converter

package

v1.2.0 Latest Latest Go to latest Published: Nov 3, 2023 License: Apache-2.0 Imports: 19 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/DataDog/KubeHound

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
type GraphConverter
- func NewGraph(cfg *config.KubehoundConfig) *GraphConverter
type ObjectIDConverter
- func NewObjectID(cache cache.CacheReader) *ObjectIDConverter
- func (c *ObjectIDConverter) GraphID(ctx context.Context, storeID string) (int64, error)
type StoreConverter
- func NewStore(cfg *config.KubehoundConfig) *StoreConverter
- func NewStoreWithCache(cfg *config.KubehoundConfig, cache cache.CacheReader) *StoreConverter

Constants ¶

View Source

const (
	EmptyNamespace = ""
)

Variables ¶

View Source

var (
	ErrUnsupportedVolume     = errors.New("provided volume is not currently supported")
	ErrNoCacheInitialized    = errors.New("cache reader required for conversion")
	ErrDanglingRoleBinding   = errors.New("role binding found with no matching role")
	ErrProjectedDefaultToken = errors.New("projected volume grant no access (default serviceaccount)")
	ErrEndpointTarget        = errors.New("target reference for an endpoint could not be resolved")
	ErrRoleCacheMiss         = errors.New("missing role in cache")
	ErrRoleBindProperties    = errors.New("incorrect combination of (cluster) role and (cluster) role binding properties")
)

Functions ¶

This section is empty.

Types ¶

type GraphConverter ¶

type GraphConverter struct {
	// contains filtered or unexported fields
}

GraphConverter enables converting between an input store model to its equivalent graph model.

func NewGraph ¶

func NewGraph(cfg *config.KubehoundConfig) *GraphConverter

NewGraph returns a new graph converter instance.

func (*GraphConverter) Container ¶

func (c *GraphConverter) Container(input *store.Container, parent *store.Pod) (*graph.Container, error)

Container returns the graph representation of a container vertex from a store container model input.

func (*GraphConverter) Endpoint ¶

func (c *GraphConverter) Endpoint(input *store.Endpoint) (*graph.Endpoint, error)

Endpoint returns the graph representation of an endpoint vertex from a store endpoint model input.

func (*GraphConverter) Identity ¶

func (c *GraphConverter) Identity(input *store.Identity) (*graph.Identity, error)

Identity returns the graph representation of an identity vertex from a store identity model input.

func (*GraphConverter) Node ¶

func (c *GraphConverter) Node(input *store.Node) (*graph.Node, error)

Node returns the graph representation of a node vertex from a store node model input.

func (*GraphConverter) PermissionSet ¶

func (c *GraphConverter) PermissionSet(input *store.PermissionSet) (*graph.PermissionSet, error)

PermissionSet returns the graph representation of a role vertex from a store role model input.

func (*GraphConverter) Pod ¶

func (c *GraphConverter) Pod(input *store.Pod) (*graph.Pod, error)

Pod returns the graph representation of a pod vertex from a store pod model input.

func (*GraphConverter) Volume ¶

func (c *GraphConverter) Volume(input *store.Volume, parent *store.Pod) (*graph.Volume, error)

Volume returns the graph representation of a volume vertex from a store volume model input.

type ObjectIDConverter ¶

type ObjectIDConverter struct {
	// contains filtered or unexported fields
}

ObjectIDConverter enables converting between an store object ID and an existing graph vertex ID.

func NewObjectID ¶

func NewObjectID(cache cache.CacheReader) *ObjectIDConverter

NewObjectID creates a new ObjectIdConverter instance from the provided cache reader.

func (*ObjectIDConverter) GraphID ¶

func (c *ObjectIDConverter) GraphID(ctx context.Context, storeID string) (int64, error)

GraphID will return the graph vertex ID corresponding to the provided storer ID.

type StoreConverter ¶

type StoreConverter struct {
	// contains filtered or unexported fields
}

StoreConverter enables converting between an input K8s model to its equivalent store model.

func NewStore ¶

func NewStore(cfg *config.KubehoundConfig) *StoreConverter

NewStore returns a new store converter instance.

func NewStoreWithCache ¶

func NewStoreWithCache(cfg *config.KubehoundConfig, cache cache.CacheReader) *StoreConverter

NewStoreWithCache returns a new store converter instance with read access to the cache.

func (*StoreConverter) ClusterRole ¶

func (c *StoreConverter) ClusterRole(_ context.Context, input types.ClusterRoleType) (*store.Role, error)

ClusterRole returns the store representation of a K8s cluster role from an input K8s ClusterRole object.

func (*StoreConverter) ClusterRoleBinding ¶

func (c *StoreConverter) ClusterRoleBinding(ctx context.Context, input types.ClusterRoleBindingType) (*store.RoleBinding, error)

ClusterRoleBinding returns the store representation of a K8s cluster role binding from an input K8s ClusterRoleBinding object. NOTE: requires cache access (RoleKey).

func (*StoreConverter) Container ¶

func (c *StoreConverter) Container(_ context.Context, input types.ContainerType, parent *store.Pod) (*store.Container, error)

Container returns the store representation of a K8s container from an input K8s container object.

func (*StoreConverter) Endpoint ¶

func (c *StoreConverter) Endpoint(_ context.Context, addr discoveryv1.Endpoint,
	port discoveryv1.EndpointPort, parent types.EndpointType) (*store.Endpoint, error)

Endpoint returns the store representation of a K8s endpoint from an input Endpoint & EndpointPort objects (subfields of EndpointSlice). NOTE: store.Endpoint does not map directly to a K8s API object and instead derives from the elements of an EndpointSlice.

func (*StoreConverter) EndpointPrivate ¶

func (c *StoreConverter) EndpointPrivate(_ context.Context, port *corev1.ContainerPort,
	pod *store.Pod, container *store.Container) (*store.Endpoint, error)

EndpointPrivate returns the store representation of a K8s endpoint from an input port, container & pod. This variant handles the case when the provided container port does not match a known EndpointSlice. The generated endpoint will not be accessible from outside the cluster but can still provide value to an attacker with an presence inside the cluster.

func (*StoreConverter) Identity ¶

func (c *StoreConverter) Identity(_ context.Context, input *store.BindSubject, parent *store.RoleBinding) (*store.Identity, error)

Identity returns the store representation of a K8s identity role binding from an input store BindSubject (subfield of RoleBinding) object. NOTE: store.Identity does not map directly to a K8s API object and instead derives from the subject of a role binding.

func (*StoreConverter) Node ¶

func (c *StoreConverter) Node(ctx context.Context, input types.NodeType) (*store.Node, error)

Node returns the store representation of a K8s node from an input K8s node object.

func (*StoreConverter) PermissionSet ¶

func (c *StoreConverter) PermissionSet(ctx context.Context, roleBinding *store.RoleBinding) (*store.PermissionSet, error)

PermissionSet returns the store representation of a K8s role / rolebinding combination from input K8s objects. RBAC rules and limitation:

Roles and RoleBindings must exist in the same namespace.
RoleBindings can exist in separate namespaces to Service Accounts.
RoleBindings can link ClusterRoles, but they only grant access to the namespace of the RoleBinding.

func (*StoreConverter) PermissionSetCluster ¶

func (c *StoreConverter) PermissionSetCluster(ctx context.Context, clusterRoleBinding *store.RoleBinding) (*store.PermissionSet, error)

PermissionSet returns the store representation of a K8s role / rolebinding combination from input K8s objects. RBAC rules and limitation:

ClusterRoleBindings link accounts to ClusterRoles and grant access across all resources.
ClusterRoleBindings can not reference Roles.

func (*StoreConverter) Pod ¶

func (c *StoreConverter) Pod(ctx context.Context, input types.PodType) (*store.Pod, error)

Pod returns the store representation of a K8s pod from an input K8s pod object. NOTE: requires cache access (NodeKey).

func (*StoreConverter) Role ¶

func (c *StoreConverter) Role(_ context.Context, input types.RoleType) (*store.Role, error)

Role returns the store representation of a K8s role from an input K8s Role object.

func (*StoreConverter) RoleBinding ¶

func (c *StoreConverter) RoleBinding(ctx context.Context, input types.RoleBindingType) (*store.RoleBinding, error)

RoleBinding returns the store representation of a K8s role binding from an input K8s RoleBinding object. NOTE: requires cache access (RoleKey).

func (*StoreConverter) Volume ¶

func (c *StoreConverter) Volume(ctx context.Context, input types.VolumeMountType, pod *store.Pod,
	container *store.Container) (*store.Volume, error)

Volume returns the store representation of a K8s mounted volume from an input K8s volume object. NOTE: requires cache access (IdentityKey).

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL