Documentation ¶
Index ¶
- Variables
- func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error)
- func CreateUnstructuredObject(f *fuzz.ConsumeFuzzer, typeToCreate string) (*unstructured.Unstructured, error)
- func GetK8sString(ff *fuzz.ConsumeFuzzer) (string, error)
- func InitFuzz()
- func ShouldBlockContainerName(pod *corev1.Pod) (bool, error)
- func ShouldBlockContainerNameExistenceAnchor(pod *corev1.Pod) (bool, error)
- func ShouldBlockEquality(pod *corev1.Pod) (bool, error)
- func ShouldBlockIfHostPathExists(pod *corev1.Pod) (bool, error)
- func ShouldBlockIfHostnetworkOrPortAreSpecified(pod *corev1.Pod) (bool, error)
- func ShouldBlockIfLessMemoryThanFirstContainer(pod *corev1.Pod) (bool, error)
- func ShouldBlockIfNamespaceIsEmptyOrDefault(pod *corev1.Pod) (bool, error)
- func ShouldBlockIfSupplementalGroupsExistAndAreLessThanZero(pod *corev1.Pod) (bool, error)
- func ShouldBlockIfSupplementalGroupsExistAndIsNotBetween(pod *corev1.Pod) (bool, error)
- func ShouldBlockImageTag(pod *corev1.Pod) (bool, error)
- func ShouldBlockSecurityPolicy(pod *corev1.Pod) (bool, error)
- type BypassChecker
- type DynamicFuzz
- type FuzzIDiscovery
- func (fid FuzzIDiscovery) CachedDiscoveryInterface() discovery.CachedDiscoveryInterface
- func (fid FuzzIDiscovery) FindResources(group, version, kind, subresource string) (map[dclient.TopLevelApiDescription]metav1.APIResource, error)
- func (fid FuzzIDiscovery) GetGVKFromGVR(schema.GroupVersionResource) (schema.GroupVersionKind, error)
- func (fid FuzzIDiscovery) GetGVRFromGVK(schema.GroupVersionKind) (schema.GroupVersionResource, error)
- func (fid FuzzIDiscovery) OpenAPISchema() (*openapiv2.Document, error)
- type FuzzInterface
- func (fi FuzzInterface) ApplyResource(ctx context.Context, apiVersion string, kind string, namespace string, ...) (*unstructured.Unstructured, error)
- func (fi FuzzInterface) ApplyStatusResource(ctx context.Context, apiVersion string, kind string, namespace string, ...) (*unstructured.Unstructured, error)
- func (fi FuzzInterface) CreateResource(ctx context.Context, apiVersion string, kind string, namespace string, ...) (*unstructured.Unstructured, error)
- func (fi FuzzInterface) DeleteResource(ctx context.Context, apiVersion string, kind string, namespace string, ...) error
- func (fi FuzzInterface) Discovery() dclient.IDiscovery
- func (fi FuzzInterface) GetDynamicInterface() dynamic.Interface
- func (fi FuzzInterface) GetEventsInterface() eventsv1.EventsV1Interface
- func (fi FuzzInterface) GetKubeClient() kubernetes.Interface
- func (fi FuzzInterface) GetResource(ctx context.Context, apiVersion string, kind string, namespace string, ...) (*unstructured.Unstructured, error)
- func (fi FuzzInterface) ListResource(ctx context.Context, apiVersion string, kind string, namespace string, ...) (*unstructured.UnstructuredList, error)
- func (fi FuzzInterface) PatchResource(ctx context.Context, apiVersion string, kind string, namespace string, ...) (*unstructured.Unstructured, error)
- func (fi FuzzInterface) RawAbsPath(ctx context.Context, path string, method string, dataReader io.Reader) ([]byte, error)
- func (fi FuzzInterface) SetDiscovery(discoveryClient dclient.IDiscovery)
- func (fi FuzzInterface) UpdateResource(ctx context.Context, apiVersion string, kind string, namespace string, ...) (*unstructured.Unstructured, error)
- func (fi FuzzInterface) UpdateStatusResource(ctx context.Context, apiVersion string, kind string, namespace string, ...) (*unstructured.Unstructured, error)
- type FuzzNamespaceableResource
- func (fr FuzzNamespaceableResource) Apply(ctx context.Context, name string, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzNamespaceableResource) ApplyStatus(ctx context.Context, name string, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzNamespaceableResource) Create(ctx context.Context, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzNamespaceableResource) Delete(ctx context.Context, name string, options metav1.DeleteOptions, ...) error
- func (fr FuzzNamespaceableResource) DeleteCollection(ctx context.Context, options metav1.DeleteOptions, ...) error
- func (fr FuzzNamespaceableResource) Get(ctx context.Context, name string, options metav1.GetOptions, ...) (*unstructured.Unstructured, error)
- func (fr FuzzNamespaceableResource) List(ctx context.Context, opts metav1.ListOptions) (*unstructured.UnstructuredList, error)
- func (fnr FuzzNamespaceableResource) Namespace(string) dynamic.ResourceInterface
- func (fr FuzzNamespaceableResource) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, ...) (*unstructured.Unstructured, error)
- func (fr FuzzNamespaceableResource) Update(ctx context.Context, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzNamespaceableResource) UpdateStatus(ctx context.Context, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzNamespaceableResource) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
- type FuzzResource
- func (fr FuzzResource) Apply(ctx context.Context, name string, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzResource) ApplyStatus(ctx context.Context, name string, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzResource) Create(ctx context.Context, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzResource) Delete(ctx context.Context, name string, options metav1.DeleteOptions, ...) error
- func (fr FuzzResource) DeleteCollection(ctx context.Context, options metav1.DeleteOptions, ...) error
- func (fr FuzzResource) Get(ctx context.Context, name string, options metav1.GetOptions, ...) (*unstructured.Unstructured, error)
- func (fr FuzzResource) List(ctx context.Context, opts metav1.ListOptions) (*unstructured.UnstructuredList, error)
- func (fr FuzzResource) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, ...) (*unstructured.Unstructured, error)
- func (fr FuzzResource) Update(ctx context.Context, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzResource) UpdateStatus(ctx context.Context, obj *unstructured.Unstructured, ...) (*unstructured.Unstructured, error)
- func (fr FuzzResource) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
Constants ¶
This section is empty.
Variables ¶
var (
	// Policies is indexed by int and holds the BypassChecker for each policy
	// fixture below — presumably filled in by InitFuzz; confirm against the initialiser.
	Policies map[int]*BypassChecker

	// NOTE(review): every fixture below declares apiVersion "kyvernov1.io/v1";
	// confirm that spelling is what the fuzz harness expects before reusing them
	// outside it. Several fixtures also share metadata.name "policy-secaas-k8s",
	// which is harmless in-process but would collide if ever applied to a cluster.

	// LatestImageTagPolicy carries two rules on Pods: "validate-tag" requires every
	// container image to match "*:*" (an explicit tag), and "validate-latest" uses the
	// conditional anchor "(image)": "*latest" to require imagePullPolicy "Always"
	// whenever the image ends in "latest".
	LatestImageTagPolicy = []byte(`{ "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "validate-image" }, "spec": { "rules": [ { "name": "validate-tag", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "An image tag is required", "pattern": { "spec": { "containers": [ { "image": "*:*" } ] } } } }, { "name": "validate-latest", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "If the image has 'latest' tag then imagePullPolicy must be 'Always'", "pattern": { "spec": { "containers": [ { "(image)": "*latest", "imagePullPolicy": "Always" } ] } } } } ] } } `)

	// EqualityHostpathPolicy uses the equality anchor "=(hostPath)": when a volume has a
	// hostPath, its path must not equal "/var/lib". The message quotes "/var/lib/" with
	// a trailing slash while the pattern has none — cosmetic, but worth aligning.
	EqualityHostpathPolicy = []byte(` { "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "validate-host-path" }, "spec": { "rules": [ { "name": "validate-host-path", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "Host path '/var/lib/' is not allowed", "pattern": { "spec": { "volumes": [ { "=(hostPath)": { "path": "!/var/lib" } } ] } } } } ] } } `)

	// SecurityContextPolicy: if spec.securityContext is present on the Pod, its
	// runAsNonRoot must be true (equality anchor). A Pod with no securityContext at all
	// is not constrained by this rule.
	SecurityContextPolicy = []byte(`{ "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-secaas-k8s" }, "spec": { "rules": [ { "name": "pod rule 2", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "pod: validate run as non root user", "pattern": { "spec": { "=(securityContext)": { "runAsNonRoot": true } } } } } ] } }`)

	// ContainerNamePolicy: equality anchor on spec.containers — each container's name
	// must be "nginx". This rule declares no validate.message.
	ContainerNamePolicy = []byte(` { "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "fuzzPolicy" }, "spec": { "rules": [ { "name": "pod image rule", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "pattern": { "spec": { "=(containers)": [ { "name": "nginx" } ] } } } } ] } }`)

	// PodExistencePolicy: existence anchor "^(containers)" — at least one container
	// named "nginx" must be present. Same pattern body as ContainerNamePolicy, differing
	// only in the anchor.
	PodExistencePolicy = []byte(` { "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-secaas-k8s" }, "spec": { "rules": [ { "name": "pod image rule", "match": { "resources": { 
"kinds": [ "Pod" ] } }, "validate": { "pattern": { "spec": { "^(containers)": [ { "name": "nginx" } ] } } } } ] } } `)

	// HostPathCannotExistPolicy: negation anchor "X(hostPath)": null — no volume
	// (name "*") may declare a hostPath at all.
	HostPathCannotExistPolicy = []byte(` { "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "validate-host-path" }, "spec": { "rules": [ { "name": "validate-host-path", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "Host path is not allowed", "pattern": { "spec": { "volumes": [ { "name": "*", "X(hostPath)": null } ] } } } } ] } } `)

	// NamespaceCannotBeEmptyOrDefaultPolicy: anyPattern with "?*" (non-empty) and
	// "!default". NOTE(review): anyPattern passes when either entry matches, so a
	// namespace of "default" satisfies "?*" and an empty namespace satisfies "!default";
	// confirm the ShouldBlockIfNamespaceIsEmptyOrDefault checker's expectation against
	// the engine's anyPattern semantics.
	NamespaceCannotBeEmptyOrDefaultPolicy = []byte(` { "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "validate-namespace" }, "spec": { "rules": [ { "name": "check-default-namespace", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "A namespace is required", "anyPattern": [ { "metadata": { "namespace": "?*" } }, { "metadata": { "namespace": "!default" } } ] } } ] } } `)

	// HostnetworkAndPortNotAllowedPolicy requires spec.hostNetwork to be false and, for
	// every container, every declared port to have hostPort null.
	HostnetworkAndPortNotAllowedPolicy = []byte(` { "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "validate-host-network-port" }, "spec": { "rules": [ { "name": "validate-host-network-port", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "Host network and port are not allowed", "pattern": { "spec": { "hostNetwork": false, "containers": [ { "name": "*", "ports": [ { "hostPort": null } ] } ] } } } } ] } } `)

	// SupplementalGroupsShouldBeHigherThanZeroPolicy: equality anchor on a top-level
	// spec.supplementalGroups field with the operator ">0". NOTE(review): in the Pod
	// schema supplementalGroups sits under spec.securityContext, so this anchor only
	// fires on objects carrying the field at spec level — confirm the fuzzed pods do.
	// The message is copied from the runAsNonRoot rule and does not describe this check.
	SupplementalGroupsShouldBeHigherThanZeroPolicy = []byte(`{ "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-secaas-k8s" }, "spec": { "rules": [ { "name": "pod rule 2", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "pod: validate run as non root user", "pattern": { "spec": { "=(supplementalGroups)": ">0" } } } } ] } } `)

	// SupplementalGroupsShouldBeBetween: as above but in list form, each element must
	// satisfy ">0 & <100001". Same schema caveat and copied message apply.
	SupplementalGroupsShouldBeBetween = []byte(`{ "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-secaas-k8s" }, "spec": { "rules": [ { "name": "pod rule 2", "match": 
{ "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "pod: validate run as non root user", "pattern": { "spec": { "=(supplementalGroups)": [ ">0 & <100001" ] } } } } ] } } `)

	// ShouldHaveMoreMemoryThanFirstContainer: every container's requests.memory must be
	// <= the first container's limits.memory (variable reference
	// "$(<=/spec/containers/0/resources/limits/memory)") and limits.memory must be
	// "2048Mi". NOTE(review): the operator is "<=" while this name and the
	// ShouldBlockIfLessMemoryThanFirstContainer checker read as the opposite — confirm
	// which direction is intended. The rule name and message are copied from the
	// host-network fixture and do not describe this check.
	ShouldHaveMoreMemoryThanFirstContainer = []byte(`{ "apiVersion": "kyvernov1.io/v1", "kind": "ClusterPolicy", "metadata": { "name": "policy-secaas-k8s" }, "spec": { "rules": [ { "name": "validate-host-network-port", "match": { "resources": { "kinds": [ "Pod" ] } }, "validate": { "message": "Host network and port are not allowed", "pattern": { "spec":{ "containers":[ { "name":"*", "resources":{ "requests":{ "memory":"$(<=/spec/containers/0/resources/limits/memory)" }, "limits":{ "memory":"2048Mi" } } } ] } } } } ] } } `)
)
Functions ¶
func CreatePolicySpec ¶
func CreatePolicySpec(ff *fuzz.ConsumeFuzzer) (kyvernov1.Spec, error)
func CreateUnstructuredObject ¶
func CreateUnstructuredObject(f *fuzz.ConsumeFuzzer, typeToCreate string) (*unstructured.Unstructured, error)
CreateUnstructuredObject creates an unstructured Kubernetes object.
func GetK8sString ¶
func GetK8sString(ff *fuzz.ConsumeFuzzer) (string, error)
Types ¶
type BypassChecker ¶
type DynamicFuzz ¶
type DynamicFuzz struct {
// contains filtered or unexported fields
}
func (DynamicFuzz) Resource ¶
func (df DynamicFuzz) Resource(resource schema.GroupVersionResource) dynamic.NamespaceableResourceInterface
type FuzzIDiscovery ¶
type FuzzIDiscovery struct {
// contains filtered or unexported fields
}
func (FuzzIDiscovery) CachedDiscoveryInterface ¶
func (fid FuzzIDiscovery) CachedDiscoveryInterface() discovery.CachedDiscoveryInterface
func (FuzzIDiscovery) FindResources ¶
func (fid FuzzIDiscovery) FindResources(group, version, kind, subresource string) (map[dclient.TopLevelApiDescription]metav1.APIResource, error)
func (FuzzIDiscovery) GetGVKFromGVR ¶
func (fid FuzzIDiscovery) GetGVKFromGVR(schema.GroupVersionResource) (schema.GroupVersionKind, error)
func (FuzzIDiscovery) GetGVRFromGVK ¶
func (fid FuzzIDiscovery) GetGVRFromGVK(schema.GroupVersionKind) (schema.GroupVersionResource, error)
func (FuzzIDiscovery) OpenAPISchema ¶
func (fid FuzzIDiscovery) OpenAPISchema() (*openapiv2.Document, error)
type FuzzInterface ¶
// FuzzInterface is a fuzzer-backed stand-in for the Kyverno dclient interface: its
// method set mirrors that client (Discovery/SetDiscovery, Get/List/Create/Update/
// Patch/DeleteResource, ...), presumably so the engine can be driven without a real
// API server — confirm against the method bodies.
type FuzzInterface struct {
	// FF is the fuzz.ConsumeFuzzer the methods draw their inputs from — TODO confirm.
	FF *fuzz.ConsumeFuzzer
}
func (FuzzInterface) ApplyResource ¶
func (fi FuzzInterface) ApplyResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, obj interface{}, dryRun bool, fieldManager string, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzInterface) ApplyStatusResource ¶
func (fi FuzzInterface) ApplyStatusResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, obj interface{}, dryRun bool, fieldManager string) (*unstructured.Unstructured, error)
func (FuzzInterface) CreateResource ¶
func (fi FuzzInterface) CreateResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)
func (FuzzInterface) DeleteResource ¶
func (FuzzInterface) Discovery ¶
func (fi FuzzInterface) Discovery() dclient.IDiscovery
func (FuzzInterface) GetDynamicInterface ¶
func (fi FuzzInterface) GetDynamicInterface() dynamic.Interface
func (FuzzInterface) GetEventsInterface ¶
func (fi FuzzInterface) GetEventsInterface() eventsv1.EventsV1Interface
func (FuzzInterface) GetKubeClient ¶
func (fi FuzzInterface) GetKubeClient() kubernetes.Interface
func (FuzzInterface) GetResource ¶
func (fi FuzzInterface) GetResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzInterface) ListResource ¶
func (fi FuzzInterface) ListResource(ctx context.Context, apiVersion string, kind string, namespace string, lselector *metav1.LabelSelector) (*unstructured.UnstructuredList, error)
func (FuzzInterface) PatchResource ¶
func (fi FuzzInterface) PatchResource(ctx context.Context, apiVersion string, kind string, namespace string, name string, patch []byte) (*unstructured.Unstructured, error)
func (FuzzInterface) RawAbsPath ¶
func (FuzzInterface) SetDiscovery ¶
func (fi FuzzInterface) SetDiscovery(discoveryClient dclient.IDiscovery)
func (FuzzInterface) UpdateResource ¶
func (fi FuzzInterface) UpdateResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzInterface) UpdateStatusResource ¶
func (fi FuzzInterface) UpdateStatusResource(ctx context.Context, apiVersion string, kind string, namespace string, obj interface{}, dryRun bool) (*unstructured.Unstructured, error)
type FuzzNamespaceableResource ¶
type FuzzNamespaceableResource struct {
// contains filtered or unexported fields
}
func (FuzzNamespaceableResource) Apply ¶
func (fr FuzzNamespaceableResource) Apply(ctx context.Context, name string, obj *unstructured.Unstructured, options metav1.ApplyOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzNamespaceableResource) ApplyStatus ¶
func (fr FuzzNamespaceableResource) ApplyStatus(ctx context.Context, name string, obj *unstructured.Unstructured, options metav1.ApplyOptions) (*unstructured.Unstructured, error)
func (FuzzNamespaceableResource) Create ¶
func (fr FuzzNamespaceableResource) Create(ctx context.Context, obj *unstructured.Unstructured, options metav1.CreateOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzNamespaceableResource) Delete ¶
func (fr FuzzNamespaceableResource) Delete(ctx context.Context, name string, options metav1.DeleteOptions, subresources ...string) error
func (FuzzNamespaceableResource) DeleteCollection ¶
func (fr FuzzNamespaceableResource) DeleteCollection(ctx context.Context, options metav1.DeleteOptions, listOptions metav1.ListOptions) error
func (FuzzNamespaceableResource) Get ¶
func (fr FuzzNamespaceableResource) Get(ctx context.Context, name string, options metav1.GetOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzNamespaceableResource) List ¶
func (fr FuzzNamespaceableResource) List(ctx context.Context, opts metav1.ListOptions) (*unstructured.UnstructuredList, error)
func (FuzzNamespaceableResource) Namespace ¶
func (fnr FuzzNamespaceableResource) Namespace(string) dynamic.ResourceInterface
func (FuzzNamespaceableResource) Patch ¶
func (fr FuzzNamespaceableResource) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, options metav1.PatchOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzNamespaceableResource) Update ¶
func (fr FuzzNamespaceableResource) Update(ctx context.Context, obj *unstructured.Unstructured, options metav1.UpdateOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzNamespaceableResource) UpdateStatus ¶
func (fr FuzzNamespaceableResource) UpdateStatus(ctx context.Context, obj *unstructured.Unstructured, options metav1.UpdateOptions) (*unstructured.Unstructured, error)
func (FuzzNamespaceableResource) Watch ¶
func (fr FuzzNamespaceableResource) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)
type FuzzResource ¶
type FuzzResource struct {
// contains filtered or unexported fields
}
func (FuzzResource) Apply ¶
func (fr FuzzResource) Apply(ctx context.Context, name string, obj *unstructured.Unstructured, options metav1.ApplyOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzResource) ApplyStatus ¶
func (fr FuzzResource) ApplyStatus(ctx context.Context, name string, obj *unstructured.Unstructured, options metav1.ApplyOptions) (*unstructured.Unstructured, error)
func (FuzzResource) Create ¶
func (fr FuzzResource) Create(ctx context.Context, obj *unstructured.Unstructured, options metav1.CreateOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzResource) Delete ¶
func (fr FuzzResource) Delete(ctx context.Context, name string, options metav1.DeleteOptions, subresources ...string) error
func (FuzzResource) DeleteCollection ¶
func (fr FuzzResource) DeleteCollection(ctx context.Context, options metav1.DeleteOptions, listOptions metav1.ListOptions) error
func (FuzzResource) Get ¶
func (fr FuzzResource) Get(ctx context.Context, name string, options metav1.GetOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzResource) List ¶
func (fr FuzzResource) List(ctx context.Context, opts metav1.ListOptions) (*unstructured.UnstructuredList, error)
func (FuzzResource) Patch ¶
func (fr FuzzResource) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, options metav1.PatchOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzResource) Update ¶
func (fr FuzzResource) Update(ctx context.Context, obj *unstructured.Unstructured, options metav1.UpdateOptions, subresources ...string) (*unstructured.Unstructured, error)
func (FuzzResource) UpdateStatus ¶
func (fr FuzzResource) UpdateStatus(ctx context.Context, obj *unstructured.Unstructured, options metav1.UpdateOptions) (*unstructured.Unstructured, error)
func (FuzzResource) Watch ¶
func (fr FuzzResource) Watch(ctx context.Context, opts metav1.ListOptions) (watch.Interface, error)