{ "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "properties": { "additionalRedactions": { "description": "AdditionalRedactions details additional informatino to be redacted. If there are any Filers defined in the same\npolicy, these Redactions will only be applied to logs that are Allowed by those filters. If there are no\nFilters, the redactions will be applied to all logs.", "items": { "properties": { "headers": { "items": { "type": "string" }, "type": "array" }, "paths": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "enabled": { "type": "boolean" }, "filters": { "description": "Filters described what logs are explicitly allowed and denied. Leave empty if all logs should be allowed. The\nAllow action has higher precedence than Deny. So if there are multiple filters that match a log and at least one\nAllow, the log will be allowed.", "items": { "description": "Filter provides values used to filter out audit logs.", "properties": { "action": { "description": "Action defines what happens", "type": "string" }, "requestURI": { "description": "RequestURI is a regular expression used to match against the url of the log request. For example, the Filter:\n\nFilter {\n Action: Allow.\n REquestURI: \"/foo/.*\"\n}\n\nwould allow logs sent to \"/foo/some/endpoint\" but not \"/foo\" or \"/foobar\".", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "verbosity": { "description": "Verbosity defines how much data to collect from each log. The end verbosity for a log is calculated as a merge\nof each policy that Allows a log (including plicies with no Filters). For example, take the two policie specs\nbelow:\n\nAuditPolicySpec {\n Enabled: True,\n Verbosity: LogVerbosity {\n Request: Verbosity {\n Body: True,\n },\n },\n}\n\nAuditPolicySpec {\n Enabled: True,\n Filters: []Filters{\n {\n Action: \"allow\",\n RequestURI: \"/foo\"\n },\n },\n Verbosity: LogVerbosity {\n Response: Verbosity {\n Body: True,\n },\n },\n}\n\nA request to the \"/foo\" endpoint will log both the request and response bodies, but a request to \"/bar\" will\nonly log the request body.", "properties": { "level": { "description": "Level is carried over from the previous implementation of audit logging, and provides a shorthand for defining\nLogVerbosities. When Level is not LevelNull, Request and Reponse are ignored.", "type": "integer" }, "request": { "properties": { "body": { "type": "boolean" }, "headers": { "type": "boolean" } }, "type": "object", "additionalProperties": false }, "response": { "properties": { "body": { "type": "boolean" }, "headers": { "type": "boolean" } }, "type": "object", "additionalProperties": false } }, "required": [ "level" ], "type": "object", "additionalProperties": false } }, "required": [ "enabled" ], "type": "object", "additionalProperties": false }, "status": { "properties": { "conditions": { "items": { "description": "Condition contains details for one aspect of the current state of this API Resource.", "properties": { "lastTransitionTime": { "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.", "format": "date-time", "type": "string" }, "message": { "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.", "maxLength": 32768, "type": "string" }, "observedGeneration": { "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.", "format": "int64", "minimum": 0, "type": "integer" }, "reason": { "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.", "maxLength": 1024, "minLength": 1, "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$", "type": "string" }, "status": { "description": "status of the condition, one of True, False, Unknown.", "enum": [ "True", "False", "Unknown" ], "type": "string" }, "type": { "description": "type of condition in CamelCase or in foo.example.com/CamelCase.", "maxLength": 316, "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$", "type": "string" } }, "required": [ "lastTransitionTime", "message", "reason", "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }