Documentation ¶
Index ¶
- Constants
- Variables
- func AddOrRemoveVolume(src *[]corev1.Volume, dest *[]corev1.Volume, action string)
- func AddOrRemoveVolumeMount(src *[]corev1.VolumeMount, dest *[]corev1.VolumeMount, action string)
- func AddOrReplaceArg(add, replace string, args *[]string)
- func CopyStrMap(src map[string]string) map[string]string
- func GenerateCA() (*x509.Certificate, *rsa.PrivateKey, error)
- func GenerateCSR(namespace string, serviceName string) (*x509.Certificate, *rsa.PrivateKey, error)
- func GeneratePki(namespace string, serviceName string) (*bytes.Buffer, *bytes.Buffer, *bytes.Buffer, error)
- func GetApplicationImage(app string) string
- func GetFreeRandSuffix(c *kubernetes.Clientset, namespace string) (suffix string, err error)
- func GetOperatorNamespace() string
- func GetTlsState() bool
- func IsCertifiedOperator() bool
- func ShortSHA(s string) string
- func SignCSR(caCrt *x509.Certificate, caKey *rsa.PrivateKey, csrCrt *x509.Certificate, ...) ([]byte, error)
Constants ¶
// Status phases and the human-readable messages that accompany them; the
// "constants for CRD status" comment below is the only statement of where they
// are used, so treat the mapping phase -> message as a convention to confirm.
const (
	// constants for CRD status
	CREATED  string = "Created"
	PENDING  string = "Pending"
	RUNNING  string = "Running"
	UPDATING string = "Updating"
	ERROR    string = "Error"

	// Status Messages
	CREATED_MSG  string = "Installation has been created"
	PENDING_MSG  string = "Kubearmor Installation is in-progress"
	RUNNING_MSG  string = "Kubearmor Application is Up and Running"
	UPDATING_MSG string = "Updating the Application Configuration"

	// Error Messages
	INSTALLATION_ERR_MSG    string = "Failed to install KubeArmor component(s)"
	MULTIPLE_CRD_ERR_MSG    string = "There's already a CRD exists to manage KubeArmor"
	UPDATION_FAILED_ERR_MSG string = "Failed to update KubeArmor configuration"
)
Variables ¶
// Package-level defaults for the operator: node labels/taints it reads, the
// names, images and ConfigMap keys it deploys, and the TLS defaults. These are
// mutable package variables, so anything that assigns to them changes the
// defaults for every later caller.
var (
	// node labels
	EnforcerLabel   string = "kubearmor.io/enforcer"
	RuntimeLabel    string = "kubearmor.io/runtime"
	SocketLabel     string = "kubearmor.io/socket"
	RandLabel       string = "kubearmor.io/rand"
	OsLabel         string = "kubernetes.io/os"
	ArchLabel       string = "kubernetes.io/arch"
	BTFLabel        string = "kubearmor.io/btf"
	ApparmorFsLabel string = "kubearmor.io/apparmorfs"
	SecurityFsLabel string = "kubearmor.io/securityfs"
	SeccompLabel    string = "kubearmor.io/seccomp"

	// node taints label
	NotreadyTaint      string = "node.kubernetes.io/not-ready"
	UnreachableTaint   string = "node.kubernetes.io/unreachable"
	UnschedulableTaint string = "node.kubernetes.io/unschedulable"

	// if any node with securityfs/lsm present
	// (the misspelled identifier is part of the exported API; renaming it would break callers)
	IfNodeWithSecurtiyFs bool = false

	// presumably the action strings accepted by AddOrRemoveVolume / AddOrRemoveVolumeMount — confirm
	DeleteAction string = "DELETE"
	AddAction    string = "ADD"

	// namespace the KubeArmor components are deployed into
	Namespace string = "kubearmor"

	// pod-security toggles; both default to the less privileged setting
	Privileged bool = false
	HostPID    bool = false

	// snitch: per-node probe component (role inferred from the name; confirm)
	SnitchName              string = "kubearmor-snitch"
	SnitchImage             string = "kubearmor/kubearmor-snitch"
	SnitchImageTag          string = "latest" // floating tag: not reproducible; pin a version or digest where possible
	KubeArmorSnitchRoleName string = "kubearmor-snitch"

	// ConfigMap Data — keys of the KubeArmor ConfigMap (defaults are in ConfigMapData)
	ConfigGRPC                       string = "gRPC"
	ConfigVisibility                 string = "visibility"
	ConfigCluster                    string = "cluster"
	ConfigDefaultFilePosture         string = "defaultFilePosture"
	ConfigDefaultCapabilitiesPosture string = "defaultCapabilitiesPosture"
	ConfigDefaultNetworkPosture      string = "defaultNetworkPosture"
	ConfigDefaultPostureLogs         string = "defaultPostureLogs"
	ConfigAlertThrottling            string = "alertThrottling"
	ConfigMaxAlertPerSec             string = "maxAlertPerSec"
	ConfigThrottleSec                string = "throttleSec"
	EnableStdOutAlerts               string = "enableStdOutAlerts"
	EnableStdOutLogs                 string = "enableStdOutLogs"
	EnableStdOutMsgs                 string = "enableStdOutMsgs"

	// Images
	// The defaults use mutable tags ("stable", "latest") together with pull policy
	// "Always", so a node may pull a different image on every restart; production
	// deployments should pin tags or digests for reproducibility.
	KubeArmorName                      string = "kubearmor"
	KubeArmorImage                     string = "kubearmor/kubearmor:stable"
	KubeArmorImagePullPolicy           string = "Always"
	KubeArmorInitName                  string = "kubearmor-init"
	KubeArmorInitImage                 string = "kubearmor/kubearmor-init:stable"
	KubeArmorInitImagePullPolicy       string = "Always"
	KubeArmorRelayName                 string = "kubearmor-relay"
	KubeArmorRelayImage                string = "kubearmor/kubearmor-relay-server:latest"
	KubeArmorRelayImagePullPolicy      string = "Always"
	KubeArmorControllerName            string = "kubearmor-controller"
	KubeArmorControllerImage           string = "kubearmor/kubearmor-controller:latest"
	KubeArmorControllerImagePullPolicy string = "Always"
	KubeRbacProxyName                  string = "kube-rbac-proxy"
	// NOTE(review): the gcr.io/kubebuilder kube-rbac-proxy images were deprecated upstream; confirm this tag still resolves before relying on the default
	KubeRbacProxyImage           string = "gcr.io/kubebuilder/kube-rbac-proxy:v0.15.0"
	KubeRbacProxyImagePullPolicy string = "Always"
	// untyped: these take the default type string
	SeccompProfile     = "kubearmor-seccomp.json"
	SeccompInitProfile = "kubearmor-init-seccomp.json"

	// tls
	EnableTls bool = false
	// extra SANs — presumably added to the generated certificates (see GenerateCSR); confirm
	ExtraDnsNames    []string = []string{"localhost"}
	ExtraIpAddresses []string = []string{"127.0.0.1"}
	// secret names the cert volumes below project from
	KubeArmorCaSecretName          string = "kubearmor-ca"
	KubeArmorClientSecretName      string = "kubearmor-client-certs"
	KubeArmorRelayServerSecretName string = "kubearmor-relay-server-certs"
	DefaultTlsCertPath             string = "/var/lib/kubearmor/tls"
	// decimal representation of octal value 0644. Used as DefaultMode for the
	// projected cert/key files, which therefore end up world-readable inside the
	// pod; a tighter mode (e.g. 0440) is preferable if the process runs as the
	// file owner/group — confirm the container's UID before changing it.
	DefaultMode int32 = 420

	// throttling
	AlertThrottling       bool   = true
	DefaultMaxAlertPerSec string = "10"
	DefaultThrottleSec    string = "30"
)
// BPFVolumes is a single emptyDir scratch volume named "bpf" (pod-lifetime,
// node-local; nothing from the host is exposed through it).
var BPFVolumes = []corev1.Volume{
	{
		Name: "bpf",
		VolumeSource: corev1.VolumeSource{
			EmptyDir: &corev1.EmptyDirVolumeSource{},
		},
	},
}
// BPFVolumesMount mounts the "bpf" emptyDir at /opt/kubearmor/BPF; no ReadOnly
// is set, so the container can write there.
var BPFVolumesMount = []corev1.VolumeMount{
	{
		Name:      "bpf",
		MountPath: "/opt/kubearmor/BPF",
	},
}
// CommonVolumes are hostPath volumes for the host debugfs (/sys/kernel/debug)
// and the host /proc. Both use Type HostPathDirectory, so the kubelet rejects
// the pod rather than creating the path when it is missing on the node. Which
// workloads receive them is not visible here (the name suggests all of them —
// confirm with the callers).
var CommonVolumes = []corev1.Volume{
	{
		Name: "sys-kernel-debug-path",
		VolumeSource: corev1.VolumeSource{
			HostPath: &corev1.HostPathVolumeSource{
				Path: "/sys/kernel/debug",
				Type: &HostPathDirectory,
			},
		},
	},
	{
		Name: "proc-fs-mount",
		VolumeSource: corev1.VolumeSource{
			HostPath: &corev1.HostPathVolumeSource{
				Path: "/proc",
				Type: &HostPathDirectory,
			},
		},
	},
}
// CommonVolumesMount places the CommonVolumes inside the container. The host
// /proc is mounted read-only under /host/procfs; the host debugfs is mounted
// writable (no ReadOnly) — presumably needed for tracing/BPF, confirm, and
// keep this mount out of any pod that does not need it.
var CommonVolumesMount = []corev1.VolumeMount{
	{
		Name:      "sys-kernel-debug-path",
		MountPath: "/sys/kernel/debug",
	},
	{
		Name:      "proc-fs-mount",
		MountPath: "/host/procfs",
		ReadOnly:  true,
	},
}
// ConfigDefaultSeccompEnabled is the string "false" (not a bool), matching the
// other ConfigMap values, which are all strings; seccomp is off unless enabled.
var ConfigDefaultSeccompEnabled = "false"
// ConfigMapData holds the default contents of the KubeArmor ConfigMap, keyed by
// the Config* key names. All three default postures are "audit" (log, do not
// block); throttling is on at 10 alerts/sec with a 30 s throttle window.
var ConfigMapData = map[string]string{
	ConfigGRPC:                       "32767",
	ConfigCluster:                    "default",
	ConfigDefaultFilePosture:         "audit",
	ConfigDefaultCapabilitiesPosture: "audit",
	ConfigDefaultNetworkPosture:      "audit",
	ConfigVisibility:                 "process,network,capabilities",
	ConfigDefaultPostureLogs:         "true",
	ConfigAlertThrottling:            "true",
	ConfigMaxAlertPerSec:             "10",
	ConfigThrottleSec:                "30",
}
// ContainerRuntimeSocketMap lists candidate host socket paths per runtime.
// The "docker" list includes the containerd sockets as well as docker.sock
// (dockerd running on top of containerd). Whether the order is a probe
// priority is not visible here — confirm with the code that walks it.
var ContainerRuntimeSocketMap = map[string][]string{
	"docker": {
		"/run/containerd/containerd.sock",
		"/var/run/containerd/containerd.sock",
		"/var/run/docker.sock",
		"/run/docker.sock",
	},
	"containerd": {
		"/var/snap/microk8s/common/run/containerd.sock",
		"/run/k0s/containerd.sock",
		"/run/k3s/containerd/containerd.sock",
		"/run/containerd/containerd.sock",
		"/var/run/containerd/containerd.sock",
		"/run/dockershim.sock",
	},
	"cri-o": {
		"/var/run/crio/crio.sock",
		"/run/crio/crio.sock",
	},
}
// EnforcerVolumes maps an enforcer name to the extra hostPath volumes it needs.
// Only "apparmor" has an entry: the host's /etc/apparmor.d profile directory
// (Type HostPathDirectory, so it must already exist on the node).
var EnforcerVolumes = map[string][]corev1.Volume{
	"apparmor": {
		{
			Name: "etc-apparmor-d-path",
			VolumeSource: corev1.VolumeSource{
				HostPath: &corev1.HostPathVolumeSource{
					Path: "/etc/apparmor.d",
					Type: &HostPathDirectory,
				},
			},
		},
	},
}
// EnforcerVolumesMounts mounts the EnforcerVolumes entry of the same key.
// The AppArmor profile directory is mounted writable (no ReadOnly) — presumably
// so the enforcer can install and remove profiles; confirm. Note this gives
// the pod write access to the host's own AppArmor policy directory.
var EnforcerVolumesMounts = map[string][]corev1.VolumeMount{
	"apparmor": {
		{
			Name:      "etc-apparmor-d-path",
			MountPath: "/etc/apparmor.d",
		},
	},
}
// HostPathDirectory is an addressable copy of corev1.HostPathDirectory so the
// volume literals can take &HostPathDirectory for HostPathVolumeSource.Type.
var HostPathDirectory = corev1.HostPathDirectory
// HostPathDirectoryOrCreate is an addressable copy of
// corev1.HostPathDirectoryOrCreate (a hostPath Type that lets the kubelet
// create the directory on the node if it is missing).
var HostPathDirectoryOrCreate = corev1.HostPathDirectoryOrCreate
// HostPathFile is an addressable copy of corev1.HostPathFile, used as the Type
// of single-file host mounts such as /etc/os-release.
var HostPathFile = corev1.HostPathFile
// HostPathSocket is an addressable copy of corev1.HostPathSocket; presumably
// used for the container-runtime socket mounts built from
// ContainerRuntimeSocketMap / RuntimeSocketLocation (no reference visible here).
var HostPathSocket = corev1.HostPathSocket
// KernelHeaderVolumes are the host paths needed to locate kernel headers:
// /lib/modules and /usr/src (directories) plus /etc/os-release (a single file,
// Type HostPathFile). All are hostPath mounts; see KernelHeaderVolumesMount,
// which mounts every one of them read-only.
var KernelHeaderVolumes = []corev1.Volume{
	{
		Name: "lib-modules-path",
		VolumeSource: corev1.VolumeSource{
			HostPath: &corev1.HostPathVolumeSource{
				Path: "/lib/modules",
				Type: &HostPathDirectory,
			},
		},
	},
	{
		Name: "usr-src-path",
		VolumeSource: corev1.VolumeSource{
			HostPath: &corev1.HostPathVolumeSource{
				Path: "/usr/src",
				Type: &HostPathDirectory,
			},
		},
	},
	{
		Name: "os-release-path",
		VolumeSource: corev1.VolumeSource{
			HostPath: &corev1.HostPathVolumeSource{
				Path: "/etc/os-release",
				Type: &HostPathFile,
			},
		},
	},
}
// KernelHeaderVolumesMount mounts the KernelHeaderVolumes read-only. The
// os-release file lands under /media/root/etc/os-release rather than its host
// path; the list order differs from KernelHeaderVolumes, which is harmless
// because mounts are matched by Name.
var KernelHeaderVolumesMount = []corev1.VolumeMount{
	{
		Name:      "usr-src-path",
		MountPath: "/usr/src",
		ReadOnly:  true,
	},
	{
		Name:      "lib-modules-path",
		MountPath: "/lib/modules",
		ReadOnly:  true,
	},
	{
		Name:      "os-release-path",
		MountPath: "/media/root/etc/os-release",
		ReadOnly:  true,
	},
}
// KubeArmorCaVolume projects the CA secret (KubeArmorCaSecretName) into the pod
// as ca.crt and ca.key, with file mode DefaultMode.
// NOTE(review): this projects the CA *private* key. Any container that mounts
// it can issue certificates chaining to this CA, so it should be mounted only
// where signing happens (see SignCSR) — confirm which workloads reference it.
var KubeArmorCaVolume = []corev1.Volume{
	{
		Name: "kubearmor-ca-secret",
		VolumeSource: corev1.VolumeSource{
			Secret: &corev1.SecretVolumeSource{
				SecretName: KubeArmorCaSecretName,
				Items: []corev1.KeyToPath{
					{
						Key:  "tls.crt",
						Path: "ca.crt",
					},
					{
						Key:  "tls.key",
						Path: "ca.key",
					},
				},
				DefaultMode: &DefaultMode,
			},
		},
	},
}
// KubeArmorCaVolumeMount mounts KubeArmorCaVolume read-only at DefaultTlsCertPath.
// Read-only protects the secret files from modification but not from being
// read; file permissions are governed by DefaultMode on the volume.
var KubeArmorCaVolumeMount = []corev1.VolumeMount{
	{
		Name:      "kubearmor-ca-secret",
		MountPath: DefaultTlsCertPath,
		ReadOnly:  true,
	},
}
// KubeArmorRelayTlsVolume is a projected volume combining two secrets for the
// relay: the client cert/key (KubeArmorClientSecretName -> client.crt/.key)
// and the relay server cert/key (KubeArmorRelayServerSecretName ->
// server.crt/.key). The trust anchor ca.crt is taken from the relay-server
// secret, not from KubeArmorCaSecretName, so that secret must carry the CA
// certificate as well (presumably populated when the certs are generated —
// confirm). File mode is DefaultMode.
var KubeArmorRelayTlsVolume = []corev1.Volume{
	{
		Name: "kubearmor-relay-certs-secrets",
		VolumeSource: corev1.VolumeSource{
			Projected: &corev1.ProjectedVolumeSource{
				Sources: []corev1.VolumeProjection{
					{
						Secret: &corev1.SecretProjection{
							LocalObjectReference: corev1.LocalObjectReference{
								Name: KubeArmorClientSecretName,
							},
							Items: []corev1.KeyToPath{
								{
									Key:  "tls.crt",
									Path: "client.crt",
								},
								{
									Key:  "tls.key",
									Path: "client.key",
								},
							},
						},
					},
					{
						Secret: &corev1.SecretProjection{
							LocalObjectReference: corev1.LocalObjectReference{
								Name: KubeArmorRelayServerSecretName,
							},
							Items: []corev1.KeyToPath{
								{
									Key:  "tls.crt",
									Path: "server.crt",
								},
								{
									Key:  "tls.key",
									Path: "server.key",
								},
								{
									Key:  "ca.crt",
									Path: "ca.crt",
								},
							},
						},
					},
				},
				DefaultMode: &DefaultMode,
			},
		},
	},
}
// KubeArmorRelayTlsVolumeMount mounts KubeArmorRelayTlsVolume read-only at
// DefaultTlsCertPath (the same path the CA volume uses; the two are not meant
// to be mounted in the same container).
var KubeArmorRelayTlsVolumeMount = []corev1.VolumeMount{
	{
		Name:      "kubearmor-relay-certs-secrets",
		MountPath: DefaultTlsCertPath,
		ReadOnly:  true,
	},
}
// KubearmorRelayEnvMap holds the relay's default environment: stdout output of
// alerts, logs and messages is all disabled ("false" strings, matching the
// EnableStdOut* key names).
var KubearmorRelayEnvMap = map[string]string{
	EnableStdOutAlerts: "false",
	EnableStdOutLogs:   "false",
	EnableStdOutMsgs:   "false",
}
// OperatorConfigCrd is package-level mutable state: a pointer to the current
// KubeArmorConfig object. It is nil until something assigns it (presumably the
// reconciler — not visible here), so readers must nil-check; concurrent
// writers would need external synchronization.
var OperatorConfigCrd *opv1.KubeArmorConfig
// RuntimeSocketLocation is the single default socket path per runtime, as
// opposed to ContainerRuntimeSocketMap, which lists every candidate path.
var RuntimeSocketLocation = map[string]string{
	"docker":     "/var/run/docker.sock",
	"containerd": "/var/run/containerd/containerd.sock",
	"cri-o":      "/var/run/crio/crio.sock",
}
Functions ¶
func AddOrRemoveVolume ¶
func AddOrRemoveVolumeMount ¶
func AddOrRemoveVolumeMount(src *[]corev1.VolumeMount, dest *[]corev1.VolumeMount, action string)
func AddOrReplaceArg ¶
func GenerateCA ¶
func GenerateCA() (*x509.Certificate, *rsa.PrivateKey, error)
GenerateCA - generates a private key and a certificate for a CA
func GenerateCSR ¶
func GenerateCSR(namespace string, serviceName string) (*x509.Certificate, *rsa.PrivateKey, error)
GenerateCSR - generates a certificate signing request for the given service in the given namespace
func GeneratePki ¶
func GeneratePki(namespace string, serviceName string) (*bytes.Buffer, *bytes.Buffer, *bytes.Buffer, error)
GeneratePki - generates a public/private key pair
func GetApplicationImage ¶
func GetFreeRandSuffix ¶
func GetFreeRandSuffix(c *kubernetes.Clientset, namespace string) (suffix string, err error)
func GetOperatorNamespace ¶
func GetOperatorNamespace() string
func GetTlsState ¶
func GetTlsState() bool
func IsCertifiedOperator ¶
func IsCertifiedOperator() bool
func SignCSR ¶
func SignCSR(caCrt *x509.Certificate, caKey *rsa.PrivateKey, csrCrt *x509.Certificate, csrKey *rsa.PrivateKey) ([]byte, error)
SignCSR - signs a certificate signing request, approving it with the given CA
Types ¶
This section is empty.