Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var DanglingResourcesBundle = map[string]LinterRule{ "dangling-service": DanglingService, "dangling-networkpolicy": DanglingNetworkPolicy, "dangling-horizontalpodautoscaler": DanglingHPA, "dangling-ingress": DanglingIngress, }
View Source
var GoodPracticesBundle = map[string]LinterRule{ "sa-token-automount": TokenAutomount, "exposed-services": ExposedService, "deprecated-service-account-field": DeprecatedServiceAccountField, "latest-tag": LatestTag, "mismatching-selector": MismatchingSelector, "no-anti-affinity": NoAntiAffinity, "no-liveness-probe": NoLivenessProbe, "no-readiness-probe": NoReadinessProe, "no-rolling-update-strategy": NoRollingUpdateStrategy, "unset-memory-requirements": UnsetMempryRequirements, "use-namespace": UseNamespace, "default-service-account": DefaultServiceAccount, "has-security-context": HasSecurityContext, "read-secret-from-env-var": ReadSecretFromEnvVar, "env-var-secret": EnvVarSecret, "network-policy-per-namespace": NetworkPolicyPerNamespace, }
View Source
var HostIsolationBundle = map[string]LinterRule{ "drop-net-raw-capability": DropNetRawCapability, "host-ipc": HostIPC, "host-network": HostNetwork, "host-pid": HostPID, "privilege-escalation-container": PrivilegeEsxalationContainer, "privileged-container": PrivilegedContainer, "run-as-non-root": RunAsNonRoot, "unsafe-sysctls": UnsafeSysctls, "additional-capabilities": AdditionalCapabilities, "no-read-only-root-fs": NoReadOnlyRootFS, "privileged-ports": PrivilegedProts, }
View Source
var LinterRuleMap = map[string]LinterRule{ "dangling-service": DanglingService, "deprecated-service-account-field": DeprecatedServiceAccountField, "docker-sock": DockerSock, "drop-net-raw-capability": DropNetRawCapability, "env-var-secret": EnvVarSecret, "exposed-services": ExposedService, "host-ipc": HostIPC, "host-network": HostNetwork, "host-pid": HostPID, "invalid-target-ports": InvalidTargetPorta, "latest-tag": LatestTag, "mismatching-selector": MismatchingSelector, "no-anti-affinity": NoAntiAffinity, "no-liveness-probe": NoLivenessProbe, "no-read-only-root-fs": NoReadOnlyRootFS, "no-readiness-probe": NoReadinessProe, "no-rolling-update-strategy": NoRollingUpdateStrategy, "privilege-escalation-container": PrivilegeEsxalationContainer, "privileged-container": PrivilegedContainer, "privileged-ports": PrivilegedProts, "run-as-non-root": RunAsNonRoot, "sensitive-host-mounts": SensitiveHostMounts, "ssh-port": SSHPort, "unsafe-proc-mount": UnsafeProcMount, "unsafe-sysctls": UnsafeSysctls, "unset-memory-requirements": UnsetMempryRequirements, "use-namespace": UseNamespace, "writable-host-mount": WritableHostMount, "cluster-admin-role-binding": ClusterAdminRoleBinding, "access-to-secrets": AccessToSecrets, "wildcard-in-rules": WildcardInRules, "access-to-create-pods": AccessToCreatePods, "default-service-account": DefaultServiceAccount, "sa-token-automount": TokenAutomount, "read-secret-from-env-var": ReadSecretFromEnvVar, "has-security-context": HasSecurityContext, "dangling-networkpolicy": DanglingNetworkPolicy, "dangling-horizontalpodautoscaler": DanglingHPA, "dangling-ingress": DanglingIngress, "network-policy-per-namespace": NetworkPolicyPerNamespace, "containerd-sock": ContainerdSock, "additional-capabilities": AdditionalCapabilities, }
View Source
var MountPointsBundle = map[string]LinterRule{ "docker-sock": DockerSock, "containerd-sock": ContainerdSock, "writable-host-mount": WritableHostMount, "unsafe-proc-mount": UnsafeProcMount, "sensitive-host-mounts": SensitiveHostMounts, }
View Source
var PortsBundle = map[string]LinterRule{ "invalid-target-ports": InvalidTargetPorta, "ssh-port": SSHPort, }
View Source
var RBACBundle = map[string]LinterRule{ "cluster-admin-role-binding": ClusterAdminRoleBinding, "access-to-secrets": AccessToSecrets, "wildcard-in-rules": WildcardInRules, "access-to-create-pods": AccessToCreatePods, }
Functions ¶
This section is empty.
Types ¶
type Controller ¶
type Controller struct {
// contains filtered or unexported fields
}
func NewController ¶
func NewController(log *logging.Logger, cfg Config, linter *Linter, castaiClient castaiClient) *Controller
func (*Controller) OnAdd ¶
func (c *Controller) OnAdd(obj kube.Object)
func (*Controller) OnDelete ¶
func (c *Controller) OnDelete(obj kube.Object)
func (*Controller) OnUpdate ¶
func (c *Controller) OnUpdate(obj kube.Object)
func (*Controller) RequiredTypes ¶
func (c *Controller) RequiredTypes() []reflect.Type
type Linter ¶
type Linter struct {
// contains filtered or unexported fields
}
func (*Linter) Run ¶
func (l *Linter) Run(objects []lintcontext.Object) ([]LinterCheck, error)
func (*Linter) RunWithRules ¶
func (l *Linter) RunWithRules(objects []lintcontext.Object, rules []string) ([]LinterCheck, error)
type LinterCheck ¶
type LinterCheck struct { ResourceID string `json:"resourceID"` Passed *LinterRuleSet `json:"passed"` Failed *LinterRuleSet `json:"failed"` }
type LinterRule ¶
type LinterRule int
const ( DanglingService LinterRule = 1 << iota DeprecatedServiceAccountField DockerSock DropNetRawCapability EnvVarSecret ExposedService HostIPC HostNetwork HostPID InvalidTargetPorta LatestTag MismatchingSelector NoAntiAffinity NoLivenessProbe NoReadOnlyRootFS NoReadinessProe NoRollingUpdateStrategy PrivilegeEsxalationContainer PrivilegedContainer PrivilegedProts RunAsNonRoot SensitiveHostMounts SSHPort UnsafeProcMount UnsafeSysctls UnsetMempryRequirements UseNamespace WritableHostMount ClusterAdminRoleBinding AccessToSecrets DefaultServiceAccount WildcardInRules AccessToCreatePods TokenAutomount ReadSecretFromEnvVar HasSecurityContext DanglingNetworkPolicy DanglingHPA DanglingIngress NetworkPolicyPerNamespace ContainerdSock AdditionalCapabilities )
type LinterRuleSet ¶
type LinterRuleSet LinterRule
func (*LinterRuleSet) Add ¶
func (s *LinterRuleSet) Add(i LinterRule)
func (*LinterRuleSet) Has ¶
func (s *LinterRuleSet) Has(i LinterRule) bool
func (*LinterRuleSet) Rules ¶
func (s *LinterRuleSet) Rules() []string
type ObjectMeta ¶
type ObjectType ¶
type Resource ¶
type Resource struct { ObjectMeta ObjectMeta ObjectType ObjectType }
Click to show internal directories.
Click to hide internal directories.