Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
// PSS_controls maps each pod-security-admission check ID (the values found in
// PSS_controls_to_check_id) to the restrictedField entries that check covers.
// The entry bodies are elided in this rendering ("contains filtered or
// unexported fields"); restrictedField itself is an unexported type of this
// package and is not shown here.
var PSS_controls = map[string][]restrictedField{ "privileged": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "hostPorts": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "procMount": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "capabilities_baseline": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "windowsHostProcess": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "seLinuxOptions": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "seccompProfile_baseline": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "seccompProfile_restricted": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "sysctls": { { // contains filtered or unexported fields 
}, }, "hostPathVolumes": { { // contains filtered or unexported fields }, }, "hostNamespaces": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "appArmorProfile": { { // contains filtered or unexported fields }, }, "restrictedVolumes": { { // contains filtered or unexported fields }, }, "runAsNonRoot": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "runAsUser": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "allowPrivilegeEscalation": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, "capabilities_restricted": { { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, { // contains filtered or unexported fields }, }, }
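// PSS_controls_to_check_id translates a Pod Security Standards control name,
// as written in a Kyverno PodSecurity rule, to the check ID(s) that the
// pod-security-admission library reports in CheckResult.ID. Exempting a
// control in a policy is implemented by exempting these check IDs, so a wrong
// mapping here silently exempts the wrong check.
//
// "Capabilities" and "Seccomp" have a distinct check for the baseline and the
// restricted level, so they map to two IDs each; every other control maps to
// exactly one.
//
// For control names see:
//
//	https://kubernetes.io/docs/concepts/security/pod-security-standards/
//
// For check IDs see:
//
//	https://github.com/kubernetes/pod-security-admission/tree/master/policy
var PSS_controls_to_check_id = map[string][]string{
	// Controls with a separate check per level.
	"Capabilities": {
		"capabilities_baseline",
		"capabilities_restricted",
	},
	"Seccomp": {
		"seccompProfile_baseline",
		"seccompProfile_restricted",
	},

	// Baseline-level controls.
	"Privileged Containers": {
		"privileged",
	},
	"Host Ports": {
		"hostPorts",
	},
	"/proc Mount Type": {
		"procMount",
	},
	// Short-form key for "/proc Mount Type". It previously pointed at the
	// "hostPorts" check, so exempting it would have exempted host-port findings
	// instead of /proc mount findings; it now mirrors the long-form entry.
	"procMount": {
		"procMount",
	},
	"HostProcess": {
		"windowsHostProcess",
	},
	"SELinux": {
		"seLinuxOptions",
	},
	"Host Namespaces": {
		"hostNamespaces",
	},
	"HostPath Volumes": {
		"hostPathVolumes",
	},
	"Sysctls": {
		"sysctls",
	},
	"AppArmor": {
		"appArmorProfile",
	},

	// Restricted-level controls.
	"Privilege Escalation": {
		"allowPrivilegeEscalation",
	},
	"Running as Non-root": {
		"runAsNonRoot",
	},
	"Running as Non-root user": {
		"runAsUser",
	},
	"Volume Types": {
		"restrictedVolumes",
	},
}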
Translates a PSS control name to CheckResult.ID so that PSS controls can be referenced in Kyverno policies. For PSS controls see: https://kubernetes.io/docs/concepts/security/pod-security-standards/ For CheckResult.ID see: https://github.com/kubernetes/pod-security-admission/tree/master/policy
Functions ¶
func FormatChecksPrint ¶
func FormatChecksPrint(checks []PSSCheckResult) string
Types ¶
type PSSCheckResult ¶
// PSSCheckResult is the outcome of one pod-security-admission check for a pod,
// paired with the check's ID and the fields that check restricts.
type PSSCheckResult struct {
	// ID is the pod-security-admission check ID (one of the values in
	// PSS_controls_to_check_id, e.g. "hostPorts").
	ID string
	// CheckResult is the policy.CheckResult produced by the check.
	CheckResult policy.CheckResult
	// RestrictedFields lists the pod/container fields this check constrains;
	// restrictedField is an unexported type defined elsewhere in this package.
	RestrictedFields []restrictedField
}
func EvaluatePod ¶
func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod, level *api.LevelVersion) (bool, []PSSCheckResult, error)
Checks whether creating the pod is allowed once the specified PSS controls have been exempted.