The module lifecycle stageExperimental
The module has requirements for installation

The Deckhouse Kubernetes Platform installs CRDs but does not remove them when a module is disabled. If you no longer need the created CRDs, delete them.

ClusterSecurityEventConfig

Scope: Cluster
Version: v1alpha1

  • spec
    object
    Defines which sources are enabled and which destinations they should be shipped to.
    • spec.defaultSeverityThreshold
      string

      Required value

      Minimal severity to ship (inclusive).

      Allowed values: Low, Medium, High, Critical

    • spec.destinations
      array of strings

      Required value

      List of ClusterSecurityEventDestination names.
    • spec.enabledSources
      array of strings

      If set, only these sources are enabled. If omitted, all sources are enabled. Expected format:

      • clusterSecurityEventShipper//<source>
      • podSecurityEventShipper/<namespace>//<source>
      • spec.enabledSources.Element of the array
        string

        Pattern: ^(clusterSecurityEventShipper/[^/]+/[^/]+|podSecurityEventShipper/[^/]+/[^/]+/[^/]+)$

    • spec.enabledSourcesMasks
      array of strings

      If set, only sources matching these glob-style masks are enabled. If omitted, all sources are enabled. Masks use ‘*’ to match any substring (including ‘/’). You must set either enabledSources or enabledSourcesMasks, but not both. Expected format:

      • clusterSecurityEventShipper//<source>
      • podSecurityEventShipper/<namespace>//<source> Examples:
      • podSecurityEventShipper/*
      • clusterSecurityEventShipper/kube-audit/*
      • spec.enabledSourcesMasks.Element of the array
        string

        Pattern: ^(clusterSecurityEventShipper/.+|podSecurityEventShipper/.+)$

  • status
    object
    Current status of this resource.
    • status.conditions
      array of objects
      Represents the latest available observations of an object’s state.
      • status.conditions.lastTransitionTime
        string
      • status.conditions.message
        string

        Maximum length: 32768

      • status.conditions.observedGeneration
        integer
      • status.conditions.reason
        string

        Length: 1..1024

      • status.conditions.status
        string

        Allowed values: True, False, Unknown

      • status.conditions.type
        string

        Maximum length: 316

    • status.observedGeneration
      integer
      The generation observed by the controller.

ClusterSecurityEventDestination

Scope: Cluster
Version: v1alpha1

  • spec
    object
    Describes where to send security events. Fields are designed to be translated to deckhouse.io/log-shipper ClusterLogDestination.
    • spec.console
      object
      • spec.console.target
        string

        Default: Stdout

        Allowed values: Stdout, Stderr

    • spec.elasticsearch
      object
      • spec.elasticsearch.auth
        object
        • spec.elasticsearch.auth.password
          string
        • spec.elasticsearch.auth.strategy
          string

          Default: None

          Allowed values: None, Bearer, Basic

        • spec.elasticsearch.auth.token
          string
        • spec.elasticsearch.auth.username
          string
      • spec.elasticsearch.endpoint
        string

        Required value

      • spec.elasticsearch.index
        string
      • spec.elasticsearch.tls
        object
        • spec.elasticsearch.tls.ca
          string
          Base64-encoded PEM with the CA certificate chain used to verify the destination server certificate.
        • spec.elasticsearch.tls.verifyCertificate
          boolean

          Default: true

        • spec.elasticsearch.tls.verifyHostname
          boolean

          Default: true

    • spec.file
      object
      • spec.file.path
        string

        Required value

    • spec.kafka
      object
      • spec.kafka.brokers
        array of strings

        Required value

      • spec.kafka.sasl
        object
        • spec.kafka.sasl.mechanism
          string

          Allowed values: Plain, SCRAM-SHA-256, SCRAM-SHA-512

        • spec.kafka.sasl.password
          string
        • spec.kafka.sasl.username
          string
      • spec.kafka.tls
        object
        • spec.kafka.tls.ca
          string
          Base64-encoded PEM with the CA certificate chain used to verify the destination server certificate.
        • spec.kafka.tls.verifyCertificate
          boolean

          Default: true

        • spec.kafka.tls.verifyHostname
          boolean

          Default: true

      • spec.kafka.topic
        string

        Required value

    • spec.loki
      object
      • spec.loki.auth
        object
        • spec.loki.auth.password
          string
        • spec.loki.auth.strategy
          string

          Default: None

          Allowed values: None, Bearer, Basic

        • spec.loki.auth.token
          string
        • spec.loki.auth.username
          string
      • spec.loki.endpoint
        string

        Required value

      • spec.loki.tls
        object
        • spec.loki.tls.ca
          string
          Base64-encoded PEM with the CA certificate chain used to verify the destination server certificate.
        • spec.loki.tls.verifyCertificate
          boolean

          Default: true

        • spec.loki.tls.verifyHostname
          boolean

          Default: true

    • spec.splunkHEC
      object
      • spec.splunkHEC.endpoint
        string

        Required value

      • spec.splunkHEC.tls
        object
        • spec.splunkHEC.tls.ca
          string
          Base64-encoded PEM with the CA certificate chain used to verify the destination server certificate.
        • spec.splunkHEC.tls.verifyCertificate
          boolean

          Default: true

        • spec.splunkHEC.tls.verifyHostname
          boolean

          Default: true

      • spec.splunkHEC.token
        string

        Required value

    • spec.type
      string

      Required value

      Allowed values: Loki, Elasticsearch, Kafka, SplunkHEC, File, Console, Vector

    • spec.vector
      object
      • spec.vector.endpoint
        string

        Required value

      • spec.vector.tls
        object
        • spec.vector.tls.ca
          string
          Base64-encoded PEM with the CA certificate chain used to verify the destination server certificate.
        • spec.vector.tls.verifyCertificate
          boolean

          Default: true

        • spec.vector.tls.verifyHostname
          boolean

          Default: true

ClusterSecurityEventLoggingTransformationRules

Scope: Cluster
Version: v1alpha1

  • spec
    object

    Cluster-wide rules to transform raw log lines into structured objects (Vector events) before further processing.

    Namespaced SecurityEventLoggingTransformationRules (SELTR) take precedence over these rules when both match the same pod/container.

    • spec.file
      object

      Selection + shared transform for node file logs. Required when type is File.

      File match is performed against the Vector event field .file.

      • spec.file.paths
        array of strings

        Required value

        Exact file paths to match.
      • spec.file.transform
        object

        Required value

        Shared transformation applied to every matched file log line.
        • spec.file.transform.drop_raw
          boolean

          Default: false

        • spec.file.transform.fields
          array of objects
          • spec.file.transform.fields.name
            string
            Field name in the parsed object.
          • spec.file.transform.fields.type
            string
            Target field type.

            Allowed values: String, Int, Float, Bool

        • spec.file.transform.parser
          object

          Required value

          Parser configuration (defines how to unpack the original log line).

          Semantics:

          • parsing is best-effort (errors/mismatches do not drop events)
          • first successful pattern wins (for Regex/Grok)
          • named captures are written into .parsed_data
          • spec.file.transform.parser.grok
            object
            Grok parser configuration. Named fields are saved into .parsed_data.
            • spec.file.transform.parser.grok.customPatterns
              array of objects
              Custom grok pattern definitions (name -> regex). These are added to the built-in grok patterns.
              • spec.file.transform.parser.grok.customPatterns.key
                string
              • spec.file.transform.parser.grok.customPatterns.value
                string
            • spec.file.transform.parser.grok.patterns
              array of strings

              Required value

              Grok patterns to try in order. The first successfully matched pattern wins.
          • spec.file.transform.parser.regex
            object
            Regex parser configuration. Only named capture groups are saved into .parsed_data.
            • spec.file.transform.parser.regex.patterns
              array of strings

              Required value

              Regex patterns to try in order. The first successfully matched pattern wins.
          • spec.file.transform.parser.type
            string

            Required value

            Parser type.

            • JSON: parse the original log line as JSON (parse_json()).
            • Regex: apply regex patterns and extract named capture groups.
            • Grok: apply grok patterns and extract named fields.

            Allowed values: JSON, Regex, Grok

    • spec.kubernetesPods
      object
      Selection + per-container transforms for Kubernetes pod logs. Required when type is KubernetesPods.
      • spec.kubernetesPods.containers
        array of objects

        Required value

        Per-container transformation rules.
        • spec.kubernetesPods.containers.drop_raw
          boolean
          If true, removes the original raw message field after parsing.

          Default: false

        • spec.kubernetesPods.containers.fields
          array of objects
          Optional field type conversions applied after parsing. Useful to enforce stable types for sinks (Elasticsearch/ClickHouse/etc.).
          • spec.kubernetesPods.containers.fields.name
            string
            Field name in the parsed object.
          • spec.kubernetesPods.containers.fields.type
            string
            Target field type.

            Allowed values: String, Int, Float, Bool

        • spec.kubernetesPods.containers.name
          string
          Container name to apply this transformation to.
        • spec.kubernetesPods.containers.parser
          object

          Parser configuration (defines how to unpack the original log line).

          Semantics:

          • parsing is best-effort (errors/mismatches do not drop events)
          • first successful pattern wins (for Regex/Grok)
          • named captures are written into .parsed_data
          • spec.kubernetesPods.containers.parser.grok
            object
            Grok parser configuration. Named fields are saved into .parsed_data.
            • spec.kubernetesPods.containers.parser.grok.customPatterns
              array of objects
              Custom grok pattern definitions (name -> regex). These are added to the built-in grok patterns.
              • spec.kubernetesPods.containers.parser.grok.customPatterns.key
                string
              • spec.kubernetesPods.containers.parser.grok.customPatterns.value
                string
            • spec.kubernetesPods.containers.parser.grok.patterns
              array of strings

              Required value

              Grok patterns to try in order. The first successfully matched pattern wins.
          • spec.kubernetesPods.containers.parser.regex
            object
            Regex parser configuration. Only named capture groups are saved into .parsed_data.
            • spec.kubernetesPods.containers.parser.regex.patterns
              array of strings

              Required value

              Regex patterns to try in order. The first successfully matched pattern wins.
          • spec.kubernetesPods.containers.parser.type
            string

            Required value

            Parser type.

            • JSON: parse the original log line as JSON (parse_json()).
            • Regex: apply regex patterns and extract named capture groups.
            • Grok: apply grok patterns and extract named fields.

            Allowed values: JSON, Regex, Grok

      • spec.kubernetesPods.labelSelector
        object

        Required value

        Pod label selector.
        • spec.kubernetesPods.labelSelector.matchExpressions
          array of objects
          List of label selector requirements.
          • spec.kubernetesPods.labelSelector.matchExpressions.key
            string
          • spec.kubernetesPods.labelSelector.matchExpressions.operator
            string

            Allowed values: In, NotIn, Exists, DoesNotExist

          • spec.kubernetesPods.labelSelector.matchExpressions.values
            array of strings
        • spec.kubernetesPods.labelSelector.matchLabels
          object
          Map of label key to value.
      • spec.kubernetesPods.namespaceSelector
        object
        Namespace selection (subset of ClusterLoggingConfig). Only matchNames/excludeNames are supported.
        • spec.kubernetesPods.namespaceSelector.excludeNames
          array of strings
        • spec.kubernetesPods.namespaceSelector.matchNames
          array of strings
    • spec.type
      string

      Required value

      Input type the rules apply to. KubernetesPods — match pod/container logs. File — match node file logs.

      Allowed values: KubernetesPods, File

  • status
    object
    Current status of this resource.
    • status.conditions
      array of objects
      Represents the latest available observations of an object’s state.
      • status.conditions.lastTransitionTime
        string
      • status.conditions.message
        string

        Maximum length: 32768

      • status.conditions.observedGeneration
        integer
      • status.conditions.reason
        string

        Length: 1..1024

      • status.conditions.status
        string

        Allowed values: True, False, Unknown

      • status.conditions.type
        string

        Maximum length: 316

    • status.observedGeneration
      integer
      The generation observed by the controller.

ClusterSecurityEventShipper

Scope: Cluster
Version: v1alpha1

  • spec
    array of objects
    Cluster-wide pipelines for extracting security events from node files or pod logs. Each pipeline item describes the source and one or more event definitions (produces).
    • spec.input
      object
      • spec.input.files
        array of strings
        Node file paths (required for type File).
      • spec.input.kubernetesPods
        object
        Pod selection for cluster-wide collection.
        • spec.input.kubernetesPods.labelSelector
          object

          Required value

          Kubernetes-style label selector.
          • spec.input.kubernetesPods.labelSelector.matchExpressions
            array of objects
            List of label selector requirements.
            • spec.input.kubernetesPods.labelSelector.matchExpressions.key
              string
            • spec.input.kubernetesPods.labelSelector.matchExpressions.operator
              string

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.input.kubernetesPods.labelSelector.matchExpressions.values
              array of strings
          • spec.input.kubernetesPods.labelSelector.matchLabels
            object
            Map of label key to value.
        • spec.input.kubernetesPods.namespace
          string
          Namespace to collect pod logs from (legacy exact namespace match).
        • spec.input.kubernetesPods.namespaceSelector
          object

          Namespace selector for cluster pod log collection.

          • If matchNames is set, only these namespaces are included.
          • If excludeNames is set, these namespaces are excluded.
          • If both are empty, all namespaces are matched.
          • spec.input.kubernetesPods.namespaceSelector.excludeNames
            array of strings
            Explicitly excluded namespace names.
          • spec.input.kubernetesPods.namespaceSelector.matchNames
            array of strings
            Explicitly included namespace names.
      • spec.input.type
        string

        Required value

        File — read from node files. KubernetesPods — read from pod logs (cluster-wide; labelSelector required; namespace or namespaceSelector optional).

        Allowed values: File, KubernetesPods

    • spec.parser
      array of objects

      Parser rules for best-effort parsing of raw log line .message into .parsed_data.

      • For input.type: KubernetesPods: this repeats SecurityEventLoggingTransformationRules.spec.containers[]. Match is performed by .namespace + .container + .pod_labels.
      • For input.type: File: set name: file and the rule will be applied when .file matches one of input.files.

      Container selection happens on the log-shipper side via labelFilter.

      • spec.parser.drop_raw
        boolean
        If true, removes the original raw message field after parsing.

        Default: false

      • spec.parser.fields
        array of objects
        Optional field type conversions applied after parsing.
        • spec.parser.fields.name
          string
          Field name in the parsed object.
        • spec.parser.fields.type
          string
          Target field type.

          Allowed values: String, Int, Float, Bool

      • spec.parser.name
        string
        Container name (or file for file input).
      • spec.parser.parser
        object
        Parser configuration.
        • spec.parser.parser.grok
          object
          • spec.parser.parser.grok.customPatterns
            array of objects
            • spec.parser.parser.grok.customPatterns.key
              string
            • spec.parser.parser.grok.customPatterns.value
              string
          • spec.parser.parser.grok.patterns
            array of strings

            Required value

        • spec.parser.parser.regex
          object
          • spec.parser.parser.regex.patterns
            array of strings

            Required value

        • spec.parser.parser.type
          string

          Required value

          Parser type.

          Allowed values: JSON, Regex, Grok

    • spec.parserRef
      string

      Name of ClusterSecurityEventLoggingTransformationRules (CSELTR) object to use as parser rule source.

      Used only when parser is not set.

    • spec.produces
      array of objects
      List of produced security events for this source.
      • spec.produces.enrich
        array of objects

        Enrichment rules for adding extra fields into outgoing SecurityEvent.

        Each rule writes into a destination field path (target). Sources:

        • Static: write a literal string from value.
        • Plugin: reserved for future (CSV/REST/K8s lookups).

        Enrich rules are applied after transform, so they override transform when targeting the same field.

        • spec.produces.enrich.args
          array of objects
          Plugin arguments. Values may reference .parsed_data.* and/or current SecurityEvent fields. Reserved for future.
          • spec.produces.enrich.args.key
            string
          • spec.produces.enrich.args.value
            string
        • spec.produces.enrich.plugin
          string
          Plugin name (required for source=Plugin).
        • spec.produces.enrich.source
          string
          Enrichment source type.

          Allowed values: Static, Plugin

        • spec.produces.enrich.target
          string
          Destination field path in outgoing SecurityEvent (dot-separated).
        • spec.produces.enrich.value
          string

          For Static source: literal string to be written to target.

          For Plugin source: selector of a field in plugin result (reserved for future).

      • spec.produces.eventCode
        string
        Event code (references SecurityEventDefinition.spec.code).
      • spec.produces.extract
        object

        Detection rule for this produced event.

        This structure maps 1:1 into log-shipper ClusterLoggingConfig.spec.labelFilter item.

        Notes:

        • values is required for In, NotIn, Regex, NotRegex.
        • values must be omitted/empty for Exists, DoesNotExist.

        Allowed field values are message plus log-shipper metadata labels. Kubernetes: pod, namespace, pod_labels, pod_ip, image, container, node, pod_owner, node_group. File: host, host_ip, file.

        • spec.produces.extract.field
          string

          Required value

          Field name for filtering (same as ClusterLoggingConfig labelFilter.field). Typical values: message, file, namespace.
        • spec.produces.extract.operator
          string

          Required value

          Operator for field comparison (same as ClusterLoggingConfig labelFilter.operator).

          Allowed values: In, NotIn, Regex, NotRegex, Exists, DoesNotExist

        • spec.produces.extract.values
          array of strings
          Array of values or regexes for corresponding operations (same as ClusterLoggingConfig labelFilter.values).
      • spec.produces.transform
        array of objects

        Field mapping for transforming parsed raw logs into outgoing SecurityEvent.

        Keys are destination field paths in the outgoing event (dot-separated). Values are source field paths inside the parsed raw object (dot-separated, relative to .parsed_data). To read from root-level fields, use the @root. prefix (for example: metadata.extra.host_ip: @root.host_ip).

        Example: pod.name: pod_name will copy .parsed_data.pod_name into .pod.name.

        • spec.produces.transform.key
          string
        • spec.produces.transform.value
          string
    • spec.producesDefaults
      object

      Default mappings applied to all items in produces[] of this pipeline item.

      Precedence:

      • transform: keys are merged; defaults first, then produces[].transform overwrites.
      • enrich: used only when produces[].enrich is omitted.
      • spec.producesDefaults.enrich
        array of objects
        Default enrich rules (see produces[].enrich).
        • spec.producesDefaults.enrich.args
          array of objects
          Plugin arguments. Values may reference .parsed_data.* and/or current SecurityEvent fields. Reserved for future.
          • spec.producesDefaults.enrich.args.key
            string
          • spec.producesDefaults.enrich.args.value
            string
        • spec.producesDefaults.enrich.plugin
          string
          Plugin name (required for source=Plugin).
        • spec.producesDefaults.enrich.source
          string
          Enrichment source type.

          Allowed values: Static, Plugin

        • spec.producesDefaults.enrich.target
          string
          Destination field path in outgoing SecurityEvent (dot-separated).
        • spec.producesDefaults.enrich.value
          string

          For Static source: literal string to be written to target.

          For Plugin source: selector of a field in plugin result (reserved for future).

      • spec.producesDefaults.transform
        array of objects
        Default field mapping (see produces[].transform).
        • spec.producesDefaults.transform.key
          string
        • spec.producesDefaults.transform.value
          string
    • spec.source
      string
      Source identifier (used for enable/disable via ClusterSecurityEventConfig).
  • status
    object
    Current status of this resource.
    • status.conditions
      array of objects
      Represents the latest available observations of an object’s state.
      • status.conditions.lastTransitionTime
        string
      • status.conditions.message
        string

        Maximum length: 32768

      • status.conditions.observedGeneration
        integer
      • status.conditions.reason
        string

        Length: 1..1024

      • status.conditions.status
        string

        Allowed values: True, False, Unknown

      • status.conditions.type
        string

        Maximum length: 316

    • status.observedGeneration
      integer
      The generation observed by the controller.

PodSecurityEventShipper

Scope: Namespaced
Version: v1alpha1

  • spec
    array of objects
    Namespaced pipelines for extracting security events from pod logs of this namespace. Namespace is implied and equals the PodSecurityEventShipper namespace.
    • spec.input
      object
      • spec.input.kubernetesPods
        object

        Required value

        • spec.input.kubernetesPods.labelSelector
          object

          Required value

          Kubernetes-style label selector.
          • spec.input.kubernetesPods.labelSelector.matchExpressions
            array of objects
            List of label selector requirements.
            • spec.input.kubernetesPods.labelSelector.matchExpressions.key
              string
            • spec.input.kubernetesPods.labelSelector.matchExpressions.operator
              string

              Allowed values: In, NotIn, Exists, DoesNotExist

            • spec.input.kubernetesPods.labelSelector.matchExpressions.values
              array of strings
          • spec.input.kubernetesPods.labelSelector.matchLabels
            object
            Map of label key to value.
      • spec.input.type
        string

        Required value

        Allowed values: KubernetesPods

    • spec.parser
      array of objects
      Parser rules (same shape as SecurityEventLoggingTransformationRules.spec.containers[]). Used by the gateway for best-effort parsing of raw logs .message into .parsed_data before applying transform mappings. Note: container is selected by log-shipper via labelFilter; name is the container name these rules apply to.
      • spec.parser.drop_raw
        boolean
        If true, removes the original raw message field after parsing.

        Default: false

      • spec.parser.fields
        array of objects
        Optional field type conversions applied after parsing.
        • spec.parser.fields.name
          string
          Field name in the parsed object.
        • spec.parser.fields.type
          string
          Target field type.

          Allowed values: String, Int, Float, Bool

      • spec.parser.name
        string
        Container name.
      • spec.parser.parser
        object
        Parser configuration.
        • spec.parser.parser.grok
          object
          Grok parser configuration.
          • spec.parser.parser.grok.customPatterns
            array of objects
            Custom grok pattern definitions (name -> regex).
            • spec.parser.parser.grok.customPatterns.key
              string
            • spec.parser.parser.grok.customPatterns.value
              string
          • spec.parser.parser.grok.patterns
            array of strings

            Required value

            Grok patterns to try in order.
        • spec.parser.parser.regex
          object
          Regex parser configuration.
          • spec.parser.parser.regex.patterns
            array of strings

            Required value

            Regex patterns to try in order.
        • spec.parser.parser.type
          string

          Required value

          Parser type.

          • JSON: parse the original log line as JSON.
          • Regex: apply regex patterns and extract named capture groups.
          • Grok: apply grok patterns and extract named fields.

          Allowed values: JSON, Regex, Grok

    • spec.parserRef
      string
      Name of SecurityEventLoggingTransformationRules (SELTR) resource in the same namespace to use as parser rules. Used only when parser is not set.
    • spec.produces
      array of objects
      List of produced security events for this source.
      • spec.produces.enrich
        array of objects

        Enrichment rules for adding extra fields into outgoing SecurityEvent.

        Each rule writes into a destination field path (target). Sources:

        • Static: write a literal string from value.
        • Plugin: reserved for future (CSV/REST/K8s lookups).

        Enrich rules are applied after transform, so they override transform when targeting the same field.

        • spec.produces.enrich.args
          array of objects
          Plugin arguments. Values may reference .parsed_data.* and/or current SecurityEvent fields. Reserved for future.
          • spec.produces.enrich.args.key
            string
          • spec.produces.enrich.args.value
            string
        • spec.produces.enrich.plugin
          string
          Plugin name (required for source=Plugin).
        • spec.produces.enrich.source
          string
          Enrichment source type.

          Allowed values: Static, Plugin

        • spec.produces.enrich.target
          string
          Destination field path in outgoing SecurityEvent (dot-separated).
        • spec.produces.enrich.value
          string

          For Static source: literal string to be written to target.

          For Plugin source: selector of a field in plugin result (reserved for future).

      • spec.produces.eventCode
        string
        Event code (references SecurityEventDefinition.spec.code).
      • spec.produces.extract
        object

        Detection rule for this produced event.

        This structure maps 1:1 into log-shipper PodLoggingConfig.spec.labelFilter item.

        Notes:

        • values is required for In, NotIn, Regex, NotRegex.
        • values must be omitted/empty for Exists, DoesNotExist.

        Allowed field values are message plus log-shipper metadata labels. Kubernetes: pod, namespace, pod_labels, pod_ip, image, container, node, pod_owner, node_group. File: host, host_ip, file.

        • spec.produces.extract.field
          string

          Required value

          Field name for filtering (same as PodLoggingConfig labelFilter.field). Typical values: message, container, namespace.
        • spec.produces.extract.operator
          string

          Required value

          Operator for field comparison (same as PodLoggingConfig labelFilter.operator).

          Allowed values: In, NotIn, Regex, NotRegex, Exists, DoesNotExist

        • spec.produces.extract.values
          array of strings
          Array of values or regexes for corresponding operations (same as PodLoggingConfig labelFilter.values).
      • spec.produces.transform
        array of objects

        Field mapping for transforming parsed raw logs into outgoing SecurityEvent.

        Keys are destination field paths in the outgoing event (dot-separated). Values are source field paths inside the parsed raw object (dot-separated, relative to .parsed_data). To read from root-level fields, use the @root. prefix (for example: metadata.extra.host_ip: @root.host_ip).

        Example: pod.name: pod_name will copy .parsed_data.pod_name into .pod.name.

        • spec.produces.transform.key
          string
        • spec.produces.transform.value
          string
    • spec.producesDefaults
      object

      Default mappings applied to all items in produces[] of this pipeline item.

      Precedence:

      • transform: keys are merged; defaults first, then produces[].transform overwrites.
      • enrich: used only when produces[].enrich is omitted.
      • spec.producesDefaults.enrich
        array of objects
        Default enrich rules (see produces[].enrich).
        • spec.producesDefaults.enrich.args
          array of objects
          Plugin arguments. Values may reference .parsed_data.* and/or current SecurityEvent fields. Reserved for future.
          • spec.producesDefaults.enrich.args.key
            string
          • spec.producesDefaults.enrich.args.value
            string
        • spec.producesDefaults.enrich.plugin
          string
          Plugin name (required for source=Plugin).
        • spec.producesDefaults.enrich.source
          string
          Enrichment source type.

          Allowed values: Static, Plugin

        • spec.producesDefaults.enrich.target
          string
          Destination field path in outgoing SecurityEvent (dot-separated).
        • spec.producesDefaults.enrich.value
          string

          For Static source: literal string to be written to target.

          For Plugin source: selector of a field in plugin result (reserved for future).

      • spec.producesDefaults.transform
        array of objects
        Default field mapping (see produces[].transform).
        • spec.producesDefaults.transform.key
          string
        • spec.producesDefaults.transform.value
          string
    • spec.source
      string
      Source identifier (used for enable/disable via ClusterSecurityEventConfig).
  • status
    object
    Current status of this resource.
    • status.conditions
      array of objects
      Represents the latest available observations of an object’s state.
      • status.conditions.lastTransitionTime
        string
      • status.conditions.message
        string

        Maximum length: 32768

      • status.conditions.observedGeneration
        integer
      • status.conditions.reason
        string

        Length: 1..1024

      • status.conditions.status
        string

        Allowed values: True, False, Unknown

      • status.conditions.type
        string

        Maximum length: 316

    • status.observedGeneration
      integer
      The generation observed by the controller.

SecurityEvent

Scope: Cluster
Version: v1

  • actor
    object
    Actor (subject) that performed the action.
    • actor.id
      string
      Actor identifier.
    • actor.type
      string
      Actor type.

      Allowed values: User, ServiceAccount, System

  • event
    object
    Event classification and details.
    • event.category
      string

      Required value

      Event category.

      Allowed values: Auth, Rbac, Runtime, Network, Config

    • event.code
      string

      Required value

      Event code.
    • event.description
      string
      Human-readable event description.
    • event.outcome
      string

      Required value

      Event outcome.

      Allowed values: Success, Failure, Denied

    • event.severity
      string

      Required value

      Event severity.

      Allowed values: Low, Medium, High, Critical

  • eventMetadata
    object
    Additional metadata.
    • eventMetadata.cluster
      string

      Required value

      Cluster identifier.
    • eventMetadata.extra
      array of objects
      Extra key-value metadata.
      • eventMetadata.extra.key
        string
      • eventMetadata.extra.value
        string
    • eventMetadata.node
      string
      Node name.
  • id
    string
    Unique event identifier.
  • object
    object
    Object the event is related to.
    • object.name
      string
      Object name.
    • object.namespace
      string
      Object namespace.
    • object.type
      string
      Object type.
  • source
    object
    Source identification for the event.
    • source.component
      string

      Required value

      Component name (e.g. kube-apiserver).
    • source.instance
      string
      Optional instance identifier.
  • timestamp
    string
    Event timestamp.

SecurityEventDefinition

Scope: Cluster
Version: v1alpha1

  • spec
    object
    Describes a possible security event.
    • spec.category
      string

      Required value

      Event category.

      Allowed values: Auth, Rbac, Runtime, Network, Config

    • spec.code
      string

      Required value

      Event code.
    • spec.description
      string

      Required value

      Human-readable description.
    • spec.descriptionRu
      string
      Human-readable description in Russian.
    • spec.fields
      array of objects
      List of fields that the event may contain.
      • spec.fields.name
        string
        Field name.
      • spec.fields.required
        boolean
        Whether the field is required.

        Default: true

    • spec.metadata
      object
      Metadata related to the rule
    • spec.severity
      string

      Required value

      Event severity.

      Allowed values: Low, Medium, High, Critical

    • spec.source
      string

      Required value

      Source identifier.
  • status
    object
    Current status of this resource.
    • status.conditions
      array of objects
      Represents the latest available observations of an object’s state.
      • status.conditions.lastTransitionTime
        string
      • status.conditions.message
        string

        Maximum length: 32768

      • status.conditions.observedGeneration
        integer
      • status.conditions.reason
        string

        Length: 1..1024

      • status.conditions.status
        string

        Allowed values: True, False, Unknown

      • status.conditions.type
        string

        Maximum length: 316

    • status.observedGeneration
      integer
      The generation observed by the controller.

SecurityEventLoggingTransformationRules

Scope: Namespaced
Version: v1alpha1

  • spec
    object
    Namespaced rules to transform raw log lines into structured objects (Vector events) before further processing.
    • spec.containers
      array of objects

      Required value

      Per-container transformation rules.
      • spec.containers.drop_raw
        boolean
        If true, removes the original raw message field after parsing.

        Default: false

      • spec.containers.fields
        array of objects
        Optional field type conversions applied after parsing. Useful to enforce stable types for sinks (Elasticsearch/ClickHouse/etc.).
        • spec.containers.fields.name
          string
          Field name in the parsed object.
        • spec.containers.fields.type
          string
          Target field type.

          Allowed values: String, Int, Float, Bool

      • spec.containers.name
        string
        Container name to apply this transformation to.
      • spec.containers.parser
        object

        Parser configuration (defines how to unpack the original log line).

        Semantics:

        • parsing is best-effort (errors/mismatches do not drop events)
        • first successful pattern wins (for Regex/Grok)
        • named captures are written into .parsed_data
        • spec.containers.parser.grok
          object
          Grok parser configuration. Named fields are saved into .parsed_data.
          • spec.containers.parser.grok.customPatterns
            array of objects
            Custom grok pattern definitions (name -> regex). These are added to the built-in grok patterns.
            • spec.containers.parser.grok.customPatterns.key
              string
            • spec.containers.parser.grok.customPatterns.value
              string
          • spec.containers.parser.grok.patterns
            array of strings

            Required value

            Grok patterns to try in order. The first successfully matched pattern wins.
        • spec.containers.parser.regex
          object
          Regex parser configuration. Only named capture groups are saved into .parsed_data.
          • spec.containers.parser.regex.patterns
            array of strings

            Required value

            Regex patterns to try in order. The first successfully matched pattern wins.
        • spec.containers.parser.type
          string

          Required value

          Parser type.

          • JSON: parse the original log line as JSON (parse_json()).
          • Regex: apply regex patterns and extract named capture groups.
          • Grok: apply grok patterns and extract named fields.

          Allowed values: JSON, Regex, Grok

    • spec.selector
      object

      Required value

      Pod label selector.
      • spec.selector.matchExpressions
        array of objects
        List of label selector requirements.
        • spec.selector.matchExpressions.key
          string
        • spec.selector.matchExpressions.operator
          string

          Allowed values: In, NotIn, Exists, DoesNotExist

        • spec.selector.matchExpressions.values
          array of strings
      • spec.selector.matchLabels
        object
        Map of label key to value.
  • status
    object
    Current status of this resource.
    • status.conditions
      array of objects
      Represents the latest available observations of an object’s state.
      • status.conditions.lastTransitionTime
        string
      • status.conditions.message
        string

        Maximum length: 32768

      • status.conditions.observedGeneration
        integer
      • status.conditions.reason
        string

        Length: 1..1024

      • status.conditions.status
        string

        Allowed values: True, False, Unknown

      • status.conditions.type
        string

        Maximum length: 316

    • status.observedGeneration
      integer
      The generation observed by the controller.