Documentation ¶
Overview ¶
Package reimage provides tools for processing/updating the images listed in k8s manifests
Index ¶
- Variables
- func Process(w io.Writer, r io.Reader, u Updater) error
- type CheckRes
- type EnsureRemapper
- type GCPBinAuthzConcisePayload
- type GCPBinAuthzPayload
- type GrafeasAttester
- type GrafeasClient
- type GrafeasVulnChecker
- type History
- type IgnoreRemapper
- type ImageCheckError
- type ImageSetters
- type ImagesFinder
- type JSONImageFinderConfig
- type KMS
- type KMSClient
- type Keyer
- type Logger
- type MultiRemapper
- type QualifiedImage
- type RecorderRemapper
- type Remapper
- type RenameRemapper
- type RenameUpdater
- type RepoTemplateInput
- type Setter
- type StaticRemapper
- type Updater
- type VulnCheckerResult
Constants ¶
This section is empty.
Variables ¶
var (
	// DefaultTemplateStr is a sensible default for importing images
	DefaultTemplateStr = `{{ .RemotePath }}/{{ .Registry }}/{{ .Repository }}:{{ .DigestHex }}`

	// DefaultRulesConfig is a set of additional, non-core rules for known existing image
	// locations
	DefaultRulesConfig = []JSONImageFinderConfig{
		{
			Kind:       "^Prometheus$",
			APIVersion: `^monitoring\.coreos\.com/v1$`,
			ImageJSONP: []string{"$.spec.image"},
		},
	}

	// ErrDiscoveryNotFound is returned when no Vulnerability checking Discovery is associated with an image
	ErrDiscoveryNotFound = errors.New("discovery not found in response")

	// ErrDiscoverNotFinished is returned when Vulnerability checking did not complete in time
	ErrDiscoverNotFinished = errors.New("vulnerability checking not completed")

	// ErrAttestationNotFound is returned if no attestations are present for a given image digest
	ErrAttestationNotFound = errors.New("attestation not found in response")
)
var DefaultLogger = Logger(slog.Default())
DefaultLogger is a quick shortcut to the slog default logger
var ErrSkip = errors.New("skip further processing")
Functions ¶
Types ¶
type CheckRes ¶ added in v0.2.0
type CheckRes struct {
	Ignored []string // CVEs that were present, but explicitly ignored by the checker
	Found   []string // CVEs that were present, but under the max requested CVSS
}
CheckRes is the result of a vulnerability check
type EnsureRemapper ¶ added in v0.2.0
type EnsureRemapper struct {
	NoClobber bool // If true, we'll refuse to overwrite remote images
	DryRun    bool // If true, don't perform any actual copies
	Logger
}
EnsureRemapper is a mapper that will copy the original image reference to the latest, possibly remote, reference
func (*EnsureRemapper) ReMap ¶ added in v0.2.0
func (t *EnsureRemapper) ReMap(h *History) error
ReMap copies the original reference to the latest, potentially remote reference
type GCPBinAuthzConcisePayload ¶ added in v0.2.0
GCPBinAuthzConcisePayload is a convenient wrapper around GCPBinAuthzPayload; marshalling it with json.Marshal produces a GCPBinAuthzPayload with the Type correctly set
func (*GCPBinAuthzConcisePayload) MarshalJSON ¶ added in v0.2.0
func (pl *GCPBinAuthzConcisePayload) MarshalJSON() ([]byte, error)
MarshalJSON marshals the provided type to JSON, but conforming to the structure of a GCPBinAuthzPayload
type GCPBinAuthzPayload ¶ added in v0.2.0
type GCPBinAuthzPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
}
GCPBinAuthzPayload is the mandated attestation note for signing Docker/OCI images for Google's Binauthz implementation
type GrafeasAttester ¶ added in v0.2.0
type GrafeasAttester struct {
	Grafeas GrafeasClient
	Parent  string
	Keys    Keyer
	NoteRef string
	Logger
}
GrafeasAttester implements attestation creation and checking using Grafeas
func (*GrafeasAttester) Attest ¶ added in v0.2.0
Attest creates a NoteRef attestation for digest. It will skip this if one already exists
type GrafeasClient ¶ added in v0.2.0
type GrafeasClient interface {
	ListOccurrences(ctx context.Context, req *grafeaspb.ListOccurrencesRequest, opts ...gax.CallOption) *grafeas.OccurrenceIterator
	CreateOccurrence(ctx context.Context, req *grafeaspb.CreateOccurrenceRequest, opts ...gax.CallOption) (*grafeaspb.Occurrence, error)
}
GrafeasClient wraps the subset of the Grafeas client that this package needs, because the upstream client still isn't mockable
type GrafeasVulnChecker ¶ added in v0.2.0
type GrafeasVulnChecker struct {
	Grafeas       GrafeasClient
	Parent        string
	IgnoreImages  *regexp.Regexp // do not look for CVEs in images matching this pattern
	MaxCVSS       float32        // Maximum permitted CVSS score
	CVEIgnoreList []string       // CVEs to explicitly ignore
	RetryMax      int            // Max attempts to retrieve vulnerability discovery results
	RetryDelay    time.Duration  // Max time to wait for vulnerability discovery results
	Logger
	sync.Mutex
	// contains filtered or unexported fields
}
GrafeasVulnChecker checks that images have been scanned, and checks that they do not contain unexpected vulnerabilities
type History ¶
History is the full set of updates performed so far
func NewHistory ¶
NewHistory starts a history for a given reference
func (*History) AddDigest ¶ added in v0.2.0
AddDigest sets the known image digest for the image being tracked by this history
func (*History) LatestDigest ¶ added in v0.2.0
LatestDigest constructs a digest name for the latest reference, and the original digest
type IgnoreRemapper ¶ added in v0.6.0
func (*IgnoreRemapper) ReMap ¶ added in v0.6.0
func (t *IgnoreRemapper) ReMap(h *History) error
type ImageCheckError ¶ added in v0.2.0
ImageCheckError is returned by Check if unwanted vulnerabilities are found
func (*ImageCheckError) Error ¶ added in v0.2.0
func (ice *ImageCheckError) Error() string
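An added example (not reimage's own code) of the policy that GrafeasVulnChecker's IgnoreImages, MaxCVSS and CVEIgnoreList settings express, producing the CheckRes and ImageCheckError documented above. Vuln, Policy and Check are hypothetical local names; the findings are constructed rather than Grafeas output, and the rule that a score equal to MaxCVSS still passes is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Local copies of the documented types (hypothetical); Vuln is a constructed scanner finding.
type Vuln struct{ CVE string; CVSS float32 }
type ImageCheckError struct{ Image string; Violations []string }
type CheckRes struct {
	Ignored []string // present, but explicitly ignored
	Found   []string // present, but at or below MaxCVSS
}

func (ice *ImageCheckError) Error() string {
	return fmt.Sprintf("image %s: CVEs above the permitted CVSS: %s", ice.Image, strings.Join(ice.Violations, ", "))
}

type Policy struct { // the GrafeasVulnChecker settings that decide the outcome
	IgnoreImages  *regexp.Regexp // skip checking entirely for matching images
	MaxCVSS       float32        // assumption: a score equal to MaxCVSS is still permitted
	CVEIgnoreList []string
}

// Check sorts findings into Ignored / Found and fails on any CVE above MaxCVSS that is not ignored; a nil result means skipped, not clean.
func (p Policy) Check(image string, vulns []Vuln) (*CheckRes, error) {
	if p.IgnoreImages != nil && p.IgnoreImages.MatchString(image) {
		return nil, nil
	}
	ignored := map[string]bool{}
	for _, c := range p.CVEIgnoreList {
		ignored[c] = true
	}
	res, bad := &CheckRes{}, []string(nil)
	for _, v := range vulns {
		if ignored[v.CVE] {
			res.Ignored = append(res.Ignored, v.CVE)
		} else if v.CVSS > p.MaxCVSS {
			bad = append(bad, fmt.Sprintf("%s (CVSS %.1f)", v.CVE, v.CVSS))
		} else {
			res.Found = append(res.Found, v.CVE)
		}
	}
	if len(bad) > 0 {
		return res, &ImageCheckError{Image: image, Violations: bad}
	}
	return res, nil
}
```

Callers must treat a nil CheckRes as "not checked" rather than "no findings", which is the difference between an image matching IgnoreImages and an image with an empty scan result.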
type ImageSetters ¶
type ImageSetters []Setter
ImageSetters is a list of one or more Setters
func (ImageSetters) Set ¶
func (ss ImageSetters) Set(img string)
Set all the image setters in the list to the provided image
type ImagesFinder ¶
type ImagesFinder interface {
FindImages(obj *unstructured.Unstructured) (map[string]ImageSetters, error)
}
ImagesFinder specifies any mechanism for finding images within any k8s Unstructured data. Each entry in the map is an image name that was found. Calling the Set method on the map values will replace the discovered image name with a replacement.
func CompileJSONImageFinders ¶
func CompileJSONImageFinders(jmCfgs []JSONImageFinderConfig) (ImagesFinder, error)
CompileJSONImageFinders builds an ImagesFinder that can find image configuration strings in arbitrary unstructured K8S JSON objects, using JSONP queries
type JSONImageFinderConfig ¶
type JSONImageFinderConfig struct {
	Kind       string   `json:"kind" yaml:"kind"`             // regexp to match k8s kind
	APIVersion string   `json:"apiVersion" yaml:"apiVersion"` // regexp to match k8s apiVersion
	ImageJSONP []string `json:"imageJSONP" yaml:"imageJSONP"` // jsonP queries to find individual image fields
}
JSONImageFinderConfig describes the settings for finding arbitrary image fields in K8S types
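As an added example (not reimage's own code), a minimal finder in the shape the ImagesFinder contract describes: each ImageJSONP query is walked over a decoded object, every image string found becomes a map key, and the Setters attached to it write the replacement back into the object. walk and FindImages are hypothetical names, only dotted keys plus a "[*]" list wildcard are supported, and the Kind/APIVersion regexp match is left to the caller.

```go
package main

import "strings"

// Local copies of the documented types (hypothetical, for this stand-alone example).
type Setter func(img string)
type ImageSetters []Setter

// Set rewrites every location where the image was found.
func (ss ImageSetters) Set(img string) {
	for _, s := range ss {
		s(img)
	}
}

// walk resolves one "$.a.b[*].c" style path over decoded JSON and records, for every terminal
// string, a Setter that writes back into the tree. Only dotted keys and a "[*]" wildcard on
// object lists are supported here; it is not a general JSONPath implementation.
func walk(node any, path []string, found map[string]ImageSetters) {
	m, ok := node.(map[string]any)
	if !ok || len(path) == 0 {
		return
	}
	key := strings.TrimSuffix(path[0], "[*]")
	child, rest := m[key], path[1:]
	if strings.HasSuffix(path[0], "[*]") {
		list, _ := child.([]any)
		for _, el := range list {
			walk(el, rest, found)
		}
		return
	}
	if s, ok := child.(string); ok && len(rest) == 0 {
		// The closure captures the map and key, so Set replaces the value in place.
		found[s] = append(found[s], func(img string) { m[key] = img })
		return
	}
	walk(child, rest, found)
}

// FindImages evaluates the ImageJSONP queries of a JSONImageFinderConfig against one object
// (the Kind/APIVersion regexp match is assumed done by the caller) and returns image name
// -> setters, as the ImagesFinder contract describes.
func FindImages(imageJSONP []string, obj map[string]any) map[string]ImageSetters {
	found := map[string]ImageSetters{}
	for _, q := range imageJSONP {
		walk(obj, strings.Split(strings.TrimPrefix(q, "$."), "."), found)
	}
	return found
}
```

Because setters are grouped by image string, one Set call rewrites every container that uses that image, which is what keeps a manifest consistent after a digest-pinning rename.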
type KMS ¶ added in v0.2.0
KMS uses Google Cloud KMS to sign and verify data. Only EC_SIGN_P256_SHA256 keys are supported at this time
type KMSClient ¶ added in v0.2.0
type KMSClient interface {
	AsymmetricSign(ctx context.Context, req *kmspb.AsymmetricSignRequest, opts ...gax.CallOption) (*kmspb.AsymmetricSignResponse, error)
	GetPublicKey(ctx context.Context, req *kmspb.GetPublicKeyRequest, opts ...gax.CallOption) (*kmspb.PublicKey, error)
}
KMSClient describes all the methods we require for a Google compatible signing service
type Keyer ¶ added in v0.2.0
type Keyer interface {
	Sign(ctx context.Context, bs []byte) ([]byte, string, error)
	Verify(ctx context.Context, bs []byte, sig []byte) error
}
Keyer is an interface to a private key, for signing and verifying blobs
type MultiRemapper ¶
type MultiRemapper []Remapper
MultiRemapper applies each remapper, passing results from one to the next.
func (MultiRemapper) ReMap ¶
func (t MultiRemapper) ReMap(h *History) error
ReMap applies each remapper, passing results from one to the next. An error is returned as soon as any remapper fails
type QualifiedImage ¶ added in v0.2.0
type QualifiedImage struct {
	Tag         string   `json:"tag"`
	Digest      string   `json:"digest"`
	IgnoredCVEs []string `json:"ignoredCVEs,omitempty"`
	FoundCVEs   []string `json:"foundCVEs,omitempty"`
}
QualifiedImage describes an image tag, at a specific digest
type RecorderRemapper ¶ added in v0.2.0
type RecorderRemapper struct {
// contains filtered or unexported fields
}
RecorderRemapper records all remappings as they are seen
func (*RecorderRemapper) Mappings ¶ added in v0.2.0
func (r *RecorderRemapper) Mappings() (map[string]QualifiedImage, error)
Mappings returns the set of original-to-final image mappings performed by all the remappers
func (*RecorderRemapper) ReMap ¶ added in v0.2.0
func (r *RecorderRemapper) ReMap(h *History) error
ReMap records all remappings so far; it should usually be used as the final remapper
type RenameRemapper ¶ added in v0.2.0
type RenameRemapper struct {
	Ignore     *regexp.Regexp
	RemotePath string             // used for the .RemotePath value in the template
	RemoteTmpl *template.Template // template to build the final image string
	Logger
	// contains filtered or unexported fields
}
RenameRemapper is a Remapper implementation that can rename an image to a remote registry/repository path. The new path is built using RemoteTmpl; reimage will then optionally copy the image to the new location using crane.Copy
func (*RenameRemapper) ReMap ¶ added in v0.2.0
func (t *RenameRemapper) ReMap(h *History) error
ReMap copies an image from the original registry to a given new destination registry
type RenameUpdater ¶ added in v0.2.0
type RenameUpdater struct {
	Ignore                   *regexp.Regexp // Completely ignore image strings matching this regexp
	UnstructuredImagesFinder ImagesFinder
	Remapper                 Remapper
	ForceDigests             bool
}
RenameUpdater applies the Remapper to all images found in the object passed to Update. For objects of unknown types the UnstructuredImagesFinder is used. TODO(tcm): rename this thinger.
type RepoTemplateInput ¶
type RepoTemplateInput struct {
	RemotePath string // The requested remote repository and registry prefix
	Digest     string // The digest of the image
	DigestAlgo string // The hash algorithm of the image digest
	DigestHex  string // The hex string of the digest hash
	Tag        string // The image tag (TODO(tcm): not used at the moment)
	Registry   string // The image registry
	Repository string // The image repository
}
RepoTemplateInput is the input provided to the RemoteTmpl of the RepoRemapper
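Added example, not code from reimage: how the documented RepoTemplateInput fields are derived from a digest-pinned reference and fed to DefaultTemplateStr. ParseRef and Render are hypothetical helpers, and treating a first path component that does not look like a host as part of a Docker Hub repository is an assumption borrowed from the Docker CLI convention.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Local copies of the documented type and default (hypothetical, for this stand-alone example).
type RepoTemplateInput struct {
	RemotePath, Digest, DigestAlgo, DigestHex, Tag, Registry, Repository string
}

const DefaultTemplateStr = `{{ .RemotePath }}/{{ .Registry }}/{{ .Repository }}:{{ .DigestHex }}`

// ParseRef splits "registry/repo[:tag]@algo:hex"; the digest is mandatory since the template pins by DigestHex, not tag.
func ParseRef(remotePath, ref string) (RepoTemplateInput, error) {
	name, digest, ok := strings.Cut(ref, "@")
	if !ok {
		return RepoTemplateInput{}, fmt.Errorf("reference %q is not digest-pinned", ref)
	}
	algo, hex, ok := strings.Cut(digest, ":")
	if !ok || algo == "" || hex == "" {
		return RepoTemplateInput{}, fmt.Errorf("malformed digest %q", digest)
	}
	registry, repo, ok := strings.Cut(name, "/")
	// The first component is a registry only if it looks like a host (assumed Docker CLI rule).
	if !ok || (!strings.ContainsAny(registry, ".:") && registry != "localhost") {
		registry, repo = "docker.io", name
	}
	tag := ""
	if i := strings.LastIndex(repo, ":"); i >= 0 {
		repo, tag = repo[:i], repo[i+1:]
	}
	return RepoTemplateInput{RemotePath: remotePath, Digest: digest, DigestAlgo: algo,
		DigestHex: hex, Tag: tag, Registry: registry, Repository: repo}, nil
}

// Render executes a RemoteTmpl-style template over the parsed input.
func Render(tmplStr string, in RepoTemplateInput) (string, error) {
	tmpl, err := template.New("remote").Parse(tmplStr)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := tmpl.Execute(&sb, in); err != nil {
		return "", err
	}
	return sb.String(), nil
}
```

Rendering "docker.io/library/nginx:1.25@sha256:0123abcd" with RemotePath "eu.gcr.io/myproj/mirror" gives "eu.gcr.io/myproj/mirror/docker.io/library/nginx:0123abcd", so the mirrored tag is the content digest and a moved upstream tag cannot silently change what is deployed.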
type Setter ¶
type Setter func(img string)
A Setter is used for setting the string description of an image
type StaticRemapper ¶ added in v0.2.0
type StaticRemapper struct {
	Mappings     map[string]QualifiedImage
	AllowMissing bool
}
StaticRemapper is a Remapper implementation that allows statically mapping incoming images to a pre-existing set of known target image names and digests
func NewStaticRemapper ¶ added in v0.2.0
func NewStaticRemapper(mps map[string]QualifiedImage, confirmDigest bool) (*StaticRemapper, error)
NewStaticRemapper creates a StaticRemapper. If confirmDigest is true, the constructor will check that all target image tags still map to the currently referenced digest
func (*StaticRemapper) ReMap ¶ added in v0.2.0
func (s *StaticRemapper) ReMap(h *History) error
ReMap looks up the incoming image in the provided mappings. If AllowMissing is false, attempts to look up images not in the static mappings will fail (if true, ReMap is a no-op)
type VulnCheckerResult ¶ added in v0.2.0
type VulnCheckerResult struct {
	Ignored map[string][]string // CVEs that were explicitly ignored
	Found   map[string][]string // CVEs found that were under the max allowed score
}
VulnCheckerResult tracks CVEs associated with an image, and those that have been explicitly ignored at the time of processing
func (VulnCheckerResult) AnnotateMappings ¶ added in v0.2.0
func (vcr VulnCheckerResult) AnnotateMappings(mappings map[string]QualifiedImage)
AnnotateMappings adds the Ignored/Found CVE lists to the provided mappings