Documentation
Index
- Constants
- func ApplyOverride(auditResult *kubeaudit.AuditResult, auditorName, containerName string, ...) *kubeaudit.AuditResult
- func GetContainerOverrideLabel(containerName, overrideLabel string) string
- func GetContainerOverrideReason(containerName string, resource k8s.Resource, overrideLabel string) (hasOverride bool, reason string)
- func GetDeprecatedContainerOverrideLabel(containerName, overrideLabel string) string
- func GetDeprecatedNamespaceOverrideLabel(overrideLabel string) string
- func GetDeprecatedPodOverrideLabel(overrideLabel string) string
- func GetOverriddenResultName(resultName string) string
- func GetOverrideLabel(overrideLabel string) string
- func GetResourceOverrideReason(resource k8s.Resource, auditorOverrideLabel string) (hasOverride bool, reason string)
- func NewRedundantOverrideResult(auditorName, containerName, overrideReason, overrideLabel string) *kubeaudit.AuditResult
Constants
const (
	// DeprecatedContainerOverrideLabelPrefix is used to disable an auditor for a specific container
	DeprecatedContainerOverrideLabelPrefix = "container.audit.kubernetes.io/"

	// DeprecatedPodOverrideLabelPrefix is used to disable an auditor for a specific pod
	DeprecatedPodOverrideLabelPrefix = "audit.kubernetes.io/pod."

	// DeprecatedNamespaceOverrideLabelPrefix is used to disable an auditor for a specific namespace resource
	DeprecatedNamespaceOverrideLabelPrefix = "audit.kubernetes.io/namespace."

	// ContainerOverrideLabelPrefix is used to disable an auditor for a specific container
	ContainerOverrideLabelPrefix = "container.kubeaudit.io/"

	// OverrideLabelPrefix is used to disable an auditor for either a pod or namespace
	OverrideLabelPrefix = "kubeaudit.io/"
)
Variables
This section is empty.
Functions
func ApplyOverride
func ApplyOverride(auditResult *kubeaudit.AuditResult, auditorName, containerName string, resource k8s.Resource, overrideLabel string) *kubeaudit.AuditResult
ApplyOverride checks if hasOverride is true. If it is, it changes the severity of the audit result from error to info, adds the override reason to the metadata, and removes the pending fix.
func GetContainerOverrideReason
func GetContainerOverrideReason(containerName string, resource k8s.Resource, overrideLabel string) (hasOverride bool, reason string)
GetContainerOverrideReason returns true if the resource has a pod-level label disabling a given auditor, together with the value of the label, which is meant to represent the reason for overriding the auditor.
Container override labels disable the auditor for that specific container and have the following format:
container.kubeaudit.io/[container name].[auditor override label]
If there is no container override label, it calls GetResourceOverrideReason().
func GetDeprecatedPodOverrideLabel
TODO: remove deprecated getters
func GetOverriddenResultName
GetOverriddenResultName takes an audit result name and modifies it to indicate that the security issue was ignored by an override label.
func GetOverrideLabel
func GetResourceOverrideReason
func GetResourceOverrideReason(resource k8s.Resource, auditorOverrideLabel string) (hasOverride bool, reason string)
GetResourceOverrideReason returns true if the resource has a label disabling a given auditor, together with the value of the label, which is meant to represent the reason for overriding the auditor.
Pod override labels disable the auditor for the pod and all containers within the pod and have the following format:
kubeaudit.io/[auditor override label]
Namespace override labels disable the auditor for the namespace resource and have the following format:
kubeaudit.io/[auditor override label]
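The lookup order and label formats described above, as an added example that is not kubeaudit's own code. It works on a plain label map instead of a k8s.Resource, the function names and the "example-check" auditor override label are placeholders, and treating the mere presence of a label key as an override is an assumption. It also lists labels that still use the deprecated prefixes, which is useful when reviewing which audit findings a workload suppresses.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const ( // prefix values as documented on this page
	containerPrefix = "container.kubeaudit.io/"
	resourcePrefix  = "kubeaudit.io/"
)
var deprecatedPrefixes = []string{"container.audit.kubernetes.io/",
	"audit.kubernetes.io/pod.", "audit.kubernetes.io/namespace."}

// overrideReason checks the container-scoped label first, then the pod/namespace label.
func overrideReason(labels map[string]string, container, auditorLabel string) (ok bool, reason, scope string) {
	if reason, ok = labels[containerPrefix+container+"."+auditorLabel]; ok {
		return true, reason, "container"
	}
	if reason, ok = labels[resourcePrefix+auditorLabel]; ok {
		return true, reason, "resource"
	}
	return false, "", ""
}

// deprecatedOverrides lists label keys that still use a deprecated prefix.
func deprecatedOverrides(labels map[string]string) (found []string) {
	for key := range labels {
		for _, p := range deprecatedPrefixes {
			if strings.HasPrefix(key, p) {
				found = append(found, key)
			}
		}
	}
	sort.Strings(found)
	return found
}

func main() {
	// Constructed labels; "example-check" is a placeholder auditor override label.
	labels := map[string]string{
		"container.kubeaudit.io/web.example-check": "needed-by-legacy-agent",
		"kubeaudit.io/example-check":               "team-approved",
		"audit.kubernetes.io/pod.example-check":    "old-style",
	}
	fmt.Println(overrideReason(labels, "web", "example-check"))
	fmt.Println(deprecatedOverrides(labels))
}
```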
func NewRedundantOverrideResult
func NewRedundantOverrideResult(auditorName, containerName, overrideReason, overrideLabel string) *kubeaudit.AuditResult
NewRedundantOverrideResult creates a new AuditResult at warning level telling the user to remove the override label because no security issues were found, so the label is redundant.
Types
This section is empty.