diff --git a/src/shared/operator_cloud_client/status_report.go b/src/shared/operator_cloud_client/status_report.go
index bdfbfb5c6..c74333668 100644
--- a/src/shared/operator_cloud_client/status_report.go
+++ b/src/shared/operator_cloud_client/status_report.go
@@ -7,7 +7,9 @@ import (
 "github.com/otterize/intents-operator/src/shared/operatorconfig/enforcement"
 "github.com/otterize/intents-operator/src/shared/otterizecloud/graphqlclient"
 "github.com/otterize/intents-operator/src/shared/otterizecloud/otterizecloudclient"
+ "github.com/otterize/intents-operator/src/shared/serviceidresolver/serviceidentity"
 "github.com/otterize/intents-operator/src/shared/telemetries/errorreporter"
+ "github.com/samber/lo"
 "github.com/sirupsen/logrus"
 "github.com/spf13/viper"
 "time"
@@ -68,6 +70,7 @@ func getAllowExternalConfig() graphqlclient.AllowExternalTrafficPolicy {
 func uploadConfiguration(ctx context.Context, client CloudClient) {
 ingressConfigIdentities := operatorconfig.GetIngressControllerServiceIdentities()
+ externallyManagedPolicyWorkloadIdentities := operatorconfig.GetExternallyManagedPoliciesServiceIdentities()
 enforcementConfig := enforcement.GetConfig()
 timeoutCtx, cancel := context.WithTimeout(ctx, viper.GetDuration(otterizecloudclient.CloudClientTimeoutKey))
 defer cancel()
@@ -87,17 +90,21 @@ func uploadConfiguration(ctx context.Context, client CloudClient) {
 AllowExternalTrafficPolicy: getAllowExternalConfig(),
 }
- if len(ingressConfigIdentities) != 0 {
- ingressControllerConfigInput := make([]graphqlclient.IngressControllerConfigInput, 0)
- for _, identity := range ingressConfigIdentities {
- ingressControllerConfigInput = append(ingressControllerConfigInput, graphqlclient.IngressControllerConfigInput{
- Name: identity.Name,
- Namespace: identity.Namespace,
- Kind: identity.Kind,
- })
+ configInput.IngressControllerConfig = lo.Map(ingressConfigIdentities, func(identity serviceidentity.ServiceIdentity, _ int) graphqlclient.IngressControllerConfigInput {
+ return graphqlclient.IngressControllerConfigInput{
+ Name: identity.Name,
+ Namespace: identity.Namespace,
+ Kind: identity.Kind,
 }
- configInput.IngressControllerConfig = ingressControllerConfigInput
- }
+ })
+
+ configInput.ExternallyManagedPolicyWorkloads = lo.Map(externallyManagedPolicyWorkloadIdentities, func(identity serviceidentity.ServiceIdentity, _ int) graphqlclient.ExternallyManagedPolicyWorkloadInput {
+ return graphqlclient.ExternallyManagedPolicyWorkloadInput{
+ Name: identity.Name,
+ Namespace: identity.Namespace,
+ Kind: identity.Kind,
+ }
+ })
 configInput.AwsALBLoadBalancerExemptionEnabled = viper.GetBool(operatorconfig.IngressControllerALBExemptKey)
diff --git a/src/shared/operatorconfig/config.go b/src/shared/operatorconfig/config.go
index f7f2b024e..0e242855f 100644
--- a/src/shared/operatorconfig/config.go
+++ b/src/shared/operatorconfig/config.go
@@ -5,6 +5,7 @@ import (
 "github.com/otterize/intents-operator/src/shared/operatorconfig/enforcement"
 "github.com/otterize/intents-operator/src/shared/serviceidresolver/serviceidentity"
 "github.com/otterize/intents-operator/src/shared/telemetries/telemetriesconfig"
+ "github.com/samber/lo"
 "github.com/sirupsen/logrus"
 "github.com/spf13/pflag"
 "github.com/spf13/viper"
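Review bot: Replacing the `len(ingressConfigIdentities) != 0` guard with lo.Map changes the wire payload for the empty case: lo.Map sizes its result from the input length, so with no configured ingress controllers the field is now an empty non-nil slice that marshals as `[]`, where the old code left it nil (`null`), and the new `ExternallyManagedPolicyWorkloads` field behaves the same way. The schema hunks later in this commit declare both as nullable lists, so the backend presumably accepts either, but it is worth confirming it treats `[]` and `null` identically before shipping; if it does not, keep a guard such as `if len(externallyManagedPolicyWorkloadIdentities) != 0 { … }` around the assignment. uploadConfiguration begins in the previous hunk and continues past this one.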
@@ -62,6 +63,7 @@ const (
 IngressControllerConfigKey = "ingressControllers"
 SeparateNetpolsForIngressAndEgress = "separate-netpols-for-ingress-and-egress"
 SeparateNetpolsForIngressAndEgressDefault = false
+ ExternallyManagedPolicyWorkloadsKey = "externallyManagedPolicyWorkloads"
 )
 func init() {
@@ -125,15 +127,35 @@ func GetIngressControllerServiceIdentities() []serviceidentity.ServiceIdentity {
 logrus.WithError(err).Panic("Failed to unmarshal ingress controller config")
 }
- identities := make([]serviceidentity.ServiceIdentity, 0)
- for _, controller := range controllers {
- identities = append(identities, serviceidentity.ServiceIdentity{
+ return lo.Map(controllers, func(controller IngressControllerConfig, _ int) serviceidentity.ServiceIdentity {
+ return serviceidentity.ServiceIdentity{
 Name: controller.Name,
 Namespace: controller.Namespace,
 Kind: controller.Kind,
- })
+ }
+ })
+}
+
+type ExternallyManagedPolicyWorkload struct {
+ Name string
+ Namespace string
+ Kind string
+}
+
+func GetExternallyManagedPoliciesServiceIdentities() []serviceidentity.ServiceIdentity {
+ workloads := make([]ExternallyManagedPolicyWorkload, 0)
+ err := viper.UnmarshalKey(ExternallyManagedPolicyWorkloadsKey, &workloads)
+ if err != nil {
+ logrus.WithError(err).Panic("Failed to unmarshal externally managed policy workloads config")
 }
- return identities
+
+ return lo.Map(workloads, func(workload ExternallyManagedPolicyWorkload, _ int) serviceidentity.ServiceIdentity {
+ return serviceidentity.ServiceIdentity{
+ Name: workload.Name,
+ Namespace: workload.Namespace,
+ Kind: workload.Kind,
+ }
+ })
 }
 func InitCLIFlags() {
diff --git a/src/shared/otterizecloud/graphqlclient/generated.go b/src/shared/otterizecloud/graphqlclient/generated.go
index ee46bf52c..9721b3775 100644
--- a/src/shared/otterizecloud/graphqlclient/generated.go
+++ b/src/shared/otterizecloud/graphqlclient/generated.go
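Review bot: GetExternallyManagedPoliciesServiceIdentities accepts entries with an empty name, namespace or kind and hands them to uploadConfiguration unchanged; since the schema hunks in this commit add the reason ALLOWED_BY_EXTERNALLY_MANAGED_NETWORK_POLICY, these identities presumably widen what the backend reports as allowed, so a half-filled entry should fail at config load rather than be reported as-is and matched by whatever rule the backend applies. The unmarshal path already panics on bad input, so rejecting malformed entries the same way keeps the existing style. The new exported type and function also lack doc comments, e.g. `// ExternallyManagedPolicyWorkload is one entry of the list configured under ExternallyManagedPolicyWorkloadsKey.` and `// GetExternallyManagedPoliciesServiceIdentities returns the configured externally managed policy workloads as service identities; it panics if the config cannot be parsed.`
```go
func GetExternallyManagedPoliciesServiceIdentities() []serviceidentity.ServiceIdentity {
	// … unchanged: viper.UnmarshalKey and its panic on error …
	for _, workload := range workloads {
		if workload.Name == "" || workload.Namespace == "" || workload.Kind == "" {
			logrus.WithField("workload", workload).Panic("externally managed policy workload must set name, namespace and kind")
		}
	}
	// … unchanged: lo.Map to serviceidentity.ServiceIdentity …
}
```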
@@ -215,6 +215,21 @@ func (v *ExternallyAccessibleServiceInput) GetServiceType() KubernetesServiceTyp
 return v.ServiceType
 }
+type ExternallyManagedPolicyWorkloadInput struct {
+ Name string `json:"name"`
+ Namespace string `json:"namespace"`
+ Kind string `json:"kind"`
+}
+
+// GetName returns ExternallyManagedPolicyWorkloadInput.Name, and is useful for accessing the field via an interface.
+func (v *ExternallyManagedPolicyWorkloadInput) GetName() string { return v.Name }
+
+// GetNamespace returns ExternallyManagedPolicyWorkloadInput.Namespace, and is useful for accessing the field via an interface.
+func (v *ExternallyManagedPolicyWorkloadInput) GetNamespace() string { return v.Namespace }
+
+// GetKind returns ExternallyManagedPolicyWorkloadInput.Kind, and is useful for accessing the field via an interface.
+func (v *ExternallyManagedPolicyWorkloadInput) GetKind() string { return v.Kind }
+
 type HTTPConfigInput struct {
 Path *string `json:"path"`
 Methods []*HTTPMethod `json:"methods"`
@@ -349,20 +364,21 @@ const (
 )
 type IntentsOperatorConfigurationInput struct {
- GlobalEnforcementEnabled bool `json:"globalEnforcementEnabled"`
- NetworkPolicyEnforcementEnabled bool `json:"networkPolicyEnforcementEnabled"`
- KafkaACLEnforcementEnabled bool `json:"kafkaACLEnforcementEnabled"`
- IstioPolicyEnforcementEnabled bool `json:"istioPolicyEnforcementEnabled"`
- ProtectedServicesEnabled bool `json:"protectedServicesEnabled"`
- EgressNetworkPolicyEnforcementEnabled bool `json:"egressNetworkPolicyEnforcementEnabled"`
- AwsIAMPolicyEnforcementEnabled bool `json:"awsIAMPolicyEnforcementEnabled"`
- GcpIAMPolicyEnforcementEnabled bool `json:"gcpIAMPolicyEnforcementEnabled"`
- AzureIAMPolicyEnforcementEnabled bool `json:"azureIAMPolicyEnforcementEnabled"`
- DatabaseEnforcementEnabled bool `json:"databaseEnforcementEnabled"`
- EnforcedNamespaces []string `json:"enforcedNamespaces"`
- IngressControllerConfig []IngressControllerConfigInput `json:"ingressControllerConfig"`
- AwsALBLoadBalancerExemptionEnabled bool `json:"awsALBLoadBalancerExemptionEnabled"`
- AllowExternalTrafficPolicy AllowExternalTrafficPolicy `json:"allowExternalTrafficPolicy"`
+ GlobalEnforcementEnabled bool `json:"globalEnforcementEnabled"`
+ NetworkPolicyEnforcementEnabled bool `json:"networkPolicyEnforcementEnabled"`
+ KafkaACLEnforcementEnabled bool `json:"kafkaACLEnforcementEnabled"`
+ IstioPolicyEnforcementEnabled bool `json:"istioPolicyEnforcementEnabled"`
+ ProtectedServicesEnabled bool `json:"protectedServicesEnabled"`
+ EgressNetworkPolicyEnforcementEnabled bool `json:"egressNetworkPolicyEnforcementEnabled"`
+ AwsIAMPolicyEnforcementEnabled bool `json:"awsIAMPolicyEnforcementEnabled"`
+ GcpIAMPolicyEnforcementEnabled bool `json:"gcpIAMPolicyEnforcementEnabled"`
+ AzureIAMPolicyEnforcementEnabled bool `json:"azureIAMPolicyEnforcementEnabled"`
+ DatabaseEnforcementEnabled bool `json:"databaseEnforcementEnabled"`
+ EnforcedNamespaces []string `json:"enforcedNamespaces"`
+ IngressControllerConfig []IngressControllerConfigInput `json:"ingressControllerConfig"`
+ AwsALBLoadBalancerExemptionEnabled bool `json:"awsALBLoadBalancerExemptionEnabled"`
+ AllowExternalTrafficPolicy AllowExternalTrafficPolicy `json:"allowExternalTrafficPolicy"`
+ ExternallyManagedPolicyWorkloads []ExternallyManagedPolicyWorkloadInput `json:"externallyManagedPolicyWorkloads"`
 }
 // GetGlobalEnforcementEnabled returns IntentsOperatorConfigurationInput.GlobalEnforcementEnabled, and is useful for accessing the field via an interface.
@@ -435,6 +451,11 @@ func (v *IntentsOperatorConfigurationInput) GetAllowExternalTrafficPolicy() Allo
 return v.AllowExternalTrafficPolicy
 }
+// GetExternallyManagedPolicyWorkloads returns IntentsOperatorConfigurationInput.ExternallyManagedPolicyWorkloads, and is useful for accessing the field via an interface.
+func (v *IntentsOperatorConfigurationInput) GetExternallyManagedPolicyWorkloads() []ExternallyManagedPolicyWorkloadInput {
+ return v.ExternallyManagedPolicyWorkloads
+}
+
 type InternetConfigInput struct {
 Domains []*string `json:"domains"`
 DiscoveredTarget *DNSIPPairInput `json:"discoveredTarget"`
diff --git a/src/shared/otterizecloud/graphqlclient/schema.graphql b/src/shared/otterizecloud/graphqlclient/schema.graphql
index 06f0c8bcb..5be8ab5a7 100644
--- a/src/shared/otterizecloud/graphqlclient/schema.graphql
+++ b/src/shared/otterizecloud/graphqlclient/schema.graphql
@@ -106,7 +106,7 @@ type AWSS3Resource {
 type AWSVisibility {
 arn: String!
- resourceType: String!
+ resourceType: AWSVisibilityResourceType!
 name: String!
 lbArn: String
 domain: String
@@ -115,6 +115,10 @@ type AWSVisibility {
 region: String!
 }
+enum AWSVisibilityResourceType {
+ EKS
+}
+
 type AWSVisibilitySettings {
 isActive: Boolean!
 awsAccountId: String!
@@ -172,7 +176,6 @@ type AccessLogEdge {
 originIntent: Intent!
 dns: String!
 accessStatus: EdgeAccessStatus!
- accessStatuses: EdgeAccessStatuses!
 }
 enum AllowExternalTrafficPolicy {
@@ -301,8 +304,8 @@ input ClientIPConfig {
 }
 type ClientIntentEvent {
- firstTimestamp: Time!
- lastTimestamp: Time!
+ firstTimestamp: Time
+ lastTimestamp: Time
 reportingComponent: String
 count: Int!
 type: String!
@@ -319,8 +322,8 @@ input ClientIntentEventInput {
 annotations: [KeyValueInput!]
 count: Int!
 clientIntentName: String!
- firstTimestamp: Time!
- lastTimestamp: Time!
+ firstTimestamp: Time
+ lastTimestamp: Time
 reportingComponent: String
 reportingInstance: String
 sourceComponent: String
@@ -419,6 +422,7 @@ type ClusterViolation {
 cluster: Cluster!
 reason: String!
 intentsOperatorState: IntentsOperatorState
+ relatedServices: [Service!]
 }
 input Component {
@@ -537,6 +541,12 @@ enum DatabaseVisibilitySource {
 GCP_PUBSUB
 }
+type DetectedCloudServer {
+ cloudProvider: String!
+ cloudService: String!
+ region: String!
+}
+
 input DiscoveredIntentInput {
 discoveredAt: Time!
 intent: IntentInput!
@@ -558,6 +568,7 @@ enum EdgeAccessStatusReason {
 ALLOWED_BY_APPLIED_INTENTS_KAFKA_OVERLY_PERMISSIVE
 ALLOWED_BY_APPLIED_INTENTS_DATABASE_OVERLY_PERMISSIVE
 ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY
+ WOULD_BE_ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY
 BLOCKED_BY_APPLIED_INTENTS_UNDER_PERMISSIVE
 BLOCKED_BY_APPLIED_INTENTS_RESOURCE_MISMATCH
 BLOCKED_BY_APPLIED_INTENTS_HTTP_UNDER_PERMISSIVE
@@ -583,6 +594,9 @@ enum EdgeAccessStatusReason {
 NO_INTENTS_FOUND_OF_RELEVANT_TYPE
 IGNORED_IN_CALCULATION
 INTERNET_INTENTS_ENFORCEMENT_DISABLED
+ BLOCKED_BY_DEFAULT_DENY_MISSING_EXTERNAL_TRAFFIC_POLICY
+ BLOCKED_BY_APPLIED_INTENTS_MISSING_EXTERNAL_TRAFFIC_POLICY
+ ALLOWED_BY_EXTERNALLY_MANAGED_NETWORK_POLICY
 }
 enum EdgeAccessStatusVerdict {
@@ -671,6 +685,12 @@ input ExternallyAccessibleServiceInput {
 serviceType: KubernetesServiceType!
 }
+input ExternallyManagedPolicyWorkloadInput {
+ name: String!
+ namespace: String!
+ kind: String!
+}
+
 type FeatureFlags {
 isCloudServicesDetectionEnabled: Boolean
 isCloudSecurityEnabled: Boolean
@@ -832,8 +852,8 @@ enum IDFilterOperators {
 }
 type IDFilterValue {
- value: [ID!]!
- operator: IDFilterOperators!
+ include: [ID!]
+ exclude: [ID!]
 }
 enum IPFamily {
@@ -888,6 +908,10 @@ input InputAccessLogFilter {
 featureFlags: InputFeatureFlags
 """ Access log filter """
 pagination: PaginationInput
+""" Access log filter """
+ accessVerdicts: InputIDFilterValue
+""" Access log filter """
+ accessStatusReasons: InputIDFilterValue
 }
 input InputFeatureFlags {
@@ -912,8 +936,8 @@ input InputFindingFilter {
 }
 input InputIDFilterValue {
- value: [ID!]!
- operator: IDFilterOperators!
+ include: [ID!]
+ exclude: [ID!]
 }
 input InputIntegrationAccessGraphFilter {
@@ -934,6 +958,8 @@ input InputResourceInventoryFilter {
 """ Service filter """
 input InputServiceFilter {
+""" Service filter """
+ search: String
 """ Service filter """
 serviceType: InputIDFilterValue
 """ Service filter """
@@ -1144,6 +1170,7 @@ input IntentsOperatorConfigurationInput {
 ingressControllerConfig: [IngressControllerConfigInput!]
 awsALBLoadBalancerExemptionEnabled: Boolean
 allowExternalTrafficPolicy: AllowExternalTrafficPolicy
+ externallyManagedPolicyWorkloads: [ExternallyManagedPolicyWorkloadInput!]
 }
 type IntentsOperatorState {
@@ -1716,6 +1743,10 @@ type Mutation {
 id: ID!
 tags: [String!]
 ): Service!
+"""update service metadata from operator"""
+ reportServiceMetadata(
+ serviceMeta: ReportServiceMetadataInput!
+ ): Boolean!
 """Bulk Update services"""
 addTagsToServices(
 ids: [ID!]!
@@ -1831,6 +1862,11 @@ input PaginationInput {
 limit: Int
 }
+""" Pagination types """
+type PaginationMeta {
+ total: Int
+}
+
 enum PathType {
 IMPLEMENTATION_SPECIFIC
 PREFIX
@@ -1861,6 +1897,7 @@ type Query {
 serviceAccessGraph(
 id: ID!
 ): ServiceAccessGraph!
+""" Get service ClientIntents """
 serviceClientIntents(
 id: ID!
 asServiceId: ID
@@ -1991,12 +2028,21 @@ type Query {
 name: String
 filter: InputServiceFilter
 ): [Service!]!
+"""Paginate services"""
+ paginateServices(
+ filter: InputServiceFilter
+ pagination: PaginationInput
+ ): ServicesResponse!
 """Get service by filters"""
 oneService(
 environmentId: ID
 namespaceId: ID
 name: String
 ): Service
+"""Get service by kubernetes identity"""
+ serviceByIdentity(
+ identity: ServiceIdentityInput!
+ ): Service!
 """List users"""
 users: [User!]!
 """Get user"""
@@ -2021,12 +2067,17 @@ type Regulation {
 enum RegulationCode {
 PCI_4_0
 PCI_4_0_1_1
+ PCI_4_0_1_1_2
 PCI_4_0_1_1_4
+ PCI_4_0_1_1_6
 PCI_4_0_1_2
 PCI_4_0_1_2_1
 PCI_4_0_1_3
 PCI_4_0_1_3_4
 PCI_4_0_1_3_6
+ PCI_4_0_7_1
+ PCI_4_0_7_2
+ PCI_4_0_8_7
 ZERO_TRUST
 ZERO_TRUST_SENSITIVE
 ZERO_TRUST_DEFAULT_DENY
@@ -2042,6 +2093,11 @@ enum RegulationStandard {
 ZERO_TRUST
 }
+input ReportServiceMetadataInput {
+ identity: ServiceIdentityInput!
+ metadata: ServiceMetadataInput!
+}
+
 type Resource {
 id: ID!
 service: Service!
@@ -2142,6 +2198,7 @@ type Service {
 gcpResource: GCPResource
 azureResource: AzureResource
 discoveredByIntegration: Integration
+ detectedCloudServer: DetectedCloudServer
 awsVisibility: AWSVisibility
 databaseIntegration: Integration
 tlsKeyPair: KeyPair!
@@ -2182,11 +2239,21 @@ enum ServiceExternalTrafficPolicy {
 LOCAL
 }
+input ServiceIdentityInput {
+ name: String!
+ namespace: String!
+ kind: String!
+}
+
 enum ServiceInternalTrafficPolicy {
 CLUSTER
 LOCAL
 }
+input ServiceMetadataInput {
+ tags: [String!]
+}
+
 enum ServiceType {
 NODE_GROUP
 PREFIX_GROUP
@@ -2200,6 +2267,7 @@ enum ServiceType {
 DATABASE_USER
 KUBERNETES_LOAD_BALANCER
 AWS_VISIBILITY_EKS
+ DETECTED_CLOUD_SERVER
 }
 type ServiceViolation {
@@ -2208,6 +2276,11 @@ type ServiceViolation {
 violatedCalls: [AccessGraphEdge!]
 }
+type ServicesResponse {
+ data: [Service!]!
+ meta: PaginationMeta
+}
+
 enum SessionAffinity {
 CLIENT_IP
 NONE
diff --git a/src/shared/telemetries/telemetriesgql/schema.graphql b/src/shared/telemetries/telemetriesgql/schema.graphql
index 06f0c8bcb..5be8ab5a7 100644
--- a/src/shared/telemetries/telemetriesgql/schema.graphql
+++ b/src/shared/telemetries/telemetriesgql/schema.graphql
@@ -106,7 +106,7 @@ type AWSS3Resource {
 type AWSVisibility {
 arn: String!
- resourceType: String!
+ resourceType: AWSVisibilityResourceType!
 name: String!
 lbArn: String
 domain: String
@@ -115,6 +115,10 @@ type AWSVisibility {
 region: String!
 }
+enum AWSVisibilityResourceType {
+ EKS
+}
+
 type AWSVisibilitySettings {
 isActive: Boolean!
 awsAccountId: String!
@@ -172,7 +176,6 @@ type AccessLogEdge {
 originIntent: Intent!
 dns: String!
 accessStatus: EdgeAccessStatus!
- accessStatuses: EdgeAccessStatuses!
 }
 enum AllowExternalTrafficPolicy {
@@ -301,8 +304,8 @@ input ClientIPConfig {
 }
 type ClientIntentEvent {
- firstTimestamp: Time!
- lastTimestamp: Time!
+ firstTimestamp: Time
+ lastTimestamp: Time
 reportingComponent: String
 count: Int!
 type: String!
@@ -319,8 +322,8 @@ input ClientIntentEventInput {
 annotations: [KeyValueInput!]
 count: Int!
 clientIntentName: String!
- firstTimestamp: Time!
- lastTimestamp: Time!
+ firstTimestamp: Time
+ lastTimestamp: Time
 reportingComponent: String
 reportingInstance: String
 sourceComponent: String
@@ -419,6 +422,7 @@ type ClusterViolation {
 cluster: Cluster!
 reason: String!
 intentsOperatorState: IntentsOperatorState
+ relatedServices: [Service!]
 }
 input Component {
@@ -537,6 +541,12 @@ enum DatabaseVisibilitySource {
 GCP_PUBSUB
 }
+type DetectedCloudServer {
+ cloudProvider: String!
+ cloudService: String!
+ region: String!
+}
+
 input DiscoveredIntentInput {
 discoveredAt: Time!
 intent: IntentInput!
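Review bot: This file is a byte-identical copy of src/shared/otterizecloud/graphqlclient/schema.graphql (both diffs carry the same blob ids `06f0c8bcb..5be8ab5a7`), so every schema sync has to be applied twice and the two copies can silently drift, which matters because the generated client and the telemetry client would then disagree on types such as ExternallyManagedPolicyWorkloadInput. Presumably both are refreshed by the same codegen step; if so, have that step copy one file to the other (or point both generators at a single path) rather than committing the schema twice, and add a CI check that the two files are equal until that is done.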
@@ -558,6 +568,7 @@ enum EdgeAccessStatusReason {
 ALLOWED_BY_APPLIED_INTENTS_KAFKA_OVERLY_PERMISSIVE
 ALLOWED_BY_APPLIED_INTENTS_DATABASE_OVERLY_PERMISSIVE
 ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY
+ WOULD_BE_ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY
 BLOCKED_BY_APPLIED_INTENTS_UNDER_PERMISSIVE
 BLOCKED_BY_APPLIED_INTENTS_RESOURCE_MISMATCH
 BLOCKED_BY_APPLIED_INTENTS_HTTP_UNDER_PERMISSIVE
@@ -583,6 +594,9 @@ enum EdgeAccessStatusReason {
 NO_INTENTS_FOUND_OF_RELEVANT_TYPE
 IGNORED_IN_CALCULATION
 INTERNET_INTENTS_ENFORCEMENT_DISABLED
+ BLOCKED_BY_DEFAULT_DENY_MISSING_EXTERNAL_TRAFFIC_POLICY
+ BLOCKED_BY_APPLIED_INTENTS_MISSING_EXTERNAL_TRAFFIC_POLICY
+ ALLOWED_BY_EXTERNALLY_MANAGED_NETWORK_POLICY
 }
 enum EdgeAccessStatusVerdict {
@@ -671,6 +685,12 @@ input ExternallyAccessibleServiceInput {
 serviceType: KubernetesServiceType!
 }
+input ExternallyManagedPolicyWorkloadInput {
+ name: String!
+ namespace: String!
+ kind: String!
+}
+
 type FeatureFlags {
 isCloudServicesDetectionEnabled: Boolean
 isCloudSecurityEnabled: Boolean
@@ -832,8 +852,8 @@ enum IDFilterOperators {
 }
 type IDFilterValue {
- value: [ID!]!
- operator: IDFilterOperators!
+ include: [ID!]
+ exclude: [ID!]
 }
 enum IPFamily {
@@ -888,6 +908,10 @@ input InputAccessLogFilter {
 featureFlags: InputFeatureFlags
 """ Access log filter """
 pagination: PaginationInput
+""" Access log filter """
+ accessVerdicts: InputIDFilterValue
+""" Access log filter """
+ accessStatusReasons: InputIDFilterValue
 }
 input InputFeatureFlags {
@@ -912,8 +936,8 @@ input InputFindingFilter {
 }
 input InputIDFilterValue {
- value: [ID!]!
- operator: IDFilterOperators!
+ include: [ID!]
+ exclude: [ID!]
 }
 input InputIntegrationAccessGraphFilter {
@@ -934,6 +958,8 @@ input InputResourceInventoryFilter {
 """ Service filter """
 input InputServiceFilter {
+""" Service filter """
+ search: String
 """ Service filter """
 serviceType: InputIDFilterValue
 """ Service filter """
@@ -1144,6 +1170,7 @@ input IntentsOperatorConfigurationInput {
 ingressControllerConfig: [IngressControllerConfigInput!]
 awsALBLoadBalancerExemptionEnabled: Boolean
 allowExternalTrafficPolicy: AllowExternalTrafficPolicy
+ externallyManagedPolicyWorkloads: [ExternallyManagedPolicyWorkloadInput!]
 }
 type IntentsOperatorState {
@@ -1716,6 +1743,10 @@ type Mutation {
 id: ID!
 tags: [String!]
 ): Service!
+"""update service metadata from operator"""
+ reportServiceMetadata(
+ serviceMeta: ReportServiceMetadataInput!
+ ): Boolean!
 """Bulk Update services"""
 addTagsToServices(
 ids: [ID!]!
@@ -1831,6 +1862,11 @@ input PaginationInput {
 limit: Int
 }
+""" Pagination types """
+type PaginationMeta {
+ total: Int
+}
+
 enum PathType {
 IMPLEMENTATION_SPECIFIC
 PREFIX
@@ -1861,6 +1897,7 @@ type Query {
 serviceAccessGraph(
 id: ID!
 ): ServiceAccessGraph!
+""" Get service ClientIntents """
 serviceClientIntents(
 id: ID!
 asServiceId: ID
@@ -1991,12 +2028,21 @@ type Query {
 name: String
 filter: InputServiceFilter
 ): [Service!]!
+"""Paginate services"""
+ paginateServices(
+ filter: InputServiceFilter
+ pagination: PaginationInput
+ ): ServicesResponse!
 """Get service by filters"""
 oneService(
 environmentId: ID
 namespaceId: ID
 name: String
 ): Service
+"""Get service by kubernetes identity"""
+ serviceByIdentity(
+ identity: ServiceIdentityInput!
+ ): Service!
 """List users"""
 users: [User!]!
 """Get user"""
@@ -2021,12 +2067,17 @@ type Regulation {
 enum RegulationCode {
 PCI_4_0
 PCI_4_0_1_1
+ PCI_4_0_1_1_2
 PCI_4_0_1_1_4
+ PCI_4_0_1_1_6
 PCI_4_0_1_2
 PCI_4_0_1_2_1
 PCI_4_0_1_3
 PCI_4_0_1_3_4
 PCI_4_0_1_3_6
+ PCI_4_0_7_1
+ PCI_4_0_7_2
+ PCI_4_0_8_7
 ZERO_TRUST
 ZERO_TRUST_SENSITIVE
 ZERO_TRUST_DEFAULT_DENY
@@ -2042,6 +2093,11 @@ enum RegulationStandard {
 ZERO_TRUST
 }
+input ReportServiceMetadataInput {
+ identity: ServiceIdentityInput!
+ metadata: ServiceMetadataInput!
+}
+
 type Resource {
 id: ID!
 service: Service!
@@ -2142,6 +2198,7 @@ type Service {
 gcpResource: GCPResource
 azureResource: AzureResource
 discoveredByIntegration: Integration
+ detectedCloudServer: DetectedCloudServer
 awsVisibility: AWSVisibility
 databaseIntegration: Integration
 tlsKeyPair: KeyPair!
@@ -2182,11 +2239,21 @@ enum ServiceExternalTrafficPolicy {
 LOCAL
 }
+input ServiceIdentityInput {
+ name: String!
+ namespace: String!
+ kind: String!
+}
+
 enum ServiceInternalTrafficPolicy {
 CLUSTER
 LOCAL
 }
+input ServiceMetadataInput {
+ tags: [String!]
+}
+
 enum ServiceType {
 NODE_GROUP
 PREFIX_GROUP
@@ -2200,6 +2267,7 @@ enum ServiceType {
 DATABASE_USER
 KUBERNETES_LOAD_BALANCER
 AWS_VISIBILITY_EKS
+ DETECTED_CLOUD_SERVER
 }
 type ServiceViolation {
@@ -2208,6 +2276,11 @@ type ServiceViolation {
 violatedCalls: [AccessGraphEdge!]
 }
+type ServicesResponse {
+ data: [Service!]!
+ meta: PaginationMeta
+}
+
 enum SessionAffinity {
 CLIENT_IP
 NONE