
Illumio Core What's New and Release Notes 25.2.10, 25.2.11

New and Changed APIs in 25.2.10

This topic lists the new and updated REST APIs in 25.2.10.

New APIs in 25.2.10

sec_policy_policy_check_get

This API is used to get all sec_rules, deny_rules, and override_deny_rules that match the given parameters. It was created to extend the response of the original allow endpoint while preserving compatibility with existing tools.

The request format is as follows:

GET api/v2/orgs/:xorg_id/sec_policy/:pversion/policy_check?<params>;

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "required": [
    "sec_rules",
    "deny_rules",
    "override_deny_rules"
  ],
  "properties": {
    "sec_rules": {
      "description": "Array of allow rules",
      "type": "array",
      "items": {
        "allOf": [
          {
            "$ref": "../common/sec_rules_get.schema.json"
          },
          {
            "rule_set": {
              "$ref": "../common/rule_set.schema.json"
            }
          }
        ]
      }
    },
    "deny_rules": {
      "description": "Array of deny rules",
      "type": "array",
      "items": {
        "allOf": [
          {
            "$ref": "../common/deny_rules_get.schema.json"
          },
          {
            "rule_set": {
              "$ref": "../common/rule_set.schema.json"
            }
          }
        ]
      }
    },
    "override_deny_rules": {
      "description": "Array of override deny rules",
      "type": "array",
      "items": {
        "allOf": [
          {
            "$ref": "../common/deny_rules_get.schema.json"
          },
          {
            "rule_set": {
              "$ref": "../common/rule_set.schema.json"
            }
          }
        ]
      }
    }
  }
}

vens_remote_action_put

The new schema vens_remote_action_put is sent by a user to execute a remote action on a VEN. Users authorized to use this method are global administrators, global organization owners, and workload managers.

The required properties include:

  • action, which specifies the remote action type

  • vens, an array of the VENs to restart

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "additionalProperties": false,
  "required": [
    "action",
    "vens"
  ],
  "properties": {
    "action": {
      "description": "Remote action type",
      "type": "string",
      "enum": [
        "restart"
      ]
    },
    "vens": {
      "description": "An array of VENs to restart",
      "type": "array",
      "minItems": 1,
      "maxItems": 1,
      "items": {
        "type": "object",
        "additionalProperties": false,
        "required": [
          "href"
        ],
        "properties": {
          "href": {
            "description": "VEN URI",
            "type": "string"
          }
        }
      }
    }
  }
}

New Common Schemas

  • common deny_rule_actor: The Enforcement Boundary Actor schema describes the actors as workloads and defines the exclusions.

    {
      "$schema": "http://json-schema.org/draft-04/schema#",
      "description": "Enforcement boundary actor",
      "type": "array",
      "minItems": 1,
      "items": {
        "type": "object",
        "additionalProperties": false,
        "properties": {
          "actors": {
            "description": "Rule actors are all workloads ('ams')",
            "type": "string",
            "enum": ["ams"]
          },
          "exclusion": {
            "description": "Boolean to specify whether or not the actor is an exclusion - only for labels and label groups",
            "type": "boolean",
            "expose_to": ["end_user_experimental"],
            "default": false
          },
          "label": {
            "$ref": "href_object.schema.json"
          },
          "label_group": {
            "$ref": "href_object.schema.json"
          },
          "ip_list": {
            "$ref": "href_object.schema.json"
          },
          "workload": {
            "expose_to": ["end_user_private_perm"],
            "$ref": "href_object.schema.json"
          }
        }
      }
    }
  • common deny_rules_get: For deny_rules, this gets the timestamps when the Enforcement Boundary was created, updated, and deleted. It also defines the users who originally created, updated, and deleted the boundary.

    {
      "$schema": "http://json-schema.org/draft-04/schema#",
      "description": "Enforcement boundary",
      "type": "object",
      "required": ["href", "providers", "consumers", "ingress_services"],
      "expose_to": ["end_user_private_perm"],
      "_comment": "Don't set additionalProperties:false here as it collides with usage in allOf, set that in the schema that references this one instead.",
      "properties": {
        "created_at": {
          "description": "Timestamp when this Enforcement Boundary was first created",
          "type": "string",
          "format": "date-time"
        },
        "updated_at": {
          "description": "Timestamp when this Enforcement Boundary was last updated",
          "type": "string",
          "format": "date-time"
        },
        "deleted_at": {
          "description": "Timestamp when this Enforcement Boundary was deleted",
          "type": ["string", "null"],
          "format": "date-time"
        },
        "created_by": {
          "type": ["object", "null"],
          "required": ["href"],
          "properties": {
            "href": {
              "description": "User who originally created this Enforcement Boundary",
              "type": "string"
            }
          }
        },
        "updated_by": {
          "type": ["object", "null"],
          "required": ["href"],
          "properties": {
            "href": {
              "description": "User who last updated this Enforcement Boundary",
              "type": "string"
            }
          }
        },
        "deleted_by": {
          "type": ["object", "null"],
          "required": ["href"],
          "properties": {
            "href": {
              "description": "User who deleted this Enforcement Boundary",
              "type": "string"
            }
          }
        },
        "update_type": {
          "$ref": "../common/sec_policy_update_type.schema.json"
        },
        "href": {
          "description": "The job URI.",
          "type": "string"
        },
        "providers": { "$ref": "deny_rule_actor.schema.json" },
        "consumers": { "$ref": "deny_rule_actor.schema.json" },
        "ingress_services": {
          "$ref": "sec_rule_ingress_services.schema.json"
        },
        "egress_services": {
          "$ref": "sec_rule_egress_services.schema.json"
        },
        "caps": {
          "$ref": "../common/entity_caps.schema.json"
        },
        "enabled": {
          "description": "Enabled flag",
          "type": "boolean"
        },
        "description": {
          "description": "Description",
          "type": ["string", "null"]
        },
        "network_type": {
          "$ref": "../common/rule_network_type.schema.json"
        },
        "override": {
          "description": "When true, the deny rule will override and take precedence over other user defined allow rules.",
          "default": false,
          "type": "boolean"
        },
        "unscoped_consumers": {
          "description": "Set the scope for rule consumers to All",
          "type": "boolean"
        }
      }
    }
    
  • common rule_set: Parent Rule Set of a Rule. (The listing that follows is identical to the deny_rules_get schema above, including its "Enforcement boundary" description; confirm it against the published rule_set schema before relying on it.)

    {
      "$schema": "http://json-schema.org/draft-04/schema#",
      "description": "Enforcement boundary",
      "type": "object",
      "required": ["href", "providers", "consumers", "ingress_services"],
      "expose_to": ["end_user_private_perm"],
      "_comment": "Don't set additionalProperties:false here as it collides with usage in allOf, set that in the schema that references this one instead.",
      "properties": {
        "created_at": {
          "description": "Timestamp when this Enforcement Boundary was first created",
          "type": "string",
          "format": "date-time"
        },
        "updated_at": {
          "description": "Timestamp when this Enforcement Boundary was last updated",
          "type": "string",
          "format": "date-time"
        },
        "deleted_at": {
          "description": "Timestamp when this Enforcement Boundary was deleted",
          "type": ["string", "null"],
          "format": "date-time"
        },
        "created_by": {
          "type": ["object", "null"],
          "required": ["href"],
          "properties": {
            "href": {
              "description": "User who originally created this Enforcement Boundary",
              "type": "string"
            }
          }
        },
        "updated_by": {
          "type": ["object", "null"],
          "required": ["href"],
          "properties": {
            "href": {
              "description": "User who last updated this Enforcement Boundary",
              "type": "string"
            }
          }
        },
        "deleted_by": {
          "type": ["object", "null"],
          "required": ["href"],
          "properties": {
            "href": {
              "description": "User who deleted this Enforcement Boundary",
              "type": "string"
            }
          }
        },
        "update_type": {
          "$ref": "../common/sec_policy_update_type.schema.json"
        },
        "href": {
          "description": "The job URI.",
          "type": "string"
        },
        "providers": { "$ref": "deny_rule_actor.schema.json" },
        "consumers": { "$ref": "deny_rule_actor.schema.json" },
        "ingress_services": {
          "$ref": "sec_rule_ingress_services.schema.json"
        },
        "egress_services": {
          "$ref": "sec_rule_egress_services.schema.json"
        },
        "caps": {
          "$ref": "../common/entity_caps.schema.json"
        },
        "enabled": {
          "description": "Enabled flag",
          "type": "boolean"
        },
        "description": {
          "description": "Description",
          "type": ["string", "null"]
        },
        "network_type": {
          "$ref": "../common/rule_network_type.schema.json"
        },
        "override": {
          "description": "When true, the deny rule will override and take precedence over other user defined allow rules.",
          "default": false,
          "type": "boolean"
        },
        "unscoped_consumers": {
          "description": "Set the scope for rule consumers to All",
          "type": "boolean"
        }
      }
    }
    
  • common sec_rule_egress_services: Array of objects.

    {
      "$schema": "http://json-schema.org/draft-04/schema#",
      "description": "Array of objects",
      "type": "array",
      "items": {
        "type": "object",
        "$ref": "../common/href_object.schema.json"
      }
    }
  • common sec_rules_get: For sec_rules, this gets the timestamps when the Enforcement Boundary was created, updated, and deleted. It also defines the users who originally created, updated, and deleted the boundary.

    {
      "$schema": "http://json-schema.org/draft-04/schema#",
      "description": "Enforcement boundary",
      "type": "object",
      "required": ["href", "providers", "consumers", "ingress_services"],
      "expose_to": ["end_user_private_perm"],
      "_comment": "Don't set additionalProperties:false here as it collides with usage in allOf, set that in the schema  that references this one instead.",
      "properties": {
        "created_at": {
          "description": "Timestamp when record was first created",
          "type": "string",
          "format": "date-time"
        },
        "updated_at": {
          "description": "Timestamp when record was last updated",
          "type": "string",
          "format": "date-time"
        },
        "deleted_at": {
          "description": "Timestamp when record was deleted",
          "type": ["string", "null"],
          "format": "date-time"
        },
        "created_by": {
          "type": "object",
          "properties": {
            "username": {
              "description": "The username which created this record",
              "type": "string"
            }
          }
        },
        "updated_by": {
          "type": "object",
          "properties": {
            "username": {
              "description": "The username which last updated this record",
              "type": "string"
            }
          }
        },
        "deleted_by": {
          "type": ["object", "null" ],
          "properties": {
            "username": {
              "description": "The username which deleted this record",
              "type": "string"
            }
          }
        },
        "update_type": {
          "description": "Type of update",
          "oneOf": [
            {
              "type": "null"
            },
            {
              "type": "string",
              "enum": ["create", "update", "delete"]
            }
          ]
        },
        "update_label": {
          "description": "Type of update",
          "oneOf": [
            {
              "type": "null"
            },
            {
              "type": "string",
              "enum": ["create", "update", "delete"]
            }
          ]
        },
        "href": {
          "description": "URI of object",
          "type": "string"
        },
        "enabled": {
          "description": "Enabled flag",
          "type": "boolean"
        },
        "description": {
          "description": "Description",
          "type": ["string", "null"]
        },
        "ingress_services": { "$ref": "sec_rule_ingress_services.schema.json" },
        "egress_services": { "$ref": "sec_rule_egress_services.schema.json" },
        "resolve_labels_as": { "$ref": "sec_rule_resolve_labels_as.schema.json" },
        "sec_connect": {
          "description": "Whether a secure connection is established",
          "type": "boolean"
        },
        "stateless": {
          "expose_to": ["end_user_experimental"],
          "description": "Whether packet filtering is stateless for the rule",
          "type": "boolean"
        },
        "machine_auth": {
          "expose_to": ["end_user_experimental"],
          "description": "Whether machine authentication is enabled",
          "type": "boolean"
        },
        "providers": { "$ref": "sec_policy_rule_sets_sec_rules_providers_get.schema.json" },
        "consumers": { "$ref": "sec_policy_rule_sets_sec_rules_consumers_get.schema.json" },
        "consuming_security_principals": { "$ref": "consuming_security_principals_get.schema.json" },
        "unscoped_consumers": {
          "description": "Set the scope for rule consumers to All",
          "type": "boolean"
        },
        "use_workload_subnets": {
          "$ref": "sec_rule_use_workload_subnets.schema.json"
        },
        "rule_set": { "$ref": "../common/rule_set.schema.json" },
        "log_flow": {
          "description": "If false, the VEN will not log any traffic that matches this flow.",
          "type": "boolean",
          "expose_to": ["end_user_private_transitional"]
        },
        "network_type": { "$ref": "../common/rule_network_type.schema.json" }
      }
    }
    

Changed APIs in 25.2.10

The following public APIs have changed in 25.2.10.

Simplified schema by using a reference for
  • sec_policy_allow_get

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "array",
  "items": {
    "allOf": [
      {
        "$ref": "sec_policy_rule_sets_sec_rules_get.schema.json"
      }
    ]
  }
}

The initial schema, which contained the required objects "enabled", "providers", "consumers", and "ub_service", has been simplified to use a reference to the sec_policy_rule_sets_sec_rules_get schema.

Additional properties container_workload and kubernetes_workload were added to
  • sec_policy_rule_search_consumers

  • sec_policy_rule_search_providers

{
  "items": {
    "properties": {
      "container_workload__added": {
        "type": "object",
        "additionalProperties": false,
        "required": [
          "href"
        ],
        "properties": {
          "href": {
            "description": "Container workload URI",
            "type": "string"
          }
        }
      },
      "kubernetes_workload__added": {
        "type": "object",
        "additionalProperties": false,
        "required": [
          "href"
        ],
        "properties": {
          "href": {
            "description": "Kubernetes workload URI",
            "type": "string"
          }
        }
      }
    }
  }
}

In the initial API sec_policy_rule_search_consumers, in addition to properties "actors", "label", "label_group", "workload", "virtual_service", and "ip_list", two new ones have been added:

Additional properties:
  • kubernetes_workload: href of the kubernetes_workload to which the searched rule should apply

  • container_workload: href of the container_workload to which the searched rule should apply

Property rule_types added to
  • sec_policy_rule_search_post

{
  "properties": {
    "rule_types": {
      "description": "List of rule types",
      "type": "array",
      "items": {
        "type": "string",
        "enum": [
          "sec_rules",
          "deny_rules",
          "override_deny_rules",
          "ip_tables_rules"
        ]
      }
    }
  }
}

A new property rule_types was added, which lists the rule types: sec_rules, deny_rules, override_deny_rules, and ip_tables_rules. Use rule_types in the request to specify which rule types should be searched.

Simplified schema
  • sec_policy_rule_search_post_response

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "sec_rules": {
      "description": "Array of allow rules",
      "type": "array",
      "items": {
        "allOf": [
          {
            "$ref": "../common/sec_rules_get.schema.json"
          },
          {
            "rule_set": {
              "$ref": "../common/rule_set.schema.json"
            }
          }
        ]
      }
    },
    "deny_rules": {
      "description": "Array of deny rules",
      "type": "array",
      "items": {
        "allOf": [
          {
            "$ref": "../common/deny_rules_get.schema.json"
          },
          {
            "rule_set": {
              "$ref": "../common/rule_set.schema.json"
            }
          }
        ]
      }
    },
    "override_deny_rules": {
      "description": "Array of override deny rules",
      "type": "array",
      "items": {
       "allOf": [
          {
            "$ref": "../common/deny_rules_get.schema.json"
          },
          {
            "rule_set": {
              "$ref": "../common/rule_set.schema.json"
            }
          }
        ]
      }
    },
    "ip_tables_rules": {
      "type": "array",
      "items": {
       "allOf": [
          {
            "$ref": "../common/ip_tables_rules_get.schema.json"
          },
          {
            "rule_set": {
              "$ref": "../common/rule_set.schema.json"
            }
          }
        ]
      }
    }
  }
}

This schema was simplified using allOf and references to the existing schemas. Note that in each allOf, the second branch gives rule_set as a bare keyword rather than under "properties"; draft-04 validators ignore unknown keywords, so as written that branch does not constrain rule_set.