pss

package
Published: Sep 12, 2022 License: Apache-2.0 Imports: 11 Imported by: 0


Constants

This section is empty.

Variables

// PSS_controls maps a CheckResult.ID (the strings that PSS_controls_to_check_id
// resolves a PSS control name to, e.g. "privileged", "hostPorts") to the
// restrictedField entries associated with that check. Keys carrying a
// "_baseline" / "_restricted" suffix are the per-level variants of a single
// control (capabilities, seccompProfile), which is why they appear as a pair
// in PSS_controls_to_check_id.
//
// NOTE(review): this is an exported, mutable package-level map, so any
// importer can change which fields a check covers at runtime. If it is meant
// to be read-only, an unexported map behind an accessor (or a copy on lookup)
// would make that explicit — confirm against callers.
var PSS_controls = map[string][]restrictedField{

	"privileged": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
	"hostPorts": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
	"procMount": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
	"capabilities_baseline": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},

	"windowsHostProcess": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
	"seLinuxOptions": {

		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},

		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},

		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
	"seccompProfile_baseline": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
	"seccompProfile_restricted": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},

	"sysctls": {
		{
			// contains filtered or unexported fields
		},
	},
	"hostPathVolumes": {
		{
			// contains filtered or unexported fields
		},
	},
	"hostNamespaces": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},

	"appArmorProfile": {
		{
			// contains filtered or unexported fields
		},
	},

	"restrictedVolumes": {
		{
			// contains filtered or unexported fields
		},
	},
	"runAsNonRoot": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
	"runAsUser": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
	"allowPrivilegeEscalation": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
	"capabilities_restricted": {
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
		{
			// contains filtered or unexported fields
		},
	},
}
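// PSS_controls_to_check_id translates a PSS control name, as written in a
// Kyverno policy, to the CheckResult.ID value(s) it covers. Most controls map
// to a single check ID; Capabilities and Seccomp map to two because the
// baseline and restricted levels evaluate them with separate checks.
//
// Every value listed here must be a key of PSS_controls: a control that
// resolves to the wrong check ID would cause an exemption to drop a different
// check than the policy author intended.
//
// For PSS controls see:
// https://kubernetes.io/docs/concepts/security/pod-security-standards/
// For CheckResult.ID see:
// https://github.com/kubernetes/pod-security-admission/tree/master/policy
var PSS_controls_to_check_id = map[string][]string{
	// Controls with a separate check ID per level.
	"Capabilities": {
		"capabilities_baseline",
		"capabilities_restricted",
	},
	"Seccomp": {
		"seccompProfile_baseline",
		"seccompProfile_restricted",
	},

	"Privileged Containers": {
		"privileged",
	},
	"Host Ports": {
		"hostPorts",
	},
	"/proc Mount Type": {
		"procMount",
	},
	// Check-ID spelling accepted as an alias of "/proc Mount Type". It has to
	// resolve to the procMount check itself (not "hostPorts"); otherwise
	// exempting "procMount" silently exempts the host-ports check instead.
	"procMount": {
		"procMount",
	},

	"HostProcess": {
		"windowsHostProcess",
	},
	"SELinux": {
		"seLinuxOptions",
	},

	"Host Namespaces": {
		"hostNamespaces",
	},
	"HostPath Volumes": {
		"hostPathVolumes",
	},
	"Sysctls": {
		"sysctls",
	},

	"AppArmor": {
		"appArmorProfile",
	},

	"Privilege Escalation": {
		"allowPrivilegeEscalation",
	},
	"Running as Non-root": {
		"runAsNonRoot",
	},
	"Running as Non-root user": {
		"runAsUser",
	},

	"Volume Types": {
		"restrictedVolumes",
	},
}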

Translates a PSS control name to the corresponding CheckResult.ID so that a PSS control can be referenced in a Kyverno policy. For PSS controls see: https://kubernetes.io/docs/concepts/security/pod-security-standards/ For CheckResult.ID see: https://github.com/kubernetes/pod-security-admission/tree/master/policy

Functions

func FormatChecksPrint

func FormatChecksPrint(checks []PSSCheckResult) string

Types

type PSSCheckResult

// PSSCheckResult pairs one pod-security-admission check with the Kyverno-side
// data needed to report it or exempt it.
type PSSCheckResult struct {
	// ID is the CheckResult.ID of the check (a key of PSS_controls and a value
	// of PSS_controls_to_check_id), e.g. "hostPorts".
	ID               string
	// CheckResult is the check's outcome as produced by the
	// pod-security-admission policy package.
	CheckResult      policy.CheckResult
	// RestrictedFields lists the restricted fields associated with this check;
	// presumably taken from PSS_controls[ID] — confirm in EvaluatePod.
	RestrictedFields []restrictedField
}

func EvaluatePod

func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod, level *api.LevelVersion) (bool, []PSSCheckResult, error)

Checks whether creation of the pod is allowed after exempting some PSS controls.
