trivyoperator

Published: Apr 4, 2024 License: Apache-2.0 Imports: 23 Imported by: 2

Documentation

Overview

Package trivyoperator provides primitives for working with Trivy-operator toolkit.

Index

Constants

// Configuration keys. Each string is the key under which a setting is stored;
// presumably they are looked up through ConfigData, whose accessor methods
// mirror these names — confirm against the ConfigData methods.
const (
	// Feature toggles for the individual scanners and for SBOM generation.
	KeyVulnerabilityScannerEnabled  = "vulnerabilityScannerEnabled"
	KeyExposedSecretsScannerEnabled = "exposedSecretsScannerEnabled"
	KeyGenerateSbom                 = "generateSbomEnabled"

	// Controls where vulnerability scan jobs are created; "same namespace" is
	// presumably the scanned workload's namespace — confirm in the caller.
	KeyVulnerabilityScansInSameNamespace = "vulnerabilityReports.scanJobsInSameNamespace"

	// Scan job output handling and node collector scheduling/volume settings.
	KeyScanJobcompressLogs       = "scanJob.compressLogs"
	KeyNodeCollectorVolumes      = "nodeCollector.volumes"
	KeyNodeCollectorExcludeNodes = "nodeCollector.excludeNodes"
	KeyNodeCollectorVolumeMounts = "nodeCollector.volumeMounts"

	// Container-level SecurityContext for scan job pods; presumably consumed by
	// ConfigData.GetScanJobContainerSecurityContext. Since this shapes the
	// privileges of the scan container, treat the value as security-sensitive
	// configuration when reviewing changes to it.
	KeyScanJobContainerSecurityContext = "scanJob.podTemplateContainerSecurityContext"

	// PriorityClass assigned to scan job pods.
	KeyScanJobPodPriorityClassName = "scanJob.podPriorityClassName"

	// Report/metrics labelling, Trivy server endpoint, node collector image and
	// registry settings, and OCI policy bundle settings. Note that
	// KeyPoliciesBundleOciPassword names a credential: per the SecretName
	// comment, sensitive configuration is expected to live in the operator
	// Secret rather than the ConfigMap — confirm the read path for this key
	// and keep its value out of logs and reports.
	KeyReportResourceLabels         = "report.resourceLabels"
	KeyReportRecordFailedChecksOnly = "report.recordFailedChecksOnly"
	KeyMetricsResourceLabelsPrefix  = "metrics.resourceLabelsPrefix"
	KeyTrivyServerURL               = "trivy.serverURL"
	KeyNodeCollectorImageRef        = "node.collector.imageRef"
	KeyPoliciesBundleOciRef         = "policies.bundle.oci.ref"
	KeyPoliciesBundleOciUser        = "policies.bundle.oci.user"
	KeyPoliciesBundleOciPassword    = "policies.bundle.oci.password"
	KeyNodeCollectorImagePullSecret = "node.collector.imagePullSecret"
	KeyAdditionalReportLabels       = "report.additionalLabels"
	KeyNodeCollectorNodeSelector    = "node.collector.nodeSelector"
)
// Names of the Kubernetes objects that hold Trivy-operator's own configuration.
// Non-sensitive settings go in the ConfigMap and sensitive ones in the Secret;
// keep that split when adding keys (credentials belong in the Secret).
const (
	// NamespaceName the name of the namespace in which Trivy-operator stores its
	// configuration and where it runs scan jobs.
	NamespaceName = "trivy-operator"

	// ConfigMapName the name of the ConfigMap where Trivy-operator stores its
	// configuration.
	ConfigMapName = "trivy-operator"

	// SecretName the name of the Secret where Trivy-operator stores its sensitive
	// configuration.
	SecretName = "trivy-operator"

	// PoliciesConfigMapName the name of the ConfigMap used to store OPA Rego
	// policies.
	PoliciesConfigMapName = "trivy-operator-policies-config"
)
// Label keys. These are the keys Trivy-operator presumably places on the
// objects it creates (scan jobs, reports) and reads back to correlate them
// with the scanned resource; the corresponding values are set elsewhere.
const (
	// Identity of the scanned resource and of the container within it.
	LabelResourceKind      = "trivy-operator.resource.kind"
	LabelResourceName      = "trivy-operator.resource.name"
	LabelResourceNameHash  = "trivy-operator.resource.name-hash"
	LabelResourceNamespace = "trivy-operator.resource.namespace"
	LabelContainerName     = "trivy-operator.container.name"
	// Hashes and markers used to detect changes and report reuse — how each
	// hash is computed is not visible here.
	LabelResourceSpecHash  = "resource-spec-hash"
	LabelPluginConfigHash  = "plugin-config-hash"
	LabelResourceImageID   = "resource-image-id"
	LabelReusedReport      = "reused-report"
	LabelCoreComponent     = "component"
	LabelAddon             = "k8s-app"

	LabelVulnerabilityReportScanner = "vulnerabilityReport.scanner"
	LabelNodeInfoCollector          = "node-info.collector"

	// Standard Kubernetes managed-by label and the value identifying this operator.
	LabelK8SAppManagedBy = "app.kubernetes.io/managed-by"
	AppTrivyOperator     = "trivy-operator"

	// openshift core component
	LabelOpenShiftAPIServer         = "apiserver"
	LabelOpenShiftControllerManager = "kube-controller-manager"
	LabelOpenShiftScheduler         = "scheduler"
	LabelOpenShiftEtcd              = "etcd"
	// Label carrying the SBOM type of a report.
	LabelKbom                       = "trivy-operator.aquasecurity.github.io/sbom-type"
)
const (
	// AnnotationContainerImages is the annotation key under which container
	// image references are recorded; the value's encoding is not shown here.
	AnnotationContainerImages = "trivy-operator.container-images"
)

Variables

This section is empty.

Functions

func GetPluginConfigMapName

func GetPluginConfigMapName(pluginName string) string

GetPluginConfigMapName returns the name of a ConfigMap used to configure a plugin with the given name. TODO Rename to GetPluginConfigObjectName as this method is used to determine the name of ConfigMaps and Secrets.

func GetVersionFromImageRef

func GetVersionFromImageRef(imageRef string) (string, error)

GetVersionFromImageRef returns the image identifier for the specified image reference.

func LinuxNodeAffinity

func LinuxNodeAffinity() *corev1.Affinity

LinuxNodeAffinity constructs a new Affinity resource that selects Linux nodes.

func NewScheme

func NewScheme() *runtime.Scheme

Types

type BuildInfo

// BuildInfo holds build metadata: the version (Git revision), the Git commit
// SHA-1, the build date/time, and the name of the executable binary.
type BuildInfo struct {
	Version    string // Git revision / release version
	Commit     string // Git SHA-1 of the build
	Date       string // build datetime (format not specified here)
	Executable string // name of the executable binary
}

BuildInfo holds build info such as Git revision, Git SHA-1, build datetime, and the name of the executable binary.

type ConfigData

// ConfigData holds Trivy-operator configuration settings as string key-value
// pairs. Values are stored unparsed; the typed accessor methods below
// presumably parse them on read, which is why several return an error.
type ConfigData map[string]string

ConfigData holds Trivy-operator configuration settings as a set of key-value pairs.

func GetDefaultConfig

func GetDefaultConfig() ConfigData

GetDefaultConfig returns the default configuration settings.

func (ConfigData) ComplianceFailEntriesLimit

func (c ConfigData) ComplianceFailEntriesLimit() int

func (ConfigData) CompressLogs added in v0.5.0

func (c ConfigData) CompressLogs() bool

CompressLogs reports whether scan job output should be compressed.

func (ConfigData) ExposedSecretsScannerEnabled added in v0.1.7

func (c ConfigData) ExposedSecretsScannerEnabled() bool

ExposedSecretsScannerEnabled reports whether the exposed secrets scanner is enabled or disabled.

func (ConfigData) GeTrivyServerURL added in v0.7.0

func (c ConfigData) GeTrivyServerURL() string

func (ConfigData) GenerateSbomEnabled added in v0.15.0

func (c ConfigData) GenerateSbomEnabled() bool

GenerateSbomEnabled reports whether SBOM generation is enabled.

func (ConfigData) GetAdditionalReportLabels added in v0.13.0

func (c ConfigData) GetAdditionalReportLabels() (labels.Set, error)

func (ConfigData) GetConfigAuditReportsScanner

func (c ConfigData) GetConfigAuditReportsScanner() Scanner

func (ConfigData) GetGetNodeCollectorVolumeMounts added in v0.13.0

func (c ConfigData) GetGetNodeCollectorVolumeMounts() ([]corev1.VolumeMount, error)

func (ConfigData) GetMetricsResourceLabelsPrefix added in v0.5.0

func (c ConfigData) GetMetricsResourceLabelsPrefix() string

func (ConfigData) GetNodeCollectorExcludeNodes added in v0.14.0

func (c ConfigData) GetNodeCollectorExcludeNodes() (map[string]string, error)

func (ConfigData) GetNodeCollectorImagePullsecret added in v0.13.1

func (c ConfigData) GetNodeCollectorImagePullsecret() []corev1.LocalObjectReference

func (ConfigData) GetNodeCollectorVolumes added in v0.13.0

func (c ConfigData) GetNodeCollectorVolumes() ([]corev1.Volume, error)

func (ConfigData) GetReportResourceLabels added in v0.5.0

func (c ConfigData) GetReportResourceLabels() []string

func (ConfigData) GetRequiredData

func (c ConfigData) GetRequiredData(key string) (string, error)

func (ConfigData) GetScanJobAffinity added in v0.19.1

func (c ConfigData) GetScanJobAffinity() (*corev1.Affinity, error)

func (ConfigData) GetScanJobAnnotations

func (c ConfigData) GetScanJobAnnotations() (map[string]string, error)

func (ConfigData) GetScanJobAutomountServiceAccountToken added in v0.5.0

func (c ConfigData) GetScanJobAutomountServiceAccountToken() bool

func (ConfigData) GetScanJobContainerSecurityContext added in v0.2.0

func (c ConfigData) GetScanJobContainerSecurityContext() (*corev1.SecurityContext, error)

func (ConfigData) GetScanJobNodeSelector added in v0.2.0

func (c ConfigData) GetScanJobNodeSelector() (map[string]string, error)

func (ConfigData) GetScanJobPodPriorityClassName added in v0.13.0

func (c ConfigData) GetScanJobPodPriorityClassName() (string, error)

func (ConfigData) GetScanJobPodSecurityContext added in v0.1.6

func (c ConfigData) GetScanJobPodSecurityContext() (*corev1.PodSecurityContext, error)

func (ConfigData) GetScanJobPodTemplateLabels

func (c ConfigData) GetScanJobPodTemplateLabels() (labels.Set, error)

func (ConfigData) GetScanJobTolerations

func (c ConfigData) GetScanJobTolerations() ([]corev1.Toleration, error)

func (ConfigData) GetSkipInitContainers added in v0.16.0

func (c ConfigData) GetSkipInitContainers() bool

func (ConfigData) GetSkipResourceByLabels added in v0.7.0

func (c ConfigData) GetSkipResourceByLabels() []string

func (ConfigData) GetVulnerabilityReportsScanner

func (c ConfigData) GetVulnerabilityReportsScanner() (Scanner, error)

func (ConfigData) NodeCollectorImageRef added in v0.12.0

func (c ConfigData) NodeCollectorImageRef() string

func (ConfigData) PolicyBundleOciPassword added in v0.19.0

func (c ConfigData) PolicyBundleOciPassword() string

func (ConfigData) PolicyBundleOciRef added in v0.19.0

func (c ConfigData) PolicyBundleOciRef() string

func (ConfigData) PolicyBundleOciUser added in v0.19.0

func (c ConfigData) PolicyBundleOciUser() string

func (ConfigData) ReportRecordFailedChecksOnly added in v0.7.0

func (c ConfigData) ReportRecordFailedChecksOnly() bool

func (ConfigData) Set added in v0.1.7

func (c ConfigData) Set(key, value string)

Set stores value under key in the config data.

func (ConfigData) UseNodeCollectorNodeSelector added in v0.18.2

func (c ConfigData) UseNodeCollectorNodeSelector() bool

func (ConfigData) VulnerabilityScanJobsInSameNamespace

func (c ConfigData) VulnerabilityScanJobsInSameNamespace() bool

func (ConfigData) VulnerabilityScannerEnabled added in v0.1.7

func (c ConfigData) VulnerabilityScannerEnabled() bool

VulnerabilityScannerEnabled reports whether the vulnerability scanner is enabled or disabled.

type ConfigManager

// ConfigManager defines methods for managing ConfigData.
type ConfigManager interface {
	// EnsureDefault makes sure a configuration exists; presumably it writes
	// the defaults from GetDefaultConfig when none is present — confirm.
	EnsureDefault(ctx context.Context) error
	// Read loads the current ConfigData.
	Read(ctx context.Context) (ConfigData, error)
	// Delete removes the stored configuration.
	Delete(ctx context.Context) error
}

ConfigManager defines methods for managing ConfigData.

func NewConfigManager

func NewConfigManager(client kubernetes.Interface, namespace string) ConfigManager

NewConfigManager constructs a new ConfigManager that is using kubernetes.Interface to manage ConfigData backed by the ConfigMap stored in the specified namespace.

type PluginConfig

// PluginConfig holds plugin configuration settings.
type PluginConfig struct {
	// Data holds non-sensitive settings.
	Data map[string]string
	// SecretData holds sensitive settings; its []byte values match the shape
	// of Kubernetes Secret data, so it is presumably backed by a Secret.
	// Do not log or include these values in reports.
	SecretData map[string][]byte
}

PluginConfig holds plugin configuration settings.

func (PluginConfig) GetRequiredData

func (c PluginConfig) GetRequiredData(key string) (string, error)

type PluginContext

// PluginContext is a plugin's execution context within the Trivy-operator
// toolkit; it grants the plugin access to the toolkit's configuration and
// to the namespace and service account its workloads run under.
type PluginContext interface {
	// GetName returns the name of the plugin.
	GetName() string
	// GetConfig returns the PluginConfig object that holds configuration settings of the plugin.
	GetConfig() (PluginConfig, error)
	// EnsureConfig ensures the PluginConfig, typically when a plugin is initialized.
	EnsureConfig(config PluginConfig) error
	// GetNamespace returns the name of the K8s Namespace where Trivy-operator creates Jobs
	// and other helper objects.
	GetNamespace() string
	// GetServiceAccountName returns the name of the K8s Service Account used to run workloads
	// created by Trivy-operator.
	GetServiceAccountName() string
	// GetTrivyOperatorConfig returns trivyoperator configuration.
	GetTrivyOperatorConfig() ConfigData
}

PluginContext is a plugin's execution context within the Trivy-operator toolkit. The context grants access to other methods so that the plugin can interact with the toolkit.

type PluginContextBuilder

// PluginContextBuilder assembles a PluginContext via its With* setters and
// presumably returns the result from Get (signature not shown here).
// Obtain one with NewPluginContext.
type PluginContextBuilder struct {
	// contains filtered or unexported fields
}

func NewPluginContext

func NewPluginContext() *PluginContextBuilder

func (*PluginContextBuilder) Get

func (*PluginContextBuilder) WithClient

func (*PluginContextBuilder) WithName

func (*PluginContextBuilder) WithNamespace

func (b *PluginContextBuilder) WithNamespace(namespace string) *PluginContextBuilder

func (*PluginContextBuilder) WithServiceAccountName

func (b *PluginContextBuilder) WithServiceAccountName(name string) *PluginContextBuilder

func (*PluginContextBuilder) WithTrivyOperatorConfig

func (b *PluginContextBuilder) WithTrivyOperatorConfig(config ConfigData) *PluginContextBuilder

type Scanner

// Scanner is a unique, human-readable identifier of a security scanner.
// The set of valid values is not defined here.
type Scanner string

Scanner represents a unique, human-readable identifier of a security scanner.
