types


Constants

// KubeArmorPolicy flags. These are the values carried by the PolicyEnabled
// field of Container, EndPoint, Node and Log. They are deliberately untyped
// integer constants so they can be assigned to those plain int fields (and
// decoded from JSON) without a conversion; iota yields the same 0/1/2 sequence
// as the explicit literals. How each value is acted upon is decided by the
// enforcement code, which is not part of this file.
const (
	KubeArmorPolicyDisabled = iota // 0
	KubeArmorPolicyEnabled         // 1
	KubeArmorPolicyAudited         // 2
)

KubeArmorPolicy Flags


Types

type AuditEventType

// AuditEventType describes one audit event matcher inside an AuditPolicy.
// Probe is the only mandatory field (no omitempty); everything else is
// optional and omitted from JSON when empty. The Path/Directory/Mode/Flags
// group reads like a file matcher and Protocol/Ipv4Addr/Ipv6Addr/Port like a
// network matcher, but which fields a given probe honours is decided by the
// consumer, not by this type.
type AuditEventType struct {
	// Probe names the probe/hook the event attaches to. Rate is kept as a
	// free-form string rather than a parsed number; validation, if any,
	// happens elsewhere.
	Probe string `json:"probe"`
	Rate  string `json:"rate,omitempty"`

	// File-related selectors. Mode and Flags are raw strings, so the accepted
	// encoding (e.g. octal vs. symbolic) is defined by the consumer.
	Path      string `json:"path,omitempty"`
	Directory string `json:"dir,omitempty"`
	Mode      string `json:"mode,omitempty"`
	Flags     string `json:"flags,omitempty"`

	// Network-related selectors. Addresses and Port are unparsed strings;
	// nothing in this type guarantees they are well-formed.
	Protocol string `json:"protocol,omitempty"`
	Ipv4Addr string `json:"ipv4addr,omitempty"`
	Ipv6Addr string `json:"ipv6addr,omitempty"`
	Port     string `json:"port,omitempty"`

	// Per-event metadata. Severity is an int here (as in AuditPolicy) but a
	// string in K8sAuditPolicySpec/K8sAuditRuleType and Log — converting
	// between the two representations is up to the caller.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
}

AuditEventType Structure

type AuditPolicy

// AuditPolicy is the internal (non-CRD) form of an audit policy: a workload
// selector plus a list of events to audit. Compare K8sAuditPolicySpec, which
// is the CRD-facing shape and nests events under rules.
type AuditPolicy struct {
	// Selector picks the endpoints this policy applies to.
	Selector SelectorType `json:"selector"`

	// Process optionally restricts the policy to a process; Events lists the
	// matchers and is always encoded (no omitempty), so an empty list encodes
	// as null/[] rather than being dropped.
	Process string           `json:"process,omitempty"`
	Events  []AuditEventType `json:"events"`

	// Policy-level defaults; individual events may carry their own.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
}

AuditPolicy Structure

type BPFPolicy

// BPFPolicy is a single BPF-LSM rule: which hook (Type), its arguments, and
// the action to take. Unlike the other policy types in this file it has no
// json tags, so if it is ever marshalled (EndPoint.BPFPolicies is tagged
// "bpfSecurityPolicies") the fields appear under their Go names
// ("Type", "Args", "Action").
type BPFPolicy struct {
	Type   BPFPolicyType
	// Args are uninterpreted strings; their meaning depends on Type.
	Args   []string
	// Action is a free-form string here, as elsewhere in this file; the set
	// of valid values is enforced (if at all) by the consumer.
	Action string
}

type BPFPolicyType

// BPFPolicyType names the BPF program (LSM hook) a BPFPolicy attaches to.
// The string values are the program names used by the BPF side.
type BPFPolicyType string

// Known BPF program names. Note the naming mismatch on the last constant:
// BPFPolicyTypeInodeBPCKSEC maps to "bprm_check_security_prog", which is the
// bprm (exec) hook, not an inode hook. The identifier is kept for API
// compatibility; do not infer the hook from the Go name.
const (
	BPFPolicyTypeSocketConnect   BPFPolicyType = "socket_connect_prog"
	BPFPolicyTypeSocketSendmsg   BPFPolicyType = "socket_sendmsg_prog"
	BPFPolicyTypeInodePermission BPFPolicyType = "inode_permission_prog"
	BPFPolicyTypeInodeMkdir      BPFPolicyType = "inode_mkdir_prog"
	BPFPolicyTypeInodeRmdir      BPFPolicyType = "inode_rmdir_prog"
	BPFPolicyTypeInodeBPCKSEC    BPFPolicyType = "bprm_check_security_prog"
)

type CapabilitiesCapabilityType

// CapabilitiesCapabilityType is one entry of CapabilitiesType.MatchCapabilities:
// a capability name, optionally restricted to specific source binaries.
type CapabilitiesCapabilityType struct {
	// Capability is mandatory (no omitempty). It is a raw string; nothing
	// here checks it is a valid Linux capability name.
	Capability string            `json:"capability"`
	// FromSource narrows the rule to the listed executables; an empty list
	// means no source restriction.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`

	// Per-rule overrides of the enclosing CapabilitiesType defaults.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

CapabilitiesCapabilityType Structure

type CapabilitiesType

// CapabilitiesType is the "capabilities" section of a SecuritySpec or
// HostSecuritySpec: a list of capability rules plus section-level defaults
// for severity, tags, message and action.
type CapabilitiesType struct {
	MatchCapabilities []CapabilitiesCapabilityType `json:"matchCapabilities,omitempty"`

	// Section-level defaults; each MatchCapabilities entry may override them.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

CapabilitiesType Structure

type Container

// Container is the runtime view of a single container: its identity, the
// endpoint it belongs to, the AppArmor profile attached to it, the kernel
// namespace IDs used to match events back to it, and the per-container
// policy/visibility switches.
type Container struct {
	ContainerID   string `json:"containerID"`
	ContainerName string `json:"containerName"`

	// Owning Kubernetes namespace and endpoint (see EndPoint).
	NamespaceName string `json:"namespaceName"`
	EndPointName  string `json:"endPointName"`

	// AppArmorProfile is the profile name applied to this container; empty
	// presumably means none, but that is not enforced here.
	AppArmorProfile string `json:"apparmorProfile"`

	// PidNS/MntNS are the PID and mount namespace inode numbers. They are
	// the key used to attribute kernel events to a container, so a stale or
	// reused value would misattribute events.
	PidNS uint32 `json:"pidns"`
	MntNS uint32 `json:"mntns"`

	// PolicyEnabled holds one of the KubeArmorPolicy* constants.
	PolicyEnabled int `json:"policyEnabled"`

	// Visibility switches control which event classes are logged for this
	// container. They are always encoded (no omitempty).
	ProcessVisibilityEnabled      bool `json:"processVisibilityEnabled"`
	FileVisibilityEnabled         bool `json:"fileVisibilityEnabled"`
	NetworkVisibilityEnabled      bool `json:"networkVisibilityEnabled"`
	CapabilitiesVisibilityEnabled bool `json:"capabilitiesVisibilityEnabled"`
}

Container Structure

type EndPoint

// EndPoint is the unit policies are attached to: a named workload in a
// namespace, the containers and LSM profiles that make it up, and the
// resolved security/audit/BPF policies currently applied to it.
type EndPoint struct {
	NamespaceName string `json:"namespaceName"`
	EndPointName  string `json:"endPointName"`

	// Labels are the workload's labels; Identities is the derived identity
	// list that SelectorType.Identities is matched against.
	Labels     map[string]string `json:"labels"`
	Identities []string          `json:"identities"`

	// Containers are container IDs/names (the element type is a plain string;
	// which one is not fixed by this type). AppArmorProfiles lists the
	// profiles in use across those containers.
	Containers       []string `json:"containers"`
	AppArmorProfiles []string `json:"apparmorProfiles"`

	// SELinuxProfiles maps container name -> profile (assumed from usage of
	// the sibling maps; confirm against the code that fills it). HostVolumes
	// records host paths mounted into the endpoint — relevant because a
	// writable host mount is a common container-escape vector.
	SELinuxProfiles map[string]string `json:"selinuxProfiles"`
	HostVolumes     []HostVolumeMount `json:"hostVolumes"`

	// Policies currently applied to this endpoint.
	SecurityPolicies []SecurityPolicy `json:"securityPolicies"`
	AuditPolicies    []AuditPolicy    `json:"auditPolicies"`

	// BPF-LSM //
	// BPFPolicy itself has no json tags, so each element encodes with Go
	// field names under this key.
	BPFPolicies []BPFPolicy `json:"bpfSecurityPolicies"`

	// PolicyEnabled holds one of the KubeArmorPolicy* constants.
	PolicyEnabled int `json:"policyEnabled"`

	// Visibility switches, mirroring Container and Node.
	ProcessVisibilityEnabled      bool `json:"processVisibilityEnabled"`
	FileVisibilityEnabled         bool `json:"fileVisibilityEnabled"`
	NetworkVisibilityEnabled      bool `json:"networkVisibilityEnabled"`
	CapabilitiesVisibilityEnabled bool `json:"capabilitiesVisibilityEnabled"`
}

EndPoint Structure

type FileDirectoryType

// FileDirectoryType is a directory rule in FileType.MatchDirectories.
type FileDirectoryType struct {
	// Directory is mandatory (no omitempty). It is an unnormalised string;
	// whether a trailing slash, "..", or symlinks are handled is decided by
	// the matcher, not here.
	Directory  string            `json:"dir"`
	// ReadOnly restricts to reads; Recursive extends the rule to
	// subdirectories; OwnerOnly limits the rule to the file owner.
	ReadOnly   bool              `json:"readOnly,omitempty"`
	Recursive  bool              `json:"recursive,omitempty"`
	OwnerOnly  bool              `json:"ownerOnly,omitempty"`
	// FromSource narrows the rule to the listed executables.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`

	// Per-rule overrides of the FileType defaults.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

FileDirectoryType Structure

type FilePathType

// FilePathType is a single-path rule in FileType.MatchPaths. It has no
// Recursive flag (that belongs to FileDirectoryType).
type FilePathType struct {
	// Path is mandatory (no omitempty) and is not canonicalised here.
	Path       string            `json:"path"`
	ReadOnly   bool              `json:"readOnly,omitempty"`
	OwnerOnly  bool              `json:"ownerOnly,omitempty"`
	// FromSource narrows the rule to the listed executables.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`

	// Per-rule overrides of the FileType defaults.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

FilePathType Structure

type FilePatternType

// FilePatternType is a pattern rule in FileType.MatchPatterns. Unlike the
// path and directory rules it has no FromSource field, so a pattern rule
// cannot be scoped to particular source binaries.
type FilePatternType struct {
	// Pattern is mandatory (no omitempty). Its syntax (glob vs. regex) is
	// not fixed by this type.
	Pattern   string `json:"pattern"`
	ReadOnly  bool   `json:"readOnly,omitempty"`
	OwnerOnly bool   `json:"ownerOnly,omitempty"`

	// Per-rule overrides of the FileType defaults.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

FilePatternType Structure

type FileType

// FileType is the "file" section of a SecuritySpec/HostSecuritySpec. Rules
// come in three shapes (paths, directories, patterns), each list optional,
// with section-level defaults below.
type FileType struct {
	MatchPaths       []FilePathType      `json:"matchPaths,omitempty"`
	MatchDirectories []FileDirectoryType `json:"matchDirectories,omitempty"`
	MatchPatterns    []FilePatternType   `json:"matchPatterns,omitempty"`

	// Section-level defaults; individual rules may override them.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

FileType Structure

type HostSecurityPolicy

// HostSecurityPolicy is the internal form of a host (node-level) policy.
// Metadata is a flat string map rather than metav1.ObjectMeta; compare
// K8sKubeArmorHostPolicy, the CRD-facing counterpart with the same Spec type.
type HostSecurityPolicy struct {
	Metadata map[string]string `json:"metadata"`
	Spec     HostSecuritySpec  `json:"spec"`
}

HostSecurityPolicy Structure

type HostSecuritySpec

// HostSecuritySpec is the spec of a host policy. It mirrors SecuritySpec but
// selects nodes instead of workloads and has no SELinux section.
type HostSecuritySpec struct {
	NodeSelector NodeSelectorType `json:"nodeSelector"`

	// Rule sections; each is a struct value, so "omitempty" has no effect on
	// them (encoding/json never treats a struct as empty) and they are
	// always encoded.
	Process      ProcessType      `json:"process,omitempty"`
	File         FileType         `json:"file,omitempty"`
	Network      NetworkType      `json:"network,omitempty"`
	Capabilities CapabilitiesType `json:"capabilities,omitempty"`

	// AppArmor is a raw profile fragment or name (not fixed here). BPFLSM is
	// an int flag with omitempty, so a value of 0 is dropped from the
	// encoding.
	AppArmor string `json:"apparmor,omitempty"`
	BPFLSM   int    `json:"bpflsm,omitempty"`

	// Severity and Action are always encoded (no omitempty); an unset Action
	// therefore serialises as "". Consumers should treat an empty Action as
	// invalid rather than defaulting silently.
	Severity int      `json:"severity"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action"`
}

HostSecuritySpec Structure

type HostVolumeMount

// HostVolumeMount records a host path mounted into one or more containers of
// a pod, and how each container sees it. No json tags: if encoded (e.g. via
// EndPoint.HostVolumes) the Go field names are used.
type HostVolumeMount struct {
	// Type is the volume kind as a string (not fixed by this type);
	// VolumeName is the pod volume name; PathName the path on the host.
	Type                    string
	VolumeName              string
	PathName                string
	UsedByContainerPath     map[string]string // key: container name, val: mounted path
	UsedByContainerReadOnly map[string]bool   // key: container name, val: readOnly
}

HostVolumeMount Structure

type K8sAuditPolicySpec

// K8sAuditPolicySpec is the CRD-facing spec of an audit policy. It differs
// from the internal AuditPolicy in two ways: events are grouped under rules,
// and Severity is a string rather than an int.
type K8sAuditPolicySpec struct {
	Selector   SelectorType       `json:"selector"`
	// AuditRules is always encoded (json key "rules", no omitempty).
	AuditRules []K8sAuditRuleType `json:"rules"`

	// Severity is a string here; converting it to the int used by
	// AuditPolicy/AuditEventType is the caller's job.
	Severity string   `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
}

K8sAuditPolicySpec Structure

type K8sAuditRuleType

// K8sAuditRuleType is one rule of a K8sAuditPolicySpec: an optional process
// restriction plus the events to audit.
type K8sAuditRuleType struct {
	Process string         `json:"process,omitempty"`
	// Events is always encoded (no omitempty).
	Events  []K8sEventType `json:"events"`

	// Severity is a string in the CRD representation (int internally).
	Severity string   `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
}

K8sAuditRuleType Structure

type K8sEventType

// K8sEventType is the CRD-facing event matcher. It is AuditEventType without
// the per-event Severity/Tags/Message fields; the json keys are identical, so
// the two can be converted field by field.
type K8sEventType struct {
	// Probe is mandatory; Rate is an unparsed string.
	Probe string `json:"probe"`
	Rate  string `json:"rate,omitempty"`

	// File-related selectors (raw strings, see AuditEventType).
	Path      string `json:"path,omitempty"`
	Directory string `json:"dir,omitempty"`
	Mode      string `json:"mode,omitempty"`
	Flags     string `json:"flags,omitempty"`

	// Network-related selectors (raw strings, not validated here).
	Protocol string `json:"protocol,omitempty"`
	Ipv4Addr string `json:"ipv4addr,omitempty"`
	Ipv6Addr string `json:"ipv6addr,omitempty"`
	Port     string `json:"port,omitempty"`
}

K8sEventType Structure

type K8sKubeArmorAuditPolicies

// K8sKubeArmorAuditPolicies is a list response of audit-policy objects, as
// returned by a Kubernetes list call ("items").
type K8sKubeArmorAuditPolicies struct {
	Items []K8sKubeArmorAuditPolicy `json:"items"`
}

K8sKubeArmorAuditPolicies Structure

type K8sKubeArmorAuditPolicy

// K8sKubeArmorAuditPolicy is the audit-policy custom resource: standard
// object metadata, the spec, and an optional status.
type K8sKubeArmorAuditPolicy struct {
	Metadata metav1.ObjectMeta  `json:"metadata"`
	Spec     K8sAuditPolicySpec `json:"spec"`
	// Status is a struct, so omitempty does not suppress it; it is always
	// encoded (as {} when unset).
	Status   K8sPolicyStatus    `json:"status,omitempty"`
}

K8sKubeArmorAuditPolicy Structure

type K8sKubeArmorAuditPolicyEvent

// K8sKubeArmorAuditPolicyEvent is a watch event for an audit policy. Type is
// the watch event type as a string (not validated here) and Object the
// resource it concerns.
type K8sKubeArmorAuditPolicyEvent struct {
	Type   string                  `json:"type"`
	Object K8sKubeArmorAuditPolicy `json:"object"`
}

K8sKubeArmorAuditPolicyEvent Structure

type K8sKubeArmorHostPolicies

// K8sKubeArmorHostPolicies is a list response of host-policy objects.
type K8sKubeArmorHostPolicies struct {
	Items []K8sKubeArmorHostPolicy `json:"items"`
}

K8sKubeArmorHostPolicies Structure

type K8sKubeArmorHostPolicy

// K8sKubeArmorHostPolicy is the host-policy custom resource. Its Spec is the
// same HostSecuritySpec used by the internal HostSecurityPolicy.
type K8sKubeArmorHostPolicy struct {
	Metadata metav1.ObjectMeta `json:"metadata"`
	Spec     HostSecuritySpec  `json:"spec"`
	// Status is a struct; omitempty has no effect and it is always encoded.
	Status   K8sPolicyStatus   `json:"status,omitempty"`
}

K8sKubeArmorHostPolicy Structure

type K8sKubeArmorHostPolicyEvent

// K8sKubeArmorHostPolicyEvent is a watch event for a host policy.
type K8sKubeArmorHostPolicyEvent struct {
	Type   string                 `json:"type"`
	Object K8sKubeArmorHostPolicy `json:"object"`
}

K8sKubeArmorHostPolicyEvent Structure

type K8sKubeArmorMacro

// K8sKubeArmorMacro is the macro custom resource: a named set of
// name/value substitutions (see KubeArmorMacroType).
type K8sKubeArmorMacro struct {
	Metadata metav1.ObjectMeta     `json:"metadata"`
	Spec     K8sKubeArmorMacroSpec `json:"spec"`
	// Status is a struct; omitempty has no effect and it is always encoded.
	Status   K8sPolicyStatus       `json:"status,omitempty"`
}

K8sKubeArmorMacro Structure

type K8sKubeArmorMacroEvent

// K8sKubeArmorMacroEvent is a watch event for a macro resource.
type K8sKubeArmorMacroEvent struct {
	Type   string            `json:"type"`
	Object K8sKubeArmorMacro `json:"object"`
}

K8sKubeArmorMacroEvent Structure

type K8sKubeArmorMacroSpec

// K8sKubeArmorMacroSpec holds the macro definitions of a K8sKubeArmorMacro.
// Macros is always encoded (no omitempty).
type K8sKubeArmorMacroSpec struct {
	Macros []KubeArmorMacroType `json:"macros"`
}

K8sKubeArmorMacroSpec Structure

type K8sKubeArmorPolicies

// K8sKubeArmorPolicies is a list response of workload-policy objects.
type K8sKubeArmorPolicies struct {
	Items []K8sKubeArmorPolicy `json:"items"`
}

K8sKubeArmorPolicies Structure

type K8sKubeArmorPolicy

// K8sKubeArmorPolicy is the workload-policy custom resource. Its Spec is the
// same SecuritySpec used by the internal SecurityPolicy.
type K8sKubeArmorPolicy struct {
	Metadata metav1.ObjectMeta `json:"metadata"`
	Spec     SecuritySpec      `json:"spec"`
	// Status is a struct; omitempty has no effect and it is always encoded.
	Status   K8sPolicyStatus   `json:"status,omitempty"`
}

K8sKubeArmorPolicy Structure

type K8sKubeArmorPolicyEvent

// K8sKubeArmorPolicyEvent is a watch event for a workload policy.
type K8sKubeArmorPolicyEvent struct {
	Type   string             `json:"type"`
	Object K8sKubeArmorPolicy `json:"object"`
}

K8sKubeArmorPolicyEvent Structure

type K8sNodeEvent

// K8sNodeEvent is a watch event for a Kubernetes Node (v1.Node comes from
// the imported core API package, aliased in this file's import block).
type K8sNodeEvent struct {
	Type   string  `json:"type"`
	Object v1.Node `json:"object"`
}

K8sNodeEvent Structure

type K8sPod

// K8sPod is a flattened view of a pod used internally. It carries no json
// tags. The maps are string->string; what Metadata and Containers are keyed
// by is not fixed by this type (presumably field name -> value and container
// name -> container ID respectively — confirm against the code that fills
// them).
type K8sPod struct {
	Metadata    map[string]string
	Annotations map[string]string
	Labels      map[string]string
	Containers  map[string]string
	// HostVolumes lists host paths mounted into this pod; see HostVolumeMount.
	HostVolumes []HostVolumeMount
}

K8sPod Structure

type K8sPodEvent

// K8sPodEvent is a watch event for a Kubernetes Pod (v1.Pod from the
// imported core API package).
type K8sPodEvent struct {
	Type   string `json:"type"`
	Object v1.Pod `json:"object"`
}

K8sPodEvent Structure

type K8sPolicyStatus

// K8sPolicyStatus is the status sub-resource shared by the policy CRDs. It
// holds a single free-form status string, omitted when empty.
type K8sPolicyStatus struct {
	Status string `json:"status,omitempty"`
}

K8sPolicyStatus Structure

type KubeArmorMacroType

// KubeArmorMacroType is one macro definition: Name is substituted by Value
// in policies. Both are mandatory in the encoding (no omitempty). Because
// macros expand into policy text, a macro value is as security-sensitive as
// the policy it ends up in.
type KubeArmorMacroType struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

KubeArmorMacroType Structure

type Log

// Log is the emitted telemetry record for a single observed event: where it
// happened (host/k8s/container), which process, which policy matched (if
// any), and what was done. Several fields are string-typed counterparts of
// int/slice fields elsewhere (Severity, Tags); see notes below.
type Log struct {
	// updated time: Timestamp is an epoch value (unit not fixed here) and
	// UpdatedTime a pre-formatted string of the same instant.
	Timestamp   int64  `json:"timestamp"`
	UpdatedTime string `json:"updatedTime"`

	// host
	ClusterName string `json:"clusterName,omitempty"`
	HostName    string `json:"hostName"`

	// k8s (empty for host-level events)
	NamespaceName string `json:"namespaceName,omitempty"`
	PodName       string `json:"podName,omitempty"`

	// container (empty for host-level events)
	ContainerID   string `json:"containerID,omitempty"`
	ContainerName string `json:"containerName,omitempty"`

	// common: HostPID is the PID in the host namespace, PID/PPID are as seen
	// inside the container's PID namespace. All are int32 here although
	// PidNode stores them as uint32.
	HostPID int32 `json:"hostPid"`
	PPID    int32 `json:"ppid"`
	PID     int32 `json:"pid"`
	UID     int32 `json:"uid"`

	// policy: name of the matched policy, empty when no policy matched.
	PolicyName string `json:"policyName,omitempty"`

	// severity, tags, message. Severity is a string (int in the policy
	// types) and Tags a single string (a []string in the policy types), so
	// the producer is expected to join/convert before filling these.
	Severity string `json:"severity,omitempty"`
	Tags     string `json:"tags,omitempty"`
	Message  string `json:"message,omitempty"`

	// log: Source is the acting executable, Operation/Resource the observed
	// action and its target, Data any extra detail, Action what the policy
	// said to do, Result the outcome. Resource and Data are copied from the
	// event and may contain paths or arguments supplied by the workload —
	// treat them as untrusted when forwarding or rendering.
	Type      string `json:"type"`
	Source    string `json:"source"`
	Operation string `json:"operation"`
	Resource  string `json:"resource"`
	Data      string `json:"data,omitempty"`
	Action    string `json:"action,omitempty"`
	Result    string `json:"result"`

	// PolicyEnabled is one of the KubeArmorPolicy* constants. With omitempty
	// the value KubeArmorPolicyDisabled (0) is dropped from the encoding, so
	// a missing key must be read as Disabled.
	PolicyEnabled int `json:"policyEnabled,omitempty"`

	// Visibility switches; false values are omitted from the encoding.
	ProcessVisibilityEnabled      bool `json:"processVisibilityEnabled,omitempty"`
	FileVisibilityEnabled         bool `json:"fileVisibilityEnabled,omitempty"`
	NetworkVisibilityEnabled      bool `json:"networkVisibilityEnabled,omitempty"`
	CapabilitiesVisibilityEnabled bool `json:"capabilitiesVisibilityEnabled,omitempty"`
}

Log Structure

type MatchPolicies

// MatchPolicies is the compiled rule set for an endpoint: a flat list of
// MatchPolicy entries. No json tags; this is an in-memory structure.
type MatchPolicies struct {
	Policies []MatchPolicy
}

MatchPolicies Structure

type MatchPolicy

// MatchPolicy is one compiled matching rule derived from a policy, used to
// attribute an observed event (source, operation, resource) back to the
// policy and its metadata. No json tags: in-memory only, which also avoids
// trying to encode the *regexp.Regexp.
type MatchPolicy struct {
	PolicyName string

	// Severity is a string here (already converted from the policy int).
	Severity string
	Tags     []string
	Message  string

	// Source is the executable the rule applies to; ResourceType and
	// Resource describe the matched object (exact semantics of ResourceType
	// are not fixed by this type).
	Source       string
	Operation    string
	ResourceType string
	Resource     string

	// IsFromSource is set when the rule came from a FromSource restriction.
	IsFromSource bool

	// Regexp is the compiled pattern for pattern-based rules and may be nil
	// for exact-match rules; Native is a flag whose meaning is defined by
	// the matcher (presumably "enforced by the LSM natively" — confirm).
	Regexp *regexp.Regexp
	Native bool

	Action string
}

MatchPolicy Structure

type MatchSourceType

// MatchSourceType identifies a source executable for FromSource rules. Path
// is an unnormalised string with omitempty, so an entry with an empty path
// encodes as {} — consumers should reject such entries rather than treat
// them as a wildcard.
type MatchSourceType struct {
	Path string `json:"path,omitempty"`
}

MatchSourceType Structure

type MatchVolumeMountType

// MatchVolumeMountType is an SELinux volume-mount rule (SELinuxType). A rule
// names either a Path or a Directory — both are optional in the encoding
// and nothing here prevents setting both or neither.
type MatchVolumeMountType struct {
	Path      string `json:"path,omitempty"`
	Directory string `json:"dir,omitempty"`
	ReadOnly  bool   `json:"readOnly,omitempty"`

	// Per-rule overrides of the SELinuxType defaults.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

MatchVolumeMountType Structure

type NetworkProtocolType

// NetworkProtocolType is one protocol rule in NetworkType.MatchProtocols.
type NetworkProtocolType struct {
	// Protocol is mandatory (no omitempty) and is a raw string; accepted
	// names are decided by the consumer.
	Protocol   string            `json:"protocol"`
	// FromSource narrows the rule to the listed executables.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`

	// Per-rule overrides of the NetworkType defaults.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

NetworkProtocolType Structure

type NetworkType

// NetworkType is the "network" section of a SecuritySpec/HostSecuritySpec:
// protocol rules plus two plain IP lists.
type NetworkType struct {
	MatchProtocols []NetworkProtocolType `json:"matchProtocols,omitempty"`
	// SendIPs and ConnectIPs are unparsed strings (addresses or CIDRs — not
	// fixed here); they carry no per-entry action or metadata, so the
	// section-level defaults below apply to them.
	SendIPs        []string              `json:"sendIPs,omitempty"`
	ConnectIPs     []string              `json:"connectIPs,omitempty"`

	// Section-level defaults; MatchProtocols entries may override them.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

NetworkType Structure

type Node

// Node is the runtime view of the node the agent runs on: identity, labels
// and derived identities (matched by NodeSelectorType), platform facts, and
// which policy families and visibility classes are enabled.
type Node struct {
	NodeName string `json:"nodeName"`
	NodeIP   string `json:"nodeIP"`

	// Annotations/Labels come from the Kubernetes Node object; Identities is
	// derived from them for selector matching.
	Annotations map[string]string `json:"annotations"`
	Labels      map[string]string `json:"labels"`

	Identities []string `json:"identities"`

	// Platform facts as reported by the kubelet (raw strings). KernelVersion
	// in particular is what LSM/BPF capability decisions would key on.
	Architecture    string `json:"architecture"`
	OperatingSystem string `json:"operatingSystem"`
	OSImage         string `json:"osImage"`
	KernelVersion   string `json:"kernelVersion"`
	KubeletVersion  string `json:"kubeletVersion"`

	ContainerRuntimeVersion string `json:"containerRuntimeVersion"`

	// Which policy families the agent accepts on this node.
	EnableKubeArmorPolicy      bool `json:"enableKubeArmorPolicy"`
	EnableKubeArmorHostPolicy  bool `json:"enableKubeArmorHostPolicy"`
	EnableKubeArmorAuditPolicy bool `json:"enableKubeArmorAuditPolicy"`

	// PolicyEnabled holds one of the KubeArmorPolicy* constants.
	PolicyEnabled int `json:"policyEnabled"`

	// Visibility switches, mirroring Container and EndPoint.
	ProcessVisibilityEnabled      bool `json:"processVisibilityEnabled"`
	FileVisibilityEnabled         bool `json:"fileVisibilityEnabled"`
	NetworkVisibilityEnabled      bool `json:"networkVisibilityEnabled"`
	CapabilitiesVisibilityEnabled bool `json:"capabilitiesVisibilityEnabled"`
}

Node Structure

type NodeSelectorType

// NodeSelectorType selects the nodes a host policy applies to by label.
// MatchLabels is the user-supplied part. Identities is meant to be derived
// from MatchLabels during the policy update — but because it carries a json
// tag it will also be decoded from an incoming policy document, so the
// update step must overwrite it unconditionally rather than trust a value
// already present.
type NodeSelectorType struct {
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
	Identities  []string          `json:"identities,omitempty"` // set during policy update
}

NodeSelectorType Structure

type PidMap

// PidMap indexes process nodes by host PID (the key is the PID in the host
// namespace, matching PidNode.HostPID). A plain map: any concurrent access
// must be synchronised by the owner.
type PidMap map[uint32]PidNode

PidMap for host pid -> process node

type PidNode

// PidNode is one entry of the process tree kept per container/host. It
// records both host-namespace and in-container PIDs so events can be
// attributed either way. No json tags: in-memory only.
type PidNode struct {
	// PidID/MntID are the PID and mount namespace IDs (cf. Container.PidNS
	// and Container.MntNS).
	PidID uint32
	MntID uint32

	// PIDs as seen from the host namespace.
	HostPPID uint32
	HostPID  uint32

	// PIDs and UID as seen inside the process's own namespace. Stored as
	// uint32 here but as int32 in Log.
	PPID uint32
	PID  uint32
	UID  uint32

	// Comm is the kernel's short command name (truncated by the kernel);
	// ExecPath is the resolved executable path. Only ExecPath should be used
	// for path-based matching — Comm is attacker-controllable via prctl and
	// is not unique.
	Comm     string
	ExecPath string

	// Exited marks a process that has terminated; ExitedTime records when,
	// so stale entries can be aged out of a PidMap.
	Exited     bool
	ExitedTime time.Time
}

PidNode Structure

type ProcessDirectoryType

// ProcessDirectoryType is a directory rule in ProcessType.MatchDirectories.
// It mirrors FileDirectoryType minus ReadOnly (execution has no read/write
// distinction).
type ProcessDirectoryType struct {
	// Directory is mandatory (no omitempty) and unnormalised.
	Directory  string            `json:"dir"`
	Recursive  bool              `json:"recursive,omitempty"`
	OwnerOnly  bool              `json:"ownerOnly,omitempty"`
	// FromSource narrows the rule to the listed parent executables.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`

	// Per-rule overrides of the ProcessType defaults.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

ProcessDirectoryType Structure

type ProcessPathType

// ProcessPathType is a single-executable rule in ProcessType.MatchPaths.
type ProcessPathType struct {
	// Path is mandatory (no omitempty) and unnormalised.
	Path       string            `json:"path"`
	OwnerOnly  bool              `json:"ownerOnly,omitempty"`
	// FromSource narrows the rule to the listed parent executables.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`

	// Per-rule overrides of the ProcessType defaults.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

ProcessPathType Structure

type ProcessPatternType

// ProcessPatternType is a pattern rule in ProcessType.MatchPatterns. Like
// FilePatternType it has no FromSource field, so pattern rules cannot be
// scoped to a parent executable.
type ProcessPatternType struct {
	// Pattern is mandatory (no omitempty); its syntax is not fixed here.
	Pattern   string `json:"pattern"`
	OwnerOnly bool   `json:"ownerOnly,omitempty"`

	// Per-rule overrides of the ProcessType defaults.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

ProcessPatternType Structure

type ProcessType

// ProcessType is the "process" section of a SecuritySpec/HostSecuritySpec:
// path, directory and pattern rules for executables, with section-level
// defaults.
type ProcessType struct {
	MatchPaths       []ProcessPathType      `json:"matchPaths,omitempty"`
	MatchDirectories []ProcessDirectoryType `json:"matchDirectories,omitempty"`
	MatchPatterns    []ProcessPatternType   `json:"matchPatterns,omitempty"`

	// Section-level defaults; individual rules may override them.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

ProcessType Structure

type SELinuxType

// SELinuxType is the "selinux" section of a SecuritySpec (there is no
// counterpart in HostSecuritySpec). It only carries volume-mount rules.
type SELinuxType struct {
	MatchVolumeMounts []MatchVolumeMountType `json:"matchVolumeMounts,omitempty"`

	// Section-level defaults; individual rules may override them.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}

SELinuxType Structure

type SecurityPolicy

// SecurityPolicy is the internal form of a workload policy. Metadata is a
// flat string map rather than metav1.ObjectMeta; compare K8sKubeArmorPolicy,
// the CRD-facing counterpart with the same Spec type.
type SecurityPolicy struct {
	Metadata map[string]string `json:"metadata"`
	Spec     SecuritySpec      `json:"spec"`
}

SecurityPolicy Structure

type SecuritySpec

// SecuritySpec is the spec of a workload policy: a selector, the four rule
// sections, LSM-specific extras, and policy-wide defaults.
type SecuritySpec struct {
	Selector SelectorType `json:"selector"`

	// Rule sections. These are struct values, so "omitempty" has no effect
	// on them (encoding/json never treats a struct as empty); they are
	// always encoded.
	Process      ProcessType      `json:"process,omitempty"`
	File         FileType         `json:"file,omitempty"`
	Network      NetworkType      `json:"network,omitempty"`
	Capabilities CapabilitiesType `json:"capabilities,omitempty"`

	// AppArmor is a raw string (profile name or fragment — not fixed here);
	// SELinux holds volume-mount rules; BPFLSM is an int flag whose 0 value
	// is dropped from the encoding because of omitempty.
	AppArmor string      `json:"apparmor,omitempty"`
	SELinux  SELinuxType `json:"selinux,omitempty"`
	BPFLSM   int         `json:"bpflsm,omitempty"`

	// Severity and Action are always encoded (no omitempty), so an unset
	// Action serialises as "". Consumers should treat an empty Action as
	// invalid rather than defaulting it silently.
	Severity int      `json:"severity"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action"`
}

SecuritySpec Structure

type SelectorType

// SelectorType selects the endpoints a policy applies to by label.
// MatchLabels is the user-supplied part. Identities is meant to be derived
// from MatchLabels during the policy update — but because it carries a json
// tag it is also decoded from an incoming policy document, so the update
// step must overwrite it unconditionally rather than trust a value already
// present.
type SelectorType struct {
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
	Identities  []string          `json:"identities,omitempty"` // set during policy update
}

SelectorType Structure
