Constants ¶
// ExpectedContainers is the number of containers ValidateSecurityContexts is
// expected to find when it walks a TestManifest. Pinning the count means a
// container added to the charts cannot silently go unvalidated: the test fails
// until this value is updated on purpose.
const (
	ExpectedContainers = 21
)
ExpectedContainers is the number of containers that ValidateSecurityContexts is expected to find when it is called on a TestManifest. Keep it in step with the charts: a container that is added without bumping this value fails the count check, which is what keeps every container under security-context validation.
Variables ¶
// ApplyClusterIngressSecurityDefaults adjusts a security context to the
// defaults expected for the ClusterIngress proxy: the root filesystem becomes
// read-only, every capability is dropped and only NET_BIND_SERVICE is added
// back (the one capability a non-root proxy needs to bind privileged ports).
// RunAsUser is intentionally left untouched here.
var ApplyClusterIngressSecurityDefaults = ApplyContainerSecurityDefaults(func(sc *corev1.SecurityContext) {
	sc.ReadOnlyRootFilesystem = ptr.To(true)
	sc.Capabilities = &corev1.Capabilities{
		Drop: []corev1.Capability{"ALL"},
		Add:  []corev1.Capability{"NET_BIND_SERVICE"},
	}
})
ApplyClusterIngressSecurityDefaults updates the security context to match the defaults for the ClusterIngress service
// ApplyDiscoverySecurityDefaults adjusts a security context to the defaults
// expected for the discovery container: a read-only root filesystem and an
// explicit RunAsUser of defaultRunAsUser. Capabilities are not touched, so the
// baseline "drop ALL" from GetDefaultRestrictedContainerSecurityContext stays
// in force. Despite the name, DefaultOverrides also applies it to the gloo and
// gateway-proxy containers.
var ApplyDiscoverySecurityDefaults = ApplyContainerSecurityDefaults(func(sc *corev1.SecurityContext) {
	sc.RunAsUser = ptr.To(int64(defaultRunAsUser))
	sc.ReadOnlyRootFilesystem = ptr.To(true)
})
ApplyDiscoverySecurityDefaults updates the security context to match the defaults for the discovery container (read-only root filesystem plus an explicit RunAsUser). DefaultOverrides also reuses it for the gloo and gateway-proxy containers.
// ApplyKnativeSecurityDefaults adjusts a security context to the defaults
// expected for the Knative proxies (and, per DefaultOverrides, the ingress
// proxy): all capabilities dropped with only NET_BIND_SERVICE added back, a
// read-only root filesystem, and RunAsUser pinned to defaultRunAsUser. It is
// the union of ApplyClusterIngressSecurityDefaults and
// ApplyRunAsUserSecurityDefaults.
var ApplyKnativeSecurityDefaults = ApplyContainerSecurityDefaults(func(sc *corev1.SecurityContext) {
	sc.Capabilities = &corev1.Capabilities{
		Drop: []corev1.Capability{"ALL"},
		Add:  []corev1.Capability{"NET_BIND_SERVICE"},
	}
	sc.ReadOnlyRootFilesystem = ptr.To(true)
	sc.RunAsUser = ptr.To(int64(defaultRunAsUser))
})
ApplyKnativeSecurityDefaults updates the security context to match the defaults for Knative services
// ApplyNilSecurityDefaults is the no-op ApplyContainerSecurityDefaults: it
// leaves the security context exactly as built by
// GetDefaultRestrictedContainerSecurityContext. Use it for containers that
// need no template-specific adjustments.
var ApplyNilSecurityDefaults = ApplyContainerSecurityDefaults(func(*corev1.SecurityContext) {})
ApplyNilSecurityDefaults is a function that does nothing and can be used as a default value for ApplyContainerSecurityDefaults
// ApplyRunAsUserSecurityDefaults sets only RunAsUser, to defaultRunAsUser, and
// leaves every other field of the security context as the baseline produced
// it. Note that it does not expect a read-only root filesystem.
var ApplyRunAsUserSecurityDefaults = ApplyContainerSecurityDefaults(func(sc *corev1.SecurityContext) {
	sc.RunAsUser = ptr.To(int64(defaultRunAsUser))
})
ApplyRunAsUserSecurityDefaults will update the runAsUser fields of the security context to the default value
// ContainerSecurityContextRoots lists the dot-separated Helm values paths at
// which each chart template reads its container security context. Order is
// preserved from the original listing; how callers consume the list is not
// shown in this file.
var ContainerSecurityContextRoots = []string{
	"accessLogger.accessLoggerContainerSecurityContext",                 // access logger
	"discovery.deployment.discoveryContainerSecurityContext",            // discovery
	"gateway.certGenJob.containerSecurityContext",                       // gateway certgen job
	"gatewayProxies.gatewayProxy.podTemplate.glooContainerSecurityContext", // gateway proxy
	"global.glooMtls.envoy.securityContext",                             // mTLS envoy sidecar
	"global.glooMtls.istioProxy.securityContext",                        // mTLS istio proxy
	"global.glooMtls.sds.securityContext",                               // mTLS sds
	"gloo.deployment.glooContainerSecurityContext",                      // gloo control plane
	"ingress.deployment.ingressContainerSecurityContext",                // ingress controller
	"ingressProxy.deployment.ingressProxyContainerSecurityContext",      // ingress proxy
	"settings.integrations.knative.proxy.containerSecurityContext",      // knative proxy
}
ContainerSecurityContextRoots is a list of paths to the root of the container security context in the Helm charts
// DefaultOverrides maps a resource name (Deployment, Job or CronJob) to a map
// of container name → ApplyContainerSecurityDefaults. It is used to generate
// the expected security context of specific containers; a container that is
// not listed here presumably receives the restricted baseline unchanged —
// confirm against the caller. Note that the certgen and kubectl-driven jobs
// only pin RunAsUser and do not expect a read-only root filesystem.
var DefaultOverrides = map[string]map[string]ApplyContainerSecurityDefaults{
	// control plane and data plane
	"gloo": {
		"gloo":          ApplyDiscoverySecurityDefaults,
		"envoy-sidecar": ApplyRunAsUserSecurityDefaults,
		"sds":           ApplyRunAsUserSecurityDefaults,
	},
	"discovery":     {"discovery": ApplyDiscoverySecurityDefaults},
	"gateway-proxy": {"gateway-proxy": ApplyDiscoverySecurityDefaults},

	// certificate generation jobs and cronjobs
	"gateway-certgen":           {"certgen": ApplyRunAsUserSecurityDefaults},
	"gateway-certgen-cronjob":   {"certgen": ApplyRunAsUserSecurityDefaults},
	"gloo-mtls-certgen":         {"certgen": ApplyRunAsUserSecurityDefaults},
	"gloo-mtls-certgen-cronjob": {"certgen": ApplyRunAsUserSecurityDefaults},

	// resource lifecycle and migration jobs
	"gloo-resource-cleanup":         {"kubectl": ApplyRunAsUserSecurityDefaults},
	"gloo-resource-migration":       {"kubectl": ApplyRunAsUserSecurityDefaults},
	"gloo-resource-rollout":         {"kubectl": ApplyRunAsUserSecurityDefaults},
	"gloo-resource-rollout-check":   {"kubectl": ApplyRunAsUserSecurityDefaults},
	"gloo-resource-rollout-cleanup": {"kubectl": ApplyRunAsUserSecurityDefaults},
	"prometheus-server-migration":   {"prometheus-server-migration": ApplyRunAsUserSecurityDefaults},

	// ingress and knative proxies
	"ingress-proxy":          {"ingress-proxy": ApplyKnativeSecurityDefaults},
	"clusteringress-proxy":   {"clusteringress-proxy": ApplyClusterIngressSecurityDefaults},
	"knative-external-proxy": {"knative-external-proxy": ApplyKnativeSecurityDefaults},
	"knative-internal-proxy": {"knative-internal-proxy": ApplyKnativeSecurityDefaults},
}
DefaultOverrides is a map of resource names (Deployments, Jobs and CronJobs) to a map of container names to ApplyContainerSecurityDefaults functions. It is used to generate the expected security contexts for specific containers in specific resources; a container that is not listed presumably keeps the unmodified restricted baseline.
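// GetDefaultRestrictedContainerSecurityContext builds the baseline container
// security context the tests expect, then lets applyContainerDefaults adjust
// it for a specific container.
//
// The baseline is: RunAsNonRoot=true, AllowPrivilegeEscalation=false, all
// capabilities dropped, and a SeccompProfile of the given seccompType. An
// empty seccompType falls back to "RuntimeDefault". No other validation is
// performed on seccompType: an unrecognised value, or "Unconfined", is passed
// through verbatim and simply becomes what the test asserts against.
//
// applyContainerDefaults runs after the baseline is built and can therefore
// loosen it (for example by adding a capability back), so read each override
// with that in mind. A nil applyContainerDefaults is treated as a no-op
// instead of panicking, which makes ApplyNilSecurityDefaults optional.
var GetDefaultRestrictedContainerSecurityContext = func(seccompType string, applyContainerDefaults ApplyContainerSecurityDefaults) *corev1.SecurityContext {
	if seccompType == "" {
		seccompType = "RuntimeDefault"
	}
	sc := &corev1.SecurityContext{
		RunAsNonRoot:             ptr.To(true),
		AllowPrivilegeEscalation: ptr.To(false),
		Capabilities: &corev1.Capabilities{
			Drop: []corev1.Capability{"ALL"},
		},
		SeccompProfile: &corev1.SeccompProfile{
			Type: corev1.SeccompProfileType(seccompType),
		},
	}
	// Container-specific adjustments are applied last and may override any
	// baseline field; a nil func means "no adjustments".
	if applyContainerDefaults != nil {
		applyContainerDefaults(sc)
	}
	return sc
}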
GetDefaultRestrictedContainerSecurityContext builds the default restricted container security context (RunAsNonRoot, no privilege escalation, all capabilities dropped), sets its SeccompProfile to the provided `seccompType` (defaulting to `RuntimeDefault` when empty; the value is not otherwise validated), and then applies the `applyContainerDefaults` function to it. Because the override runs last, it can loosen as well as tighten the baseline.
Functions ¶
func FilterAndValidateSecurityContexts ¶
func FilterAndValidateSecurityContexts( testManifest TestManifest, validateContainer func(container corev1.Container, resourceName string), containerMatcher types.GomegaMatcher, filter func(resource *unstructured.Unstructured) bool, )
FilterAndValidateSecurityContexts filters the resources in the TestManifest using the provided filter function and applies the passed validateContainer function to each container in the resources that pass the filter. As shown above it has no return value; the number of containers found is presumably checked against containerMatcher (see ExpectedContainers) rather than returned.
func ValidateSecurityContexts ¶
func ValidateSecurityContexts(testManifest TestManifest, validateContainer func(container corev1.Container, resourceName string), containerMatcher types.GomegaMatcher)
ValidateSecurityContexts passes the TestManifest, validateContainer function and containerMatcher through to FilterAndValidateSecurityContexts with a filter that selects Deployment, Job and CronJob resources for validation. Other workload kinds are not visited.
Types ¶
type ApplyContainerSecurityDefaults ¶
// ApplyContainerSecurityDefaults mutates a SecurityContext in place. Tests use
// it to adjust the "expected" restricted security context of a container to
// the template-specific defaults (see DefaultOverrides). Each implementation
// assigns only the fields it cares about; every other baseline field is left
// as built.
type ApplyContainerSecurityDefaults func(*corev1.SecurityContext)
ApplyContainerSecurityDefaults describes a function that modifies a SecurityContext in place. These functions are used in testing to adjust the default "expected" restricted security context of a container to the template-specific defaults; each one sets only the fields it cares about and leaves the rest of the baseline untouched.