Package configauditreport provides primitives for working with Kubernetes workload configuration checkers.



func GetScanJobName added in v0.10.2

func GetScanJobName(obj client.Object) string


type Plugin added in v0.9.0

type Plugin interface {

	// Init is a callback to initialize this plugin, e.g. ensure the default
	// configuration.
	Init(ctx starboard.PluginContext) error

	// GetScanJobSpec describes the pod that will be created by Starboard when
	// it schedules a Kubernetes job to scan the specified workload client.Object.
	// The plugin might return zero to many v1.Secret objects which will be
	// created by Starboard and associated with the scan job.
	GetScanJobSpec(ctx starboard.PluginContext, obj client.Object) (corev1.PodSpec, []*corev1.Secret, error)

	// ParseConfigAuditReportData is a callback to parse and convert logs of
	// the container in a pod controlled by the scan job to v1alpha1.ConfigAuditReportData.
	ParseConfigAuditReportData(ctx starboard.PluginContext, logsReader io.ReadCloser) (v1alpha1.ConfigAuditReportData, error)

	// GetContainerName returns the name of the container in a pod created by a scan job
	// to read logs from.
	GetContainerName() string

	// ConfigHash returns hash of the plugin's configuration settings. The computed hash
	// is used to invalidate v1alpha1.ConfigAuditReport and v1alpha1.ClusterConfigAuditReport
	// objects whenever configuration applicable to the specified resource kind changes.
	ConfigHash(ctx starboard.PluginContext, kind kube.Kind) (string, error)

	// SupportedKinds returns kinds supported by this plugin.
	SupportedKinds() []kube.Kind

	// IsApplicable returns true if the given object can be scanned by this
	// plugin, false otherwise.
	IsApplicable(ctx starboard.PluginContext, obj client.Object) (bool, string, error)

Plugin defines the interface between Starboard and Kubernetes workload configuration checkers / linters / sanitizers.

type ReadWriter

type ReadWriter interface {

func NewReadWriter

func NewReadWriter(client client.Client) ReadWriter

NewReadWriter constructs a new ReadWriter that uses the client package provided by the controller-runtime libraries to interact with the Kubernetes API server.

type Reader

type Reader interface {

	// FindReportByOwner returns a v1alpha1.ConfigAuditReport owned by the given
	// kube.Object or nil if the report is not found.
	FindReportByOwner(ctx context.Context, owner kube.Object) (*v1alpha1.ConfigAuditReport, error)

	// FindReportByOwnerInHierarchy is similar to FindReportByOwner except that it tries to look up
	// a v1alpha1.ConfigAuditReport object owned by related Kubernetes objects.
	// For example, if the given owner is a Deployment, but a report is owned by the
	// active ReplicaSet (current revision), this method will return that report.
	FindReportByOwnerInHierarchy(ctx context.Context, owner kube.Object) (*v1alpha1.ConfigAuditReport, error)

	// FindClusterReportByOwner returns a v1alpha1.ClusterConfigAuditReport owned by the given
	// kube.Object or nil if the report is not found.
	FindClusterReportByOwner(ctx context.Context, owner kube.Object) (*v1alpha1.ClusterConfigAuditReport, error)

Reader is the interface that wraps methods for finding v1alpha1.ConfigAuditReport and v1alpha1.ClusterConfigAuditReport objects. TODO(danielpacak): Consider returning starboard.ResourceNotFound error instead of returning nil.

type ReportBuilder added in v0.10.2

type ReportBuilder struct {
	// contains filtered or unexported fields

func NewReportBuilder added in v0.10.2

func NewReportBuilder(scheme *runtime.Scheme) *ReportBuilder

func (*ReportBuilder) Controller added in v0.10.2

func (b *ReportBuilder) Controller(controller client.Object) *ReportBuilder

func (*ReportBuilder) Data added in v0.10.2

func (*ReportBuilder) GetClusterReport added in v0.12.0

func (b *ReportBuilder) GetClusterReport() (v1alpha1.ClusterConfigAuditReport, error)

func (*ReportBuilder) GetReport added in v0.12.0

func (b *ReportBuilder) GetReport() (v1alpha1.ConfigAuditReport, error)

func (*ReportBuilder) PluginConfigHash added in v0.10.2

func (b *ReportBuilder) PluginConfigHash(hash string) *ReportBuilder

func (*ReportBuilder) ResourceSpecHash added in v0.12.0

func (b *ReportBuilder) ResourceSpecHash(hash string) *ReportBuilder

func (*ReportBuilder) Write added in v0.12.0

func (b *ReportBuilder) Write(ctx context.Context, writer Writer) error

type ScanJobBuilder added in v0.10.2

type ScanJobBuilder struct {
	// contains filtered or unexported fields

func NewScanJobBuilder added in v0.13.0

func NewScanJobBuilder() *ScanJobBuilder

func (*ScanJobBuilder) Get added in v0.10.2

func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error)

func (*ScanJobBuilder) WithAnnotations added in v0.12.0

func (s *ScanJobBuilder) WithAnnotations(annotations map[string]string) *ScanJobBuilder

func (*ScanJobBuilder) WithObject added in v0.10.2

func (s *ScanJobBuilder) WithObject(object client.Object) *ScanJobBuilder

func (*ScanJobBuilder) WithPlugin added in v0.10.2

func (s *ScanJobBuilder) WithPlugin(plugin Plugin) *ScanJobBuilder

func (*ScanJobBuilder) WithPluginContext added in v0.10.2

func (s *ScanJobBuilder) WithPluginContext(pluginContext starboard.PluginContext) *ScanJobBuilder

func (*ScanJobBuilder) WithTimeout added in v0.10.2

func (s *ScanJobBuilder) WithTimeout(timeout time.Duration) *ScanJobBuilder

func (*ScanJobBuilder) WithTolerations added in v0.11.0

func (s *ScanJobBuilder) WithTolerations(tolerations []corev1.Toleration) *ScanJobBuilder

type Scanner added in v0.9.0

type Scanner struct {
	// contains filtered or unexported fields

func NewScanner added in v0.9.0

func NewScanner(
	clientset kubernetes.Interface,
	client client.Client,
	plugin Plugin,
	pluginContext starboard.PluginContext,
	config starboard.ConfigData,
	opts kube.ScannerOpts,
) *Scanner

func (*Scanner) Scan added in v0.9.0

func (s *Scanner) Scan(ctx context.Context, partial kube.Object) (*ReportBuilder, error)

type Writer

type Writer interface {

	// WriteReport creates or updates the given v1alpha1.ConfigAuditReport instance.
	WriteReport(ctx context.Context, report v1alpha1.ConfigAuditReport) error

	// WriteClusterReport creates or updates the given v1alpha1.ClusterConfigAuditReport instance.
	WriteClusterReport(ctx context.Context, report v1alpha1.ClusterConfigAuditReport) error

Writer is the interface for saving v1alpha1.ClusterConfigAuditReport and v1alpha1.ConfigAuditReport instances.

