Documentation ¶
Overview ¶
Package securitycontext contains security context API implementations: nil-safe predicates over a container's SecurityContext, an SELinux context parser, and the SecurityContextProvider hook that maps a SecurityContext onto the Docker container and host configuration.
Index ¶
- func HasCapabilitiesRequest(container *api.Container) bool
- func HasPrivilegedRequest(container *api.Container) bool
- func HasRootRunAsUser(container *api.Container) bool
- func HasRootUID(container *api.Container) bool
- func HasRunAsUser(container *api.Container) bool
- func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)
- func ValidSecurityContextWithContainerDefaults() *api.SecurityContext
- type FakeSecurityContextProvider
- type SecurityContextProvider
- type SimpleSecurityContextProvider
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func HasCapabilitiesRequest ¶
func HasCapabilitiesRequest(container *api.Container) bool
HasCapabilitiesRequest returns true if Add or Drop entries are defined in the security context capabilities, taking into account nils. A nil SecurityContext, a nil Capabilities field, or a Capabilities struct with empty Add and Drop lists all yield false.
func HasPrivilegedRequest ¶
func HasPrivilegedRequest(container *api.Container) bool
HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils: a nil SecurityContext or a nil Privileged field counts as false.
func HasRootRunAsUser ¶
func HasRootRunAsUser(container *api.Container) bool
HasRootRunAsUser returns true if the run-as user is set and it is set to 0.
func HasRootUID ¶
func HasRootUID(container *api.Container) bool
HasRootUID returns true if the runAsUser is set and is set to 0. An unset runAsUser returns false even though the container may still run as root by image default, so pair this with HasRunAsUser before treating false as "non-root".
func HasRunAsUser ¶
func HasRunAsUser(container *api.Container) bool
HasRunAsUser determines whether the container's SecurityContext.RunAsUser field is set.
func ParseSELinuxOptions ¶
func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)
ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned. Note that the level field may itself contain colons (for example s0:c1,c2), so only the first three colons separate fields; everything after them is the level.
func ValidSecurityContextWithContainerDefaults ¶
func ValidSecurityContextWithContainerDefaults() *api.SecurityContext
ValidSecurityContextWithContainerDefaults creates a valid SecurityContext (not a provider, despite the older wording) based on empty container defaults. Used for testing.
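The following is an added example, not code from the Kubernetes package itself: the nil-aware predicates and ParseSELinuxOptions reimplemented against stand-in types so the edge cases (nil SecurityContext, nil pointer fields, an explicit uid 0 versus an unset uid, and a level that contains colons) can be run offline. The types Capability, Capabilities, SELinuxOptions, SecurityContext and Container are minimal assumptions that mirror the api package's field names; the rejection of empty fields in ParseSELinuxOptions is added strictness beyond the four-field check described above.

```go
package main

import (
	"fmt"
	"strings"
)

// Stand-in types (assumption: field names mirror api.SecurityContext and
// api.SELinuxOptions; they are not the real Kubernetes api types).
type Capability string

type Capabilities struct {
	Add  []Capability
	Drop []Capability
}

type SELinuxOptions struct {
	User, Role, Type, Level string
}

type SecurityContext struct {
	Capabilities *Capabilities
	Privileged   *bool
	RunAsUser    *int64
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

// HasPrivilegedRequest treats a nil SecurityContext or a nil Privileged
// pointer as "not requested", so a bare container never reads as privileged.
func HasPrivilegedRequest(c *Container) bool {
	if c.SecurityContext == nil || c.SecurityContext.Privileged == nil {
		return false
	}
	return *c.SecurityContext.Privileged
}

// HasCapabilitiesRequest is true only when Add or Drop actually lists something;
// an empty Capabilities struct is not a request.
func HasCapabilitiesRequest(c *Container) bool {
	if c.SecurityContext == nil || c.SecurityContext.Capabilities == nil {
		return false
	}
	caps := c.SecurityContext.Capabilities
	return len(caps.Add) > 0 || len(caps.Drop) > 0
}

// HasRunAsUser reports whether RunAsUser was set at all.
func HasRunAsUser(c *Container) bool {
	return c.SecurityContext != nil && c.SecurityContext.RunAsUser != nil
}

// HasRootUID is true only for an explicit RunAsUser of 0. An unset RunAsUser
// yields false even though the image default may be root, so callers must
// check HasRunAsUser before reading false as "non-root".
func HasRootUID(c *Container) bool {
	return HasRunAsUser(c) && *c.SecurityContext.RunAsUser == 0
}

// ParseSELinuxOptions splits user:role:type:level. SplitN with a limit of 4
// keeps the level intact, since MLS/MCS levels such as "s0:c1,c2" or
// "s0-s0:c0.c1023" contain their own colons.
func ParseSELinuxOptions(context string) (*SELinuxOptions, error) {
	fields := strings.SplitN(context, ":", 4)
	if len(fields) != 4 {
		return nil, fmt.Errorf("expected 4 fields in selinux context %q; got %d", context, len(fields))
	}
	// Added strictness (assumption, beyond the four-field check): reject empty
	// fields such as "system_u::container_t:s0" rather than passing them on.
	for i, f := range fields {
		if f == "" {
			return nil, fmt.Errorf("selinux context %q: field %d is empty", context, i+1)
		}
	}
	return &SELinuxOptions{User: fields[0], Role: fields[1], Type: fields[2], Level: fields[3]}, nil
}

func main() {
	zero, thousand, priv := int64(0), int64(1000), true
	// Constructed samples: no context, explicit root, non-root but privileged.
	samples := []*Container{
		{Name: "no-context"},
		{Name: "root", SecurityContext: &SecurityContext{RunAsUser: &zero}},
		{Name: "nonroot-priv", SecurityContext: &SecurityContext{RunAsUser: &thousand,
			Privileged: &priv, Capabilities: &Capabilities{Drop: []Capability{"MKNOD"}}}},
	}
	for _, c := range samples {
		fmt.Printf("%-13s runAsUser=%-5t root=%-5t privileged=%-5t caps=%t\n", c.Name,
			HasRunAsUser(c), HasRootUID(c), HasPrivilegedRequest(c), HasCapabilitiesRequest(c))
	}
	for _, ctx := range []string{"system_u:system_r:svirt_lxc_net_t:s0:c1,c2", "system_u:system_r:svirt_lxc_net_t"} {
		opts, err := ParseSELinuxOptions(ctx)
		fmt.Printf("%q -> %+v err=%v\n", ctx, opts, err)
	}
}
```

The point worth noticing is that every predicate reports "no request" for a container with no SecurityContext at all, which is why a policy check built on HasRootUID alone cannot tell an image running as root by default from a container explicitly running as a non-root user.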
Types ¶
type FakeSecurityContextProvider ¶
type FakeSecurityContextProvider struct{}
func (FakeSecurityContextProvider) ModifyContainerConfig ¶
func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)
func (FakeSecurityContextProvider) ModifyHostConfig ¶
func (p FakeSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)
Both methods are no-ops (see NewFakeSecurityContextProvider): the Config and HostConfig are passed through to Docker unchanged, so no field of the pod's or container's security context is applied.
type SecurityContextProvider ¶
type SecurityContextProvider interface {
	// ModifyContainerConfig is called before the Docker createContainer call.
	// The security context provider can make changes to the Config with which
	// the container is created.
	ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)

	// ModifyHostConfig is called before the Docker runContainer call.
	// The security context provider can make changes to the HostConfig, affecting
	// security options, whether the container is privileged, volume binds, etc.
	// An error is returned if it's not possible to secure the container as requested
	// with a security context.
	ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)
}
func NewFakeSecurityContextProvider ¶
func NewFakeSecurityContextProvider() SecurityContextProvider
NewFakeSecurityContextProvider creates a new, no-op security context provider.
func NewSimpleSecurityContextProvider ¶
func NewSimpleSecurityContextProvider() SecurityContextProvider
NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.
type SimpleSecurityContextProvider ¶
type SimpleSecurityContextProvider struct{}
SimpleSecurityContextProvider is the default implementation of a SecurityContextProvider.
func (SimpleSecurityContextProvider) ModifyContainerConfig ¶
func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *docker.Config)
ModifyContainerConfig is called before the Docker createContainer call. The security context provider can make changes to the Config with which the container is created.
func (SimpleSecurityContextProvider) ModifyHostConfig ¶
func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *docker.HostConfig)
ModifyHostConfig is called before the Docker runContainer call. The security context provider can make changes to the HostConfig, affecting security options, whether the container is privileged, volume binds, etc. The comment says an error is returned if it's not possible to secure the container as requested with a security context, but the signature shown above has no error return, so a caller cannot learn from the return value that a requested setting was not applied.
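The following is an added example, not the project's own code: a SimpleSecurityContextProvider-style ModifyHostConfig that maps a container's Privileged flag, capability Add/Drop lists and SELinuxOptions onto the HostConfig, beside the no-op fake provider, so the two can be compared on the same input. The types Pod, Container, SecurityContext, Capabilities, SELinuxOptions and HostConfig are minimal stand-ins (assumed shapes, not the real api or go-dockerclient types), and the label:key:value security-opt strings follow the form Docker of that era accepted for SELinux labels.

```go
package main

import "fmt"

// Stand-in types (assumption: shapes mirror api.SecurityContext and the
// go-dockerclient HostConfig fields this package touches; not the real types).
type Capability string

type Capabilities struct {
	Add  []Capability
	Drop []Capability
}

type SELinuxOptions struct {
	User, Role, Type, Level string
}

type SecurityContext struct {
	Privileged     *bool
	Capabilities   *Capabilities
	SELinuxOptions *SELinuxOptions
}

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

type Pod struct{ Name string }

type HostConfig struct {
	Privileged  bool
	CapAdd      []string
	CapDrop     []string
	SecurityOpt []string
}

type SecurityContextProvider interface {
	ModifyHostConfig(pod *Pod, container *Container, hostConfig *HostConfig)
}

// FakeSecurityContextProvider is the no-op provider: whatever the caller put
// in HostConfig beforehand is exactly what reaches Docker.
type FakeSecurityContextProvider struct{}

func (FakeSecurityContextProvider) ModifyHostConfig(*Pod, *Container, *HostConfig) {}

// SimpleSecurityContextProvider copies the container's SecurityContext onto the
// HostConfig. Each field is applied only when non-nil, so an unset field leaves
// the value already in HostConfig alone; it never forces Privileged back to false.
type SimpleSecurityContextProvider struct{}

func (SimpleSecurityContextProvider) ModifyHostConfig(pod *Pod, c *Container, hc *HostConfig) {
	sc := c.SecurityContext
	if sc == nil {
		return
	}
	if sc.Privileged != nil {
		hc.Privileged = *sc.Privileged
	}
	if sc.Capabilities != nil {
		hc.CapAdd = capNames(sc.Capabilities.Add)
		hc.CapDrop = capNames(sc.Capabilities.Drop)
	}
	if sc.SELinuxOptions != nil {
		hc.SecurityOpt = modifySecurityOptions(hc.SecurityOpt, sc.SELinuxOptions)
	}
}

func capNames(caps []Capability) []string {
	out := make([]string, 0, len(caps))
	for _, c := range caps {
		out = append(out, string(c))
	}
	return out
}

// modifySecurityOptions appends one "label:<key>:<value>" entry per set field,
// the --security-opt form Docker of that era accepted for SELinux labels.
// Unset fields are skipped so the runtime's default label applies to them.
func modifySecurityOptions(opts []string, sel *SELinuxOptions) []string {
	for _, kv := range [][2]string{{"user", sel.User}, {"role", sel.Role}, {"type", sel.Type}, {"level", sel.Level}} {
		if kv[1] != "" {
			opts = append(opts, fmt.Sprintf("label:%s:%s", kv[0], kv[1]))
		}
	}
	return opts
}

func main() {
	priv := true
	c := &Container{Name: "web", SecurityContext: &SecurityContext{ // constructed sample
		Privileged:     &priv,
		Capabilities:   &Capabilities{Add: []Capability{"NET_ADMIN"}, Drop: []Capability{"MKNOD", "SYS_CHROOT"}},
		SELinuxOptions: &SELinuxOptions{User: "system_u", Role: "system_r", Type: "svirt_lxc_net_t", Level: "s0:c1,c2"},
	}}
	for _, p := range []SecurityContextProvider{SimpleSecurityContextProvider{}, FakeSecurityContextProvider{}} {
		hc := &HostConfig{}
		p.ModifyHostConfig(&Pod{Name: "demo"}, c, hc)
		fmt.Printf("%T -> %+v\n", p, *hc)
	}
}
```

Two behaviours matter when reviewing a provider like this: a nil SecurityContext returns early and changes nothing, and a nil Privileged pointer leaves a pre-existing hc.Privileged = true in place. Neither case is reported back to the caller, since the method has no error return, so any "deny privileged" policy has to be enforced before or inside ModifyHostConfig rather than by inspecting its result.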