package k8s

v1.8.0 Latest
Published: Dec 16, 2025 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Overview

Package k8s provides datagatherers for different parts of the Kubernetes API.

Index

Constants

This section is empty.

Variables

View Source
var ErrCacheSyncTimeout = fmt.Errorf("timed out waiting for Kubernetes cache to sync")
View Source
var RedactFields = []FieldPath{
	{"metadata", "managedFields"},
	{"metadata", "annotations", "kubectl.kubernetes.io/last-applied-configuration"},
}

RedactFields are removed from all objects

View Source
var RouteSelectedFields = []FieldPath{
	{"kind"},
	{"apiVersion"},
	{"metadata", "annotations"},
	{"metadata", "name"},
	{"metadata", "namespace"},
	{"metadata", "ownerReferences"},
	{"metadata", "selfLink"},
	{"metadata", "uid"},
	{"metadata", "creationTimestamp"},
	{"metadata", "deletionTimestamp"},
	{"metadata", "resourceVersion"},

	{"spec", "host"},
	{"spec", "to", "kind"},
	{"spec", "to", "name"},
	{"spec", "to", "weight"},
	{"spec", "tls", "termination"},
	{"spec", "tls", "certificate"},
	{"spec", "tls", "caCertificate"},
	{"spec", "tls", "destinationCACertificate"},
	{"spec", "tls", "insecureEdgeTerminationPolicy"},
	{"spec", "wildcardPolicy"},
	{"status"},
}

RouteSelectedFields is the list of fields sent from OpenShift Route objects to the backend. Route objects are allow-listed rather than collected whole because `spec.tls.key` may contain a TLS private key; that field is deliberately absent from the list, while the certificate fields (`certificate`, `caCertificate`, `destinationCACertificate`) are kept.

TODO(wallrj): Find out if the `.tls.key` field is the only one that may contain sensitive data and if so, that field could be redacted instead of selecting everything else, for consistency with Ingress or any of the other resources that are collected. Or alternatively add a comment to explain why for Route, the set of fields is allow-listed while for Ingress, all fields are collected. https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/network_apis/route-route-openshift-io-v1#spec-tls-3

View Source
var SecretSelectedFields = []FieldPath{
	{"kind"},
	{"apiVersion"},
	{"metadata", "annotations"},
	{"metadata", "labels"},
	{"metadata", "name"},
	{"metadata", "namespace"},
	{"metadata", "ownerReferences"},
	{"metadata", "selfLink"},
	{"metadata", "uid"},
	{"metadata", "creationTimestamp"},
	{"metadata", "deletionTimestamp"},
	{"metadata", "resourceVersion"},
	{"immutable"},
	{"type"},
	{"data", "tls.crt"},
	{"data", "ca.crt"},
	{"data", "conjur-map"},
}

SecretSelectedFields is the list of fields sent from Secret objects to the backend. The `data` map is not collected as a whole, to prevent private keys or other sensitive data being collected. Only the following non-sensitive keys are retained: tls.crt, ca.crt. These keys are assumed to always contain public TLS certificates; `tls.key` is never selected. The `conjur-map` key is also retained, as it is used to map Secrets to Conjur variables, and is not considered sensitive. See https://docs.cyberark.com/conjur-open-source/latest/en/content/integrations/k8s-ocp/cjr-secrets-provider-lp.htm

Functions

func NewClientSet added in v0.1.37

func NewClientSet(kubeconfigPath string) (kubernetes.Interface, error)

NewClientSet creates a new kubernetes clientset using the provided kubeconfig. If kubeconfigPath is not set/empty, it will attempt to load configuration using the default loading rules.

func NewDiscoveryClient added in v0.1.17

func NewDiscoveryClient(kubeconfigPath string) (*discovery.DiscoveryClient, error)

NewDiscoveryClient creates a new 'discovery' client using the provided kubeconfig. If kubeconfigPath is not set/empty, it will attempt to load configuration using the default loading rules.

func NewDynamicClient

func NewDynamicClient(kubeconfigPath string) (dynamic.Interface, error)

NewDynamicClient creates a new 'dynamic' clientset using the provided kubeconfig. If kubeconfigPath is not set/empty, it will attempt to load configuration using the default loading rules.

func Redact added in v0.1.23

func Redact(fields []FieldPath, resource *unstructured.Unstructured)

Redact removes the supplied fields from the resource

func RemoveTypedKeys added in v1.3.0

func RemoveTypedKeys(excludeAnnotKeys []*regexp.Regexp, m map[string]string)

Meant for typed clientset objects, whose labels and annotations are plain map[string]string values. Removes from m every key that matches any of the excludeAnnotKeys regular expressions; the map is modified in place.

func RemoveUnstructuredKeys added in v1.3.0

func RemoveUnstructuredKeys(excludeKeys []*regexp.Regexp, obj *unstructured.Unstructured, path ...string)

Meant for unstructured clientset objects. Removes the keys from the field given as input. For example, let's say we have the following object:

{
  "metadata": {
    "annotations": {
      "key1": "value1",
      "key2": "value2"
    }
  }
}

Then, the following call:

RemoveUnstructuredKeys([]*regexp.Regexp{regexp.MustCompile("^key1$")}, obj, "metadata", "annotations")

Will result in:

{
  "metadata": {
    "annotations": {"key2": "value2"}
  }
}

If the given path doesn't exist or leads to a non-map object, nothing happens. The leaf object must either be a map[string]interface{} (that's what's returned by the unstructured clientset) or a map[string]string (that's what's returned by the typed clientset).
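The following stand-alone re-implementation of the documented RemoveUnstructuredKeys behaviour is an added example, not the package's own code. It works on a plain map[string]any (the shape underneath unstructured.Unstructured) so that it runs without the k8s.io dependencies, and it exercises all four documented cases: a map[string]any leaf, a map[string]string leaf, a leaf that is not a map, and a path that does not exist. The sample object, the `internal.example.com/` prefix and the names RemoveKeys, StripNoisyKeys and SampleObject are constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// RemoveKeys walks obj along path and, if the leaf is a map, deletes every
// key matched by any of excludeKeys. A missing path, a path that runs
// through a non-map value, or a non-map leaf is a no-op.
func RemoveKeys(excludeKeys []*regexp.Regexp, obj map[string]any, path ...string) {
	var cur any = obj
	for _, k := range path {
		m, ok := cur.(map[string]any)
		if !ok {
			return // path runs through a non-map value
		}
		if cur, ok = m[k]; !ok {
			return // path does not exist
		}
	}
	switch leaf := cur.(type) {
	case map[string]any: // shape produced by the dynamic (unstructured) client
		for k := range leaf {
			if matchesAny(excludeKeys, k) {
				delete(leaf, k) // deleting during range is safe in Go
			}
		}
	case map[string]string: // shape produced by the typed clientset
		for k := range leaf {
			if matchesAny(excludeKeys, k) {
				delete(leaf, k)
			}
		}
	}
}

func matchesAny(res []*regexp.Regexp, key string) bool {
	for _, re := range res {
		if re.MatchString(key) {
			return true
		}
	}
	return false
}

// excludeKeys: kubectl bookkeeping plus a constructed private annotation prefix.
var excludeKeys = []*regexp.Regexp{
	regexp.MustCompile(`^kubectl\.kubernetes\.io/`),
	regexp.MustCompile(`^internal\.example\.com/`),
}

// SampleObject is a constructed object with both map shapes under metadata.
func SampleObject() map[string]any {
	return map[string]any{
		"metadata": map[string]any{
			"name": "web",
			"annotations": map[string]any{
				"kubectl.kubernetes.io/last-applied-configuration": `{"kind":"Deployment"}`,
				"internal.example.com/ticket":                      "SEC-1234",
				"app.kubernetes.io/name":                           "web",
			},
			"labels": map[string]string{
				"internal.example.com/owner": "platform",
				"app":                        "web",
			},
		},
	}
}

// StripNoisyKeys applies the exclusions to every place they could matter.
func StripNoisyKeys(obj map[string]any) {
	RemoveKeys(excludeKeys, obj, "metadata", "annotations") // map[string]any leaf
	RemoveKeys(excludeKeys, obj, "metadata", "labels")      // map[string]string leaf
	RemoveKeys(excludeKeys, obj, "metadata", "name")        // string leaf: no-op
	RemoveKeys(excludeKeys, obj, "status", "conditions")    // missing path: no-op
}

// SortedKeys lists the keys of either map shape for stable output.
func SortedKeys(m any) []string {
	var keys []string
	switch mm := m.(type) {
	case map[string]any:
		for k := range mm {
			keys = append(keys, k)
		}
	case map[string]string:
		for k := range mm {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys
}

func main() {
	obj := SampleObject()
	StripNoisyKeys(obj)
	meta := obj["metadata"].(map[string]any)
	fmt.Println("annotations:", SortedKeys(meta["annotations"]))
	fmt.Println("labels:     ", SortedKeys(meta["labels"]))
	fmt.Println("name:       ", meta["name"])
}
```

Anchoring the regular expressions with `^` matters: an unanchored `kubectl.kubernetes.io/` would also match keys that merely contain that substring, and a pattern intended to drop a private prefix should never be broad enough to drop the keys a downstream consumer relies on.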

func Select added in v0.1.23

func Select(fields []FieldPath, resource *unstructured.Unstructured) error

Select removes all but the supplied fields from the resource
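As an added illustration of how Redact and Select combine (a stand-alone re-implementation over map[string]any, not the package's own code), the block below contrasts the Ingress-style path documented above, where every field is collected and only RedactFields is applied, with the Secret path, where SecretSelectedFields is applied first and RedactFields afterwards. Only the second path drops `data.tls.key`. The Secret object, its placeholder values and the names SanitizeGeneric and SanitizeSecret are constructed for this example; the allow-list is the subset of SecretSelectedFields relevant to the sample object.

```go
package main

import "fmt"

// FieldPath mirrors the package's FieldPath type: one map key per element.
type FieldPath []string

// Deny-list applied to every collected object (as listed in the package docs).
var RedactFields = []FieldPath{
	{"metadata", "managedFields"},
	{"metadata", "annotations", "kubectl.kubernetes.io/last-applied-configuration"},
}

// Allow-list for Secrets: the subset of SecretSelectedFields this sample uses.
var SecretSelectedFields = []FieldPath{
	{"kind"}, {"apiVersion"}, {"type"},
	{"metadata", "name"}, {"metadata", "namespace"}, {"metadata", "annotations"},
	{"data", "tls.crt"}, {"data", "ca.crt"},
}

// Redact deletes each path from obj in place; paths that do not exist are ignored.
func Redact(fields []FieldPath, obj map[string]any) {
	for _, p := range fields {
		m := obj
		for _, k := range p[:len(p)-1] {
			next, ok := m[k].(map[string]any)
			if !ok {
				m = nil
				break
			}
			m = next
		}
		if m != nil {
			delete(m, p[len(p)-1])
		}
	}
}

// Select keeps only the listed paths, in place; everything else is dropped.
func Select(fields []FieldPath, obj map[string]any) {
	kept := map[string]any{}
	for _, p := range fields {
		if v, ok := getPath(obj, p); ok {
			setPath(kept, p, v)
		}
	}
	for k := range obj {
		delete(obj, k)
	}
	for k, v := range kept {
		obj[k] = v
	}
}

func getPath(obj map[string]any, p FieldPath) (any, bool) {
	var cur any = obj
	for _, k := range p {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil, false
		}
		if cur, ok = m[k]; !ok {
			return nil, false
		}
	}
	return cur, true
}

func setPath(obj map[string]any, p FieldPath, v any) {
	m := obj
	for _, k := range p[:len(p)-1] {
		next, ok := m[k].(map[string]any)
		if !ok {
			next = map[string]any{}
			m[k] = next
		}
		m = next
	}
	m[p[len(p)-1]] = v
}

// SampleTLSSecret is a constructed kubernetes.io/tls Secret; the data values
// are placeholders, not real certificates or keys.
func SampleTLSSecret() map[string]any {
	return map[string]any{
		"kind": "Secret", "apiVersion": "v1", "type": "kubernetes.io/tls",
		"metadata": map[string]any{
			"name": "web-tls", "namespace": "default",
			"managedFields": []any{map[string]any{"manager": "kubectl"}},
			"annotations": map[string]any{
				"kubectl.kubernetes.io/last-applied-configuration": `{"kind":"Secret"}`,
				"owner": "platform-team",
			},
		},
		"data": map[string]any{
			"tls.crt": "PLACEHOLDER-CERT",
			"tls.key": "PLACEHOLDER-PRIVATE-KEY",
		},
	}
}

// SanitizeGeneric is the Ingress-style path: collect everything, deny-list only.
func SanitizeGeneric(obj map[string]any) map[string]any {
	Redact(RedactFields, obj)
	return obj
}

// SanitizeSecret is the Secret path: allow-list first, then the deny-list.
func SanitizeSecret(obj map[string]any) map[string]any {
	Select(SecretSelectedFields, obj)
	Redact(RedactFields, obj)
	return obj
}

func main() {
	fmt.Println("generic:", SanitizeGeneric(SampleTLSSecret())["data"]) // tls.key still present
	fmt.Println("secret: ", SanitizeSecret(SampleTLSSecret())["data"])  // tls.key gone
}
```

The order matters: Select is the control that keeps private key material out of the collected data, and Redact then trims bookkeeping (such as the last-applied-configuration annotation, which can itself contain a full copy of the object) from whatever survived the allow-list.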

Types

type ConfigDiscovery added in v0.1.17

type ConfigDiscovery struct {
	// KubeConfigPath is the path to the kubeconfig file. If empty, will assume it runs in-cluster.
	KubeConfigPath string `yaml:"kubeconfig"`
}

ConfigDiscovery contains the configuration for the k8s-discovery data-gatherer

func (*ConfigDiscovery) NewDataGatherer added in v0.1.17

func (c *ConfigDiscovery) NewDataGatherer(ctx context.Context) (datagatherer.DataGatherer, error)

NewDataGatherer constructs a new instance of the k8s-discovery data-gatherer. It gets the UID of the 'kube-system' namespace to use as the cluster ID, once at startup. The UID is assumed to be stable for the lifetime of the cluster. - https://github.com/kubernetes/kubernetes/issues/77487#issuecomment-489786023

func (*ConfigDiscovery) UnmarshalYAML added in v0.1.17

func (c *ConfigDiscovery) UnmarshalYAML(unmarshal func(any) error) error

UnmarshalYAML unmarshals the Config resolving GroupVersionResource.

type ConfigDynamic added in v0.1.17

type ConfigDynamic struct {
	// KubeConfigPath is the path to the kubeconfig file. If empty, will assume it runs in-cluster.
	KubeConfigPath string `yaml:"kubeconfig"`
	// GroupVersionResource identifies the resource type to gather.
	GroupVersionResource schema.GroupVersionResource
	// ExcludeNamespaces is a list of namespaces to exclude.
	ExcludeNamespaces []string `yaml:"exclude-namespaces"`
	// IncludeNamespaces is a list of namespaces to include.
	IncludeNamespaces []string `yaml:"include-namespaces"`
	// FieldSelectors is a list of field selectors to use when listing this resource
	FieldSelectors []string `yaml:"field-selectors"`
}

ConfigDynamic contains the configuration for the data-gatherer.

func (*ConfigDynamic) NewDataGatherer added in v0.1.17

func (c *ConfigDynamic) NewDataGatherer(ctx context.Context) (datagatherer.DataGatherer, error)

NewDataGatherer constructs a new instance of the generic K8s data-gatherer for the provided GroupVersionResource.

func (*ConfigDynamic) UnmarshalYAML added in v0.1.17

func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(any) error) error

UnmarshalYAML unmarshals the ConfigDynamic resolving GroupVersionResource.

type DataGathererDiscovery added in v0.1.17

type DataGathererDiscovery struct {
	// contains filtered or unexported fields
}

DataGathererDiscovery stores the config for a k8s-discovery datagatherer

func (*DataGathererDiscovery) Fetch added in v0.1.17

func (g *DataGathererDiscovery) Fetch() (any, int, error)

Fetch will fetch discovery data from the apiserver, or return an error

func (*DataGathererDiscovery) Run added in v0.1.29

func (*DataGathererDiscovery) WaitForCacheSync added in v0.1.29

func (g *DataGathererDiscovery) WaitForCacheSync(ctx context.Context) error

type DataGathererDynamic added in v0.1.17

type DataGathererDynamic struct {
	ExcludeAnnotKeys []*regexp.Regexp
	ExcludeLabelKeys []*regexp.Regexp
	// contains filtered or unexported fields
}

DataGathererDynamic is a generic gatherer for Kubernetes. It knows how to request a list of generic resources from the Kubernetes apiserver. It does not deserialize the objects into structured data, instead utilising the Kubernetes `Unstructured` type for data handling. This is to allow us to support arbitrary CRDs and resources that Preflight does not have registered as part of its `runtime.Scheme`.

func (*DataGathererDynamic) Fetch added in v0.1.17

func (g *DataGathererDynamic) Fetch() (any, int, error)

Fetch will fetch the requested data from the apiserver, or return an error if fetching the data fails.

func (*DataGathererDynamic) Run added in v0.1.29

Run starts the dynamic data gatherer's informers for resource collection. It returns an error if the data gatherer's informer wasn't initialized; otherwise Run blocks until the stopCh is closed.

func (*DataGathererDynamic) WaitForCacheSync added in v0.1.29

func (g *DataGathererDynamic) WaitForCacheSync(ctx context.Context) error

WaitForCacheSync waits for the data gatherer's informers cache to sync before collecting the resources. Use errors.Is(err, ErrCacheSyncTimeout) to check if the cache sync failed.

type FieldPath added in v1.2.0

type FieldPath []string
