kubelinter

package
v1.43.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 18, 2025 License: Apache-2.0 Imports: 93 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var DanglingResourcesBundle = map[string]LinterRule{
	"dangling-service":                 DanglingService,
	"dangling-networkpolicy":           DanglingNetworkPolicy,
	"dangling-horizontalpodautoscaler": DanglingHPA,
	"dangling-ingress":                 DanglingIngress,
}
View Source 
var GoodPracticesBundle = map[string]LinterRule{
	"sa-token-automount":               TokenAutomount,
	"exposed-services":                 ExposedService,
	"deprecated-service-account-field": DeprecatedServiceAccountField,
	"latest-tag":                       LatestTag,
	"mismatching-selector":             MismatchingSelector,
	"no-anti-affinity":                 NoAntiAffinity,
	"no-liveness-probe":                NoLivenessProbe,
	"no-readiness-probe":               NoReadinessProbe,
	"no-rolling-update-strategy":       NoRollingUpdateStrategy,
	"unset-memory-requirements":        UnsetMempryRequirements,
	"use-namespace":                    UseNamespace,
	"default-service-account":          DefaultServiceAccount,
	"has-security-context":             HasSecurityContext,
	"read-secret-from-env-var":         ReadSecretFromEnvVar,
	"env-var-secret":                   EnvVarSecret,
	"network-policy-per-namespace":     NetworkPolicyPerNamespace,
}
View Source 
var HostIsolationBundle = map[string]LinterRule{
	"drop-net-raw-capability":        DropNetRawCapability,
	"host-ipc":                       HostIPC,
	"host-network":                   HostNetwork,
	"host-pid":                       HostPID,
	"privilege-escalation-container": PrivilegeEsxalationContainer,
	"privileged-container":           PrivilegedContainer,
	"run-as-non-root":                RunAsNonRoot,
	"unsafe-sysctls":                 UnsafeSysctls,
	"additional-capabilities":        AdditionalCapabilities,
	"no-read-only-root-fs":           NoReadOnlyRootFS,
	"privileged-ports":               PrivilegedProts,
}
View Source 
var LinterRuleMap = map[string]LinterRule{
	"dangling-service":                 DanglingService,
	"deprecated-service-account-field": DeprecatedServiceAccountField,
	"docker-sock":                      DockerSock,
	"drop-net-raw-capability":          DropNetRawCapability,
	"env-var-secret":                   EnvVarSecret,
	"exposed-services":                 ExposedService,
	"host-ipc":                         HostIPC,
	"host-network":                     HostNetwork,
	"host-pid":                         HostPID,
	"invalid-target-ports":             InvalidTargetPorta,
	"latest-tag":                       LatestTag,
	"mismatching-selector":             MismatchingSelector,
	"no-anti-affinity":                 NoAntiAffinity,
	"no-liveness-probe":                NoLivenessProbe,
	"no-read-only-root-fs":             NoReadOnlyRootFS,
	"no-readiness-probe":               NoReadinessProbe,
	"no-rolling-update-strategy":       NoRollingUpdateStrategy,
	"privilege-escalation-container":   PrivilegeEsxalationContainer,
	"privileged-container":             PrivilegedContainer,
	"privileged-ports":                 PrivilegedProts,
	"run-as-non-root":                  RunAsNonRoot,
	"sensitive-host-mounts":            SensitiveHostMounts,
	"ssh-port":                         SSHPort,
	"unsafe-proc-mount":                UnsafeProcMount,
	"unsafe-sysctls":                   UnsafeSysctls,
	"unset-memory-requirements":        UnsetMempryRequirements,
	"use-namespace":                    UseNamespace,
	"writable-host-mount":              WritableHostMount,
	"cluster-admin-role-binding":       ClusterAdminRoleBinding,
	"access-to-secrets":                AccessToSecrets,
	"wildcard-in-rules":                WildcardInRules,
	"access-to-create-pods":            AccessToCreatePods,
	"default-service-account":          DefaultServiceAccount,
	"sa-token-automount":               TokenAutomount,
	"read-secret-from-env-var":         ReadSecretFromEnvVar,
	"has-security-context":             HasSecurityContext,
	"dangling-networkpolicy":           DanglingNetworkPolicy,
	"dangling-horizontalpodautoscaler": DanglingHPA,
	"dangling-ingress":                 DanglingIngress,
	"network-policy-per-namespace":     NetworkPolicyPerNamespace,
	"containerd-sock":                  ContainerdSock,
	"additional-capabilities":          AdditionalCapabilities,
	"system-masters":                   SystemMasters,
	"system-anonymous":                 SystemAnonymous,
	"system-authenticated":             SystemAuthenticated,
	"system-unauthenticated":           SystemUnauthenticated,
	"privesc-verbs":                    PrivescVerbs,
}
View Source 
var MountPointsBundle = map[string]LinterRule{
	"docker-sock":           DockerSock,
	"containerd-sock":       ContainerdSock,
	"writable-host-mount":   WritableHostMount,
	"unsafe-proc-mount":     UnsafeProcMount,
	"sensitive-host-mounts": SensitiveHostMounts,
}
View Source 
var PortsBundle = map[string]LinterRule{
	"invalid-target-ports": InvalidTargetPorta,
	"ssh-port":             SSHPort,
}
View Source 
var RBACBundle = map[string]LinterRule{
	"cluster-admin-role-binding": ClusterAdminRoleBinding,
	"access-to-secrets":          AccessToSecrets,
	"wildcard-in-rules":          WildcardInRules,
	"access-to-create-pods":      AccessToCreatePods,
}

Functions

This section is empty.

Types

type Config 

type Config struct {
	Enabled      bool          `json:"enabled"`
	ScanInterval time.Duration `validate:"required" json:"scanInterval"`
	InitDelay    time.Duration `json:"initDelay"`
}

type Controller 

type Controller struct {
	// contains filtered or unexported fields
}

func NewController 

func NewController(log *logging.Logger, cfg Config, linter *Linter, castaiClient castaiClient) *Controller

func (*Controller) OnAdd 

func (c *Controller) OnAdd(obj kube.Object)

func (*Controller) OnDelete 

func (c *Controller) OnDelete(obj kube.Object)

func (*Controller) OnUpdate 

func (c *Controller) OnUpdate(obj kube.Object)

func (*Controller) RequiredTypes 

func (c *Controller) RequiredTypes() []reflect.Type

func (*Controller) Run 

func (c *Controller) Run(ctx context.Context) error

type Linter 

type Linter struct {
	// contains filtered or unexported fields
}

func New 

func New(checks []string) (*Linter, error)

func (*Linter) Run 

func (l *Linter) Run(objects []lintcontext.Object) ([]LinterCheck, error)

func (*Linter) RunWithRules 

func (l *Linter) RunWithRules(objects []lintcontext.Object, rules []string) ([]LinterCheck, error)

type LinterCheck 

type LinterCheck struct {
	ResourceID string         `json:"resourceID"`
	Passed     *LinterRuleSet `json:"passed"`
	Failed     *LinterRuleSet `json:"failed"`
}

type LinterRule 

type LinterRule int
const (
	DanglingService LinterRule = 1 << iota
	DeprecatedServiceAccountField
	DockerSock
	DropNetRawCapability
	EnvVarSecret
	ExposedService
	HostIPC
	HostNetwork
	HostPID
	InvalidTargetPorta
	LatestTag
	MismatchingSelector
	NoAntiAffinity
	NoLivenessProbe
	NoReadOnlyRootFS
	NoReadinessProbe
	NoRollingUpdateStrategy
	PrivilegeEsxalationContainer
	PrivilegedContainer
	PrivilegedProts
	RunAsNonRoot
	SensitiveHostMounts
	SSHPort
	UnsafeProcMount
	UnsafeSysctls
	UnsetMempryRequirements
	UseNamespace
	WritableHostMount
	ClusterAdminRoleBinding
	AccessToSecrets
	DefaultServiceAccount
	WildcardInRules
	AccessToCreatePods
	TokenAutomount
	ReadSecretFromEnvVar
	HasSecurityContext
	DanglingNetworkPolicy
	DanglingHPA
	DanglingIngress
	NetworkPolicyPerNamespace
	ContainerdSock
	AdditionalCapabilities
	SystemMasters
	SystemAnonymous
	SystemAuthenticated
	SystemUnauthenticated
	PrivescVerbs
)

type LinterRuleSet 

type LinterRuleSet LinterRule

func (*LinterRuleSet) Add 

func (s *LinterRuleSet) Add(i LinterRule)

func (*LinterRuleSet) Has 

func (s *LinterRuleSet) Has(i LinterRule) bool

func (*LinterRuleSet) Rules 

func (s *LinterRuleSet) Rules() []string

type ObjectMeta 

type ObjectMeta struct {
	Namespace string `json:"namespace"`
	Name      string `json:"name"`
}

type ObjectType 

type ObjectType struct {
	APIVersion string `json:"APIVersion"`
	Kind       string `json:"kind"`
}

type Resource 

type Resource struct {
	ObjectMeta ObjectMeta
	ObjectType ObjectType
}

func (Resource) ObjectKey 

func (r Resource) ObjectKey() string

Source Files

View all Source files

Directories

Path Synopsis
customchecks
additionalcapabilities
automount
bindings
containerdsock
networkpolicypernamespace
privescverbs
securitycontext

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.