Documentation
Index ¶
- func InitializeVolumes(specVolumes []v1.Volume, configMaps []v1.ConfigMap, ...) (map[string]*KubeVolume, error)
- func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions, ...) (entities.PodCreateOptions, error)
- func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error)
- type CtrSpecGenOptions
- type KubeSeccompPaths
- type KubeVolume
- func VolumeFromConfigMap(configMapVolumeSource *v1.ConfigMapVolumeSource, configMaps []v1.ConfigMap) (*KubeVolume, error)
- func VolumeFromEmptyDir(emptyDirVolumeSource *v1.EmptyDirVolumeSource, name string) (*KubeVolume, error)
- func VolumeFromHostPath(hostPath *v1.HostPathVolumeSource, mountLabel string) (*KubeVolume, error)
- func VolumeFromPersistentVolumeClaim(claim *v1.PersistentVolumeClaimVolumeSource) (*KubeVolume, error)
- func VolumeFromSecret(secretSource *v1.SecretVolumeSource, secretsManager *secrets.SecretsManager) (*KubeVolume, error)
- func VolumeFromSource(volumeSource v1.VolumeSource, configMaps []v1.ConfigMap, ...) (*KubeVolume, error)
- type KubeVolumeType
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func InitializeVolumes ¶
func InitializeVolumes(specVolumes []v1.Volume, configMaps []v1.ConfigMap, secretsManager *secrets.SecretsManager, mountLabel string) (map[string]*KubeVolume, error)
InitializeVolumes creates a map from volume name to KubeVolume.
func ToPodOpt ¶
func ToPodOpt(ctx context.Context, podName string, p entities.PodCreateOptions, publishAllPorts bool, podYAML *v1.PodTemplateSpec) (entities.PodCreateOptions, error)
func ToSpecGen ¶
func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGenerator, error)
Types ¶
type CtrSpecGenOptions ¶
// CtrSpecGenOptions is the options struct passed to ToSpecGen. It bundles the
// container definition read from the pod YAML with pod-level settings.
// Several fields relax or tighten container isolation (the *NSIsHost flags,
// SeccompPaths, ReadOnly, PodSecurityContext), so review how callers set them.
type CtrSpecGenOptions struct {
// Annotations from the Pod
Annotations map[string]string
// Container as read from the pod yaml
Container v1.Container
// Image available to use (pulled or found local)
Image *libimage.Image
// IpcNSIsHost tells the container to use the host ipcns.
// Using a host namespace removes that isolation boundary between the
// container and the host.
IpcNSIsHost bool
// Volumes for all containers
Volumes map[string]*KubeVolume
// VolumesFrom for all containers
VolumesFrom []string
// PodID of the parent pod
PodID string
// PodName of the parent pod
PodName string
// PodInfraID as the infrastructure container id
PodInfraID string
// ConfigMaps the configuration maps for environment variables
ConfigMaps []v1.ConfigMap
// SeccompPaths for finding the seccomp profile path
// (see KubeSeccompPaths.FindForContainer).
SeccompPaths *KubeSeccompPaths
// ReadOnly makes the root file system of all containers read-only.
// NOTE(review): the OptionalBool type suggests "unset" is distinct from
// false; confirm which default applies when it is unset.
ReadOnly itypes.OptionalBool
// RestartPolicy defines the restart policy of the container
RestartPolicy string
// NetNSIsHost tells the container to use the host netns.
// The container then shares the host's network namespace.
NetNSIsHost bool
// UserNSIsHost tells the container to use the host userns.
// No separate user namespace (and so no UID/GID remapping by one) is
// applied to the container in that case.
UserNSIsHost bool
// PidNSIsHost tells the container to use the host pidns.
// The container then shares the host's PID namespace.
PidNSIsHost bool
// UtsNSIsHost tells the container to use the host utsns
UtsNSIsHost bool
// SecretsManager to access the secrets
SecretsManager *secrets.SecretsManager
// LogDriver which should be used for the container
LogDriver string
// LogOptions log options which should be used for the container
LogOptions []string
// Labels define key-value pairs of metadata
Labels map[string]string
// IsInfra was left undocumented by the author.
// NOTE(review): presumably marks this container as the pod's infra
// container (compare PodInfraID) — confirm against ToSpecGen.
IsInfra bool
// InitContainerType sets what type the init container is
// Note: When playing a kube yaml, the init container type will be set to "always" only
InitContainerType string
// PodSecurityContext is the security context specified for the pod
PodSecurityContext *v1.PodSecurityContext
// TerminationGracePeriodSeconds is the grace period given to a container to stop before being forcefully killed
TerminationGracePeriodSeconds *int64
}
type KubeSeccompPaths ¶
type KubeSeccompPaths struct {
// contains filtered or unexported fields
}
KubeSeccompPaths holds information about a pod YAML's seccomp configuration. It holds both container and pod seccomp paths.
func InitializeSeccompPaths ¶
func InitializeSeccompPaths(annotations map[string]string, profileRoot string) (*KubeSeccompPaths, error)
InitializeSeccompPaths takes annotations from the pod object metadata and finds the annotations pertaining to seccomp. It parses both pod-level and container-level annotations. If an annotation is of the form "localhost/%s", the seccomp profile will be set to profileRoot/%s.
func (*KubeSeccompPaths) FindForContainer ¶
func (k *KubeSeccompPaths) FindForContainer(ctrName string) string
FindForContainer checks whether a container has a seccomp path configured for it. If not, it returns the podPath, which should always have a value.
type KubeVolume ¶
// KubeVolume describes one volume derived from a pod YAML volume source.
// The VolumeFrom* constructors and InitializeVolumes in this package
// return values of this type.
type KubeVolume struct {
// Type of volume to create
Type KubeVolumeType
// Path for bind mount or volume name for named volume
Source string
// Items to add to a named volume created where the key is the file name and the value is the data
// This is only used when there are volumes in the yaml that refer to a configmap
// Example: if configmap has data "SPECIAL_LEVEL: very" then the file name is "SPECIAL_LEVEL" and the
// data in that file is "very".
// NOTE(review): keys are used as file names; confirm that the code which
// writes them rejects keys containing path separators.
Items map[string][]byte
// If the volume is optional, we can move on if it is not found
// Only used when there are volumes in a yaml that refer to a configmap
Optional bool
// DefaultMode sets the permissions on files created for the volume
// This is optional and defaults to 0644
// With 0644 the files are readable by every user inside the container;
// set a narrower mode when the volume holds sensitive data.
DefaultMode int32
}
func VolumeFromConfigMap ¶
func VolumeFromConfigMap(configMapVolumeSource *v1.ConfigMapVolumeSource, configMaps []v1.ConfigMap) (*KubeVolume, error)
func VolumeFromEmptyDir ¶
func VolumeFromEmptyDir(emptyDirVolumeSource *v1.EmptyDirVolumeSource, name string) (*KubeVolume, error)
VolumeFromEmptyDir creates a KubeVolume for an emptyDir volume.
func VolumeFromHostPath ¶
func VolumeFromHostPath(hostPath *v1.HostPathVolumeSource, mountLabel string) (*KubeVolume, error)
VolumeFromHostPath creates a KubeVolume from a HostPathVolumeSource.
func VolumeFromPersistentVolumeClaim ¶
func VolumeFromPersistentVolumeClaim(claim *v1.PersistentVolumeClaimVolumeSource) (*KubeVolume, error)
VolumeFromPersistentVolumeClaim creates a KubeVolume from a PersistentVolumeClaimVolumeSource.
func VolumeFromSecret ¶
func VolumeFromSecret(secretSource *v1.SecretVolumeSource, secretsManager *secrets.SecretsManager) (*KubeVolume, error)
VolumeFromSecret creates a new kube volume from a kube secret.
func VolumeFromSource ¶
func VolumeFromSource(volumeSource v1.VolumeSource, configMaps []v1.ConfigMap, secretsManager *secrets.SecretsManager, volName, mountLabel string) (*KubeVolume, error)
VolumeFromSource creates a KubeVolume from one of the supported VolumeSource types.
type KubeVolumeType ¶
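// KubeVolumeType identifies the kind of volume a KubeVolume describes.
type KubeVolumeType int

// The values are assigned by iota in declaration order, so inserting or
// reordering entries changes the numeric value of every later constant.
//
// NOTE(review): judging by their names, BindMount, BlockDevice and CharDevice
// expose host paths or devices to the container; confirm which volume
// sources produce them before accepting pod YAML from a less-trusted origin.
const (
	// KubeVolumeTypeBindMount is a bind mount; KubeVolume.Source holds the path.
	KubeVolumeTypeBindMount KubeVolumeType = iota
	// KubeVolumeTypeNamed is a named volume; KubeVolume.Source holds the name.
	KubeVolumeTypeNamed
	// KubeVolumeTypeConfigMap is a volume that refers to a configmap.
	KubeVolumeTypeConfigMap
	// KubeVolumeTypeBlockDevice is, by its name, a block device volume.
	KubeVolumeTypeBlockDevice
	// KubeVolumeTypeCharDevice is, by its name, a character device volume.
	KubeVolumeTypeCharDevice
	// KubeVolumeTypeSecret is a volume created from a kube secret.
	KubeVolumeTypeSecret
	// KubeVolumeTypeEmptyDir is an emptyDir volume.
	KubeVolumeTypeEmptyDir
	// KubeVolumeTypeEmptyDirTmpfs is, by its name, a tmpfs-backed emptyDir volume.
	KubeVolumeTypeEmptyDirTmpfs
)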