resource

package

Constants

// Values for OperationType: the admission operation names an admission
// registration rule matches on (see the Operations field of the
// NvAdmRegRuleSetting values below). OperationAll is presumably the
// wildcard for "any operation" — confirm against the matching code.
const (
	OperationAll string = "*"
	Create       string = "CREATE"
	Update       string = "UPDATE"
	Delete       string = "DELETE"
	Connect      string = "CONNECT"
)

Values for OperationType.

// Values for ServiceType: the four Kubernetes Service spec.type strings,
// spelled exactly as the API server reports them.
const (
	ServiceTypeClusterIP    string = "ClusterIP"
	ServiceTypeNodePort     string = "NodePort"
	ServiceTypeLoadBalancer string = "LoadBalancer"
	ServiceTypeExternalName string = "ExternalName"
)

Values for ServiceType.

// Values for FailurePolicyType, the failurePolicy of a webhook clientConfig.
// Security note: with Kubernetes semantics "Ignore" is fail-open — the API
// server admits the request when the webhook is unreachable or times out —
// while "Fail" rejects it. Which value this controller registers is decided
// elsewhere (see IsK8sNvWebhookConfigured's failurePolicy parameter).
const (
	Ignore string = "Ignore"
	Fail   string = "Fail"
)

Values for FailurePolicyType.

// Lower-case spellings of the FailurePolicyType values above, for callers
// that compare case-insensitively or accept user input — keep them in sync
// with Ignore / Fail.
const (
	IgnoreLower string = "ignore"
	FailLower   string = "fail"
)
// Values for SideEffectClass, the sideEffects field of a webhook
// registration. "None" and "NoneOnDryRun" are the only values the API server
// accepts for dry-run requests to be sent to the webhook.
const (
	SideEffectNone         string = "None"
	SideEffectSome         string = "Some"
	SideEffectNoneOnDryRun string = "NoneOnDryRun"
)

Values for SideEffectClass.

// AWS service identifiers; these are the keys of AwsSvcResMap below.
// They match the service prefix used in IAM action strings (e.g. the "s3"
// in "s3:GetObject") — presumably that is how policy actions are split and
// looked up, confirm against the policy-evaluation code.
const (
	AwsSvcCloudformation  = "cloudformation"
	AwsSvcCloudWatch      = "cloudwatch"
	AwsSvcCognitoIdentity = "cognito-identity"
	AwsSvcCognitoSync     = "cognito-sync"
	AwsSvcDynamodb        = "dynamodb"
	AwsSvcEc2             = "ec2"
	AwsSvcEvents          = "events"
	AwsSvcIam             = "iam"
	AwsSvcIot             = "iot"
	AwsSvcKinesis         = "kinesis"
	AwsSvcKms             = "kms"
	AwsSvcLambda          = "lambda"
	AwsSvcLogs            = "logs"
	AwsSvcS3              = "s3"
	AwsSvcSns             = "sns"
	AwsSvcSqs             = "sqs"
	AwsSvcTag             = "tag"
	AwsSvcXray            = "xray"
)
// Permission sensitivity levels used by AwsSvcResMap, both for a whole
// service (AwsSvcResource.Sensitivity) and per action (DetailMap values).
// Ordering High > Medium > Low is implied by the names only; nothing here
// compares them numerically.
const (
	AwsResHigh = "High"
	AwsResMid  = "Medium"
	AwsResLow  = "Low"
)

Permission sensitivity level.

// Subject kinds and access verbs used when evaluating RBAC subjects.
// SUBJECT_* distinguish a user from a group. VERB_* are plain ordinal
// values (0, 1, 2), not bit flags; the names suggest NONE < READ < WRITE,
// but how they are compared is not visible in this file.
const (
	SUBJECT_USER  = 0
	SUBJECT_GROUP = 1

	VERB_NONE  = 0
	VERB_READ  = 1
	VERB_WRITE = 2
)
// Bit flags describing why a Kubernetes role is considered risky; they are
// distinct powers of two (1, 2, 4, 8, 16) so a role can carry several at
// once. Do not reorder: the value of each flag depends on its position.
// Presumably these are what GetAllRiskyRolesByServiceAccount reports — it
// returns []int, so confirm whether each element is one flag or a mask.
const (
	RiskyRole_ViewSecret        = 1 << iota // 1 << 0 == 1 (binary 00001): can read Secrets
	RiskyRole_AnyActionWorkload             // 1 << 1 == 2: unrestricted verbs on workloads
	RiskyRole_AnyActionRBAC                 // 1 << 2 == 4: unrestricted verbs on RBAC objects (privilege escalation path)
	RiskyRole_CreatePod                     // 1 << 3 == 8: can create pods
	RiskyRole_ExecContainer                 // 1 << 4 == 16: can exec into containers
)
// Kubernetes API versions and resource names this driver watches or
// verifies. The K8sResRbac* entries are the fully-qualified
// "<resource>.<group>" forms of the RBAC resources; callers that compare
// against admission requests must pick the matching spelling.
const (
	K8sApiVersionV1              = "v1"
	K8sApiVersionV1Beta1         = "v1beta1"
	K8sApiVersionV1Beta2         = "v1beta2"
	K8sResCronjobs               = "cronjobs"
	K8sResCronjobsFinalizer      = "cronjobs/finalizers"
	K8sResDaemonsets             = "daemonsets"
	K8sResDeployments            = "deployments"
	K8sResDeploymentConfigs      = "deploymentconfigs" // OpenShift DeploymentConfig (see the DeploymentConfig types below)
	K8sResJobs                   = "jobs"
	K8sResPods                   = "pods"
	K8sResNodes                  = "nodes"
	K8sResReplicationControllers = "replicationcontrollers"
	K8sResReplicasets            = "replicasets"
	K8sResServices               = "services"

	K8sResStatefulSets            = "statefulsets"
	K8sResRoles                   = "roles"
	K8sResRolebindings            = "rolebindings"
	K8sResClusterRoles            = "clusterroles"
	K8sResClusterRolebindings     = "clusterrolebindings"
	K8sResRbacRoles               = "roles.rbac.authorization.k8s.io"
	K8sResRbacClusterRoles        = "clusterroles.rbac.authorization.k8s.io"
	K8sResRbacRolebindings        = "rolebindings.rbac.authorization.k8s.io"
	K8sResRbacClusterRolebindings = "clusterrolebindings.rbac.authorization.k8s.io"
	K8sResPersistentVolumeClaims  = "persistentvolumeclaims"
)
// Names of NeuVector's own workloads as deployed in the cluster: the
// controller Deployment and the all-in-one DaemonSet.
const (
	NvDeploymentName = "neuvector-controller-pod"
	NvDaemonSetName  = "neuvector-allinone-pod"
)
// Names of the RBAC roles and role bindings NeuVector expects to exist for
// its own service accounts. Presumably these are the names checked by
// VerifyNvRbacRoles / VerifyNvRbacRoleBindings below. Where a binding
// constant is set equal to its role constant, the binding is expected to
// share the role's name.
const (
	NvAppRole = "neuvector-binding-app"

	NvRbacRole = "neuvector-binding-rbac"

	NvAdmCtrlRole = "neuvector-binding-admission"

	NvScannerRole        = "neuvector-binding-scanner"
	NvScannerRoleBinding = NvScannerRole
	NvSecretRole         = "neuvector-binding-secret"

	NvAdminRoleBinding = "neuvector-admin"

	NvJobCreationRole         = "neuvector-binding-job-creation"
	NvJobCreationRoleBinding  = NvJobCreationRole
	NvCertUpgraderRole        = "neuvector-binding-cert-upgrader"
	NvCertUpgraderRoleBinding = NvCertUpgraderRole
)
// Label keys and matchExpressions operators used in the namespaceSelector
// of NeuVector's webhook registrations.
//
// NOTE(review): NsSelectorKeySkipNV is, by its name, a namespace label that
// exempts the namespace from NeuVector admission control. Any principal
// allowed to label namespaces can therefore switch admission enforcement
// off for that namespace; confirm how the selector uses it and make sure
// that permission is restricted (and ideally audited).
const (
	NsSelectorKeyStatusNV  = "statusNeuvector" // written to only neuvector namespace's label
	NsSelectorKeySkipNV    = "skipNeuvectorAdmissionControl"
	NsSelectorKeyCtrlPlane = "control-plane" // AKS writes this label to kube-system ns & our validation webhook

	NsSelectorOpNotExist = "DoesNotExist" // matchExpressions operator
	NsSelectorOpExists   = "Exists"       // matchExpressions operator
)
// apiVersion and kind of the AdmissionReview objects exchanged with the API
// server. Both the v1 and the (deprecated) v1beta1 versions are named so the
// webhook can serve older clusters.
const (
	AdmissionK8sIoV1      = "admission.k8s.io/v1"
	AdmissionK8sIoV1Beta1 = "admission.k8s.io/v1beta1"

	K8sKindAdmissionReview = "AdmissionReview"
)
// Internal type tags for cluster-scoped RBAC objects. These are NeuVector's
// own labels, not Kubernetes resource names (compare RscTypeRbacClusterRoles
// below).
const (
	K8sRscTypeClusRole = "k8s-cluster-role"

	K8sRscTypeClusRoleBinding = "k8s-cluster-role-binding"
)
// These constants represent defaults used in the (OpenShift DeploymentConfig)
// deployment process. They mirror the upstream defaults and are not tuned
// here.
const (
	// DefaultRollingTimeoutSeconds is the default TimeoutSeconds for RollingDeploymentStrategyParams (10 minutes).
	DefaultRollingTimeoutSeconds int64 = 10 * 60
	// DefaultRecreateTimeoutSeconds is the default TimeoutSeconds for RecreateDeploymentStrategyParams (10 minutes).
	DefaultRecreateTimeoutSeconds int64 = 10 * 60
	// DefaultRollingIntervalSeconds is the default IntervalSeconds for RollingDeploymentStrategyParams.
	DefaultRollingIntervalSeconds int64 = 1
	// DefaultRollingUpdatePeriodSeconds is the default PeriodSeconds for RollingDeploymentStrategyParams.
	DefaultRollingUpdatePeriodSeconds int64 = 1
	// MaxDeploymentDurationSeconds represents the maximum duration that a deployment is allowed to run.
	// This is set as the default value for ActiveDeadlineSeconds for the deployer pod.
	// Currently set to 6 hours (6 * 60 * 60 = 21600).
	MaxDeploymentDurationSeconds int64 = 21600
	// DefaultRevisionHistoryLimit is the number of old ReplicationControllers to retain to allow for rollbacks.
	// This only applies to DeploymentConfigs created via the new group API resource, not the legacy resource.
	DefaultRevisionHistoryLimit int32 = 10
)

These constants represent defaults used in the deployment process.

// Resource type names used internally by the driver (for watches, cache
// keys and CRD handling). Most are singular, lower-case words; the CRD and
// webhook entries are the Kubernetes plural resource names and are compared
// verbatim, hence the "case sensitive" notes.
const (
	RscTypeNode                           = "node"
	RscTypeNamespace                      = "namespace"
	RscTypeService                        = "service"
	RscTypePod                            = "pod"
	RscTypeRBAC                           = "rbac"
	RscTypeImage                          = "image"
	RscTypeSecret                         = "secret"
	RscTypeCrd                            = "customresourcedefinition"
	RscTypeConfigMap                      = "configmap"
	RscTypeMutatingWebhookConfiguration   = "mutatingwebhookconfiguration"   // case sensitive!
	RscTypeValidatingWebhookConfiguration = "validatingwebhookconfiguration" // case sensitive!
	RscTypeCrdSecurityRule                = "nvsecurityrules"                // plural of the NeuVector CRDs (see Nv*Plural below)
	RscTypeCrdClusterSecurityRule         = "nvclustersecurityrules"
	RscTypeCrdAdmCtrlSecurityRule         = "nvadmissioncontrolsecurityrules"
	RscTypeCrdDlpSecurityRule             = "nvdlpsecurityrules"
	RscTypeCrdWafSecurityRule             = "nvwafsecurityrules"
	RscTypeCrdNvCspUsage                  = "cspadapterusagerecords" // case sensitive
	RscTypeCrdVulnProfile                 = "nvvulnerabilityprofiles"
	RscTypeCrdCompProfile                 = "nvcomplianceprofiles"
	RscTypeRbacRoles                      = "roles"
	RscTypeRbacClusterRoles               = "clusterroles"
	RscTypeRbacRolebindings               = "rolebindings"
	RscTypeRbacClusterRolebindings        = "clusterrolebindings"
	RscTypeDeployment                     = "deployment"
	RscTypeCronJob                        = "cronjob"
	RscTypeDaemonSet                      = "daemonset"
	RscTypeReplicaSet                     = "replicaset"
	RscTypeStatefulSet                    = "statefulset"
	RscTypePersistentVolumeClaim          = "persistentvolumeclaim"
)
// Plural resource names (as used in API paths and RBAC rules) and Kinds of
// the admission-registration and CRD objects the controller manages. The
// Kind strings are the CamelCase form that appears in object manifests.
const (
	RscNameMutatingWebhookConfigurations   = "mutatingwebhookconfigurations"   // case sensitive!
	RscNameValidatingWebhookConfigurations = "validatingwebhookconfigurations" // case sensitive!
	RscNameCustomResourceDefinitions       = "customresourcedefinitions"       // case sensitive!

	RscKindMutatingWebhookConfiguration   = "MutatingWebhookConfiguration"   // case sensitive!
	RscKindValidatingWebhookConfiguration = "ValidatingWebhookConfiguration" // case sensitive!
)
// Event names emitted by the resource watchers. The first three map to the
// add / modify / delete events of a Kubernetes watch; WatchEventState is a
// NeuVector-specific event (its meaning is not visible in this file).
const (
	WatchEventAdd    = "ResourceAdd"
	WatchEventModify = "ResourceModify"
	WatchEventDelete = "ResourceDelete"
	WatchEventState  = "StateUpdate"
)
// Connection states reported for the orchestrator connection. The empty
// string is the zero value, so an unset state reads as ConnStateNone.
const (
	ConnStateNone         = ""
	ConnStateConnected    = "connected"
	ConnStateDisconnected = "disconnected"
)
// DefTimeoutSeconds is the default timeout, in seconds, for the driver's
// API calls (which calls use it is not visible in this file).
const DefTimeoutSeconds = 30
// NvAdmCtrlSecurityRuleKind is the Kind of the admission-control security rule CR.
const NvAdmCtrlSecurityRuleKind = "NvAdmissionControlSecurityRule"
// NvAdmCtrlSecurityRuleListKind is the Kind of a list of NvAdmissionControlSecurityRule CRs.
const NvAdmCtrlSecurityRuleListKind = "NvAdmissionControlSecurityRuleList"
// NvAdmCtrlSecurityRuleName is the CRD's metadata.name: "<plural>.<group>".
const NvAdmCtrlSecurityRuleName = "nvadmissioncontrolsecurityrules.neuvector.com"
// NvAdmCtrlSecurityRulePlural is the CRD's plural resource name.
const NvAdmCtrlSecurityRulePlural = "nvadmissioncontrolsecurityrules"
// NvAdmCtrlSecurityRuleSingular is the CRD's singular resource name.
const NvAdmCtrlSecurityRuleSingular = "nvadmissioncontrolsecurityrule"
// NvAdmCtrlSecurityRuleVersion is the served API version of the CRD.
const NvAdmCtrlSecurityRuleVersion = "v1"
// NvClusterSecurityRuleKind is the Kind of the cluster-scoped security rule CR.
const NvClusterSecurityRuleKind = "NvClusterSecurityRule"
// NvClusterSecurityRuleListKind is the Kind of a list of NvClusterSecurityRule CRs.
const NvClusterSecurityRuleListKind = "NvClusterSecurityRuleList"
// NvClusterSecurityRuleName is the CRD's metadata.name: "<plural>.<group>".
const NvClusterSecurityRuleName = "nvclustersecurityrules.neuvector.com"
// NvClusterSecurityRulePlural is the CRD's plural resource name.
const NvClusterSecurityRulePlural = "nvclustersecurityrules"
// NvClusterSecurityRuleScope: this CRD is cluster-scoped (contrast
// NvSecurityRuleScope, which is "Namespaced"). Cluster-scoped rules are
// not subject to a namespace's RBAC boundaries, so creating them should
// require cluster-level permission.
const NvClusterSecurityRuleScope = "Cluster"
// NvClusterSecurityRuleSingular is the CRD's singular resource name.
const NvClusterSecurityRuleSingular = "nvclustersecurityrule"
// NvClusterSecurityRuleVersion is the served API version of the CRD.
const NvClusterSecurityRuleVersion = "v1"
// NvCompProfileSecurityRuleKind is the Kind of the compliance profile CR.
const NvCompProfileSecurityRuleKind = "NvComplianceProfile"
// NvCompProfileSecurityRuleListKind is the Kind of a list of NvComplianceProfile CRs.
const NvCompProfileSecurityRuleListKind = "NvComplianceProfileList"
// NvCompProfileSecurityRuleName is the CRD's metadata.name: "<plural>.<group>".
const NvCompProfileSecurityRuleName = "nvcomplianceprofiles.neuvector.com"
// NvCompProfileSecurityRulePlural is the CRD's plural resource name.
const NvCompProfileSecurityRulePlural = "nvcomplianceprofiles"
// NvCompProfileSecurityRuleSingular is the CRD's singular resource name.
const NvCompProfileSecurityRuleSingular = "nvcomplianceprofile"
// NvCompProfileSecurityRuleVersion is the served API version of the CRD.
const NvCompProfileSecurityRuleVersion = "v1"
// NvCrdV1 is the common "v1" version string shared by the NeuVector CRDs.
const NvCrdV1 = "v1"
// NvCspUsageKind is the Kind of the CSP billing-adapter usage record CR.
const NvCspUsageKind = "CspAdapterUsageRecord" // CR kind
// NvCspUsageListKind is the Kind of a list of CspAdapterUsageRecord CRs.
const NvCspUsageListKind = "CspAdapterUsageRecordList"
// NvCspUsageName is the CRD's metadata.name. Note the API group is
// "susecloud.net" (the CSP billing adapter's group), not "neuvector.com"
// like the other CRDs in this file.
const NvCspUsageName = "cspadapterusagerecords.susecloud.net"

CSP billing adapter usage record (API group susecloud.net).

// NvCspUsagePlural is the CRD's plural resource name.
const NvCspUsagePlural = "cspadapterusagerecords"
// NvCspUsageSingular is the CRD's singular resource name.
const NvCspUsageSingular = "cspadapterusagerecord"
// NvDlpSecurityRuleKind is the Kind of the DLP security rule CR.
const NvDlpSecurityRuleKind = "NvDlpSecurityRule"
// NvDlpSecurityRuleListKind is the Kind of a list of NvDlpSecurityRule CRs.
const NvDlpSecurityRuleListKind = "NvDlpSecurityRuleList"
// NvDlpSecurityRuleName is the CRD's metadata.name: "<plural>.<group>".
const NvDlpSecurityRuleName = "nvdlpsecurityrules.neuvector.com"
// NvDlpSecurityRulePlural is the CRD's plural resource name.
const NvDlpSecurityRulePlural = "nvdlpsecurityrules"
// NvDlpSecurityRuleSingular is the CRD's singular resource name.
const NvDlpSecurityRuleSingular = "nvdlpsecurityrule"
// NvDlpSecurityRuleVersion is the served API version of the CRD.
const NvDlpSecurityRuleVersion = "v1"
// NvSecurityRuleKind is the Kind of the namespaced security rule CR.
const NvSecurityRuleKind = "NvSecurityRule"
// NvSecurityRuleListKind is the Kind of a list of NvSecurityRule CRs.
const NvSecurityRuleListKind = "NvSecurityRuleList"
// NvSecurityRuleName is the CRD's metadata.name: "<plural>.<group>".
const NvSecurityRuleName = "nvsecurityrules.neuvector.com"
// NvSecurityRulePlural is the CRD's plural resource name.
const NvSecurityRulePlural = "nvsecurityrules"
// NvSecurityRuleScope: this CRD is namespace-scoped, so a rule lives in,
// and is governed by the RBAC of, one namespace (contrast
// NvClusterSecurityRuleScope, which is "Cluster").
const NvSecurityRuleScope = "Namespaced"
// NvSecurityRuleSingular is the CRD's singular resource name.
const NvSecurityRuleSingular = "nvsecurityrule"
// NvSecurityRuleVersion is the served API version of the CRD.
const NvSecurityRuleVersion = "v1"
// NvVulnProfileSecurityRuleKind is the Kind of the vulnerability profile CR.
const NvVulnProfileSecurityRuleKind = "NvVulnerabilityProfile"
// NvVulnProfileSecurityRuleListKind is the Kind of a list of NvVulnerabilityProfile CRs.
const NvVulnProfileSecurityRuleListKind = "NvVulnerabilityProfileList"
// NvVulnProfileSecurityRuleName is the CRD's metadata.name: "<plural>.<group>".
const NvVulnProfileSecurityRuleName = "nvvulnerabilityprofiles.neuvector.com"
// NvVulnProfileSecurityRulePlural is the CRD's plural resource name.
const NvVulnProfileSecurityRulePlural = "nvvulnerabilityprofiles"
// NvVulnProfileSecurityRuleSingular is the CRD's singular resource name.
const NvVulnProfileSecurityRuleSingular = "nvvulnerabilityprofile"
// NvVulnProfileSecurityRuleVersion is the served API version of the CRD.
const NvVulnProfileSecurityRuleVersion = "v1"
// NvWafSecurityRuleKind is the Kind of the WAF security rule CR.
const NvWafSecurityRuleKind = "NvWafSecurityRule"
// NvWafSecurityRuleListKind is the Kind of a list of NvWafSecurityRule CRs.
const NvWafSecurityRuleListKind = "NvWafSecurityRuleList"
// NvWafSecurityRuleName is the CRD's metadata.name: "<plural>.<group>".
const NvWafSecurityRuleName = "nvwafsecurityrules.neuvector.com"
// NvWafSecurityRulePlural is the CRD's plural resource name.
const NvWafSecurityRulePlural = "nvwafsecurityrules"
// NvWafSecurityRuleSingular is the CRD's singular resource name.
const NvWafSecurityRuleSingular = "nvwafsecurityrule"
// NvWafSecurityRuleVersion is the served API version of the CRD.
const NvWafSecurityRuleVersion = "v1"
// RscCspUsageName is the metadata.name of the single CspAdapterUsageRecord
// object NeuVector writes its usage into.
const RscCspUsageName = "neuvector-usage"

Variables

// AdmResForOpsSettings lists the admission-registration rules (apiGroups,
// operations, resources, scope) for the main admission-control webhook.
// The resource sets (admResForCreateSet, admRbacResForCreateUpdate1, ...)
// and the group sets are unexported and defined elsewhere in the package.
//
// Note the asymmetry that matters for coverage: the first two rules are
// Namespaced-scope only, while the last RBAC rule uses AllScopes — so
// cluster-scoped objects are only intercepted for the resources in
// admRbacResForCreateUpdate2. Confirm that is intended when adding
// resources here. The variable name `opCreateDelete` is used for the RBAC
// rules even though the resource sets are named "...CreateUpdate..." —
// which operations that set actually contains is not visible here.
var AdmResForOpsSettings = []*NvAdmRegRuleSetting{

	{
		ApiGroups:  allApiGroups,
		Operations: utils.NewSet(Create),
		Resources:  admResForCreateSet,
		Scope:      string(apiv1beta1.NamespacedScope),
	},
	{
		ApiGroups:  allApiGroups,
		Operations: utils.NewSet(Update),
		Resources:  admResForUpdateSet,
		Scope:      string(apiv1beta1.NamespacedScope),
	},
	{
		ApiGroups:  rbacApiGroups,
		Operations: opCreateDelete,
		Resources:  admRbacResForCreateUpdate1,
		Scope:      string(apiv1beta1.NamespacedScope),
	},
	{
		ApiGroups:  rbacApiGroups,
		Operations: opCreateDelete,
		Resources:  admRbacResForCreateUpdate2,
		Scope:      string(apiv1beta1.AllScopes), // the only rule that also covers cluster-scoped objects
	},
}
var AwsSvcPolicyMap map[string]string = map[string]string{
	// contains filtered or unexported fields
}
// AwsSvcResMap rates AWS services and individual API actions by permission
// sensitivity (AwsResHigh / AwsResMid / AwsResLow), keyed by the AwsSvc*
// service identifiers above.
//
// Shape of each entry, as far as this file shows:
//   - Sensitivity: the service-wide level.
//   - DetailMap:   per-action overrides (action name without the "svc:"
//                  prefix → level); every entry with AllowAll == true has an
//                  empty DetailMap.
//   - AllowAll:    semantics are not visible in this file — presumably the
//                  service is accepted as a whole at Sensitivity level
//                  rather than action by action; confirm in the evaluator.
//
// Actions missing from a DetailMap fall back to whatever the evaluator does
// with Sensitivity (also not visible here). Keep the action spellings exact:
// they are IAM action names and are presumably compared case-sensitively.
var AwsSvcResMap map[string]AwsSvcResource = map[string]AwsSvcResource{
	AwsSvcCloudformation: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"DescribeChangeSet":      AwsResLow,
			"DescribeStackResources": AwsResLow,
			"DescribeStacks":         AwsResLow,
			"GetTemplate":            AwsResLow,
			"ListStackResources":     AwsResLow,
		},
	},
	AwsSvcCloudWatch: {
		Sensitivity: AwsResLow,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcCognitoIdentity: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"ListIdentityPools": AwsResLow,
		},
	},
	AwsSvcCognitoSync: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"GetCognitoEvents": AwsResLow,
			"SetCognitoEvents": AwsResMid,
		},
	},
	AwsSvcDynamodb: {
		Sensitivity: AwsResHigh,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcEc2: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"DescribeSecurityGroups": AwsResLow,
			"DescribeSubnets":        AwsResLow,
			"DescribeVpcs":           AwsResLow,
		},
	},
	AwsSvcEvents: {
		Sensitivity: AwsResLow,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcIam: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"GetPolicy":                AwsResLow,
			"GetPolicyVersion":         AwsResLow,
			"GetRole":                  AwsResLow,
			"GetRolePolicy":            AwsResLow,
			"ListAttachedRolePolicies": AwsResLow,
			"ListRolePolicies":         AwsResLow,
			"ListRoles":                AwsResLow,
			"PassRole":                 AwsResMid, // NOTE(review): iam:PassRole is a classic privilege-escalation primitive; Medium is a deliberate downgrade from the service's High — confirm
		},
	},
	AwsSvcIot: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"AttachPrincipalPolicy":    AwsResMid,
			"AttachThingPrincipal":     AwsResMid,
			"CreateKeysAndCertificate": AwsResMid,
			"CreatePolicy":             AwsResMid,
			"CreateThing":              AwsResMid,
			"CreateTopicRule":          AwsResMid,
			"DescribeEndpoint":         AwsResLow,
			"GetTopicRule":             AwsResLow,
			"ListPolicies":             AwsResLow,
			"ListThings":               AwsResLow,
			"ListTopicRules":           AwsResLow,
			"ReplaceTopicRule":         AwsResMid,
		},
	},
	AwsSvcKinesis: {
		Sensitivity: AwsResMid,
		AllowAll:    false,
		DetailMap: map[string]string{
			"DescribeStream": AwsResLow,
			"ListStreams":    AwsResLow,
			"PutRecord":      AwsResMid,
		},
	},
	AwsSvcKms: {
		Sensitivity: AwsResHigh,
		AllowAll:    false,
		DetailMap: map[string]string{
			"ListAliases": AwsResLow,
		},
	},
	AwsSvcLambda: {
		Sensitivity: AwsResHigh,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcLogs: {
		Sensitivity: AwsResLow,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcS3: {
		Sensitivity: AwsResHigh,
		AllowAll:    true,
		DetailMap:   map[string]string{},
	},
	AwsSvcSns: {
		Sensitivity: AwsResMid,
		AllowAll:    false,
		DetailMap: map[string]string{
			"ListSubscriptions":        AwsResLow,
			"ListSubscriptionsByTopic": AwsResLow,
			"ListTopics":               AwsResLow,
			"Publish":                  AwsResMid,
			"Subscribe":                AwsResMid,
			"Unsubscribe":              AwsResLow,
			// NOTE(review): the next two are SQS actions (they are repeated
			// verbatim under AwsSvcSqs below); there is no sns:ListQueues or
			// sns:SendMessage, so they look copy-pasted and can never match
			// a real SNS action. Confirm and remove.
			"ListQueues":               AwsResLow,
			"SendMessage":              AwsResMid,
		},
	},
	AwsSvcSqs: {
		Sensitivity: AwsResMid,
		AllowAll:    false,
		DetailMap: map[string]string{
			"ListQueues":  AwsResLow,
			"SendMessage": AwsResMid,
		},
	},
	AwsSvcTag: {
		Sensitivity: AwsResLow,
		AllowAll:    false,
		DetailMap: map[string]string{
			"GetResources": AwsResLow,
		},
	},
	AwsSvcXray: {
		Sensitivity: AwsResLow,
		AllowAll:    false,
		DetailMap: map[string]string{
			"PutTelemetryRecords": AwsResLow,
			"PutTraceSegments":    AwsResLow,
		},
	},
}
// CrdResForOpsSettings is the single registration rule for the CRD
// validating webhook: CREATE, UPDATE and DELETE of the resources in the
// unexported crdResForAllOpSet, across all scopes. Because the CRD objects
// carry NeuVector policy, intercepting DELETE as well as CREATE/UPDATE is
// what lets the webhook see rules being removed, not just added.
var CrdResForOpsSettings = []*NvAdmRegRuleSetting{
	{
		ApiGroups:  allApiGroups,
		Operations: utils.NewSet(Create, Update, Delete),
		Resources:  crdResForAllOpSet,
		Scope:      string(apiv1beta1.AllScopes),
	},
}
// ErrMethodNotSupported is returned when the orchestrator driver does not
// implement the requested method at all.
var ErrMethodNotSupported = errors.New("Method not supported")
// ErrResourceNotSupported is returned when the method exists but is not
// supported for the given resource type.
var ErrResourceNotSupported = errors.New("Method on resource not supported")
// ErrUserNotFound is returned when a user lookup finds no matching user.
// Callers should compare with errors.Is so the sentinel survives wrapping.
var ErrUserNotFound = errors.New("User not found")
// NvAdmMutatingName is the metadata.name of NeuVector's
// MutatingWebhookConfiguration resource instance. (The original trailing
// comment said "ValidatingWebhookConfiguration", copied from
// NvAdmValidatingName below; the value and the variable name show this is
// the mutating one.)
var NvAdmMutatingName = "neuvector-mutating-admission-webhook" // MutatingWebhookConfiguration resource instance metadata name

ValidatingWebhookConfiguration resource instance (neuvector-validating-admission-webhook) contains 2 webhooks:

  1. neuvector-validating-admission-webhook.neuvector.svc
  2. neuvector-validating-status-webhook.neuvector.svc
// NvAdmMutatingWebhookName is the name of the webhook entry inside the
// MutatingWebhookConfiguration. It is not initialised here; it is assigned
// at runtime (presumably by AdjustAdmWebhookName — confirm). Note that
// NvMutatingWebhookNameList captures this variable's value at package
// initialisation, i.e. before any such assignment.
var NvAdmMutatingWebhookName string

List every mutating webhook name here and join the list.

// NvAdmSvcName is the Kubernetes Service the admission webhook's
// clientConfig points at.
var NvAdmSvcName = "neuvector-svc-admission-webhook"
// NvAdmSvcNamespace is the namespace the webhook Services live in. It is a
// var, not a const, so it can be overridden for non-default installs.
var NvAdmSvcNamespace = "neuvector"
// NvAdmValidatingName is the metadata.name of NeuVector's admission-control
// ValidatingWebhookConfiguration resource instance.
var NvAdmValidatingName = "neuvector-validating-admission-webhook" // ValidatingWebhookConfiguration resource instance metadata name
// NvAdmValidatingWebhookName is the name of the admission-control webhook
// entry inside the ValidatingWebhookConfiguration; assigned at runtime, not
// initialised here.
var NvAdmValidatingWebhookName string

List every validating webhook name here and join the list.

// NvCrdSvcName is the Kubernetes Service the CRD validating webhook's
// clientConfig points at.
var NvCrdSvcName = "neuvector-svc-crd-webhook"
// NvCrdValidatingName is the metadata.name of the ValidatingWebhookConfiguration
// that guards NeuVector's CRDs.
var NvCrdValidatingName = "neuvector-validating-crd-webhook" // ValidatingWebhookConfiguration resource instance metadata name
// NvCrdValidatingWebhookName is the name of the webhook entry inside the
// CRD ValidatingWebhookConfiguration; assigned at runtime.
var NvCrdValidatingWebhookName string
// NvListKind is the Kind used for generic list objects.
var NvListKind = "List"
// NvMutatingWebhookNameList holds the names of all mutating webhook entries.
// Caution: the slice is built at package initialisation from the value of
// NvAdmMutatingWebhookName at that moment (the empty string, since that var
// has no initialiser); a later assignment to NvAdmMutatingWebhookName does
// not update this list unless the list is rebuilt too.
var NvMutatingWebhookNameList = []string{NvAdmMutatingWebhookName}
// NvPruneValidatingName names a ValidatingWebhookConfiguration used only for
// manually pruning orphan CRD groups; it is not part of normal enforcement.
var NvPruneValidatingName = "neuvector-prune-orphan-crd-groups" // for manually pruning orphan crd groups only
// NvStatusValidatingWebhookName is the name of the status webhook entry
// (the second webhook in the admission ValidatingWebhookConfiguration);
// assigned at runtime.
var NvStatusValidatingWebhookName string
// NvValidatingWebhookNameList holds the names of all validating webhook
// entries. Unlike NvMutatingWebhookNameList it has no initialiser, so it is
// nil until populated at runtime.
var NvValidatingWebhookNameList []string
// StatusResForOpsSettings lists the registration rules for the status
// webhook: one rule using the unexported opCreateDelete operation set over
// statusResForCreateUpdateSet, and one for DELETE over statusResForDeleteSet.
// Both are namespaced-scope only. (The first rule pairs an operation set
// named "CreateDelete" with a resource set named "CreateUpdate" — confirm
// which operations are actually intended.)
var StatusResForOpsSettings = []*NvAdmRegRuleSetting{
	{
		ApiGroups:  allApiGroups,
		Operations: opCreateDelete,
		Resources:  statusResForCreateUpdateSet,
		Scope:      string(apiv1beta1.NamespacedScope),
	},
	{
		ApiGroups:  allApiGroups,
		Operations: utils.NewSet(Delete),
		Resources:  statusResForDeleteSet,
		Scope:      string(apiv1beta1.NamespacedScope),
	},
}

Functions

func AdjustAdmResForOC

func AdjustAdmResForOC()

func AdjustAdmWebhookName

func AdjustAdmWebhookName(f1 NvQueryK8sVerFunc, cspType_ share.TCspType)

func CreateNvCrdObject

func CreateNvCrdObject(rt string) (interface{}, error)

func GetAllRiskyRolesByServiceAccount

func GetAllRiskyRolesByServiceAccount(saName, namespace string) ([]int, error)

func GetCspConfig

func GetCspConfig() api.RESTFedCspSupportResp

func GetK8sVersion

func GetK8sVersion() (int, int)

func GetNvControllerPodsNumber

func GetNvControllerPodsNumber()

func GetNvCtrlerServiceAccount

func GetNvCtrlerServiceAccount(objFunc common.CacheEventFunc)

func GetSaFromJwtToken

func GetSaFromJwtToken(tokenStr string) (string, error)

func GetTlsKeyCertPath

func GetTlsKeyCertPath(svcName, ns string) (string, string)

func IsK8sNvWebhookConfigured

func IsK8sNvWebhookConfigured(whName, failurePolicy string, wh *K8sAdmRegWebhook, checkNsSelector bool, revertCount *uint32,
	unexpectedMatchKeys utils.Set) bool

revertCount: how many times this controller has already reverted the ValidatingWebhookConfiguration resource.

If it is >= 1, the resource is not reverted again merely because of unknown matchExpressions keys (the keys are reported through unexpectedMatchKeys instead).

func IsRancherFlavor

func IsRancherFlavor() bool

func Register

func Register(platform, flavor, network string) orchAPI.ResourceDriver

func RemoveRedundant

func RemoveRedundant(allDomainRoles map[string]share.NvReservedUserRole, domainPermits map[string]share.NvFedPermissions, fedRole string) (
	map[string]string, map[string]share.NvFedPermissions)

Extra federated access is not yet supported for namespace-level roles/permissions. This function deletes the namespace entries in allDomainRoles / domainPermits that are a subset of the global domain's effective permissions, and returns the reduced maps.

func RetrieveBootstrapPassword

func RetrieveBootstrapPassword() string

func SetK8sVersion

func SetK8sVersion(k8sVer string)

func UpdateDeploymentReplicates

func UpdateDeploymentReplicates(name string, replicas int32) error

func VerifyNvK8sRBAC

func VerifyNvK8sRBAC(flavor, csp string, existOnly bool) ([]string, []string, []string, []string)

func VerifyNvRbacRoleBindings

func VerifyNvRbacRoleBindings(bindingNames []string, existOnly, logging bool) ([]string, bool)

func VerifyNvRbacRoles

func VerifyNvRbacRoles(roleNames []string, existOnly bool) ([]string, bool)

https://kubernetes.io/docs/reference/using-api/deprecation-guide/ The rbac.authorization.k8s.io/v1beta1 API version of ClusterRole, ClusterRoleBinding, Role, and RoleBinding is no longer served as of v1.22.

Types

type AdmissionWebhookConfiguration

// AdmissionWebhookConfiguration identifies one of NeuVector's webhook
// configuration objects by kind ("validate" / "mutate") and metadata name.
type AdmissionWebhookConfiguration struct {
	AdmType string // "validate" (for ValidatingWebhookConfiguration) or "mutate" (for MutatingWebhookConfiguration)
	Name    string // k8s resource metadata name, like "neuvector-validating-admission-webhook" or "neuvector-validating-crd-webhook"
}

type AwsSvcResource

// AwsSvcResource is the per-service entry of AwsSvcResMap: a service-wide
// sensitivity level, an allow-all flag, and per-action overrides. The JSON
// tags mean this is also serialised (for the REST API or persistence).
type AwsSvcResource struct {
	Sensitivity string            `json:"sensitivity"` // AwsResHigh / AwsResMid / AwsResLow
	AllowAll    bool              `json:"allow_all"`   // every AwsSvcResMap entry with this true has an empty DetailMap
	DetailMap   map[string]string `json:"detail_map"`  // IAM action name (without "svc:" prefix) -> sensitivity level
}

type ConfigMap

// ConfigMap is the driver's reduced view of a Kubernetes ConfigMap: identity
// plus the string data. Domain is NeuVector's term for the namespace.
type ConfigMap struct {
	UID    string
	Name   string
	Domain string // namespace
	Data   map[string]string
}

type Container

// Container is the driver's reduced view of a container in a pod spec.
// Privileged is the security-relevant bit: it mirrors
// securityContext.privileged. The memory fields keep the original
// quantity strings (e.g. "512Mi") rather than parsed values.
type Container struct {
	Id            string
	Name          string
	RequestMemory string
	LimitMemory   string
	Privileged    bool
	LivenessCmds  []string // exec-probe command of the liveness probe, if any
	ReadinessCmds []string // exec-probe command of the readiness probe, if any
}

type CronJob

// CronJob is the driver's reduced view of a CronJob. SA is the service
// account its pods run as — what RBAC checks are keyed on.
type CronJob struct {
	UID    string
	Name   string
	Domain string // namespace
	SA     string // service account name
}

type CustomDeploymentStrategyParams

// CustomDeploymentStrategyParams are the input to the Custom deployment
// strategy (OpenShift DeploymentConfig). Note that Image and Command are
// attacker-controllable if the DeploymentConfig can be edited by untrusted
// users: the deployer runs whatever image/command is given here.
type CustomDeploymentStrategyParams struct {
	// Image specifies a Docker image which can carry out a deployment.
	Image string `json:"image"`
	// Environment holds the environment which will be given to the container for Image.
	Environment []kapi.EnvVar `json:"environment,omitempty"`
	// Command is optional and overrides CMD in the container Image.
	Command []string `json:"command,omitempty"`
}

CustomDeploymentStrategyParams are the input to the Custom deployment strategy.

type DaemonSet

// DaemonSet is the driver's reduced view of a DaemonSet; same shape as
// CronJob (identity plus the pods' service account).
type DaemonSet struct {
	UID    string
	Name   string
	Domain string // namespace
	SA     string // service account name
}

type Deployment

// Deployment is the driver's reduced view of a Deployment. Replicas is what
// UpdateDeploymentReplicates writes back.
type Deployment struct {
	UID      string
	Name     string
	Domain   string // namespace
	Replicas int32
}

type DeploymentCause

// DeploymentCause captures information about a particular cause of a
// deployment (OpenShift DeploymentConfig API).
type DeploymentCause struct {
	// Type is the type of the trigger that resulted in the creation of a new deployment
	Type DeploymentTriggerType `json:"type"`
	// ImageTrigger contains the image trigger details, if this trigger was fired based on an image change
	ImageTrigger *DeploymentCauseImageTrigger `json:"imageTrigger,omitempty"`
}

DeploymentCause captures information about a particular cause of a deployment.

type DeploymentCauseImageTrigger

// DeploymentCauseImageTrigger contains information about a deployment caused
// by an image trigger (OpenShift DeploymentConfig API).
type DeploymentCauseImageTrigger struct {
	// From is a reference to the changed object which triggered a deployment. The field may have
	// the kinds DockerImage, ImageStreamTag, or ImageStreamImage.
	From kapi.ObjectReference `json:"from"`
}

DeploymentCauseImageTrigger contains information about a deployment caused by an image trigger

type DeploymentCondition

// DeploymentCondition describes the state of a deployment config at a
// certain point (OpenShift DeploymentConfig API).
type DeploymentCondition struct {
	// Type of deployment condition.
	Type DeploymentConditionType `json:"type"`
	// Status of the condition, one of True, False, Unknown.
	Status kapi.ConditionStatus `json:"status"`
	// The last time this condition was updated.
	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
	// The last time the condition transitioned from one status to another.
	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
	// The reason for the condition's last transition.
	Reason DeploymentConditionReason `json:"reason"`
	// A human readable message indicating details about the transition.
	Message string `json:"message"`
}

DeploymentCondition describes the state of a deployment config at a certain point.

type DeploymentConditionReason

// DeploymentConditionReason is the machine-readable reason of a
// DeploymentCondition (free-form string type; no values are defined here).
type DeploymentConditionReason string

type DeploymentConditionType

// DeploymentConditionType is the type of a DeploymentCondition (string
// type; no values are defined in this file).
type DeploymentConditionType string

type DeploymentConfig

// DeploymentConfig represents a configuration for a single deployment
// (represented as a ReplicationController) — the OpenShift API object this
// driver decodes when K8sResDeploymentConfigs is watched. Each change that
// should result in a new deployment increments Status.LatestVersion.
type DeploymentConfig struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec represents a desired deployment state and how to deploy to it.
	Spec DeploymentConfigSpec `json:"spec"`

	// Status represents the current deployment state.
	Status DeploymentConfigStatus `json:"status"`
}

DeploymentConfig represents a configuration for a single deployment (represented as a ReplicationController). It also contains details about changes which resulted in the current state of the DeploymentConfig. Each change to the DeploymentConfig which should result in a new deployment results in an increment of LatestVersion.

type DeploymentConfigList

// DeploymentConfigList is a collection of deployment configs, as returned by
// a list call. Note the list metadata field is named Metadata (not embedded
// like in the single-object type).
type DeploymentConfigList struct {
	metav1.TypeMeta `json:",inline"`
	Metadata        metav1.ListMeta `json:"metadata,omitempty"`

	// Items is a list of deployment configs
	Items []DeploymentConfig `json:"items,omitempty"`
}

DeploymentConfigList is a collection of deployment configs.

type DeploymentConfigRollback

// DeploymentConfigRollback provides the input to rollback generation
// (OpenShift DeploymentConfig API).
type DeploymentConfigRollback struct {
	metav1.TypeMeta `json:",inline"`
	// Name of the deployment config that will be rolled back.
	Name string `json:"name"`
	// UpdatedAnnotations is a set of new annotations that will be added in the deployment config.
	UpdatedAnnotations map[string]string `json:"updatedAnnotations,omitempty"`
	// Spec defines the options to rollback generation.
	Spec DeploymentConfigRollbackSpec `json:"spec"`
}

DeploymentConfigRollback provides the input to rollback generation.

type DeploymentConfigRollbackSpec

// DeploymentConfigRollbackSpec represents the options for rollback
// generation. The JSON tag of IncludeReplicationMeta is
// "includeReplicationmeta" (lower-case m) — kept as-is for wire
// compatibility with the upstream API.
type DeploymentConfigRollbackSpec struct {
	// From points to a ReplicationController which is a deployment.
	From kapi.ObjectReference `json:"from"`
	// Revision to rollback to. If set to 0, rollback to the last revision.
	Revision int64 `json:"revision"`
	// IncludeTriggers specifies whether to include config Triggers.
	IncludeTriggers bool `json:"includeTriggers"`
	// IncludeTemplate specifies whether to include the PodTemplateSpec.
	IncludeTemplate bool `json:"includeTemplate"`
	// IncludeReplicationMeta specifies whether to include the replica count and selector.
	IncludeReplicationMeta bool `json:"includeReplicationmeta"`
	// IncludeStrategy specifies whether to include the deployment Strategy.
	IncludeStrategy bool `json:"includeStrategy"`
}

DeploymentConfigRollbackSpec represents the options for rollback generation.

type DeploymentConfigSpec

// DeploymentConfigSpec represents the desired state of the deployment
// (OpenShift DeploymentConfig API). Template carries the pod spec, which is
// where security-relevant settings (service account, privileged
// containers) live.
type DeploymentConfigSpec struct {
	// Strategy describes how a deployment is executed.
	Strategy DeploymentStrategy `json:"strategy"`

	// MinReadySeconds is the minimum number of seconds for which a newly created pod should
	// be ready without any of its container crashing, for it to be considered available.
	// Defaults to 0 (pod will be considered available as soon as it is ready)
	MinReadySeconds int32 `json:"minReadySeconds"`

	// Triggers determine how updates to a DeploymentConfig result in new deployments. If no triggers
	// are defined, a new deployment can only occur as a result of an explicit client update to the
	// DeploymentConfig with a new LatestVersion.
	Triggers []DeploymentTriggerPolicy `json:"triggers,omitempty"`

	// Replicas is the number of desired replicas.
	Replicas int32 `json:"replicas"`

	// RevisionHistoryLimit is the number of old ReplicationControllers to retain to allow for rollbacks.
	// This field is a pointer to allow for differentiation between an explicit zero and not specified.
	// Defaults to 10. (This only applies to DeploymentConfigs created via the new group API resource, not the legacy resource.)
	RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`

	// Test ensures that this deployment config will have zero replicas except while a deployment is running. This allows the
	// deployment config to be used as a continuous deployment test - triggering on images, running the deployment, and then succeeding
	// or failing. Post strategy hooks and After actions can be used to integrate successful deployment with an action.
	Test bool `json:"test"`

	// Paused indicates that the deployment config is paused resulting in no new deployments on template
	// changes or changes in the template caused by other triggers.
	Paused bool `json:"paused"`

	// Selector is a label query over pods that should match the Replicas count.
	Selector map[string]string `json:"selector,omitempty"`

	// Template is the object that describes the pod that will be created if
	// insufficient replicas are detected.
	Template *kapi.PodTemplateSpec `json:"template,omitempty"`
}

DeploymentConfigSpec represents the desired state of the deployment.

type DeploymentConfigStatus

// DeploymentConfigStatus represents the current deployment state (OpenShift
// DeploymentConfig API). All counts are int32 like the upstream type.
type DeploymentConfigStatus struct {
	// LatestVersion is used to determine whether the current deployment associated with a deployment
	// config is out of sync.
	LatestVersion int64 `json:"latestVersion"`
	// ObservedGeneration is the most recent generation observed by the deployment config controller.
	ObservedGeneration int64 `json:"observedGeneration"`
	// Replicas is the total number of pods targeted by this deployment config.
	Replicas int32 `json:"replicas"`
	// UpdatedReplicas is the total number of non-terminated pods targeted by this deployment config
	// that have the desired template spec.
	UpdatedReplicas int32 `json:"updatedReplicas"`
	// AvailableReplicas is the total number of available pods targeted by this deployment config.
	AvailableReplicas int32 `json:"availableReplicas"`
	// UnavailableReplicas is the total number of unavailable pods targeted by this deployment config.
	UnavailableReplicas int32 `json:"unavailableReplicas"`
	// Details are the reasons for the update to this deployment config.
	// This could be based on a change made by the user or caused by an automatic trigger
	Details *DeploymentDetails `json:"details,omitempty"`
	// Conditions represents the latest available observations of a deployment config's current state.
	Conditions []DeploymentCondition `json:"conditions,omitempty"`
	// Total number of ready pods targeted by this deployment.
	ReadyReplicas int32 `json:"readyReplicas"`
}

DeploymentConfigStatus represents the current deployment state.

type DeploymentDetails

// DeploymentDetails captures information about the causes of a deployment
// (OpenShift DeploymentConfig API).
type DeploymentDetails struct {
	// Message is the user specified change message, if this deployment was triggered manually by the user
	Message string `json:"message"`
	// Causes are extended data associated with all the causes for creating a new deployment
	Causes []DeploymentCause `json:"causes,omitempty"`
}

DeploymentDetails captures information about the causes of a deployment.

type DeploymentLog

// DeploymentLog represents the logs for a deployment. It carries only type
// metadata; the log content itself is streamed, not held in the struct.
type DeploymentLog struct {
	metav1.TypeMeta `json:",inline"`
}

DeploymentLog represents the logs for a deployment

type DeploymentLogOptions

// DeploymentLogOptions is the REST options for a deployment log.
// Pointer fields are optional and omitted from JSON when nil; the bool
// fields are always serialized.
type DeploymentLogOptions struct {
	// TypeMeta is embedded and serialized inline into the JSON object.
	metav1.TypeMeta `json:",inline"`

	// Container for which to return logs.
	Container string `json:"container"`
	// Follow if true indicates that the deployment log should be streamed until
	// the deployment terminates.
	Follow bool `json:"follow"`
	// If true, return previous deployment logs.
	Previous bool `json:"previous"`
	// A relative time in seconds before the current time from which to show logs. If this value
	// precedes the time a pod was started, only logs since the pod start will be returned.
	// If this value is in the future, no logs will be returned.
	// Only one of sinceSeconds or sinceTime may be specified.
	SinceSeconds *int64 `json:"sinceSeconds,omitempty"`
	// An RFC3339 timestamp from which to show logs. If this value
	// precedes the time a pod was started, only logs since the pod start will be returned.
	// If this value is in the future, no logs will be returned.
	// Only one of sinceSeconds or sinceTime may be specified.
	SinceTime *metav1.Time `json:"sinceTime,omitempty"`
	// If true, add an RFC3339 or RFC3339Nano timestamp at the beginning of every line
	// of log output.
	Timestamps bool `json:"timestamps"`
	// If set, the number of lines from the end of the logs to show. If not specified,
	// logs are shown from the creation of the container or sinceSeconds or sinceTime.
	TailLines *int64 `json:"tailLines,omitempty"`
	// If set, the number of bytes to read from the server before terminating the
	// log output. This may not display a complete final line of logging, and may return
	// slightly more or slightly less than the specified limit.
	LimitBytes *int64 `json:"limitBytes,omitempty"`

	// NoWait if true causes the call to return immediately even if the deployment
	// is not available yet. Otherwise the server will wait until the deployment has started.
	NoWait bool `json:"noWait"`

	// Version of the deployment for which to view logs.
	Version *int64 `json:"version,omitempty"`
}

DeploymentLogOptions is the REST options for a deployment log

type DeploymentRequest

// DeploymentRequest is a request to a deployment config for a new deployment.
type DeploymentRequest struct {
	// TypeMeta is embedded and serialized inline into the JSON object.
	metav1.TypeMeta `json:",inline"`
	// Name of the deployment config for requesting a new deployment.
	Name string `json:"name"`
	// Latest will update the deployment config with the latest state from all triggers.
	Latest bool `json:"latest"`
	// Force will try to force a new deployment to run. If the deployment config is paused,
	// then setting this to true will return an Invalid error.
	Force bool `json:"force"`
	// ExcludeTriggers instructs the instantiator to avoid processing the specified triggers.
	// This field overrides the triggers from latest and allows clients to control specific
	// logic. Values are DeploymentTriggerType constants.
	ExcludeTriggers []DeploymentTriggerType `json:"excludeTriggers,omitempty"`
}

DeploymentRequest is a request to a deployment config for a new deployment.

type DeploymentStrategy

// DeploymentStrategy describes how to perform a deployment. Type selects the
// strategy; the *Params fields carry the per-strategy input and are omitted
// from JSON when nil.
type DeploymentStrategy struct {
	// Type is the name of a deployment strategy (see DeploymentStrategyType constants).
	Type DeploymentStrategyType `json:"type"`

	// CustomParams are the input to the Custom deployment strategy, and may also
	// be specified for the Recreate and Rolling strategies to customize the execution
	// process that runs the deployment.
	CustomParams *CustomDeploymentStrategyParams `json:"customParams,omitempty"`
	// RecreateParams are the input to the Recreate deployment strategy.
	RecreateParams *RecreateDeploymentStrategyParams `json:"recreateParams,omitempty"`
	// RollingParams are the input to the Rolling deployment strategy.
	RollingParams *RollingDeploymentStrategyParams `json:"rollingParams,omitempty"`

	// Resources contains resource requirements to execute the deployment and any hooks.
	Resources kapi.ResourceRequirements `json:"resources"`
	// Labels is a set of key, value pairs added to custom deployer and lifecycle pre/post hook pods.
	Labels map[string]string `json:"labels,omitempty"`
	// Annotations is a set of key, value pairs added to custom deployer and lifecycle pre/post hook pods.
	Annotations map[string]string `json:"annotations,omitempty"`

	// ActiveDeadlineSeconds is the duration in seconds that the deployer pods for this deployment
	// config may be active on a node before the system actively tries to terminate them.
	ActiveDeadlineSeconds *int64 `json:"activeDeadlineSeconds,omitempty"`
}

DeploymentStrategy describes how to perform a deployment.

type DeploymentStrategyType

// DeploymentStrategyType refers to a specific DeploymentStrategy implementation.
// The known values are declared as DeploymentStrategyType* constants below.
type DeploymentStrategyType string

DeploymentStrategyType refers to a specific DeploymentStrategy implementation.

// Known DeploymentStrategyType values.
const (
	// DeploymentStrategyTypeRecreate is a simple strategy suitable as a default.
	DeploymentStrategyTypeRecreate DeploymentStrategyType = "Recreate"
	// DeploymentStrategyTypeCustom is a user defined strategy.
	DeploymentStrategyTypeCustom DeploymentStrategyType = "Custom"
	// DeploymentStrategyTypeRolling uses the Kubernetes RollingUpdater.
	DeploymentStrategyTypeRolling DeploymentStrategyType = "Rolling"
)

type DeploymentTriggerImageChangeParams

// DeploymentTriggerImageChangeParams represents the parameters to the ImageChange trigger.
type DeploymentTriggerImageChangeParams struct {
	// Automatic means that the detection of a new tag value should result in an image update
	// inside the pod template.
	Automatic bool `json:"automatic"`
	// ContainerNames is used to restrict tag updates to the specified set of container names in a pod.
	ContainerNames []string `json:"containerNames,omitempty"`
	// From is a reference to an image stream tag to watch for changes. From.Name is the only
	// required subfield - if From.Namespace is blank, the namespace of the current deployment
	// trigger will be used.
	From kapi.ObjectReference `json:"from"`
	// LastTriggeredImage is the last image to be triggered.
	LastTriggeredImage string `json:"lastTriggeredImage"`
}

DeploymentTriggerImageChangeParams represents the parameters to the ImageChange trigger.

type DeploymentTriggerPolicy

// DeploymentTriggerPolicy describes a policy for a single trigger that results in a new deployment.
type DeploymentTriggerPolicy struct {
	// Type of the trigger (see DeploymentTriggerType constants).
	Type DeploymentTriggerType `json:"type"`
	// ImageChangeParams represents the parameters for the ImageChange trigger.
	// Omitted from JSON when nil.
	ImageChangeParams *DeploymentTriggerImageChangeParams `json:"imageChangeParams,omitempty"`
}

DeploymentTriggerPolicy describes a policy for a single trigger that results in a new deployment.

type DeploymentTriggerType

// DeploymentTriggerType refers to a specific DeploymentTriggerPolicy implementation.
// The known values are declared as DeploymentTrigger* constants below.
type DeploymentTriggerType string

DeploymentTriggerType refers to a specific DeploymentTriggerPolicy implementation.

// Known DeploymentTriggerType values.
const (
	// DeploymentTriggerManual is a placeholder implementation which does nothing.
	DeploymentTriggerManual DeploymentTriggerType = "Manual"
	// DeploymentTriggerOnImageChange will create new deployments in response to updated tags from
	// a Docker image repository.
	DeploymentTriggerOnImageChange DeploymentTriggerType = "ImageChange"
	// DeploymentTriggerOnConfigChange will create new deployments in response to changes to
	// the ControllerTemplate of a DeploymentConfig.
	DeploymentTriggerOnConfigChange DeploymentTriggerType = "ConfigChange"
)

type Event

// Event describes a change observed on a watched resource. It has no JSON
// tags, so it is an in-process value rather than an API object.
type Event struct {
	Event        string      // event kind; presumably one of the operation strings (CREATE/UPDATE/DELETE) — confirm against the producer
	ResourceType string      // which resource kind ResourceOld/ResourceNew hold
	ResourceOld  interface{} // untyped: the object before the change (nil presumably on create — confirm)
	ResourceNew  interface{} // untyped: the object after the change (nil presumably on delete — confirm)
	Status       string
	LastError    string // last error text recorded for this event, if any
}

type ExecNewPodHook

// ExecNewPodHook is a hook implementation which runs a command in a new pod based on the
// specified container which is assumed to be part of the deployment template.
type ExecNewPodHook struct {
	// Command is the action command and its arguments.
	Command []string `json:"command,omitempty"`
	// Env is a set of environment variables to supply to the hook pod's container.
	Env []kapi.EnvVar `json:"env,omitempty"`
	// ContainerName is the name of a container in the deployment pod template
	// whose Docker image will be used for the hook pod's container.
	ContainerName string `json:"containerName"`
	// Volumes is a list of named volumes from the pod template which should be
	// copied to the hook pod. Volumes names not found in pod spec are ignored.
	// An empty list means no volumes will be copied.
	Volumes []string `json:"volumes,omitempty"`
}

ExecNewPodHook is a hook implementation which runs a command in a new pod based on the specified container which is assumed to be part of the deployment template.

type Image

// Image is the package's view of a container image resource together with
// the tags known for it. No JSON tags: in-process use only.
type Image struct {
	UID    string
	Name   string
	Domain string // NOTE(review): "Domain" is used across this package (Namespace, Pod, Service); presumably the namespace — confirm
	Repo   string
	Tags   []ImageTag // tags attached to this image, see ImageTag
}

type ImageTag

// ImageTag is one tag entry of an Image.
type ImageTag struct {
	Tag    string
	Serial string // presumably a revision/version identifier of the tag — confirm against the producer
}

type K8sAdmRegRule

// K8sAdmRegRule is the package's generic copy of an admissionregistration
// Rule (shared across the v1/v1beta1 API versions).
type K8sAdmRegRule struct {
	ApiGroups   []string
	ApiVersions []string
	Resources   []string
	Scope       *string // nil when the rule does not set a scope
}

type K8sAdmRegRuleWithOperations

// K8sAdmRegRuleWithOperations pairs a K8sAdmRegRule with the operations it
// applies to (generic copy of admissionregistration RuleWithOperations).
type K8sAdmRegRuleWithOperations struct {
	Operations []string       // operation strings; the package declares OperationAll ("*"), Create, Update, Delete, Connect for these
	Rule       *K8sAdmRegRule // may be nil
}

type K8sAdmRegServiceReference

// K8sAdmRegServiceReference identifies an in-cluster Service used as a webhook
// endpoint (generic copy of admissionregistration ServiceReference).
type K8sAdmRegServiceReference struct {
	Namespace string
	Name      string
	Path      *string // optional URL path on the service
	Port      *int32  // optional port; nil when unset
}

--- for generic types in admissionregistration v1/v1beta1

type K8sAdmRegValidatingWebhookConfiguration

// K8sAdmRegValidatingWebhookConfiguration is the generic (version-independent)
// copy of a ValidatingWebhookConfiguration: only its webhook list is kept.
type K8sAdmRegValidatingWebhookConfiguration struct {
	Webhooks []*K8sAdmRegWebhook
}

type K8sAdmRegWebhook

// K8sAdmRegWebhook is the generic copy of one validating webhook entry.
// String-typed policy fields are pointers so that "unset" is distinguishable
// from an explicit value.
type K8sAdmRegWebhook struct {
	Name                    string
	AdmissionReviewVersions []string
	ClientConfig            *K8sAdmRegWebhookClientConfig // where the API server sends AdmissionReview requests
	Rules                   []*K8sAdmRegRuleWithOperations
	FailurePolicy           *string // expected values: the Ignore / Fail constants declared in this package
	NamespaceSelector       *metav1.LabelSelector
	SideEffects             *string // expected values: the SideEffectNone / SideEffectSome / SideEffectNoneOnDryRun constants
}

type K8sAdmRegWebhookClientConfig

// K8sAdmRegWebhookClientConfig is the generic copy of admissionregistration
// WebhookClientConfig: the webhook endpoint is given either as a URL or as an
// in-cluster service reference.
type K8sAdmRegWebhookClientConfig struct {
	Url      *string                    // external endpoint; nil when Service is used
	Service  *K8sAdmRegServiceReference // in-cluster endpoint; nil when Url is used
	CaBundle []byte                     // CA bundle the API server uses to verify the webhook's TLS certificate (as in the Kubernetes type — confirm); an empty bundle is worth flagging in review since trust then falls back to the API server's defaults
}

type LifecycleHook

// LifecycleHook defines a specific deployment lifecycle action. Only one type
// of action (ExecNewPod or TagImages) may be specified at any time.
type LifecycleHook struct {
	// FailurePolicy specifies what action to take if the hook fails
	// (see LifecycleHookFailurePolicy constants).
	FailurePolicy LifecycleHookFailurePolicy `json:"failurePolicy"`

	// ExecNewPod specifies the options for a lifecycle hook backed by a pod.
	ExecNewPod *ExecNewPodHook `json:"execNewPod,omitempty"`

	// TagImages instructs the deployer to tag the current image referenced under a container onto an image stream tag.
	TagImages []TagImageHook `json:"tagImages,omitempty"`
}

LifecycleHook defines a specific deployment lifecycle action. Only one type of action may be specified at any time.

type LifecycleHookFailurePolicy

// LifecycleHookFailurePolicy describes possible actions to take if a hook fails.
// The known values are declared as LifecycleHookFailurePolicy* constants below.
type LifecycleHookFailurePolicy string

LifecycleHookFailurePolicy describes the possible actions to take if a hook fails.

// Known LifecycleHookFailurePolicy values.
const (
	// LifecycleHookFailurePolicyRetry means retry the hook until it succeeds.
	LifecycleHookFailurePolicyRetry LifecycleHookFailurePolicy = "Retry"
	// LifecycleHookFailurePolicyAbort means abort the deployment.
	LifecycleHookFailurePolicyAbort LifecycleHookFailurePolicy = "Abort"
	// LifecycleHookFailurePolicyIgnore means ignore failure and continue the deployment.
	LifecycleHookFailurePolicyIgnore LifecycleHookFailurePolicy = "Ignore"
)

type Namespace

// Namespace is the package's reduced view of a Kubernetes namespace:
// identity plus labels. No JSON tags: in-process use only.
type Namespace struct {
	UID    string
	Name   string
	Labels map[string]string
}

type Node

// Node is the package's reduced view of a Kubernetes node. No JSON tags:
// in-process use only.
type Node struct {
	UID              string
	Name             string
	IPNets           []net.IPNet // node addresses as networks
	Labels           map[string]string
	Annotations      map[string]string
	IBMCloudWorkerID string // for IBM cloud only: the hostname (before the 1st dot character) of the node
}

type NvAdmCtrlSecurityRule

// NvAdmCtrlSecurityRule is the admission-control CRD object; Spec carries the
// NvSecurityAdmCtrlSpec (config plus rules).
// NOTE(review): the rendered docs show a second definition of this type and
// of NvAdmCtrlSecurityRuleList with different tags immediately below; that
// looks like a stale copy kept in a comment — confirm and drop it if so.
type NvAdmCtrlSecurityRule struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Spec              NvSecurityAdmCtrlSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
type NvAdmCtrlSecurityRule struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              NvSecurityAdmCtrlSpec `json:"spec"`
}
type NvAdmCtrlSecurityRuleList struct {
	metav1.TypeMeta  `json:",inline"`
	metav1.ListMeta  `json:"metadata,omitempty"`
	Items            []*NvAdmCtrlSecurityRule `json:"items"`
	XXX_unrecognized []byte                   `json:"-"`
}

type NvAdmCtrlSecurityRuleList

// NvAdmCtrlSecurityRuleList is the list type for NvAdmCtrlSecurityRule.
type NvAdmCtrlSecurityRuleList struct {
	metav1.TypeMeta  `json:",inline"`
	metav1.ListMeta  `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items            []NvAdmCtrlSecurityRule `json:"items" protobuf:"bytes,2,rep,name=items"`
	XXX_unrecognized []byte                  `json:"-"` // never (de)serialized: the "-" tag excludes it from JSON
}

type NvAdmRegRuleSetting

// NvAdmRegRuleSetting is a set-valued form of an admission-registration rule
// (api groups, operations and resources as utils.Set instead of slices),
// presumably built from K8sAdmRegRuleWithOperations for membership checks — confirm.
type NvAdmRegRuleSetting struct {
	ApiGroups  utils.Set
	Operations utils.Set
	Resources  utils.Set
	Scope      string
}

type NvClusterSecurityRule

// NvClusterSecurityRule is the cluster-scoped CRD object carrying an
// NvSecurityRuleSpec; it has the same shape as NvSecurityRule.
type NvClusterSecurityRule struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Spec              NvSecurityRuleSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

type NvClusterSecurityRuleList

// NvClusterSecurityRuleList is the list type for NvClusterSecurityRule.
type NvClusterSecurityRuleList struct {
	metav1.TypeMeta  `json:",inline"`
	metav1.ListMeta  `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items            []NvClusterSecurityRule `json:"items" protobuf:"bytes,2,rep,name=items"`
	XXX_unrecognized []byte                  `json:"-"` // excluded from JSON by the "-" tag
}

type NvCompProfileSecurityRule

// NvCompProfileSecurityRule is the compliance-profile CRD object; Spec carries
// an NvSecurityCompProfileSpec.
type NvCompProfileSecurityRule struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Spec              NvSecurityCompProfileSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

type NvCompProfileSecurityRuleList

// NvCompProfileSecurityRuleList is the list type for NvCompProfileSecurityRule.
type NvCompProfileSecurityRuleList struct {
	metav1.TypeMeta  `json:",inline"`
	metav1.ListMeta  `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items            []NvCompProfileSecurityRule `json:"items" protobuf:"bytes,2,rep,name=items"`
	XXX_unrecognized []byte                      `json:"-"` // excluded from JSON by the "-" tag
}

type NvCrdAdmCtrlConfig

// NvCrdAdmCtrlConfig is the parsed (non-pointer) form of the admission control
// config section; NvSecurityParse.AdmCtrlCfg holds it. Its CRD input
// counterpart is NvSecurityAdmCtrlConfig.
// NOTE(review): the client-mode JSON tag here is "adm_client_mode" while
// NvSecurityAdmCtrlConfig uses "client_mode"; confirm this difference is
// intentional before relying on either tag across the two types.
type NvCrdAdmCtrlConfig struct {
	Enable        bool   `json:"enable"`
	Mode          string `json:"mode"`
	AdmClientMode string `json:"adm_client_mode"`
}

type NvCrdAdmCtrlRule

// NvCrdAdmCtrlRule is the parsed form of one admission control rule; the
// CRD input form is NvSecurityAdmCtrlRule. NvSecurityParse.AdmCtrlRulesCfg
// holds these keyed by "deny" / "exception".
type NvCrdAdmCtrlRule struct {
	ID         uint32                      `json:"id"`        // only set for default rules
	RuleType   string                      `json:"rule_type"` // ValidatingExceptRuleType / ValidatingDenyRuleType (see above)
	RuleMode   string                      `json:"rule_mode"` // "" / share.AdmCtrlModeMonitor / share.AdmCtrlModeProtect
	Comment    string                      `json:"comment"`
	Criteria   []*api.RESTAdmRuleCriterion `json:"criteria,omitempty"`
	Disabled   bool                        `json:"disabled"`
	Containers uint8                       `json:"containers,omitempty"` // compact form of NvSecurityAdmCtrlRule.Containers ([]string); presumably a bitmask — confirm
}

type NvCrdCompProfileConfig

// NvCrdCompProfileConfig is the parsed compliance profile taken from a CRD
// object (NvSecurityParse.CompProfileCfg).
type NvCrdCompProfileConfig struct {
	Templates *api.RESTComplianceProfileConfig `json:"profile"` // note: field is Templates but the JSON key is "profile"
}

type NvCrdInfo

// NvCrdInfo describes one CRD this package knows about: its metadata name,
// the spec fields that name/scope it, and the key used to lock and to store it.
type NvCrdInfo struct {
	RscType           string
	MetaName          string
	SpecScope         string
	SpecGroup         string
	SpecVersion       string
	SpecNamesPlural   string
	SpecNamesKind     string
	SpecNamesSingular string
	SpecNamesListKind string
	LockKey           string // presumably the cluster lock key used while handling this CRD — confirm
	KvCrdKind         string // presumably the kind name under which objects are stored in the kv store — confirm
	ShortNames        []string
}

type NvCrdVulnProfileConfig

// NvCrdVulnProfileConfig is the parsed vulnerability profile taken from a CRD
// object (NvSecurityParse.VulnProfileCfg).
type NvCrdVulnProfileConfig struct {
	Profile *api.RESTVulnerabilityProfileConfig `json:"profile"`
}

type NvCspUsage

// NvCspUsage is the CRD object used for CSP billing adapter integration.
type NvCspUsage struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	ManagedNodeCount  int    `json:"managed_node_count"` // sum of all reachable clusters' nodes count. 0 means "do not report to CSP API"
	ReportingTime     string `json:"reporting_time"`
	BaseProduct       string `json:"base_product"`
	XXX_unrecognized  []byte `json:"-"` // excluded from JSON by the "-" tag
}

csp billing adapter integration

type NvCspUsageList

// NvCspUsageList is the list type for NvCspUsage.
type NvCspUsageList struct {
	metav1.TypeMeta  `json:",inline"`
	metav1.ListMeta  `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items            []NvCspUsage `json:"items" protobuf:"bytes,2,rep,name=items"`
	XXX_unrecognized []byte       `json:"-"` // excluded from JSON by the "-" tag
}

type NvDlpSecurityRule

// NvDlpSecurityRule is the DLP sensor CRD object; Spec carries an NvSecurityDlpSpec.
type NvDlpSecurityRule struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Spec              NvSecurityDlpSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

type NvDlpSecurityRuleList

// NvDlpSecurityRuleList is the list type for NvDlpSecurityRule.
type NvDlpSecurityRuleList struct {
	metav1.TypeMeta  `json:",inline"`
	metav1.ListMeta  `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items            []NvDlpSecurityRule `json:"items" protobuf:"bytes,2,rep,name=items"`
	XXX_unrecognized []byte              `json:"-"` // excluded from JSON by the "-" tag
}

type NvQueryK8sVerFunc

// NvQueryK8sVerFunc is a parameterless callback type; by its name it is
// presumably invoked to (re)query the Kubernetes version — confirm at the call site.
type NvQueryK8sVerFunc func()

type NvSecurityAdmCtrlConfig

// NvSecurityAdmCtrlConfig is the admission control config section as given in
// the CRD. Enable and Mode are optional pointers (omitted when nil);
// AdmClientMode is tagged required for the validator. The parsed counterpart
// is NvCrdAdmCtrlConfig.
type NvSecurityAdmCtrlConfig struct {
	Enable        *bool   `json:"enable,omitempty"`
	Mode          *string `json:"mode,omitempty"`
	AdmClientMode *string `json:"client_mode" validate:"required"` // validate tag presumably consumed by a struct validator — confirm which one
}

admission control CRD resources are non-namespaced

type NvSecurityAdmCtrlRule

// NvSecurityAdmCtrlRule is one admission control rule as given in the CRD.
// Every scalar is a pointer so that an absent field is distinguishable from a
// zero value. The parsed counterpart is NvCrdAdmCtrlRule.
type NvSecurityAdmCtrlRule struct {
	ID         *uint32                     `json:"id,omitempty"`
	Action     *string                     `json:"action,omitempty"`    // api.ValidatingAllowRuleType / api.ValidatingDenyRuleType
	RuleMode   *string                     `json:"rule_mode,omitempty"` // "" / share.AdmCtrlModeMonitor / share.AdmCtrlModeProtect
	Comment    *string                     `json:"comment,omitempty"`
	Disabled   *bool                       `json:"disabled,omitempty"`
	Containers []string                    `json:"containers,omitempty"`
	Criteria   []*api.RESTAdmRuleCriterion `json:"criteria,omitempty"`
}

type NvSecurityAdmCtrlRules

// NvSecurityAdmCtrlRules wraps a list of NvSecurityAdmCtrlRule.
type NvSecurityAdmCtrlRules struct {
	Rules []*NvSecurityAdmCtrlRule `json:"rules,omitempty"`
}

type NvSecurityAdmCtrlSpec

// NvSecurityAdmCtrlSpec is the spec of NvAdmCtrlSecurityRule: an optional
// config section plus the rule list.
type NvSecurityAdmCtrlSpec struct {
	Config *NvSecurityAdmCtrlConfig `json:"config,omitempty"`
	Rules  []*NvSecurityAdmCtrlRule `json:"rules,omitempty"`
}

type NvSecurityCompProfileSpec

// NvSecurityCompProfileSpec is the spec of NvCompProfileSecurityRule.
type NvSecurityCompProfileSpec struct {
	Templates *NvSecurityCompTemplates `json:"templates,omitempty"`
}

type NvSecurityCompTemplates

// NvSecurityCompTemplates is the compliance profile body as given in the CRD.
type NvSecurityCompTemplates struct {
	DisableSystem bool                              `json:"disable_system"`
	Entries       []*api.RESTComplianceProfileEntry `json:"entries"`
}

compliance profile

type NvSecurityDlpGroup

// NvSecurityDlpGroup is the per-group DLP sensor mapping carried in
// NvSecurityRuleSpec.DlpGroup.
type NvSecurityDlpGroup struct {
	Status   bool                         `json:"status"`
	Settings []api.RESTCrdDlpGroupSetting `json:"settings"`
}

type NvSecurityDlpRule

// NvSecurityDlpRule is one rule of a DLP sensor: a name plus its pattern entries.
type NvSecurityDlpRule struct {
	Name     *string                    `json:"name"` // pointer: nil when the CRD omits the name (no omitempty, so it serializes as null)
	Patterns []api.RESTDlpCriteriaEntry `json:"patterns"`
}

DLP

type NvSecurityDlpSensor

// NvSecurityDlpSensor is a DLP sensor definition as given in the CRD.
type NvSecurityDlpSensor struct {
	Name     string               `json:"name"`
	Comment  *string              `json:"comment"`
	RuleList []*NvSecurityDlpRule `json:"rules"` // JSON key is "rules", not "ruleList"
}

type NvSecurityDlpSpec

// NvSecurityDlpSpec is the spec of NvDlpSecurityRule.
type NvSecurityDlpSpec struct {
	Sensor *NvSecurityDlpSensor `json:"sensor"`
}

type NvSecurityFileRule

// NvSecurityFileRule is one file-access rule of NvSecurityRuleSpec.FileRule.
type NvSecurityFileRule struct {
	Filter    string   `json:"filter"`    // path filter the rule applies to
	Recursive bool     `json:"recursive"` // whether Filter also covers sub-directories — presumably; confirm against the enforcer
	Behavior  string   `json:"behavior"`
	App       []string `json:"app"` // applications the rule applies to
}

type NvSecurityParse

// NvSecurityParse is the result of parsing one Nv* CRD object into the
// package's internal/REST config types. Only the sections present in the
// source object are populated; the rest stay nil/empty.
type NvSecurityParse struct {
	TargetName        string
	PolicyModeCfg     *api.RESTServiceConfig
	ProcessProfileCfg *api.RESTProcessProfile
	FileProfileCfg    *api.RESTFileMonitorProfile
	GroupCfgs         []api.RESTCrdGroupConfig
	RuleCfgs          []api.RESTPolicyRuleConfig
	DlpGroupCfg       *api.RESTCrdDlpGroupConfig // per-group's dlp sensor configuration
	WafGroupCfg       *api.RESTCrdWafGroupConfig // per-group's waf sensor configuration
	AdmCtrlCfg        *NvCrdAdmCtrlConfig
	AdmCtrlRulesCfg   map[string][]*NvCrdAdmCtrlRule // map key is "deny" / "exception"
	DlpSensorCfg      *api.RESTDlpSensorConfig       // dlp sensor defined by this crd object
	WafSensorCfg      *api.RESTWafSensorConfig       // waf sensor defined by this crd object
	VulnProfileCfg    *NvCrdVulnProfileConfig        // vulnerability profile defined by this crd object
	CompProfileCfg    *NvCrdCompProfileConfig        // compliance profile defined by this crd object
	Uid               string                         // Metadata.Uid from AdmissionReview request
}

type NvSecurityProcessProfile

// NvSecurityProcessProfile is the process profile section of NvSecurityRuleSpec.
type NvSecurityProcessProfile struct {
	Baseline *string `json:"baseline"`
	Mode     *string `json:"mode"` // added in 5.4.1 for process/file profiles
}

type NvSecurityProcessRule

// NvSecurityProcessRule is one process rule of NvSecurityRuleSpec.ProcessRule.
type NvSecurityProcessRule struct {
	Name            string `json:"name"`
	Path            string `json:"path"`
	Action          string `json:"action"`
	AllowFileUpdate bool   `json:"allow_update"` // JSON key is "allow_update", not "allow_file_update"
}

type NvSecurityRule

// NvSecurityRule is the namespaced security rule CRD object; Spec carries an
// NvSecurityRuleSpec. NvClusterSecurityRule has the same shape.
type NvSecurityRule struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Spec              NvSecurityRuleSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

type NvSecurityRuleDetail

// NvSecurityRuleDetail is one ingress or egress network rule of NvSecurityRuleSpec.
type NvSecurityRuleDetail struct {
	Selector     api.RESTCrdGroupConfig `json:"selector"` // the peer group this rule matches
	Applications []string               `json:"applications"`
	Ports        string                 `json:"ports"`
	Action       string                 `json:"action"`
	Name         string                 `json:"name"`
	Priority     uint32                 `json:"priority"`
}

type NvSecurityRuleList

// NvSecurityRuleList is the list type for NvSecurityRule.
type NvSecurityRuleList struct {
	metav1.TypeMeta  `json:",inline"`
	metav1.ListMeta  `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items            []NvSecurityRule `json:"items" protobuf:"bytes,2,rep,name=items"`
	XXX_unrecognized []byte           `json:"-"` // excluded from JSON by the "-" tag
}

type NvSecurityRulePartial

// NvSecurityRulePartial decodes only the type and object metadata of a
// security rule object, leaving the spec untouched — useful when only the
// kind/name/uid are needed.
type NvSecurityRulePartial struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	XXX_unrecognized  []byte `json:"-"` // excluded from JSON by the "-" tag
}

type NvSecurityRuleSpec

// NvSecurityRuleSpec is the spec shared by NvSecurityRule and
// NvClusterSecurityRule: the target group, its network rules, process/file
// rules and optional DLP/WAF group mappings.
type NvSecurityRuleSpec struct {
	Target         NvSecurityTarget          `json:"target"`
	IngressRule    []NvSecurityRuleDetail    `json:"ingress"` // JSON key "ingress"
	EgressRule     []NvSecurityRuleDetail    `json:"egress"`  // JSON key "egress"
	ProcessProfile *NvSecurityProcessProfile `json:"process_profile,omitempty"`
	ProcessRule    []NvSecurityProcessRule   `json:"process"` // JSON key "process"
	FileRule       []NvSecurityFileRule      `json:"file"`    // JSON key "file"
	DlpGroup       *NvSecurityDlpGroup       `json:"dlp,omitempty"` // per-group's dlp sensor mapping data
	WafGroup       *NvSecurityWafGroup       `json:"waf,omitempty"` // per-group's waf sensor mapping data
}

type NvSecurityTarget

// NvSecurityTarget names the group a security rule applies to, with an
// optional policy mode.
type NvSecurityTarget struct {
	PolicyMode *string                `json:"policymode,omitempty"` // JSON key is "policymode" (no underscore)
	Selector   api.RESTCrdGroupConfig `json:"selector"`
}

type NvSecurityVulnProfile

// NvSecurityVulnProfile is the vulnerability profile body as given in the CRD.
type NvSecurityVulnProfile struct {
	Entries []*NvSecurityVulnProfileEntry `json:"entries"`
}

type NvSecurityVulnProfileEntry

// NvSecurityVulnProfileEntry is one entry of a vulnerability profile.
type NvSecurityVulnProfileEntry struct {
	Name    string   `json:"name"`
	Comment *string  `json:"comment"`
	Days    *uint    `json:"days"` // Only used for 'recent' vuln entries
	Domains []string `json:"domains"`
	Images  []string `json:"images"`
}

vulnerability profile

type NvSecurityVulnProfileSpec

// NvSecurityVulnProfileSpec is the spec of NvVulnProfileSecurityRule.
type NvSecurityVulnProfileSpec struct {
	Profile *NvSecurityVulnProfile `json:"profile"`
}

type NvSecurityWafGroup

// NvSecurityWafGroup is the per-group WAF sensor mapping carried in
// NvSecurityRuleSpec.WafGroup; same shape as NvSecurityDlpGroup.
type NvSecurityWafGroup struct {
	Status   bool                         `json:"status"`
	Settings []api.RESTCrdWafGroupSetting `json:"settings"`
}

type NvSecurityWafRule

// NvSecurityWafRule is one rule of a WAF sensor: a name plus its pattern entries.
type NvSecurityWafRule struct {
	Name     *string                    `json:"name"` // pointer: nil when the CRD omits the name (no omitempty, so it serializes as null)
	Patterns []api.RESTWafCriteriaEntry `json:"patterns"`
}

WAF

type NvSecurityWafSensor

// NvSecurityWafSensor is a WAF sensor definition as given in the CRD.
type NvSecurityWafSensor struct {
	Name     string               `json:"name"`
	Comment  *string              `json:"comment"`
	RuleList []*NvSecurityWafRule `json:"rules"` // JSON key is "rules", not "ruleList"
}

type NvSecurityWafSpec

// NvSecurityWafSpec is the spec of NvWafSecurityRule.
type NvSecurityWafSpec struct {
	Sensor *NvSecurityWafSensor `json:"sensor"`
}

type NvVerifyK8sNsFunc

// NvVerifyK8sNsFunc is a callback invoked with whether admission control is
// enabled plus a namespace's name and labels; it returns nothing, so any
// outcome is reported through side effects of the implementation.
type NvVerifyK8sNsFunc func(admCtrlEnabled bool, nsName string, nsLabels map[string]string)

type NvVulnProfileSecurityRule

// NvVulnProfileSecurityRule is the vulnerability-profile CRD object; Spec
// carries an NvSecurityVulnProfileSpec.
type NvVulnProfileSecurityRule struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Spec              NvSecurityVulnProfileSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

type NvVulnProfileSecurityRuleList

// NvVulnProfileSecurityRuleList is the list type for NvVulnProfileSecurityRule.
type NvVulnProfileSecurityRuleList struct {
	metav1.TypeMeta  `json:",inline"`
	metav1.ListMeta  `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items            []NvVulnProfileSecurityRule `json:"items" protobuf:"bytes,2,rep,name=items"`
	XXX_unrecognized []byte                      `json:"-"` // excluded from JSON by the "-" tag
}

type NvWafSecurityRule

// NvWafSecurityRule is the WAF sensor CRD object; Spec carries an NvSecurityWafSpec.
type NvWafSecurityRule struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Spec              NvSecurityWafSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

type NvWafSecurityRuleList

// NvWafSecurityRuleList is the list type for NvWafSecurityRule.
type NvWafSecurityRuleList struct {
	metav1.TypeMeta  `json:",inline"`
	metav1.ListMeta  `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items            []NvWafSecurityRule `json:"items" protobuf:"bytes,2,rep,name=items"`
	XXX_unrecognized []byte              `json:"-"` // excluded from JSON by the "-" tag
}

type OpenShiftUser

// OpenShiftUser is the subset of an OpenShift User object this package
// decodes: kind, apiVersion and the group memberships. Fields not listed
// here are dropped on decode.
type OpenShiftUser struct {
	Kind       string   `json:"kind"`
	ApiVersion string   `json:"apiVersion"`
	Groups     []string `json:"groups"`
}

type Pod

// Pod is the package's reduced view of a Kubernetes pod: identity, placement,
// owner, its containers and labels. No JSON tags: in-process use only.
type Pod struct {
	UID          string
	Name         string
	Domain       string // presumably the pod's namespace (see Node/Service, which use the same field name) — confirm
	Node         string // name of the node the pod runs on
	IPNet        net.IPNet
	HostNet      bool // presumably set when the pod uses the host network namespace — confirm
	Running      bool
	OwnerUID     string
	OwnerName    string
	OwnerType    string // kind of the owning controller
	Containers   []Container
	SA           string   // service account of this pod
	ContainerIDs []string // all workload id
	Labels       map[string]string
}

type RBAC

// RBAC is the per-subject authorization view derived from the platform:
// the roles and extra permissions granted per domain.
type RBAC struct {
	Name          string
	Domain        string
	DomainRoles   map[string]string                 // domain -> nv reserved role
	DomainPermits map[string]share.NvFedPermissions // domain -> extra nv permissions. for Rancher SSO custom roles only
}

type RecreateDeploymentStrategyParams

// RecreateDeploymentStrategyParams are the input to the Recreate deployment strategy.
// All fields are optional pointers and are omitted from JSON when nil.
type RecreateDeploymentStrategyParams struct {
	// TimeoutSeconds is the time to wait for updates before giving up. If the
	// value is nil, a default will be used.
	TimeoutSeconds *int64 `json:"timeoutSeconds,omitempty"`
	// Pre is a lifecycle hook which is executed before the strategy manipulates
	// the deployment. All LifecycleHookFailurePolicy values are supported.
	Pre *LifecycleHook `json:"pre,omitempty"`
	// Mid is a lifecycle hook which is executed while the deployment is scaled down to zero before the first new
	// pod is created. All LifecycleHookFailurePolicy values are supported.
	Mid *LifecycleHook `json:"mid,omitempty"`
	// Post is a lifecycle hook which is executed after the strategy has
	// finished all deployment logic. All LifecycleHookFailurePolicy values are supported.
	Post *LifecycleHook `json:"post,omitempty"`
}

RecreateDeploymentStrategyParams are the input to the Recreate deployment strategy.

type ReplicaSet

// ReplicaSet is the package's reduced view of a Kubernetes ReplicaSet:
// identity only. No JSON tags: in-process use only.
type ReplicaSet struct {
	UID    string
	Name   string
	Domain string
}

type RollingDeploymentStrategyParams

// RollingDeploymentStrategyParams are the input to the Rolling deployment strategy.
type RollingDeploymentStrategyParams struct {
	// UpdatePeriodSeconds is the time to wait between individual pod updates.
	// If the value is nil, a default will be used.
	// NOTE(review): the JSON key "failurePolicyFailurePolicy" does not match
	// this field; the upstream OpenShift type keys it as "updatePeriodSeconds"
	// (confirm), so this field is unlikely to be populated from API responses.
	// Changing the tag alters the wire format, so it is flagged here rather
	// than fixed.
	UpdatePeriodSeconds *int64 `json:"failurePolicyFailurePolicy,omitempty"`
	// IntervalSeconds is the time to wait between polling deployment status
	// after update. If the value is nil, a default will be used.
	IntervalSeconds *int64 `json:"intervalSeconds,omitempty"`
	// TimeoutSeconds is the time to wait for updates before giving up. If the
	// value is nil, a default will be used.
	TimeoutSeconds *int64 `json:"timeoutSeconds,omitempty"`
	// MaxUnavailable is the maximum number of pods that can be unavailable
	// during the update. Value can be an absolute number (ex: 5) or a
	// percentage of total pods at the start of update (ex: 10%). Absolute
	// number is calculated from percentage by rounding down.
	//
	// This cannot be 0 if MaxSurge is 0. By default, 25% is used.
	//
	// Example: when this is set to 30%, the old RC can be scaled down by 30%
	// immediately when the rolling update starts. Once new pods are ready, old
	// RC can be scaled down further, followed by scaling up the new RC,
	// ensuring that at least 70% of original number of pods are available at
	// all times during the update.
	MaxUnavailable intstr.IntOrString `json:"maxUnavailable"`
	// MaxSurge is the maximum number of pods that can be scheduled above the
	// original number of pods. Value can be an absolute number (ex: 5) or a
	// percentage of total pods at the start of the update (ex: 10%). Absolute
	// number is calculated from percentage by rounding up.
	//
	// This cannot be 0 if MaxUnavailable is 0. By default, 25% is used.
	//
	// Example: when this is set to 30%, the new RC can be scaled up by 30%
	// immediately when the rolling update starts. Once old pods have been
	// killed, new RC can be scaled up further, ensuring that total number of
	// pods running at any time during the update is at most 130% of original
	// pods.
	MaxSurge intstr.IntOrString `json:"maxSurge"`
	// Pre is a lifecycle hook which is executed before the deployment process
	// begins. All LifecycleHookFailurePolicy values are supported.
	Pre *LifecycleHook `json:"pre,omitempty"`
	// Post is a lifecycle hook which is executed after the strategy has
	// finished all deployment logic. All LifecycleHookFailurePolicy values
	// are supported.
	Post *LifecycleHook `json:"post,omitempty"`
}

RollingDeploymentStrategyParams are the input to the Rolling deployment strategy.

type Service

// Service is the package's reduced view of a Kubernetes Service. No JSON
// tags: in-process use only.
type Service struct {
	UID         string
	Name        string
	Domain      string
	Labels      map[string]string
	IPs         []net.IP          // cluster-side addresses of the service
	Selector    map[string]string // pod selector of the service
	Type        string            // service type; the ServiceType* constants in this package name the expected values
	ExternalIPs []net.IP          // addresses reachable from outside the cluster — worth tracking separately since they widen exposure
}

type StatefulSet

// StatefulSet is the package's reduced view of a Kubernetes StatefulSet:
// identity only. No JSON tags: in-process use only.
type StatefulSet struct {
	UID    string
	Name   string
	Domain string
}

type TagImageHook

// TagImageHook is a request to tag the image in a particular container onto an ImageStreamTag.
type TagImageHook struct {
	// ContainerName is the name of a container in the deployment config whose image value will be used as the source of the tag. If there is only a single
	// container this value will be defaulted to the name of that container.
	ContainerName string `json:"containerName"`
	// To is the target ImageStreamTag to set the container's image onto.
	To kapi.ObjectReference `json:"to"`
}

TagImageHook is a request to tag the image in a particular container onto an ImageStreamTag.
