 Documentation
      ¶
      Documentation
      ¶
    
    
  
    
  
    Overview ¶
Package securitycontext contains security context api implementations
Index ¶
- func DetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext
- func HasCapabilitiesRequest(container *api.Container) bool
- func HasPrivilegedRequest(container *api.Container) bool
- func HasRootRunAsUser(container *api.Container) bool
- func HasRootUID(container *api.Container) bool
- func HasRunAsUser(container *api.Container) bool
- func MakeCapabilities(capAdd []api.Capability, capDrop []api.Capability) ([]string, []string)
- func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)
- func ValidSecurityContextWithContainerDefaults() *api.SecurityContext
- type FakeSecurityContextProvider
- type SecurityContextProvider
- type SimpleSecurityContextProvider
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DetermineEffectiveSecurityContext ¶ added in v1.2.0
func HasCapabilitiesRequest ¶
HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils
func HasPrivilegedRequest ¶
HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils
func HasRootRunAsUser ¶ added in v1.1.1
HasRootRunAsUser returns true if the run as user is set and it is set to 0.
func HasRootUID ¶ added in v1.1.1
HasNonRootUID returns true if the runAsUser is set and is greater than 0.
func HasRunAsUser ¶ added in v1.1.1
HasRunAsUser determines if the sc's runAsUser field is set.
func MakeCapabilities ¶ added in v1.2.0
func MakeCapabilities(capAdd []api.Capability, capDrop []api.Capability) ([]string, []string)
MakeCapabilities creates string slices from Capability slices
func ParseSELinuxOptions ¶ added in v1.1.1
func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error)
ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned.
func ValidSecurityContextWithContainerDefaults ¶
func ValidSecurityContextWithContainerDefaults() *api.SecurityContext
ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
Types ¶
type FakeSecurityContextProvider ¶
type FakeSecurityContextProvider struct{}
    func (FakeSecurityContextProvider) ModifyContainerConfig ¶
func (p FakeSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)
func (FakeSecurityContextProvider) ModifyHostConfig ¶
func (p FakeSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
type SecurityContextProvider ¶
type SecurityContextProvider interface {
	// ModifyContainerConfig is called before the Docker createContainer call.
	// The security context provider can make changes to the Config with which
	// the container is created.
	ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)
	// ModifyHostConfig is called before the Docker createContainer call.
	// The security context provider can make changes to the HostConfig, affecting
	// security options, whether the container is privileged, volume binds, etc.
	// An error is returned if it's not possible to secure the container as requested
	// with a security context.
	//
	// - pod: the pod to modify the docker hostconfig for
	// - container: the container to modify the hostconfig for
	// - supplementalGids: additional supplemental GIDs associated with the pod's volumes
	ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
}
    func NewFakeSecurityContextProvider ¶
func NewFakeSecurityContextProvider() SecurityContextProvider
NewFakeSecurityContextProvider creates a new, no-op security context provider.
func NewSimpleSecurityContextProvider ¶
func NewSimpleSecurityContextProvider() SecurityContextProvider
NewSimpleSecurityContextProvider creates a new SimpleSecurityContextProvider.
type SimpleSecurityContextProvider ¶
type SimpleSecurityContextProvider struct{}
    SimpleSecurityContextProvider is the default implementation of a SecurityContextProvider.
func (SimpleSecurityContextProvider) ModifyContainerConfig ¶
func (p SimpleSecurityContextProvider) ModifyContainerConfig(pod *api.Pod, container *api.Container, config *dockercontainer.Config)
ModifyContainerConfig is called before the Docker createContainer call. The security context provider can make changes to the Config with which the container is created.
func (SimpleSecurityContextProvider) ModifyHostConfig ¶
func (p SimpleSecurityContextProvider) ModifyHostConfig(pod *api.Pod, container *api.Container, hostConfig *dockercontainer.HostConfig, supplementalGids []int64)
ModifyHostConfig is called before the Docker runContainer call. The security context provider can make changes to the HostConfig, affecting security options, whether the container is privileged, volume binds, etc.