securitycontext

package
v1.20.6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 15, 2021 License: Apache-2.0 Imports: 3 Imported by: 487

Documentation

Overview

Package securitycontext contains security context api implementations

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddNoNewPrivileges added in v1.8.0

func AddNoNewPrivileges(sc *v1.SecurityContext) bool

AddNoNewPrivileges returns if we should add the no_new_privs option.

func ConvertToRuntimeMaskedPaths added in v1.12.0

func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string

ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default masked paths.

func ConvertToRuntimeReadonlyPaths added in v1.12.0

func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string

ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default readonly paths.

func DetermineEffectiveRunAsUser added in v1.19.0

func DetermineEffectiveRunAsUser(pod *v1.Pod, container *v1.Container) (*int64, bool)

DetermineEffectiveRunAsUser returns a pointer of UID from the provided pod's and container's security context and a bool value to indicate if it is absent. Container's runAsUser take precedence in cases where both are set.

func DetermineEffectiveSecurityContext added in v1.2.0

func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext

DetermineEffectiveSecurityContext returns a synthesized SecurityContext for reading effective configurations from the provided pod's and container's security context. Container's fields take precedence in cases where both are set

func HasCapabilitiesRequest

func HasCapabilitiesRequest(container *v1.Container) bool

HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils

func HasPrivilegedRequest

func HasPrivilegedRequest(container *v1.Container) bool

HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils

func ValidInternalSecurityContextWithContainerDefaults added in v1.6.0

func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext

ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

func ValidSecurityContextWithContainerDefaults

func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext

ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

Types

type ContainerSecurityContextAccessor added in v1.8.3

type ContainerSecurityContextAccessor interface {
	Capabilities() *api.Capabilities
	Privileged() *bool
	ProcMount() api.ProcMountType
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsGroup() *int64
	RunAsNonRoot() *bool
	ReadOnlyRootFilesystem() *bool
	AllowPrivilegeEscalation() *bool
}

ContainerSecurityContextAccessor allows reading the values of a SecurityContext object

func NewContainerSecurityContextAccessor added in v1.8.3

func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor

NewContainerSecurityContextAccessor returns an accessor for the provided container security context May be initialized with a nil SecurityContext

func NewEffectiveContainerSecurityContextAccessor added in v1.8.3

func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor

NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values for the provided pod security context and container security context

type ContainerSecurityContextMutator added in v1.8.3

type ContainerSecurityContextMutator interface {
	ContainerSecurityContextAccessor

	ContainerSecurityContext() *api.SecurityContext

	SetCapabilities(*api.Capabilities)
	SetPrivileged(*bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsGroup(*int64)
	SetRunAsNonRoot(*bool)
	SetReadOnlyRootFilesystem(*bool)
	SetAllowPrivilegeEscalation(*bool)
}

ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object

func NewContainerSecurityContextMutator added in v1.8.3

func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator

NewContainerSecurityContextMutator returns a mutator for the provided container security context May be initialized with a nil SecurityContext

func NewEffectiveContainerSecurityContextMutator added in v1.8.3

func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator

NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values for the provided pod security context and container security context

type PodSecurityContextAccessor added in v1.8.3

type PodSecurityContextAccessor interface {
	HostNetwork() bool
	HostPID() bool
	HostIPC() bool
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsGroup() *int64
	RunAsNonRoot() *bool
	SupplementalGroups() []int64
	FSGroup() *int64
}

PodSecurityContextAccessor allows reading the values of a PodSecurityContext object

func NewPodSecurityContextAccessor added in v1.8.3

func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor

NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.

type PodSecurityContextMutator added in v1.8.3

type PodSecurityContextMutator interface {
	PodSecurityContextAccessor

	SetHostNetwork(bool)
	SetHostPID(bool)
	SetHostIPC(bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsGroup(*int64)
	SetRunAsNonRoot(*bool)
	SetSupplementalGroups([]int64)
	SetFSGroup(*int64)

	// PodSecurityContext returns the current PodSecurityContext object
	PodSecurityContext() *api.PodSecurityContext
}

PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object

func NewPodSecurityContextMutator added in v1.8.3

func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator

NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL