kubernetes

package
v0.3.2
Published: Nov 6, 2020 License: Apache-2.0 Imports: 30 Imported by: 0

Documentation

Overview

Package kubernetes provides functions for interacting with Kubernetes and is built using the kubernetes client-go (https://github.com/kubernetes/client-go).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GenerateUniquePodName

func GenerateUniquePodName(baseName string) string

GenerateUniquePodName creates a unique pod name based on the format: 'baseName'-'nanosecond time'-'random int'.

Types

type AzK8sConstraintTemplate

type AzK8sConstraintTemplate struct {
	// contains filtered or unexported fields
}

AzK8sConstraintTemplate captures the Azure-specific constraint templates that result from applying an Azure Policy and can be used to support PodSecurityPolicy-like behaviour. Implements SecurityPolicyProvider and is the preferred way of determining constraints on an AKS cluster.

func NewAzK8sConstraintTemplate

func NewAzK8sConstraintTemplate(k Kubernetes) *AzK8sConstraintTemplate

NewAzK8sConstraintTemplate constructs a new AzK8sConstraintTemplate using the supplied kubernetes instance.

func NewDefaultAzK8sConstraintTemplate

func NewDefaultAzK8sConstraintTemplate() *AzK8sConstraintTemplate

NewDefaultAzK8sConstraintTemplate constructs a new AzK8sConstraintTemplate using the default kubernetes instance.

func (*AzK8sConstraintTemplate) HasAllowPrivilegeEscalationRestriction

func (az *AzK8sConstraintTemplate) HasAllowPrivilegeEscalationRestriction() (*bool, error)

HasAllowPrivilegeEscalationRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasAllowedCapabilitiesRestriction

func (az *AzK8sConstraintTemplate) HasAllowedCapabilitiesRestriction() (*bool, error)

HasAllowedCapabilitiesRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasAssignedCapabilitiesRestriction

func (az *AzK8sConstraintTemplate) HasAssignedCapabilitiesRestriction() (*bool, error)

HasAssignedCapabilitiesRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasHostIPCRestriction

func (az *AzK8sConstraintTemplate) HasHostIPCRestriction() (*bool, error)

HasHostIPCRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasHostNetworkRestriction

func (az *AzK8sConstraintTemplate) HasHostNetworkRestriction() (*bool, error)

HasHostNetworkRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasHostPIDRestriction

func (az *AzK8sConstraintTemplate) HasHostPIDRestriction() (*bool, error)

HasHostPIDRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasHostPortRestriction

func (az *AzK8sConstraintTemplate) HasHostPortRestriction() (*bool, error)

HasHostPortRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasNETRAWRestriction

func (az *AzK8sConstraintTemplate) HasNETRAWRestriction() (*bool, error)

HasNETRAWRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasPrivilegedAccessRestriction

func (az *AzK8sConstraintTemplate) HasPrivilegedAccessRestriction() (*bool, error)

HasPrivilegedAccessRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasRootUserRestriction

func (az *AzK8sConstraintTemplate) HasRootUserRestriction() (*bool, error)

HasRootUserRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasSeccompProfileRestriction

func (az *AzK8sConstraintTemplate) HasSeccompProfileRestriction() (*bool, error)

HasSeccompProfileRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasSecurityPolicies

func (az *AzK8sConstraintTemplate) HasSecurityPolicies() (*bool, error)

HasSecurityPolicies provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasVolumeTypeRestriction

func (az *AzK8sConstraintTemplate) HasVolumeTypeRestriction() (*bool, error)

HasVolumeTypeRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

type CRA

type CRA struct {
	// contains filtered or unexported fields
}

CRA implements the ContainerRegistryAccess interface.

func NewCRA

func NewCRA(k Kubernetes) *CRA

NewCRA creates a new CRA with the supplied kubernetes instance.

func NewDefaultCRA

func NewDefaultCRA() *CRA

NewDefaultCRA creates a new CRA using the default kubernetes instance.

func (*CRA) ClusterIsDeployed

func (c *CRA) ClusterIsDeployed() *bool

ClusterIsDeployed verifies if a cluster is deployed.

func (*CRA) SetupContainerAccessProbePod added in v0.3.0

func (c *CRA) SetupContainerAccessProbePod(r string) (*apiv1.Pod, *PodAudit, error)

SetupContainerAccessProbePod creates a pod with characteristics required for testing container access.

func (*CRA) TeardownContainerAccessProbePod added in v0.3.0

func (c *CRA) TeardownContainerAccessProbePod(p *string, e string) error

TeardownContainerAccessProbePod deletes the supplied test pod in the container registry access namespace.

type CmdExecutionResult

type CmdExecutionResult struct {
	Stdout string
	Stderr string

	Err      error
	Code     int
	Internal bool
}

CmdExecutionResult encapsulates the result from an exec call to the kubernetes cluster. This includes 'stdout', 'stderr', 'exit code' and any error details in the case of a non-zero exit code.

func (*CmdExecutionResult) String added in v0.3.0

func (e *CmdExecutionResult) String() string

type ContainerRegistryAccess

type ContainerRegistryAccess interface {
	ClusterIsDeployed() *bool
	SetupContainerAccessProbePod(r string) (*apiv1.Pod, *PodAudit, error)
	TeardownContainerAccessProbePod(p *string, e string) error
}

ContainerRegistryAccess interface defines the methods to support container registry access tests.

type IAM added in v0.3.0

type IAM struct {
	// contains filtered or unexported fields
}

IAM implements the IdentityAccessManagement interface.

func NewDefaultIAM added in v0.3.0

func NewDefaultIAM() *IAM

NewDefaultIAM creates a new IAM instance using the default kubernetes provider.

func (*IAM) AzureIdentityBindingExists added in v0.3.0

func (i *IAM) AzureIdentityBindingExists(useDefaultNS bool) (bool, error)

AzureIdentityBindingExists gets the AzureIdentityBindings and filters by namespace (if supplied).

func (*IAM) AzureIdentityExists added in v0.3.0

func (i *IAM) AzureIdentityExists(useDefaultNS bool) (bool, error)

AzureIdentityExists gets the AzureIdentityBindings and filters by namespace (if supplied).

func (*IAM) CreateAIB added in v0.3.0

func (i *IAM) CreateAIB(y []byte, ai string, n string, ns string) (bool, error)

CreateAIB creates an AzureIdentityBinding to the supplied AzureIdentity.

ai - name of the AzureIdentity
n - name of the AzureIdentityBinding
ns - namespace in which to create the AIB

func (*IAM) CreateIAMProbePod added in v0.3.0

func (i *IAM) CreateIAMProbePod(y []byte, useDefaultNS bool) (*apiv1.Pod, error)

CreateIAMProbePod creates a pod configured for IAM test cases.

func (*IAM) DeleteIAMProbePod added in v0.3.0

func (i *IAM) DeleteIAMProbePod(n string, useDefaultNS bool, e string) error

DeleteIAMProbePod deletes the IAM test pod with the supplied name.

func (*IAM) ExecuteVerificationCmd added in v0.3.0

func (i *IAM) ExecuteVerificationCmd(pn string, cmd IAMProbeCommand, useDefaultNS bool) (*CmdExecutionResult, error)

ExecuteVerificationCmd executes a verification command against the supplied pod name.

func (*IAM) GetAccessToken added in v0.3.0

func (i *IAM) GetAccessToken(pn string, useDefaultNS bool) (*string, error)

GetAccessToken attempts to retrieve an access token by executing a curl command requesting a token for the Azure Resource Manager.

type IAMProbeCommand added in v0.3.0

type IAMProbeCommand int

IAMProbeCommand defines commands for use in testing IAM

const (
	CatAzJSON IAMProbeCommand = iota
	CurlAuthToken
)

enum supporting IAMProbeCommand

func (IAMProbeCommand) String added in v0.3.0

func (c IAMProbeCommand) String() string

type IAMVerification added in v0.3.0

type IAMVerification struct {
	PSPVerificationProbe
}

IAMVerification provides an IAM specific type wrapper extending PSPVerificationProbe.

type IdentityAccessManagement added in v0.3.0

type IdentityAccessManagement interface {
	AzureIdentityExists(useDefaultNS bool) (bool, error)
	AzureIdentityBindingExists(useDefaultNS bool) (bool, error)
	CreateAIB(y []byte, ai string, n string, ns string) (bool, error)
	CreateIAMProbePod(y []byte, useDefaultNS bool) (*apiv1.Pod, error)
	DeleteIAMProbePod(n string, useDefaultNS bool, e string) error
	ExecuteVerificationCmd(pn string, cmd IAMProbeCommand, useDefaultNS bool) (*CmdExecutionResult, error)
	GetAccessToken(pn string, useDefaultNS bool) (*string, error)
}

IdentityAccessManagement encapsulates functionality for querying and probing Identity and Access Management setup.

type K8SJSON added in v0.3.0

type K8SJSON struct {
	APIVersion string
	Items      []K8SJSONItem
}

K8SJSON encapsulates the response from a raw/rest call to the Kubernetes API

type K8SJSONItem added in v0.3.0

type K8SJSONItem struct {
	Kind     string
	Metadata map[string]string
}

K8SJSONItem encapsulates items returned from a raw/rest call to the Kubernetes API

type Kube

type Kube struct {
	// contains filtered or unexported fields
}

Kube provides an implementation of Kubernetes.

func GetKubeInstance

func GetKubeInstance() *Kube

GetKubeInstance returns a singleton instance of Kube.

func (*Kube) ClusterIsDeployed

func (k *Kube) ClusterIsDeployed() *bool

ClusterIsDeployed verifies if a cluster is deployed that can be contacted based on the current kubernetes config and context.

func (*Kube) CreateConfigMap

func (k *Kube) CreateConfigMap(n *string, ns *string) (*apiv1.ConfigMap, error)

CreateConfigMap creates a config map with the supplied name in the given namespace.

func (*Kube) CreatePod

func (k *Kube) CreatePod(podName string, ns string, containerName string, image string, wait bool, sc *apiv1.SecurityContext) (*apiv1.Pod, *PodAudit, error)

CreatePod creates a pod with the supplied parameters. A true value for 'wait' indicates that the function should wait (block) until the pod is in a running state.

func (*Kube) CreatePodFromObject

func (k *Kube) CreatePodFromObject(p *apiv1.Pod, pname string, ns string, w bool) (*apiv1.Pod, error)

CreatePodFromObject creates a pod from the supplied pod object with the given pod name and namespace. A true value for 'w' indicates that the function should wait (block) until the pod is in a running state.

func (*Kube) CreatePodFromYaml

func (k *Kube) CreatePodFromYaml(y []byte, pname string, ns string, image string, aadpodidbinding string, w bool) (*apiv1.Pod, error)

CreatePodFromYaml creates a pod for the supplied yaml. A true value for 'w' indicates that the function should wait (block) until the pod is in a running state.

func (*Kube) DeleteConfigMap

func (k *Kube) DeleteConfigMap(n *string, ns *string) error

DeleteConfigMap deletes the named config map in the given namespace.

func (*Kube) DeleteNamespace

func (k *Kube) DeleteNamespace(ns *string) error

DeleteNamespace deletes the supplied namespace.

func (*Kube) DeletePod

func (k *Kube) DeletePod(pname *string, ns *string, wait bool, probe string) error

DeletePod deletes the given pod in the specified namespace. Passing true for 'wait' causes the function to wait for pod deletion (not normally required).

func (*Kube) ExecCommand

func (k *Kube) ExecCommand(cmd, ns, pn *string) (s *CmdExecutionResult)

ExecCommand executes the supplied command on the given pod name in the specified namespace.

func (*Kube) GetClient

func (k *Kube) GetClient() (*kubernetes.Clientset, error)

GetClient gets a client connection to the Kubernetes cluster specified via config.Vars.KubeConfigPath.

func (*Kube) GetClusterRoles added in v0.1.4

func (k *Kube) GetClusterRoles() (*rbacv1.ClusterRoleList, error)

GetClusterRoles retrieves all cluster roles associated with the active cluster.

func (*Kube) GetClusterRolesByResource added in v0.1.4

func (k *Kube) GetClusterRolesByResource(r string) (*[]rbacv1.ClusterRole, error)

GetClusterRolesByResource returns a collection of cluster roles filtered by the supplied resource type.

func (*Kube) GetConstraintTemplates

func (k *Kube) GetConstraintTemplates(prefix string) (*map[string]interface{}, error)

GetConstraintTemplates returns the constraint templates associated with the active cluster.

func (*Kube) GetIdentityBindings added in v0.3.0

func (k *Kube) GetIdentityBindings(prefix string) (*map[string]interface{}, error)

GetIdentityBindings returns the identity bindings associated with the active cluster.

func (*Kube) GetPodObject

func (k *Kube) GetPodObject(pname string, ns string, cname string, image string, sc *apiv1.SecurityContext) *apiv1.Pod

GetPodObject constructs a simple pod object using kubernetes API types.

func (*Kube) GetPods

func (k *Kube) GetPods(ns string) (*apiv1.PodList, error)

GetPods returns a collection of pods on the target kubernetes cluster.

func (*Kube) GetRawResourcesByGrp added in v0.3.0

func (k *Kube) GetRawResourcesByGrp(g string) (*K8SJSON, error)

GetRawResourcesByGrp makes a 'raw' REST call to k8s to get the resources specified by the supplied group string, e.g. "apis/aadpodidentity.k8s.io/v1/azureidentitybindings". This is required for resources that have no typed API call (unlike, e.g., "pods").

func (*Kube) GetRoles added in v0.1.4

func (k *Kube) GetRoles() (*rbacv1.RoleList, error)

GetRoles retrieves all roles associated with the active cluster.

func (*Kube) GetRolesByResource added in v0.1.4

func (k *Kube) GetRolesByResource(r string) (*[]rbacv1.Role, error)

GetRolesByResource returns a collection of roles filtered by the supplied resource type.

type KubePodSecurityPolicyProvider

type KubePodSecurityPolicyProvider struct {
	// contains filtered or unexported fields
}

KubePodSecurityPolicyProvider implements SecurityPolicyProvider and looks for kubernetes PodSecurityPolicies.

func NewKubePodSecurityPolicyProvider

func NewKubePodSecurityPolicyProvider(k Kubernetes) *KubePodSecurityPolicyProvider

NewKubePodSecurityPolicyProvider creates a new KubePodSecurityPolicyProvider with the supplied kubernetes instance.

func (*KubePodSecurityPolicyProvider) HasAllowPrivilegeEscalationRestriction

func (p *KubePodSecurityPolicyProvider) HasAllowPrivilegeEscalationRestriction() (*bool, error)

HasAllowPrivilegeEscalationRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasAllowedCapabilitiesRestriction

func (p *KubePodSecurityPolicyProvider) HasAllowedCapabilitiesRestriction() (*bool, error)

HasAllowedCapabilitiesRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasAssignedCapabilitiesRestriction

func (p *KubePodSecurityPolicyProvider) HasAssignedCapabilitiesRestriction() (*bool, error)

HasAssignedCapabilitiesRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasHostIPCRestriction

func (p *KubePodSecurityPolicyProvider) HasHostIPCRestriction() (*bool, error)

HasHostIPCRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasHostNetworkRestriction

func (p *KubePodSecurityPolicyProvider) HasHostNetworkRestriction() (*bool, error)

HasHostNetworkRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasHostPIDRestriction

func (p *KubePodSecurityPolicyProvider) HasHostPIDRestriction() (*bool, error)

HasHostPIDRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasHostPortRestriction

func (p *KubePodSecurityPolicyProvider) HasHostPortRestriction() (*bool, error)

HasHostPortRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasNETRAWRestriction

func (p *KubePodSecurityPolicyProvider) HasNETRAWRestriction() (*bool, error)

HasNETRAWRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasPrivilegedAccessRestriction

func (p *KubePodSecurityPolicyProvider) HasPrivilegedAccessRestriction() (*bool, error)

HasPrivilegedAccessRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasRootUserRestriction

func (p *KubePodSecurityPolicyProvider) HasRootUserRestriction() (*bool, error)

HasRootUserRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasSeccompProfileRestriction

func (p *KubePodSecurityPolicyProvider) HasSeccompProfileRestriction() (*bool, error)

HasSeccompProfileRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasSecurityPolicies

func (p *KubePodSecurityPolicyProvider) HasSecurityPolicies() (*bool, error)

HasSecurityPolicies provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasVolumeTypeRestriction

func (p *KubePodSecurityPolicyProvider) HasVolumeTypeRestriction() (*bool, error)

HasVolumeTypeRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

type Kubernetes

type Kubernetes interface {
	ClusterIsDeployed() *bool
	GetClient() (*kubernetes.Clientset, error)
	GetPods(ns string) (*apiv1.PodList, error)
	CreatePod(pname string, ns string, cname string, image string, w bool, sc *apiv1.SecurityContext) (*apiv1.Pod, *PodAudit, error)
	CreatePodFromObject(p *apiv1.Pod, pname string, ns string, w bool) (*apiv1.Pod, error)
	CreatePodFromYaml(y []byte, pname string, ns string, image string, aadpodidbinding string, w bool) (*apiv1.Pod, error)
	GetPodObject(pname string, ns string, cname string, image string, sc *apiv1.SecurityContext) *apiv1.Pod
	ExecCommand(cmd, ns, pn *string) *CmdExecutionResult
	DeletePod(pname *string, ns *string, w bool, e string) error
	DeleteNamespace(ns *string) error
	CreateConfigMap(n *string, ns *string) (*apiv1.ConfigMap, error)
	DeleteConfigMap(n *string, ns *string) error
	GetConstraintTemplates(prefix string) (*map[string]interface{}, error)
	GetRawResourcesByGrp(g string) (*K8SJSON, error)
	GetClusterRolesByResource(r string) (*[]rbacv1.ClusterRole, error)
	GetClusterRoles() (*rbacv1.ClusterRoleList, error)
}

Kubernetes interface defines the methods available to interact with the kubernetes cluster.

type NA

type NA struct {
	// contains filtered or unexported fields
}

NA implements NetworkAccess.

func NewDefaultNA

func NewDefaultNA() *NA

NewDefaultNA creates a new instance of NA using the default kubernetes instance.

func NewNA

func NewNA(k Kubernetes) *NA

NewNA creates a new instance of NA with the supplied kubernetes instance.

func (*NA) AccessURL

func (n *NA) AccessURL(pn *string, url *string) (int, error)

AccessURL calls the supplied URL and returns the HTTP status code.

func (*NA) ClusterIsDeployed

func (n *NA) ClusterIsDeployed() *bool

ClusterIsDeployed verifies if a suitable cluster is deployed.

func (*NA) SetupNetworkAccessProbePod added in v0.3.0

func (n *NA) SetupNetworkAccessProbePod() (*apiv1.Pod, *PodAudit, error)

SetupNetworkAccessProbePod creates a pod with characteristics required for testing network access.

func (*NA) TeardownNetworkAccessProbePod added in v0.3.0

func (n *NA) TeardownNetworkAccessProbePod(p *string, e string) error

TeardownNetworkAccessProbePod deletes the test pod with the given name.

type NetworkAccess

type NetworkAccess interface {
	ClusterIsDeployed() *bool
	SetupNetworkAccessProbePod() (*apiv1.Pod, *PodAudit, error)
	TeardownNetworkAccessProbePod(p *string, e string) error
	AccessURL(pn *string, url *string) (int, error)
}

NetworkAccess defines functionality for supporting Network Access tests.

type PSP

type PSP struct {
	// contains filtered or unexported fields
}

PSP implements PodSecurityPolicy.

func NewDefaultPSP

func NewDefaultPSP() *PSP

NewDefaultPSP creates a new PSP using the default kubernetes instance and the pre-defined SecurityPolicyProviders.

func NewPSP

func NewPSP(k Kubernetes, sp *[]SecurityPolicyProvider) *PSP

NewPSP creates a new PSP using the supplied kubernetes instance and collection of SecurityPolicyProviders.

func (*PSP) AllowedCapabilitiesAreRestricted

func (psp *PSP) AllowedCapabilitiesAreRestricted() (*bool, error)

AllowedCapabilitiesAreRestricted looks for a SecurityPolicyProvider where allowed capabilities are restricted.

func (*PSP) AssignedCapabilitiesAreRestricted

func (psp *PSP) AssignedCapabilitiesAreRestricted() (*bool, error)

AssignedCapabilitiesAreRestricted looks for a SecurityPolicyProvider where assigned capabilities are restricted.

func (*PSP) ClusterHasPSP

func (psp *PSP) ClusterHasPSP() (*bool, error)

ClusterHasPSP determines if the cluster has any SecurityPolicyProviders set.

func (*PSP) ClusterIsDeployed

func (psp *PSP) ClusterIsDeployed() *bool

ClusterIsDeployed verifies that a suitable kubernetes cluster is deployed.

func (*PSP) CreateConfigMap

func (psp *PSP) CreateConfigMap() error

CreateConfigMap creates a config map to support PSP testing.

func (*PSP) CreatePODSettingAttributes

func (psp *PSP) CreatePODSettingAttributes(hostPID *bool, hostIPC *bool, hostNetwork *bool) (*apiv1.Pod, error)

CreatePODSettingAttributes creates a POD with attributes:

hostPID *bool - set the hostPID flag, defaults to false
hostIPC *bool - set the hostIPC flag, defaults to false
hostNetwork *bool - set the hostNetwork flag, defaults to false

func (*PSP) CreatePODSettingCapabilities

func (psp *PSP) CreatePODSettingCapabilities(c *[]string) (*apiv1.Pod, error)

CreatePODSettingCapabilities creates a pod with the supplied capabilities.

func (*PSP) CreatePODSettingSecurityContext

func (psp *PSP) CreatePODSettingSecurityContext(pr *bool, pe *bool, runAsUser *int64) (*apiv1.Pod, error)

CreatePODSettingSecurityContext creates a POD with a SecurityContext conforming to the parameters:

pr *bool - set the Privileged flag. Defaults to false.
pe *bool - set the Allow Privilege Escalation flag. Defaults to false.
runAsUser *int64 - set RunAsUser. Defaults to 1000.

func (*PSP) CreatePodFromYaml

func (psp *PSP) CreatePodFromYaml(y []byte) (*apiv1.Pod, error)

CreatePodFromYaml creates a pod from the supplied yaml.

func (*PSP) DeleteConfigMap

func (psp *PSP) DeleteConfigMap() error

DeleteConfigMap deletes the config map supporting the PSP testing.

func (*PSP) ExecPSPProbeCmd added in v0.3.0

func (psp *PSP) ExecPSPProbeCmd(pName *string, cmd PSPProbeCommand) (*CmdExecutionResult, error)

ExecPSPProbeCmd executes the given PSPProbeCommand against the supplied pod name.

func (*PSP) HostIPCIsRestricted

func (psp *PSP) HostIPCIsRestricted() (*bool, error)

HostIPCIsRestricted looks for a SecurityPolicyProvider with 'HostIPC' set to false (i.e. NO Access to HostIPC ).

func (*PSP) HostNetworkIsRestricted

func (psp *PSP) HostNetworkIsRestricted() (*bool, error)

HostNetworkIsRestricted looks for a SecurityPolicyProvider with 'HostNetwork' set to false (i.e. NO access to HostNetwork).

func (*PSP) HostPIDIsRestricted

func (psp *PSP) HostPIDIsRestricted() (*bool, error)

HostPIDIsRestricted looks for a SecurityPolicyProvider with 'HostPID' set to false (i.e. NO Access to HostPID ).

func (*PSP) HostPortsAreRestricted

func (psp *PSP) HostPortsAreRestricted() (*bool, error)

HostPortsAreRestricted looks for a SecurityPolicyProvider which has a HostPort restriction.

func (*PSP) NETRawIsRestricted

func (psp *PSP) NETRawIsRestricted() (*bool, error)

NETRawIsRestricted looks for a SecurityPolicyProvider where the NET_RAW capability is restricted.

func (*PSP) PrivilegedAccessIsRestricted

func (psp *PSP) PrivilegedAccessIsRestricted() (*bool, error)

PrivilegedAccessIsRestricted looks for a SecurityPolicyProvider with 'Privileged' set to false (i.e. NOT privileged).

func (*PSP) PrivilegedEscalationIsRestricted

func (psp *PSP) PrivilegedEscalationIsRestricted() (*bool, error)

PrivilegedEscalationIsRestricted looks for a SecurityPolicyProvider with 'AllowPrivilegeEscalation' set to false (i.e. privilege escalation NOT allowed).

func (*PSP) RootUserIsRestricted

func (psp *PSP) RootUserIsRestricted() (*bool, error)

RootUserIsRestricted looks for a SecurityPolicyProvider which prevents root user access.

func (*PSP) SeccompProfilesAreRestricted

func (psp *PSP) SeccompProfilesAreRestricted() (*bool, error)

SeccompProfilesAreRestricted looks for a SecurityPolicyProvider which restricts seccomp profiles.

func (*PSP) TeardownPodSecurityProbe added in v0.3.0

func (psp *PSP) TeardownPodSecurityProbe(p *string, e string) error

TeardownPodSecurityProbe deletes the given pod name in the PSP test namespace.

func (*PSP) VolumeTypesAreRestricted

func (psp *PSP) VolumeTypesAreRestricted() (*bool, error)

VolumeTypesAreRestricted looks for a SecurityPolicyProvider which has a VolumeType restriction.

type PSPProbeCommand added in v0.3.0

type PSPProbeCommand int

PSPProbeCommand type enumerating the commands that can be used to test pods for compliance with Pod Security Policies

const (
	Chroot PSPProbeCommand = iota
	EnterHostPIDNS
	EnterHostIPCNS
	EnterHostNetworkNS
	VerifyNonRootUID
	NetRawProbe
	SpecialCapProbe
	NetCat
	Unshare
	Ls
)

enum supporting PSPProbeCommand type

func (PSPProbeCommand) String added in v0.3.0

func (c PSPProbeCommand) String() string

type PSPVerificationProbe

type PSPVerificationProbe struct {
	Cmd              PSPProbeCommand
	ExpectedExitCode int
}

PSPVerificationProbe encapsulates the command and expected result to be used in a Pod Security Policy probe.

type PodAudit added in v0.3.0

type PodAudit struct {
	PodName         string
	Namespace       string
	ContainerName   string
	Image           string
	SecurityContext *apiv1.SecurityContext
}

type PodCreationError

type PodCreationError struct {
	ReasonCodes map[PodCreationErrorReason]*PodCreationErrorReason
	// contains filtered or unexported fields
}

PodCreationError encapsulates the underlying pod creation error along with a map of platform-agnostic PodCreationErrorReason codes. Note that there could be more than one PodCreationErrorReason. For example, a pod may fail due to both a 'psp-container-no-privilege' error and a 'psp-host-network' error, in which case there would be two entries in the ReasonCodes map.

func (*PodCreationError) Error

func (p *PodCreationError) Error() string

type PodCreationErrorReason

type PodCreationErrorReason int

PodCreationErrorReason provides a CSP-agnostic reason for errors encountered when creating pods.

const (
	UndefinedPodCreationErrorReason PodCreationErrorReason = iota
	PSPNoPrivilege
	PSPNoPrivilegeEscalation
	PSPAllowedUsersGroups
	PSPContainerAllowedImages
	PSPHostNamespace
	PSPHostNetwork
	PSPAllowedCapabilities
	PSPAllowedPortRange
	PSPAllowedVolumeTypes
	PSPSeccompProfile
	ImagePullError
	Blocked
	Unauthorized
)

enum values for PodCreationErrorReason

func (PodCreationErrorReason) String

func (r PodCreationErrorReason) String() string
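The PodCreationError description above says one rejected pod can carry several reason codes. The following is an added example, not code from the probr project: it models the page's PodCreationError field shape and a subset of the PodCreationErrorReason values with the same names, and classifies a constructed admission-denial message into the ReasonCodes map. The two psp-* markers are the ones the page cites; the other marker strings, the sample denial text and the ClassifyPodCreationError function are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// PodCreationErrorReason mirrors the page's CSP-agnostic enum; only a subset
// of the page's values is reproduced here, with the same names.
type PodCreationErrorReason int

const (
	UndefinedPodCreationErrorReason PodCreationErrorReason = iota
	PSPNoPrivilege
	PSPNoPrivilegeEscalation
	PSPHostNamespace
	PSPHostNetwork
	PSPAllowedCapabilities
	ImagePullError
)

var reasonNames = [...]string{
	"UndefinedPodCreationErrorReason", "PSPNoPrivilege", "PSPNoPrivilegeEscalation",
	"PSPHostNamespace", "PSPHostNetwork", "PSPAllowedCapabilities", "ImagePullError",
}

func (r PodCreationErrorReason) String() string {
	if int(r) >= 0 && int(r) < len(reasonNames) {
		return reasonNames[r]
	}
	return fmt.Sprintf("PodCreationErrorReason(%d)", int(r))
}

// PodCreationError keeps the raw API-server error plus one map entry per
// reason found, following the field shape shown on the page.
type PodCreationError struct {
	ReasonCodes map[PodCreationErrorReason]*PodCreationErrorReason
	err         error
}

func (p *PodCreationError) Error() string {
	return fmt.Sprintf("pod creation failed [%s]: %v", strings.Join(p.ReasonNames(), ", "), p.err)
}

// Unwrap lets callers reach the original error with errors.Is / errors.As.
func (p *PodCreationError) Unwrap() error { return p.err }

// ReasonNames returns the reason codes in a stable (sorted) order.
func (p *PodCreationError) ReasonNames() []string {
	names := make([]string, 0, len(p.ReasonCodes))
	for r := range p.ReasonCodes {
		names = append(names, r.String())
	}
	sort.Strings(names)
	return names
}

// markerToReason maps substrings of a denial message to reason codes. The two
// psp-* markers are cited on the page; the "example-*" entries are constructed
// placeholders for this example, not identifiers from the project or from Azure.
// ErrImagePull is the kubelet's container waiting reason for a failed pull.
var markerToReason = map[string]PodCreationErrorReason{
	"psp-container-no-privilege":      PSPNoPrivilege,
	"psp-host-network":                PSPHostNetwork,
	"example-no-privilege-escalation": PSPNoPrivilegeEscalation,
	"example-host-namespace":          PSPHostNamespace,
	"example-allowed-capabilities":    PSPAllowedCapabilities,
	"ErrImagePull":                    ImagePullError,
}

// ClassifyPodCreationError checks the error text against every known marker, so a
// single denial carrying several violations yields several ReasonCodes entries.
// Text matching nothing is recorded as UndefinedPodCreationErrorReason rather than
// being silently dropped, so an unclassified denial still surfaces in reports.
func ClassifyPodCreationError(err error) *PodCreationError {
	pce := &PodCreationError{ReasonCodes: map[PodCreationErrorReason]*PodCreationErrorReason{}, err: err}
	msg := strings.ToLower(err.Error())
	for marker, reason := range markerToReason {
		if strings.Contains(msg, strings.ToLower(marker)) {
			r := reason // copy so each map value has its own address
			pce.ReasonCodes[r] = &r
		}
	}
	if len(pce.ReasonCodes) == 0 {
		r := UndefinedPodCreationErrorReason
		pce.ReasonCodes[r] = &r
	}
	return pce
}

// SampleDenial is a constructed admission response, not real Azure Policy output;
// it carries two violations so the multi-reason case is exercised.
var SampleDenial = errors.New(`admission webhook denied the request: [psp-container-no-privilege] privileged container is not allowed; [psp-host-network] hostNetwork is not allowed`)

func main() {
	pce := ClassifyPodCreationError(SampleDenial)
	fmt.Println(pce.Error())
	fmt.Println("reasons:", pce.ReasonNames())
	fmt.Println("original error reachable:", errors.Is(pce, SampleDenial))
}
```

Keeping the raw error behind Unwrap matters for triage: a probe that reports "PSPNoPrivilege" is only useful if the operator can still get at the exact admission message that produced it.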

type PodSecurityPolicy

type PodSecurityPolicy interface {
	ClusterIsDeployed() *bool
	ClusterHasPSP() (*bool, error)
	PrivilegedAccessIsRestricted() (*bool, error)
	HostPIDIsRestricted() (*bool, error)
	HostIPCIsRestricted() (*bool, error)
	HostNetworkIsRestricted() (*bool, error)
	PrivilegedEscalationIsRestricted() (*bool, error)
	RootUserIsRestricted() (*bool, error)
	NETRawIsRestricted() (*bool, error)
	AllowedCapabilitiesAreRestricted() (*bool, error)
	AssignedCapabilitiesAreRestricted() (*bool, error)
	HostPortsAreRestricted() (*bool, error)
	VolumeTypesAreRestricted() (*bool, error)
	SeccompProfilesAreRestricted() (*bool, error)
	CreatePODSettingSecurityContext(pr *bool, pe *bool, runAsUser *int64) (*apiv1.Pod, error)
	CreatePODSettingAttributes(hostPID *bool, hostIPC *bool, hostNetwork *bool) (*apiv1.Pod, error)
	CreatePODSettingCapabilities(c *[]string) (*apiv1.Pod, error)
	CreatePodFromYaml(y []byte) (*apiv1.Pod, error)
	ExecPSPProbeCmd(pName *string, cmd PSPProbeCommand) (*CmdExecutionResult, error)
	TeardownPodSecurityProbe(p *string, e string) error
	CreateConfigMap() error
	DeleteConfigMap() error
}

PodSecurityPolicy interface defines a set of methods to support the testing of Pod Security Policies.

type PrivilegedAccess

type PrivilegedAccess int

PrivilegedAccess type enumerating Privileged Access

const (
	WithPrivilegedAccess PrivilegedAccess = iota
	WithoutPrivilegedAccess
)

PrivilegedAccess enum

type SecurityPolicyProvider

type SecurityPolicyProvider interface {
	HasSecurityPolicies() (*bool, error)
	HasPrivilegedAccessRestriction() (*bool, error)
	HasHostPIDRestriction() (*bool, error)
	HasHostIPCRestriction() (*bool, error)
	HasHostNetworkRestriction() (*bool, error)
	HasAllowPrivilegeEscalationRestriction() (*bool, error)
	HasRootUserRestriction() (*bool, error)
	HasNETRAWRestriction() (*bool, error)
	HasAllowedCapabilitiesRestriction() (*bool, error)
	HasAssignedCapabilitiesRestriction() (*bool, error)
	HasHostPortRestriction() (*bool, error)
	HasVolumeTypeRestriction() (*bool, error)
	HasSeccompProfileRestriction() (*bool, error)
}

SecurityPolicyProvider defines a set of methods for interrogating the security policies set on the kubernetes cluster.
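The PSP methods above (HostNetworkIsRestricted, ClusterHasPSP and the rest) each "look for a SecurityPolicyProvider where" a given restriction is in place, and NewPSP takes a collection of providers (the PodSecurityPolicy-based and the Azure constraint-template-based ones on this page). The following is an added example, not code from the probr project, showing how such a query can be composed across providers using the page's `(*bool, error)` return convention. It assumes a nil `*bool` means "this provider has no opinion" (for example, it found no policy of that kind), which the page does not state; RestrictionProvider is a hypothetical two-method stand-in for SecurityPolicyProvider, and StaticProvider and the scenario in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// boolPtr mirrors the *bool return convention used throughout the page's API.
func boolPtr(b bool) *bool { return &b }

// RestrictionProvider is a hypothetical, narrowed stand-in for the page's
// SecurityPolicyProvider interface: two of its method signatures, nothing else.
type RestrictionProvider interface {
	HasSecurityPolicies() (*bool, error)
	HasHostNetworkRestriction() (*bool, error)
}

// StaticProvider is a constructed provider with canned answers. Assumption for
// this example: a nil *bool means "this provider cannot tell".
type StaticProvider struct {
	Name        string
	Policies    *bool
	HostNetwork *bool
	Err         error
}

func (s StaticProvider) HasSecurityPolicies() (*bool, error)       { return s.Policies, s.Err }
func (s StaticProvider) HasHostNetworkRestriction() (*bool, error) { return s.HostNetwork, s.Err }

// AnyProviderReports implements the "looks for a SecurityPolicyProvider where ..."
// semantics: true as soon as one provider reports the restriction; false when at
// least one provider answered and none reported it; nil when no provider could
// answer. A provider error aborts the scan, so a failed query is never mistaken
// for "not restricted".
func AnyProviderReports(providers []RestrictionProvider, query func(RestrictionProvider) (*bool, error)) (*bool, error) {
	answered := false
	for _, p := range providers {
		r, err := query(p)
		if err != nil {
			return nil, fmt.Errorf("security policy provider query failed: %w", err)
		}
		if r == nil {
			continue
		}
		answered = true
		if *r {
			return boolPtr(true), nil
		}
	}
	if !answered {
		return nil, nil
	}
	return boolPtr(false), nil
}

// HostNetworkIsRestricted composes the check the page's PSP.HostNetworkIsRestricted describes.
func HostNetworkIsRestricted(providers []RestrictionProvider) (*bool, error) {
	return AnyProviderReports(providers, RestrictionProvider.HasHostNetworkRestriction)
}

// ClusterHasPSP composes the check the page's PSP.ClusterHasPSP describes.
func ClusterHasPSP(providers []RestrictionProvider) (*bool, error) {
	return AnyProviderReports(providers, RestrictionProvider.HasSecurityPolicies)
}

// Verdict turns the tri-state answer into a readable audit line.
func Verdict(name string, r *bool, err error) string {
	switch {
	case err != nil:
		return name + ": error: " + err.Error()
	case r == nil:
		return name + ": no provider could determine"
	case *r:
		return name + ": restricted"
	default:
		return name + ": NOT restricted"
	}
}

func main() {
	// Constructed scenario: no PodSecurityPolicy objects, but an Azure constraint
	// template that blocks hostNetwork.
	providers := []RestrictionProvider{
		StaticProvider{Name: "psp", Policies: boolPtr(false)},
		StaticProvider{Name: "azure-constraints", Policies: boolPtr(true), HostNetwork: boolPtr(true)},
	}
	r, err := HostNetworkIsRestricted(providers)
	fmt.Println(Verdict("hostNetwork", r, err))
	r, err = ClusterHasPSP(providers)
	fmt.Println(Verdict("securityPolicies", r, err))
	_, err = HostNetworkIsRestricted([]RestrictionProvider{StaticProvider{Name: "broken", Err: errors.New("forbidden")}})
	fmt.Println(Verdict("hostNetwork (broken provider)", nil, err))
}
```

The distinction between nil (undetermined) and false (checked, not restricted) is what keeps a probe honest: a cluster where no provider could be queried should not be reported as "unrestricted", nor as "restricted".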
