Documentation ¶
Overview ¶
Package securitycontext contains security context api implementations
Index ¶
- func AddNoNewPrivileges(sc *v1.SecurityContext) bool
- func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string
- func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string
- func DetermineEffectiveRunAsUser(pod *v1.Pod, container *v1.Container) (*int64, bool)
- func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext
- func HasCapabilitiesRequest(container *v1.Container) bool
- func HasPrivilegedRequest(container *v1.Container) bool
- func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
- func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
- type ContainerSecurityContextAccessor
- type ContainerSecurityContextMutator
- type PodSecurityContextAccessor
- type PodSecurityContextMutator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddNoNewPrivileges ¶ added in v1.8.0
func AddNoNewPrivileges(sc *v1.SecurityContext) bool
AddNoNewPrivileges returns if we should add the no_new_privs option.
func ConvertToRuntimeMaskedPaths ¶ added in v1.12.0
func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string
ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default masked paths.
func ConvertToRuntimeReadonlyPaths ¶ added in v1.12.0
func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string
ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default readonly paths.
func DetermineEffectiveRunAsUser ¶ added in v1.19.0
DetermineEffectiveRunAsUser returns a pointer of UID from the provided pod's and container's security context and a bool value to indicate if it is absent. Container's runAsUser take precedence in cases where both are set.
func DetermineEffectiveSecurityContext ¶ added in v1.2.0
DetermineEffectiveSecurityContext returns a synthesized SecurityContext for reading effective configurations from the provided pod's and container's security context. Container's fields take precedence in cases where both are set
func HasCapabilitiesRequest ¶
HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils
func HasPrivilegedRequest ¶
HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils
func ValidInternalSecurityContextWithContainerDefaults ¶ added in v1.6.0
func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
func ValidSecurityContextWithContainerDefaults ¶
func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
Types ¶
type ContainerSecurityContextAccessor ¶ added in v1.8.3
type ContainerSecurityContextAccessor interface { Capabilities() *api.Capabilities Privileged() *bool ProcMount() api.ProcMountType SELinuxOptions() *api.SELinuxOptions RunAsUser() *int64 RunAsGroup() *int64 RunAsNonRoot() *bool ReadOnlyRootFilesystem() *bool AllowPrivilegeEscalation() *bool }
ContainerSecurityContextAccessor allows reading the values of a SecurityContext object
func NewContainerSecurityContextAccessor ¶ added in v1.8.3
func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor
NewContainerSecurityContextAccessor returns an accessor for the provided container security context May be initialized with a nil SecurityContext
func NewEffectiveContainerSecurityContextAccessor ¶ added in v1.8.3
func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor
NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values for the provided pod security context and container security context
type ContainerSecurityContextMutator ¶ added in v1.8.3
type ContainerSecurityContextMutator interface { ContainerSecurityContextAccessor ContainerSecurityContext() *api.SecurityContext SetCapabilities(*api.Capabilities) SetPrivileged(*bool) SetSELinuxOptions(*api.SELinuxOptions) SetRunAsUser(*int64) SetRunAsGroup(*int64) SetRunAsNonRoot(*bool) SetReadOnlyRootFilesystem(*bool) SetAllowPrivilegeEscalation(*bool) }
ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object
func NewContainerSecurityContextMutator ¶ added in v1.8.3
func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator
NewContainerSecurityContextMutator returns a mutator for the provided container security context May be initialized with a nil SecurityContext
func NewEffectiveContainerSecurityContextMutator ¶ added in v1.8.3
func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator
NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values for the provided pod security context and container security context
type PodSecurityContextAccessor ¶ added in v1.8.3
type PodSecurityContextAccessor interface { HostNetwork() bool HostPID() bool HostIPC() bool SELinuxOptions() *api.SELinuxOptions RunAsUser() *int64 RunAsGroup() *int64 RunAsNonRoot() *bool SupplementalGroups() []int64 FSGroup() *int64 }
PodSecurityContextAccessor allows reading the values of a PodSecurityContext object
func NewPodSecurityContextAccessor ¶ added in v1.8.3
func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor
NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.
type PodSecurityContextMutator ¶ added in v1.8.3
type PodSecurityContextMutator interface { PodSecurityContextAccessor SetHostNetwork(bool) SetHostPID(bool) SetHostIPC(bool) SetSELinuxOptions(*api.SELinuxOptions) SetRunAsUser(*int64) SetRunAsGroup(*int64) SetRunAsNonRoot(*bool) SetSupplementalGroups([]int64) SetFSGroup(*int64) // PodSecurityContext returns the current PodSecurityContext object PodSecurityContext() *api.PodSecurityContext }
PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object
func NewPodSecurityContextMutator ¶ added in v1.8.3
func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator
NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.