Documentation ¶
Index ¶
- Constants
- Variables
- type GraphConverter
- func (c *GraphConverter) Container(input *store.Container, parent *store.Pod) (*graph.Container, error)
- func (c *GraphConverter) Endpoint(input *store.Endpoint) (*graph.Endpoint, error)
- func (c *GraphConverter) Identity(input *store.Identity) (*graph.Identity, error)
- func (c *GraphConverter) Node(input *store.Node) (*graph.Node, error)
- func (c *GraphConverter) PermissionSet(input *store.PermissionSet) (*graph.PermissionSet, error)
- func (c *GraphConverter) Pod(input *store.Pod) (*graph.Pod, error)
- func (c *GraphConverter) Volume(input *store.Volume, parent *store.Pod) (*graph.Volume, error)
- type ObjectIDConverter
- type StoreConverter
- func (c *StoreConverter) ClusterRole(_ context.Context, input types.ClusterRoleType) (*store.Role, error)
- func (c *StoreConverter) ClusterRoleBinding(ctx context.Context, input types.ClusterRoleBindingType) (*store.RoleBinding, error)
- func (c *StoreConverter) Container(_ context.Context, input types.ContainerType, parent *store.Pod) (*store.Container, error)
- func (c *StoreConverter) Endpoint(_ context.Context, addr discoveryv1.Endpoint, port discoveryv1.EndpointPort, ...) (*store.Endpoint, error)
- func (c *StoreConverter) EndpointPrivate(_ context.Context, port *corev1.ContainerPort, pod *store.Pod, ...) (*store.Endpoint, error)
- func (c *StoreConverter) Identity(_ context.Context, input *store.BindSubject, parent *store.RoleBinding) (*store.Identity, error)
- func (c *StoreConverter) Node(ctx context.Context, input types.NodeType) (*store.Node, error)
- func (c *StoreConverter) PermissionSet(ctx context.Context, roleBinding *store.RoleBinding) (*store.PermissionSet, error)
- func (c *StoreConverter) PermissionSetCluster(ctx context.Context, clusterRoleBinding *store.RoleBinding) (*store.PermissionSet, error)
- func (c *StoreConverter) Pod(ctx context.Context, input types.PodType) (*store.Pod, error)
- func (c *StoreConverter) Role(_ context.Context, input types.RoleType) (*store.Role, error)
- func (c *StoreConverter) RoleBinding(ctx context.Context, input types.RoleBindingType) (*store.RoleBinding, error)
- func (c *StoreConverter) Volume(ctx context.Context, input types.VolumeMountType, pod *store.Pod, ...) (*store.Volume, error)
Constants ¶
const (
	// EmptyNamespace is the namespace value used when an object carries no
	// namespace. NOTE(review): presumably this marks cluster-scoped objects
	// (nodes, ClusterRoles, ClusterRoleBindings) — confirm against callers.
	EmptyNamespace = ""
)
Variables ¶
var (
	// ErrUnsupportedVolume signals a volume type the converter does not model.
	ErrUnsupportedVolume = errors.New("provided volume is not currently supported")
	// ErrNoCacheInitialized signals that a conversion needing the cache reader
	// was attempted on a converter built without one (see NewStore vs
	// NewStoreWithCache).
	ErrNoCacheInitialized = errors.New("cache reader required for conversion")
	// ErrDanglingRoleBinding signals a (cluster) role binding whose roleRef
	// resolves to no known role. In Kubernetes such a binding grants nothing,
	// but it is worth surfacing: it usually indicates stale or mis-targeted RBAC.
	ErrDanglingRoleBinding = errors.New("role binding found with no matching role")
	// ErrProjectedDefaultToken signals a projected service-account token that
	// belongs to the default service account, which carries no RBAC permissions
	// unless explicitly bound. NOTE(review): the message reads "grant no access";
	// left unchanged here because it is a runtime string.
	ErrProjectedDefaultToken = errors.New("projected volume grant no access (default serviceaccount)")
	// ErrEndpointTarget signals an EndpointSlice entry whose targetRef could not
	// be resolved to a known pod.
	ErrEndpointTarget = errors.New("target reference for an endpoint could not be resolved")
	// ErrRoleCacheMiss signals that a role referenced by a binding was expected
	// in the cache but was not found.
	ErrRoleCacheMiss = errors.New("missing role in cache")
	// ErrRoleBindProperties signals an invalid pairing, e.g. a ClusterRoleBinding
	// referencing a namespaced Role, which Kubernetes RBAC does not permit.
	ErrRoleBindProperties = errors.New("incorrect combination of (cluster) role and (cluster) role binding properties")
)
Functions ¶
This section is empty.
Types ¶
type GraphConverter ¶
type GraphConverter struct {
// contains filtered or unexported fields
}
GraphConverter converts an input store model to its equivalent graph model.
func NewGraph ¶
func NewGraph(cfg *config.KubehoundConfig) *GraphConverter
NewGraph returns a new graph converter instance.
func (*GraphConverter) Container ¶
func (c *GraphConverter) Container(input *store.Container, parent *store.Pod) (*graph.Container, error)
Container returns the graph representation of a container vertex from a store container model input.
func (*GraphConverter) Endpoint ¶
Endpoint returns the graph representation of an endpoint vertex from a store endpoint model input.
func (*GraphConverter) Identity ¶
Identity returns the graph representation of an identity vertex from a store identity model input.
func (*GraphConverter) Node ¶
Node returns the graph representation of a node vertex from a store node model input.
func (*GraphConverter) PermissionSet ¶
func (c *GraphConverter) PermissionSet(input *store.PermissionSet) (*graph.PermissionSet, error)
PermissionSet returns the graph representation of a permission set vertex from a store permission set model input.
type ObjectIDConverter ¶
type ObjectIDConverter struct {
// contains filtered or unexported fields
}
ObjectIDConverter converts a store object ID to the ID of an existing graph vertex.
func NewObjectID ¶
func NewObjectID(cache cache.CacheReader) *ObjectIDConverter
NewObjectID creates a new ObjectIDConverter instance from the provided cache reader.
type StoreConverter ¶
type StoreConverter struct {
// contains filtered or unexported fields
}
StoreConverter converts an input K8s model to its equivalent store model.
func NewStore ¶
func NewStore(cfg *config.KubehoundConfig) *StoreConverter
NewStore returns a new store converter instance.
func NewStoreWithCache ¶
func NewStoreWithCache(cfg *config.KubehoundConfig, cache cache.CacheReader) *StoreConverter
NewStoreWithCache returns a new store converter instance with read access to the cache.
func (*StoreConverter) ClusterRole ¶
func (c *StoreConverter) ClusterRole(_ context.Context, input types.ClusterRoleType) (*store.Role, error)
ClusterRole returns the store representation of a K8s cluster role from an input K8s ClusterRole object.
func (*StoreConverter) ClusterRoleBinding ¶
func (c *StoreConverter) ClusterRoleBinding(ctx context.Context, input types.ClusterRoleBindingType) (*store.RoleBinding, error)
ClusterRoleBinding returns the store representation of a K8s cluster role binding from an input K8s ClusterRoleBinding object. NOTE: requires cache access (RoleKey).
func (*StoreConverter) Container ¶
func (c *StoreConverter) Container(_ context.Context, input types.ContainerType, parent *store.Pod) (*store.Container, error)
Container returns the store representation of a K8s container from an input K8s container object.
func (*StoreConverter) Endpoint ¶
func (c *StoreConverter) Endpoint(_ context.Context, addr discoveryv1.Endpoint, port discoveryv1.EndpointPort, parent types.EndpointType) (*store.Endpoint, error)
Endpoint returns the store representation of a K8s endpoint from input Endpoint and EndpointPort objects (subfields of an EndpointSlice). NOTE: store.Endpoint does not map directly to a K8s API object and instead derives from the elements of an EndpointSlice.
func (*StoreConverter) EndpointPrivate ¶
func (c *StoreConverter) EndpointPrivate(_ context.Context, port *corev1.ContainerPort, pod *store.Pod, container *store.Container) (*store.Endpoint, error)
EndpointPrivate returns the store representation of a K8s endpoint from an input port, container and pod. This variant handles the case where the provided container port does not match any known EndpointSlice. The generated endpoint is not reachable from outside the cluster, but it remains a viable target for an attacker who already has a presence inside the cluster (e.g. from a compromised pod).
func (*StoreConverter) Identity ¶
func (c *StoreConverter) Identity(_ context.Context, input *store.BindSubject, parent *store.RoleBinding) (*store.Identity, error)
Identity returns the store representation of a K8s identity (the subject of a role binding) from an input store BindSubject (subfield of RoleBinding). NOTE: store.Identity does not map directly to a K8s API object and instead derives from the subject of a role binding.
func (*StoreConverter) Node ¶
Node returns the store representation of a K8s node from an input K8s node object.
func (*StoreConverter) PermissionSet ¶
func (c *StoreConverter) PermissionSet(ctx context.Context, roleBinding *store.RoleBinding) (*store.PermissionSet, error)
PermissionSet returns the store representation of a K8s Role / RoleBinding combination from input K8s objects. RBAC rules and limitations:
- Roles and RoleBindings must exist in the same namespace.
- A RoleBinding may live in a different namespace from the Service Accounts it binds; those subjects then gain the role's permissions in the RoleBinding's namespace, not in their own.
- RoleBindings can reference ClusterRoles, but the ClusterRole's rules are then scoped to the namespace of the RoleBinding only.
func (*StoreConverter) PermissionSetCluster ¶
func (c *StoreConverter) PermissionSetCluster(ctx context.Context, clusterRoleBinding *store.RoleBinding) (*store.PermissionSet, error)
PermissionSetCluster returns the store representation of a K8s ClusterRole / ClusterRoleBinding combination from input K8s objects. RBAC rules and limitations:
- ClusterRoleBindings link subjects to ClusterRoles and grant the role's permissions cluster-wide: in every namespace and on cluster-scoped resources.
- ClusterRoleBindings cannot reference namespaced Roles; such a pairing is rejected as an invalid combination.
func (*StoreConverter) Pod ¶
Pod returns the store representation of a K8s pod from an input K8s pod object. NOTE: requires cache access (NodeKey).
func (*StoreConverter) Role ¶
Role returns the store representation of a K8s role from an input K8s Role object.
func (*StoreConverter) RoleBinding ¶
func (c *StoreConverter) RoleBinding(ctx context.Context, input types.RoleBindingType) (*store.RoleBinding, error)
RoleBinding returns the store representation of a K8s role binding from an input K8s RoleBinding object. NOTE: requires cache access (RoleKey).
func (*StoreConverter) Volume ¶
func (c *StoreConverter) Volume(ctx context.Context, input types.VolumeMountType, pod *store.Pod, container *store.Container) (*store.Volume, error)
Volume returns the store representation of a K8s mounted volume from an input K8s volume object. NOTE: requires cache access (IdentityKey).