Field Name	Required	Nullable	Type	Description	Format
action			StorageEnforcementAction		UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT,
message			String

22.1.7.3. AlertProcessViolation
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
message			String
processes			List of StorageProcessIndicator

22.1.7.4. AlertResourceResourceType
Copy link

Expand

Enum Values
UNKNOWN
SECRETS
CONFIGMAPS
CLUSTER_ROLES
CLUSTER_ROLE_BINDINGS
NETWORK_POLICIES
SECURITY_CONTEXT_CONSTRAINTS
EGRESS_FIREWALLS

22.1.7.5. AlertViolation
Copy link

Expand

Field Name	Type	Description	Format
message	String
keyValueAttrs	ViolationKeyValueAttrs
networkFlowInfo	ViolationNetworkFlowInfo
type	AlertViolationType		GENERIC, K8S_EVENT, NETWORK_FLOW, NETWORK_POLICY,
time	Date	Indicates violation time. This field differs from top-level field 'time' which represents last time the alert occurred in case of multiple occurrences of the policy alert. As of 55.0, this field is set only for kubernetes event violations, but may not be limited to it in future.	date-time

22.1.7.6. AlertViolationType
Copy link

Expand

Enum Values
GENERIC
K8S_EVENT
NETWORK_FLOW
NETWORK_POLICY

22.1.7.7. KeyValueAttrsKeyValueAttr
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
key			String
value			String

22.1.7.8. NetworkFlowInfoEntity
Copy link

Expand

Field Name	Type	Format
name	String
entityType	StorageNetworkEntityInfoType	UNKNOWN_TYPE, DEPLOYMENT, INTERNET, LISTEN_ENDPOINT, EXTERNAL_SOURCE, INTERNAL_ENTITIES,
deploymentNamespace	String
deploymentType	String
port	Integer	int32

22.1.7.9. PolicyMitreAttackVectors
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
tactic			String
techniques			List of `string`

22.1.7.10. ProcessSignalLineageInfo
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
parentUid			Long		int64
parentExecFilePath			String

22.1.7.11. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}

Example 3: Pack and unpack a message in Python.

foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...

Example 4: Pack and unpack a message in Go

foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

The pack methods provided by protobuf library will by default use 'type.googleapis.com/full.type.name' as the type URL and the unpack methods only use the fully qualified type name after the last '/' in the type URL, for example "foo.bar.com/x/y.z" will yield type name "y.z".

22.1.7.11.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}

{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

If the embedded message type is well-known and has a custom JSON representation, that representation will be embedded adding a field value which holds the custom JSON in addition to the @type field. Example (for message [google.protobuf.Duration][]):

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}

Expand

Field Name	Required	Nullable	Type	Description	Format
typeUrl			String	A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in `path/google.protobuf.Duration`). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme `http`, `https`, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, `https` is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than `http`, `https` (or the empty scheme) might be used with implementation specific semantics.
value			byte[]	Must be a valid serialized protocol buffer of the above specified type.	byte

22.1.7.12. RuntimeError
Copy link

Expand

Field Name	Type	Format
error	String
code	Integer	int32
message	String
details	List of ProtobufAny

22.1.7.13. StorageAlert
Copy link

Expand

Field Name	Type	Description	Format
id	String
policy	StoragePolicy
lifecycleStage	StorageLifecycleStage		DEPLOY, BUILD, RUNTIME,
clusterId	String
clusterName	String
namespace	String
namespaceId	String
deployment	StorageAlertDeployment
image	StorageContainerImage
resource	StorageAlertResource
violations	List of AlertViolation	For run-time phase alert, a maximum of 40 violations are retained.
processViolation	AlertProcessViolation
enforcement	AlertEnforcement
time	Date		date-time
firstOccurred	Date		date-time
resolvedAt	Date	The time at which the alert was resolved. Only set if ViolationState is RESOLVED.	date-time
state	StorageViolationState		ACTIVE, SNOOZED, RESOLVED, ATTEMPTED,
snoozeTill	Date		date-time

22.1.7.14. StorageAlertDeployment
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
id			String
name			String
type			String
namespace			String
namespaceId			String
labels			Map of `string`
clusterId			String
clusterName			String
containers			List of AlertDeploymentContainer
annotations			Map of `string`
inactive			Boolean

22.1.7.15. StorageAlertResource
Copy link

Represents an alert on a kubernetes resource other than a deployment (configmaps, secrets, etc.)

Expand

Field Name	Type	Format
resourceType	AlertResourceResourceType	UNKNOWN, SECRETS, CONFIGMAPS, CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS, NETWORK_POLICIES, SECURITY_CONTEXT_CONSTRAINTS, EGRESS_FIREWALLS,
name	String
clusterId	String
clusterName	String
namespace	String
namespaceId	String

22.1.7.16. StorageBooleanOperator
Copy link

Expand

Enum Values
OR
AND

22.1.7.17. StorageContainerImage
Copy link

Next tag: 12

Expand

Field Name	Required	Nullable	Type	Description	Format
id			String
name			StorageImageName
notPullable			Boolean
isClusterLocal			Boolean

22.1.7.18. StorageEnforcementAction
Copy link

FAIL_KUBE_REQUEST_ENFORCEMENT: FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events.
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT: FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates.
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT: FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.

Expand

Enum Values
UNSET_ENFORCEMENT
SCALE_TO_ZERO_ENFORCEMENT
UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT
KILL_POD_ENFORCEMENT
FAIL_BUILD_ENFORCEMENT
FAIL_KUBE_REQUEST_ENFORCEMENT
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT

22.1.7.19. StorageEventSource
Copy link

Expand

Enum Values
NOT_APPLICABLE
DEPLOYMENT_EVENT
AUDIT_LOG_EVENT

22.1.7.20. StorageExclusion
Copy link

Expand

Field Name	Type	Format
name	String
deployment	StorageExclusionDeployment
image	StorageExclusionImage
expiration	Date	date-time

22.1.7.21. StorageExclusionDeployment
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String
scope			StorageScope

22.1.7.22. StorageExclusionImage
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String

22.1.7.23. StorageImageName
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
registry			String
remote			String
tag			String
fullName			String

22.1.7.24. StorageL4Protocol
Copy link

Expand

Enum Values
L4_PROTOCOL_UNKNOWN
L4_PROTOCOL_TCP
L4_PROTOCOL_UDP
L4_PROTOCOL_ICMP
L4_PROTOCOL_RAW
L4_PROTOCOL_SCTP
L4_PROTOCOL_ANY

22.1.7.25. StorageLifecycleStage
Copy link

Expand

Enum Values
DEPLOY
BUILD
RUNTIME

22.1.7.26. StorageNetworkEntityInfoType
Copy link

INTERNAL_ENTITIES: INTERNAL_ENTITIES is for grouping all internal entities under a single network graph node

Expand

Enum Values
UNKNOWN_TYPE
DEPLOYMENT
INTERNET
LISTEN_ENDPOINT
EXTERNAL_SOURCE
INTERNAL_ENTITIES

22.1.7.27. StoragePolicy
Copy link

Expand

Field Name	Type	Description	Format
id	String
name	String
description	String
rationale	String
remediation	String
disabled	Boolean
categories	List of `string`
lifecycleStages	List of StorageLifecycleStage
eventSource	StorageEventSource		NOT_APPLICABLE, DEPLOYMENT_EVENT, AUDIT_LOG_EVENT,
exclusions	List of StorageExclusion
scope	List of StorageScope
severity	StorageSeverity		UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY,
enforcementActions	List of StorageEnforcementAction	FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates/updates. FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.
notifiers	List of `string`
lastUpdated	Date		date-time
SORTName	String	For internal use only.
SORTLifecycleStage	String	For internal use only.
SORTEnforcement	Boolean	For internal use only.
policyVersion	String
policySections	List of StoragePolicySection
mitreAttackVectors	List of PolicyMitreAttackVectors
criteriaLocked	Boolean	Read-only field. If true, the policy’s criteria fields are rendered read-only.
mitreVectorsLocked	Boolean	Read-only field. If true, the policy’s MITRE ATT&CK fields are rendered read-only.
isDefault	Boolean	Read-only field. Indicates the policy is a default policy if true and a custom policy if false.

22.1.7.28. StoragePolicyGroup
Copy link

Expand

Field Name	Type	Format
fieldName	String
booleanOperator	StorageBooleanOperator	OR, AND,
negate	Boolean
values	List of StoragePolicyValue

22.1.7.29. StoragePolicySection
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
sectionName			String
policyGroups			List of StoragePolicyGroup

22.1.7.30. StoragePolicyValue
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
value			String

22.1.7.31. StorageProcessIndicator
Copy link

Next available tag: 13

Expand

Field Name	Type	Format
id	String
deploymentId	String
containerName	String
podId	String
podUid	String
signal	StorageProcessSignal
clusterId	String
namespace	String
containerStartTime	Date	date-time
imageId	String

22.1.7.32. StorageProcessSignal
Copy link

Expand

Field Name	Type	Description	Format
id	String	A unique UUID for identifying the message We have this here instead of at the top level because we want to have each message to be self contained.
containerId	String
time	Date		date-time
name	String
args	String
execFilePath	String
pid	Long		int64
uid	Long		int64
gid	Long		int64
lineage	List of `string`
scraped	Boolean
lineageInfo	List of ProcessSignalLineageInfo

22.1.7.33. StorageScope
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
cluster			String
namespace			String
label			StorageScopeLabel

22.1.7.34. StorageScopeLabel
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
key			String
value			String

22.1.7.35. StorageSeverity
Copy link

Expand

Enum Values
UNSET_SEVERITY
LOW_SEVERITY
MEDIUM_SEVERITY
HIGH_SEVERITY
CRITICAL_SEVERITY

22.1.7.36. StorageViolationState
Copy link

Expand

Enum Values
ACTIVE
SNOOZED
RESOLVED
ATTEMPTED

22.1.7.37. V1BuildDetectionRequest
Copy link

Expand

Field Name	Type	Description
image	StorageContainerImage
imageName	String
noExternalMetadata	Boolean
sendNotifications	Boolean
force	Boolean
policyCategories	List of `string`
cluster	String	Cluster to delegate scan to, may be the cluster’s name or ID.

22.1.7.38. V1BuildDetectionResponse
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
alerts			List of StorageAlert

22.1.7.39. ViolationKeyValueAttrs
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
attrs			List of KeyValueAttrsKeyValueAttr

22.1.7.40. ViolationNetworkFlowInfo
Copy link

Expand

Field Name	Type	Format
protocol	StorageL4Protocol	L4_PROTOCOL_UNKNOWN, L4_PROTOCOL_TCP, L4_PROTOCOL_UDP, L4_PROTOCOL_ICMP, L4_PROTOCOL_RAW, L4_PROTOCOL_SCTP, L4_PROTOCOL_ANY,
source	NetworkFlowInfoEntity
destination	NetworkFlowInfoEntity

22.2. DetectDeployTime
Copy link

POST /v1/detect/deploy

DetectDeployTime checks if any deployments violate deploy time policies.

22.2.1. Description
Copy link

22.2.2. Parameters
Copy link

22.2.2.1. Body Parameter
Copy link

Expand

Name	Description	Required	Default	Pattern
body	V1DeployDetectionRequest	X

22.2.3. Return Type
Copy link

V1DeployDetectionResponse

22.2.4. Content Type
Copy link

application/json

22.2.5. Responses
Copy link

Expand

Table 22.2. HTTP Response Codes
Code	Message	Datatype
200	A successful response.	V1DeployDetectionResponse
0	An unexpected error response.	RuntimeError

22.2.6. Samples
Copy link

22.2.7. Common object reference
Copy link

22.2.7.1. AlertDeploymentContainer
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
image			StorageContainerImage
name			String

22.2.7.2. AlertEnforcement
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
action			StorageEnforcementAction		UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT,
message			String

22.2.7.3. AlertProcessViolation
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
message			String
processes			List of StorageProcessIndicator

22.2.7.4. AlertResourceResourceType
Copy link

Expand

Enum Values
UNKNOWN
SECRETS
CONFIGMAPS
CLUSTER_ROLES
CLUSTER_ROLE_BINDINGS
NETWORK_POLICIES
SECURITY_CONTEXT_CONSTRAINTS
EGRESS_FIREWALLS

22.2.7.5. AlertViolation
Copy link

Expand

Field Name	Type	Description	Format
message	String
keyValueAttrs	ViolationKeyValueAttrs
networkFlowInfo	ViolationNetworkFlowInfo
type	AlertViolationType		GENERIC, K8S_EVENT, NETWORK_FLOW, NETWORK_POLICY,
time	Date	Indicates violation time. This field differs from top-level field 'time' which represents last time the alert occurred in case of multiple occurrences of the policy alert. As of 55.0, this field is set only for kubernetes event violations, but may not be limited to it in future.	date-time

22.2.7.6. AlertViolationType
Copy link

Expand

Enum Values
GENERIC
K8S_EVENT
NETWORK_FLOW
NETWORK_POLICY

22.2.7.7. ContainerConfigEnvironmentConfig
Copy link

Expand

Field Name	Type	Format
key	String
value	String
envVarSource	EnvironmentConfigEnvVarSource	UNSET, RAW, SECRET_KEY, CONFIG_MAP_KEY, FIELD, RESOURCE_FIELD, UNKNOWN,

22.2.7.8. DeployDetectionResponseRun
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String
type			String
alerts			List of StorageAlert

22.2.7.9. EnvironmentConfigEnvVarSource
Copy link

For any update to EnvVarSource, please also update 'ui/src/messages/common.js'

Expand

Enum Values
UNSET
RAW
SECRET_KEY
CONFIG_MAP_KEY
FIELD
RESOURCE_FIELD
UNKNOWN

22.2.7.10. KeyValueAttrsKeyValueAttr
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
key			String
value			String

22.2.7.11. NetworkFlowInfoEntity
Copy link

Expand

Field Name	Type	Format
name	String
entityType	StorageNetworkEntityInfoType	UNKNOWN_TYPE, DEPLOYMENT, INTERNET, LISTEN_ENDPOINT, EXTERNAL_SOURCE, INTERNAL_ENTITIES,
deploymentNamespace	String
deploymentType	String
port	Integer	int32

22.2.7.12. PolicyMitreAttackVectors
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
tactic			String
techniques			List of `string`

22.2.7.13. PortConfigExposureInfo
Copy link

Expand

Field Name	Type	Format
level	PortConfigExposureLevel	UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE,
serviceName	String
serviceId	String
serviceClusterIp	String
servicePort	Integer	int32
nodePort	Integer	int32
externalIps	List of `string`
externalHostnames	List of `string`

22.2.7.14. PortConfigExposureLevel
Copy link

Expand

Enum Values
UNSET
EXTERNAL
NODE
INTERNAL
HOST
ROUTE

22.2.7.15. ProcessSignalLineageInfo
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
parentUid			Long		int64
parentExecFilePath			String

22.2.7.16. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}

Example 3: Pack and unpack a message in Python.

foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...

Example 4: Pack and unpack a message in Go

foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

22.2.7.16.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}

{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}

Expand

Field Name	Required	Nullable	Type	Description	Format
typeUrl			String	A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in `path/google.protobuf.Duration`). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme `http`, `https`, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, `https` is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than `http`, `https` (or the empty scheme) might be used with implementation specific semantics.
value			byte[]	Must be a valid serialized protocol buffer of the above specified type.	byte

22.2.7.17. RuntimeError
Copy link

Expand

Field Name	Type	Format
error	String
code	Integer	int32
message	String
details	List of ProtobufAny

22.2.7.18. SeccompProfileProfileType
Copy link

Expand

Enum Values
UNCONFINED
RUNTIME_DEFAULT
LOCALHOST

22.2.7.19. SecurityContextSELinux
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
user			String
role			String
type			String
level			String

22.2.7.20. SecurityContextSeccompProfile
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
type			SeccompProfileProfileType		UNCONFINED, RUNTIME_DEFAULT, LOCALHOST,
localhostProfile			String

22.2.7.21. StorageAlert
Copy link

Expand

Field Name	Type	Description	Format
id	String
policy	StoragePolicy
lifecycleStage	StorageLifecycleStage		DEPLOY, BUILD, RUNTIME,
clusterId	String
clusterName	String
namespace	String
namespaceId	String
deployment	StorageAlertDeployment
image	StorageContainerImage
resource	StorageAlertResource
violations	List of AlertViolation	For run-time phase alert, a maximum of 40 violations are retained.
processViolation	AlertProcessViolation
enforcement	AlertEnforcement
time	Date		date-time
firstOccurred	Date		date-time
resolvedAt	Date	The time at which the alert was resolved. Only set if ViolationState is RESOLVED.	date-time
state	StorageViolationState		ACTIVE, SNOOZED, RESOLVED, ATTEMPTED,
snoozeTill	Date		date-time

22.2.7.22. StorageAlertDeployment
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
id			String
name			String
type			String
namespace			String
namespaceId			String
labels			Map of `string`
clusterId			String
clusterName			String
containers			List of AlertDeploymentContainer
annotations			Map of `string`
inactive			Boolean

22.2.7.23. StorageAlertResource
Copy link

Represents an alert on a kubernetes resource other than a deployment (configmaps, secrets, etc.)

Expand

Field Name	Type	Format
resourceType	AlertResourceResourceType	UNKNOWN, SECRETS, CONFIGMAPS, CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS, NETWORK_POLICIES, SECURITY_CONTEXT_CONSTRAINTS, EGRESS_FIREWALLS,
name	String
clusterId	String
clusterName	String
namespace	String
namespaceId	String

22.2.7.24. StorageBooleanOperator
Copy link

Expand

Enum Values
OR
AND

22.2.7.25. StorageContainer
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
id			String
config			StorageContainerConfig
image			StorageContainerImage
securityContext			StorageSecurityContext
volumes			List of StorageVolume
ports			List of StoragePortConfig
secrets			List of StorageEmbeddedSecret
resources			StorageResources
name			String
livenessProbe			StorageLivenessProbe
readinessProbe			StorageReadinessProbe

22.2.7.26. StorageContainerConfig
Copy link

Expand

Field Name	Type	Format
env	List of ContainerConfigEnvironmentConfig
command	List of `string`
args	List of `string`
directory	String
user	String
uid	String	int64
appArmorProfile	String

22.2.7.27. StorageContainerImage
Copy link

Next tag: 12

Expand

Field Name	Required	Nullable	Type	Description	Format
id			String
name			StorageImageName
notPullable			Boolean
isClusterLocal			Boolean

22.2.7.28. StorageDeployment
Copy link

Next available tag: 35

Expand

Field Name	Type	Format
id	String
name	String
hash	String	uint64
type	String
namespace	String
namespaceId	String
orchestratorComponent	Boolean
replicas	String	int64
labels	Map of `string`
podLabels	Map of `string`
labelSelector	StorageLabelSelector
created	Date	date-time
clusterId	String
clusterName	String
containers	List of StorageContainer
annotations	Map of `string`
priority	String	int64
inactive	Boolean
imagePullSecrets	List of `string`
serviceAccount	String
serviceAccountPermissionLevel	StoragePermissionLevel	UNSET, NONE, DEFAULT, ELEVATED_IN_NAMESPACE, ELEVATED_CLUSTER_WIDE, CLUSTER_ADMIN,
automountServiceAccountToken	Boolean
hostNetwork	Boolean
hostPid	Boolean
hostIpc	Boolean
runtimeClass	String
tolerations	List of StorageToleration
ports	List of StoragePortConfig
stateTimestamp	String	int64
riskScore	Float	float

22.2.7.29. StorageEmbeddedSecret
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String
path			String

22.2.7.30. StorageEnforcementAction
Copy link

FAIL_KUBE_REQUEST_ENFORCEMENT: FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events.
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT: FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates.
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT: FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.

Expand

Enum Values
UNSET_ENFORCEMENT
SCALE_TO_ZERO_ENFORCEMENT
UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT
KILL_POD_ENFORCEMENT
FAIL_BUILD_ENFORCEMENT
FAIL_KUBE_REQUEST_ENFORCEMENT
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT

22.2.7.31. StorageEventSource
Copy link

Expand

Enum Values
NOT_APPLICABLE
DEPLOYMENT_EVENT
AUDIT_LOG_EVENT

22.2.7.32. StorageExclusion
Copy link

Expand

Field Name	Type	Format
name	String
deployment	StorageExclusionDeployment
image	StorageExclusionImage
expiration	Date	date-time

22.2.7.33. StorageExclusionDeployment
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String
scope			StorageScope

22.2.7.34. StorageExclusionImage
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String

22.2.7.35. StorageImageName
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
registry			String
remote			String
tag			String
fullName			String

22.2.7.36. StorageL4Protocol
Copy link

Expand

Enum Values
L4_PROTOCOL_UNKNOWN
L4_PROTOCOL_TCP
L4_PROTOCOL_UDP
L4_PROTOCOL_ICMP
L4_PROTOCOL_RAW
L4_PROTOCOL_SCTP
L4_PROTOCOL_ANY

22.2.7.37. StorageLabelSelector
Copy link

Label selector components are joined with logical AND, see     https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Next available tag: 3

Expand

Field Name	Required	Nullable	Type	Description	Format
matchLabels			Map of `string`	This is actually a oneof, but we can’t make it one due to backwards compatibility constraints.
requirements			List of StorageLabelSelectorRequirement

22.2.7.38. StorageLabelSelectorOperator
Copy link

Expand

Enum Values
UNKNOWN
IN
NOT_IN
EXISTS
NOT_EXISTS

22.2.7.39. StorageLabelSelectorRequirement
Copy link

Next available tag: 4

Expand

Field Name	Type	Format
key	String
op	StorageLabelSelectorOperator	UNKNOWN, IN, NOT_IN, EXISTS, NOT_EXISTS,
values	List of `string`

22.2.7.40. StorageLifecycleStage
Copy link

Expand

Enum Values
DEPLOY
BUILD
RUNTIME

22.2.7.41. StorageLivenessProbe
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
defined			Boolean

22.2.7.42. StorageNetworkEntityInfoType
Copy link

INTERNAL_ENTITIES: INTERNAL_ENTITIES is for grouping all internal entities under a single network graph node

Expand

Enum Values
UNKNOWN_TYPE
DEPLOYMENT
INTERNET
LISTEN_ENDPOINT
EXTERNAL_SOURCE
INTERNAL_ENTITIES

22.2.7.43. StoragePermissionLevel
Copy link

For any update to PermissionLevel, also update: - pkg/searchbasedpolicies/builders/k8s_rbac.go - ui/src/messages/common.js

Expand

Enum Values
UNSET
NONE
DEFAULT
ELEVATED_IN_NAMESPACE
ELEVATED_CLUSTER_WIDE
CLUSTER_ADMIN

22.2.7.44. StoragePolicy
Copy link

Expand

Field Name	Type	Description	Format
id	String
name	String
description	String
rationale	String
remediation	String
disabled	Boolean
categories	List of `string`
lifecycleStages	List of StorageLifecycleStage
eventSource	StorageEventSource		NOT_APPLICABLE, DEPLOYMENT_EVENT, AUDIT_LOG_EVENT,
exclusions	List of StorageExclusion
scope	List of StorageScope
severity	StorageSeverity		UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY,
enforcementActions	List of StorageEnforcementAction	FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates/updates. FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.
notifiers	List of `string`
lastUpdated	Date		date-time
SORTName	String	For internal use only.
SORTLifecycleStage	String	For internal use only.
SORTEnforcement	Boolean	For internal use only.
policyVersion	String
policySections	List of StoragePolicySection
mitreAttackVectors	List of PolicyMitreAttackVectors
criteriaLocked	Boolean	Read-only field. If true, the policy’s criteria fields are rendered read-only.
mitreVectorsLocked	Boolean	Read-only field. If true, the policy’s MITRE ATT&CK fields are rendered read-only.
isDefault	Boolean	Read-only field. Indicates the policy is a default policy if true and a custom policy if false.

22.2.7.45. StoragePolicyGroup
Copy link

Expand

Field Name	Type	Format
fieldName	String
booleanOperator	StorageBooleanOperator	OR, AND,
negate	Boolean
values	List of StoragePolicyValue

22.2.7.46. StoragePolicySection
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
sectionName			String
policyGroups			List of StoragePolicyGroup

22.2.7.47. StoragePolicyValue
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
value			String

22.2.7.48. StoragePortConfig
Copy link

Next Available Tag: 6

Expand

Field Name	Type	Format
name	String
containerPort	Integer	int32
protocol	String
exposure	PortConfigExposureLevel	UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE,
exposedPort	Integer	int32
exposureInfos	List of PortConfigExposureInfo

22.2.7.49. StorageProcessIndicator
Copy link

Next available tag: 13

Expand

Field Name	Type	Format
id	String
deploymentId	String
containerName	String
podId	String
podUid	String
signal	StorageProcessSignal
clusterId	String
namespace	String
containerStartTime	Date	date-time
imageId	String

22.2.7.50. StorageProcessSignal
Copy link

Expand

Field Name	Type	Description	Format
id	String	A unique UUID for identifying the message We have this here instead of at the top level because we want to have each message to be self contained.
containerId	String
time	Date		date-time
name	String
args	String
execFilePath	String
pid	Long		int64
uid	Long		int64
gid	Long		int64
lineage	List of `string`
scraped	Boolean
lineageInfo	List of ProcessSignalLineageInfo

22.2.7.51. StorageReadinessProbe
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
defined			Boolean

22.2.7.52. StorageResources
Copy link

Expand

Field Name	Type	Format
cpuCoresRequest	Float	float
cpuCoresLimit	Float	float
memoryMbRequest	Float	float
memoryMbLimit	Float	float

22.2.7.53. StorageScope
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
cluster			String
namespace			String
label			StorageScopeLabel

22.2.7.54. StorageScopeLabel
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
key			String
value			String

22.2.7.55. StorageSecurityContext
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
privileged			Boolean
selinux			SecurityContextSELinux
dropCapabilities			List of `string`
addCapabilities			List of `string`
readOnlyRootFilesystem			Boolean
seccompProfile			SecurityContextSeccompProfile
allowPrivilegeEscalation			Boolean

22.2.7.56. StorageSeverity
Copy link

Expand

Enum Values
UNSET_SEVERITY
LOW_SEVERITY
MEDIUM_SEVERITY
HIGH_SEVERITY
CRITICAL_SEVERITY

22.2.7.57. StorageTaintEffect
Copy link

Expand

Enum Values
UNKNOWN_TAINT_EFFECT
NO_SCHEDULE_TAINT_EFFECT
PREFER_NO_SCHEDULE_TAINT_EFFECT
NO_EXECUTE_TAINT_EFFECT

22.2.7.58. StorageToleration
Copy link

Expand

Field Name	Type	Format
key	String
operator	StorageTolerationOperator	TOLERATION_OPERATION_UNKNOWN, TOLERATION_OPERATOR_EXISTS, TOLERATION_OPERATOR_EQUAL,
value	String
taintEffect	StorageTaintEffect	UNKNOWN_TAINT_EFFECT, NO_SCHEDULE_TAINT_EFFECT, PREFER_NO_SCHEDULE_TAINT_EFFECT, NO_EXECUTE_TAINT_EFFECT,

22.2.7.59. StorageTolerationOperator
Copy link

Expand

Enum Values
TOLERATION_OPERATION_UNKNOWN
TOLERATION_OPERATOR_EXISTS
TOLERATION_OPERATOR_EQUAL

22.2.7.60. StorageViolationState
Copy link

Expand

Enum Values
ACTIVE
SNOOZED
RESOLVED
ATTEMPTED

22.2.7.61. StorageVolume
Copy link

Expand

Field Name	Type	Format
name	String
source	String
destination	String
readOnly	Boolean
type	String
mountPropagation	VolumeMountPropagation	NONE, HOST_TO_CONTAINER, BIDIRECTIONAL,

22.2.7.62. V1DeployDetectionRemark
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String
permissionLevel			String
appliedNetworkPolicies			List of `string`

22.2.7.63. V1DeployDetectionRequest
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
deployment			StorageDeployment
noExternalMetadata			Boolean
enforcementOnly			Boolean
clusterId			String

22.2.7.64. V1DeployDetectionResponse
Copy link

Expand

Field Name	Type	Description
runs	List of DeployDetectionResponseRun
ignoredObjectRefs	List of `string`	The reference will be in the format: namespace/name[<group>/<version>, Kind=<kind>].
remarks	List of V1DeployDetectionRemark

22.2.7.65. ViolationKeyValueAttrs
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
attrs			List of KeyValueAttrsKeyValueAttr

22.2.7.66. ViolationNetworkFlowInfo
Copy link

Expand

Field Name	Type	Format
protocol	StorageL4Protocol	L4_PROTOCOL_UNKNOWN, L4_PROTOCOL_TCP, L4_PROTOCOL_UDP, L4_PROTOCOL_ICMP, L4_PROTOCOL_RAW, L4_PROTOCOL_SCTP, L4_PROTOCOL_ANY,
source	NetworkFlowInfoEntity
destination	NetworkFlowInfoEntity

22.2.7.67. VolumeMountPropagation
Copy link

Expand

Enum Values
NONE
HOST_TO_CONTAINER
BIDIRECTIONAL

22.3. DetectDeployTimeFromYAML
Copy link

POST /v1/detect/deploy/yaml

DetectDeployTimeFromYAML checks if the given deployment yaml violates any deploy time policies.

22.3.1. Description
Copy link

22.3.2. Parameters
Copy link

22.3.2.1. Body Parameter
Copy link

Expand

Name	Description	Required	Default	Pattern
body	V1DeployYAMLDetectionRequest	X

22.3.3. Return Type
Copy link

V1DeployDetectionResponse

22.3.4. Content Type
Copy link

application/json

22.3.5. Responses
Copy link

Expand

Table 22.3. HTTP Response Codes
Code	Message	Datatype
200	A successful response.	V1DeployDetectionResponse
0	An unexpected error response.	RuntimeError

22.3.6. Samples
Copy link

22.3.7. Common object reference
Copy link

22.3.7.1. AlertDeploymentContainer
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
image			StorageContainerImage
name			String

22.3.7.2. AlertEnforcement
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
action			StorageEnforcementAction		UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT,
message			String

22.3.7.3. AlertProcessViolation
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
message			String
processes			List of StorageProcessIndicator

22.3.7.4. AlertResourceResourceType
Copy link

Expand

Enum Values
UNKNOWN
SECRETS
CONFIGMAPS
CLUSTER_ROLES
CLUSTER_ROLE_BINDINGS
NETWORK_POLICIES
SECURITY_CONTEXT_CONSTRAINTS
EGRESS_FIREWALLS

22.3.7.5. AlertViolation
Copy link

Expand

Field Name	Type	Description	Format
message	String
keyValueAttrs	ViolationKeyValueAttrs
networkFlowInfo	ViolationNetworkFlowInfo
type	AlertViolationType		GENERIC, K8S_EVENT, NETWORK_FLOW, NETWORK_POLICY,
time	Date	Indicates violation time. This field differs from top-level field 'time' which represents last time the alert occurred in case of multiple occurrences of the policy alert. As of 55.0, this field is set only for kubernetes event violations, but may not be limited to it in future.	date-time

22.3.7.6. AlertViolationType
Copy link

Expand

Enum Values
GENERIC
K8S_EVENT
NETWORK_FLOW
NETWORK_POLICY

22.3.7.7. DeployDetectionResponseRun
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String
type			String
alerts			List of StorageAlert

22.3.7.8. KeyValueAttrsKeyValueAttr
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
key			String
value			String

22.3.7.9. NetworkFlowInfoEntity
Copy link

Expand

Field Name	Type	Format
name	String
entityType	StorageNetworkEntityInfoType	UNKNOWN_TYPE, DEPLOYMENT, INTERNET, LISTEN_ENDPOINT, EXTERNAL_SOURCE, INTERNAL_ENTITIES,
deploymentNamespace	String
deploymentType	String
port	Integer	int32

22.3.7.10. PolicyMitreAttackVectors
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
tactic			String
techniques			List of `string`

22.3.7.11. ProcessSignalLineageInfo
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
parentUid			Long		int64
parentExecFilePath			String

22.3.7.12. ProtobufAny
Copy link

Any contains an arbitrary serialized protocol buffer message along with a URL that describes the type of the serialized message.

Protobuf library provides support to pack/unpack Any values in the form of utility functions or additional generated methods of the Any type.

Example 1: Pack and unpack a message in C++.

Foo foo = ...;
Any any;
any.PackFrom(foo);
...
if (any.UnpackTo(&foo)) {
  ...
}

Example 2: Pack and unpack a message in Java.

Foo foo = ...;
Any any = Any.pack(foo);
...
if (any.is(Foo.class)) {
  foo = any.unpack(Foo.class);
}
// or ...
if (any.isSameTypeAs(Foo.getDefaultInstance())) {
  foo = any.unpack(Foo.getDefaultInstance());
}

Example 3: Pack and unpack a message in Python.

foo = Foo(...)
any = Any()
any.Pack(foo)
...
if any.Is(Foo.DESCRIPTOR):
  any.Unpack(foo)
  ...

Example 4: Pack and unpack a message in Go

foo := &pb.Foo{...}
any, err := anypb.New(foo)
if err != nil {
  ...
}
...
foo := &pb.Foo{}
if err := any.UnmarshalTo(foo); err != nil {
  ...
}

22.3.7.12.1. JSON representation
Copy link

The JSON representation of an Any value uses the regular representation of the deserialized, embedded message, with an additional field @type which contains the type URL. Example:

package google.profile;
message Person {
  string first_name = 1;
  string last_name = 2;
}

{
  "@type": "type.googleapis.com/google.profile.Person",
  "firstName": <string>,
  "lastName": <string>
}

{
  "@type": "type.googleapis.com/google.protobuf.Duration",
  "value": "1.212s"
}

Expand

Field Name	Required	Nullable	Type	Description	Format
typeUrl			String	A URL/resource name that uniquely identifies the type of the serialized protocol buffer message. This string must contain at least one \"/\" character. The last segment of the URL’s path must represent the fully qualified name of the type (as in `path/google.protobuf.Duration`). The name should be in a canonical form (e.g., leading \".\" is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme `http`, `https`, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, `https` is assumed. * An HTTP GET on the URL must yield a [google.protobuf.Type][] value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. As of May 2023, there are no widely used type server implementations and no plans to implement one. Schemes other than `http`, `https` (or the empty scheme) might be used with implementation specific semantics.
value			byte[]	Must be a valid serialized protocol buffer of the above specified type.	byte

22.3.7.13. RuntimeError
Copy link

Expand

Field Name	Type	Format
error	String
code	Integer	int32
message	String
details	List of ProtobufAny

22.3.7.14. StorageAlert
Copy link

Expand

Field Name	Type	Description	Format
id	String
policy	StoragePolicy
lifecycleStage	StorageLifecycleStage		DEPLOY, BUILD, RUNTIME,
clusterId	String
clusterName	String
namespace	String
namespaceId	String
deployment	StorageAlertDeployment
image	StorageContainerImage
resource	StorageAlertResource
violations	List of AlertViolation	For run-time phase alert, a maximum of 40 violations are retained.
processViolation	AlertProcessViolation
enforcement	AlertEnforcement
time	Date		date-time
firstOccurred	Date		date-time
resolvedAt	Date	The time at which the alert was resolved. Only set if ViolationState is RESOLVED.	date-time
state	StorageViolationState		ACTIVE, SNOOZED, RESOLVED, ATTEMPTED,
snoozeTill	Date		date-time

22.3.7.15. StorageAlertDeployment
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
id			String
name			String
type			String
namespace			String
namespaceId			String
labels			Map of `string`
clusterId			String
clusterName			String
containers			List of AlertDeploymentContainer
annotations			Map of `string`
inactive			Boolean

22.3.7.16. StorageAlertResource
Copy link

Represents an alert on a kubernetes resource other than a deployment (configmaps, secrets, etc.)

Expand

Field Name	Type	Format
resourceType	AlertResourceResourceType	UNKNOWN, SECRETS, CONFIGMAPS, CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS, NETWORK_POLICIES, SECURITY_CONTEXT_CONSTRAINTS, EGRESS_FIREWALLS,
name	String
clusterId	String
clusterName	String
namespace	String
namespaceId	String

22.3.7.17. StorageBooleanOperator
Copy link

Expand

Enum Values
OR
AND

22.3.7.18. StorageContainerImage
Copy link

Next tag: 12

Expand

Field Name	Required	Nullable	Type	Description	Format
id			String
name			StorageImageName
notPullable			Boolean
isClusterLocal			Boolean

22.3.7.19. StorageEnforcementAction
Copy link

FAIL_KUBE_REQUEST_ENFORCEMENT: FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events.
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT: FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates.
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT: FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.

Expand

Enum Values
UNSET_ENFORCEMENT
SCALE_TO_ZERO_ENFORCEMENT
UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT
KILL_POD_ENFORCEMENT
FAIL_BUILD_ENFORCEMENT
FAIL_KUBE_REQUEST_ENFORCEMENT
FAIL_DEPLOYMENT_CREATE_ENFORCEMENT
FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT

22.3.7.20. StorageEventSource
Copy link

Expand

Enum Values
NOT_APPLICABLE
DEPLOYMENT_EVENT
AUDIT_LOG_EVENT

22.3.7.21. StorageExclusion
Copy link

Expand

Field Name	Type	Format
name	String
deployment	StorageExclusionDeployment
image	StorageExclusionImage
expiration	Date	date-time

22.3.7.22. StorageExclusionDeployment
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String
scope			StorageScope

22.3.7.23. StorageExclusionImage
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String

22.3.7.24. StorageImageName
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
registry			String
remote			String
tag			String
fullName			String

22.3.7.25. StorageL4Protocol
Copy link

Expand

Enum Values
L4_PROTOCOL_UNKNOWN
L4_PROTOCOL_TCP
L4_PROTOCOL_UDP
L4_PROTOCOL_ICMP
L4_PROTOCOL_RAW
L4_PROTOCOL_SCTP
L4_PROTOCOL_ANY

22.3.7.26. StorageLifecycleStage
Copy link

Expand

Enum Values
DEPLOY
BUILD
RUNTIME

22.3.7.27. StorageNetworkEntityInfoType
Copy link

INTERNAL_ENTITIES: INTERNAL_ENTITIES is for grouping all internal entities under a single network graph node

Expand

Enum Values
UNKNOWN_TYPE
DEPLOYMENT
INTERNET
LISTEN_ENDPOINT
EXTERNAL_SOURCE
INTERNAL_ENTITIES

22.3.7.28. StoragePolicy
Copy link

Expand

Field Name	Type	Description	Format
id	String
name	String
description	String
rationale	String
remediation	String
disabled	Boolean
categories	List of `string`
lifecycleStages	List of StorageLifecycleStage
eventSource	StorageEventSource		NOT_APPLICABLE, DEPLOYMENT_EVENT, AUDIT_LOG_EVENT,
exclusions	List of StorageExclusion
scope	List of StorageScope
severity	StorageSeverity		UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY,
enforcementActions	List of StorageEnforcementAction	FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates/updates. FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates.
notifiers	List of `string`
lastUpdated	Date		date-time
SORTName	String	For internal use only.
SORTLifecycleStage	String	For internal use only.
SORTEnforcement	Boolean	For internal use only.
policyVersion	String
policySections	List of StoragePolicySection
mitreAttackVectors	List of PolicyMitreAttackVectors
criteriaLocked	Boolean	Read-only field. If true, the policy’s criteria fields are rendered read-only.
mitreVectorsLocked	Boolean	Read-only field. If true, the policy’s MITRE ATT&CK fields are rendered read-only.
isDefault	Boolean	Read-only field. Indicates the policy is a default policy if true and a custom policy if false.

22.3.7.29. StoragePolicyGroup
Copy link

Expand

Field Name	Type	Format
fieldName	String
booleanOperator	StorageBooleanOperator	OR, AND,
negate	Boolean
values	List of StoragePolicyValue

22.3.7.30. StoragePolicySection
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
sectionName			String
policyGroups			List of StoragePolicyGroup

22.3.7.31. StoragePolicyValue
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
value			String

22.3.7.32. StorageProcessIndicator
Copy link

Next available tag: 13

Expand

Field Name	Type	Format
id	String
deploymentId	String
containerName	String
podId	String
podUid	String
signal	StorageProcessSignal
clusterId	String
namespace	String
containerStartTime	Date	date-time
imageId	String

22.3.7.33. StorageProcessSignal
Copy link

Expand

Field Name	Type	Description	Format
id	String	A unique UUID for identifying the message We have this here instead of at the top level because we want to have each message to be self contained.
containerId	String
time	Date		date-time
name	String
args	String
execFilePath	String
pid	Long		int64
uid	Long		int64
gid	Long		int64
lineage	List of `string`
scraped	Boolean
lineageInfo	List of ProcessSignalLineageInfo

22.3.7.34. StorageScope
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
cluster			String
namespace			String
label			StorageScopeLabel

22.3.7.35. StorageScopeLabel
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
key			String
value			String

22.3.7.36. StorageSeverity
Copy link

Expand

Enum Values
UNSET_SEVERITY
LOW_SEVERITY
MEDIUM_SEVERITY
HIGH_SEVERITY
CRITICAL_SEVERITY

22.3.7.37. StorageViolationState
Copy link

Expand

Enum Values
ACTIVE
SNOOZED
RESOLVED
ATTEMPTED

22.3.7.38. V1DeployDetectionRemark
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
name			String
permissionLevel			String
appliedNetworkPolicies			List of `string`

22.3.7.39. V1DeployDetectionResponse
Copy link

Expand

Field Name	Type	Description
runs	List of DeployDetectionResponseRun
ignoredObjectRefs	List of `string`	The reference will be in the format: namespace/name[<group>/<version>, Kind=<kind>].
remarks	List of V1DeployDetectionRemark

22.3.7.40. V1DeployYAMLDetectionRequest
Copy link

Expand

Field Name	Type	Description
yaml	String
noExternalMetadata	Boolean
enforcementOnly	Boolean
force	Boolean
policyCategories	List of `string`
cluster	String	Cluster to delegate scan to, may be the cluster’s name or ID.
namespace	String

22.3.7.41. ViolationKeyValueAttrs
Copy link

Expand

Field Name	Required	Nullable	Type	Description	Format
attrs			List of KeyValueAttrsKeyValueAttr

22.3.7.42. ViolationNetworkFlowInfo
Copy link

Expand

Field Name	Type	Format
protocol	StorageL4Protocol	L4_PROTOCOL_UNKNOWN, L4_PROTOCOL_TCP, L4_PROTOCOL_UDP, L4_PROTOCOL_ICMP, L4_PROTOCOL_RAW, L4_PROTOCOL_SCTP, L4_PROTOCOL_ANY,
source	NetworkFlowInfoEntity
destination	NetworkFlowInfoEntity

Chapter 22. DetectionService

22.1. DetectBuildTimeCopy linkLink copied to clipboard!

22.1.1. DescriptionCopy linkLink copied to clipboard!

22.1.2. ParametersCopy linkLink copied to clipboard!

22.1.2.1. Body ParameterCopy linkLink copied to clipboard!

22.1.3. Return TypeCopy linkLink copied to clipboard!

22.1.4. Content TypeCopy linkLink copied to clipboard!

22.1.5. ResponsesCopy linkLink copied to clipboard!

22.1.6. SamplesCopy linkLink copied to clipboard!

22.1.7. Common object referenceCopy linkLink copied to clipboard!

22.1.7.1. AlertDeploymentContainerCopy linkLink copied to clipboard!

22.1.7.2. AlertEnforcementCopy linkLink copied to clipboard!

22.1.7.3. AlertProcessViolationCopy linkLink copied to clipboard!

22.1.7.4. AlertResourceResourceTypeCopy linkLink copied to clipboard!

22.1.7.5. AlertViolationCopy linkLink copied to clipboard!

22.1.7.6. AlertViolationTypeCopy linkLink copied to clipboard!

22.1.7.7. KeyValueAttrsKeyValueAttrCopy linkLink copied to clipboard!

22.1.7.8. NetworkFlowInfoEntityCopy linkLink copied to clipboard!

22.1.7.9. PolicyMitreAttackVectorsCopy linkLink copied to clipboard!

22.1.7.10. ProcessSignalLineageInfoCopy linkLink copied to clipboard!

22.1.7.11. ProtobufAnyCopy linkLink copied to clipboard!

22.1.7.11.1. JSON representationCopy linkLink copied to clipboard!

22.1.7.12. RuntimeErrorCopy linkLink copied to clipboard!

22.1.7.13. StorageAlertCopy linkLink copied to clipboard!

22.1.7.14. StorageAlertDeploymentCopy linkLink copied to clipboard!

22.1.7.15. StorageAlertResourceCopy linkLink copied to clipboard!

22.1.7.16. StorageBooleanOperatorCopy linkLink copied to clipboard!

22.1.7.17. StorageContainerImageCopy linkLink copied to clipboard!

22.1.7.18. StorageEnforcementActionCopy linkLink copied to clipboard!

22.1.7.19. StorageEventSourceCopy linkLink copied to clipboard!

22.1.7.20. StorageExclusionCopy linkLink copied to clipboard!

22.1.7.21. StorageExclusionDeploymentCopy linkLink copied to clipboard!

22.1.7.22. StorageExclusionImageCopy linkLink copied to clipboard!

22.1.7.23. StorageImageNameCopy linkLink copied to clipboard!

22.1.7.24. StorageL4ProtocolCopy linkLink copied to clipboard!

22.1.7.25. StorageLifecycleStageCopy linkLink copied to clipboard!

22.1.7.26. StorageNetworkEntityInfoTypeCopy linkLink copied to clipboard!

22.1.7.27. StoragePolicyCopy linkLink copied to clipboard!

22.1.7.28. StoragePolicyGroupCopy linkLink copied to clipboard!

22.1.7.29. StoragePolicySectionCopy linkLink copied to clipboard!

22.1.7.30. StoragePolicyValueCopy linkLink copied to clipboard!

22.1.7.31. StorageProcessIndicatorCopy linkLink copied to clipboard!

22.1.7.32. StorageProcessSignalCopy linkLink copied to clipboard!

22.1.7.33. StorageScopeCopy linkLink copied to clipboard!

22.1.7.34. StorageScopeLabelCopy linkLink copied to clipboard!

22.1.7.35. StorageSeverityCopy linkLink copied to clipboard!

22.1.7.36. StorageViolationStateCopy linkLink copied to clipboard!

22.1.7.37. V1BuildDetectionRequestCopy linkLink copied to clipboard!

22.1.7.38. V1BuildDetectionResponseCopy linkLink copied to clipboard!

22.1.7.39. ViolationKeyValueAttrsCopy linkLink copied to clipboard!

22.1.7.40. ViolationNetworkFlowInfoCopy linkLink copied to clipboard!

22.2. DetectDeployTimeCopy linkLink copied to clipboard!

22.2.1. DescriptionCopy linkLink copied to clipboard!

22.2.2. ParametersCopy linkLink copied to clipboard!

22.2.2.1. Body ParameterCopy linkLink copied to clipboard!

22.2.3. Return TypeCopy linkLink copied to clipboard!

22.2.4. Content TypeCopy linkLink copied to clipboard!

22.2.5. ResponsesCopy linkLink copied to clipboard!

22.2.6. SamplesCopy linkLink copied to clipboard!

22.2.7. Common object referenceCopy linkLink copied to clipboard!

22.2.7.1. AlertDeploymentContainerCopy linkLink copied to clipboard!

22.2.7.2. AlertEnforcementCopy linkLink copied to clipboard!

22.2.7.3. AlertProcessViolationCopy linkLink copied to clipboard!

22.2.7.4. AlertResourceResourceTypeCopy linkLink copied to clipboard!

22.2.7.5. AlertViolationCopy linkLink copied to clipboard!

22.2.7.6. AlertViolationTypeCopy linkLink copied to clipboard!

22.2.7.7. ContainerConfigEnvironmentConfigCopy linkLink copied to clipboard!

22.2.7.8. DeployDetectionResponseRunCopy linkLink copied to clipboard!

22.2.7.9. EnvironmentConfigEnvVarSourceCopy linkLink copied to clipboard!

22.2.7.10. KeyValueAttrsKeyValueAttrCopy linkLink copied to clipboard!

22.2.7.11. NetworkFlowInfoEntityCopy linkLink copied to clipboard!

22.2.7.12. PolicyMitreAttackVectorsCopy linkLink copied to clipboard!

22.2.7.13. PortConfigExposureInfoCopy linkLink copied to clipboard!

22.2.7.14. PortConfigExposureLevelCopy linkLink copied to clipboard!

22.2.7.15. ProcessSignalLineageInfoCopy linkLink copied to clipboard!

22.2.7.16. ProtobufAnyCopy linkLink copied to clipboard!

22.2.7.16.1. JSON representationCopy linkLink copied to clipboard!

22.2.7.17. RuntimeErrorCopy linkLink copied to clipboard!

22.2.7.18. SeccompProfileProfileTypeCopy linkLink copied to clipboard!

22.2.7.19. SecurityContextSELinuxCopy linkLink copied to clipboard!

22.1. DetectBuildTime
Copy link

22.1.1. Description
Copy link

22.1.2. Parameters
Copy link

22.1.2.1. Body Parameter
Copy link

22.1.3. Return Type
Copy link

22.1.4. Content Type
Copy link

22.1.5. Responses
Copy link

22.1.6. Samples
Copy link

22.1.7. Common object reference
Copy link

22.1.7.1. AlertDeploymentContainer
Copy link

22.1.7.2. AlertEnforcement
Copy link

22.1.7.3. AlertProcessViolation
Copy link

22.1.7.4. AlertResourceResourceType
Copy link

22.1.7.5. AlertViolation
Copy link

22.1.7.6. AlertViolationType
Copy link

22.1.7.7. KeyValueAttrsKeyValueAttr
Copy link

22.1.7.8. NetworkFlowInfoEntity
Copy link

22.1.7.9. PolicyMitreAttackVectors
Copy link

22.1.7.10. ProcessSignalLineageInfo
Copy link

22.1.7.11. ProtobufAny
Copy link

22.1.7.11.1. JSON representation
Copy link

22.1.7.12. RuntimeError
Copy link

22.1.7.13. StorageAlert
Copy link

22.1.7.14. StorageAlertDeployment
Copy link

22.1.7.15. StorageAlertResource
Copy link

22.1.7.16. StorageBooleanOperator
Copy link

22.1.7.17. StorageContainerImage
Copy link

22.1.7.18. StorageEnforcementAction
Copy link

22.1.7.19. StorageEventSource
Copy link

22.1.7.20. StorageExclusion
Copy link

22.1.7.21. StorageExclusionDeployment
Copy link

22.1.7.22. StorageExclusionImage
Copy link

22.1.7.23. StorageImageName
Copy link

22.1.7.24. StorageL4Protocol
Copy link

22.1.7.25. StorageLifecycleStage
Copy link

22.1.7.26. StorageNetworkEntityInfoType
Copy link

22.1.7.27. StoragePolicy
Copy link

22.1.7.28. StoragePolicyGroup
Copy link

22.1.7.29. StoragePolicySection
Copy link

22.1.7.30. StoragePolicyValue
Copy link

22.1.7.31. StorageProcessIndicator
Copy link

22.1.7.32. StorageProcessSignal
Copy link

22.1.7.33. StorageScope
Copy link

22.1.7.34. StorageScopeLabel
Copy link

22.1.7.35. StorageSeverity
Copy link

22.1.7.36. StorageViolationState
Copy link

22.1.7.37. V1BuildDetectionRequest
Copy link

22.1.7.38. V1BuildDetectionResponse
Copy link

22.1.7.39. ViolationKeyValueAttrs
Copy link

22.1.7.40. ViolationNetworkFlowInfo
Copy link

22.2. DetectDeployTime
Copy link

22.2.1. Description
Copy link

22.2.2. Parameters
Copy link

22.2.2.1. Body Parameter
Copy link

22.2.3. Return Type
Copy link

22.2.4. Content Type
Copy link

22.2.5. Responses
Copy link

22.2.6. Samples
Copy link

22.2.7. Common object reference
Copy link

22.2.7.1. AlertDeploymentContainer
Copy link

22.2.7.2. AlertEnforcement
Copy link

22.2.7.3. AlertProcessViolation
Copy link

22.2.7.4. AlertResourceResourceType
Copy link

22.2.7.5. AlertViolation
Copy link

22.2.7.6. AlertViolationType
Copy link

22.2.7.7. ContainerConfigEnvironmentConfig
Copy link

22.2.7.8. DeployDetectionResponseRun
Copy link

22.2.7.9. EnvironmentConfigEnvVarSource
Copy link

22.2.7.10. KeyValueAttrsKeyValueAttr
Copy link

22.2.7.11. NetworkFlowInfoEntity
Copy link

22.2.7.12. PolicyMitreAttackVectors
Copy link

22.2.7.13. PortConfigExposureInfo
Copy link

22.2.7.14. PortConfigExposureLevel
Copy link

22.2.7.15. ProcessSignalLineageInfo
Copy link

22.2.7.16. ProtobufAny
Copy link

22.2.7.16.1. JSON representation
Copy link

22.2.7.17. RuntimeError
Copy link

22.2.7.18. SeccompProfileProfileType
Copy link

22.2.7.19. SecurityContextSELinux
Copy link

22.2.7.20. SecurityContextSeccompProfile
Copy link