Documentation

Overview
Package policy manages TrustPolicy CRDs and policy evaluation.
Index

Constants

This section is empty.

Variables

This section is empty.

Functions
func CRDInstalled

func CRDInstalled(disc discovery.DiscoveryInterface) bool

CRDInstalled checks if the TrustPolicy CRD is registered in the cluster.
func CRDManifest

CRDManifest returns the raw YAML for the TrustPolicy CRD.
Types

type Engine

type Engine struct {
	// contains filtered or unexported fields
}

Engine evaluates policy rules against findings and produces violations.
func NewEngine

func NewEngine(policies []TrustPolicy) *Engine

NewEngine creates an engine with the given policies.
func (*Engine) Evaluate

func (e *Engine) Evaluate(findings []store.CertFinding) []store.CertFinding

Evaluate runs all policy rules against the given findings and returns any POLICY_VIOLATION findings.
type RuleSpec

type RuleSpec struct {
	Name     string            `json:"name"`
	Type     string            `json:"type"` // "minKeySize", "noSHA1", "requiredIssuer", "noSelfSigned"
	Params   map[string]string `json:"params,omitempty"`
	Severity string            `json:"severity,omitempty"`
}

RuleSpec defines a policy rule that findings are evaluated against.
type TargetSpec

type TargetSpec struct {
	Kind      string   `json:"kind"` // "Service", "External", "Secret"
	Namespace string   `json:"namespace,omitempty"`
	Name      string   `json:"name,omitempty"`
	SNI       string   `json:"sni,omitempty"`
	Severity  string   `json:"severity,omitempty"`
	Ports     []int    `json:"ports,omitempty"`
	URLs      []string `json:"urls,omitempty"`
}

TargetSpec defines a single monitoring target.
type ThresholdSpec

type ThresholdSpec struct {
	WarnBefore string `json:"warnBefore,omitempty"` // duration string, e.g. "720h"
	CritBefore string `json:"critBefore,omitempty"`
}

ThresholdSpec overrides the global warn/crit thresholds for a policy.
type TrustPolicy

type TrustPolicy struct {
	Name      string          `json:"name"`
	Namespace string          `json:"namespace"`
	Spec      TrustPolicySpec `json:"spec"`
}

TrustPolicy represents a trust surface monitoring policy.
func LoadFromFile (added in v0.3.0)

func LoadFromFile(path string) ([]TrustPolicy, error)

LoadFromFile reads a YAML policy file and returns TrustPolicy objects.
func LoadPolicies

func LoadPolicies(ctx context.Context, disc discovery.DiscoveryInterface, dynClient dynamic.Interface) ([]TrustPolicy, error)

LoadPolicies lists all TrustPolicy CRs from the cluster. It returns nil, nil if the CRD is not installed.
type TrustPolicySpec

type TrustPolicySpec struct {
	Targets    []TargetSpec  `json:"targets,omitempty"`
	Thresholds ThresholdSpec `json:"thresholds,omitempty"`
	Rules      []RuleSpec    `json:"rules,omitempty"`
}

TrustPolicySpec defines the targets, thresholds, and rules for a policy.
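The following program is an added example, not code from the policy package or its project. It shows how the documented types fit together: a policy document is decoded through the json struct tags of TrustPolicy, and an evaluator modelled on the documented behaviour of Engine.Evaluate applies the four RuleSpec types ("minKeySize", "noSHA1", "requiredIssuer", "noSelfSigned") to findings and returns POLICY_VIOLATION findings. The fields of store.CertFinding, the rule semantics, and the parameter keys "bits" and "issuer" are not shown on this page and are assumptions made here; Targets and Thresholds are left out of the spec, and the policy document is JSON (which is also valid YAML) rather than a YAML file read with LoadFromFile.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Policy types as documented for the package; Targets and Thresholds are omitted for brevity.
type RuleSpec struct {
	Name     string            `json:"name"`
	Type     string            `json:"type"` // "minKeySize", "noSHA1", "requiredIssuer", "noSelfSigned"
	Params   map[string]string `json:"params,omitempty"`
	Severity string            `json:"severity,omitempty"`
}
type TrustPolicySpec struct {
	Rules []RuleSpec `json:"rules,omitempty"`
}
type TrustPolicy struct {
	Name      string          `json:"name"`
	Namespace string          `json:"namespace"`
	Spec      TrustPolicySpec `json:"spec"`
}

type CertFinding struct { // assumed stand-in for store.CertFinding; its real fields are not on the page
	Target, Subject, Issuer, SigAlg string
	KeyBits                          int
	Kind, Severity, Message          string // Kind is "POLICY_VIOLATION" for engine output
}

// breaks reports whether f violates r; rule semantics and the param keys "bits"/"issuer" are assumed.
func breaks(r RuleSpec, f CertFinding) (string, bool) {
	switch r.Type {
	case "minKeySize": // a malformed "bits" value skips the rule rather than flagging every cert
		if minBits, err := strconv.Atoi(r.Params["bits"]); err == nil && f.KeyBits < minBits {
			return fmt.Sprintf("key is %d bits, minimum %d", f.KeyBits, minBits), true
		}
	case "noSHA1":
		if strings.Contains(strings.ToLower(f.SigAlg), "sha1") {
			return "signature algorithm " + f.SigAlg + " uses SHA-1", true
		}
	case "requiredIssuer":
		if want := r.Params["issuer"]; want != "" && f.Issuer != want {
			return fmt.Sprintf("issuer %q, required %q", f.Issuer, want), true
		}
	case "noSelfSigned":
		if f.Subject == f.Issuer {
			return "certificate is self-signed", true
		}
	}
	return "", false
}

// Evaluate returns one POLICY_VIOLATION finding per rule breach, as Engine.Evaluate is documented to.
func Evaluate(policies []TrustPolicy, findings []CertFinding) (out []CertFinding) {
	for _, p := range policies {
		for _, r := range p.Spec.Rules {
			for _, f := range findings {
				if msg, bad := breaks(r, f); bad {
					v := f // copy the scanned finding so the violation keeps its context
					v.Kind, v.Severity = "POLICY_VIOLATION", r.Severity // severity as set on the rule
					v.Message = fmt.Sprintf("%s/%s rule %q: %s", p.Namespace, p.Name, r.Name, msg)
					out = append(out, v)
				}
			}
		}
	}
	return out
}

// Constructed inputs, not data from a real cluster; the policy is JSON, decoded through the tags above.
var policyDoc = []byte(`[{"name": "baseline", "namespace": "security", "spec": {"rules": [
  {"name": "rsa-2048", "type": "minKeySize", "params": {"bits": "2048"}, "severity": "critical"},
  {"name": "no-sha1", "type": "noSHA1", "severity": "warning"},
  {"name": "no-self-signed", "type": "noSelfSigned", "severity": "warning"}]}}]`)
var sampleFindings = []CertFinding{
	{Target: "default/api-gateway:443", Subject: "CN=api.example.internal", Issuer: "CN=Corp Issuing CA", KeyBits: 2048, SigAlg: "SHA256-RSA"},
	{Target: "legacy/old-app:8443", Subject: "CN=old-app", Issuer: "CN=old-app", KeyBits: 1024, SigAlg: "SHA1-RSA"},
}

// RunSample decodes the constructed policy and evaluates it against the sample findings.
func RunSample() ([]CertFinding, error) {
	var policies []TrustPolicy
	if err := json.Unmarshal(policyDoc, &policies); err != nil {
		return nil, err
	}
	return Evaluate(policies, sampleFindings), nil
}

func main() {
	violations, err := RunSample()
	if err != nil {
		panic(err)
	}
	for _, v := range violations {
		fmt.Printf("[%s] %s: %s\n", v.Severity, v.Target, v.Message)
	}
}
```

Run with `go run`: the healthy certificate produces nothing, while the self-signed 1024-bit SHA-1 certificate yields three POLICY_VIOLATION findings, one per rule, each carrying the rule's severity and the originating policy's namespace and name. A minKeySize rule whose "bits" parameter does not parse is skipped rather than applied, so a typo in a policy cannot turn every certificate into a violation; when writing a real TrustPolicy, take the parameter names from the CRD schema (CRDManifest) rather than from this example.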