pod_security_policy

package
v0.5.0-rc Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 8, 2021 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func SetPodSecurityPolicy 

func SetPodSecurityPolicy(p PodSecurityPolicy)

SetPodSecurityPolicy allows injection of a specific PodSecurityPolicy helper.

Types

type AzK8sConstraintTemplate 

type AzK8sConstraintTemplate struct {
	// contains filtered or unexported fields
}

AzK8sConstraintTemplate captures the Azure specific constraint templates that are the result of applying an Azure Policy which can be used to support PodSecurityPolicy like behaviour. Implements securitypolicyprovider and is the preferred way of determining constraints on an AKS cluster.

func NewAzK8sConstraintTemplate 

func NewAzK8sConstraintTemplate(k kubernetes.Kubernetes) *AzK8sConstraintTemplate

NewAzK8sConstraintTemplate constructs a new AzK8sConstraintTemplate using the supplied kubernetes instance.

func NewDefaultAzK8sConstraintTemplate 

func NewDefaultAzK8sConstraintTemplate() *AzK8sConstraintTemplate

NewDefaultAzK8sConstraintTemplate constructs a new AzK8sConstraintTemplate using the default kubernetes instance.

func (*AzK8sConstraintTemplate) HasAllowPrivilegeEscalationRestriction 

func (az *AzK8sConstraintTemplate) HasAllowPrivilegeEscalationRestriction() (*bool, error)

HasAllowPrivilegeEscalationRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasAllowedCapabilitiesRestriction 

func (az *AzK8sConstraintTemplate) HasAllowedCapabilitiesRestriction() (*bool, error)

HasAllowedCapabilitiesRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasAssignedCapabilitiesRestriction 

func (az *AzK8sConstraintTemplate) HasAssignedCapabilitiesRestriction() (*bool, error)

HasAssignedCapabilitiesRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasHostIPCRestriction 

func (az *AzK8sConstraintTemplate) HasHostIPCRestriction() (*bool, error)

HasHostIPCRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasHostNetworkRestriction 

func (az *AzK8sConstraintTemplate) HasHostNetworkRestriction() (*bool, error)

HasHostNetworkRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasHostPIDRestriction 

func (az *AzK8sConstraintTemplate) HasHostPIDRestriction() (*bool, error)

HasHostPIDRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasHostPortRestriction 

func (az *AzK8sConstraintTemplate) HasHostPortRestriction() (*bool, error)

HasHostPortRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasNETRAWRestriction 

func (az *AzK8sConstraintTemplate) HasNETRAWRestriction() (*bool, error)

HasNETRAWRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasPrivilegedAccessRestriction 

func (az *AzK8sConstraintTemplate) HasPrivilegedAccessRestriction() (*bool, error)

HasPrivilegedAccessRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasRootUserRestriction 

func (az *AzK8sConstraintTemplate) HasRootUserRestriction() (*bool, error)

HasRootUserRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasSeccompProfileRestriction 

func (az *AzK8sConstraintTemplate) HasSeccompProfileRestriction() (*bool, error)

HasSeccompProfileRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasSecurityPolicies 

func (az *AzK8sConstraintTemplate) HasSecurityPolicies() (*bool, error)

HasSecurityPolicies provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

func (*AzK8sConstraintTemplate) HasVolumeTypeRestriction 

func (az *AzK8sConstraintTemplate) HasVolumeTypeRestriction() (*bool, error)

HasVolumeTypeRestriction provides the AzK8sConstraintTemplate implementation of SecurityPolicyProvider.

type KubePodSecurityPolicyProvider 

type KubePodSecurityPolicyProvider struct {
	// contains filtered or unexported fields
}

KubePodSecurityPolicyProvider implements SecurityPolicyProvider and looks for kubernetes PodSecurityPolices.

func NewKubePodSecurityPolicyProvider 

func NewKubePodSecurityPolicyProvider(k kubernetes.Kubernetes) *KubePodSecurityPolicyProvider

NewKubePodSecurityPolicyProvider creates a new KubePodSecurityPolicyProvider with the supplied kubernetes instance.

func (*KubePodSecurityPolicyProvider) HasAllowPrivilegeEscalationRestriction 

func (p *KubePodSecurityPolicyProvider) HasAllowPrivilegeEscalationRestriction() (*bool, error)

HasAllowPrivilegeEscalationRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasAllowedCapabilitiesRestriction 

func (p *KubePodSecurityPolicyProvider) HasAllowedCapabilitiesRestriction() (*bool, error)

HasAllowedCapabilitiesRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasAssignedCapabilitiesRestriction 

func (p *KubePodSecurityPolicyProvider) HasAssignedCapabilitiesRestriction() (*bool, error)

HasAssignedCapabilitiesRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasHostIPCRestriction 

func (p *KubePodSecurityPolicyProvider) HasHostIPCRestriction() (*bool, error)

HasHostIPCRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasHostNetworkRestriction 

func (p *KubePodSecurityPolicyProvider) HasHostNetworkRestriction() (*bool, error)

HasHostNetworkRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasHostPIDRestriction 

func (p *KubePodSecurityPolicyProvider) HasHostPIDRestriction() (*bool, error)

HasHostPIDRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasHostPortRestriction 

func (p *KubePodSecurityPolicyProvider) HasHostPortRestriction() (*bool, error)

HasHostPortRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasNETRAWRestriction 

func (p *KubePodSecurityPolicyProvider) HasNETRAWRestriction() (*bool, error)

HasNETRAWRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasPrivilegedAccessRestriction 

func (p *KubePodSecurityPolicyProvider) HasPrivilegedAccessRestriction() (*bool, error)

HasPrivilegedAccessRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasRootUserRestriction 

func (p *KubePodSecurityPolicyProvider) HasRootUserRestriction() (*bool, error)

HasRootUserRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasSeccompProfileRestriction 

func (p *KubePodSecurityPolicyProvider) HasSeccompProfileRestriction() (*bool, error)

HasSeccompProfileRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasSecurityPolicies 

func (p *KubePodSecurityPolicyProvider) HasSecurityPolicies() (*bool, error)

HasSecurityPolicies provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

func (*KubePodSecurityPolicyProvider) HasVolumeTypeRestriction 

func (p *KubePodSecurityPolicyProvider) HasVolumeTypeRestriction() (*bool, error)

HasVolumeTypeRestriction provides the KubePodSecurityPolicyProvider implementation of SecurityPolicyProvider.

type PSP 

type PSP struct {
	// contains filtered or unexported fields
}

PSP implements PodSecurityPolicy.

func NewDefaultPSP 

func NewDefaultPSP() *PSP

NewDefaultPSP creates a new PSP using the default kubernetes instance and the pre-defined SecurityPolicyProviders.

func NewPSP 

func NewPSP(k kubernetes.Kubernetes, sp *[]SecurityPolicyProvider) *PSP

NewPSP creates a new PSP using the supplied kubernetes instance and collection of SecurityPolicyProviders.

func (*PSP) AllowedCapabilitiesAreRestricted 

func (psp *PSP) AllowedCapabilitiesAreRestricted() (*bool, error)

AllowedCapabilitiesAreRestricted looks for a SecurityPolicyProvider where allowed capabilities are restricted.

func (*PSP) AssignedCapabilitiesAreRestricted 

func (psp *PSP) AssignedCapabilitiesAreRestricted() (*bool, error)

AssignedCapabilitiesAreRestricted looks for a SecurityPolicyProvider where assigned capabilities are restricted.

func (*PSP) ClusterHasPSP 

func (psp *PSP) ClusterHasPSP() (*bool, error)

ClusterHasPSP determines if the cluster has any SecurityPolicyProvider's set.

func (*PSP) ClusterIsDeployed 

func (psp *PSP) ClusterIsDeployed() *bool

ClusterIsDeployed verifies that a suitable kubernetes cluster is deployed.

func (*PSP) CreateConfigMap 

func (psp *PSP) CreateConfigMap() error

CreateConfigMap creates a config map to support PSP testing.

func (*PSP) CreatePODSettingAttributes 

func (psp *PSP) CreatePODSettingAttributes(hostPID *bool, hostIPC *bool, hostNetwork *bool, probe *summary.Probe) (*apiv1.Pod, error)

CreatePODSettingAttributes creates a POD with attributes: hostPID *bool - set the hostPID flag, defaults to false hostIPC *bool - set the hostIPC flag, defaults to false hostNetwork *bool - set the hostNetwork flag, defaults to false

func (*PSP) CreatePODSettingCapabilities 

func (psp *PSP) CreatePODSettingCapabilities(c *[]string, probe *summary.Probe) (*apiv1.Pod, error)

CreatePODSettingCapabilities creates a pod with the supplied capabilities.

func (*PSP) CreatePODSettingSecurityContext 

func (psp *PSP) CreatePODSettingSecurityContext(pr *bool, pe *bool, runAsUser *int64, probe *summary.Probe) (*apiv1.Pod, error)

CreatePODSettingSecurityContext creates POD with a SecurityContext conforming to the parameters: pr *bool - set the Privileged flag. Defaults to false. pe *bool - set the Allow Privileged Escalation flag. Defaults to false. runAsUser *int64 - set RunAsUser. Defaults to 1000.

func (*PSP) CreatePodFromYaml 

func (psp *PSP) CreatePodFromYaml(y []byte, probe *summary.Probe) (*apiv1.Pod, error)

CreatePodFromYaml creates a pod from the supplied yaml.

func (*PSP) DeleteConfigMap 

func (psp *PSP) DeleteConfigMap() error

DeleteConfigMap deletes the config map supporting the PSP testing.

func (*PSP) ExecPSPProbeCmd 

func (psp *PSP) ExecPSPProbeCmd(pName *string, cmd PSPProbeCommand, probe *summary.Probe) (*kubernetes.CmdExecutionResult, error)

ExecPSPProbeCmd executes the given PSPProbeCommand against the supplied pod name.

func (*PSP) HostIPCIsRestricted 

func (psp *PSP) HostIPCIsRestricted() (*bool, error)

HostIPCIsRestricted looks for a SecurityPolicyProvider with 'HostIPC' set to false (i.e. NO Access to HostIPC ).

func (*PSP) HostNetworkIsRestricted 

func (psp *PSP) HostNetworkIsRestricted() (*bool, error)

HostNetworkIsRestricted looks for a SecurityPolicyProvider with 'HostIPC' set to false (i.e. NO Access to HostIPC ).

func (*PSP) HostPIDIsRestricted 

func (psp *PSP) HostPIDIsRestricted() (*bool, error)

HostPIDIsRestricted looks for a SecurityPolicyProvider with 'HostPID' set to false (i.e. NO Access to HostPID ).

func (*PSP) HostPortsAreRestricted 

func (psp *PSP) HostPortsAreRestricted() (*bool, error)

HostPortsAreRestricted looks for a SecurityPolicyProvider which has a HostPort restriction.

func (*PSP) NETRawIsRestricted 

func (psp *PSP) NETRawIsRestricted() (*bool, error)

NETRawIsRestricted looks for a SecurityPolicyProvider where the NET_RAW capability is restricted.

func (*PSP) PrivilegedAccessIsRestricted 

func (psp *PSP) PrivilegedAccessIsRestricted() (*bool, error)

PrivilegedAccessIsRestricted looks for a SecurityPolicyProvider with 'Privileged' set to false (ie. NOT privileged).

func (*PSP) PrivilegedEscalationIsRestricted 

func (psp *PSP) PrivilegedEscalationIsRestricted() (*bool, error)

PrivilegedEscalationIsRestricted looks for a SecurityPolicyProvider with 'Privileged' set to false (ie. NOT privileged).

func (*PSP) RootUserIsRestricted 

func (psp *PSP) RootUserIsRestricted() (*bool, error)

RootUserIsRestricted looks for a SecurityPolicyProvider which prevents root user access.

func (*PSP) SeccompProfilesAreRestricted 

func (psp *PSP) SeccompProfilesAreRestricted() (*bool, error)

SeccompProfilesAreRestricted looks for a SecurityPolicyProvider which restricts seccomp profiles.

func (*PSP) TeardownPodSecurityProbe 

func (psp *PSP) TeardownPodSecurityProbe(p string, e string) error

TeardownPodSecurityProbe deletes the given pod name in the PSP test namespace.

func (*PSP) VolumeTypesAreRestricted 

func (psp *PSP) VolumeTypesAreRestricted() (*bool, error)

VolumeTypesAreRestricted looks for a SecurityPolicyProvider which has a VolumeType restriction.

type PSPProbeCommand 

type PSPProbeCommand int

PSPProbeCommand type enumerating the commands that can be used to test pods for compliance with Pod Security Policies 

const (
	Chroot PSPProbeCommand = iota
	EnterHostPIDNS
	EnterHostIPCNS
	EnterHostNetworkNS
	VerifyNonRootUID
	NetRawProbe
	SpecialCapProbe
	NetCat
	Unshare
	Ls
)

enumn supporting PSPProbeCommand type

func (PSPProbeCommand) String 

func (c PSPProbeCommand) String() string

type PodSecurityPolicy 

type PodSecurityPolicy interface {
	ClusterIsDeployed() *bool
	ClusterHasPSP() (*bool, error)
	PrivilegedAccessIsRestricted() (*bool, error)
	HostPIDIsRestricted() (*bool, error)
	HostIPCIsRestricted() (*bool, error)
	HostNetworkIsRestricted() (*bool, error)
	PrivilegedEscalationIsRestricted() (*bool, error)
	RootUserIsRestricted() (*bool, error)
	NETRawIsRestricted() (*bool, error)
	AllowedCapabilitiesAreRestricted() (*bool, error)
	AssignedCapabilitiesAreRestricted() (*bool, error)
	HostPortsAreRestricted() (*bool, error)
	VolumeTypesAreRestricted() (*bool, error)
	SeccompProfilesAreRestricted() (*bool, error)
	CreatePODSettingSecurityContext(pr *bool, pe *bool, runAsUser *int64, probe *summary.Probe) (*apiv1.Pod, error)
	CreatePODSettingAttributes(hostPID *bool, hostIPC *bool, hostNetwork *bool, probe *summary.Probe) (*apiv1.Pod, error)
	CreatePODSettingCapabilities(c *[]string, probe *summary.Probe) (*apiv1.Pod, error)
	CreatePodFromYaml(y []byte, probe *summary.Probe) (*apiv1.Pod, error)
	ExecPSPProbeCmd(pName *string, cmd PSPProbeCommand, probe *summary.Probe) (*kubernetes.CmdExecutionResult, error)
	TeardownPodSecurityProbe(p string, e string) error
	CreateConfigMap() error
	DeleteConfigMap() error
}

PodSecurityPolicy interface defines a set of methods to support the testing of Pod Security Policies.

type PrivilegedAccess 

type PrivilegedAccess int

PrivilegedAccess type enumerating Privileged Access 

const (
	WithPrivilegedAccess PrivilegedAccess = iota
	WithoutPrivilegedAccess
)

PrivilegedAccess enum

type ProbeStruct 

type ProbeStruct struct{}
var Probe ProbeStruct

func (ProbeStruct) Name 

func (p ProbeStruct) Name() string

func (ProbeStruct) Path added in v0.5.0 

func (p ProbeStruct) Path() string

func (ProbeStruct) ProbeInitialize 

func (p ProbeStruct) ProbeInitialize(ctx *godog.TestSuiteContext)

pspProbeInitialize handles any overall Test Suite initialisation steps. This is registered with the test handler as part of the init() function.

func (ProbeStruct) ScenarioInitialize 

func (p ProbeStruct) ScenarioInitialize(ctx *godog.ScenarioContext)

pspScenarioInitialize initialises the specific test steps. This is essentially the creation of the test which reflects the tests described in the events directory. There must be a test step registered for each line in the feature files. Note: Godog will output stub steps and implementations if it doesn't find a step / function defined. See: https://github.com/cucumber/godog#example.

type SecurityPolicyProvider 

type SecurityPolicyProvider interface {
	HasSecurityPolicies() (*bool, error)
	HasPrivilegedAccessRestriction() (*bool, error)
	HasHostPIDRestriction() (*bool, error)
	HasHostIPCRestriction() (*bool, error)
	HasHostNetworkRestriction() (*bool, error)
	HasAllowPrivilegeEscalationRestriction() (*bool, error)
	HasRootUserRestriction() (*bool, error)
	HasNETRAWRestriction() (*bool, error)
	HasAllowedCapabilitiesRestriction() (*bool, error)
	HasAssignedCapabilitiesRestriction() (*bool, error)
	HasHostPortRestriction() (*bool, error)
	HasVolumeTypeRestriction() (*bool, error)
	HasSeccompProfileRestriction() (*bool, error)
}

SecurityPolicyProvider defines a set of methods for interrogating the security policies set on the kubernetes cluster.

type VerificationProbe 

type VerificationProbe struct {
	Cmd              PSPProbeCommand
	ExpectedExitCode int
}

PSPVerificationProbe encapsulates the command and expected result to be used in a Pod Security Policy probe.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.