securitycontext

package
v1.17.21
Published: Jan 8, 2025 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation


Constants

const ExpectedContainers = 21

ExpectedContainers is the number of expected containers found when ValidateSecurityContexts is called on a TestManifest

Variables

var ApplyClusterIngressSecurityDefaults = ApplyContainerSecurityDefaults(func(securityContext *corev1.SecurityContext) {
	securityContext.Capabilities = &corev1.Capabilities{
		Drop: []corev1.Capability{"ALL"},
		Add:  []corev1.Capability{"NET_BIND_SERVICE"},
	}
	securityContext.ReadOnlyRootFilesystem = ptr.To(true)
})

ApplyClusterIngressSecurityDefaults updates the security context to match the defaults for the ClusterIngress service: all capabilities dropped with NET_BIND_SERVICE added back, and a read-only root filesystem.

var ApplyDiscoverySecurityDefaults = ApplyContainerSecurityDefaults(func(securityContext *corev1.SecurityContext) {
	securityContext.ReadOnlyRootFilesystem = ptr.To(true)
	securityContext.RunAsUser = ptr.To(int64(defaultRunAsUser))
})

ApplyDiscoverySecurityDefaults updates the security context to match the defaults for the discovery container: a read-only root filesystem and runAsUser set to the default UID.

var ApplyKnativeSecurityDefaults = ApplyContainerSecurityDefaults(func(securityContext *corev1.SecurityContext) {
	securityContext.RunAsUser = ptr.To(int64(defaultRunAsUser))
	securityContext.ReadOnlyRootFilesystem = ptr.To(true)
	securityContext.Capabilities = &corev1.Capabilities{
		Drop: []corev1.Capability{"ALL"},
		Add:  []corev1.Capability{"NET_BIND_SERVICE"},
	}
})

ApplyKnativeSecurityDefaults updates the security context to match the defaults for Knative services

var ApplyNilSecurityDefaults = ApplyContainerSecurityDefaults(func(securityContext *corev1.SecurityContext) {})

ApplyNilSecurityDefaults is a function that does nothing and can be used as a default value for ApplyContainerSecurityDefaults

var ApplyRunAsUserSecurityDefaults = ApplyContainerSecurityDefaults(func(securityContext *corev1.SecurityContext) {
	securityContext.RunAsUser = ptr.To(int64(defaultRunAsUser))
})

ApplyRunAsUserSecurityDefaults updates the runAsUser field of the security context to the default value and leaves everything else at the restricted baseline.

var ContainerSecurityContextRoots = []string{
	"accessLogger.accessLoggerContainerSecurityContext",
	"discovery.deployment.discoveryContainerSecurityContext",
	"gateway.certGenJob.containerSecurityContext",
	"gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext",
	"global.glooMtls.envoy.securityContext",
	"global.glooMtls.istioProxy.securityContext",
	"global.glooMtls.sds.securityContext",
	"gloo.deployment.glooContainerSecurityContext",
	"ingress.deployment.ingressContainerSecurityContext",
	"ingressProxy.deployment.ingressProxyContainerSecurityContext",
	"settings.integrations.knative.proxy.containerSecurityContext",
}

ContainerSecurityContextRoots is the list of Helm values paths under which each container's securityContext is configured in the charts.

var DefaultOverrides = map[string]map[string]ApplyContainerSecurityDefaults{
	"gloo": {
		"gloo":          ApplyDiscoverySecurityDefaults,
		"envoy-sidecar": ApplyRunAsUserSecurityDefaults,
		"sds":           ApplyRunAsUserSecurityDefaults,
	},
	"discovery":                     {"discovery": ApplyDiscoverySecurityDefaults},
	"gateway-proxy":                 {"gateway-proxy": ApplyDiscoverySecurityDefaults},
	"gloo-mtls-certgen":             {"certgen": ApplyRunAsUserSecurityDefaults},
	"gloo-resource-cleanup":         {"kubectl": ApplyRunAsUserSecurityDefaults},
	"gloo-resource-migration":       {"kubectl": ApplyRunAsUserSecurityDefaults},
	"gloo-resource-rollout-check":   {"kubectl": ApplyRunAsUserSecurityDefaults},
	"gloo-resource-rollout-cleanup": {"kubectl": ApplyRunAsUserSecurityDefaults},
	"gloo-resource-rollout":         {"kubectl": ApplyRunAsUserSecurityDefaults},
	"prometheus-server-migration":   {"prometheus-server-migration": ApplyRunAsUserSecurityDefaults},
	"gateway-certgen":               {"certgen": ApplyRunAsUserSecurityDefaults},
	"ingress-proxy":                 {"ingress-proxy": ApplyKnativeSecurityDefaults},
	"clusteringress-proxy":          {"clusteringress-proxy": ApplyClusterIngressSecurityDefaults},
	"knative-external-proxy":        {"knative-external-proxy": ApplyKnativeSecurityDefaults},
	"knative-internal-proxy":        {"knative-internal-proxy": ApplyKnativeSecurityDefaults},
	"gloo-mtls-certgen-cronjob":     {"certgen": ApplyRunAsUserSecurityDefaults},
	"gateway-certgen-cronjob":       {"certgen": ApplyRunAsUserSecurityDefaults},
}

DefaultOverrides is a map of resource names to a map of container names to ApplyContainerSecurityDefaults functions. It is used to generate the expected security contexts for specific containers in specific jobs and deployments.

var GetDefaultRestrictedContainerSecurityContext = func(seccompType string, applyContainerDefaults ApplyContainerSecurityDefaults) *corev1.SecurityContext {

	if seccompType == "" {
		seccompType = "RuntimeDefault"
	}

	defaultRestrictedContainerSecurityContext := &corev1.SecurityContext{
		RunAsNonRoot:             ptr.To(true),
		AllowPrivilegeEscalation: ptr.To(false),
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
		SeccompProfile: &corev1.SeccompProfile{
			Type: corev1.SeccompProfileType(seccompType),
		},
	}
	applyContainerDefaults(defaultRestrictedContainerSecurityContext)
	return defaultRestrictedContainerSecurityContext
}

GetDefaultRestrictedContainerSecurityContext builds the restricted baseline (runAsNonRoot, no privilege escalation, all capabilities dropped, and a SeccompProfile of the provided `seccompType`, defaulting to RuntimeDefault when empty) and then applies `applyContainerDefaults` to it. Because the override runs after the baseline, it can add fields back (for example NET_BIND_SERVICE, the only capability the Pod Security Standards restricted profile permits in `add`) but can equally weaken the baseline, so any new override should be checked against that profile.
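The following is an added example, not code from this package, showing the baseline-then-override pattern described above together with a check of the result against the Pod Security Standards "restricted" profile. It uses local stand-in types with the same field names as corev1.SecurityContext (an assumption, so it runs without the k8s.io/api module), an assumed value for defaultRunAsUser, which the page references but does not show, and an invented override that weakens the baseline to show why the check matters.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-ins for the corev1.SecurityContext fields this page's helpers touch
// (assumption: same field names and pointer semantics as k8s.io/api/core/v1).
type Capabilities struct {
	Add  []string
	Drop []string
}

type SecurityContext struct {
	RunAsNonRoot             *bool
	RunAsUser                *int64
	AllowPrivilegeEscalation *bool
	Privileged               *bool
	ReadOnlyRootFilesystem   *bool
	Capabilities             *Capabilities
	SeccompProfileType       string
}

func boolPtr(b bool) *bool    { return &b }
func int64Ptr(n int64) *int64 { return &n }

type ApplyContainerSecurityDefaults func(*SecurityContext)

// Assumed value: the page references defaultRunAsUser but does not show it.
const defaultRunAsUser int64 = 10101

// RestrictedContext builds the restricted baseline and then lets the
// template-specific override mutate it, in the same order as the page's function.
func RestrictedContext(seccompType string, apply ApplyContainerSecurityDefaults) *SecurityContext {
	if seccompType == "" {
		seccompType = "RuntimeDefault"
	}
	sc := &SecurityContext{
		RunAsNonRoot:             boolPtr(true),
		AllowPrivilegeEscalation: boolPtr(false),
		Capabilities:             &Capabilities{Drop: []string{"ALL"}},
		SeccompProfileType:       seccompType,
	}
	apply(sc)
	return sc
}

// Same shape as ApplyKnativeSecurityDefaults: a proxy binding ports 80/443
// needs NET_BIND_SERVICE, the only capability "restricted" lets you add back.
var ApplyKnativeDefaults ApplyContainerSecurityDefaults = func(sc *SecurityContext) {
	sc.RunAsUser = int64Ptr(defaultRunAsUser)
	sc.ReadOnlyRootFilesystem = boolPtr(true)
	sc.Capabilities = &Capabilities{Drop: []string{"ALL"}, Add: []string{"NET_BIND_SERVICE"}}
}

// Invented bad override: since it runs after the baseline, nothing stops it
// from replacing the Drop list or turning on privileged.
var ApplyPrivilegedOverride ApplyContainerSecurityDefaults = func(sc *SecurityContext) {
	sc.Privileged = boolPtr(true)
	sc.Capabilities = &Capabilities{Add: []string{"SYS_ADMIN"}}
}

// RestrictedViolations lists each Pod Security Standards "restricted" rule
// (v1.25+) that a container-level context fails; the pod-level alternatives
// for runAsNonRoot and seccomp are not considered here. Empty means compliant.
func RestrictedViolations(sc *SecurityContext) []string {
	if sc == nil {
		return []string{"securityContext is unset"}
	}
	var v []string
	if sc.Privileged != nil && *sc.Privileged {
		v = append(v, "privileged must not be true")
	}
	if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
		v = append(v, "allowPrivilegeEscalation must be explicitly false")
	}
	if sc.RunAsNonRoot == nil || !*sc.RunAsNonRoot {
		v = append(v, "runAsNonRoot must be true")
	}
	if sc.RunAsUser != nil && *sc.RunAsUser == 0 {
		v = append(v, "runAsUser must not be 0")
	}
	if sc.SeccompProfileType != "RuntimeDefault" && sc.SeccompProfileType != "Localhost" {
		v = append(v, "seccompProfile.type must be RuntimeDefault or Localhost")
	}
	dropAll := false
	if sc.Capabilities != nil {
		for _, c := range sc.Capabilities.Drop {
			dropAll = dropAll || c == "ALL"
		}
		for _, c := range sc.Capabilities.Add {
			if c != "NET_BIND_SERVICE" {
				v = append(v, "capabilities.add may only contain NET_BIND_SERVICE, got "+c)
			}
		}
	}
	if !dropAll {
		v = append(v, "capabilities.drop must include ALL")
	}
	sort.Strings(v)
	return v
}

func main() {
	fmt.Println("nil override:       ", RestrictedViolations(RestrictedContext("", func(*SecurityContext) {})))
	fmt.Println("knative override:   ", RestrictedViolations(RestrictedContext("", ApplyKnativeDefaults)))
	fmt.Println("privileged override:", RestrictedViolations(RestrictedContext("", ApplyPrivilegedOverride)))
}
```

The Knative-style override passes because it keeps Drop: ALL and adds only NET_BIND_SERVICE; the privileged one fails three rules at once, which is the kind of regression a test built on this package is meant to catch.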

Functions

func FilterAndValidateSecurityContexts

func FilterAndValidateSecurityContexts(
	testManifest TestManifest,
	validateContainer func(container corev1.Container, resourceName string),
	containerMatcher types.GomegaMatcher,
	filter func(resource *unstructured.Unstructured) bool,
)

FilterAndValidateSecurityContexts filters the resources in the TestManifest with the provided filter function and calls validateContainer on every container of each resource that passes the filter. The published doc comment says it returns the number of non-filtered containers found, but the signature above has no return value; the count is presumably what `containerMatcher` is asserted against (compare ExpectedContainers), so check the source before relying on a returned count.

func ValidateSecurityContexts

func ValidateSecurityContexts(testManifest TestManifest, validateContainer func(container corev1.Container, resourceName string), containerMatcher types.GomegaMatcher)

ValidateSecurityContexts passes the TestManifest, validateContainer function and containerMatcher through to FilterAndValidateSecurityContexts with a filter that selects only Deployment, Job, and CronJob resources for validation.
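As an added example, not this package's implementation, the walk below shows what such a filter-and-validate pass has to do with unstructured manifest data: pick the pod spec path per kind (Deployments and Jobs keep it under spec.template, CronJobs under spec.jobTemplate.spec.template), skip everything else, run a validator over each container, and return the container count for the caller to assert on. It goes beyond the page's description in also walking initContainers, which need the same security context. The manifest is a constructed JSON sample (Helm output is YAML, which decodes to the same maps) and the resource and container names are illustrative only.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample manifest: two workloads with a missing securityContext
// on one sidecar, a CronJob, and a Service that the filter must ignore.
const sampleManifest = `[
 {"kind":"Deployment","metadata":{"name":"gloo"},"spec":{"template":{"spec":{"containers":[
   {"name":"gloo","securityContext":{"runAsNonRoot":true}},
   {"name":"envoy-sidecar"}]}}}},
 {"kind":"Job","metadata":{"name":"gateway-certgen"},"spec":{"template":{"spec":{
   "initContainers":[{"name":"wait-for-gloo","securityContext":{"runAsNonRoot":true}}],
   "containers":[{"name":"certgen","securityContext":{"runAsNonRoot":true}}]}}}},
 {"kind":"CronJob","metadata":{"name":"gateway-certgen-cronjob"},"spec":{"jobTemplate":{"spec":{"template":{"spec":{"containers":[
   {"name":"certgen","securityContext":{"runAsNonRoot":true}}]}}}}}},
 {"kind":"Service","metadata":{"name":"gloo"},"spec":{"ports":[]}}
]`

// Resource is the unstructured form of one rendered object.
type Resource map[string]interface{}

func (r Resource) Kind() string { k, _ := r["kind"].(string); return k }

func (r Resource) Name() string {
	meta, _ := r["metadata"].(map[string]interface{})
	n, _ := meta["name"].(string)
	return n
}

// podSpecPath encodes the Deployment/Job/CronJob filter: where each kind keeps
// its pod spec. Any other kind yields nil and is skipped.
func podSpecPath(kind string) []string {
	switch kind {
	case "Deployment", "Job":
		return []string{"spec", "template", "spec"}
	case "CronJob":
		return []string{"spec", "jobTemplate", "spec", "template", "spec"}
	}
	return nil
}

func IsWorkload(r Resource) bool { return podSpecPath(r.Kind()) != nil }

// dig follows a path of map keys, failing if any hop is missing or not an object.
func dig(obj map[string]interface{}, path []string) (map[string]interface{}, bool) {
	cur := obj
	for _, p := range path {
		next, ok := cur[p].(map[string]interface{})
		if !ok {
			return nil, false
		}
		cur = next
	}
	return cur, true
}

// FilterAndValidate calls validate on every init container and container of
// each resource the filter admits and returns how many containers it visited.
func FilterAndValidate(manifest []byte, validate func(container map[string]interface{}, resourceName string), filter func(Resource) bool) (int, error) {
	var resources []Resource
	if err := json.Unmarshal(manifest, &resources); err != nil {
		return 0, err
	}
	found := 0
	for _, r := range resources {
		if !filter(r) {
			continue
		}
		podSpec, ok := dig(r, podSpecPath(r.Kind()))
		if !ok {
			return found, fmt.Errorf("%s/%s: pod spec not found at expected path", r.Kind(), r.Name())
		}
		for _, field := range []string{"initContainers", "containers"} {
			list, _ := podSpec[field].([]interface{})
			for _, c := range list {
				container, _ := c.(map[string]interface{})
				validate(container, r.Name())
				found++
			}
		}
	}
	return found, nil
}

// MissingSecurityContext reports "resource/container" for every container that
// has no securityContext at all, plus the total number of containers checked.
func MissingSecurityContext(manifest []byte) ([]string, int, error) {
	var missing []string
	n, err := FilterAndValidate(manifest, func(c map[string]interface{}, res string) {
		if _, ok := c["securityContext"]; !ok {
			name, _ := c["name"].(string)
			missing = append(missing, res+"/"+name)
		}
	}, IsWorkload)
	return missing, n, err
}

func main() {
	missing, n, err := MissingSecurityContext([]byte(sampleManifest))
	fmt.Println("containers checked:", n, "missing securityContext:", missing, "err:", err)
}
```

Returning the count (or asserting it against a constant such as ExpectedContainers) is what protects the test from silently passing when a new chart template changes a path and the walk finds nothing to validate.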

Types

type ApplyContainerSecurityDefaults

type ApplyContainerSecurityDefaults func(*corev1.SecurityContext)

ApplyContainerSecurityDefaults describes a function that modifies a SecurityContext. These functions are used in testing to modify the default "expected" security context of a container to match the template-specific defaults.
