package kubeaudit
import "github.com/Shopify/kubeaudit/pkg/k8s"
// AuditResult severity levels. They also correspond to log levels.
//
// The levels are assigned with iota, so their declaration order is significant:
// Info is 0, Warn is 1 and Error is 2.
const (
	// Info is used for informational audit results where no action is required.
	Info SeverityLevel = iota
	// Warn is used for audit results where there may be security concerns. If an auditor is disabled for a resource
	// using an override label, the audit results will be warnings instead of errors. Kubeaudit will NOT attempt to
	// fix these.
	Warn
	// Error is used for audit results where action is required. Kubeaudit will attempt to fix these.
	Error
)
// Result contains the audit results for a single Kubernetes resource.
type Result interface {
	// GetResource returns the Kubernetes resource that was audited.
	GetResource() KubeResource
	// GetAuditResults returns the audit results recorded for that resource.
	GetAuditResults() []*AuditResult
}
// SeverityLevel is the severity of an AuditResult; it is one of Info, Warn or Error.
type SeverityLevel int
// String returns the lower-case name of the severity level: "info", "warning" or "error".
// Note that Warn is spelled "warning". Any value that is not one of the declared
// levels is reported as "unknown".
func (s SeverityLevel) String() string {
	names := map[SeverityLevel]string{
		Info:  "info",
		Warn:  "warning",
		Error: "error",
	}
	if name, ok := names[s]; ok {
		return name
	}
	return "unknown"
}
// AuditResult represents a potential security issue. There may be multiple AuditResults per resource and audit.
type AuditResult struct {
	Auditor    string        // Auditor is the name of the auditor that produced the result
	Rule       string        // Rule uniquely identifies a type of violation
	Severity   SeverityLevel // Severity is one of Error, Warn, or Info
	Message    string        // Message is a human-readable description of the audit result
	PendingFix PendingFix    // PendingFix is the fix that will be applied to automatically fix the security issue; nil when no automatic fix is available (Fix then returns nil and FixPlan reports ok == false)
	Metadata   Metadata      // Metadata includes additional context for an audit result (a map[string]string)
	FilePath   string        // FilePath is the manifest file path
}
// Fix applies the result's pending fix to resource and returns any new resources the fix
// created. PendingFix.Apply is expected to modify resource in place. When the result has no
// pending fix, resource is left untouched and nil is returned.
func (result *AuditResult) Fix(resource k8s.Resource) (newResources []k8s.Resource) {
	fix := result.PendingFix
	if fix != nil {
		newResources = fix.Apply(resource)
	}
	return newResources
}
// FixPlan reports whether the result has a pending fix and, if so, returns the human-readable
// plan for it (see PendingFix.Plan). When ok is false, plan is the empty string.
func (result *AuditResult) FixPlan() (ok bool, plan string) {
	fix := result.PendingFix
	ok = fix != nil
	if ok {
		plan = fix.Plan()
	}
	return ok, plan
}
// PendingFix includes the logic to automatically fix the issues caught by auditing.
// An AuditResult whose PendingFix is nil has no automatic fix.
type PendingFix interface {
	// Plan returns a human-readable description of what Apply() will do.
	Plan() string
	// Apply applies the proposed fix to the resource and returns any new resources that were created. Note that
	// Apply is expected to modify the passed in resource.
	Apply(k8s.Resource) []k8s.Resource
}
// Metadata holds metadata for a potential security issue. It is a type alias, so a plain
// map[string]string can be used anywhere a Metadata is expected.
type Metadata = map[string]string
// WorkloadResult implements Result. It pairs an audited Kubernetes resource with the
// audit results recorded for it.
type WorkloadResult struct {
	Resource     KubeResource   // Resource is the audited resource
	AuditResults []*AuditResult // AuditResults are the audit results found for Resource
}
// GetResource returns the audited Kubernetes resource. It implements Result.
func (wlResult *WorkloadResult) GetResource() (resource KubeResource) {
	resource = wlResult.Resource
	return resource
}
// GetAuditResults returns the audit results recorded for the resource. It implements Result.
// The slice is returned as stored, not copied, so modifying it affects the WorkloadResult.
func (wlResult *WorkloadResult) GetAuditResults() (results []*AuditResult) {
	results = wlResult.AuditResults
	return results
}