Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
View Source
var PSS_baseline_control_names = []string{
"HostProcess",
"Host Namespaces",
"Privileged Containers",
"Capabilities",
"HostPath Volumes",
"Host Ports",
"AppArmor",
"SELinux",
"/proc Mount Type",
"Seccomp",
"Sysctls",
}
View Source
var PSS_container_level_control = []string{
"Capabilities",
"Privileged Containers",
"Host Ports",
"/proc Mount Type",
"Privilege Escalation",
}
View Source
var PSS_control_name_to_ids = map[string][]string{
"Capabilities": {
"capabilities_baseline",
"capabilities_restricted",
},
"Seccomp": {
"seccompProfile_baseline",
"seccompProfile_restricted",
},
"Privileged Containers": {
"privileged",
},
"Host Ports": {
"hostPorts",
},
"/proc Mount Type": {
"procMount",
},
"HostProcess": {
"windowsHostProcess",
},
"SELinux": {
"seLinuxOptions",
},
"Host Namespaces": {
"hostNamespaces",
},
"HostPath Volumes": {
"hostPathVolumes",
},
"Sysctls": {
"sysctls",
},
"AppArmor": {
"appArmorProfile",
},
"Privilege Escalation": {
"allowPrivilegeEscalation",
},
"Running as Non-root": {
"runAsNonRoot",
},
"Running as Non-root user": {
"runAsUser",
},
"Volume Types": {
"restrictedVolumes",
},
}
Translate PSS control to CheckResult.ID so that we can use PSS control in Kyverno policy For PSS controls see: https://kubernetes.io/docs/concepts/security/pod-security-standards/ For CheckResult.ID see: https://github.com/kubernetes/pod-security-admission/tree/master/policy
View Source
var PSS_controls = map[string][]RestrictedField{ "privileged": { { Path: "spec.containers[*].securityContext.privileged", AllowedValues: []interface{}{ false, nil, }, }, { Path: "spec.initContainers[*].securityContext.privileged", AllowedValues: []interface{}{ false, nil, }, }, { Path: "spec.ephemeralContainers[*].securityContext.privileged", AllowedValues: []interface{}{ false, nil, }, }, }, "hostPorts": { { Path: "spec.containers[*].ports[*].hostPort", AllowedValues: []interface{}{ false, 0, }, }, { Path: "spec.initContainers[*].ports[*].hostPort", AllowedValues: []interface{}{ false, 0, }, }, { Path: "spec.ephemeralContainers[*].ports[*].hostPort", AllowedValues: []interface{}{ false, 0, }, }, }, "procMount": { { Path: "spec.containers[*].securityContext.procMount", AllowedValues: []interface{}{ nil, "Default", }, }, { Path: "spec.initContainers[*].securityContext.procMount", AllowedValues: []interface{}{ nil, "Default", }, }, { Path: "spec.ephemeralContainers[*].securityContext.procMount", AllowedValues: []interface{}{ nil, "Default", }, }, }, "capabilities_baseline": { { Path: "spec.containers[*].securityContext.capabilities.add", AllowedValues: []interface{}{ nil, "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT", }, }, { Path: "spec.initContainers[*].securityContext.capabilities.add", AllowedValues: []interface{}{ nil, "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT", }, }, { Path: "spec.ephemeralContainers[*].securityContext.capabilities.add", AllowedValues: []interface{}{ nil, "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT", }, }, }, "windowsHostProcess": { { Path: "spec.securityContext.windowsOptions.hostProcess", AllowedValues: []interface{}{ false, nil, }, }, { Path: "spec.containers[*].securityContext.windowsOptions.hostProcess", AllowedValues: []interface{}{ false, nil, }, }, { Path: "spec.initContainers[*].securityContext.windowsOptions.hostProcess", AllowedValues: []interface{}{ false, nil, }, }, { Path: "spec.ephemeralContainers[*].securityContext.windowsOptions.hostProcess", AllowedValues: []interface{}{ false, nil, }, }, }, "seLinuxOptions": { { Path: "spec.securityContext.seLinuxOptions.type", AllowedValues: []interface{}{ "", "container_t", "container_init_t", "container_kvm_t", }, }, { Path: "spec.containers[*].securityContext.seLinuxOptions.type", AllowedValues: []interface{}{ "", "container_t", "container_init_t", "container_kvm_t", }, }, { Path: "spec.initContainers[*].securityContext.seLinuxOptions.type", AllowedValues: []interface{}{ "", "container_t", "container_init_t", "container_kvm_t", }, }, { Path: "spec.ephemeralContainers[*].securityContext.seLinuxOptions.type", AllowedValues: []interface{}{ "", "container_t", "container_init_t", "container_kvm_t", }, }, { Path: "spec.securityContext.seLinuxOptions.user", AllowedValues: []interface{}{ "", }, }, { Path: "spec.containers[*].securityContext.seLinuxOptions.user", AllowedValues: []interface{}{ "", }, }, { Path: "spec.initContainers[*].securityContext.seLinuxOptions.user", AllowedValues: []interface{}{ "", }, }, { Path: "spec.ephemeralContainers[*].seLinuxOptions.user", AllowedValues: []interface{}{ "", }, }, { Path: "spec.securityContext.seLinuxOptions.role", AllowedValues: []interface{}{ "", }, }, { Path: "spec.containers[*].securityContext.seLinuxOptions.role", AllowedValues: []interface{}{ "", }, }, { Path: "spec.initContainers[*].securityContext.seLinuxOptions.role", AllowedValues: []interface{}{ "", }, }, { Path: "spec.ephemeralContainers[*].seLinuxOptions.role", AllowedValues: []interface{}{ "", }, }, }, "seccompProfile_baseline": { { Path: "spec.securityContext.seccompProfile.type", AllowedValues: []interface{}{ nil, "RuntimeDefault", "Localhost", }, }, { Path: "spec.containers[*].securityContext.seccompProfile.type", AllowedValues: []interface{}{ nil, "RuntimeDefault", "Localhost", }, }, { Path: "spec.initContainers[*].securityContext.seccompProfile.type", AllowedValues: []interface{}{ nil, "RuntimeDefault", "Localhost", }, }, { Path: "spec.ephemeralContainers[*].securityContext.seccompProfile.type", AllowedValues: []interface{}{ nil, "RuntimeDefault", "Localhost", }, }, }, "seccompProfile_restricted": { { Path: "spec.securityContext.seccompProfile.type", AllowedValues: []interface{}{ "RuntimeDefault", "Localhost", }, }, { Path: "spec.containers[*].securityContext.seccompProfile.type", AllowedValues: []interface{}{ "RuntimeDefault", "Localhost", }, }, { Path: "spec.initContainers[*].securityContext.seccompProfile.type", AllowedValues: []interface{}{ "RuntimeDefault", "Localhost", }, }, { Path: "spec.ephemeralContainers[*].securityContext.seccompProfile.type", AllowedValues: []interface{}{ "RuntimeDefault", "Localhost", }, }, }, "sysctls": { { Path: "spec.securityContext.sysctls[*].name", AllowedValues: []interface{}{ "kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range", "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range", "net.ipv4.ip_unprivileged_port_start", }, }, }, "hostPathVolumes": { { Path: "spec.volumes[*].hostPath", AllowedValues: []interface{}{ nil, }, }, }, "hostNamespaces": { { Path: "spec.hostNetwork", AllowedValues: []interface{}{ false, nil, }, }, { Path: "spec.hostPID", AllowedValues: []interface{}{ false, nil, }, }, { Path: "spec.hostIPC", AllowedValues: []interface{}{ false, nil, }, }, }, "appArmorProfile": { { Path: "metadata.annotations", AllowedValues: []interface{}{ nil, "", "runtime/default", "localhost/*", }, }, }, "restrictedVolumes": { { Path: "spec.volumes[*]", AllowedValues: []interface{}{ "spec.volumes[*].configMap", "spec.volumes[*].downwardAPI", "spec.volumes[*].emptyDir", "spec.volumes[*].projected", "spec.volumes[*].secret", "spec.volumes[*].csi", "spec.volumes[*].persistentVolumeClaim", "spec.volumes[*].ephemeral", }, }, }, "runAsNonRoot": { { Path: "spec.containers[*].securityContext.runAsNonRoot", AllowedValues: []interface{}{ true, nil, }, }, { Path: "spec.initContainers[*].securityContext.runAsNonRoot", AllowedValues: []interface{}{ false, nil, }, }, { Path: "spec.ephemeralContainers[*].securityContext.runAsNonRoot", AllowedValues: []interface{}{ false, nil, }, }, }, "runAsUser": { { Path: "spec.securityContext.runAsUser", AllowedValues: []interface{}{ "", nil, }, }, { Path: "spec.containers[*].securityContext.runAsUser", AllowedValues: []interface{}{ "", nil, }, }, { Path: "spec.initContainers[*].securityContext.runAsUser", AllowedValues: []interface{}{ "", nil, }, }, { Path: "spec.ephemeralContainers[*].securityContext.runAsUser", AllowedValues: []interface{}{ "", nil, }, }, }, "allowPrivilegeEscalation": { { Path: "spec.containers[*].securityContext.allowPrivilegeEscalation", AllowedValues: []interface{}{ false, }, }, { Path: "spec.initContainers[*].securityContext.allowPrivilegeEscalation", AllowedValues: []interface{}{ false, }, }, { Path: "spec.ephemeralContainers[*].securityContext.allowPrivilegeEscalation", AllowedValues: []interface{}{ false, }, }, }, "capabilities_restricted": { { Path: "spec.containers[*].securityContext.capabilities.drop", AllowedValues: []interface{}{ "ALL", }, }, { Path: "spec.initContainers[*].securityContext.capabilities.drop", AllowedValues: []interface{}{ "ALL", }, }, { Path: "spec.ephemeralContainers[*].securityContext.capabilities.drop", AllowedValues: []interface{}{ "ALL", }, }, { Path: "spec.containers[*].securityContext.capabilities.add", AllowedValues: []interface{}{ nil, "NET_BIND_SERVICE", }, }, { Path: "spec.initContainers[*].securityContext.capabilities.add", AllowedValues: []interface{}{ nil, "NET_BIND_SERVICE", }, }, { Path: "spec.ephemeralContainers[*].securityContext.capabilities.add", AllowedValues: []interface{}{ nil, "NET_BIND_SERVICE", }, }, }, }
View Source
var PSS_pod_level_control = []string{
"Host Namespaces",
"HostPath Volumes",
"Sysctls",
"AppArmor",
"Volume Types",
}
View Source
var PSS_restricted_control_names = []string{
"Volume Types",
"Privilege Escalation",
"Running as Non-root",
"Running as Non-root user",
"Seccomp",
"Capabilities",
}
Functions ¶
func PSSControlIDToName ¶ added in v1.13.0
Types ¶
type PSSCheckResult ¶
type PSSCheckResult struct { ID string CheckResult policy.CheckResult RestrictedFields []RestrictedField Images []string }
type RestrictedField ¶
type RestrictedField struct { Path string AllowedValues []interface{} }
Click to show internal directories.
Click to hide internal directories.