Constants

const (
	// ContainerAnnotationKeyPrefix is the prefix of the annotation key that selects an
	// AppArmor profile for a single container; the container name follows the prefix.
	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"

	// ProfileRuntimeDefault is the annotation value that selects the container runtime's
	// default AppArmor profile.
	ProfileRuntimeDefault = "runtime/default"
	// ProfileNamePrefix is the annotation value prefix for profiles already loaded on the node;
	// the profile name follows the prefix.
	ProfileNamePrefix = "localhost/"
)

As of Oct 1, 2018 these constants are not in the K8s API package; once they are, they should be replaced by the upstream definitions: https://github.com/kubernetes/kubernetes/blob/7f23a743e8c23ac6489340bbb34fa6f1d392db9d/pkg/security/apparmor/helpers.go#L25

const (

	// NOTE(review): the first constant of this block (presumably the `= iota` anchor, unexported
	// and filtered from the docs) is not shown, so each code's numeric value depends on declaration
	// order. Compare codes by name rather than by number, and do not persist the raw integers
	// across versions.
	// KubeauditInternalError is an internal error which cannot be fixed by the user.
	KubeauditInternalError
	// ErrorAllowPrivilegeEscalationNil occurs when AllowPrivilegeEscalation is not set, which allows privilege
	// escalation.
	ErrorAllowPrivilegeEscalationNil
	// ErrorAllowPrivilegeEscalationTrue occurs when AllowPrivilegeEscalation is set to true.
	ErrorAllowPrivilegeEscalationTrue
	// ErrorAllowPrivilegeEscalationTrueAllowed occurs when AllowPrivilegeEscalation is allowed to be set to true.
	ErrorAllowPrivilegeEscalationTrueAllowed
	// ErrorAutomountServiceAccountTokenNilAndNoName occurs when automountServiceAccountToken is not set and
	// serviceAccountName is blank.
	ErrorAutomountServiceAccountTokenNilAndNoName
	// ErrorAutomountServiceAccountTokenTrueAllowed occurs when automountServiceAccountToken is allowed to be set
	// to true.
	ErrorAutomountServiceAccountTokenTrueAllowed
	// ErrorAutomountServiceAccountTokenTrueAndNoName occurs when automountServiceAccountToken is set to true and
	// serviceAccountName is blank.
	ErrorAutomountServiceAccountTokenTrueAndNoName
	// ErrorCapabilityAdded occurs when a capability is added that is not allowed.
	ErrorCapabilityAdded
	// ErrorCapabilityAllowed occurs when a capability is allowed that is part of the toBeDropped list.
	ErrorCapabilityAllowed
	// ErrorCapabilityNotDropped occurs when a capability should be dropped but it isn't.
	ErrorCapabilityNotDropped
	// ErrorImageTagIncorrect occurs when an incorrect image tag is provided.
	ErrorImageTagIncorrect
	// ErrorImageTagMissing occurs when there is no image tag provided.
	ErrorImageTagMissing
	// ErrorMisconfiguredKubeauditAllow occurs when the option to allow a setting is set to true but the option
	// itself is set to false or nil.
	ErrorMisconfiguredKubeauditAllow
	// ErrorPrivilegedNil occurs when Privileged is not set.
	ErrorPrivilegedNil
	// ErrorPrivilegedTrue occurs when Privileged is set to true.
	ErrorPrivilegedTrue
	// ErrorPrivilegedTrueAllowed occurs when Privileged is allowed to be set to true.
	ErrorPrivilegedTrueAllowed
	// ErrorReadOnlyRootFilesystemFalse occurs when ReadOnlyRootFilesystem is set to false.
	ErrorReadOnlyRootFilesystemFalse
	// ErrorReadOnlyRootFilesystemFalseAllowed occurs when ReadOnlyRootFilesystem is allowed to be set to false.
	ErrorReadOnlyRootFilesystemFalseAllowed
	// ErrorReadOnlyRootFilesystemNil occurs when ReadOnlyRootFilesystem is set to nil.
	ErrorReadOnlyRootFilesystemNil
	// ErrorResourcesLimitsCPUExceeded occurs when the CPU limit is exceeded.
	ErrorResourcesLimitsCPUExceeded
	// ErrorResourcesLimitsCPUNil occurs when the CPU limit is not set.
	ErrorResourcesLimitsCPUNil
	// ErrorResourcesLimitsMemoryExceeded occurs when the memory limit is exceeded.
	ErrorResourcesLimitsMemoryExceeded
	// ErrorResourcesLimitsMemoryNil occurs when the memory limit is not set.
	ErrorResourcesLimitsMemoryNil
	// ErrorResourcesLimitsNil occurs when the resource limit is set to nil.
	ErrorResourcesLimitsNil
	// ErrorRunAsNonRootPSCTrueFalseCSCFalse occurs when RunAsNonRoot is set to false in the
	// ContainerSecurityContext and to true or false in the PodSecurityContext.
	ErrorRunAsNonRootPSCTrueFalseCSCFalse
	// ErrorRunAsNonRootPSCFalseCSCNil occurs when RunAsNonRoot is nil in the ContainerSecurityContext and
	// set to false in the PodSecurityContext.
	ErrorRunAsNonRootPSCFalseCSCNil
	// ErrorRunAsNonRootFalseAllowed occurs when RunAsNonRoot is allowed to be set to false.
	ErrorRunAsNonRootFalseAllowed
	// ErrorRunAsNonRootPSCNilCSCNil occurs when RunAsNonRoot is not set in either the PodSecurityContext or
	// the ContainerSecurityContext.
	ErrorRunAsNonRootPSCNilCSCNil
	// ErrorServiceAccountTokenDeprecated occurs when serviceAccount is used. ServiceAccount is a deprecated alias
	// for ServiceAccountName.
	ErrorServiceAccountTokenDeprecated
	// ErrorAppArmorDisabled occurs when the AppArmor annotation is set to a bad value.
	ErrorAppArmorDisabled
	// ErrorAppArmorAnnotationMissing occurs when there is no annotation enabling AppArmor on the pod.
	ErrorAppArmorAnnotationMissing
	// ErrorSeccompDisabledPod occurs when the Seccomp annotation is set to a bad value (the Pod suffix
	// suggests the pod-level annotation — confirm against the seccomp audit).
	ErrorSeccompDisabledPod
	// ErrorSeccompDisabled occurs when the Seccomp annotation is set to a bad value (presumably the
	// container-level counterpart of ErrorSeccompDisabledPod — confirm).
	ErrorSeccompDisabled
	// ErrorSeccompAnnotationMissing occurs when there is no annotation enabling Seccomp on the pod.
	ErrorSeccompAnnotationMissing
	// ErrorSeccompDeprecatedPod occurs when the Seccomp annotation is set to a deprecated value (pod-level
	// counterpart of ErrorSeccompDeprecated, by the same naming convention — confirm).
	ErrorSeccompDeprecatedPod
	// ErrorSeccompDeprecated occurs when the Seccomp annotation is set to a deprecated value.
	ErrorSeccompDeprecated
	// InfoImageCorrect occurs when an image tag is correct.
	InfoImageCorrect
	// ErrorMissingDefaultDenyIngressAndEgressNetworkPolicy occurs when a namespace is missing both a default deny
	// ingress and a default deny egress NetworkPolicy.
	ErrorMissingDefaultDenyIngressAndEgressNetworkPolicy
	// ErrorMissingDefaultDenyIngressAndEgressNetworkPolicyAllowed occurs when a namespace is missing both a default
	// deny ingress and a default deny egress NetworkPolicy but it's set to be allowed.
	ErrorMissingDefaultDenyIngressAndEgressNetworkPolicyAllowed
	// ErrorMissingDefaultDenyEgressNetworkPolicy occurs when a namespace is missing a default deny egress NetworkPolicy.
	ErrorMissingDefaultDenyEgressNetworkPolicy
	// ErrorMissingDefaultDenyEgressNetworkPolicyAllowed occurs when a namespace is missing a default deny egress
	// NetworkPolicy but it's allowed.
	ErrorMissingDefaultDenyEgressNetworkPolicyAllowed
	// ErrorMissingDefaultDenyIngressNetworkPolicy occurs when a namespace is missing a default deny ingress NetworkPolicy.
	ErrorMissingDefaultDenyIngressNetworkPolicy
	// ErrorMissingDefaultDenyIngressNetworkPolicyAllowed occurs when a namespace is missing a default deny ingress
	// NetworkPolicy but it's allowed.
	ErrorMissingDefaultDenyIngressNetworkPolicyAllowed
	// ErrorNamespaceHostIPCTrue occurs when hostIPC is set to true in the PodSpec.
	ErrorNamespaceHostIPCTrue
	// ErrorNamespaceHostIPCTrueAllowed occurs when hostIPC is set to true in the PodSpec but it's allowed.
	ErrorNamespaceHostIPCTrueAllowed
	// ErrorNamespaceHostNetworkTrue occurs when hostNetwork is set to true in the PodSpec.
	ErrorNamespaceHostNetworkTrue
	// ErrorNamespaceHostNetworkTrueAllowed occurs when hostNetwork is set to true in the PodSpec but it's allowed.
	ErrorNamespaceHostNetworkTrueAllowed
	// ErrorNamespaceHostPIDTrue occurs when hostPID is set to true in the PodSpec.
	ErrorNamespaceHostPIDTrue
	// ErrorNamespaceHostPIDTrueAllowed occurs when hostPID is set to true in the PodSpec but it's allowed.
	ErrorNamespaceHostPIDTrueAllowed
	// InfoDefaultDenyNetworkPolicyExists occurs when a namespace has a default deny NetworkPolicy.
	InfoDefaultDenyNetworkPolicyExists
	// WarningAllowAllIngressNetworkPolicyExists occurs when a namespace has an allow-all ingress NetworkPolicy.
	WarningAllowAllIngressNetworkPolicyExists
	// WarningAllowAllEgressNetworkPolicyExists occurs when a namespace has an allow-all egress NetworkPolicy.
	WarningAllowAllEgressNetworkPolicyExists
)

Error codes

// Log levels. Their numeric values are not shown here (presumably iota); KubeauditLogLevel
// holds the threshold the logger applies and KubeauditLogLevels maps user-facing names
// onto these values.
const (
	// Error is the level for audit failures and internal errors.
	Error
	// Warn is the level for findings that are not failures.
	Warn
	// Info is the level for informational findings and is the default threshold.
	Info
	// Debug is the most verbose level; note it has no entry in KubeauditLogLevels.
	Debug
)

Log levels

Variables

// Build metadata. The values below are placeholders that goreleaser or the makefile
// overrides at build time; a binary that still reports them was not produced by the
// release pipeline, which is useful when verifying provenance of a deployed copy.
var (
	// Version is the kubeaudit release version.
	Version   = "0.0.0"
	// Commit is the git commit the binary was built from.
	Commit    = "ffffffff"
	// BuildDate is the build timestamp; the placeholder is Go's RFC3339 reference layout string.
	BuildDate = "2006-01-02T15:04:05Z07:00"
)

Placeholder values will be overridden by goreleaser or makefile.

// ErrNoReadableKubeConfig represents any error that prevents the client from opening a
// kubeconfig file. It is a sentinel value; callers should match it with errors.Is.
var ErrNoReadableKubeConfig = errors.New("unable to open kubeconfig file")

ErrNoReadableKubeConfig represents any error that prevents the client from opening a kubeconfig file.

// KubeauditLogLevel is the default log level used by the logger; all log events at this
// level and above are logged.
var KubeauditLogLevel = Info

KubeauditLogLevel is the default log level to be used by the logger. All log events with this log level and above will be logged.

// KubeauditLogLevels maps the user-facing log level names to their values. Only ERROR,
// WARN and INFO are selectable here; Debug is declared as a level but has no entry.
var KubeauditLogLevels = map[string]int{"ERROR": Error, "WARN": Warn, "INFO": Info}

KubeauditLogLevels represents an enum for the supported log levels.

// RootCmd defines the shell command usage for kubeaudit. Execute runs it and exits the
// program on error.
var RootCmd = &cobra.Command{
	Use:   "kubeaudit",
	Short: "A Kubernetes security auditor",
	Long: `kubeaudit is a program that checks security settings on your Kubernetes clusters.
#patcheswelcome`,
}

RootCmd defines the shell command usage for kubeaudit.

Functions

func Execute

func Execute()

Execute is a wrapper for the RootCmd.Execute method which will exit the program if there is an error.

func IsNamespaceType added in v0.5.0

func IsNamespaceType(obj Resource) bool

IsNamespaceType returns true if obj is of NamespaceV1 type

func IsSupportedGroupVersionKind added in v0.5.0

func IsSupportedGroupVersionKind(obj Resource) bool

IsSupportedGroupVersionKind returns false if the resource is of a supported Kind but not of a supported GroupVersionKind.

func IsSupportedResourceType added in v0.3.0

func IsSupportedResourceType(obj Resource) bool

IsSupportedResourceType returns true if obj is a supported Kubernetes resource type

func WriteToFile added in v0.3.0

func WriteToFile(decode Resource, filename string) error

WriteToFile writes the incoming resource, appending it to the given file.

func WriteToTmpFile added in v0.4.0

func WriteToTmpFile(decode Resource) (string, error)

WriteToTmpFile writes a single resource to a temporary file and returns the file name; the caller is responsible for deleting the file afterwards.

Types

type CapSet added in v0.3.0

// CapSet represents a set of capabilities, keyed by capability name; presumably a true
// value marks membership (NewCapSetFromArray builds one from a slice).
type CapSet map[CapabilityV1]bool

CapSet represents a set of capabilities.

func NewCapSetFromArray added in v0.3.0

func NewCapSetFromArray(array []CapabilityV1) (set CapSet)

NewCapSetFromArray converts an array of capabilities into a CapSet.

type CapabilitiesV1 added in v0.4.0

// CapabilitiesV1 is a type alias for apiv1.Capabilities from the v1 k8s API.
type CapabilitiesV1 = apiv1.Capabilities

CapabilitiesV1 is a type alias for the v1 version of the k8s API.

type CapabilityV1 added in v0.4.0

// CapabilityV1 is a type alias for apiv1.Capability from the v1 k8s API.
type CapabilityV1 = apiv1.Capability

CapabilityV1 is a type alias for the v1 version of the k8s API.

type Client added in v0.4.0

// Client abstracts the kubernetes client-go API so it can be mocked in tests;
// K8sClient is the real implementation.
type Client interface {
	// InClusterConfig returns the REST configuration for running inside a cluster.
	InClusterConfig() (*rest.Config, error)
}

Client abstracts the API to allow testing.

type ContainerV1 added in v0.4.0

// ContainerV1 is a type alias for apiv1.Container from the v1 k8s API.
type ContainerV1 = apiv1.Container

ContainerV1 is a type alias for the v1 version of the k8s API.

type CronJobV1Beta1 added in v0.4.0

// CronJobV1Beta1 is a type alias for batchv1beta1.CronJob from the v1beta1 k8s batch API.
// batch/v1beta1 CronJob has since been removed from upstream Kubernetes (1.25).
type CronJobV1Beta1 = batchv1beta1.CronJob

CronJobV1Beta1 is a type alias for the v1beta1 version of the k8s batch API.

type DaemonSetListV1 added in v0.4.0

// DaemonSetListV1 is a type alias for appsv1.DaemonSetList from the v1 k8s apps API.
type DaemonSetListV1 = appsv1.DaemonSetList

DaemonSetListV1 is a type alias for the v1 version of the k8s apps API.

type DaemonSetV1 added in v0.4.0

// DaemonSetV1 is a type alias for appsv1.DaemonSet from the v1 k8s apps API.
type DaemonSetV1 = appsv1.DaemonSet

DaemonSetV1 is a type alias for the v1 version of the k8s apps API.

type DaemonSetV1Beta1 added in v0.4.0

// DaemonSetV1Beta1 is a type alias for extensionsv1beta1.DaemonSet from the v1beta1 k8s
// extensions API. extensions/v1beta1 has since been removed from upstream Kubernetes (1.16);
// presumably kept so older manifests can still be audited.
type DaemonSetV1Beta1 = extensionsv1beta1.DaemonSet

DaemonSetV1Beta1 is a type alias for the v1beta1 version of the k8s extensions API.

type DaemonSetV1Beta2 added in v0.5.1

// DaemonSetV1Beta2 is a type alias for appsv1beta2.DaemonSet from the v1beta2 k8s apps API.
// apps/v1beta2 has since been removed from upstream Kubernetes (1.16).
type DaemonSetV1Beta2 = appsv1beta2.DaemonSet

DaemonSetV1Beta2 is a type alias for the v1beta2 version of the k8s apps API.

type DeploymentExtensionsV1Beta1 added in v0.3.0

// DeploymentExtensionsV1Beta1 is a type alias for extensionsv1beta1.Deployment from the
// v1beta1 k8s extensions API. extensions/v1beta1 has since been removed from upstream
// Kubernetes (1.16).
type DeploymentExtensionsV1Beta1 = extensionsv1beta1.Deployment

DeploymentExtensionsV1Beta1 is a type alias for the v1beta1 version of the k8s extensions API.

type DeploymentListV1 added in v0.4.0

// DeploymentListV1 is a type alias for appsv1.DeploymentList from the v1 k8s apps API.
type DeploymentListV1 = appsv1.DeploymentList

DeploymentListV1 is a type alias for the v1 version of the k8s apps API.

type DeploymentV1 added in v0.4.0

// DeploymentV1 is a type alias for appsv1.Deployment from the v1 k8s apps API.
type DeploymentV1 = appsv1.Deployment

DeploymentV1 is a type alias for the v1 version of the k8s apps API.

type DeploymentV1Beta1 added in v0.3.0

// DeploymentV1Beta1 is a type alias for appsv1beta1.Deployment from the v1beta1 k8s apps API.
// apps/v1beta1 has since been removed from upstream Kubernetes (1.16).
type DeploymentV1Beta1 = appsv1beta1.Deployment

DeploymentV1Beta1 is a type alias for the v1beta1 version of the k8s apps API.

type DeploymentV1Beta2 added in v0.3.0

// DeploymentV1Beta2 is a type alias for appsv1beta2.Deployment from the v1beta2 k8s apps API.
// apps/v1beta2 has since been removed from upstream Kubernetes (1.16).
type DeploymentV1Beta2 = appsv1beta2.Deployment

DeploymentV1Beta2 is a type alias for the v1beta2 version of the k8s apps API.

type K8sClient added in v0.4.0

// K8sClient wraps kubernetes client-go so it can be mocked; it is the Client
// implementation used outside tests and carries no state.
type K8sClient struct{}

K8sClient wraps kubernetes client-go so it can be mocked.

func (K8sClient) InClusterConfig added in v0.4.0

func (kc K8sClient) InClusterConfig() (*rest.Config, error)

InClusterConfig wraps the client-go method with the same name.

type KubeauditConfig added in v0.5.2

// KubeauditConfig holds the configuration loaded from the file named by the `config` flag.
type KubeauditConfig struct {
	// APIVersion and Kind identify the config document format.
	APIVersion string               `yaml:"apiVersion"`
	Kind       string               `yaml:"kind"`
	// Spec carries the manifests, capabilities and overrides; nil when the file has no spec,
	// so callers must nil-check before dereferencing.
	Spec       *KubeauditConfigSpec `yaml:"spec"`
	// Audit — meaning not evident from this declaration; presumably toggles auditing. Confirm.
	Audit      bool                 `yaml:"audit"`
}

KubeauditConfig holds the kubeaudit configuration loaded from the `config` flag.

type KubeauditConfigCapabilities added in v0.5.2

// KubeauditConfigCapabilities contains the list of supported capabilities. Each field is keyed
// in YAML by the capability's upper-case Linux name and holds a string setting (presumably the
// same allow/deny style values as KubeauditConfigOverrides — confirm against the capabilities audit).
type KubeauditConfigCapabilities struct {
	NetAdmin       string `yaml:"NET_ADMIN"`
	SetPCAP        string `yaml:"SETPCAP"`
	MKNOD          string `yaml:"MKNOD"`
	AuditWrite     string `yaml:"AUDIT_WRITE"`
	Chown          string `yaml:"CHOWN"`
	NetRaw         string `yaml:"NET_RAW"`
	DacOverride    string `yaml:"DAC_OVERRIDE"`
	FOWNER         string `yaml:"FOWNER"`
	FSetID         string `yaml:"FSETID"`
	Kill           string `yaml:"KILL"`
	SetGID         string `yaml:"SETGID"`
	SetUID         string `yaml:"SETUID"`
	NetBindService string `yaml:"NET_BIND_SERVICE"`
	SYSChroot      string `yaml:"SYS_CHROOT"`
	SetFCAP        string `yaml:"SETFCAP"`
}

KubeauditConfigCapabilities contains the list of supported capabilities.

type KubeauditConfigManifest added in v0.5.2

// KubeauditConfigManifest names one manifest file to audit.
type KubeauditConfigManifest struct {
	// Path is the manifest location as written in the config file; whether it is resolved
	// relative to the config file or the working directory is not evident here — confirm.
	Path string `yaml:"path"`
}

KubeauditConfigManifest contains the path to the manifests to audit.

type KubeauditConfigOverrides added in v0.5.2

// KubeauditConfigOverrides contains the list of available overrides, one string setting per
// audit. Note the YAML keys are mostly lower-case but `namespace-host-PID` and
// `namespace-host-IPC` are mixed-case; YAML keys are case-sensitive, so a config author who
// writes them in lower case would silently get no override (worth confirming with the decoder).
type KubeauditConfigOverrides struct {
	PrivilegeEscalation                string `yaml:"privilege-escalation"`
	Privileged                         string `yaml:"privileged"`
	RunAsRoot                          string `yaml:"run-as-root"`
	AutomountServiceAccountToken       string `yaml:"automount-service-account-token"`
	ReadOnlyRootFilesystemFalse        string `yaml:"read-only-root-filesystem-false"`
	NonDefaultDenyIngressNetworkPolicy string `yaml:"non-default-deny-ingress-network-policy"`
	NonDefaultDenyEgressNetworkPolicy  string `yaml:"non-default-deny-egress-network-policy"`
	HostNetwork                        string `yaml:"namespace-host-network"`
	HostPID                            string `yaml:"namespace-host-PID"`
	HostIPC                            string `yaml:"namespace-host-IPC"`
}

KubeauditConfigOverrides contains the list of available overrides.

type KubeauditConfigSpec added in v0.5.2

// KubeauditConfigSpec is the spec section of a KubeauditConfig.
type KubeauditConfigSpec struct {
	// Manifest lists the manifest files to audit.
	Manifest     []*KubeauditConfigManifest   `yaml:"manifest"`
	// Capabilities and Overrides are nil when their sections are absent from the config file.
	Capabilities *KubeauditConfigCapabilities `yaml:"capabilities"`
	Overrides    *KubeauditConfigOverrides    `yaml:"overrides"`
}

KubeauditConfigSpec contains the config spec: manifests, capabilities and overrides.

type ListOptionsV1 added in v0.4.0

// ListOptionsV1 is a type alias for metav1.ListOptions from the v1 k8s meta API.
type ListOptionsV1 = metav1.ListOptions

ListOptionsV1 is a type alias for the v1 version of the k8s meta API.

type Metadata added in v0.3.0

// Metadata holds metadata for a potential security issue as free-form key/value pairs.
type Metadata = map[string]string

Metadata holds metadata for a potential security issue.

type NamespaceListV1 added in v0.4.0

// NamespaceListV1 is a type alias for apiv1.NamespaceList from the v1 k8s API.
type NamespaceListV1 = apiv1.NamespaceList

NamespaceListV1 is a type alias for the v1 version of the k8s API.

type NamespaceV1 added in v0.4.0

// NamespaceV1 is a type alias for apiv1.Namespace from the v1 k8s API.
type NamespaceV1 = apiv1.Namespace

NamespaceV1 is a type alias for the v1 version of the k8s API.

type NetworkPolicyListV1 added in v0.4.0

// NetworkPolicyListV1 is a type alias for networkingv1.NetworkPolicyList from the v1 k8s networking API.
type NetworkPolicyListV1 = networkingv1.NetworkPolicyList

NetworkPolicyListV1 is a type alias for the v1 version of the k8s networking API.

type NetworkPolicyV1 added in v0.4.0

// NetworkPolicyV1 is a type alias for networkingv1.NetworkPolicy from the v1 k8s networking API.
type NetworkPolicyV1 = networkingv1.NetworkPolicy

NetworkPolicyV1 is a type alias for the v1 version of the k8s networking API.

type ObjectMetaV1 added in v0.4.0

// ObjectMetaV1 is a type alias for metav1.ObjectMeta from the v1 k8s meta API.
type ObjectMetaV1 = metav1.ObjectMeta

ObjectMetaV1 is a type alias for the v1 version of the k8s API.

type Occurrence added in v0.2.0

// An Occurrence represents a potential security issue. There may be multiple Occurrences
// per resource and audit; they are collected in Result.Occurrences. Its fields are
// unexported, so callers outside this package construct and read them only through
// the package's own functions.
type Occurrence struct {
	// contains filtered or unexported fields
}

An Occurrence represents a potential security issue. There may be multiple Occurrences per resource and audit.

type PodListV1 added in v0.4.0

// PodListV1 is a type alias for apiv1.PodList from the v1 k8s API.
type PodListV1 = apiv1.PodList

PodListV1 is a type alias for the v1 version of the k8s API.

type PodSpecV1 added in v0.4.0

// PodSpecV1 is a type alias for apiv1.PodSpec from the v1 k8s API.
type PodSpecV1 = apiv1.PodSpec

PodSpecV1 is a type alias for the v1 version of the k8s API.

type PodV1 added in v0.4.0

// PodV1 is a type alias for apiv1.Pod from the v1 k8s API; NewPod builds a minimal one.
type PodV1 = apiv1.Pod

PodV1 is a type alias for the v1 version of the k8s API.

func NewPod added in v0.3.0

func NewPod() *PodV1

NewPod returns a simple Pod resource

type ReplicationControllerListV1 added in v0.4.0

// ReplicationControllerListV1 is a type alias for apiv1.ReplicationControllerList from the v1 k8s API.
type ReplicationControllerListV1 = apiv1.ReplicationControllerList

ReplicationControllerListV1 is a type alias for the v1 version of the k8s API.

type ReplicationControllerV1 added in v0.4.0

// ReplicationControllerV1 is a type alias for apiv1.ReplicationController from the v1 k8s API.
type ReplicationControllerV1 = apiv1.ReplicationController

ReplicationControllerV1 is a type alias for the v1 version of the k8s API.

type Resource added in v0.4.0

// Resource is the object type every audit operates on. Note this is a defined type, not an
// alias (no `=`): it shares k8sRuntime.Object's underlying interface, so any runtime.Object
// value satisfies it, but the two are distinct types to the compiler.
type Resource k8sRuntime.Object

Resource is a named interface type with the same underlying type as runtime.Object; any runtime.Object value satisfies it.

func FixTestSetup added in v0.3.0

func FixTestSetup(t *testing.T, file string, auditFunction func(Resource) []Result) (*assert.Assertions, Resource)

FixTestSetup allows kubeaudit to be used programmatically instead of via the shell. It is intended to be used for testing.

func FixTestSetupMultipleResources added in v0.5.0

func FixTestSetupMultipleResources(t *testing.T, file string, auditFunction func(Resource) []Result) (*assert.Assertions, []Resource)

FixTestSetupMultipleResources allows kubeaudit to be used programmatically instead of via the shell for multiple Resources. It is intended to be used for testing.

func NewUnsupportedResource added in v0.5.0

func NewUnsupportedResource() Resource

NewUnsupportedResource returns a fake unsupported resource for testing purposes

type Result

// Result stores information about a Kubernetes resource, including all audit results
// (Occurrences) related to that resource. Print logs the Occurrences at their respective
// log levels.
type Result struct {
	// CPULimitActual and CPULimitMax are the observed and maximum-allowed CPU limits
	// (presumably filled by the resource-limits audit — confirm).
	CPULimitActual string
	CPULimitMax    string
	// DSA: purpose not evident from this declaration; confirm against the audits that set it.
	DSA            string
	// Err is the result's error code, presumably one of the error-code constants in this package.
	Err            int
	// ImageName and ImageTag identify the container image (presumably for the image-tag audit).
	ImageName      string
	ImageTag       string
	// KubeType is the kind of the audited Kubernetes resource.
	KubeType       string
	// Labels holds the resource's labels.
	Labels         map[string]string
	// MEMLimitActual and MEMLimitMax are the observed and maximum-allowed memory limits.
	MEMLimitActual string
	MEMLimitMax    string
	// Name and Namespace identify the audited resource.
	Name           string
	Namespace      string
	// Occurrences are the individual findings recorded for this resource.
	Occurrences    []Occurrence
	// SA is presumably the service account name and Token the automountServiceAccountToken
	// setting, nil when unset — confirm against the service-account audit.
	SA             string
	Token          *bool
}

Result stores information about a Kubernetes resource, including all audit results (Occurrences) related to that resource.

func (Result) Print added in v0.2.0

func (res Result) Print()

Print logs all audit results to their respective log levels.

type SecurityContextV1 added in v0.4.0

// SecurityContextV1 is a type alias for apiv1.SecurityContext from the v1 k8s API.
type SecurityContextV1 = apiv1.SecurityContext

SecurityContextV1 is a type alias for the v1 version of the k8s API.

type StatefulSetListV1 added in v0.4.0

// StatefulSetListV1 is a type alias for appsv1.StatefulSetList from the v1 k8s apps API.
type StatefulSetListV1 = appsv1.StatefulSetList

StatefulSetListV1 is a type alias for the v1 version of the k8s apps API.

type StatefulSetV1 added in v0.4.0

// StatefulSetV1 is a type alias for appsv1.StatefulSet from the v1 k8s apps API.
type StatefulSetV1 = appsv1.StatefulSet

StatefulSetV1 is a type alias for the v1 version of the k8s apps API.

type StatefulSetV1Beta1 added in v0.4.0

// StatefulSetV1Beta1 is a type alias for appsv1beta1.StatefulSet from the v1beta1 k8s apps API.
// apps/v1beta1 has since been removed from upstream Kubernetes (1.16).
type StatefulSetV1Beta1 = appsv1beta1.StatefulSet

StatefulSetV1Beta1 is a type alias for the v1beta1 version of the k8s apps API.

type UnsupportedType added in v0.5.0

// UnsupportedType is a type alias for apiv1.Binding from the v1 k8s API. It stands in for a
// resource kind kubeaudit does not audit and is meant for testing (see NewUnsupportedResource).
type UnsupportedType = apiv1.Binding

UnsupportedType is a type alias for the v1 version of the k8s API (apiv1.Binding); it is meant for testing.
