policy

package
v0.28.14
Published: Sep 11, 2024 License: Apache-2.0 Imports: 8 Imported by: 12

Documentation

Overview

Package policy contains implementations of Pod Security Standards checks

Constants

const UnknownForbiddenReason = "unknown forbidden reason"

UnknownForbiddenReason is used as the placeholder forbidden reason for checks that incorrectly disallow without providing a reason.

Variables

This section is empty.

Functions

This section is empty.

Types

type AggregateCheckResult

type AggregateCheckResult struct {
	// Allowed indicates if all checks allowed the pod.
	Allowed bool
	// ForbiddenReasons is a slice of the forbidden reasons from all the forbidden checks. It should not include empty strings.
	// ForbiddenReasons and ForbiddenDetails must have the same number of elements, and the indexes are for the same check.
	ForbiddenReasons []string
	// ForbiddenDetails is a slice of the forbidden details from all the forbidden checks. It may include empty strings.
	// ForbiddenReasons and ForbiddenDetails must have the same number of elements, and the indexes are for the same check.
	ForbiddenDetails []string
}

AggregateCheckResult holds the aggregate result of running CheckPod across multiple checks.

func AggregateCheckResults

func AggregateCheckResults(results []CheckResult) AggregateCheckResult

AggregateCheckResults runs all the checks and aggregates the forbidden results into a single CheckResult. The aggregated reason is a comma-separated

func (*AggregateCheckResult) ForbiddenDetail

func (a *AggregateCheckResult) ForbiddenDetail() string

ForbiddenDetail returns a detailed forbidden message, with non-empty details formatted in parentheses with the associated reason. Example: host ports (8080, 9090), privileged containers, non-default capabilities (NET_RAW)

func (*AggregateCheckResult) ForbiddenReason

func (a *AggregateCheckResult) ForbiddenReason() string

ForbiddenReason returns a comma-separated string of the forbidden reasons. Example: host ports, privileged containers, non-default capabilities

type Check

type Check struct {
	// ID is the unique ID of the check.
	ID CheckID
	// Level is the policy level this check belongs to.
	// Must be Baseline or Restricted.
	// Baseline checks are evaluated for baseline and restricted namespaces.
	// Restricted checks are only evaluated for restricted namespaces.
	Level api.Level
	// Versions contains one or more revisions of the check that apply to different versions.
	// If the check is not yet assigned to a version, this must be a single-item list with a MinimumVersion of "".
	// Otherwise, MinimumVersion of items must represent strictly increasing versions.
	Versions []VersionedCheck
}

func CheckAllowPrivilegeEscalation

func CheckAllowPrivilegeEscalation() Check

CheckAllowPrivilegeEscalation returns a restricted level check that requires allowPrivilegeEscalation=false in 1.8+

func CheckAppArmorProfile

func CheckAppArmorProfile() Check

CheckAppArmorProfile returns a baseline level check that limits the value of AppArmor profiles in 1.0+

func CheckCapabilitiesBaseline

func CheckCapabilitiesBaseline() Check

CheckCapabilitiesBaseline returns a baseline level check that limits the capabilities that can be added in 1.0+

func CheckCapabilitiesRestricted

func CheckCapabilitiesRestricted() Check

CheckCapabilitiesRestricted returns a restricted level check that ensures ALL capabilities are dropped in 1.22+

func CheckHostNamespaces

func CheckHostNamespaces() Check

CheckHostNamespaces returns a baseline level check that prohibits host namespaces in 1.0+

func CheckHostPathVolumes

func CheckHostPathVolumes() Check

CheckHostPathVolumes returns a baseline level check that requires hostPath=undefined/null in 1.0+

func CheckHostPorts

func CheckHostPorts() Check

CheckHostPorts returns a baseline level check that forbids any host ports in 1.0+

func CheckPrivileged

func CheckPrivileged() Check

CheckPrivileged returns a baseline level check that forbids privileged=true in 1.0+

func CheckProcMount

func CheckProcMount() Check

CheckProcMount returns a baseline level check that restricts setting the value of securityContext.procMount to DefaultProcMount in 1.0+

func CheckRestrictedVolumes

func CheckRestrictedVolumes() Check

CheckRestrictedVolumes returns a restricted level check that limits usage of specific volume types in 1.0+

func CheckRunAsNonRoot

func CheckRunAsNonRoot() Check

CheckRunAsNonRoot returns a restricted level check that requires runAsNonRoot=true in 1.0+

func CheckRunAsUser added in v0.23.0

func CheckRunAsUser() Check

CheckRunAsUser returns a restricted level check that forbids runAsUser=0 in 1.23+

func CheckSELinuxOptions

func CheckSELinuxOptions() Check

CheckSELinuxOptions returns a baseline level check that limits seLinuxOptions type, user, and role values in 1.0+

func CheckSeccompBaseline

func CheckSeccompBaseline() Check

func CheckSeccompProfileRestricted

func CheckSeccompProfileRestricted() Check

func CheckSysctls

func CheckSysctls() Check

CheckSysctls returns a baseline level check that limits the value of sysctls in 1.0+

func CheckWindowsHostProcess

func CheckWindowsHostProcess() Check

CheckWindowsHostProcess returns a baseline level check that forbids hostProcess=true in 1.0+

func DefaultChecks

func DefaultChecks() []Check

DefaultChecks returns checks that are expected to be enabled by default. The results are mutually exclusive with ExperimentalChecks. It returns a new copy of checks on each invocation and is expected to be called once at setup time.

func ExperimentalChecks

func ExperimentalChecks() []Check

ExperimentalChecks returns checks that have not yet been assigned to policy versions. The results are mutually exclusive with DefaultChecks. It returns a new copy of checks on each invocation and is expected to be called once at setup time.

type CheckID added in v0.24.0

type CheckID string

type CheckPodFn

type CheckPodFn func(*metav1.ObjectMeta, *corev1.PodSpec) CheckResult

type CheckResult

type CheckResult struct {
	// Allowed indicates if the check allowed the pod.
	Allowed bool
	// ForbiddenReason must be set if Allowed is false.
	// ForbiddenReason should be as succinct as possible and is always output.
	// Examples:
	// - "host ports"
	// - "privileged containers"
	// - "non-default capabilities"
	ForbiddenReason string
	// ForbiddenDetail should only be set if Allowed is false, and is optional.
	// ForbiddenDetail can include specific values that were disallowed and is used when checking an individual object.
	// Examples:
	// - list specific invalid host ports: "8080, 9090"
	// - list specific invalid containers: "container1, container2"
	// - list specific non-default capabilities: "CAP_NET_RAW"
	ForbiddenDetail string
}

CheckResult contains the result of checking a pod and indicates whether the pod is allowed, and if not, why it was forbidden.

Example output for (false, "host ports", "8080, 9090"):

When checking all pods in a namespace:
  disallowed by policy "baseline": host ports, privileged containers, non-default capabilities
When checking an individual pod:
  disallowed by policy "baseline": host ports (8080, 9090), privileged containers, non-default capabilities (CAP_NET_RAW)

type ContainerVisitor

type ContainerVisitor func(container *corev1.Container)

ContainerVisitor is called with each container and the field.Path to that container

type Evaluator

type Evaluator interface {
	// EvaluatePod evaluates the pod against the policy for the given level & version.
	EvaluatePod(lv api.LevelVersion, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) []CheckResult
}

Evaluator holds the Checks that are used to validate a policy.

func NewEvaluator

func NewEvaluator(checks []Check) (Evaluator, error)

NewEvaluator constructs a new Evaluator instance from the list of checks. If the provided checks are invalid, an error is returned. A valid list of checks must meet the following requirements:

1. Check.ID is unique in the list
2. Check.Level must be either Baseline or Restricted
3. Checks must have a non-empty set of versions, sorted in a strictly increasing order
4. Check.Versions cannot include 'latest'
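The four requirements, applied by an added validation example that is not the package's own code. It stands in a plain minor-version int plus a Latest flag for api.Version (an assumption), and also enforces the rule stated on the Check type that an unassigned check must be a single-item list.

```go
package main

import "fmt"

// Stand-ins for the page's Check and VersionedCheck (assumption: a minor-version
// int and a Latest flag replace api.Version; MinimumVersion 0 means not yet assigned).
type Level string
const (
	Baseline   Level = "baseline"
	Restricted Level = "restricted"
)
type VersionedCheck struct {
	MinimumVersion int  // 0: not yet assigned to a policy version
	Latest         bool // the "latest" alias, never valid as a MinimumVersion
}

type Check struct {
	ID       string
	Level    Level
	Versions []VersionedCheck
}

// validateChecks applies the four NewEvaluator requirements listed on this page.
func validateChecks(checks []Check) error {
	seen := map[string]bool{}
	for _, c := range checks {
		if seen[c.ID] {
			return fmt.Errorf("check %q: duplicate ID", c.ID)
		}
		seen[c.ID] = true
		if c.Level != Baseline && c.Level != Restricted {
			return fmt.Errorf("check %q: level must be baseline or restricted, got %q", c.ID, c.Level)
		}
		if len(c.Versions) == 0 {
			return fmt.Errorf("check %q: no versions", c.ID)
		}
		for i, v := range c.Versions {
			if v.Latest {
				return fmt.Errorf("check %q: versions cannot include latest", c.ID)
			}
			if v.MinimumVersion == 0 && len(c.Versions) != 1 {
				return fmt.Errorf("check %q: unassigned check must have exactly one version", c.ID)
			}
			if i > 0 && v.MinimumVersion <= c.Versions[i-1].MinimumVersion {
				return fmt.Errorf("check %q: versions must be strictly increasing", c.ID)
			}
		}
	}
	return nil
}
```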

type VersionedCheck

type VersionedCheck struct {
	// MinimumVersion is the first policy version this check applies to.
	// If unset, this check is not yet assigned to a policy version.
	// If set, must not be "latest".
	MinimumVersion api.Version
	// CheckPod determines if the pod is allowed.
	CheckPod CheckPodFn
	// OverrideCheckIDs is an optional list of checks that should be skipped when this check is run.
	// Overrides may only be set on restricted checks, and may only override baseline checks.
	OverrideCheckIDs []CheckID
}
