Documentation ¶
Overview ¶
Package kubernetes provides functions for interacting with Kubernetes and is built using the kubernetes client-go (https://github.com/kubernetes/client-go).
Index ¶
- func GenerateUniquePodName(baseName string) string
- type AzK8sConstraintTemplate
- func (az *AzK8sConstraintTemplate) HasAllowPrivilegeEscalationRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasAllowedCapabilitiesRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasAssignedCapabilitiesRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasHostIPCRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasHostNetworkRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasHostPIDRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasHostPortRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasNETRAWRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasPrivilegedAccessRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasRootUserRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasSeccompProfileRestriction() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasSecurityPolicies() (*bool, error)
- func (az *AzK8sConstraintTemplate) HasVolumeTypeRestriction() (*bool, error)
- type CRA
- type CmdExecutionResult
- type ContainerRegistryAccess
- type IAM
- func (i *IAM) AzureIdentityBindingExists(useDefaultNS bool) (bool, error)
- func (i *IAM) AzureIdentityExists(useDefaultNS bool) (bool, error)
- func (i *IAM) CreateAIB(y []byte, ai string, n string, ns string) (bool, error)
- func (i *IAM) CreateIAMProbePod(y []byte, useDefaultNS bool) (*apiv1.Pod, error)
- func (i *IAM) DeleteIAMProbePod(n string, useDefaultNS bool, e string) error
- func (i *IAM) ExecuteVerificationCmd(pn string, cmd IAMProbeCommand, useDefaultNS bool) (*CmdExecutionResult, error)
- func (i *IAM) GetAccessToken(pn string, useDefaultNS bool) (*string, error)
- type IAMProbeCommand
- type IAMVerification
- type IdentityAccessManagement
- type K8SJSON
- type K8SJSONItem
- type Kube
- func (k *Kube) ClusterIsDeployed() *bool
- func (k *Kube) CreateConfigMap(n *string, ns *string) (*apiv1.ConfigMap, error)
- func (k *Kube) CreatePod(podName string, ns string, containerName string, image string, wait bool, ...) (*apiv1.Pod, *PodAudit, error)
- func (k *Kube) CreatePodFromObject(p *apiv1.Pod, pname string, ns string, w bool) (*apiv1.Pod, error)
- func (k *Kube) CreatePodFromYaml(y []byte, pname string, ns string, image string, aadpodidbinding string, ...) (*apiv1.Pod, error)
- func (k *Kube) DeleteConfigMap(n *string, ns *string) error
- func (k *Kube) DeleteNamespace(ns *string) error
- func (k *Kube) DeletePod(pname *string, ns *string, wait bool, probe string) error
- func (k *Kube) ExecCommand(cmd, ns, pn *string) (s *CmdExecutionResult)
- func (k *Kube) GetClient() (*kubernetes.Clientset, error)
- func (k *Kube) GetClusterRoles() (*rbacv1.ClusterRoleList, error)
- func (k *Kube) GetClusterRolesByResource(r string) (*[]rbacv1.ClusterRole, error)
- func (k *Kube) GetConstraintTemplates(prefix string) (*map[string]interface{}, error)
- func (k *Kube) GetIdentityBindings(prefix string) (*map[string]interface{}, error)
- func (k *Kube) GetPodObject(pname string, ns string, cname string, image string, sc *apiv1.SecurityContext) *apiv1.Pod
- func (k *Kube) GetPods(ns string) (*apiv1.PodList, error)
- func (k *Kube) GetRawResourcesByGrp(g string) (*K8SJSON, error)
- func (k *Kube) GetRoles() (*rbacv1.RoleList, error)
- func (k *Kube) GetRolesByResource(r string) (*[]rbacv1.Role, error)
- type KubePodSecurityPolicyProvider
- func (p *KubePodSecurityPolicyProvider) HasAllowPrivilegeEscalationRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasAllowedCapabilitiesRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasAssignedCapabilitiesRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasHostIPCRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasHostNetworkRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasHostPIDRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasHostPortRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasNETRAWRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasPrivilegedAccessRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasRootUserRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasSeccompProfileRestriction() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasSecurityPolicies() (*bool, error)
- func (p *KubePodSecurityPolicyProvider) HasVolumeTypeRestriction() (*bool, error)
- type Kubernetes
- type NA
- type NetworkAccess
- type PSP
- func (psp *PSP) AllowedCapabilitiesAreRestricted() (*bool, error)
- func (psp *PSP) AssignedCapabilitiesAreRestricted() (*bool, error)
- func (psp *PSP) ClusterHasPSP() (*bool, error)
- func (psp *PSP) ClusterIsDeployed() *bool
- func (psp *PSP) CreateConfigMap() error
- func (psp *PSP) CreatePODSettingAttributes(hostPID *bool, hostIPC *bool, hostNetwork *bool) (*apiv1.Pod, error)
- func (psp *PSP) CreatePODSettingCapabilities(c *[]string) (*apiv1.Pod, error)
- func (psp *PSP) CreatePODSettingSecurityContext(pr *bool, pe *bool, runAsUser *int64) (*apiv1.Pod, error)
- func (psp *PSP) CreatePodFromYaml(y []byte) (*apiv1.Pod, error)
- func (psp *PSP) DeleteConfigMap() error
- func (psp *PSP) ExecPSPProbeCmd(pName *string, cmd PSPProbeCommand) (*CmdExecutionResult, error)
- func (psp *PSP) HostIPCIsRestricted() (*bool, error)
- func (psp *PSP) HostNetworkIsRestricted() (*bool, error)
- func (psp *PSP) HostPIDIsRestricted() (*bool, error)
- func (psp *PSP) HostPortsAreRestricted() (*bool, error)
- func (psp *PSP) NETRawIsRestricted() (*bool, error)
- func (psp *PSP) PrivilegedAccessIsRestricted() (*bool, error)
- func (psp *PSP) PrivilegedEscalationIsRestricted() (*bool, error)
- func (psp *PSP) RootUserIsRestricted() (*bool, error)
- func (psp *PSP) SeccompProfilesAreRestricted() (*bool, error)
- func (psp *PSP) TeardownPodSecurityProbe(p *string, e string) error
- func (psp *PSP) VolumeTypesAreRestricted() (*bool, error)
- type PSPProbeCommand
- type PSPVerificationProbe
- type PodAudit
- type PodCreationError
- type PodCreationErrorReason
- type PodSecurityPolicy
- type PrivilegedAccess
- type SecurityPolicyProvider
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GenerateUniquePodName ¶
GenerateUniquePodName creates a unique pod name of the form '<baseName>-<nanosecond timestamp>-<random int>'. The random component exists to avoid name collisions, not to provide unpredictability; do not rely on the generated name being unguessable.
Types ¶
type AzK8sConstraintTemplate ¶
type AzK8sConstraintTemplate struct {
// contains filtered or unexported fields
}
AzK8sConstraintTemplate captures the Azure-specific constraint templates that result from applying an Azure Policy and that can be used to support PodSecurityPolicy-like behaviour. It implements SecurityPolicyProvider and is the preferred way of determining constraints on an AKS cluster.
func NewAzK8sConstraintTemplate ¶
func NewAzK8sConstraintTemplate(k Kubernetes) *AzK8sConstraintTemplate
NewAzK8sConstraintTemplate constructs a new AzK8sConstraintTemplate using the supplied kubernetes instance.
func NewDefaultAzK8sConstraintTemplate ¶
func NewDefaultAzK8sConstraintTemplate() *AzK8sConstraintTemplate
NewDefaultAzK8sConstraintTemplate constructs a new AzK8sConstraintTemplate using the default kubernetes instance.
func (*AzK8sConstraintTemplate) HasAllowPrivilegeEscalationRestriction ¶
func (az *AzK8sConstraintTemplate) HasAllowPrivilegeEscalationRestriction() (*bool, error)
HasAllowPrivilegeEscalationRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasAllowedCapabilitiesRestriction ¶
func (az *AzK8sConstraintTemplate) HasAllowedCapabilitiesRestriction() (*bool, error)
HasAllowedCapabilitiesRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasAssignedCapabilitiesRestriction ¶
func (az *AzK8sConstraintTemplate) HasAssignedCapabilitiesRestriction() (*bool, error)
HasAssignedCapabilitiesRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasHostIPCRestriction ¶
func (az *AzK8sConstraintTemplate) HasHostIPCRestriction() (*bool, error)
HasHostIPCRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasHostNetworkRestriction ¶
func (az *AzK8sConstraintTemplate) HasHostNetworkRestriction() (*bool, error)
HasHostNetworkRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasHostPIDRestriction ¶
func (az *AzK8sConstraintTemplate) HasHostPIDRestriction() (*bool, error)
HasHostPIDRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasHostPortRestriction ¶
func (az *AzK8sConstraintTemplate) HasHostPortRestriction() (*bool, error)
HasHostPortRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasNETRAWRestriction ¶
func (az *AzK8sConstraintTemplate) HasNETRAWRestriction() (*bool, error)
HasNETRAWRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasPrivilegedAccessRestriction ¶
func (az *AzK8sConstraintTemplate) HasPrivilegedAccessRestriction() (*bool, error)
HasPrivilegedAccessRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasRootUserRestriction ¶
func (az *AzK8sConstraintTemplate) HasRootUserRestriction() (*bool, error)
HasRootUserRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasSeccompProfileRestriction ¶
func (az *AzK8sConstraintTemplate) HasSeccompProfileRestriction() (*bool, error)
HasSeccompProfileRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasSecurityPolicies ¶
func (az *AzK8sConstraintTemplate) HasSecurityPolicies() (*bool, error)
HasSecurityPolicies provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
func (*AzK8sConstraintTemplate) HasVolumeTypeRestriction ¶
func (az *AzK8sConstraintTemplate) HasVolumeTypeRestriction() (*bool, error)
HasVolumeTypeRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.
type CRA ¶
type CRA struct {
// contains filtered or unexported fields
}
CRA implements the ContainerRegistryAccess interface.
func NewCRA ¶
func NewCRA(k Kubernetes) *CRA
NewCRA creates a new CRA with the supplied kubernetes instance.
func NewDefaultCRA ¶
func NewDefaultCRA() *CRA
NewDefaultCRA creates a new CRA using the default kubernetes instance.
func (*CRA) ClusterIsDeployed ¶
ClusterIsDeployed reports whether a cluster is deployed.
func (*CRA) SetupContainerAccessProbePod ¶ added in v0.3.0
SetupContainerAccessProbePod creates a pod with characteristics required for testing container access.
type CmdExecutionResult ¶
CmdExecutionResult encapsulates the result from an exec call to the kubernetes cluster. This includes 'stdout', 'stderr', 'exit code' and any error details in the case of a non-zero exit code.
func (*CmdExecutionResult) String ¶ added in v0.3.0
func (e *CmdExecutionResult) String() string
type ContainerRegistryAccess ¶
type ContainerRegistryAccess interface { ClusterIsDeployed() *bool SetupContainerAccessProbePod(r string) (*apiv1.Pod, *PodAudit, error) TeardownContainerAccessProbePod(p *string, e string) error }
ContainerRegistryAccess interface defines the methods to support container registry access tests.
type IAM ¶ added in v0.3.0
type IAM struct {
// contains filtered or unexported fields
}
IAM implements the IdentityAccessManagement interface.
func NewDefaultIAM ¶ added in v0.3.0
func NewDefaultIAM() *IAM
NewDefaultIAM creates a new IAM instance using the default kubernetes provider.
func (*IAM) AzureIdentityBindingExists ¶ added in v0.3.0
AzureIdentityBindingExists retrieves the AzureIdentityBindings, filters them by namespace when one is supplied, and reports whether any exist.
func (*IAM) AzureIdentityExists ¶ added in v0.3.0
AzureIdentityExists retrieves the AzureIdentity resources (not the bindings), filters them by namespace when one is supplied, and reports whether any exist.
func (*IAM) CreateAIB ¶ added in v0.3.0
CreateAIB creates an AzureIdentityBinding to the supplied AzureIdentity. Parameters: y - the AzureIdentityBinding definition bytes; ai - name of the AzureIdentity; n - name of the AzureIdentityBinding; ns - namespace in which to create the AIB.
func (*IAM) CreateIAMProbePod ¶ added in v0.3.0
CreateIAMProbePod creates a pod configured for IAM test cases.
func (*IAM) DeleteIAMProbePod ¶ added in v0.3.0
DeleteIAMProbePod deletes the IAM test pod with the supplied name.
func (*IAM) ExecuteVerificationCmd ¶ added in v0.3.0
func (i *IAM) ExecuteVerificationCmd(pn string, cmd IAMProbeCommand, useDefaultNS bool) (*CmdExecutionResult, error)
ExecuteVerificationCmd executes a verification command against the supplied pod name.
type IAMProbeCommand ¶ added in v0.3.0
type IAMProbeCommand int
IAMProbeCommand defines commands for use in testing IAM
const ( CatAzJSON IAMProbeCommand = iota CurlAuthToken )
enum supporting IAMProbeCommand
func (IAMProbeCommand) String ¶ added in v0.3.0
func (c IAMProbeCommand) String() string
type IAMVerification ¶ added in v0.3.0
type IAMVerification struct {
PSPVerificationProbe
}
IAMVerification provides an IAM specific type wrapper extending PSPVerificationProbe.
type IdentityAccessManagement ¶ added in v0.3.0
type IdentityAccessManagement interface { AzureIdentityExists(useDefaultNS bool) (bool, error) AzureIdentityBindingExists(useDefaultNS bool) (bool, error) CreateAIB(y []byte, ai string, n string, ns string) (bool, error) CreateIAMProbePod(y []byte, useDefaultNS bool) (*apiv1.Pod, error) DeleteIAMProbePod(n string, useDefaultNS bool, e string) error ExecuteVerificationCmd(pn string, cmd IAMProbeCommand, useDefaultNS bool) (*CmdExecutionResult, error) GetAccessToken(pn string, useDefaultNS bool) (*string, error) }
IdentityAccessManagement encapsulates functionality for querying and probing the Identity and Access Management setup. Note that the value returned by GetAccessToken is a credential obtained from the probe pod: handle it as a secret and do not log or persist it.
type K8SJSON ¶ added in v0.3.0
type K8SJSON struct { APIVersion string Items []K8SJSONItem }
K8SJSON encapsulates the response from a raw/rest call to the Kubernetes API
type K8SJSONItem ¶ added in v0.3.0
K8SJSONItem encapsulates items returned from a raw/rest call to the Kubernetes API
type Kube ¶
type Kube struct {
// contains filtered or unexported fields
}
Kube provides an implementation of Kubernetes.
func GetKubeInstance ¶
func GetKubeInstance() *Kube
GetKubeInstance returns a singleton instance of Kube.
func (*Kube) ClusterIsDeployed ¶
ClusterIsDeployed reports whether a cluster that can be contacted using the current kubernetes config and context is deployed.
func (*Kube) CreateConfigMap ¶
CreateConfigMap creates a config map with the supplied name in the given namespace.
func (*Kube) CreatePod ¶
func (k *Kube) CreatePod(podName string, ns string, containerName string, image string, wait bool, sc *apiv1.SecurityContext) (*apiv1.Pod, *PodAudit, error)
CreatePod creates a pod with the supplied parameters. A true value for 'wait' indicates that the function should wait (block) until the pod is in a running state.
func (*Kube) CreatePodFromObject ¶
func (k *Kube) CreatePodFromObject(p *apiv1.Pod, pname string, ns string, w bool) (*apiv1.Pod, error)
CreatePodFromObject creates a pod from the supplied pod object with the given pod name and namespace. A true value for 'w' indicates that the function should wait (block) until the pod is in a running state.
func (*Kube) CreatePodFromYaml ¶
func (k *Kube) CreatePodFromYaml(y []byte, pname string, ns string, image string, aadpodidbinding string, w bool) (*apiv1.Pod, error)
CreatePodFromYaml creates a pod for the supplied yaml. A true value for 'w' indicates that the function should wait (block) until the pod is in a running state.
func (*Kube) DeleteConfigMap ¶
DeleteConfigMap deletes the named config map in the given namespace.
func (*Kube) DeleteNamespace ¶
DeleteNamespace deletes the supplied namespace.
func (*Kube) DeletePod ¶
DeletePod deletes the given pod in the specified namespace. Passing true for 'wait' causes the function to wait for pod deletion (not normally required).
func (*Kube) ExecCommand ¶
func (k *Kube) ExecCommand(cmd, ns, pn *string) (s *CmdExecutionResult)
ExecCommand executes the supplied command inside the named pod in the specified namespace and returns its stdout, stderr and exit code as a CmdExecutionResult.
func (*Kube) GetClient ¶
func (k *Kube) GetClient() (*kubernetes.Clientset, error)
GetClient gets a client connection to the Kubernetes cluster specified via config.Vars.KubeConfigPath. The kubeconfig at that path holds cluster credentials; keep its file permissions restrictive, and be aware that the probes in this package deliberately create pods with elevated settings, so the context it selects should be a cluster you are authorised to test.
func (*Kube) GetClusterRoles ¶ added in v0.1.4
func (k *Kube) GetClusterRoles() (*rbacv1.ClusterRoleList, error)
GetClusterRoles retrieves all cluster roles associated with the active cluster.
func (*Kube) GetClusterRolesByResource ¶ added in v0.1.4
func (k *Kube) GetClusterRolesByResource(r string) (*[]rbacv1.ClusterRole, error)
GetClusterRolesByResource returns a collection of cluster roles filtered by the supplied resource type.
func (*Kube) GetConstraintTemplates ¶
GetConstraintTemplates returns the constraint templates associated with the active cluster.
func (*Kube) GetIdentityBindings ¶ added in v0.3.0
GetIdentityBindings returns the identity bindings associated with the active cluster.
func (*Kube) GetPodObject ¶
func (k *Kube) GetPodObject(pname string, ns string, cname string, image string, sc *apiv1.SecurityContext) *apiv1.Pod
GetPodObject constructs a simple pod object using kubernetes API types.
func (*Kube) GetRawResourcesByGrp ¶ added in v0.3.0
GetRawResourcesByGrp makes a 'raw' REST call to k8s to get the resources specified by the supplied group string, e.g. "apis/aadpodidentity.k8s.io/v1/azureidentitybindings". This is required for resources that have no typed client-go API (unlike, for example, "pods").
type KubePodSecurityPolicyProvider ¶
type KubePodSecurityPolicyProvider struct {
// contains filtered or unexported fields
}
KubePodSecurityPolicyProvider implements SecurityPolicyProvider and looks for kubernetes PodSecurityPolicies. Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25; on clusters without the PSP API this provider is expected to report no policies, and another SecurityPolicyProvider (for example AzK8sConstraintTemplate) is needed to detect restrictions.
func NewKubePodSecurityPolicyProvider ¶
func NewKubePodSecurityPolicyProvider(k Kubernetes) *KubePodSecurityPolicyProvider
NewKubePodSecurityPolicyProvider creates a new KubePodSecurityPolicyProvider with the supplied kubernetes instance.
func (*KubePodSecurityPolicyProvider) HasAllowPrivilegeEscalationRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasAllowPrivilegeEscalationRestriction() (*bool, error)
HasAllowPrivilegeEscalationRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasAllowedCapabilitiesRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasAllowedCapabilitiesRestriction() (*bool, error)
HasAllowedCapabilitiesRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasAssignedCapabilitiesRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasAssignedCapabilitiesRestriction() (*bool, error)
HasAssignedCapabilitiesRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasHostIPCRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasHostIPCRestriction() (*bool, error)
HasHostIPCRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasHostNetworkRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasHostNetworkRestriction() (*bool, error)
HasHostNetworkRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasHostPIDRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasHostPIDRestriction() (*bool, error)
HasHostPIDRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasHostPortRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasHostPortRestriction() (*bool, error)
HasHostPortRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasNETRAWRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasNETRAWRestriction() (*bool, error)
HasNETRAWRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasPrivilegedAccessRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasPrivilegedAccessRestriction() (*bool, error)
HasPrivilegedAccessRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasRootUserRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasRootUserRestriction() (*bool, error)
HasRootUserRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasSeccompProfileRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasSeccompProfileRestriction() (*bool, error)
HasSeccompProfileRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasSecurityPolicies ¶
func (p *KubePodSecurityPolicyProvider) HasSecurityPolicies() (*bool, error)
HasSecurityPolicies provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
func (*KubePodSecurityPolicyProvider) HasVolumeTypeRestriction ¶
func (p *KubePodSecurityPolicyProvider) HasVolumeTypeRestriction() (*bool, error)
HasVolumeTypeRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.
type Kubernetes ¶
type Kubernetes interface { ClusterIsDeployed() *bool GetClient() (*kubernetes.Clientset, error) GetPods(ns string) (*apiv1.PodList, error) CreatePod(pname string, ns string, cname string, image string, w bool, sc *apiv1.SecurityContext) (*apiv1.Pod, *PodAudit, error) CreatePodFromObject(p *apiv1.Pod, pname string, ns string, w bool) (*apiv1.Pod, error) CreatePodFromYaml(y []byte, pname string, ns string, image string, aadpodidbinding string, w bool) (*apiv1.Pod, error) GetPodObject(pname string, ns string, cname string, image string, sc *apiv1.SecurityContext) *apiv1.Pod ExecCommand(cmd, ns, pn *string) *CmdExecutionResult DeletePod(pname *string, ns *string, w bool, e string) error DeleteNamespace(ns *string) error CreateConfigMap(n *string, ns *string) (*apiv1.ConfigMap, error) DeleteConfigMap(n *string, ns *string) error GetConstraintTemplates(prefix string) (*map[string]interface{}, error) GetRawResourcesByGrp(g string) (*K8SJSON, error) GetClusterRolesByResource(r string) (*[]rbacv1.ClusterRole, error) GetClusterRoles() (*rbacv1.ClusterRoleList, error) }
Kubernetes interface defines the methods available to interact with the kubernetes cluster.
type NA ¶
type NA struct {
// contains filtered or unexported fields
}
NA implements NetworkAccess.
func NewDefaultNA ¶
func NewDefaultNA() *NA
NewDefaultNA creates a new instance of NA using the default kubernetes instance.
func NewNA ¶
func NewNA(k Kubernetes) *NA
NewNA creates a new instance of NA with the supplied kubernetes instance.
func (*NA) ClusterIsDeployed ¶
ClusterIsDeployed verifies if a suitable cluster is deployed.
func (*NA) SetupNetworkAccessProbePod ¶ added in v0.3.0
SetupNetworkAccessProbePod creates a pod with characteristics required for testing network access.
type NetworkAccess ¶
type NetworkAccess interface { ClusterIsDeployed() *bool SetupNetworkAccessProbePod() (*apiv1.Pod, *PodAudit, error) TeardownNetworkAccessProbePod(p *string, e string) error AccessURL(pn *string, url *string) (int, error) }
NetworkAccess defines functionality for supporting Network Access tests.
type PSP ¶
type PSP struct {
// contains filtered or unexported fields
}
PSP implements PodSecurityPolicy.
func NewDefaultPSP ¶
func NewDefaultPSP() *PSP
NewDefaultPSP creates a new PSP using the default kubernetes instance and the pre-defined SecurityPolicyProviders.
func NewPSP ¶
func NewPSP(k Kubernetes, sp *[]SecurityPolicyProvider) *PSP
NewPSP creates a new PSP using the supplied kubernetes instance and collection of SecurityPolicyProviders.
func (*PSP) AllowedCapabilitiesAreRestricted ¶
AllowedCapabilitiesAreRestricted looks for a SecurityPolicyProvider where allowed capabilities are restricted.
func (*PSP) AssignedCapabilitiesAreRestricted ¶
AssignedCapabilitiesAreRestricted looks for a SecurityPolicyProvider where assigned capabilities are restricted.
func (*PSP) ClusterHasPSP ¶
ClusterHasPSP determines if the cluster has any SecurityPolicyProvider's set.
func (*PSP) ClusterIsDeployed ¶
ClusterIsDeployed verifies that a suitable kubernetes cluster is deployed.
func (*PSP) CreateConfigMap ¶
CreateConfigMap creates a config map to support PSP testing.
func (*PSP) CreatePODSettingAttributes ¶
func (psp *PSP) CreatePODSettingAttributes(hostPID *bool, hostIPC *bool, hostNetwork *bool) (*apiv1.Pod, error)
CreatePODSettingAttributes creates a pod with the given host namespace attributes: hostPID *bool - set the hostPID flag, defaults to false; hostIPC *bool - set the hostIPC flag, defaults to false; hostNetwork *bool - set the hostNetwork flag, defaults to false. The pod is intentionally non-compliant when these flags are set, so that a policy that blocks host namespace access can be detected from the resulting PodCreationError; run it only against a cluster you are authorised to probe.
func (*PSP) CreatePODSettingCapabilities ¶
CreatePODSettingCapabilities creates a pod with the supplied capabilities.
func (*PSP) CreatePODSettingSecurityContext ¶
func (psp *PSP) CreatePODSettingSecurityContext(pr *bool, pe *bool, runAsUser *int64) (*apiv1.Pod, error)
CreatePODSettingSecurityContext creates a pod with a SecurityContext conforming to the parameters: pr *bool - set the Privileged flag, defaults to false; pe *bool - set the AllowPrivilegeEscalation flag, defaults to false; runAsUser *int64 - set RunAsUser, defaults to 1000. Setting pr or pe to true, or runAsUser to 0, deliberately requests elevated privileges so that a blocking policy can be detected; run it only against a cluster you are authorised to probe.
func (*PSP) CreatePodFromYaml ¶
CreatePodFromYaml creates a pod from the supplied yaml.
func (*PSP) DeleteConfigMap ¶
DeleteConfigMap deletes the config map supporting the PSP testing.
func (*PSP) ExecPSPProbeCmd ¶ added in v0.3.0
func (psp *PSP) ExecPSPProbeCmd(pName *string, cmd PSPProbeCommand) (*CmdExecutionResult, error)
ExecPSPProbeCmd executes the given PSPProbeCommand against the supplied pod name.
func (*PSP) HostIPCIsRestricted ¶
HostIPCIsRestricted looks for a SecurityPolicyProvider with 'HostIPC' set to false (i.e. NO Access to HostIPC ).
func (*PSP) HostNetworkIsRestricted ¶
HostNetworkIsRestricted looks for a SecurityPolicyProvider with 'HostNetwork' set to false (i.e. NO access to the host network namespace).
func (*PSP) HostPIDIsRestricted ¶
HostPIDIsRestricted looks for a SecurityPolicyProvider with 'HostPID' set to false (i.e. NO Access to HostPID ).
func (*PSP) HostPortsAreRestricted ¶
HostPortsAreRestricted looks for a SecurityPolicyProvider which has a HostPort restriction.
func (*PSP) NETRawIsRestricted ¶
NETRawIsRestricted looks for a SecurityPolicyProvider where the NET_RAW capability is restricted.
func (*PSP) PrivilegedAccessIsRestricted ¶
PrivilegedAccessIsRestricted looks for a SecurityPolicyProvider with 'Privileged' set to false (ie. NOT privileged).
func (*PSP) PrivilegedEscalationIsRestricted ¶
PrivilegedEscalationIsRestricted looks for a SecurityPolicyProvider with 'AllowPrivilegeEscalation' set to false (i.e. privilege escalation is NOT permitted).
func (*PSP) RootUserIsRestricted ¶
RootUserIsRestricted looks for a SecurityPolicyProvider which prevents root user access.
func (*PSP) SeccompProfilesAreRestricted ¶
SeccompProfilesAreRestricted looks for a SecurityPolicyProvider which restricts seccomp profiles.
func (*PSP) TeardownPodSecurityProbe ¶ added in v0.3.0
TeardownPodSecurityProbe deletes the given pod name in the PSP test namespace.
func (*PSP) VolumeTypesAreRestricted ¶
VolumeTypesAreRestricted looks for a SecurityPolicyProvider which has a VolumeType restriction.
type PSPProbeCommand ¶ added in v0.3.0
type PSPProbeCommand int
PSPProbeCommand type enumerating the commands that can be used to test pods for compliance with Pod Security Policies
const ( Chroot PSPProbeCommand = iota EnterHostPIDNS EnterHostIPCNS EnterHostNetworkNS VerifyNonRootUID NetRawProbe SpecialCapProbe NetCat Ls )
enum supporting PSPProbeCommand type
func (PSPProbeCommand) String ¶ added in v0.3.0
func (c PSPProbeCommand) String() string
type PSPVerificationProbe ¶
type PSPVerificationProbe struct { Cmd PSPProbeCommand ExpectedExitCode int }
PSPVerificationProbe encapsulates the command and expected result to be used in a Pod Security Policy probe.
type PodCreationError ¶
type PodCreationError struct { ReasonCodes map[PodCreationErrorReason]*PodCreationErrorReason // contains filtered or unexported fields }
PodCreationError encapsulates the underlying pod creation error along with a map of platform-agnostic PodCreationErrorReason codes. Note that there may be more than one PodCreationErrorReason: for example a pod may fail due to both a 'psp-container-no-privilege' error and a 'psp-host-network' error, in which case there would be two entries in the ReasonCodes map.
func (*PodCreationError) Error ¶
func (p *PodCreationError) Error() string
type PodCreationErrorReason ¶
type PodCreationErrorReason int
PodCreationErrorReason provides a CSP-agnostic reason for errors encountered when creating pods.
const ( UndefinedPodCreationErrorReason PodCreationErrorReason = iota PSPNoPrivilege PSPNoPrivilegeEscalation PSPAllowedUsersGroups PSPContainerAllowedImages PSPHostNamespace PSPHostNetwork PSPAllowedCapabilities PSPAllowedPortRange PSPAllowedVolumeTypes PSPSeccompProfile ImagePullError Blocked )
enum values for PodCreationErrorReason
func (PodCreationErrorReason) String ¶
func (r PodCreationErrorReason) String() string
type PodSecurityPolicy ¶
type PodSecurityPolicy interface { ClusterIsDeployed() *bool ClusterHasPSP() (*bool, error) PrivilegedAccessIsRestricted() (*bool, error) HostPIDIsRestricted() (*bool, error) HostIPCIsRestricted() (*bool, error) HostNetworkIsRestricted() (*bool, error) PrivilegedEscalationIsRestricted() (*bool, error) RootUserIsRestricted() (*bool, error) NETRawIsRestricted() (*bool, error) AllowedCapabilitiesAreRestricted() (*bool, error) AssignedCapabilitiesAreRestricted() (*bool, error) HostPortsAreRestricted() (*bool, error) VolumeTypesAreRestricted() (*bool, error) SeccompProfilesAreRestricted() (*bool, error) CreatePODSettingSecurityContext(pr *bool, pe *bool, runAsUser *int64) (*apiv1.Pod, error) CreatePODSettingAttributes(hostPID *bool, hostIPC *bool, hostNetwork *bool) (*apiv1.Pod, error) CreatePODSettingCapabilities(c *[]string) (*apiv1.Pod, error) CreatePodFromYaml(y []byte) (*apiv1.Pod, error) ExecPSPProbeCmd(pName *string, cmd PSPProbeCommand) (*CmdExecutionResult, error) TeardownPodSecurityProbe(p *string, e string) error CreateConfigMap() error DeleteConfigMap() error }
PodSecurityPolicy interface defines a set of methods to support the testing of Pod Security Policies.
type PrivilegedAccess ¶
type PrivilegedAccess int
PrivilegedAccess type enumerating Privileged Access
const ( WithPrivilegedAccess PrivilegedAccess = iota WithoutPrivilegedAccess )
PrivilegedAccess enum
type SecurityPolicyProvider ¶
type SecurityPolicyProvider interface { HasSecurityPolicies() (*bool, error) HasPrivilegedAccessRestriction() (*bool, error) HasHostPIDRestriction() (*bool, error) HasHostIPCRestriction() (*bool, error) HasHostNetworkRestriction() (*bool, error) HasAllowPrivilegeEscalationRestriction() (*bool, error) HasRootUserRestriction() (*bool, error) HasNETRAWRestriction() (*bool, error) HasAllowedCapabilitiesRestriction() (*bool, error) HasAssignedCapabilitiesRestriction() (*bool, error) HasHostPortRestriction() (*bool, error) HasVolumeTypeRestriction() (*bool, error) HasSeccompProfileRestriction() (*bool, error) }
SecurityPolicyProvider defines a set of methods for interrogating the security policies set on the kubernetes cluster.