Documentation ¶
Overview ¶
Package securitycontext contains security context api implementations
Index ¶
- Constants
- func DetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext
- func HasCapabilitiesRequest(container *api.Container) bool
- func HasPrivilegedRequest(container *api.Container) bool
- func HasRootRunAsUser(container *api.Container) bool
- func HasRootUID(container *api.Container) bool
- func HasRunAsUser(container *api.Container) bool
- func MakeCapabilities(capAdd []api.Capability, capDrop []api.Capability) ([]string, []string)
- func ModifySecurityOptions(config []string, selinuxOpts *api.SELinuxOptions) []string
- func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)
- func ValidSecurityContextWithContainerDefaults() *api.SecurityContext
- type FakeSecurityContextProvider
- type SecurityContextProvider
- type SimpleSecurityContextProvider
Constants ¶
Variables ¶
This section is empty.
Functions ¶
func DetermineEffectiveSecurityContext ¶ added in v1.2.0
func HasCapabilitiesRequest ¶
HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils
func HasPrivilegedRequest ¶
HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils
func HasRootRunAsUser ¶ added in v1.1.1
HasRootRunAsUser returns true if the run as user is set and it is set to 0.
func HasRootUID ¶ added in v1.1.1
HasNonRootUID returns true if the runAsUser is set and is greater than 0.
func HasRunAsUser ¶ added in v1.1.1
HasRunAsUser determines if the sc's runAsUser field is set.
func MakeCapabilities ¶ added in v1.2.0
func MakeCapabilities(capAdd []api.Capability, capDrop []api.Capability) ([]string, []string)
MakeCapabilities creates string slices from Capability slices
func ModifySecurityOptions ¶ added in v1.5.0
func ModifySecurityOptions(config []string, selinuxOpts *api.SELinuxOptions) []string
ModifySecurityOptions adds SELinux options to config.
func ParseSELinuxOptions ¶ added in v1.1.1
func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)
ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned.
func ValidSecurityContextWithContainerDefaults ¶
func ValidSecurityContextWithContainerDefaults() *api.SecurityContext
ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
Types ¶
type FakeSecurityContextProvider ¶
type FakeSecurityContextProvider struct{}
func (FakeSecurityContextProvider) ModifyContainerConfig ¶
func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)
func (FakeSecurityContextProvider) ModifyHostConfig ¶
func (p FakeSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
type SecurityContextProvider ¶
type SecurityContextProvider interface { // ModifyContainerConfig is called before the Docker createContainer call. // The security context provider can make changes to the Config with which // the container is created. ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config) // ModifyHostConfig is called before the Docker createContainer call. // The security context provider can make changes to the HostConfig, affecting // security options, whether the container is privileged, volume binds, etc. // An error is returned if it's not possible to secure the container as requested // with a security context. // // - pod: the pod to modify the docker hostconfig for // - container: the container to modify the hostconfig for // - supplementalGids: additional supplemental GIDs associated with the pod's volumes ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64) }
func NewFakeSecurityContextProvider ¶
func NewFakeSecurityContextProvider() SecurityContextProvider
NewFakeSecurityContextProvider creates a new, no-op security context provider.
func NewSimpleSecurityContextProvider ¶
func NewSimpleSecurityContextProvider() SecurityContextProvider
NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.
type SimpleSecurityContextProvider ¶
type SimpleSecurityContextProvider struct{}
SimpleSecurityContextProvider is the default implementation of a SecurityContextProvider.
func (SimpleSecurityContextProvider) ModifyContainerConfig ¶
func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)
ModifyContainerConfig is called before the Docker createContainer call. The security context provider can make changes to the Config with which the container is created.
func (SimpleSecurityContextProvider) ModifyHostConfig ¶
func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
ModifyHostConfig is called before the Docker runContainer call. The security context provider can make changes to the HostConfig, affecting security options, whether the container is privileged, volume binds, etc.