Documentation
¶
Overview ¶
Package securitycontext contains security context api implementations
Index ¶
- func AddNoNewPrivileges(sc *v1.SecurityContext) bool
- func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string
- func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string
- func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext
- func HasCapabilitiesRequest(container *v1.Container) bool
- func HasPrivilegedRequest(container *v1.Container) bool
- func ParseSELinuxOptions(context string) (*v1.SELinuxOptions, error)
- func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
- func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
- type ContainerSecurityContextAccessor
- type ContainerSecurityContextMutator
- type PodSecurityContextAccessor
- type PodSecurityContextMutator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddNoNewPrivileges ¶
func AddNoNewPrivileges(sc *v1.SecurityContext) bool
AddNoNewPrivileges returns if we should add the no_new_privs option.
func ConvertToRuntimeMaskedPaths ¶
func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string
ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default masked paths.
func ConvertToRuntimeReadonlyPaths ¶
func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string
ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default readonly paths.
func HasCapabilitiesRequest ¶
HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils
func HasPrivilegedRequest ¶
HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils
func ParseSELinuxOptions ¶
func ParseSELinuxOptions(context string) (*v1.SELinuxOptions, error)
ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned.
func ValidInternalSecurityContextWithContainerDefaults ¶
func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
func ValidSecurityContextWithContainerDefaults ¶
func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
Types ¶
type ContainerSecurityContextAccessor ¶
type ContainerSecurityContextAccessor interface {
Capabilities() *api.Capabilities
Privileged() *bool
ProcMount() api.ProcMountType
SELinuxOptions() *api.SELinuxOptions
RunAsUser() *int64
RunAsNonRoot() *bool
ReadOnlyRootFilesystem() *bool
AllowPrivilegeEscalation() *bool
}
func NewContainerSecurityContextAccessor ¶
func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor
func NewEffectiveContainerSecurityContextAccessor ¶
func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor
type ContainerSecurityContextMutator ¶
type ContainerSecurityContextMutator interface {
ContainerSecurityContextAccessor
ContainerSecurityContext() *api.SecurityContext
SetCapabilities(*api.Capabilities)
SetPrivileged(*bool)
SetSELinuxOptions(*api.SELinuxOptions)
SetRunAsUser(*int64)
SetRunAsNonRoot(*bool)
SetReadOnlyRootFilesystem(*bool)
SetAllowPrivilegeEscalation(*bool)
}
func NewContainerSecurityContextMutator ¶
func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator
func NewEffectiveContainerSecurityContextMutator ¶
func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator
type PodSecurityContextAccessor ¶
type PodSecurityContextAccessor interface {
HostNetwork() bool
HostPID() bool
HostIPC() bool
SELinuxOptions() *api.SELinuxOptions
RunAsUser() *int64
RunAsNonRoot() *bool
SupplementalGroups() []int64
FSGroup() *int64
}
PodSecurityContextAccessor allows reading the values of a PodSecurityContext object
func NewPodSecurityContextAccessor ¶
func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor
NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.
type PodSecurityContextMutator ¶
type PodSecurityContextMutator interface {
PodSecurityContextAccessor
SetHostNetwork(bool)
SetHostPID(bool)
SetHostIPC(bool)
SetSELinuxOptions(*api.SELinuxOptions)
SetRunAsUser(*int64)
SetRunAsNonRoot(*bool)
SetSupplementalGroups([]int64)
SetFSGroup(*int64)
// PodSecurityContext returns the current PodSecurityContext object
PodSecurityContext() *api.PodSecurityContext
}
PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object
func NewPodSecurityContextMutator ¶
func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator
NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.
Source Files