Documentation ¶
Overview ¶
Package trivyoperator provides primitives for working with Trivy-operator toolkit.
Constants ¶
// Keys of the operator-wide settings held in ConfigData. The string values
// are the keys looked up in the backing ConfigMap/Secret, so they are part of
// the operator's configuration contract and must not be renamed casually.

// Scanner feature toggles.
const (
	KeyVulnerabilityScannerEnabled  = "vulnerabilityScannerEnabled"
	KeyExposedSecretsScannerEnabled = "exposedSecretsScannerEnabled"
	KeyGenerateSbom                 = "generateSbomEnabled"
)

// Scan job placement and hardening.
const (
	KeyVulnerabilityScansInSameNamespace = "vulnerabilityReports.scanJobsInSameNamespace"
	KeyScanJobcompressLogs               = "scanJob.compressLogs"
	// Container-level SecurityContext applied to scan job pods; see
	// ConfigData.GetScanJobContainerSecurityContext.
	KeyScanJobContainerSecurityContext = "scanJob.podTemplateContainerSecurityContext"
	KeyScanJobPodPriorityClassName     = "scanJob.podPriorityClassName"
)

// Node collector settings. Note that two naming schemes coexist
// ("nodeCollector.*" and "node.collector.*"); both are kept for compatibility.
const (
	KeyNodeCollectorVolumes         = "nodeCollector.volumes"
	KeyNodeCollectorExcludeNodes    = "nodeCollector.excludeNodes"
	KeyNodeCollectorVolumeMounts    = "nodeCollector.volumeMounts"
	KeyNodeCollectorImageRef        = "node.collector.imageRef"
	KeyNodeCollectorImagePullSecret = "node.collector.imagePullSecret"
	KeyNodeCollectorNodeSelector    = "node.collector.nodeSelector"
)

// Report and metrics shaping.
const (
	KeyReportResourceLabels         = "report.resourceLabels"
	KeyReportRecordFailedChecksOnly = "report.recordFailedChecksOnly"
	KeyAdditionalReportLabels       = "report.additionalLabels"
	KeyMetricsResourceLabelsPrefix  = "metrics.resourceLabelsPrefix"
)

// External endpoints and credentials.
const (
	KeyTrivyServerURL       = "trivy.serverURL"
	KeyPoliciesBundleOciRef = "policies.bundle.oci.ref"
	KeyPoliciesBundleOciUser = "policies.bundle.oci.user"
	// NOTE(review): this key names a credential. ConfigData is described as
	// ConfigMap-backed (see NewConfigManager) while SecretName is documented as
	// the home of sensitive configuration; confirm that this value is sourced
	// from the Secret and never written into the ConfigMap or logged.
	KeyPoliciesBundleOciPassword = "policies.bundle.oci.password"
)
// Well-known object names used by the operator. They double as the default
// location of its configuration and of the scan jobs it spawns.

// NamespaceName is the namespace in which Trivy-operator stores its
// configuration and where it runs scan jobs.
const NamespaceName = "trivy-operator"

// ConfigMapName is the ConfigMap where Trivy-operator stores its
// non-sensitive configuration.
const ConfigMapName = "trivy-operator"

// SecretName is the Secret where Trivy-operator stores its sensitive
// configuration (credentials belong here, not in the ConfigMap).
const SecretName = "trivy-operator"

// PoliciesConfigMapName is the ConfigMap used to store OPA Rego policies.
const PoliciesConfigMapName = "trivy-operator-policies-config"
// Label keys the operator stamps on the reports and helper objects it creates,
// and the label keys it uses to recognise cluster components it should treat
// specially.

// Labels identifying the scanned resource that a report belongs to.
const (
	LabelResourceKind      = "trivy-operator.resource.kind"
	LabelResourceName      = "trivy-operator.resource.name"
	LabelResourceNameHash  = "trivy-operator.resource.name-hash"
	LabelResourceNamespace = "trivy-operator.resource.namespace"
	LabelContainerName     = "trivy-operator.container.name"
)

// Labels used for change detection and report reuse.
const (
	LabelResourceSpecHash = "resource-spec-hash"
	LabelPluginConfigHash = "plugin-config-hash"
	LabelResourceImageID  = "resource-image-id"
	LabelReusedReport     = "reused-report"
)

// Labels describing the producer of a report or collector run.
const (
	LabelVulnerabilityReportScanner = "vulnerabilityReport.scanner"
	LabelNodeInfoCollector          = "node-info.collector"
	LabelK8SAppManagedBy            = "app.kubernetes.io/managed-by"
	AppTrivyOperator                = "trivy-operator"
	LabelKbom                       = "trivy-operator.aquasecurity.github.io/sbom-type"
)

// Labels used to recognise core/add-on components in the cluster.
const (
	LabelCoreComponent = "component"
	LabelAddon         = "k8s-app"
)

// OpenShift core component label values.
const (
	LabelOpenShiftAPIServer         = "apiserver"
	LabelOpenShiftControllerManager = "kube-controller-manager"
	LabelOpenShiftScheduler         = "scheduler"
	LabelOpenShiftEtcd              = "etcd"
)
// AnnotationContainerImages is the annotation key under which the operator
// records the container images associated with an object.
const AnnotationContainerImages = "trivy-operator.container-images"
Variables ¶
This section is empty.
Functions ¶
func GetPluginConfigMapName ¶
GetPluginConfigMapName returns the name of a ConfigMap used to configure a plugin with the given name. TODO Rename to GetPluginConfigObjectName as this method is used to determine the name of ConfigMaps and Secrets.
func GetVersionFromImageRef ¶
GetVersionFromImageRef returns the version identifier (as encoded in the reference) for the specified image reference, or an error when the reference cannot be parsed.
func LinuxNodeAffinity ¶
LinuxNodeAffinity constructs a new Affinity that restricts scheduling to Linux nodes.
Types ¶
type BuildInfo ¶
BuildInfo holds build info such as Git revision, Git SHA-1, build datetime, and the name of the executable binary.
type ConfigData ¶
ConfigData holds Trivy-operator configuration settings as a set of key-value pairs.
func GetDefaultConfig ¶
func GetDefaultConfig() ConfigData
GetDefaultConfig returns the default configuration settings.
func (ConfigData) ComplianceFailEntriesLimit ¶
func (c ConfigData) ComplianceFailEntriesLimit() int
func (ConfigData) CompressLogs ¶ added in v0.5.0
func (c ConfigData) CompressLogs() bool
CompressLogs reports whether scan job output should be compressed.
func (ConfigData) ExposedSecretsScannerEnabled ¶ added in v0.1.7
func (c ConfigData) ExposedSecretsScannerEnabled() bool
ExposedSecretsScannerEnabled reports whether the exposed-secrets scanner is enabled.
func (ConfigData) GeTrivyServerURL ¶ added in v0.7.0
func (c ConfigData) GeTrivyServerURL() string
func (ConfigData) GenerateSbomEnabled ¶ added in v0.15.0
func (c ConfigData) GenerateSbomEnabled() bool
GenerateSbomEnabled reports whether SBOM generation is enabled.
func (ConfigData) GetAdditionalReportLabels ¶ added in v0.13.0
func (c ConfigData) GetAdditionalReportLabels() (labels.Set, error)
func (ConfigData) GetConfigAuditReportsScanner ¶
func (c ConfigData) GetConfigAuditReportsScanner() Scanner
func (ConfigData) GetGetNodeCollectorVolumeMounts ¶ added in v0.13.0
func (c ConfigData) GetGetNodeCollectorVolumeMounts() ([]corev1.VolumeMount, error)
func (ConfigData) GetMetricsResourceLabelsPrefix ¶ added in v0.5.0
func (c ConfigData) GetMetricsResourceLabelsPrefix() string
func (ConfigData) GetNodeCollectorExcludeNodes ¶ added in v0.14.0
func (c ConfigData) GetNodeCollectorExcludeNodes() (map[string]string, error)
func (ConfigData) GetNodeCollectorImagePullsecret ¶ added in v0.13.1
func (c ConfigData) GetNodeCollectorImagePullsecret() []corev1.LocalObjectReference
func (ConfigData) GetNodeCollectorVolumes ¶ added in v0.13.0
func (c ConfigData) GetNodeCollectorVolumes() ([]corev1.Volume, error)
func (ConfigData) GetReportResourceLabels ¶ added in v0.5.0
func (c ConfigData) GetReportResourceLabels() []string
func (ConfigData) GetRequiredData ¶
func (c ConfigData) GetRequiredData(key string) (string, error)
func (ConfigData) GetScanJobAnnotations ¶
func (c ConfigData) GetScanJobAnnotations() (map[string]string, error)
func (ConfigData) GetScanJobAutomountServiceAccountToken ¶ added in v0.5.0
func (c ConfigData) GetScanJobAutomountServiceAccountToken() bool
func (ConfigData) GetScanJobContainerSecurityContext ¶ added in v0.2.0
func (c ConfigData) GetScanJobContainerSecurityContext() (*corev1.SecurityContext, error)
func (ConfigData) GetScanJobNodeSelector ¶ added in v0.2.0
func (c ConfigData) GetScanJobNodeSelector() (map[string]string, error)
func (ConfigData) GetScanJobPodPriorityClassName ¶ added in v0.13.0
func (c ConfigData) GetScanJobPodPriorityClassName() (string, error)
func (ConfigData) GetScanJobPodSecurityContext ¶ added in v0.1.6
func (c ConfigData) GetScanJobPodSecurityContext() (*corev1.PodSecurityContext, error)
func (ConfigData) GetScanJobPodTemplateLabels ¶
func (c ConfigData) GetScanJobPodTemplateLabels() (labels.Set, error)
func (ConfigData) GetScanJobTolerations ¶
func (c ConfigData) GetScanJobTolerations() ([]corev1.Toleration, error)
func (ConfigData) GetSkipInitContainers ¶ added in v0.16.0
func (c ConfigData) GetSkipInitContainers() bool
func (ConfigData) GetSkipResourceByLabels ¶ added in v0.7.0
func (c ConfigData) GetSkipResourceByLabels() []string
func (ConfigData) GetVulnerabilityReportsScanner ¶
func (c ConfigData) GetVulnerabilityReportsScanner() (Scanner, error)
func (ConfigData) NodeCollectorImageRef ¶ added in v0.12.0
func (c ConfigData) NodeCollectorImageRef() string
func (ConfigData) PolicyBundleOciPassword ¶ added in v0.19.0
func (c ConfigData) PolicyBundleOciPassword() string
func (ConfigData) PolicyBundleOciRef ¶ added in v0.19.0
func (c ConfigData) PolicyBundleOciRef() string
func (ConfigData) PolicyBundleOciUser ¶ added in v0.19.0
func (c ConfigData) PolicyBundleOciUser() string
func (ConfigData) ReportRecordFailedChecksOnly ¶ added in v0.7.0
func (c ConfigData) ReportRecordFailedChecksOnly() bool
func (ConfigData) Set ¶ added in v0.1.7
func (c ConfigData) Set(key, value string)
Set stores value under key in the config data, overwriting any existing entry.
func (ConfigData) UseNodeCollectorNodeSelector ¶ added in v0.18.2
func (c ConfigData) UseNodeCollectorNodeSelector() bool
func (ConfigData) VulnerabilityScanJobsInSameNamespace ¶
func (c ConfigData) VulnerabilityScanJobsInSameNamespace() bool
func (ConfigData) VulnerabilityScannerEnabled ¶ added in v0.1.7
func (c ConfigData) VulnerabilityScannerEnabled() bool
VulnerabilityScannerEnabled reports whether the vulnerability scanner is enabled.
type ConfigManager ¶
// ConfigManager defines methods for managing ConfigData.
//
// NOTE(review): ConfigData is documented as being backed by a ConfigMap (see
// NewConfigManager); keys that carry credentials, such as
// KeyPoliciesBundleOciPassword, should be read from the Secret named by
// SecretName rather than from the ConfigMap — confirm in the implementation.
type ConfigManager interface {
	// EnsureDefault creates the default configuration if it does not already
	// exist.
	EnsureDefault(ctx context.Context) error
	// Read loads the current configuration.
	Read(ctx context.Context) (ConfigData, error)
	// Delete removes the stored configuration.
	Delete(ctx context.Context) error
}
ConfigManager defines methods for managing ConfigData.
func NewConfigManager ¶
func NewConfigManager(client kubernetes.Interface, namespace string) ConfigManager
NewConfigManager constructs a new ConfigManager that uses kubernetes.Interface to manage ConfigData backed by the ConfigMap stored in the specified namespace.
type PluginConfig ¶
PluginConfig holds plugin configuration settings.
func (PluginConfig) GetRequiredData ¶
func (c PluginConfig) GetRequiredData(key string) (string, error)
type PluginContext ¶
// PluginContext is a plugin's execution context within the Trivy-operator
// toolkit. It grants the plugin access to its own configuration, to the
// namespace and ServiceAccount it runs workloads under, and to the
// operator-wide configuration.
type PluginContext interface {
	// GetName returns the name of the plugin.
	GetName() string
	// GetConfig returns the PluginConfig object that holds configuration settings of the plugin.
	GetConfig() (PluginConfig, error)
	// EnsureConfig ensures the PluginConfig, typically when a plugin is initialized.
	EnsureConfig(config PluginConfig) error
	// GetNamespace return the name of the K8s Namespace where Trivy-operator creates Jobs
	// and other helper objects.
	GetNamespace() string
	// GetServiceAccountName return the name of the K8s Service Account used to run workloads
	// created by Trivy-operator.
	// NOTE(review): workloads created through this context inherit whatever
	// RBAC is bound to this ServiceAccount; keep it scoped to what scan jobs
	// actually need (see also ConfigData.GetScanJobAutomountServiceAccountToken).
	GetServiceAccountName() string
	// GetTrivyOperatorConfig returns trivyoperator configuration.
	GetTrivyOperatorConfig() ConfigData
}
PluginContext is a plugin's execution context within the Trivy-operator toolkit. The context grants access to the toolkit's other facilities so that the plugin can interact with them.
type PluginContextBuilder ¶
type PluginContextBuilder struct {
// contains filtered or unexported fields
}
func NewPluginContext ¶
func NewPluginContext() *PluginContextBuilder
func (*PluginContextBuilder) Get ¶
func (b *PluginContextBuilder) Get() PluginContext
func (*PluginContextBuilder) WithClient ¶
func (b *PluginContextBuilder) WithClient(c client.Client) *PluginContextBuilder
func (*PluginContextBuilder) WithName ¶
func (b *PluginContextBuilder) WithName(name string) *PluginContextBuilder
func (*PluginContextBuilder) WithNamespace ¶
func (b *PluginContextBuilder) WithNamespace(namespace string) *PluginContextBuilder
func (*PluginContextBuilder) WithServiceAccountName ¶
func (b *PluginContextBuilder) WithServiceAccountName(name string) *PluginContextBuilder
func (*PluginContextBuilder) WithTrivyOperatorConfig ¶
func (b *PluginContextBuilder) WithTrivyOperatorConfig(config ConfigData) *PluginContextBuilder