// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v1;

import "google/cloud/securitycenter/v1/container.proto";
import "google/cloud/securitycenter/v1/label.proto";

option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
option java_multiple_files = true;
option java_outer_classname = "KubernetesProto";
option java_package = "com.google.cloud.securitycenter.v1";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
option ruby_package = "Google::Cloud::SecurityCenter::V1";

// Kubernetes-related attributes.
message Kubernetes {
  // Kubernetes Pod.
  message Pod {
    // Kubernetes Pod namespace.
    string ns = 1;

    // Kubernetes Pod name.
    string name = 2;

    // Pod labels.  For Kubernetes containers, these are applied to the
    // container.
    repeated Label labels = 3;

    // Pod containers associated with this finding, if any.
    repeated Container containers = 4;
  }

  // Kubernetes Nodes associated with the finding.
  message Node {
    // Full Resource name of the Compute Engine VM running the
    // cluster node.
    string name = 1;
  }

  // Provides GKE Node Pool information.
  message NodePool {
    // Kubernetes Node pool name.
    string name = 1;

    // Nodes associated with the finding.
    repeated Node nodes = 2;
  }

  // Kubernetes Role or ClusterRole.
  message Role {
    // Types of Kubernetes roles.
    enum Kind {
      // Role type is not specified.
      KIND_UNSPECIFIED = 0;

      // Kubernetes Role.
      ROLE = 1;

      // Kubernetes ClusterRole.
      CLUSTER_ROLE = 2;
    }

    // Role type.
    Kind kind = 1;

    // Role namespace.
    string ns = 2;

    // Role name.
    string name = 3;
  }

  // Represents a Kubernetes RoleBinding or ClusterRoleBinding.
  message Binding {
    // Namespace for binding.
    string ns = 1;

    // Name for binding.
    string name = 2;

    // The Role or ClusterRole referenced by the binding.
    Role role = 3;

    // Represents one or more subjects that are bound to the role. Not always
    // available for PATCH requests.
    repeated Subject subjects = 4;
  }

  // Represents a Kubernetes Subject.
  message Subject {
    // Auth types that can be used for Subject's kind field.
    enum AuthType {
      // Authentication is not specified.
      AUTH_TYPE_UNSPECIFIED = 0;

      // User with valid certificate.
      USER = 1;

      // Users managed by Kubernetes API with credentials stored as Secrets.
      SERVICEACCOUNT = 2;

      // Collection of users.
      GROUP = 3;
    }

    // Authentication type for subject.
    AuthType kind = 1;

    // Namespace for subject.
    string ns = 2;

    // Name for subject.
    string name = 3;
  }

  // Conveys information about a Kubernetes access review (e.g. kubectl auth
  // can-i ...) that was involved in a finding.
  message AccessReview {
    // Group is the API Group of the Resource. "*" means all.
    string group = 1;

    // Namespace of the action being requested. Currently, there is no
    // distinction between no namespace and all namespaces.  Both
    // are represented by "" (empty).
    string ns = 2;

    // Name is the name of the resource being requested. Empty means all.
    string name = 3;

    // Resource is the optional resource type requested. "*" means all.
    string resource = 4;

    // Subresource is the optional subresource type.
    string subresource = 5;

    // Verb is a Kubernetes resource API verb, like: get, list, watch, create,
    // update, delete, proxy. "*" means all.
    string verb = 6;

    // Version is the API Version of the Resource. "*" means all.
    string version = 7;
  }

  // Kubernetes Pods associated with the finding. This field will contain Pod
  // records for each container that is owned by a Pod.
  repeated Pod pods = 1;

  // Provides Kubernetes Node information.
  repeated Node nodes = 2;

  // GKE Node Pools associated with the finding. This field will
  // contain NodePool information for each Node, when it is available.
  repeated NodePool node_pools = 3;

  // Provides Kubernetes role information for findings that involve
  // Roles or ClusterRoles.
  repeated Role roles = 4;

  // Provides Kubernetes role binding information for findings that involve
  // RoleBindings or ClusterRoleBindings.
  repeated Binding bindings = 5;

  // Provides information on any Kubernetes access reviews (i.e. privilege
  // checks) relevant to the finding.
  repeated AccessReview access_reviews = 6;
}