Documentation ¶
Overview ¶
Package securitycontext contains security context api implementations
Index ¶
- func AddNoNewPrivileges(sc *v1.SecurityContext) bool
- func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext
- func HasCapabilitiesRequest(container *v1.Container) bool
- func HasPrivilegedRequest(container *v1.Container) bool
- func HasRootRunAsUser(container *v1.Container) bool
- func HasRootUID(container *v1.Container) bool
- func HasRunAsUser(container *v1.Container) bool
- func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext
- func ParseSELinuxOptions(context string) (*v1.SELinuxOptions, error)
- func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
- func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
- type ContainerSecurityContextAccessor
- type ContainerSecurityContextMutator
- type PodSecurityContextAccessor
- type PodSecurityContextMutator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddNoNewPrivileges ¶
func AddNoNewPrivileges(sc *v1.SecurityContext) bool
AddNoNewPrivileges returns if we should add the no_new_privs option.
func HasCapabilitiesRequest ¶
HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils
func HasPrivilegedRequest ¶
HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils
func HasRootRunAsUser ¶
HasRootRunAsUser returns true if the run as user is set and it is set to 0.
func HasRootUID ¶
HasNonRootUID returns true if the runAsUser is set and is greater than 0.
func HasRunAsUser ¶
HasRunAsUser determines if the sc's runAsUser field is set.
func InternalDetermineEffectiveSecurityContext ¶
func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext
TODO: remove the duplicate code
func ParseSELinuxOptions ¶
func ParseSELinuxOptions(context string) (*v1.SELinuxOptions, error)
ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned.
func ValidInternalSecurityContextWithContainerDefaults ¶
func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
func ValidSecurityContextWithContainerDefaults ¶
func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
Types ¶
type ContainerSecurityContextAccessor ¶
type ContainerSecurityContextAccessor interface { Capabilities() *api.Capabilities Privileged() *bool SELinuxOptions() *api.SELinuxOptions RunAsUser() *int64 RunAsNonRoot() *bool ReadOnlyRootFilesystem() *bool AllowPrivilegeEscalation() *bool }
func NewContainerSecurityContextAccessor ¶
func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor
func NewEffectiveContainerSecurityContextAccessor ¶
func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor
type ContainerSecurityContextMutator ¶
type ContainerSecurityContextMutator interface { ContainerSecurityContextAccessor ContainerSecurityContext() *api.SecurityContext SetCapabilities(*api.Capabilities) SetPrivileged(*bool) SetSELinuxOptions(*api.SELinuxOptions) SetRunAsUser(*int64) SetRunAsNonRoot(*bool) SetReadOnlyRootFilesystem(*bool) SetAllowPrivilegeEscalation(*bool) }
func NewContainerSecurityContextMutator ¶
func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator
func NewEffectiveContainerSecurityContextMutator ¶
func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator
type PodSecurityContextAccessor ¶
type PodSecurityContextAccessor interface { HostNetwork() bool HostPID() bool HostIPC() bool SELinuxOptions() *api.SELinuxOptions RunAsUser() *int64 RunAsNonRoot() *bool SupplementalGroups() []int64 FSGroup() *int64 }
PodSecurityContextAccessor allows reading the values of a PodSecurityContext object
func NewPodSecurityContextAccessor ¶
func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor
NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.
type PodSecurityContextMutator ¶
type PodSecurityContextMutator interface { PodSecurityContextAccessor SetHostNetwork(bool) SetHostPID(bool) SetHostIPC(bool) SetSELinuxOptions(*api.SELinuxOptions) SetRunAsUser(*int64) SetRunAsNonRoot(*bool) SetSupplementalGroups([]int64) SetFSGroup(*int64) // PodSecurityContext returns the current PodSecurityContext object PodSecurityContext() *api.PodSecurityContext }
PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object
func NewPodSecurityContextMutator ¶
func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator
NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.