config

package


Constants

// Operator identity and the names of its daemon (SPOd) resources.
const (
	// OperatorName is the name when referring to the operator.
	OperatorName = "security-profiles-operator"

	// SPOdName is the name of the default SPOd config instance.
	SPOdName = "spod"

	// SPOdServiceAccount is the service account of the
	// security-profiles-operator daemon; it reuses SPOdName.
	SPOdServiceAccount = SPOdName

	// SPOdNameEnvKey allows one to query the name of the SPOd instance
	// from within the daemon.
	SPOdNameEnvKey = "SPOD_NAME"

	// UserRootless is the numeric user ID the operator runs as.
	UserRootless = 65535
)

// Filesystem layout: host mount, profile folders and the operator root.
const (
	// HostRoot defines the mount path of the host file system root.
	HostRoot = "/host"

	// SeccompProfilesFolder is the folder name holding the seccomp profiles.
	SeccompProfilesFolder = "seccomp"

	// OperatorProfilesFolder is the folder name holding the operator profiles.
	OperatorProfilesFolder = "operator"

	// OperatorRoot is the root directory of the operator.
	OperatorRoot = "/var/lib/security-profiles-operator"

	// DefaultSpoProfilePath is the default path from which the non-root
	// enabler copies the security profiles.
	DefaultSpoProfilePath = "/opt/spo-profiles"
)

// Kubelet location and its on-disk configuration.
const (
	// DefaultKubeletPath specifies the default kubelet path.
	DefaultKubeletPath = "/var/lib/kubelet"

	// KubeletConfigFile is the name of the kubelet config file, which
	// carries various configuration parameters of the kubelet. The non-root
	// enabler container creates it during daemon initialization.
	KubeletConfigFile = "kubelet-config.json"

	// KubeletDirEnvKey is the environment variable key for a custom kubelet
	// directory.
	KubeletDirEnvKey = "KUBELET_DIR"

	// KubeletDirNodeLabelKey is the label on a Node that specifies a custom
	// kubelet root directory configured for that node. The value uses the
	// form folder-subfolder-subfolder, which translates to
	// /folder/subfolder/subfolder.
	KubeletDirNodeLabelKey = "kubelet.kubernetes.io/directory-location"
)

// Environment variable keys read by the operator and its daemon.
const (
	// NodeNameEnvKey is the default environment variable key for retrieving
	// the name of the current node.
	NodeNameEnvKey = "NODE_NAME"

	// OperatorNamespaceEnvKey is the default environment variable key for
	// retrieving the operator's namespace.
	OperatorNamespaceEnvKey = "OPERATOR_NAMESPACE"

	// RestrictNamespaceEnvKey is the environment variable key that restricts
	// the operator to working on a single Kubernetes namespace.
	RestrictNamespaceEnvKey = "RESTRICT_TO_NAMESPACE"

	// VerbosityEnvKey is the environment variable key for the logging
	// verbosity.
	VerbosityEnvKey = "SPO_VERBOSITY"

	// EnableLogEnricherEnvKey is the environment variable key for enabling
	// the log enricher.
	EnableLogEnricherEnvKey = "ENABLE_LOG_ENRICHER"

	// EnableBpfRecorderEnvKey is the environment variable key for enabling
	// the BPF recorder.
	EnableBpfRecorderEnvKey = "ENABLE_BPF_RECORDER"

	// EnableRecordingEnvKey is the environment variable key for enabling
	// profile recording.
	EnableRecordingEnvKey = "ENABLE_RECORDING"

	// ProfilingEnvKey is the environment variable key for enabling profiling
	// support.
	ProfilingEnvKey = "SPO_PROFILING"

	// ProfilingPortEnvKey is the environment variable key for choosing the
	// profiling port.
	ProfilingPortEnvKey = "SPO_PROFILING_PORT"
)

// Logging, profiling and health-probe settings.
const (
	// VerboseLevel is the increased verbosity log level.
	VerboseLevel = 1

	// DefaultProfilingPort is the start port where the profiling endpoint
	// runs.
	DefaultProfilingPort = 6060

	// HealthProbePort is the port where the liveness probe is served.
	HealthProbePort = 8085
)

// Pod annotation keys that trigger profile recording. Every value ends with
// a slash, presumably so that a suffix is appended per annotated target —
// confirm against the code that matches these annotations.
const (
	// SeccompProfileRecordLogsAnnotationKey is the annotation on a Pod that
	// triggers the internal log enricher to trace the syscalls of the Pod
	// and create a seccomp profile.
	SeccompProfileRecordLogsAnnotationKey = "io.containers.trace-logs/"

	// SeccompProfileRecordBpfAnnotationKey is the annotation on a Pod that
	// triggers the internal bpf module to trace the syscalls of the Pod and
	// create a seccomp profile.
	SeccompProfileRecordBpfAnnotationKey = "io.containers.trace-bpf/"

	// SelinuxProfileRecordLogsAnnotationKey is the annotation on a Pod that
	// triggers the internal log enricher to trace the AVC denials of the Pod
	// and create a selinux profile.
	SelinuxProfileRecordLogsAnnotationKey = "io.containers.trace-avcs/"
)

// Log files and tracing profiles used by the log enricher.
const (
	// AuditLogPath is the path to the auditd log file.
	AuditLogPath = "/var/log/audit/audit.log"

	// SyslogLogPath is the path to the syslog log file.
	SyslogLogPath = "/var/log/syslog"

	// LogEnricherProfile is the seccomp profile name used for tracing
	// syscalls from the log enricher.
	LogEnricherProfile = "log-enricher-trace"

	// SelinuxPermissiveProfile is the selinux profile name used for tracing
	// AVC denials from the log enricher.
	SelinuxPermissiveProfile = "selinuxrecording.process"
)

// Unix socket paths of the daemon's internal GRPC servers.
const (
	// GRPCServerSocketMetrics is the socket path of the GRPC metrics server.
	GRPCServerSocketMetrics = "/var/run/grpc/metrics.sock"

	// GRPCServerSocketEnricher is the socket path of the GRPC enricher server.
	GRPCServerSocketEnricher = "/var/run/grpc/enricher.sock"

	// GRPCServerSocketBpfRecorder is the socket path of the GRPC bpf recorder
	// server.
	GRPCServerSocketBpfRecorder = "/var/run/grpc/bpf-recorder.sock"
)

Variables

// ErrPodNamespaceEnvNotFound is the sentinel error for a missing
// OPERATOR_NAMESPACE environment variable (the key held in
// OperatorNamespaceEnvKey). Presumably what TryToGetOperatorNamespace
// returns in that case — confirm against its body; compare with errors.Is.
var ErrPodNamespaceEnvNotFound = errors.New("the env variable OPERATOR_NAMESPACE hasn't been set")
// ProfileRecordingOutputPath is the path where the recorded profiles will be
// stored. Those profiles are reconciled into native CRDs and therefore have a
// limited lifetime. The directory lives under the system temp dir
// (os.TempDir), which is shared with other processes on the host —
// NOTE(review): confirm the ownership and permissions applied by whatever
// creates it.
var ProfileRecordingOutputPath = filepath.Join(os.TempDir(), "security-profiles-operator-recordings")

ProfileRecordingOutputPath is the path where the recorded profiles will be stored. Those profiles are going to be reconciled into native CRDs and therefore have a limited lifetime.

Functions

func GetOperatorNamespace added in v0.3.0

func GetOperatorNamespace() string

GetOperatorNamespace returns the namespace that the operator is currently running in. Failure to determine the namespace results in a panic.

func KubeletConfigFilePath added in v0.7.0

func KubeletConfigFilePath() string

KubeletConfigFilePath returns the kubelet config file path.

func KubeletDir added in v0.7.0

func KubeletDir() string

KubeletDir returns the kubelet directory, taken either from a config file, from an environment variable when it is set, or from the default Kubernetes path.

func KubeletSeccompRootPath added in v0.3.0

func KubeletSeccompRootPath() string

KubeletSeccompRootPath specifies the path where all kubelet seccomp profiles are stored.

func ProfilesRootPath

func ProfilesRootPath() string

ProfilesRootPath specifies the path where the operator stores seccomp profiles.

func TryToGetOperatorNamespace added in v0.3.0

func TryToGetOperatorNamespace() (string, error)

Types

type KubeletConfig added in v0.7.0

// KubeletConfig stores various configuration parameters of the kubelet.
// It is read from the kubelet config file (KubeletConfigFile) by
// GetKubeletConfigFromFile.
type KubeletConfig struct {
	// KubeletDir is the kubelet root directory path. It is omitted from the
	// JSON encoding when empty.
	KubeletDir string `json:"kubeletDir,omitempty"`
}

KubeletConfig stores various configuration parameters of the kubelet.

func GetKubeletConfigFromFile added in v0.7.0

func GetKubeletConfigFromFile() (*KubeletConfig, error)

GetKubeletConfigFromFile reads the kubelet config from file.
