types


Constants

// Privilege-change status values. They are presumably the values carried in
// Escalation.Status and tested by IsReduced / NoChanges / IsEscalated — the
// method bodies are not shown here, so confirm against them. Note that
// Escalation.Status is tagged `json:"-"`; only StatusMessage reaches the
// JSON report.
const (
	Reduced   = -1 // the target grants less privilege than the source
	NoChange  = 0  // source and target grant the same privilege
	Escalated = 1  // the target grants more privilege than the source
)
// Kubernetes object kinds used by this package. They are plain strings that
// match the Kubernetes `kind` field spelling; presumably they are the values
// written to Metadata.Kind — TODO confirm against the callers.
const (
	Role           = "Role"
	RoleBinding    = "RoleBinding"
	ServiceAccount = "ServiceAccount"
)
// Version1_11 is a version string literal ("v1.11"). It looks like a
// Kubernetes release version used for feature gating — where it is compared
// is not visible here, so treat that as an assumption. The underscore in the
// name departs from Go's MixedCaps convention but is part of the exported API.
const (
	Version1_11 = "v1.11"
)

Variables

var (
	// DefaultCaps is the baseline set of Linux capabilities the package treats
	// as granted by default. The list matches the capability set a container
	// runtime such as Docker grants when no capabilities are added or dropped
	// (names are written without the CAP_ prefix). Capabilities outside this
	// list are presumably what the report counts as "added" — TODO confirm
	// against the comparison code, which is not shown here.
	//
	// Being on this list means "not flagged as an escalation", not "harmless":
	// several entries (NET_RAW, DAC_OVERRIDE, SETUID/SETGID, SYS_CHROOT) are
	// ones hardened baselines routinely drop. DefaultCaps is a package-level
	// slice and can be mutated by any importer; callers that need isolation
	// should copy it.
	DefaultCaps = []string{
		"SETPCAP",
		"MKNOD",
		"AUDIT_WRITE",
		"CHOWN",
		"NET_RAW",
		"DAC_OVERRIDE",
		"FOWNER",
		"FSETID",
		"KILL",
		"SETGID",
		"SETUID",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"SETFCAP",
	}
)

Functions

This section is empty.

Types

type ContainerSecuritySpec

// ContainerSecuritySpec is the security-relevant view of a single container:
// where it runs, which image it uses, and the effective security context
// settings that the escalation comparison works on.
//
// Pointer fields (RunAsNonRoot, AllowPrivilegeEscalation, RunAsUser,
// RunAsGroup) presumably distinguish "not set in the manifest" (nil) from an
// explicit value; confirm against the code that populates them. Note that
// the boolean fields carry `omitempty`, so a value of false is omitted from
// the JSON output and is indistinguishable from "absent" to a JSON consumer.
type ContainerSecuritySpec struct {
	Metadata                 Metadata `json:"parentMetadata"` // metadata of the owning workload; JSON key differs from the field name
	ContainerID              string   `json:"containerID"`
	ContainerName            string   `json:"containerName"`
	PodName                  string   `json:"podName"`
	Namespace                string   `json:"namespace"`
	ImageName                string   `json:"imageName"`
	ImageSHA                 string   `json:"imageSHA"`
	HostName                 string   `json:"hostName"`
	Capabilities             []string `json:"effectiveCapabilities,omitempty"` // effective set (presumably DefaultCaps + added - dropped)
	DroppedCap               []string `json:"droppedCapabilities,omitempty"`
	AddedCap                 []string `json:"addedCapabilities,omitempty"`
	Privileged               bool     `json:"privileged,omitempty"`
	ReadOnlyRootFS           bool     `json:"readOnlyRootFileSystem,omitempty"`
	RunAsNonRoot             *bool    `json:"runAsNonRoot,omitempty"`
	AllowPrivilegeEscalation *bool    `json:"allowPrivilegeEscalation,omitempty"`
	RunAsUser                *int64   `json:"runAsUser,omitempty"`
	RunAsGroup               *int64   `json:"runAsGroup,omitempty"`
	HostPorts                []int32  `json:"hostPorts,omitempty"` // host ports exposed by the container
	ServiceAccount           string   `json:"serviceAccount,omitempty"`
}

type ContainerSecuritySpecMap

// ContainerSecuritySpecMap indexes container specs by workload Metadata.
// Metadata is a struct of strings, so equality (and therefore the map key)
// covers every one of its fields, including YamlFile and Image.
type ContainerSecuritySpecMap map[Metadata]ContainerSecuritySpec

func NewContainerSecuritySpecMap

func NewContainerSecuritySpecMap(cssList []ContainerSecuritySpec) ContainerSecuritySpecMap

type Escalation

// Escalation records one privilege change between a source and a target
// set of manifests (for example privileged mode, a host namespace, or a
// capability), together with the workloads affected by it.
type Escalation struct {
	Status        int        `json:"-"`        // presumably Reduced, NoChange or Escalated; never serialized
	StatusMessage string     `json:"status"`   // human-readable status; the only status visible in JSON
	Previous      string     `json:"previous"` // value in the source manifests
	Current       string     `json:"current"`  // value in the target manifests
	Workloads     []Metadata `json:"workloads"`
	WorkloadCount int        `json:"workloads_count"` // stored separately from len(Workloads); presumably maintained by ConsolidateWorkload
	// contains filtered or unexported fields
}

func InitEscalation

func InitEscalation(status int, prev, cur string) *Escalation

InitEscalation returns an initialized escalation object

func (*Escalation) AddWorkload

func (e *Escalation) AddWorkload(w Metadata)

func (*Escalation) ConsolidateWorkload

func (e *Escalation) ConsolidateWorkload()

func (*Escalation) ConsolidateWorkloadImage

func (e *Escalation) ConsolidateWorkloadImage()

func (*Escalation) IsEscalated

func (e *Escalation) IsEscalated() bool

func (*Escalation) IsReduced

func (e *Escalation) IsReduced() bool

func (*Escalation) NoChanges

func (e *Escalation) NoChanges() bool

func (*Escalation) SetEscalation

func (e *Escalation) SetEscalation(status int, prev, cur string)

SetEscalation sets the escalation status.

func (*Escalation) UseSecurityContext

func (e *Escalation) UseSecurityContext() bool

type LintReport

// LintReport is the result of comparing a source and a target set of
// workloads. Each security setting has a New* entry (privilege gained in
// the target) and a Removed* entry (privilege dropped in the target).
//
// Serialization caveats a consumer of the JSON report should know:
//   - NewHostPaths and RemovedHostPaths are tagged `json:"-"`, so host-path
//     mount changes are tracked in memory but never appear in JSON output.
//   - RemovedCapabilities is emitted under the key "reduced_capabilities",
//     not "removed_capabilities" as the other Removed* fields might suggest.
//   - Escalation.Status is itself `json:"-"`; only its StatusMessage is
//     serialized.
type LintReport struct {
	TotalSourceWorkloads  int                    `json:"total_source_workloads"`
	TotalTargetWorkloads  int                    `json:"total_target_workloads"`
	TotalSourceImages     int                    `json:"total_source_images"`
	TotalTargetImages     int                    `json:"total_target_images"`
	TotalEscalation       int                    `json:"escalation_count"`
	TotalReduction        int                    `json:"reduction_count"`
	Escalations           []Metadata             `json:"escalations"` // workloads with at least one escalation
	Reductions            []Metadata             `json:"reductions"`  // workloads with at least one reduction
	NewPrivileged         *Escalation            `json:"new_privileged"`
	RemovedPrivileged     *Escalation            `json:"removed_privileged"`
	NewHostIPC            *Escalation            `json:"new_hostIPC"`
	RemovedHostIPC        *Escalation            `json:"removed_hostIPC"`
	NewHostNetwork        *Escalation            `json:"new_hostNetwork"`
	RemovedHostNetwork    *Escalation            `json:"removed_hostNetwork"`
	NewHostPID            *Escalation            `json:"new_hostPID"`
	RemovedHostPID        *Escalation            `json:"removed_hostPID"`
	NewHostPaths          map[string]bool        `json:"-"` // not serialized; see type comment
	RemovedHostPaths      map[string]bool        `json:"-"` // not serialized; see type comment
	NewVolumeTypes        map[string]*Escalation `json:"new_volume_types"`     // keyed by volume type name
	RemovedVolumeTypes    map[string]*Escalation `json:"removed_volume_types"` // keyed by volume type name
	NewCapabilities       map[string]*Escalation `json:"new_capabilities"`     // keyed by capability name
	RemovedCapabilities   map[string]*Escalation `json:"reduced_capabilities"` // note the JSON key: "reduced_", not "removed_"
	NewRunUserAsRoot      *Escalation            `json:"new_run_user_as_root"`
	RemovedRunUserAsRoot  *Escalation            `json:"removed_run_user_as_root"`
	NewRunGroupAsRoot     *Escalation            `json:"new_run_group_as_root"`
	RemovedRunGroupAsRoot *Escalation            `json:"removed_run_group_as_root"`
	NewReadOnlyRootFS     *Escalation            `json:"new_read_only_root_fs"`
	RemovedReadOnlyRootFS *Escalation            `json:"removed_read_only_root_fs"`
}

func NewEscalationReport

func NewEscalationReport() *LintReport

NewEscalationReport returns an escalation report object

func (*LintReport) AddedCapabilities

func (er *LintReport) AddedCapabilities() bool

AddedCapabilities reports whether the report contains any added capabilities.

func (*LintReport) AddedVolumes

func (er *LintReport) AddedVolumes() bool

AddedVolumes reports whether the report contains any newly added volume types.

func (*LintReport) DroppedCapabilities

func (er *LintReport) DroppedCapabilities() bool

DroppedCapabilities reports whether the report contains any dropped capabilities.

func (*LintReport) Escalated

func (er *LintReport) Escalated() bool

func (*LintReport) GenerateEscalationReportFromSecurityContext

func (er *LintReport) GenerateEscalationReportFromSecurityContext(srcCssList, targetCssList []ContainerSecuritySpec, srcPssList, targetPssList []PodSecuritySpec)

GenerateEscalationReportFromSecurityContext fills in the escalation report by comparing the source and target YAML files.

func (*LintReport) HostIPCEscalated

func (er *LintReport) HostIPCEscalated() bool

HostIPC

func (*LintReport) HostIPCNoChange

func (er *LintReport) HostIPCNoChange() bool

HostIPC

func (*LintReport) HostIPCReduced

func (er *LintReport) HostIPCReduced() bool

HostIPC

func (*LintReport) HostNetworkEscalated

func (er *LintReport) HostNetworkEscalated() bool

HostNetwork

func (*LintReport) HostNetworkNoChange

func (er *LintReport) HostNetworkNoChange() bool

HostNetwork

func (*LintReport) HostNetworkReduced

func (er *LintReport) HostNetworkReduced() bool

HostNetwork

func (*LintReport) HostPIDEscalated

func (er *LintReport) HostPIDEscalated() bool

HostPID

func (*LintReport) HostPIDNoChange

func (er *LintReport) HostPIDNoChange() bool

HostPID

func (*LintReport) HostPIDReduced

func (er *LintReport) HostPIDReduced() bool

HostPID

func (*LintReport) PrivilegedEscalated

func (er *LintReport) PrivilegedEscalated() bool

privileged mode

func (*LintReport) PrivilegedNoChange

func (er *LintReport) PrivilegedNoChange() bool

privileged mode

func (*LintReport) PrivilegedReduced

func (er *LintReport) PrivilegedReduced() bool

privileged mode

func (*LintReport) ReadOnlyRootFSEscalated

func (er *LintReport) ReadOnlyRootFSEscalated() bool

ReadOnlyRootFileSystem

func (*LintReport) ReadOnlyRootFSNoChange

func (er *LintReport) ReadOnlyRootFSNoChange() bool

ReadOnlyRootFileSystem

func (*LintReport) ReadOnlyRootFSReduced

func (er *LintReport) ReadOnlyRootFSReduced() bool

ReadOnlyRootFileSystem

func (*LintReport) Reduced

func (er *LintReport) Reduced() bool

func (*LintReport) RemovedVolumes

func (er *LintReport) RemovedVolumes() bool

RemovedVolumes reports whether the report contains any removed volume types.

func (*LintReport) RunGroupAsRootEscalated

func (er *LintReport) RunGroupAsRootEscalated() bool

runAsGroup (non root -> root)

func (*LintReport) RunGroupAsRootNoChange

func (er *LintReport) RunGroupAsRootNoChange() bool

runAsGroup

func (*LintReport) RunGroupAsRootReduced

func (er *LintReport) RunGroupAsRootReduced() bool

runAsGroup (root -> non root)

func (*LintReport) RunUserAsRootEscalated

func (er *LintReport) RunUserAsRootEscalated() bool

runAsUser (non root -> root)

func (*LintReport) RunUserAsRootNoChange

func (er *LintReport) RunUserAsRootNoChange() bool

runAsUser

func (*LintReport) RunUserAsRootReduced

func (er *LintReport) RunUserAsRootReduced() bool

runAsUser (root -> non root)

type Metadata

// Metadata identifies a workload (or another Kubernetes object) by name,
// kind and namespace, plus the file it came from and the image it runs.
//
// Metadata is used as a map key (ContainerSecuritySpecMap, PodSecuritySpecMap),
// and since all fields are strings two values are equal only when every
// field matches — YamlFile and Image included. Callers that want to match
// "the same workload" across different files or image versions must clear
// those fields before using the value as a key.
type Metadata struct {
	Name      string `json:"name"`
	Kind      string `json:"kind"` // presumably one of the Kind constants (Role, RoleBinding, ServiceAccount) or a workload kind; confirm against the populating code
	Namespace string `json:"namespace"`
	YamlFile  string `json:"file,omitempty"`  // source manifest path
	Image     string `json:"image,omitempty"` // container image, when the entry describes one
}

type PSPGrant

// PSPGrant bundles a generated PodSecurityPolicy with the Role and
// RoleBinding that let a service account use it. It has no JSON tags, so
// the exported field names are the JSON keys if it is ever serialized.
//
// PodSecurityPolicy comes from policy/v1beta1, which Kubernetes deprecated
// in v1.21 and removed in v1.25; the generated objects only apply to
// clusters that still serve that API.
type PSPGrant struct {
	Comment           string // free-text note explaining the grant (see SASecuritySpec.GenerateComment)
	PodSecurityPolicy *v1beta1.PodSecurityPolicy
	Role              *rbacv1.Role        // grants the "use" verb on the PSP (presumably; see SASecuritySpec.GenerateRole)
	RoleBinding       *rbacv1.RoleBinding // binds Role to ServiceAccount in Namespace
	ServiceAccount    string
	Namespace         string
}

func (PSPGrant) Key

func (pg PSPGrant) Key() string

type PSPGrantList

// PSPGrantList is a slice of grants; ToMap indexes it by string, presumably
// by PSPGrant.Key() — confirm against the ToMap body, which is not shown.
type PSPGrantList []PSPGrant

func (PSPGrantList) ToMap

func (pgl PSPGrantList) ToMap() map[string]PSPGrant

type PodSecuritySpec

// PodSecuritySpec is the security-relevant view of a pod: host namespace
// sharing, volume usage, the service account it runs as, and sysctls.
// The host* booleans carry `omitempty`, so false is omitted from JSON and
// cannot be told apart from "absent" by a consumer of the JSON output.
type PodSecuritySpec struct {
	Metadata       Metadata        `json:"metadata"`
	Namespace      string          `json:"namespace"`
	HostPID        bool            `json:"hostPID,omitempty"`
	HostNetwork    bool            `json:"hostNetwork,omitempty"`
	HostIPC        bool            `json:"hostIPC,omitempty"`
	VolumeTypes    []string        `json:"volumeTypes,omitempty"`
	VolumeMounts   map[string]bool `json:"volumeMounts,omitempty"` //--> NEW
	MountHostPaths map[string]bool `json:"mountedHostPath,omitempty"` // host paths mounted into the pod; key is the path (presumably)
	ServiceAccount string          `json:"serviceAccount,omitempty"`
	Sysctls        []string        `json:"sysctls,omitempty"`
}

type PodSecuritySpecMap

// PodSecuritySpecMap indexes pod specs by workload Metadata. As with
// ContainerSecuritySpecMap, the key compares every Metadata field.
type PodSecuritySpecMap map[Metadata]PodSecuritySpec

func NewPodSecuritySpecMap

func NewPodSecuritySpecMap(pssList []PodSecuritySpec) PodSecuritySpecMap

type PortRange

// PortRange is an inclusive-looking port interval; whether Max is inclusive
// is not visible here, so confirm against Consolidate before relying on it.
type PortRange struct {
	Min int32
	Max int32
}

func NewPortRange

func NewPortRange(min, max int32) *PortRange

type PortRangeList

// PortRangeList is a list of port ranges. It implements sort.Interface
// (Len, Less, Swap) and fmt.Stringer; Consolidate returns a new list,
// presumably with overlapping ranges merged.
type PortRangeList []*PortRange

func (PortRangeList) Consolidate

func (pl PortRangeList) Consolidate() PortRangeList

func (PortRangeList) GetMax

func (pl PortRangeList) GetMax() int32

func (PortRangeList) GetMin

func (pl PortRangeList) GetMin() int32

func (PortRangeList) Len

func (pl PortRangeList) Len() int

func (PortRangeList) Less

func (pl PortRangeList) Less(i, j int) bool

func (PortRangeList) String

func (pl PortRangeList) String() string

func (PortRangeList) Swap

func (pl PortRangeList) Swap(i, j int)

type SASecuritySpec

// SASecuritySpec groups every container and pod spec that runs under one
// service account in one namespace; it is the unit for which a PSP, Role
// and RoleBinding are generated.
type SASecuritySpec struct {
	PSPName string // name of the generated PodSecurityPolicy (see GeneratePSPName)

	ServiceAccount string // service account name; "default" gets no PSP (see GenerateComment / IsDefaultServiceAccount)

	Namespace string // namespace of the service account

	ContainerSecuritySpecList []ContainerSecuritySpec // containers running as this service account

	PodSecuritySpecList []PodSecuritySpec // pods running as this service account
}

func NewSASecuritySpec

func NewSASecuritySpec(ns, sa string) *SASecuritySpec

func (*SASecuritySpec) AddContainerSecuritySpec

func (s *SASecuritySpec) AddContainerSecuritySpec(css ContainerSecuritySpec)

AddContainerSecuritySpec adds a container security spec to the associated service account.

func (*SASecuritySpec) AddPodSecuritySpec

func (s *SASecuritySpec) AddPodSecuritySpec(pss PodSecuritySpec)

AddPodSecuritySpec adds a pod security spec to the associated service account.

func (*SASecuritySpec) GenerateComment

func (s *SASecuritySpec) GenerateComment() string

GenerateComment generates the comments for the PSP grants (no PSP will be created for the default service account).

func (*SASecuritySpec) GeneratePSPName

func (s *SASecuritySpec) GeneratePSPName() string

GeneratePSPName generates the PSP name.

func (*SASecuritySpec) GenerateRole

func (s *SASecuritySpec) GenerateRole() *rbacv1.Role

GenerateRole creates a Role object that grants the privilege to use the PSP.

func (*SASecuritySpec) GenerateRoleBinding

func (s *SASecuritySpec) GenerateRoleBinding() *rbacv1.RoleBinding

GenerateRoleBinding creates a RoleBinding that allows the service account to use the PSP.

func (*SASecuritySpec) GetWorkloadImages

func (s *SASecuritySpec) GetWorkloadImages() []string

GetWorkloadImages returns a list of workload images in the format of "kind, Name, Image Name"

func (*SASecuritySpec) IsDefaultServiceAccount

func (s *SASecuritySpec) IsDefaultServiceAccount() bool

IsDefaultServiceAccount reports whether the service account is the default service account.

func (*SASecuritySpec) Key

func (s *SASecuritySpec) Key() string

type SASecuritySpecList

// SASecuritySpecList is a list of per-service-account specs; it implements
// sort.Interface (Len, Less, Swap). The sort key is not visible here.
type SASecuritySpecList []*SASecuritySpec

func (SASecuritySpecList) Len

func (sl SASecuritySpecList) Len() int

func (SASecuritySpecList) Less

func (sl SASecuritySpecList) Less(i, j int) bool

func (SASecuritySpecList) Swap

func (sl SASecuritySpecList) Swap(i, j int)
