Documentation ¶
Overview ¶
Package policy contains implementations of Pod Security Standards checks.
Index ¶
- Constants
- type AggregateCheckResult
- type Check
- func CheckAllowPrivilegeEscalation() Check
- func CheckAppArmorProfile() Check
- func CheckCapabilitiesBaseline() Check
- func CheckCapabilitiesRestricted() Check
- func CheckHostNamespaces() Check
- func CheckHostPathVolumes() Check
- func CheckHostPorts() Check
- func CheckPrivileged() Check
- func CheckProcMount() Check
- func CheckRestrictedVolumes() Check
- func CheckRunAsNonRoot() Check
- func CheckSELinuxOptions() Check
- func CheckSeccompBaseline() Check
- func CheckSeccompProfileRestricted() Check
- func CheckSysctls() Check
- func CheckWindowsHostProcess() Check
- func DefaultChecks() []Check
- func ExperimentalChecks() []Check
- type CheckPodFn
- type CheckResult
- type ContainerVisitor
- type Evaluator
- type VersionedCheck
Constants ¶
const UnknownForbiddenReason = "unknown forbidden reason"
UnknownForbiddenReason is used as the placeholder forbidden reason for checks that incorrectly disallow without providing a reason.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AggregateCheckResult ¶
type AggregateCheckResult struct {
	// Allowed indicates if all checks allowed the pod.
	Allowed bool
	// ForbiddenReasons is a slice of the forbidden reasons from all the forbidden checks. It should not include empty strings.
	// ForbiddenReasons and ForbiddenDetails must have the same number of elements, and the indexes are for the same check.
	ForbiddenReasons []string
	// ForbiddenDetails is a slice of the forbidden details from all the forbidden checks. It may include empty strings.
	// ForbiddenReasons and ForbiddenDetails must have the same number of elements, and the indexes are for the same check.
	ForbiddenDetails []string
}
AggregateCheckResult holds the aggregate result of running CheckPod across multiple checks.
func AggregateCheckResults ¶
func AggregateCheckResults(results []CheckResult) AggregateCheckResult
AggregateCheckResults aggregates the forbidden results from all the checks into a single AggregateCheckResult. The aggregated reason is a comma-separated
func (*AggregateCheckResult) ForbiddenDetail ¶
func (a *AggregateCheckResult) ForbiddenDetail() string
ForbiddenDetail returns a detailed forbidden message, with non-empty details formatted in parentheses with the associated reason. Example: host ports (8080, 9090), privileged containers, non-default capabilities (NET_RAW)
func (*AggregateCheckResult) ForbiddenReason ¶
func (a *AggregateCheckResult) ForbiddenReason() string
ForbiddenReason returns a comma-separated string of the forbidden reasons. Example: host ports, privileged containers, non-default capabilities
type Check ¶
type Check struct {
	// ID is the unique ID of the check.
	ID string
	// Level is the policy level this check belongs to.
	// Must be Baseline or Restricted.
	// Baseline checks are evaluated for baseline and restricted namespaces.
	// Restricted checks are only evaluated for restricted namespaces.
	Level api.Level
	// Versions contains one or more revisions of the check that apply to different versions.
	// If the check is not yet assigned to a version, this must be a single-item list with a MinimumVersion of "".
	// Otherwise, MinimumVersion of items must represent strictly increasing versions.
	Versions []VersionedCheck
}
func CheckAllowPrivilegeEscalation ¶
func CheckAllowPrivilegeEscalation() Check
CheckAllowPrivilegeEscalation returns a restricted level check that requires allowPrivilegeEscalation=false in 1.8+
func CheckAppArmorProfile ¶
func CheckAppArmorProfile() Check
CheckAppArmorProfile returns a baseline level check that limits the value of AppArmor profiles in 1.0+
func CheckCapabilitiesBaseline ¶
func CheckCapabilitiesBaseline() Check
CheckCapabilitiesBaseline returns a baseline level check that limits the capabilities that can be added in 1.0+
func CheckCapabilitiesRestricted ¶
func CheckCapabilitiesRestricted() Check
CheckCapabilitiesRestricted returns a restricted level check that ensures ALL capabilities are dropped in 1.22+
func CheckHostNamespaces ¶
func CheckHostNamespaces() Check
CheckHostNamespaces returns a baseline level check that prohibits host namespaces in 1.0+
func CheckHostPathVolumes ¶
func CheckHostPathVolumes() Check
CheckHostPathVolumes returns a baseline level check that requires hostPath=undefined/null in 1.0+
func CheckHostPorts ¶
func CheckHostPorts() Check
CheckHostPorts returns a baseline level check that forbids any host ports in 1.0+
func CheckPrivileged ¶
func CheckPrivileged() Check
CheckPrivileged returns a baseline level check that forbids privileged=true in 1.0+
func CheckProcMount ¶
func CheckProcMount() Check
CheckProcMount returns a baseline level check that restricts setting the value of securityContext.procMount to DefaultProcMount in 1.0+
func CheckRestrictedVolumes ¶
func CheckRestrictedVolumes() Check
CheckRestrictedVolumes returns a restricted level check that limits usage of specific volume types in 1.0+
func CheckRunAsNonRoot ¶
func CheckRunAsNonRoot() Check
CheckRunAsNonRoot returns a restricted level check that requires runAsNonRoot=true in 1.0+
func CheckSELinuxOptions ¶
func CheckSELinuxOptions() Check
CheckSELinuxOptions returns a baseline level check that limits seLinuxOptions type, user, and role values in 1.0+
func CheckSeccompBaseline ¶
func CheckSeccompBaseline() Check
func CheckSeccompProfileRestricted ¶
func CheckSeccompProfileRestricted() Check
func CheckSysctls ¶
func CheckSysctls() Check
CheckSysctls returns a baseline level check that limits the value of sysctls in 1.0+
func CheckWindowsHostProcess ¶
func CheckWindowsHostProcess() Check
CheckWindowsHostProcess returns a baseline level check that forbids hostProcess=true in 1.0+
func DefaultChecks ¶
func DefaultChecks() []Check
DefaultChecks returns checks that are expected to be enabled by default. The results are mutually exclusive with ExperimentalChecks. It returns a new copy of checks on each invocation and is expected to be called once at setup time.
func ExperimentalChecks ¶
func ExperimentalChecks() []Check
ExperimentalChecks returns checks that have not yet been assigned to policy versions. The results are mutually exclusive with DefaultChecks. It returns a new copy of checks on each invocation and is expected to be called once at setup time.
type CheckPodFn ¶
type CheckPodFn func(*metav1.ObjectMeta, *corev1.PodSpec) CheckResult
type CheckResult ¶
type CheckResult struct {
	// Allowed indicates if the check allowed the pod.
	Allowed bool
	// ForbiddenReason must be set if Allowed is false.
	// ForbiddenReason should be as succinct as possible and is always output.
	// Examples:
	// - "host ports"
	// - "privileged containers"
	// - "non-default capabilities"
	ForbiddenReason string
	// ForbiddenDetail should only be set if Allowed is false, and is optional.
	// ForbiddenDetail can include specific values that were disallowed and is used when checking an individual object.
	// Examples:
	// - list specific invalid host ports: "8080, 9090"
	// - list specific invalid containers: "container1, container2"
	// - list specific non-default capabilities: "CAP_NET_RAW"
	ForbiddenDetail string
}
CheckResult contains the result of checking a pod and indicates whether the pod is allowed, and if not, why it was forbidden.
Example output for (false, "host ports", "8080, 9090"):
When checking all pods in a namespace:
	disallowed by policy "baseline": host ports, privileged containers, non-default capabilities
When checking an individual pod:
	disallowed by policy "baseline": host ports (8080, 9090), privileged containers, non-default capabilities (CAP_NET_RAW)
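The CheckResult and AggregateCheckResult contract described above (a reason is mandatory when forbidden and never empty after aggregation, a detail is optional, the two slices stay index-aligned, and the namespace and single-pod output forms differ only in the parenthesised details) as an added, stand-alone Go example. This is not the policy package's own code: it re-implements the documented behaviour locally so it runs without the k8s.io module, and the sample results in SampleResults are constructed, with one check that forbids without a reason added to show the UnknownForbiddenReason placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// UnknownForbiddenReason is the documented placeholder for a check that forbids
// a pod without giving a reason.
const UnknownForbiddenReason = "unknown forbidden reason"

// CheckResult mirrors the documented struct: a reason is mandatory when
// forbidden, a detail is optional.
type CheckResult struct {
	Allowed         bool
	ForbiddenReason string
	ForbiddenDetail string
}

// AggregateCheckResult keeps ForbiddenReasons and ForbiddenDetails index-aligned,
// one entry per forbidden check.
type AggregateCheckResult struct {
	Allowed          bool
	ForbiddenReasons []string
	ForbiddenDetails []string
}

// AggregateCheckResults drops allowed results and records every forbidden one.
// An empty reason is replaced by the placeholder so the reason list never holds
// empty strings; details may legitimately stay empty.
func AggregateCheckResults(results []CheckResult) AggregateCheckResult {
	agg := AggregateCheckResult{Allowed: true}
	for _, r := range results {
		if r.Allowed {
			continue
		}
		reason := r.ForbiddenReason
		if reason == "" {
			reason = UnknownForbiddenReason
		}
		agg.Allowed = false
		agg.ForbiddenReasons = append(agg.ForbiddenReasons, reason)
		agg.ForbiddenDetails = append(agg.ForbiddenDetails, r.ForbiddenDetail)
	}
	return agg
}

// ForbiddenReason is the short form used when reporting on all pods in a namespace.
func (a *AggregateCheckResult) ForbiddenReason() string {
	return strings.Join(a.ForbiddenReasons, ", ")
}

// ForbiddenDetail is the long form used for an individual pod: each non-empty
// detail follows its reason in parentheses.
func (a *AggregateCheckResult) ForbiddenDetail() string {
	parts := make([]string, 0, len(a.ForbiddenReasons))
	for i, reason := range a.ForbiddenReasons {
		if d := a.ForbiddenDetails[i]; d != "" {
			reason = fmt.Sprintf("%s (%s)", reason, d)
		}
		parts = append(parts, reason)
	}
	return strings.Join(parts, ", ")
}

// SampleResults are constructed check results: the page's three examples, one
// allowed check, and one misbehaving check that forbids without a reason.
func SampleResults() []CheckResult {
	return []CheckResult{
		{Allowed: false, ForbiddenReason: "host ports", ForbiddenDetail: "8080, 9090"},
		{Allowed: true},
		{Allowed: false, ForbiddenReason: "privileged containers"},
		{Allowed: false, ForbiddenReason: "non-default capabilities", ForbiddenDetail: "CAP_NET_RAW"},
		{Allowed: false},
	}
}

func main() {
	agg := AggregateCheckResults(SampleResults())
	fmt.Printf("namespace: disallowed by policy %q: %s\n", "baseline", agg.ForbiddenReason())
	fmt.Printf("pod:       disallowed by policy %q: %s\n", "baseline", agg.ForbiddenDetail())
}
```

Running it prints the namespace form first and the single-pod form second; the misbehaving fifth result shows up as "unknown forbidden reason" in both, which is the signal to look for in admission logs when a custom check returns Allowed=false without populating ForbiddenReason.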
type ContainerVisitor ¶
ContainerVisitor is called with each container and the field.Path to that container
type Evaluator ¶
type Evaluator interface {
	// EvaluatePod evaluates the pod against the policy for the given level & version.
	EvaluatePod(lv api.LevelVersion, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) []CheckResult
}
Evaluator holds the Checks that are used to validate a policy.
func NewEvaluator ¶
NewEvaluator constructs a new Evaluator instance from the list of checks. If the provided checks are invalid, an error is returned. A valid list of checks must meet the following requirements:
1. Check.ID is unique in the list
2. Check.Level must be either Baseline or Restricted
3. Checks must have a non-empty set of versions, sorted in a strictly increasing order
4. Check.Versions cannot include 'latest'
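The four NewEvaluator requirements just listed, together with the level and version semantics given for Check (baseline checks run at both levels, restricted checks only at restricted, and each check contributes the revision whose MinimumVersion applies to the requested version), as an added Go example. This is not the policy package's code: Level, Version (with a Latest flag standing in for "latest"), PodSpec, CheckResult and the two checks returned by DemoChecks are simplified stand-ins and constructed inputs assumed for this example, chosen so the block compiles without the k8s.io modules; the real api.Version and corev1.PodSpec carry far more than this.

```go
package main

import "fmt"

// Level, Version and PodSpec are simplified stand-ins (assumed here) for the api.Level,
// api.Version and corev1.PodSpec types the real package uses; Latest models "latest".
type Level string

const LevelBaseline, LevelRestricted Level = "baseline", "restricted"

type Version struct {
	Major, Minor int
	Latest       bool
}

// Older reports whether v is strictly older than o; "latest" is newer than everything.
func (v Version) Older(o Version) bool {
	return !v.Latest && (o.Latest || v.Major < o.Major || (v.Major == o.Major && v.Minor < o.Minor))
}

type PodSpec struct{ Privileged bool }
type CheckResult struct {
	Allowed         bool
	ForbiddenReason string
}
type CheckPodFn func(*PodSpec) CheckResult
type VersionedCheck struct {
	MinimumVersion Version
	CheckPod       CheckPodFn
}
type Check struct {
	ID       string
	Level    Level
	Versions []VersionedCheck
}
type Evaluator struct{ checks []Check }

// NewEvaluator enforces the four requirements listed above and rejects an invalid list.
func NewEvaluator(checks []Check) (*Evaluator, error) {
	seen := map[string]bool{}
	for _, c := range checks {
		if seen[c.ID] {
			return nil, fmt.Errorf("check %q: ID is not unique", c.ID)
		}
		seen[c.ID] = true
		if c.Level != LevelBaseline && c.Level != LevelRestricted {
			return nil, fmt.Errorf("check %q: invalid level %q", c.ID, c.Level)
		}
		if len(c.Versions) == 0 {
			return nil, fmt.Errorf("check %q: no versions", c.ID)
		}
		for i, v := range c.Versions {
			if v.MinimumVersion.Latest || (i > 0 && !c.Versions[i-1].MinimumVersion.Older(v.MinimumVersion)) {
				return nil, fmt.Errorf("check %q: versions must be strictly increasing and not 'latest'", c.ID)
			}
		}
	}
	return &Evaluator{checks: checks}, nil
}

// EvaluatePod runs Baseline checks at both levels and Restricted checks only at the restricted
// level, using each check's newest revision whose MinimumVersion is not newer than the requested
// version; a check whose revisions are all newer than that version is skipped.
func (e *Evaluator) EvaluatePod(level Level, version Version, spec *PodSpec) []CheckResult {
	var results []CheckResult
	for _, c := range e.checks {
		if c.Level == LevelRestricted && level != LevelRestricted {
			continue
		}
		var fn CheckPodFn
		for _, v := range c.Versions {
			if version.Older(v.MinimumVersion) {
				break // versions are sorted, so every later revision is newer too
			}
			fn = v.CheckPod
		}
		if fn != nil {
			results = append(results, fn(spec))
		}
	}
	return results
}

// DemoChecks are constructed checks that forbid a privileged pod: a baseline one
// applying from v1.0 and a restricted one whose only revision starts at v1.22.
func DemoChecks() []Check {
	forbid := func(reason string) CheckPodFn {
		return func(spec *PodSpec) CheckResult {
			if spec.Privileged {
				return CheckResult{ForbiddenReason: reason}
			}
			return CheckResult{Allowed: true}
		}
	}
	return []Check{
		{ID: "privileged", Level: LevelBaseline, Versions: []VersionedCheck{{MinimumVersion: Version{Major: 1}, CheckPod: forbid("privileged containers")}}},
		{ID: "restrictedOnly", Level: LevelRestricted, Versions: []VersionedCheck{{MinimumVersion: Version{Major: 1, Minor: 22}, CheckPod: forbid("restricted-only reason")}}},
	}
}
```

With ev built from NewEvaluator(DemoChecks()) and a privileged PodSpec, ev.EvaluatePod(LevelBaseline, Version{Major: 1, Minor: 25}, spec) yields only the baseline result, ev.EvaluatePod(LevelRestricted, Version{Major: 1, Minor: 21}, spec) also yields one because the restricted check's only revision starts at v1.22, and the same call at v1.25 (or with Latest set) yields both. Feeding NewEvaluator a duplicate ID, an unknown level, a "latest" MinimumVersion or a non-increasing version list returns an error instead of an evaluator, which is why the package expects it to be called once at setup time rather than per admission request.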
type VersionedCheck ¶
type VersionedCheck struct {
	// MinimumVersion is the first policy version this check applies to.
	// If unset, this check is not yet assigned to a policy version.
	// If set, must not be "latest".
	MinimumVersion api.Version
	// CheckPod determines if the pod is allowed.
	CheckPod CheckPodFn
}
Source Files ¶
- check_allowPrivilegeEscalation.go
- check_appArmorProfile.go
- check_capabilities_baseline.go
- check_capabilities_restricted.go
- check_hostNamespaces.go
- check_hostPathVolumes.go
- check_hostPorts.go
- check_privileged.go
- check_procMount.go
- check_restrictedVolumes.go
- check_runAsNonRoot.go
- check_seLinuxOptions.go
- check_seccompProfile_baseline.go
- check_seccompProfile_restricted.go
- check_sysctls.go
- check_windowsHostProcess.go
- checks.go
- doc.go
- helpers.go
- registry.go
- visitor.go