Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AzdSecInfoProvider ¶
// AzdSecInfoProvider is the default implementation of the IAzdSecInfoProvider interface.
// Construct it with NewAzdSecInfoProvider; the fields are unexported.
type AzdSecInfoProvider struct {
// contains filtered or unexported fields
}
AzdSecInfoProvider is the default implementation of the IAzdSecInfoProvider interface.
func NewAzdSecInfoProvider ¶
func NewAzdSecInfoProvider(instrumentationProvider instrumentation.IInstrumentationProvider, argDataProvider arg.IARGDataProvider, tag2digestResolver tag2digest.ITag2DigestResolver, GetContainersVulnerabilityScanInfoTimeoutDuration *utils.TimeoutConfiguration, cacheClient IAzdSecInfoProviderCacheClient) *AzdSecInfoProvider
NewAzdSecInfoProvider is the constructor of AzdSecInfoProvider.
func (*AzdSecInfoProvider) GetContainersVulnerabilityScanInfo ¶
func (provider *AzdSecInfoProvider) GetContainersVulnerabilityScanInfo(workloadResource *admisionrequest.WorkloadResource) ([]*contracts.ContainerVulnerabilityScanInfo, error)
GetContainersVulnerabilityScanInfo receives an API-resource pod spec containing containers, together with the deployed resource's metadata and kind. The function returns the evaluated ContainerVulnerabilityScanInfo for the pod spec's container list (the pod spec can belong to the template of any resource that eventually creates pods). Function logic: 1. Validate the arguments. 2. Try to get ContainersVulnerabilityScanInfo from the cache. If that succeeds (results were found in the cache — either valid results, or an invalid result together with an error), return them. 3. In a new goroutine, get ContainersVulnerabilityScanInfo. If this takes longer than the defined timeout, a response must still be returned to the API server: if this is the first or second timeout for this podSpec, return an unscanned result (meaning Gatekeeper will block this request); otherwise return an error and do not block the request (the request is admitted without scan results). If no timeout occurred, save the results in the cache, reset the timeout status and return the results. For more information, see the README.
type AzdSecInfoProviderCacheClient ¶
// AzdSecInfoProviderCacheClient is the cache client designated for AzdSecInfoProvider.
// It wraps a cache.ICacheClient; construct it with NewAzdSecInfoProviderCacheClient.
type AzdSecInfoProviderCacheClient struct {
// contains filtered or unexported fields
}
AzdSecInfoProviderCacheClient is the cache client designated for AzdSecInfoProvider. It wraps an ICacheClient.
func NewAzdSecInfoProviderCacheClient ¶
func NewAzdSecInfoProviderCacheClient(instrumentationProvider instrumentation.IInstrumentationProvider, cacheClient cache.ICacheClient, azdSecInfoProviderConfiguration *AzdSecInfoProviderConfiguration) *AzdSecInfoProviderCacheClient
NewAzdSecInfoProviderCacheClient is the constructor of AzdSecInfoProviderCacheClient.
func (*AzdSecInfoProviderCacheClient) GetContainerVulnerabilityScanInfofromCache ¶
func (client *AzdSecInfoProviderCacheClient) GetContainerVulnerabilityScanInfofromCache(podSpecCacheKey string) ([]*contracts.ContainerVulnerabilityScanInfo, error, error)
GetContainerVulnerabilityScanInfofromCache tries to get ContainerVulnerabilityScanInfo from the cache. It fetches the entry from the cache and parses it into a containerVulnerabilityCacheResultsWrapper object. Returns: []*contracts.ContainerVulnerabilityScanInfo — the scan results, if results were STORED in the cache by a previous scan, otherwise nil; error — the error, if an error was STORED in the cache by a previous scan, otherwise nil. If there is a problem with the cache itself, or the cached value is invalid, a separate error is returned.
func (*AzdSecInfoProviderCacheClient) GetPodSpecCacheKey ¶
func (client *AzdSecInfoProviderCacheClient) GetPodSpecCacheKey(podSpec *admisionrequest.PodSpec) string
GetPodSpecCacheKey gets the cache key (without the prefix) of a given podSpec. The key is a string of containerName:imageName pairs, with each containerName:imageName separated by a comma. For example: 'myName1:alpine,myName2:nginx'.
func (*AzdSecInfoProviderCacheClient) GetTimeOutStatus ¶
func (client *AzdSecInfoProviderCacheClient) GetTimeOutStatus(podSpecCacheKey string) (int, error)
GetTimeOutStatus gets the timeout status of the podSpec from the cache — that is, how many times a timeout has occurred for this podSpec.
func (*AzdSecInfoProviderCacheClient) ResetTimeOutInCacheAfterGettingScanResults ¶
func (client *AzdSecInfoProviderCacheClient) ResetTimeOutInCacheAfterGettingScanResults(podSpecCacheKey string) error
ResetTimeOutInCacheAfterGettingScanResults resets the timeout status in the cache after scan results were received. Once scan results have been received, the timeout is no longer relevant and must be reset. If no timeout occurred before, it does nothing.
func (*AzdSecInfoProviderCacheClient) SetContainerVulnerabilityScanInfoInCache ¶
func (client *AzdSecInfoProviderCacheClient) SetContainerVulnerabilityScanInfoInCache(podSpecCacheKey string, containerVulnerabilityScanInfo []*contracts.ContainerVulnerabilityScanInfo, err error) error
SetContainerVulnerabilityScanInfoInCache sets ContainerVulnerabilityScanInfo in the cache. No error is reported back; it is only traced.
func (*AzdSecInfoProviderCacheClient) SetTimeOutStatusAfterEncounteredTimeout ¶
func (client *AzdSecInfoProviderCacheClient) SetTimeOutStatusAfterEncounteredTimeout(podSpecCacheKey string, timeOutStatus int) error
SetTimeOutStatusAfterEncounteredTimeout updates the timeout status if it already exists in the cache, or sets the timeout status for the first time.
type AzdSecInfoProviderConfiguration ¶
// AzdSecInfoProviderConfiguration is the configuration data for AzdSecInfoProvider.
//
// NOTE(review): the two expiration fields use different units (minutes vs. seconds);
// confirm that every caller converts accordingly, since mixing them up silently
// changes how long a cached timeout or scan result is trusted.
type AzdSecInfoProviderConfiguration struct {
	// CacheExpirationTimeTimeout is the expiration time **IN MINUTES** for timeout.
	CacheExpirationTimeTimeout int
	// CacheExpirationContainerVulnerabilityScanInfo is the expiration time **IN SECONDS** for ContainerVulnerabilityScanInfo.
	CacheExpirationContainerVulnerabilityScanInfo int
}
AzdSecInfoProviderConfiguration is the configuration data for AzdSecInfoProvider.
type IAzdSecInfoProvider ¶
// IAzdSecInfoProvider is the interface for providing Azure Defender security information.
type IAzdSecInfoProvider interface {
	// GetContainersVulnerabilityScanInfo receives a pod template spec containing a containers list
	// and returns their fetched ContainersVulnerabilityScanInfo.
	GetContainersVulnerabilityScanInfo(workloadResource *admisionrequest.WorkloadResource) ([]*contracts.ContainerVulnerabilityScanInfo, error)
}
IAzdSecInfoProvider is the interface for providing Azure Defender security information.
type IAzdSecInfoProviderCacheClient ¶
// IAzdSecInfoProviderCacheClient is the cache client interface designated for AzdSecInfoProvider.
type IAzdSecInfoProviderCacheClient interface {
	// GetContainerVulnerabilityScanInfofromCache tries to get ContainerVulnerabilityScanInfo from the cache.
	// It fetches the entry from the cache and parses it into a containerVulnerabilityCacheResultsWrapper object.
	// If there is a problem with the cache, or the cached value is invalid, an error is returned.
	// NOTE(review): two error results are returned — one carries an error that was stored in the
	// cache by a previous scan (nil if none), the other reports a cache/parse problem; the doc does
	// not state which position is which — confirm against the implementation before relying on it.
	GetContainerVulnerabilityScanInfofromCache(podSpecCacheKey string) ([]*contracts.ContainerVulnerabilityScanInfo, error, error)
	// SetContainerVulnerabilityScanInfoInCache sets ContainerVulnerabilityScanInfo in the cache.
	// No error is reported back; it is only traced.
	// NOTE(review): the signature nevertheless returns an error — confirm whether callers should check it.
	SetContainerVulnerabilityScanInfoInCache(podSpecCacheKey string, containerVulnerabilityScanInfo []*contracts.ContainerVulnerabilityScanInfo, err error) error
	// GetTimeOutStatus gets the timeout status of the podSpec from the cache — how many times a timeout has occurred for this podSpec.
	GetTimeOutStatus(podSpecCacheKey string) (int, error)
	// SetTimeOutStatusAfterEncounteredTimeout updates the timeout status if it already exists in the cache,
	// or sets the timeout status for the first time.
	SetTimeOutStatusAfterEncounteredTimeout(podSpecCacheKey string, timeOutStatus int) error
	// ResetTimeOutInCacheAfterGettingScanResults resets the timeout status in the cache after scan results were received.
	// Once scan results have been received the timeout is no longer relevant and must be reset.
	// If no timeout occurred before, it does nothing.
	ResetTimeOutInCacheAfterGettingScanResults(podSpecCacheKey string) error
	// GetPodSpecCacheKey gets the cache key (without the prefix) of a given podSpec.
	// NOTE(review): the key is built from containerName:imageName as written in the pod spec; if the
	// image reference is a mutable tag rather than a digest, confirm that a stale cached result cannot
	// be served for a re-pushed image (the provider is constructed with a tag2digest resolver).
	GetPodSpecCacheKey(podSpec *admisionrequest.PodSpec) string
}
IAzdSecInfoProviderCacheClient is the cache client interface designated for AzdSecInfoProvider.