Overview ¶
Package configauditreport provides primitives for working with Kubernetes workload configuration checkers.
Index ¶
- func GetScanJobName(obj client.Object) string
- type Plugin
- type ReadWriter
- type Reader
- type ReportBuilder
- func (b *ReportBuilder) Controller(controller client.Object) *ReportBuilder
- func (b *ReportBuilder) Data(data v1alpha1.ConfigAuditReportData) *ReportBuilder
- func (b *ReportBuilder) GetClusterReport() (v1alpha1.ClusterConfigAuditReport, error)
- func (b *ReportBuilder) GetReport() (v1alpha1.ConfigAuditReport, error)
- func (b *ReportBuilder) PluginConfigHash(hash string) *ReportBuilder
- func (b *ReportBuilder) ResourceSpecHash(hash string) *ReportBuilder
- func (b *ReportBuilder) Write(ctx context.Context, writer Writer) error
- type ResourceController
- type ScanJobBuilder
- func (s *ScanJobBuilder) Get() (*batchv1.Job, []*corev1.Secret, error)
- func (s *ScanJobBuilder) WithAnnotations(annotations map[string]string) *ScanJobBuilder
- func (s *ScanJobBuilder) WithObject(object client.Object) *ScanJobBuilder
- func (s *ScanJobBuilder) WithPlugin(plugin Plugin) *ScanJobBuilder
- func (s *ScanJobBuilder) WithPluginContext(pluginContext starboard.PluginContext) *ScanJobBuilder
- func (s *ScanJobBuilder) WithPodTemplateLabels(podTemplateLabels labels.Set) *ScanJobBuilder
- func (s *ScanJobBuilder) WithTimeout(timeout time.Duration) *ScanJobBuilder
- func (s *ScanJobBuilder) WithTolerations(tolerations []corev1.Toleration) *ScanJobBuilder
- type Scanner
- type Writer
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetScanJobName ¶ added in v0.10.2
Types ¶
type Plugin ¶ added in v0.9.0
// Plugin defines the interface between Starboard and Kubernetes workload
// configuration checkers / linters / sanitizers. Every method receives a
// starboard.PluginContext; the plugin's own state is never passed explicitly.
type Plugin interface {
// Init is a callback to initialize this plugin, e.g. ensure the default
// configuration.
Init(ctx starboard.PluginContext) error
// GetScanJobSpec describes the pod that will be created by Starboard when
// it schedules a Kubernetes job to scan the specified workload client.Object.
// The plugin might return zero to many v1.Secret objects which will be
// created by Starboard and associated with the scan job.
// NOTE(review): because these Secrets are materialized in the cluster, a
// plugin should limit their contents to what the scan job actually needs.
GetScanJobSpec(ctx starboard.PluginContext, obj client.Object) (corev1.PodSpec, []*corev1.Secret, error)
// ParseConfigAuditReportData is a callback to parse and convert logs of
// the container in a pod controlled by the scan job to v1alpha1.ConfigAuditReportData.
// NOTE(review): whether the plugin or the caller is responsible for closing
// logsReader is not specified here — confirm with the caller before relying on either.
ParseConfigAuditReportData(ctx starboard.PluginContext, logsReader io.ReadCloser) (v1alpha1.ConfigAuditReportData, error)
// GetContainerName returns the name of the container in a pod created by a scan job
// to read logs from.
GetContainerName() string
// ConfigHash returns hash of the plugin's configuration settings. The computed hash
// is used to invalidate v1alpha1.ConfigAuditReport and v1alpha1.ClusterConfigAuditReport
// objects whenever configuration applicable to the specified resource kind changes.
// A stable hash for unchanged configuration is therefore required, or reports
// would be regenerated needlessly.
ConfigHash(ctx starboard.PluginContext, kind kube.Kind) (string, error)
// SupportedKinds returns kinds supported by this plugin.
SupportedKinds() []kube.Kind
// IsApplicable returns true if the given object can be scanned by this
// plugin, false otherwise.
// NOTE(review): the string result presumably carries a human-readable reason
// when the object is not applicable — confirm against implementations.
IsApplicable(ctx starboard.PluginContext, obj client.Object) (bool, string, error)
}
Plugin defines the interface between Starboard and Kubernetes workload configuration checkers / linters / sanitizers.
type ReadWriter ¶
func NewReadWriter ¶
func NewReadWriter(resolver *kube.ObjectResolver) ReadWriter
NewReadWriter constructs a new ReadWriter that uses the client package provided by the controller-runtime libraries to interact with the Kubernetes API server.
type Reader ¶
// Reader is the interface that wraps methods for finding
// v1alpha1.ConfigAuditReport and v1alpha1.ClusterConfigAuditReport objects.
// All three methods distinguish "not found" (nil report, nil error) from a
// lookup failure (non-nil error); callers must check both.
type Reader interface {
// FindReportByOwner returns a v1alpha1.ConfigAuditReport owned by the given
// kube.ObjectRef or nil if the report is not found.
FindReportByOwner(ctx context.Context, owner kube.ObjectRef) (*v1alpha1.ConfigAuditReport, error)
// FindReportByOwnerInHierarchy is similar to FindReportByOwner except that it tries to find
// a v1alpha1.ConfigAuditReport object owned by related Kubernetes objects.
// For example, if the given owner is a Deployment, but a report is owned by the
// active ReplicaSet (current revision) this method will return the report.
FindReportByOwnerInHierarchy(ctx context.Context, owner kube.ObjectRef) (*v1alpha1.ConfigAuditReport, error)
// FindClusterReportByOwner returns a v1alpha1.ClusterConfigAuditReport owned by the given
// kube.ObjectRef or nil if the report is not found.
FindClusterReportByOwner(ctx context.Context, owner kube.ObjectRef) (*v1alpha1.ClusterConfigAuditReport, error)
}
Reader is the interface that wraps methods for finding v1alpha1.ConfigAuditReport and v1alpha1.ClusterConfigAuditReport objects. TODO(danielpacak): Consider returning starboard.ResourceNotFound error instead of returning nil.
type ReportBuilder ¶ added in v0.10.2
// ReportBuilder assembles a v1alpha1.ConfigAuditReport or
// v1alpha1.ClusterConfigAuditReport from its chained setters (Controller,
// Data, PluginConfigHash, ResourceSpecHash); the result is obtained with
// GetReport or GetClusterReport, or persisted directly with Write.
// Construct it with NewReportBuilder; all fields are unexported.
type ReportBuilder struct {
// contains filtered or unexported fields
}
func NewReportBuilder ¶ added in v0.10.2
func NewReportBuilder(scheme *runtime.Scheme) *ReportBuilder
func (*ReportBuilder) Controller ¶ added in v0.10.2
func (b *ReportBuilder) Controller(controller client.Object) *ReportBuilder
func (*ReportBuilder) Data ¶ added in v0.10.2
func (b *ReportBuilder) Data(data v1alpha1.ConfigAuditReportData) *ReportBuilder
func (*ReportBuilder) GetClusterReport ¶ added in v0.12.0
func (b *ReportBuilder) GetClusterReport() (v1alpha1.ClusterConfigAuditReport, error)
func (*ReportBuilder) GetReport ¶ added in v0.12.0
func (b *ReportBuilder) GetReport() (v1alpha1.ConfigAuditReport, error)
func (*ReportBuilder) PluginConfigHash ¶ added in v0.10.2
func (b *ReportBuilder) PluginConfigHash(hash string) *ReportBuilder
func (*ReportBuilder) ResourceSpecHash ¶ added in v0.12.0
func (b *ReportBuilder) ResourceSpecHash(hash string) *ReportBuilder
type ResourceController ¶ added in v0.15.0
// ResourceController watches all Kubernetes kinds and generates
// v1alpha1.ConfigAuditReport instances based on OPA Rego policies.
// Every field is embedded, so the logger, config, Kubernetes client,
// object resolver, report ReadWriter and build info are all promoted
// onto the controller itself; it is registered via SetupWithManager.
type ResourceController struct {
logr.Logger
etc.Config
starboard.ConfigData
client.Client
kube.ObjectResolver
ReadWriter
starboard.BuildInfo
}
ResourceController watches all Kubernetes kinds and generates v1alpha1.ConfigAuditReport instances based on OPA Rego policies as fast as possible.
func (*ResourceController) SetupWithManager ¶ added in v0.15.0
func (r *ResourceController) SetupWithManager(mgr ctrl.Manager) error
type ScanJobBuilder ¶ added in v0.10.2
// ScanJobBuilder assembles the batchv1.Job (and any corev1.Secret objects
// the Plugin requests) used to scan a single client.Object. It is configured
// through the chained With* setters and materialized by Get.
// Construct it with NewScanJobBuilder; all fields are unexported.
type ScanJobBuilder struct {
// contains filtered or unexported fields
}
func NewScanJobBuilder ¶ added in v0.13.0
func NewScanJobBuilder() *ScanJobBuilder
func (*ScanJobBuilder) WithAnnotations ¶ added in v0.12.0
func (s *ScanJobBuilder) WithAnnotations(annotations map[string]string) *ScanJobBuilder
func (*ScanJobBuilder) WithObject ¶ added in v0.10.2
func (s *ScanJobBuilder) WithObject(object client.Object) *ScanJobBuilder
func (*ScanJobBuilder) WithPlugin ¶ added in v0.10.2
func (s *ScanJobBuilder) WithPlugin(plugin Plugin) *ScanJobBuilder
func (*ScanJobBuilder) WithPluginContext ¶ added in v0.10.2
func (s *ScanJobBuilder) WithPluginContext(pluginContext starboard.PluginContext) *ScanJobBuilder
func (*ScanJobBuilder) WithPodTemplateLabels ¶ added in v0.14.0
func (s *ScanJobBuilder) WithPodTemplateLabels(podTemplateLabels labels.Set) *ScanJobBuilder
func (*ScanJobBuilder) WithTimeout ¶ added in v0.10.2
func (s *ScanJobBuilder) WithTimeout(timeout time.Duration) *ScanJobBuilder
func (*ScanJobBuilder) WithTolerations ¶ added in v0.11.0
func (s *ScanJobBuilder) WithTolerations(tolerations []corev1.Toleration) *ScanJobBuilder
type Scanner ¶ added in v0.9.0
// Scanner drives configuration audits; its constructor is NewScanner and
// all of its fields are unexported.
type Scanner struct {
// contains filtered or unexported fields
}
func NewScanner ¶ added in v0.9.0
type Writer ¶
// Writer is the interface for saving v1alpha1.ClusterConfigAuditReport and
// v1alpha1.ConfigAuditReport instances. Both methods upsert: an existing
// report with the same identity is updated rather than duplicated.
type Writer interface {
// WriteReport creates or updates the given v1alpha1.ConfigAuditReport instance.
WriteReport(ctx context.Context, report v1alpha1.ConfigAuditReport) error
// WriteClusterReport creates or updates the given v1alpha1.ClusterConfigAuditReport instance.
WriteClusterReport(ctx context.Context, report v1alpha1.ClusterConfigAuditReport) error
}
Writer is the interface for saving v1alpha1.ClusterConfigAuditReport and v1alpha1.ConfigAuditReport instances.