k8s

package
v1.6.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 27, 2023 License: Apache-2.0 Imports: 31 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuiltIn 

func BuiltIn() catalog.BuiltIn

Types

type ContainerHelper added in v1.4.0 

type ContainerHelper interface {
	Configure(config *HCLConfig, log hclog.Logger) error
	GetOSSelectors(ctx context.Context, log hclog.Logger, containerStatus *corev1.ContainerStatus) ([]string, error)
	GetPodUIDAndContainerID(pID int32, log hclog.Logger) (types.UID, string, error)
}

type ExperimentalK8SConfig added in v1.6.0 

type ExperimentalK8SConfig struct {
	// Sigstore contains sigstore specific configs.
	Sigstore *SigstoreHCLConfig `hcl:"sigstore,omitempty"`
}

type HCLConfig 

type HCLConfig struct {
	// KubeletReadOnlyPort defines the read only port for the kubelet
	// (typically 10255). This option is mutally exclusive with
	// KubeletSecurePort.
	KubeletReadOnlyPort int `hcl:"kubelet_read_only_port"`

	// KubeletSecurePort defines the secure port for the kubelet (typically
	// 10250). This option is mutually exclusive with KubeletReadOnlyPort.
	KubeletSecurePort int `hcl:"kubelet_secure_port"`

	// MaxPollAttempts is the maximum number of polling attempts for the
	// container hosting the workload process.
	MaxPollAttempts int `hcl:"max_poll_attempts"`

	// PollRetryInterval is the time in between polling attempts.
	PollRetryInterval string `hcl:"poll_retry_interval"`

	// KubeletCAPath is the path to the CA certificate for authenticating the
	// kubelet over the secure port. Required when using the secure port unless
	// SkipKubeletVerification is set. Defaults to the cluster trust bundle.
	KubeletCAPath string `hcl:"kubelet_ca_path"`

	// SkipKubeletVerification controls whether or not the plugin will
	// verify the certificate presented by the kubelet.
	SkipKubeletVerification bool `hcl:"skip_kubelet_verification"`

	// TokenPath is the path to the bearer token used to authenticate to the
	// secure port. Defaults to the default service account token path unless
	// PrivateKeyPath and CertificatePath are specified.
	TokenPath string `hcl:"token_path"`

	// CertificatePath is the path to a certificate key used for client
	// authentication with the kubelet. Must be used with PrivateKeyPath.
	CertificatePath string `hcl:"certificate_path"`

	// PrivateKeyPath is the path to a private key used for client
	// authentication with the kubelet. Must be used with CertificatePath.
	PrivateKeyPath string `hcl:"private_key_path"`

	// UseAnonymousAuthentication controls whether or not communication to the
	// kubelet over the secure port is unauthenticated. This option is mutually
	// exclusive with other authentication configuration fields TokenPath,
	// CertificatePath, and PrivateKeyPath.
	UseAnonymousAuthentication bool `hcl:"use_anonymous_authentication"`

	// NodeNameEnv is the environment variable used to determine the node name
	// for contacting the kubelet. It defaults to "MY_NODE_NAME". If the
	// environment variable is not set, and NodeName is not specified, the
	// plugin will default to localhost (which requires host networking).
	NodeNameEnv string `hcl:"node_name_env"`

	// NodeName is the node name used when contacting the kubelet. If set, it
	// takes precedence over NodeNameEnv.
	NodeName string `hcl:"node_name"`

	// ReloadInterval controls how often TLS and token configuration is loaded
	// from the disk.
	ReloadInterval string `hcl:"reload_interval"`

	// DisableContainerSelectors disables the gathering of selectors for the
	// specific container running the workload. This allows attestation to
	// succeed with just pod related selectors when the workload pod is known
	// but the container may not be in a ready state at the time of attestation
	// (e.g. when a postStart hook has yet to complete).
	DisableContainerSelectors bool `hcl:"disable_container_selectors"`

	// Experimental enables experimental features.
	Experimental *ExperimentalK8SConfig `hcl:"experimental,omitempty"`
}

HCLConfig holds the configuration parsed from HCL

type Plugin 

type Plugin struct {
	workloadattestorv1.UnsafeWorkloadAttestorServer
	configv1.UnsafeConfigServer
	// contains filtered or unexported fields
}

func New 

func New() *Plugin

func (*Plugin) Attest 

func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error)

func (*Plugin) Configure 

func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) (resp *configv1.ConfigureResponse, err error)

func (*Plugin) SetLogger 

func (p *Plugin) SetLogger(log hclog.Logger)

type SigstoreHCLConfig added in v1.6.0 

type SigstoreHCLConfig struct {
	// EnforceSCT is the parameter to be set as false in case of a private deployment not using the public CT
	EnforceSCT *bool `hcl:"enforce_sct, omitempty"`

	// RekorURL is the URL for the rekor server to use to verify signatures and public keys
	RekorURL *string `hcl:"rekor_url,omitempty"`

	// SkippedImages is a list of images that should skip sigstore verification
	SkippedImages []string `hcl:"skip_signature_verification_image_list"`

	// AllowedSubjects is a list of subjects that should be allowed after verification
	AllowedSubjects map[string][]string `hcl:"allowed_subjects_list"`
}

SigstoreHCLConfig holds the sigstore configuration parsed from HCL

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.