Constants ¶
const (
	// DefaultEndpointProtocol is the protocol reported for an endpoint port that does not
	// specify one. Presumably the fallback used by Endpoint.SafeProtocol — confirm against
	// its implementation (not visible here).
	DefaultEndpointProtocol = "TCP"
	// DefaultPortName is the name reported for an unnamed endpoint port (the empty string).
	// Presumably the fallback used by Endpoint.SafePortName — confirm against its implementation.
	DefaultPortName = ""
)
Functions ¶
func ObjectID ¶
ObjectID returns a MongoDB object ID. See: https://www.mongodb.com/docs/manual/reference/method/ObjectId/
Types ¶
type BindSubject ¶
type Container ¶
// Container is the store representation of a single Kubernetes container, linked to the
// Pod and Node that host it. Host-security-relevant settings that Kubernetes allows at
// Pod level are folded into Inherited so that a consumer can read everything it needs
// from this one record (see ContainerInherited).
type Container struct {
	// Id is the MongoDB document id of this container record.
	Id primitive.ObjectID `bson:"_id"`
	// PodId references the store Pod document this container belongs to.
	PodId primitive.ObjectID `bson:"pod_id"`
	// NodeId references the store Node document the container is scheduled on.
	NodeId primitive.ObjectID `bson:"node_id"`
	// Inherited holds the Pod-level properties copied down to the container
	// (host namespaces, service account, run-as user) — see ContainerInherited.
	Inherited ContainerInherited `bson:"inherited"`
	// K8 is the raw Kubernetes container spec. Container-level security settings
	// (e.g. capabilities) are read from here rather than from Inherited.
	K8 corev1.Container `bson:"k8"`
	// Ownership is the application/team/service attribution derived from labels.
	// It is informational only: labels are written by whoever can write the object,
	// so it must not be treated as an authorization boundary.
	Ownership OwnershipInfo `bson:"ownership"`
	// Runtime identifies the KubeHound run that produced this record.
	Runtime RuntimeInfo `bson:"runtime"`
}
type ContainerInherited ¶
// ContainerInherited carries the properties a container inherits from its enclosing Pod
// that matter when reasoning about host escape and privilege: shared host namespaces,
// the service account whose credentials the workload runs with, and the UID it runs as.
// The container is the single source of truth for these values; Pod/container
// inheritance and override rules are expected to have been applied before storage.
type ContainerInherited struct {
	// Namespace is the Kubernetes namespace of the enclosing Pod.
	Namespace string `bson:"namespace"`
	// PodName is the name of the enclosing Pod.
	PodName string `bson:"pod_name"`
	// NodeName is the node the Pod is scheduled on.
	NodeName string `bson:"node_name"`
	// HostPID is true when the Pod shares the host PID namespace (pod-level hostPID).
	// A container in this state can see, and with sufficient capabilities enter, host processes.
	HostPID bool `bson:"host_pid"`
	// HostIPC is true when the Pod shares the host IPC namespace (pod-level hostIPC).
	HostIPC bool `bson:"host_ipc"`
	// HostNetwork is true when the Pod shares the host network namespace (pod-level hostNetwork).
	// NOTE: the BSON key is "host_net", not "host_network" — queries must use the tag name,
	// and renaming it would silently orphan previously stored documents.
	HostNetwork bool `bson:"host_net"`
	// ServiceAccount is the Pod's service account name. Whether its token is actually
	// mounted into the container (automount settings) is not tracked here — confirm
	// before inferring token access from this field alone.
	ServiceAccount string `bson:"service_account"`
	// RunAsUser is the effective runAsUser UID. A value of 0 is ambiguous between
	// "explicitly root" and "not set" (Go zero value) — NOTE(review): confirm how the
	// extractor populates this when no runAsUser is specified at Pod or container level.
	RunAsUser int64 `bson:"run_as_user"`
}
Properties that are interesting to attackers can be set at the Pod level (such as hostPID) or at the container level (such as capabilities). To simplify the graph model, the container node is chosen as the single source of truth for all host-security-related information: any such property derived from the containing Pod is set ONLY on the container, with the Pod/container inheritance and override rules already applied.
type Endpoint ¶
// Endpoint is the store representation of a network endpoint exposed by a container,
// together with the Service/EndpointSlice metadata it was discovered from and an
// exposure classification describing how reachable it is.
type Endpoint struct {
	// Id is the MongoDB document id of this endpoint record.
	Id primitive.ObjectID `bson:"_id"`
	// ContainerId references the store Container document that backs this endpoint.
	ContainerId primitive.ObjectID `bson:"container_id"`
	// PodName is the name of the Pod hosting the backing container.
	PodName string `bson:"pod_name"`
	// PodNamespace is the namespace of that Pod.
	PodNamespace string `bson:"pod_namespace"`
	// NodeName is the node the Pod is scheduled on.
	NodeName string `bson:"node_name"`
	// IsNamespaced reports whether the endpoint object itself is namespace-scoped.
	IsNamespaced bool `bson:"is_namespaced"`
	// Namespace is the endpoint object's namespace (meaningful when IsNamespaced is true).
	Namespace string `bson:"namespace"`
	// Name is the endpoint object's name.
	Name string `bson:"name"`
	// HasSlice — presumably true when this endpoint was discovered from an EndpointSlice
	// rather than synthesized from a container port; confirm against the collector.
	HasSlice bool `bson:"has_slice"`
	// ServiceName is the Kubernetes Service fronting this endpoint, if any.
	ServiceName string `bson:"service_name"`
	// ServiceDns is the DNS name clients would use to reach that Service.
	ServiceDns string `bson:"service_dns"`
	// K8 is the raw Kubernetes object metadata of the source object.
	K8 metav1.ObjectMeta `bson:"k8"`
	// AddressType is the EndpointSlice address family (IPv4/IPv6/FQDN).
	AddressType discoveryv1.AddressType `bson:"address_type"`
	// Backend is the raw EndpointSlice endpoint (addresses, conditions, target ref).
	Backend discoveryv1.Endpoint `bson:"backend"`
	// Port is the raw EndpointSlice port entry. Its name and protocol are optional in the
	// Kubernetes API; read them through SafePortName/SafeProtocol rather than directly.
	Port discoveryv1.EndpointPort `bson:"port"`
	// Ownership is the application/team/service attribution derived from labels
	// (informational only, not an authorization boundary).
	Ownership OwnershipInfo `bson:"ownership"`
	// Runtime identifies the KubeHound run that produced this record.
	Runtime RuntimeInfo `bson:"runtime"`
	// Exposure classifies how reachable the endpoint is (see shared.EndpointExposureType).
	// NOTE: the BSON key is "access", not "exposure" — queries must use the tag name.
	Exposure shared.EndpointExposureType `bson:"access"`
}
func (*Endpoint) SafePortName ¶
SafePortName is a nil-safe accessor for the endpoint port name: it presumably returns DefaultPortName when the underlying EndpointPort has no name set — confirm against the implementation.
func (*Endpoint) SafeProtocol ¶
SafeProtocol is a nil-safe accessor for the endpoint protocol: it presumably returns DefaultEndpointProtocol when the underlying EndpointPort has no protocol set — confirm against the implementation.
type Identity ¶
// Identity is the store representation of an RBAC subject (a principal that can be
// bound to a Role or ClusterRole).
type Identity struct {
	// Id is the MongoDB document id of this identity record.
	Id primitive.ObjectID `bson:"_id"`
	// Name is the subject's name as it appears in the binding.
	Name string `bson:"name"`
	// IsNamespaced reports whether the subject is namespace-scoped
	// (service accounts are; users and groups are not).
	IsNamespaced bool `bson:"is_namespaced"`
	// Namespace is the subject's namespace (meaningful when IsNamespaced is true).
	Namespace string `bson:"namespace"`
	// Type is the subject kind. Presumably one of the RBAC subject kinds
	// (ServiceAccount, User, Group) — confirm the exact values written by the collector.
	Type string `bson:"type"`
	// Ownership is the application/team/service attribution derived from labels
	// (informational only, not an authorization boundary).
	Ownership OwnershipInfo `bson:"ownership"`
	// Runtime identifies the KubeHound run that produced this record.
	Runtime RuntimeInfo `bson:"runtime"`
}
type Node ¶
// Node is the store representation of a Kubernetes cluster node.
type Node struct {
	// Id is the MongoDB document id of this node record.
	Id primitive.ObjectID `bson:"_id"`
	// UserId — NOTE(review): the identity this references is not evident from this
	// file (possibly the node's own kubelet identity); confirm against the collector
	// before relying on it in graph queries.
	UserId primitive.ObjectID `bson:"user_id"`
	// IsNamespaced reports whether the object is namespace-scoped. Nodes are
	// cluster-scoped in Kubernetes, so this is expected to be false.
	IsNamespaced bool `bson:"is_namespaced"`
	// K8 is the raw Kubernetes Node object (spec, status, labels, taints).
	K8 corev1.Node `bson:"k8"`
	// Ownership is the application/team/service attribution derived from labels
	// (informational only, not an authorization boundary).
	Ownership OwnershipInfo `bson:"ownership"`
	// Runtime identifies the KubeHound run that produced this record.
	Runtime RuntimeInfo `bson:"runtime"`
}
type OwnershipInfo ¶
// OwnershipInfo encapsulates internal ownership information of Kubernetes assets,
// extracted from object labels (see ExtractOwnership). Because labels are set by
// whoever can write the object, these values are attribution hints for triage and
// reporting only — they are not an authorization or trust boundary.
type OwnershipInfo struct {
	// Application is the owning application, as declared by label.
	Application string `bson:"application"`
	// Team is the owning team, as declared by label.
	Team string `bson:"team"`
	// Service is the owning service, as declared by label.
	Service string `bson:"service"`
}
OwnershipInfo encapsulates internal ownership information of Kubernetes assets.
func ExtractOwnership ¶
func ExtractOwnership(labels map[string]string) OwnershipInfo
ExtractOwnership extracts ownership information from the provided Kubernetes labels map. Labels are caller-controlled metadata, so the result is attribution only and should not be used for authorization decisions.
type PermissionSet ¶
// PermissionSet is the store representation of a Role/RoleBinding pair: the set of
// RBAC rules a binding actually grants to its subjects. It denormalizes the role and
// binding identifiers so that a single record answers "what can this binding do".
type PermissionSet struct {
	// Id is the MongoDB document id of this permission set record.
	Id primitive.ObjectID `bson:"_id"`
	// RoleId references the store Role document the rules come from.
	RoleId primitive.ObjectID `bson:"role_id"`
	// RoleName is the name of that Role/ClusterRole.
	RoleName string `bson:"role_name"`
	// RoleBindingId references the store RoleBinding document granting the role.
	RoleBindingId primitive.ObjectID `bson:"role_binding_id"`
	// RoleBindingName is the name of that RoleBinding/ClusterRoleBinding.
	RoleBindingName string `bson:"role_binding_name"`
	// Name is the permission set's own name.
	Name string `bson:"name"`
	// IsNamespaced reports whether the grant is namespace-scoped.
	IsNamespaced bool `bson:"is_namespaced"`
	// Namespace is the scope of the grant (meaningful when IsNamespaced is true).
	Namespace string `bson:"namespace"`
	// Rules are the raw RBAC policy rules granted. Consumers should treat wildcard
	// verbs/resources ("*") and escalate/bind/impersonate verbs as high-impact when
	// ranking attack paths.
	Rules []rbacv1.PolicyRule `bson:"rules"`
	// Ownership is the application/team/service attribution derived from labels
	// (informational only, not an authorization boundary).
	Ownership OwnershipInfo `bson:"ownership"`
	// Runtime identifies the KubeHound run that produced this record.
	Runtime RuntimeInfo `bson:"runtime"`
}
type Pod ¶
// Pod is the store representation of a Kubernetes Pod, linked to the Node it runs on.
// Pod-level security settings (hostPID, hostIPC, hostNetwork, service account,
// runAsUser) are available in the raw spec but are also copied down onto each
// Container record's Inherited field, which is the intended place to read them.
type Pod struct {
	// Id is the MongoDB document id of this pod record.
	Id primitive.ObjectID `bson:"_id"`
	// NodeId references the store Node document the Pod is scheduled on.
	NodeId primitive.ObjectID `bson:"node_id"`
	// IsNamespaced reports whether the object is namespace-scoped (Pods always are).
	IsNamespaced bool `bson:"is_namespaced"`
	// K8 is the raw Kubernetes Pod object (spec and status).
	K8 corev1.Pod `bson:"k8"`
	// Ownership is the application/team/service attribution derived from labels
	// (informational only, not an authorization boundary).
	Ownership OwnershipInfo `bson:"ownership"`
	// Runtime identifies the KubeHound run that produced this record.
	Runtime RuntimeInfo `bson:"runtime"`
}
type Role ¶
// Role is the store representation of a Kubernetes Role or ClusterRole.
type Role struct {
	// Id is the MongoDB document id of this role record.
	Id primitive.ObjectID `bson:"_id"`
	// Name is the Role/ClusterRole name.
	Name string `bson:"name"`
	// IsNamespaced distinguishes a Role (true) from a ClusterRole (false).
	IsNamespaced bool `bson:"is_namespaced"`
	// Namespace is the Role's namespace (meaningful when IsNamespaced is true).
	Namespace string `bson:"namespace"`
	// Rules are the raw RBAC policy rules the role defines. A rule here is not a grant
	// by itself — it only takes effect through a RoleBinding (see PermissionSet).
	Rules []rbacv1.PolicyRule `bson:"rules"`
	// Ownership is the application/team/service attribution derived from labels
	// (informational only, not an authorization boundary).
	Ownership OwnershipInfo `bson:"ownership"`
	// Runtime identifies the KubeHound run that produced this record.
	Runtime RuntimeInfo `bson:"runtime"`
}
type RoleBinding ¶
// RoleBinding is the store representation of a Kubernetes RoleBinding or
// ClusterRoleBinding: the link between a set of subjects and the role they are granted.
type RoleBinding struct {
	// Id is the MongoDB document id of this binding record.
	Id primitive.ObjectID `bson:"_id"`
	// Name is the binding's name.
	Name string `bson:"name"`
	// RoleId references the store Role document the binding grants.
	RoleId primitive.ObjectID `bson:"role_id"`
	// IsNamespaced distinguishes a RoleBinding (true) from a ClusterRoleBinding (false).
	IsNamespaced bool `bson:"is_namespaced"`
	// Namespace is the binding's namespace (meaningful when IsNamespaced is true).
	Namespace string `bson:"namespace"`
	// Subjects are the principals granted the role (BindSubject is declared in this
	// package; its definition is not shown here).
	Subjects []BindSubject `bson:"subjects"`
	// Ownership is the application/team/service attribution derived from labels
	// (informational only, not an authorization boundary).
	Ownership OwnershipInfo `bson:"ownership"`
	// Runtime identifies the KubeHound run that produced this record.
	Runtime RuntimeInfo `bson:"runtime"`
	// K8 holds only the binding's RoleRef (kind/name/apiGroup of the referenced role),
	// not the full binding object — unlike the K8 field on other store types.
	K8 rbacv1.RoleRef `bson:"k8"`
}
type RuntimeInfo ¶ added in v1.2.0
RuntimeInfo encapsulates information about the KubeHound run.
func Runtime ¶ added in v1.2.0
func Runtime(cfg *config.DynamicConfig) RuntimeInfo
Runtime extracts information about the KubeHound run from the passed-in dynamic config, for stamping onto every stored record via the RuntimeInfo field.
type Volume ¶
// Volume is the store representation of a single volume mount inside a container.
// Mounts are a primary escape/lateral-movement primitive (host paths, projected
// service account tokens), so the record links the volume back to its container,
// Pod and Node.
type Volume struct {
	// Id is the MongoDB document id of this volume record.
	Id primitive.ObjectID `bson:"_id"`
	// PodId references the store Pod document that declares the volume.
	PodId primitive.ObjectID `bson:"pod_id"`
	// NodeId references the store Node document the Pod runs on.
	NodeId primitive.ObjectID `bson:"node_id"`
	// ContainerId references the store Container document that mounts the volume.
	ContainerId primitive.ObjectID `bson:"container_id"`
	// ProjectedId — presumably references the identity whose token is projected into
	// this volume, for projected service account token volumes; confirm against the collector.
	ProjectedId primitive.ObjectID `bson:"projected_id"`
	// Name is the volume name as declared in the Pod spec.
	Name string `bson:"name"`
	// Type is the volume source type. Exact values (e.g. hostPath vs projected) are
	// set by the collector and not visible here — confirm before filtering on them.
	Type string `bson:"type"`
	// SourcePath is the source-side path. For a hostPath volume this is presumably the
	// host directory being exposed to the container — confirm.
	SourcePath string `bson:"source"`
	// MountPath is the path inside the container where the volume is mounted.
	MountPath string `bson:"mount"`
	// ReadOnly is the mount's readOnly flag. Note that a read-only mount of a sensitive
	// host path (e.g. credentials, sockets) is still a useful read primitive for an attacker.
	ReadOnly bool `bson:"readonly"`
	// Ownership is the application/team/service attribution derived from labels
	// (informational only, not an authorization boundary).
	Ownership OwnershipInfo `bson:"ownership"`
	// Runtime identifies the KubeHound run that produced this record.
	Runtime RuntimeInfo `bson:"runtime"`
	// K8 is the raw Kubernetes volume definition from the Pod spec.
	K8 corev1.Volume `bson:"k8"`
}