Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
// DanglingResourcesBundle groups the four "dangling-*" rules, keyed by the
// rule name used to select them. Keys are kept sorted so drift against
// LinterRuleMap is easy to spot in review.
//
// NOTE(review): a NetworkPolicy whose selector matches nothing grants no
// isolation at all, which is presumably why dangling-networkpolicy sits
// alongside the availability-oriented checks here; treat it as a security
// finding, not just hygiene.
var DanglingResourcesBundle = map[string]LinterRule{
	"dangling-horizontalpodautoscaler": DanglingHPA,
	"dangling-ingress":                 DanglingIngress,
	"dangling-networkpolicy":           DanglingNetworkPolicy,
	"dangling-service":                 DanglingService,
}
// GoodPracticesBundle groups the general workload-hygiene rules, keyed by the
// rule name used to select them. Keys are kept sorted.
//
// NOTE(review): despite the bundle name, several members have direct security
// impact — sa-token-automount, default-service-account, env-var-secret,
// read-secret-from-env-var, has-security-context and
// network-policy-per-namespace. A consumer that enables only the
// host-isolation, mount, RBAC and ports bundles will silently skip them.
var GoodPracticesBundle = map[string]LinterRule{
	"default-service-account":          DefaultServiceAccount,
	"deprecated-service-account-field": DeprecatedServiceAccountField,
	"env-var-secret":                   EnvVarSecret,
	"exposed-services":                 ExposedService,
	"has-security-context":             HasSecurityContext,
	"latest-tag":                       LatestTag,
	"mismatching-selector":             MismatchingSelector,
	"network-policy-per-namespace":     NetworkPolicyPerNamespace,
	"no-anti-affinity":                 NoAntiAffinity,
	"no-liveness-probe":                NoLivenessProbe,
	"no-readiness-probe":               NoReadinessProbe,
	"no-rolling-update-strategy":       NoRollingUpdateStrategy,
	"read-secret-from-env-var":         ReadSecretFromEnvVar,
	"sa-token-automount":               TokenAutomount,
	"unset-memory-requirements":        UnsetMempryRequirements,
	"use-namespace":                    UseNamespace,
}
// HostIsolationBundle groups the rules whose names concern the container/host
// boundary: host namespace sharing (host-ipc, host-network, host-pid),
// privilege (privileged-container, privilege-escalation-container,
// run-as-non-root), Linux capabilities, sysctls, a writable root filesystem
// and privileged ports. Keyed by the rule name used to select them; keys are
// kept sorted.
//
// NOTE(review): the exported constant for "privileged-ports" is spelled
// PrivilegedProts and the one for "privilege-escalation-container" is
// PrivilegeEsxalationContainer; both are public API and are referenced as-is.
var HostIsolationBundle = map[string]LinterRule{
	"additional-capabilities":        AdditionalCapabilities,
	"drop-net-raw-capability":        DropNetRawCapability,
	"host-ipc":                       HostIPC,
	"host-network":                   HostNetwork,
	"host-pid":                       HostPID,
	"no-read-only-root-fs":           NoReadOnlyRootFS,
	"privilege-escalation-container": PrivilegeEsxalationContainer,
	"privileged-container":           PrivilegedContainer,
	"privileged-ports":               PrivilegedProts,
	"run-as-non-root":                RunAsNonRoot,
	"unsafe-sysctls":                 UnsafeSysctls,
}
// LinterRuleMap is the complete registry of rule name -> LinterRule. At the
// time of writing it holds all 42 LinterRule constants exactly once, and it is
// the union of the six bundle maps; the entries are grouped below by the
// bundle they also appear in, with keys sorted within each group.
//
// NOTE(review): this map and the bundles are maintained by hand. A rule that
// is added to the LinterRule constants but not here presumably cannot be
// selected by name at all, and one added here but to no bundle is only
// reachable through an explicit rule list — confirm against Linter.Run and
// Linter.RunWithRules when adding rules.
var LinterRuleMap = map[string]LinterRule{
	// Host isolation (HostIsolationBundle).
	"additional-capabilities":        AdditionalCapabilities,
	"drop-net-raw-capability":        DropNetRawCapability,
	"host-ipc":                       HostIPC,
	"host-network":                   HostNetwork,
	"host-pid":                       HostPID,
	"no-read-only-root-fs":           NoReadOnlyRootFS,
	"privilege-escalation-container": PrivilegeEsxalationContainer,
	"privileged-container":           PrivilegedContainer,
	"privileged-ports":               PrivilegedProts,
	"run-as-non-root":                RunAsNonRoot,
	"unsafe-sysctls":                 UnsafeSysctls,

	// Mount points (MountPointsBundle).
	"containerd-sock":       ContainerdSock,
	"docker-sock":           DockerSock,
	"sensitive-host-mounts": SensitiveHostMounts,
	"unsafe-proc-mount":     UnsafeProcMount,
	"writable-host-mount":   WritableHostMount,

	// RBAC (RBACBundle).
	"access-to-create-pods":      AccessToCreatePods,
	"access-to-secrets":          AccessToSecrets,
	"cluster-admin-role-binding": ClusterAdminRoleBinding,
	"wildcard-in-rules":          WildcardInRules,

	// Ports (PortsBundle).
	"invalid-target-ports": InvalidTargetPorta,
	"ssh-port":             SSHPort,

	// Dangling resources (DanglingResourcesBundle).
	"dangling-horizontalpodautoscaler": DanglingHPA,
	"dangling-ingress":                 DanglingIngress,
	"dangling-networkpolicy":           DanglingNetworkPolicy,
	"dangling-service":                 DanglingService,

	// Good practices (GoodPracticesBundle).
	"default-service-account":          DefaultServiceAccount,
	"deprecated-service-account-field": DeprecatedServiceAccountField,
	"env-var-secret":                   EnvVarSecret,
	"exposed-services":                 ExposedService,
	"has-security-context":             HasSecurityContext,
	"latest-tag":                       LatestTag,
	"mismatching-selector":             MismatchingSelector,
	"network-policy-per-namespace":     NetworkPolicyPerNamespace,
	"no-anti-affinity":                 NoAntiAffinity,
	"no-liveness-probe":                NoLivenessProbe,
	"no-readiness-probe":               NoReadinessProbe,
	"no-rolling-update-strategy":       NoRollingUpdateStrategy,
	"read-secret-from-env-var":         ReadSecretFromEnvVar,
	"sa-token-automount":               TokenAutomount,
	"unset-memory-requirements":        UnsetMempryRequirements,
	"use-namespace":                    UseNamespace,
}
// MountPointsBundle groups the rules about what a pod mounts from the host:
// the container-runtime sockets (docker-sock, containerd-sock), writable host
// paths, sensitive host paths and an unsafe /proc mount. Keyed by the rule
// name used to select them; keys are kept sorted.
//
// NOTE(review): a mounted runtime socket is equivalent to root on the node,
// so these two rules deserve the same severity as privileged-container.
var MountPointsBundle = map[string]LinterRule{
	"containerd-sock":       ContainerdSock,
	"docker-sock":           DockerSock,
	"sensitive-host-mounts": SensitiveHostMounts,
	"unsafe-proc-mount":     UnsafeProcMount,
	"writable-host-mount":   WritableHostMount,
}
// PortsBundle groups the two port-related rules, keyed by the rule name used
// to select them.
//
// NOTE(review): the constant backing "invalid-target-ports" is spelled
// InvalidTargetPorta; it is public API and is referenced as-is.
var PortsBundle = map[string]LinterRule{
	"invalid-target-ports": InvalidTargetPorta,
	"ssh-port":             SSHPort,
}
// RBACBundle groups the rules that inspect Role/ClusterRole grants: binding to
// cluster-admin, read access to secrets, wildcard verbs/resources, and the
// ability to create pods (which, combined with host mounts or privileged
// containers, is a node-takeover path). Keyed by the rule name used to select
// them; keys are kept sorted.
var RBACBundle = map[string]LinterRule{
	"access-to-create-pods":      AccessToCreatePods,
	"access-to-secrets":          AccessToSecrets,
	"cluster-admin-role-binding": ClusterAdminRoleBinding,
	"wildcard-in-rules":          WildcardInRules,
}
Functions ¶
This section is empty.
Types ¶
type Controller ¶
type Controller struct {
// contains filtered or unexported fields
}
func NewController ¶
func NewController(log *logging.Logger, cfg Config, linter *Linter, castaiClient castaiClient) *Controller
func (*Controller) OnAdd ¶
func (c *Controller) OnAdd(obj kube.Object)
func (*Controller) OnDelete ¶
func (c *Controller) OnDelete(obj kube.Object)
func (*Controller) OnUpdate ¶
func (c *Controller) OnUpdate(obj kube.Object)
func (*Controller) RequiredTypes ¶
func (c *Controller) RequiredTypes() []reflect.Type
type Linter ¶
type Linter struct {
// contains filtered or unexported fields
}
func (*Linter) Run ¶
func (l *Linter) Run(objects []lintcontext.Object) ([]LinterCheck, error)
func (*Linter) RunWithRules ¶
func (l *Linter) RunWithRules(objects []lintcontext.Object, rules []string) ([]LinterCheck, error)
type LinterCheck ¶
// LinterCheck is the per-resource outcome of a lint run: which rules the
// resource satisfied and which it violated.
//
// Passed and Failed are pointers without `omitempty`, so a nil set is emitted
// as JSON null rather than omitted; consumers must treat null as "no rules".
// Unless LinterRuleSet defines a custom JSON marshaller (none is listed in
// this package's API), each set is encoded as its raw integer bitmask, which
// ties the wire format to the declaration order of the LinterRule constants.
type LinterCheck struct {
	// ResourceID identifies the linted object.
	ResourceID string `json:"resourceID"`
	// Passed holds the rules the resource satisfied.
	Passed *LinterRuleSet `json:"passed"`
	// Failed holds the rules the resource violated.
	Failed *LinterRuleSet `json:"failed"`
}
type LinterRule ¶
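// LinterRule identifies a single lint check as one bit of a bitmask, so a set
// of rules can be stored in a LinterRuleSet with bitwise OR.
//
// The underlying type is int64 rather than int so the package also compiles on
// 32-bit targets: 42 rules are declared below and 1 << 41 does not fit in a
// 32-bit int. With 64 bits at most 63 rules can be declared — bit 63 would
// overflow a signed integer and is rejected by the compiler.
//
// NOTE(review): several exported names carry typos (InvalidTargetPorta,
// PrivilegeEsxalationContainer, PrivilegedProts, UnsetMempryRequirements).
// They are part of the public API and are kept as-is; renaming them would
// break callers.
type LinterRule int64

// Each constant is a distinct power of two. New rules MUST be appended at the
// end of the block: bit positions are implied by declaration order, and if a
// LinterRuleSet is ever serialized as its integer value (the JSON tags on
// LinterCheck suggest it may be), inserting a rule mid-list silently changes
// the meaning of every previously emitted value.
const (
	DanglingService LinterRule = 1 << iota
	DeprecatedServiceAccountField
	DockerSock
	DropNetRawCapability
	EnvVarSecret
	ExposedService
	HostIPC
	HostNetwork
	HostPID
	InvalidTargetPorta
	LatestTag
	MismatchingSelector
	NoAntiAffinity
	NoLivenessProbe
	NoReadOnlyRootFS
	NoReadinessProbe
	NoRollingUpdateStrategy
	PrivilegeEsxalationContainer
	PrivilegedContainer
	PrivilegedProts
	RunAsNonRoot
	SensitiveHostMounts
	SSHPort
	UnsafeProcMount
	UnsafeSysctls
	UnsetMempryRequirements
	UseNamespace
	WritableHostMount
	ClusterAdminRoleBinding
	AccessToSecrets
	DefaultServiceAccount
	WildcardInRules
	AccessToCreatePods
	TokenAutomount
	ReadSecretFromEnvVar
	HasSecurityContext
	DanglingNetworkPolicy
	DanglingHPA
	DanglingIngress
	NetworkPolicyPerNamespace
	ContainerdSock
	AdditionalCapabilities
)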
type LinterRuleSet ¶
// LinterRuleSet is a bitmask of LinterRule values: a rule is a member when its
// bit is set. Membership is changed with Add and queried with Has; Rules is
// expected to return the member rule names. Because it shares LinterRule's
// underlying integer type, a set can hold at most as many rules as that type
// has bits, and its integer value depends on the declaration order of the
// LinterRule constants.
type LinterRuleSet LinterRule
func (*LinterRuleSet) Add ¶
func (s *LinterRuleSet) Add(i LinterRule)
func (*LinterRuleSet) Has ¶
func (s *LinterRuleSet) Has(i LinterRule) bool
func (*LinterRuleSet) Rules ¶
func (s *LinterRuleSet) Rules() []string
type ObjectMeta ¶
type ObjectType ¶
type Resource ¶
// Resource pairs an object's metadata with its type. Both member types are
// declared elsewhere in this package; their fields are not shown here.
type Resource struct {
	ObjectMeta ObjectMeta
	ObjectType ObjectType
}