// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.securitycenter.v1;

import "google/cloud/securitycenter/v1/container.proto";
import "google/cloud/securitycenter/v1/label.proto";

option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
option java_multiple_files = true;
option java_outer_classname = "KubernetesProto";
option java_package = "com.google.cloud.securitycenter.v1";
option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
option ruby_package = "Google::Cloud::SecurityCenter::V1";

// Kubernetes-related attributes.
message Kubernetes {
  // A Kubernetes Pod.
  message Pod {
    // Kubernetes Pod namespace.
    string ns = 1;

    // Kubernetes Pod name.
    string name = 2;

    // Pod labels.  For Kubernetes containers, these are applied to the
    // container.
    repeated Label labels = 3;

    // Pod containers associated with this finding, if any.
    repeated Container containers = 4;
  }

  // Kubernetes nodes associated with the finding.
  message Node {
    // [Full resource name](https://google.aip.dev/122#full-resource-names) of
    // the Compute Engine VM running the cluster node.
    string name = 1;
  }

  // Provides GKE node pool information.
  message NodePool {
    // Kubernetes node pool name.
    string name = 1;

    // Nodes associated with the finding.
    repeated Node nodes = 2;
  }

  // Kubernetes Role or ClusterRole.
  message Role {
    // Types of Kubernetes roles.
    enum Kind {
      // Role type is not specified.
      KIND_UNSPECIFIED = 0;

      // Kubernetes Role.
      ROLE = 1;

      // Kubernetes ClusterRole.
      CLUSTER_ROLE = 2;
    }

    // Role type.
    Kind kind = 1;

    // Role namespace.
    string ns = 2;

    // Role name.
    string name = 3;
  }

  // Represents a Kubernetes RoleBinding or ClusterRoleBinding.
  message Binding {
    // Namespace for the binding.
    string ns = 1;

    // Name for the binding.
    string name = 2;

    // The Role or ClusterRole referenced by the binding.
    Role role = 3;

    // Represents one or more subjects that are bound to the role. Not always
    // available for PATCH requests.
    repeated Subject subjects = 4;
  }

  // Represents a Kubernetes subject.
  message Subject {
    // Auth types that can be used for the subject's kind field.
    enum AuthType {
      // Authentication is not specified.
      AUTH_TYPE_UNSPECIFIED = 0;

      // User with valid certificate.
      USER = 1;

      // Users managed by Kubernetes API with credentials stored as secrets.
      SERVICEACCOUNT = 2;

      // Collection of users.
      GROUP = 3;
    }

    // Authentication type for the subject.
    AuthType kind = 1;

    // Namespace for the subject.
    string ns = 2;

    // Name for the subject.
    string name = 3;
  }

  // Conveys information about a Kubernetes access review (such as one returned
  // by a [`kubectl auth
  // can-i`](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access)
  // command) that was involved in a finding.
  message AccessReview {
    // The API group of the resource. "*" means all.
    string group = 1;

    // Namespace of the action being requested. Currently, there is no
    // distinction between no namespace and all namespaces.  Both
    // are represented by "" (empty).
    string ns = 2;

    // The name of the resource being requested. Empty means all.
    string name = 3;

    // The optional resource type requested. "*" means all.
    string resource = 4;

    // The optional subresource type.
    string subresource = 5;

    // A Kubernetes resource API verb, like get, list, watch, create, update,
    // delete, proxy. "*" means all.
    string verb = 6;

    // The API version of the resource. "*" means all.
    string version = 7;
  }

  // Kubernetes
  // [Pods](https://cloud.google.com/kubernetes-engine/docs/concepts/pod)
  // associated with the finding. This field contains Pod records for each
  // container that is owned by a Pod.
  repeated Pod pods = 1;

  // Provides Kubernetes
  // [node](https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-architecture#nodes)
  // information.
  repeated Node nodes = 2;

  // GKE [node
  // pools](https://cloud.google.com/kubernetes-engine/docs/concepts/node-pools)
  // associated with the finding. This field contains node pool information for
  // each node, when it is available.
  repeated NodePool node_pools = 3;

  // Provides Kubernetes role information for findings that involve [Roles or
  // ClusterRoles](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).
  repeated Role roles = 4;

  // Provides Kubernetes role binding information for findings that involve
  // [RoleBindings or
  // ClusterRoleBindings](https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control).
  repeated Binding bindings = 5;

  // Provides information on any Kubernetes access reviews (privilege checks)
  // relevant to the finding.
  repeated AccessReview access_reviews = 6;
}