GO-2022-0995: Talos worker join token can be used to get elevated access level to the Talos API in github.com/talos-systems/talos

cis

package

v0.3.0-alpha.8 Latest Latest Go to latest Published: Nov 15, 2019 License: MPL-2.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/talos-systems/talos

Documentation ¶

Index ¶

func CreateEncryptionToken() (string, error)
func EnforceAdmissionPluginsRequirements() error
func EnforceAuditingRequirements() error
func EnforceBootstrapMasterRequirements() error
func EnforceCommonMasterRequirements(aescbcEncryptionSecret string) (err error)
func EnforceExtraRequirements() error
func EnforceSecretRequirements() error
func EnforceTLSRequirements() error
func EnforceWorkerRequirements() error
func WriteAuditPolicyToDisk() (err error)
func WriteEncryptionConfigToDisk(aescbcEncryptionSecret string) error

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CreateEncryptionToken ¶

func CreateEncryptionToken() (string, error)

CreateEncryptionToken generates an encryption token to be used for secrets.

func EnforceAdmissionPluginsRequirements ¶

func EnforceAdmissionPluginsRequirements() error

EnforceAdmissionPluginsRequirements enforces CIS requirements for admission plugins. TODO(andrewrynhard): Include any extra user specified plugins. TODO(andrewrynhard): Enable EventRateLimit. TODO(andrewrynhard): Enable AlwaysPullImages (See https://github.com/kubernetes/kubernetes/issues/64333).

func EnforceAuditingRequirements ¶

func EnforceAuditingRequirements() error

EnforceAuditingRequirements enforces CIS requirements for auditing.

func EnforceBootstrapMasterRequirements ¶

func EnforceBootstrapMasterRequirements() error

EnforceBootstrapMasterRequirements enforces the CIS requirements for master nodes.

func EnforceCommonMasterRequirements ¶

func EnforceCommonMasterRequirements(aescbcEncryptionSecret string) (err error)

EnforceCommonMasterRequirements enforces the CIS requirements for master nodes.

func EnforceExtraRequirements ¶

func EnforceExtraRequirements() error

EnforceExtraRequirements enforces miscellaneous CIS requirements. TODO(andrewrynhard): Enable anonymous-auth, see https://github.com/kubernetes/kubeadm/issues/798. TODO(andrewrynhard): Enable kubelet-certificate-authority, see https://github.com/kubernetes/kubeadm/issues/118#issuecomment-407202481.

func EnforceSecretRequirements ¶

func EnforceSecretRequirements() error

EnforceSecretRequirements enforces CIS requirements for secrets.

func EnforceTLSRequirements ¶

func EnforceTLSRequirements() error

EnforceTLSRequirements enforces CIS requirements for TLS.

func EnforceWorkerRequirements ¶

func EnforceWorkerRequirements() error

EnforceWorkerRequirements enforces the CIS requirements for master nodes.

func WriteAuditPolicyToDisk ¶

func WriteAuditPolicyToDisk() (err error)

WriteAuditPolicyToDisk writes the audit policy to disk.

func WriteEncryptionConfigToDisk ¶

func WriteEncryptionConfigToDisk(aescbcEncryptionSecret string) error

WriteEncryptionConfigToDisk writes an EncryptionConfig to disk.

Types ¶

This section is empty.

Source Files ¶

View all Source files

cis.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL