kube-cover

command module
v0.0.4
Published: Jan 21, 2016 License: Apache-2.0 Imports: 5 Imported by: 0

README

Kube Cover


Kube Cover is a short-term hack to enable security policies via the Kubernetes API. At present, settings such as privileged containers, host networking, host PID/IPC namespaces, host port ranges and Docker capabilities are difficult, or in some cases impossible, to enforce through a security policy. Kube Cover provides a stepping stone into using those policies while we wait for the Kubernetes project to resolve and release them. Note that the actual policies are based on a PR released into OpenShift Origin.

Usage

Usage of bin/kube-cover:
  -alsologtostderr          log to standard error as well as files
  -bind string              the interface and port for the service to listen on (default ":6444")
  -log_backtrace_at value   when logging hits line file:N, emit a stack trace (default :0)
  -log_dir string           If non-empty, write log files in this directory
  -logtostderr              log to standard error instead of files
  -policy-file string       the path to the policy file container authorization security policies
  -stderrthreshold value    logs at or above this threshold go to stderr
  -tls-cert string          the path to the tls cerfiicate for the service to use
  -tls-key string           the path to the tls private key for the service
  -url string               the url for the kubernetes upstream api service, must be https (default "https://127.0.0.1:6443")
  -v value                  log level for V logs
  -vmodule value            comma-separated list of pattern=N settings for file-filtered logging

Example Usage

[jest@starfury kube-cover]$ bin/kube-cover \
    -logtostderr=true -v=10 \
    -tls-cert=tests/kubeapi.pem \
    -tls-key=tests/kubeapi-key.pem \
    -policy-file=tests/policies.json \
    -url=https://the_url_for_the_k8s_api_must_be_https

[jest@starfury openvpn]$ kubectl get pods
NAME            READY     STATUS                                         RESTARTS   AGE
service-u6ea0   0/1       Image: nginx is ready, container is creating   0          2h
web-7jthn       1/1       Running                                        0          1d

I1116 16:34:49.748882   30023 server.go:32] create a new kube cover service
I1116 16:34:49.749001   30023 controller.go:41] loading the policies file: tests/policies.json
I1116 16:34:49.749355   30023 controller.go:46] found 1 polices in the file
[GIN] 2015/11/16 - 16:35:13 | 200 |  130.948277ms | 127.0.0.1 |   GET     /api
[GIN] 2015/11/16 - 16:35:13 | 200 |   28.218429ms | 127.0.0.1 |   GET     /api/v1/namespaces/default/pods

# attempt to create a pod with a hostpath mapped into /etc
[jest@starfury kube-cover]$ kubectl create -f tests/services/service-hostpaths.yml 
Error from server: error when creating "tests/services/service-hostpaths.yml": security policy violation, reason: host path /run/vault

# logging from the kube-cover proxy filter

[GIN] 2015/11/16 - 16:38:13 | 200 |   55.299491ms | 127.0.0.1 |   GET     /api
I1116 16:38:13.587799   30023 handlers.go:48] authorizating replication controller, namespace: default, name: service
I1116 16:38:13.587823   30023 controller.go:56] validating the pod spec, namespace: default
E1116 16:38:13.587832   30023 handlers.go:86] unauthorized request from: (127.0.0.1:44040), failure: host path /run/vault violation
E1116 16:38:13.587836   30023 handlers.go:87] failing specification: 

(followed by the pod JSON that violated the policy)

Security Policies

The security policy file is a single JSON file containing an array of PodSecurityPolicy types (which you can find in policy/acl/types.go).

At the moment the filter / matching for security policies is applied at the namespace level (since that is what we use to segregate projects; we then use an auth-policy to enforce which namespaces a user has permission to access). You could technically take the user / group from a JWT or token file, but whether that is worth doing depends on how long it takes for k8s to merge the security policy proposal.

{
  "kind": "PodSecurityPolicyList",
  "apiVersion": "v1",
  "items": [
    {
      "kind": "PodSecurityPolicy",
      "version": "v1",
      "namespaces": [
        "*"
      ],
      "spec": {
        "privileged" : false,
        "hostNetwork" : false,
        "hostPID": false,
        "hostIPC": false,
        "volumes": {
          "hostPath": true,
          "hostPathAllowed": [
            "/var/data"
          ],
          "emptyDir": true,
          "gitRepo": true,
          "secret": true,
          "rbd": true,
          "downwardAPI": true
        }
      }
    }
  ]
}
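As an added illustration of the filter this README describes (example code, not the project's own policy/acl or handlers.go), the Go program below loads the policy file shown above, selects the policy for a namespace (an exact namespace entry wins over "*"), and validates a reduced pod description against it. The policy struct field names follow the JSON keys; the PodSpec, Volume and Container types, the error wording, and the rule that hostPathAllowed entries are directory prefixes matched after path cleaning are assumptions of this example, not something the README specifies.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Policy types modelled on the policy file above (encoding/json matches keys case-insensitively); not the project's policy/acl/types.go.
type VolumePolicy struct {
	HostPath, EmptyDir, GitRepo, Secret, RBD, DownwardAPI bool
	HostPathAllowed                                       []string
}
type PolicySpec struct {
	Privileged, HostNetwork, HostPID, HostIPC bool
	Volumes                                   VolumePolicy
}
type PodSecurityPolicy struct {
	Namespaces []string
	Spec       PolicySpec
}
// Reduced pod description (hypothetical, not the Kubernetes API types); Volume.Path is set for hostPath only.
type Volume struct{ Name, Type, Path string }
type Container struct{ Name string; Privileged bool }
type PodSpec struct{ HostNetwork, HostPID, HostIPC bool; Containers []Container; Volumes []Volume }

// SamplePolicy is the README's policy file, embedded so the example runs offline.
const SamplePolicy = `{"kind":"PodSecurityPolicyList","apiVersion":"v1","items":[{"kind":"PodSecurityPolicy",
"version":"v1","namespaces":["*"],"spec":{"privileged":false,"hostNetwork":false,"hostPID":false,
"hostIPC":false,"volumes":{"hostPath":true,"hostPathAllowed":["/var/data"],"emptyDir":true,
"gitRepo":true,"secret":true,"rbd":true,"downwardAPI":true}}}]}`

func LoadPolicies(data []byte) ([]PodSecurityPolicy, error) {
	var list struct{ Items []PodSecurityPolicy }
	err := json.Unmarshal(data, &list)
	return list.Items, err
}

// ForNamespace returns the policy for ns; an exact namespace match wins over a "*" entry, nil if none.
func ForNamespace(policies []PodSecurityPolicy, ns string) *PodSecurityPolicy {
	for _, want := range []string{ns, "*"} {
		for i := range policies {
			for _, n := range policies[i].Namespaces {
				if n == want {
					return &policies[i]
				}
			}
		}
	}
	return nil
}

// hostPathAllowed cleans the path first ("/var/data/../../etc" becomes "/etc") and matches whole components, so "/var/data2" is not under "/var/data".
func hostPathAllowed(path string, allowed []string) bool {
	clean := filepath.Clean(path)
	for _, a := range allowed {
		if a = filepath.Clean(a); clean == a || strings.HasPrefix(clean, a+"/") {
			return true
		}
	}
	return false
}

// Validate returns nil when the pod satisfies the policy, else the first violation, worded like the "failure:" log lines above.
func Validate(policy *PodSecurityPolicy, pod PodSpec) error {
	spec, v := policy.Spec, policy.Spec.Volumes
	switch {
	case pod.HostNetwork && !spec.HostNetwork:
		return fmt.Errorf("host network violation")
	case pod.HostPID && !spec.HostPID:
		return fmt.Errorf("host pid violation")
	case pod.HostIPC && !spec.HostIPC:
		return fmt.Errorf("host ipc violation")
	}
	for _, c := range pod.Containers {
		if c.Privileged && !spec.Privileged {
			return fmt.Errorf("privileged container %s violation", c.Name)
		}
	}
	types := map[string]bool{"hostPath": v.HostPath, "emptyDir": v.EmptyDir, "gitRepo": v.GitRepo,
		"secret": v.Secret, "rbd": v.RBD, "downwardAPI": v.DownwardAPI} // unknown volume types are denied
	for _, vol := range pod.Volumes {
		if !types[vol.Type] {
			return fmt.Errorf("volume type %s violation", vol.Type)
		}
		if vol.Type == "hostPath" && !hostPathAllowed(vol.Path, v.HostPathAllowed) {
			return fmt.Errorf("host path %s violation", vol.Path)
		}
	}
	return nil
}

func main() {
	policies, _ := LoadPolicies([]byte(SamplePolicy))
	pod := PodSpec{Volumes: []Volume{{Name: "vault", Type: "hostPath", Path: "/run/vault"}}}
	fmt.Println("security policy violation, reason:", Validate(ForNamespace(policies, "default"), pod))
}
```

The path check is the part worth getting right: comparing the raw string would let /var/data/../../etc through, and a bare prefix test would accept /var/data2, so the example cleans the path and matches whole components. Unknown volume types are denied rather than ignored, which is the safer default for a filter that sits in front of the API.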

Documentation

There is no documentation for this package.

Directories

Path: Synopsis

Godeps
_workspace/src/github.com/beorn7/perks/quantile: Package quantile computes approximate quantiles over an unbounded data stream within low memory and CPU bounds.
_workspace/src/github.com/davecgh/go-spew/spew: Package spew implements a deep pretty printer for Go data structures to aid in debugging.
_workspace/src/github.com/docker/docker/pkg/units: Package units provides helper function to parse and print size and time units in human-readable format.
_workspace/src/github.com/golang/glog: Package glog implements logging analogous to the Google-internal C++ INFO/ERROR/V setup.
_workspace/src/github.com/golang/protobuf/proto: Package proto converts data structures to and from the wire format of protocol buffers.
_workspace/src/github.com/golang/protobuf/proto/proto3_proto: Package proto3_proto is a generated protocol buffer package.
_workspace/src/github.com/google/gofuzz: Package fuzz is a library for populating go objects with random values.
_workspace/src/github.com/juju/ratelimit: The ratelimit package provides an efficient token bucket implementation that can be used to limit the rate of arbitrary things.
_workspace/src/github.com/matttproud/golang_protobuf_extensions/pbutil: Package pbutil provides record length-delimited Protocol Buffer streaming.
_workspace/src/github.com/pborman/uuid: The uuid package generates and inspects UUIDs.
_workspace/src/github.com/prometheus/client_golang/prometheus: Package prometheus provides embeddable metric primitives for servers and standardized exposition of telemetry through a web services interface.
_workspace/src/github.com/prometheus/client_model/go: Package io_prometheus_client is a generated protocol buffer package.
_workspace/src/github.com/prometheus/common/expfmt: A package for reading and writing Prometheus metrics. HTTP Content-Type Autonegotiation.
_workspace/src/github.com/prometheus/common/model: Package model contains common data structures that are shared across Prometheus components and libraries.
_workspace/src/github.com/prometheus/procfs: Package procfs provides functions to retrieve system, kernel and process metrics from the pseudo-filesystem proc.
_workspace/src/github.com/spf13/pflag: Package pflag is a drop-in replacement for Go's flag package, implementing POSIX/GNU-style --flags.
_workspace/src/golang.org/x/crypto/ssh: Package ssh implements an SSH client and server.
_workspace/src/golang.org/x/crypto/ssh/agent: Package agent implements a client to an ssh-agent daemon.
_workspace/src/golang.org/x/crypto/ssh/terminal: Package terminal provides support functions for dealing with terminals, as commonly found on UNIX systems.
_workspace/src/golang.org/x/crypto/ssh/test: This package contains integration tests for the golang.org/x/crypto/ssh package.
_workspace/src/golang.org/x/net/context: Package context defines the Context type, which carries deadlines, cancelation signals, and other request-scoped values across API boundaries and between processes.
_workspace/src/golang.org/x/net/context/ctxhttp: Package ctxhttp provides helper functions for performing context-aware HTTP requests.
_workspace/src/gopkg.in/bluesuncorp/validator.v5: Package validator implements value validations for structs and individual fields based on tags.
_workspace/src/gopkg.in/yaml.v2: Package yaml implements YAML support for the Go language.
_workspace/src/k8s.io/kubernetes/pkg/api: Package api contains the latest (or "internal") version of the Kubernetes API objects.
_workspace/src/k8s.io/kubernetes/pkg/api/errors: Package errors provides detailed error types for api field validation.
_workspace/src/k8s.io/kubernetes/pkg/api/errors/etcd: Package etcd provides conversion of etcd errors to API errors.
_workspace/src/k8s.io/kubernetes/pkg/api/install: Package install installs the v1 monolithic api, making it available as an option to all of the API encoding/decoding machinery.
_workspace/src/k8s.io/kubernetes/pkg/api/latest: Package latest defines the default output serializations that code should use and imports the required schemas.
_workspace/src/k8s.io/kubernetes/pkg/api/meta: Package meta provides functions for retrieving API metadata from objects belonging to the Kubernetes API. TODO: move everything in this file to pkg/api/rest
_workspace/src/k8s.io/kubernetes/pkg/api/registered: Package to keep track of API Versions that should be registered in api.Scheme.
_workspace/src/k8s.io/kubernetes/pkg/api/rest: Package rest defines common logic around changes to Kubernetes resources.
_workspace/src/k8s.io/kubernetes/pkg/api/testapi: Package testapi provides a helper for retrieving the KUBE_TEST_API environment variable.
_workspace/src/k8s.io/kubernetes/pkg/api/unversioned: Package unversioned contains API types that are common to all versions.
_workspace/src/k8s.io/kubernetes/pkg/api/util: TODO: This GetVersion/GetGroup arrangement is temporary and will be replaced with a GroupAndVersion type.
_workspace/src/k8s.io/kubernetes/pkg/api/v1: Package v1 is the v1 version of the API.
_workspace/src/k8s.io/kubernetes/pkg/api/validation: Package validation has functions for validating the correctness of api objects and explaining what is wrong with them when they aren't valid.
_workspace/src/k8s.io/kubernetes/pkg/auth/user: Package user contains utilities for dealing with simple user exchange in the auth packages.
_workspace/src/k8s.io/kubernetes/pkg/conversion: Package conversion provides go object versioning and encoding/decoding mechanisms.
_workspace/src/k8s.io/kubernetes/pkg/conversion/queryparams: Package queryparams provides conversion from versioned runtime objects to URL query values.
_workspace/src/k8s.io/kubernetes/pkg/fields: Package fields implements a simple field system, parsing and matching selectors with sets of fields.
_workspace/src/k8s.io/kubernetes/pkg/labels: Package labels implements a simple label system, parsing and matching selectors with sets of labels.
_workspace/src/k8s.io/kubernetes/pkg/runtime: Defines conversions between generic types and structs to map query strings to struct objects.
_workspace/src/k8s.io/kubernetes/pkg/types: Package types implements various generic types used throughout kubernetes.
_workspace/src/k8s.io/kubernetes/pkg/util: Package util implements various utility functions used in both testing and implementation of Kubernetes.
_workspace/src/k8s.io/kubernetes/pkg/util/bandwidth: Package bandwidth provides utilities for bandwidth shaping.
_workspace/src/k8s.io/kubernetes/pkg/util/config: Package config provides utility objects for decoupling sources of configuration and the actual configuration state.
_workspace/src/k8s.io/kubernetes/pkg/util/dbus: Package dbus provides an injectable interface and implementations for D-Bus communication.
_workspace/src/k8s.io/kubernetes/pkg/util/errors: Package errors implements various utility functions and types around errors.
_workspace/src/k8s.io/kubernetes/pkg/util/exec: Package exec provides an injectable interface and implementations for running commands.
_workspace/src/k8s.io/kubernetes/pkg/util/flushwriter: Package flushwriter implements a wrapper for a writer that flushes on every write if that writer implements the io.Flusher interface.
_workspace/src/k8s.io/kubernetes/pkg/util/httpstream: Package httpstream adds multiplexed streaming support to HTTP requests and responses via connection upgrades.
_workspace/src/k8s.io/kubernetes/pkg/util/iptables: Package iptables provides an interface and implementations for running iptables commands.
_workspace/src/k8s.io/kubernetes/pkg/util/jsonpath: Package jsonpath is a template engine using jsonpath syntax, which can be seen at http://goessner.net/articles/JsonPath/.
_workspace/src/k8s.io/kubernetes/pkg/util/limitwriter: Package limitwriter provides a writer that only allows a certain number of bytes to be written.
_workspace/src/k8s.io/kubernetes/pkg/util/mount: Package mount defines an interface to mounting filesystems.
_workspace/src/k8s.io/kubernetes/pkg/util/oom: Package oom implements utility functions relating to out of memory management.
_workspace/src/k8s.io/kubernetes/pkg/util/procfs: Package procfs implements utility functions relating to the /proc mount.
_workspace/src/k8s.io/kubernetes/pkg/util/proxy: Package proxy provides transport and upgrade support for proxies.
_workspace/src/k8s.io/kubernetes/pkg/util/rand: Package rand provides utilities related to randomization.
_workspace/src/k8s.io/kubernetes/pkg/util/slice: Package slice provides utility methods for common operations on slices.
_workspace/src/k8s.io/kubernetes/pkg/util/wait: Package wait provides tools for polling or listening for changes to a condition.
_workspace/src/k8s.io/kubernetes/pkg/util/workqueue: Package workqueue provides a simple queue that supports the following features: * Fair: items processed in the order in which they are added.
_workspace/src/k8s.io/kubernetes/third_party/forked/reflect: Package reflect is a fork of go's standard library reflection package, which allows for deep equal with equality functions defined.
_workspace/src/speter.net/go/exp/math/dec/inf: Package inf (type inf.Dec) implements "infinite-precision" decimal arithmetic.
acl
