types

package
v1.8.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 20, 2020 License: Apache-2.0 Imports: 7 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	Reduced   = -1
	NoChange  = 0
	Escalated = 1
)
View Source 
const (
	Role           = "Role"
	RoleBinding    = "RoleBinding"
	ServiceAccount = "ServiceAccount"
)
View Source 
const (
	Version1_11 = "v1.11"
)

Variables

View Source 
var (
	DefaultCaps = []string{
		"SETPCAP",
		"MKNOD",
		"AUDIT_WRITE",
		"CHOWN",
		"NET_RAW",
		"DAC_OVERRIDE",
		"FOWNER",
		"FSETID",
		"KILL",
		"SETGID",
		"SETUID",
		"NET_BIND_SERVICE",
		"SYS_CHROOT",
		"SETFCAP",
	}
)

Functions

This section is empty.

Types

type ContainerSecuritySpec 

type ContainerSecuritySpec struct {
	Metadata                 Metadata `json:"parentMetadata"`
	ContainerID              string   `json:"containerID"`
	ContainerName            string   `json:"containerName"`
	PodName                  string   `json:"podName"`
	Namespace                string   `json:"namespace"`
	ImageName                string   `json:"imageName"`
	ImageSHA                 string   `json:"imageSHA"`
	HostName                 string   `json:"hostName"`
	Capabilities             []string `json:"effectiveCapabilities,omitempty"`
	DroppedCap               []string `json:"droppedCapabilities,omitempty"`
	AddedCap                 []string `json:"addedCapabilities,omitempty"`
	Privileged               bool     `json:"privileged,omitempty"`
	ReadOnlyRootFS           bool     `json:"readOnlyRootFileSystem,omitempty"`
	RunAsNonRoot             *bool    `json:"runAsNonRoot,omitempty"`
	AllowPrivilegeEscalation *bool    `json:"allowPrivilegeEscalation,omitempty"`
	RunAsUser                *int64   `json:"runAsUser,omitempty"`
	RunAsGroup               *int64   `json:"runAsGroup,omitempty"`
	HostPorts                []int32  `json:"hostPorts,omitempty"`
	ServiceAccount           string   `json:"serviceAccount,omitempty"`
}

type ContainerSecuritySpecMap added in v1.7.0 

type ContainerSecuritySpecMap map[Metadata]ContainerSecuritySpec

func NewContainerSecuritySpecMap added in v1.7.0 

func NewContainerSecuritySpecMap(cssList []ContainerSecuritySpec) ContainerSecuritySpecMap

type Escalation added in v1.7.0 

type Escalation struct {
	Status        int        `json:"-"`
	StatusMessage string     `json:"status"`
	Previous      string     `json:"previous"`
	Current       string     `json:"current"`
	Workloads     []Metadata `json:"workloads"`
	WorkloadCount int        `json:"workloads_count"`
	// contains filtered or unexported fields
}

func InitEscalation added in v1.7.0 

func InitEscalation(status int, prev, cur string) *Escalation

InitEscalation returns an initialized escalation object

func (*Escalation) AddWorkload added in v1.7.0 

func (e *Escalation) AddWorkload(w Metadata)

func (*Escalation) ConsolidateWorkload added in v1.7.0 

func (e *Escalation) ConsolidateWorkload()

func (*Escalation) ConsolidateWorkloadImage added in v1.7.0 

func (e *Escalation) ConsolidateWorkloadImage()

func (*Escalation) IsEscalated added in v1.7.0 

func (e *Escalation) IsEscalated() bool

func (*Escalation) IsReduced added in v1.7.0 

func (e *Escalation) IsReduced() bool

func (*Escalation) NoChanges added in v1.7.0 

func (e *Escalation) NoChanges() bool

func (*Escalation) SetEscalation added in v1.7.0 

func (e *Escalation) SetEscalation(status int, prev, cur string)

SetEscalation set escalation status

func (*Escalation) UseSecurityContext added in v1.7.0 

func (e *Escalation) UseSecurityContext() bool

type LintReport added in v1.7.0 

type LintReport struct {
	TotalSourceWorkloads  int                    `json:"total_source_workloads"`
	TotalTargetWorkloads  int                    `json:"total_target_workloads"`
	TotalSourceImages     int                    `json:"total_source_images"`
	TotalTargetImages     int                    `json:"total_target_images"`
	TotalEscalation       int                    `json:"escalation_count"`
	TotalReduction        int                    `json:"reduction_count"`
	Escalations           []Metadata             `json:"escalations"`
	Reductions            []Metadata             `json:"reductions"`
	NewPrivileged         *Escalation            `json:"new_privileged"`
	RemovedPrivileged     *Escalation            `json:"removed_privileged"`
	NewHostIPC            *Escalation            `json:"new_hostIPC"`
	RemovedHostIPC        *Escalation            `json:"removed_hostIPC"`
	NewHostNetwork        *Escalation            `json:"new_hostNetwork"`
	RemovedHostNetwork    *Escalation            `json:"removed_hostNetwork"`
	NewHostPID            *Escalation            `json:"new_hostPID"`
	RemovedHostPID        *Escalation            `json:"removed_hostPID"`
	NewHostPaths          map[string]bool        `json:"-"`
	RemovedHostPaths      map[string]bool        `json:"-"`
	NewVolumeTypes        map[string]*Escalation `json:"new_volume_types"`
	RemovedVolumeTypes    map[string]*Escalation `json:"removed_volume_types"`
	NewCapabilities       map[string]*Escalation `json:"new_capabilities"`
	RemovedCapabilities   map[string]*Escalation `json:"reduced_capabilities"`
	NewRunUserAsRoot      *Escalation            `json:"new_run_user_as_root"`
	RemovedRunUserAsRoot  *Escalation            `json:"removed_run_user_as_root"`
	NewRunGroupAsRoot     *Escalation            `json:"new_run_group_as_root"`
	RemovedRunGroupAsRoot *Escalation            `json:"removed_run_group_as_root"`
	NewReadOnlyRootFS     *Escalation            `json:"new_read_only_root_fs"`
	RemovedReadOnlyRootFS *Escalation            `json:"removed_read_only_root_fs"`
}

func NewEscalationReport added in v1.6.0 

func NewEscalationReport() *LintReport

NewEscalationReport returns an escalation report object

func (*LintReport) AddedCapabilities added in v1.7.0 

func (er *LintReport) AddedCapabilities() bool

added capabilities

func (*LintReport) AddedVolumes added in v1.7.0 

func (er *LintReport) AddedVolumes() bool

newly added volume types

func (*LintReport) DroppedCapabilities added in v1.7.0 

func (er *LintReport) DroppedCapabilities() bool

dropped capabilities

func (*LintReport) Escalated added in v1.7.0 

func (er *LintReport) Escalated() bool

func (*LintReport) GenerateEscalationReportFromSecurityContext added in v1.7.0 

func (er *LintReport) GenerateEscalationReportFromSecurityContext(srcCssList, targetCssList []ContainerSecuritySpec, srcPssList, targetPssList []PodSecuritySpec)

GenerateEscalationReportFromSecurityContext returns a escalation report after comparing the source and target YAML files

func (*LintReport) HostIPCEscalated added in v1.7.0 

func (er *LintReport) HostIPCEscalated() bool

HostIPC

func (*LintReport) HostIPCNoChange added in v1.7.0 

func (er *LintReport) HostIPCNoChange() bool

HostIPC

func (*LintReport) HostIPCReduced added in v1.7.0 

func (er *LintReport) HostIPCReduced() bool

HostIPC

func (*LintReport) HostNetworkEscalated added in v1.7.0 

func (er *LintReport) HostNetworkEscalated() bool

HostNetwork

func (*LintReport) HostNetworkNoChange added in v1.7.0 

func (er *LintReport) HostNetworkNoChange() bool

HostNetwork

func (*LintReport) HostNetworkReduced added in v1.7.0 

func (er *LintReport) HostNetworkReduced() bool

HostNetwork

func (*LintReport) HostPIDEscalated added in v1.7.0 

func (er *LintReport) HostPIDEscalated() bool

HostPID

func (*LintReport) HostPIDNoChange added in v1.7.0 

func (er *LintReport) HostPIDNoChange() bool

HostPID

func (*LintReport) HostPIDReduced added in v1.7.0 

func (er *LintReport) HostPIDReduced() bool

HostPID

func (*LintReport) PrivilegedEscalated added in v1.7.0 

func (er *LintReport) PrivilegedEscalated() bool

privileged mode

func (*LintReport) PrivilegedNoChange added in v1.7.0 

func (er *LintReport) PrivilegedNoChange() bool

privileged mode

func (*LintReport) PrivilegedReduced added in v1.7.0 

func (er *LintReport) PrivilegedReduced() bool

privileged mode

func (*LintReport) ReadOnlyRootFSEscalated added in v1.7.0 

func (er *LintReport) ReadOnlyRootFSEscalated() bool

ReadOnlyRootFileSystem

func (*LintReport) ReadOnlyRootFSNoChange added in v1.7.0 

func (er *LintReport) ReadOnlyRootFSNoChange() bool

ReadOnlyRootFileSystem

func (*LintReport) ReadOnlyRootFSReduced added in v1.7.0 

func (er *LintReport) ReadOnlyRootFSReduced() bool

ReadOnlyRootFileSystem

func (*LintReport) Reduced added in v1.7.0 

func (er *LintReport) Reduced() bool

func (*LintReport) RemovedVolumes added in v1.7.0 

func (er *LintReport) RemovedVolumes() bool

removed volume types

func (*LintReport) RunGroupAsRootEscalated added in v1.7.0 

func (er *LintReport) RunGroupAsRootEscalated() bool

runAsGroup (non root -> root)

func (*LintReport) RunGroupAsRootNoChange added in v1.7.0 

func (er *LintReport) RunGroupAsRootNoChange() bool

runAsGroup

func (*LintReport) RunGroupAsRootReduced added in v1.7.0 

func (er *LintReport) RunGroupAsRootReduced() bool

runAsGroup (root -> non root)

func (*LintReport) RunUserAsRootEscalated added in v1.7.0 

func (er *LintReport) RunUserAsRootEscalated() bool

runAsUser (non root -> root)

func (*LintReport) RunUserAsRootNoChange added in v1.7.0 

func (er *LintReport) RunUserAsRootNoChange() bool

runAsUser

func (*LintReport) RunUserAsRootReduced added in v1.7.0 

func (er *LintReport) RunUserAsRootReduced() bool

runAsUser (root -> non root)

type Metadata 

type Metadata struct {
	Name      string `json:"name"`
	Kind      string `json:"kind"`
	Namespace string `json:"namespace"`
	YamlFile  string `json:"file,omitempty"`
	Image     string `json:"image,omitempty"`
}

type PSPGrant added in v1.2.0 

type PSPGrant struct {
	Comment           string
	PodSecurityPolicy *v1beta1.PodSecurityPolicy
	Role              *rbacv1.Role
	RoleBinding       *rbacv1.RoleBinding
	ServiceAccount    string
	Namespace         string
}

func (PSPGrant) Key added in v1.6.0 

func (pg PSPGrant) Key() string

type PSPGrantList added in v1.6.0 

type PSPGrantList []PSPGrant

func (PSPGrantList) ToMap added in v1.6.0 

func (pgl PSPGrantList) ToMap() map[string]PSPGrant

type PodSecuritySpec 

type PodSecuritySpec struct {
	Metadata       Metadata        `json:"metadata"`
	Namespace      string          `json:"namespace"`
	HostPID        bool            `json:"hostPID,omitempty"`
	HostNetwork    bool            `json:"hostNetwork,omitempty"`
	HostIPC        bool            `json:"hostIPC,omitempty"`
	VolumeTypes    []string        `json:"volumeTypes,omitempty"`
	MountHostPaths map[string]bool `json:"mountedHostPath,omitempty"`
	ServiceAccount string          `json:"serviceAccount,omitempty"`
}

type PodSecuritySpecMap added in v1.7.0 

type PodSecuritySpecMap map[Metadata]PodSecuritySpec

func NewPodSecuritySpecMap added in v1.7.0 

func NewPodSecuritySpecMap(pssList []PodSecuritySpec) PodSecuritySpecMap

type PortRange added in v1.8.0 

type PortRange struct {
	Min int32
	Max int32
}

func NewPortRange added in v1.8.0 

func NewPortRange(min, max int32) *PortRange

type PortRangeList added in v1.8.0 

type PortRangeList []*PortRange

func (PortRangeList) Consolidate added in v1.8.0 

func (pl PortRangeList) Consolidate() PortRangeList

func (PortRangeList) GetMax added in v1.8.0 

func (pl PortRangeList) GetMax() int32

func (PortRangeList) GetMin added in v1.8.0 

func (pl PortRangeList) GetMin() int32

func (PortRangeList) Len added in v1.8.0 

func (pl PortRangeList) Len() int

func (PortRangeList) Less added in v1.8.0 

func (pl PortRangeList) Less(i, j int) bool

func (PortRangeList) String added in v1.8.0 

func (pl PortRangeList) String() string

func (PortRangeList) Swap added in v1.8.0 

func (pl PortRangeList) Swap(i, j int)

type SASecuritySpec added in v1.2.0 

type SASecuritySpec struct {
	PSPName string // psp name

	ServiceAccount string // serviceAccount

	Namespace string // namespace

	ContainerSecuritySpecList []ContainerSecuritySpec

	PodSecuritySpecList []PodSecuritySpec
}

func NewSASecuritySpec added in v1.2.0 

func NewSASecuritySpec(ns, sa string) *SASecuritySpec

func (*SASecuritySpec) AddContainerSecuritySpec added in v1.2.0 

func (s *SASecuritySpec) AddContainerSecuritySpec(css ContainerSecuritySpec)

AddContainerSecuritySpec adds container security spec object to the associated service account

func (*SASecuritySpec) AddPodSecuritySpec added in v1.2.0 

func (s *SASecuritySpec) AddPodSecuritySpec(pss PodSecuritySpec)

AddPodSecuritySpec adds pod security spec object to the associated service account

func (*SASecuritySpec) GenerateComment added in v1.2.0 

func (s *SASecuritySpec) GenerateComment() string

GenerateComment generate comments for the psp grants (no psp will be created for default service account)

func (*SASecuritySpec) GeneratePSPName added in v1.2.0 

func (s *SASecuritySpec) GeneratePSPName() string

GeneratePSPName generates psp name

func (*SASecuritySpec) GenerateRole added in v1.2.0 

func (s *SASecuritySpec) GenerateRole() *rbacv1.Role

GenerateRole creates a role object contains the privilege to use the psp

func (*SASecuritySpec) GenerateRoleBinding added in v1.2.0 

func (s *SASecuritySpec) GenerateRoleBinding() *rbacv1.RoleBinding

GenerateRoleBinding creates a rolebinding for the service account to use the psp

func (*SASecuritySpec) GetWorkloadImages added in v1.2.0 

func (s *SASecuritySpec) GetWorkloadImages() []string

GetWorkloadImages returns a list of workload images in the format of "kind, Name, Image Name"

func (*SASecuritySpec) IsDefaultServiceAccount added in v1.2.0 

func (s *SASecuritySpec) IsDefaultServiceAccount() bool

IsDefaultServiceAccount returns whether the service account is default

func (*SASecuritySpec) Key added in v1.6.0 

func (s *SASecuritySpec) Key() string

type SASecuritySpecList added in v1.2.0 

type SASecuritySpecList []*SASecuritySpec

func (SASecuritySpecList) Len added in v1.2.0 

func (sl SASecuritySpecList) Len() int

func (SASecuritySpecList) Less added in v1.2.0 

func (sl SASecuritySpecList) Less(i, j int) bool

func (SASecuritySpecList) Swap added in v1.2.0 

func (sl SASecuritySpecList) Swap(i, j int)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.