function

package
v0.0.0-...-148ef26 Latest
Warning

This package is not in the latest version of its module.

Published: Apr 12, 2020 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package function contains library units for the amazon-ecr-repository-compliance-webhook Lambda function.

Constants

This section is empty.

Variables

var (
	ErrFailedCompliance = errors.New("webhook: repository fails ecr criteria")
	ErrImagesNotFound   = errors.New("webhook: no ecr images found in pod specification")
)

Errors returned when a validation expectation fails.

Functions

This section is empty.

Types

type Container

type Container struct {
	ECR ecriface.ECRAPI
}

Container contains the dependencies and business logic for the amazon-ecr-repository-compliance-webhook Lambda function.

func NewContainer

func NewContainer(ecrSvc ecriface.ECRAPI) *Container

NewContainer creates a new function Container.

func (*Container) BatchCheckRepositoryCompliance

func (c *Container) BatchCheckRepositoryCompliance(ctx context.Context, images []string) (bool, error)

BatchCheckRepositoryCompliance checks the compliance of a given set of ECR images. False is returned if a single repository is not compliant.

func (*Container) CheckRepositoryCompliance

func (c *Container) CheckRepositoryCompliance(ctx context.Context, image string) (bool, error)

CheckRepositoryCompliance checks if the container image that was sent to the webhook:

1. Comes from an ECR repository
2. Has image tag immutability enabled
3. Has image scan on push enabled
4. Does not contain any critical vulnerabilities

func (*Container) Handler

func (c *Container) Handler() Handler

Handler returns the function handler for the amazon-ecr-repository-compliance-webhook.

1. Extract the POST request's body that ValidatingWebhookConfiguration admission controller made to API Gateway
2. Using the request, create a response. The response must contain the same UID that we received from the cluster
3. Using the request, extract the Pod object into the same Go data type used by Kubernetes
4. Using the Pod, check if the requested creation namespace is a critical one (e.g. kube-system).
5. Using the Pod, extract all of the unique container images that are in the specification
  • If no images in the specification come from ECR, deny the admission immediately
6. For every image provided, check our 4 requirements
7. If a single image didn't meet our requirements, deny the admission
8. All requirements satisfied, allow the Pod for admission
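An added sketch of the decision flow that the Handler steps above describe, written against the Go standard library only; it is not the package's own code. The `decide` function, the `check` callback (a hypothetical stand-in for CheckRepositoryCompliance), the ECR hostname pattern and the inclusion of initContainers are assumptions, and step 4 (the namespace check) is left out because the page does not say what it decides.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Only the fields used here; encoding/json matches keys case-insensitively.
type review struct {
	Request struct {
		UID    string
		Object struct {
			Spec struct{ InitContainers, Containers []struct{ Image string } }
		}
	}
}

// Assumed pattern for private ECR registry hosts (commercial partition only).
var ecrRe = regexp.MustCompile(`^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/`)

// decide follows steps 1-3 and 5-8. check is a hypothetical stand-in for
// CheckRepositoryCompliance; every error path denies (fails closed).
func decide(body []byte, check func(image string) (bool, error)) (uid string, allowed bool) {
	var in review
	if err := json.Unmarshal(body, &in); err != nil {
		return "", false
	}
	uid = in.Request.UID // step 2: the response carries the UID the cluster sent
	spec, seen := in.Request.Object.Spec, map[string]bool{}
	for _, c := range append(spec.InitContainers, spec.Containers...) {
		if seen[c.Image] {
			continue // step 5: each unique image is checked once
		}
		seen[c.Image] = true
		if !ecrRe.MatchString(c.Image) {
			return uid, false // requirement 1: the image must come from ECR
		}
		if ok, err := check(c.Image); err != nil || !ok {
			return uid, false // step 7: one failing image denies the Pod
		}
	}
	return uid, len(seen) > 0 // step 8, unless the Pod listed no images at all
}

func main() { // body is a constructed request, not captured from a cluster
	body := `{"request":{"uid":"constructed-uid","object":{"spec":{"containers":[{"image":"nginx:latest"}]}}}}`
	fmt.Println(decide([]byte(body), func(string) (bool, error) { return true, nil }))
}
```

Treating a checker error as a denial means an ECR outage blocks Pod creation instead of letting unchecked images through.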

func (*Container) HasCriticalVulnerabilities

func (c *Container) HasCriticalVulnerabilities(ctx context.Context, image string) (bool, error)

HasCriticalVulnerabilities checks if a container image contains 'CRITICAL' vulnerabilities.

type Handler

Handler is a type alias for the Lambda handler's function signature.

func (Handler) WithLogging

func (h Handler) WithLogging() Handler

WithLogging is a logging middleware for the Lambda handler.

func (Handler) WithProxiedResponse

func (h Handler) WithProxiedResponse() ProxiedHandler

WithProxiedResponse integrates the AdmissionReview response into an acceptable format for API Gateway proxy integrated Lambda functions.

type ProxiedHandler

ProxiedHandler is a handler that has been wrapped to respond with an API Gateway Proxy Integration. TODO: Refactor to use interface, return type of WithProxiedResponse middleware will be cleaner
