Documentation

Constants

const (
	DefaultEndpointProtocol = "TCP"
	DefaultPortName         = ""
)
Variables

This section is empty.

Functions

func ObjectID

ObjectID returns a MongoDB object ID. See: https://www.mongodb.com/docs/manual/reference/method/ObjectId/
Types

type BindSubject

type Container

type Container struct {
	Id        primitive.ObjectID `bson:"_id"`
	PodId     primitive.ObjectID `bson:"pod_id"`
	NodeId    primitive.ObjectID `bson:"node_id"`
	Inherited ContainerInherited `bson:"inherited"`
	K8        corev1.Container   `bson:"k8"`
	Ownership OwnershipInfo      `bson:"ownership"`
}

type ContainerInherited

type ContainerInherited struct {
	Namespace      string `bson:"namespace"`
	PodName        string `bson:"pod_name"`
	NodeName       string `bson:"node_name"`
	HostPID        bool   `bson:"host_pid"`
	HostIPC        bool   `bson:"host_ipc"`
	HostNetwork    bool   `bson:"host_net"`
	ServiceAccount string `bson:"service_account"`
	RunAsUser      int64  `bson:"run_as_user"`
}
Properties of interest to attackers can be set at the Pod level (such as hostPID) or at the container level (such as capabilities). To simplify the graph model, the container node is chosen as the single source of truth for all host security related information: any capabilities derived from the containing Pod are set ONLY on the container, with the inheritance/override rules applied.
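The inheritance/override rule described above, as an added example that is not the project's own code: simplified stand-in types replace the real corev1 Pod/Container types, and InheritFromPod and SharesHostNamespace are hypothetical helpers that populate a ContainerInherited record from pod-level and container-level settings.

```go
package main

import "fmt"

// Simplified stand-ins for the corev1 Pod/Container spec fields read here (assumption, not k8s.io/api types).
type SecurityContext struct{ RunAsUser *int64 }

type ContainerSpec struct{ SecurityContext *SecurityContext }

type PodSpec struct {
	Namespace, PodName, NodeName, ServiceAccount string
	HostPID, HostIPC, HostNetwork                bool
	SecurityContext                              *SecurityContext
}

// ContainerInherited mirrors the store model on this page (bson tags omitted).
type ContainerInherited struct {
	Namespace, PodName, NodeName, ServiceAccount string
	HostPID, HostIPC, HostNetwork                bool
	RunAsUser                                    int64
}

// InheritFromPod (hypothetical helper) copies pod-level host settings onto the container
// record; a container-level runAsUser overrides the pod-level one, and unset leaves 0.
func InheritFromPod(pod PodSpec, c ContainerSpec) ContainerInherited {
	inh := ContainerInherited{
		Namespace: pod.Namespace, PodName: pod.PodName, NodeName: pod.NodeName,
		ServiceAccount: pod.ServiceAccount,
		HostPID: pod.HostPID, HostIPC: pod.HostIPC, HostNetwork: pod.HostNetwork,
	}
	if sc := pod.SecurityContext; sc != nil && sc.RunAsUser != nil {
		inh.RunAsUser = *sc.RunAsUser // pod-level default
	}
	if sc := c.SecurityContext; sc != nil && sc.RunAsUser != nil {
		inh.RunAsUser = *sc.RunAsUser // container-level override wins
	}
	return inh
}

// SharesHostNamespace flags a container record that shares any host namespace.
func SharesHostNamespace(inh ContainerInherited) bool {
	return inh.HostPID || inh.HostIPC || inh.HostNetwork
}

func main() {
	uid := int64(1000) // constructed sample values
	pod := PodSpec{Namespace: "default", PodName: "web-0", NodeName: "node-a", HostPID: true, SecurityContext: &SecurityContext{RunAsUser: &uid}}
	fmt.Printf("%+v\n", InheritFromPod(pod, ContainerSpec{}))
}
```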
type Endpoint

type Endpoint struct {
	Id           primitive.ObjectID         `bson:"_id"`
	ContainerId  primitive.ObjectID         `bson:"container_id"`
	PodName      string                     `bson:"pod_name"`
	PodNamespace string                     `bson:"pod_namespace"`
	NodeName     string                     `bson:"node_name"`
	IsNamespaced bool                       `bson:"is_namespaced"`
	Namespace    string                     `bson:"namespace"`
	Name         string                     `bson:"name"`
	HasSlice     bool                       `bson:"has_slice"`
	ServiceName  string                     `bson:"service_name"`
	ServiceDns   string                     `bson:"service_dns"`
	K8           metav1.ObjectMeta          `bson:"k8"`
	AddressType  discoveryv1.AddressType    `bson:"address_type"`
	Backend      discoveryv1.Endpoint       `bson:"backend"`
	Port         discoveryv1.EndpointPort   `bson:"port"`
	Ownership    OwnershipInfo              `bson:"ownership"`
	Exposure     shared.EndpointExposureType `bson:"access"`
}

func (*Endpoint) SafePortName

SafePortName is a safe accessor for the endpoint port name.

func (*Endpoint) SafeProtocol

SafeProtocol is a safe accessor for the endpoint protocol.
type OwnershipInfo

type OwnershipInfo struct {
	Application string `bson:"application"`
	Team        string `bson:"team"`
	Service     string `bson:"service"`
}

OwnershipInfo encapsulates internal ownership information of Kubernetes assets.
func ExtractOwnership

func ExtractOwnership(labels map[string]string) OwnershipInfo

ExtractOwnership extracts ownership information from a provided Kubernetes labels map.
type PermissionSet

type PermissionSet struct {
	Id              primitive.ObjectID `bson:"_id"`
	RoleId          primitive.ObjectID `bson:"role_id"`
	RoleName        string             `bson:"role_name"`
	RoleBindingId   primitive.ObjectID `bson:"role_binding_id"`
	RoleBindingName string             `bson:"role_binding_name"`
	Name            string             `bson:"name"`
	IsNamespaced    bool               `bson:"is_namespaced"`
	Namespace       string             `bson:"namespace"`
	Rules           []rbacv1.PolicyRule `bson:"rules"`
	Ownership       OwnershipInfo      `bson:"ownership"`
}

type Role

type Role struct {
	Id           primitive.ObjectID  `bson:"_id"`
	Name         string              `bson:"name"`
	IsNamespaced bool                `bson:"is_namespaced"`
	Namespace    string              `bson:"namespace"`
	Rules        []rbacv1.PolicyRule `bson:"rules"`
	Ownership    OwnershipInfo       `bson:"ownership"`
}

type RoleBinding

type RoleBinding struct {
	Id           primitive.ObjectID `bson:"_id"`
	Name         string             `bson:"name"`
	RoleId       primitive.ObjectID `bson:"role_id"`
	IsNamespaced bool               `bson:"is_namespaced"`
	Namespace    string             `bson:"namespace"`
	Subjects     []BindSubject      `bson:"subjects"`
	Ownership    OwnershipInfo      `bson:"ownership"`
	K8           rbacv1.RoleRef     `bson:"k8"`
}

type Volume

type Volume struct {
	Id          primitive.ObjectID `bson:"_id"`
	PodId       primitive.ObjectID `bson:"pod_id"`
	NodeId      primitive.ObjectID `bson:"node_id"`
	ContainerId primitive.ObjectID `bson:"container_id"`
	ProjectedId primitive.ObjectID `bson:"projected_id"`
	Name        string             `bson:"name"`
	Type        string             `bson:"type"`
	SourcePath  string             `bson:"source"`
	MountPath   string             `bson:"mount"`
	ReadOnly    bool               `bson:"readonly"`
	Ownership   OwnershipInfo      `bson:"ownership"`
	K8          corev1.Volume      `bson:"k8"`
}