podwatcher

package

v0.0.0-...-cd07ea3 Latest Latest Go to latest Published: Apr 8, 2024 License: Apache-2.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/diranged/oz

Links

Open Source Insights

Documentation ¶

Overview ¶

Package podwatcher provides a Webhook handler for Pod Exec/Debug events for auditing purposes

Index ¶

func NewPodWatcherRegistration(mgr manager.Manager, path string)
func ObjectToJSON(obj any) string
type PodWatcher

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func NewPodWatcherRegistration ¶

func NewPodWatcherRegistration(
	mgr manager.Manager,
	path string,
)

NewPodWatcherRegistration creates a PodWatcher{} object and registers it at the supplied path.

func ObjectToJSON ¶

func ObjectToJSON(obj any) string

ObjectToJSON is a quick helper function for pretty-printing an entire K8S object in JSON form. Used in certain debug log statements primarily.

Types ¶

type PodWatcher ¶

type PodWatcher struct {
	Client client.Client
	// contains filtered or unexported fields
}

PodWatcher is a ValidatingWebhookEndpoint that receives calls from the Kubernetes API just before Pod's "exec" subresource is written into the cluster. The intention for this resource is to perform audit-logging type actions in the short term, and in the long term provide a more granular layer of security for Pod Exec access.

func (*PodWatcher) Handle ¶

func (w *PodWatcher) Handle(ctx context.Context, req admission.Request) admission.Response

Handle is responsible for monitoring events that take place on a Pod (Attach, Execs, etc) and ultimately making decisions about whether or not those events can take place. The Handle() function primarily fires off requests to more explicit handlers for different event types and then returns the result.

https://github.com/diranged/oz/issues/50 and https://github.com/diranged/oz/issues/51 will be handled through this endpoint in the future.

func (*PodWatcher) HandleAttach ¶

func (w *PodWatcher) HandleAttach(ctx context.Context, req admission.Request) admission.Response

HandleAttach is a placeholder for future logic that will validate whether or not a user has the appropriate permissions to attach to a new pod. Currently this function logs the event, and that is it.

func (*PodWatcher) HandleExec ¶

func (w *PodWatcher) HandleExec(ctx context.Context, req admission.Request) admission.Response

HandleExec monitors for CONNECT events on existing Pods and logs events about them.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL