Documentation
Index
- Variables
- func GetIDFromField(config interface{}, name string) string
- type Config
- type Configs
- type ErrorWarningLists
- type Exemption
- type HealthChecks
- type Images
- type Kube
- type Networking
- type PolarisConfiguration
- type ResourceRange
- type ResourceRanges
- type Resources
- type Security
- type SecurityCapabilities
- type SecurityCapabilityLists
- type Services
- type Severity
- type SupportedController
Constants
This section is empty.
Variables
var ControllerStrings = []string{
"Unsupported",
"Deployments",
"StatefulSets",
"DaemonSets",
"Jobs",
"CronJobs",
"ReplicationController",
}
ControllerStrings are strongly ordered to match the SupportedController enum
Functions
func GetIDFromField
func GetIDFromField(config interface{}, name string) string
GetIDFromField returns the JSON key associated with a particular field, which serves as the check ID.
Types
type Config
type Config struct {
	Services Services `json:"services"`
	Configs Configs `json:"configs"`
	Kube Kube `json:"kube"`
}
PolarisConfiguration contains all of the config for the validation checks.
func ParseConfig
ParseConfig parses config from a byte array.
func (*Config) GetPolarisPath
type Configs
type Configs struct {
Polaris string `json:"polaris"`
}
Configs contains names of config files.
type ErrorWarningLists
ErrorWarningLists provides lists of patterns to match or avoid in image tags.
type Exemption
type Exemption struct {
	Rules []string `json:"rules"`
	ControllerNames []string `json:"controllerNames"`
}
Exemption represents an exemption to normal rules.
type HealthChecks
type HealthChecks struct {
	ReadinessProbeMissing Severity `json:"readinessProbeMissing"`
	LivenessProbeMissing Severity `json:"livenessProbeMissing"`
}
HealthChecks contains config for readiness and liveness probes.
type Images
type Images struct {
	TagNotSpecified Severity `json:"tagNotSpecified"`
	PullPolicyNotAlways Severity `json:"pullPolicyNotAlways"`
	Whitelist ErrorWarningLists `json:"whitelist"`
	Blacklist ErrorWarningLists `json:"blacklist"`
}
Images contains the config for images.
type Networking
type Networking struct {
	HostNetworkSet Severity `json:"hostNetworkSet"`
	HostPortSet Severity `json:"hostPortSet"`
}
Networking contains the config for networking validations.
type PolarisConfiguration
type PolarisConfiguration struct {
	DisplayName string `json:"displayName"`
	Resources Resources `json:"resources"`
	HealthChecks HealthChecks `json:"healthChecks"`
	Images Images `json:"images"`
	Networking Networking `json:"networking"`
	Security Security `json:"security"`
	ControllersToScan []SupportedController `json:"controllers_to_scan"`
	Exemptions []Exemption `json:"exemptions"`
	DisallowExemptions bool `json:"disallowExemptions"`
}
PolarisConfiguration contains all of the config for the validation checks.
func ParsePolaris
func ParsePolaris(rawBytes []byte) (PolarisConfiguration, error)
ParsePolaris parses config from a byte array.
func ParsePolarisConfig
func ParsePolarisConfig(path string) (PolarisConfiguration, error)
ParsePolarisConfig parses config from a file.
func (PolarisConfiguration) CheckIfKindIsConfiguredForValidation
func (c PolarisConfiguration) CheckIfKindIsConfiguredForValidation(kind string) bool
CheckIfKindIsConfiguredForValidation takes a kind (in string format) and checks if Polaris is configured to scan this type of controller.
func (*PolarisConfiguration) IsActionable
func (conf *PolarisConfiguration) IsActionable(subConf interface{}, ruleName, controllerName string) bool
IsActionable determines whether a check is actionable given the current configuration.
type ResourceRange
type ResourceRange struct {
	Below *resource.Quantity `json:"below"`
	Above *resource.Quantity `json:"above"`
}
ResourceRange can contain below and above conditions for validation.
type ResourceRanges
type ResourceRanges struct {
	Warning ResourceRange `json:"warning"`
	Error ResourceRange `json:"error"`
}
ResourceRanges contains config for requests or limits for a specific resource.
type Resources
type Resources struct {
	CPURequestsMissing Severity `json:"cpuRequestsMissing"`
	CPURequestRanges ResourceRanges `json:"cpuRequestRanges"`
	CPULimitsMissing Severity `json:"cpuLimitsMissing"`
	CPULimitRanges ResourceRanges `json:"cpuLimitRanges"`
	MemoryRequestsMissing Severity `json:"memoryRequestsMissing"`
	MemoryRequestRanges ResourceRanges `json:"memoryRequestRanges"`
	MemoryLimitsMissing Severity `json:"memoryLimitsMissing"`
	MemoryLimitRanges ResourceRanges `json:"memoryLimitRanges"`
}
Resources contains config for resource requests and limits.
type Security
type Security struct {
	HostIPCSet Severity `json:"hostIPCSet"`
	HostPIDSet Severity `json:"hostPIDSet"`
	RunAsRootAllowed Severity `json:"runAsRootAllowed"`
	RunAsPrivileged Severity `json:"runAsPrivileged"`
	NotReadOnlyRootFileSystem Severity `json:"notReadOnlyRootFileSystem"`
	PrivilegeEscalationAllowed Severity `json:"privilegeEscalationAllowed"`
	Capabilities SecurityCapabilities `json:"capabilities"`
}
Security contains the config for security validations.
type SecurityCapabilities
type SecurityCapabilities struct {
	Error SecurityCapabilityLists `json:"error"`
	Warning SecurityCapabilityLists `json:"warning"`
}
SecurityCapabilities contains the config for security capabilities validations.
type SecurityCapabilityLists
type SecurityCapabilityLists struct {
	IfAnyAdded []corev1.Capability `json:"ifAnyAdded"`
	IfAnyAddedBeyond []corev1.Capability `json:"ifAnyAddedBeyond"`
	IfAnyNotDropped []corev1.Capability `json:"ifAnyNotDropped"`
}
SecurityCapabilityLists contains the config for security capability list validations.
type Services
type Services struct {
	ScannerUrl string `json:"scannerUrl"`
}
Services contains addresses of dependent services.
type Severity
type Severity string
Severity represents the severity of action to take (Ignore, Warning, Error).
func (*Severity) IsActionable
IsActionable returns true if the severity level is warning or error.
type SupportedController
type SupportedController int
SupportedController is a constant item of a controller that is supported for scanning pod specs.
const (
	// Unsupported is the default enum for non-defined controller types
	Unsupported SupportedController = iota
	// Deployments are a supported controller for scanning pod specs
	Deployments
	// StatefulSets are a supported controller for scanning pod specs
	StatefulSets
	// DaemonSets are a supported controller for scanning pod specs
	DaemonSets
	// Jobs are a supported controller for scanning pod specs
	Jobs
	// CronJobs are a supported controller for scanning pod specs
	CronJobs
	// ReplicationControllers are supported controllers for scanning pod specs
	ReplicationControllers
)
func GetSupportedControllerFromString
func GetSupportedControllerFromString(str string) (SupportedController, error)
GetSupportedControllerFromString fuzzy matches a string with a SupportedController enum.
func (SupportedController) ListSupportedAPIVersions
func (s SupportedController) ListSupportedAPIVersions() []runtime.Object
ListSupportedAPIVersions returns all the apimachinery object types supported for this SupportedController.
func (SupportedController) MarshalJSON
func (s SupportedController) MarshalJSON() ([]byte, error)
MarshalJSON manages writing the enum into JSON data, or errors on an unsupported value.
func (SupportedController) String
func (s SupportedController) String() string
String returns the string name for a given SupportedController enum.
func (*SupportedController) UnmarshalJSON
func (s *SupportedController) UnmarshalJSON(b []byte) error
UnmarshalJSON handles reading JSON data into the enum.