Documentation

Index

Constants

const KubernetesContainerNameIdentifier = "@usr:io.kubernetes.container.name"

    KubernetesContainerNameIdentifier is the label used by Docker for the K8S container name.

const KubernetesInfraContainerName = "POD"

    KubernetesInfraContainerName is the name of the infra POD.

const KubernetesPodNameIdentifier = "@usr:io.kubernetes.pod.name"

    KubernetesPodNameIdentifier is the label used by Docker for the K8S pod name.

const KubernetesPodNamespaceIdentifier = "@usr:io.kubernetes.pod.namespace"

    KubernetesPodNamespaceIdentifier is the label used by Docker for the K8S namespace.

const UpstreamNameIdentifier = "@app:k8s:name"

    UpstreamNameIdentifier is the identifier used to identify the name on the resulting PU.

const UpstreamNamespaceIdentifier = "@app:k8s:namespace"

    UpstreamNamespaceIdentifier is the identifier used to identify the namespace on the resulting PU.

const UpstreamOldNameIdentifier = "@k8s:name"

    UpstreamOldNameIdentifier is the identifier used to identify the name on the resulting PU. TODO: Remove OLDTAGS

const UpstreamOldNamespaceIdentifier = "@k8s:namespace"

    UpstreamOldNamespaceIdentifier is the identifier used to identify the namespace on the resulting PU.

const UserLabelPrefix = "@usr:"

    UserLabelPrefix is the label prefix for all user-defined labels.

Variables

var ErrNoHostNetworkPod = fmt.Errorf("pod is not a host network pod")

    ErrNoHostNetworkPod is returned from the NetclsProgrammer if the given pod is not a host network pod.

Functions

func ComputeFileMd5

func ComputeFileMd5(filePath string) ([]byte, error)

    ComputeFileMd5 computes the MD5 digest of a file.

func DefaultHostMetadataExtractor

func DefaultHostMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error)

    DefaultHostMetadataExtractor is a host-specific metadata extractor.

func DefaultKubernetesMetadataExtractor

func DefaultKubernetesMetadataExtractor(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error)

    DefaultKubernetesMetadataExtractor is the default implementation of the metadata extractor for Kubernetes. It only activates the POD/INFRA containers and strips all the labels from Docker, keeping only the ones from Kubernetes.

func DefaultMetadataExtractor

func DefaultMetadataExtractor(info *types.ContainerJSON) (*policy.PURuntime, error)

    DefaultMetadataExtractor is the default metadata extractor for Docker.

func ErrNetclsAlreadyProgrammed

func ErrNetclsAlreadyProgrammed(mark string) error

    ErrNetclsAlreadyProgrammed is returned from the NetclsProgrammer when the net_cls cgroup for this pod has already been programmed.

func IsErrNetclsAlreadyProgrammed

func IsErrNetclsAlreadyProgrammed(err error) bool

    IsErrNetclsAlreadyProgrammed checks if the provided error is an ErrNetclsAlreadyProgrammed error.

func IsErrNoHostNetworkPod

func IsErrNoHostNetworkPod(err error) bool

    IsErrNoHostNetworkPod checks if the provided error is an ErrNoHostNetworkPod error.

func IsHostPU

func IsHostPU(runtime policy.RuntimeReader, mode constants.ModeType) bool

    IsHostPU returns true if the puType stored by policy extensions is a host PU.

func IsHostmodePU

func IsHostmodePU(runtime policy.RuntimeReader, mode constants.ModeType) bool

    IsHostmodePU returns true if the puType stored by policy extensions is a hostmode PU.

func Libs

func Libs(binpath string) []string

    Libs returns the list of dynamic library dependencies of an executable.

func ProcessInfo

func ProcessInfo(pid int32) []string

    ProcessInfo returns all metadata captured for a process.

func SSHMetadataExtractor

func SSHMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error)

    SSHMetadataExtractor is a metadata extractor for ssh.

func SystemdEventMetadataExtractor

func SystemdEventMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error)

    SystemdEventMetadataExtractor is a systemd-based metadata extractor. TODO: Remove OLDTAGS

func UIDMetadataExtractor

func UIDMetadataExtractor(event *common.EventInfo) (*policy.PURuntime, error)

    UIDMetadataExtractor is a metadata extractor for uid/gid.

Types

type DockerMetadataExtractor

type DockerMetadataExtractor func(*types.ContainerJSON) (*policy.PURuntime, error)

    A DockerMetadataExtractor is a function used to extract a *policy.PURuntime from a given Docker ContainerJSON.

func NewExternalExtractor

func NewExternalExtractor(filePath string) (DockerMetadataExtractor, error)

    NewExternalExtractor returns a new bash metadata extractor for Docker that calls the executable given as parameter and generates a Policy Runtime on its standard output. The input and output of the executable are in standard JSON.

type EventMetadataExtractor

type EventMetadataExtractor func(*common.EventInfo) (*policy.PURuntime, error)

    EventMetadataExtractor is a function used to extract a *policy.PURuntime from a given EventInfo. The EventInfo is generic and is provided over the RPC interface.

type KubernetesMetadataExtractorType

type KubernetesMetadataExtractorType func(runtime policy.RuntimeReader, pod *api.Pod) (*policy.PURuntime, bool, error)

    KubernetesMetadataExtractorType is an extractor function for Kubernetes. It takes as parameters a standard Docker runtime and a Kubernetes Pod definition and returns a PolicyRuntime. This extractor also returns an extra boolean that is used as a token to decide if activation is required.

type LinuxMetadataExtractorType

type LinuxMetadataExtractorType func(event *common.EventInfo) (*policy.PURuntime, error)

    LinuxMetadataExtractorType is the type of Linux metadata extractors.

type PodMetadataExtractor

type PodMetadataExtractor func(context.Context, client.Client, *runtime.Scheme, *corev1.Pod, bool) (*policy.PURuntime, error)

    PodMetadataExtractor is a function used to extract a *policy.PURuntime from a given Kubernetes pod. It can furthermore extract more information using the client. The 5th argument (bool) indicates whether a network namespace should be extracted.

type PodNetclsProgrammer

type PodNetclsProgrammer func(context.Context, *corev1.Pod, policy.RuntimeReader) error

    PodNetclsProgrammer is a function used to program the net_cls cgroup of a pod for Trireme. This has to be used when Trireme is used in conjunction with pods that are in HostNetwork=true mode.

type PodPidsSetMaxProcsProgrammer

type PodPidsSetMaxProcsProgrammer func(ctx context.Context, pod *corev1.Pod, maxProcs int) error

    PodPidsSetMaxProcsProgrammer is a function used to program the pids cgroup of a pod for Trireme.

type PodSandboxExtractor

type PodSandboxExtractor func(context.Context, *corev1.Pod) (string, error)

    PodSandboxExtractor is a function used to extract the SandboxID from a given pod.

type ResetNetclsKubepods

type ResetNetclsKubepods func(context.Context) error

    ResetNetclsKubepods is a function which must be implemented to reset all net_cls cgroup programming of Trireme. It is called during Resync events in monitors and guarantees a fresh slate for the Kubernetes monitors.