Documentation ¶
Index ¶
- Constants
- func AssignSecurityContext(provider SecurityContextConstraintsProvider, pod *kapi.Pod, ...) field.ErrorList
- func ConstraintAppliesTo(constraint *securityapi.SecurityContextConstraints, userInfo user.Info, ...) bool
- func DeduplicateSecurityContextConstraints(sccs []*securityapi.SecurityContextConstraints) []*securityapi.SecurityContextConstraints
- func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error)
- type ByPriority
- type ByRestrictions
- type SCCMatcher
- type SecurityContextConstraintsProvider
- func CreateProviderFromConstraint(ns string, namespace *kapi.Namespace, ...) (SecurityContextConstraintsProvider, *kapi.Namespace, error)
- func CreateProvidersFromConstraints(ns string, sccs []*securityapi.SecurityContextConstraints, ...) ([]SecurityContextConstraintsProvider, []error)
- func NewSimpleProvider(scc *securityapi.SecurityContextConstraints) (SecurityContextConstraintsProvider, error)
Constants ¶
const SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
TODO promote like kube did
Variables ¶
This section is empty.
Functions ¶
func AssignSecurityContext ¶
func AssignSecurityContext(provider SecurityContextConstraintsProvider, pod *kapi.Pod, fldPath *field.Path) field.ErrorList
AssignSecurityContext creates a security context for each container in the pod and validates that the sc falls within the scc constraints. All containers must validate against the same scc or is not considered valid.
func ConstraintAppliesTo ¶
func ConstraintAppliesTo(constraint *securityapi.SecurityContextConstraints, userInfo user.Info, namespace string, a authorizer.Authorizer) bool
ConstraintAppliesTo inspects the constraint's users and groups against the userInfo to determine if it is usable by the userInfo. TODO make this private and have the router SA check do a SAR check instead. Anything we do here needs to work with a deny authorizer so the choices are limited to SAR / Authorizer
func DeduplicateSecurityContextConstraints ¶
func DeduplicateSecurityContextConstraints(sccs []*securityapi.SecurityContextConstraints) []*securityapi.SecurityContextConstraints
DeduplicateSecurityContextConstraints ensures we have a unique slice of constraints.
func SysctlsFromPodSecurityPolicyAnnotation ¶
TODO promote like kube did
Types ¶
type ByPriority ¶
type ByPriority []*securityapi.SecurityContextConstraints
ByRestrictions is a helper to sort SCCs based on priority. If priorities are equal a string compare of the name is used.
func (ByPriority) Len ¶
func (s ByPriority) Len() int
func (ByPriority) Less ¶
func (s ByPriority) Less(i, j int) bool
func (ByPriority) Swap ¶
func (s ByPriority) Swap(i, j int)
type ByRestrictions ¶
type ByRestrictions []*securityapi.SecurityContextConstraints
ByRestrictions is a helper to sort SCCs in order of most restrictive to least restrictive.
func (ByRestrictions) Len ¶
func (s ByRestrictions) Len() int
func (ByRestrictions) Less ¶
func (s ByRestrictions) Less(i, j int) bool
func (ByRestrictions) Swap ¶
func (s ByRestrictions) Swap(i, j int)
type SCCMatcher ¶
type SCCMatcher interface {
FindApplicableSCCs(user user.Info, namespace string) ([]*securityapi.SecurityContextConstraints, error)
}
func NewDefaultSCCMatcher ¶
func NewDefaultSCCMatcher(c securitylisters.SecurityContextConstraintsLister, authorizer authorizer.Authorizer) SCCMatcher
type SecurityContextConstraintsProvider ¶
type SecurityContextConstraintsProvider interface { // Create a PodSecurityContext based on the given constraints. CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error) // Create a container SecurityContext based on the given constraints CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, error) // Ensure a pod's SecurityContext is in compliance with the given constraints. ValidatePodSecurityContext(pod *api.Pod, fldPath *field.Path) field.ErrorList // Ensure a container's SecurityContext is in compliance with the given constraints ValidateContainerSecurityContext(pod *api.Pod, container *api.Container, fldPath *field.Path) field.ErrorList // Get the name of the SCC that this provider was initialized with. GetSCCName() string }
SecurityContextConstraintsProvider provides the implementation to generate a new security context based on constraints or validate an existing security context against constraints.
func CreateProviderFromConstraint ¶
func CreateProviderFromConstraint(ns string, namespace *kapi.Namespace, constraint *securityapi.SecurityContextConstraints, client clientset.Interface) (SecurityContextConstraintsProvider, *kapi.Namespace, error)
CreateProviderFromConstraint creates a SecurityContextConstraintProvider from a SecurityContextConstraint
func CreateProvidersFromConstraints ¶
func CreateProvidersFromConstraints(ns string, sccs []*securityapi.SecurityContextConstraints, client clientset.Interface) ([]SecurityContextConstraintsProvider, []error)
CreateProvidersFromConstraints creates providers from the constraints supplied, including looking up pre-allocated values if necessary using the pod's namespace.
func NewSimpleProvider ¶
func NewSimpleProvider(scc *securityapi.SecurityContextConstraints) (SecurityContextConstraintsProvider, error)
NewSimpleProvider creates a new SecurityContextConstraintsProvider instance.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package selinux contains security context constraints SELinux strategy implementations.
|
Package selinux contains security context constraints SELinux strategy implementations. |
Package user contains security context constraints user strategy implementations.
|
Package user contains security context constraints user strategy implementations. |