validate

package


Constants

// Names of the container-capabilities validations. A validation's name is the
// value handed to NewValidation and, per AnnotationOverride and
// EnvironmetVariableOverride, the key from which its override is derived.
const (
	// AddCapabilitiesValidationName names the check that a container does not
	// add capabilities (presumably backed by AddCapabilities — confirm).
	AddCapabilitiesValidationName  = "verify-add-container-capabilities"
	// DropCapabilitiesValidationName names the check that a container drops
	// the required capabilities (presumably backed by DropCapabilities — confirm).
	DropCapabilitiesValidationName = "verify-drop-container-capabilities"
)
// Names of the host-namespace validations. Each name is the value handed to
// NewValidation and the key from which AnnotationOverride and
// EnvironmetVariableOverride derive their overrides.
const (
	// HostPIDValidationName names the check for a pod requesting hostPID.
	HostPIDValidationName     = "host-pid"
	// HostIPCValidationName names the check for a pod requesting hostIPC.
	HostIPCValidationName     = "host-ipc"
	// HostNetworkValidationName names the check for a pod requesting hostNetwork.
	HostNetworkValidationName = "host-network"
)
// Name and configuration variables of the trusted-image-registry validation.
const (
	// ImageRegistryValidationName names the check that pod images come from a
	// trusted registry (see ImageRegistry and ErrPodImageRegistry).
	ImageRegistryValidationName = "trusted-image-registry"
	// ImageRegistryEnv is the environment variable naming a single trusted
	// registry. Its exact format and how it is matched against image
	// references are not shown on this page — confirm in the source before
	// relying on it, since the match is what decides trust.
	ImageRegistryEnv            = "TRUSTED_IMAGE_REGISTRY"
	// ImageRegistriesEnv is the environment variable naming several trusted
	// registries; the list separator is not shown here — confirm in the source.
	ImageRegistriesEnv          = "TRUSTED_IMAGE_REGISTRIES"
)
// Names of the privilege-related validations. Each name is the value handed
// to NewValidation and the key from which AnnotationOverride and
// EnvironmetVariableOverride derive their overrides.
const (
	// RunAsNonRootValidationName names the check that a pod or container
	// enforces running as a non-root user (see RunAsNonRoot).
	RunAsNonRootValidationName             = "run-as-non-root"
	// PrivilegedValidationName names the check for privileged containers
	// (see Privileged).
	PrivilegedValidationName               = "privileged-container"
	// AllowPrivilegeEscalationValidationName names the check for containers
	// that allow privilege escalation (see AllowPrivilegeEscalation).
	AllowPrivilegeEscalationValidationName = "privilege-escalation-container"
)
const (
	// DefaultServiceAccountValidationName names the check that a pod does not
	// run with the namespace default (or an empty) service account; see
	// DefaultServiceAccount and the ErrPodDefaultServiceAccount /
	// ErrPodMissingServiceAccount errors.
	DefaultServiceAccountValidationName = "default-service-account"
)
// SkipValidationEnvValue is the value an override is compared against when
// deciding whether a validation is skipped. Which override is read
// (EnvironmetVariableOverride, AnnotationOverride, or both) and whether a
// match skips or enables the check are not shown on this page — confirm in
// the source, because this value is what lets a check be switched off.
const SkipValidationEnvValue = "false"

Variables

// Sentinel errors of the container-capabilities validations. Compare with
// errors.Is; each is presumably passed as the parentErr of Validation.Failed
// by the corresponding validation (AddCapabilities / DropCapabilities).
var (
	// ErrContainerRequestAddCapabilities reports a container that requests
	// additional (escalated) capabilities.
	ErrContainerRequestAddCapabilities  = errors.New("unable to permit container adding escalated capabilities")
	// ErrContainerMissingDropCapabilities reports a container whose drop list
	// contains neither ALL nor NET_RAW.
	ErrContainerMissingDropCapabilities = errors.New("unable to permit container missing either drop capabilities of ALL or NET_RAW")
)
// Sentinel errors of the host-namespace validations. Compare with errors.Is;
// each is presumably passed as the parentErr of Validation.Failed by the
// corresponding validation (HostPID / HostIPC / HostNetwork).
var (
	// ErrPodHostPID reports a pod that sets hostPID.
	ErrPodHostPID     = errors.New("unable to permit pod with hostPID")
	// ErrPodHostIPC reports a pod that sets hostIPC.
	ErrPodHostIPC     = errors.New("unable to permit pod with hostIPC")
	// ErrPodHostNetwork reports a pod that sets hostNetwork.
	ErrPodHostNetwork = errors.New("unable to permit pod with hostNetwork")
)
// Sentinel errors of the privilege-related validations. Compare with
// errors.Is; each is presumably passed as the parentErr of Validation.Failed
// by the corresponding validation (RunAsNonRoot / Privileged /
// AllowPrivilegeEscalation).
var (
	// ErrPodRunAsNonRoot reports a pod that does not enforce a non-root user.
	ErrPodRunAsNonRoot          = errors.New("unable to permit pod attempting to run as root")
	// ErrContainerPrivileged reports a privileged container.
	ErrContainerPrivileged      = errors.New("unable to permit privileged container")
	// ErrContainerAllowPrivileged reports a container that allows privilege
	// escalation.
	ErrContainerAllowPrivileged = errors.New("unable to permit container which allows privileged escalation")
)
// Sentinel errors of the default-service-account validation. Compare with
// errors.Is; presumably passed as the parentErr of Validation.Failed by
// DefaultServiceAccount.
var (
	// ErrPodDefaultServiceAccount reports a pod using the namespace default
	// service account.
	ErrPodDefaultServiceAccount = errors.New("unable to permit pod attempting to use the default service account")
	// ErrPodMissingServiceAccount reports a pod with an empty service account
	// name (which would also resolve to the default account).
	ErrPodMissingServiceAccount = errors.New("unable to permit pod attempting to use empty service account")
)
// ErrPodImageRegistry reports a pod whose images come from a registry not
// listed as trusted (see ImageRegistry, ImageRegistryEnv and
// ImageRegistriesEnv). Compare with errors.Is.
var ErrPodImageRegistry = errors.New("unable to permit pod with images from an untrusted registry")

Functions

func AddCapabilities added in v0.1.0

func AddCapabilities(validation *Validation) (bool, error)

AddCapabilities validates whether a pod spec has the appropriate add capabilities set.

func AllowPrivilegeEscalation added in v0.1.0

func AllowPrivilegeEscalation(validation *Validation) (bool, error)

AllowPrivilegeEscalation validates whether a container is allowing privilege escalation.

func DefaultServiceAccount added in v0.1.0

func DefaultServiceAccount(validation *Validation) (bool, error)

DefaultServiceAccount validates whether a pod is attempting to launch with the namespace default service account.

func DropCapabilities added in v0.1.0

func DropCapabilities(validation *Validation) (bool, error)

DropCapabilities validates whether a pod spec has the appropriate drop capabilities set.

func HostIPC added in v0.1.0

func HostIPC(validation *Validation) (bool, error)

HostIPC validates whether a pod spec has the hostIPC value set.

func HostNetwork added in v0.1.0

func HostNetwork(validation *Validation) (bool, error)

HostNetwork validates whether a pod is requesting binding to the host network.

func HostPID added in v0.1.0

func HostPID(validation *Validation) (bool, error)

HostPID validates whether a pod spec has the hostPID value set.

func ImageRegistry added in v0.1.0

func ImageRegistry(validation *Validation) (bool, error)

ImageRegistry validates whether the images in a pod spec come from a trusted registry.

func Privileged added in v0.1.0

func Privileged(validation *Validation) (bool, error)

Privileged validates whether a pod spec has the privileged value set.

func RunAsNonRoot added in v0.1.0

func RunAsNonRoot(validation *Validation) (bool, error)

RunAsNonRoot validates whether a container or pod is set to enforce running as a non-root user.

Types

type Validation

// Validation is one check run against a resource's pod spec. Build it with
// NewValidation and run it with Execute; Failed builds the failing result.
type Validation struct {
	// Name identifies the validation (one of the *ValidationName constants).
	// AnnotationOverride and EnvironmetVariableOverride derive their override
	// keys from it.
	Name     string
	// Resource is the object being validated.
	Resource client.Object
	// PodSpec is the pod spec the validation inspects. Whether a nil PodSpec
	// is tolerated by Execute is not shown on this page — confirm.
	PodSpec  *corev1.PodSpec
	// Run is the ValidationLogic that Execute invokes.
	Run      ValidationLogic
	// Skip marks the validation as bypassed. How it is set (presumably from
	// the annotation or environment override compared with
	// SkipValidationEnvValue) is not shown here — confirm. Since an
	// annotation override would let whoever can edit the Resource disable
	// the check, that path deserves the same scrutiny as the check itself.
	Skip     bool
}

func NewValidation

func NewValidation(name string, validateLogic ValidationLogic) *Validation

NewValidation returns an instance of a new validation.

func (*Validation) AnnotationOverride

func (validation *Validation) AnnotationOverride() string

AnnotationOverride returns the expected annotation variable override given the name of the validation.

func (*Validation) EnvironmetVariableOverride

func (validation *Validation) EnvironmetVariableOverride() string

EnvironmetVariableOverride returns the expected environment variable override given the name of the validation.

func (*Validation) Execute

func (validation *Validation) Execute() (bool, error)

Execute executes the validation logic.

func (*Validation) Failed

func (validation *Validation) Failed(parentErr error, failedContainers ...corev1.Container) (bool, error)

Failed returns false together with an error describing the failed validation; ValidationLogic functions use it to report that the check did not pass.

type ValidationLogic

// ValidationLogic is the function a Validation runs. It has the same shape as
// the package-level validations (HostPID, Privileged, ...): true when the
// resource passes, otherwise false and an error — the pair that
// Validation.Failed produces.
type ValidationLogic func(*Validation) (bool, error)
