Documentation
Index
- Constants
- Variables
- func DefaultHostMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error)
- func DefaultKubernetesMetadataExtractor(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error)
- func DefaultMetadataExtractor(info *types.ContainerJSON) (*policy.PURuntime, error)
- func ErrNetclsAlreadyProgrammed(mark string) error
- func IsErrNetclsAlreadyProgrammed(err error) bool
- func IsErrNoHostNetworkPod(err error) bool
- func IsHostPU(runtime policy.RuntimeReader, mode constants.ModeType) bool
- func IsHostmodePU(runtime policy.RuntimeReader, mode constants.ModeType) bool
- func ProcessInfo(pid int32) []string
- func SSHMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error)
- func SystemdEventMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error)
- func UIDMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error)
- type DockerMetadataExtractor
- type EventMetadataExtractor
- type KubernetesMetadataExtractorType
- type LinuxMetadataExtractorType
- type PodMetadataExtractor
- type PodNetclsProgrammer
- type PodPidsSetMaxProcsProgrammer
- type PodSandboxExtractor
- type ResetNetclsKubepods
Constants
const KubernetesContainerNameIdentifier = "@usr:io.kubernetes.container.name"
KubernetesContainerNameIdentifier is the label used by Docker for the K8S container name.
const KubernetesInfraContainerName = "POD"
KubernetesInfraContainerName is the name of the infra POD.
const KubernetesPodNameIdentifier = "@usr:io.kubernetes.pod.name"
KubernetesPodNameIdentifier is the label used by Docker for the K8S pod name.
const KubernetesPodNamespaceIdentifier = "@usr:io.kubernetes.pod.namespace"
KubernetesPodNamespaceIdentifier is the label used by Docker for the K8S namespace.
const UpstreamNameIdentifier = "@app:k8s:name"
UpstreamNameIdentifier is the identifier used to identify the name on the resulting PU
const UpstreamNamespaceIdentifier = "@app:k8s:namespace"
UpstreamNamespaceIdentifier is the identifier used to identify the namespace on the resulting PU
const UpstreamOldNameIdentifier = "@k8s:name"
UpstreamOldNameIdentifier is the identifier used to identify the name on the resulting PU TODO: Remove OLDTAGS
const UpstreamOldNamespaceIdentifier = "@k8s:namespace"
UpstreamOldNamespaceIdentifier is the identifier used to identify the namespace on the resulting PU
const UserLabelPrefix = "@usr:"
UserLabelPrefix is the label prefix for all user defined labels
Variables
var ErrNoHostNetworkPod = fmt.Errorf("pod is not a host network pod")
ErrNoHostNetworkPod is returned from the NetclsProgrammer if the given pod is not a host network pod.
Functions
func DefaultHostMetadataExtractor
DefaultHostMetadataExtractor is a host specific metadata extractor
func DefaultKubernetesMetadataExtractor
func DefaultKubernetesMetadataExtractor(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error)
DefaultKubernetesMetadataExtractor is the default implementation of the metadata extractor for Kubernetes. It only activates the POD (infra) containers and strips all the labels coming from Docker, keeping only the ones from Kubernetes.
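The label filtering and activation decision described above, as an added example that is not the package's own code. It reuses the constants documented on this page, assumes (hypothetically) that every label the kubelet sets on a Docker container shares the `@usr:io.kubernetes.` prefix, and works on plain label maps instead of `*policy.PURuntime` so that it builds without importing Trireme; `ExtractKubernetesTags` and `ErrNotKubernetesContainer` are names chosen for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constants copied from the documented extractors package so that this
// example builds without importing Trireme.
const (
	UserLabelPrefix                   = "@usr:"
	KubernetesContainerNameIdentifier = "@usr:io.kubernetes.container.name"
	KubernetesInfraContainerName      = "POD"
	KubernetesPodNameIdentifier       = "@usr:io.kubernetes.pod.name"
	KubernetesPodNamespaceIdentifier  = "@usr:io.kubernetes.pod.namespace"
	UpstreamNameIdentifier            = "@app:k8s:name"
	UpstreamNamespaceIdentifier       = "@app:k8s:namespace"
)

// kubernetesLabelPrefix is an assumption made for this example: labels that
// the kubelet attaches to a container are reported by Docker under this prefix.
const kubernetesLabelPrefix = UserLabelPrefix + "io.kubernetes."

// ErrNotKubernetesContainer is a hypothetical sentinel for this example; the
// real package returns its own errors.
var ErrNotKubernetesContainer = errors.New("container carries no kubernetes labels")

// ExtractKubernetesTags mirrors the documented behaviour on plain maps: it keeps
// only the Kubernetes labels, rewrites pod name and namespace to the upstream
// identifiers, and returns true (activate) only for the infra "POD" container.
func ExtractKubernetesTags(dockerLabels map[string]string) (map[string]string, bool, error) {
	containerName, ok := dockerLabels[KubernetesContainerNameIdentifier]
	if !ok {
		return nil, false, ErrNotKubernetesContainer
	}
	// Application and sidecar containers share the infra container's network
	// namespace, so only the infra container becomes a processing unit.
	if containerName != KubernetesInfraContainerName {
		return nil, false, nil
	}
	tags := make(map[string]string)
	for k, v := range dockerLabels {
		if !strings.HasPrefix(k, kubernetesLabelPrefix) {
			continue // drop every Docker label that Kubernetes did not set
		}
		switch k {
		case KubernetesPodNameIdentifier:
			tags[UpstreamNameIdentifier] = v
		case KubernetesPodNamespaceIdentifier:
			tags[UpstreamNamespaceIdentifier] = v
		default:
			tags[k] = v
		}
	}
	return tags, true, nil
}

func main() {
	// Constructed sample labels, shaped like what Docker reports for a
	// kubelet-managed infra container (values are made up).
	infra := map[string]string{
		KubernetesContainerNameIdentifier: KubernetesInfraContainerName,
		KubernetesPodNameIdentifier:       "web-7d4f9",
		KubernetesPodNamespaceIdentifier:  "prod",
		"@usr:io.kubernetes.pod.uid":      "c0ffee",
		"@usr:team":                       "platform", // user label, dropped
		"@sys:image":                      "nginx:1.25",
	}
	tags, activate, err := ExtractKubernetesTags(infra)
	fmt.Println("activate:", activate, "err:", err)
	for k, v := range tags {
		fmt.Printf("  %s=%s\n", k, v)
	}
}
```

Because only the infra container is activated, every policy decision for the pod hangs off the Kubernetes-derived tags; user-supplied Docker labels cannot smuggle in `@app:k8s:*` values since they are discarded before the rewrite.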
func DefaultMetadataExtractor
func DefaultMetadataExtractor(info *types.ContainerJSON) (*policy.PURuntime, error)
DefaultMetadataExtractor is the default metadata extractor for Docker
func ErrNetclsAlreadyProgrammed
ErrNetclsAlreadyProgrammed is returned from the NetclsProgrammer when the net_cls cgroup for this pod has already been programmed
func IsErrNetclsAlreadyProgrammed
IsErrNetclsAlreadyProgrammed checks if the provided error is an ErrNetclsAlreadyProgrammed error
func IsErrNoHostNetworkPod
IsErrNoHostNetworkPod checks if the provided error is an ErrNoHostNetworkPod error
func IsHostPU
func IsHostPU(runtime policy.RuntimeReader, mode constants.ModeType) bool
IsHostPU returns true if the puType stored by the policy extensions is a host PU
func IsHostmodePU
func IsHostmodePU(runtime policy.RuntimeReader, mode constants.ModeType) bool
IsHostmodePU returns true if the puType stored by the policy extensions is a hostmode PU
func ProcessInfo
ProcessInfo returns all metadata captured by a process
func SSHMetadataExtractor
SSHMetadataExtractor is a metadata extractor for ssh.
func SystemdEventMetadataExtractor
SystemdEventMetadataExtractor is a systemd based metadata extractor TODO: Remove OLDTAGS
Types
type DockerMetadataExtractor
type DockerMetadataExtractor func(*types.ContainerJSON) (*policy.PURuntime, error)
A DockerMetadataExtractor is a function used to extract a *policy.PURuntime from a given docker ContainerJSON.
func NewExternalExtractor
func NewExternalExtractor(filePath string) (DockerMetadataExtractor, error)
NewExternalExtractor returns a new bash metadata extractor for Docker that calls the executable given as parameter, which generates a Policy Runtime on its standard output. The input and output of the executable are in standard JSON.
type EventMetadataExtractor
EventMetadataExtractor is a function used to extract a *policy.PURuntime from a given EventInfo. The EventInfo is generic and is provided over the RPC interface
type KubernetesMetadataExtractorType
type KubernetesMetadataExtractorType func(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error)
KubernetesMetadataExtractorType is an extractor function for Kubernetes. It takes as parameters a standard Docker runtime and a Kubernetes Pod definition and returns a PolicyRuntime. This extractor also provides an extra boolean return value that is used as a token to decide if activation is required.
type LinuxMetadataExtractorType
LinuxMetadataExtractorType is a type of Linux metadata extractors
type PodMetadataExtractor
type PodMetadataExtractor func(context.Context, client.Client, *runtime.Scheme, *corev1.Pod, bool) (*policy.PURuntime, error)
PodMetadataExtractor is a function used to extract a *policy.PURuntime from a given Kubernetes pod. It can furthermore extract more information using the client. The 5th argument (bool) indicates if a network namespace should get extracted
type PodNetclsProgrammer
PodNetclsProgrammer is a function used to program the net_cls cgroup of a pod for Trireme. This has to be used when Trireme is used in conjunction with pods that are in HostNetwork=true mode.
type PodPidsSetMaxProcsProgrammer
PodPidsSetMaxProcsProgrammer is a function used to program the pids cgroup of a pod for Trireme.
type PodSandboxExtractor
PodSandboxExtractor is a function used to extract the SandboxID from a given pod.
type ResetNetclsKubepods
ResetNetclsKubepods is a function which must be implemented to reset all net_cls cgroup programming done by Trireme. It is called during Resync events in monitors and guarantees a fresh slate for the Kubernetes monitors.