helpers

Documentation

Index

• func ComputeLayerHashes(img v1.Image) ([]string, error)
• func DefaultContainerConfigs() []sp.ContainerConfig
• func ParseCommandFromImage(img v1.Image) ([]string, error)
• func ParseEnvFromImage(img v1.Image) ([]string, error)
• func ParseUserFromImage(img v1.Image) (sp.IDNameConfig, sp.IDNameConfig, error)
• func ParseWorkingDirFromImage(img v1.Image) (string, error)
• func PolicyContainersFromConfigs(containerConfigs []sp.ContainerConfig) ([]*sp.Container, error)
• func RemoteImageFromImageName(imageName string, opts ...remote.Option) (v1.Image, error)

Functions

func ComputeLayerHashes

func ComputeLayerHashes(img v1.Image) ([]string, error)

ComputeLayerHashes computes cryptographic digests of image layers and returns them as slice of string hashes.

func DefaultContainerConfigs

func DefaultContainerConfigs() []sp.ContainerConfig

DefaultContainerConfigs returns a hardcoded slice of container configs, which should be included by default in the security policy. The slice includes only a sandbox pause container.

func ParseCommandFromImage

func ParseCommandFromImage(img v1.Image) ([]string, error)

ParseCommandFromImage inspects the image and returns the command args, which is a combination of ENTRYPOINT and CMD Docker directives.

func ParseEnvFromImage

func ParseEnvFromImage(img v1.Image) ([]string, error)

ParseEnvFromImage inspects the image spec and adds security policy rules for environment variables from the spec. Additionally, includes "TERM=xterm" rule, which is added for linux containers by CRI.

func ParseUserFromImage

func ParseUserFromImage(img v1.Image) (sp.IDNameConfig, sp.IDNameConfig, error)

ParseUserFromImage inspects the image and returns the user and group

func ParseWorkingDirFromImage

func ParseWorkingDirFromImage(img v1.Image) (string, error)

ParseWorkingDirFromImage inspects the image spec and returns working directory if one was set via CWD Docker directive, otherwise returns "/".

func PolicyContainersFromConfigs

func PolicyContainersFromConfigs(containerConfigs []sp.ContainerConfig) ([]*sp.Container, error)

PolicyContainersFromConfigs returns a slice of sp.Container generated from a slice of sp.ContainerConfig's

func RemoteImageFromImageName

func RemoteImageFromImageName(imageName string, opts ...remote.Option) (v1.Image, error)

RemoteImageFromImageName parses a given imageName reference and creates a v1.Image with provided remote.Option opts.