store

package
v1.3.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 25, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source
const (
	DefaultEndpointProtocol = "TCP"
	DefaultPortName         = ""
)

Variables

This section is empty.

Functions

func ObjectID

func ObjectID() primitive.ObjectID

ObjectID returns a MongoDB object ID. See: https://www.mongodb.com/docs/manual/reference/method/ObjectId/

Types

type BindSubject

type BindSubject struct {
	IdentityId primitive.ObjectID `bson:"identity_id"`
	Subject    rbacv1.Subject     `bson:"subject"`
}

type Container

type Container struct {
	Id        primitive.ObjectID `bson:"_id"`
	PodId     primitive.ObjectID `bson:"pod_id"`
	NodeId    primitive.ObjectID `bson:"node_id"`
	Inherited ContainerInherited `bson:"inherited"`
	K8        corev1.Container   `bson:"k8"`
	Ownership OwnershipInfo      `bson:"ownership"`
	Runtime   RuntimeInfo        `bson:"runtime"`
}

type ContainerInherited

type ContainerInherited struct {
	Namespace      string `bson:"namespace"`
	PodName        string `bson:"pod_name"`
	NodeName       string `bson:"node_name"`
	HostPID        bool   `bson:"host_pid"`
	HostIPC        bool   `bson:"host_ipc"`
	HostNetwork    bool   `bson:"host_net"`
	ServiceAccount string `bson:"service_account"`
	RunAsUser      int64  `bson:"run_as_user"`
}

Properties that are interesting to attackers can be set at a Pod level such as hostPid, or container level such as capabilities. To simplify the graph model, the container node is chosen as the single source of truth for all host security related information. Any capabilities derived from the containing Pod are set ONLY on the container (and inheritance/override rules applied)

type Endpoint

type Endpoint struct {
	Id           primitive.ObjectID          `bson:"_id"`
	ContainerId  primitive.ObjectID          `bson:"container_id"`
	PodName      string                      `bson:"pod_name"`
	PodNamespace string                      `bson:"pod_namespace"`
	NodeName     string                      `bson:"node_name"`
	IsNamespaced bool                        `bson:"is_namespaced"`
	Namespace    string                      `bson:"namespace"`
	Name         string                      `bson:"name"`
	HasSlice     bool                        `bson:"has_slice"`
	ServiceName  string                      `bson:"service_name"`
	ServiceDns   string                      `bson:"service_dns"`
	K8           metav1.ObjectMeta           `bson:"k8"`
	AddressType  discoveryv1.AddressType     `bson:"address_type"`
	Backend      discoveryv1.Endpoint        `bson:"backend"`
	Port         discoveryv1.EndpointPort    `bson:"port"`
	Ownership    OwnershipInfo               `bson:"ownership"`
	Runtime      RuntimeInfo                 `bson:"runtime"`
	Exposure     shared.EndpointExposureType `bson:"access"`
}

func (*Endpoint) SafePort

func (e *Endpoint) SafePort() int

SafePort is a safe accessor for the endpoint port.

func (*Endpoint) SafePortName

func (e *Endpoint) SafePortName() string

SafePortName is a safe accessor for the endpoint port name.

func (*Endpoint) SafeProtocol

func (e *Endpoint) SafeProtocol() string

SafeProtocol is a safe accessor for the endpoint protocol.

type Identity

type Identity struct {
	Id           primitive.ObjectID `bson:"_id"`
	Name         string             `bson:"name"`
	IsNamespaced bool               `bson:"is_namespaced"`
	Namespace    string             `bson:"namespace"`
	Type         string             `bson:"type"`
	Ownership    OwnershipInfo      `bson:"ownership"`
	Runtime      RuntimeInfo        `bson:"runtime"`
}

type Node

type Node struct {
	Id           primitive.ObjectID `bson:"_id"`
	UserId       primitive.ObjectID `bson:"user_id"`
	IsNamespaced bool               `bson:"is_namespaced"`
	K8           corev1.Node        `bson:"k8"`
	Ownership    OwnershipInfo      `bson:"ownership"`
	Runtime      RuntimeInfo        `bson:"runtime"`
}

type OwnershipInfo

type OwnershipInfo struct {
	Application string `bson:"application"`
	Team        string `bson:"team"`
	Service     string `bson:"service"`
}

OwnershipInfo encapsulates internal ownership information of Kubernetes assets.

func ExtractOwnership

func ExtractOwnership(labels map[string]string) OwnershipInfo

ExtractOwnership extracts ownership information from a provided Kubernets labels map.

type PermissionSet

type PermissionSet struct {
	Id              primitive.ObjectID  `bson:"_id"`
	RoleId          primitive.ObjectID  `bson:"role_id"`
	RoleName        string              `bson:"role_name"`
	RoleBindingId   primitive.ObjectID  `bson:"role_binding_id"`
	RoleBindingName string              `bson:"role_binding_name"`
	Name            string              `bson:"name"`
	IsNamespaced    bool                `bson:"is_namespaced"`
	Namespace       string              `bson:"namespace"`
	Rules           []rbacv1.PolicyRule `bson:"rules"`
	Ownership       OwnershipInfo       `bson:"ownership"`
	Runtime         RuntimeInfo         `bson:"runtime"`
}

type Pod

type Pod struct {
	Id           primitive.ObjectID `bson:"_id"`
	NodeId       primitive.ObjectID `bson:"node_id"`
	IsNamespaced bool               `bson:"is_namespaced"`
	K8           corev1.Pod         `bson:"k8"`
	Ownership    OwnershipInfo      `bson:"ownership"`
	Runtime      RuntimeInfo        `bson:"runtime"`
}

type Role

type Role struct {
	Id           primitive.ObjectID  `bson:"_id"`
	Name         string              `bson:"name"`
	IsNamespaced bool                `bson:"is_namespaced"`
	Namespace    string              `bson:"namespace"`
	Rules        []rbacv1.PolicyRule `bson:"rules"`
	Ownership    OwnershipInfo       `bson:"ownership"`
	Runtime      RuntimeInfo         `bson:"runtime"`
}

type RoleBinding

type RoleBinding struct {
	Id           primitive.ObjectID `bson:"_id"`
	Name         string             `bson:"name"`
	RoleId       primitive.ObjectID `bson:"role_id"`
	IsNamespaced bool               `bson:"is_namespaced"`
	Namespace    string             `bson:"namespace"`
	Subjects     []BindSubject      `bson:"subjects"`
	Ownership    OwnershipInfo      `bson:"ownership"`
	Runtime      RuntimeInfo        `bson:"runtime"`
	K8           rbacv1.RoleRef     `bson:"k8"`
}

type RuntimeInfo added in v1.2.0

type RuntimeInfo struct {
	RunID   string `bson:"runID"`
	Cluster string `bson:"cluster"`
}

RuntimeInfo encapsulates information about the KubeHound run.

func Runtime added in v1.2.0

func Runtime(cfg *config.DynamicConfig) RuntimeInfo

Runtime extracts information about the KubeHound run from passed in config.

type Volume

type Volume struct {
	Id          primitive.ObjectID `bson:"_id"`
	PodId       primitive.ObjectID `bson:"pod_id"`
	NodeId      primitive.ObjectID `bson:"node_id"`
	ContainerId primitive.ObjectID `bson:"container_id"`
	ProjectedId primitive.ObjectID `bson:"projected_id"`
	Name        string             `bson:"name"`
	Type        string             `bson:"type"`
	SourcePath  string             `bson:"source"`
	MountPath   string             `bson:"mount"`
	ReadOnly    bool               `bson:"readonly"`
	Ownership   OwnershipInfo      `bson:"ownership"`
	Runtime     RuntimeInfo        `bson:"runtime"`
	K8          corev1.Volume      `bson:"k8"`
}

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL