k8sdynamic

package v1.9.0-alpha.2
Published: Mar 5, 2026 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var ErrCacheSyncTimeout = fmt.Errorf("timed out waiting for Kubernetes cache to sync")
var RedactFields = []FieldPath{
	{"metadata", "managedFields"},
	{"metadata", "annotations", "kubectl.kubernetes.io/last-applied-configuration"},
}

RedactFields lists the fields that are removed from every collected object.

var RouteSelectedFields = []FieldPath{
	{"kind"},
	{"apiVersion"},
	{"metadata", "annotations"},
	{"metadata", "name"},
	{"metadata", "namespace"},
	{"metadata", "ownerReferences"},
	{"metadata", "selfLink"},
	{"metadata", "uid"},
	{"metadata", "creationTimestamp"},
	{"metadata", "deletionTimestamp"},
	{"metadata", "resourceVersion"},

	{"spec", "host"},
	{"spec", "to", "kind"},
	{"spec", "to", "name"},
	{"spec", "to", "weight"},
	{"spec", "tls", "termination"},
	{"spec", "tls", "certificate"},
	{"spec", "tls", "caCertificate"},
	{"spec", "tls", "destinationCACertificate"},
	{"spec", "tls", "insecureEdgeTerminationPolicy"},
	{"spec", "wildcardPolicy"},
	{"status"},
}

RouteSelectedFields is the list of fields sent from OpenShift Route objects to the backend. The Route resource is redacted because it may contain private keys for TLS.

TODO(wallrj): Find out if the `.tls.key` field is the only one that may contain sensitive data and, if so, redact that field instead of selecting everything else, for consistency with Ingress and the other resources that are collected. Alternatively, add a comment explaining why the set of fields is allow-listed for Route while all fields are collected for Ingress. https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/network_apis/route-route-openshift-io-v1#spec-tls-3

var SecretSelectedFields = []FieldPath{
	{"kind"},
	{"apiVersion"},
	{"metadata", "annotations"},
	{"metadata", "labels"},
	{"metadata", "name"},
	{"metadata", "namespace"},
	{"metadata", "ownerReferences"},
	{"metadata", "selfLink"},
	{"metadata", "uid"},
	{"metadata", "creationTimestamp"},
	{"metadata", "deletionTimestamp"},
	{"metadata", "resourceVersion"},
	{"immutable"},
	{"type"},
	{"data", "tls.crt"},
	{"data", "ca.crt"},
	{"data", "conjur-map"},
}

SecretSelectedFields is the list of fields sent from Secret objects to the backend. The `data` field is redacted to prevent private keys or other sensitive data from being collected. Only the following non-sensitive keys are retained: tls.crt and ca.crt. These keys are assumed to always contain public TLS certificates. The `conjur-map` key is also retained, as it is used to map Secrets to Conjur variables and is not considered sensitive. See https://docs.cyberark.com/conjur-open-source/latest/en/content/integrations/k8s-ocp/cjr-secrets-provider-lp.htm

Functions

func Redact

func Redact(fields []FieldPath, resource *unstructured.Unstructured)

Redact removes the supplied fields from the resource.

func RemoveTypedKeys

func RemoveTypedKeys(excludeAnnotKeys []*regexp.Regexp, m map[string]string)

RemoveTypedKeys is meant for typed clientset objects.

func RemoveUnstructuredKeys

func RemoveUnstructuredKeys(excludeKeys []*regexp.Regexp, obj *unstructured.Unstructured, path ...string)

RemoveUnstructuredKeys is meant for unstructured clientset objects. It removes the keys matching excludeKeys from the field found at the given path. For example, given the following object:

{
  "metadata": {
    "annotations": {
      "key1": "value1",
      "key2": "value2"
    }
  }
}

the following call (the exclude list is a slice of compiled regular expressions, matching the function signature):

RemoveUnstructuredKeys([]*regexp.Regexp{regexp.MustCompile("^key1$")}, obj, "metadata", "annotations")

results in:

{
  "metadata": {
    "annotations": {"key2": "value2"}
  }
}

If the given path doesn't exist or leads to a non-map object, nothing happens. The leaf object must either be a map[string]interface{} (that's what's returned by the unstructured clientset) or a map[string]string (that's what's returned by the typed clientset).

func Select

func Select(fields []FieldPath, resource *unstructured.Unstructured) error

Select removes all but the supplied fields from the resource.
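
The following is an added example, not code from this package: a standalone reimplementation of the Select (allow-list) and Redact (deny-list) semantics over a plain map[string]any, which is how an Unstructured object's content is represented. It applies a subset of the page's SecretSelectedFields and then RedactFields to a Secret, so tls.key, managedFields and the last-applied-configuration annotation (which echoes the full object, including data) are dropped while tls.crt and other annotations survive. The helper names parent, selectFields and sanitizeSecret are assumptions of this example.

```go
package main

// FieldPath mirrors the page's type: a list of nested map keys, e.g. {"data", "tls.crt"}.
type FieldPath []string

// parent returns the map holding the last key of p; with create, missing intermediate maps are made.
func parent(obj map[string]any, p FieldPath, create bool) map[string]any {
	for _, k := range p[:len(p)-1] {
		next, ok := obj[k].(map[string]any)
		if !ok {
			if !create {
				return nil
			}
			next = map[string]any{}
			obj[k] = next
		}
		obj = next
	}
	return obj
}

// redact deletes each listed path in place (deny-list); absent paths are ignored.
func redact(fields []FieldPath, obj map[string]any) {
	for _, p := range fields {
		if m := parent(obj, p, false); m != nil {
			delete(m, p[len(p)-1])
		}
	}
}

// selectFields returns a new object holding only the listed paths (allow-list); leaves are shared, not deep-copied.
func selectFields(fields []FieldPath, obj map[string]any) map[string]any {
	out := map[string]any{}
	for _, p := range fields {
		leaf := p[len(p)-1]
		if v, ok := parent(obj, p, false)[leaf]; ok {
			parent(out, p, true)[leaf] = v
		}
	}
	return out
}

// sanitizeSecret mirrors the page's Secret handling: select a subset of SecretSelectedFields, then apply RedactFields.
func sanitizeSecret(secret map[string]any) map[string]any {
	keep := []FieldPath{{"kind"}, {"type"}, {"metadata", "name"}, {"metadata", "annotations"}, {"data", "tls.crt"}, {"data", "ca.crt"}}
	drop := []FieldPath{{"metadata", "managedFields"}, {"metadata", "annotations", "kubectl.kubernetes.io/last-applied-configuration"}}
	out := selectFields(keep, secret)
	redact(drop, out)
	return out
}
```

Call sanitizeSecret with the content map of a TLS Secret; because selected leaves are shared with the input, the redact step also strips the annotation from the original map.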

Types

type ConfigDynamic

type ConfigDynamic struct {
	// KubeConfigPath is the path to the kubeconfig file. If empty, will assume it runs in-cluster.
	KubeConfigPath string `yaml:"kubeconfig"`
	// GroupVersionResource identifies the resource type to gather.
	GroupVersionResource schema.GroupVersionResource
	// ExcludeNamespaces is a list of namespaces to exclude.
	ExcludeNamespaces []string `yaml:"exclude-namespaces"`
	// IncludeNamespaces is a list of namespaces to include.
	IncludeNamespaces []string `yaml:"include-namespaces"`
	// FieldSelectors is a list of field selectors to use when listing this resource
	FieldSelectors []string `yaml:"field-selectors"`
	// LabelSelectors is a list of label selectors to use when listing this resource
	LabelSelectors []string `yaml:"label-selectors"`
}

ConfigDynamic contains the configuration for the data-gatherer.

func (*ConfigDynamic) NewDataGatherer

func (c *ConfigDynamic) NewDataGatherer(ctx context.Context) (datagatherer.DataGatherer, error)

NewDataGatherer constructs a new instance of the generic K8s data-gatherer for the provided

func (*ConfigDynamic) UnmarshalYAML

func (c *ConfigDynamic) UnmarshalYAML(unmarshal func(any) error) error

UnmarshalYAML unmarshals the ConfigDynamic, resolving its GroupVersionResource.

type DataGathererDynamic

type DataGathererDynamic struct {
	ExcludeAnnotKeys []*regexp.Regexp
	ExcludeLabelKeys []*regexp.Regexp

	// Encryptor, if non-nil, will be used to envelope encrypt Secret data.
	// If nil, Secret data will be redacted.
	Encryptor envelope.Encryptor
	// contains filtered or unexported fields
}

DataGathererDynamic is a generic gatherer for Kubernetes. It knows how to request a list of generic resources from the Kubernetes apiserver. It does not deserialize the objects into structured data, instead utilising the Kubernetes `Unstructured` type for data handling. This is to allow us to support arbitrary CRDs and resources that Preflight does not have registered as part of its `runtime.Scheme`.

func (*DataGathererDynamic) Fetch

func (g *DataGathererDynamic) Fetch(ctx context.Context) (any, int, error)

Fetch will fetch the requested data from the apiserver, or return an error if fetching the data fails.

func (*DataGathererDynamic) GVR

func (*DataGathererDynamic) Run

Run starts the dynamic data gatherer's informers for resource collection. It returns an error if the data gatherer's informer was not initialized. Run blocks until stopCh is closed.

func (*DataGathererDynamic) WaitForCacheSync

func (g *DataGathererDynamic) WaitForCacheSync(ctx context.Context) error

WaitForCacheSync waits for the data gatherer's informers cache to sync before collecting the resources. Use errors.Is(err, ErrCacheSyncTimeout) to check if the cache sync failed.

type FieldPath

type FieldPath []string
