azdsecinfo

Types

type AzdSecInfoProvider

// AzdSecInfoProvider is the default implementation of IAzdSecInfoProvider.
// Construct it with NewAzdSecInfoProvider; the constructor takes an
// instrumentation provider, an ARG data provider, a tag-to-digest resolver,
// a timeout configuration and an IAzdSecInfoProviderCacheClient, which are
// presumably kept in the unexported fields below (not shown in this rendering).
type AzdSecInfoProvider struct {
	// contains filtered or unexported fields
}

AzdSecInfoProvider is the default implementation of the IAzdSecInfoProvider interface.

func NewAzdSecInfoProvider

func NewAzdSecInfoProvider(instrumentationProvider instrumentation.IInstrumentationProvider,
	argDataProvider arg.IARGDataProvider,
	tag2digestResolver tag2digest.ITag2DigestResolver,
	GetContainersVulnerabilityScanInfoTimeoutDuration *utils.TimeoutConfiguration,
	cacheClient IAzdSecInfoProviderCacheClient) *AzdSecInfoProvider

NewAzdSecInfoProvider is the constructor of AzdSecInfoProvider.

func (*AzdSecInfoProvider) GetContainersVulnerabilityScanInfo

func (provider *AzdSecInfoProvider) GetContainersVulnerabilityScanInfo(workloadResource *admisionrequest.WorkloadResource) ([]*contracts.ContainerVulnerabilityScanInfo, error)

GetContainersVulnerabilityScanInfo receives an API resource's pod spec (containing its containers), the deployed resource's metadata and its kind. It returns the evaluated ContainerVulnerabilityScanInfo for the pod spec's container list (the pod spec may belong to the template of any resource that eventually creates pods). Function logic: 1. Validate the arguments. 2. Try to get ContainersVulnerabilityScanInfo from the cache. If that succeeds (the cache holds either valid results, or invalid results together with an error), return those results. 3. Otherwise fetch ContainersVulnerabilityScanInfo in a new goroutine. If it takes longer than the configured timeout, a response must still be returned to the API server: if this is the first or second timeout for this pod spec, return an unscanned result (so gatekeeper blocks the request); otherwise return an error and do not block the request. If no timeout occurred, save the results in the cache, reset the timeout status and return the results. For more information, see the README.

type AzdSecInfoProviderCacheClient

// AzdSecInfoProviderCacheClient is the cache client designated for
// AzdSecInfoProvider. Construct it with NewAzdSecInfoProviderCacheClient,
// which takes an instrumentation provider, the underlying cache.ICacheClient
// it wraps and an *AzdSecInfoProviderConfiguration (expiration times); these
// are presumably held in the unexported fields below (not shown here).
type AzdSecInfoProviderCacheClient struct {
	// contains filtered or unexported fields
}

AzdSecInfoProviderCacheClient is the cache client designated for AzdSecInfoProvider. It wraps an ICacheClient.

func NewAzdSecInfoProviderCacheClient

func NewAzdSecInfoProviderCacheClient(instrumentationProvider instrumentation.IInstrumentationProvider, cacheClient cache.ICacheClient, azdSecInfoProviderConfiguration *AzdSecInfoProviderConfiguration) *AzdSecInfoProviderCacheClient

NewAzdSecInfoProviderCacheClient is the constructor of AzdSecInfoProviderCacheClient.

func (*AzdSecInfoProviderCacheClient) GetContainerVulnerabilityScanInfofromCache

func (client *AzdSecInfoProviderCacheClient) GetContainerVulnerabilityScanInfofromCache(podSpecCacheKey string) ([]*contracts.ContainerVulnerabilityScanInfo, error, error)

GetContainerVulnerabilityScanInfofromCache tries to get ContainerVulnerabilityScanInfo from the cache. It reads the value from the cache and parses it into a containerVulnerabilityCacheResultsWrapper object. Returns: []*contracts.ContainerVulnerabilityScanInfo - the scan results if they were STORED in the cache by a previous scan, otherwise nil; error - the error if one was STORED in the cache by a previous scan, otherwise nil. If there is a problem with the cache itself, or the stored value is invalid, the last return value is a non-nil error.

func (*AzdSecInfoProviderCacheClient) GetPodSpecCacheKey

func (client *AzdSecInfoProviderCacheClient) GetPodSpecCacheKey(podSpec *admisionrequest.PodSpec) string

GetPodSpecCacheKey returns the cache key (without the prefix) of a given podSpec. The key is the string containerName:imageName for each container, with entries separated by commas. For example: 'myName1:alpine,myName2:nginx'.

func (*AzdSecInfoProviderCacheClient) GetTimeOutStatus

func (client *AzdSecInfoProviderCacheClient) GetTimeOutStatus(podSpecCacheKey string) (int, error)

GetTimeOutStatus gets the timeout status of the podSpec from the cache, i.e. how many times a timeout has occurred for this podSpec.

func (*AzdSecInfoProviderCacheClient) ResetTimeOutInCacheAfterGettingScanResults

func (client *AzdSecInfoProviderCacheClient) ResetTimeOutInCacheAfterGettingScanResults(podSpecCacheKey string) error

ResetTimeOutInCacheAfterGettingScanResults resets the timeout status in the cache after scan results were received. Once scan results have been received the timeout count is no longer relevant and must be reset. If no timeout occurred before, it does nothing.

func (*AzdSecInfoProviderCacheClient) SetContainerVulnerabilityScanInfoInCache

func (client *AzdSecInfoProviderCacheClient) SetContainerVulnerabilityScanInfoInCache(podSpecCacheKey string, containerVulnerabilityScanInfo []*contracts.ContainerVulnerabilityScanInfo, err error) error

SetContainerVulnerabilityScanInfoInCache stores ContainerVulnerabilityScanInfo in the cache. No error is reported back; it is only traced.

func (*AzdSecInfoProviderCacheClient) SetTimeOutStatusAfterEncounteredTimeout

func (client *AzdSecInfoProviderCacheClient) SetTimeOutStatusAfterEncounteredTimeout(podSpecCacheKey string, timeOutStatus int) error

SetTimeOutStatusAfterEncounteredTimeout updates the timeout status if it already exists in the cache, or sets the timeout status for the first time.

type AzdSecInfoProviderConfiguration

// AzdSecInfoProviderConfiguration is the configuration data for
// AzdSecInfoProvider; it is passed to NewAzdSecInfoProviderCacheClient and
// governs how long the two kinds of cache entries live.
//
// Note that the two fields use DIFFERENT units (minutes vs. seconds).
// The behaviour for a zero or negative value is not shown in this rendering
// (NOTE(review): confirm against the implementation / README).
type AzdSecInfoProviderConfiguration struct {
	// CacheExpirationTimeTimeout is the expiration time **IN MINUTES** of the
	// per-podSpec timeout status (the count of timeouts encountered so far).
	CacheExpirationTimeTimeout int
	// CacheExpirationContainerVulnerabilityScanInfo is the expiration time
	// **IN SECONDS** of a cached ContainerVulnerabilityScanInfo result. It bounds
	// how long a previously stored scan result (or stored error) is served
	// before the scan is re-run.
	CacheExpirationContainerVulnerabilityScanInfo int
}

AzdSecInfoProviderConfiguration is the configuration data for AzdSecInfoProvider.

type IAzdSecInfoProvider

// IAzdSecInfoProvider is the interface for providing Azure Defender security
// information about the containers of a workload resource.
type IAzdSecInfoProvider interface {
	// GetContainersVulnerabilityScanInfo receives a workload resource whose pod
	// template spec contains a container list, and returns the fetched
	// ContainerVulnerabilityScanInfo for each container.
	//
	// Per the default implementation's documentation, results may be served
	// from cache, and when the underlying scan times out the provider returns
	// an unscanned result for the first two timeouts of a pod spec (which the
	// caller is expected to block on) but an error afterwards (the request is
	// then not blocked). Callers enforcing policy should be aware of this
	// distinction between "unscanned result" and "error".
	GetContainersVulnerabilityScanInfo(workloadResource *admisionrequest.WorkloadResource) ([]*contracts.ContainerVulnerabilityScanInfo, error)
}

IAzdSecInfoProvider is the interface for providing Azure Defender security information.

type IAzdSecInfoProviderCacheClient

// IAzdSecInfoProviderCacheClient is the cache client interface designated for
// AzdSecInfoProvider. It caches two things per pod spec, both keyed by the
// value of GetPodSpecCacheKey: the scan results (or the error a previous scan
// produced) and a timeout counter.
type IAzdSecInfoProviderCacheClient interface {
	// GetContainerVulnerabilityScanInfofromCache tries to get ContainerVulnerabilityScanInfo from the cache.
	// It reads the value from the cache and parses it into a containerVulnerabilityCacheResultsWrapper object.
	//
	// The three return values are, in order: the scan results if a previous scan
	// STORED results (else nil); the error if a previous scan STORED an error
	// (else nil) - i.e. a cached negative outcome, not a failure of this call; and
	// a non-nil error only when the cache itself failed or the stored value is invalid.
	GetContainerVulnerabilityScanInfofromCache(podSpecCacheKey string) ([]*contracts.ContainerVulnerabilityScanInfo, error, error)

	// SetContainerVulnerabilityScanInfoInCache stores ContainerVulnerabilityScanInfo in the cache.
	// The err parameter is the outcome of the scan and is stored alongside the results, so
	// a later GetContainerVulnerabilityScanInfofromCache returns it as its second value.
	// No error is reported back; it is only traced.
	SetContainerVulnerabilityScanInfoInCache(podSpecCacheKey string, containerVulnerabilityScanInfo []*contracts.ContainerVulnerabilityScanInfo, err error) error

	// GetTimeOutStatus gets the timeout status of the podSpec from the cache - how many times a timeout has occurred for this podSpec.
	GetTimeOutStatus(podSpecCacheKey string) (int, error)

	// SetTimeOutStatusAfterEncounteredTimeout updates the timeout status if it already exists in the cache, or sets it for the first time.
	SetTimeOutStatusAfterEncounteredTimeout(podSpecCacheKey string, timeOutStatus int) error

	// ResetTimeOutInCacheAfterGettingScanResults resets the timeout status in the cache after scan results were received.
	// Once scan results have been received the timeout count is no longer relevant and must be reset.
	// If no timeout occurred before, it does nothing.
	ResetTimeOutInCacheAfterGettingScanResults(podSpecCacheKey string) error

	// GetPodSpecCacheKey returns the cache key (without the prefix) of a given podSpec:
	// comma-separated containerName:imageName pairs, e.g. 'myName1:alpine,myName2:nginx'.
	//
	// NOTE(review): the key is built from the image reference as written in the
	// pod spec; if that is a mutable tag rather than a digest, a re-tagged image
	// keeps hitting the cached result until the entry expires
	// (CacheExpirationContainerVulnerabilityScanInfo). Confirm whether the
	// tag-to-digest resolver is applied before or after this lookup.
	GetPodSpecCacheKey(podSpec *admisionrequest.PodSpec) string
}

IAzdSecInfoProviderCacheClient is the cache client interface designated for AzdSecInfoProvider.
