Documentation
Index
- func EqualStringSlices(a, b []string) bool
- func FSTypeToStringSetInternal(fsTypes []securityv1.FSType) sets.String
- func GetAllFSTypesAsSet() sets.String
- func GetAllFSTypesExcept(exceptions ...string) sets.String
- func GetVolumeFSType(v api.Volume) (securityv1.FSType, error)
- func IsOnlyServiceAccountTokenSources(v *api.ProjectedVolumeSource) bool
- func SCCAllowsAllVolumes(scc *securityv1.SecurityContextConstraints) bool
- func SCCAllowsFSType(scc *securityv1.SecurityContextConstraints, fsType securityv1.FSType) bool
- func SCCAllowsFSTypeInternal(scc *securityv1.SecurityContextConstraints, fsType securityv1.FSType) bool
Constants
This section is empty.
Variables
This section is empty.
Functions
func EqualStringSlices
EqualStringSlices compares string slices for equality. Slices are equal when they have the same length and the elements at each position are equal.
func FSTypeToStringSetInternal
func FSTypeToStringSetInternal(fsTypes []securityv1.FSType) sets.String
fsTypeToStringSet converts an FSType slice to a string set.
func GetAllFSTypesAsSet
func GetAllFSTypesExcept
func GetVolumeFSType
func GetVolumeFSType(v api.Volume) (securityv1.FSType, error)
getVolumeFSType gets the FSType for a volume.
func IsOnlyServiceAccountTokenSources
func IsOnlyServiceAccountTokenSources(v *api.ProjectedVolumeSource) bool
IsOnlyServiceAccountTokenSources returns true if the sources of the projected volume source match what would be injected by the ServiceAccount volume projection controller.
This function is derived from pkg/security/podsecuritypolicy/util/util.go, with the addition of the OpenShift-specific "openshift-service-ca.crt" ConfigMap source.
This is what a sample injected volume looks like:
    - projected:
        defaultMode: 420
        sources:
        - serviceAccountToken:
            expirationSeconds: 3607
            path: token
        - configMap:
            name: kube-root-ca.crt
            items:
            - key: ca.crt
              path: ca.crt
        - downwardAPI:
            items:
            - path: namespace
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
        - configMap:
            name: openshift-service-ca.crt
            items:
            - key: service-ca.crt
              path: service-ca.crt
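An added example (not this package's own code) of the fail-closed matching that IsOnlyServiceAccountTokenSources describes, applied to the sample volume above. `Source`, `Item`, `OnlyInjectedSources` and `SampleInjected` are hypothetical stand-ins for the Kubernetes API types, and the exact matching rules are an assumption taken from the sample.

```go
package main

import "fmt"

// Item is a key/path pair (configMap) or fieldPath/path pair (downwardAPI).
type Item struct{ Key, Path string }

// Source is a simplified, hypothetical stand-in for one projected volume source.
type Source struct {
	Kind  string // serviceAccountToken | configMap | downwardAPI | secret
	Name  string // configMap or secret name
	Path  string // serviceAccountToken path
	Items []Item
}

// expected holds the only item allowed per "kind/name" (assumption from the sample).
var expected = map[string]Item{
	"configMap/kube-root-ca.crt":         {"ca.crt", "ca.crt"},
	"configMap/openshift-service-ca.crt": {"service-ca.crt", "service-ca.crt"},
	"downwardAPI/":                       {"metadata.namespace", "namespace"},
}

// OnlyInjectedSources fails closed: any unknown kind, name or item set returns false.
func OnlyInjectedSources(sources []Source) bool {
	for _, s := range sources {
		if s.Kind == "serviceAccountToken" && s.Path == "token" {
			continue
		}
		want, ok := expected[s.Kind+"/"+s.Name]
		if !ok || len(s.Items) != 1 || s.Items[0] != want {
			return false
		}
	}
	return true
}

// SampleInjected is constructed to mirror the sample injected volume.
func SampleInjected() []Source {
	return []Source{
		{Kind: "serviceAccountToken", Path: "token"},
		{Kind: "configMap", Name: "kube-root-ca.crt", Items: []Item{{"ca.crt", "ca.crt"}}},
		{Kind: "downwardAPI", Items: []Item{{"metadata.namespace", "namespace"}}},
		{Kind: "configMap", Name: "openshift-service-ca.crt", Items: []Item{{"service-ca.crt", "service-ca.crt"}}},
	}
}
func main() {
	fmt.Println(OnlyInjectedSources(SampleInjected()))
	fmt.Println(OnlyInjectedSources(append(SampleInjected(), Source{Kind: "secret", Name: "db-creds"})))
}
```

A projected volume that adds a secret, a differently named ConfigMap, or a token at another path is not treated as the injected volume, so it stays subject to the SCC's normal volume checks.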
func SCCAllowsAllVolumes
func SCCAllowsAllVolumes(scc *securityv1.SecurityContextConstraints) bool
SCCAllowsAllVolumes checks for FSTypeAll in the scc's allowed volumes.
func SCCAllowsFSType
func SCCAllowsFSType(scc *securityv1.SecurityContextConstraints, fsType securityv1.FSType) bool
SCCAllowsFSType is a utility for checking if an SCC allows a particular FSType. If all volumes are allowed then this will return true for any FSType passed.
func SCCAllowsFSTypeInternal
func SCCAllowsFSTypeInternal(scc *securityv1.SecurityContextConstraints, fsType securityv1.FSType) bool
SCCAllowsFSTypeInternal is a utility for checking if an SCC allows a particular FSType. If all volumes are allowed then this will return true for any FSType passed.
Types
This section is empty.