diff --git a/config/crds/auditing.kubesphere.io_rules.yaml b/config/crds/auditing.kubesphere.io_rules.yaml
new file mode 100644
index 000000000..b0b273a97
--- /dev/null
+++ b/config/crds/auditing.kubesphere.io_rules.yaml
@@ -0,0 +1,92 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: rules.auditing.kubesphere.io +spec: + group: auditing.kubesphere.io + names: + kind: Rule + listKind: RuleList + plural: rules + singular: rule + scope: Namespaced + validation: + openAPIV3Schema: + description: Rule is the Schema for the rules API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AuditRuleSpec defines the desired state of Rule + properties: + rules: + items: + properties: + alias: + description: This effective When the rule type is alias + type: string + condition: + description: Rule condition This effective When the rule type + is rule + type: string + desc: + description: Rule describe + type: string + enable: + description: Is the rule enable + type: boolean + list: + description: This effective When the rule type is list + items: + type: string + type: array + macro: + description: This effective When the rule type is macro + type: string + name: + description: Rule name + type: string + output: + description: The output formater of message which send to user + type: string + priority: + description: Rule priority, DEBUG, INFO, WARNING + type: string + type: + description: Rule type, rule, macro,list,alias + type: string + required: + - enable + type: object + type: array + type: object + status: + description: AuditRuleStatus defines the observed state of Rule + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crds/auditing.kubesphere.io_webhooks.yaml b/config/crds/auditing.kubesphere.io_webhooks.yaml new file mode 100644 index 000000000..fa110655c --- /dev/null +++ b/config/crds/auditing.kubesphere.io_webhooks.yaml 
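Review bot: The `priority` and `type` fields of the rule items describe a closed set of values (`DEBUG, INFO, WARNING`; `rule, macro, list, alias`) but carry only `type: string`, so the API server accepts any value and a mistyped Rule object is caught, if at all, only by the controller at runtime. Since this file is controller-gen output, the constraint belongs on the Go types, e.g. `// +kubebuilder:validation:Enum=DEBUG;INFO;WARNING` on the priority field and the matching marker on the type field, followed by regeneration. The same gap applies to the webhook CRD in the next hunk for `auditLevel`, `auditType`, `priority` and the receiver `type`. The descriptions `This effective When the rule type is alias` (and the list/macro variants) read awkwardly and come from the Go doc comments; `Only effective when the rule type is alias` would be clearer. Note also that `apiextensions.k8s.io/v1beta1` is deprecated and no longer served from Kubernetes 1.22 onward, so the cluster versions this is meant to target should be confirmed.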
@@ -0,0 +1,915 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: webhooks.auditing.kubesphere.io +spec: + group: auditing.kubesphere.io + names: + kind: Webhook + listKind: WebhookList + plural: webhooks + singular: webhook + scope: Namespaced + validation: + openAPIV3Schema: + description: Webhook is the Schema for the webhooks API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: WebhookSpec defines the desired state of Webhook + properties: + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes + that satisfy the affinity expressions specified by this field, + but it may choose a node that violates one or more of the + expressions. The node that is most preferred is the one with + the greatest sum of weights, i.e. 
for each node that meets + all of the scheduling requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to the sum + if the node matches the corresponding matchExpressions; the + node(s) with the highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches all + objects with implicit weight 0 (i.e. it's a no-op). A null + preferred scheduling term matches no objects (i.e. is also + a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. The + terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. 
+ type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists, DoesNotExist. Gt, and Lt. + type: string + values: + description: An array of string values. If the + operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be + empty. If the operator is Gt or Lt, the values + array must have a single element, which will + be interpreted as an integer. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + type: array + required: + - nodeSelectorTerms + type: object + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes + that satisfy the affinity expressions specified by this field, + but it may choose a node that violates one or more of the + expressions. The node that is most preferred is the one with + the greatest sum of weights, i.e. for each node that meets + all of the scheduling requirements (resource request, requiredDuringScheduling + affinity expressions, etc.), compute a sum by iterating through + the elements of this field and adding "weight" to the sum + if the node has pods which matches the corresponding podAffinityTerm; + the node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey matches + that of any node on which any of the selected pods + is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may not + try to eventually evict the pod from its node. When there + are multiple elements, the lists of nodes corresponding to + each podAffinityTerm are intersected, i.e. all terms must + be satisfied. 
+ items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) that + this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a set of resources, in + this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + namespaces: + description: namespaces specifies which namespaces the + labelSelector applies to (matches against); null or + empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of any + node on which any of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some other + pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to nodes + that satisfy the anti-affinity expressions specified by this + field, but it may choose a node that violates one or more + of the expressions. The node that is most preferred is the + one with the greatest sum of weights, i.e. for each node that + meets all of the scheduling requirements (resource request, + requiredDuringScheduling anti-affinity expressions, etc.), + compute a sum by iterating through the elements of this field + and adding "weight" to the sum if the node has pods which + matches the corresponding podAffinityTerm; the node(s) with + the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces + the labelSelector applies to (matches against); + null or empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey matches + that of any node on which any of the selected pods + is running. Empty topologyKey is not allowed. 
+ type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will not + be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its node. + When there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms must + be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) that + this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of pods + is running + properties: + labelSelector: + description: A label query over a set of resources, in + this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. 
+ If the operator is In or NotIn, the values + array must be non-empty. If the operator is + Exists or DoesNotExist, the values array must + be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: namespaces specifies which namespaces the + labelSelector applies to (matches against); null or + empty list means "this pod's namespace" + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of any + node on which any of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + args: + description: Arguments to the entrypoint.. It will be appended to the + args and replace the default value. + items: + type: string + type: array + auditLevel: + description: 'The Level that all requests are recorded at. available + options: None, Metadata, Request, RequestResponse default: Metadata' + type: string + auditSinkPolicy: + description: AuditSinkPolicy is a rule selector, only the rule matched + this selector will be taked effect. + properties: + alertingRuleSelector: + description: A label selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. 
An empty + label selector matches all objects. A null label selector matches + no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + archivingRuleSelector: + description: A label selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. An empty + label selector matches all objects. A null label selector matches + no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + type: object + auditType: + description: Audit type, static or dynamic. + type: string + image: + description: The webhook docker image name. + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. + Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of references to + secrets in the same namespace to use for pulling any of the images + used by this PodSpec. If specified, these secrets will be passed to + individual puller implementations for them to use. For example, in + the case of docker, only DockerConfig type secrets are honored. 
More + info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough information to let + you locate the referenced object inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + type: object + type: array + k8sAuditingEnabled: + description: K8s auditing is enabled or not. + type: boolean + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must be true for the + pod to fit on a node. Selector which must match a node''s labels for + the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + priority: + description: Rule priority, DEBUG < INFO < WARNING Audit events will + be stored only when the priority of the audit rule matching the audit + event is greater than this. + type: string + receivers: + description: ' Receiver contains the information to make a connection + with the alertmanager' + items: + description: Receiver config which received the audit alert + properties: + config: + description: ClientConfig holds the connection parameters for + the webhook + properties: + caBundle: + description: '`caBundle` is a PEM encoded CA bundle which + will be used to validate the webhook''s server certificate. + If unspecified, system trust roots on the apiserver are + used.' + format: byte + type: string + service: + description: "`service` is a reference to the service for + this webhook. Either `service` or `url` must be specified. + \n If the webhook is running within the cluster, then you + should use `service`." + properties: + name: + description: '`name` is the name of the service. 
Required' + type: string + namespace: + description: '`namespace` is the namespace of the service. + Required' + type: string + path: + description: '`path` is an optional URL path which will + be sent in any request to this service.' + type: string + port: + description: If specified, the port on the service that + hosting webhook. Default to 443 for backward compatibility. + `port` should be a valid port number (1-65535, inclusive). + format: int32 + type: integer + required: + - name + - namespace + type: object + url: + description: "`url` gives the location of the webhook, in + standard URL form (`scheme://host:port/path`). Exactly one + of `url` or `service` must be specified. \n The `host` should + not refer to a service running in the cluster; use the `service` + field instead. The host might be resolved via external DNS + in some apiservers (e.g., `kube-apiserver` cannot resolve + in-cluster DNS as that would be a layering violation). `host` + may also be an IP address. \n Please note that using `localhost` + or `127.0.0.1` as a `host` is risky unless you take great + care to run this webhook on all hosts which run an apiserver + which might need to make calls to this webhook. Such installs + are likely to be non-portable, i.e., not easy to turn up + in a new cluster. \n The scheme must be \"https\"; the URL + must begin with \"https://\". \n A path is optional, and + if present may be any string permissible in a URL. You may + use the path to pass an arbitrary string to the webhook, + for example, a cluster identifier. \n Attempting to use + a user or basic auth e.g. \"user:password@\" is not allowed. + Fragments (\"#...\") and query parameters (\"?...\") are + not allowed, either." + type: string + type: object + name: + description: Receiver name + type: string + type: + description: Receiver type, alertmanager or webhook + type: string + type: object + type: array + replicas: + description: Number of desired pods. 
This is a pointer to distinguish + between explicit zero and not specified. Defaults to 1. + format: int32 + type: integer + resources: + description: 'Compute Resources required by this container. Cannot be + updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + properties: + limits: + additionalProperties: + type: string + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + requests: + additionalProperties: + type: string + description: 'Requests describes the minimum amount of compute resources + required. If Requests is omitted for a container, it defaults + to Limits if that is explicitly specified, otherwise to an implementation-defined + value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + type: object + type: object + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, operator + must be Exists; this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship to the value. + Valid operators are Exists and Equal. Defaults to Equal. Exists + is equivalent to wildcard for value, so that a pod can tolerate + all taints of a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time the + toleration (which must be of effect NoExecute, otherwise this + field is ignored) tolerates the taint. By default, it is not + set, which means tolerate the taint forever (do not evict). + Zero and negative values will be treated as 0 (evict immediately) + by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches to. + If the operator is Exists, the value should be empty, otherwise + just a regular string. + type: string + type: object + type: array + type: object + status: + description: WebhookStatus defines the observed state of Webhook + type: object + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crds/devops.kubesphere.io_pipelines.yaml b/config/crds/devops.kubesphere.io_pipelines.yaml index 1d3df2fa6..c2c6a55e3 100644 --- a/config/crds/devops.kubesphere.io_pipelines.yaml +++ b/config/crds/devops.kubesphere.io_pipelines.yaml @@ -71,7 +71,7 @@ spec: scm_id: type: string type: object - descriptio: + description: type: string discarder: properties: @@ -188,7 +188,7 @@ spec: type: object pipeline: properties: - descriptio: + description: type: string disable_concurrent: type: boolean diff --git a/config/crds/iam.kubesphere.io_federatedrolebindings.yaml b/config/crds/iam.kubesphere.io_federatedrolebindings.yaml new file mode 100644 index 000000000..240a985f3 --- /dev/null +++ b/config/crds/iam.kubesphere.io_federatedrolebindings.yaml 
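Review bot: The receiver `url` description states the scheme must be `https://` and that `user:password@`, fragments and query parameters are not allowed, yet the generated schema has no `pattern` on the field, so an `http://` or credential-bearing URL is accepted by the API server and the requirement rests entirely on the controller, which is not part of this diff. A `// +kubebuilder:validation:Pattern` marker on the Go field (a constructed example: `^https://[^@?#]*$`) would make controller-gen emit the check, and `service.port` could likewise carry `Minimum=1` and `Maximum=65535` to match its own description. `caBundle` as `format: byte` is fine, but nothing in the schema requires either `service` or `url` to be set even though the description says exactly one must be; if that exclusivity is enforced in the controller it deserves a comment there, otherwise a validating admission step is needed. The `controller-gen.kubebuilder.io/version: (devel)` annotation shows both new files were produced by an unpinned development build of the generator, so pinning its version wherever the generation target is invoked would make the output reproducible.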
@@ -0,0 +1,127 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: federatedrolebindings.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + kind: FederatedRoleBinding + listKind: FederatedRoleBindingList + plural: federatedrolebindings + singular: federatedrolebinding + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + placement: + properties: + clusterSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + clusters: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + type: object + template: + properties: + metadata: + type: object + roleRef: + description: RoleRef contains information that points to the role + being used + properties: + apiGroup: + description: APIGroup is the group for the resource being referenced + type: string + kind: + description: Kind is the type of resource being referenced + type: string + name: + description: Name is the name of resource being referenced + type: string + required: + - apiGroup + - kind + - name + type: object + subjects: + items: + description: Subject contains a reference to the object or user + identities a role binding applies to. This can either hold + a direct API object reference, or a value for non-objects such + as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced + subject. Defaults to "" for ServiceAccount subjects. Defaults + to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined + by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the + Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object + kind is non-namespace, such as "User" or "Group", and this + value is not empty the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + type: array + required: + - roleRef + type: object + required: + - placement + - template + type: object + required: + - spec + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crds/iam.kubesphere.io_federatedroles.yaml b/config/crds/iam.kubesphere.io_federatedroles.yaml new file mode 100644 index 000000000..e69d98723 --- /dev/null +++ b/config/crds/iam.kubesphere.io_federatedroles.yaml 
@@ -0,0 +1,125 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: federatedroles.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + kind: FederatedRole + listKind: FederatedRoleList + plural: federatedroles + singular: federatedrole + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + placement: + properties: + clusterSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + clusters: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + type: object + template: + properties: + metadata: + type: object + rules: + items: + description: PolicyRule holds information that describes a policy + rule, but does not contain information about who the rule applies + to or which namespace the rule applies to. + properties: + apiGroups: + description: APIGroups is the name of the APIGroup that contains + the resources. If multiple API groups are specified, any + action requested against one of the enumerated resources + in any API group will be allowed. 
+ items: + type: string + type: array + nonResourceURLs: + description: NonResourceURLs is a set of partial urls that + a user should have access to. *s are allowed, but only + as the full, final step in the path Since non-resource URLs + are not namespaced, this field is only applicable for ClusterRoles + referenced from a ClusterRoleBinding. Rules can either apply + to API resources (such as "pods" or "secrets") or non-resource + URL paths (such as "/api"), but not both. + items: + type: string + type: array + resourceNames: + description: ResourceNames is an optional white list of names + that the rule applies to. An empty set means that everything + is allowed. + items: + type: string + type: array + resources: + description: Resources is a list of resources this rule applies + to. ResourceAll represents all resources. + items: + type: string + type: array + verbs: + description: Verbs is a list of Verbs that apply to ALL the + ResourceKinds and AttributeRestrictions contained in this + rule. VerbAll represents all kinds. + items: + type: string + type: array + required: + - verbs + type: object + type: array + type: object + required: + - placement + - template + type: object + required: + - spec + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crds/iam.kubesphere.io_federatedusers.yaml b/config/crds/iam.kubesphere.io_federatedusers.yaml new file mode 100644 index 000000000..d6dc4a18a --- /dev/null +++ b/config/crds/iam.kubesphere.io_federatedusers.yaml 
@@ -0,0 +1,116 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: federatedusers.iam.kubesphere.io +spec: + group: iam.kubesphere.io + names: + kind: FederatedUser + listKind: FederatedUserList + plural: federatedusers + singular: federateduser + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + placement: + properties: + clusterSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + clusters: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + type: object + template: + properties: + metadata: + type: object + spec: + description: UserSpec defines the desired state of User + properties: + description: + description: Description of the user. + type: string + displayName: + type: string + email: + description: Unique email address(https://www.ietf.org/rfc/rfc5322.txt). + type: string + groups: + items: + type: string + type: array + lang: + description: The preferred written or spoken language for the + user. 
+ type: string + password: + description: password will be encrypted by mutating admission + webhook + type: string + required: + - email + type: object + status: + description: UserStatus defines the observed state of User + properties: + lastTransitionTime: + format: date-time + type: string + reason: + type: string + state: + description: The user status + type: string + type: object + required: + - spec + type: object + required: + - placement + - template + type: object + required: + - spec + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crds/iam.kubesphere.io_loginrecords.yaml b/config/crds/iam.kubesphere.io_loginrecords.yaml index 318908927..9dd74bcd4 100644 --- a/config/crds/iam.kubesphere.io_loginrecords.yaml +++ b/config/crds/iam.kubesphere.io_loginrecords.yaml @@ -12,7 +12,16 @@ spec: - JSONPath: .spec.type name: Type type: string - - JSONPath: .status.reason + - JSONPath: .spec.provider + name: Provider + type: string + - JSONPath: .spec.sourceIP + name: From + type: string + - JSONPath: .spec.success + name: Success + type: string + - JSONPath: .spec.reason name: Reason type: string - JSONPath: .metadata.creationTimestamp @@ -45,15 +54,29 @@ spec: type: object spec: properties: + provider: + description: Provider of authentication, Ldap/Github etc. + type: string reason: + description: States failed login attempt reason type: string sourceIP: + description: Source IP of client type: string + success: + description: Successful login attempt or not + type: boolean type: + description: Which authentication method used, BasicAuth/OAuth + type: string + userAgent: + description: User agent of login attempt type: string required: + - provider - reason - sourceIP + - success - type type: object required: 
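Review bot: The FederatedUser template exposes `spec.template.spec.password` as an unconstrained string whose only safeguard is the description "password will be encrypted by mutating admission webhook", so an object created while that webhook is unavailable, or through a path the webhook does not cover, is persisted in etcd with the cleartext value and nothing in the schema signals that dependency. The generated description should state the precondition explicitly, e.g. `description: Password in cleartext on create; it is only encrypted if the mutating admission webhook runs. Do not create this object while the webhook is down.`, and a `+kubebuilder:validation:MinLength` marker on the Go field would at least reject empty passwords. Whether the federation controller propagates this field to member clusters is not visible in this diff and worth confirming.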
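Review bot: The new `Success` printer column in the first loginrecords hunk is declared `type: string` while the `spec.success` field it reads (second hunk) is `type: boolean`; the column should be `type: boolean` so kubectl formats the value correctly. Separately, `sourceIP` and `userAgent` are client-influenced data: if the writer derives `sourceIP` from a forwarded header rather than the peer address, the `From` column is attacker-controllable and should not feed any lockout or alerting logic. Since this file is controller-gen output, both the column type and a clarifying field comment belong on the Go type, e.g. `// SourceIP is the peer address seen by the API server; proxy headers are not trusted` if that is how it is populated.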
diff --git a/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml b/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml index d7ef63060..e827a6e95 100644 --- a/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml +++ b/config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml @@ -101,7 +101,6 @@ spec: description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" type: string - pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))$ except: description: Except is a slice of CIDRs that should not be included within an IP Block Valid examples diff --git a/config/crds/storage.kubesphere.io_provisionercapabilities.yaml b/config/crds/storage.kubesphere.io_provisionercapabilities.yaml index 502bca4c4..fb85f34c8 100644 --- a/config/crds/storage.kubesphere.io_provisionercapabilities.yaml +++ b/config/crds/storage.kubesphere.io_provisionercapabilities.yaml 
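Review bot: Removing the `pattern` on `ipBlock.cidr` drops the only server-side validation of CIDR syntax, so a malformed value such as `foo/99` (constructed example) is now accepted by the API server and only fails, or is silently skipped, when the policy controller parses it. Because this file appears to be regenerated by controller-gen, the fix belongs on the Go field as a `+kubebuilder:validation:Pattern` marker so it survives regeneration; the old expression also matched only IPv4, so the marker is the place to extend it. The `except` list that follows carries no pattern either.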
@@ -1,99 +1,110 @@ -# according to https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/, -# and https://kubernetes.io/docs/concepts/storage/storage-classes/#allow-volume-expansion -# volume expansion support for the following in-tree volume plugins: -# AWS-EBS, GCE-PD, Azure Disk, Azure File, Glusterfs, Cinder, Portworx, and Ceph RBD. -# online file system expansion support for the following in-tree plugin -# GCE-PD, AWS-EBS, Cinder, and Ceph RBD +--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null name: provisionercapabilities.storage.kubesphere.io spec: group: storage.kubesphere.io - version: v1alpha1 - preserveUnknownFields: false names: + kind: ProvisionerCapability + listKind: ProvisionerCapabilityList plural: provisionercapabilities singular: provisionercapability - kind: ProvisionerCapability - shortNames: - - pcap - scope: Cluster - additionalPrinterColumns: - - name: Provisioner - type: string - description: The provisioner name should be the same as name - JSONPath: .spec.pluginInfo.name - - name: Expand - type: string - JSONPath: .spec.features.volume.expandMode - - name: Age - type: date - JSONPath: .metadata.creationTimestamp + scope: Namespaced validation: openAPIV3Schema: - required: - - spec - type: object + description: ProvisionerCapability is the schema for the provisionercapability + API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object.' + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this object represents.' + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string - spec: + metadata: type: object - description: 'spec defines the desired characteristics of obejct' + spec: + description: ProvisionerCapabilitySpec defines the desired state of ProvisionerCapability properties: - pluginInfo: - type: object - description: 'Plugininfo represents plugin metadata' - properties: - name: - description: 'provisioner name' - type: string - version: - description: 'plugin version' - type: string features: - type: object - description: 'Features represents plugin capability' + description: CapabilityFeatures describe storage features properties: + snapshot: + description: SnapshotFeature describe snapshot features + properties: + create: + type: boolean + list: + type: boolean + required: + - create + - list + type: object topology: - description: 'topology determines whether a provisioner support topology by looking up GetPluginCapabilities.PluginCapability' type: boolean volume: - type: object - description: 'Volume represents whether plugin supports volume features' + description: VolumeFeature describe volume features properties: - create: - description: 'Determined by ControllerGetCapabilities in ControllerServer' - type: boolean attach: - description: 'Determined by ControllerGetCapabilities in ControllerServer' - type: boolean - list: - description: 'Determined by ControllerGetCapabilities in ControllerServer' type: boolean clone: - description: 'Determined by ControllerGetCapabilities in 
ControllerServer' type: boolean - stats: - description: 'Determined by NodeGetCapabilities in NodeServer' - type: boolean - expandMode: - description: 'Determined by GetPluginCapabilities in IdentityServer' - type: string - items: - type: string - enum: ["UNKNOWN", "OFFLINE", "ONLINE"] - snapshot: - type: object - description: 'Snapshot represents whether plugin supports snapshot features' - properties: create: type: boolean + expandMode: + type: string list: - type: boolean \ No newline at end of file + type: boolean + stats: + type: boolean + required: + - attach + - clone + - create + - expandMode + - list + - stats + type: object + required: + - snapshot + - topology + - volume + type: object + pluginInfo: + description: PluginInfo describes plugin info + properties: + name: + type: string + version: + type: string + required: + - name + - version + type: object + required: + - features + - pluginInfo + type: object + required: + - spec + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crds/storage.kubesphere.io_storageclasscapabilities.yaml b/config/crds/storage.kubesphere.io_storageclasscapabilities.yaml index b44b3cc02..a2ce2a433 100644 --- a/config/crds/storage.kubesphere.io_storageclasscapabilities.yaml +++ b/config/crds/storage.kubesphere.io_storageclasscapabilities.yaml 
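Review bot: `expandMode` loses its `enum: ["UNKNOWN", "OFFLINE", "ONLINE"]` and becomes a free-form string, so the value constraint the hand-written CRD enforced is gone; a `+kubebuilder:validation:Enum=UNKNOWN;OFFLINE;ONLINE` marker on the Go field would make controller-gen reproduce it. The same hunk silently changes `scope` from Cluster to Namespaced and drops `shortNames: [pcap]` and all `additionalPrinterColumns`, which breaks existing objects and `kubectl get pcap` users; if intended it deserves a line in the commit description, otherwise `+kubebuilder:resource:scope=Cluster,shortName=pcap` and `+kubebuilder:printcolumn` markers restore it. storageclasscapabilities.yaml below has the identical regressions (enum, scope, `sccap` short name, printer columns).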
@@ -1,86 +1,101 @@ + +--- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null name: storageclasscapabilities.storage.kubesphere.io spec: group: storage.kubesphere.io - version: v1alpha1 names: + kind: StorageClassCapability + listKind: StorageClassCapabilityList plural: storageclasscapabilities singular: storageclasscapability - kind: StorageClassCapability - shortNames: - - sccap - preserveUnknownFields: false - additionalPrinterColumns: - - name: Provisioner - type: string - JSONPath: .spec.provisioner - - name: Volume - type: boolean - JSONPath: .spec.features.volume.create - - name: Expand - type: string - JSONPath: .spec.features.volume.expandMode - - name: Clone - type: boolean - JSONPath: .spec.features.volume.clone - - name: Snapshot - type: boolean - JSONPath: .spec.features.snapshot.create - - name: Age - type: date - JSONPath: .metadata.creationTimestamp - scope: Cluster + scope: Namespaced validation: openAPIV3Schema: - type: object + description: StorageClassCapability is the Schema for the storage class capability + API properties: apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - type: object + description: StorageClassCapabilitySpec defines the desired state of StorageClassCapability properties: - provisioner: - type: string features: - type: object + description: CapabilityFeatures describe storage features properties: + snapshot: + description: SnapshotFeature describe snapshot features + properties: + create: + type: boolean + list: + type: boolean + required: + - create + - list + type: object topology: - description: topology determines whether a provisioner support topology by looking up GetPluginCapabilities.PluginCapability type: boolean volume: - type: object + description: VolumeFeature describe volume features properties: - create: - description: 'Create/Delete volume. Determined by ControllerGetCapabilities in ControllerServer' - type: boolean attach: - description: 'CSI Plugin implement ControllerPublishVolume/ControllerUnpublishVolume. Determined by ControllerGetCapabilities in ControllerServer' - type: boolean - list: - description: 'CSI Plugin implement ListVolume. 
Determined by ControllerGetCapabilities in ControllerServer' type: boolean clone: - description: 'Determined by ControllerGetCapabilities in ControllerServer' type: boolean - stats: - description: 'Determined by NodeGetCapabilities in NodeServer' - type: boolean - expandMode: - description: 'Determined by GetPluginCapabilities in IdentityServer and StorageClass AllowVolumeExpansion' - type: string - items: - type: string - enum: ["UNKNOWN", "OFFLINE", "ONLINE"] - snapshot: - type: object - properties: create: type: boolean + expandMode: + type: string list: - type: boolean \ No newline at end of file + type: boolean + stats: + type: boolean + required: + - attach + - clone + - create + - expandMode + - list + - stats + type: object + required: + - snapshot + - topology + - volume + type: object + provisioner: + type: string + required: + - features + - provisioner + type: object + required: + - spec + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crds/tenant.kubesphere.io_federatedworkspaces.yaml b/config/crds/tenant.kubesphere.io_federatedworkspaces.yaml new file mode 100644 index 000000000..a7b574fbe --- /dev/null +++ b/config/crds/tenant.kubesphere.io_federatedworkspaces.yaml 
@@ -0,0 +1,110 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: federatedworkspaces.tenant.kubesphere.io +spec: + group: tenant.kubesphere.io + names: + kind: FederatedWorkspace + listKind: FederatedWorkspaceList + plural: federatedworkspaces + singular: federatedworkspace + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + overrides: + items: + properties: + clusterName: + type: string + clusterOverrides: + items: + properties: + op: + type: string + path: + type: string + value: + type: object + required: + - path + - value + type: object + type: array + required: + - clusterName + - clusterOverrides + type: object + type: array + placement: + properties: + clusterSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + clusters: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + type: object + template: + properties: + metadata: + type: object + spec: + description: WorkspaceSpec defines the desired state of Workspace + properties: + manager: + type: string + networkIsolation: + type: boolean + type: object + required: + - spec + type: object + required: + - placement + - template + type: object + required: + - spec + type: object + version: v1alpha2 + versions: + - name: v1alpha2 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crds/tenant.kubesphere.io_workspacetemplates.yaml b/config/crds/tenant.kubesphere.io_workspacetemplates.yaml index e4bb27061..027a7fc3d 100644 --- a/config/crds/tenant.kubesphere.io_workspacetemplates.yaml +++ b/config/crds/tenant.kubesphere.io_workspacetemplates.yaml @@ -45,15 +45,10 @@ spec: properties: op: type: string - path: - type: string - value: - anyOf: - - type: string - - type: integer - - type: boolean - - type: object - - type: array + path: + type: string + value: + type: object required: - path - value diff --git a/config/crds/types.kubefed.io_federatednamespaces.yaml b/config/crds/types.kubefed.io_federatednamespaces.yaml new file mode 100644 index 000000000..870fb8042 --- /dev/null 
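Review bot: Replacing the `anyOf` on `clusterOverrides[].value` with `type: object` means an override whose value is a scalar or array (e.g. a boolean for `networkIsolation` or a string for `manager`) is now rejected by schema validation, although the previous schema explicitly allowed string, integer, boolean, object and array. If the Go field is a JSON-like `interface{}`, it needs a marker such as `+kubebuilder:validation:Schemaless` (or `+kubebuilder:pruning:PreserveUnknownFields` without a fixed type) so the generated schema accepts any JSON value. The new federatedworkspaces.yaml above and federatednamespaces.yaml below carry the same `value: type: object` restriction.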
+++ b/config/crds/types.kubefed.io_federatednamespaces.yaml 
@@ -0,0 +1,125 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: federatednamespaces.types.kubefed.io +spec: + group: types.kubefed.io + names: + kind: FederatedNamespace + listKind: FederatedNamespaceList + plural: federatednamespaces + singular: federatednamespace + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + overrides: + items: + properties: + clusterName: + type: string + clusterOverrides: + items: + properties: + op: + type: string + path: + type: string + value: + type: object + required: + - path + - value + type: object + type: array + required: + - clusterName + - clusterOverrides + type: object + type: array + placement: + properties: + clusterSelector: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + clusters: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + type: object + template: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. 
Servers should convert recognized schemas to the + latest internal value, and may reject unrecognized values. More + info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource + this object represents. Servers may infer this from the endpoint + the client submits requests to. Cannot be updated. In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NamespaceSpec describes the attributes on a Namespace. + properties: + finalizers: + description: 'Finalizers is an opaque list of values that must + be empty to permanently remove object from storage. More info: + https://kubernetes.io/docs/tasks/administer-cluster/namespaces/' + items: + description: FinalizerName is the name identifying a finalizer + during namespace lifecycle. + type: string + type: array + type: object + type: object + required: + - placement + - template + type: object + required: + - spec + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/config/crds/types.kubefed.io_namespacetemplates.yaml b/config/crds/types.kubefed.io_namespacetemplates.yaml new file mode 100644 index 000000000..583d0323f --- /dev/null +++ b/config/crds/types.kubefed.io_namespacetemplates.yaml 
@@ -0,0 +1,56 @@ + +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: namespacetemplates.types.kubefed.io +spec: + group: types.kubefed.io + names: + kind: NamespaceTemplate + listKind: NamespaceTemplateList + plural: namespacetemplates + singular: namespacetemplate + scope: Namespaced + validation: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NamespaceSpec describes the attributes on a Namespace. + properties: + finalizers: + description: 'Finalizers is an opaque list of values that must be empty + to permanently remove object from storage. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/' + items: + description: FinalizerName is the name identifying a finalizer during + namespace lifecycle. + type: string + type: array + type: object + type: object + version: v1beta1 + versions: + - name: v1beta1 + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/pkg/apis/auditing/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/auditing/v1alpha1/zz_generated.deepcopy.go index 2737ab625..aab83f9d2 100644 
--- a/pkg/apis/auditing/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/auditing/v1alpha1/zz_generated.deepcopy.go @@ -1,6 +1,7 @@ // +build !ignore_autogenerated /* +Copyright 2020 The KubeSphere Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -20,15 +21,104 @@ limitations under the License. package v1alpha1 import ( - "k8s.io/apimachinery/pkg/runtime" + auditregistrationv1alpha1 "k8s.io/api/auditregistration/v1alpha1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" ) +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuditSinkPolicy) DeepCopyInto(out *AuditSinkPolicy) { + *out = *in + if in.ArchivingRuleSelector != nil { + in, out := &in.ArchivingRuleSelector, &out.ArchivingRuleSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } + if in.AlertingRuleSelector != nil { + in, out := &in.AlertingRuleSelector, &out.AlertingRuleSelector + *out = new(v1.LabelSelector) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditSinkPolicy. +func (in *AuditSinkPolicy) DeepCopy() *AuditSinkPolicy { + if in == nil { + return nil + } + out := new(AuditSinkPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DynamicAuditConfig) DeepCopyInto(out *DynamicAuditConfig) { + *out = *in + if in.Throttle != nil { + in, out := &in.Throttle, &out.Throttle + *out = new(auditregistrationv1alpha1.WebhookThrottleConfig) + (*in).DeepCopyInto(*out) + } + if in.Policy != nil { + in, out := &in.Policy, &out.Policy + *out = new(auditregistrationv1alpha1.Policy) + (*in).DeepCopyInto(*out) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicAuditConfig. +func (in *DynamicAuditConfig) DeepCopy() *DynamicAuditConfig { + if in == nil { + return nil + } + out := new(DynamicAuditConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *PolicyRule) DeepCopyInto(out *PolicyRule) { + *out = *in + if in.List != nil { + in, out := &in.List, &out.List + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRule. +func (in *PolicyRule) DeepCopy() *PolicyRule { + if in == nil { + return nil + } + out := new(PolicyRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Receiver) DeepCopyInto(out *Receiver) { + *out = *in + in.ReceiverConfig.DeepCopyInto(&out.ReceiverConfig) +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Receiver. +func (in *Receiver) DeepCopy() *Receiver { + if in == nil { + return nil + } + out := new(Receiver) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Rule) DeepCopyInto(out *Rule) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) out.Status = in.Status } @@ -85,6 +175,13 @@ func (in *RuleList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RuleSpec) DeepCopyInto(out *RuleSpec) { *out = *in + if in.PolicyRules != nil { + in, out := &in.PolicyRules, &out.PolicyRules + *out = make([]PolicyRule, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleSpec. 
@@ -117,7 +214,7 @@ func (in *Webhook) DeepCopyInto(out *Webhook) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec + in.Spec.DeepCopyInto(&out.Spec) out.Status = in.Status } @@ -174,6 +271,57 @@ func (in *WebhookList) DeepCopyObject() runtime.Object { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *WebhookSpec) DeepCopyInto(out *WebhookSpec) { *out = *in + if in.Replicas != nil { + in, out := &in.Replicas, &out.Replicas + *out = new(int32) + **out = **in + } + if in.ImagePullSecrets != nil { + in, out := &in.ImagePullSecrets, &out.ImagePullSecrets + *out = make([]corev1.LocalObjectReference, len(*in)) + copy(*out, *in) + } + if in.Args != nil { + in, out := &in.Args, &out.Args + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Affinity != nil { + in, out := &in.Affinity, &out.Affinity + *out = new(corev1.Affinity) + (*in).DeepCopyInto(*out) + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]corev1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = new(corev1.ResourceRequirements) + (*in).DeepCopyInto(*out) + } + if in.Receivers != nil { + in, out := &in.Receivers, &out.Receivers + *out = make([]Receiver, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.AuditSinkPolicy != nil { + in, out := &in.AuditSinkPolicy, &out.AuditSinkPolicy + *out = new(AuditSinkPolicy) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookSpec. 
diff --git a/pkg/apis/iam/v1alpha2/types.go b/pkg/apis/iam/v1alpha2/types.go index 4df0cece2..b0535ffea 100644 --- a/pkg/apis/iam/v1alpha2/types.go +++ b/pkg/apis/iam/v1alpha2/types.go @@ -125,9 +125,6 @@ const ( // UserDisabled means the user is disabled. UserAuthLimitExceeded UserState = "AuthLimitExceeded" - LoginFailure LoginRecordType = "LoginFailure" - LoginSuccess LoginRecordType = "LoginSuccess" - AuthenticatedSuccessfully = "authenticated successfully" ) @@ -290,7 +287,10 @@ type RoleBaseList struct { // +genclient:nonNamespaced // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:printcolumn:name="Type",type="string",JSONPath=".spec.type" -// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".status.reason" +// +kubebuilder:printcolumn:name="Provider",type="string",JSONPath=".spec.provider" +// +kubebuilder:printcolumn:name="From",type="string",JSONPath=".spec.sourceIP" +// +kubebuilder:printcolumn:name="Success",type="string",JSONPath=".spec.success" +// +kubebuilder:printcolumn:name="Reason",type="string",JSONPath=".spec.reason" // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" // +kubebuilder:resource:categories="iam",scope="Cluster" type LoginRecord struct { 
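Review bot: The new `Success` printer column is declared with `type="string"` although the field it points at is defined as `Success bool` in the next hunk; the additionalPrinterColumns type for a boolean JSONPath is `boolean`, so the marker should read `// +kubebuilder:printcolumn:name="Success",type="boolean",JSONPath=".spec.success"`. The `Reason` column now reads `.spec.reason`, which the recorder fills with `AuthenticatedSuccessfully` on success, so the column will show that literal text on every successful record rather than being empty — worth confirming that is the intended display.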
@@ -300,12 +300,27 @@ type LoginRecord struct { } type LoginRecordSpec struct { - SourceIP string `json:"sourceIP"` - Type LoginRecordType `json:"type"` - Reason string `json:"reason"` + // Which authentication method used, BasicAuth/OAuth + Type LoginType `json:"type"` + // Provider of authentication, Ldap/Github etc. + Provider string `json:"provider"` + // Source IP of client + SourceIP string `json:"sourceIP"` + // User agent of login attempt + UserAgent string `json:"userAgent,omitempty"` + // Successful login attempt or not + Success bool `json:"success"` + // States failed login attempt reason + Reason string `json:"reason"` } -type LoginRecordType string +type LoginType string + +const ( + BasicAuth LoginType = "Basic" + OAuth LoginType = "OAuth" + Token LoginType = "Token" +) // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/pkg/apis/storage/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/storage/v1alpha1/zz_generated.deepcopy.go index b21ac6d4f..457457e1c 100644 --- a/pkg/apis/storage/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/apis/storage/v1alpha1/zz_generated.deepcopy.go @@ -1,7 +1,7 @@ // +build !ignore_autogenerated /* -Copyright The Kubernetes Authors. +Copyright 2020 The KubeSphere Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
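Review bot: `Type LoginType` gains three constants (`Basic`, `OAuth`, `Token`) but no validation marker, so the API server will accept any string in `spec.type`; adding `// +kubebuilder:validation:Enum=Basic;OAuth;Token` above the field makes the generated CRD schema enforce the set, and the field comment should list the actual values rather than `BasicAuth/OAuth` (the constant is `Basic`, and `Token` is omitted). `UserAgent` and `Reason` are persisted verbatim from a client-controlled header and from error text (see the login_recoder.go hunks), so a `MaxLength` validation marker on them is worth considering so an oversized header cannot bloat a LoginRecord object. Replacing `Type LoginRecordType` with `Success bool` also changes the stored schema without a migration: existing records carry `type: LoginSuccess|LoginFailure` and no `success` field, which matters for the counting in `syncUserStatus` (user_controller.go hunk below).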
@@ -16,37 +16,22 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Code generated by deepcopy-gen. DO NOT EDIT. +// Code generated by controller-gen. DO NOT EDIT. package v1alpha1 -import "k8s.io/apimachinery/pkg/runtime" +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) -// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil. -func (in *PluginInfo) DeepCopyInto(out *PluginInfo) { - *out = *in - return -} - -// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new ProvisionerCapabilitySpecPluginInfo. -func (in *PluginInfo) DeepCopy() *PluginInfo { - if in == nil { - return nil - } - out := new(PluginInfo) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil. +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CapabilityFeatures) DeepCopyInto(out *CapabilityFeatures) { *out = *in out.Volume = in.Volume out.Snapshot = in.Snapshot - return } -// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new CapabilityFeatures. +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapabilityFeatures. func (in *CapabilityFeatures) DeepCopy() *CapabilityFeatures { if in == nil { return nil 
@@ -56,93 +41,30 @@ func (in *CapabilityFeatures) DeepCopy() *CapabilityFeatures { return out } -// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil. -func (in *StorageClassCapability) DeepCopyInto(out *StorageClassCapability) { +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PluginInfo) DeepCopyInto(out *PluginInfo) { *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - out.Spec = in.Spec - return } -// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new StorageClassCapability. -func (in *StorageClassCapability) DeepCopy() *StorageClassCapability { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PluginInfo. +func (in *PluginInfo) DeepCopy() *PluginInfo { if in == nil { return nil } - out := new(StorageClassCapability) + out := new(PluginInfo) in.DeepCopyInto(out) return out } -// DeepCopyObject is an autogenerated deep copy function, copying the receiver, creating a new runtime.Object. -func (in *StorageClassCapability) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil. -func (in *StorageClassCapabilityList) DeepCopyInto(out *StorageClassCapabilityList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]StorageClassCapability, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - return -} - -// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new StorageClassCapabilityList. 
-func (in *StorageClassCapabilityList) DeepCopy() *StorageClassCapabilityList { - if in == nil { - return nil - } - out := new(StorageClassCapabilityList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deep copy function, copying the receiver, creating a new runtime.Object. -func (in *StorageClassCapabilityList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil. -func (in *StorageClassCapabilitySpec) DeepCopyInto(out *StorageClassCapabilitySpec) { - *out = *in - out.Features = in.Features - return -} - -// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new StorageClassCapabilitySpec. -func (in *StorageClassCapabilitySpec) DeepCopy() *StorageClassCapabilitySpec { - if in == nil { - return nil - } - out := new(StorageClassCapabilitySpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil. +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProvisionerCapability) DeepCopyInto(out *ProvisionerCapability) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) out.Spec = in.Spec - return } -// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new ProvisionerCapability. +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisionerCapability. func (in *ProvisionerCapability) DeepCopy() *ProvisionerCapability { if in == nil { return nil 
@@ -152,7 +74,7 @@ func (in *ProvisionerCapability) DeepCopy() *ProvisionerCapability { return out } -// DeepCopyObject is an autogenerated deep copy function, copying the receiver, creating a new runtime.Object. +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. func (in *ProvisionerCapability) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c @@ -160,7 +82,7 @@ func (in *ProvisionerCapability) DeepCopyObject() runtime.Object { return nil } -// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil. +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProvisionerCapabilityList) DeepCopyInto(out *ProvisionerCapabilityList) { *out = *in out.TypeMeta = in.TypeMeta @@ -172,10 +94,9 @@ func (in *ProvisionerCapabilityList) DeepCopyInto(out *ProvisionerCapabilityList (*in)[i].DeepCopyInto(&(*out)[i]) } } - return } -// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new ProvisionerCapabilityList. +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisionerCapabilityList. func (in *ProvisionerCapabilityList) DeepCopy() *ProvisionerCapabilityList { if in == nil { return nil @@ -185,7 +106,7 @@ func (in *ProvisionerCapabilityList) DeepCopy() *ProvisionerCapabilityList { return out } -// DeepCopyObject is an autogenerated deep copy function, copying the receiver, creating a new runtime.Object. +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. func (in *ProvisionerCapabilityList) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c 
@@ -193,15 +114,14 @@ func (in *ProvisionerCapabilityList) DeepCopyObject() runtime.Object { return nil } -// DeepCopyInto is an autogenerated deep copy function, copying the receiver, writing into out. in must be non-nil. +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProvisionerCapabilitySpec) DeepCopyInto(out *ProvisionerCapabilitySpec) { *out = *in out.PluginInfo = in.PluginInfo out.Features = in.Features - return } -// DeepCopy is an autogenerated deep copy function, copying the receiver, creating a new ProvisionerCapabilitySpec. +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisionerCapabilitySpec. func (in *ProvisionerCapabilitySpec) DeepCopy() *ProvisionerCapabilitySpec { if in == nil { return nil 
@@ -210,3 +130,107 @@ func (in *ProvisionerCapabilitySpec) DeepCopy() *ProvisionerCapabilitySpec { in.DeepCopyInto(out) return out } + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SnapshotFeature) DeepCopyInto(out *SnapshotFeature) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotFeature. +func (in *SnapshotFeature) DeepCopy() *SnapshotFeature { + if in == nil { + return nil + } + out := new(SnapshotFeature) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StorageClassCapability) DeepCopyInto(out *StorageClassCapability) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClassCapability. +func (in *StorageClassCapability) DeepCopy() *StorageClassCapability { + if in == nil { + return nil + } + out := new(StorageClassCapability) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *StorageClassCapability) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *StorageClassCapabilityList) DeepCopyInto(out *StorageClassCapabilityList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]StorageClassCapability, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClassCapabilityList. +func (in *StorageClassCapabilityList) DeepCopy() *StorageClassCapabilityList { + if in == nil { + return nil + } + out := new(StorageClassCapabilityList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *StorageClassCapabilityList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *StorageClassCapabilitySpec) DeepCopyInto(out *StorageClassCapabilitySpec) { + *out = *in + out.Features = in.Features +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClassCapabilitySpec. +func (in *StorageClassCapabilitySpec) DeepCopy() *StorageClassCapabilitySpec { + if in == nil { + return nil + } + out := new(StorageClassCapabilitySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *VolumeFeature) DeepCopyInto(out *VolumeFeature) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VolumeFeature. +func (in *VolumeFeature) DeepCopy() *VolumeFeature { + if in == nil { + return nil + } + out := new(VolumeFeature) + in.DeepCopyInto(out) + return out +} 
diff --git a/pkg/apiserver/authentication/request/basictoken/basic_token.go b/pkg/apiserver/authentication/request/basictoken/basic_token.go index e6adb3170..7a7dc6b9c 100644 --- a/pkg/apiserver/authentication/request/basictoken/basic_token.go +++ b/pkg/apiserver/authentication/request/basictoken/basic_token.go @@ -43,11 +43,6 @@ func (a *Authenticator) AuthenticateRequest(req *http.Request) (*authenticator.R } resp, ok, err := a.auth.AuthenticatePassword(req.Context(), username, password) - // if we authenticated successfully, go ahead and remove the bearer token so that no one - // is ever tempted to use it inside of the API server - if ok { - req.Header.Del("Authorization") - } // If the token authenticator didn't error, provide a default error if !ok && err == nil { diff --git a/pkg/apiserver/filters/authentication.go b/pkg/apiserver/filters/authentication.go index 3faf7cd27..3955e3431 100644 --- a/pkg/apiserver/filters/authentication.go +++ b/pkg/apiserver/filters/authentication.go @@ -26,12 +26,16 @@ import ( "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters" "k8s.io/klog" + iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2" "kubesphere.io/kubesphere/pkg/apiserver/request" "kubesphere.io/kubesphere/pkg/models/iam/im" "net/http" + "strings" ) // WithAuthentication installs authentication handler to handler chain. +// The following part is a little bit ugly, WithAuthentication also logs user failed login attempt +// if using basic auth. But only treats request with requestURI `/oauth/authorize` as login attempt func WithAuthentication(handler http.Handler, auth authenticator.Request, loginRecorder im.LoginRecorder) http.Handler { if auth == nil { klog.Warningf("Authentication is disabled") 
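Review bot: The new doc comment on `WithAuthentication` states that only requests to `/oauth/authorize` are treated as login attempts, but the body in the following hunks records every failed basic-auth attempt regardless of path and applies the path check only to successful ones, so the comment documents the wrong contract. Suggested wording: `// WithAuthentication installs the authentication handler into the handler chain. For basic-auth requests it also records login attempts: every failed attempt, and successful attempts only when the request path starts with /oauth/authorize.` The function's body continues outside this hunk.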
@@ -41,15 +45,24 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, loginR return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { resp, ok, err := auth.AuthenticateRequest(req) + username, _, usingBasicAuth := req.BasicAuth() + + defer func() { + // if we authenticated successfully, go ahead and remove the bearer token so that no one + // is ever tempted to use it inside of the API server + if usingBasicAuth && ok { + req.Header.Del("Authorization") + } + }() + if err != nil || !ok { if err != nil { klog.Errorf("Unable to authenticate the request due to error: %v", err) - if err.Error() == im.AuthFailedIncorrectPassword.Error() { // log failed login attempts - username, _, _ := req.BasicAuth() + if usingBasicAuth { // log failed login attempts go func(user string) { if loginRecorder != nil && len(user) != 0 { - err = loginRecorder.RecordLogin(user, err, req) - klog.Errorf("Failed to record unsuccessful login attempt for user %s", user) + err = loginRecorder.RecordLogin(user, iamv1alpha2.BasicAuth, "", err, req) + klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", user, err) } }(username) } @@ -67,6 +80,13 @@ func WithAuthentication(handler http.Handler, auth authenticator.Request, loginR return } + go func() { + if loginRecorder != nil && usingBasicAuth && strings.HasPrefix(req.URL.Path, "/oauth/authorize") { + err = loginRecorder.RecordLogin(username, iamv1alpha2.BasicAuth, "", nil, req) + klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", username, err) + } + }() + req = req.WithContext(request.WithUser(req.Context(), resp.User)) handler.ServeHTTP(w, req) }) diff --git a/pkg/controller/user/user_controller.go b/pkg/controller/user/user_controller.go index 532fc454c..ca0728fc4 100644 --- a/pkg/controller/user/user_controller.go +++ b/pkg/controller/user/user_controller.go 
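Review bot: The deferred `req.Header.Del("Authorization")` only runs when this HandlerFunc returns, i.e. after `handler.ServeHTTP(w, req)` (below the hunk) has completed, so the basic-auth credential remains in the request for every downstream handler — the opposite of what the accompanying comment promises, and a regression from the removed basic_token.go code, which stripped it before returning. Delete it synchronously on the success path instead, before the request is handed on: `if usingBasicAuth && ok { req.Header.Del("Authorization") }` placed right before `req = req.WithContext(...)`, and start the success-recording goroutine after that line so the map delete cannot race with `RecordLogin`'s header reads (`req.UserAgent()`). Separately, the failed-attempt goroutine assigns the outer `err` from another goroutine (`err = loginRecorder.RecordLogin(...)`) while the handler may still read `err` for its response, and it logs "Failed to record" unconditionally even when the call succeeded; use a local and log only on error: `if rerr := loginRecorder.RecordLogin(user, iamv1alpha2.BasicAuth, "", err, req); rerr != nil { klog.Errorf("Failed to record unsuccessful login attempt for user %s, error: %v", user, rerr) }`. The enclosing HandlerFunc ends outside the hunk.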
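Review bot: The success-path goroutine logs `Failed to record unsuccessful login attempt` on every successful basic-auth login to `/oauth/authorize`, whether or not `RecordLogin` returned an error, and the message itself is wrong for this path since the attempt succeeded. It also writes the enclosing function's `err` from a separate goroutine while the request proceeds to `handler.ServeHTTP` and the deferred header deletion, which is a data race on that variable. Use a local error and log only on failure; if sub-paths of `/oauth/authorize` are not expected, an exact comparison would be tighter than `strings.HasPrefix`, which also matches `/oauth/authorizeX` — confirm against the route table before changing it.
```go
go func() {
	if loginRecorder == nil || !usingBasicAuth || !strings.HasPrefix(req.URL.Path, "/oauth/authorize") {
		return
	}
	if rerr := loginRecorder.RecordLogin(username, iamv1alpha2.BasicAuth, "", nil, req); rerr != nil {
		klog.Errorf("Failed to record successful login attempt for user %s, error: %v", username, rerr)
	}
}()
// … unchanged: req.WithContext / handler.ServeHTTP …
```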
@@ -528,8 +528,7 @@ func (c *Controller) deleteRoleBindings(user *iamv1alpha2.User) error { return err } else { for _, namespace := range result.Items { - if err := c.k8sClient.RbacV1().RoleBindings(namespace.Name). - DeleteCollection(deleteOptions, listOptions); err != nil { + if err = c.k8sClient.RbacV1().RoleBindings(namespace.Name).DeleteCollection(deleteOptions, listOptions); err != nil { klog.Error(err) return err } @@ -590,8 +589,7 @@ func (c *Controller) syncUserStatus(user *iamv1alpha2.User) (*iamv1alpha2.User, now := time.Now() failedLoginAttempts := 0 for _, loginRecord := range records { - if loginRecord.Spec.Type == iamv1alpha2.LoginFailure && - loginRecord.CreationTimestamp.Add(c.authenticationOptions.AuthenticateRateLimiterDuration).After(now) { + if !loginRecord.Spec.Success && loginRecord.CreationTimestamp.Add(c.authenticationOptions.AuthenticateRateLimiterDuration).After(now) { failedLoginAttempts++ } } diff --git a/pkg/kapis/oauth/handler.go b/pkg/kapis/oauth/handler.go index 90b63753a..c33125304 100644 --- a/pkg/kapis/oauth/handler.go +++ b/pkg/kapis/oauth/handler.go @@ -133,7 +133,7 @@ func (h *handler) Authorize(req *restful.Request, resp *restful.Response) { http.Redirect(resp, req.Request, redirectURL, http.StatusFound) } -func (h *handler) OAuthCallBack(req *restful.Request, resp *restful.Response) { +func (h *handler) oAuthCallBack(req *restful.Request, resp *restful.Response) { code := req.QueryParameter("code") name := req.PathParameter("callback") @@ -161,7 +161,7 @@ func (h *handler) OAuthCallBack(req *restful.Request, resp *restful.Response) { identity, err := oauthIdentityProvider.IdentityExchange(code) if err != nil { - err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) + err = apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) resp.WriteError(http.StatusUnauthorized, err) return } 
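Review bot: In `syncUserStatus`, `!loginRecord.Spec.Success` now counts as a failed attempt every LoginRecord whose `success` field is false, which includes records written before this commit: they carry `type: LoginSuccess|LoginFailure` and no `success` field, so they decode with `Success == false`. For the `AuthenticateRateLimiterDuration` window after an upgrade a user's recent successful logins are therefore counted as failures and may push them over the limit (the threshold check is outside the hunk, so I cannot see the exact consequence). Either migrate existing records, or guard the transition using the reason the old code wrote on success, e.g. `if !loginRecord.Spec.Success && loginRecord.Spec.Reason != iamv1alpha2.AuthenticatedSuccessfully && loginRecord.CreationTimestamp.Add(...).After(now) {`.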
@@ -217,7 +217,7 @@ func (h *handler) OAuthCallBack(req *restful.Request, resp *restful.Response) { return } - if err = h.loginRecorder.RecordLogin(authenticated.Name, nil, req.Request); err != nil { + if err = h.loginRecorder.RecordLogin(authenticated.Name, iamv1alpha2.OAuth, providerOptions.Name, nil, req.Request); err != nil { klog.Error(err) err := apierrors.NewInternalError(err) resp.WriteError(http.StatusInternalServerError, err) @@ -273,9 +273,9 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R authenticated, err := h.authenticator.Authenticate(username, password) if err != nil { if err == im.AuthFailedIncorrectPassword { - if err := h.loginRecorder.RecordLogin(username, err, req.Request); err != nil { + if err := h.loginRecorder.RecordLogin(username, iamv1alpha2.Token, "", err, req.Request); err != nil { klog.Error(err) - err := apierrors.NewInternalError(err) + err = apierrors.NewInternalError(err) response.WriteError(http.StatusInternalServerError, err) return } @@ -284,7 +284,7 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R err == im.AuthFailedIdentityMappingNotMatch || err == im.AuthRateLimitExceeded { klog.V(4).Info(err) - err := apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) + err = apierrors.NewUnauthorized(fmt.Sprintf("Unauthorized: %s", err)) response.WriteError(http.StatusUnauthorized, err) return } @@ -302,7 +302,7 @@ func (h *handler) passwordGrant(username string, password string, req *restful.R return } - if err = h.loginRecorder.RecordLogin(authenticated.GetName(), nil, req.Request); err != nil { + if err = h.loginRecorder.RecordLogin(authenticated.GetName(), iamv1alpha2.Token, "", nil, req.Request); err != nil { klog.Error(err) err := apierrors.NewInternalError(err) response.WriteError(http.StatusInternalServerError, err) diff --git a/pkg/kapis/oauth/register.go b/pkg/kapis/oauth/register.go index fd8f57fcb..af76e0235 100644 
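Review bot: `passwordGrant` still records a failed attempt only when `err == im.AuthFailedIncorrectPassword`, whereas the basic-auth filter in authentication.go (this commit) now records every failed basic-auth request; since `syncUserStatus` rate-limits on the count of unsuccessful records, the two login paths now feed the limiter with different events, and on the filter path a rejection such as `im.AuthRateLimitExceeded` would presumably itself be recorded as a further failure if it surfaces through `AuthenticateRequest`, extending the lockout. Apply the same predicate in both places — for instance `errors.Is(err, im.AuthFailedIncorrectPassword)` in the filter, which the removed string comparison there was approximating. The context lines `err := apierrors.NewInternalError(err)` in this hunk and in the `@@ -302` hunk still shadow `err`, while the commit changed the identical pattern on the failure path to `err =`; finishing that cleanup keeps the handler consistent.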
--- a/pkg/kapis/oauth/register.go +++ b/pkg/kapis/oauth/register.go @@ -91,7 +91,7 @@ func AddToContainer(c *restful.Container, im im.IdentityManagementInterface, tok "otherwise, REQUIRED. The scope of the access token as described by [RFC6479] Section 3.3.").Required(false)). Param(ws.QueryParameter("state", "if the \"state\" parameter was present in the client authorization request."+ "The exact value received from the client.").Required(true)). - To(handler.OAuthCallBack). + To(handler.oAuthCallBack). Returns(http.StatusOK, api.StatusOK, oauth.Token{})) c.Add(ws) diff --git a/pkg/models/iam/im/login_recoder.go b/pkg/models/iam/im/login_recoder.go index e4332ec21..e3c3df491 100644 --- a/pkg/models/iam/im/login_recoder.go +++ b/pkg/models/iam/im/login_recoder.go @@ -29,7 +29,7 @@ import ( ) type LoginRecorder interface { - RecordLogin(username string, authErr error, req *http.Request) error + RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, authErr error, req *http.Request) error } type loginRecorder struct { @@ -42,7 +42,7 @@ func NewLoginRecorder(ksClient kubesphere.Interface) LoginRecorder { } } -func (l *loginRecorder) RecordLogin(username string, authErr error, req *http.Request) error { +func (l *loginRecorder) RecordLogin(username string, loginType iamv1alpha2.LoginType, provider string, authErr error, req *http.Request) error { loginEntry := &iamv1alpha2.LoginRecord{ ObjectMeta: metav1.ObjectMeta{ GenerateName: fmt.Sprintf("%s-", username), 
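Review bot: The widened `RecordLogin` method on the `LoginRecorder` interface has no doc comment, so the meaning of the two new parameters is only discoverable from the implementation. A comment along these lines would serve callers: `// RecordLogin persists a LoginRecord for username. loginType and provider describe how the user authenticated; a nil authErr records a successful attempt, a non-nil one a failed attempt whose Error() text is stored as the record's reason.` `provider` is passed as a free-form string (`""` from the basic-auth callers, `providerOptions.Name` from the OAuth callback), so the comment should also state that empty is permitted. The implementation's body continues in the next hunk.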
@@ -51,14 +51,17 @@ func (l *loginRecorder) RecordLogin(username string, authErr error, req *http.Re }, }, Spec: iamv1alpha2.LoginRecordSpec{ - SourceIP: net.GetRequestIP(req), - Type: iamv1alpha2.LoginSuccess, - Reason: iamv1alpha2.AuthenticatedSuccessfully, + Type: loginType, + Provider: provider, + Success: true, + Reason: iamv1alpha2.AuthenticatedSuccessfully, + SourceIP: net.GetRequestIP(req), + UserAgent: req.UserAgent(), }, } if authErr != nil { - loginEntry.Spec.Type = iamv1alpha2.LoginFailure + loginEntry.Spec.Success = false loginEntry.Spec.Reason = authErr.Error() }