tunnel

package
v0.0.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 22, 2023 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Overview

Package tunnel provides primitives for working with Tunnel.

Index

Constants

View Source 
const (
	AWSECR_Image_Regex        = "^\\d+\\.dkr\\.ecr\\.(\\w+-\\w+-\\d+)\\.amazonaws\\.com\\/"
	SupportedConfigAuditKinds = "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
	// SkipDirsAnnotation annotation  example: tunnel-operator.khulnasoft.github.io/skip-dirs: "/tmp,/home"
	SkipDirsAnnotation = "tunnel-operator.khulnasoft.github.io/skip-dirs"
	// SkipFilesAnnotation example: tunnel-operator.khulnasoft.github.io/skip-files: "/src/Gemfile.lock,/examplebinary"
	SkipFilesAnnotation = "tunnel-operator.khulnasoft.github.io/skip-files"
)
View Source 
const (
	DefaultImageRepository  = "ghcr.io/aquasecurity/trivy"
	DefaultDBRepository     = "ghcr.io/khulnasoft-lab/tunnel-db"
	DefaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db"
	DefaultSeverity         = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
)
View Source 
const (
	FsSharedVolumeName           = "tunneloperator"
	SharedVolumeLocationOfTunnel = "/var/tunneloperator/tunnel"
	SslCertDir                   = "/var/ssl-cert"
)
View Source 
const (
	KeyTunnelSeverity = "tunnel.severity"
)
View Source 
const (
	// Plugin the name of this plugin.
	Plugin = "Tunnel"
)

Variables

This section is empty.

Functions

func CheckAwsEcrPrivateRegistry 

func CheckAwsEcrPrivateRegistry(ImageUrl string) string

func ConfigWorkloadAnnotationEnvVars 

func ConfigWorkloadAnnotationEnvVars(workload client.Object, annotation string, envVarName string, tunnelConfigName string, configKey string) corev1.EnvVar

func GetCvssV3 

func GetCvssV3(findingCvss types.VendorCVSS) map[string]*CVSS

func GetMirroredImage 

func GetMirroredImage(image string, mirrors map[string]string) (string, error)

func GetScoreFromCVSS 

func GetScoreFromCVSS(CVSSs map[string]*CVSS) *float64

func MultiSecretSupport 

func MultiSecretSupport(c Config) bool

MultiSecretSupport validate if tunnel multi secret support

func NewPlugin 

func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) vulnerabilityreport.Plugin

NewPlugin constructs a new vulnerabilityreport.Plugin, which is using an upstream Tunnel container image to scan Kubernetes workloads.

The plugin supports Image and Filesystem commands. The Filesystem command may be used to scan workload images cached on cluster nodes by scheduling scan jobs on a particular node.

The Image command supports both Standalone and ClientServer modes depending on the settings returned by Config.GetMode. The ClientServer mode is usually more performant, however it requires a Tunnel server accessible at the configurable Config.GetServerURL.

func NewTunnelConfigAuditPlugin 

func NewTunnelConfigAuditPlugin(clock ext.Clock, idGenerator ext.IDGenerator, objectResolver *kube.ObjectResolver) configauditreport.PluginInMemory

NewTunnelConfigAuditPlugin constructs a new configAudit.Plugin, which is using an upstream Tunnel config audit scanner lib.

func Scanners 

func Scanners(c Config) string

Scanners use scanners flag

func SkipDBUpdate 

func SkipDBUpdate(c Config) string

SkipDBUpdate skip update flag

func SkipJavaDBUpdate 

func SkipJavaDBUpdate(c Config) string

SkipJavaDBUpdate skip update flag

func Slow 

func Slow(c Config) string

Slow determine if to use the slow flag (improve memory footprint)

Types

type AdditionalFields 

type AdditionalFields struct {
	Description bool
	Links       bool
	CVSS        bool
	Target      bool
	Class       bool
	PackageType bool
	PkgPath     bool
}

type CVSS 

type CVSS struct {
	V3Score *float64 `json:"V3Score,omitempty"`
}

type Command 

type Command string

Command to scan image or filesystem. 

const (
	Filesystem Command = "filesystem"
	Image      Command = "image"
	Rootfs     Command = "rootfs"
)

type Config 

type Config struct {
	tunneloperator.PluginConfig
}

Config defines configuration params for this plugin.

func (Config) FindIgnorePolicyKey 

func (c Config) FindIgnorePolicyKey(workload client.Object) string

func (Config) GenerateIgnoreFileVolumeIfAvailable 

func (c Config) GenerateIgnoreFileVolumeIfAvailable(tunnelConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateIgnorePolicyVolumeIfAvailable 

func (c Config) GenerateIgnorePolicyVolumeIfAvailable(tunnelConfigName string, workload client.Object) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GenerateSslCertDirVolumeIfAvailable 

func (c Config) GenerateSslCertDirVolumeIfAvailable(tunnelConfigName string) (*corev1.Volume, *corev1.VolumeMount)

func (Config) GetAdditionalVulnerabilityReportFields 

func (c Config) GetAdditionalVulnerabilityReportFields() AdditionalFields

func (Config) GetClientServerSkipUpdate 

func (c Config) GetClientServerSkipUpdate() bool

func (Config) GetCommand 

func (c Config) GetCommand() (Command, error)

func (Config) GetDBRepository 

func (c Config) GetDBRepository() (string, error)

func (Config) GetDBRepositoryInsecure 

func (c Config) GetDBRepositoryInsecure() bool

func (Config) GetImagePullSecret 

func (c Config) GetImagePullSecret() []corev1.LocalObjectReference

func (Config) GetImageRef 

func (c Config) GetImageRef() (string, error)

GetImageRef returns upstream Tunnel container image reference.

func (Config) GetImageTag 

func (c Config) GetImageTag() (string, error)

GetImageTag returns upstream Tunnel container image tag.

func (Config) GetInsecureRegistries 

func (c Config) GetInsecureRegistries() map[string]bool

func (Config) GetMirrors 

func (c Config) GetMirrors() map[string]string

func (Config) GetMode 

func (c Config) GetMode() (Mode, error)

func (Config) GetNonSSLRegistries 

func (c Config) GetNonSSLRegistries() map[string]bool

func (Config) GetResourceRequirements 

func (c Config) GetResourceRequirements() (corev1.ResourceRequirements, error)

GetResourceRequirements creates ResourceRequirements from the Config.

func (Config) GetServerInsecure 

func (c Config) GetServerInsecure() bool

func (Config) GetServerURL 

func (c Config) GetServerURL() (string, error)

func (Config) GetSeverity 

func (c Config) GetSeverity() string

func (Config) GetSkipJavaDBUpdate 

func (c Config) GetSkipJavaDBUpdate() bool

func (Config) GetSlow 

func (c Config) GetSlow() bool

func (Config) GetSslCertDir 

func (c Config) GetSslCertDir() string

func (Config) GetSupportedConfigAuditKinds 

func (c Config) GetSupportedConfigAuditKinds() []string

func (Config) GetUseBuiltinRegoPolicies 

func (c Config) GetUseBuiltinRegoPolicies() bool

func (Config) GetVulnType 

func (c Config) GetVulnType() string

func (Config) IgnoreFileExists 

func (c Config) IgnoreFileExists() bool

func (Config) IgnoreUnfixed 

func (c Config) IgnoreUnfixed() bool

func (Config) OfflineScan 

func (c Config) OfflineScan() bool

type Mode 

type Mode string

Mode in which Tunnel client operates. 

const (
	Standalone   Mode = "Standalone"
	ClientServer Mode = "ClientServer"
)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.