Constants ¶
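// OKNOK, NOK and OK are the untyped integer values stored in OkNok fields.
// Because OKNOK takes iota's first value, NOK is 1 and OK is 2 (not 0 and
// 1), and the zero value of an OkNok field is OKNOK, which is neither OK
// nor NOK.
const (
	OKNOK = iota // 0: zero value of an OkNok field; neither OK nor NOK
	NOK          // 1
	OK           // 2
)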
// OKString and NOKString are the textual forms of a check result.
// NOTE(review): the OkNok-to-string mapping is not visible here;
// presumably OK -> OKString and NOK -> NOKString — confirm at the caller.
const (
	OKString  = "true"
	NOKString = "false"
)
// Human-readable descriptions of each CategoryID (presumably what
// CategoryID.String returns). The text of each constant describes what the
// category covers; CategoryID4 is the catch-all for containers that match
// none of the lower categories.
const (
	CategoryID1String       = "CategoryID1(limited access granted automatically)"
	CategoryID1NoUID0String = "CategoryID1NoUID0(automatically granted, basic rights with mesh networks)"
	CategoryID2String       = "CategoryID2(advanced networking (vlan tag, dscp, priority))"
	CategoryID3String       = "CategoryID3(SRIOV and DPDK)"
	CategoryID4String       = "CategoryID4(anything not matching lower category)"
)
Variables ¶
// Reference security-context profiles, one per category. GetContainerSCC
// derives a ContainerSCC from a real container and CheckPod assigns each
// container a category; presumably the profiles below are what that
// assignment compares against (the comparison itself is not shown here).
//
// Category1NoUID0, Category2 and Category3 are identical apart from
// CapabilitiesCategory; Category1 differs from Category1NoUID0 only in
// RunAsNonRoot (NOK instead of OK). Keyed literals are used so that a
// reordering of ContainerSCC's fields cannot silently move an OK/NOK onto a
// different check.
//
// NOTE(review): these are exported package-level variables, so any importer
// can mutate the reference profiles at run time.
var (
	Category1 = ContainerSCC{
		HostDirVolumePluginPresent:      NOK,
		HostIPC:                         NOK,
		HostNetwork:                     NOK,
		HostPID:                         NOK,
		HostPorts:                       NOK,
		PrivilegeEscalation:             OK,
		PrivilegedContainer:             NOK,
		RunAsUserPresent:                OK,
		ReadOnlyRootFilesystem:          NOK,
		RunAsNonRoot:                    NOK,
		FsGroupPresent:                  OK,
		SeLinuxContextPresent:           OK,
		CapabilitiesCategory:            CategoryID1,
		RequiredDropCapabilitiesPresent: OK,
		AllVolumeAllowed:                OK,
	}

	Category1NoUID0 = ContainerSCC{
		HostDirVolumePluginPresent:      NOK,
		HostIPC:                         NOK,
		HostNetwork:                     NOK,
		HostPID:                         NOK,
		HostPorts:                       NOK,
		PrivilegeEscalation:             OK,
		PrivilegedContainer:             NOK,
		RunAsUserPresent:                OK,
		ReadOnlyRootFilesystem:          NOK,
		RunAsNonRoot:                    OK,
		FsGroupPresent:                  OK,
		SeLinuxContextPresent:           OK,
		CapabilitiesCategory:            CategoryID1,
		RequiredDropCapabilitiesPresent: OK,
		AllVolumeAllowed:                OK,
	}

	Category2 = ContainerSCC{
		HostDirVolumePluginPresent:      NOK,
		HostIPC:                         NOK,
		HostNetwork:                     NOK,
		HostPID:                         NOK,
		HostPorts:                       NOK,
		PrivilegeEscalation:             OK,
		PrivilegedContainer:             NOK,
		RunAsUserPresent:                OK,
		ReadOnlyRootFilesystem:          NOK,
		RunAsNonRoot:                    OK,
		FsGroupPresent:                  OK,
		SeLinuxContextPresent:           OK,
		CapabilitiesCategory:            CategoryID2,
		RequiredDropCapabilitiesPresent: OK,
		AllVolumeAllowed:                OK,
	}

	Category3 = ContainerSCC{
		HostDirVolumePluginPresent:      NOK,
		HostIPC:                         NOK,
		HostNetwork:                     NOK,
		HostPID:                         NOK,
		HostPorts:                       NOK,
		PrivilegeEscalation:             OK,
		PrivilegedContainer:             NOK,
		RunAsUserPresent:                OK,
		ReadOnlyRootFilesystem:          NOK,
		RunAsNonRoot:                    OK,
		FsGroupPresent:                  OK,
		SeLinuxContextPresent:           OK,
		CapabilitiesCategory:            CategoryID3,
		RequiredDropCapabilitiesPresent: OK,
		AllVolumeAllowed:                OK,
	}
)
Functions ¶
This section is empty.
Types ¶
type CategoryID ¶
// CategoryID identifies the privilege category a container is placed in.
// See the CategoryID*String constants for what each category covers;
// CategoryID4 is the catch-all for anything not matching a lower category.
type CategoryID int

// CategoryID values. Undefined is the zero value, so a CategoryID that was
// never assigned reads as Undefined rather than as a real category.
const (
	Undefined CategoryID = iota
	CategoryID1
	CategoryID1NoUID0
	CategoryID2
	CategoryID3
	CategoryID4
)
func (CategoryID) String ¶
func (category CategoryID) String() string
String converts the category to a string. Returns:
- string: The string representation of the Category.
type ContainerSCC ¶
// ContainerSCC records, per security-context check, the result of that check
// for one container. It is also the shape of the Category* reference
// profiles that a container's values are presumably compared against.
//
// Each OkNok field is expected to hold NOK (1) or OK (2); the zero value is
// OKNOK (0), which is neither, and presumably means the check was never
// evaluated. NOTE(review): which of OK/NOK is the "secure" answer for a given
// field (e.g. PrivilegeEscalation) is not visible here — confirm against
// GetContainerSCC before relying on it.
//
// Do not reorder or insert fields: any positional ContainerSCC literal would
// silently shift its values onto different checks.
type ContainerSCC struct {
	HostDirVolumePluginPresent      OkNok // NOK (1) or OK (2); 0 is OKNOK, not a result
	HostIPC                         OkNok
	HostNetwork                     OkNok
	HostPID                         OkNok
	HostPorts                       OkNok
	PrivilegeEscalation             OkNok // OK in every Category* profile; see NOTE above
	PrivilegedContainer             OkNok
	RunAsUserPresent                OkNok
	ReadOnlyRootFilesystem          OkNok
	RunAsNonRoot                    OkNok // the only field that differs between Category1 and Category1NoUID0
	FsGroupPresent                  OkNok
	SeLinuxContextPresent           OkNok
	CapabilitiesCategory            CategoryID // category derived from capabilities, not an OkNok
	RequiredDropCapabilitiesPresent OkNok
	AllVolumeAllowed                OkNok // presumably the first result of AllVolumeAllowed
}
func GetContainerSCC ¶
func GetContainerSCC(cut *provider.Container, containerSCC ContainerSCC) ContainerSCC
GetContainerSCC updates the containerSCC according to the capabilities of the container (cut). Returns:
- ContainerSCC: the struct, updated according to the container (cut)
type OkNok ¶
// OkNok is the result of a single security-context check. The meaningful
// values are the NOK and OK constants (1 and 2); the zero value is OKNOK (0),
// which is neither. OKNOK, NOK and OK are untyped constants, so an OkNok is
// distinguishable from a plain int only by convention. OKString and NOKString
// are the textual forms of the two results.
type OkNok int
func AllVolumeAllowed ¶
AllVolumeAllowed checks whether all volumes in the provided slice are allowed based on certain criteria. Returns:
- r1 : whether all volumes are allowed (OK/NOK)
- r2 : whether any volume with HostPath is found (OK/NOK)
type PodListCategory ¶
// PodListCategory is one entry of CheckPod's result: a container, the pod and
// namespace it belongs to, and the CategoryID it was placed in.
type PodListCategory struct {
	Containername string     // container name
	Podname       string     // owning pod
	NameSpace     string     // namespace of the pod
	Category      CategoryID // category assigned by CheckPod
}
func CheckPod ¶
func CheckPod(pod *provider.Pod) []PodListCategory
CheckPod updates the containerSCC objects with the security context values defined at the Pod level, then updates each containerSCC object with the security context values overridden at the container level. It then categorizes each container based on specific conditions and constructs a list of PodListCategory structs, each representing a container along with its category information. Returns:
- []PodListCategory: a slice of PodListCategory structs representing categorized containers for the pod.