Documentation
Overview
Package securitycontext contains security context API implementations.
Index
- func DockerLabelDisable(separator rune) string
- func DockerLabelLevel(separator rune) string
- func DockerLabelRole(separator rune) string
- func DockerLabelType(separator rune) string
- func DockerLabelUser(separator rune) string
- func ModifySecurityOptions(config []string, selinuxOpts *v1.SELinuxOptions, separator rune) []string
- type FakeSecurityContextProvider
- type SecurityContextProvider
- type SimpleSecurityContextProvider
Constants
This section is empty.
Variables
This section is empty.
Functions
func DockerLabelDisable
func DockerLabelDisable(separator rune) string
DockerLabelDisable returns the Docker security opt that disables SELinux for the container.
func DockerLabelLevel
func DockerLabelLevel(separator rune) string
DockerLabelLevel returns the fragment of a Docker security opt that describes the SELinux level. Note that strictly speaking this is not actually the name of the security opt, but a fragment of the whole key-value pair necessary to set the opt.
func DockerLabelRole
func DockerLabelRole(separator rune) string
DockerLabelRole returns the fragment of a Docker security opt that describes the SELinux role. Note that strictly speaking this is not actually the name of the security opt, but a fragment of the whole key-value pair necessary to set the opt.
func DockerLabelType
func DockerLabelType(separator rune) string
DockerLabelType returns the fragment of a Docker security opt that describes the SELinux type. Note that strictly speaking this is not actually the name of the security opt, but a fragment of the whole key-value pair necessary to set the opt.
func DockerLabelUser
func DockerLabelUser(separator rune) string
DockerLabelUser returns the fragment of a Docker security opt that describes the SELinux user. Note that strictly speaking this is not actually the name of the security opt, but a fragment of the whole key-value pair necessary to set the opt.
func ModifySecurityOptions
func ModifySecurityOptions(config []string, selinuxOpts *v1.SELinuxOptions, separator rune) []string
ModifySecurityOptions adds SELinux options to config using the given separator.
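As an added, stand-alone illustration of how the DockerLabel* fragments and ModifySecurityOptions fit together (written for this page, not the package's own code): the SELinuxOptions stand-in, the helper names and the `label<separator><key>:<value>` opt syntax are assumptions here, with the separator being ':' on older Docker API versions and '=' on newer ones. SELinuxDisabled is an audit-side check for the opt that DockerLabelDisable produces.

```go
package main

import "fmt"

// SELinuxOptions is a constructed stand-in for the four fields of v1.SELinuxOptions.
type SELinuxOptions struct {
	User, Role, Type, Level string
}

// labelFragment builds the "label<sep><key>:" prefix of a Docker SELinux
// security opt; sep is ':' on older Docker API versions and '=' on newer ones.
func labelFragment(sep rune, key string) string {
	return fmt.Sprintf("label%c%s:", sep, key)
}

// AddSELinuxOpts appends one security opt per non-empty SELinux field, the behaviour
// the page documents for ModifySecurityOptions (a reconstruction for this example,
// not the package's own code). A nil opts leaves config untouched.
func AddSELinuxOpts(config []string, opts *SELinuxOptions, sep rune) []string {
	if opts == nil {
		return config
	}
	fields := []struct{ key, val string }{
		{"user", opts.User}, {"role", opts.Role}, {"type", opts.Type}, {"level", opts.Level},
	}
	for _, f := range fields {
		if f.val != "" {
			config = append(config, labelFragment(sep, f.key)+f.val)
		}
	}
	return config
}

// SELinuxDisabled reports whether a HostConfig.SecurityOpt slice carries the opt that
// DockerLabelDisable produces ("label:disable" or "label=disable"), i.e. the container
// runs without SELinux confinement, which an audit of pod security settings should flag.
func SELinuxDisabled(securityOpts []string) bool {
	for _, o := range securityOpts {
		if o == "label:disable" || o == "label=disable" {
			return true
		}
	}
	return false
}

func main() {
	opts := &SELinuxOptions{User: "system_u", Type: "container_t", Level: "s0:c123,c456"}
	fmt.Println(AddSELinuxOpts([]string{"no-new-privileges"}, opts, '='))
	fmt.Println(SELinuxDisabled([]string{"label=disable"}))
}
```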
Types
type FakeSecurityContextProvider
type FakeSecurityContextProvider struct{}
func (FakeSecurityContextProvider) ModifyContainerConfig
func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *v1.Pod, container *v1.Container, config *dockercontainer.Config)
func (FakeSecurityContextProvider) ModifyHostConfig
func (p FakeSecurityContextProvider) ModifyHostConfig(pod *v1.Pod, container *v1.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
type SecurityContextProvider
type SecurityContextProvider interface {
	// ModifyContainerConfig is called before the Docker createContainer call.
	// The security context provider can make changes to the Config with which
	// the container is created.
	ModifyContainerConfig(pod *v1.Pod, container *v1.Container, config *dockercontainer.Config)

	// ModifyHostConfig is called before the Docker createContainer call.
	// The security context provider can make changes to the HostConfig, affecting
	// security options, whether the container is privileged, volume binds, etc.
	// An error is returned if it's not possible to secure the container as requested
	// with a security context.
	//
	// - pod: the pod to modify the docker hostconfig for
	// - container: the container to modify the hostconfig for
	// - supplementalGids: additional supplemental GIDs associated with the pod's volumes
	ModifyHostConfig(pod *v1.Pod, container *v1.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
}
func NewFakeSecurityContextProvider
func NewFakeSecurityContextProvider() SecurityContextProvider
NewFakeSecurityContextProvider creates a new, no-op security context provider.
func NewSimpleSecurityContextProvider
func NewSimpleSecurityContextProvider(securityOptSeparator rune) SecurityContextProvider
NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.
type SimpleSecurityContextProvider
type SimpleSecurityContextProvider struct {
// contains filtered or unexported fields
}
SimpleSecurityContextProvider is the default implementation of a SecurityContextProvider.
func (SimpleSecurityContextProvider) ModifyContainerConfig
func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *v1.Pod, container *v1.Container, config *dockercontainer.Config)
ModifyContainerConfig is called before the Docker createContainer call. The security context provider can make changes to the Config with which the container is created.
func (SimpleSecurityContextProvider) ModifyHostConfig
func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *v1.Pod, container *v1.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
ModifyHostConfig is called before the Docker runContainer call. The security context provider can make changes to the HostConfig, affecting security options, whether the container is privileged, volume binds, etc.