Documentation
Index
- Constants
- Variables
- func Execute()
- func IsSupportedResourceType(obj Resource) bool
- func WriteToFile(decode Resource, filename string, toAppend bool) error
- func WriteToTmpFile(decode Resource) (string, error)
- type CapSet
- type CapabilitiesV1
- type CapabilityV1
- type Client
- type ContainerV1
- type CronJobV1Beta1
- type DaemonSetListV1
- type DaemonSetV1
- type DaemonSetV1Beta1
- type DebugHook
- type DeploymentExtensionsV1Beta1
- type DeploymentListV1
- type DeploymentV1
- type DeploymentV1Beta1
- type DeploymentV1Beta2
- type K8sClient
- type ListOptionsV1
- type Metadata
- type NamespaceListV1
- type NamespaceV1
- type NetworkPolicyListV1
- type NetworkPolicyV1
- type ObjectMetaV1
- type Occurrence
- type PodListV1
- type PodSpecV1
- type PodV1
- type ReplicationControllerListV1
- type ReplicationControllerV1
- type Resource
- type Result
- type SecurityContextV1
- type StatefulSetListV1
- type StatefulSetV1
- type StatefulSetV1Beta1
Constants
const (
	// ContainerAnnotationKeyPrefix is the prefix of the annotation key that specifies a container's AppArmor profile.
	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
	// ProfileRuntimeDefault is the profile name that selects the container runtime's default profile.
	ProfileRuntimeDefault = "runtime/default"
	// ProfileNamePrefix is the prefix for profiles that have been loaded on the node.
	ProfileNamePrefix = "localhost/"
)
As of Oct 1, 2018 these constants are not exported by the K8s API package; once they are, this block should be replaced with the upstream definitions: https://github.com/kubernetes/kubernetes/blob/7f23a743e8c23ac6489340bbb34fa6f1d392db9d/pkg/security/apparmor/helpers.go#L25
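How these three constants drive a per-container AppArmor check, as an added example that is not kubeaudit's own code. The constants are redefined locally so the block runs without importing kubeaudit; auditAppArmor, AppArmorStatus and the sample pod are constructed for this example. The rule applied here, that only runtime/default and a localhost/ profile with a non-empty name count as enforced while unconfined, an empty value or any other string is reported as disabled (the situation behind the ErrorAppArmorDisabled code listed further down), is this example's reading of the annotation semantics.

```go
package main

import (
	"fmt"
	"strings"
)

// The three constants from this page, redefined locally so the example does not
// import kubeaudit.
const (
	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
	ProfileRuntimeDefault        = "runtime/default"
	ProfileNamePrefix            = "localhost/"
)

// AppArmorStatus is a result enum constructed for this example; the last two
// values correspond to the ErrorAppArmorAnnotationMissing and
// ErrorAppArmorDisabled codes listed under Error codes.
type AppArmorStatus int

const (
	AppArmorOK AppArmorStatus = iota
	AppArmorAnnotationMissing
	AppArmorDisabled
)

func (s AppArmorStatus) String() string {
	switch s {
	case AppArmorOK:
		return "ok"
	case AppArmorAnnotationMissing:
		return "annotation missing"
	default:
		return "disabled"
	}
}

// auditAppArmor looks up the per-container annotation for every container name
// and classifies its value. Only "runtime/default" and "localhost/<profile>"
// (with a non-empty profile name) count as enforced; "unconfined", an empty
// string, or anything else is reported as disabled.
func auditAppArmor(annotations map[string]string, containerNames []string) map[string]AppArmorStatus {
	out := make(map[string]AppArmorStatus, len(containerNames))
	for _, name := range containerNames {
		profile, ok := annotations[ContainerAnnotationKeyPrefix+name]
		switch {
		case !ok:
			out[name] = AppArmorAnnotationMissing
		case profile == ProfileRuntimeDefault:
			out[name] = AppArmorOK
		case strings.HasPrefix(profile, ProfileNamePrefix) && len(profile) > len(ProfileNamePrefix):
			out[name] = AppArmorOK
		default:
			out[name] = AppArmorDisabled
		}
	}
	return out
}

// Constructed sample pod: four containers, two annotated correctly, one opted
// out with "unconfined", one with no annotation at all.
var samplePodAnnotations = map[string]string{
	ContainerAnnotationKeyPrefix + "web":     ProfileRuntimeDefault,
	ContainerAnnotationKeyPrefix + "proxy":   ProfileNamePrefix + "nginx-hardened",
	ContainerAnnotationKeyPrefix + "sidecar": "unconfined",
}

var samplePodContainers = []string{"web", "proxy", "sidecar", "init-db"}

func main() {
	for name, status := range auditAppArmor(samplePodAnnotations, samplePodContainers) {
		fmt.Printf("%-8s %s\n", name, status)
	}
}
```

The check is keyed by container name, so a container added to the pod without a matching annotation shows up as missing rather than silently inheriting a profile; that is why the audit iterates the container list rather than the annotation map.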
const (
	// KubeauditInternalError is an internal error which cannot be fixed by the user.
	KubeauditInternalError = iota
	// ErrorAllowPrivilegeEscalationNil occurs when AllowPrivilegeEscalation is not set, which allows privilege
	// escalation.
	ErrorAllowPrivilegeEscalationNil
	// ErrorAllowPrivilegeEscalationTrue occurs when AllowPrivilegeEscalation is set to true.
	ErrorAllowPrivilegeEscalationTrue
	// ErrorAllowPrivilegeEscalationTrueAllowed occurs when AllowPrivilegeEscalation is allowed to be set to true.
	ErrorAllowPrivilegeEscalationTrueAllowed
	// ErrorAutomountServiceAccountTokenNilAndNoName occurs when automountServiceAccountToken is not set and
	// serviceAccountName is blank.
	ErrorAutomountServiceAccountTokenNilAndNoName
	// ErrorAutomountServiceAccountTokenTrueAllowed occurs when automountServiceAccountToken is allowed to be set
	// to true.
	ErrorAutomountServiceAccountTokenTrueAllowed
	// ErrorAutomountServiceAccountTokenTrueAndNoName occurs when automountServiceAccountToken is set to true and
	// serviceAccountName is blank.
	ErrorAutomountServiceAccountTokenTrueAndNoName
	// ErrorCapabilityAdded occurs when a capability is added that is not allowed.
	ErrorCapabilityAdded
	// ErrorCapabilityAllowed occurs when a capability is allowed that is part of the toBeDropped list.
	ErrorCapabilityAllowed
	// ErrorCapabilityNotDropped occurs when a capability should be dropped but it isn't.
	ErrorCapabilityNotDropped
	// ErrorImageTagIncorrect occurs when an incorrect image tag is provided.
	ErrorImageTagIncorrect
	// ErrorImageTagMissing occurs when there is no image tag provided.
	ErrorImageTagMissing
	// ErrorMisconfiguredKubeauditAllow occurs when the option to allow a setting is set to true but the option
	// itself is set to false or nil.
	ErrorMisconfiguredKubeauditAllow
	// ErrorPrivilegedNil occurs when Privileged is not set.
	ErrorPrivilegedNil
	// ErrorPrivilegedTrue occurs when Privileged is set to true.
	ErrorPrivilegedTrue
	// ErrorPrivilegedTrueAllowed occurs when Privileged is allowed to be set to true.
	ErrorPrivilegedTrueAllowed
	// ErrorReadOnlyRootFilesystemFalse occurs when ReadOnlyRootFilesystem is set to false.
	ErrorReadOnlyRootFilesystemFalse
	// ErrorReadOnlyRootFilesystemFalseAllowed occurs when ReadOnlyRootFilesystem is allowed to be set to false.
	ErrorReadOnlyRootFilesystemFalseAllowed
	// ErrorReadOnlyRootFilesystemNil occurs when ReadOnlyRootFilesystem is not set.
	ErrorReadOnlyRootFilesystemNil
	// ErrorResourcesLimitsCPUExceeded occurs when the CPU limit is exceeded.
	ErrorResourcesLimitsCPUExceeded
	// ErrorResourcesLimitsCPUNil occurs when the CPU limit is not set.
	ErrorResourcesLimitsCPUNil
	// ErrorResourcesLimitsMemoryExceeded occurs when the memory limit is exceeded.
	ErrorResourcesLimitsMemoryExceeded
	// ErrorResourcesLimitsMemoryNil occurs when the memory limit is not set.
	ErrorResourcesLimitsMemoryNil
	// ErrorResourcesLimitsNil occurs when no resource limits are set at all (Resources.Limits is nil).
	ErrorResourcesLimitsNil
	// ErrorRunAsNonRootPSCTrueFalseCSCFalse occurs when RunAsNonRoot is set to false in the container
	// SecurityContext, regardless of whether the PodSecurityContext sets it to true or false.
	ErrorRunAsNonRootPSCTrueFalseCSCFalse
	// ErrorRunAsNonRootPSCFalseCSCNil occurs when RunAsNonRoot is not set in the container SecurityContext
	// and is set to false in the PodSecurityContext.
	ErrorRunAsNonRootPSCFalseCSCNil
	// ErrorRunAsNonRootFalseAllowed occurs when RunAsNonRoot is allowed to be set to false.
	ErrorRunAsNonRootFalseAllowed
	// ErrorRunAsNonRootPSCNilCSCNil occurs when RunAsNonRoot is set in neither the PodSecurityContext nor the
	// container SecurityContext.
	ErrorRunAsNonRootPSCNilCSCNil
	// ErrorServiceAccountTokenDeprecated occurs when serviceAccount is used. ServiceAccount is a deprecated alias
	// for ServiceAccountName.
	ErrorServiceAccountTokenDeprecated
	// ErrorAppArmorDisabled occurs when the AppArmor annotation is set to a bad value.
	ErrorAppArmorDisabled
	// ErrorAppArmorAnnotationMissing occurs when there is no annotation enabling AppArmor on the pod.
	ErrorAppArmorAnnotationMissing
	// ErrorSeccompDisabledPod occurs when the pod-level Seccomp annotation is set to a bad value.
	ErrorSeccompDisabledPod
	// ErrorSeccompDisabled occurs when the container-level Seccomp annotation is set to a bad value.
	ErrorSeccompDisabled
	// ErrorSeccompAnnotationMissing occurs when there is no annotation enabling Seccomp on the pod.
	ErrorSeccompAnnotationMissing
	// ErrorSeccompDeprecatedPod occurs when the pod-level Seccomp annotation is set to a deprecated value.
	ErrorSeccompDeprecatedPod
	// ErrorSeccompDeprecated occurs when the container-level Seccomp annotation is set to a deprecated value.
	ErrorSeccompDeprecated
	// InfoImageCorrect occurs when an image tag is correct.
	InfoImageCorrect
	// ErrorMissingDefaultDenyEgressNetworkPolicy occurs when a namespace is missing a default deny egress NetworkPolicy.
	ErrorMissingDefaultDenyEgressNetworkPolicy
	// ErrorMissingDefaultDenyIngressNetworkPolicy occurs when a namespace is missing a default deny ingress NetworkPolicy.
	ErrorMissingDefaultDenyIngressNetworkPolicy
	// InfoDefaultDenyNetworkPolicyExists occurs when a namespace has a default deny NetworkPolicy.
	InfoDefaultDenyNetworkPolicyExists
	// WarningAllowAllIngressNetworkPolicyExists occurs when a namespace has an allow all ingress NetworkPolicy.
	WarningAllowAllIngressNetworkPolicyExists
	// WarningAllowAllEgressNetworkPolicyExists occurs when a namespace has an allow all egress NetworkPolicy.
	WarningAllowAllEgressNetworkPolicyExists
)
Error codes
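The pod/container precedence behind the AllowPrivilegeEscalation, Privileged, ReadOnlyRootFilesystem and RunAsNonRoot codes, as an added example that is not kubeaudit's implementation. PodSecurityContext, SecurityContext and Container are cut-down stand-ins constructed for the example (not the k8s API types the page aliases), the ErrorCode values are local and do not match kubeaudit's numbering, and auditContainer, boolPtr and the sample pod are assumptions of this example. The page lists no separate code for runAsNonRoot false on the container with a nil pod context, so that case is folded into ErrorRunAsNonRootPSCTrueFalseCSCFalse here.

```go
package main

import "fmt"

// Cut-down stand-ins for the security-context fields this audit reads
// (constructed for the example; not the k8s API types). A nil *bool means the
// field is absent from the manifest.
type PodSecurityContext struct {
	RunAsNonRoot *bool
}

type SecurityContext struct {
	AllowPrivilegeEscalation *bool
	Privileged               *bool
	ReadOnlyRootFilesystem   *bool
	RunAsNonRoot             *bool
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

// ErrorCode mirrors the subset of codes from the block above that this example
// produces; the numbering is local, not kubeaudit's.
type ErrorCode int

const (
	ErrorAllowPrivilegeEscalationNil ErrorCode = iota + 1
	ErrorAllowPrivilegeEscalationTrue
	ErrorPrivilegedNil
	ErrorPrivilegedTrue
	ErrorReadOnlyRootFilesystemNil
	ErrorReadOnlyRootFilesystemFalse
	ErrorRunAsNonRootPSCNilCSCNil
	ErrorRunAsNonRootPSCFalseCSCNil
	ErrorRunAsNonRootPSCTrueFalseCSCFalse
)

func boolPtr(b bool) *bool { return &b }

// auditContainer returns the codes that apply to one container given the pod
// security context it inherits from. Checks run in a fixed order so the result
// is stable.
func auditContainer(psc *PodSecurityContext, c Container) []ErrorCode {
	sc := c.SecurityContext
	if sc == nil {
		sc = &SecurityContext{} // no securityContext block: every field unset
	}
	var errs []ErrorCode

	// allowPrivilegeEscalation defaults to true in Kubernetes, so unset is as
	// bad as true; privileged and readOnlyRootFilesystem are flagged when
	// unset because the audit wants them stated explicitly.
	switch {
	case sc.AllowPrivilegeEscalation == nil:
		errs = append(errs, ErrorAllowPrivilegeEscalationNil)
	case *sc.AllowPrivilegeEscalation:
		errs = append(errs, ErrorAllowPrivilegeEscalationTrue)
	}
	switch {
	case sc.Privileged == nil:
		errs = append(errs, ErrorPrivilegedNil)
	case *sc.Privileged:
		errs = append(errs, ErrorPrivilegedTrue)
	}
	switch {
	case sc.ReadOnlyRootFilesystem == nil:
		errs = append(errs, ErrorReadOnlyRootFilesystemNil)
	case !*sc.ReadOnlyRootFilesystem:
		errs = append(errs, ErrorReadOnlyRootFilesystemFalse)
	}

	// runAsNonRoot: the container-level value wins; only when it is unset
	// does the pod-level value matter.
	var podNonRoot *bool
	if psc != nil {
		podNonRoot = psc.RunAsNonRoot
	}
	switch {
	case sc.RunAsNonRoot != nil && *sc.RunAsNonRoot:
		// explicitly true on the container: fine whatever the pod says
	case sc.RunAsNonRoot != nil:
		// explicitly false on the container; a nil pod context is folded
		// into this code because the page lists no separate one
		errs = append(errs, ErrorRunAsNonRootPSCTrueFalseCSCFalse)
	case podNonRoot == nil:
		errs = append(errs, ErrorRunAsNonRootPSCNilCSCNil)
	case !*podNonRoot:
		errs = append(errs, ErrorRunAsNonRootPSCFalseCSCNil)
	}
	return errs
}

// Constructed sample: the pod sets runAsNonRoot: false, and three containers
// range from fully hardened to having no securityContext at all.
var samplePSC = &PodSecurityContext{RunAsNonRoot: boolPtr(false)}

var sampleContainers = []Container{
	{Name: "hardened", SecurityContext: &SecurityContext{
		AllowPrivilegeEscalation: boolPtr(false), Privileged: boolPtr(false),
		ReadOnlyRootFilesystem: boolPtr(true), RunAsNonRoot: boolPtr(true)}},
	{Name: "inherits-pod", SecurityContext: &SecurityContext{
		AllowPrivilegeEscalation: boolPtr(true), Privileged: boolPtr(false),
		ReadOnlyRootFilesystem: boolPtr(false)}},
	{Name: "legacy"},
}

func main() {
	for _, c := range sampleContainers {
		fmt.Printf("%-13s %v\n", c.Name, auditContainer(samplePSC, c))
	}
}
```

The point worth noticing is the asymmetry between nil values: an unset allowPrivilegeEscalation is a real exposure because the API default is true, whereas the unset privileged and readOnlyRootFilesystem findings are about the manifest failing to state a safe value explicitly.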
const (
	Error = iota
	Warn
	Info
	Debug
)
Log levels
Variables
var (
	Version   = "0.0.0"
	Commit    = "ffffffff"
	BuildDate = "2006-01-02T15:04:05Z07:00"
)
Placeholder values that are overridden by goreleaser or the makefile at build time.
var ErrNoReadableKubeConfig = errors.New("unable to open kubeconfig file")
ErrNoReadableKubeConfig represents any error that prevents the client from opening a kubeconfig file.
var KubeauditLogLevel = Info
KubeauditLogLevel is the default log level used by the logger. Events at this level or more severe are logged, so with the default of Info, Debug output is dropped.
var KubeauditLogLevels = map[string]int{"ERROR": Error, "WARN": Warn, "INFO": Info, "DEBUG": Debug}
KubeauditLogLevels represents an enum for the supported log levels.
var RootCmd = &cobra.Command{
Use: "kubeaudit",
Short: "A Kubernetes security auditor",
Long: `kubeaudit is a program that checks security settings on your Kubernetes clusters.
#patcheswelcome`,
}
RootCmd defines the shell command usage for kubeaudit.
Functions
func Execute
func Execute()
Execute is a wrapper for the RootCmd.Execute method; it exits the program if the command returns an error.
func IsSupportedResourceType added in v0.3.0
func IsSupportedResourceType(obj Resource) bool
IsSupportedResourceType returns true if obj is one of the Kubernetes resource types kubeaudit knows how to audit.
func WriteToFile added in v0.3.0
func WriteToFile(decode Resource, filename string, toAppend bool) error
WriteToFile serializes decode and writes it to filename. When toAppend is true the resource is appended to the file's existing contents; otherwise the file is overwritten.
func WriteToTmpFile added in v0.4.0
func WriteToTmpFile(decode Resource) (string, error)
WriteToTmpFile writes a single resource to a temporary file and returns the file name; the caller is responsible for deleting the file afterwards.
Types
type CapSet added in v0.3.0
type CapSet map[CapabilityV1]bool
CapSet represents a set of capabilities, keyed by capability name.
func NewCapSetFromArray added in v0.3.0
func NewCapSetFromArray(array []CapabilityV1) (set CapSet)
NewCapSetFromArray converts a slice of capabilities into a CapSet.
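How a CapSet is used to compare a container's capabilities against a must-drop list, as an added example that is not kubeaudit's code. CapabilityV1 and CapabilitiesV1 are stand-ins for the k8s types the page aliases (so the block runs without the Kubernetes API module), NewCapSetFromArray is re-implemented here from its signature above, and auditCapabilities, the short sampleToBeDropped list (kubeaudit's real list is longer) and the sample containers are constructed for the example. The three result lists map onto the ErrorCapabilityNotDropped, ErrorCapabilityAdded and ErrorCapabilityAllowed codes; treating a dropped ALL as satisfying every required drop is this example's choice.

```go
package main

import (
	"fmt"
	"sort"
)

// CapabilityV1 stands in for apiv1.Capability (a string type) so the example
// runs without the Kubernetes API module; CapabilitiesV1 likewise mirrors the
// Add/Drop lists of apiv1.Capabilities.
type CapabilityV1 string

type CapabilitiesV1 struct {
	Add  []CapabilityV1
	Drop []CapabilityV1
}

// CapSet represents a set of capabilities, as on this page.
type CapSet map[CapabilityV1]bool

// NewCapSetFromArray converts a slice of capabilities into a CapSet.
func NewCapSetFromArray(array []CapabilityV1) (set CapSet) {
	set = make(CapSet, len(array))
	for _, c := range array {
		set[c] = true
	}
	return set
}

// auditCapabilities compares one container's capability lists against the
// capabilities that must be dropped (toBeDropped) and the ones the manifest
// explicitly allows for this container. It returns three lists, one per code:
//   notDropped  - required drops that are absent        (ErrorCapabilityNotDropped)
//   added       - additions that are not allowed        (ErrorCapabilityAdded)
//   allowedRisk - allowed caps that are in toBeDropped  (ErrorCapabilityAllowed)
// Dropping ALL satisfies every required drop; a nil caps means nothing was
// dropped or added.
func auditCapabilities(caps *CapabilitiesV1, toBeDropped, allowed []CapabilityV1) (notDropped, added, allowedRisk []CapabilityV1) {
	dropped, addSet := CapSet{}, CapSet{}
	if caps != nil {
		dropped = NewCapSetFromArray(caps.Drop)
		addSet = NewCapSetFromArray(caps.Add)
	}
	allowSet := NewCapSetFromArray(allowed)

	for _, c := range toBeDropped {
		switch {
		case allowSet[c]:
			allowedRisk = append(allowedRisk, c)
		case !dropped["ALL"] && !dropped[c]:
			notDropped = append(notDropped, c)
		}
	}
	for c := range addSet {
		if !allowSet[c] {
			added = append(added, c)
		}
	}
	// map iteration order is random; sort so results are stable
	sort.Slice(added, func(i, j int) bool { return added[i] < added[j] })
	return notDropped, added, allowedRisk
}

// Constructed inputs: a short must-drop list and three containers in
// decreasing order of hygiene.
var sampleToBeDropped = []CapabilityV1{"SYS_ADMIN", "NET_RAW", "CHOWN", "SETUID"}

var capSamples = []struct {
	Name    string
	Caps    *CapabilitiesV1
	Allowed []CapabilityV1
}{
	// drop everything, re-add one port-binding capability and allow it
	{"hardened", &CapabilitiesV1{Drop: []CapabilityV1{"ALL"}, Add: []CapabilityV1{"NET_BIND_SERVICE"}}, []CapabilityV1{"NET_BIND_SERVICE"}},
	// drops one, adds two, only one of which is allowed
	{"partial", &CapabilitiesV1{Drop: []CapabilityV1{"CHOWN"}, Add: []CapabilityV1{"SYS_ADMIN", "NET_RAW"}}, []CapabilityV1{"NET_RAW"}},
	// no securityContext.capabilities at all
	{"default", nil, nil},
}

func main() {
	for _, c := range capSamples {
		nd, ad, ar := auditCapabilities(c.Caps, sampleToBeDropped, c.Allowed)
		fmt.Printf("%-9s notDropped=%v added=%v allowed=%v\n", c.Name, nd, ad, ar)
	}
}
```

Using a CapSet for the lookups keeps the audit O(n) in the size of the lists and makes the "drop ALL, then add back the one thing you need" pattern a single map lookup; the sort at the end matters because map iteration order in Go is deliberately randomized and an audit should report the same findings in the same order on every run.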
type CapabilitiesV1 added in v0.4.0
type CapabilitiesV1 = apiv1.Capabilities
CapabilitiesV1 is a type alias for the v1 version of the k8s API.
type CapabilityV1 added in v0.4.0
type CapabilityV1 = apiv1.Capability
CapabilityV1 is a type alias for the v1 version of the k8s API.
type ContainerV1 added in v0.4.0
type ContainerV1 = apiv1.Container
ContainerV1 is a type alias for the v1 version of the k8s API.
type CronJobV1Beta1 added in v0.4.0
type CronJobV1Beta1 = batchv1beta1.CronJob
CronJobV1Beta1 is a type alias for the v1beta1 version of the k8s batch API.
type DaemonSetListV1 added in v0.4.0
type DaemonSetListV1 = appsv1.DaemonSetList
DaemonSetListV1 is a type alias for the v1 version of the k8s apps API.
type DaemonSetV1 added in v0.4.0
type DaemonSetV1 = appsv1.DaemonSet
DaemonSetV1 is a type alias for the v1 version of the k8s apps API.
type DaemonSetV1Beta1 added in v0.4.0
type DaemonSetV1Beta1 = extensionsv1beta1.DaemonSet
DaemonSetV1Beta1 is a type alias for the v1beta1 version of the k8s extensions API.
type DebugHook
type DebugHook struct{}
DebugHook is a log hook intended to be used for debug logging.
type DeploymentExtensionsV1Beta1 added in v0.3.0
type DeploymentExtensionsV1Beta1 = extensionsv1beta1.Deployment
DeploymentExtensionsV1Beta1 is a type alias for the v1beta1 version of the k8s extensions API.
type DeploymentListV1 added in v0.4.0
type DeploymentListV1 = appsv1.DeploymentList
DeploymentListV1 is a type alias for the v1 version of the k8s apps API.
type DeploymentV1 added in v0.4.0
type DeploymentV1 = appsv1.Deployment
DeploymentV1 is a type alias for the v1 version of the k8s apps API.
type DeploymentV1Beta1 added in v0.3.0
type DeploymentV1Beta1 = appsv1beta1.Deployment
DeploymentV1Beta1 is a type alias for the v1beta1 version of the k8s apps API.
type DeploymentV1Beta2 added in v0.3.0
type DeploymentV1Beta2 = appsv1beta2.Deployment
DeploymentV1Beta2 is a type alias for the v1beta2 version of the k8s apps API.
type K8sClient added in v0.4.0
type K8sClient struct{}
K8sClient wraps the kubernetes client-go client so it can be mocked in tests.
type ListOptionsV1 added in v0.4.0
type ListOptionsV1 = metav1.ListOptions
ListOptionsV1 is a type alias for the v1 version of the k8s meta API.
type NamespaceListV1 added in v0.4.0
type NamespaceListV1 = apiv1.NamespaceList
NamespaceListV1 is a type alias for the v1 version of the k8s API.
type NamespaceV1 added in v0.4.0
type NamespaceV1 = apiv1.Namespace
NamespaceV1 is a type alias for the v1 version of the k8s API.
type NetworkPolicyListV1 added in v0.4.0
type NetworkPolicyListV1 = networkingv1.NetworkPolicyList
NetworkPolicyListV1 is a type alias for the v1 version of the k8s networking API.
type NetworkPolicyV1 added in v0.4.0
type NetworkPolicyV1 = networkingv1.NetworkPolicy
NetworkPolicyV1 is a type alias for the v1 version of the k8s networking API.
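The namespace-level check behind the ErrorMissingDefaultDenyIngressNetworkPolicy, ErrorMissingDefaultDenyEgressNetworkPolicy, InfoDefaultDenyNetworkPolicyExists and WarningAllowAll*NetworkPolicyExists codes listed under Error codes, as an added example that is not kubeaudit's implementation. Rule and NetworkPolicy are cut-down stand-ins for networkingv1.NetworkPolicy constructed for the example, the Code values are local, and classify, allowsAll, auditNamespacePolicies and the sample namespaces are assumptions of this example. The Kubernetes semantics it encodes are the documented ones: an empty podSelector selects every pod, an omitted policyTypes defaults to Ingress (plus Egress only when egress rules are present), an empty rule list for a listed type denies that direction, and a single empty rule (`- {}`) allows everything. Emitting the Info code only when both directions are denied is this example's reading of that code.

```go
package main
import "fmt"

// Cut-down stand-ins for networkingv1.NetworkPolicy, constructed for this
// example. A Rule with no peers and no ports matches all traffic (the `- {}`
// allow-all idiom); an empty MatchLabels selects every pod in the namespace.
type Rule struct{ Peers, Ports []string }

type NetworkPolicy struct {
	Name        string
	MatchLabels map[string]string // spec.podSelector.matchLabels
	PolicyTypes []string          // "Ingress" and/or "Egress"
	Ingress     []Rule
	Egress      []Rule
}

// Code holds the five network-policy codes from this page, redefined locally.
type Code string

const (
	ErrorMissingDefaultDenyIngressNetworkPolicy Code = "ErrorMissingDefaultDenyIngressNetworkPolicy"
	ErrorMissingDefaultDenyEgressNetworkPolicy  Code = "ErrorMissingDefaultDenyEgressNetworkPolicy"
	InfoDefaultDenyNetworkPolicyExists          Code = "InfoDefaultDenyNetworkPolicyExists"
	WarningAllowAllIngressNetworkPolicyExists   Code = "WarningAllowAllIngressNetworkPolicyExists"
	WarningAllowAllEgressNetworkPolicyExists    Code = "WarningAllowAllEgressNetworkPolicyExists"
)

func allowsAll(rules []Rule) bool {
	for _, r := range rules {
		if len(r.Peers) == 0 && len(r.Ports) == 0 {
			return true
		}
	}
	return false
}

// classify says what one policy does namespace-wide. A policy selecting only a
// subset of pods never counts as a default; an omitted policyTypes follows the
// API default of Ingress always and Egress only when egress rules are present.
func classify(p NetworkPolicy) (denyIn, denyEg, allowIn, allowEg bool) {
	if len(p.MatchLabels) != 0 {
		return
	}
	ing, eg := len(p.PolicyTypes) == 0, len(p.PolicyTypes) == 0 && len(p.Egress) > 0
	for _, t := range p.PolicyTypes {
		ing, eg = ing || t == "Ingress", eg || t == "Egress"
	}
	if ing {
		denyIn, allowIn = len(p.Ingress) == 0, allowsAll(p.Ingress)
	}
	if eg {
		denyEg, allowEg = len(p.Egress) == 0, allowsAll(p.Egress)
	}
	return
}

// auditNamespacePolicies folds a namespace's policies into codes in a fixed
// order. InfoDefaultDenyNetworkPolicyExists is emitted only when both
// directions are denied (this example's reading of that code).
func auditNamespacePolicies(policies []NetworkPolicy) []Code {
	var denyIn, denyEg, allowIn, allowEg bool
	for _, p := range policies {
		di, de, ai, ae := classify(p)
		denyIn, denyEg, allowIn, allowEg = denyIn || di, denyEg || de, allowIn || ai, allowEg || ae
	}
	var out []Code
	for _, f := range []struct {
		on   bool
		code Code
	}{
		{!denyIn, ErrorMissingDefaultDenyIngressNetworkPolicy},
		{!denyEg, ErrorMissingDefaultDenyEgressNetworkPolicy},
		{denyIn && denyEg, InfoDefaultDenyNetworkPolicyExists},
		{allowIn, WarningAllowAllIngressNetworkPolicyExists},
		{allowEg, WarningAllowAllEgressNetworkPolicyExists},
	} {
		if f.on {
			out = append(out, f.code)
		}
	}
	return out
}

// Constructed namespaces. "staging" shows two traps: a policy with neither
// policyTypes nor rules denies ingress only, and an egress `- {}` rule opens
// all egress; its db-only policy is ignored because it selects a subset.
var sampleNamespaces = map[string][]NetworkPolicy{
	"prod": {{Name: "default-deny", PolicyTypes: []string{"Ingress", "Egress"}}},
	"staging": {
		{Name: "default-deny-ingress"},
		{Name: "allow-all-egress", PolicyTypes: []string{"Egress"}, Egress: []Rule{{}}},
		{Name: "db-only", MatchLabels: map[string]string{"app": "db"}, PolicyTypes: []string{"Egress"}},
	},
	"dev": {},
}

func main() {
	for ns, pols := range sampleNamespaces {
		fmt.Printf("%-8s %v\n", ns, auditNamespacePolicies(pols))
	}
}
```

Because NetworkPolicies are additive, a namespace can legitimately carry both a default-deny and an allow-all policy, and the allow-all wins; that is why the audit reports the Warning codes independently of the deny-all findings instead of treating one as cancelling the other.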
type ObjectMetaV1 added in v0.4.0
type ObjectMetaV1 = metav1.ObjectMeta
ObjectMetaV1 is a type alias for the v1 version of the k8s meta API.
type Occurrence added in v0.2.0
type Occurrence struct {
	// contains filtered or unexported fields
}
An Occurrence represents a potential security issue. There may be multiple Occurrences per resource and audit.
type ReplicationControllerListV1 added in v0.4.0
type ReplicationControllerListV1 = apiv1.ReplicationControllerList
ReplicationControllerListV1 is a type alias for the v1 version of the k8s API.
type ReplicationControllerV1 added in v0.4.0
type ReplicationControllerV1 = apiv1.ReplicationController
ReplicationControllerV1 is a type alias for the v1 version of the k8s API.
type Resource added in v0.4.0
type Resource k8sRuntime.Object
Resource is the k8sRuntime.Object that a kubeaudit audit operates on.
func FixTestSetup added in v0.3.0
func FixTestSetup(t *testing.T, file string, auditFunction func(Resource) []Result) (*assert.Assertions, Resource)
FixTestSetup loads the resource from file and runs auditFunction against it, returning an assertion helper and the resource. It allows kubeaudit to be used programmatically instead of via the shell and is intended for testing.
type Result
type Result struct {
	CPULimitActual string
	CPULimitMax    string
	DSA            string
	Err            int
	ImageName      string
	ImageTag       string
	KubeType       string
	Labels         map[string]string
	MEMLimitActual string
	MEMLimitMax    string
	Name           string
	Namespace      string
	Occurrences    []Occurrence
	SA             string
	Token          *bool
}
Result stores information about a Kubernetes resource, including all audit results (Occurrences) related to that resource.
type SecurityContextV1 added in v0.4.0
type SecurityContextV1 = apiv1.SecurityContext
SecurityContextV1 is a type alias for the v1 version of the k8s API.
type StatefulSetListV1 added in v0.4.0
type StatefulSetListV1 = appsv1.StatefulSetList
StatefulSetListV1 is a type alias for the v1 version of the k8s apps API.
type StatefulSetV1 added in v0.4.0
type StatefulSetV1 = appsv1.StatefulSet
StatefulSetV1 is a type alias for the v1 version of the k8s apps API.
type StatefulSetV1Beta1 added in v0.4.0
type StatefulSetV1Beta1 = appsv1beta1.StatefulSet
StatefulSetV1Beta1 is a type alias for the v1beta1 version of the k8s apps API.
Source Files
- all.go
- allowPrivilegeEscalation.go
- allowPrivilegeEscalation_fixes.go
- appArmor.go
- appArmor_fixes.go
- autofix.go
- automountServiceAccountToken.go
- automountServiceAccountToken_fixes.go
- cap_set.go
- capabilities.go
- capabilities_fixes.go
- debugHook.go
- errors.go
- image.go
- k8sruntime_util.go
- kubernetes.go
- limits.go
- logLevel.go
- networkPolicies.go
- occurrence.go
- privileged.go
- privileged_fixes.go
- readOnlyRootFilesystem.go
- readOnlyRootFilesystem_fixes.go
- result.go
- root.go
- runAsNonRoot.go
- runAsNonRoot_fixes.go
- seccomp.go
- seccomp_fixes.go
- securitycontext_fixes.go
- test_util.go
- types.go
- util.go
- version.go