Package types is an extension of the CRD types.
Constants ¶
// KubeArmorPolicy Flags
//
// Policy mode values. They are plain untyped ints; the PolicyEnabled int
// fields on Container, EndPoint, Node and Log presumably carry one of these
// values, but nothing in this file ties the two together — confirm at the
// call sites before relying on it.
const (
	// KubeArmorPolicyDisabled: presumably no policy is applied.
	KubeArmorPolicyDisabled = 0
	// KubeArmorPolicyEnabled: presumably policy is applied/enforced.
	KubeArmorPolicyEnabled = 1
	// KubeArmorPolicyAudited: presumably audit-only mode; the exact
	// enforce-vs-log semantics are decided elsewhere.
	KubeArmorPolicyAudited = 2
)
KubeArmorPolicy Flags
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CapabilitiesCapabilityType ¶
// CapabilitiesCapabilityType Structure
//
// One entry of CapabilitiesType.MatchCapabilities: a single capability name,
// optionally scoped by FromSource, with per-rule metadata.
type CapabilitiesCapabilityType struct {
	// Capability is the capability name to match. It is always serialized
	// (no omitempty), so an empty value shows up as "" on the wire.
	Capability string `json:"capability"`
	// FromSource, when non-empty, narrows the rule to the listed source paths
	// (see MatchSourceType; how a source is matched is decided elsewhere).
	FromSource []MatchSourceType `json:"fromSource,omitempty"`
	// Per-rule severity/tags/message/action. Presumably these take precedence
	// over the same fields on the enclosing CapabilitiesType — verify in the
	// policy loader.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}
CapabilitiesCapabilityType Structure
type CapabilitiesType ¶
// CapabilitiesType Structure
//
// The "capabilities" section of a SecuritySpec / HostSecuritySpec: a list of
// capability rules plus section-level defaults.
type CapabilitiesType struct {
	// MatchCapabilities lists the individual capability rules.
	MatchCapabilities []CapabilitiesCapabilityType `json:"matchCapabilities,omitempty"`
	// Section-level severity/tags/message/action; the same four fields also
	// exist per rule and on the spec, so the effective value depends on a
	// merge order not visible in this file.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}
CapabilitiesType Structure
type Container ¶
// Container Structure
//
// Runtime record of a single container as tracked by KubeArmor, including the
// enforcement/visibility settings currently in effect for it.
type Container struct {
	ContainerID    string `json:"containerID"`
	ContainerName  string `json:"containerName"`
	ContainerImage string `json:"containerImage"`
	NamespaceName  string `json:"namespaceName"`
	Owner          PodOwner `json:"owner,omitempty"`
	EndPointName   string `json:"endPointName"`
	// Labels is a flat string here, unlike EndPoint.Labels which is a map;
	// the encoding of that string is not defined in this file.
	Labels string `json:"labels"`
	// AppArmorProfile is the profile name applied to this container, if any.
	AppArmorProfile string `json:"apparmorProfile"`
	// Privileged records whether the container runs privileged. Security
	// relevant: presumably consumed when deciding which rules can be
	// enforced — confirm in the enforcer.
	Privileged bool `json:"privileged"`
	// PidNS and MntNS are the container's PID and mount namespace ids.
	PidNS uint32 `json:"pidns"`
	MntNS uint32 `json:"mntns"`
	// NOTE: this key is snake_case while its neighbours are camelCase; it is
	// part of the serialized form, so it is kept as-is.
	NodeName     string `json:"node_name"`
	ProtocolPort string `json:"protocolPort"`
	Status       string `json:"status"`
	ContainerIP  string `json:"container_ip"`
	// LastUpdatedAt is a string, not a time.Time; its format is set by the writer.
	LastUpdatedAt string `json:"last_updated_at"`
	// PolicyEnabled presumably holds one of the KubeArmorPolicy* constants.
	PolicyEnabled int `json:"policyEnabled"`
	// Visibility toggles controlling which event classes are logged for this container.
	ProcessVisibilityEnabled      bool `json:"processVisibilityEnabled"`
	FileVisibilityEnabled         bool `json:"fileVisibilityEnabled"`
	NetworkVisibilityEnabled      bool `json:"networkVisibilityEnabled"`
	CapabilitiesVisibilityEnabled bool `json:"capabilitiesVisibilityEnabled"`
}
Container Structure
type DefaultPosture ¶
// DefaultPosture Structure
//
// Default action per rule class for an EndPoint when no explicit rule matches.
// The allowed action strings are not defined in this file.
type DefaultPosture struct {
	FileAction    string `json:"file,omitempty"`
	NetworkAction string `json:"network,omitempty"`
	// NOTE: the JSON key "capabilties" is misspelled. It is part of the
	// serialized form and therefore must not be "corrected" here without a
	// compatibility plan; anything producing this document must use the
	// misspelled key or the field silently decodes as empty.
	CapabilitiesAction string `json:"capabilties,omitempty"`
}
DefaultPosture Structure
type EndPoint ¶
// EndPoint Structure
//
// k8s: Endpoint ~= pod; non-k8s: Endpoint ~= container. Holds the identity,
// attached profiles and the resolved policy set for that unit.
type EndPoint struct {
	NamespaceName string `json:"namespaceName"`
	EndPointName  string `json:"endPointName"`
	ContainerName string `json:"containerName"`

	// Labels is a map here; the Container and Log types carry labels as a string.
	Labels map[string]string `json:"labels"`
	// Identities are the identity strings policies are matched against.
	Identities []string `json:"identities"`

	Containers []string `json:"containers"`

	AppArmorProfiles []string `json:"apparmorProfiles"`
	SELinuxProfiles  []string `json:"selinuxProfiles"`

	// SecurityPolicies is the set of policies currently applied to this endpoint.
	SecurityPolicies []SecurityPolicy `json:"securityPolicies"`

	// only needed for unorchestrated containers
	// NOTE: the JSON key "privilegdContainers" is misspelled; it is part of the
	// serialized form and is kept as-is. Used as a set (empty struct values).
	PrivilegedContainers map[string]struct{} `json:"privilegdContainers"`

	// PolicyEnabled presumably holds one of the KubeArmorPolicy* constants.
	PolicyEnabled int `json:"policyEnabled"`

	// DefaultPosture is the fallback action when no rule matches.
	DefaultPosture DefaultPosture `json:"defaultPosture"`

	ProcessVisibilityEnabled      bool `json:"processVisibilityEnabled"`
	FileVisibilityEnabled         bool `json:"fileVisibilityEnabled"`
	NetworkVisibilityEnabled      bool `json:"networkVisibilityEnabled"`
	CapabilitiesVisibilityEnabled bool `json:"capabilitiesVisibilityEnabled"`
}
EndPoint Structure. In Kubernetes an EndPoint corresponds roughly to a pod; outside Kubernetes it corresponds roughly to a container.
type FileDirectoryType ¶
// FileDirectoryType Structure
//
// One entry of FileType.MatchDirectories: a directory rule with access modifiers.
type FileDirectoryType struct {
	// Directory is the directory path; always serialized (no omitempty).
	Directory string `json:"dir"`
	// ReadOnly / Recursive / OwnerOnly are rule modifiers; their exact
	// semantics (e.g. whether OwnerOnly compares file owner to process UID)
	// are decided by the matcher, not here.
	ReadOnly  bool `json:"readOnly,omitempty"`
	Recursive bool `json:"recursive,omitempty"`
	OwnerOnly bool `json:"ownerOnly,omitempty"`
	// FromSource narrows the rule to the listed source paths.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`
	Severity   int               `json:"severity,omitempty"`
	Tags       []string          `json:"tags,omitempty"`
	Message    string            `json:"message,omitempty"`
	Action     string            `json:"action,omitempty"`
}
FileDirectoryType Structure
type FilePathType ¶
// FilePathType Structure
//
// One entry of FileType.MatchPaths: a single file path rule.
type FilePathType struct {
	// Path is the file path; always serialized (no omitempty).
	Path string `json:"path"`
	// Rule modifiers; semantics are decided by the matcher.
	ReadOnly  bool `json:"readOnly,omitempty"`
	OwnerOnly bool `json:"ownerOnly,omitempty"`
	// FromSource narrows the rule to the listed source paths.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`
	Severity   int               `json:"severity,omitempty"`
	Tags       []string          `json:"tags,omitempty"`
	Message    string            `json:"message,omitempty"`
	Action     string            `json:"action,omitempty"`
}
FilePathType Structure
type FilePatternType ¶
// FilePatternType Structure
//
// One entry of FileType.MatchPatterns. Unlike path and directory rules it has
// no FromSource field, so a pattern rule cannot be scoped to a source.
type FilePatternType struct {
	// Pattern is the file pattern; the pattern language (glob vs regexp) is
	// not defined in this file. Always serialized (no omitempty).
	Pattern   string `json:"pattern"`
	ReadOnly  bool   `json:"readOnly,omitempty"`
	OwnerOnly bool   `json:"ownerOnly,omitempty"`
	Severity  int    `json:"severity,omitempty"`
	Tags      []string `json:"tags,omitempty"`
	Message   string `json:"message,omitempty"`
	Action    string `json:"action,omitempty"`
}
FilePatternType Structure
type FileType ¶
// FileType Structure
//
// The "file" section of a SecuritySpec / HostSecuritySpec.
type FileType struct {
	MatchPaths       []FilePathType      `json:"matchPaths,omitempty"`
	MatchDirectories []FileDirectoryType `json:"matchDirectories,omitempty"`
	MatchPatterns    []FilePatternType   `json:"matchPatterns,omitempty"`
	// Section-level defaults; the same fields exist per rule and on the spec.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}
FileType Structure
type HostSecurityPolicy ¶
// HostSecurityPolicy Structure
//
// Internal (non-CRD) form of a host policy: a flat metadata map plus the spec.
// Compare K8sKubeArmorHostPolicy, which carries metav1.ObjectMeta instead.
type HostSecurityPolicy struct {
	Metadata map[string]string `json:"metadata"`
	Spec     HostSecuritySpec  `json:"spec"`
}
HostSecurityPolicy Structure
type HostSecuritySpec ¶
// HostSecuritySpec Structure
//
// Spec of a host policy. Identical in shape to SecuritySpec except that the
// target is chosen by NodeSelector rather than Selector.
type HostSecuritySpec struct {
	// NodeSelector picks the nodes this policy applies to.
	NodeSelector NodeSelectorType `json:"nodeSelector"`

	Process      ProcessType      `json:"process,omitempty"`
	File         FileType         `json:"file,omitempty"`
	Network      NetworkType      `json:"network,omitempty"`
	Capabilities CapabilitiesType `json:"capabilities,omitempty"`
	Syscalls     SyscallsType     `json:"syscalls,omitempty"`

	// AppArmor is a raw profile string; how it is combined with the rule
	// sections above is not visible here.
	AppArmor string `json:"apparmor,omitempty"`

	// Spec-level Severity and Action are always serialized (no omitempty),
	// unlike the section/rule-level copies.
	Severity int      `json:"severity"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action"`
}
HostSecuritySpec Structure
type K8sKubeArmorHostPolicies ¶
// K8sKubeArmorHostPolicies Structure
//
// List wrapper for K8sKubeArmorHostPolicy, matching the "items" envelope of a
// Kubernetes list response.
type K8sKubeArmorHostPolicies struct {
	Items []K8sKubeArmorHostPolicy `json:"items"`
}
K8sKubeArmorHostPolicies Structure
type K8sKubeArmorHostPolicy ¶
// K8sKubeArmorHostPolicy Structure
//
// CRD-shaped host policy: Kubernetes object metadata, the spec and a status.
type K8sKubeArmorHostPolicy struct {
	Metadata metav1.ObjectMeta `json:"metadata"`
	Spec     HostSecuritySpec  `json:"spec"`
	Status   K8sPolicyStatus   `json:"status,omitempty"`
}
K8sKubeArmorHostPolicy Structure
type K8sKubeArmorHostPolicyEvent ¶
// K8sKubeArmorHostPolicyEvent Structure
//
// A watch event for a host policy: the event type string plus the object.
// The set of valid Type values is not defined in this file.
type K8sKubeArmorHostPolicyEvent struct {
	Type   string                 `json:"type"`
	Object K8sKubeArmorHostPolicy `json:"object"`
}
K8sKubeArmorHostPolicyEvent Structure
type K8sKubeArmorPolicies ¶
// K8sKubeArmorPolicies Structure
//
// List wrapper for K8sKubeArmorPolicy, matching the "items" envelope of a
// Kubernetes list response.
type K8sKubeArmorPolicies struct {
	Items []K8sKubeArmorPolicy `json:"items"`
}
K8sKubeArmorPolicies Structure
type K8sKubeArmorPolicy ¶
// K8sKubeArmorPolicy Structure
//
// CRD-shaped container policy: Kubernetes object metadata, the spec and a status.
type K8sKubeArmorPolicy struct {
	Metadata metav1.ObjectMeta `json:"metadata"`
	Spec     SecuritySpec      `json:"spec"`
	Status   K8sPolicyStatus   `json:"status,omitempty"`
}
K8sKubeArmorPolicy Structure
type K8sKubeArmorPolicyEvent ¶
// K8sKubeArmorPolicyEvent Structure
//
// A watch event for a container policy: the event type string plus the object.
// The set of valid Type values is not defined in this file.
type K8sKubeArmorPolicyEvent struct {
	Type   string             `json:"type"`
	Object K8sKubeArmorPolicy `json:"object"`
}
K8sKubeArmorPolicyEvent Structure
type K8sNodeEvent ¶
K8sNodeEvent Structure
type K8sPod ¶
// K8sPod Structure
//
// Reduced view of a pod kept by KubeArmor. No JSON tags: this type is used
// in-process only as far as this file shows.
type K8sPod struct {
	Metadata    map[string]string
	Annotations map[string]string
	Labels      map[string]string

	// Containers and ContainerImages are keyed the same way (presumably by
	// container name — confirm where they are filled).
	Containers      map[string]string
	ContainerImages map[string]string

	// using two maps here as it is inefficent to
	// obtain either from just one

	// for storing privilegd container names (set semantics: empty struct values)
	PrivilegedContainers map[string]struct{}
	// for storing privileged apparmor profile names
	PrivilegedAppArmorProfiles map[string]struct{}
}
K8sPod Structure
type K8sPodEvent ¶
K8sPodEvent Structure
type K8sPolicyStatus ¶
// K8sPolicyStatus Structure
//
// Status sub-resource of a policy CRD; a single free-form status string.
type K8sPolicyStatus struct {
	Status string `json:"status,omitempty"`
}
K8sPolicyStatus Structure
type KubeArmorHostPolicyEventCallback ¶
// KubeArmorHostPolicyEventCallback Function
//
// Callback invoked with a host-policy watch event; it returns the resulting
// pb.PolicyStatus for that event.
type KubeArmorHostPolicyEventCallback func(K8sKubeArmorHostPolicyEvent) pb.PolicyStatus
KubeArmorHostPolicyEventCallback Function
type Log ¶
// Log Structure
//
// A single telemetry record (log or alert) emitted by KubeArmor. Note the
// type drift versus the policy types: Severity and Tags are strings here
// but int / []string in the spec types, and Labels is a string here but a
// map on EndPoint.
type Log struct {
	// updated time
	Timestamp   int64  `json:"timestamp"`
	UpdatedTime string `json:"updatedTime"`

	// host
	ClusterName string `json:"clusterName,omitempty"`
	HostName    string `json:"hostName"`

	// k8s
	NamespaceName string    `json:"namespaceName,omitempty"`
	Owner         *PodOwner `json:"owner,omitempty"`
	PodName       string    `json:"podName,omitempty"`
	Labels        string    `json:"labels,omitempty"`

	// container
	ContainerID    string `json:"containerID,omitempty"`
	ContainerName  string `json:"containerName,omitempty"`
	ContainerImage string `json:"containerImage,omitempty"`

	// common
	// Host-namespace and container-namespace PID pairs, plus the UID.
	// These are signed int32 while PidNode uses uint32 — conversions
	// happen at the producer.
	HostPPID int32 `json:"hostPPid"`
	HostPID  int32 `json:"hostPid"`
	PPID     int32 `json:"ppid"`
	PID      int32 `json:"pid"`
	UID      int32 `json:"uid"`

	// process
	ParentProcessName string `json:"parentProcessName"`
	ProcessName       string `json:"processName"`

	// enforcer
	Enforcer string `json:"enforcer,omitempty"`

	// policy
	PolicyName string `json:"policyName,omitempty"`

	// severity, tags, message
	Severity string `json:"severity,omitempty"`
	// Tags is the flattened form; ATags is the list form and is always
	// serialized (no omitempty), so it appears as null/[] even when Tags is absent.
	Tags    string   `json:"tags,omitempty"`
	ATags   []string `json:"atags"`
	Message string   `json:"message,omitempty"`

	// log
	Type      string `json:"type"`
	Source    string `json:"source"`
	Operation string `json:"operation"`
	Resource  string `json:"resource"`
	Cwd       string `json:"cwd"`
	TTY       string `json:"tty,omitempty"`
	OID       int32  `json:"oid"`
	// Data carries extra, operation-specific detail; its format is set by the producer.
	Data   string `json:"data,omitempty"`
	Action string `json:"action,omitempty"`
	Result string `json:"result"`

	// NOTE: these two keys are capitalized in JSON unlike every other key in
	// this struct; they are part of the serialized form and are kept as-is.
	MaxAlertsPerSec        int32 `json:"MaxAlertsPerSec,omitempty"`
	DroppingAlertsInterval int32 `json:"DroppingAlertsInterval,omitempty"`

	// Settings in effect for the subject when the event was produced.
	PolicyEnabled                 int  `json:"policyEnabled,omitempty"`
	ProcessVisibilityEnabled      bool `json:"processVisibilityEnabled,omitempty"`
	FileVisibilityEnabled         bool `json:"fileVisibilityEnabled,omitempty"`
	NetworkVisibilityEnabled      bool `json:"networkVisibilityEnabled,omitempty"`
	CapabilitiesVisibilityEnabled bool `json:"capabilitiesVisibilityEnabled,omitempty"`
}
Log Structure
type MatchExpressionType ¶
// MatchExpressionType Structure
//
// One label-selector expression (key / operator / values), used by
// SelectorType.MatchExpressions. The accepted Operator strings are not
// defined in this file.
type MatchExpressionType struct {
	Key      string   `json:"key,omitempty"`
	Operator string   `json:"operator,omitempty"`
	Values   []string `json:"values,omitempty"`
}
MatchExpressionType Structure
type MatchPolicy ¶
// MatchPolicy Structure
//
// A policy rule flattened into the form the log matcher works with. No JSON
// tags: in-process only as far as this file shows. Severity is a string
// here (it is an int in the spec types).
type MatchPolicy struct {
	PolicyName string
	Severity   string
	Tags       []string
	Message    string

	// Source is the rule's source path; IsFromSource records whether the
	// rule was produced from a FromSource entry.
	Source string

	// Operation / ResourceType / Resource identify what the rule matches;
	// the vocabulary for these strings is set by the matcher.
	Operation    string
	ResourceType string
	Resource     string

	IsFromSource bool
	OwnerOnly    bool
	ReadOnly     bool
	Recursive    bool

	// Regexp is the compiled pattern for pattern rules; presumably nil for
	// non-pattern rules, so callers must nil-check before use.
	Regexp *regexp.Regexp

	// Native is a flag whose meaning is not visible in this file.
	Native bool
	Action string
}
MatchPolicy Structure
type MatchSourceType ¶
// MatchSourceType Structure
//
// A FromSource entry: the path of the source (presumably an executable)
// that a rule is restricted to.
type MatchSourceType struct {
	Path string `json:"path,omitempty"`
}
MatchSourceType Structure
type Namespace ¶
// Namespace struct
//
// Per-namespace record. All keys are snake_case (unlike most other types
// here) and all fields are omitempty.
type Namespace struct {
	Name string `json:"name,omitempty"`
	// Labels is a flat string; its encoding is set by the writer.
	Labels string `json:"labels,omitempty"`
	// Namespace-level default posture for file and network rules. There is
	// no capabilities counterpart here, unlike DefaultPosture.
	KubearmorFilePosture    string `json:"kubearmor_file_posture,omitempty"`
	KubearmorNetworkPosture string `json:"kubearmor_network_posture,omitempty"`
	LastUpdatedAt           string `json:"last_updated_at,omitempty"`
	// ContainerCount is omitempty, so a genuine count of 0 is not serialized.
	ContainerCount int `json:"container_count,omitempty"`
}
Namespace struct
type NetworkProtocolType ¶
// NetworkProtocolType Structure
//
// One entry of NetworkType.MatchProtocols: a protocol name rule.
type NetworkProtocolType struct {
	// Protocol is the protocol name; always serialized (no omitempty).
	Protocol string `json:"protocol"`
	// FromSource narrows the rule to the listed source paths.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`
	Severity   int               `json:"severity,omitempty"`
	Tags       []string          `json:"tags,omitempty"`
	Message    string            `json:"message,omitempty"`
	Action     string            `json:"action,omitempty"`
}
NetworkProtocolType Structure
type NetworkType ¶
// NetworkType Structure
//
// The "network" section of a SecuritySpec / HostSecuritySpec.
type NetworkType struct {
	MatchProtocols []NetworkProtocolType `json:"matchProtocols,omitempty"`
	// Section-level defaults; the same fields exist per rule and on the spec.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}
NetworkType Structure
type Node ¶
// Node Structure
//
// Record of a node as tracked by KubeArmor, including the host-level
// enforcement/visibility settings in effect.
type Node struct {
	ClusterName string `json:"clusterName"`
	NodeName    string `json:"nodeName"`
	NodeIP      string `json:"nodeIP"`

	Annotations map[string]string `json:"annotations"`
	Labels      map[string]string `json:"labels"`
	// Identities are the identity strings host policies are matched against.
	Identities []string `json:"identities"`

	// Platform facts, as reported by the node.
	Architecture            string `json:"architecture"`
	OperatingSystem         string `json:"operatingSystem"`
	OSImage                 string `json:"osImage"`
	KernelVersion           string `json:"kernelVersion"`
	KubeletVersion          string `json:"kubeletVersion"`
	ContainerRuntimeVersion string `json:"containerRuntimeVersion"`

	// LastUpdatedAt is a string, not a time.Time; format set by the writer.
	LastUpdatedAt string `json:"last_updated_at"`

	// PolicyEnabled presumably holds one of the KubeArmorPolicy* constants.
	PolicyEnabled int `json:"policyEnabled"`

	ProcessVisibilityEnabled      bool `json:"processVisibilityEnabled"`
	FileVisibilityEnabled         bool `json:"fileVisibilityEnabled"`
	NetworkVisibilityEnabled      bool `json:"networkVisibilityEnabled"`
	CapabilitiesVisibilityEnabled bool `json:"capabilitiesVisibilityEnabled"`
}
Node Structure
type NodeSelectorType ¶
// NodeSelectorType Structure
//
// Node selector of a HostSecuritySpec.
type NodeSelectorType struct {
	// MatchLabels is the user-supplied label selector.
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
	// Identities is derived, not user input: it is filled in when the policy
	// is updated. Consumers should not trust a value arriving from outside.
	Identities []string `json:"identities,omitempty"` // set during policy update
}
NodeSelectorType Structure
type PidNode ¶
// PidNode Structure
//
// A process entry in the PID tree KubeArmor maintains. No JSON tags:
// in-process only as far as this file shows. Ids are uint32 here, whereas
// Log carries them as int32.
type PidNode struct {
	// PidID and MntID are the PID and mount namespace ids the process lives in.
	PidID uint32
	MntID uint32

	// Host-namespace and container-namespace PID pairs, plus the UID.
	HostPPID uint32
	HostPID  uint32
	PPID     uint32
	PID      uint32
	UID      uint32

	ParentExecPath string
	ExecPath       string
	Source         string
	// Args is a single string; how arguments are joined is set by the producer.
	Args string

	// Exited marks a process that has already terminated but is still kept in
	// the tree; ExitedTime records when. Presumably used for delayed eviction
	// — confirm in the PID-map maintenance code.
	Exited     bool
	ExitedTime time.Time
}
PidNode Structure
type PodOwner ¶
// PodOwner struct
//
// Owner reference of a pod: the owning object's kind/reference string, its
// name and its namespace.
type PodOwner struct {
	Ref       string `json:"ref,omitempty"`
	Name      string `json:"name,omitempty"`
	Namespace string `json:"namespace,omitempty"`
}
PodOwner struct
type ProcessDirectoryType ¶
// ProcessDirectoryType Structure
//
// One entry of ProcessType.MatchDirectories: a directory rule for executables.
// Unlike FileDirectoryType there is no ReadOnly modifier.
type ProcessDirectoryType struct {
	// Directory is the directory path; always serialized (no omitempty).
	Directory string `json:"dir"`
	Recursive bool   `json:"recursive,omitempty"`
	OwnerOnly bool   `json:"ownerOnly,omitempty"`
	// FromSource narrows the rule to the listed source paths.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`
	Severity   int               `json:"severity,omitempty"`
	Tags       []string          `json:"tags,omitempty"`
	Message    string            `json:"message,omitempty"`
	Action     string            `json:"action,omitempty"`
}
ProcessDirectoryType Structure
type ProcessPathType ¶
// ProcessPathType Structure
//
// One entry of ProcessType.MatchPaths: an executable rule by full path or by
// executable name.
type ProcessPathType struct {
	// Path and ExecName are both omitempty, so either (or neither) may be
	// present; which one takes precedence is decided by the matcher.
	Path     string `json:"path,omitempty"`
	ExecName string `json:"execname,omitempty"`
	OwnerOnly bool  `json:"ownerOnly,omitempty"`
	// FromSource narrows the rule to the listed source paths.
	FromSource []MatchSourceType `json:"fromSource,omitempty"`
	Severity   int               `json:"severity,omitempty"`
	Tags       []string          `json:"tags,omitempty"`
	Message    string            `json:"message,omitempty"`
	Action     string            `json:"action,omitempty"`
}
ProcessPathType Structure
type ProcessPatternType ¶
// ProcessPatternType Structure
//
// One entry of ProcessType.MatchPatterns. Like FilePatternType it has no
// FromSource field, so a pattern rule cannot be scoped to a source.
type ProcessPatternType struct {
	// Pattern is the executable pattern; the pattern language is not defined
	// in this file. Always serialized (no omitempty).
	Pattern   string   `json:"pattern"`
	OwnerOnly bool     `json:"ownerOnly,omitempty"`
	Severity  int      `json:"severity,omitempty"`
	Tags      []string `json:"tags,omitempty"`
	Message   string   `json:"message,omitempty"`
	Action    string   `json:"action,omitempty"`
}
ProcessPatternType Structure
type ProcessType ¶
// ProcessType Structure
//
// The "process" section of a SecuritySpec / HostSecuritySpec.
type ProcessType struct {
	MatchPaths       []ProcessPathType      `json:"matchPaths,omitempty"`
	MatchDirectories []ProcessDirectoryType `json:"matchDirectories,omitempty"`
	MatchPatterns    []ProcessPatternType   `json:"matchPatterns,omitempty"`
	// Section-level defaults; the same fields exist per rule and on the spec.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action,omitempty"`
}
ProcessType Structure
type SELinuxRule ¶
// SELinuxRule Structure
//
// One SELinux rule in KubeArmor's internal form: a subject (label + path),
// an object (label + path) and modifiers. No JSON tags: in-process only as
// far as this file shows.
type SELinuxRule struct {
	SubjectLabel string
	SubjectPath  string
	ObjectLabel  string
	ObjectPath   string

	// Permissive, when true, presumably means the rule is audited rather
	// than enforced — confirm in the SELinux enforcer before relying on it.
	Permissive bool
	// Directory / Recursive / Pattern describe how ObjectPath is interpreted.
	Directory bool
	Recursive bool
	Pattern   bool
}
SELinuxRule Structure
type SecurityPolicy ¶
// SecurityPolicy Structure
//
// Internal (non-CRD) form of a container policy: a flat metadata map plus
// the spec. Compare K8sKubeArmorPolicy, which carries metav1.ObjectMeta.
type SecurityPolicy struct {
	Metadata map[string]string `json:"metadata"`
	Spec     SecuritySpec      `json:"spec"`
}
SecurityPolicy Structure
type SecuritySpec ¶
// SecuritySpec Structure
//
// Spec of a container policy. Identical in shape to HostSecuritySpec except
// that the target is chosen by Selector rather than NodeSelector.
type SecuritySpec struct {
	// Selector picks the workloads this policy applies to.
	Selector SelectorType `json:"selector"`

	Process      ProcessType      `json:"process,omitempty"`
	File         FileType         `json:"file,omitempty"`
	Network      NetworkType      `json:"network,omitempty"`
	Capabilities CapabilitiesType `json:"capabilities,omitempty"`
	Syscalls     SyscallsType     `json:"syscalls,omitempty"`

	// AppArmor is a raw profile string; how it is combined with the rule
	// sections above is not visible here.
	AppArmor string `json:"apparmor,omitempty"`

	// Spec-level Severity and Action are always serialized (no omitempty),
	// unlike the section/rule-level copies.
	Severity int      `json:"severity"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
	Action   string   `json:"action"`
}
SecuritySpec Structure
type SelectorType ¶
// SelectorType Structure
//
// Workload selector of a SecuritySpec. The first group is used by
// KubeArmorPolicy, the second by KubeArmorClusterPolicy. Identities and
// NamespaceList are derived fields filled in at policy update time, not
// user input; consumers should not trust values for them arriving from outside.
type SelectorType struct {
	// for KubeArmorPolicy
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
	Containers  []string          `json:"containers,omitempty"`
	Identities  []string          `json:"identities,omitempty"` // set during policy update

	// for KubeArmorClusterPolicy
	MatchExpressions []MatchExpressionType `json:"matchExpressions,omitempty"`
	NamespaceList    []string              `json:"namespaceList,omitempty"` // set during policy update
}
SelectorType Structure
type SyscallFromSourceType ¶
// SyscallFromSourceType Structure
//
// FromSource entry for syscall rules. Unlike MatchSourceType it can name a
// directory (Dir, optionally Recursive) instead of a single Path; both are
// omitempty and which one wins when both are set is decided by the matcher.
type SyscallFromSourceType struct {
	Path      string `json:"path,omitempty"`
	Dir       string `json:"dir,omitempty"`
	Recursive bool   `json:"recursive,omitempty"`
}
SyscallFromSourceType Structure
type SyscallMatchPathType ¶
// SyscallMatchPathType Structure
//
// One entry of SyscallsType.MatchPaths: syscalls matched when the target
// path matches. Note there is no Action field on any syscall rule type.
type SyscallMatchPathType struct {
	Path      string `json:"path,omitempty"`
	Recursive bool   `json:"recursive,omitempty"`
	// NOTE: the JSON key is singular ("syscall") for a list field; it is part
	// of the serialized form and is kept as-is.
	Syscalls   []string                `json:"syscall,omitempty"`
	FromSource []SyscallFromSourceType `json:"fromSource,omitempty"`
	Severity   int                     `json:"severity,omitempty"`
	Tags       []string                `json:"tags,omitempty"`
	Message    string                  `json:"message,omitempty"`
}
SyscallMatchPathType Structure
type SyscallMatchType ¶
// SyscallMatchType Structure
//
// One entry of SyscallsType.MatchSyscalls: a plain syscall-name rule,
// optionally scoped by FromSource. Note there is no Action field.
type SyscallMatchType struct {
	// NOTE: the JSON key is singular ("syscall") for a list field; it is part
	// of the serialized form and is kept as-is.
	Syscalls   []string                `json:"syscall,omitempty"`
	FromSource []SyscallFromSourceType `json:"fromSource,omitempty"`
	Severity   int                     `json:"severity,omitempty"`
	Tags       []string                `json:"tags,omitempty"`
	Message    string                  `json:"message,omitempty"`
}
SyscallMatchType Structure
type SyscallsType ¶
// SyscallsType Structure
//
// The "syscalls" section of a SecuritySpec / HostSecuritySpec. Unlike the
// other sections it carries no Action field at any level.
type SyscallsType struct {
	MatchSyscalls []SyscallMatchType     `json:"matchSyscalls,omitempty"`
	MatchPaths    []SyscallMatchPathType `json:"matchPaths,omitempty"`
	// Section-level defaults; the same fields exist per rule and on the spec.
	Severity int      `json:"severity,omitempty"`
	Tags     []string `json:"tags,omitempty"`
	Message  string   `json:"message,omitempty"`
}
SyscallsType Structure