pod

package
v0.6.0-alpha.1
Published: Oct 12, 2020 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func IsPodManagedByStarboardOperator

func IsPodManagedByStarboardOperator(pod *corev1.Pod) bool

IsPodManagedByStarboardOperator returns true if the specified Pod is managed by the Starboard Operator, false otherwise.

We define managed Pods as ones controlled by Jobs created by the Starboard Operator. They're labeled with `app.kubernetes.io/managed-by=starboard-operator`.

func SliceContainsString

func SliceContainsString(slice []string, value string) bool

SliceContainsString returns true if the specified slice of strings contains the given value, false otherwise.

Types

type PodController

type PodController struct {
	Config  etc.Operator
	Client  client.Client
	Store   reports.StoreInterface
	Scanner scanner.VulnerabilityScanner
	Scheme  *runtime.Scheme
}

func (*PodController) GetJobMetaFrom

func (r *PodController) GetJobMetaFrom(owner kube.Object, hash string, spec corev1.PodSpec) (scanner.JobMeta, error)

func (*PodController) IgnorePodInOperatorNamespace

func (r *PodController) IgnorePodInOperatorNamespace(installMode etc.InstallMode, pod types.NamespacedName) bool

IgnorePodInOperatorNamespace determines whether to reconcile the specified Pod based on the given InstallMode. Returns true if the Pod should be ignored, false otherwise.

In the SingleNamespace install mode we configure the Client cache to watch the operator namespace, in which the operator runs scan Jobs. However, we do not want to scan the workloads that might run in the operator namespace.

In the MultiNamespace install mode we configure the Client cache to watch the operator namespace, in which the operator runs scan Jobs. However, we do not want to scan the workloads that might run in the operator namespace unless the operator namespace is added to the list of target namespaces.

func (*PodController) Reconcile

func (r *PodController) Reconcile(req ctrl.Request) (ctrl.Result, error)

Reconcile resolves the actual state of the system against the desired state of the system. The desired state is that there is a vulnerability report associated with the controller managing the given Pod. Since the scanning is asynchronous, the desired state is also when there's a pending scan Job for the underlying workload.

As Kubernetes invokes the Reconcile() function multiple times throughout the lifecycle of a Pod, it is important that the implementation be idempotent to prevent the creation of duplicate scan Jobs or vulnerability reports.

The Reconcile function returns two objects, which indicate whether or not Kubernetes should requeue the request.
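The decision flow described for IgnorePodInOperatorNamespace and Reconcile, as an added sketch that is not Starboard's own code. The Pod and Operator types, the map-backed report and Job stores, the order of the checks and the returned strings are assumptions standing in for corev1.Pod, etc.InstallMode and reports.StoreInterface.

```go
package main

import "fmt"

type Pod struct { // stand-in (assumption) for corev1.Pod
	Namespace, Owner, Hash string
	Labels                 map[string]string
}

type Operator struct { // stand-in (assumption) for PodController's Config and Store
	Namespace, Mode string          // only SingleNamespace and MultiNamespace are modelled
	Targets         []string        // target namespaces (MultiNamespace)
	Reports, Jobs   map[string]bool // key -> report stored / scan Job pending
}

// ignoreInOperatorNamespace applies the two install-mode rules from the text.
func (o *Operator) ignoreInOperatorNamespace(p Pod) bool {
	if p.Namespace != o.Namespace {
		return false
	}
	for _, ns := range o.Targets {
		if o.Mode == "MultiNamespace" && ns == o.Namespace {
			return false // operator namespace is an explicit target
		}
	}
	return true
}

// Reconcile reports the action taken; repeating it never adds a second Job.
func (o *Operator) Reconcile(p Pod) string {
	key := fmt.Sprintf("%s/%s/%s", p.Namespace, p.Owner, p.Hash)
	switch {
	case o.ignoreInOperatorNamespace(p):
		return "ignored: operator namespace"
	case p.Labels["app.kubernetes.io/managed-by"] == "starboard-operator":
		return "ignored: scan Job pod"
	case o.Reports[key]:
		return "noop: report exists"
	case o.Jobs[key]:
		return "noop: scan pending"
	}
	o.Jobs[key] = true
	return "created scan Job"
}

func main() {
	op := &Operator{Namespace: "starboard-operator", Mode: "SingleNamespace", Jobs: map[string]bool{}}
	web := Pod{Namespace: "prod", Owner: "ReplicaSet/web", Hash: "abc123"} // constructed sample
	fmt.Println(op.Reconcile(web), "->", op.Reconcile(web))
}
```

Keying the stores on owner and pod-spec hash is what makes the second call a no-op; a changed pod spec produces a new hash and therefore a new scan.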

func (*PodController) SetupWithManager

func (r *PodController) SetupWithManager(mgr ctrl.Manager) error
