Package securitycontextconstraints (v1.0.0)

Published: Jul 24, 2018 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Constants

const SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"

TODO promote like kube did

Variables

This section is empty.

Functions

func AssignSecurityContext

func AssignSecurityContext(provider SecurityContextConstraintsProvider, pod *kapi.Pod, fldPath *field.Path) field.ErrorList

AssignSecurityContext creates a security context for each container in the pod and validates that the security context falls within the SCC's constraints. All containers must validate against the same SCC, or the pod is not considered valid.

func ConstraintAppliesTo

func ConstraintAppliesTo(constraint *securityapi.SecurityContextConstraints, userInfo user.Info, namespace string, a authorizer.Authorizer) bool

ConstraintAppliesTo inspects the constraint's users and groups against the userInfo to determine whether the constraint is usable by that user. TODO: make this private and have the router SA check do a SAR check instead. Anything we do here needs to work with a deny authorizer, so the choices are limited to SAR / Authorizer.

func DeduplicateSecurityContextConstraints

func DeduplicateSecurityContextConstraints(sccs []*securityapi.SecurityContextConstraints) []*securityapi.SecurityContextConstraints

DeduplicateSecurityContextConstraints ensures we have a unique slice of constraints.

func SysctlsFromPodSecurityPolicyAnnotation

func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error)

TODO promote like kube did

Types

type ByPriority

ByPriority is a helper to sort SCCs based on priority. If priorities are equal, a string compare of the name is used.

func (ByPriority) Len

func (s ByPriority) Len() int

func (ByPriority) Less

func (s ByPriority) Less(i, j int) bool

func (ByPriority) Swap

func (s ByPriority) Swap(i, j int)

type ByRestrictions

type ByRestrictions []*securityapi.SecurityContextConstraints

ByRestrictions is a helper to sort SCCs in order of most restrictive to least restrictive.

func (ByRestrictions) Len

func (s ByRestrictions) Len() int

func (ByRestrictions) Less

func (s ByRestrictions) Less(i, j int) bool

func (ByRestrictions) Swap

func (s ByRestrictions) Swap(i, j int)

type SCCMatcher

type SCCMatcher interface {
	FindApplicableSCCs(user user.Info, namespace string) ([]*securityapi.SecurityContextConstraints, error)
}

type SecurityContextConstraintsProvider

type SecurityContextConstraintsProvider interface {
	// Create a PodSecurityContext based on the given constraints.
	CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error)
	// Create a container SecurityContext based on the given constraints
	CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, error)
	// Ensure a pod's SecurityContext is in compliance with the given constraints.
	ValidatePodSecurityContext(pod *api.Pod, fldPath *field.Path) field.ErrorList
	// Ensure a container's SecurityContext is in compliance with the given constraints
	ValidateContainerSecurityContext(pod *api.Pod, container *api.Container, fldPath *field.Path) field.ErrorList
	// Get the name of the SCC that this provider was initialized with.
	GetSCCName() string
}

SecurityContextConstraintsProvider provides the implementation to generate a new security context based on constraints or validate an existing security context against constraints.

func CreateProviderFromConstraint

func CreateProviderFromConstraint(ns string, namespace *kapi.Namespace, constraint *securityapi.SecurityContextConstraints, client clientset.Interface) (SecurityContextConstraintsProvider, *kapi.Namespace, error)

CreateProviderFromConstraint creates a SecurityContextConstraintsProvider from a SecurityContextConstraints object.

func CreateProvidersFromConstraints

func CreateProvidersFromConstraints(ns string, sccs []*securityapi.SecurityContextConstraints, client clientset.Interface) ([]SecurityContextConstraintsProvider, []error)

CreateProvidersFromConstraints creates providers from the constraints supplied, including looking up pre-allocated values if necessary using the pod's namespace.

func NewSimpleProvider

NewSimpleProvider creates a new SecurityContextConstraintsProvider instance.

Directories

Path: selinux. Synopsis: Package selinux contains security context constraints SELinux strategy implementations.
Path: user. Synopsis: Package user contains security context constraints user strategy implementations.
