securitycontext

package

v0.0.0-...-d88c8b5 Latest Latest Go to latest Published: Feb 9, 2021 License: Apache-2.0 Imports: 3 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/arhat-dev/nikaya

Documentation ¶

Overview ¶

Package securitycontext contains security context api implementations

Index ¶

func AddNoNewPrivileges(sc *v1.SecurityContext) bool
func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string
func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string
func DetermineEffectiveRunAsUser(pod *v1.Pod, container *v1.Container) (*int64, bool)
func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext
func HasCapabilitiesRequest(container *v1.Container) bool
func HasPrivilegedRequest(container *v1.Container) bool
func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
type ContainerSecurityContextAccessor
- func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor
- func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor
type ContainerSecurityContextMutator
- func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator
- func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator
type PodSecurityContextAccessor
- func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor
type PodSecurityContextMutator
- func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func AddNoNewPrivileges ¶

func AddNoNewPrivileges(sc *v1.SecurityContext) bool

AddNoNewPrivileges returns if we should add the no_new_privs option.

func ConvertToRuntimeMaskedPaths ¶

func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string

ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default masked paths.

func ConvertToRuntimeReadonlyPaths ¶

func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string

ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default readonly paths.

func DetermineEffectiveRunAsUser ¶

func DetermineEffectiveRunAsUser(pod *v1.Pod, container *v1.Container) (*int64, bool)

DetermineEffectiveRunAsUser returns a pointer of UID from the provided pod's and container's security context and a bool value to indicate if it is absent. Container's runAsUser take precedence in cases where both are set.

func DetermineEffectiveSecurityContext ¶

func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext

DetermineEffectiveSecurityContext returns a synthesized SecurityContext for reading effective configurations from the provided pod's and container's security context. Container's fields take precedence in cases where both are set

func HasCapabilitiesRequest ¶

func HasCapabilitiesRequest(container *v1.Container) bool

HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils

func HasPrivilegedRequest ¶

func HasPrivilegedRequest(container *v1.Container) bool

HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils

func ValidInternalSecurityContextWithContainerDefaults ¶

func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext

ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

func ValidSecurityContextWithContainerDefaults ¶

func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext

ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

Types ¶

type ContainerSecurityContextAccessor ¶

type ContainerSecurityContextAccessor interface {
	Capabilities() *api.Capabilities
	Privileged() *bool
	ProcMount() api.ProcMountType
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsGroup() *int64
	RunAsNonRoot() *bool
	ReadOnlyRootFilesystem() *bool
	AllowPrivilegeEscalation() *bool
}

ContainerSecurityContextAccessor allows reading the values of a SecurityContext object

func NewContainerSecurityContextAccessor ¶

func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor

NewContainerSecurityContextAccessor returns an accessor for the provided container security context May be initialized with a nil SecurityContext

func NewEffectiveContainerSecurityContextAccessor ¶

func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor

NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values for the provided pod security context and container security context

type ContainerSecurityContextMutator ¶

type ContainerSecurityContextMutator interface {
	ContainerSecurityContextAccessor

	ContainerSecurityContext() *api.SecurityContext

	SetCapabilities(*api.Capabilities)
	SetPrivileged(*bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsGroup(*int64)
	SetRunAsNonRoot(*bool)
	SetReadOnlyRootFilesystem(*bool)
	SetAllowPrivilegeEscalation(*bool)
}

ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object

func NewContainerSecurityContextMutator ¶

func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator

NewContainerSecurityContextMutator returns a mutator for the provided container security context May be initialized with a nil SecurityContext

func NewEffectiveContainerSecurityContextMutator ¶

func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator

NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values for the provided pod security context and container security context

type PodSecurityContextAccessor ¶

type PodSecurityContextAccessor interface {
	HostNetwork() bool
	HostPID() bool
	HostIPC() bool
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsGroup() *int64
	RunAsNonRoot() *bool
	SupplementalGroups() []int64
	FSGroup() *int64
}

PodSecurityContextAccessor allows reading the values of a PodSecurityContext object

func NewPodSecurityContextAccessor ¶

func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor

NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.

type PodSecurityContextMutator ¶

type PodSecurityContextMutator interface {
	PodSecurityContextAccessor

	SetHostNetwork(bool)
	SetHostPID(bool)
	SetHostIPC(bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsGroup(*int64)
	SetRunAsNonRoot(*bool)
	SetSupplementalGroups([]int64)
	SetFSGroup(*int64)

	// PodSecurityContext returns the current PodSecurityContext object
	PodSecurityContext() *api.PodSecurityContext
}

PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object

func NewPodSecurityContextMutator ¶

func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator

NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL