Documentation ¶
Overview ¶
Package securitycontext contains security context API implementations: helpers that read the effective pod/container security context (privileged, runAsUser, capabilities, SELinux options) and decide how it should be applied.
Index ¶
- func AddNoNewPrivileges(sc *v1.SecurityContext) bool
- func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext
- func HasCapabilitiesRequest(container *v1.Container) bool
- func HasPrivilegedRequest(container *v1.Container) bool
- func HasRootRunAsUser(container *v1.Container) bool
- func HasRootUID(container *v1.Container) bool
- func HasRunAsUser(container *v1.Container) bool
- func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext
- func ParseSELinuxOptions(context string) (*v1.SELinuxOptions, error)
- func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
- func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddNoNewPrivileges ¶
func AddNoNewPrivileges(sc *v1.SecurityContext) bool
AddNoNewPrivileges returns whether the no_new_privs option (the kernel's PR_SET_NO_NEW_PRIVS flag, which stops setuid binaries and file capabilities from raising a process's privileges across exec) should be added for the container. It returns true only if all of the following hold:
- 1) the container is not privileged
- 2) CAP_SYS_ADMIN is not being added
- 3) podSecurityPolicy.DefaultAllowPrivilegeEscalation is false
If DefaultAllowPrivilegeEscalation is nil (unset) or true, the function returns false.
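The decision table above, as an added example that is not the package's own code. The function takes the three inputs as plain values (a privileged flag, the list of added capabilities, and a pointer standing in for podSecurityPolicy.DefaultAllowPrivilegeEscalation) instead of reading a v1.SecurityContext, so it runs stand-alone; the name shouldAddNoNewPrivs is an assumption of this example.

```go
package main

import "fmt"

// shouldAddNoNewPrivs applies the three documented rules for
// AddNoNewPrivileges. Added example: the inputs are plain values rather
// than a v1.SecurityContext and a PodSecurityPolicy.
//
//   privileged          securityContext.privileged
//   addedCaps           securityContext.capabilities.add
//   defaultAllowPrivEsc podSecurityPolicy.DefaultAllowPrivilegeEscalation, nil when unset
func shouldAddNoNewPrivs(privileged bool, addedCaps []string, defaultAllowPrivEsc *bool) bool {
	// 1) a privileged container already holds every capability, so the flag is moot
	if privileged {
		return false
	}
	// 2) adding CAP_SYS_ADMIN is treated the same way. The Kubernetes API spells
	//    capabilities without the CAP_ prefix ("SYS_ADMIN"); both forms are accepted here.
	for _, c := range addedCaps {
		if c == "SYS_ADMIN" || c == "CAP_SYS_ADMIN" {
			return false
		}
	}
	// 3) nil (unset) or true -> do not add; false -> add
	if defaultAllowPrivEsc == nil {
		return false
	}
	return !*defaultAllowPrivEsc
}

func main() {
	f, t := false, true
	// Constructed cases covering each branch of the documented rules.
	cases := []struct {
		name string
		priv bool
		caps []string
		def  *bool
	}{
		{"unprivileged, default unset", false, nil, nil},
		{"unprivileged, default true", false, nil, &t},
		{"unprivileged, default false", false, nil, &f},
		{"adds SYS_ADMIN, default false", false, []string{"SYS_ADMIN"}, &f},
		{"privileged, default false", true, nil, &f},
	}
	for _, c := range cases {
		fmt.Printf("%-32s no_new_privs=%v\n", c.name, shouldAddNoNewPrivs(c.priv, c.caps, c.def))
	}
}
```

Only the third case yields true: the flag is added when escalation is explicitly disallowed and nothing else on the container (privileged mode, CAP_SYS_ADMIN) would make it pointless.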
func HasCapabilitiesRequest ¶
func HasCapabilitiesRequest(container *v1.Container) bool
HasCapabilitiesRequest returns true if Add or Drop entries are defined in the security context's capabilities, taking nils into account (a nil SecurityContext or nil Capabilities counts as no request).
func HasPrivilegedRequest ¶
func HasPrivilegedRequest(container *v1.Container) bool
HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking the possibility of nils into account (a nil SecurityContext or nil Privileged field counts as false).
func HasRootRunAsUser ¶
func HasRootRunAsUser(container *v1.Container) bool
HasRootRunAsUser returns true if runAsUser is set and it is set to 0.
func HasRootUID ¶
func HasRootUID(container *v1.Container) bool
HasRootUID returns true if runAsUser is set and is 0. A container whose runAsUser is unset returns false here even though it may still run as root via the image's USER; check HasRunAsUser first when that distinction matters.
func HasRunAsUser ¶
func HasRunAsUser(container *v1.Container) bool
HasRunAsUser determines if the container's securityContext.runAsUser field is set.
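The nil-handling behaviour of the five predicates above, as an added example that is not the package's own code. The types Container, SecurityContext and Capabilities are minimal stand-ins for the v1 types (only the fields the predicates read), and int64Ptr/boolPtr are helpers of this example; the predicate names are kept the same so the mapping is obvious.

```go
package main

import "fmt"

// Stand-ins for the v1 API types, reduced to the fields the predicates use
// (added example, not the package's own code).
type Capabilities struct {
	Add  []string
	Drop []string
}

type SecurityContext struct {
	Privileged   *bool
	RunAsUser    *int64
	Capabilities *Capabilities
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

func int64Ptr(v int64) *int64 { return &v }
func boolPtr(b bool) *bool    { return &b }

// HasPrivilegedRequest: nil SecurityContext or nil Privileged both mean false.
func HasPrivilegedRequest(c *Container) bool {
	if c.SecurityContext == nil || c.SecurityContext.Privileged == nil {
		return false
	}
	return *c.SecurityContext.Privileged
}

// HasCapabilitiesRequest: true only if Add or Drop actually lists something;
// an empty Capabilities struct is not a request.
func HasCapabilitiesRequest(c *Container) bool {
	if c.SecurityContext == nil || c.SecurityContext.Capabilities == nil {
		return false
	}
	caps := c.SecurityContext.Capabilities
	return len(caps.Add) > 0 || len(caps.Drop) > 0
}

// HasRunAsUser: the field is present, whatever its value.
func HasRunAsUser(c *Container) bool {
	return c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil
}

// HasRootUID: present and exactly 0. Unset is false, which says nothing about
// the UID the image will actually run as.
func HasRootUID(c *Container) bool {
	return HasRunAsUser(c) && *c.SecurityContext.RunAsUser == 0
}

func HasRootRunAsUser(c *Container) bool {
	return HasRunAsUser(c) && HasRootUID(c)
}

func main() {
	// Constructed containers: one non-root, one explicit root, one privileged
	// with an added capability, and one with no securityContext at all.
	containers := []Container{
		{Name: "web", SecurityContext: &SecurityContext{RunAsUser: int64Ptr(1000)}},
		{Name: "init-db", SecurityContext: &SecurityContext{RunAsUser: int64Ptr(0)}},
		{Name: "agent", SecurityContext: &SecurityContext{
			Privileged:   boolPtr(true),
			Capabilities: &Capabilities{Add: []string{"NET_ADMIN"}},
		}},
		{Name: "sidecar"},
	}
	for i := range containers {
		c := &containers[i]
		fmt.Printf("%-8s runAsUserSet=%-5v root=%-5v privileged=%-5v capsRequested=%v\n",
			c.Name, HasRunAsUser(c), HasRootRunAsUser(c), HasPrivilegedRequest(c), HasCapabilitiesRequest(c))
	}
}
```

The "sidecar" row is the one to keep in mind when using these predicates for policy: every check returns false for it, yet the container is not known to be non-root; an admission check that wants "must not run as root" needs HasRunAsUser to be true and HasRootUID to be false, not merely HasRootUID false.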
func DetermineEffectiveSecurityContext ¶
func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext
DetermineEffectiveSecurityContext returns a synthesized SecurityContext for reading the effective configuration from the provided pod's and container's security contexts. The container's fields take precedence where both are set.
func InternalDetermineEffectiveSecurityContext ¶
func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext
InternalDetermineEffectiveSecurityContext performs the same merge as DetermineEffectiveSecurityContext on the internal api types rather than the v1 types. TODO: remove the duplicate code
func ParseSELinuxOptions ¶
func ParseSELinuxOptions(context string) (*v1.SELinuxOptions, error)
ParseSELinuxOptions parses a string containing a full SELinux context in user:role:type:level form (for example system_u:system_r:container_t:s0:c123,c456) into an SELinuxOptions object. The level is everything after the third colon, since an MLS/MCS level may itself contain a colon. If the context is malformed, an error is returned.
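A stand-alone parser for the same context format, as an added example that is not the package's own implementation. SELinuxOptions is a stand-in for v1.SELinuxOptions, and parseSELinuxContext is this example's name; the empty-field rejection is an extra check of this example, not something the documentation above promises.

```go
package main

import (
	"fmt"
	"strings"
)

// SELinuxOptions is a stand-in for v1.SELinuxOptions (added example, not the
// package's own code).
type SELinuxOptions struct {
	User  string
	Role  string
	Type  string
	Level string
}

// parseSELinuxContext splits a full context "user:role:type:level" into its
// four parts. The level is taken as everything after the third colon: an
// MLS/MCS level such as "s0:c123,c456" contains a colon itself, so a plain
// strings.Split on ":" would produce five fields and wrongly reject a valid
// context. Empty fields are rejected as well (an extra check of this example).
func parseSELinuxContext(ctx string) (*SELinuxOptions, error) {
	fields := strings.SplitN(ctx, ":", 4)
	if len(fields) != 4 {
		return nil, fmt.Errorf("invalid SELinux context %q: want user:role:type:level", ctx)
	}
	for i, f := range fields {
		if f == "" {
			return nil, fmt.Errorf("invalid SELinux context %q: field %d is empty", ctx, i)
		}
	}
	return &SELinuxOptions{User: fields[0], Role: fields[1], Type: fields[2], Level: fields[3]}, nil
}

func main() {
	// Constructed inputs: two valid contexts (one with an MCS level) and two malformed ones.
	for _, ctx := range []string{
		"system_u:system_r:container_t:s0",
		"system_u:system_r:container_t:s0:c123,c456",
		"system_u:system_r:container_t",
		"system_u::container_t:s0",
	} {
		opts, err := parseSELinuxContext(ctx)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("user=%s role=%s type=%s level=%s\n", opts.User, opts.Role, opts.Type, opts.Level)
	}
}
```

The second input is the case that matters for container workloads: the kubelet assigns per-pod MCS categories, so a valid level routinely contains a colon, and a parser that counts colons instead of splitting at most three times will reject exactly the contexts it sees in practice.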
func ValidInternalSecurityContextWithContainerDefaults ¶
func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
func ValidSecurityContextWithContainerDefaults ¶
func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
Types ¶
This section is empty.