utils

package


Variables

// PSS_baseline_control_names lists the Pod Security Standards controls that
// make up the Baseline profile, using the human-readable control names that
// PSS_control_name_to_ids translates into CheckResult.IDs. "Capabilities" and
// "Seccomp" also appear in PSS_restricted_control_names because each of them
// has both a baseline and a restricted variant (see the *_baseline and
// *_restricted IDs in PSS_control_name_to_ids).
var PSS_baseline_control_names = []string{
	"HostProcess",
	"Host Namespaces",
	"Privileged Containers",
	"Capabilities",
	"HostPath Volumes",
	"Host Ports",
	"AppArmor",
	"SELinux",
	"/proc Mount Type",
	"Seccomp",
	"Sysctls",
}
// PSS_container_level_control lists the controls whose restricted fields live
// only under the per-container specs (containers, initContainers,
// ephemeralContainers); none of the matching PSS_controls entries has a
// pod-level spec.securityContext path. Controls that are checked at both pod
// and container level (Seccomp, SELinux, HostProcess) and the run-as-non-root
// controls appear in neither this list nor PSS_pod_level_control; presumably
// the callers treat them separately — confirm before relying on either list
// being exhaustive.
var PSS_container_level_control = []string{
	"Capabilities",
	"Privileged Containers",
	"Host Ports",
	"/proc Mount Type",
	"Privilege Escalation",
}
// PSS_control_name_to_ids translates a human-readable Pod Security Standards
// control name into the CheckResult.IDs emitted by the pod-security-admission
// policy package, so that a Kyverno policy can refer to a control by name.
// A control that exists in both the Baseline and the Restricted profile maps
// to two IDs, one per profile.
//
// For PSS controls see: https://kubernetes.io/docs/concepts/security/pod-security-standards/
// For CheckResult.ID see: https://github.com/kubernetes/pod-security-admission/tree/master/policy
var PSS_control_name_to_ids = map[string][]string{
	// Baseline-only controls, in the order of PSS_baseline_control_names.
	"HostProcess":           {"windowsHostProcess"},
	"Host Namespaces":       {"hostNamespaces"},
	"Privileged Containers": {"privileged"},
	"HostPath Volumes":      {"hostPathVolumes"},
	"Host Ports":            {"hostPorts"},
	"AppArmor":              {"appArmorProfile"},
	"SELinux":               {"seLinuxOptions"},
	"/proc Mount Type":      {"procMount"},
	"Sysctls":               {"sysctls"},

	// Controls with a baseline and a restricted variant.
	"Capabilities": {"capabilities_baseline", "capabilities_restricted"},
	"Seccomp":      {"seccompProfile_baseline", "seccompProfile_restricted"},

	// Restricted-only controls, in the order of PSS_restricted_control_names.
	"Volume Types":             {"restrictedVolumes"},
	"Privilege Escalation":     {"allowPrivilegeEscalation"},
	"Running as Non-root":      {"runAsNonRoot"},
	"Running as Non-root user": {"runAsUser"},
}

Translates a PSS control name to the corresponding CheckResult.ID so that a PSS control can be referenced from a Kyverno policy. For PSS controls, see https://kubernetes.io/docs/concepts/security/pod-security-standards/ ; for CheckResult.ID, see https://github.com/kubernetes/pod-security-admission/tree/master/policy

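// PSS_controls maps a CheckResult.ID (the values of PSS_control_name_to_ids)
// to the pod fields that check inspects and the values each field may hold
// without violating the control. AllowedValues is a []interface{} so that a
// single list can mix nil (field unset), bools, ints and strings.
//
// Most controls are checked on three container lists — containers,
// initContainers and ephemeralContainers — and some additionally at pod level
// (spec.securityContext). The entries are repeated on purpose: a path that is
// missing from one list means the control is simply not enforced for that
// kind of container. Two such gaps are closed in this revision: the
// ephemeralContainers SELinux user/role paths lacked the securityContext
// segment and so never matched, and runAsNonRoot allowed false for
// initContainers and ephemeralContainers while requiring true for containers.
var PSS_controls = map[string][]RestrictedField{
	// Baseline: privileged containers are forbidden; false or unset is allowed.
	"privileged": {
		{
			Path: "spec.containers[*].securityContext.privileged",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.privileged",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.privileged",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
	},
	// Baseline: hostPort is an integer and 0 means no host port is bound.
	// NOTE(review): the false entry is kept from the original table for
	// compatibility; it cannot equal an integer field, so it never matches.
	"hostPorts": {
		{
			Path: "spec.containers[*].ports[*].hostPort",
			AllowedValues: []interface{}{
				false,
				0,
			},
		},
		{
			Path: "spec.initContainers[*].ports[*].hostPort",
			AllowedValues: []interface{}{
				false,
				0,
			},
		},
		{
			Path: "spec.ephemeralContainers[*].ports[*].hostPort",
			AllowedValues: []interface{}{
				false,
				0,
			},
		},
	},
	// Baseline: the /proc mount type must be Default or left unset.
	"procMount": {
		{
			Path: "spec.containers[*].securityContext.procMount",
			AllowedValues: []interface{}{
				nil,
				"Default",
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.procMount",
			AllowedValues: []interface{}{
				nil,
				"Default",
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.procMount",
			AllowedValues: []interface{}{
				nil,
				"Default",
			},
		},
	},
	// Baseline: only the listed capabilities may be added (or none at all).
	// The same list is repeated for each container kind; keep them in sync.
	"capabilities_baseline": {
		{
			Path: "spec.containers[*].securityContext.capabilities.add",
			AllowedValues: []interface{}{
				nil,
				"AUDIT_WRITE",
				"CHOWN",
				"DAC_OVERRIDE",
				"FOWNER",
				"FSETID",
				"KILL",
				"MKNOD",
				"NET_BIND_SERVICE",
				"SETFCAP",
				"SETGID",
				"SETPCAP",
				"SETUID",
				"SYS_CHROOT",
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.capabilities.add",
			AllowedValues: []interface{}{
				nil,
				"AUDIT_WRITE",
				"CHOWN",
				"DAC_OVERRIDE",
				"FOWNER",
				"FSETID",
				"KILL",
				"MKNOD",
				"NET_BIND_SERVICE",
				"SETFCAP",
				"SETGID",
				"SETPCAP",
				"SETUID",
				"SYS_CHROOT",
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.capabilities.add",
			AllowedValues: []interface{}{
				nil,
				"AUDIT_WRITE",
				"CHOWN",
				"DAC_OVERRIDE",
				"FOWNER",
				"FSETID",
				"KILL",
				"MKNOD",
				"NET_BIND_SERVICE",
				"SETFCAP",
				"SETGID",
				"SETPCAP",
				"SETUID",
				"SYS_CHROOT",
			},
		},
	},

	// Baseline: Windows HostProcess containers are forbidden, checked at pod
	// level and on every container kind.
	"windowsHostProcess": {
		{
			Path: "spec.securityContext.windowsOptions.hostProcess",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
		{
			Path: "spec.containers[*].securityContext.windowsOptions.hostProcess",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.windowsOptions.hostProcess",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
	},
	// Baseline: the SELinux type is limited to the container types, and user
	// and role must stay unset. Each of the three fields is checked at pod
	// level and on every container kind. The ephemeralContainers user/role
	// paths previously lacked the securityContext segment that their
	// containers/initContainers siblings have, so they never matched and the
	// check was silently skipped for ephemeral containers; they now mirror
	// the other entries.
	"seLinuxOptions": {

		{
			Path: "spec.securityContext.seLinuxOptions.type",
			AllowedValues: []interface{}{
				"",
				"container_t",
				"container_init_t",
				"container_kvm_t",
			},
		},
		{
			Path: "spec.containers[*].securityContext.seLinuxOptions.type",
			AllowedValues: []interface{}{
				"",
				"container_t",
				"container_init_t",
				"container_kvm_t",
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.seLinuxOptions.type",
			AllowedValues: []interface{}{
				"",
				"container_t",
				"container_init_t",
				"container_kvm_t",
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.seLinuxOptions.type",
			AllowedValues: []interface{}{
				"",
				"container_t",
				"container_init_t",
				"container_kvm_t",
			},
		},

		{
			Path: "spec.securityContext.seLinuxOptions.user",
			AllowedValues: []interface{}{
				"",
			},
		},
		{
			Path: "spec.containers[*].securityContext.seLinuxOptions.user",
			AllowedValues: []interface{}{
				"",
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.seLinuxOptions.user",
			AllowedValues: []interface{}{
				"",
			},
		},
		{
			// Was "spec.ephemeralContainers[*].seLinuxOptions.user": no such
			// field exists, so the restriction did not apply to ephemeral
			// containers.
			Path: "spec.ephemeralContainers[*].securityContext.seLinuxOptions.user",
			AllowedValues: []interface{}{
				"",
			},
		},

		{
			Path: "spec.securityContext.seLinuxOptions.role",
			AllowedValues: []interface{}{
				"",
			},
		},
		{
			Path: "spec.containers[*].securityContext.seLinuxOptions.role",
			AllowedValues: []interface{}{
				"",
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.seLinuxOptions.role",
			AllowedValues: []interface{}{
				"",
			},
		},
		{
			// Was "spec.ephemeralContainers[*].seLinuxOptions.role"; same
			// missing securityContext segment as the user entry above.
			Path: "spec.ephemeralContainers[*].securityContext.seLinuxOptions.role",
			AllowedValues: []interface{}{
				"",
			},
		},
	},
	// Baseline: the seccomp profile may be unset, RuntimeDefault or Localhost.
	"seccompProfile_baseline": {
		{
			Path: "spec.securityContext.seccompProfile.type",
			AllowedValues: []interface{}{
				nil,
				"RuntimeDefault",
				"Localhost",
			},
		},
		{
			Path: "spec.containers[*].securityContext.seccompProfile.type",
			AllowedValues: []interface{}{
				nil,
				"RuntimeDefault",
				"Localhost",
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.seccompProfile.type",
			AllowedValues: []interface{}{
				nil,
				"RuntimeDefault",
				"Localhost",
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.seccompProfile.type",
			AllowedValues: []interface{}{
				nil,
				"RuntimeDefault",
				"Localhost",
			},
		},
	},
	// Restricted: same fields as seccompProfile_baseline, but an unset
	// profile is no longer accepted.
	"seccompProfile_restricted": {
		{
			Path: "spec.securityContext.seccompProfile.type",
			AllowedValues: []interface{}{
				"RuntimeDefault",
				"Localhost",
			},
		},
		{
			Path: "spec.containers[*].securityContext.seccompProfile.type",
			AllowedValues: []interface{}{
				"RuntimeDefault",
				"Localhost",
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.seccompProfile.type",
			AllowedValues: []interface{}{
				"RuntimeDefault",
				"Localhost",
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.seccompProfile.type",
			AllowedValues: []interface{}{
				"RuntimeDefault",
				"Localhost",
			},
		},
	},

	// Baseline: only the listed sysctls may be set.
	// NOTE(review): newer Kubernetes releases allow additional sysctls
	// (net.ipv4.ip_local_reserved_ports from v1.27, for example); confirm
	// which PSS version this table is meant to track before extending it.
	"sysctls": {
		{
			Path: "spec.securityContext.sysctls[*].name",
			AllowedValues: []interface{}{
				"kernel.shm_rmid_forced",
				"net.ipv4.ip_local_port_range",
				"net.ipv4.tcp_syncookies",
				"net.ipv4.ping_group_range",
				"net.ipv4.ip_unprivileged_port_start",
			},
		},
	},
	// Baseline: hostPath volumes are forbidden.
	"hostPathVolumes": {
		{
			Path: "spec.volumes[*].hostPath",
			AllowedValues: []interface{}{
				nil,
			},
		},
	},
	// Baseline: sharing the host network, PID or IPC namespace is forbidden.
	"hostNamespaces": {
		{
			Path: "spec.hostNetwork",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
		{
			Path: "spec.hostPID",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
		{
			Path: "spec.hostIPC",
			AllowedValues: []interface{}{
				false,
				nil,
			},
		},
	},

	// Baseline: AppArmor is checked through the pod annotations rather than a
	// spec field; no profile, the runtime default or a localhost/ profile is
	// allowed.
	// NOTE(review): "localhost/*" is a prefix pattern — confirm the consumer
	// treats the trailing * as a wildcard rather than a literal value.
	"appArmorProfile": {
		{
			Path: "metadata.annotations",
			AllowedValues: []interface{}{
				nil,
				"",
				"runtime/default",
				"localhost/*",
			},
		},
	},

	// Restricted: only the listed volume types may be used. Unlike the other
	// controls, AllowedValues here are sub-paths naming the permitted volume
	// types, not literal field values.
	"restrictedVolumes": {
		{
			Path: "spec.volumes[*]",
			AllowedValues: []interface{}{
				"spec.volumes[*].configMap",
				"spec.volumes[*].downwardAPI",
				"spec.volumes[*].emptyDir",
				"spec.volumes[*].projected",
				"spec.volumes[*].secret",
				"spec.volumes[*].csi",
				"spec.volumes[*].persistentVolumeClaim",
				"spec.volumes[*].ephemeral",
			},
		},
	},
	// Restricted: runAsNonRoot must be true, or unset so that the pod-level
	// setting applies. All three container kinds now allow the same values;
	// the initContainers and ephemeralContainers entries previously allowed
	// false, which contradicted the control for those containers.
	// NOTE(review): the PSS spec also lists spec.securityContext.runAsNonRoot
	// for this control; it is not mirrored here — confirm whether that
	// omission is intended.
	"runAsNonRoot": {
		{
			Path: "spec.containers[*].securityContext.runAsNonRoot",
			AllowedValues: []interface{}{
				true,
				nil,
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.runAsNonRoot",
			AllowedValues: []interface{}{
				true,
				nil,
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.runAsNonRoot",
			AllowedValues: []interface{}{
				true,
				nil,
			},
		},
	},
	// Restricted: runAsUser must not be 0. This table can only express
	// "unset" ("" or nil) as an allowed value.
	// NOTE(review): confirm how the consumer treats an explicit non-zero UID,
	// which is permitted by PSS but is not representable here.
	"runAsUser": {
		{
			Path: "spec.securityContext.runAsUser",
			AllowedValues: []interface{}{
				"",
				nil,
			},
		},
		{
			Path: "spec.containers[*].securityContext.runAsUser",
			AllowedValues: []interface{}{
				"",
				nil,
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.runAsUser",
			AllowedValues: []interface{}{
				"",
				nil,
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.runAsUser",
			AllowedValues: []interface{}{
				"",
				nil,
			},
		},
	},
	// Restricted: allowPrivilegeEscalation must be explicitly false; unset is
	// deliberately not in the list.
	"allowPrivilegeEscalation": {
		{
			Path: "spec.containers[*].securityContext.allowPrivilegeEscalation",
			AllowedValues: []interface{}{
				false,
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.allowPrivilegeEscalation",
			AllowedValues: []interface{}{
				false,
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation",
			AllowedValues: []interface{}{
				false,
			},
		},
	},
	// Restricted: every capability must be dropped ("ALL") and only
	// NET_BIND_SERVICE may be added back.
	"capabilities_restricted": {
		{
			Path: "spec.containers[*].securityContext.capabilities.drop",
			AllowedValues: []interface{}{
				"ALL",
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.capabilities.drop",
			AllowedValues: []interface{}{
				"ALL",
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.capabilities.drop",
			AllowedValues: []interface{}{
				"ALL",
			},
		},
		{
			Path: "spec.containers[*].securityContext.capabilities.add",
			AllowedValues: []interface{}{
				nil,
				"NET_BIND_SERVICE",
			},
		},
		{
			Path: "spec.initContainers[*].securityContext.capabilities.add",
			AllowedValues: []interface{}{
				nil,
				"NET_BIND_SERVICE",
			},
		},
		{
			Path: "spec.ephemeralContainers[*].securityContext.capabilities.add",
			AllowedValues: []interface{}{
				nil,
				"NET_BIND_SERVICE",
			},
		},
	},
}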
// PSS_pod_level_control lists the controls whose restricted fields live only
// at pod level (spec.* or metadata.*) and never under an individual container
// spec — see the matching PSS_controls entries hostNamespaces,
// hostPathVolumes, sysctls, appArmorProfile and restrictedVolumes. It is the
// counterpart of PSS_container_level_control.
var PSS_pod_level_control = []string{
	"Host Namespaces",
	"HostPath Volumes",
	"Sysctls",
	"AppArmor",
	"Volume Types",
}
// PSS_restricted_control_names lists the controls that the Restricted profile
// adds on top of Baseline. Per the PSS documentation Restricted is a superset
// of Baseline, so a pod held to Restricted is also expected to satisfy every
// control in PSS_baseline_control_names; the two lists are not merged here.
// "Seccomp" and "Capabilities" appear in both lists because their restricted
// variants (seccompProfile_restricted, capabilities_restricted) tighten the
// baseline ones.
var PSS_restricted_control_names = []string{
	"Volume Types",
	"Privilege Escalation",
	"Running as Non-root",
	"Running as Non-root user",
	"Seccomp",
	"Capabilities",
}

Functions

func PSSControlIDToName added in v1.13.0

func PSSControlIDToName(id string) string

Types

type PSSCheckResult

// PSSCheckResult pairs one pod-security-admission check result with the
// Kyverno-side data needed to report it or to match it against an exclusion.
type PSSCheckResult struct {
	// ID is the CheckResult.ID of the check, i.e. one of the values in
	// PSS_control_name_to_ids.
	ID               string
	// CheckResult is the raw result from the pod-security-admission policy
	// package (see the link in the PSS_control_name_to_ids documentation).
	CheckResult      policy.CheckResult
	// RestrictedFields are the PSS_controls entries for ID: the paths the
	// check inspects and the values they may hold.
	RestrictedFields []RestrictedField
	// Images — presumably the images of the containers involved in the
	// result; not determinable from this file, confirm against the callers.
	Images           []string
}

type RestrictedField

// RestrictedField is one location in a pod that a PSS check inspects,
// together with the values that location may hold without violating the
// check. PSS_controls holds one slice of these per CheckResult.ID.
type RestrictedField struct {
	// Path is a dotted path into the pod object; "[*]" stands for every
	// element of a list, e.g. "spec.containers[*].securityContext.privileged".
	Path          string
	// AllowedValues are the values the field may hold. The element type is
	// interface{} because one list can mix nil, bools, ints and strings; in
	// PSS_controls nil is listed where the field is apparently allowed to be
	// unset — confirm that reading with the consumer of this table.
	AllowedValues []interface{}
}
