securitycontext

package
v1.2.0-rancher-1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 22, 2016 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

Package securitycontext contains security context api implementations

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DetermineEffectiveSecurityContext added in v1.2.0

func DetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext

func HasCapabilitiesRequest

func HasCapabilitiesRequest(container *api.Container) bool

HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils

func HasPrivilegedRequest

func HasPrivilegedRequest(container *api.Container) bool

HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils

func HasRootRunAsUser added in v1.1.0

func HasRootRunAsUser(container *api.Container) bool

HasRootRunAsUser returns true if the run as user is set and it is set to 0.

func HasRootUID added in v1.1.0

func HasRootUID(container *api.Container) bool

HasNonRootUID returns true if the runAsUser is set and is greater than 0.

func HasRunAsUser added in v1.1.0

func HasRunAsUser(container *api.Container) bool

HasRunAsUser determines if the sc's runAsUser field is set.

func MakeCapabilities added in v1.2.0

func MakeCapabilities(capAdd []api.Capability, capDrop []api.Capability) ([]string, []string)

MakeCapabilities creates string slices from Capability slices

func ParseSELinuxOptions added in v1.1.0

func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)

ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned.

func ValidSecurityContextWithContainerDefaults

func ValidSecurityContextWithContainerDefaults() *api.SecurityContext

ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

Types

type FakeSecurityContextProvider

type FakeSecurityContextProvider struct{}

func (FakeSecurityContextProvider) ModifyContainerConfig

func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)

func (FakeSecurityContextProvider) ModifyHostConfig

func (p FakeSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)

type SecurityContextProvider

type SecurityContextProvider interface {
	// ModifyContainerConfig is called before the Docker createContainer call.
	// The security context provider can make changes to the Config with which
	// the container is created.
	ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)

	// ModifyHostConfig is called before the Docker createContainer call.
	// The security context provider can make changes to the HostConfig, affecting
	// security options, whether the container is privileged, volume binds, etc.
	// An error is returned if it's not possible to secure the container as requested
	// with a security context.
	ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)
}

func NewFakeSecurityContextProvider

func NewFakeSecurityContextProvider() SecurityContextProvider

NewFakeSecurityContextProvider creates a new, no-op security context provider.

func NewSimpleSecurityContextProvider

func NewSimpleSecurityContextProvider() SecurityContextProvider

NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.

type SimpleSecurityContextProvider

type SimpleSecurityContextProvider struct{}

SimpleSecurityContextProvider is the default implementation of a SecurityContextProvider.

func (SimpleSecurityContextProvider) ModifyContainerConfig

func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)

ModifyContainerConfig is called before the Docker createContainer call. The security context provider can make changes to the Config with which the container is created.

func (SimpleSecurityContextProvider) ModifyHostConfig

func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)

ModifyHostConfig is called before the Docker runContainer call. The security context provider can make changes to the HostConfig, affecting security options, whether the container is privileged, volume binds, etc.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL