kubebench

package

v0.0.0-...-7c36f52 Latest Latest Go to latest Published: Sep 13, 2023 License: Apache-2.0 Imports: 26 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kube-security-manager/kube-security-manager

Links

Open Source Insights

Documentation ¶

Overview ¶

Package kubebench provides primitives for working with CIS Kubernetes benchmarks.

Index ¶

type Builder
- func NewBuilder(scheme *runtime.Scheme) *Builder
type Config
type NodeController
- func (r *NodeController) SetupWithManager(mgr ctrl.Manager) error
type Plugin
- func NewKubeBenchPlugin(clock ext.Clock, config Config) Plugin
type ReadWriter
- func NewReadWriter(client client.Client) ReadWriter
type Reader
type Writer

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Builder ¶

type Builder struct {
	// contains filtered or unexported fields
}

func NewBuilder ¶

func NewBuilder(scheme *runtime.Scheme) *Builder

func (*Builder) Controller ¶

func (b *Builder) Controller(controller metav1.Object) *Builder

func (*Builder) Data ¶

func (b *Builder) Data(data v1alpha1.CISKubeBenchReportData) *Builder

func (*Builder) Get ¶

func (b *Builder) Get() (v1alpha1.CISKubeBenchReport, error)

type Config ¶

type Config interface {
	GetKubeBenchImageRef() (string, error)
}

type NodeController ¶

type NodeController struct {
	logr.Logger
	etc.Config
	client.Client
	kube.LogsReader
	controller.LimitChecker
	ReadWriter
	Plugin
	starboard.ConfigData
}

NodeController reconciles corev1.Node and corev1.Job objects to check cluster nodes configuration with CIS Kubernetes Benchmark and saves results as v1alpha1.CISKubeBenchReport objects. Each v1alpha1.CISKubeBenchReport is controlled by the corev1.Node for which it was generated. Additionally, the CISKubeBenchReportReconciler.SetupWithManager method informs the ctrl.Manager that this controller reconciles nodes that own benchmark reports, so that it will automatically call the reconcile callback on the underlying corev1.Node when a v1alpha1.CISKubeBenchReport changes, is deleted, etc.

func (*NodeController) SetupWithManager ¶

func (r *NodeController) SetupWithManager(mgr ctrl.Manager) error

type Plugin ¶

type Plugin interface {

	// GetScanJobSpec describes the pod that will be created by Starboard when
	// it schedules a Kubernetes job to audit the configuration of the specified
	// node.
	GetScanJobSpec(node corev1.Node) (corev1.PodSpec, error)

	// ParseCISKubeBenchReportData is a callback to parse and convert logs of
	// the pod controlled by the scan job to v1alpha1.CISKubeBenchReportData.
	ParseCISKubeBenchReportData(logsStream io.ReadCloser) (v1alpha1.CISKubeBenchReportData, error)

	GetContainerName() string
}

Plugin defines the interface between Starboard and Kubernetes configuration checker with CIS Kubernetes Benchmarks.

func NewKubeBenchPlugin ¶

func NewKubeBenchPlugin(clock ext.Clock, config Config) Plugin

NewKubeBenchPlugin constructs a new Plugin, which is using an official Kube-Bench container image, with the specified Config.

type ReadWriter ¶

type ReadWriter interface {
	Writer
	Reader
}

func NewReadWriter ¶

func NewReadWriter(client client.Client) ReadWriter

type Reader ¶

type Reader interface {
	FindByOwner(ctx context.Context, node kube.ObjectRef) (*v1alpha1.CISKubeBenchReport, error)
}

type Writer ¶

type Writer interface {
	Write(ctx context.Context, report v1alpha1.CISKubeBenchReport) error
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL