: + type: string v1DeployDetectionRequest: type: object properties: 
@@ -11171,20 +15490,157 @@ components: type: array items: type: string - description: 'The reference will be in the format: namespace/name[/, Kind=].' - v1DeployYAMLDetectionRequest: + description: >- + The reference will be in the format: + namespace/name[/, Kind=]. + remarks: + type: array + items: + $ref: '#/components/schemas/v1DeployDetectionRemark' + v1DeployYAMLDetectionRequest: + type: object + properties: + yaml: + type: string + noExternalMetadata: + type: boolean + enforcementOnly: + type: boolean + force: + type: boolean + policyCategories: + type: array + items: + type: string + cluster: + type: string + description: Cluster to delegate scan to, may be the cluster's name or ID. + namespace: + type: string + DiscoveredClusterMetadataType: + type: string + enum: + - UNSPECIFIED + - AKS + - ARO + - EKS + - GKE + - OCP + - OSD + - ROSA + default: UNSPECIFIED + MetadataProviderType: + type: string + enum: + - PROVIDER_TYPE_UNSPECIFIED + - PROVIDER_TYPE_AWS + - PROVIDER_TYPE_GCP + - PROVIDER_TYPE_AZURE + default: PROVIDER_TYPE_UNSPECIFIED + v1CountDiscoveredClustersResponse: + type: object + properties: + count: + type: integer + format: int32 + v1DiscoveredCluster: + type: object + properties: + id: + type: string + description: >- + UUIDv5 generated deterministically from the tuple (metadata.id, + metadata.type, source.id). + metadata: + $ref: '#/components/schemas/v1DiscoveredClusterMetadata' + status: + $ref: '#/components/schemas/v1DiscoveredClusterStatus' + source: + $ref: '#/components/schemas/v1DiscoveredClusterCloudSource' + description: DiscoveredCluster represents a cluster discovered from a cloud source. + v1DiscoveredClusterCloudSource: + type: object + properties: + id: + type: string + v1DiscoveredClusterMetadata: + type: object + properties: + id: + type: string + description: >- + Represents a unique ID under which the cluster is registered with + the + + cloud provider. Matches storage.ClusterMetadata.id for secured + clusters. 
+ name: + type: string + description: >- + Represents the name under which the cluster is registered with the + + cloud provider. Matches storage.ClusterMetadata.name for secured + clusters. + type: + $ref: '#/components/schemas/DiscoveredClusterMetadataType' + providerType: + $ref: '#/components/schemas/MetadataProviderType' + region: + type: string + description: The region as reported by the cloud provider. + firstDiscoveredAt: + type: string + format: date-time + description: >- + Timestamp at which the cluster was first discovered by the cloud + source. + v1DiscoveredClusterStatus: + type: string + enum: + - STATUS_UNSPECIFIED + - STATUS_SECURED + - STATUS_UNSECURED + default: STATUS_UNSPECIFIED + description: |2- + - STATUS_UNSPECIFIED: The status of the cluster is unknown. May occur if a secured cluster + is missing the metadata for a possible match. + - STATUS_SECURED: The discovered cluster was matched with a secured cluster. + - STATUS_UNSECURED: The discovered cluster was not matched with a secured cluster. + v1DiscoveredClustersFilter: + type: object + properties: + names: + type: array + items: + type: string + description: Matches discovered clusters of specific names. + types: + type: array + items: + $ref: '#/components/schemas/DiscoveredClusterMetadataType' + description: Matches discovered clusters of specific types. + statuses: + type: array + items: + $ref: '#/components/schemas/v1DiscoveredClusterStatus' + description: Matches discovered clusters of specific statuses. + sourceIds: + type: array + items: + type: string + description: Matches discovered clusters of specific cloud source IDs. 
+ v1GetDiscoveredClusterResponse: type: object properties: - yaml: - type: string - noExternalMetadata: - type: boolean - enforcementOnly: - type: boolean - policyCategories: + cluster: + $ref: '#/components/schemas/v1DiscoveredCluster' + v1ListDiscoveredClustersResponse: + type: object + properties: + clusters: type: array items: - type: string + $ref: '#/components/schemas/v1DiscoveredCluster' v1FeatureFlag: type: object properties: @@ -11213,20 +15669,28 @@ components: storageGroupProperties: type: object properties: + id: + type: string + description: Unique identifier for group properties and respectively the group. + traits: + $ref: '#/components/schemas/storageTraits' authProviderId: type: string key: type: string value: type: string - description: |- - GroupProperties defines the properties of a unique group. - Groups apply to users when their properties match. For instance: - If the GroupProperties on has a auth_provider_id, then that group applies to all users logged in - with that auth provider. If it has a claim key, then it applies to all users with that auth provider - and claim key, etc. - This can be used to create default groups/roles for All source provider (no fields set), a specific - auth provider (only auth_provider_id field set) etc. + description: >- + GroupProperties defines the properties of a group. Groups apply to users + when + + their properties match. For instance: + - If GroupProperties has only an auth_provider_id, then that group applies + to all users logged in with that auth provider. + - If GroupProperties in addition has a claim key, then it applies to all + users with that auth provider and the claim key, etc. + Note: Changes to GroupProperties may require changes to + v1.DeleteGroupRequest. v1GetGroupsResponse: type: object properties: 
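Review bot: `namespace` on v1DeployYAMLDetectionRequest is added without a description, while the same field added in the earlier hunk `@@ -11142,6 +15440,16 @@` documents that it selects the secured-cluster namespace whose pull secrets are used for delegated image scans. Because that value decides which credentials are read on the secured cluster, the field should carry the same text here: `description: Namespace on the secured cluster from which to read context information when delegating image scans, specifically pull secrets to access the image registry.` If the spec is generated from proto comments, the comment is missing on the proto field rather than here.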
@@ -11244,20 +15708,126 @@ components: type: array items: $ref: '#/components/schemas/storageGroup' - description: |- + description: >- Previous groups are the groups expected to be present in the store. - Performs a diff on the GroupProperties present in previous_groups and required_groups: + + Performs a diff on the GroupProperties present in previous_groups + and required_groups: + 1) if in previous_groups but not required_groups, it gets deleted. + 2) if in previous_groups and required_groups, it gets updated. + 3) if not in previous_groups but in required_groups, it gets added. requiredGroups: type: array items: $ref: '#/components/schemas/storageGroup' - description: Required groups are the groups we want to mutate the previous groups into. - title: |- - GroupBatchUpdateRequest is an in transaction batch update to the groups present. + description: >- + Required groups are the groups we want to mutate the previous groups + into. + force: + type: boolean + title: >- + GroupBatchUpdateRequest is an in transaction batch update to the groups + present. + Next Available Tag: 3 + v1Preferences: + type: object + properties: + maxGrpcReceiveSizeBytes: + type: string + format: uint64 + imageSBOMRequest: + type: object + properties: + imageName: + type: string + description: Image name and reference. (e.g. nginx:latest or nginx@sha256:...) + force: + type: boolean + description: >- + Bypass Central's cache for the image and force a new pull from the + Scanner + default: false + required: + - imageName + SBOM-SPDX23-Document: + description: >- + SPDX 2.3 document, refer to https://spdx.github.io/spdx-spec/v2.3/ for + more details. 
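Review bot: The new `description: >-` on storageGroupProperties has a blank line right after `Groups apply to users when`, and in a folded scalar a blank line is a hard newline, so the rendered text breaks mid-sentence ("...apply to users when" / "their properties match. ..."); the `- If GroupProperties ...` bullet lines that follow are at the same indent and therefore fold into one run-on line instead of staying a list. The same stray blank lines appear in the storageImage `names` description at hunk `@@ -11672` (after "associated with") and in the v1 `namespace` description at hunk `@@ -11973` (after "context information" and after "access the image"). Since the file appears to be generated from proto comments, the fix belongs in the source comments or the YAML conversion step; the intended rendering for this one is `Groups apply to users when their properties match. For instance:` followed by the two bullets on their own lines (a literal `|-` block rather than `>-`).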
+ type: object + properties: + spdxVersion: + type: string + example: SPDX-2.3 + dataLicense: + type: string + example: CC0-1.0 + SPDXID: + type: string + example: SPDXRef-DOCUMENT + name: + type: string + example: >- + sha256:2107993405718600b5e53aae90c78647eff44086e6605862fc69389a4f9d1a09 + documentNamespace: + type: string + example: >- + https://quay.io/rhacs-eng/scanner-v4-665956d1-21dc-4f7c-ae96-48f7cdd460ff + creationInfo: + type: object + properties: + created: + type: string + example: '2025-02-18T16:33:54Z' + creators: + type: array + items: + type: string + example: + - 'Tool: Claircore-' + - 'Tool: scanner-v4-matcher-' + packages: + type: array + items: + type: object + properties: + SPDXID: + example: SPDXRef-Package- + name: + type: string + example: example-package + versionInfo: + type: string + example: example-version + packageFileName: + type: string + example: path/to/example/file + downloadLocation: + type: string + example: NOASSERTION + filesAnalyzed: + type: boolean + example: true + primaryPackagePurpose: + type: string + example: APPLICATION + relationships: + type: array + items: + type: object + properties: + spdxElementId: + type: string + example: SPDXRef-Package- + relatedSpdxElement: + type: string + example: SPDXRef-Repository- + relationshipType: + type: string + example: CONTAINED_BY ECRConfigAuthorizationData: type: object properties: 
@@ -11272,7 +15842,111 @@ components: An authorization data represents the IAM authentication credentials and can be used to access any Amazon ECR registry that the IAM principal has access to. - storageAnchoreConfig: + ImageIntegrationServicePutImageIntegrationBody: + type: object + properties: + name: + type: string + type: + type: string + categories: + type: array + items: + $ref: '#/components/schemas/storageImageIntegrationCategory' + clairify: + $ref: '#/components/schemas/storageClairifyConfig' + scannerV4: + $ref: '#/components/schemas/storageScannerV4Config' + docker: + $ref: '#/components/schemas/storageDockerConfig' + quay: + $ref: '#/components/schemas/storageQuayConfig' + ecr: + $ref: '#/components/schemas/storageECRConfig' + google: + $ref: '#/components/schemas/storageGoogleConfig' + clair: + $ref: '#/components/schemas/storageClairConfig' + clairV4: + $ref: '#/components/schemas/storageClairV4Config' + ibm: + $ref: '#/components/schemas/storageIBMRegistryConfig' + azure: + $ref: '#/components/schemas/storageAzureConfig' + autogenerated: + type: boolean + clusterId: + type: string + skipTestIntegration: + type: boolean + source: + $ref: '#/components/schemas/storageImageIntegrationSource' + title: 'Next Tag: 25' + ImageIntegrationServiceUpdateImageIntegrationBody: + type: object + properties: + config: + type: object + properties: + name: + type: string + type: + type: string + categories: + type: array + items: + $ref: '#/components/schemas/storageImageIntegrationCategory' + clairify: + $ref: '#/components/schemas/storageClairifyConfig' + scannerV4: + $ref: '#/components/schemas/storageScannerV4Config' + docker: + $ref: '#/components/schemas/storageDockerConfig' + quay: + $ref: '#/components/schemas/storageQuayConfig' + ecr: + $ref: '#/components/schemas/storageECRConfig' + google: + $ref: '#/components/schemas/storageGoogleConfig' + clair: + $ref: '#/components/schemas/storageClairConfig' + clairV4: + $ref: 
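Review bot: In the SBOM-SPDX23-Document schema, `packages.items.properties.SPDXID` is declared with only `example: SPDXRef-Package-` and no `type`, whereas the document-level `SPDXID` and every sibling property carry `type: string`; an untyped property accepts any JSON value, so validators and generated clients will treat it as free-form. Add `type: string` above the example. The examples `SPDXRef-Package-`, `SPDXRef-Repository-` and `'Tool: Claircore-'` also end in a dangling hyphen, which looks like a truncated identifier or version suffix — if a suffix is appended at runtime, complete the example or state that it is a prefix.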
'#/components/schemas/storageClairV4Config' + ibm: + $ref: '#/components/schemas/storageIBMRegistryConfig' + azure: + $ref: '#/components/schemas/storageAzureConfig' + autogenerated: + type: boolean + clusterId: + type: string + skipTestIntegration: + type: boolean + source: + $ref: '#/components/schemas/storageImageIntegrationSource' + title: 'Next Tag: 25' + updatePassword: + type: boolean + description: >- + When false, use the stored credentials of an existing image + integration given its ID. + QuayConfigRobotAccount: + type: object + properties: + username: + type: string + password: + type: string + description: >- + The server will mask the value of this password in responses and + logs. + title: >- + Robot account is Quay's named tokens that can be granted permissions on + multiple repositories under an organization. + + It's Quay's recommended authentication model when possible (i.e. + registry integration) + storageAzureConfig: type: object properties: endpoint: @@ -11281,9 +15955,17 @@ components: type: string password: type: string - description: The password for the integration. The server will mask the value of this credential in responses and logs. - insecure: + description: >- + The password for the integration. The server will mask the value of + this credential in responses and logs. + wifEnabled: type: boolean + description: >- + Enables authentication with short-lived tokens using Azure managed + identities or Azure workload identities. + description: >- + Azure container registry configuration. Used by integrations of type + "azure". storageClairConfig: type: object properties: @@ -11291,6 +15973,13 @@ components: type: string insecure: type: boolean + storageClairV4Config: + type: object + properties: + endpoint: + type: string + insecure: + type: boolean storageClairifyConfig: type: object properties: 
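Review bot: `wifEnabled` on storageAzureConfig says what it enables but not how it interacts with the `username`/`password` fields above it, so a client setting `wifEnabled: true` cannot tell from the spec whether stored credentials are ignored, still required, or rejected. The `wifEnabled` added to storageGoogleConfig at hunk `@@ -11357` has no description at all, and the same question applies to its `serviceAccount` field. Suggest a sentence on both, adjusted to the actual behaviour, e.g. `When true, the username and password are not used; Central authenticates to the registry with the workload identity of its own pod.` and for Google `When true, serviceAccount is not used; ...`.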
@@ -11301,18 +15990,6 @@ components: numConcurrentScans: type: integer format: int32 - storageDTRConfig: - type: object - properties: - username: - type: string - password: - type: string - description: The password for the integration. The server will mask the value of this credential in responses and logs. - endpoint: - type: string - insecure: - type: boolean storageDockerConfig: type: object properties: @@ -11322,9 +15999,18 @@ components: type: string password: type: string - description: The password for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The password for the integration. The server will mask the value of + this credential in responses and logs. insecure: type: boolean + description: >- + Docker registry configuration. Used by integrations of type "docker" and + other docker compliant registries without dedicated configuration type. + + + Use of type "azure" with `DockerConfig` has been deprecated in 4.7. Use + `AzureConfig` instead. storageECRConfig: type: object properties: @@ -11332,10 +16018,14 @@ components: type: string accessKeyId: type: string - description: The access key ID for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The access key ID for the integration. The server will mask the + value of this credential in responses and logs. secretAccessKey: type: string - description: The secret access key for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The secret access key for the integration. The server will mask the + value of this credential in responses and logs. region: type: string useIam: 
@@ -11357,9 +16047,13 @@ components: type: string serviceAccount: type: string - description: The service account for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The service account for the integration. The server will mask the + value of this credential in responses and logs. project: type: string + wifEnabled: + type: boolean storageIBMRegistryConfig: type: object properties: @@ -11367,7 +16061,9 @@ components: type: string apiKey: type: string - description: The API key for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The API key for the integration. The server will mask the value of + this credential in responses and logs. storageImageIntegration: type: object properties: @@ -11381,33 +16077,35 @@ components: type: array items: $ref: '#/components/schemas/storageImageIntegrationCategory' - dtr: - $ref: '#/components/schemas/storageDTRConfig' clairify: $ref: '#/components/schemas/storageClairifyConfig' + scannerV4: + $ref: '#/components/schemas/storageScannerV4Config' docker: $ref: '#/components/schemas/storageDockerConfig' quay: $ref: '#/components/schemas/storageQuayConfig' ecr: $ref: '#/components/schemas/storageECRConfig' - tenable: - $ref: '#/components/schemas/storageTenableConfig' google: $ref: '#/components/schemas/storageGoogleConfig' clair: $ref: '#/components/schemas/storageClairConfig' - anchore: - $ref: '#/components/schemas/storageAnchoreConfig' + clairV4: + $ref: '#/components/schemas/storageClairV4Config' ibm: $ref: '#/components/schemas/storageIBMRegistryConfig' + azure: + $ref: '#/components/schemas/storageAzureConfig' autogenerated: type: boolean clusterId: type: string skipTestIntegration: type: boolean - title: 'Next Tag: 21' + source: + $ref: '#/components/schemas/storageImageIntegrationSource' + title: 'Next Tag: 25' storageImageIntegrationCategory: type: string enum: 
@@ -11415,10 +16113,21 @@ components: - SCANNER - NODE_SCANNER default: REGISTRY - description: |2- + description: >2- - NODE_SCANNER: Image and Node integrations are currently done on the same form in the UI so the image integration is also currently used for node integrations. - This decision was made because we currently only support one node scanner (our scanner). + + This decision was made because we currently only support one node + scanner (our scanner). + storageImageIntegrationSource: + type: object + properties: + clusterId: + type: string + namespace: + type: string + imagePullSecretName: + type: string storageQuayConfig: type: object properties: @@ -11426,18 +16135,24 @@ components: type: string oauthToken: type: string - description: The OAuth token for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The OAuth token for the integration. Required if this is a scanner + integration. The server will mask the value of this credential in + responses and logs. insecure: type: boolean - storageTenableConfig: + registryRobotCredentials: + $ref: '#/components/schemas/QuayConfigRobotAccount' + storageScannerV4Config: type: object properties: - accessKey: + numConcurrentScans: + type: integer + format: int32 + indexerEndpoint: type: string - description: The access key for the integration. The server will mask the value of this credential in responses and logs. - secretKey: + matcherEndpoint: type: string - description: The secret key for the integration. The server will mask the value of this credential in responses and logs. v1GetImageIntegrationsResponse: type: object properties: 
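Review bot: storageImageIntegrationSource is added with `clusterId`, `namespace` and `imagePullSecretName` but no descriptions, so a reader cannot tell that it presumably records which secured-cluster image pull secret an `autogenerated` integration was derived from (inferred from the field names and the `autogenerated`/`source` pairing in storageImageIntegration; confirm). Suggested descriptions: `clusterId: ID of the secured cluster the integration was discovered on.`, `namespace: Namespace of the image pull secret.`, `imagePullSecretName: Name of the image pull secret the credentials were read from.`. The v1ScanImageInternalRequestSource schema at hunk `@@ -11957` has the same bare fields, with `imagePullSecrets` as a list, and would benefit from the same wording.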
@@ -11452,7 +16167,59 @@ components: $ref: '#/components/schemas/storageImageIntegration' updatePassword: type: boolean - description: When false, use the stored credentials of an existing image integration given its ID. + description: >- + When false, use the stored credentials of an existing image + integration given its ID. + CVSSV2AccessComplexity: + type: string + enum: + - ACCESS_HIGH + - ACCESS_MEDIUM + - ACCESS_LOW + default: ACCESS_HIGH + CVSSV2Authentication: + type: string + enum: + - AUTH_MULTIPLE + - AUTH_SINGLE + - AUTH_NONE + default: AUTH_MULTIPLE + CVSSV3Complexity: + type: string + enum: + - COMPLEXITY_LOW + - COMPLEXITY_HIGH + default: COMPLEXITY_LOW + CVSSV3Privileges: + type: string + enum: + - PRIVILEGE_NONE + - PRIVILEGE_LOW + - PRIVILEGE_HIGH + default: PRIVILEGE_NONE + CVSSV3UserInteraction: + type: string + enum: + - UI_NONE + - UI_REQUIRED + default: UI_NONE + EmbeddedVulnerabilityVulnerabilityType: + type: string + enum: + - UNKNOWN_VULNERABILITY + - IMAGE_VULNERABILITY + - K8S_VULNERABILITY + - ISTIO_VULNERABILITY + - NODE_VULNERABILITY + - OPENSHIFT_VULNERABILITY + default: UNKNOWN_VULNERABILITY + EnvironmentList: + type: object + properties: + environments: + type: array + items: + $ref: '#/components/schemas/v4Environment' WatchImageResponseErrorType: type: string enum: @@ -11478,6 +16245,10 @@ components: type: array items: $ref: '#/components/schemas/scannerV1LanguageComponent' + rhelContentSets: + type: array + items: + type: string scannerV1Executable: type: object properties: 
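Review bot: storageScannerV4Config's `indexerEndpoint` and `matcherEndpoint` have no description and, unlike storageClairifyConfig and storageClairV4Config in this file, no `insecure` flag, so the spec does not say what protocol the endpoints use or how their TLS is validated; if TLS verification is always enforced for Scanner V4, saying so is worth a line. Suggested: `indexerEndpoint: Endpoint of the Scanner V4 Indexer (host:port).` and the matching line for the matcher, plus a note on certificate validation. The new `oauthToken` text "Required if this is a scanner integration" implies `registryRobotCredentials` is the alternative for registry-only integrations; state that on `registryRobotCredentials` so the two credential fields are not both supplied.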
@@ -11584,20 +16355,151 @@ components: type: string addedBy: type: string - executables: - type: array - items: - $ref: '#/components/schemas/scannerV1Executable' - scannerV1SourceType: + executables: + type: array + items: + $ref: '#/components/schemas/scannerV1Executable' + scannerV1SourceType: + type: string + enum: + - UNSET_SOURCE_TYPE + - JAVA + - PYTHON + - NPM + - GEM + - DOTNETCORERUNTIME + default: UNSET_SOURCE_TYPE + storageAdvisory: + type: object + properties: + name: + type: string + link: + type: string + storageCVSSScore: + type: object + properties: + source: + $ref: '#/components/schemas/storageSource' + url: + type: string + cvssv2: + $ref: '#/components/schemas/storageCVSSV2' + cvssv3: + $ref: '#/components/schemas/storageCVSSV3' + storageCVSSV2: + type: object + properties: + vector: + type: string + attackVector: + $ref: '#/components/schemas/storageCVSSV2AttackVector' + accessComplexity: + $ref: '#/components/schemas/CVSSV2AccessComplexity' + authentication: + $ref: '#/components/schemas/CVSSV2Authentication' + confidentiality: + $ref: '#/components/schemas/storageCVSSV2Impact' + integrity: + $ref: '#/components/schemas/storageCVSSV2Impact' + availability: + $ref: '#/components/schemas/storageCVSSV2Impact' + exploitabilityScore: + type: number + format: float + impactScore: + type: number + format: float + score: + type: number + format: float + severity: + $ref: '#/components/schemas/storageCVSSV2Severity' + storageCVSSV2AttackVector: + type: string + enum: + - ATTACK_LOCAL + - ATTACK_ADJACENT + - ATTACK_NETWORK + default: ATTACK_LOCAL + storageCVSSV2Impact: + type: string + enum: + - IMPACT_NONE + - IMPACT_PARTIAL + - IMPACT_COMPLETE + default: IMPACT_NONE + storageCVSSV2Severity: + type: string + enum: + - UNKNOWN + - LOW + - MEDIUM + - HIGH + default: UNKNOWN + storageCVSSV3: + type: object + properties: + vector: + type: string + exploitabilityScore: + type: number + format: float + impactScore: + type: number + format: float + 
attackVector: + $ref: '#/components/schemas/storageCVSSV3AttackVector' + attackComplexity: + $ref: '#/components/schemas/CVSSV3Complexity' + privilegesRequired: + $ref: '#/components/schemas/CVSSV3Privileges' + userInteraction: + $ref: '#/components/schemas/CVSSV3UserInteraction' + scope: + $ref: '#/components/schemas/storageCVSSV3Scope' + confidentiality: + $ref: '#/components/schemas/storageCVSSV3Impact' + integrity: + $ref: '#/components/schemas/storageCVSSV3Impact' + availability: + $ref: '#/components/schemas/storageCVSSV3Impact' + score: + type: number + format: float + severity: + $ref: '#/components/schemas/storageCVSSV3Severity' + storageCVSSV3AttackVector: type: string enum: - - UNSET_SOURCE_TYPE - - JAVA - - PYTHON - - NPM - - GEM - - DOTNETCORERUNTIME - default: UNSET_SOURCE_TYPE + - ATTACK_LOCAL + - ATTACK_ADJACENT + - ATTACK_NETWORK + - ATTACK_PHYSICAL + default: ATTACK_LOCAL + storageCVSSV3Impact: + type: string + enum: + - IMPACT_NONE + - IMPACT_LOW + - IMPACT_HIGH + default: IMPACT_NONE + storageCVSSV3Scope: + type: string + enum: + - UNCHANGED + - CHANGED + default: UNCHANGED + storageCVSSV3Severity: + type: string + enum: + - UNKNOWN + - NONE + - LOW + - MEDIUM + - HIGH + - CRITICAL + default: UNKNOWN storageCosignSignature: type: object properties: @@ -11607,6 +16509,15 @@ components: signaturePayload: type: string format: byte + certPem: + type: string + format: byte + certChainPem: + type: string + format: byte + rekorBundle: + type: string + format: byte storageDataSource: type: object properties: @@ -11614,6 +16525,20 @@ components: type: string name: type: string + mirror: + type: string + storageEPSS: + type: object + properties: + epssProbability: + type: number + format: float + epssPercentile: + type: number + format: float + title: >- + EPSS Score stores two epss metrics returned by scanner - epss + probability and epss percentile storageEmbeddedImageScanComponent: type: object properties: 
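Review bot: `certPem`, `certChainPem` and `rekorBundle` are added to storageCosignSignature as `type: string, format: byte` with no description. `format: byte` means base64 in OpenAPI, and PEM is already text, so the spec should state whether the value is the base64 of the PEM bytes or the PEM itself, and what `rekorBundle` contains (presumably the transparency-log bundle that accompanies a keyless cosign signature — confirm); consumers that verify signatures from these fields depend on the exact encoding. Suggested: `certPem: Base64-encoded PEM certificate attached to the signature (keyless signing).`, `certChainPem: Base64-encoded PEM chain for certPem.`, `rekorBundle: Base64-encoded Rekor bundle attached to the signature, if any.`.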
@@ -11645,13 +16570,19 @@ components: format: float fixedBy: type: string - description: Component version that fixes all the fixable vulnerabilities in this component. + description: >- + Component version that fixes all the fixable vulnerabilities in this + component. executables: type: array items: $ref: '#/components/schemas/storageEmbeddedImageScanComponentExecutable' - title: Values are cleared after moving to cache, remove them from the grpc return as well - title: 'Next Tag: 13' + title: >- + Values are cleared after moving to cache, remove them from the grpc + return as well + architecture: + type: string + title: 'Next Tag: 14' storageEmbeddedImageScanComponentExecutable: type: object properties: 
@@ -11661,6 +16592,83 @@ components: type: array items: type: string + storageEmbeddedVulnerability: + type: object + properties: + cve: + type: string + advisory: + $ref: '#/components/schemas/storageAdvisory' + cvss: + type: number + format: float + summary: + type: string + link: + type: string + fixedBy: + type: string + scoreVersion: + $ref: '#/components/schemas/storageEmbeddedVulnerabilityScoreVersion' + cvssV2: + $ref: '#/components/schemas/storageCVSSV2' + cvssV3: + $ref: '#/components/schemas/storageCVSSV3' + publishedOn: + type: string + format: date-time + lastModified: + type: string + format: date-time + vulnerabilityType: + $ref: '#/components/schemas/EmbeddedVulnerabilityVulnerabilityType' + vulnerabilityTypes: + type: array + items: + $ref: '#/components/schemas/EmbeddedVulnerabilityVulnerabilityType' + suppressed: + type: boolean + suppressActivation: + type: string + format: date-time + suppressExpiry: + type: string + format: date-time + firstSystemOccurrence: + type: string + format: date-time + description: >- + Time when the CVE was first seen, for this specific distro, in the + system. + firstImageOccurrence: + type: string + format: date-time + description: Time when the CVE was first seen in this image. + severity: + $ref: '#/components/schemas/storageVulnerabilitySeverity' + state: + $ref: '#/components/schemas/storageVulnerabilityState' + cvssMetrics: + type: array + items: + $ref: '#/components/schemas/storageCVSSScore' + title: >- + cvss_metrics stores list of cvss scores from different sources like + nvd, Redhat etc + nvdCvss: + type: number + format: float + epss: + $ref: '#/components/schemas/storageEPSS' + title: 'Next Tag: 25' + storageEmbeddedVulnerabilityScoreVersion: + type: string + enum: + - V2 + - V3 + default: V2 + description: '- V2: No unset for automatic backwards compatibility' + title: ScoreVersion can be deprecated ROX-26066 storageImage: type: object properties: 
@@ -11672,6 +16680,14 @@ components: type: array items: $ref: '#/components/schemas/storageImageName' + description: >- + This should deprecate the ImageName field long-term, allowing images + with the same digest to be associated with + + different locations. + + TODO(dhaus): For now, this message will be without search tags due + to duplicated search tags otherwise. metadata: $ref: '#/components/schemas/storageImageMetadata' scan: @@ -11709,7 +16725,7 @@ components: type: array items: $ref: '#/components/schemas/storageImageNote' - title: 'Next Tag: 18' + title: 'Next Tag: 19' storageImageLayer: type: object properties: @@ -11735,16 +16751,21 @@ components: type: array items: type: string - title: We never need both sets of layers so consolidate them. They will be ordered by oldest->newest + title: >- + We never need both sets of layers so consolidate them. They will be + ordered by oldest->newest dataSource: $ref: '#/components/schemas/storageDataSource' version: type: string format: uint64 title: Version is used to determine if the metadata needs to be re-pulled - title: |- - If any fields of ImageMetadata are modified including subfields, please check pkg/images/enricher/metadata.go + title: >- + If any fields of ImageMetadata are modified including subfields, please + check pkg/images/enricher/metadata.go + to ensure that those changes will be automatically picked up + Next Tag: 6 storageImageNote: type: string @@ -11774,7 +16795,10 @@ components: type: array items: $ref: '#/components/schemas/storageImageScanNote' - title: 'Next tag: 7' + hash: + type: string + format: uint64 + title: 'Next tag: 8' storageImageScanNote: type: string enum: 
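Review bot: In storageEmbeddedVulnerability, `suppressed`, `suppressActivation`, `suppressExpiry` and `state` (OBSERVED/DEFERRED/FALSE_POSITIVE) all describe the same deferral concept, but nothing says which is authoritative or whether `suppressed` is simply `state != OBSERVED`; clients building exception or compliance reports will have to guess. Document the relationship on `suppressed`, e.g. `suppressed: Boolean view of state; true when the vulnerability is deferred or marked false positive. Prefer state.` — adjusted to what the server actually sets. Likewise `cvss`, `nvdCvss` and `cvssMetrics` coexist without saying which source `cvss` reflects; one sentence such as `cvss: Score from the primary source; per-source scores are in cvssMetrics.` would remove the ambiguity.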
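Review bot: The new `names` description on storageImage carries a developer TODO with an owner handle (`TODO(dhaus): For now, this message will be without search tags ...`) into the published API reference, where it has no meaning for API consumers. Keep the first sentence (`This should deprecate the ImageName field long-term, allowing images with the same digest to be associated with different locations.`) and drop the TODO from the exported text; if the reference is generated from proto comments, move the TODO to a comment form the generator does not emit.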
@@ -11811,13 +16835,24 @@ components: format: date-time verifierId: type: string - description: verifier_id correlates to the ID of the signature integration used to verify the signature. + description: >- + verifier_id correlates to the ID of the signature integration used + to verify the signature. status: $ref: '#/components/schemas/storageImageSignatureVerificationResultStatus' description: type: string - description: description is set in the case of an error with the specific error's message. Otherwise, this will not be set. - title: 'Next Tag: 5' + description: >- + description is set in the case of an error with the specific error's + message. Otherwise, this will not be set. + verifiedImageReferences: + type: array + items: + type: string + description: >- + The full image names that are verified by this specific signature + integration ID. + title: 'Next Tag: 6' storageImageSignatureVerificationResultStatus: type: string enum: @@ -11876,6 +16911,14 @@ components: properties: cosign: $ref: '#/components/schemas/storageCosignSignature' + storageSource: + type: string + enum: + - SOURCE_UNKNOWN + - SOURCE_RED_HAT + - SOURCE_OSV + - SOURCE_NVD + default: SOURCE_UNKNOWN storageSourceType: type: string enum: @@ -11884,6 +16927,7 @@ components: - JAVA - RUBY - NODEJS + - GO - DOTNETCORERUNTIME - INFRASTRUCTURE default: OS 
@@ -11924,6 +16968,27 @@ components: properties: digest: type: string + storageVulnerabilitySeverity: + type: string + enum: + - UNKNOWN_VULNERABILITY_SEVERITY + - LOW_VULNERABILITY_SEVERITY + - MODERATE_VULNERABILITY_SEVERITY + - IMPORTANT_VULNERABILITY_SEVERITY + - CRITICAL_VULNERABILITY_SEVERITY + default: UNKNOWN_VULNERABILITY_SEVERITY + storageVulnerabilityState: + type: string + enum: + - OBSERVED + - DEFERRED + - FALSE_POSITIVE + default: OBSERVED + description: >- + VulnerabilityState indicates if vulnerability is being observed or + deferred(/suppressed). By default, it vulnerabilities are observed. + + - OBSERVED: [Default state] storageWatchedImage: type: object properties: @@ -11943,6 +17008,11 @@ components: format: int64 dryRun: type: boolean + v1ExportImageResponse: + type: object + properties: + image: + $ref: '#/components/schemas/storageImage' v1GetWatchedImagesResponse: type: object properties: @@ -11957,6 +17027,17 @@ components: type: array items: $ref: '#/components/schemas/storageListImage' + v1ScanImageInternalRequestSource: + type: object + properties: + clusterId: + type: string + namespace: + type: string + imagePullSecrets: + type: array + items: + type: string v1ScanImageInternalResponse: type: object properties: 
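Review bot: The storageVulnerabilityState description reads `By default, it vulnerabilities are observed.` (stray "it"), and only `OBSERVED` gets an enum-value line even though `DEFERRED` and `FALSE_POSITIVE` are the values a consumer most needs explained. Suggest `By default, vulnerabilities are observed.` followed by `- DEFERRED: The vulnerability has an approved deferral and is excluded from ...` and `- FALSE_POSITIVE: The vulnerability has been marked as a false positive ...`, completed from the actual semantics; as with the rest of this file, the wording should be fixed in the proto source the reference is generated from.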
@@ -11973,30 +17054,150 @@ components: type: boolean cluster: type: string - description: Cluster to delegate scan to, may be the cluster's name or ID. - v1WatchImageRequest: + description: Cluster to delegate scan to, may be the cluster's name or ID. + namespace: + type: string + description: >- + Namespace on the secured cluster from which to read context + information + + when delegating image scans, specifically pull secrets to access the + image + + registry. + v1WatchImageRequest: + type: object + properties: + name: + type: string + description: |- + The name of the image. + This must be fully qualified, including a tag, + but must NOT include a SHA. + v1WatchImageResponse: + type: object + properties: + normalizedName: + type: string + title: >- + If the image was scanned successfully, this returns the normalized + name of the image. + + This depends on what we get from the registry. + + For example, "docker.io/wordpress:latest" -> + "docker.io/library/wordpress:latest" + errorType: + $ref: '#/components/schemas/WatchImageResponseErrorType' + errorMessage: + type: string + description: Only set if error_type is NOT equal to "NO_ERROR". 
+ v4Contents: + type: object + properties: + packages: + type: array + items: + $ref: '#/components/schemas/v4Package' + distributions: + type: array + items: + $ref: '#/components/schemas/v4Distribution' + repositories: + type: array + items: + $ref: '#/components/schemas/v4Repository' + environments: + type: object + additionalProperties: + $ref: '#/components/schemas/EnvironmentList' + v4Distribution: + type: object + properties: + id: + type: string + did: + type: string + name: + type: string + version: + type: string + versionCodeName: + type: string + versionId: + type: string + arch: + type: string + cpe: + type: string + prettyName: + type: string + v4Environment: + type: object + properties: + packageDb: + type: string + introducedIn: + type: string + distributionId: + type: string + repositoryIds: + type: array + items: + type: string + description: |- + Environment describes the surrounding environment a package was + discovered in. + v4NormalizedVersion: + type: object + properties: + kind: + type: string + v: + type: array + items: + type: integer + format: int32 + v4Package: type: object properties: + id: + type: string name: type: string - description: |- - The name of the image. - This must be fully qualified, including a tag, - but must NOT include a SHA. - v1WatchImageResponse: + version: + type: string + normalizedVersion: + $ref: '#/components/schemas/v4NormalizedVersion' + fixedInVersion: + type: string + kind: + type: string + source: + $ref: '#/components/schemas/v4Package' + packageDb: + type: string + repositoryHint: + type: string + module: + type: string + arch: + type: string + cpe: + type: string + v4Repository: type: object properties: - normalizedName: + id: type: string - title: |- - If the image was scanned successfully, this returns the normalized name of the image. - This depends on what we get from the registry. 
- For example, "docker.io/wordpress:latest" -> "docker.io/library/wordpress:latest" - errorType: - $ref: '#/components/schemas/WatchImageResponseErrorType' - errorMessage: + name: + type: string + key: + type: string + uri: + type: string + cpe: type: string - description: Only set if error_type is NOT equal to "NO_ERROR". storageIntegrationHealth: type: object properties: @@ -12028,6 +17229,7 @@ components: - IMAGE_INTEGRATION - NOTIFIER - BACKUP + - DECLARATIVE_CONFIG default: UNKNOWN v1GetIntegrationHealthResponse: type: object 
@@ -12042,149 +17244,105 @@ components: lastUpdatedTimestamp: type: string format: date-time - LicenseContact: - type: object - properties: - phone: - type: string - email: - type: string - url: - type: string - name: - type: string - LicenseRestrictions: + v1VulnDefinitionsInfoRequestComponent: + type: string + enum: + - SCANNER + - SCANNER_V4 + default: SCANNER + CentralServicesCapabilitiesCapabilityStatus: + type: string + enum: + - CapabilityAvailable + - CapabilityDisabled + default: CapabilityAvailable + description: >2- + - CapabilityAvailable: CapabilityAvailable means that UI and APIs should be available for users to use. + This does not automatically mean that the functionality is 100% + available and any calls to APIs will result + + in successful execution. Rather it means that users should be allowed to + leverage the functionality as + + opposed to CapabilityDisabled when functionality should be blocked. + - CapabilityDisabled: CapabilityDisabled means the corresponding UI should be disabled and attempts to use related APIs + should lead to errors. + DatabaseStatusDatabaseType: + type: string + enum: + - Hidden + - RocksDB + - PostgresDB + default: Hidden + MetadataLicenseStatus: + type: string + enum: + - NONE + - INVALID + - EXPIRED + - RESTARTING + - VALID + default: NONE + storageBackupInfo: type: object properties: - notValidBefore: - type: string - format: date-time - notValidAfter: + backupLastRunAt: type: string format: date-time - enforcementUrl: - type: string - description: URL for on-line license enforcement. Must be set unless allow_offline is true. - allowOffline: - type: boolean - description: Allow offline use (i.e., no online license enforcement). - maxNodes: - type: integer - format: int32 - description: Maximum number of nodes. Must be set unless no_node_restriction is true. - noNodeRestriction: - type: boolean - description: Do not restrict the number of nodes. 
- buildFlavors: - type: array - items: - type: string - description: |- - Build flavors of the product this license is valid for (e.g., "development" or "release"). Must be set unless - no_build_flavor_restriction is true. - noBuildFlavorRestriction: - type: boolean - description: Do not restrict license to certain build flavors. - deploymentEnvironments: - type: array - items: - type: string - description: |- - Deployment environments that are valid for the product, such as `gcp` or `gcp/ultra-current-825`. Must be - set unless no_deployment_environment_restriction is true. - noDeploymentEnvironmentRestriction: - type: boolean - description: Do not restrict license to certain deployment environments. - licenseLicense: - type: object - properties: - metadata: - $ref: '#/components/schemas/licenseLicenseMetadata' - supportContact: - $ref: '#/components/schemas/LicenseContact' - restrictions: - $ref: '#/components/schemas/LicenseRestrictions' - licenseLicenseMetadata: + status: + $ref: '#/components/schemas/storageOperationStatus' + requestor: + $ref: '#/components/schemas/storageSlimUser' + storageOperationStatus: + type: string + enum: + - FAIL + - PASS + default: FAIL + storageSlimUser: type: object properties: id: type: string - signingKeyId: - type: string - issueDate: - type: string - format: date-time - licensedForId: - type: string - licensedForName: + name: type: string - v1AddLicenseRequest: + v1CentralServicesCapabilities: + type: object + properties: + centralScanningCanUseContainerIamRoleForEcr: + $ref: '#/components/schemas/CentralServicesCapabilitiesCapabilityStatus' + centralCanUseCloudBackupIntegrations: + $ref: '#/components/schemas/CentralServicesCapabilitiesCapabilityStatus' + centralCanDisplayDeclarativeConfigHealth: + $ref: '#/components/schemas/CentralServicesCapabilitiesCapabilityStatus' + centralCanUpdateCert: + $ref: '#/components/schemas/CentralServicesCapabilitiesCapabilityStatus' + centralCanUseAcscsEmailIntegration: + $ref: 
'#/components/schemas/CentralServicesCapabilitiesCapabilityStatus' + description: >- + Provides availability of certain functionality of Central Services in + the current configuration. + + The initial intended use is to disable certain functionality that does + not make sense in the Cloud Service context. + v1DatabaseBackupStatus: type: object properties: - licenseKey: - type: string - activate: - type: boolean - description: Indicates whether the license represented by this key should be made the active license. - v1AddLicenseResponse: + backupInfo: + $ref: '#/components/schemas/storageBackupInfo' + v1DatabaseStatus: type: object properties: - license: - $ref: '#/components/schemas/v1LicenseInfo' - accepted: + databaseAvailable: type: boolean - description: |- - Indicates whether or not the license was accepted by the product. Only licenses which are either valid or - not yet valid will be accepted. Note that we prefer this over a GRPC error, as it might be helpful to show the, - e.g., contact information from the decoded blob. 
- v1GetActiveLicenseExpirationResponse: - type: object - properties: - expirationTime: - type: string - format: date-time - v1GetActiveLicenseKeyResponse: - type: object - properties: - licenseKey: - type: string - v1GetLicensesResponse: - type: object - properties: - licenses: - type: array - items: - $ref: '#/components/schemas/v1LicenseInfo' - v1LicenseInfo: - type: object - properties: - license: - $ref: '#/components/schemas/licenseLicense' - status: - $ref: '#/components/schemas/v1LicenseInfoStatus' - statusReason: + title: indicates whether or not central can communicate with the database + databaseType: + $ref: '#/components/schemas/DatabaseStatusDatabaseType' + databaseVersion: type: string - active: + title: version of the database + databaseIsExternal: type: boolean - v1LicenseInfoStatus: - type: string - enum: - - UNKNOWN - - VALID - - REVOKED - - NOT_YET_VALID - - EXPIRED - - OTHER - default: UNKNOWN - MetadataLicenseStatus: - type: string - enum: - - NONE - - INVALID - - EXPIRED - - RESTARTING - - VALID - default: NONE v1Metadata: type: object properties: @@ -12202,7 +17360,9 @@ components: trustInfoSerialized: type: string format: byte - title: signed data which is returned to the caller, is validated against the signature + title: >- + signed data which is returned to the caller, is validated against + the signature signature: type: string format: byte @@ -12260,7 +17420,6 @@ components: type: object additionalProperties: type: string - description: 'TODO(ROX-6895): "Label" search term is ambiguous.' creationTime: type: string format: date-time 
@@ -12300,6 +17459,24 @@ components: format: int64 l4protocol: $ref: '#/components/schemas/storageL4Protocol' + NetworkBaselineServiceGetNetworkBaselineStatusForFlowsBody: + type: object + properties: + peers: + type: array + items: + $ref: '#/components/schemas/v1NetworkBaselineStatusPeer' + NetworkBaselineServiceLockNetworkBaselineBody: + type: object + NetworkBaselineServiceModifyBaselineStatusForPeersBody: + type: object + properties: + peers: + type: array + items: + $ref: '#/components/schemas/v1NetworkBaselinePeerStatus' + NetworkBaselineServiceUnlockNetworkBaselineBody: + type: object NetworkEntityInfoExternalSource: type: object properties: @@ -12309,8 +17486,18 @@ components: type: string default: type: boolean - description: '`default` indicates whether the external source is user-generated or system-generated.' - description: Update normalizeDupNameExtSrcs(...) in `central/networkgraph/aggregator/aggregator.go` whenever this message is updated. + description: >- + `default` indicates whether the external source is user-generated or + system-generated. + discovered: + type: boolean + description: >- + `discovered` indicates whether the external source is harvested from + monitored traffic. + description: >- + Update normalizeDupNameExtSrcs(...) in + `central/networkgraph/aggregator/aggregator.go` whenever this message is + updated. storageNetworkBaseline: type: object properties: @@ -12346,9 +17533,12 @@ components: 2: Start reporting violations on flows that are not in the baseline deploymentName: type: string - title: |- - NetworkBaseline represents a network baseline of a deployment. It contains all + title: >- + NetworkBaseline represents a network baseline of a deployment. It + contains all + the baseline peers and their respective connections. + next available tag: 8 storageNetworkBaselineConnectionProperties: type: object 
@@ -12361,11 +17551,15 @@ components: port: type: integer format: int64 - title: May be 0 if not applicable (e.g., icmp), and denotes the destination port + title: >- + May be 0 if not applicable (e.g., icmp), and denotes the destination + port protocol: $ref: '#/components/schemas/storageL4Protocol' - title: |- - NetworkBaselineConnectionProperties represents information about a baseline connection + title: >- + NetworkBaselineConnectionProperties represents information about a + baseline connection + next available tag: 4 storageNetworkBaselinePeer: type: object @@ -12416,15 +17610,23 @@ components: properties: clusterId: type: string - v1ModifyBaselineStatusForPeersRequest: + v1NetworkBaselineExternalStatusResponse: type: object properties: - deploymentId: - type: string - peers: + anomalous: + type: array + items: + $ref: '#/components/schemas/v1NetworkBaselinePeerStatus' + totalAnomalous: + type: integer + format: int32 + baseline: type: array items: $ref: '#/components/schemas/v1NetworkBaselinePeerStatus' + totalBaseline: + type: integer + format: int32 v1NetworkBaselinePeerEntity: type: object properties: @@ -12432,6 +17634,10 @@ components: type: string type: $ref: '#/components/schemas/storageNetworkEntityInfoType' + name: + type: string + discovered: + type: boolean v1NetworkBaselinePeerStatus: type: object properties: @@ -12470,15 +17676,6 @@ components: this should be false. - If it is in the outEdges of the peer deployment, this should be true. - v1NetworkBaselineStatusRequest: - type: object - properties: - deploymentId: - type: string - peers: - type: array - items: - $ref: '#/components/schemas/v1NetworkBaselineStatusPeer' v1NetworkBaselineStatusResponse: type: object properties: 
@@ -12486,23 +17683,62 @@ components: type: array items: $ref: '#/components/schemas/v1NetworkBaselinePeerStatus' - v1ResourceByID: + NetworkGraphServiceCreateExternalNetworkEntityBody: type: object properties: - id: + entity: + $ref: '#/components/schemas/NetworkEntityInfoExternalSource' + NetworkGraphServicePatchExternalNetworkEntityBody: + type: object + properties: + name: + type: string + storageNetworkFlow: + type: object + properties: + props: + $ref: '#/components/schemas/storageNetworkFlowProperties' + lastSeenTimestamp: + type: string + format: date-time + clusterId: type: string + title: Need the clusterID as that is part of the key in RocksDB + updatedAt: + type: string + format: date-time + title: |- + This field is set by Central everytime a flow is upserted. + This should not be set by Sensor. + For more context: https://github.com/stackrox/stackrox/pull/14483 + storageNetworkFlowProperties: + type: object + properties: + srcEntity: + $ref: '#/components/schemas/storageNetworkEntityInfo' + dstEntity: + $ref: '#/components/schemas/storageNetworkEntityInfo' + dstPort: + type: integer + format: int64 + description: may be 0 if not applicable (e.g., icmp). + l4protocol: + $ref: '#/components/schemas/storageL4Protocol' storageNetworkGraphConfig: type: object properties: + id: + type: string hideDefaultExternalSrcs: type: boolean - v1CreateNetworkEntityRequest: + v1ExternalNetworkFlowMetadata: type: object properties: - clusterId: - type: string entity: - $ref: '#/components/schemas/NetworkEntityInfoExternalSource' + $ref: '#/components/schemas/storageNetworkEntityInfo' + flowsCount: + type: integer + format: int32 v1GetExternalNetworkEntitiesResponse: type: object properties: 
@@ -12510,6 +17746,28 @@ components: type: array items: $ref: '#/components/schemas/storageNetworkEntity' + v1GetExternalNetworkFlowsMetadataResponse: + type: object + properties: + entities: + type: array + items: + $ref: '#/components/schemas/v1ExternalNetworkFlowMetadata' + totalEntities: + type: integer + format: int32 + v1GetExternalNetworkFlowsResponse: + type: object + properties: + entity: + $ref: '#/components/schemas/storageNetworkEntityInfo' + totalFlows: + type: integer + format: int32 + flows: + type: array + items: + $ref: '#/components/schemas/storageNetworkFlow' v1NetworkEdgeProperties: type: object properties: @@ -12564,13 +17822,6 @@ components: type: object additionalProperties: $ref: '#/components/schemas/v1NetworkEdgePropertiesBundle' - v1PatchNetworkEntityRequest: - type: object - properties: - id: - type: string - name: - type: string v1PutNetworkGraphConfigRequest: type: object properties: @@ -12584,6 +17835,23 @@ components: - GENERATED_ONLY - ALL default: UNKNOWN + description: |2- + - NONE: Do not delete any existing network policies. + - GENERATED_ONLY: Delete any existing *auto-generated* network policies. + - ALL: Delete all existing network policies in the respective namespace. + NetworkPolicyServiceApplyNetworkPolicyYamlForDeploymentBody: + type: object + properties: + modification: + $ref: '#/components/schemas/storageNetworkPolicyModification' + NetworkPolicyServiceGetBaselineGeneratedNetworkPolicyForDeploymentBody: + type: object + properties: + deleteExisting: + $ref: >- + #/components/schemas/GenerateNetworkPoliciesRequestDeleteExistingPoliciesMode + includePorts: + type: boolean storageIPBlock: type: object properties: @@ -12626,6 +17894,8 @@ components: storageNetworkPolicyApplicationUndoRecord: type: object properties: + clusterId: + type: string user: type: string applyTimestamp: 
@@ -12726,13 +17996,6 @@ components: - UDP_PROTOCOL - SCTP_PROTOCOL default: UNSET_PROTOCOL - v1ApplyNetworkPolicyYamlForDeploymentRequest: - type: object - properties: - deploymentId: - type: string - modification: - $ref: '#/components/schemas/storageNetworkPolicyModification' v1GenerateNetworkPoliciesResponse: type: object properties: @@ -12743,18 +18006,9 @@ components: type: object properties: allowedPeers: - type: array - items: - $ref: '#/components/schemas/v1NetworkBaselineStatusPeer' - v1GetBaselineGeneratedPolicyForDeploymentRequest: - type: object - properties: - deploymentId: - type: string - deleteExisting: - $ref: '#/components/schemas/GenerateNetworkPoliciesRequestDeleteExistingPoliciesMode' - includePorts: - type: boolean + type: array + items: + $ref: '#/components/schemas/v1NetworkBaselineStatusPeer' v1GetBaselineGeneratedPolicyForDeploymentResponse: type: object properties: 
@@ -12885,6 +18139,267 @@ components: $ref: '#/components/schemas/v1NetworkGraphDiff' removed: $ref: '#/components/schemas/v1NetworkGraphDiff' + NodeScanScanner: + type: string + enum: + - SCANNER + - SCANNER_V4 + default: SCANNER + storageCVEInfo: + type: object + properties: + cve: + type: string + summary: + type: string + link: + type: string + publishedOn: + type: string + format: date-time + description: >- + This indicates the timestamp when the cve was first published in the + cve feeds. + createdAt: + type: string + format: date-time + description: Time when the CVE was first seen in the system. + lastModified: + type: string + format: date-time + scoreVersion: + $ref: '#/components/schemas/storageCVEInfoScoreVersion' + cvssV2: + $ref: '#/components/schemas/storageCVSSV2' + cvssV3: + $ref: '#/components/schemas/storageCVSSV3' + references: + type: array + items: + $ref: '#/components/schemas/storageCVEInfoReference' + cvssMetrics: + type: array + items: + $ref: '#/components/schemas/storageCVSSScore' + title: >- + cvss_metrics stores list of cvss scores from different sources like + nvd, Redhat etc + epss: + $ref: '#/components/schemas/storageEPSS' + storageCVEInfoReference: + type: object + properties: + URI: + type: string + tags: + type: array + items: + type: string + storageCVEInfoScoreVersion: + type: string + enum: + - V2 + - V3 + - UNKNOWN + default: V2 + description: '- V2: No unset for automatic backwards compatibility' + title: ScoreVersion can be deprecated ROX-26066 + storageContainerRuntime: + type: string + enum: + - UNKNOWN_CONTAINER_RUNTIME + - DOCKER_CONTAINER_RUNTIME + - CRIO_CONTAINER_RUNTIME + default: UNKNOWN_CONTAINER_RUNTIME + storageContainerRuntimeInfo: + type: object + properties: + type: + $ref: '#/components/schemas/storageContainerRuntime' + version: + type: string + storageEmbeddedNodeScanComponent: + type: object + properties: + name: + type: string + version: + type: string + vulns: + type: array + items: + $ref: 
'#/components/schemas/storageEmbeddedVulnerability' + vulnerabilities: + type: array + items: + $ref: '#/components/schemas/storageNodeVulnerability' + priority: + type: string + format: int64 + topCvss: + type: number + format: float + riskScore: + type: number + format: float + storageNode: + type: object + properties: + id: + type: string + description: A unique ID identifying this node. + name: + type: string + description: The (host)name of the node. Might or might not be the same as ID. + taints: + type: array + items: + $ref: '#/components/schemas/storageTaint' + title: Taints on the host + clusterId: + type: string + clusterName: + type: string + labels: + type: object + additionalProperties: + type: string + annotations: + type: object + additionalProperties: + type: string + joinedAt: + type: string + format: date-time + title: When the cluster reported the node was added + internalIpAddresses: + type: array + items: + type: string + title: node internal IP addresses + externalIpAddresses: + type: array + items: + type: string + title: node external IP addresses + containerRuntimeVersion: + type: string + description: Use container_runtime.version + title: From NodeInfo + containerRuntime: + $ref: '#/components/schemas/storageContainerRuntimeInfo' + kernelVersion: + type: string + operatingSystem: + type: string + description: 'From NodeInfo. Operating system reported by the node (ex: linux).' + osImage: + type: string + description: From NodeInfo. OS image reported by the node from /etc/os-release. + kubeletVersion: + type: string + kubeProxyVersion: + type: string + lastUpdated: + type: string + format: date-time + k8sUpdated: + type: string + format: date-time + description: Time we received an update from Kubernetes. 
+ scan: + $ref: '#/components/schemas/storageNodeScan' + components: + type: integer + format: int32 + cves: + type: integer + format: int32 + fixableCves: + type: integer + format: int32 + priority: + type: string + format: int64 + riskScore: + type: number + format: float + topCvss: + type: number + format: float + notes: + type: array + items: + $ref: '#/components/schemas/storageNodeNote' + title: |- + Node represents information about a node in the cluster. + next available tag: 28 + storageNodeNote: + type: string + enum: + - MISSING_SCAN_DATA + default: MISSING_SCAN_DATA + storageNodeScan: + type: object + properties: + scanTime: + type: string + format: date-time + operatingSystem: + type: string + components: + type: array + items: + $ref: '#/components/schemas/storageEmbeddedNodeScanComponent' + notes: + type: array + items: + $ref: '#/components/schemas/storageNodeScanNote' + scannerVersion: + $ref: '#/components/schemas/NodeScanScanner' + title: 'Next tag: 5' + storageNodeScanNote: + type: string + enum: + - UNSET + - UNSUPPORTED + - KERNEL_UNSUPPORTED + - CERTIFIED_RHEL_CVES_UNAVAILABLE + default: UNSET + storageNodeVulnerability: + type: object + properties: + cveBaseInfo: + $ref: '#/components/schemas/storageCVEInfo' + cvss: + type: number + format: float + severity: + $ref: '#/components/schemas/storageVulnerabilitySeverity' + fixedBy: + type: string + snoozed: + type: boolean + snoozeStart: + type: string + format: date-time + snoozeExpiry: + type: string + format: date-time + storageTaint: + type: object + properties: + key: + type: string + value: + type: string + taintEffect: + $ref: '#/components/schemas/storageTaintEffect' + v1ExportNodeResponse: + type: object + properties: + node: + $ref: '#/components/schemas/storageNode' v1ListNodesResponse: type: object properties: 
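Review bot: `storageEmbeddedNodeScanComponent` exposes two vulnerability lists, `vulns` (items `storageEmbeddedVulnerability`) and `vulnerabilities` (items `storageNodeVulnerability`), with no description of how they relate, whereas the comparable pair on `storageNode` at least marks the older field with `description: Use container_runtime.version`. If one list supersedes the other, the superseded field should say so, e.g. `description: Deprecated; use vulnerabilities.` (direction to be confirmed from the proto source, which is not visible here). Without that, a consumer cannot tell which list to read for a given `storageNodeScan.scannerVersion`, and the `Next Tag`/`next available tag` titles suggest the text has to be fixed on the proto comments rather than in this generated file.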
@@ -12892,27 +18407,126 @@ components: type: array items: $ref: '#/components/schemas/storageNode' - AWSSecurityHubCredentials: + EmailAuthMethod: + type: string + enum: + - DISABLED + - PLAIN + - LOGIN + default: DISABLED + JiraPriorityMapping: type: object properties: - accessKeyId: + severity: + $ref: '#/components/schemas/storageSeverity' + priorityName: type: string - secretAccessKey: + MicrosoftSentinelClientCertAuthConfig: + type: object + properties: + clientCert: + type: string + description: PEM encoded ASN.1 DER format. + privateKey: + type: string + description: 'PEM encoded PKCS #8, ASN.1 DER format.' + title: client certificate which is used for authentication + MicrosoftSentinelDataCollectionRuleConfig: + type: object + properties: + streamName: + type: string + dataCollectionRuleId: + type: string + enabled: + type: boolean + description: >- + DataCollectionRuleConfig contains information about the data collection + rule which is a config per notifier type. + NotifierServicePutNotifierBody: + type: object + properties: + name: + type: string + type: + type: string + uiEndpoint: + type: string + labelKey: + type: string + labelDefault: + type: string + jira: + $ref: '#/components/schemas/storageJira' + email: + $ref: '#/components/schemas/storageEmail' + cscc: + $ref: '#/components/schemas/storageCSCC' + splunk: + $ref: '#/components/schemas/storageSplunk' + pagerduty: + $ref: '#/components/schemas/storagePagerDuty' + generic: + $ref: '#/components/schemas/storageGeneric' + sumologic: + $ref: '#/components/schemas/storageSumoLogic' + awsSecurityHub: + $ref: '#/components/schemas/storageAWSSecurityHub' + syslog: + $ref: '#/components/schemas/storageSyslog' + microsoftSentinel: + $ref: '#/components/schemas/storageMicrosoftSentinel' + notifierSecret: type: string - EmailAuthMethod: - type: string - enum: - - DISABLED - - PLAIN - - LOGIN - default: DISABLED - JiraPriorityMapping: + traits: + $ref: '#/components/schemas/storageTraits' + title: 'Next Tag: 
21' + NotifierServiceUpdateNotifierBody: type: object properties: - severity: - $ref: '#/components/schemas/storageSeverity' - priorityName: - type: string + notifier: + type: object + properties: + name: + type: string + type: + type: string + uiEndpoint: + type: string + labelKey: + type: string + labelDefault: + type: string + jira: + $ref: '#/components/schemas/storageJira' + email: + $ref: '#/components/schemas/storageEmail' + cscc: + $ref: '#/components/schemas/storageCSCC' + splunk: + $ref: '#/components/schemas/storageSplunk' + pagerduty: + $ref: '#/components/schemas/storagePagerDuty' + generic: + $ref: '#/components/schemas/storageGeneric' + sumologic: + $ref: '#/components/schemas/storageSumoLogic' + awsSecurityHub: + $ref: '#/components/schemas/storageAWSSecurityHub' + syslog: + $ref: '#/components/schemas/storageSyslog' + microsoftSentinel: + $ref: '#/components/schemas/storageMicrosoftSentinel' + notifierSecret: + type: string + traits: + $ref: '#/components/schemas/storageTraits' + title: 'Next Tag: 21' + updatePassword: + type: boolean + description: >- + When false, use the stored credentials of an existing notifier + configuration given its ID. SyslogLocalFacility: type: string enum: @@ -12925,6 +18539,12 @@ components: - LOCAL6 - LOCAL7 default: LOCAL0 + SyslogMessageFormat: + type: string + enum: + - LEGACY + - CEF + default: LEGACY SyslogTCPConfig: type: object properties: 
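Review bot: `MicrosoftSentinelClientCertAuthConfig.privateKey` and `NotifierServicePutNotifierBody.notifierSecret` are credential-bearing strings added without the statement the sibling credential fields carry (`The server will mask the value of this credential in responses and logs.`), so a reader of the spec cannot tell whether these values are echoed back in GET responses or written to logs; `notifierSecret` has no description at all. The same gap appears in `storageAWSSecurityHubCredentials.secretAccessKey` in the `@@ -12943` hunk, `storageMicrosoftSentinel.secret` in the `@@ -13023` hunk and `storageNotifier.notifierSecret` in the `@@ -13056` hunk. If the server does mask them, the rendered description should read e.g. `description: The private key for the integration. The server will mask the value of this credential in responses and logs.`; if it does not, that is worth stating too, since it decides whether the field is safe to return to callers with read-only access. As the `Next Tag` titles suggest this file is generated from protobuf comments, the wording belongs on the proto fields.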
@@ -12943,17 +18563,30 @@ components: region: type: string credentials: - $ref: '#/components/schemas/AWSSecurityHubCredentials' + $ref: '#/components/schemas/storageAWSSecurityHubCredentials' accountId: type: string + storageAWSSecurityHubCredentials: + type: object + properties: + accessKeyId: + type: string + secretAccessKey: + type: string + stsEnabled: + type: boolean storageCSCC: type: object properties: serviceAccount: type: string - description: The service account for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The service account for the integration. The server will mask the + value of this credential in responses and logs. sourceId: type: string + wifEnabled: + type: boolean storageEmail: type: object properties: @@ -12965,15 +18598,23 @@ components: type: string password: type: string - description: The password for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The password for the integration. The server will mask the value of + this credential in responses and logs. disableTLS: type: boolean DEPRECATEDUseStartTLS: type: boolean + title: useStartTLS has been deprecated for startTLSAuthMethod from: type: string startTLSAuthMethod: $ref: '#/components/schemas/EmailAuthMethod' + allowUnauthenticatedSmtp: + type: boolean + title: Set to true to allow unauthenticated SMTP + skipTLSVerify: + type: boolean storageGeneric: type: object properties: @@ -12987,7 +18628,9 @@ components: type: string password: type: string - description: The password for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The password for the integration. The server will mask the value of + this credential in responses and logs. headers: type: array items: 
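Review bot: `skipTLSVerify` and `allowUnauthenticatedSmtp` on `storageEmail` are new booleans that relax transport and authentication guarantees, yet `skipTLSVerify` has no description and `allowUnauthenticatedSmtp` only says `Set to true to allow unauthenticated SMTP`. Each should state what is relaxed and the default when omitted, e.g. `description: When true, the SMTP server certificate is not verified; defaults to false and should only be used for testing.` — assuming that is what the flag does, which the schema alone does not show. The interaction with the existing `disableTLS` flag (whether `skipTLSVerify` has any effect when TLS is disabled) is also undocumented. The `storageEmail` schema header is outside this hunk.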
@@ -13007,7 +18650,9 @@ components: type: string password: type: string - description: The password for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The password for the integration. The server will mask the value of + this credential in responses and logs. issueType: type: string priorityMappings: @@ -13016,6 +18661,8 @@ components: $ref: '#/components/schemas/JiraPriorityMapping' defaultFieldsJson: type: string + disablePriority: + type: boolean storageKeyValuePair: type: object properties: @@ -13023,6 +18670,46 @@ components: type: string value: type: string + storageMicrosoftSentinel: + type: object + properties: + logIngestionEndpoint: + type: string + description: log_ingestion_endpoint is the log ingestion endpoint. + directoryTenantId: + type: string + description: >- + directory_tenant_id contains the ID of the Microsoft Directory ID of + the selected tenant. + applicationClientId: + type: string + description: >- + application_client_id contains the ID of the application ID of the + service principal. + secret: + type: string + description: secret contains the client secret. + alertDcrConfig: + $ref: '#/components/schemas/MicrosoftSentinelDataCollectionRuleConfig' + auditLogDcrConfig: + $ref: '#/components/schemas/MicrosoftSentinelDataCollectionRuleConfig' + clientCertAuthConfig: + $ref: '#/components/schemas/MicrosoftSentinelClientCertAuthConfig' + wifEnabled: + type: boolean + description: >- + Enables authentication with short-lived tokens using Azure managed + identities + + or Azure workload identities. + + The toggle exists to make the use of Azure default credentials + explicit rather + + than always using them as a fallback. The explicit behavior is more + consistent + + with other integrations. storageNotifier: type: object properties: 
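Review bot: `storageMicrosoftSentinel` now carries three authentication inputs — `secret`, `clientCertAuthConfig` and `wifEnabled` — and the hunk does not say which takes precedence when more than one is set, or whether `secret` may be omitted when `wifEnabled` is true. The `wifEnabled` description itself says the toggle exists to make the credential choice explicit rather than a fallback, so the rule should be spelled out on the field, e.g. `description: secret contains the client secret; ignored when wifEnabled is true or clientCertAuthConfig is set.`, with the actual precedence confirmed against the notifier implementation, which is not visible here. The `wifEnabled` description also folds with blank lines mid-sentence (`identities` / `or Azure workload identities`), which renders as broken paragraphs; joining the proto comment lines would fix the output.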
@@ -13056,18 +18743,29 @@ components: $ref: '#/components/schemas/storageAWSSecurityHub' syslog: $ref: '#/components/schemas/storageSyslog' + microsoftSentinel: + $ref: '#/components/schemas/storageMicrosoftSentinel' + notifierSecret: + type: string + traits: + $ref: '#/components/schemas/storageTraits' + title: 'Next Tag: 21' storagePagerDuty: type: object properties: apiKey: type: string - description: The API key for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The API key for the integration. The server will mask the value of + this credential in responses and logs. storageSplunk: type: object properties: httpToken: type: string - description: The HTTP token for the integration. The server will mask the value of this credential in responses and logs. + description: >- + The HTTP token for the integration. The server will mask the value + of this credential in responses and logs. httpEndpoint: type: string insecure: @@ -13098,6 +18796,15 @@ components: $ref: '#/components/schemas/SyslogLocalFacility' tcpConfig: $ref: '#/components/schemas/SyslogTCPConfig' + extraFields: + type: array + items: + $ref: '#/components/schemas/storageKeyValuePair' + messageFormat: + $ref: '#/components/schemas/SyslogMessageFormat' + maxMessageSize: + type: integer + format: int32 v1GetNotifiersResponse: type: object properties: @@ -13112,7 +18819,9 @@ components: $ref: '#/components/schemas/storageNotifier' updatePassword: type: boolean - description: When false, use the stored credentials of an existing notifier configuration given its ID. + description: >- + When false, use the stored credentials of an existing notifier + configuration given its ID. v1PongMessage: type: object properties: 
@@ -13155,11 +18864,15 @@ components: exitCode: type: integer format: int32 - description: The exit code of the container. Only valid when finished is populated. + description: >- + The exit code of the container. Only valid when finished is + populated. terminationReason: type: string description: The reason for the container's termination, if it finished. - description: ContainerInstanceID allows to uniquely identify a container within a cluster. + description: >- + ContainerInstanceID allows to uniquely identify a container within a + cluster. storageContainerInstanceID: type: object properties: @@ -13193,14 +18906,23 @@ components: type: array items: $ref: '#/components/schemas/PodContainerInstanceList' - description: |- - Must be a list of lists, so we can perform search queries (does not work for maps that aren't ) + description: >- + Must be a list of lists, so we can perform search queries (does not + work for maps that aren't ) + There is one bucket (list) per container name. started: type: string format: date-time description: Time Kubernetes reports the pod was created. - description: Pod represents information for a currently running pod or deleted pod in an active deployment. + description: >- + Pod represents information for a currently running pod or deleted pod in + an active deployment. + v1ExportPodResponse: + type: object + properties: + pod: + $ref: '#/components/schemas/storagePod' v1PodsResponse: type: object properties: 
@@ -13208,12 +18930,164 @@ components: type: array items: $ref: '#/components/schemas/storagePod' - GetPolicyMitreVectorsRequestOptions: + v1GetPolicyCategoriesResponse: type: object properties: - excludePolicy: + categories: + type: array + items: + $ref: '#/components/schemas/v1PolicyCategory' + v1PolicyCategory: + type: object + properties: + id: + type: string + name: + type: string + isDefault: type: boolean - description: If set to true, policy is excluded from the response. + v1RenamePolicyCategoryRequest: + type: object + properties: + id: + type: string + newCategoryName: + type: string + PolicyServiceEnableDisablePolicyNotificationBody: + type: object + properties: + notifierIds: + type: array + items: + type: string + disable: + type: boolean + PolicyServicePatchPolicyBody: + type: object + properties: + disabled: + type: boolean + PolicyServicePutPolicyBody: + type: object + properties: + name: + type: string + description: Name of the policy. Must be unique. + description: + type: string + description: Free-form text description of this policy. + rationale: + type: string + remediation: + type: string + description: Describes how to remediate a violation of this policy. + disabled: + type: boolean + description: >- + Toggles whether or not this policy will be executing and actively + firing alerts. + categories: + type: array + items: + type: string + description: >- + List of categories that this policy falls under. Category names + must already exist in Central. + lifecycleStages: + type: array + items: + $ref: '#/components/schemas/storageLifecycleStage' + description: >- + Describes which policy lifecylce stages this policy applies to. + Choices are DEPLOY, BUILD, and RUNTIME. + eventSource: + $ref: '#/components/schemas/storageEventSource' + exclusions: + type: array + items: + $ref: '#/components/schemas/storageExclusion' + description: >- + Define deployments or images that should be excluded from this + policy. 
+ scope: + type: array + items: + $ref: '#/components/schemas/storageScope' + description: >- + Defines clusters, namespaces, and deployments that should be + included in this policy. No scopes defined includes everything. + severity: + $ref: '#/components/schemas/storageSeverity' + enforcementActions: + type: array + items: + $ref: '#/components/schemas/storageEnforcementAction' + description: >- + FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission + control webhook is configured to enforce on object creates/updates. + + FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control + webhook is enabled to listen on exec and port-forward events. + + FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission + control webhook is configured to enforce on object updates. + + Lists the enforcement actions to take when a violation from this + policy is identified. Possible value are UNSET_ENFORCEMENT, + SCALE_TO_ZERO_ENFORCEMENT, + UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, + FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, + FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, and. + FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT. + notifiers: + type: array + items: + type: string + description: >- + List of IDs of the notifiers that should be triggered when a + violation from this policy is identified. IDs should be in the form + of a UUID and are found through the Central API. + lastUpdated: + type: string + format: date-time + SORTName: + type: string + description: For internal use only. + SORTLifecycleStage: + type: string + description: For internal use only. + SORTEnforcement: + type: boolean + description: For internal use only. + policyVersion: + type: string + policySections: + type: array + items: + $ref: '#/components/schemas/storagePolicySection' + description: PolicySections define the violation criteria for this policy. 
+ mitreAttackVectors: + type: array + items: + $ref: '#/components/schemas/PolicyMitreAttackVectors' + criteriaLocked: + type: boolean + description: >- + Read-only field. If true, the policy's criteria fields are rendered + read-only. + mitreVectorsLocked: + type: boolean + description: >- + Read-only field. If true, the policy's MITRE ATT&CK fields are + rendered read-only. + isDefault: + type: boolean + description: >- + Read-only field. Indicates the policy is a default policy if true + and a custom policy if false. + source: + $ref: '#/components/schemas/storagePolicySource' + title: 'Next tag: 28' storageExportPoliciesResponse: type: object properties: @@ -13221,9 +19095,12 @@ components: type: array items: $ref: '#/components/schemas/storagePolicy' - title: |- - ExportPoliciesResponse is used by the API but it is defined in storage because we expect customers to store them. - We do backwards-compatibility checks on objects in the storge folder and those checks should be applied to this object + title: >- + ExportPoliciesResponse is used by the API but it is defined in storage + because we expect customers to store them. + + We do backwards-compatibility checks on objects in the storge folder and + those checks should be applied to this object storageListPolicy: type: object properties: @@ -13252,6 +19129,8 @@ components: $ref: '#/components/schemas/storageEventSource' isDefault: type: boolean + source: + $ref: '#/components/schemas/storagePolicySource' v1DryRunJobStatusResponse: type: object properties: @@ -13275,17 +19154,6 @@ components: type: array items: type: string - v1EnableDisablePolicyNotificationRequest: - type: object - properties: - policyId: - type: string - notifierIds: - type: array - items: - type: string - disable: - type: boolean v1ExportPoliciesRequest: type: object properties: 
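Review bot: PolicyServicePutPolicyBody is a request body, yet it carries properties whose own descriptions call them read-only or internal (`criteriaLocked`, `mitreVectorsLocked`, `isDefault` are `Read-only field`; `SORTName`, `SORTLifecycleStage`, `SORTEnforcement` are `For internal use only`) without marking them, so generated clients may send them and a reader cannot tell whether the server ignores or honours such values. OpenAPI 3 expresses this with `readOnly: true` on the property, e.g. `isDefault:` / `type: boolean` / `readOnly: true` above the existing description, which lets request validators flag them; if the generator cannot emit it, at least state in each description that the server ignores the value on write. Two typos in the new text: `lifecylce` in the lifecycleStages description, and `and.` before `FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT` in the enforcementActions description, which should read `FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, and FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT.`. The hunk begins in the @@ -13208 header two lines up and ends here.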
@@ -13293,6 +19161,12 @@ components: type: array items: type: string + v1GetPolicyMitreVectorsRequestOptions: + type: object + properties: + excludePolicy: + type: boolean + description: If set to true, policy is excluded from the response. v1GetPolicyMitreVectorsResponse: type: object properties: @@ -13359,13 +19233,6 @@ components: type: array items: $ref: '#/components/schemas/storageListPolicy' - v1PatchPolicyRequest: - type: object - properties: - id: - type: string - disabled: - type: boolean v1PolicyCategoriesResponse: type: object properties: @@ -13389,13 +19256,6 @@ components: type: string hasNestedFields: type: boolean - v1RenamePolicyCategoryRequest: - type: object - properties: - oldCategory: - type: string - newCategory: - type: string v1GetExistingProbesResponse: type: object properties: 
@@ -13489,34 +19349,83 @@ components: properties: error: type: string - key: - $ref: '#/components/schemas/storageProcessBaselineKey' - v1UpdateProcessBaselinesRequest: + key: + $ref: '#/components/schemas/storageProcessBaselineKey' + v1UpdateProcessBaselinesRequest: + type: object + properties: + keys: + type: array + items: + $ref: '#/components/schemas/storageProcessBaselineKey' + addElements: + type: array + items: + $ref: '#/components/schemas/storageBaselineItem' + removeElements: + type: array + items: + $ref: '#/components/schemas/storageBaselineItem' + v1UpdateProcessBaselinesResponse: + type: object + properties: + baselines: + type: array + items: + $ref: '#/components/schemas/storageProcessBaseline' + errors: + type: array + items: + $ref: '#/components/schemas/v1ProcessBaselineUpdateError' + ProcessListeningOnPortEndpoint: + type: object + properties: + port: + type: integer + format: int64 + protocol: + $ref: '#/components/schemas/storageL4Protocol' + storageProcessListeningOnPort: + type: object + properties: + endpoint: + $ref: '#/components/schemas/ProcessListeningOnPortEndpoint' + deploymentId: + type: string + containerName: + type: string + podId: + type: string + podUid: + type: string + signal: + $ref: '#/components/schemas/storageProcessSignal' + clusterId: + type: string + namespace: + type: string + containerStartTime: + type: string + format: date-time + imageId: + type: string + title: The API returns an array of these + v1GetProcessesListeningOnPortsResponse: type: object properties: - keys: - type: array - items: - $ref: '#/components/schemas/storageProcessBaselineKey' - addElements: + listeningEndpoints: type: array items: - $ref: '#/components/schemas/storageBaselineItem' - removeElements: - type: array - items: - $ref: '#/components/schemas/storageBaselineItem' - v1UpdateProcessBaselinesResponse: + $ref: '#/components/schemas/storageProcessListeningOnPort' + totalListeningEndpoints: + type: integer + format: int32 + 
v1CountProcessesResponse: type: object properties: - baselines: - type: array - items: - $ref: '#/components/schemas/storageProcessBaseline' - errors: - type: array - items: - $ref: '#/components/schemas/v1ProcessBaselineUpdateError' + count: + type: integer + format: int32 v1GetGroupedProcessesResponse: type: object properties: @@ -13575,56 +19484,6 @@ components: type: array items: $ref: '#/components/schemas/v1ProcessGroup' - v1DeleteProcessWhitelistsResponse: - type: object - properties: - numDeleted: - type: integer - format: int32 - dryRun: - type: boolean - v1LockProcessWhitelistsRequest: - type: object - properties: - keys: - type: array - items: - $ref: '#/components/schemas/storageProcessBaselineKey' - locked: - type: boolean - v1ProcessWhitelistUpdateError: - type: object - properties: - error: - type: string - key: - $ref: '#/components/schemas/storageProcessBaselineKey' - v1UpdateProcessWhitelistsRequest: - type: object - properties: - keys: - type: array - items: - $ref: '#/components/schemas/storageProcessBaselineKey' - addElements: - type: array - items: - $ref: '#/components/schemas/storageBaselineItem' - removeElements: - type: array - items: - $ref: '#/components/schemas/storageBaselineItem' - v1UpdateProcessWhitelistsResponse: - type: object - properties: - whitelists: - type: array - items: - $ref: '#/components/schemas/storageProcessBaseline' - errors: - type: array - items: - $ref: '#/components/schemas/v1ProcessWhitelistUpdateError' storageK8sRole: type: object properties: @@ -13644,7 +19503,6 @@ components: type: object additionalProperties: type: string - description: 'TODO(ROX-6895): "Label" search term is ambiguous.' annotations: type: object additionalProperties: 
@@ -13674,11 +19532,19 @@ components: type: string clusterRole: type: boolean + description: >- + ClusterRole specifies whether the binding binds a cluster role. + However, it cannot be used to determine whether + + the binding is a cluster role binding. This can be done in + conjunction with the namespace. If the namespace is + + empty and cluster role is true, the binding is a cluster role + binding. labels: type: object additionalProperties: type: string - description: 'TODO(ROX-6895): "Label" search term is ambiguous.' annotations: type: object additionalProperties: @@ -13726,6 +19592,7 @@ components: properties: id: type: string + title: ID is derived from base64 of cluster id and name kind: $ref: '#/components/schemas/storageSubjectKind' name: @@ -13736,8 +19603,10 @@ components: type: string clusterName: type: string - title: |- - Properties of an individual subjects who are granted roles via role bindings. + title: >- + Properties of an individual subjects who are granted roles via role + bindings. + //////////////////////////////////////// storageSubjectKind: type: string @@ -13797,8 +19666,10 @@ components: type: array items: $ref: '#/components/schemas/v1SubjectAndRoles' - title: |- - A list of k8s subjects (users and groups only, for service accounts, try the service account service) + title: >- + A list of k8s subjects (users and groups only, for service accounts, try + the service account service) + Next Tag: 2 v1ScopedRoles: type: object @@ -13823,6 +19694,11 @@ components: enum: - VULNERABILITY default: VULNERABILITY + ReportConfigurationServiceUpdateReportConfigurationBody: + type: object + properties: + reportConfig: + $ref: '#/components/schemas/storageReportConfiguration' ReportLastRunStatusRunStatus: type: string enum: 
@@ -13836,6 +19712,12 @@ components: - FIXABLE - NOT_FIXABLE default: BOTH + VulnerabilityReportFiltersImageType: + type: string + enum: + - DEPLOYED + - WATCHED + default: DEPLOYED storageEmailNotifierConfiguration: type: object properties: @@ -13845,6 +19727,17 @@ components: type: array items: type: string + customSubject: + type: string + customBody: + type: string + storageNotifierConfiguration: + type: object + properties: + emailConfig: + $ref: '#/components/schemas/storageEmailNotifierConfiguration' + id: + type: string storageReportConfiguration: type: object properties: @@ -13869,6 +19762,20 @@ components: lastSuccessfulRunTime: type: string format: date-time + resourceScope: + $ref: '#/components/schemas/storageResourceScope' + notifiers: + type: array + items: + $ref: '#/components/schemas/storageNotifierConfiguration' + creator: + $ref: '#/components/schemas/storageSlimUser' + version: + type: integer + format: int32 + title: >- + version=0 is unmigrated v1 config, version=1 is migrated v1 config + and version=2 is v2 config storageReportLastRunStatus: type: object properties: @@ -13879,6 +19786,11 @@ components: format: date-time errorMsg: type: string + storageResourceScope: + type: object + properties: + collectionId: + type: string storageVulnerabilityReportFilters: type: object properties: @@ -13890,6 +19802,27 @@ components: type: array items: $ref: '#/components/schemas/storageVulnerabilitySeverity' + imageTypes: + type: array + items: + $ref: '#/components/schemas/VulnerabilityReportFiltersImageType' + allVuln: + type: boolean + sinceLastSentScheduledReport: + type: boolean + sinceStartDate: + type: string + format: date-time + accessScopeRules: + type: array + items: + $ref: '#/components/schemas/SimpleAccessScopeRules' + includeNvdCvss: + type: boolean + includeEpssProbability: + type: boolean + includeAdvisory: + type: boolean v1CountReportConfigurationsResponse: type: object properties: 
@@ -13918,25 +19851,265 @@ components: properties: reportConfig: $ref: '#/components/schemas/storageReportConfiguration' - v1UpdateReportConfigurationRequest: + CollectionServiceUpdateCollectionBody: + type: object + properties: + name: + type: string + description: + type: string + resourceSelectors: + type: array + items: + $ref: '#/components/schemas/storageResourceSelector' + embeddedCollectionIds: + type: array + items: + type: string + ResourceCollectionEmbeddedResourceCollection: + type: object + properties: + id: + type: string + title: '''id'' is searchable to force a separate table' + storageMatchType: + type: string + enum: + - EXACT + - REGEX + default: EXACT + storageResourceCollection: + type: object + properties: + id: + type: string + name: + type: string + description: + type: string + createdAt: + type: string + format: date-time + lastUpdated: + type: string + format: date-time + createdBy: + $ref: '#/components/schemas/storageSlimUser' + updatedBy: + $ref: '#/components/schemas/storageSlimUser' + resourceSelectors: + type: array + items: + $ref: '#/components/schemas/storageResourceSelector' + description: >- + `resource_selectors` resolve as disjunction (OR) with each-other and + with selectors from `embedded_collections`. For MVP, the size of + resource_selectors will at most be 1 from UX standpoint. + embeddedCollections: + type: array + items: + $ref: '#/components/schemas/ResourceCollectionEmbeddedResourceCollection' + storageResourceSelector: + type: object + properties: + rules: + type: array + items: + $ref: '#/components/schemas/storageSelectorRule' + description: '`rules` resolve as a conjunction (AND).' 
+ storageRuleValue: + type: object + properties: + value: + type: string + matchType: + $ref: '#/components/schemas/storageMatchType' + storageSelectorRule: + type: object + properties: + fieldName: + type: string + title: |- + `field_name` can be one of the following: + - Cluster + - Cluster Label + - Namespace + - Namespace Label + - Namespace Annotation + - Deployment + - Deployment Label + - Deployment Annotation + operator: + $ref: '#/components/schemas/storageBooleanOperator' + values: + type: array + items: + $ref: '#/components/schemas/storageRuleValue' + description: >- + `values` resolve as a conjunction (AND) or disjunction (OR) + depending on operator. For MVP, only OR is supported from UX + standpoint. + v1CollectionDeploymentMatchOptions: + type: object + properties: + withMatches: + type: boolean + filterQuery: + $ref: '#/components/schemas/v1RawQuery' + v1CreateCollectionRequest: + type: object + properties: + name: + type: string + description: + type: string + resourceSelectors: + type: array + items: + $ref: '#/components/schemas/storageResourceSelector' + embeddedCollectionIds: + type: array + items: + type: string + v1CreateCollectionResponse: + type: object + properties: + collection: + $ref: '#/components/schemas/storageResourceCollection' + v1DryRunCollectionRequest: + type: object + properties: + name: + type: string + id: + type: string + title: set if dryrun on existing collections + description: + type: string + resourceSelectors: + type: array + items: + $ref: '#/components/schemas/storageResourceSelector' + embeddedCollectionIds: + type: array + items: + type: string + options: + $ref: '#/components/schemas/v1CollectionDeploymentMatchOptions' + v1DryRunCollectionResponse: + type: object + properties: + deployments: + type: array + items: + $ref: '#/components/schemas/storageListDeployment' + v1GetCollectionCountResponse: + type: object + properties: + count: + type: integer + format: int32 + v1GetCollectionResponse: + type: object + 
properties: + collection: + $ref: '#/components/schemas/storageResourceCollection' + deployments: + type: array + items: + $ref: '#/components/schemas/storageListDeployment' + v1ListCollectionSelectorsResponse: + type: object + properties: + selectors: + type: array + items: + type: string + v1ListCollectionsResponse: + type: object + properties: + collections: + type: array + items: + $ref: '#/components/schemas/storageResourceCollection' + v1UpdateCollectionResponse: + type: object + properties: + collection: + $ref: '#/components/schemas/storageResourceCollection' + ComputeEffectiveAccessScopeRequestDetail: + type: string + enum: + - STANDARD + - MINIMAL + - HIGH + default: STANDARD + ComputeEffectiveAccessScopeRequestPayload: + type: object + properties: + simpleRules: + $ref: '#/components/schemas/SimpleAccessScopeRules' + RoleServicePutPermissionSetBody: + type: object + properties: + name: + type: string + description: >- + `name` and `description` are provided by the user and can be + changed. + description: + type: string + resourceToAccess: + type: object + additionalProperties: + $ref: '#/components/schemas/storageAccess' + traits: + $ref: '#/components/schemas/storageTraits' + description: This encodes a set of permissions for StackRox resources. + RoleServicePutSimpleAccessScopeBody: type: object properties: - id: + name: type: string - reportConfig: - $ref: '#/components/schemas/storageReportConfiguration' - ComputeEffectiveAccessScopeRequestDetail: - type: string - enum: - - STANDARD - - MINIMAL - - HIGH - default: STANDARD - ComputeEffectiveAccessScopeRequestPayload: + description: >- + `name` and `description` are provided by the user and can be + changed. + description: + type: string + rules: + $ref: '#/components/schemas/SimpleAccessScopeRules' + traits: + $ref: '#/components/schemas/storageTraits' + description: >- + Simple access scope is a (simple) selection criteria for scoped + resources. 
+ + It does *not* allow multi-component AND-rules nor set operations on + names. + RoleServiceUpdateRoleBody: type: object properties: - simpleRules: - $ref: '#/components/schemas/SimpleAccessScopeRules' + description: + type: string + permissionSetId: + type: string + description: The associated PermissionSet and AccessScope for this Role. + accessScopeId: + type: string + globalAccess: + $ref: '#/components/schemas/storageAccess' + resourceToAccess: + type: object + additionalProperties: + $ref: '#/components/schemas/storageAccess' + description: Deprecated 2021-04-20 in favor of `permission_set_id`. + traits: + $ref: '#/components/schemas/storageTraits' + description: |- + A role specifies which actions are allowed for which subset of cluster + objects. Permissions be can either specified directly via setting + resource_to_access together with global_access or by referencing a + permission set by its id in permission_set_name. storageEffectiveAccessScope: type: object properties: @@ -13944,12 +20117,18 @@ components: type: array items: $ref: '#/components/schemas/storageEffectiveAccessScopeCluster' - description: |- - EffectiveAccessScope describes which clusters and namespaces are "in scope" - given current state. Basically, if AccessScope is applied to the currently + description: >- + EffectiveAccessScope describes which clusters and namespaces are "in + scope" + + given current state. Basically, if AccessScope is applied to the + currently + known clusters and namespaces, the result is EffectiveAccessScope. + EffectiveAccessScope represents a tree with nodes marked as included and + excluded. If a node is included, all its child nodes are included. storageEffectiveAccessScopeCluster: type: object 
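Review bot: In RoleServiceUpdateRoleBody at the end of the @@ -13918 hunk, the `resourceToAccess` property is deprecated only in prose (`Deprecated 2021-04-20 in favor of permission_set_id`); OpenAPI 3 has `deprecated: true` for schema properties, which lets generated clients and linters surface the deprecation instead of relying on someone reading the description, so add `deprecated: true` directly under `resourceToAccess:` and keep the existing description line. The same prose-only deprecation sits on storageRole in the @@ -14025 hunk, but that line is context there, not part of this change. The schema description `Permissions be can either specified directly` (also present on storageRole) should read `Permissions can either be specified directly`.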
@@ -13997,20 +20176,26 @@ components: description: id is generated and cannot be changed. name: type: string - description: '`name` and `description` are provided by the user and can be changed.' + description: >- + `name` and `description` are provided by the user and can be + changed. description: type: string resourceToAccess: type: object additionalProperties: $ref: '#/components/schemas/storageAccess' + traits: + $ref: '#/components/schemas/storageTraits' description: This encodes a set of permissions for StackRox resources. storageRole: type: object properties: name: type: string - description: '`name` and `description` are provided by the user and can be changed.' + description: >- + `name` and `description` are provided by the user and can be + changed. description: type: string permissionSetId: @@ -14025,6 +20210,8 @@ components: additionalProperties: $ref: '#/components/schemas/storageAccess' description: Deprecated 2021-04-20 in favor of `permission_set_id`. + traits: + $ref: '#/components/schemas/storageTraits' description: |- A role specifies which actions are allowed for which subset of cluster objects. Permissions be can either specified directly via setting 
@@ -14038,14 +20225,35 @@ components: description: '`id` is generated and cannot be changed.' name: type: string - description: '`name` and `description` are provided by the user and can be changed.' + description: >- + `name` and `description` are provided by the user and can be + changed. description: type: string rules: $ref: '#/components/schemas/SimpleAccessScopeRules' - description: |- - Simple access scope is a (simple) selection criteria for scoped resources. - It does *not* allow multi-component AND-rules nor set operations on names. + traits: + $ref: '#/components/schemas/storageTraits' + description: >- + Simple access scope is a (simple) selection criteria for scoped + resources. + + It does *not* allow multi-component AND-rules nor set operations on + names. + v1GetClustersForPermissionsResponse: + type: object + properties: + clusters: + type: array + items: + $ref: '#/components/schemas/v1ScopeObject' + v1GetNamespacesForClusterAndPermissionsResponse: + type: object + properties: + namespaces: + type: array + items: + $ref: '#/components/schemas/v1ScopeObject' v1GetPermissionsResponse: type: object properties: @@ -14053,8 +20261,10 @@ components: type: object additionalProperties: $ref: '#/components/schemas/storageAccess' - description: |- - GetPermissionsResponse is wire-compatible with the old format of the Role + description: >- + GetPermissionsResponse is wire-compatible with the old format of the + Role + message and represents a collection of aggregated permissions. v1GetResourcesResponse: type: object 
@@ -14084,56 +20294,18 @@ components: type: array items: $ref: '#/components/schemas/storageSimpleAccessScope' - storageAuthzPluginConfig: + v1ScopeObject: type: object properties: id: type: string name: type: string - enabled: - type: boolean - endpointConfig: - $ref: '#/components/schemas/storageHTTPEndpointConfig' - storageHTTPEndpointConfig: - type: object - properties: - endpoint: - type: string - skipTlsVerify: - type: boolean - caCert: - type: string - username: - type: string - password: - type: string - description: The password for the integration. The server will mask the value of this credential in responses and logs. - headers: - type: array - items: - $ref: '#/components/schemas/storageKeyValuePair' - clientCertPem: - type: string - description: The client certificate in PEM format for the integration. - clientKeyPem: - type: string - description: The client key in PEM format for the integration. The server will mask the value of this credential in responses and logs. - v1GetAuthzPluginConfigsResponse: - type: object - properties: - configs: - type: array - items: - $ref: '#/components/schemas/storageAuthzPluginConfig' - v1UpsertAuthzPluginConfigRequest: - type: object - properties: - config: - $ref: '#/components/schemas/storageAuthzPluginConfig' - updatePassword: - type: boolean - description: When false, use the stored credentials of an existing scoped access control configuration given its ID. + description: >- + ScopeObject represents an ID, name pair, which can apply to any + + entity that takes part in an access scope (so far Cluster and + Namespace). SearchResponseCount: type: object properties: @@ -14175,8 +20347,10 @@ components: - CLUSTERS - NAMESPACES - NODES + - NODE_COMPONENTS - NODE_VULN_EDGE - NODE_COMPONENT_EDGE + - NODE_COMPONENT_CVE_EDGE - COMPLIANCE_STANDARD - COMPLIANCE_CONTROL_GROUP - COMPLIANCE_CONTROL 
@@ -14195,8 +20369,43 @@ components: - CLUSTER_VULN_EDGE - NETWORK_ENTITY - VULN_REQUEST + - NETWORK_BASELINE + - NETWORK_POLICIES + - PROCESS_BASELINE_RESULTS + - COMPLIANCE_METADATA + - COMPLIANCE_RESULTS + - COMPLIANCE_DOMAIN + - CLUSTER_HEALTH + - POLICY_CATEGORIES + - IMAGE_INTEGRATIONS + - COLLECTIONS + - POLICY_CATEGORY_EDGE + - PROCESS_LISTENING_ON_PORT + - API_TOKEN + - REPORT_METADATA + - REPORT_SNAPSHOT + - COMPLIANCE_INTEGRATIONS + - COMPLIANCE_SCAN_CONFIG + - COMPLIANCE_SCAN + - COMPLIANCE_CHECK_RESULTS + - BLOB + - ADMINISTRATION_EVENTS + - COMPLIANCE_SCAN_CONFIG_STATUS + - ADMINISTRATION_USAGE + - COMPLIANCE_PROFILES + - COMPLIANCE_RULES + - COMPLIANCE_SCAN_SETTING_BINDINGS + - COMPLIANCE_SUITES + - CLOUD_SOURCES + - DISCOVERED_CLUSTERS + - COMPLIANCE_REMEDIATIONS + - COMPLIANCE_BENCHMARKS + - AUTH_PROVIDERS + - COMPLIANCE_REPORT_SNAPSHOT + - IMAGE_COMPONENTS_V2 + - IMAGE_VULNERABILITIES_V2 default: SEARCH_UNSET - title: 'Next available tag: 37' + title: 'Next available tag: 74' v1SearchOptionsResponse: type: object properties: @@ -14378,8 +20587,10 @@ components: $ref: '#/components/schemas/storageCert' imagePullSecret: $ref: '#/components/schemas/storageImagePullSecret' - description: |- - Metadata about secret. Additional information is presented for a certificate file and + description: >- + Metadata about secret. Additional information is presented for a + certificate file and + imagePullSecret, but the "file" may also represent some arbitrary value. storageSecretDeploymentRelationship: type: object 
@@ -14444,18 +20655,34 @@ components: title: |- A list of secrets with their relationships. Next Tag: 2 + GetSensorUpgradeConfigResponseSensorAutoUpgradeFeatureStatus: + type: string + enum: + - NOT_SUPPORTED + - SUPPORTED + default: NOT_SUPPORTED + GetSensorUpgradeConfigResponseUpgradeConfig: + type: object + properties: + enableAutoUpgrade: + type: boolean + autoUpgradeFeature: + $ref: >- + #/components/schemas/GetSensorUpgradeConfigResponseSensorAutoUpgradeFeatureStatus storageSensorUpgradeConfig: type: object properties: enableAutoUpgrade: type: boolean description: Whether to automatically trigger upgrades for out-of-date sensors. - description: SensorUpgradeConfig encapsulates configuration relevant to sensor auto-upgrades. + description: >- + SensorUpgradeConfig encapsulates configuration relevant to sensor + auto-upgrades. v1GetSensorUpgradeConfigResponse: type: object properties: config: - $ref: '#/components/schemas/storageSensorUpgradeConfig' + $ref: '#/components/schemas/GetSensorUpgradeConfigResponseUpgradeConfig' v1UpdateSensorUpgradeConfigRequest: type: object properties: @@ -14478,7 +20705,6 @@ components: type: object additionalProperties: type: string - description: 'TODO(ROX-6895): "Label" search term is ambiguous.' annotations: type: object additionalProperties: 
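Review bot: The new `autoUpgradeFeature` property writes its reference as a folded block scalar (`$ref: >-` with `#/components/schemas/...` on the next line) while every other `$ref` in the file is a single-quoted scalar on one line; a `#` as the first content character of a block scalar is legal but easy to misread as a comment, and tooling that resolves references line by line may not see it. Prefer the file's own convention even though the line exceeds the wrap width, `$ref: '#/components/schemas/GetSensorUpgradeConfigResponseSensorAutoUpgradeFeatureStatus'`, or exempt that line from the formatter. Note also that `v1GetSensorUpgradeConfigResponse.config` now points at GetSensorUpgradeConfigResponseUpgradeConfig while storageSensorUpgradeConfig stays defined; whether anything else still references it is not visible from this hunk.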
@@ -14595,6 +20821,103 @@ components: type: string publicKeyPemEnc: type: string + SignatureIntegrationServicePutSignatureIntegrationBody: + type: object + properties: + name: + type: string + cosign: + $ref: '#/components/schemas/storageCosignPublicKeyVerification' + cosignCertificates: + type: array + items: + $ref: '#/components/schemas/storageCosignCertificateVerification' + transparencyLog: + $ref: '#/components/schemas/storageTransparencyLogVerification' + storageCertificateTransparencyLogVerification: + type: object + properties: + enabled: + type: boolean + description: >- + Validate the inclusion of certificates into a certificate + transparency log. + + Disables validation if not enabled. + publicKeyPemEnc: + type: string + description: >- + PEM encoded public key used to validate the proof of inclusion into + the + + certificate transparency log. Defaults to the key of the public + Sigstore + + instance if left empty. + description: |- + Validate that the signature certificate contains a signed + certificate timestamp as proof of inclusion into the certificate + transparency log. + storageCosignCertificateVerification: + type: object + properties: + certificatePemEnc: + type: string + description: |- + PEM encoded certificate to use for verification. Leave empty when + using short-lived certificates as issued by Fulcio. + certificateChainPemEnc: + type: string + description: >- + PEM encoded certificate chain to use for verification. Defaults to + the + + root certificate authority of the public Sigstore instance if left + empty. + certificateOidcIssuer: + type: string + description: >- + Certificate OIDC issuer to verify against. + + This supports regular expressions following the RE2 syntax: + https://github.com/google/re2/wiki/Syntax. + + In case the certificate does not specify an OIDC issuer, you may use + '.*' as the OIDC issuer. 
However, + + it is recommended to use Fulcio compatible certificates according to + the specification: + + https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md. + certificateIdentity: + type: string + description: >- + Certificate identity to verify against. + + This supports regular expressions following the RE2 syntax: + https://github.com/google/re2/wiki/Syntax. + + In case the certificate does not specify an identity, you may use + '.*' as the identity. However, it is + + recommended to use Fulcio compatible certificates according to the + specification: + + https://github.com/sigstore/fulcio/blob/main/docs/certificate-specification.md. + certificateTransparencyLog: + $ref: '#/components/schemas/storageCertificateTransparencyLogVerification' + description: >- + Holds all verification data for verifying certificates attached to + cosign signatures. + + If only the certificate is given, the Fulcio trusted root chain will be + assumed and verified against. + + If only the chain is given, this will be used over the Fulcio trusted + root chain for verification. + + If no certificate or chain is given, the Fulcio trusted root chain will + be assumed and verified against. storageCosignPublicKeyVerification: type: object properties: 
@@ -14611,6 +20934,51 @@ components: type: string cosign: $ref: '#/components/schemas/storageCosignPublicKeyVerification' + cosignCertificates: + type: array + items: + $ref: '#/components/schemas/storageCosignCertificateVerification' + transparencyLog: + $ref: '#/components/schemas/storageTransparencyLogVerification' + storageTransparencyLogVerification: + type: object + properties: + enabled: + type: boolean + description: |- + Validate the inclusion of signatures into a transparency log. + Disables validation if not enabled. + url: + type: string + description: >- + The URL of the transparency log. Required for online confirmation of + + inclusion into the transparency log. Defaults to the Sigstore + instance + + `rekor.sigstore.dev`. + validateOffline: + type: boolean + description: >- + Force offline validation of the signature proof of inclusion into + the + + transparency log. Do not fall back to request confirmation from the + + transparency log over network. + publicKeyPemEnc: + type: string + description: >- + PEM encoded public key used to validate the proof of inclusion into + the + + transparency log. Defaults to the key of the public Sigstore + instance if + + left empty. + description: >- + Validate the inclusion of signature signing events into a transparency + log. v1ListSignatureIntegrationsResponse: type: object properties: 
@@ -14618,35 +20986,18 @@ components: type: array items: $ref: '#/components/schemas/storageSignatureIntegration' - v1SummaryCountsResponse: + centralTelemetryConfig: type: object properties: - numAlerts: - type: string - format: int64 - numClusters: - type: string - format: int64 - numDeployments: - type: string - format: int64 - numImages: - type: string - format: int64 - numSecrets: + userId: type: string - format: int64 - numNodes: + title: 'API user ID hash:' + endpoint: type: string - format: int64 - storageTelemetryConfiguration: - type: object - properties: - enabled: - type: boolean - lastSetTime: + title: 'An empty endpoint means using default endpoint:' + storageKeyV1: type: string - format: date-time + title: 'Telemetry storage service key:' v1ConfigureTelemetryRequest: type: object properties: @@ -14677,18 +21028,32 @@ components: type: string value: type: string - title: |- - UserAttributeTuple descript the auth:key:value tuple that decides group membership. + title: >- + UserAttributeTuple descript the auth:key:value tuple that decides group + membership. + Next Tag: 4 + RequestExpiryExpiryType: + type: string + enum: + - TIME + - ALL_CVE_FIXABLE + - ANY_CVE_FIXABLE + default: TIME ScopeGlobal: type: object VulnerabilityRequestCVEs: type: object properties: - ids: + cves: type: array items: type: string + description: >- + These are (NVD) vulnerability identifiers, `cve` field of + `storage.CVE`, and *not* the `id` field. + + For example, CVE-2021-44832. VulnerabilityRequestScopeImage: type: object properties: 
@@ -14698,13 +21063,53 @@ components: type: string tag: type: string + VulnerabilityRequestServiceApproveVulnerabilityRequestBody: + type: object + properties: + comment: + type: string + VulnerabilityRequestServiceDenyVulnerabilityRequestBody: + type: object + properties: + comment: + type: string + VulnerabilityRequestServiceUpdateVulnerabilityRequestBody: + type: object + properties: + comment: + type: string + expiry: + $ref: '#/components/schemas/storageRequestExpiry' + storageApprover: + type: object + properties: + id: + type: string + name: + type: string storageDeferralRequest: type: object properties: expiry: $ref: '#/components/schemas/storageRequestExpiry' + storageDeferralUpdate: + type: object + properties: + CVEs: + type: array + items: + type: string + expiry: + $ref: '#/components/schemas/storageRequestExpiry' storageFalsePositiveRequest: type: object + storageFalsePositiveUpdate: + type: object + properties: + CVEs: + type: array + items: + type: string storageRequestComment: type: object properties: @@ -14722,11 +21127,15 @@ components: properties: expiresWhenFixed: type: boolean - description: Indicates that this request expires when the associated vulnerability is fixed. + description: >- + Indicates that this request expires when the associated + vulnerability is fixed. expiresOn: type: string format: date-time description: Indicates the timestamp when this request expires. + expiryType: + $ref: '#/components/schemas/RequestExpiryExpiryType' storageRequestStatus: type: string enum: 
@@ -14735,15 +21144,18 @@ components: - DENIED - APPROVED_PENDING_UPDATE default: PENDING - description: |- - Indicates the status of a request. Requests canceled by the user before they are acted upon by the approver - are not tracked/persisted (with the exception of audit logs if it is turned on). + description: >- + Indicates the status of a request. Requests canceled by the user before + they are acted upon by the approver + + are not tracked/persisted (with the exception of audit logs if it is + turned on). - PENDING: Default request state. It indicates that the request has not been fulfilled and that an action (approve/deny) is required. - APPROVED: Indicates that the request has been approved by the approver. - DENIED: Indicates that the request has been denied by the approver. - APPROVED_PENDING_UPDATE: Indicates that the original request was approved, but an update is still pending an approval or denial. - storageSlimUser: + storageRequester: type: object properties: id: @@ -14755,14 +21167,18 @@ components: properties: id: type: string + name: + type: string targetState: $ref: '#/components/schemas/storageVulnerabilityState' status: $ref: '#/components/schemas/storageRequestStatus' expired: type: boolean - description: |- - Indicates if this request is a historical request that is no longer in effect + description: >- + Indicates if this request is a historical request that is no longer + in effect + due to deferral expiry, cancellation, or restarting cve observation. requestor: $ref: '#/components/schemas/storageSlimUser' @@ -14782,6 +21198,12 @@ components: $ref: '#/components/schemas/storageRequestComment' scope: $ref: '#/components/schemas/storageVulnerabilityRequestScope' + requesterV2: + $ref: '#/components/schemas/storageRequester' + approversV2: + type: array + items: + $ref: '#/components/schemas/storageApprover' deferralReq: $ref: '#/components/schemas/storageDeferralRequest' fpRequest: 
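Review bot: The `storageSlimUser` schema is renamed to `storageRequester` in this hunk, but `requestor: $ref: '#/components/schemas/storageSlimUser'` in the storageVulnerabilityRequest hunk that follows on this line is left untouched as context, so unless `storageSlimUser` is still defined elsewhere in the file that reference now dangles and client generation for this type will fail or emit an unresolved type. Either keep a `storageSlimUser` schema next to the new one or change the field to `$ref: '#/components/schemas/storageRequester'`; since the third hunk here adds `requesterV2` and `approversV2` alongside the old field, keeping the old schema looks like the intended shape. Both the `storageRequester` and the `storageVulnerabilityRequest` definitions continue outside their hunks, so the fix cannot be confirmed from this diff alone.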
@@ -14790,9 +21212,15 @@ components: $ref: '#/components/schemas/VulnerabilityRequestCVEs' updatedDeferralReq: $ref: '#/components/schemas/storageDeferralRequest' - description: |- - Next available tag: 21 - VulnerabilityRequest encapsulates a request such as deferral request and false-positive request. + deferralUpdate: + $ref: '#/components/schemas/storageDeferralUpdate' + falsePositiveUpdate: + $ref: '#/components/schemas/storageFalsePositiveUpdate' + description: >- + Next available tag: 30 + + VulnerabilityRequest encapsulates a request such as deferral request and + false-positive request. storageVulnerabilityRequestScope: type: object properties: @@ -14800,13 +21228,6 @@ components: $ref: '#/components/schemas/VulnerabilityRequestScopeImage' globalScope: $ref: '#/components/schemas/ScopeGlobal' - v1ApproveVulnRequest: - type: object - properties: - id: - type: string - comment: - type: string v1ApproveVulnRequestResponse: type: object properties: @@ -14817,6 +21238,7 @@ components: properties: cve: type: string + description: This field indicates the CVEs requested to be deferred. comment: type: string scope: @@ -14826,18 +21248,12 @@ components: expiresOn: type: string format: date-time + title: 'next available tag: 6' v1DeferVulnResponse: type: object properties: requestInfo: $ref: '#/components/schemas/storageVulnerabilityRequest' - v1DenyVulnRequest: - type: object - properties: - id: - type: string - comment: - type: string v1DenyVulnRequestResponse: type: object properties: @@ -14848,6 +21264,9 @@ components: properties: cve: type: string + description: >- + This field indicates the CVE requested to be marked as + false-positive. scope: $ref: '#/components/schemas/storageVulnerabilityRequestScope' comment: 
@@ -14874,20 +21293,26 @@ components: properties: requestInfo: $ref: '#/components/schemas/storageVulnerabilityRequest' - v1UpdateVulnRequest: - type: object - properties: - id: - type: string - comment: - type: string - expiry: - $ref: '#/components/schemas/storageRequestExpiry' v1UpdateVulnRequestResponse: type: object properties: requestInfo: $ref: '#/components/schemas/storageVulnerabilityRequest' + v1VulnMgmtExportWorkloadsResponse: + type: object + properties: + deployment: + $ref: '#/components/schemas/storageDeployment' + images: + type: array + items: + $ref: '#/components/schemas/storageImage' + livePods: + type: integer + format: int32 + description: |- + The workloads response contains the full image details including the + vulnerability data. ########################## securitySchemes: basicAuth: diff --git a/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/data/CVE.java b/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/data/CVE.java index afe626ba..f0209ede 100644 --- a/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/data/CVE.java +++ b/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/data/CVE.java @@ -20,6 +20,8 @@ public class CVE { private final boolean fixable; private final String link; private final String severity; + private final String advisory; + private final String advisoryLink; public CVE(String packageName, String packageVersion, @Nonnull StorageEmbeddedVulnerability vulnerability) { this( 
@@ -30,7 +32,9 @@ public CVE(String packageName, String packageVersion, @Nonnull StorageEmbeddedVu packageVersion, !Strings.isNullOrEmpty(vulnerability.getFixedBy()), vulnerability.getLink(), - SeverityUtil.prettySeverity(vulnerability.getSeverity()) + SeverityUtil.prettySeverity(vulnerability.getSeverity()), + vulnerability.getAdvisory() != null ? vulnerability.getAdvisory().getName() : null, + vulnerability.getAdvisory() != null ? vulnerability.getAdvisory().getLink() : null ); } } diff --git a/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/report/ReportGenerator.java b/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/report/ReportGenerator.java index 8b2b890d..d2dba1e9 100644 --- a/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/report/ReportGenerator.java +++ b/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/report/ReportGenerator.java @@ -22,7 +22,7 @@ public class ReportGenerator { - private static final String[] CVES_HEADER = {"COMPONENT", "VERSION", "CVE", "SEVERITY", "FIXABLE", "CVSS SCORE", "SCORE TYPE", "LINK"}; + private static final String[] CVES_HEADER = {"COMPONENT", "VERSION", "CVE", "SEVERITY", "FIXABLE", "CVSS SCORE", "SCORE TYPE", "LINK", "ADVISORY", "ADVISORY LINK"}; private static final String[] VIOLATED_POLICIES_HEADER = {"POLICY", "SEVERITY", "DESCRIPTION", "VIOLATION", "REMEDIATION", "ENFORCED"}; private static final String CVES_FILENAME = "cves.csv"; private static final String POLICY_VIOLATIONS_FILENAME = "policyViolations.csv"; @@ -54,7 +54,9 @@ private static void generateReport(FilePath reportsDir, ImageCheckResults result cve.isFixable(), cve.getCvssScore(), cve.getScoreType(), - cve.getLink() + cve.getLink(), + cve.getAdvisory(), + cve.getAdvisoryLink() )); } } 
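Review bot: `vulnerability.getAdvisory()` is evaluated twice in the added constructor arguments and the null check is written out twice; because `this(...)` has to be the first statement a local cannot be introduced here, but a small private static helper such as `private static String advisoryName(StorageEmbeddedVulnerability v) { return v.getAdvisory() == null ? null : v.getAdvisory().getName(); }` (and a matching one for the link) keeps the null handling for the two new fields in one place. The two new `private final` fields added in the preceding hunk on the previous line carry no comment; a one-liner like `// Vendor advisory attached to this CVE by the scanner; null when none is reported` would tell readers of the CSV and UI columns where the value comes from and that it may be absent. The delegated-to constructor that now has to accept the two extra arguments is outside this hunk.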
diff --git a/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/services/ServiceException.java b/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/services/ServiceException.java index b910359b..d6162d6b 100644 --- a/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/services/ServiceException.java +++ b/stackrox-container-image-scanner/src/main/java/com/stackrox/jenkins/plugins/services/ServiceException.java @@ -7,7 +7,7 @@ import com.google.gson.JsonSyntaxException; import com.stackrox.invoker.ApiException; -import com.stackrox.model.RuntimeError; +import com.stackrox.model.GooglerpcStatus; public class ServiceException extends IOException { @@ -23,7 +23,7 @@ public static ServiceException fromApiException(String ownMessage, ApiException String responseBody = apiException.getResponseBody(); if (!Strings.isNullOrEmpty(responseBody)) { try { - RuntimeError error = GSON.fromJson(responseBody, RuntimeError.class); + GooglerpcStatus error = GSON.fromJson(responseBody, GooglerpcStatus.class); if (!Strings.isNullOrEmpty(error.getMessage())) { messageBuilder.append(String.format(" Error: %s", error.getMessage())); } diff --git a/stackrox-container-image-scanner/src/main/webapp/js/renderTables.js b/stackrox-container-image-scanner/src/main/webapp/js/renderTables.js index f1220eb8..ff804c6c 100644 --- a/stackrox-container-image-scanner/src/main/webapp/js/renderTables.js +++ b/stackrox-container-image-scanner/src/main/webapp/js/renderTables.js @@ -22,6 +22,13 @@ function renderCVETable(tableId, cves) { } }, { title: 'FIXABLE', data : 'fixable' }, + { title: 'ADVISORY',mData : function (data, type, dataToSet) { + if (!data.hasOwnProperty('advisory')) { + return "-" + } + return `${data.advisory}`; + } + }, ], columnDefs: [ { 
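Review bot: `GSON.fromJson(responseBody, GooglerpcStatus.class)` returns null for a body that is the JSON literal `null` or contains only whitespace, and the following `error.getMessage()` then throws a NullPointerException that the surrounding `try` — which appears to catch only the Gson syntax exception — does not handle; guard it with `if (error != null && !Strings.isNullOrEmpty(error.getMessage()))`. Since the new model is google.rpc.Status, the status `code` is now available as well and would let callers tell an authentication or authorization failure from a server error without parsing text; if the generated model exposes a getter for it, something like `String.format(" Error (%s): %s", error.getCode(), error.getMessage())` is a cheap improvement. The enclosing `fromApiException` method and its catch clause extend beyond the hunk.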
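Review bot: The new ADVISORY column tests `data.hasOwnProperty('advisory')`, but the Java side stores `null` when the scanner reports no advisory, so if the serializer emits `advisory: null` instead of dropping the key the cell will read "null" rather than "-"; `if (data.advisory == null) { return "-"; }` covers both the absent key and the null value. The CSV report gained both ADVISORY and ADVISORY LINK while this table renders only the name; if the link is meant to be visible, a second column (or rendering the name as an escaped anchor) would keep the two reports consistent. DataTables inserts the string returned from `mData` into the cell as HTML by default, as it does for the neighbouring columns, so advisory names coming from the scanner reach the page unescaped — worth keeping in mind if a link is added. Minor style: `'ADVISORY',mData` lacks the space after the comma that the sibling entries use, and the template literal `${data.advisory}` can simply be `data.advisory`.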
diff --git a/stackrox-container-image-scanner/src/test/java/com/stackrox/jenkins/plugins/report/ReportGeneratorTest.java b/stackrox-container-image-scanner/src/test/java/com/stackrox/jenkins/plugins/report/ReportGeneratorTest.java index a9b0db3d..b2b7ec09 100644 --- a/stackrox-container-image-scanner/src/test/java/com/stackrox/jenkins/plugins/report/ReportGeneratorTest.java +++ b/stackrox-container-image-scanner/src/test/java/com/stackrox/jenkins/plugins/report/ReportGeneratorTest.java @@ -36,6 +36,7 @@ import com.stackrox.jenkins.plugins.data.CVE; import com.stackrox.jenkins.plugins.data.ImageCheckResults; import com.stackrox.jenkins.plugins.data.PolicyViolation; +import com.stackrox.model.StorageAdvisory; import com.stackrox.model.StorageEmbeddedVulnerability; import com.stackrox.model.StoragePolicy; @@ -92,7 +93,10 @@ void testGenerateReportForResultsWritesReportsForEveryImageInSeparatedDirectory( .severity(IMPORTANT_VULNERABILITY_SEVERITY) .cvss(9.8F) .scoreVersion(V3) - .link("https://security-tracker.debian.org/tracker/CVE-2015-5224")), + .link("https://security-tracker.debian.org/tracker/CVE-2015-5224") + .advisory(new StorageAdvisory() + .name("DSA-SOMETHING") + .link("https://advisory.com"))), new CVE("gcc-4.8", "4.8.4-1", new StorageEmbeddedVulnerability() .cve("CVE-2017-11671") .severity(MODERATE_VULNERABILITY_SEVERITY) @@ -105,7 +109,10 @@ void testGenerateReportForResultsWritesReportsForEveryImageInSeparatedDirectory( .cvss(6.5F) .scoreVersion(V3) .link("https://security-tracker.debian.org/tracker/CVE-2016-3189") - .fixedBy("1.0.6-8")) + .fixedBy("1.0.6-8") + .advisory(new StorageAdvisory() + .name("DSA-SOMETHING-ELSE") + .link("https://advisory.com"))) ), ImmutableList.of( new PolicyViolation(new StoragePolicy() 
@@ -123,7 +130,10 @@ void testGenerateReportForResultsWritesReportsForEveryImageInSeparatedDirectory(
 .severity(LOW_VULNERABILITY_SEVERITY)
 .cvss(5.8F)
 .scoreVersion(V2)
- .link("https://security-tracker.debian.org/tracker/CVE-2007-6755")),
+ .link("https://security-tracker.debian.org/tracker/CVE-2007-6755")
+ .advisory(new StorageAdvisory()
+ .name("DSA-SOMETHING")
+ .link("https://advisory.com"))),
 new CVE(null, null, new StorageEmbeddedVulnerability()
 .cve("CVE-MISSING-DATA")
 .scoreVersion(null)
diff --git a/stackrox-container-image-scanner/src/test/resources/report/jenkins.lts/cves.csv b/stackrox-container-image-scanner/src/test/resources/report/jenkins.lts/cves.csv
index 2e88057d..21aa57c8 100644
--- a/stackrox-container-image-scanner/src/test/resources/report/jenkins.lts/cves.csv
+++ b/stackrox-container-image-scanner/src/test/resources/report/jenkins.lts/cves.csv
@@ -1,4 +1,4 @@
-COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK
-util-linux,2.25.2-6,CVE-2015-5224,IMPORTANT,false,9.8,V3,https://security-tracker.debian.org/tracker/CVE-2015-5224
-gcc-4.8,4.8.4-1,CVE-2017-11671,MODERATE,false,4.0,V3,https://security-tracker.debian.org/tracker/CVE-2017-11671
-bzip2,1.0.6-7,CVE-2016-3189,LOW,true,6.5,V3,https://security-tracker.debian.org/tracker/CVE-2016-3189
+COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK,ADVISORY,ADVISORY LINK
+util-linux,2.25.2-6,CVE-2015-5224,IMPORTANT,false,9.8,V3,https://security-tracker.debian.org/tracker/CVE-2015-5224,DSA-SOMETHING,https://advisory.com
+gcc-4.8,4.8.4-1,CVE-2017-11671,MODERATE,false,4.0,V3,https://security-tracker.debian.org/tracker/CVE-2017-11671,-,-
+bzip2,1.0.6-7,CVE-2016-3189,LOW,true,6.5,V3,https://security-tracker.debian.org/tracker/CVE-2016-3189,DSA-SOMETHING-ELSE,https://advisory.com
diff --git a/stackrox-container-image-scanner/src/test/resources/report/nginx.latest/cves.csv b/stackrox-container-image-scanner/src/test/resources/report/nginx.latest/cves.csv
index 8e6b91a8..31566039 100644
--- a/stackrox-container-image-scanner/src/test/resources/report/nginx.latest/cves.csv
+++ b/stackrox-container-image-scanner/src/test/resources/report/nginx.latest/cves.csv
@@ -1,3 +1,3 @@
-COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK
-openssl,1.1.1d-0+deb10u7,CVE-2007-6755,LOW,false,5.8,V2,https://security-tracker.debian.org/tracker/CVE-2007-6755
--,-,CVE-MISSING-DATA,UNKNOWN,false,0.0,-,-
+COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK,ADVISORY,ADVISORY LINK
+openssl,1.1.1d-0+deb10u7,CVE-2007-6755,LOW,false,5.8,V2,https://security-tracker.debian.org/tracker/CVE-2007-6755,DSA-SOMETHING,https://advisory.com
+-,-,CVE-MISSING-DATA,UNKNOWN,false,0.0,-,-,-,-
diff --git a/stackrox-container-image-scanner/src/test/resources/report_with_no_issues/mis-spelled.lts/cves.csv b/stackrox-container-image-scanner/src/test/resources/report_with_no_issues/mis-spelled.lts/cves.csv
index 2f227edf..0694c56f 100644
--- a/stackrox-container-image-scanner/src/test/resources/report_with_no_issues/mis-spelled.lts/cves.csv
+++ b/stackrox-container-image-scanner/src/test/resources/report_with_no_issues/mis-spelled.lts/cves.csv
@@ -1 +1 @@
-COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK
+COMPONENT,VERSION,CVE,SEVERITY,FIXABLE,CVSS SCORE,SCORE TYPE,LINK,ADVISORY,ADVISORY LINK