mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-27 05:04:52 +00:00
Drop hack/verify-govet-levee
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This commit is contained in:
Davanum Srinivas
8
hack/testdata/levee/OWNERS
vendored
8
hack/testdata/levee/OWNERS
vendored
@@ -1,8 +0,0 @@
|
||||
# See the OWNERS docs at https://go.k8s.io/owners
|
||||
|
||||
approvers:
|
||||
- sig-security-approvers
|
||||
reviewers:
|
||||
- sig-security-reviewers
|
||||
labels:
|
||||
- sig/security
|
||||
154
hack/testdata/levee/levee-config.yaml
vendored
154
hack/testdata/levee/levee-config.yaml
vendored
@@ -1,154 +0,0 @@
|
||||
# Copyright 2015 The Kubernetes Authors.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# This file holds configuration for taint propagation analysis of Kubernetes source via go-flow-levee.
|
||||
# It defines sources which may contain credentials and sinks where these should not be logged.
|
||||
# Sources may be identified by the FieldTags element, or by matching package, type, and field explicitly in the Sources element.
|
||||
# Sanitizers permit sources to safely reach a sink.
|
||||
# False positives may be suppressed in the Exclude block.
|
||||
# Note that `*RE` keys have regexp values.
|
||||
|
||||
# For additional details, see KEP-1933.
|
||||
---
|
||||
|
||||
# These field tags were introduced by KEP-1753 to indicate fields which may contain credentials
|
||||
FieldTags:
|
||||
- Key: "datapolicy"
|
||||
Value: "security-key"
|
||||
- Key: "datapolicy"
|
||||
Value: "token"
|
||||
- Key: "datapolicy"
|
||||
Value: "password"
|
||||
|
||||
# This preliminary collection of source types should be removed once
|
||||
# KEP-1753 adds tags to the relevant fields.
|
||||
Sources:
|
||||
# The following fields are tagged in #95994
|
||||
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
|
||||
TypeRE: "Config"
|
||||
FieldRE: "Password"
|
||||
- PackageRE: "k8s.io/kubernetes/test/e2e/storage/vsphere"
|
||||
TypeRE: "ConfigFile"
|
||||
FieldRE: "Global" # Global is of unnamed type, contains the field Password.
|
||||
|
||||
# The following fields are tagged in #95997
|
||||
- PackageRE: "k8s.io/kubelet/config/v1beta1"
|
||||
TypeRE: "KubeletConfiguration"
|
||||
FieldRE: "StaticPodURLHeader"
|
||||
|
||||
# The following fields are tagged in #95998
|
||||
- PackageRE: "k8s.io/kube-scheduler/config/v1"
|
||||
TypeRE: "ExtenderTLSConfig"
|
||||
FieldRE: "KeyData"
|
||||
|
||||
# The following fields are tagged in #95600
|
||||
- PackageRE: "k8s.io/cri-api/pkg/apis/runtime/v1"
|
||||
TypeRE: "AuthConfig"
|
||||
FieldRE: "Password|IdentityToken|RegistryToken"
|
||||
|
||||
# The following fields are tagged in #96002
|
||||
- PackageRE: "k8s.io/apiserver/pkg/apis/apiserver" # multiple versions
|
||||
TypeRE: "TLSConfig"
|
||||
FieldRE: "ClientKey"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/apis/config" # multiple versions
|
||||
TypeRE: "Key"
|
||||
FieldRE: "Secret"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/authentication/request/headerrequest"
|
||||
TypeRE: "requestHeaderBundle"
|
||||
FieldRE: "UsernameHeaders|GroupHeaders"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
TypeRE: "certKeyContent"
|
||||
FieldRE: "key"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/server/dynamiccertificates"
|
||||
TypeRE: "DynamicCertKeyPairContent"
|
||||
FieldRE: "certKeyPair"
|
||||
- PackageRE: "k8s.io/apiserver/pkg/server/options"
|
||||
TypeRE: "RequestHeaderAuthenticationOptions"
|
||||
FieldRE: "UsernameHeaders|GroupHeaders"
|
||||
- PackageRE: "k8s.io/apiserver/plugin/pkg/authenticator/token/oidc"
|
||||
TypeRE: "endpoint"
|
||||
FieldRE: "AccessToken"
|
||||
|
||||
# The following fields are tagged in #96003
|
||||
- PackageRE: "k8s.io/cli-runtime/pkg/genericclioptions"
|
||||
TypeRE: "ConfigFlags"
|
||||
FieldRE: "BearerToken|Password"
|
||||
|
||||
# The following fields are tagged in #96004
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/apis/config"
|
||||
TypeRE: "KubeletConfiguration"
|
||||
FieldRE: "StaticPodURLHeader"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/kubelet/client"
|
||||
TypeRE: "KubeletClientConfig"
|
||||
FieldRE: "BearerToken"
|
||||
|
||||
# The following fields are tagged in #96005
|
||||
- PackageRE: "k8s.io/api/authentication/v1"
|
||||
TypeRE: "TokenReviewSpec|TokenRequestStatus"
|
||||
FieldRE: " Token"
|
||||
- PackageRE: "k8s.io/api/authentication/v1beta1"
|
||||
TypeRE: "TokenReviewSpec"
|
||||
FieldRE: " Token"
|
||||
|
||||
# The following fields are tagged in #96007
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/azure"
|
||||
TypeRE: "acrAuthResponse"
|
||||
FieldRE: "RefreshToken"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "DockerConfigEntry"
|
||||
FieldRE: "Password"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "DockerConfigJSON"
|
||||
FieldRE: "Auths|HTTPHeaders"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "dockerConfigEntryWithAuth"
|
||||
FieldRE: "Password|Auth"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider/gcp"
|
||||
TypeRE: "tokenBlob"
|
||||
FieldRE: "AccessToken"
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/credentialprovider"
|
||||
TypeRE: "AuthConfig"
|
||||
FieldRE: "Password|Auth|IdentityToken|RegistryToken"
|
||||
|
||||
# The following fields are tagged in #96008
|
||||
- PackageRE: "k8s.io/kubernetes/pkg/controller/certificates/authority"
|
||||
TypeRE: "CertificateAuthority"
|
||||
FieldRE: "RawKey"
|
||||
|
||||
# The following fields are not yet tagged
|
||||
- PackageRE: "k8s.io/api/core/v1"
|
||||
TypeRE: "Secret"
|
||||
FieldRE: "Data|StringData"
|
||||
|
||||
# Sinks are functions that should not be called with source or source-tainted arguments.
|
||||
# This configuration should capture all log unfiltered log calls.
|
||||
Sinks:
|
||||
- PackageRE: "k?log"
|
||||
# Empty regexp receiver will match both top-level klog functions and klog.Verbose methods.
|
||||
ReceiverRE: ""
|
||||
MethodRE: "Info|Warning|Error|Fatal|Exit"
|
||||
|
||||
# Sanitizers permit a source to reach a sink by explicitly removing the source data.
|
||||
Sanitizers:
|
||||
# maskValue strips bearer tokens from request headers
|
||||
- PackageRE: "k8s.io/client-go/transport"
|
||||
MethodRE: "maskValue"
|
||||
|
||||
# False positives may be suppressed here.
|
||||
# Exclude reporting within a given function by specifying it similar to Sinks, i.e.,
|
||||
# PackageRE | ReceiverRE | MethodRE regexp
|
||||
Exclude:
|
||||
- PackageRE: "k8s.io/kubernetes/cmd/kubelet/app"
|
||||
# Regexp matches anonymized inner function
|
||||
MethodRE: "NewKubeletCommand"
|
||||
Reference in New Issue
Block a user