config

package
v0.0.0-...-70b66e7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 20, 2022 License: Apache-2.0 Imports: 18 Imported by: 4

Documentation

Index

Constants

View Source 
const LogLevelEnvKey = "ISHIELD_LOG_LEVEL"

Variables

View Source 
var DefaultDryRunNS = "ishield-dryrun-ns"
View Source 
var DefaultRequestFilterProfile = []byte(`
skipObjects:
- kind: ConfigMap
  name: kube-root-ca.crt
- kind: ConfigMap
  name: openshift-service-ca.crt
ignoreFields:
- fields:
  - spec.host
  objects:
  - kind: Route
- fields:
  - metadata.namespace
  objects:
  - kind: ClusterServiceVersion
- fields:
  - metadata.labels.app.kubernetes.io/instance
  - metadata.managedFields.*
  - metadata.resourceVersion
  - metadata.selfLink
  - metadata.annotations.control-plane.alpha.kubernetes.io/leader
  - metadata.annotations.kubectl.kubernetes.io/last-applied-configuration
  - metadata.finalizers*
  - metadata.annotations.namespace
  - metadata.annotations.deprecated.daemonset.template.generation
  - metadata.creationTimestamp
  - metadata.uid
  - metadata.generation
  - status
  - metadata.annotations.deployment.kubernetes.io/revision
  - metadata.annotations.cosign.sigstore.dev/imageRef
  - metadata.annotations.cosign.sigstore.dev/bundle
  - metadata.annotations.cosign.sigstore.dev/message
  - metadata.annotations.cosign.sigstore.dev/certificate
  - metadata.annotations.cosign.sigstore.dev/signature
  objects:
  - name: '*'
- fields:
  - secrets.*.name
  - imagePullSecrets.*.name
  objects:
  - kind: ServiceAccount
- fields:
  - spec.ports.*.nodePort
  - spec.clusterIP
  - spec.clusterIPs.0
  objects:
  - kind: Service
- fields:
  - metadata.labels.olm.api.*
  - metadata.labels.operators.coreos.com/*
  - metadata.annotations.*
  - spec.install.spec.deployments.*.spec.template.spec.containers.*.resources.limits.cpu
  - spec.cleanup.enabled
  objects:
  - kind: ClusterServiceVersion
skipUsers:
- users: 
  - system:admin
  - system:apiserver
  - system:kube-scheduler
  - system:kube-controller-manager
  - system:serviceaccount:kube-system:generic-garbage-collector
  - system:serviceaccount:kube-system:attachdetach-controller
  - system:serviceaccount:kube-system:certificate-controller
  - system:serviceaccount:kube-system:clusterrole-aggregation-controller
  - system:serviceaccount:kube-system:cronjob-controller
  - system:serviceaccount:kube-system:disruption-controller
  - system:serviceaccount:kube-system:endpoint-controller
  - system:serviceaccount:kube-system:horizontal-pod-autoscaler
  - system:serviceaccount:kube-system:ibm-file-plugin
  - system:serviceaccount:kube-system:ibm-keepalived-watcher
  - system:serviceaccount:kube-system:ibmcloud-block-storage-plugin
  - system:serviceaccount:kube-system:job-controller
  - system:serviceaccount:kube-system:namespace-controller
  - system:serviceaccount:kube-system:node-controller
  - system:serviceaccount:kube-system:job-controller
  - system:serviceaccount:kube-system:pod-garbage-collector
  - system:serviceaccount:kube-system:pv-protection-controller
  - system:serviceaccount:kube-system:pvc-protection-controller
  - system:serviceaccount:kube-system:replication-controller
  - system:serviceaccount:kube-system:resourcequota-controller
  - system:serviceaccount:kube-system:service-account-controller
  - system:serviceaccount:kube-system:statefulset-controller
- objects: 
  - kind: ControllerRevision
  - kind: Pod
  users: 
  - system:serviceaccount:kube-system:daemon-set-controller
- objects: 
  - kind: Pod
  - kind: PersistentVolumeClaim
  users: 
  - system:serviceaccount:kube-system:persistent-volume-binder
- objects: 
  - kind: ReplicaSet
  users: 
  - system:serviceaccount:kube-system:deployment-controller
- objects: 
  - kind: Pod
  users:  
  - system:serviceaccount:kube-system:replicaset-controller
- objects: 
  - kind: PersistentVolumeClaim
  users: 
  - system:serviceaccount:kube-system:statefulset-controller
- objects: 
  - kind: ServiceAccount
  users: 
  - system:kube-controller-manager
- objects: 
  - kind: EndpointSlice
  users: 
  - system:serviceaccount:kube-system:endpointslice-controller
- objects: 
  - kind: Secret
  users: 
  - system:kube-controller-manager
- users: 
  - system:serviceaccount:openshift-marketplace:marketplace-operator
  - system:serviceaccount:openshift-monitoring:cluster-monitoring-operator
  - system:serviceaccount:openshift-network-operator:default
  - system:serviceaccount:openshift-monitoring:prometheus-operator
  - system:serviceaccount:openshift-cloud-credential-operator:default
  - system:serviceaccount:openshift-machine-config-operator:default
  - system:serviceaccount:openshift-infra:namespace-security-allocation-controller
  - system:serviceaccount:openshift-cluster-version:default
  - system:serviceaccount:openshift-authentication-operator:authentication-operator
  - system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
  - system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
  - system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
  - system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
  - system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
  - system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
  - system:serviceaccount:openshift-sdn:sdn-controller
  - system:serviceaccount:openshift-machine-api:cluster-autoscaler-operator
  - system:serviceaccount:openshift-machine-api:machine-api-operator
  - system:serviceaccount:openshift-machine-config-operator:machine-config-controller
  - system:serviceaccount:openshift-machine-api:machine-api-controllers
  - system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-controller-operator
  - system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
  - system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
  - system:serviceaccount:openshift-etcd-operator:etcd-operator
  - system:serviceaccount:openshift-service-ca:service-ca
  - system:serviceaccount:openshift-config-operator:openshift-config-operator
  - system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
  - system:serviceaccount:openshift-cluster-node-tuning-operator:cluster-node-tuning-operator
- objects:
  - namespace: openshift-service-ca, openshift-network-operator
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-ca:configmap-cabundle-injector-sa
- objects: 
  - namespace: openshift-service-ca-operator
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-ca-operator:service-ca-operator
- objects: 
  - namespace: openshift-service-catalog-controller-manager-operator
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-catalog-controller-manager-operator:openshift-service-catalog-controller-manager-operator
- objects: 
  - namespace: openshift-console-operator, openshift-console
  users: 
  - system:serviceaccount:openshift-console-operator:console-operator
- objects: 
  - namespace: openshift-service-ca
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-ca:apiservice-cabundle-injector-sa
  - namespace: openshift-service-ca
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-ca:service-serving-cert-signer-sa
- objects: 
  - namespace: openshift-service-catalog-apiserver-operator
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-catalog-apiserver-operator:openshift-service-catalog-apiserver-operator
- objects: 
  - namespace: openshift-operator-lifecycle-manager
  users: 
  - system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
- objects: 
  - namespace: openshift-cluster-node-tuning-operator
    kind: ConfigMap,DaemonSet
  users: 
  - system:serviceaccount:openshift-cluster-node-tuning-operator:cluster-node-tuning-operator
- objects: 
  - namespace: openshift
    kind: Secret
  users: 
  - system:serviceaccount:openshift-cluster-samples-operator:cluster-samples-operator
- objects: 
  - namespace: openshift-ingress
    kind: Deployment
  users: 
  - system:serviceaccount:openshift-ingress-operator:ingress-operator
- objects: 
  - kind: ServiceAccount, Secret
  users: 
  - system:serviceaccount:openshift-infra:serviceaccount-pull-secrets-controller
- objects: 
  - namespace: openshift-marketplace
    kind: Pod
  users: 
  - system:node:*
- objects: 
  - kind: ServiceAccount, InstallPlan, OperatorGroup, Role, RoleBinding, Deployment
  users: 
  - system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
- objects: 
  - kind: InstallPlan, Role, RoleBinding, Deployment
  users: 
  - system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
`)
View Source 
var LogLevelMap = map[string]log.Level{
	"panic": log.PanicLevel,
	"fatal": log.FatalLevel,
	"error": log.ErrorLevel,
	"warn":  log.WarnLevel,
	"info":  log.InfoLevel,
	"debug": log.DebugLevel,
	"trace": log.TraceLevel,
}

Functions

func SetupLogger 

func SetupLogger(config LogConfig)

func ValidateManifestVerifyRule 

func ValidateManifestVerifyRule(p *ManifestVerifyRule) error

validate ManifestVerifyRule

Types

type Action 

type Action struct {
	Mode          string `json:"mode,omitempty"`
	AdmissionOnly bool   `json:"admissionOnly,omitempty"`
}

enforce/inform mode

type DecisionReporter 

type DecisionReporter struct {
	// contains filtered or unexported fields
}

func InitDecisionReporter 

func InitDecisionReporter(config DecisionReporterConfig) *DecisionReporter

func (*DecisionReporter) SendLog 

func (cxLogger *DecisionReporter) SendLog(logRecord map[string]interface{})

type DecisionReporterConfig 

type DecisionReporterConfig struct {
	Enabled   bool  `json:"enabled,omitempty"`
	LimitSize int64 `json:"limitSize,omitempty"`
	File      string
}

type ImageProfile 

type ImageProfile struct {
	KeyConfigs []KeyConfig  `json:"keyConfigs,omitempty"`
	Match      ImageRefList `json:"match,omitempty"`
	Exclude    ImageRefList `json:"exclude,omitempty"`
}

func (ImageProfile) Enabled 

func (p ImageProfile) Enabled() bool

if any profile condition is defined, image profile returns enabled = true

func (ImageProfile) MatchWith 

func (p ImageProfile) MatchWith(imageRef string) bool

returns if this profile matches the specified image ref or not

type ImageRef 

type ImageRef string

func (ImageRef) Match 

func (r ImageRef) Match(imageRef string) bool

type ImageRefList 

type ImageRefList []ImageRef

func (ImageRefList) Match 

func (l ImageRefList) Match(imageRef string) bool

type Key 

type Key struct {
	Name string `json:"name,omitempty"`
	PEM  string `json:"PEM,omitempty"`
}

type KeyConfig 

type KeyConfig struct {
	Key    Key       `json:"key,omitempty"`       // PEM encoded public key
	Secret KeySecret `json:"keySecret,omitempty"` // public key as a Kubernetes Secret
}

func (KeyConfig) ConvertToCosignKeyRef 

func (k KeyConfig) ConvertToCosignKeyRef() string

func (KeyConfig) ConvertToLocalFilePath 

func (k KeyConfig) ConvertToLocalFilePath(dir string) (string, error)

func (KeyConfig) LoadKeySecret 

func (k KeyConfig) LoadKeySecret() (string, error)

type KeySecret 

type KeySecret struct {
	Name      string `json:"name,omitempty"`
	Namespace string `json:"namespace,omitempty"`
	Mount     bool   `json:"mount,omitempty"` // if true, save secret data as a file.
}

type LogConfig 

type LogConfig struct {
	Level                    string `json:"level,omitempty"`
	ManifestSigstoreLogLevel string `json:"manifestSigstoreLogLevel,omitempty"`
	Format                   string `json:"format,omitempty"`
}

type ManifestVerifyConfig 

type ManifestVerifyConfig struct {
	RequestFilterProfile *RequestFilterProfile `json:"requestFilterProfile,omitempty"`
	DryRunNamespcae      string                `json:"dryRunNamespcae,omitempty"`
}

func NewManifestVerifyConfig 

func NewManifestVerifyConfig(dryRunNs string) *ManifestVerifyConfig

type ManifestVerifyRule 

type ManifestVerifyRule struct {
	SignatureRef                     SignatureRef                    `json:"signatureRef,omitempty"`
	KeyConfigs                       []KeyConfig                     `json:"keyConfigs,omitempty"`
	InScopeObjects                   k8smanifest.ObjectReferenceList `json:"objectSelector,omitempty"`
	SkipUsers                        ObjectUserBindingList           `json:"skipUsers,omitempty"`
	InScopeUsers                     ObjectUserBindingList           `json:"inScopeUsers,omitempty"`
	k8smanifest.VerifyResourceOption `json:""`
}

func (*ManifestVerifyRule) DeepCopyInto 

func (p *ManifestVerifyRule) DeepCopyInto(p2 *ManifestVerifyRule)

type ObjectUserBinding 

type ObjectUserBinding struct {
	Objects k8smanifest.ObjectReferenceList `json:"objects,omitempty"`
	Users   []string                        `json:"users,omitempty"`
}

func (ObjectUserBinding) Match 

func (u ObjectUserBinding) Match(obj unstructured.Unstructured, username string) bool

type ObjectUserBindingList 

type ObjectUserBindingList []ObjectUserBinding

func (ObjectUserBindingList) Match 

func (l ObjectUserBindingList) Match(obj unstructured.Unstructured, username string) bool

type ParameterObject 

type ParameterObject struct {
	ConstraintName     string `json:"constraintName"`
	ManifestVerifyRule `json:""`
	ImageProfile       ImageProfile `json:"imageProfile,omitempty"`
	Action             *Action      `json:"action,omitempty"`
	GetProvenance      bool         `json:"getProvenance,omitempty"`
}

Parameter in constraint

func (*ParameterObject) DeepCopyInto 

func (p *ParameterObject) DeepCopyInto(p2 *ParameterObject)

type RequestFilterProfile 

type RequestFilterProfile struct {
	SkipObjects  k8smanifest.ObjectReferenceList    `json:"skipObjects,omitempty"`
	SkipUsers    ObjectUserBindingList              `json:"skipUsers,omitempty"`
	IgnoreFields k8smanifest.ObjectFieldBindingList `json:"ignoreFields,omitempty"`
}

type RequestHandlerConfig 

type RequestHandlerConfig struct {
	// KeyPathList             []string               `json:"keyPathList,omitempty"`
	RequestFilterProfile    *RequestFilterProfile  `json:"requestFilterProfile,omitempty"`
	Log                     LogConfig              `json:"log,omitempty"`
	DecisionReporterConfig  DecisionReporterConfig `json:"decisionReporterConfig,omitempty"`
	SideEffectConfig        SideEffectConfig       `json:"sideEffect,omitempty"`
	DefaultConstraintAction Action                 `json:"defaultConstraintAction,omitempty"`
	Options                 []string
}

func LoadRequestHandlerConfig 

func LoadRequestHandlerConfig() (*RequestHandlerConfig, error)

type ResourceRef 

type ResourceRef struct {
	Name      string `json:"name,omitempty"`
	Namespace string `json:"namespace,omitempty"`
}

type SideEffectConfig 

type SideEffectConfig struct {
	// Event
	CreateDenyEvent bool `json:"createDenyEvent"`
}

type SignatureRef 

type SignatureRef struct {
	ImageRef              string      `json:"imageRef,omitempty"`
	SignatureResourceRef  ResourceRef `json:"signatureResourceRef,omitempty"`
	ProvenanceResourceRef ResourceRef `json:"provenanceResourceRef,omitempty"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.