podsecuritypolicy

package

v1.13.2-k3s1 Latest Latest Go to latest Published: Jan 21, 2019 License: Apache-2.0 Imports: 18 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

Documentation ¶

Overview ¶

Package podsecuritypolicy contains code for validating and defaulting the security context of a pod and its containers according to a security policy.

Index ¶

type Provider
- func NewSimpleProvider(psp *policy.PodSecurityPolicy, namespace string, ...) (Provider, error)
type ProviderStrategies
type StrategyFactory
- func NewSimpleStrategyFactory() StrategyFactory

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Provider ¶

type Provider interface {
	// DefaultPodSecurityContext sets the default values of the required but not filled fields.
	// It modifies the SecurityContext and annotations of the provided pod.
	DefaultPodSecurityContext(pod *api.Pod) error
	// DefaultContainerSecurityContext sets the default values of the required but not filled fields.
	// It modifies the SecurityContext of the container and annotations of the pod.
	DefaultContainerSecurityContext(pod *api.Pod, container *api.Container) error
	// Ensure a pod is in compliance with the given constraints.
	ValidatePod(pod *api.Pod) field.ErrorList
	// Ensure a container's SecurityContext is in compliance with the given constraints.
	ValidateContainer(pod *api.Pod, container *api.Container, containerPath *field.Path) field.ErrorList
	// Get the name of the PSP that this provider was initialized with.
	GetPSPName() string
}

Provider provides the implementation to generate a new security context based on constraints or validate an existing security context against constraints.

func NewSimpleProvider ¶

func NewSimpleProvider(psp *policy.PodSecurityPolicy, namespace string, strategyFactory StrategyFactory) (Provider, error)

NewSimpleProvider creates a new Provider instance.

type ProviderStrategies ¶

type ProviderStrategies struct {
	RunAsUserStrategy         user.RunAsUserStrategy
	RunAsGroupStrategy        group.GroupStrategy
	SELinuxStrategy           selinux.SELinuxStrategy
	AppArmorStrategy          apparmor.Strategy
	FSGroupStrategy           group.GroupStrategy
	SupplementalGroupStrategy group.GroupStrategy
	CapabilitiesStrategy      capabilities.Strategy
	SysctlsStrategy           sysctl.SysctlsStrategy
	SeccompStrategy           seccomp.Strategy
}

ProviderStrategies is a holder for all strategies that the provider requires to be populated.

type StrategyFactory ¶

type StrategyFactory interface {
	// CreateStrategies creates the strategies that a provider will use.  The namespace argument
	// should be the namespace of the object being checked (the pod's namespace).
	CreateStrategies(psp *policy.PodSecurityPolicy, namespace string) (*ProviderStrategies, error)
}

StrategyFactory abstracts how the strategies are created from the provider so that you may implement your own custom strategies that may pull information from other resources as necessary. For example, if you would like to populate the strategies with values from namespace annotations you may create a factory with a client that can pull the namespace and populate the appropriate values.

func NewSimpleStrategyFactory ¶

func NewSimpleStrategyFactory() StrategyFactory

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
apparmor
capabilities Package capabilities contains code for validating and defaulting a pod's kernel capabilities according to a security policy.	Package capabilities contains code for validating and defaulting a pod's kernel capabilities according to a security policy.
group Package group contains code for validating and defaulting the FSGroup and supplemental groups of a pod according to a security policy.	Package group contains code for validating and defaulting the FSGroup and supplemental groups of a pod according to a security policy.
seccomp
selinux Package selinux contains code for validating and defaulting the SELinux context of a pod according to a security policy.	Package selinux contains code for validating and defaulting the SELinux context of a pod according to a security policy.
sysctl
user Package user contains code for validating and defaulting the UID of a pod or container according to a security policy.	Package user contains code for validating and defaulting the UID of a pod or container according to a security policy.
util Package util contains utility code shared amongst different parts of the pod security policy apparatus.	Package util contains utility code shared amongst different parts of the pod security policy apparatus.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL