config

package
Published: Sep 20, 2022 License: Apache-2.0 Imports: 18 Imported by: 4

Constants

// LogLevelEnvKey is the name of the environment variable that, judging by its
// name, selects the log level. The code that reads it is not on this page;
// presumably the value is looked up in LogLevelMap — confirm in SetupLogger /
// LoadRequestHandlerConfig.
const LogLevelEnvKey = "ISHIELD_LOG_LEVEL"

Variables

// DefaultDryRunNS is the default dry-run namespace name. It is a mutable
// package-level var, so callers may override it; presumably it is the
// fallback for the dryRunNs parameter of NewManifestVerifyConfig — confirm.
var DefaultDryRunNS = "ishield-dryrun-ns"
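// DefaultRequestFilterProfile is the built-in RequestFilterProfile as YAML.
// Its three top-level keys match the json tags of RequestFilterProfile:
//   - skipObjects: objects the filter passes through untouched.
//   - ignoreFields: per-object field paths ("*" acts as a wildcard) that are
//     excluded when objects are compared.
//   - skipUsers: object/user bindings (ObjectUserBinding); a request from a
//     listed user on a matching object is skipped.
//
// Every entry in skipUsers is an exemption from the filter, so additions widen
// what bypasses it and deserve review; note the wildcard user "system:node:*"
// on Pods in openshift-marketplace. The loading code is not on this page, so
// when this default is applied (presumably when no profile is configured) is
// not visible here — confirm in LoadRequestHandlerConfig.
//
// Fix: the openshift-service-ca binding for service-serving-cert-signer-sa is
// now its own "- objects:" entry. Previously the "- objects:" line was missing,
// which made that namespace/kind map a stray item inside the preceding entry's
// users list and produced a duplicate "users" key in the same mapping, so the
// document was invalid YAML for the target types.
// kube-system:job-controller is listed twice; harmless, left as is.
var DefaultRequestFilterProfile = []byte(`
skipObjects:
- kind: ConfigMap
  name: kube-root-ca.crt
- kind: ConfigMap
  name: openshift-service-ca.crt
ignoreFields:
- fields:
  - spec.host
  objects:
  - kind: Route
- fields:
  - metadata.namespace
  objects:
  - kind: ClusterServiceVersion
- fields:
  - metadata.labels.app.kubernetes.io/instance
  - metadata.managedFields.*
  - metadata.resourceVersion
  - metadata.selfLink
  - metadata.annotations.control-plane.alpha.kubernetes.io/leader
  - metadata.annotations.kubectl.kubernetes.io/last-applied-configuration
  - metadata.finalizers*
  - metadata.annotations.namespace
  - metadata.annotations.deprecated.daemonset.template.generation
  - metadata.creationTimestamp
  - metadata.uid
  - metadata.generation
  - status
  - metadata.annotations.deployment.kubernetes.io/revision
  - metadata.annotations.cosign.sigstore.dev/imageRef
  - metadata.annotations.cosign.sigstore.dev/bundle
  - metadata.annotations.cosign.sigstore.dev/message
  - metadata.annotations.cosign.sigstore.dev/certificate
  - metadata.annotations.cosign.sigstore.dev/signature
  objects:
  - name: '*'
- fields:
  - secrets.*.name
  - imagePullSecrets.*.name
  objects:
  - kind: ServiceAccount
- fields:
  - spec.ports.*.nodePort
  - spec.clusterIP
  - spec.clusterIPs.0
  objects:
  - kind: Service
- fields:
  - metadata.labels.olm.api.*
  - metadata.labels.operators.coreos.com/*
  - metadata.annotations.*
  - spec.install.spec.deployments.*.spec.template.spec.containers.*.resources.limits.cpu
  - spec.cleanup.enabled
  objects:
  - kind: ClusterServiceVersion
skipUsers:
- users: 
  - system:admin
  - system:apiserver
  - system:kube-scheduler
  - system:kube-controller-manager
  - system:serviceaccount:kube-system:generic-garbage-collector
  - system:serviceaccount:kube-system:attachdetach-controller
  - system:serviceaccount:kube-system:certificate-controller
  - system:serviceaccount:kube-system:clusterrole-aggregation-controller
  - system:serviceaccount:kube-system:cronjob-controller
  - system:serviceaccount:kube-system:disruption-controller
  - system:serviceaccount:kube-system:endpoint-controller
  - system:serviceaccount:kube-system:horizontal-pod-autoscaler
  - system:serviceaccount:kube-system:ibm-file-plugin
  - system:serviceaccount:kube-system:ibm-keepalived-watcher
  - system:serviceaccount:kube-system:ibmcloud-block-storage-plugin
  - system:serviceaccount:kube-system:job-controller
  - system:serviceaccount:kube-system:namespace-controller
  - system:serviceaccount:kube-system:node-controller
  - system:serviceaccount:kube-system:job-controller
  - system:serviceaccount:kube-system:pod-garbage-collector
  - system:serviceaccount:kube-system:pv-protection-controller
  - system:serviceaccount:kube-system:pvc-protection-controller
  - system:serviceaccount:kube-system:replication-controller
  - system:serviceaccount:kube-system:resourcequota-controller
  - system:serviceaccount:kube-system:service-account-controller
  - system:serviceaccount:kube-system:statefulset-controller
- objects: 
  - kind: ControllerRevision
  - kind: Pod
  users: 
  - system:serviceaccount:kube-system:daemon-set-controller
- objects: 
  - kind: Pod
  - kind: PersistentVolumeClaim
  users: 
  - system:serviceaccount:kube-system:persistent-volume-binder
- objects: 
  - kind: ReplicaSet
  users: 
  - system:serviceaccount:kube-system:deployment-controller
- objects: 
  - kind: Pod
  users:  
  - system:serviceaccount:kube-system:replicaset-controller
- objects: 
  - kind: PersistentVolumeClaim
  users: 
  - system:serviceaccount:kube-system:statefulset-controller
- objects: 
  - kind: ServiceAccount
  users: 
  - system:kube-controller-manager
- objects: 
  - kind: EndpointSlice
  users: 
  - system:serviceaccount:kube-system:endpointslice-controller
- objects: 
  - kind: Secret
  users: 
  - system:kube-controller-manager
- users: 
  - system:serviceaccount:openshift-marketplace:marketplace-operator
  - system:serviceaccount:openshift-monitoring:cluster-monitoring-operator
  - system:serviceaccount:openshift-network-operator:default
  - system:serviceaccount:openshift-monitoring:prometheus-operator
  - system:serviceaccount:openshift-cloud-credential-operator:default
  - system:serviceaccount:openshift-machine-config-operator:default
  - system:serviceaccount:openshift-infra:namespace-security-allocation-controller
  - system:serviceaccount:openshift-cluster-version:default
  - system:serviceaccount:openshift-authentication-operator:authentication-operator
  - system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
  - system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
  - system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
  - system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
  - system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
  - system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
  - system:serviceaccount:openshift-sdn:sdn-controller
  - system:serviceaccount:openshift-machine-api:cluster-autoscaler-operator
  - system:serviceaccount:openshift-machine-api:machine-api-operator
  - system:serviceaccount:openshift-machine-config-operator:machine-config-controller
  - system:serviceaccount:openshift-machine-api:machine-api-controllers
  - system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-controller-operator
  - system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
  - system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
  - system:serviceaccount:openshift-etcd-operator:etcd-operator
  - system:serviceaccount:openshift-service-ca:service-ca
  - system:serviceaccount:openshift-config-operator:openshift-config-operator
  - system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
  - system:serviceaccount:openshift-cluster-node-tuning-operator:cluster-node-tuning-operator
- objects:
  - namespace: openshift-service-ca, openshift-network-operator
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-ca:configmap-cabundle-injector-sa
- objects: 
  - namespace: openshift-service-ca-operator
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-ca-operator:service-ca-operator
- objects: 
  - namespace: openshift-service-catalog-controller-manager-operator
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-catalog-controller-manager-operator:openshift-service-catalog-controller-manager-operator
- objects: 
  - namespace: openshift-console-operator, openshift-console
  users: 
  - system:serviceaccount:openshift-console-operator:console-operator
- objects: 
  - namespace: openshift-service-ca
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-ca:apiservice-cabundle-injector-sa
- objects: 
  - namespace: openshift-service-ca
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-ca:service-serving-cert-signer-sa
- objects: 
  - namespace: openshift-service-catalog-apiserver-operator
    kind: ConfigMap
  users: 
  - system:serviceaccount:openshift-service-catalog-apiserver-operator:openshift-service-catalog-apiserver-operator
- objects: 
  - namespace: openshift-operator-lifecycle-manager
  users: 
  - system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
- objects: 
  - namespace: openshift-cluster-node-tuning-operator
    kind: ConfigMap,DaemonSet
  users: 
  - system:serviceaccount:openshift-cluster-node-tuning-operator:cluster-node-tuning-operator
- objects: 
  - namespace: openshift
    kind: Secret
  users: 
  - system:serviceaccount:openshift-cluster-samples-operator:cluster-samples-operator
- objects: 
  - namespace: openshift-ingress
    kind: Deployment
  users: 
  - system:serviceaccount:openshift-ingress-operator:ingress-operator
- objects: 
  - kind: ServiceAccount, Secret
  users: 
  - system:serviceaccount:openshift-infra:serviceaccount-pull-secrets-controller
- objects: 
  - namespace: openshift-marketplace
    kind: Pod
  users: 
  - system:node:*
- objects: 
  - kind: ServiceAccount, InstallPlan, OperatorGroup, Role, RoleBinding, Deployment
  users: 
  - system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
- objects: 
  - kind: InstallPlan, Role, RoleBinding, Deployment
  users: 
  - system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
`)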
// LogLevelMap maps the lowercase level names accepted in configuration
// ("panic" … "trace") to the logging library's log.Level values. Being a
// package-level map it is mutable; lookups of unknown names yield the zero
// log.Level, so callers should use the two-value form `lvl, ok := LogLevelMap[s]`.
var LogLevelMap = map[string]log.Level{
	"panic": log.PanicLevel,
	"fatal": log.FatalLevel,
	"error": log.ErrorLevel,
	"warn":  log.WarnLevel,
	"info":  log.InfoLevel,
	"debug": log.DebugLevel,
	"trace": log.TraceLevel,
}

Functions

func SetupLogger

func SetupLogger(config LogConfig)

func ValidateManifestVerifyRule

func ValidateManifestVerifyRule(p *ManifestVerifyRule) error

ValidateManifestVerifyRule validates the given ManifestVerifyRule.

Types

type Action

// Action selects what the handler does with a verification result; the
// package describes it as the "enforce/inform mode".
type Action struct {
	// Mode is the enforce/inform mode. The accepted string values are not
	// visible on this page — confirm against the code that reads it.
	Mode string `json:"mode,omitempty"`
	// AdmissionOnly: meaning not visible here; presumably limits the action
	// to admission time — confirm.
	AdmissionOnly bool `json:"admissionOnly,omitempty"`
}

Action selects the enforce/inform mode.

type DecisionReporter

// DecisionReporter emits decision log records (see SendLog). Instances are
// created with InitDecisionReporter from a DecisionReporterConfig; its fields
// are unexported and not shown on this page.
type DecisionReporter struct {
	// contains filtered or unexported fields
}

func InitDecisionReporter

func InitDecisionReporter(config DecisionReporterConfig) *DecisionReporter

func (*DecisionReporter) SendLog

func (cxLogger *DecisionReporter) SendLog(logRecord map[string]interface{})

type DecisionReporterConfig

// DecisionReporterConfig configures the DecisionReporter (see InitDecisionReporter).
type DecisionReporterConfig struct {
	// Enabled turns the reporter on.
	Enabled bool `json:"enabled,omitempty"`
	// LimitSize is a size limit; the unit (bytes, records) is not visible here — confirm.
	LimitSize int64 `json:"limitSize,omitempty"`
	// File has no json tag, so encoding/json matches it by field name
	// ("File", case-insensitively) rather than a custom key. Presumably the
	// output path; treat it as an operator-controlled path, not user input.
	File string
}

type ImageProfile

// ImageProfile describes which image references are subject to verification
// and with which keys. Enabled reports whether any condition is set and
// MatchWith tests an image ref against Match/Exclude.
type ImageProfile struct {
	// KeyConfigs are the verification keys used for matching images.
	KeyConfigs []KeyConfig `json:"keyConfigs,omitempty"`
	// Match lists image refs the profile applies to.
	Match ImageRefList `json:"match,omitempty"`
	// Exclude lists image refs excluded from the profile.
	Exclude ImageRefList `json:"exclude,omitempty"`
}

func (ImageProfile) Enabled

func (p ImageProfile) Enabled() bool

Enabled returns true if any profile condition is defined.

func (ImageProfile) MatchWith

func (p ImageProfile) MatchWith(imageRef string) bool

MatchWith reports whether this profile matches the specified image ref.

type ImageRef

// ImageRef is an image reference pattern; Match tests a concrete image ref
// against it (the matching rules are not visible on this page).
type ImageRef string

func (ImageRef) Match

func (r ImageRef) Match(imageRef string) bool

type ImageRefList

// ImageRefList is a list of ImageRef patterns with a list-level Match.
type ImageRefList []ImageRef

func (ImageRefList) Match

func (l ImageRefList) Match(imageRef string) bool

type Key

// Key is an inline PEM-encoded public key (see KeyConfig.Key).
type Key struct {
	// Name identifies the key.
	Name string `json:"name,omitempty"`
	// PEM is the PEM-encoded public key; note the JSON key is "PEM", uppercase.
	PEM string `json:"PEM,omitempty"`
}

type KeyConfig

// KeyConfig names one verification public key, given either inline (Key) or
// as a Kubernetes Secret (Secret). The ConvertTo* and LoadKeySecret methods
// turn it into a form the verifier can consume.
type KeyConfig struct {
	Key    Key       `json:"key,omitempty"`       // PEM encoded public key
	Secret KeySecret `json:"keySecret,omitempty"` // public key as a Kubernetes Secret
}

func (KeyConfig) ConvertToCosignKeyRef

func (k KeyConfig) ConvertToCosignKeyRef() string

func (KeyConfig) ConvertToLocalFilePath

func (k KeyConfig) ConvertToLocalFilePath(dir string) (string, error)

func (KeyConfig) LoadKeySecret

func (k KeyConfig) LoadKeySecret() (string, error)

type KeySecret

// KeySecret locates a Kubernetes Secret holding a verification public key.
type KeySecret struct {
	// Name of the Secret.
	Name string `json:"name,omitempty"`
	// Namespace of the Secret.
	Namespace string `json:"namespace,omitempty"`
	Mount bool `json:"mount,omitempty"` // if true, save secret data as a file.
}

type LogConfig

// LogConfig is the logging configuration consumed by SetupLogger.
type LogConfig struct {
	// Level is the level name; presumably resolved through LogLevelMap — confirm.
	Level string `json:"level,omitempty"`
	// ManifestSigstoreLogLevel is a separate level for the manifest/sigstore library.
	ManifestSigstoreLogLevel string `json:"manifestSigstoreLogLevel,omitempty"`
	// Format selects the log output format; accepted values not visible here.
	Format string `json:"format,omitempty"`
}

type ManifestVerifyConfig

// ManifestVerifyConfig carries the settings for manifest verification;
// NewManifestVerifyConfig builds one.
type ManifestVerifyConfig struct {
	// RequestFilterProfile is the filter applied before verification; nil means none set here.
	RequestFilterProfile *RequestFilterProfile `json:"requestFilterProfile,omitempty"`
	// DryRunNamespcae is the dry-run namespace. The misspelling is part of the
	// exported API and of the JSON key "dryRunNamespcae", so it is kept for compatibility.
	DryRunNamespcae string `json:"dryRunNamespcae,omitempty"`
}

func NewManifestVerifyConfig

func NewManifestVerifyConfig(dryRunNs string) *ManifestVerifyConfig

type ManifestVerifyRule

// ManifestVerifyRule is one verification rule: where the signature lives,
// which keys verify it, which objects and users are in scope, and the
// underlying k8smanifest verify options. ValidateManifestVerifyRule checks it.
type ManifestVerifyRule struct {
	// SignatureRef says where the signature (and provenance) is found.
	SignatureRef SignatureRef `json:"signatureRef,omitempty"`
	// KeyConfigs are the keys accepted for verification.
	KeyConfigs []KeyConfig `json:"keyConfigs,omitempty"`
	// InScopeObjects selects the objects this rule applies to; note the JSON key is "objectSelector".
	InScopeObjects k8smanifest.ObjectReferenceList `json:"objectSelector,omitempty"`
	// SkipUsers are object/user bindings exempted from this rule.
	SkipUsers ObjectUserBindingList `json:"skipUsers,omitempty"`
	// InScopeUsers are object/user bindings this rule applies to.
	InScopeUsers ObjectUserBindingList `json:"inScopeUsers,omitempty"`
	// Embedded with an empty tag name, so encoding/json keeps its fields
	// promoted (flattened) rather than nested under a key.
	k8smanifest.VerifyResourceOption `json:""`
}

func (*ManifestVerifyRule) DeepCopyInto

func (p *ManifestVerifyRule) DeepCopyInto(p2 *ManifestVerifyRule)

type ObjectUserBinding

// ObjectUserBinding pairs a set of objects with a set of usernames; Match
// tests an object and username against it.
type ObjectUserBinding struct {
	// Objects are the object references the binding covers.
	Objects k8smanifest.ObjectReferenceList `json:"objects,omitempty"`
	// Users are usernames; the default profile uses "*" in entries such as
	// "system:node:*", so wildcards appear to be supported — confirm in Match.
	Users []string `json:"users,omitempty"`
}

func (ObjectUserBinding) Match

func (u ObjectUserBinding) Match(obj unstructured.Unstructured, username string) bool

type ObjectUserBindingList

// ObjectUserBindingList is a list of ObjectUserBinding with a list-level Match.
type ObjectUserBindingList []ObjectUserBinding

func (ObjectUserBindingList) Match

type ParameterObject

// ParameterObject is the parameter carried in a constraint: a
// ManifestVerifyRule plus image profile, action, and provenance settings.
type ParameterObject struct {
	// ConstraintName has no omitempty, so it is always serialized.
	ConstraintName string `json:"constraintName"`
	// Embedded with an empty tag name, so its fields are promoted into this object.
	ManifestVerifyRule `json:""`
	// ImageProfile selects images subject to verification.
	ImageProfile ImageProfile `json:"imageProfile,omitempty"`
	// Action overrides the default action when non-nil.
	Action *Action `json:"action,omitempty"`
	// GetProvenance requests provenance retrieval.
	GetProvenance bool `json:"getProvenance,omitempty"`
}

ParameterObject is the parameter carried in a constraint.

func (*ParameterObject) DeepCopyInto

func (p *ParameterObject) DeepCopyInto(p2 *ParameterObject)

type RequestFilterProfile

// RequestFilterProfile describes requests and fields the handler filters out
// before verification. DefaultRequestFilterProfile is the built-in YAML form.
// Each entry here is an exemption, so widening it weakens what gets verified.
type RequestFilterProfile struct {
	// SkipObjects are objects passed through untouched.
	SkipObjects k8smanifest.ObjectReferenceList `json:"skipObjects,omitempty"`
	// SkipUsers are object/user bindings whose requests are skipped.
	SkipUsers ObjectUserBindingList `json:"skipUsers,omitempty"`
	// IgnoreFields are per-object field paths excluded from comparison.
	IgnoreFields k8smanifest.ObjectFieldBindingList `json:"ignoreFields,omitempty"`
}

type RequestHandlerConfig

// RequestHandlerConfig is the top-level handler configuration; see
// LoadRequestHandlerConfig for how it is loaded (not shown on this page).
type RequestHandlerConfig struct {
	// KeyPathList             []string               `json:"keyPathList,omitempty"`
	// RequestFilterProfile is the request filter; nil presumably falls back to
	// DefaultRequestFilterProfile — confirm in LoadRequestHandlerConfig.
	RequestFilterProfile *RequestFilterProfile `json:"requestFilterProfile,omitempty"`
	// Log configures logging (SetupLogger).
	Log LogConfig `json:"log,omitempty"`
	// DecisionReporterConfig configures decision logging.
	DecisionReporterConfig DecisionReporterConfig `json:"decisionReporterConfig,omitempty"`
	// SideEffectConfig controls side effects such as deny events; JSON key is "sideEffect".
	SideEffectConfig SideEffectConfig `json:"sideEffect,omitempty"`
	// DefaultConstraintAction applies when a constraint sets no Action.
	DefaultConstraintAction Action `json:"defaultConstraintAction,omitempty"`
	// Options has no json tag (matched by field name); its meaning is not visible here.
	Options []string
}

func LoadRequestHandlerConfig

func LoadRequestHandlerConfig() (*RequestHandlerConfig, error)

type ResourceRef

// ResourceRef names a namespaced Kubernetes resource by name and namespace.
type ResourceRef struct {
	Name      string `json:"name,omitempty"`
	Namespace string `json:"namespace,omitempty"`
}

type SideEffectConfig

// SideEffectConfig enables side effects performed alongside a decision.
type SideEffectConfig struct {
	// Event
	// CreateDenyEvent, when true, records a Kubernetes Event on deny; no
	// omitempty, so it is always serialized.
	CreateDenyEvent bool `json:"createDenyEvent"`
}

type SignatureRef

// SignatureRef says where a manifest's signature and provenance are stored:
// either in an image (ImageRef) or in in-cluster resources.
type SignatureRef struct {
	// ImageRef is the image holding the signature.
	ImageRef string `json:"imageRef,omitempty"`
	// SignatureResourceRef points at the resource holding the signature.
	SignatureResourceRef ResourceRef `json:"signatureResourceRef,omitempty"`
	// ProvenanceResourceRef points at the resource holding the provenance.
	ProvenanceResourceRef ResourceRef `json:"provenanceResourceRef,omitempty"`
}
