Constants ¶
// Admission control actions. With iota, AdmCtrlActionAllow is 0 and
// AdmCtrlActionDeny is 1; whether these numeric values are persisted or sent
// over the wire is not visible on this page, so treat the ordering as fixed.
const (
	AdmCtrlActionAllow = iota
	AdmCtrlActionDeny
)
// Property keys for admission-control audit log entries. The string values are
// presumably the keys that audit log consumers look up, so renaming a constant
// is safe but changing its value is not.
const (
	AuditLogPropMessage         = "Message"
	AuditLogPropUser            = "User"
	AuditLogPropImage           = "Image"
	AuditLogPropImageID         = "ImageID"
	AuditLogPropRegistry        = "Registry"
	AuditLogPropRepository      = "Repository"
	AuditLogPropTag             = "Tag"
	AuditLogPropBaseOS          = "BaseOS"
	AuditLogPropCriticalVulsCnt = "CriticalVulsCnt"
	AuditLogPropHighVulsCnt     = "HighVulsCnt"
	AuditLogPropMedVulsCnt      = "MedVulsCnt"
	AuditLogPropNamespace       = "Namespace"
	AuditLogPropFirstLogAt      = "FirstLogAt"
	AuditLogPropLastLogAt       = "LastLogAt"
	AuditLogPropPVCName         = "PVCName"
	// NOTE(review): this name lacks the AuditLogProp prefix used by every other
	// entry, and its value embeds "PVCName" rather than just "PVC"; both look
	// unintended, but changing the value would alter the emitted audit key, so
	// it is left as is.
	AuditLogPVCStorageClassName = "PVCNameStorageClassName"
)
// Overall outcome of an admission request evaluation. With iota the values are
// ReqAllowed 0, ReqDenied 1, ReqErrored 2, ReqIgnored 3. Note that this is a
// separate enumeration from AdmCtrlActionAllow/AdmCtrlActionDeny, although
// the first two values coincide numerically; do not mix the two.
const (
	ReqAllowed = iota
	ReqDenied
	ReqErrored
	ReqIgnored
)
Variables ¶
This section is empty.
Functions ¶
func GetAdmRuleTypeOptions ¶
func GetAdmRuleTypeOptions(ruleType string) *api.RESTAdmCatOptions
func GetCustomCriteriaOptions ¶
func GetCustomCriteriaOptions() []*api.RESTAdminCustomCriteriaOptions
func GetCustomCriteriaTemplates ¶
func GetCustomCriteriaTemplates() []*api.RESTAdminCriteriaTemplate
Types ¶
type AdmContainerInfo ¶
// AdmContainerInfo is the per-container view of a resource under admission
// control evaluation. The type has a custom MarshalJSON (declared elsewhere in
// this package), so the json tags below are not necessarily what the encoder
// emits; JSONAdmContainerInfo in this package carries a smaller set of tagged
// fields and notably no EnvSecrets, presumably so detected secret material is
// never serialized — confirm against MarshalJSON.
type AdmContainerInfo struct {
	Name          string    `json:"name"`
	Image         string    `json:"image"` // original spec.container.image value in the yaml file
	ImageRegistry utils.Set `json:"image_registry"`
	ImageRepo     string    `json:"image_repo"`
	ImageTag      string    `json:"image_tag"`
	// Workload hardening settings. Presumably mirror the Kubernetes pod spec and
	// securityContext fields of the same names — confirm at the site that fills
	// them in. Because of omitempty, false/0 values are dropped on the wire: a
	// consumer of the JSON form cannot distinguish "unset" from "explicitly
	// false", and RunAsUser 0 (root) is indistinguishable from "not specified".
	Privileged               bool                  `json:"privileged,omitempty"`
	RunAsUser                int64                 `json:"run_as_user,omitempty"`
	VolMounts                utils.Set             `json:"vol_mounts,omitempty"`
	EnvVars                  map[string]string     `json:"env_vars,omitempty"`
	EnvSecrets               []share.ScanSecretLog `json:"env_secrets,omitempty"` // presumably secrets detected in environment variables; has no counterpart in JSONAdmContainerInfo
	HostNetwork              bool                  `json:"host_network,omitempty"`
	HostPID                  bool                  `json:"host_pid,omitempty"`
	HostIPC                  bool                  `json:"host_ipc,omitempty"`
	AllowPrivilegeEscalation bool                  `json:"allow_privilege_escalation,omitempty"`
	// Resource requests and limits. Units are not stated on this page —
	// presumably CPU in cores and memory in bytes; confirm.
	CpuLimits      float64 `json:"cpu_limits"`
	CpuRequests    float64 `json:"cpu_requests"`
	MemoryLimits   int64   `json:"memory_limits"`
	MemoryRequests int64   `json:"memory_requests"`
	// Type is one of the K8sContainerType values ("standard", "init", "ephemeral").
	Type         K8sContainerType `json:"type"`
	Capabilities LinuxCapabilities `json:"capabilities"`
	Volumes      []corev1.Volume   `json:"volumes"`
	HostPorts    []int32           `json:"host_ports"`
	// Remaining securityContext-style settings. AppArmorProfile and
	// SeccompProfileType are pointers, so nil presumably means "not specified"
	// rather than an empty profile — confirm.
	AppArmorProfile    *string                    `json:"app_armor_profile"`
	SELinuxOptions     SELinuxOptions             `json:"se_linux_options"`
	ProcMount          string                     `json:"proc_mount"`
	SeccompProfileType *corev1.SeccompProfileType `json:"seccomp_profile"`
	Sysctls            []string                   `json:"sysctls"`
	RunAsNonRoot       bool                       `json:"run_as_non_root"`
}
func (AdmContainerInfo) MarshalJSON ¶
func (info AdmContainerInfo) MarshalJSON() ([]byte, error)
type AdmCtrlAssessResult ¶
// AdmCtrlAssessResult is the assessment outcome for a single container or
// PVC within one admission request. AdmCtrlReqEvalResult aggregates one of
// these per container/pvc.
type AdmCtrlAssessResult struct {
	ContainerImageInfo AdmCtrlContainerImageInfo
	AssessAction       string                  // ""/"allow"/"deny" : action matched for this assessment(container or pvc)
	CriticalMatch      *AdmCtrlMatchedResult   // the match that decides "allow"/"deny" action (not including deny/monitor); nil when AssessAction is "" — presumably, confirm
	MatchedResults     []*AdmCtrlMatchedResult // list of matched rules' info for this container. a rule could be matched without an action being taken (i.e. "monitor").
}
type AdmCtrlContainerImageInfo ¶
// AdmCtrlContainerImageInfo summarizes what is known about a container's image
// at assessment time. When ImageScanned is false the vulnerability counts are
// presumably zero rather than meaningful — consumers should check ImageScanned
// before reading them; confirm at the populating site.
type AdmCtrlContainerImageInfo struct {
	ImageScanned    bool   // true when at least one image scan summary says so
	Name            string // container name specified in yaml
	Image           string // the image specified in yaml
	Repository      string
	Tag             string
	CriticalVulsCnt int // the max critical vuls # in the (multiple) image scan summary
	HighVulsCnt     int // the max high vuls # in the (multiple) image scan summary
	MedVulsCnt      int // the max medium vuls # in the (multiple) image scan summary
}
type AdmCtrlEvalContext ¶
type AdmCtrlMatchedImageInfo ¶
// AdmCtrlMatchedImageInfo carries the image details attached to one matched
// rule (see AdmCtrlMatchedResult.ImageInfo). Unlike
// AdmCtrlContainerImageInfo, which takes the maximum over several scan
// summaries, these counts belong to the single image that matched.
type AdmCtrlMatchedImageInfo struct {
	ImageScanned    bool
	ImageID         string // starting from this field, the following fields are available when the scan result for the image is available
	Registry        string
	BaseOS          string
	CriticalVulsCnt int // critical vuls # of the image that gets allow/deny action or monitor
	HighVulsCnt     int // high vuls # of the image that gets allow/deny action or monitor
	MedVulsCnt      int // medium vuls # of the image that gets allow/deny action or monitor
}
type AdmCtrlMatchedResult ¶
// AdmCtrlMatchedResult is for each matched occurrence. One rule could be
// matched multiple times when there are multiple containers in a request.
// Disabled rules also appear here during assessment, so consumers that act on
// a match must check Disabled (and IsMatchMonitor) before treating it as an
// enforced decision.
type AdmCtrlMatchedResult struct {
	ContainerImage  string
	RuleID          uint32 // matched rule's id
	IsFedRule       bool   // whether the matched rule is a fed rule
	IsDenyRuleType  bool   // whether the matched rule is a deny rule
	IsMatchMonitor  bool   // whether the matched deny rule gets "monitor" action (neither "allow" nor "deny")
	IsCriticalMatch bool   // whether this result is from a matched rule that decides "allow"/"deny" action
	Disabled        bool   // whether the matched rule is a disabled rule. for assessment, disabled rules are evaluated as well.
	RuleDetails     string // matched rule's criteria description in plain-text
	RuleMode        string // matched deny rule's per-rule mode. could be ""/"monitor"/"protect"
	ImageInfo       AdmCtrlMatchedImageInfo // info of the image that matches a rule
	RuleCfgType     share.TCfgType
}
AdmCtrlMatchedResult is for each matched occurrence. One rule could be matched multiple times when there are multiple containers in a request
func (AdmCtrlMatchedResult) IsMatchedMode ¶
func (r AdmCtrlMatchedResult) IsMatchedMode(globalMode, matchedMode string) bool
type AdmCtrlReqEvalResult ¶
// AdmCtrlReqEvalResult is the request-level outcome of admission control
// evaluation, aggregating the per-container/pvc AdmCtrlAssessResult entries.
// UnscannedImages is worth surfacing to operators: an image listed there was
// admitted or denied without scan data, whatever the rule match said.
type AdmCtrlReqEvalResult struct {
	ReqAction           string // ""/"allow"/"deny" : action matched for this request
	User                string
	Msg                 string
	UnscannedImages     string // those images in the request that were not scanned, no matter what the container-image match result is
	AllContainerImages  string // all images in the request
	ContainersInReq     int    // total containers in this request
	AllCriticalVulsCnt  int    // critical vuls count found for all containers in the request
	AllHighVulsCnt      int    // high vuls count found for all containers in the request
	AllMedVulsCnt       int    // medium vuls count found for all containers in the request
	CriticalAssessment  *AdmCtrlAssessResult   // the container/pvc assessment that decides "allow"/"deny" action (not including deny/monitor)
	AssessResults       []*AdmCtrlAssessResult // list of assessment match results. one entry per-container/pvc
	PVCName             string
	PVCStorageClassName string
}
type AdmResObject ¶
// AdmResObject is the resource-level view of an admission request: the
// Kubernetes object's identity, the requesting user and groups, and the
// containers extracted from it.
type AdmResObject struct {
	ValidUntil         int64 // seconds since the epoch
	Kind               string
	Name               string
	Namespace          string
	UserName           string
	Groups             utils.Set
	OwnerUIDs          []string
	Labels             map[string]string
	Annotations        map[string]string
	// AllContainers is indexed in the same order as the K8sContainerType
	// constants are declared (standard, init, ephemeral).
	AllContainers      [3][]*AdmContainerInfo // containers info in this resource object in containers, initContainers, ephemeralContainers order
	ServiceAccountName string
}
type AdmUriState ¶
type JSONAdmContainerInfo ¶
// JSONAdmContainerInfo is a plain-JSON projection of AdmContainerInfo: set
// fields become []string and the EnvSecrets, resource, capability and
// securityContext detail fields are omitted. It is presumably what
// AdmContainerInfo.MarshalJSON produces — confirm. The same omitempty caveat
// applies: false/0 values disappear, so RunAsUser 0 cannot be told apart from
// "not specified" in the encoded form.
type JSONAdmContainerInfo struct {
	Name                     string            `json:"name"`
	Image                    string            `json:"image"`
	ImageRegistry            []string          `json:"image_registry"`
	ImageRepo                string            `json:"image_repo"`
	ImageTag                 string            `json:"image_tag"`
	Privileged               bool              `json:"privileged,omitempty"`
	RunAsUser                int64             `json:"run_as_user,omitempty"`
	VolMounts                []string          `json:"vol_mounts,omitempty"`
	EnvVars                  map[string]string `json:"env_vars,omitempty"`
	HostNetwork              bool              `json:"host_network,omitempty"`
	HostPID                  bool              `json:"host_pid,omitempty"`
	HostIPC                  bool              `json:"host_ipc,omitempty"`
	AllowPrivilegeEscalation bool              `json:"allow_privilege_escalation,omitempty"`
}
type K8sContainerType ¶
// K8sContainerType identifies which container list of a pod spec a container
// came from. The declaration order below matches the index order of
// AdmResObject.AllContainers.
type K8sContainerType string

const (
	K8sStandardContainer K8sContainerType = "standard"
	K8sInitContainer     K8sContainerType = "init"
	// NOTE(review): casing differs from the other two constants ("K8S" vs
	// "K8s"); it is exported, so renaming would break callers.
	K8SEphemeralContainer K8sContainerType = "ephemeral"
)
type LinuxCapabilities ¶
type SELinuxOptions ¶
type ScannedImageSummary ¶
// ScannedImageSummary is the per-image scan result consulted during admission
// control. Scanned reports whether a scan result exists at all; the meaning of
// Result and the semantics of Signed/Verifiers are not stated on this page —
// confirm against the scanner before relying on them for an allow decision.
type ScannedImageSummary struct {
	ImageID             string
	BaseOS              string
	Registry            string
	RegName             string
	Digest              string
	Author              string
	ScannedAt           time.Time
	Result              int32
	CriticalVuls        int
	HighVuls            int
	MedVuls             int
	CriticalVulsWithFix int
	HighVulsWithFix     int
	VulScore            float32
	VulNames            utils.Set
	Scanned             bool
	Signed              bool
	Verifiers           []string
	RunAsRoot           bool
	EnvVars             map[string]string
	Labels              map[string]string
	CriticalVulInfo     map[string]share.CLUSScannedVulInfo // key is vul name
	HighVulInfo         map[string]share.CLUSScannedVulInfo // key is vul name
	MediumVulInfo       map[string]share.CLUSScannedVulInfo // key is vul name
	LowVulInfo          []share.CLUSScannedVulInfoSimple    // only care about score
	SetIDPermCnt        int                                 // setuid and setgid files found by the image scan
	SecretsCnt          int                                 // secrets found by the image scan
	Modules             []*share.ScanModule
}