Overview
Package types contains shared types across the runners and auditors.
Constants
const (
	// Unknown severity or not yet rated
	Unknown Severity = iota
	// None represents a CVSS base score of 0.0
	None = iota
	// Low represents a CVSS base score of 0.1 to 3.9
	Low = iota
	// Medium represents a CVSS base score of 4.0 to 6.9
	Medium = iota
	// High represents a CVSS base score of 7.0 to 8.9
	High = iota
	// Critical represents a CVSS base score of 9.0 to 10.0
	Critical = iota
)
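Worked example, added here and not code from the package: a Severity type mirroring the constants above, a mapper from a CVSS base score to one of the documented bands, and a minimum-severity filter over AuditResults. Two things the constant block itself does not show. First, the declaration above repeats `= iota` on every line, so only Unknown carries the Severity type and None through Critical are untyped integer constants; they still convert implicitly when stored in a Severity field, but they are not values of the named type. Second, Unknown is the lowest value of the enum, so a filter written as a bare `severity >= min` silently drops every unrated finding. `FromCVSS`, `AtLeast`, the rounding rule and the sample results are this example's choices, not the package's API.

```go
package main

import (
	"fmt"
	"math"
)

// Severity mirrors the page's constants, declared with the type on the
// first identifier only so the remaining identifiers inherit it.
type Severity int

const (
	Unknown  Severity = iota // not yet rated
	None                     // CVSS 0.0
	Low                      // CVSS 0.1 to 3.9
	Medium                   // CVSS 4.0 to 6.9
	High                     // CVSS 7.0 to 8.9
	Critical                 // CVSS 9.0 to 10.0
)

var severityNames = [...]string{"Unknown", "None", "Low", "Medium", "High", "Critical"}

func (s Severity) String() string {
	if s < Unknown || int(s) >= len(severityNames) {
		return fmt.Sprintf("Severity(%d)", int(s))
	}
	return severityNames[s]
}

// FromCVSS maps a CVSS base score onto the bands above. The score is first
// rounded to one decimal (CVSS base scores carry one decimal place), which
// makes the bands contiguous: 3.94 is Low, 3.96 is Medium. Scores outside
// 0.0-10.0, or NaN, come back as Unknown with an error rather than being
// clamped into a band they never belonged to.
func FromCVSS(score float64) (Severity, error) {
	if math.IsNaN(score) || score < 0 || score > 10 {
		return Unknown, fmt.Errorf("cvss score %v is outside 0.0-10.0", score)
	}
	score = math.Round(score*10) / 10
	switch {
	case score == 0:
		return None, nil
	case score < 4.0:
		return Low, nil
	case score < 7.0:
		return Medium, nil
	case score < 9.0:
		return High, nil
	default:
		return Critical, nil
	}
}

// AuditResult repeats the page's struct so the filter below has realistic input.
type AuditResult struct {
	Name        string   `json:"name"`
	Description string   `json:"description"`
	Severity    Severity `json:"severity"`
	Resource    string   `json:"resource"`
}

// AtLeast keeps results rated min or higher. Unknown is the lowest enum value,
// so a bare `r.Severity >= min` would discard every unrated finding; unrated
// results are kept on purpose, because a missing rating is not evidence that
// the finding is harmless.
func AtLeast(results []AuditResult, min Severity) []AuditResult {
	var kept []AuditResult
	for _, r := range results {
		if r.Severity == Unknown || r.Severity >= min {
			kept = append(kept, r)
		}
	}
	return kept
}

func main() {
	// Constructed results, not scanner output.
	results := []AuditResult{
		{Name: "unauthenticated xds", Severity: High, Resource: "istiod/xds"},
		{Name: "permissive mtls", Severity: Medium, Resource: "namespace/default"},
		{Name: "new check", Severity: Unknown, Resource: "pod/api"},
	}
	for _, r := range AtLeast(results, High) {
		fmt.Printf("%-8s %s (%s)\n", r.Severity, r.Name, r.Resource)
	}
}
```

Note that with the page's type as declared, `encoding/json` emits the `severity` field as a bare integer (4 for High); a `MarshalText` method on Severity would be needed to get the name into the JSON report.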
Variables
This section is empty.
Functions
This section is empty.
Types
type AuditResult
type AuditResult struct {
	Name        string   `json:"name"`
	Description string   `json:"description"`
	Severity    Severity `json:"severity"`
	Resource    string   `json:"resource"`
}
AuditResult is a single instance of an issue discovered by an auditor.
type Auditor
type Auditor interface {
	// Name returns a human-readable name to be associated with the
	// AuditResults from an auditor
	Name() string
	// Audit returns an array of AuditResults after scanning the
	// provided Discovery and Resources for a particular issue.
	// Audit may also return an error if required data is not
	// present or if the data is in an invalid format.
	Audit(Discovery, Resources) ([]AuditResult, error)
}
Auditor is the interface that all auditors conform to and is required for auditor registration. Auditors should be scoped to a single issue.
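As an added example (not one of the project's own auditors), here is a type whose method set matches the Auditor interface above, scoped to a single issue: namespaces whose effective namespace-wide mTLS mode is not STRICT. The Istio and Kubernetes API types are replaced by stand-in structs carrying only the fields the check reads, so the block runs with the standard library alone; `permissiveMTLS`, the stand-in `Discovery`, `PeerAuthentication` and `Resources`, and the sample cluster data are this example's assumptions. The check assumes Istio's documented PeerAuthentication precedence: a selector-less policy in the root namespace (assumed here to be the control-plane namespace recorded in Discovery) is mesh-wide, a selector-less policy in any other namespace overrides it for that namespace, workload-scoped policies (those with a selector) do not set a namespace default, and PERMISSIVE applies when no policy does. The "required data is not present" clause of the interface contract is exercised by refusing to run without the control-plane namespace.

```go
package main

import "fmt"

// Severity values follow the page's iota block: Unknown=0, None, Low, Medium=3, High=4, Critical.
type Severity int

const Medium, High Severity = 3, 4

// AuditResult has the same fields and JSON tags as types.AuditResult.
type AuditResult struct {
	Name        string   `json:"name"`
	Description string   `json:"description"`
	Severity    Severity `json:"severity"`
	Resource    string   `json:"resource"`
}

// Discovery keeps only the field this check reads; assumed to also be Istio's root namespace.
type Discovery struct{ IstioNamespace string }

// PeerAuthentication and Resources stand in for the Istio API types with only
// the fields the check reads. A non-empty Selector means workload-scoped.
type PeerAuthentication struct {
	Namespace string
	Selector  map[string]string
	MTLSMode  string // "UNSET", "DISABLE", "PERMISSIVE" or "STRICT"
}

type Resources struct {
	Namespaces          []string
	PeerAuthentications []PeerAuthentication
}

// permissiveMTLS is scoped to one issue, as the page asks of auditors: namespaces
// whose effective namespace-wide mTLS mode is not STRICT, so sidecars accept plaintext.
type permissiveMTLS struct{}

func (permissiveMTLS) Name() string { return "namespace-mtls-not-strict" }

func (a permissiveMTLS) Audit(d Discovery, r Resources) ([]AuditResult, error) {
	// Required data missing: without the root namespace, mesh-wide and
	// namespace-wide policies cannot be told apart, so fail rather than guess.
	if d.IstioNamespace == "" {
		return nil, fmt.Errorf("discovery did not record the istio control-plane namespace")
	}
	meshMode := "PERMISSIVE" // Istio's default when no mesh-wide policy exists
	nsMode := map[string]string{}
	for _, pa := range r.PeerAuthentications {
		if len(pa.Selector) != 0 || pa.MTLSMode == "" || pa.MTLSMode == "UNSET" {
			continue // workload-scoped, or inherits from the enclosing scope
		}
		if pa.Namespace == d.IstioNamespace {
			meshMode = pa.MTLSMode
		} else {
			nsMode[pa.Namespace] = pa.MTLSMode // namespace-wide overrides mesh-wide
		}
	}
	var results []AuditResult
	for _, ns := range r.Namespaces {
		mode := nsMode[ns]
		if mode == "" {
			mode = meshMode
		}
		if ns == d.IstioNamespace || mode == "STRICT" {
			continue
		}
		sev := Medium
		if mode == "DISABLE" {
			sev = High // mTLS switched off outright, not merely optional
		}
		results = append(results, AuditResult{
			Name:        a.Name(),
			Description: "effective namespace-wide mTLS mode is " + mode + "; non-mesh clients can connect in plaintext",
			Severity:    sev,
			Resource:    "namespace/" + ns,
		})
	}
	return results, nil
}

func main() {
	// Constructed input, not cluster data: payments is STRICT, dev has mTLS disabled,
	// default inherits the permissive mesh default despite its workload-scoped STRICT policy.
	res := Resources{
		Namespaces: []string{"istio-system", "default", "payments", "dev"},
		PeerAuthentications: []PeerAuthentication{
			{Namespace: "payments", MTLSMode: "STRICT"},
			{Namespace: "dev", MTLSMode: "DISABLE"},
			{Namespace: "default", Selector: map[string]string{"app": "api"}, MTLSMode: "STRICT"},
		},
	}
	results, err := permissiveMTLS{}.Audit(Discovery{IstioNamespace: "istio-system"}, res)
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("[%d] %s %s: %s\n", r.Severity, r.Name, r.Resource, r.Description)
	}
}
```

Returning an error instead of an empty slice when Discovery is incomplete matters for a runner that aggregates many auditors: an empty result reads as "nothing found", while the error lets the run report which check did not actually execute.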
type Discovery
type Discovery struct {
	// IstioVersion is the version of the istio control plane.
	IstioVersion string
	// IstioNamespace is the Kubernetes namespace of the istio control plane.
	IstioNamespace string
	// DiscoveryAddress is the IP:port of istiod's unauthenticated xds.
	DiscoveryAddress string
	// DebugzAddress is the IP:port of istiod's debug API.
	DebugzAddress string
	// KubeletAddresses is a list of addresses of each node's kubelet read-only API.
	// These addresses have the form "host:port".
	KubeletAddresses []string
}
Discovery represents all facts learned during the discovery phase of the scanner. These facts are used to populate the Resources from a deployment and are passed to each auditor to help with its scanning.
type Resources
type Resources struct {
	Namespaces            []corev1.Namespace
	Pods                  []corev1.Pod
	PeerAuthentications   []securityv1beta1.PeerAuthentication
	AuthorizationPolicies []securityv1beta1.AuthorizationPolicy
	DestinationRules      []networkingv1alpha3.DestinationRule
	Gateways              []networkingv1alpha3.Gateway
	VirtualServices       []networkingv1alpha3.VirtualService
	EnvoyFilters          []networkingv1alpha3.EnvoyFilter
	ServiceEntries        []networkingv1alpha3.ServiceEntry
	// contains filtered or unexported fields
}
Resources holds all known API objects related to the target. Resources are populated by various clients (e.g. xds, kubelet) and contain several different types of object (e.g. Namespaces, Pods, AuthorizationPolicies).
func NewResources
func NewResources() Resources
NewResources returns Resources that can track and decode objects from clients.
func (*Resources) Export
Export exports all known resources as YAML files in the provided directory.
func (*Resources) Load
Load processes an array of Kubernetes runtime objects and adds relevant resources to the state. Load will ignore duplicate entries or entries with unknown types.
func (*Resources) LoadFromDirectory
LoadFromDirectory processes all YAML files within a directory, decodes them as Kubernetes resources, and loads them into the state.