This folder contains the definitions of the new CRDs needed by the agent, mainly the policies CRD. It defines all the Go types required to make the Kubernetes API client aware of the new policy object, so that it supports the same operations as the built-in Kubernetes objects.
This holds the manifests generated from the structs defined in the api folder. The files are generated by controller-gen, which ships with kubebuilder. Currently only the CRD manifests are used.
This module is responsible for loading the agent configuration and validating it. It uses viper to read a configuration file.
This contains the core of the agent's logic. All of the agent's functionality lives here (audit, admission, ...), as well as the code for the various sinks.
This contains the admission module. It uses the controller-runtime Kubernetes package to register a callback that is invoked whenever the agent receives an admission request.
Performs the audit functionality. It runs at the configured interval, lists all the resources that the agent has permission to list, and validates them against the policies.
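As an added example (not the agent's own code) of the validation this module is responsible for: the configuration is decoded, every problem is collected, and the agent refuses to start on an invalid file rather than running with a silently wrong setting. The field names, the sink list and the use of encoding/json in place of viper are assumptions made so that the block runs stand-alone.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Config is an assumed shape for the agent's configuration file. The field
// names are invented for this example; the real agent loads its file with
// viper, which is replaced here by encoding/json so the block runs stand-alone.
type Config struct {
	AuditInterval string   `json:"auditInterval"` // Go duration string, e.g. "30m"
	Sinks         []string `json:"sinks"`
	Admission     struct {
		Enabled  bool   `json:"enabled"`
		CertFile string `json:"certFile"`
		KeyFile  string `json:"keyFile"`
	} `json:"admission"`
}

// knownSinks lists the sink names described in this folder layout.
var knownSinks = map[string]bool{
	"elastic": true, "filesystem": true, "flux-notification": true, "k8s-event": true,
}

// ParseConfig decodes a configuration document and validates it. Unknown keys
// are rejected so that a misspelt option cannot silently fall back to a default.
func ParseConfig(data []byte) (*Config, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var cfg Config
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("decode config: %w", err)
	}
	if err := cfg.Validate(); err != nil {
		return nil, err
	}
	return &cfg, nil
}

// Validate collects every problem instead of stopping at the first one, so an
// operator sees all mistakes in a single failed start-up.
func (c *Config) Validate() error {
	var problems []string
	if d, err := time.ParseDuration(c.AuditInterval); err != nil || d <= 0 {
		problems = append(problems, fmt.Sprintf("auditInterval %q must be a positive duration", c.AuditInterval))
	}
	if len(c.Sinks) == 0 {
		problems = append(problems, "no sinks configured: validation results would be dropped")
	}
	for _, s := range c.Sinks {
		if !knownSinks[s] {
			problems = append(problems, fmt.Sprintf("unknown sink %q", s))
		}
	}
	if c.Admission.Enabled && (c.Admission.CertFile == "" || c.Admission.KeyFile == "") {
		problems = append(problems, "admission.enabled is true but certFile/keyFile are not set")
	}
	if len(problems) > 0 {
		return fmt.Errorf("invalid configuration:\n  - %s", strings.Join(problems, "\n  - "))
	}
	return nil
}

// Interval returns the parsed audit interval; safe to call after Validate.
func (c *Config) Interval() time.Duration {
	d, _ := time.ParseDuration(c.AuditInterval)
	return d
}

func main() {
	// Constructed sample: admission enabled without a key file, plus a misspelt sink.
	bad := []byte(`{"auditInterval":"30m","sinks":["filesytem"],"admission":{"enabled":true,"certFile":"/tls/tls.crt"}}`)
	if _, err := ParseConfig(bad); err != nil {
		fmt.Println(err)
	}
}
```

Rejecting unknown keys matters more than it looks: a typo such as `"adminsion"` would otherwise leave the admission webhook disabled without any error.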
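To show what the callback actually receives and must answer, here is an added example (not the agent's code, and written against the wire format rather than controller-runtime so it runs stand-alone): a validating handler that decodes an admission.k8s.io/v1 AdmissionReview, runs the policies that target the object's kind, and returns a denial listing every violation. The Policy type, the NoPrivilegedContainers policy and the request body are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Minimal subset of the admission.k8s.io/v1 AdmissionReview wire format;
// only the fields this handler reads or writes are modelled.
type GroupVersionKind struct {
	Group string `json:"group"`
	Kind  string `json:"kind"`
}

type AdmissionRequest struct {
	UID    string           `json:"uid"`
	Kind   GroupVersionKind `json:"kind"`
	Object json.RawMessage  `json:"object"`
}

type Status struct {
	Code    int32  `json:"code"`
	Message string `json:"message"`
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Status  *Status `json:"status,omitempty"`
}

type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

// Policy stands in for the agent's policy type: it targets some kinds and
// returns one message per violation found in the decoded object.
type Policy struct {
	Name  string
	Kinds []string
	Check func(obj map[string]interface{}) []string
}

// NoPrivilegedContainers is a constructed example policy for Pods.
var NoPrivilegedContainers = Policy{
	Name: "no-privileged-containers", Kinds: []string{"Pod"},
	Check: func(obj map[string]interface{}) []string {
		var out []string
		spec, _ := obj["spec"].(map[string]interface{})
		containers, _ := spec["containers"].([]interface{})
		for _, c := range containers {
			cm, _ := c.(map[string]interface{})
			sc, _ := cm["securityContext"].(map[string]interface{})
			if priv, _ := sc["privileged"].(bool); priv {
				out = append(out, fmt.Sprintf("container %v runs privileged", cm["name"]))
			}
		}
		return out
	},
}

// Evaluate runs every policy targeting the request's kind and returns the
// decision. It fails closed: an object that cannot be decoded is denied.
func Evaluate(req *AdmissionRequest, policies []Policy) *AdmissionResponse {
	var obj map[string]interface{}
	if err := json.Unmarshal(req.Object, &obj); err != nil {
		return &AdmissionResponse{UID: req.UID, Allowed: false,
			Status: &Status{Code: http.StatusBadRequest, Message: "object could not be decoded: " + err.Error()}}
	}
	var violations []string
	for _, p := range policies {
		for _, k := range p.Kinds {
			if k != req.Kind.Kind {
				continue
			}
			for _, v := range p.Check(obj) {
				violations = append(violations, p.Name+": "+v)
			}
		}
	}
	if len(violations) > 0 {
		return &AdmissionResponse{UID: req.UID, Allowed: false,
			Status: &Status{Code: http.StatusForbidden, Message: strings.Join(violations, "; ")}}
	}
	return &AdmissionResponse{UID: req.UID, Allowed: true}
}

// Handler serves the endpoint the API server posts AdmissionReviews to (the
// real agent registers the equivalent with controller-runtime's webhook server).
func Handler(policies []Policy) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // bound the body size
		var review AdmissionReview
		if err == nil {
			err = json.Unmarshal(body, &review)
		}
		if err != nil || review.Request == nil {
			http.Error(w, "malformed AdmissionReview", http.StatusBadRequest)
			return
		}
		// The response must echo apiVersion, kind and the request UID.
		out := AdmissionReview{APIVersion: review.APIVersion, Kind: review.Kind, Response: Evaluate(review.Request, policies)}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(out)
	}
}

func main() {
	// Constructed request for a privileged Pod; prints the denial the API server would receive.
	req := &AdmissionRequest{UID: "4b7e", Kind: GroupVersionKind{Kind: "Pod"},
		Object: json.RawMessage(`{"spec":{"containers":[{"name":"app","securityContext":{"privileged":true}}]}}`)}
	out, _ := json.Marshal(Evaluate(req, []Policy{NoPrivilegedContainers}))
	fmt.Println(string(out))
}
```

Two decisions are worth copying into any admission webhook: the body is size-limited before it is decoded, and a request whose object cannot be parsed is denied rather than allowed, since an allow on a decode error lets a malformed object bypass every policy.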
Contains client code for contacting external services.
Contains code that makes use of the Kubernetes client to contact the API server.
This module is mainly used to return the entities that will be part of the audit. It does so by checking which resources the agent has permissions on, then checking the API resources that exist on the cluster, and returning those that match and that the agent has permission to list.
Contains the implementations of the PoliciesSource interface, which is responsible for returning the policies to the validation operation. It contains the CRD implementation, which fetches them from the Kubernetes API.
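As an added example (not the agent's own code) covering both the audit pass described above and this scoping module: the audit scope is the intersection of what discovery says exists and supports list with what the agent's RBAC rules allow it to list, and each pass lists and validates those resources on a ticker. The Lister and Validator function types, the in-memory discovery and rule data, and the hostNetwork check in the usage are assumptions standing in for the dynamic client, a SelfSubjectRulesReview and a real policy.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"strings"
	"time"
)

// APIResource is the subset of a discovery entry (kubectl api-resources) the audit needs.
type APIResource struct {
	Group, Name, Kind string
	Verbs             []string
}

// PolicyRule mirrors an RBAC rule granted to the agent; "*" is a wildcard in any field.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

func hasExact(set []string, want string) bool {
	for _, s := range set {
		if s == want {
			return true
		}
	}
	return false
}

func hasOrWildcard(set []string, want string) bool {
	return hasExact(set, "*") || hasExact(set, want)
}

// canList reports whether any granted rule lets the agent list the resource.
func canList(rules []PolicyRule, r APIResource) bool {
	for _, rule := range rules {
		if hasOrWildcard(rule.APIGroups, r.Group) && hasOrWildcard(rule.Resources, r.Name) &&
			hasOrWildcard(rule.Verbs, "list") {
			return true
		}
	}
	return false
}

// AuditScope keeps resources that exist on the cluster, support list and that the agent
// may list; sub-resources (pods/status) are skipped and the result is sorted for stable passes.
func AuditScope(discovered []APIResource, rules []PolicyRule) []APIResource {
	var out []APIResource
	for _, r := range discovered {
		if strings.Contains(r.Name, "/") || !hasExact(r.Verbs, "list") || !canList(rules, r) {
			continue
		}
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Group+"/"+out[i].Name < out[j].Group+"/"+out[j].Name
	})
	return out
}

// Lister stands in for the dynamic-client list call; Validator yields one message per violation.
type Lister func(r APIResource) ([]map[string]interface{}, error)
type Validator func(kind string, obj map[string]interface{}) []string

// AuditOnce lists every in-scope resource and validates each object. A list failure (for
// example RBAC changed after discovery) is reported and the pass continues with the rest.
func AuditOnce(scope []APIResource, list Lister, validate Validator) (map[string][]string, []error) {
	violations := map[string][]string{}
	var errs []error
	for _, r := range scope {
		objs, err := list(r)
		if err != nil {
			errs = append(errs, fmt.Errorf("list %s/%s: %w", r.Group, r.Name, err))
			continue
		}
		for _, o := range objs {
			meta, _ := o["metadata"].(map[string]interface{})
			key := fmt.Sprintf("%s/%v/%v", r.Kind, meta["namespace"], meta["name"])
			if v := validate(r.Kind, o); len(v) > 0 {
				violations[key] = append(violations[key], v...)
			}
		}
	}
	return violations, errs
}

// RunAudit drives AuditOnce at the configured interval until ctx is cancelled.
func RunAudit(ctx context.Context, interval time.Duration, scope []APIResource, list Lister, validate Validator, report func(map[string][]string, []error)) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
			report(AuditOnce(scope, list, validate))
		}
	}
}

func main() {
	// Constructed inputs: discovery says secrets are listable, but no rule grants it.
	discovered := []APIResource{{Name: "pods", Kind: "Pod", Verbs: []string{"get", "list"}},
		{Name: "secrets", Kind: "Secret", Verbs: []string{"get", "list"}}}
	rules := []PolicyRule{{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"list"}}}
	for _, r := range AuditScope(discovered, rules) {
		fmt.Println("in scope:", r.Kind)
	}
}
```

The scope is computed from both sides deliberately: a rule granting list on a resource the cluster does not serve (or that only supports create, like bindings) would otherwise produce a failing list call on every pass, and a resource the cluster serves but the agent cannot list would be a guaranteed 403.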
Contains the implementations of PolicyValidationSink, responsible for writing the validation results to a configured destination:
- elastic: writes to an Elasticsearch instance
- filesystem: writes to a configured file path
- flux-notification: integrates with Flux and writes to its notification controller
- k8s-event: writes a Kubernetes event on the cluster
Contains the Terraform server used by the Terraform controller to validate Terraform plans against Terraform policies.