Chapter 70. Common Object Reference

image

StorageContainerImage

name

String

action

StorageEnforcementAction

UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT,

message

String

severity

StorageSeverity

UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY,

count

String

int64

message

String

processes

List of StorageProcessIndicator

whitelist

Boolean

addToBaseline

Boolean

message

String

keyValueAttrs

ViolationKeyValueAttrs

networkFlowInfo

ViolationNetworkFlowInfo

type

AlertViolationType

GENERIC, K8S_EVENT, NETWORK_FLOW, NETWORK_POLICY,

time

Date

Indicates violation time. This field differs from top-level field 'time' which represents last time the alert occurred in case of multiple occurrences of the policy alert. As of 55.0, this field is set only for kubernetes event violations, but may not be limited to it in future.

date-time

key

String

A key within the identity token’s claim value to use.

valueExpression

String

A regular expression that will be evaluated against values of the identity token claim identified by the specified key. This regular expressions is in RE2 format, see more here: https://github.com/google/re2/wiki/Syntax.

role

String

The role which should be issued when the key and value match for a particular identity token.

attributeKey

String

attributeValue

String

name

String

type

String

uiEndpoint

String

enabled

Boolean

config

Map of string

Config holds auth provider specific configuration. Each configuration options are different based on the given auth provider type. OIDC: - "issuer": the OIDC issuer according to https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier. - "client_id": the client ID according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2. - "client_secret": the client secret according to https://www.rfc-editor.org/rfc/rfc6749.html#section-2.3.1. - "do_not_use_client_secret": set to "true" if you want to create a configuration with only a client ID and no client secret. - "mode": the OIDC callback mode, choosing from "fragment", "post", or "query". - "disable_offline_access_scope": set to "true" if no offline tokens shall be issued. - "extra_scopes": a space-delimited string of additional scopes to request in addition to "openid profile email" according to https://www.rfc-editor.org/rfc/rfc6749.html#section-3.3. OpenShift Auth: supports no extra configuration options. User PKI: - "keys": the trusted certificates PEM encoded. SAML: - "sp_issuer": the service provider issuer according to https://datatracker.ietf.org/doc/html/rfc7522#section-3. - "idp_metadata_url": the metadata URL according to https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf. - "idp_issuer": the IdP issuer. - "idp_cert_pem": the cert PEM encoded for the IdP endpoint. - "idp_sso_url": the IdP SSO URL. - "idp_nameid_format": the IdP name ID format. IAP: - "audience": the audience to use.

loginUrl

String

The login URL will be provided by the backend, and may not be specified in a request.

validated

Boolean

extraUiEndpoints

List of string

UI endpoints which to allow in addition to ui_endpoint. I.e., if a login request is coming from any of these, the auth request will use these for the callback URL, not ui_endpoint.

active

Boolean

requiredAttributes

List of AuthProviderRequiredAttribute

traits

StorageTraits

claimMappings

Map of string

Specifies claims from IdP token that will be copied to Rox token attributes. Each key in this map contains a path in IdP token we want to map. Path is separated by "." symbol. For example, if IdP token payload looks like: { "a": { "b" : "c", "d": true, "e": [ "val1", "val2", "val3" ], "f": [ true, false, false ], "g": 123.0, "h": [ 1, 2, 3] } } then "a.b" would be a valid key and "a.z" is not. We support the following types of claims: * string(path "a.b") * bool(path "a.d") * string array(path "a.e") * bool array (path "a.f.") We do NOT support the following types of claims: * complex claims(path "a") * float/integer claims(path "a.g") * float/integer array claims(path "a.h") Each value in this map contains a Rox token attribute name we want to add claim to. If, for example, value is "groups", claim would be found in "external_user.Attributes.groups" in token. Note: we only support this feature for OIDC auth provider.

lastUpdated

Date

Last updated indicates the last time the auth provider has been updated. In case there have been tokens issued by an auth provider before this timestamp, they will be considered invalid. Subsequently, all clients will have to re-issue their tokens (either by refreshing or by an additional login attempt).

date-time

name

String

enabled

Boolean

config

AuthServiceUpdateAuthMachineToMachineConfigBody

type

V1AuthMachineToMachineConfigType

GENERIC, GITHUB_ACTIONS, KUBE_SERVICE_ACCOUNT,

tokenExpirationDuration

String

Sets the expiration of the token returned from the ExchangeAuthMachineToMachineToken API call. Possible valid time units are: s, m, h. The maximum allowed expiration duration is 24h. As an example: 2h45m. For additional information on the validation of the duration, see: https://pkg.go.dev/time#ParseDuration.

mappings

List of AuthMachineToMachineConfigMapping

At least one mapping is required to resolve to a valid role for the access token to be successfully generated.

issuer

String

The issuer of the related OIDC provider issuing the ID tokens to exchange. Must be non-empty string containing URL when type is GENERIC. In case of GitHub actions, this must be empty or set to https://token.actions.githubusercontent.com. Issuer is a unique key, therefore there may be at most one GITHUB_ACTIONS config, and each GENERIC config must have a distinct issuer.

scopeCheckerType

String

builtIn

TraceBuiltInAuthorizer

name

String

permissions

Map of StorageAccess

accessScopeName

String

accessScope

SimpleAccessScopeRules

type

String

suggestedAttributes

List of string

id

String

error

String

userId

String

endpoint

String

storageKeyV1

String

cloudSource

CloudSourcesServiceUpdateCloudSourceBody

updateCredentials

Boolean

If true, cloud_source must include valid credentials. If false, the resource must already exist and credentials in cloud_source are ignored.

name

String

type

V1CloudSourceType

TYPE_UNSPECIFIED, TYPE_PALADIN_CLOUD, TYPE_OCM,

credentials

V1CloudSourceCredentials

skipTestIntegration

Boolean

paladinCloud

V1PaladinCloudConfig

ocm

V1OCMConfig

severity

StorageSeverity

UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY,

events

List of V1AlertEvent

phase

String

result

String

errorMessage

String

lastTransitionTime

Date

date-time

active

Boolean

id

String

targetVersion

String

upgraderImage

String

initiatedAt

Date

date-time

progress

StorageUpgradeProgress

type

UpgradeProcessStatusUpgradeProcessType

UPGRADE, CERT_ROTATION,

name

String

type

StorageClusterType

GENERIC_CLUSTER, KUBERNETES_CLUSTER, OPENSHIFT_CLUSTER, OPENSHIFT4_CLUSTER,

labels

Map of string

mainImage

String

collectorImage

String

centralApiEndpoint

String

runtimeSupport

Boolean

collectionMethod

StorageCollectionMethod

UNSET_COLLECTION, NO_COLLECTION, KERNEL_MODULE, EBPF, CORE_BPF,

admissionController

Boolean

admissionControllerUpdates

Boolean

admissionControllerEvents

Boolean

status

StorageClusterStatus

dynamicConfig

StorageDynamicClusterConfig

tolerationsConfig

StorageTolerationsConfig

priority

String

int64

healthStatus

StorageClusterHealthStatus

slimCollector

Boolean

helmConfig

StorageCompleteClusterConfig

mostRecentSensorId

StorageSensorDeploymentIdentification

auditLogState

Map of StorageAuditLogFileState

For internal use only.

initBundleId

String

managedBy

StorageManagerType

MANAGER_TYPE_UNKNOWN, MANAGER_TYPE_MANUAL, MANAGER_TYPE_HELM_CHART, MANAGER_TYPE_KUBERNETES_OPERATOR,

sensorCapabilities

List of string

name

String

description

String

resourceSelectors

List of StorageResourceSelector

embeddedCollectionIds

List of string

scope

StorageComplianceAggregationScope

UNKNOWN, STANDARD, CLUSTER, CATEGORY, CONTROL, NAMESPACE, NODE, DEPLOYMENT, CHECK,

id

String

state

StorageComplianceState

COMPLIANCE_STATE_UNKNOWN, COMPLIANCE_STATE_SKIP, COMPLIANCE_STATE_NOTE, COMPLIANCE_STATE_SUCCESS, COMPLIANCE_STATE_FAILURE, COMPLIANCE_STATE_ERROR,

message

String

messageId

Integer

int32

platform

String

disruption

String

controlResults

Map of StorageComplianceResultValue

scanName

String

scanConfig

V2BaseComplianceScanConfigurationSettings

clusters

List of string

hideScanResults

Boolean

simpleRules

SimpleAccessScopeRules

key

String

value

String

envVarSource

EnvironmentConfigEnvVarSource

UNSET, RAW, SECRET_KEY, CONFIG_MAP_KEY, FIELD, RESOURCE_FIELD, UNKNOWN,

name

String

publicKeyPemEnc

String

pos

String

int64

path

String

The full path of the file.

bytesSize

String

The size of the file, in bytes. 0 if unknown.

int64

path

String

clusterId

String

name

String

type

String

alerts

List of StorageAlert

values

List of string

port

Long

int64

l4protocol

StorageL4Protocol

L4_PROTOCOL_UNKNOWN, L4_PROTOCOL_TCP, L4_PROTOCOL_UDP, L4_PROTOCOL_ICMP, L4_PROTOCOL_RAW, L4_PROTOCOL_SCTP, L4_PROTOCOL_ANY,

username

String

password

String

expiresAt

Date

date-time

environments

List of V4Environment

name

String

type

String

schedule

StorageSchedule

backupsToKeep

Integer

int32

s3

StorageS3Config

gcs

StorageGCSConfig

s3compatible

StorageS3Compatible

includeCertificates

Boolean

externalBackup

NextAvailableTag10

updatePassword

Boolean

When false, use the stored credentials of an existing external backup configuration given its ID.

cluster

String

severities

List of ClusterAlertsAlertEvents

group

String

counts

List of AlertGroupAlertCounts

id

String

name

String

type

String

loginUrl

String

enableAutoUpgrade

Boolean

autoUpgradeFeature

GetSensorUpgradeConfigResponseSensorAutoUpgradeFeatureStatus

NOT_SUPPORTED, SUPPORTED,

code

Integer

int32

message

String

details

List of ProtobufAny

name

String

type

String

categories

List of StorageImageIntegrationCategory

clairify

StorageClairifyConfig

scannerV4

StorageScannerV4Config

docker

StorageDockerConfig

quay

StorageQuayConfig

ecr

StorageECRConfig

google

StorageGoogleConfig

clair

StorageClairConfig

clairV4

StorageClairV4Config

ibm

StorageIBMRegistryConfig

azure

StorageAzureConfig

autogenerated

Boolean

clusterId

String

skipTestIntegration

Boolean

source

StorageImageIntegrationSource

config

NextTag25

updatePassword

Boolean

When false, use the stored credentials of an existing image integration given its ID.

name

String

username

String

imageName

X

String

Image name and reference. (e.g. nginx:latest or nginx@sha256:…​)

force

Boolean

Bypass Central’s cache for the image and force a new pull from the Scanner

name

String

id

String

id

String

error

String

impactedClusters

List of InitBundleMetaImpactedCluster

severity

StorageSeverity

UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY,

priorityName

String

key

String

value

String

clusterName

String

namespace

String

clusterId

String

namespaceId

String

resourceType

StorageListAlertResourceType

DEPLOYMENT, SECRETS, CONFIGMAPS, CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS, NETWORK_POLICIES, SECURITY_CONTEXT_CONSTRAINTS, EGRESS_FIREWALLS,

SORTName

String

name

String

deployment

StorageListDeployment

baselineStatuses

List of StorageContainerNameAndBaselineStatus

clientCert

String

PEM encoded ASN.1 DER format.

privateKey

String

PEM encoded PKCS #8, ASN.1 DER format.

streamName

String

dataCollectionRuleId

String

enabled

Boolean

peers

List of V1NetworkBaselineStatusPeer

peers

List of V1NetworkBaselinePeerStatus

name

String

cidr

String

default

Boolean

default indicates whether the external source is user-generated or system-generated.

discovered

Boolean

discovered indicates whether the external source is harvested from monitored traffic.

name

String

entityType

StorageNetworkEntityInfoType

UNKNOWN_TYPE, DEPLOYMENT, INTERNET, LISTEN_ENDPOINT, EXTERNAL_SOURCE, INTERNAL_ENTITIES,

deploymentNamespace

String

deploymentType

String

port

Integer

int32

entity

NetworkEntityInfoExternalSource

name

String

modification

StorageNetworkPolicyModification

deleteExisting

GenerateNetworkPoliciesRequestDeleteExistingPoliciesMode

UNKNOWN, NONE, GENERATED_ONLY, ALL,

includePorts

Boolean

name

String

type

String

schedule

StorageSchedule

backupsToKeep

Integer

int32

s3

StorageS3Config

gcs

StorageGCSConfig

s3compatible

StorageS3Compatible

includeCertificates

Boolean

name

String

type

String

uiEndpoint

String

labelKey

String

labelDefault

String

jira

StorageJira

email

StorageEmail

cscc

StorageCSCC

splunk

StorageSplunk

pagerduty

StoragePagerDuty

generic

StorageGeneric

sumologic

StorageSumoLogic

awsSecurityHub

StorageAWSSecurityHub

syslog

StorageSyslog

microsoftSentinel

StorageMicrosoftSentinel

notifierSecret

String

traits

StorageTraits

name

String

type

String

categories

List of StorageImageIntegrationCategory

clairify

StorageClairifyConfig

scannerV4

StorageScannerV4Config

docker

StorageDockerConfig

quay

StorageQuayConfig

ecr

StorageECRConfig

google

StorageGoogleConfig

clair

StorageClairConfig

clairV4

StorageClairV4Config

ibm

StorageIBMRegistryConfig

azure

StorageAzureConfig

autogenerated

Boolean

clusterId

String

skipTestIntegration

Boolean

source

StorageImageIntegrationSource

name

String

type

String

uiEndpoint

String

labelKey

String

labelDefault

String

jira

StorageJira

email

StorageEmail

cscc

StorageCSCC

splunk

StorageSplunk

pagerduty

StoragePagerDuty

generic

StorageGeneric

sumologic

StorageSumoLogic

awsSecurityHub

StorageAWSSecurityHub

syslog

StorageSyslog

microsoftSentinel

StorageMicrosoftSentinel

notifierSecret

String

traits

StorageTraits

notifier

NextTag21

updatePassword

Boolean

When false, use the stored credentials of an existing notifier configuration given its ID.

name

String

namespaceRule

RuleNamespaceRule

instances

List of StorageContainerInstance

tactic

String

techniques

List of string

notifierIds

List of string

disable

Boolean

disabled

Boolean

name

String

Name of the policy. Must be unique.

description

String

Free-form text description of this policy.

rationale

String

remediation

String

Describes how to remediate a violation of this policy.

disabled

Boolean

Toggles whether or not this policy will be executing and actively firing alerts.

categories

List of string

List of categories that this policy falls under. Category names must already exist in Central.

lifecycleStages

List of StorageLifecycleStage

Describes which policy lifecylce stages this policy applies to. Choices are DEPLOY, BUILD, and RUNTIME.

eventSource

StorageEventSource

NOT_APPLICABLE, DEPLOYMENT_EVENT, AUDIT_LOG_EVENT,

exclusions

List of StorageExclusion

Define deployments or images that should be excluded from this policy.

scope

List of StorageScope

Defines clusters, namespaces, and deployments that should be included in this policy. No scopes defined includes everything.

severity

StorageSeverity

UNSET_SEVERITY, LOW_SEVERITY, MEDIUM_SEVERITY, HIGH_SEVERITY, CRITICAL_SEVERITY,

enforcementActions

List of StorageEnforcementAction

FAIL_DEPLOYMENT_CREATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object creates/updates. FAIL_KUBE_REQUEST_ENFORCEMENT takes effect only if admission control webhook is enabled to listen on exec and port-forward events. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT takes effect only if admission control webhook is configured to enforce on object updates. Lists the enforcement actions to take when a violation from this policy is identified. Possible value are UNSET_ENFORCEMENT, SCALE_TO_ZERO_ENFORCEMENT, UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT, KILL_POD_ENFORCEMENT, FAIL_BUILD_ENFORCEMENT, FAIL_KUBE_REQUEST_ENFORCEMENT, FAIL_DEPLOYMENT_CREATE_ENFORCEMENT, and. FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT.

notifiers

List of string

List of IDs of the notifiers that should be triggered when a violation from this policy is identified. IDs should be in the form of a UUID and are found through the Central API.

lastUpdated

Date

date-time

SORTName

String

For internal use only.

SORTLifecycleStage

String

For internal use only.

SORTEnforcement

Boolean

For internal use only.

policyVersion

String

policySections

List of StoragePolicySection

PolicySections define the violation criteria for this policy.

mitreAttackVectors

List of PolicyMitreAttackVectors

criteriaLocked

Boolean

Read-only field. If true, the policy’s criteria fields are rendered read-only.

mitreVectorsLocked

Boolean

Read-only field. If true, the policy’s MITRE ATT&CK fields are rendered read-only.

isDefault

Boolean

Read-only field. Indicates the policy is a default policy if true and a custom policy if false.

source

StoragePolicySource

IMPERATIVE, DECLARATIVE,

level

PortConfigExposureLevel

UNSET, EXTERNAL, NODE, INTERNAL, HOST, ROUTE,

serviceName

String

serviceId

String

serviceClusterIp

String

servicePort

Integer

int32

nodePort

Integer

int32

externalIps

List of string

externalHostnames

List of string

port

Long

int64

protocol

StorageL4Protocol

L4_PROTOCOL_UNKNOWN, L4_PROTOCOL_TCP, L4_PROTOCOL_UDP, L4_PROTOCOL_ICMP, L4_PROTOCOL_RAW, L4_PROTOCOL_SCTP, L4_PROTOCOL_ANY,

parentUid

Long

int64

parentExecFilePath

String

@type

String

username

String

password

String

The server will mask the value of this password in responses and logs.

reportConfig

StorageReportConfiguration

name

String

description

String

type

ReportConfigurationReportType

VULNERABILITY,

vulnReportFilters

V2VulnerabilityReportFilters

schedule

V2ReportSchedule

resourceScope

V2ResourceScope

notifiers

List of V2NotifierConfiguration

id

String

message

String

url

String

name

String

name and description are provided by the user and can be changed.

description

String

resourceToAccess

Map of StorageAccess

traits

StorageTraits

name