k8s

package

v1.0.2 Latest Latest Go to latest Published: May 18, 2023 License: Apache-2.0 Imports: 31 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/accuknox/spire

Documentation ¶

Rendered for

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func BuiltIn ¶

func BuiltIn() catalog.BuiltIn

Types ¶

type ContainerHelper ¶

type ContainerHelper interface {
	Configure(config *HCLConfig, log hclog.Logger) error
	GetOSSelectors(ctx context.Context, log hclog.Logger, containerStatus *corev1.ContainerStatus) ([]string, error)
	GetPodUIDAndContainerID(pID int32, log hclog.Logger) (types.UID, string, error)
}

type ExperimentalK8SConfig ¶

type ExperimentalK8SConfig struct {
	// Sigstore contains sigstore specific configs.
	Sigstore *SigstoreHCLConfig `hcl:"sigstore,omitempty"`
}

type HCLConfig ¶

type HCLConfig struct {
	// KubeletReadOnlyPort defines the read only port for the kubelet
	// (typically 10255). This option is mutally exclusive with
	// KubeletSecurePort.
	KubeletReadOnlyPort int `hcl:"kubelet_read_only_port"`

	// KubeletSecurePort defines the secure port for the kubelet (typically
	// 10250). This option is mutually exclusive with KubeletReadOnlyPort.
	KubeletSecurePort int `hcl:"kubelet_secure_port"`

	// MaxPollAttempts is the maximum number of polling attempts for the
	// container hosting the workload process.
	MaxPollAttempts int `hcl:"max_poll_attempts"`

	// PollRetryInterval is the time in between polling attempts.
	PollRetryInterval string `hcl:"poll_retry_interval"`

	// KubeletCAPath is the path to the CA certificate for authenticating the
	// kubelet over the secure port. Required when using the secure port unless
	// SkipKubeletVerification is set. Defaults to the cluster trust bundle.
	KubeletCAPath string `hcl:"kubelet_ca_path"`

	// SkipKubeletVerification controls whether or not the plugin will
	// verify the certificate presented by the kubelet.
	SkipKubeletVerification bool `hcl:"skip_kubelet_verification"`

	// TokenPath is the path to the bearer token used to authenticate to the
	// secure port. Defaults to the default service account token path unless
	// PrivateKeyPath and CertificatePath are specified.
	TokenPath string `hcl:"token_path"`

	// CertificatePath is the path to a certificate key used for client
	// authentication with the kubelet. Must be used with PrivateKeyPath.
	CertificatePath string `hcl:"certificate_path"`

	// PrivateKeyPath is the path to a private key used for client
	// authentication with the kubelet. Must be used with CertificatePath.
	PrivateKeyPath string `hcl:"private_key_path"`

	// UseAnonymousAuthentication controls whether or not communication to the
	// kubelet over the secure port is unauthenticated. This option is mutually
	// exclusive with other authentication configuration fields TokenPath,
	// CertificatePath, and PrivateKeyPath.
	UseAnonymousAuthentication bool `hcl:"use_anonymous_authentication"`

	// NodeNameEnv is the environment variable used to determine the node name
	// for contacting the kubelet. It defaults to "MY_NODE_NAME". If the
	// environment variable is not set, and NodeName is not specified, the
	// plugin will default to localhost (which requires host networking).
	NodeNameEnv string `hcl:"node_name_env"`

	// NodeName is the node name used when contacting the kubelet. If set, it
	// takes precedence over NodeNameEnv.
	NodeName string `hcl:"node_name"`

	// ReloadInterval controls how often TLS and token configuration is loaded
	// from the disk.
	ReloadInterval string `hcl:"reload_interval"`

	// DisableContainerSelectors disables the gathering of selectors for the
	// specific container running the workload. This allows attestation to
	// succeed with just pod related selectors when the workload pod is known
	// but the container may not be in a ready state at the time of attestation
	// (e.g. when a postStart hook has yet to complete).
	DisableContainerSelectors bool `hcl:"disable_container_selectors"`

	// Experimental enables experimental features.
	Experimental *ExperimentalK8SConfig `hcl:"experimental,omitempty"`
}

HCLConfig holds the configuration parsed from HCL

type Plugin ¶

type Plugin struct {
	workloadattestorv1.UnsafeWorkloadAttestorServer
	configv1.UnsafeConfigServer
	// contains filtered or unexported fields
}

func New ¶

func New() *Plugin

func (*Plugin) Attest ¶

func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error)

func (*Plugin) Configure ¶

func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) (resp *configv1.ConfigureResponse, err error)

func (*Plugin) SetLogger ¶

func (p *Plugin) SetLogger(log hclog.Logger)

type SigstoreHCLConfig ¶

type SigstoreHCLConfig struct {
	// EnforceSCT is the parameter to be set as false in case of a private deployment not using the public CT
	EnforceSCT *bool `hcl:"enforce_sct, omitempty"`

	// RekorURL is the URL for the rekor server to use to verify signatures and public keys
	RekorURL *string `hcl:"rekor_url,omitempty"`

	// SkippedImages is a list of images that should skip sigstore verification
	SkippedImages []string `hcl:"skip_signature_verification_image_list"`

	// AllowedSubjects is a list of subjects that should be allowed after verification
	AllowedSubjects map[string][]string `hcl:"allowed_subjects_list"`
}

SigstoreHCLConfig holds the sigstore configuration parsed from HCL

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
sigstore

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL