sccmatching

package
Published: Mar 13, 2024 License: Apache-2.0 Imports: 30 Imported by: 13

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AssignSecurityContext

func AssignSecurityContext(provider SecurityContextConstraintsProvider, pod *kapi.Pod, fldPath *field.Path) field.ErrorList

AssignSecurityContext creates a security context for each container in the pod and validates that the security context falls within the SCC's constraints. All containers must validate against the same SCC, otherwise the pod is not considered valid.

func ConstraintAppliesTo

func ConstraintAppliesTo(ctx context.Context, sccName string, sccUsers, sccGroups []string, userInfo user.Info, namespace string, a authorizer.Authorizer) bool

ConstraintAppliesTo inspects the constraint's users and groups against the userInfo to determine whether the constraint is usable by that user. Anything done here needs to work with a deny authorizer, so the available choices are limited to SAR / Authorizer.

Types

type PatchedContainerSecurityContextAccessor

// PatchedContainerSecurityContextAccessor is the upstream
// ContainerSecurityContextAccessor extended with read access to the
// seccomp profile, so callers can evaluate the full container security
// context (including seccomp) through a single accessor.
type PatchedContainerSecurityContextAccessor interface {
	securitycontext.ContainerSecurityContextAccessor
	SecccompProfileAccessor
}

func NewContainerSecurityContextAccessor

func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) PatchedContainerSecurityContextAccessor

NewContainerSecurityContextAccessor returns an accessor for the provided container security context. It may be initialized with a nil SecurityContext.

func NewEffectiveContainerSecurityContextAccessor

func NewEffectiveContainerSecurityContextAccessor(podSC PatchedPodSecurityContextAccessor, containerSC PatchedContainerSecurityContextMutator) PatchedContainerSecurityContextAccessor

NewEffectiveContainerSecurityContextAccessor returns an accessor for reading the effective values of the provided pod security context and container security context.

type PatchedContainerSecurityContextMutator

// PatchedContainerSecurityContextMutator is the upstream
// ContainerSecurityContextMutator extended with read and write access to
// the seccomp profile. Providers use it to both inspect and assign the
// seccomp profile when generating a container security context.
type PatchedContainerSecurityContextMutator interface {
	securitycontext.ContainerSecurityContextMutator
	SecccompProfileAccessor
	SeccompProfileMutator
}

func NewContainerSecurityContextMutator

func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) PatchedContainerSecurityContextMutator

NewContainerSecurityContextMutator returns a mutator for the provided container security context. It may be initialized with a nil SecurityContext.

func NewEffectiveContainerSecurityContextMutator

func NewEffectiveContainerSecurityContextMutator(podSC PatchedPodSecurityContextAccessor, containerSC PatchedContainerSecurityContextMutator) PatchedContainerSecurityContextMutator

NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing the effective values of the provided pod security context and container security context.

type PatchedPodSecurityContextAccessor

// PatchedPodSecurityContextAccessor is the upstream
// PodSecurityContextAccessor extended with read access to the pod-level
// seccomp profile.
type PatchedPodSecurityContextAccessor interface {
	securitycontext.PodSecurityContextAccessor
	SecccompProfileAccessor
}

func NewPodSecurityContextAccessor

func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PatchedPodSecurityContextAccessor

NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.

type PatchedPodSecurityContextMutator

// PatchedPodSecurityContextMutator is the upstream PodSecurityContextMutator
// extended with read and write access to the pod-level seccomp profile.
type PatchedPodSecurityContextMutator interface {
	securitycontext.PodSecurityContextMutator
	SecccompProfileAccessor
	SeccompProfileMutator
}

func NewPodSecurityContextMutator

func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PatchedPodSecurityContextMutator

NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.

type SCCMatcher

// SCCMatcher resolves which SecurityContextConstraints may be applied to a
// request.
type SCCMatcher interface {
	// FindApplicableSCCs returns the SCCs that are usable in namespace by
	// the given users. The user argument is variadic; presumably a pod is
	// matched against both the requesting user and its service account —
	// confirm against the implementation. An error is returned when the
	// lookup itself fails, as opposed to simply no SCC matching.
	FindApplicableSCCs(ctx context.Context, namespace string, user ...user.Info) ([]*securityv1.SecurityContextConstraints, error)
}

type SecccompProfileAccessor

// SecccompProfileAccessor exposes read access to a seccomp profile.
//
// NOTE(review): the identifier is spelled with a triple "c" ("Secccomp"),
// unlike SeccompProfileMutator below; since it is exported, renaming it
// would be an API change for importers.
type SecccompProfileAccessor interface {
	// SeccompProfile returns the seccomp profile of the wrapped security
	// context; presumably nil when none is set — confirm against the
	// accessor implementations.
	SeccompProfile() *api.SeccompProfile
}

type SeccompProfileMutator

// SeccompProfileMutator exposes write access to a seccomp profile.
type SeccompProfileMutator interface {
	// SetSeccompProfile replaces the seccomp profile of the wrapped
	// security context with the given value.
	SetSeccompProfile(*api.SeccompProfile)
}

type SecurityContextConstraintsProvider

// SecurityContextConstraintsProvider provides the implementation to generate
// a new security context based on constraints, or to validate an existing
// security context against constraints. Validation is split into a
// pod-level and a container-level method; a caller that wants the whole pod
// checked must invoke the container-level method for every container.
type SecurityContextConstraintsProvider interface {
	// CreatePodSecurityContext creates a PodSecurityContext based on the given
	// constraints. The second result is a map[string]string; presumably
	// annotations to set on the pod — confirm against NewSimpleProvider.
	CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error)
	// CreateContainerSecurityContext creates a container SecurityContext based
	// on the given constraints.
	CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, error)
	// ValidatePodSecurityContext ensures a pod's SecurityContext is in
	// compliance with the given constraints. Returns an empty list when valid.
	ValidatePodSecurityContext(pod *api.Pod, fldPath *field.Path) field.ErrorList
	// ValidateContainerSecurityContext ensures a single container's
	// SecurityContext is in compliance with the given constraints. Returns an
	// empty list when valid.
	ValidateContainerSecurityContext(pod *api.Pod, container *api.Container, fldPath *field.Path) field.ErrorList
	// GetSCC returns the SCC that this provider was initialized with.
	GetSCC() *securityv1.SecurityContextConstraints
	// GetSCCName returns the name of the SCC that this provider was
	// initialized with.
	GetSCCName() string
	// GetSCCUsers returns the users associated to the SCC this provider was
	// initialized with.
	GetSCCUsers() []string
	// GetSCCGroups returns the groups associated to the SCC this provider was
	// initialized with.
	GetSCCGroups() []string
}

SecurityContextConstraintsProvider provides the implementation to generate a new security context based on constraints or validate an existing security context against constraints.

func CreateProviderFromConstraint

func CreateProviderFromConstraint(namespace *corev1.Namespace, constraint *securityv1.SecurityContextConstraints) (SecurityContextConstraintsProvider, error)

CreateProviderFromConstraint creates a SecurityContextConstraintsProvider from a SecurityContextConstraints object.

func CreateProvidersFromConstraints

func CreateProvidersFromConstraints(ctx context.Context, namespaceName string, sccs []*securityv1.SecurityContextConstraints, namespaceLister corev1listers.NamespaceLister) ([]SecurityContextConstraintsProvider, []error)

CreateProvidersFromConstraints creates providers from the constraints supplied, including looking up pre-allocated values if necessary using the pod's namespace.

func NewSimpleProvider

NewSimpleProvider creates a new SecurityContextConstraintsProvider instance.
