Documentation ¶
Index ¶
- Constants
- Variables
- func Execute()
- func FixTestSetup(t *testing.T, file string, auditFunction func(k8sRuntime.Object) []Result) (*assert.Assertions, k8sRuntime.Object)
- func IsSupportedResourceType(obj runtime.Object) bool
- func WriteToFile(decode k8sRuntime.Object, filename string, toAppend bool) error
- type CapSet
- type Capabilities
- type Capability
- type Container
- type CronJob
- type DaemonSet
- type DaemonSetList
- type DebugHook
- type DeploymentExtensionsV1Beta1
- type DeploymentList
- type DeploymentV1Beta1
- type DeploymentV1Beta2
- type ListOptions
- type Metadata
- type NamespaceList
- type NetworkPolicy
- type NetworkPolicyList
- type ObjectMeta
- type Occurrence
- type Pod
- type PodList
- type PodSpec
- type ReplicationController
- type ReplicationControllerList
- type Result
- type SecurityContext
- type StatefulSet
- type StatefulSetList
Constants ¶
const (
    // KubeauditInternalError is an internal error which cannot be fixed by the user.
    KubeauditInternalError
    // ErrorAllowPrivilegeEscalationNil occurs when AllowPrivilegeEscalation is not set which allows privilege
    // escalation.
    ErrorAllowPrivilegeEscalationNil
    // ErrorAllowPrivilegeEscalationTrue occurs when AllowPrivilegeEscalation is set to true
    ErrorAllowPrivilegeEscalationTrue
    // ErrorAllowPrivilegeEscalationTrueAllowed occurs when AllowPrivilegeEscalation is allowed to be set to true.
    ErrorAllowPrivilegeEscalationTrueAllowed
    // ErrorAutomountServiceAccountTokenNilAndNoName occurs when automountServiceAccountToken is not set and
    // serviceAccountName is blank.
    ErrorAutomountServiceAccountTokenNilAndNoName
    // ErrorAutomountServiceAccountTokenTrueAllowed occurs when automountServiceAccountToken is allowed to be set
    // to true.
    ErrorAutomountServiceAccountTokenTrueAllowed
    // ErrorAutomountServiceAccountTokenTrueAndNoName occurs when automountServiceAccountToken is set as true and
    // serviceAccountName is blank.
    ErrorAutomountServiceAccountTokenTrueAndNoName
    // ErrorCapabilityAdded occurs when a capability is added that is not allowed
    ErrorCapabilityAdded
    // ErrorCapabilityAllowed occurs when a capability is allowed that is part of the toBeDropped list.
    ErrorCapabilityAllowed
    // ErrorCapabilityNotDropped occurs when a capability should be dropped but it isn't
    ErrorCapabilityNotDropped
    // ErrorImageTagIncorrect occurs when an incorrect image tag is provided.
    ErrorImageTagIncorrect
    // ErrorImageTagMissing occurs when there is no image tag provided.
    ErrorImageTagMissing
    // ErrorMisconfiguredKubeauditAllow occurs when the option to allow a setting is set to true but the option
    // itself is set to false or nil.
    ErrorMisconfiguredKubeauditAllow
    // ErrorPrivilegedNil occurs when Privileged is not set.
    ErrorPrivilegedNil
    // ErrorPrivilegedTrue occurs when Privileged is set to true.
    ErrorPrivilegedTrue
    // ErrorPrivilegedTrueAllowed occurs when Privileged is allowed to be set to true.
    ErrorPrivilegedTrueAllowed
    // ErrorReadOnlyRootFilesystemFalse occurs when ReadOnlyRootFilesystem is set to false.
    ErrorReadOnlyRootFilesystemFalse
    // ErrorReadOnlyRootFilesystemFalseAllowed occurs when ReadOnlyRootFilesystem is allowed to be set to false.
    ErrorReadOnlyRootFilesystemFalseAllowed
    // ErrorReadOnlyRootFilesystemNil occurs when ReadOnlyRootFilesystem is set to nil.
    ErrorReadOnlyRootFilesystemNil
    // ErrorResourcesLimitsCPUExceeded occurs when the CPU limit is exceeded.
    ErrorResourcesLimitsCPUExceeded
    // ErrorResourcesLimitsCPUNil occurs when the CPU limit is not set.
    ErrorResourcesLimitsCPUNil
    // ErrorResourcesLimitsMemoryExceeded occurs when the memory limit is exceeded.
    ErrorResourcesLimitsMemoryExceeded
    // ErrorResourcesLimitsMemoryNil occurs when the memory limit is not set.
    ErrorResourcesLimitsMemoryNil
    // ErrorResourcesLimitsNil occurs when the resource limit is set to nil.
    ErrorResourcesLimitsNil
    // ErrorRunAsNonRootFalse occurs when RunAsNonRoot is set to false.
    ErrorRunAsNonRootFalse
    // ErrorRunAsNonRootFalseAllowed occurs when RunAsNonRoot is allowed to be set to false.
    ErrorRunAsNonRootFalseAllowed
    // ErrorRunAsNonRootNil occurs when RunAsNonRoot is not set.
    ErrorRunAsNonRootNil
    // ErrorServiceAccountTokenDeprecated occurs when serviceAccount is used. ServiceAccount is a deprecated alias
    // for ServiceAccountName.
    ErrorServiceAccountTokenDeprecated
    // InfoImageCorrect occurs when an image tag is correct.
    InfoImageCorrect
)
Error codes
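The Privileged and AllowPrivilegeEscalation codes above follow one pattern: an unset (nil) field is reported because the Kubernetes default is permissive, a true value is reported as an error unless the resource has been explicitly allowed, and an allow override on a field that is already false or nil is reported as ErrorMisconfiguredKubeauditAllow. The following is an added example (not kubeaudit's own code) that encodes that decision table for those two fields. It assumes a stand-in SecurityContext with only the audited *bool fields, a hypothetical AllowOverrides struct in place of the tool's per-resource allow labels, and local copies of the error codes with arbitrary values:

```go
package main

import "fmt"

// SecurityContext is a stand-in for the page's alias of k8s.io/api/core/v1.SecurityContext
// (assumption: only the tri-state *bool fields audited here are reproduced).
type SecurityContext struct {
	Privileged               *bool
	AllowPrivilegeEscalation *bool
}

// Local copies of the documented error codes (hypothetical values; the real
// package defines them in errors.go).
const (
	ErrorAllowPrivilegeEscalationNil = iota + 1
	ErrorAllowPrivilegeEscalationTrue
	ErrorAllowPrivilegeEscalationTrueAllowed
	ErrorMisconfiguredKubeauditAllow
	ErrorPrivilegedNil
	ErrorPrivilegedTrue
	ErrorPrivilegedTrueAllowed
)

// AllowOverrides models the per-resource "allow" settings (assumption: in the
// real tool these come from resource labels; here they are plain booleans).
type AllowOverrides struct {
	PrivilegedTrue               bool
	AllowPrivilegeEscalationTrue bool
}

// auditTriState classifies one *bool field whose dangerous value is true:
//   nil   -> nilCode (an unset field falls back to the permissive Kubernetes default)
//   true  -> trueCode, or trueAllowedCode when the override is set
//   false -> safe; an override on an already-safe field is a misconfiguration
func auditTriState(v *bool, allowed bool, nilCode, trueCode, trueAllowedCode int) (code int, found bool) {
	switch {
	case v == nil:
		if allowed {
			return ErrorMisconfiguredKubeauditAllow, true
		}
		return nilCode, true
	case *v:
		if allowed {
			return trueAllowedCode, true
		}
		return trueCode, true
	default:
		if allowed {
			return ErrorMisconfiguredKubeauditAllow, true
		}
		return 0, false
	}
}

// AuditSecurityContext returns the error codes raised for a container's
// SecurityContext, Privileged first, then AllowPrivilegeEscalation.
func AuditSecurityContext(sc SecurityContext, allow AllowOverrides) []int {
	var codes []int
	if c, ok := auditTriState(sc.Privileged, allow.PrivilegedTrue,
		ErrorPrivilegedNil, ErrorPrivilegedTrue, ErrorPrivilegedTrueAllowed); ok {
		codes = append(codes, c)
	}
	if c, ok := auditTriState(sc.AllowPrivilegeEscalation, allow.AllowPrivilegeEscalationTrue,
		ErrorAllowPrivilegeEscalationNil, ErrorAllowPrivilegeEscalationTrue,
		ErrorAllowPrivilegeEscalationTrueAllowed); ok {
		codes = append(codes, c)
	}
	return codes
}

func boolPtr(b bool) *bool { return &b }

func main() {
	// Constructed sample: a container that sets nothing, the common case the Nil codes exist for.
	fmt.Println(AuditSecurityContext(SecurityContext{}, AllowOverrides{}))
	// Constructed sample: privileged mode explicitly allowed, escalation explicitly disabled.
	fmt.Println(AuditSecurityContext(
		SecurityContext{Privileged: boolPtr(true), AllowPrivilegeEscalation: boolPtr(false)},
		AllowOverrides{PrivilegedTrue: true}))
}
```

The point of treating nil as an error rather than as "not configured" is that a pod spec that omits allowPrivilegeEscalation gets the default of true from the kubelet, so silence in the manifest is not safety; the allow path keeps deliberate exceptions visible in the audit output instead of suppressing them.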
const (
    Error
    Warn
    Info
    Debug
)
Log levels
const Version = "0.1.0"
Version is the semantic version number for kubeaudit.
Variables ¶
var ErrNoReadableKubeConfig = errors.New("unable to open kubeconfig file")
ErrNoReadableKubeConfig represents any error that prevents the client from opening a kubeconfig file.
var KubeauditLogLevel = Info
KubeauditLogLevel is the default log level used by the logger. All log events at this level or a more severe one (with the default of Info: Info, Warn and Error) are logged; less severe events such as Debug are dropped.
var KubeauditLogLevels = map[string]int{"ERROR": Error, "WARN": Warn, "INFO": Info, "DEBUG": Debug}
KubeauditLogLevels represents an enum for the supported log levels.
var RootCmd = &cobra.Command{
Use: "kubeaudit",
Short: "A Kubernetes security auditor",
Long: `kubeaudit is a program that checks security settings on your Kubernetes clusters.
#patcheswelcome`,
}
RootCmd defines the shell command usage for kubeaudit.
Functions ¶
func Execute ¶
func Execute()
Execute is a wrapper for the RootCmd.Execute method which will exit the program if there is an error.
func FixTestSetup ¶ added in v0.3.0
func FixTestSetup(t *testing.T, file string, auditFunction func(k8sRuntime.Object) []Result) (*assert.Assertions, k8sRuntime.Object)
FixTestSetup allows kubeaudit to be used programmatically instead of via the shell. It is intended to be used for testing.
func IsSupportedResourceType ¶ added in v0.3.0
func IsSupportedResourceType(obj runtime.Object) bool
IsSupportedResourceType returns true if obj is a supported Kubernetes resource type.
func WriteToFile ¶ added in v0.3.0
func WriteToFile(decode k8sRuntime.Object, filename string, toAppend bool) error
WriteToFile serialises the incoming resource to filename, appending to the file when toAppend is true and overwriting it otherwise.
Types ¶
type CapSet ¶ added in v0.3.0
type CapSet map[Capability]bool
CapSet represents a set of capabilities.
func NewCapSetFromArray ¶ added in v0.3.0
func NewCapSetFromArray(array []Capability) (set CapSet)
NewCapSetFromArray converts an array of capabilities into a CapSet.
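CapSet exists so the capability audit can do set membership rather than scanning slices: the container's Drop list becomes a set, the allowed capabilities become a set, and the three capability error codes on this page fall out of comparing those sets against the list of capabilities that should be dropped. The following is an added example (not kubeaudit's own code) that reconstructs that logic from the documented semantics. It assumes a plain string type for Capability instead of the core/v1 alias, a constructed toBeDropped sample (the project's real list in capabilities.go is not reproduced), a minimal Occurrence with exported fields, that Drop: ["ALL"] satisfies every entry, and local error code values:

```go
package main

import "fmt"

// Capability and CapSet follow the aliases on this page; the real package
// aliases Capability to k8s.io/api/core/v1.Capability (assumption: a plain
// string type is used here so the example runs without the k8s modules).
type Capability string
type CapSet map[Capability]bool

// NewCapSetFromArray converts a slice of capabilities into a CapSet.
func NewCapSetFromArray(array []Capability) (set CapSet) {
	set = make(CapSet, len(array))
	for _, c := range array {
		set[c] = true
	}
	return set
}

// Capabilities mirrors the Add/Drop lists of core/v1.Capabilities.
type Capabilities struct {
	Add  []Capability
	Drop []Capability
}

// Local copies of the documented error codes (hypothetical values).
const (
	ErrorCapabilityAdded = iota + 1
	ErrorCapabilityAllowed
	ErrorCapabilityNotDropped
)

// Occurrence is a minimal stand-in for the package's struct, whose fields are unexported.
type Occurrence struct {
	Code       int
	Capability Capability
}

// toBeDropped is a constructed sample of capabilities the audit expects every
// container to drop; the real list lives in capabilities.go and is not reproduced here.
var toBeDropped = []Capability{"AUDIT_WRITE", "CHOWN", "NET_RAW", "SETUID", "SETGID", "SYS_CHROOT"}

// AuditCapabilities applies the three documented capability checks:
//   - ErrorCapabilityNotDropped: a toBeDropped capability is neither in Drop
//     nor covered by Drop: ["ALL"], and has not been allowed
//   - ErrorCapabilityAllowed: a toBeDropped capability is not dropped because
//     it was explicitly allowed (reported so the exception stays visible)
//   - ErrorCapabilityAdded: a capability in Add that has not been allowed
func AuditCapabilities(caps Capabilities, allowed []Capability) []Occurrence {
	dropped := NewCapSetFromArray(caps.Drop)
	allowSet := NewCapSetFromArray(allowed)
	var out []Occurrence
	for _, c := range toBeDropped {
		if dropped["ALL"] || dropped[c] {
			continue
		}
		if allowSet[c] {
			out = append(out, Occurrence{ErrorCapabilityAllowed, c})
		} else {
			out = append(out, Occurrence{ErrorCapabilityNotDropped, c})
		}
	}
	for _, c := range caps.Add {
		if !allowSet[c] {
			out = append(out, Occurrence{ErrorCapabilityAdded, c})
		}
	}
	return out
}

// CountByCode summarises occurrences per error code.
func CountByCode(occ []Occurrence) map[int]int {
	m := make(map[int]int)
	for _, o := range occ {
		m[o.Code]++
	}
	return m
}

func main() {
	// Constructed sample: drops CHOWN only, adds NET_ADMIN, with NET_RAW allowed by an override.
	caps := Capabilities{Add: []Capability{"NET_ADMIN"}, Drop: []Capability{"CHOWN"}}
	for _, o := range AuditCapabilities(caps, []Capability{"NET_RAW"}) {
		fmt.Printf("code=%d capability=%s\n", o.Code, o.Capability)
	}
}
```

A container that drops ALL and adds nothing produces no occurrences, which is the posture the audit is steering towards; NET_RAW is worth singling out in practice because it is in the default Docker capability set and is what makes ARP and DNS spoofing from a compromised pod possible.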
type Capabilities ¶ added in v0.3.0
type Capabilities = apiv1.Capabilities
Capabilities is a type alias for the v1 version of the k8s API.
type Capability ¶ added in v0.2.0
type Capability = apiv1.Capability
Capability is a type alias for the v1 version of the k8s API.
type CronJob ¶ added in v0.3.0
type CronJob = batchv1beta1.CronJob
CronJob is a type alias for the v1beta1 version of the k8s API.
type DaemonSet ¶ added in v0.2.0
type DaemonSet = extensionsv1beta1.DaemonSet
DaemonSet is a type alias for the v1beta1 version of the k8s API.
type DaemonSetList ¶ added in v0.2.0
type DaemonSetList = extensionsv1beta1.DaemonSetList
DaemonSetList is a type alias for the v1beta1 version of the k8s API.
type DebugHook ¶
type DebugHook struct{}
DebugHook is a log hook intended to be used for debug logging.
type DeploymentExtensionsV1Beta1 ¶ added in v0.3.0
type DeploymentExtensionsV1Beta1 = extensionsv1beta1.Deployment
DeploymentExtensionsV1Beta1 is a type alias for the v1beta1 version of the k8s API.
type DeploymentList ¶ added in v0.2.0
type DeploymentList = v1beta1.DeploymentList
DeploymentList is a type alias for the v1beta1 version of the k8s API.
type DeploymentV1Beta1 ¶ added in v0.3.0
type DeploymentV1Beta1 = v1beta1.Deployment
DeploymentV1Beta1 is a type alias for the v1beta1 version of the k8s API.
type DeploymentV1Beta2 ¶ added in v0.3.0
type DeploymentV1Beta2 = v1beta2.Deployment
DeploymentV1Beta2 is a type alias for the v1beta2 version of the k8s API.
type ListOptions ¶ added in v0.2.0
type ListOptions = metav1.ListOptions
ListOptions is a type alias for the v1 version of the k8s API.
type NamespaceList ¶ added in v0.2.0
type NamespaceList = apiv1.NamespaceList
NamespaceList is a type alias for the v1 version of the k8s API.
type NetworkPolicy ¶ added in v0.2.0
type NetworkPolicy = networking.NetworkPolicy
NetworkPolicy is a type alias for the v1 version of the k8s API.
type NetworkPolicyList ¶ added in v0.2.0
type NetworkPolicyList = networking.NetworkPolicyList
NetworkPolicyList is a type alias for the v1 version of the k8s API.
type ObjectMeta ¶ added in v0.3.0
type ObjectMeta = metav1.ObjectMeta
ObjectMeta is a type alias for the v1 version of the k8s API.
type Occurrence ¶ added in v0.2.0
type Occurrence struct {
// contains filtered or unexported fields
}
An Occurrence represents a potential security issue. There may be multiple Occurrences per resource and audit.
type ReplicationController ¶ added in v0.2.0
type ReplicationController = apiv1.ReplicationController
ReplicationController is a type alias for the v1 version of the k8s API.
type ReplicationControllerList ¶ added in v0.2.0
type ReplicationControllerList = apiv1.ReplicationControllerList
ReplicationControllerList is a type alias for the v1 version of the k8s API.
type Result ¶
type Result struct {
CPULimitActual string
CPULimitMax string
DSA string
Err int
ImageName string
ImageTag string
KubeType string
Labels map[string]string
MEMLimitActual string
MEMLimitMax string
Name string
Namespace string
Occurrences []Occurrence
SA string
Token *bool
}
Result stores information about a Kubernetes resource, including all audit results (Occurrences) related to that resource.
type SecurityContext ¶ added in v0.3.0
type SecurityContext = apiv1.SecurityContext
SecurityContext is a type alias for the v1 version of the k8s API.
type StatefulSet ¶ added in v0.2.0
type StatefulSet = v1beta1.StatefulSet
StatefulSet is a type alias for the v1beta1 version of the k8s API.
type StatefulSetList ¶ added in v0.2.0
type StatefulSetList = v1beta1.StatefulSetList
StatefulSetList is a type alias for the v1beta1 version of the k8s API.
Source Files ¶
- all.go
- allowPrivilegeEscalation.go
- allowPrivilegeEscalation_fixes.go
- autofix.go
- automountServiceAccountToken.go
- automountServiceAccountToken_fixes.go
- cap_set.go
- capabilities.go
- capabilities_fixes.go
- debugHook.go
- errors.go
- image.go
- k8sruntime_util.go
- kubernetes.go
- limits.go
- logLevel.go
- networkPolicies.go
- occurrence.go
- privileged.go
- privileged_fixes.go
- readOnlyRootFilesystem.go
- readOnlyRootFilesystem_fixes.go
- result.go
- root.go
- runAsNonRoot.go
- runAsNonRoot_fixes.go
- securitycontext_fixes.go
- test_util.go
- types.go
- util.go
- version.go