- Constants
- Variables
- func MatchBigInt(pattern string, value *big.Int) bool
- func MatchPattern(pattern, value string) bool
- func MatchPatternWithArray(pattern string, valueArray []string) bool
- func MatchWithPatternArray(value string, patternArray []string) bool
- func SplitRule(rules string) []string
- type CheckError
- type IntegrityValue
- type MutationEvalResult
- type ObjectMetadata
- type Owner
- type OwnerList
- type ParsedRequest
- type ReasonCode
- type ReqContext
- func (reqc *ReqContext) GroupVersion() string
- func (rc *ReqContext) IsAppEnforcePolicyRequest() bool
- func (rc *ReqContext) IsCreateRequest() bool
- func (rc *ReqContext) IsCreator() bool
- func (rc *ReqContext) IsDeleteRequest() bool
- func (rc *ReqContext) IsEnforcePolicyRequest() bool
- func (rc *ReqContext) IsIEDefaultPolicyRequest() bool
- func (rc *ReqContext) IsIEPolicyRequest() bool
- func (rc *ReqContext) IsResourceSignatureRequest() bool
- func (rc *ReqContext) IsSecret() bool
- func (rc *ReqContext) IsServiceAccount() bool
- func (rc *ReqContext) IsSignPolicyRequest() bool
- func (rc *ReqContext) IsUpdateRequest() bool
- func (reqc *ReqContext) Map() map[string]string
- func (reqc *ReqContext) OwnerRef() *ResourceRef
- func (reqc *ReqContext) ResourceRef() *ResourceRef
- type ResolveOwnerResult
- type ResourceAnnotation
- type ResourceLabel
- type ResourceRef
- type SignPolicyEvalResult
- type SignatureAnnotation
- type SignerInfo
Constants ¶
// apiVersion/kind pairs of the custom resources this package recognises.
// All six kinds are served from the same API group and version; the
// ReqContext Is…Request methods listed on this page presumably match a
// request's group/version/kind against these pairs.
const (
	// ResourceSignature
	SignatureCustomResourceAPIVersion = "research.ibm.com/v1alpha1"
	SignatureCustomResourceKind       = "ResourceSignature"

	// EnforcePolicy
	PolicyCustomResourceAPIVersion = "research.ibm.com/v1alpha1"
	PolicyCustomResourceKind       = "EnforcePolicy"

	// IntegrityEnforcerPolicy
	IEPolicyCustomResourceAPIVersion = "research.ibm.com/v1alpha1"
	IEPolicyCustomResourceKind       = "IntegrityEnforcerPolicy"

	// IEDefaultPolicy
	DefaultPolicyCustomResourceAPIVersion = "research.ibm.com/v1alpha1"
	DefaultPolicyCustomResourceKind       = "IEDefaultPolicy"

	// SignPolicy
	SignerPolicyCustomResourceAPIVersion = "research.ibm.com/v1alpha1"
	SignerPolicyCustomResourceKind       = "SignPolicy"

	// AppEnforcePolicy
	AppPolicyCustomResourceAPIVersion = "research.ibm.com/v1alpha1"
	AppPolicyCustomResourceKind       = "AppEnforcePolicy"
)
// Label keys and values the enforcer apparently stamps onto objects to record
// the outcome of its check (both keys also appear in CommonMessageMask).
//
// NOTE(review): these are ordinary, client-settable labels. Nothing on this
// page shows the admission path stripping or overriding them on incoming
// objects, so a stored LabelValueVerified must not be taken as proof of
// verification unless the webhook is confirmed to own these keys.
const (
	// ResourceIntegrityLabelKey presumably takes LabelValueVerified or
	// LabelValueUnverified.
	ResourceIntegrityLabelKey = "integrity-enforcer.ibm.com/resourceIntegrity"
	// ReasonLabelKey presumably carries the Code of the matching
	// ReasonCodeMap entry.
	ReasonLabelKey = "integrity-enforcer.ibm.com/reason"

	LabelValueVerified   = "verified"
	LabelValueUnverified = "unverified"
)
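// Reason codes describing why a request was admitted or rejected. The values
// are positional (iota) and are the keys of ReasonCodeMap, so a new code must
// be appended at the end: inserting one in the middle silently renumbers every
// later code and shifts the messages/labels attached to them.
//
// The trailing comments are the Message strings ReasonCodeMap attaches to
// each code. The one-line rendering of this block had everything after
// REASON_INTERNAL behind a single "//", which would have commented out the
// remaining names; the layout below restores one declaration per line.
const (
	REASON_INTERNAL       = iota // internal request
	REASON_RULE_MATCH            // allowed by rule
	REASON_VALID_SIG             // allowed by valid signer's signature
	REASON_VERIFIED_OWNER        // owned by verified owner
	REASON_UPDATE_BY_SA          // updated by creator
	REASON_VERIFIED_SA           // operated by verified sa
	REASON_NO_MUTATION           // allowed because no mutation found
	REASON_IE_ADMIN              // IE admin operation
	REASON_IGNORED_SA            // ignored sa
	REASON_NOT_PROTECTED         // not protected
	REASON_BLOCK_DELETE          // block delete IE resource
	REASON_NOT_ENFORCED
	REASON_SKIP_DELETE // skip delete request
	REASON_ABORTED     // aborted
	REASON_BREAK_GLASS // allowed by breakglass mode
	REASON_DETECTION   // allowed by detection mode
	REASON_INVALID_SIG // Failed to verify signature
	REASON_NO_SIG      // No signature found
	REASON_NO_POLICY   // No signer policies
	REASON_UNEXPECTED  // unexpected
	REASON_ERROR       // error
)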
// Object hash flavours, presumably the values of ReqContext.ObjectHashType.
// The two Helm variants mark Helm-managed secrets and resources as special
// cases; how their hash differs from the default is not shown on this page.
const (
	HashTypeDefault      = "default"
	HashTypeHelmSecret   = "helmSecret"
	HashTypeHelmResource = "helmResource"
)
Variables ¶
// CommonMessageMask lists dotted JSON paths (segments that themselves contain
// dots are wrapped in double quotes) that are presumably excluded when a
// request object is diffed against its stored or signed state. It covers the
// enforcer's own labels, the signature annotations, and metadata the API
// server or client tooling populates.
//
// NOTE(review): the signature annotations (message, signature, certificate,
// signPaths) and both integrity labels are masked, so changing them does not
// register as a mutation by itself. That is only safe if the signature is
// re-verified independently of this diff — confirm against the callers of
// MutationEvalResult before relying on the mask.
//
// NOTE(review): the kubectl entry quotes only "kubernetes.io/last-applied-
// configuration" under a "kubectl" segment, whereas the real annotation key
// is the single string kubectl.kubernetes.io/last-applied-configuration.
// Whether that path matches depends on how the mask parser splits segments,
// which is not on this page.
var CommonMessageMask = []string{
	// enforcer-owned labels
	fmt.Sprintf("metadata.labels.\"%s\"", ResourceIntegrityLabelKey),
	fmt.Sprintf("metadata.labels.\"%s\"", ReasonLabelKey),

	// signature-related annotations
	"metadata.annotations.sigOwnerApiVersion",
	"metadata.annotations.sigOwnerKind",
	"metadata.annotations.sigOwnerName",
	"metadata.annotations.signOwnerRefType",
	"metadata.annotations.resourceSignatureName",
	"metadata.annotations.message",
	"metadata.annotations.signature",
	"metadata.annotations.certificate",
	"metadata.annotations.signPaths",
	"metadata.annotations.namespace",

	// server- or tooling-populated metadata
	"metadata.annotations.kubectl.\"kubernetes.io/last-applied-configuration\"",
	"metadata.managedFields",
	"metadata.creationTimestamp",
	"metadata.generation",
	"metadata.annotations.deprecated.daemonset.template.generation",
	"metadata.namespace",
	"metadata.resourceVersion",
	"metadata.selfLink",
	"metadata.uid",
}
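// ReasonCodeMap maps each REASON_* constant to its human-readable Message and
// a short Code, presumably the value written under ReasonLabelKey.
//
// Every REASON_* constant should have an entry: a lookup on a missing key
// yields the zero ReasonCode (empty Message and Code), which would stamp an
// object with an empty reason and leave the audit trail blank for that
// decision. The original listing had no entry for REASON_NOT_ENFORCED; one is
// added below. Its wording mirrors the neighbouring entries and should be
// confirmed against the upstream project before it is relied on.
var ReasonCodeMap = map[int]ReasonCode{
	REASON_INTERNAL:       {Message: "internal request", Code: "internal"},
	REASON_RULE_MATCH:     {Message: "allowed by rule", Code: "rule-match"},
	REASON_VALID_SIG:      {Message: "allowed by valid signer's signature", Code: "valid-sig"},
	REASON_VERIFIED_OWNER: {Message: "owned by verified owner", Code: "verified-owner"},
	REASON_UPDATE_BY_SA:   {Message: "updated by creator", Code: "updated-by-sa"},
	REASON_VERIFIED_SA:    {Message: "operated by verified sa", Code: "verified-sa"},
	REASON_NO_MUTATION:    {Message: "allowed because no mutation found", Code: "no-mutation"},
	REASON_IE_ADMIN:       {Message: "IE admin operation", Code: "ie-admin"},
	REASON_IGNORED_SA:     {Message: "ignored sa", Code: "ignored-sa"},
	REASON_NOT_PROTECTED:  {Message: "not protected", Code: "unprotected"},
	// "resouce" is the upstream spelling; kept because the text is user-visible.
	REASON_BLOCK_DELETE: {Message: "block delete IE resouce", Code: "block-delete"},
	// Added: previously missing, so the lookup returned an empty reason.
	REASON_NOT_ENFORCED: {Message: "not enforced", Code: "not-enforced"},
	REASON_SKIP_DELETE:  {Message: "skip delete request", Code: "skip-delete"},
	REASON_ABORTED:      {Message: "aborted", Code: "aborted"},
	REASON_BREAK_GLASS:  {Message: "allowed by breakglass mode", Code: "breakglass"},
	REASON_DETECTION:    {Message: "allowed by detection mode", Code: "detection"},
	REASON_INVALID_SIG:  {Message: "Failed to verify signature", Code: "invalid-signature"},
	REASON_NO_SIG:       {Message: "No signature found", Code: "no-signature"},
	REASON_NO_POLICY:    {Message: "No signer policies", Code: "no-signer-policy"},
	REASON_UNEXPECTED:   {Message: "unexpected", Code: "unexpected"},
	REASON_ERROR:        {Message: "error", Code: "error"},
}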
Functions ¶
func MatchPattern ¶
func MatchPatternWithArray ¶
func MatchWithPatternArray ¶
Types ¶
type CheckError ¶
// CheckError is the structured failure carried by the *EvalResult types
// (MutationEvalResult, ResolveOwnerResult, SignPolicyEvalResult).
//
// Msg and Reason are the caller-facing text; Error retains the underlying Go
// error. NOTE(review): encoding/json serialises an interface value by the
// exported fields of its dynamic type, and the common error types have none,
// so the "error" key usually renders as {}. The underlying message therefore
// survives only through Msg (or MakeMessage), not through JSON output.
type CheckError struct {
	Msg    string `json:"msg"`
	Reason string `json:"reason"`
	Error  error  `json:"error"`
}
func (*CheckError) MakeMessage ¶
func (self *CheckError) MakeMessage() string
type IntegrityValue ¶
type MutationEvalResult ¶
// MutationEvalResult is the outcome of comparing a request object against the
// state it is allowed to have.
//
// The zero value has IsMutated == false AND Checked == false. Callers should
// treat Checked == false as "the comparison did not run" (presumably with
// Error set), never as "no mutation".
type MutationEvalResult struct {
	// IsMutated reports that a disallowed change was found.
	IsMutated bool `json:"isMutated"`
	// Diff and Filtered are string renderings of the comparison; their exact
	// format is not shown on this page.
	Diff     string `json:"diff"`
	Filtered string `json:"filtered"`
	// Checked is set only when the comparison actually ran.
	Checked bool        `json:"checked"`
	Error   *CheckError `json:"error"`
}
type ObjectMetadata ¶
// ObjectMetadata is the slice of an object's metadata the checks look at: the
// creator as recorded by Kubernetes, the owner reference, and the object's
// annotations and labels. ReqContext holds two of these (OrgMetadata and
// ClaimedMetadata), presumably so a check can compare what is stored with
// what the incoming object asserts.
//
// NOTE(review): carrying K8sServiceAccountUid next to the name lets a check
// tell a re-created service account from the original one; confirm that
// IsCreator / IsServiceAccount actually compare the UID and not just the name.
type ObjectMetadata struct {
	K8sCreatedBy          string              `json:"k8sCreatedBy"`
	K8sServiceAccountName string              `json:"k8sServiceAccountName"`
	K8sServiceAccountUid  string              `json:"k8sServiceAccountUid"`
	OwnerRef              *ResourceRef        `json:"ownerRef"`
	Annotations           *ResourceAnnotation `json:"annotations"`
	Labels                *ResourceLabel      `json:"labels"`
}
type Owner ¶
// Owner is one entry in the ownership chain resolved for a request object:
// the owner's own reference, its owner in turn, and the owner's annotations
// and labels (which IsIntegrityVerified presumably consults).
//
// Unlike the other result types this struct carries no json tags, so when a
// ResolveOwnerResult is marshalled its owners appear under the Go field names
// (Ref, OwnerRef, Annotation, Label) rather than lowerCamel keys.
type Owner struct {
	Ref        *ResourceRef
	OwnerRef   *ResourceRef
	Annotation *ResourceAnnotation
	Label      *ResourceLabel
}
func (*Owner) IsIntegrityVerified ¶
type OwnerList ¶
// OwnerList holds the owners resolved for an object. OwnerRefs flattens it to
// the owners' references; VerifiedOwners (signature not shown on this page)
// presumably keeps only those that pass IsIntegrityVerified.
type OwnerList struct {
	Owners []*Owner
}
func (*OwnerList) OwnerRefs ¶
func (self *OwnerList) OwnerRefs() []ResourceRef
func (*OwnerList) VerifiedOwners ¶
type ParsedRequest ¶
func NewParsedRequest ¶
func NewParsedRequest(request *v1beta1.AdmissionRequest) *ParsedRequest
type ReasonCode ¶
type ReqContext ¶
// ReqContext is the per-request view the checks operate on, built from an
// admission request by NewReqContext. It carries the request identity
// (uid, namespace, name, group/version/kind, operation), the requester
// (UserName, UserGroups, UserInfo), the stored and the claimed metadata of
// the object, and an object hash plus IntegrityValue used by verification.
//
// Serialisation caveats:
//   - RawObject and RawOldObject are tagged "-" and never appear in JSON.
//   - RequestJsonStr ("request") is the whole request as a string and DOES
//     appear. For Secret objects (see IsSecret) that means secret payloads
//     ride along with any marshalled ReqContext — confirm that logging and
//     audit callers redact it before persisting or shipping the context.
//   - Type is tagged "Type" (capitalised), unlike every other key. Consumers
//     depend on that spelling, so it is kept as is.
type ReqContext struct {
	// ResourceScope is presumably the API resource scope; omitted when empty.
	ResourceScope string `json:"resourceScope,omitempty"`
	// DryRun presumably mirrors the admission request's dryRun flag; anything
	// that writes state as a side effect of a check should consult it first.
	DryRun bool `json:"dryRun"`

	// Raw object bytes from the request; deliberately excluded from JSON.
	RawObject    []byte `json:"-"`
	RawOldObject []byte `json:"-"`
	// RequestJsonStr is the request serialised as JSON (see caveat above).
	RequestJsonStr string `json:"request"`

	// Request identity.
	RequestUid string `json:"requestUid"`
	Namespace  string `json:"namespace"`
	Name       string `json:"name"`
	ApiGroup   string `json:"apiGroup"`
	ApiVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Operation  string `json:"operation"`

	IntegrityValue *IntegrityValue `json:"integrityValues"`
	// OrgMetadata is the metadata currently stored for the object and
	// ClaimedMetadata what the incoming object asserts; checks such as
	// IsCreator presumably compare the two.
	OrgMetadata     *ObjectMetadata `json:"orgMetadata"`
	ClaimedMetadata *ObjectMetadata `json:"claimedMetadata"`

	// Requester and object naming details.
	UserInfo    string   `json:"userInfo"`
	ObjLabels   string   `json:"objLabels"`
	ObjMetaName string   `json:"objMetaName"`
	UserName    string   `json:"userName"`
	UserGroups  []string `json:"userGroups"`
	Type        string   `json:"Type"`

	// Hash of the object; ObjectHashType is presumably one of the HashType*
	// constants.
	ObjectHashType string `json:"objectHashType"`
	ObjectHash     string `json:"objectHash"`
}
func NewReqContext ¶
func NewReqContext(req *v1beta1.AdmissionRequest) *ReqContext
func (*ReqContext) GroupVersion ¶
func (reqc *ReqContext) GroupVersion() string
func (*ReqContext) IsAppEnforcePolicyRequest ¶
func (rc *ReqContext) IsAppEnforcePolicyRequest() bool
func (*ReqContext) IsCreateRequest ¶
func (rc *ReqContext) IsCreateRequest() bool
func (*ReqContext) IsCreator ¶
func (rc *ReqContext) IsCreator() bool
func (*ReqContext) IsDeleteRequest ¶
func (rc *ReqContext) IsDeleteRequest() bool
func (*ReqContext) IsEnforcePolicyRequest ¶
func (rc *ReqContext) IsEnforcePolicyRequest() bool
func (*ReqContext) IsIEDefaultPolicyRequest ¶
func (rc *ReqContext) IsIEDefaultPolicyRequest() bool
func (*ReqContext) IsIEPolicyRequest ¶
func (rc *ReqContext) IsIEPolicyRequest() bool
func (*ReqContext) IsResourceSignatureRequest ¶
func (rc *ReqContext) IsResourceSignatureRequest() bool
func (*ReqContext) IsSecret ¶
func (rc *ReqContext) IsSecret() bool
func (*ReqContext) IsServiceAccount ¶
func (rc *ReqContext) IsServiceAccount() bool
func (*ReqContext) IsSignPolicyRequest ¶
func (rc *ReqContext) IsSignPolicyRequest() bool
func (*ReqContext) IsUpdateRequest ¶
func (rc *ReqContext) IsUpdateRequest() bool
func (*ReqContext) Map ¶
func (reqc *ReqContext) Map() map[string]string
func (*ReqContext) OwnerRef ¶
func (reqc *ReqContext) OwnerRef() *ResourceRef
func (*ReqContext) ResourceRef ¶
func (reqc *ReqContext) ResourceRef() *ResourceRef
type ResolveOwnerResult ¶
// ResolveOwnerResult is the outcome of walking a request object's ownership
// chain and checking whether its owners are integrity-verified.
//
// The zero value is fail-closed: Verified and Checked are both false, so a
// result that was never filled in (or that carries an Error) vouches for
// nothing. Callers should distinguish Checked == false ("did not run") from
// Verified == false ("ran and failed").
type ResolveOwnerResult struct {
	Owners   *OwnerList  `json:"owners"`
	Verified bool        `json:"verified"`
	Checked  bool        `json:"checked"`
	Error    *CheckError `json:"error"`
}
type ResourceAnnotation ¶
// ResourceAnnotation wraps an object's annotations, built from a
// map[string]string by NewResourceAnnotation. Its fields are unexported
// (ignored by encoding/json, so a marshalled value is {}), and it is read
// through its methods: CreatedBy, IntegrityVerified and SignatureAnnotations.
type ResourceAnnotation struct {
// contains filtered or unexported fields
}
func NewResourceAnnotation ¶
func NewResourceAnnotation(values map[string]string) *ResourceAnnotation
func (*ResourceAnnotation) CreatedBy ¶
func (self *ResourceAnnotation) CreatedBy() string
func (*ResourceAnnotation) IntegrityVerified ¶
func (self *ResourceAnnotation) IntegrityVerified() bool
func (*ResourceAnnotation) SignatureAnnotations ¶
func (self *ResourceAnnotation) SignatureAnnotations() *SignatureAnnotation
type ResourceLabel ¶
// ResourceLabel wraps an object's labels, built from a map[string]string by
// NewResourceLabel. Its fields are unexported (ignored by encoding/json, so a
// marshalled value is {}), and it is read through CreatedBy and
// IntegrityVerified.
type ResourceLabel struct {
// contains filtered or unexported fields
}
func NewResourceLabel ¶
func NewResourceLabel(values map[string]string) *ResourceLabel
func (*ResourceLabel) CreatedBy ¶
func (self *ResourceLabel) CreatedBy() string
func (*ResourceLabel) IntegrityVerified ¶
func (self *ResourceLabel) IntegrityVerified() bool
type ResourceRef ¶
func (*ResourceRef) Equals ¶
func (self *ResourceRef) Equals(ref *ResourceRef) bool
type SignPolicyEvalResult ¶
// SignPolicyEvalResult is the verdict of evaluating a request's signature
// against the signer policies.
//
// The zero value is a denial as long as callers gate on Allow: Allow and
// Checked are both false, so a result that was never filled in (or whose
// Error is set) admits nothing.
type SignPolicyEvalResult struct {
	// Signer describes the key/certificate behind the signature; SignerName is
	// its textual form and GetSignerName reads it.
	Signer     *SignerInfo `json:"signer"`
	SignerName string      `json:"signerName"`
	Checked    bool        `json:"checked"`
	Allow      bool        `json:"allow"`
	// MatchedPolicy presumably names the policy whose rule admitted the signer.
	MatchedPolicy string      `json:"matchedPolicy"`
	Error         *CheckError `json:"error"`
}
func (*SignPolicyEvalResult) GetSignerName ¶
func (self *SignPolicyEvalResult) GetSignerName() string
type SignatureAnnotation ¶
type SignerInfo ¶
// SignerInfo is the identity extracted from a signing key or certificate
// (NewSignerInfoFromCert / NewSignerInfoFromPKIXName) that signer policies
// are matched against.
//
// Country through CommonName mirror the pkix.Name attributes; pkix.Name holds
// most of them as []string, so how a multi-valued attribute is flattened to
// one string is decided by the constructors, not shown here. Email, Name,
// Comment and Uid have no pkix.Name counterpart and presumably come from a
// non-X.509 signer identity (an OpenPGP-style user ID, to be confirmed).
//
// NOTE(review): every field here is a plain string except SerialNumber, and a
// serial number is only unique within one issuer. A policy that admits a
// signer by email, common name or serial alone is identity-by-string; make
// sure the signature verification pins the issuing CA / key before the policy
// match is trusted.
type SignerInfo struct {
	Email   string
	Name    string
	Comment string
	Uid     string

	Country            string
	Organization       string
	OrganizationalUnit string
	Locality           string
	Province           string
	StreetAddress      string
	PostalCode         string
	CommonName         string
	SerialNumber       *big.Int
}
func NewSignerInfoFromCert ¶
func NewSignerInfoFromCert(cert *x509.Certificate) *SignerInfo
func NewSignerInfoFromPKIXName ¶
func NewSignerInfoFromPKIXName(dn pkix.Name) *SignerInfo
func (*SignerInfo) GetName ¶
func (self *SignerInfo) GetName() string