Documentation
¶
Overview ¶
Package securitycontext contains security context api implementations
Index ¶
- func DetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext
- func HasCapabilitiesRequest(container *api.Container) bool
- func HasPrivilegedRequest(container *api.Container) bool
- func HasRootRunAsUser(container *api.Container) bool
- func HasRootUID(container *api.Container) bool
- func HasRunAsUser(container *api.Container) bool
- func MakeCapabilities(capAdd []api.Capability, capDrop []api.Capability) ([]string, []string)
- func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)
- func ValidSecurityContextWithContainerDefaults() *api.SecurityContext
- type FakeSecurityContextProvider
- type SecurityContextProvider
- type SimpleSecurityContextProvider
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DetermineEffectiveSecurityContext ¶ added in v1.2.0
func HasCapabilitiesRequest ¶
HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils
func HasPrivilegedRequest ¶
HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils
func HasRootRunAsUser ¶ added in v1.1.0
HasRootRunAsUser returns true if the run as user is set and it is set to 0.
func HasRootUID ¶ added in v1.1.0
HasNonRootUID returns true if the runAsUser is set and is greater than 0.
func HasRunAsUser ¶ added in v1.1.0
HasRunAsUser determines if the sc's runAsUser field is set.
func MakeCapabilities ¶ added in v1.2.0
func MakeCapabilities(capAdd []api.Capability, capDrop []api.Capability) ([]string, []string)
MakeCapabilities creates string slices from Capability slices
func ParseSELinuxOptions ¶ added in v1.1.0
func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)
ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned.
func ValidSecurityContextWithContainerDefaults ¶
func ValidSecurityContextWithContainerDefaults() *api.SecurityContext
ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
Types ¶
type FakeSecurityContextProvider ¶
type FakeSecurityContextProvider struct{}
func (FakeSecurityContextProvider) ModifyContainerConfig ¶
func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)
func (FakeSecurityContextProvider) ModifyHostConfig ¶
func (p FakeSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
type SecurityContextProvider ¶
type SecurityContextProvider interface {
// ModifyContainerConfig is called before the Docker createContainer call.
// The security context provider can make changes to the Config with which
// the container is created.
ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)
// ModifyHostConfig is called before the Docker createContainer call.
// The security context provider can make changes to the HostConfig, affecting
// security options, whether the container is privileged, volume binds, etc.
// An error is returned if it's not possible to secure the container as requested
// with a security context.
//
// - pod: the pod to modify the docker hostconfig for
// - container: the container to modify the hostconfig for
// - supplementalGids: additional supplemental GIDs associated with the pod's volumes
ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
}
func NewFakeSecurityContextProvider ¶
func NewFakeSecurityContextProvider() SecurityContextProvider
NewFakeSecurityContextProvider creates a new, no-op security context provider.
func NewSimpleSecurityContextProvider ¶
func NewSimpleSecurityContextProvider() SecurityContextProvider
NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.
type SimpleSecurityContextProvider ¶
type SimpleSecurityContextProvider struct{}
SimpleSecurityContextProvider is the default implementation of a SecurityContextProvider.
func (SimpleSecurityContextProvider) ModifyContainerConfig ¶
func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)
ModifyContainerConfig is called before the Docker createContainer call. The security context provider can make changes to the Config with which the container is created.
func (SimpleSecurityContextProvider) ModifyHostConfig ¶
func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
ModifyHostConfig is called before the Docker runContainer call. The security context provider can make changes to the HostConfig, affecting security options, whether the container is privileged, volume binds, etc.
Source Files