Package policy
v0.29.13
This package is not in the latest version of its module.
Published: Jan 16, 2025 License: Apache-2.0 Imports: 9 Imported by: 12

Documentation

Overview

Package policy contains implementations of Pod Security Standards checks.

Constants

const UnknownForbiddenReason = "unknown forbidden reason"

UnknownForbiddenReason is used as the placeholder forbidden reason for checks that incorrectly disallow without providing a reason.

Variables

This section is empty.

Functions

func RelaxPolicyForUserNamespacePods added in v0.29.0

func RelaxPolicyForUserNamespacePods(relax bool)

RelaxPolicyForUserNamespacePods allows opting into relaxing the runAsUser / runAsNonRoot restricted policies for user namespace pods, before the user namespace feature has reached GA and propagated to the oldest supported nodes. This should only be opted into in clusters where the administrator ensures all nodes in the cluster enable the user namespace feature.

Types

type AggregateCheckResult

type AggregateCheckResult struct {
	// Allowed indicates if all checks allowed the pod.
	Allowed bool
	// ForbiddenReasons is a slice of the forbidden reasons from all the forbidden checks. It should not include empty strings.
	// ForbiddenReasons and ForbiddenDetails must have the same number of elements, and the indexes are for the same check.
	ForbiddenReasons []string
	// ForbiddenDetails is a slice of the forbidden details from all the forbidden checks. It may include empty strings.
	// ForbiddenReasons and ForbiddenDetails must have the same number of elements, and the indexes are for the same check.
	ForbiddenDetails []string
}

AggregateCheckResult holds the aggregate result of running CheckPod across multiple checks.

func AggregateCheckResults

func AggregateCheckResults(results []CheckResult) AggregateCheckResult

AggregateCheckResults runs all the checks and aggregates the forbidden results into a single AggregateCheckResult. The aggregated reason is a comma-separated

func (*AggregateCheckResult) ForbiddenDetail

func (a *AggregateCheckResult) ForbiddenDetail() string

ForbiddenDetail returns a detailed forbidden message, with non-empty details formatted in parentheses with the associated reason. Example: host ports (8080, 9090), privileged containers, non-default capabilities (NET_RAW)

func (*AggregateCheckResult) ForbiddenReason

func (a *AggregateCheckResult) ForbiddenReason() string

ForbiddenReason returns a comma-separated string of the forbidden reasons. Example: host ports, privileged containers, non-default capabilities

type Check

type Check struct {
	// ID is the unique ID of the check.
	ID CheckID
	// Level is the policy level this check belongs to.
	// Must be Baseline or Restricted.
	// Baseline checks are evaluated for baseline and restricted namespaces.
	// Restricted checks are only evaluated for restricted namespaces.
	Level api.Level
	// Versions contains one or more revisions of the check that apply to different versions.
	// If the check is not yet assigned to a version, this must be a single-item list with a MinimumVersion of "".
	// Otherwise, MinimumVersion of items must represent strictly increasing versions.
	Versions []VersionedCheck
}

func CheckAllowPrivilegeEscalation

func CheckAllowPrivilegeEscalation() Check

CheckAllowPrivilegeEscalation returns a restricted level check that requires allowPrivilegeEscalation=false in 1.8+

func CheckAppArmorProfile

func CheckAppArmorProfile() Check

CheckAppArmorProfile returns a baseline level check that limits the value of AppArmor profiles in 1.0+

func CheckCapabilitiesBaseline

func CheckCapabilitiesBaseline() Check

CheckCapabilitiesBaseline returns a baseline level check that limits the capabilities that can be added in 1.0+

func CheckCapabilitiesRestricted

func CheckCapabilitiesRestricted() Check

CheckCapabilitiesRestricted returns a restricted level check that ensures ALL capabilities are dropped in 1.22+

func CheckHostNamespaces

func CheckHostNamespaces() Check

CheckHostNamespaces returns a baseline level check that prohibits host namespaces in 1.0+

func CheckHostPathVolumes

func CheckHostPathVolumes() Check

CheckHostPathVolumes returns a baseline level check that requires hostPath=undefined/null in 1.0+

func CheckHostPorts

func CheckHostPorts() Check

CheckHostPorts returns a baseline level check that forbids any host ports in 1.0+

func CheckPrivileged

func CheckPrivileged() Check

CheckPrivileged returns a baseline level check that forbids privileged=true in 1.0+

func CheckProcMount

func CheckProcMount() Check

CheckProcMount returns a baseline level check that restricts setting the value of securityContext.procMount to DefaultProcMount in 1.0+

func CheckRestrictedVolumes

func CheckRestrictedVolumes() Check

CheckRestrictedVolumes returns a restricted level check that limits usage of specific volume types in 1.0+

func CheckRunAsNonRoot

func CheckRunAsNonRoot() Check

CheckRunAsNonRoot returns a restricted level check that requires runAsNonRoot=true in 1.0+

func CheckRunAsUser added in v0.23.0

func CheckRunAsUser() Check

CheckRunAsUser returns a restricted level check that forbids runAsUser=0 in 1.23+

func CheckSELinuxOptions

func CheckSELinuxOptions() Check

CheckSELinuxOptions returns a baseline level check that limits seLinuxOptions type, user, and role values in 1.0+

func CheckSeccompBaseline

func CheckSeccompBaseline() Check

func CheckSeccompProfileRestricted

func CheckSeccompProfileRestricted() Check

func CheckSysctls

func CheckSysctls() Check

CheckSysctls returns a baseline level check that limits the value of sysctls in 1.0+

func CheckWindowsHostProcess

func CheckWindowsHostProcess() Check

CheckWindowsHostProcess returns a baseline level check that forbids hostProcess=true in 1.0+

func DefaultChecks

func DefaultChecks() []Check

DefaultChecks returns checks that are expected to be enabled by default. The results are mutually exclusive with ExperimentalChecks. It returns a new copy of checks on each invocation and is expected to be called once at setup time.

func ExperimentalChecks

func ExperimentalChecks() []Check

ExperimentalChecks returns checks that have not yet been assigned to policy versions. The results are mutually exclusive with DefaultChecks. It returns a new copy of checks on each invocation and is expected to be called once at setup time.

type CheckID added in v0.24.0

type CheckID string

type CheckPodFn

type CheckPodFn func(*metav1.ObjectMeta, *corev1.PodSpec) CheckResult

type CheckResult

type CheckResult struct {
	// Allowed indicates if the check allowed the pod.
	Allowed bool
	// ForbiddenReason must be set if Allowed is false.
	// ForbiddenReason should be as succinct as possible and is always output.
	// Examples:
	// - "host ports"
	// - "privileged containers"
	// - "non-default capabilities"
	ForbiddenReason string
	// ForbiddenDetail should only be set if Allowed is false, and is optional.
	// ForbiddenDetail can include specific values that were disallowed and is used when checking an individual object.
	// Examples:
	// - list specific invalid host ports: "8080, 9090"
	// - list specific invalid containers: "container1, container2"
	// - list specific non-default capabilities: "CAP_NET_RAW"
	ForbiddenDetail string
}

CheckResult contains the result of checking a pod and indicates whether the pod is allowed, and if not, why it was forbidden.

Example output for (false, "host ports", "8080, 9090"):

When checking all pods in a namespace:
  disallowed by policy "baseline": host ports, privileged containers, non-default capabilities
When checking an individual pod:
  disallowed by policy "baseline": host ports (8080, 9090), privileged containers, non-default capabilities (CAP_NET_RAW)

type ContainerVisitor

type ContainerVisitor func(container *corev1.Container)

ContainerVisitor is called with each container and the field.Path to that container

type Evaluator

type Evaluator interface {
	// EvaluatePod evaluates the pod against the policy for the given level & version.
	EvaluatePod(lv api.LevelVersion, podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) []CheckResult
}

Evaluator holds the Checks that are used to validate a policy.

func NewEvaluator

func NewEvaluator(checks []Check) (Evaluator, error)

NewEvaluator constructs a new Evaluator instance from the list of checks. If the provided checks are invalid, an error is returned. A valid list of checks must meet the following requirements:
1. Check.ID is unique in the list
2. Check.Level must be either Baseline or Restricted
3. Checks must have a non-empty set of versions, sorted in a strictly increasing order
4. Check.Versions cannot include 'latest'

type VersionedCheck

type VersionedCheck struct {
	// MinimumVersion is the first policy version this check applies to.
	// If unset, this check is not yet assigned to a policy version.
	// If set, must not be "latest".
	MinimumVersion api.Version
	// CheckPod determines if the pod is allowed.
	CheckPod CheckPodFn
	// OverrideCheckIDs is an optional list of checks that should be skipped when this check is run.
	// Overrides may only be set on restricted checks, and may only override baseline checks.
	OverrideCheckIDs []CheckID
}
