
Constants

This section is empty.

Variables

// ControllerStrings are strongly ordered to match the SupportedController enum:
// the index of each name equals the value of the corresponding iota constant
// (Unsupported = 0, Deployments = 1, ...), so both lists must be changed together
// when a controller type is added.
// NOTE(review): the last entry is "ReplicationController" while the matching enum
// constant is named ReplicationControllers; presumably this string is the
// serialized form used by String/MarshalJSON, so it is left as-is — confirm before
// renaming, since existing config files may depend on it.
var ControllerStrings = []string{
	"Unsupported",
	"Deployments",
	"StatefulSets",
	"DaemonSets",
	"Jobs",
	"CronJobs",
	"ReplicationController",
}

ControllerStrings are strongly ordered to match the SupportedController enum.

Functions

This section is empty.

Types

type Configuration

// Configuration contains all of the config for the validation checks.
type Configuration struct {
	DisplayName       string                `json:"displayName"`
	// Per-area check configuration; each sub-type holds the Severity for its checks.
	Resources         Resources             `json:"resources"`
	HealthChecks      HealthChecks          `json:"healthChecks"`
	Images            Images                `json:"images"`
	Networking        Networking            `json:"networking"`
	Security          Security              `json:"security"`
	// ControllersToScan lists the controller kinds to scan; consulted by
	// CheckIfKindIsConfiguredForValidation.
	// NOTE(review): the tag is snake_case ("controllers_to_scan") unlike the
	// camelCase tags on every other field; kept as-is for config-file compatibility.
	ControllersToScan []SupportedController `json:"controllers_to_scan"`
}

Configuration contains all of the config for the validation checks.

func Parse

func Parse(rawBytes []byte) (Configuration, error)

Parse parses config from a byte array.

func ParseFile

func ParseFile(path string) (Configuration, error)

ParseFile parses config from a file.

func (Configuration) CheckIfKindIsConfiguredForValidation

func (c Configuration) CheckIfKindIsConfiguredForValidation(kind string) bool

CheckIfKindIsConfiguredForValidation takes a kind (as a string) and reports whether Polaris is configured to scan this type of controller.

type ErrorWarningLists

// ErrorWarningLists provides lists of patterns to match or avoid in image tags,
// split by the severity a match should produce.
type ErrorWarningLists struct {
	// Error holds patterns whose match is reported at error severity.
	Error   []string `json:"error"`
	// Warning holds patterns whose match is reported at warning severity.
	Warning []string `json:"warning"`
}

ErrorWarningLists provides lists of patterns to match or avoid in image tags.

type HealthChecks

// HealthChecks contains config for readiness and liveness probes.
type HealthChecks struct {
	// ReadinessProbeMissing is the Severity applied when a readiness probe is absent.
	ReadinessProbeMissing Severity `json:"readinessProbeMissing"`
	// LivenessProbeMissing is the Severity applied when a liveness probe is absent.
	LivenessProbeMissing  Severity `json:"livenessProbeMissing"`
}

HealthChecks contains config for readiness and liveness probes.

type Images

// Images contains the config for images.
type Images struct {
	// TagNotSpecified is the Severity applied when an image has no tag.
	TagNotSpecified     Severity          `json:"tagNotSpecified"`
	// PullPolicyNotAlways is the Severity applied when the pull policy is not Always.
	PullPolicyNotAlways Severity          `json:"pullPolicyNotAlways"`
	// Whitelist and Blacklist hold image-tag patterns to match or avoid
	// (see ErrorWarningLists), each split into error and warning lists.
	Whitelist           ErrorWarningLists `json:"whitelist"`
	Blacklist           ErrorWarningLists `json:"blacklist"`
}

Images contains the config for images.

type Networking

// Networking contains the config for networking validations.
type Networking struct {
	// HostNetworkSet is the Severity applied when hostNetwork is set.
	HostNetworkSet Severity `json:"hostNetworkSet"`
	// HostPortSet is the Severity applied when a hostPort is set.
	HostPortSet    Severity `json:"hostPortSet"`
}

Networking contains the config for networking validations.

type ResourceRange

// ResourceRange can contain below and above conditions for validation.
// Both bounds are pointers; presumably a nil bound means that side of the range
// is not checked — confirm against the validation code.
type ResourceRange struct {
	Below *resource.Quantity `json:"below"`
	Above *resource.Quantity `json:"above"`
}

ResourceRange can contain below and above conditions for validation.

type ResourceRanges

// ResourceRanges contains config for requests or limits for a specific resource,
// with one ResourceRange per severity level.
type ResourceRanges struct {
	Warning ResourceRange `json:"warning"`
	Error   ResourceRange `json:"error"`
}

ResourceRanges contains config for requests or limits for a specific resource.

type Resources

// Resources contains config for resource requests and limits.
// Each *Missing field is the Severity applied when the request or limit is absent;
// each *Ranges field bounds the value when it is present (see ResourceRanges).
type Resources struct {
	CPURequestsMissing    Severity       `json:"cpuRequestsMissing"`
	CPURequestRanges      ResourceRanges `json:"cpuRequestRanges"`
	CPULimitsMissing      Severity       `json:"cpuLimitsMissing"`
	CPULimitRanges        ResourceRanges `json:"cpuLimitRanges"`
	MemoryRequestsMissing Severity       `json:"memoryRequestsMissing"`
	MemoryRequestRanges   ResourceRanges `json:"memoryRequestRanges"`
	MemoryLimitsMissing   Severity       `json:"memoryLimitsMissing"`
	MemoryLimitRanges     ResourceRanges `json:"memoryLimitRanges"`
}

Resources contains config for resource requests and limits.

type Security

// Security contains the config for security validations.
// Each Severity field configures the check named by the field.
type Security struct {
	HostIPCSet                 Severity             `json:"hostIPCSet"`
	HostPIDSet                 Severity             `json:"hostPIDSet"`
	RunAsRootAllowed           Severity             `json:"runAsRootAllowed"`
	// NOTE(review): this tag is "RunAsPrivileged" with an upper-case R, unlike the
	// camelCase tags on the other fields. Changing it would break existing config
	// files, so it is left as-is; a config that spells the key "runAsPrivileged"
	// would not set this field and the check would keep its zero-value Severity.
	RunAsPrivileged            Severity             `json:"RunAsPrivileged"`
	NotReadOnlyRootFileSystem  Severity             `json:"notReadOnlyRootFileSystem"`
	PrivilegeEscalationAllowed Severity             `json:"privilegeEscalationAllowed"`
	// Capabilities configures the Linux capability checks (see SecurityCapabilities).
	Capabilities               SecurityCapabilities `json:"capabilities"`
}

Security contains the config for security validations.

type SecurityCapabilities

// SecurityCapabilities contains the config for security capabilities validations,
// with one SecurityCapabilityLists per severity level.
type SecurityCapabilities struct {
	Error   SecurityCapabilityLists `json:"error"`
	Warning SecurityCapabilityLists `json:"warning"`
}

SecurityCapabilities contains the config for security capabilities validations.

type SecurityCapabilityLists

// SecurityCapabilityLists contains the config for security capability list
// validations. By name, each list triggers the check when any listed capability
// is added, is added beyond the list, or is not dropped, respectively — confirm
// the exact matching rules against the validation code.
type SecurityCapabilityLists struct {
	IfAnyAdded       []corev1.Capability `json:"ifAnyAdded"`
	IfAnyAddedBeyond []corev1.Capability `json:"ifAnyAddedBeyond"`
	IfAnyNotDropped  []corev1.Capability `json:"ifAnyNotDropped"`
}

SecurityCapabilityLists contains the config for security capability list validations.

type Severity

// Severity represents the severity of action to take (Ignore, Warning, Error).
// Its values are the lower-case strings defined in the Severity* constants.
type Severity string

Severity represents the severity of action to take (Ignore, Warning, Error).

// Severity values accepted in config files. IsActionable treats warning and
// error as actionable; ignore is not.
const (
	// SeverityIgnore ignores validation failures
	SeverityIgnore Severity = "ignore"

	// SeverityWarning warns on validation failures
	SeverityWarning Severity = "warning"

	// SeverityError errors on validation failures
	SeverityError Severity = "error"
)

func (*Severity) IsActionable

func (severity *Severity) IsActionable() bool

IsActionable returns true if the severity level is warning or error.

type SupportedController

// SupportedController is an enum of controller types that are supported for
// scanning pod specs. Its values index ControllerStrings.
type SupportedController int

SupportedController is an enum constant identifying a controller type that is supported for scanning pod specs.

// SupportedController values. The order must match ControllerStrings exactly,
// since the iota value of each constant is used as an index into that slice.
const (
	// Unsupported is the default enum for non-defined controller types
	Unsupported SupportedController = iota
	// Deployments are a supported controller for scanning pod specs
	Deployments
	// StatefulSets are a supported controller for scanning pod specs
	StatefulSets
	// DaemonSets are a supported controller for scanning pod specs
	DaemonSets
	// Jobs are a supported controller for scanning pod specs
	Jobs
	// CronJobs are a supported controller for scanning pod specs
	CronJobs
	// ReplicationControllers are supported controllers for scanning pod specs
	ReplicationControllers
)

func GetSupportedControllerFromString

func GetSupportedControllerFromString(str string) (SupportedController, error)

GetSupportedControllerFromString fuzzy-matches a string to a SupportedController enum value.

func (SupportedController) ListSupportedAPIVersions

func (s SupportedController) ListSupportedAPIVersions() []runtime.Object

ListSupportedAPIVersions returns all the apimachinery object types supported for this SupportedController.

func (SupportedController) MarshalJSON

func (s SupportedController) MarshalJSON() ([]byte, error)

MarshalJSON writes the enum as JSON data, or returns an error for an unsupported value.

func (SupportedController) String

func (s SupportedController) String() string

String returns the string name for a given SupportedController enum value.

func (*SupportedController) UnmarshalJSON

func (s *SupportedController) UnmarshalJSON(b []byte) error

UnmarshalJSON reads JSON data into the enum.
