Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ControllerStrings = []string{
"Unsupported",
"Deployments",
"StatefulSets",
"DaemonSets",
"Jobs",
"CronJobs",
"ReplicationController",
}
ControllerStrings are strongly ordered to match the SupportedController enum
Functions ¶
This section is empty.
Types ¶
type Configuration ¶
type Configuration struct {
	DisplayName       string                `json:"displayName"`
	Resources         Resources             `json:"resources"`
	HealthChecks      HealthChecks          `json:"healthChecks"`
	Images            Images                `json:"images"`
	Networking        Networking            `json:"networking"`
	Security          Security              `json:"security"`
	ControllersToScan []SupportedController `json:"controllers_to_scan"`
}
Configuration contains all of the config for the validation checks.
func Parse ¶
func Parse(rawBytes []byte) (Configuration, error)
Parse parses config from a byte array.
func ParseFile ¶
func ParseFile(path string) (Configuration, error)
ParseFile parses config from a file.
func (Configuration) CheckIfKindIsConfiguredForValidation ¶
func (c Configuration) CheckIfKindIsConfiguredForValidation(kind string) bool
CheckIfKindIsConfiguredForValidation takes a kind (as a string) and reports whether Polaris is configured to scan that type of controller.
type ErrorWarningLists ¶
ErrorWarningLists provides lists of patterns to match or avoid in image tags.
type HealthChecks ¶
type HealthChecks struct {
	ReadinessProbeMissing Severity `json:"readinessProbeMissing"`
	LivenessProbeMissing  Severity `json:"livenessProbeMissing"`
}
HealthChecks contains config for readiness and liveness probes.
type Images ¶
type Images struct {
	TagNotSpecified     Severity          `json:"tagNotSpecified"`
	PullPolicyNotAlways Severity          `json:"pullPolicyNotAlways"`
	Whitelist           ErrorWarningLists `json:"whitelist"`
	Blacklist           ErrorWarningLists `json:"blacklist"`
}
Images contains the config for images.
type Networking ¶
type Networking struct {
	HostNetworkSet Severity `json:"hostNetworkSet"`
	HostPortSet    Severity `json:"hostPortSet"`
}
Networking contains the config for networking validations.
type ResourceRange ¶
type ResourceRange struct {
	Below *resource.Quantity `json:"below"`
	Above *resource.Quantity `json:"above"`
}
ResourceRange can contain below and above conditions for validation.
type ResourceRanges ¶
type ResourceRanges struct {
	Warning ResourceRange `json:"warning"`
	Error   ResourceRange `json:"error"`
}
ResourceRanges contains config for requests or limits for a specific resource.
type Resources ¶
type Resources struct {
	CPURequestsMissing    Severity       `json:"cpuRequestsMissing"`
	CPURequestRanges      ResourceRanges `json:"cpuRequestRanges"`
	CPULimitsMissing      Severity       `json:"cpuLimitsMissing"`
	CPULimitRanges        ResourceRanges `json:"cpuLimitRanges"`
	MemoryRequestsMissing Severity       `json:"memoryRequestsMissing"`
	MemoryRequestRanges   ResourceRanges `json:"memoryRequestRanges"`
	MemoryLimitsMissing   Severity       `json:"memoryLimitsMissing"`
	MemoryLimitRanges     ResourceRanges `json:"memoryLimitRanges"`
}
Resources contains config for resource requests and limits.
type Security ¶
type Security struct {
	HostIPCSet                 Severity             `json:"hostIPCSet"`
	HostPIDSet                 Severity             `json:"hostPIDSet"`
	RunAsRootAllowed           Severity             `json:"runAsRootAllowed"`
	RunAsPrivileged            Severity             `json:"RunAsPrivileged"`
	NotReadOnlyRootFileSystem  Severity             `json:"notReadOnlyRootFileSystem"`
	PrivilegeEscalationAllowed Severity             `json:"privilegeEscalationAllowed"`
	Capabilities               SecurityCapabilities `json:"capabilities"`
}
Security contains the config for security validations.
type SecurityCapabilities ¶
type SecurityCapabilities struct {
	Error   SecurityCapabilityLists `json:"error"`
	Warning SecurityCapabilityLists `json:"warning"`
}
SecurityCapabilities contains the config for security capabilities validations.
type SecurityCapabilityLists ¶
type SecurityCapabilityLists struct {
	IfAnyAdded       []corev1.Capability `json:"ifAnyAdded"`
	IfAnyAddedBeyond []corev1.Capability `json:"ifAnyAddedBeyond"`
	IfAnyNotDropped  []corev1.Capability `json:"ifAnyNotDropped"`
}
SecurityCapabilityLists contains the config for security capability list validations.
type Severity ¶
type Severity string
Severity represents the severity of action to take (Ignore, Warning, Error).
func (*Severity) IsActionable ¶
IsActionable returns true if the severity level is warning or error.
type SupportedController ¶
type SupportedController int
SupportedController identifies a kind of controller whose pod specs Polaris can scan.
const (
	// Unsupported is the default enum for non-defined controller types
	Unsupported SupportedController = iota
	// Deployments are a supported controller for scanning pod specs
	Deployments
	// StatefulSets are a supported controller for scanning pod specs
	StatefulSets
	// DaemonSets are a supported controller for scanning pod specs
	DaemonSets
	// Jobs are a supported controller for scanning pod specs
	Jobs
	// CronJobs are a supported controller for scanning pod specs
	CronJobs
	// ReplicationControllers are supported controllers for scanning pod specs
	ReplicationControllers
)
func GetSupportedControllerFromString ¶
func GetSupportedControllerFromString(str string) (SupportedController, error)
GetSupportedControllerFromString fuzzy-matches a string against the SupportedController enum and returns an error when nothing matches.
func (SupportedController) ListSupportedAPIVersions ¶
func (s SupportedController) ListSupportedAPIVersions() []runtime.Object
ListSupportedAPIVersions returns the apimachinery object types (one per supported API version) for this SupportedController.
func (SupportedController) MarshalJSON ¶
func (s SupportedController) MarshalJSON() ([]byte, error)
MarshalJSON writes the enum into JSON as its string name, or returns an error for an unsupported value.
func (SupportedController) String ¶
func (s SupportedController) String() string
String returns the string name for a given SupportedController enum
func (*SupportedController) UnmarshalJSON ¶
func (s *SupportedController) UnmarshalJSON(b []byte) error
UnmarshalJSON reads a JSON string into the enum, returning an error when the string does not name a supported controller.
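The following stand-alone Go program is an added example, not the Polaris package's own code. It re-implements, from the descriptions on this page, the pieces that interact when a config is loaded: the SupportedController enum round-tripping through JSON via ControllerStrings (the Configuration, Parse and CheckIfKindIsConfiguredForValidation section, and the SupportedController section above), Severity.IsActionable, and a trimmed Configuration with only the Security block and ControllersToScan. The matching rule used for "fuzzy" (case-insensitive, singular or plural) and the JSON sample config are assumptions; the real package also reads YAML files and uses k8s.io/apimachinery types that this example omits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Severity mirrors the page's Severity type ("ignore", "warning" or "error").
type Severity string

// IsActionable returns true if the severity level is warning or error.
func (s *Severity) IsActionable() bool {
	return *s == "warning" || *s == "error"
}

// SupportedController mirrors the page's enum; the order must match ControllerStrings.
type SupportedController int

const (
	Unsupported SupportedController = iota
	Deployments
	StatefulSets
	DaemonSets
	Jobs
	CronJobs
	ReplicationControllers
)

// ControllerStrings is strongly ordered to match the SupportedController enum.
var ControllerStrings = []string{
	"Unsupported", "Deployments", "StatefulSets", "DaemonSets", "Jobs", "CronJobs", "ReplicationController",
}

// String returns the name for the enum value, falling back to "Unsupported" when out of range.
func (s SupportedController) String() string {
	if s <= Unsupported || int(s) >= len(ControllerStrings) {
		return ControllerStrings[Unsupported]
	}
	return ControllerStrings[s]
}

// GetSupportedControllerFromString fuzzy-matches: case-insensitive, with a trailing "s"
// ignored on both sides so "Deployment" and "deployments" both map to Deployments.
// (This matching rule is an assumption for the example.) "Unsupported" never matches.
func GetSupportedControllerFromString(str string) (SupportedController, error) {
	want := strings.TrimSuffix(strings.ToLower(strings.TrimSpace(str)), "s")
	for i := int(Unsupported) + 1; i < len(ControllerStrings); i++ {
		if strings.TrimSuffix(strings.ToLower(ControllerStrings[i]), "s") == want {
			return SupportedController(i), nil
		}
	}
	return Unsupported, fmt.Errorf("unsupported controller kind %q", str)
}

// MarshalJSON writes the enum as its name and errors on an unsupported value.
func (s SupportedController) MarshalJSON() ([]byte, error) {
	if s <= Unsupported || int(s) >= len(ControllerStrings) {
		return nil, fmt.Errorf("cannot marshal unsupported controller value %d", int(s))
	}
	return json.Marshal(s.String())
}

// UnmarshalJSON reads a JSON string into the enum; unknown names are an error rather
// than silently becoming Unsupported, so a misspelt kind in config fails loudly.
func (s *SupportedController) UnmarshalJSON(b []byte) error {
	var name string
	if err := json.Unmarshal(b, &name); err != nil {
		return err
	}
	v, err := GetSupportedControllerFromString(name)
	if err != nil {
		return err
	}
	*s = v
	return nil
}

// Security is the page's Security block, trimmed to the fields this example uses.
type Security struct {
	HostIPCSet       Severity `json:"hostIPCSet"`
	HostPIDSet       Severity `json:"hostPIDSet"`
	RunAsRootAllowed Severity `json:"runAsRootAllowed"`
	RunAsPrivileged  Severity `json:"RunAsPrivileged"`
}

// Configuration is the page's Configuration, trimmed to Security and ControllersToScan.
type Configuration struct {
	DisplayName       string                `json:"displayName"`
	Security          Security              `json:"security"`
	ControllersToScan []SupportedController `json:"controllers_to_scan"`
}

// Parse parses config from a byte array (JSON only in this example).
func Parse(rawBytes []byte) (Configuration, error) {
	var c Configuration
	err := json.Unmarshal(rawBytes, &c)
	return c, err
}

// CheckIfKindIsConfiguredForValidation reports whether the kind is in ControllersToScan.
func (c Configuration) CheckIfKindIsConfiguredForValidation(kind string) bool {
	want, err := GetSupportedControllerFromString(kind)
	if err != nil {
		return false
	}
	for _, ctl := range c.ControllersToScan {
		if ctl == want {
			return true
		}
	}
	return false
}

// sampleConfig is a constructed config: privileged containers are an error,
// host IPC is ignored, and only two controller kinds are scanned.
const sampleConfig = `{
  "displayName": "example",
  "security": {"hostIPCSet": "ignore", "hostPIDSet": "warning",
               "runAsRootAllowed": "warning", "RunAsPrivileged": "error"},
  "controllers_to_scan": ["deployments", "StatefulSet"]
}`

func main() {
	cfg, err := Parse([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	fmt.Println("scans Deployment:", cfg.CheckIfKindIsConfiguredForValidation("Deployment"))
	fmt.Println("scans CronJob:", cfg.CheckIfKindIsConfiguredForValidation("CronJob"))
	fmt.Println("privileged actionable:", cfg.Security.RunAsPrivileged.IsActionable())
	_, err = Parse([]byte(`{"controllers_to_scan": ["Pods"]}`))
	fmt.Println("bad kind rejected:", err != nil)
}
```

The point worth noticing is the failure mode: because UnmarshalJSON returns an error for an unknown name instead of mapping it to Unsupported, a typo such as "Pods" in controllers_to_scan fails at load time rather than quietly shrinking the set of scanned controllers.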