Directories
| Path | Synopsis |
|---|---|
|  | Package admission implements the Fleetsweeper ValidatingAdmissionWebhook. |
|  | Package cohort partitions a fleet into groups of clusters that look like each other. |
|  | Package compare produces a structured diff between two Fleetsweeper reports: what changed in the Fleet Score, which findings are new, which resolved, which persisted, and how cluster statuses moved. |
|  | Package controller reconciles ClusterScan custom resources by triggering scans on the configured cadence and writing the outcome back to the resource status. |
|  | Package cost correlates Fleetsweeper findings and per-cluster scores with a user-provided cost CSV. |
|  | Package diagnose runs an end-to-end sanity check across every Fleetsweeper integration. |
|  | Package explain provides operator-facing explanations for Fleetsweeper findings and scanners. |
|  | Package fleetdrift converts Fleetsweeper reports into FleetDriftReport Kubernetes custom resources, one per scanned cluster, and writes them to a local directory as YAML files. |
|  | Package integration contains integration tests that create real Kubernetes clusters using kind. |
|  | Package kube wraps client-go and provides Fleetsweeper's connection helpers for multi-cluster scans, including QPS/burst tuning, a user agent for apiserver audit trails, and concurrent ConnectAll fan-out. |
|  | Package leader provides a thin Kubernetes Lease-based leader election wrapper. |
|  | Package logutil ties a structured zap logger to a context.Context so handlers thread the same logger without explicit arguments. |
|  | Package policyreport converts Fleetsweeper findings into PolicyReport CRs using the wgpolicyk8s.io/v1alpha2 schema, the CNCF-standard format consumed by Kyverno, Trivy Operator, Falco Sidekick, and the Policy Reporter UI. |
|  | Package remediate turns a Fleetsweeper finding with an inline YAML remediation into a pull request against a GitOps repository. |
| admission | Package admission audits MutatingWebhookConfigurations and ValidatingWebhookConfigurations for two failure modes that silently break clusters: webhooks whose backing service has zero healthy endpoints, and webhooks whose caBundle is expiring soon. |
| certs | Package certs scans TLS Secrets, Ingress TLS references, and admission webhook caBundles for upcoming expiry. |
| clusterinfo | Package clusterinfo collects node OS, kernel, container runtime, kubelet and kube-proxy versions and reports drift within a single cluster. |
| crd | Package crd enumerates the CustomResourceDefinitions installed on a cluster and surfaces per-cluster CRD divergence as a scanner result. |
| deprecatedapis | Package deprecatedapis identifies in-use API versions that Kubernetes has deprecated or removed. |
| events | Package events scans the apiserver's recent Event stream and aggregates per-namespace warning counts, surfacing clusters whose signal-to-noise has degraded. |
| geo | Package geo locates clusters on Earth from node region/zone labels. |
| imageaudit | Package imageaudit reports image hygiene across the fleet: digest pinning, latest-tag usage, distinct image counts, and optional registry probes for age and signature checks. |
| policyreportingest | Package policyreportingest reads wgpolicyk8s.io PolicyReport and ClusterPolicyReport custom resources written by other tools (Kyverno, Gatekeeper, Trivy, kube-bench) and aggregates their fail/warn results per cluster. |
| quota | Package quota inspects ResourceQuota and LimitRange coverage across namespaces. |
| rbac | Package rbac scans the cluster's RBAC graph (ClusterRoles, RoleBindings, ServiceAccounts) and flags wildcard permissions and over-broad bindings. |
| security | Package security audits security-affecting workload configuration: PodSecurityStandards labels, default-deny NetworkPolicy presence, and similar fleet-wide hardening signals. |
| version | Package version reports the Kubernetes server version from each cluster and detects fleet-wide skew. |
| vulnerabilities | Package vulnerabilities reads aquasecurity.github.io/v1alpha1 VulnerabilityReport custom resources produced by the Trivy Operator and aggregates their severity counts into a per-cluster baseline. |
| workloadcoverage | Package workloadcoverage reports on PDB and HPA coverage of replicated workloads. |
|  | Package seal provides HMAC-SHA256 sealing for scan reports. |
|  | Package tracing wires up an OpenTelemetry tracer provider configured by the standard OTEL_EXPORTER_OTLP_ENDPOINT environment variable. |
|  | Package webhooks loads a YAML config of outbound HTTP subscribers and dispatches matching findings to each one after every scan. |