kubelinter

package
v1.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 29, 2024 License: Apache-2.0 Imports: 82 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var DanglingResourcesBundle = map[string]LinterRule{
	"dangling-service":                 DanglingService,
	"dangling-networkpolicy":           DanglingNetworkPolicy,
	"dangling-horizontalpodautoscaler": DanglingHPA,
	"dangling-ingress":                 DanglingIngress,
}
View Source
var GoodPracticesBundle = map[string]LinterRule{
	"sa-token-automount":               TokenAutomount,
	"exposed-services":                 ExposedService,
	"deprecated-service-account-field": DeprecatedServiceAccountField,
	"latest-tag":                       LatestTag,
	"mismatching-selector":             MismatchingSelector,
	"no-anti-affinity":                 NoAntiAffinity,
	"no-liveness-probe":                NoLivenessProbe,
	"no-readiness-probe":               NoReadinessProe,
	"no-rolling-update-strategy":       NoRollingUpdateStrategy,
	"unset-memory-requirements":        UnsetMempryRequirements,
	"use-namespace":                    UseNamespace,
	"default-service-account":          DefaultServiceAccount,
	"has-security-context":             HasSecurityContext,
	"read-secret-from-env-var":         ReadSecretFromEnvVar,
	"env-var-secret":                   EnvVarSecret,
	"network-policy-per-namespace":     NetworkPolicyPerNamespace,
}
View Source
var HostIsolationBundle = map[string]LinterRule{
	"drop-net-raw-capability":        DropNetRawCapability,
	"host-ipc":                       HostIPC,
	"host-network":                   HostNetwork,
	"host-pid":                       HostPID,
	"privilege-escalation-container": PrivilegeEsxalationContainer,
	"privileged-container":           PrivilegedContainer,
	"run-as-non-root":                RunAsNonRoot,
	"unsafe-sysctls":                 UnsafeSysctls,
	"additional-capabilities":        AdditionalCapabilities,
	"no-read-only-root-fs":           NoReadOnlyRootFS,
	"privileged-ports":               PrivilegedProts,
}
View Source
var LinterRuleMap = map[string]LinterRule{
	"dangling-service":                 DanglingService,
	"deprecated-service-account-field": DeprecatedServiceAccountField,
	"docker-sock":                      DockerSock,
	"drop-net-raw-capability":          DropNetRawCapability,
	"env-var-secret":                   EnvVarSecret,
	"exposed-services":                 ExposedService,
	"host-ipc":                         HostIPC,
	"host-network":                     HostNetwork,
	"host-pid":                         HostPID,
	"invalid-target-ports":             InvalidTargetPorta,
	"latest-tag":                       LatestTag,
	"mismatching-selector":             MismatchingSelector,
	"no-anti-affinity":                 NoAntiAffinity,
	"no-liveness-probe":                NoLivenessProbe,
	"no-read-only-root-fs":             NoReadOnlyRootFS,
	"no-readiness-probe":               NoReadinessProe,
	"no-rolling-update-strategy":       NoRollingUpdateStrategy,
	"privilege-escalation-container":   PrivilegeEsxalationContainer,
	"privileged-container":             PrivilegedContainer,
	"privileged-ports":                 PrivilegedProts,
	"run-as-non-root":                  RunAsNonRoot,
	"sensitive-host-mounts":            SensitiveHostMounts,
	"ssh-port":                         SSHPort,
	"unsafe-proc-mount":                UnsafeProcMount,
	"unsafe-sysctls":                   UnsafeSysctls,
	"unset-memory-requirements":        UnsetMempryRequirements,
	"use-namespace":                    UseNamespace,
	"writable-host-mount":              WritableHostMount,
	"cluster-admin-role-binding":       ClusterAdminRoleBinding,
	"access-to-secrets":                AccessToSecrets,
	"wildcard-in-rules":                WildcardInRules,
	"access-to-create-pods":            AccessToCreatePods,
	"default-service-account":          DefaultServiceAccount,
	"sa-token-automount":               TokenAutomount,
	"read-secret-from-env-var":         ReadSecretFromEnvVar,
	"has-security-context":             HasSecurityContext,
	"dangling-networkpolicy":           DanglingNetworkPolicy,
	"dangling-horizontalpodautoscaler": DanglingHPA,
	"dangling-ingress":                 DanglingIngress,
	"network-policy-per-namespace":     NetworkPolicyPerNamespace,
	"containerd-sock":                  ContainerdSock,
	"additional-capabilities":          AdditionalCapabilities,
}
View Source
var MountPointsBundle = map[string]LinterRule{
	"docker-sock":           DockerSock,
	"containerd-sock":       ContainerdSock,
	"writable-host-mount":   WritableHostMount,
	"unsafe-proc-mount":     UnsafeProcMount,
	"sensitive-host-mounts": SensitiveHostMounts,
}
View Source
var PortsBundle = map[string]LinterRule{
	"invalid-target-ports": InvalidTargetPorta,
	"ssh-port":             SSHPort,
}
View Source
var RBACBundle = map[string]LinterRule{
	"cluster-admin-role-binding": ClusterAdminRoleBinding,
	"access-to-secrets":          AccessToSecrets,
	"wildcard-in-rules":          WildcardInRules,
	"access-to-create-pods":      AccessToCreatePods,
}

Functions

This section is empty.

Types

type Config

type Config struct {
	Enabled      bool
	ScanInterval time.Duration `validate:"required"`
	InitDelay    time.Duration
}

type Controller

type Controller struct {
	// contains filtered or unexported fields
}

func NewController

func NewController(log *logging.Logger, cfg Config, linter *Linter, castaiClient castaiClient) *Controller

func (*Controller) OnAdd

func (c *Controller) OnAdd(obj kube.Object)

func (*Controller) OnDelete

func (c *Controller) OnDelete(obj kube.Object)

func (*Controller) OnUpdate

func (c *Controller) OnUpdate(obj kube.Object)

func (*Controller) RequiredTypes

func (c *Controller) RequiredTypes() []reflect.Type

func (*Controller) Run

func (c *Controller) Run(ctx context.Context) error

type Linter

type Linter struct {
	// contains filtered or unexported fields
}

func New

func New(checks []string) (*Linter, error)

func (*Linter) Run

func (l *Linter) Run(objects []lintcontext.Object) ([]LinterCheck, error)

func (*Linter) RunWithRules

func (l *Linter) RunWithRules(objects []lintcontext.Object, rules []string) ([]LinterCheck, error)

type LinterCheck

type LinterCheck struct {
	ResourceID string         `json:"resourceID"`
	Passed     *LinterRuleSet `json:"passed"`
	Failed     *LinterRuleSet `json:"failed"`
}

type LinterRule

type LinterRule int
const (
	DanglingService LinterRule = 1 << iota
	DeprecatedServiceAccountField
	DockerSock
	DropNetRawCapability
	EnvVarSecret
	ExposedService
	HostIPC
	HostNetwork
	HostPID
	InvalidTargetPorta
	LatestTag
	MismatchingSelector
	NoAntiAffinity
	NoLivenessProbe
	NoReadOnlyRootFS
	NoReadinessProe
	NoRollingUpdateStrategy
	PrivilegeEsxalationContainer
	PrivilegedContainer
	PrivilegedProts
	RunAsNonRoot
	SensitiveHostMounts
	SSHPort
	UnsafeProcMount
	UnsafeSysctls
	UnsetMempryRequirements
	UseNamespace
	WritableHostMount
	ClusterAdminRoleBinding
	AccessToSecrets
	DefaultServiceAccount
	WildcardInRules
	AccessToCreatePods
	TokenAutomount
	ReadSecretFromEnvVar
	HasSecurityContext
	DanglingNetworkPolicy
	DanglingHPA
	DanglingIngress
	NetworkPolicyPerNamespace
	ContainerdSock
	AdditionalCapabilities
)

type LinterRuleSet

type LinterRuleSet LinterRule

func (*LinterRuleSet) Add

func (s *LinterRuleSet) Add(i LinterRule)

func (*LinterRuleSet) Has

func (s *LinterRuleSet) Has(i LinterRule) bool

func (*LinterRuleSet) Rules

func (s *LinterRuleSet) Rules() []string

type ObjectMeta

type ObjectMeta struct {
	Namespace string `json:"namespace"`
	Name      string `json:"name"`
}

type ObjectType

type ObjectType struct {
	APIVersion string `json:"APIVersion"`
	Kind       string `json:"kind"`
}

type Resource

type Resource struct {
	ObjectMeta ObjectMeta
	ObjectType ObjectType
}

func (Resource) ObjectKey

func (r Resource) ObjectKey() string

Directories

Path Synopsis
customchecks

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL