securitycontext

package
v1.10.6-lite6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 4, 2018 License: Apache-2.0 Imports: 5 Imported by: 0

Documentation

Overview

Package securitycontext contains security context api implementations

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddNoNewPrivileges 

func AddNoNewPrivileges(sc *v1.SecurityContext) bool

AddNoNewPrivileges returns if we should add the no_new_privs option.

func DetermineEffectiveSecurityContext 

func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext

func HasCapabilitiesRequest 

func HasCapabilitiesRequest(container *v1.Container) bool

HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils

func HasPrivilegedRequest 

func HasPrivilegedRequest(container *v1.Container) bool

HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils

func HasRootRunAsUser 

func HasRootRunAsUser(container *v1.Container) bool

HasRootRunAsUser returns true if the run as user is set and it is set to 0.

func HasRootUID 

func HasRootUID(container *v1.Container) bool

HasNonRootUID returns true if the runAsUser is set and is greater than 0.

func HasRunAsUser 

func HasRunAsUser(container *v1.Container) bool

HasRunAsUser determines if the sc's runAsUser field is set.

func ParseSELinuxOptions 

func ParseSELinuxOptions(context string) (*v1.SELinuxOptions, error)

ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned.

func ValidInternalSecurityContextWithContainerDefaults 

func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext

ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

func ValidSecurityContextWithContainerDefaults 

func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext

ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

Types

type ContainerSecurityContextAccessor 

type ContainerSecurityContextAccessor interface {
	Capabilities() *api.Capabilities
	Privileged() *bool
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsNonRoot() *bool
	ReadOnlyRootFilesystem() *bool
	AllowPrivilegeEscalation() *bool
}

func NewContainerSecurityContextAccessor 

func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor

func NewEffectiveContainerSecurityContextAccessor 

func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor

type ContainerSecurityContextMutator 

type ContainerSecurityContextMutator interface {
	ContainerSecurityContextAccessor

	ContainerSecurityContext() *api.SecurityContext

	SetCapabilities(*api.Capabilities)
	SetPrivileged(*bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsNonRoot(*bool)
	SetReadOnlyRootFilesystem(*bool)
	SetAllowPrivilegeEscalation(*bool)
}

func NewContainerSecurityContextMutator 

func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator

func NewEffectiveContainerSecurityContextMutator 

func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator

type PodSecurityContextAccessor 

type PodSecurityContextAccessor interface {
	HostNetwork() bool
	HostPID() bool
	HostIPC() bool
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsNonRoot() *bool
	SupplementalGroups() []int64
	FSGroup() *int64
}

PodSecurityContextAccessor allows reading the values of a PodSecurityContext object

func NewPodSecurityContextAccessor 

func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor

NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.

type PodSecurityContextMutator 

type PodSecurityContextMutator interface {
	PodSecurityContextAccessor

	SetHostNetwork(bool)
	SetHostPID(bool)
	SetHostIPC(bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsNonRoot(*bool)
	SetSupplementalGroups([]int64)
	SetFSGroup(*int64)

	// PodSecurityContext returns the current PodSecurityContext object
	PodSecurityContext() *api.PodSecurityContext
}

PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object

func NewPodSecurityContextMutator 

func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator

NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.