Documentation
Index
- Constants
- func ApplyOverride(auditResult *kubeaudit.AuditResult, containerName string, ...) *kubeaudit.AuditResult
- func GetContainerOverrideLabel(containerName, overrideLabel string) string
- func GetContainerOverrideReason(containerName string, resource k8stypes.Resource, overrideLabel string) (hasOverride bool, reason string)
- func GetNamespaceOverrideLabel(overrideLabel string) string
- func GetOverriddenResultName(resultName string) string
- func GetPodOverrideLabel(overrideLabel string) string
- func GetResourceOverrideReason(resource k8stypes.Resource, auditorOverrideLabel string) (hasOverride bool, reason string)
- func NewRedundantOverrideResult(containerName string, overrideReason, overrideLabel string) *kubeaudit.AuditResult
Constants
const (
	// ContainerOverrideLabelPrefix is used to disable an auditor for a specific container
	ContainerOverrideLabelPrefix = "container.audit.kubernetes.io/"

	// PodOverrideLabelPrefix is used to disable an auditor for a specific pod
	PodOverrideLabelPrefix = "audit.kubernetes.io/pod."

	// NamespaceOverrideLabelPrefix is used to disable an auditor for a specific namespace resource
	NamespaceOverrideLabelPrefix = "audit.kubernetes.io/namespace."
)
Variables
This section is empty.
Functions
func ApplyOverride
func ApplyOverride(auditResult *kubeaudit.AuditResult, containerName string, resource k8stypes.Resource, overrideLabel string) *kubeaudit.AuditResult
ApplyOverride checks if hasOverride is true. If it is, it changes the severity of the audit result from error to warn, adds the override reason to the metadata, and removes the pending fix.
func GetContainerOverrideReason
func GetContainerOverrideReason(containerName string, resource k8stypes.Resource, overrideLabel string) (hasOverride bool, reason string)
GetContainerOverrideReason returns true if the resource has a pod-level label disabling a given auditor, together with the value of the label, which is meant to represent the reason for overriding the auditor.
Container override labels disable the auditor for that specific container and have the following format:
container.audit.kubernetes.io/[container name].[auditor override label]
If there is no container override label, it calls GetResourceOverrideReason().
func GetOverriddenResultName
GetOverriddenResultName takes an audit result name and modifies it to indicate that the security issue was ignored by an override label.
func GetPodOverrideLabel
func GetResourceOverrideReason
func GetResourceOverrideReason(resource k8stypes.Resource, auditorOverrideLabel string) (hasOverride bool, reason string)
GetResourceOverrideReason returns true if the resource has a label disabling a given auditor, together with the value of the label, which is meant to represent the reason for overriding the auditor.
Pod override labels disable the auditor for the pod and all containers within the pod and have the following format:
audit.kubernetes.io/pod.[auditor override label]
Namespace override labels disable the auditor for the namespace resource and have the following format:
audit.kubernetes.io/namespace.[auditor override label]
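The three label formats above can be parsed back into scope, container and auditor to inventory which checks a resource has switched off and what reason was recorded. The following Go program is an added example, not kubeaudit's own code: `Override`, `ListOverrides` and the sample labels are hypothetical, and it assumes container names contain no dot.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Prefixes as listed in the Constants section of this page.
const (
	containerPrefix = "container.audit.kubernetes.io/"
	podPrefix       = "audit.kubernetes.io/pod."
	namespacePrefix = "audit.kubernetes.io/namespace."
)

// Override is a hypothetical record of one override label found on a resource.
type Override struct{ Key, Scope, Container, Auditor, Reason string }

// ListOverrides returns the override labels in labels, sorted by label key.
func ListOverrides(labels map[string]string) []Override {
	var out []Override
	for k, v := range labels {
		switch {
		case strings.HasPrefix(k, containerPrefix):
			// Assumption: container names contain no dot, so split on the first.
			p := strings.SplitN(strings.TrimPrefix(k, containerPrefix), ".", 2)
			if len(p) == 2 && p[0] != "" && p[1] != "" {
				out = append(out, Override{k, "container", p[0], p[1], v})
			}
		case strings.HasPrefix(k, podPrefix):
			out = append(out, Override{k, "pod", "", strings.TrimPrefix(k, podPrefix), v})
		case strings.HasPrefix(k, namespacePrefix):
			out = append(out, Override{k, "namespace", "", strings.TrimPrefix(k, namespacePrefix), v})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

func main() {
	// Constructed sample labels; the auditor label names are sample values.
	labels := map[string]string{
		"container.audit.kubernetes.io/sidecar.allow-run-as-root": "vendor image",
		"audit.kubernetes.io/pod.allow-privilege-escalation":      "",
	}
	for _, o := range ListOverrides(labels) {
		fmt.Printf("%-9s container=%q auditor=%s reason=%q\n", o.Scope, o.Container, o.Auditor, o.Reason)
	}
}
```

An entry with an empty `Reason`, like the pod-level label in the sample, is an override with no recorded justification and is worth a second look in review.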
func NewRedundantOverrideResult
func NewRedundantOverrideResult(containerName string, overrideReason, overrideLabel string) *kubeaudit.AuditResult
NewRedundantOverrideResult creates a new AuditResult at warning level telling the user to remove the override label: no security issues were found, so the label is redundant.
Types
This section is empty.