securitycontext

package
v1.5.5-beta.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 8, 2017 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

Package securitycontext contains security context api implementations

Index

Constants

View Source
const (
	DockerLabelUser    string = "label:user"
	DockerLabelRole    string = "label:role"
	DockerLabelType    string = "label:type"
	DockerLabelLevel   string = "label:level"
	DockerLabelDisable string = "label:disable"
)

Variables

This section is empty.

Functions

func DetermineEffectiveSecurityContext added in v1.2.0

func DetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext

func HasCapabilitiesRequest

func HasCapabilitiesRequest(container *api.Container) bool

HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils

func HasPrivilegedRequest

func HasPrivilegedRequest(container *api.Container) bool

HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils

func HasRootRunAsUser added in v1.1.0

func HasRootRunAsUser(container *api.Container) bool

HasRootRunAsUser returns true if the run as user is set and it is set to 0.

func HasRootUID added in v1.1.0

func HasRootUID(container *api.Container) bool

HasNonRootUID returns true if the runAsUser is set and is greater than 0.

func HasRunAsUser added in v1.1.0

func HasRunAsUser(container *api.Container) bool

HasRunAsUser determines if the sc's runAsUser field is set.

func MakeCapabilities added in v1.2.0

func MakeCapabilities(capAdd []api.Capability, capDrop []api.Capability) ([]string, []string)

MakeCapabilities creates string slices from Capability slices

func ModifySecurityOptions added in v1.5.0

func ModifySecurityOptions(config []string, selinuxOpts *api.SELinuxOptions) []string

ModifySecurityOptions adds SELinux options to config.

func ParseSELinuxOptions added in v1.1.0

func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)

ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned.

func ValidSecurityContextWithContainerDefaults

func ValidSecurityContextWithContainerDefaults() *api.SecurityContext

ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

Types

type FakeSecurityContextProvider

type FakeSecurityContextProvider struct{}

func (FakeSecurityContextProvider) ModifyContainerConfig

func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)

func (FakeSecurityContextProvider) ModifyHostConfig

func (p FakeSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)

type SecurityContextProvider

type SecurityContextProvider interface {
	// ModifyContainerConfig is called before the Docker createContainer call.
	// The security context provider can make changes to the Config with which
	// the container is created.
	ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)

	// ModifyHostConfig is called before the Docker createContainer call.
	// The security context provider can make changes to the HostConfig, affecting
	// security options, whether the container is privileged, volume binds, etc.
	// An error is returned if it's not possible to secure the container as requested
	// with a security context.
	//
	// - pod: the pod to modify the docker hostconfig for
	// - container: the container to modify the hostconfig for
	// - supplementalGids: additional supplemental GIDs associated with the pod's volumes
	ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
}

func NewFakeSecurityContextProvider

func NewFakeSecurityContextProvider() SecurityContextProvider

NewFakeSecurityContextProvider creates a new, no-op security context provider.

func NewSimpleSecurityContextProvider

func NewSimpleSecurityContextProvider() SecurityContextProvider

NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.

type SimpleSecurityContextProvider

type SimpleSecurityContextProvider struct{}

SimpleSecurityContextProvider is the default implementation of a SecurityContextProvider.

func (SimpleSecurityContextProvider) ModifyContainerConfig

func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)

ModifyContainerConfig is called before the Docker createContainer call. The security context provider can make changes to the Config with which the container is created.

func (SimpleSecurityContextProvider) ModifyHostConfig

func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)

ModifyHostConfig is called before the Docker runContainer call. The security context provider can make changes to the HostConfig, affecting security options, whether the container is privileged, volume binds, etc.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL