store

package

v1.3.3 Latest Latest Go to latest Published: Jul 25, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/DataDog/KubeHound

Links

Open Source Insights

Documentation ¶

Constants ¶

View Source

const (
	DefaultEndpointProtocol = "TCP"
	DefaultPortName         = ""
)

Variables ¶

This section is empty.

Functions ¶

func ObjectID ¶

func ObjectID() primitive.ObjectID

ObjectID returns a MongoDB object ID. See: https://www.mongodb.com/docs/manual/reference/method/ObjectId/

Types ¶

type BindSubject ¶

type BindSubject struct {
	IdentityId primitive.ObjectID `bson:"identity_id"`
	Subject    rbacv1.Subject     `bson:"subject"`
}

type Container ¶

type Container struct {
	Id        primitive.ObjectID `bson:"_id"`
	PodId     primitive.ObjectID `bson:"pod_id"`
	NodeId    primitive.ObjectID `bson:"node_id"`
	Inherited ContainerInherited `bson:"inherited"`
	K8        corev1.Container   `bson:"k8"`
	Ownership OwnershipInfo      `bson:"ownership"`
	Runtime   RuntimeInfo        `bson:"runtime"`
}

type ContainerInherited ¶

type ContainerInherited struct {
	Namespace      string `bson:"namespace"`
	PodName        string `bson:"pod_name"`
	NodeName       string `bson:"node_name"`
	HostPID        bool   `bson:"host_pid"`
	HostIPC        bool   `bson:"host_ipc"`
	HostNetwork    bool   `bson:"host_net"`
	ServiceAccount string `bson:"service_account"`
	RunAsUser      int64  `bson:"run_as_user"`
}

Properties that are interesting to attackers can be set at a Pod level such as hostPid, or container level such as capabilities. To simplify the graph model, the container node is chosen as the single source of truth for all host security related information. Any capabilities derived from the containing Pod are set ONLY on the container (and inheritance/override rules applied)

type Endpoint ¶

type Endpoint struct {
	Id           primitive.ObjectID          `bson:"_id"`
	ContainerId  primitive.ObjectID          `bson:"container_id"`
	PodName      string                      `bson:"pod_name"`
	PodNamespace string                      `bson:"pod_namespace"`
	NodeName     string                      `bson:"node_name"`
	IsNamespaced bool                        `bson:"is_namespaced"`
	Namespace    string                      `bson:"namespace"`
	Name         string                      `bson:"name"`
	HasSlice     bool                        `bson:"has_slice"`
	ServiceName  string                      `bson:"service_name"`
	ServiceDns   string                      `bson:"service_dns"`
	K8           metav1.ObjectMeta           `bson:"k8"`
	AddressType  discoveryv1.AddressType     `bson:"address_type"`
	Backend      discoveryv1.Endpoint        `bson:"backend"`
	Port         discoveryv1.EndpointPort    `bson:"port"`
	Ownership    OwnershipInfo               `bson:"ownership"`
	Runtime      RuntimeInfo                 `bson:"runtime"`
	Exposure     shared.EndpointExposureType `bson:"access"`
}

func (*Endpoint) SafePort ¶

func (e *Endpoint) SafePort() int

SafePort is a safe accessor for the endpoint port.

func (*Endpoint) SafePortName ¶

func (e *Endpoint) SafePortName() string

SafePortName is a safe accessor for the endpoint port name.

func (*Endpoint) SafeProtocol ¶

func (e *Endpoint) SafeProtocol() string

SafeProtocol is a safe accessor for the endpoint protocol.

type Identity ¶

type Identity struct {
	Id           primitive.ObjectID `bson:"_id"`
	Name         string             `bson:"name"`
	IsNamespaced bool               `bson:"is_namespaced"`
	Namespace    string             `bson:"namespace"`
	Type         string             `bson:"type"`
	Ownership    OwnershipInfo      `bson:"ownership"`
	Runtime      RuntimeInfo        `bson:"runtime"`
}

type Node ¶

type Node struct {
	Id           primitive.ObjectID `bson:"_id"`
	UserId       primitive.ObjectID `bson:"user_id"`
	IsNamespaced bool               `bson:"is_namespaced"`
	K8           corev1.Node        `bson:"k8"`
	Ownership    OwnershipInfo      `bson:"ownership"`
	Runtime      RuntimeInfo        `bson:"runtime"`
}

type OwnershipInfo ¶

type OwnershipInfo struct {
	Application string `bson:"application"`
	Team        string `bson:"team"`
	Service     string `bson:"service"`
}

OwnershipInfo encapsulates internal ownership information of Kubernetes assets.

func ExtractOwnership ¶

func ExtractOwnership(labels map[string]string) OwnershipInfo

ExtractOwnership extracts ownership information from a provided Kubernets labels map.

type PermissionSet ¶

type PermissionSet struct {
	Id              primitive.ObjectID  `bson:"_id"`
	RoleId          primitive.ObjectID  `bson:"role_id"`
	RoleName        string              `bson:"role_name"`
	RoleBindingId   primitive.ObjectID  `bson:"role_binding_id"`
	RoleBindingName string              `bson:"role_binding_name"`
	Name            string              `bson:"name"`
	IsNamespaced    bool                `bson:"is_namespaced"`
	Namespace       string              `bson:"namespace"`
	Rules           []rbacv1.PolicyRule `bson:"rules"`
	Ownership       OwnershipInfo       `bson:"ownership"`
	Runtime         RuntimeInfo         `bson:"runtime"`
}

type Pod ¶

type Pod struct {
	Id           primitive.ObjectID `bson:"_id"`
	NodeId       primitive.ObjectID `bson:"node_id"`
	IsNamespaced bool               `bson:"is_namespaced"`
	K8           corev1.Pod         `bson:"k8"`
	Ownership    OwnershipInfo      `bson:"ownership"`
	Runtime      RuntimeInfo        `bson:"runtime"`
}

type Role ¶

type Role struct {
	Id           primitive.ObjectID  `bson:"_id"`
	Name         string              `bson:"name"`
	IsNamespaced bool                `bson:"is_namespaced"`
	Namespace    string              `bson:"namespace"`
	Rules        []rbacv1.PolicyRule `bson:"rules"`
	Ownership    OwnershipInfo       `bson:"ownership"`
	Runtime      RuntimeInfo         `bson:"runtime"`
}

type RoleBinding ¶

type RoleBinding struct {
	Id           primitive.ObjectID `bson:"_id"`
	Name         string             `bson:"name"`
	RoleId       primitive.ObjectID `bson:"role_id"`
	IsNamespaced bool               `bson:"is_namespaced"`
	Namespace    string             `bson:"namespace"`
	Subjects     []BindSubject      `bson:"subjects"`
	Ownership    OwnershipInfo      `bson:"ownership"`
	Runtime      RuntimeInfo        `bson:"runtime"`
	K8           rbacv1.RoleRef     `bson:"k8"`
}

type RuntimeInfo ¶ added in v1.2.0

type RuntimeInfo struct {
	RunID   string `bson:"runID"`
	Cluster string `bson:"cluster"`
}

RuntimeInfo encapsulates information about the KubeHound run.

func Runtime ¶ added in v1.2.0

func Runtime(cfg *config.DynamicConfig) RuntimeInfo

Runtime extracts information about the KubeHound run from passed in config.

type Volume ¶

type Volume struct {
	Id          primitive.ObjectID `bson:"_id"`
	PodId       primitive.ObjectID `bson:"pod_id"`
	NodeId      primitive.ObjectID `bson:"node_id"`
	ContainerId primitive.ObjectID `bson:"container_id"`
	ProjectedId primitive.ObjectID `bson:"projected_id"`
	Name        string             `bson:"name"`
	Type        string             `bson:"type"`
	SourcePath  string             `bson:"source"`
	MountPath   string             `bson:"mount"`
	ReadOnly    bool               `bson:"readonly"`
	Ownership   OwnershipInfo      `bson:"ownership"`
	Runtime     RuntimeInfo        `bson:"runtime"`
	K8          corev1.Volume      `bson:"k8"`
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL