Documentation ¶
Constants ¶
// Kubernetes Kind names used when the PSP grant objects are emitted.
// NOTE(review): presumably these populate Kind / subject-kind fields in
// GenerateRole and GenerateRoleBinding — confirm in their bodies, which are
// not shown on this page.
const (
	Role           = "Role"
	RoleBinding    = "RoleBinding"
	ServiceAccount = "ServiceAccount"
)
// Version1_11 is a Kubernetes version string in the "vMAJOR.MINOR" form.
// NOTE(review): which behaviour is gated on this version is not visible here —
// confirm in the callers.
const (
	Version1_11 = "v1.11"
)
Variables ¶
var (
	// DefaultCaps is the set of Linux capabilities a container holds when its
	// securityContext neither adds nor drops any; it matches the bounding set
	// granted by the Docker/containerd runtimes by default.
	// NOTE(review): how this list is combined with AddedCap/DroppedCap to
	// produce ContainerSecuritySpec.Capabilities is not visible on this page —
	// confirm in the collector before relying on the "effective" value.
	// Because the variable is exported and mutable, callers should treat it as
	// read-only; mutating it would silently change every computed result.
	DefaultCaps = []string{
		"SETPCAP",
		"MKNOD",
		"AUDIT_WRITE",
		"CHOWN",
		"NET_RAW",
		"DAC_OVERRIDE",
		"FOWNER",
		"FSETID",
		"KILL",
		"SETGID",
		"SETUID",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"SETFCAP",
	}
)
Functions ¶
This section is empty.
Types ¶
type ContainerSecuritySpec ¶
// ContainerSecuritySpec records the security-relevant settings observed for a
// single container. The json tags define the wire format of the tool's
// output; note the tag names where they differ from the Go field names.
type ContainerSecuritySpec struct {
	// Metadata of the owning workload; serialised under "parentMetadata",
	// not "metadata", to distinguish it from the container's own identity
	// fields below.
	Metadata      Metadata `json:"parentMetadata"`
	ContainerID   string   `json:"containerID"`
	ContainerName string   `json:"containerName"`
	PodName       string   `json:"podName"`
	Namespace     string   `json:"namespace"`
	ImageName     string   `json:"imageName"`
	// ImageSHA is the content digest of the running image; prefer it over
	// ImageName when correlating with scan results, since a tag can be
	// re-pointed to a different image after the fact.
	ImageSHA string `json:"imageSHA"`
	HostName string `json:"hostName"`
	// Capabilities is serialised as "effectiveCapabilities": the resulting
	// capability set, as opposed to the raw add/drop lists that follow.
	// NOTE(review): how it is derived from DefaultCaps, AddedCap and
	// DroppedCap is not visible here — confirm in the collector.
	Capabilities []string `json:"effectiveCapabilities,omitempty"`
	// With omitempty, an empty add/drop list is indistinguishable from an
	// absent one in the JSON output.
	DroppedCap []string `json:"droppedCapabilities,omitempty"`
	AddedCap   []string `json:"addedCapabilities,omitempty"`
	// Privileged and ReadOnlyRootFS are omitted from JSON when false, so a
	// missing key means "false", never "unknown".
	Privileged     bool `json:"privileged,omitempty"`
	ReadOnlyRootFS bool `json:"readOnlyRootFileSystem,omitempty"`
	// The pointer fields below distinguish "not set" (nil, omitted from JSON)
	// from an explicit false/0, which is emitted. Consumers must check for nil
	// before dereferencing.
	RunAsNonRoot             *bool  `json:"runAsNonRoot,omitempty"`
	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation,omitempty"`
	RunAsUser                *int64 `json:"runAsUser,omitempty"`
	RunAsGroup               *int64 `json:"runAsGroup,omitempty"`
	// HostPorts lists the host-side ports the container publishes, if any.
	HostPorts      []int32 `json:"hostPorts,omitempty"`
	ServiceAccount string  `json:"serviceAccount,omitempty"`
}
type PSPGrant ¶ added in v1.2.0
// PSPGrant bundles the objects produced for one service account: the
// PodSecurityPolicy itself, the Role and RoleBinding that let the account
// "use" it (see SASecuritySpec.GenerateRole / GenerateRoleBinding), and a
// human-readable Comment (see SASecuritySpec.GenerateComment).
//
// NOTE: PodSecurityPolicy (policy/v1beta1) was removed from Kubernetes in
// v1.25; the generated objects cannot be applied to clusters at or above that
// version.
type PSPGrant struct {
	Comment           string
	PodSecurityPolicy *v1beta1.PodSecurityPolicy
	Role              *v1rbac.Role
	RoleBinding       *v1rbac.RoleBinding
}
type PodSecuritySpec ¶
// PodSecuritySpec records the pod-level settings observed for a workload.
// The host-namespace flags and the hostPath map are the fields that most
// directly widen the pod's reach onto the node, and are the inputs a
// generated PSP must permit or forbid.
type PodSecuritySpec struct {
	Metadata    Metadata `json:"metadata"`
	Namespace   string   `json:"namespace"`
	// The three host* flags are omitted from JSON when false.
	HostPID     bool     `json:"hostPID,omitempty"`
	HostNetwork bool     `json:"hostNetwork,omitempty"`
	HostIPC     bool     `json:"hostIPC,omitempty"`
	VolumeTypes []string `json:"volumeTypes,omitempty"`
	// MountHostPaths is serialised as "mountedHostPath" (singular).
	// NOTE(review): the map appears to be keyed by host path, but the meaning
	// of the bool value (e.g. read-only) is not visible here — confirm in the
	// collector.
	MountHostPaths map[string]bool `json:"mountedHostPath,omitempty"`
	ServiceAccount string          `json:"serviceAccount,omitempty"`
}
type SASecuritySpec ¶ added in v1.2.0
// SASecuritySpec aggregates the container and pod security specs observed
// for one service account within one namespace. It is the unit from which a
// PodSecurityPolicy name and the RBAC objects granting its use are derived
// (see GeneratePSPName, GenerateRole and GenerateRoleBinding).
type SASecuritySpec struct {
	PSPName        string // name of the generated PodSecurityPolicy (see GeneratePSPName)
	ServiceAccount string // service account name
	Namespace      string // namespace the service account lives in
	// Specs accumulated via AddContainerSecuritySpec / AddPodSecuritySpec.
	ContainerSecuritySpecList []ContainerSecuritySpec
	PodSecuritySpecList       []PodSecuritySpec
}
func NewSASecuritySpec ¶ added in v1.2.0
func NewSASecuritySpec(ns, sa string) *SASecuritySpec
func (*SASecuritySpec) AddContainerSecuritySpec ¶ added in v1.2.0
func (s *SASecuritySpec) AddContainerSecuritySpec(css ContainerSecuritySpec)
AddContainerSecuritySpec adds a container security spec object to the associated service account
func (*SASecuritySpec) AddPodSecuritySpec ¶ added in v1.2.0
func (s *SASecuritySpec) AddPodSecuritySpec(pss PodSecuritySpec)
AddPodSecuritySpec adds a pod security spec object to the associated service account
func (*SASecuritySpec) GenerateComment ¶ added in v1.2.0
func (s *SASecuritySpec) GenerateComment() string
GenerateComment generates comments for the PSP grants (no PSP will be created for the default service account)
func (*SASecuritySpec) GeneratePSPName ¶ added in v1.2.0
func (s *SASecuritySpec) GeneratePSPName() string
GeneratePSPName generates the PSP name
func (*SASecuritySpec) GenerateRole ¶ added in v1.2.0
func (s *SASecuritySpec) GenerateRole() *v1rbac.Role
GenerateRole creates a Role object that contains the privilege to use the PSP
func (*SASecuritySpec) GenerateRoleBinding ¶ added in v1.2.0
func (s *SASecuritySpec) GenerateRoleBinding() *v1rbac.RoleBinding
GenerateRoleBinding creates a RoleBinding that lets the service account use the PSP
func (*SASecuritySpec) GetWorkloadImages ¶ added in v1.2.0
func (s *SASecuritySpec) GetWorkloadImages() []string
GetWorkloadImages returns a list of workload images in the format of "kind, Name, Image Name"
func (*SASecuritySpec) IsDefaultServiceAccount ¶ added in v1.2.0
func (s *SASecuritySpec) IsDefaultServiceAccount() bool
IsDefaultServiceAccount returns whether the service account is the default one
type SASecuritySpecList ¶ added in v1.2.0
// SASecuritySpecList is a slice of *SASecuritySpec that implements
// sort.Interface (Len, Less, Swap), so it can be ordered with sort.Sort for
// deterministic output.
// NOTE(review): the ordering key used by Less is not visible on this page.
type SASecuritySpecList []*SASecuritySpec
func (SASecuritySpecList) Len ¶ added in v1.2.0
func (sl SASecuritySpecList) Len() int
func (SASecuritySpecList) Less ¶ added in v1.2.0
func (sl SASecuritySpecList) Less(i, j int) bool
func (SASecuritySpecList) Swap ¶ added in v1.2.0
func (sl SASecuritySpecList) Swap(i, j int)