Affected by GO-2022-0617 and 2 other vulnerabilities

GO-2022-0617: WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes

GO-2025-3521: Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes

GO-2025-3547: Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes

translator

package

v1.35.0-alpha.1 Latest Latest Go to latest Published: Oct 8, 2025 License: Apache-2.0 Imports: 3 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Links

Open Source Insights

Documentation ¶

Index ¶

type ControllerSELinuxTranslator

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type ControllerSELinuxTranslator ¶

type ControllerSELinuxTranslator struct{}

ControllerSELinuxTranslator is implementation of SELinuxLabelTranslator that can be used in kube-controller-manager (KCM). A real SELinuxLabelTranslator would be able to file empty parts of SELinuxOptions from the operating system defaults (/etc/selinux/*). KCM often runs as a container and cannot access /etc/selinux on the host. Even if it could, KCM can run on a different distro than the actual worker nodes. Therefore do not even try to file the defaults, use only fields filed in the provided SELinuxOptions.

func (*ControllerSELinuxTranslator) Conflicts ¶

func (c *ControllerSELinuxTranslator) Conflicts(labelA, labelB string) bool

Conflicts returns true if two SELinux labels conflict. These labels must be generated by SELinuxOptionsToFileLabel above (the function expects strict nr. of elements in the labels). Since this translator cannot default missing label components from the operating system, the first three components can be empty. In this case, the empty components don't lead to a conflict when compared to a real SELinux label and this function returns false (as no conflict can be detected). The last component (level) is always compared, as it is not defaulted by the operating system. Example: "system_u:system_r:container_t:s0:c1,c2" *does not* conflict with ":::s0:c1,c2", because the node that will run such a Pod may expand ":::s0:c1,c2" to "system_u:system_r:container_t:s0:c1,c2". However: "system_u:system_r:container_t:s0:c1,c2" *does* conflict with ":::s0:c98,c99". And ":::s0:c1,c2" *does* conflict with "" or ":::", because it's never defaulted by the OS.

func (*ControllerSELinuxTranslator) SELinuxEnabled ¶

func (c *ControllerSELinuxTranslator) SELinuxEnabled() bool

func (*ControllerSELinuxTranslator) SELinuxOptionsToFileLabel ¶

func (c *ControllerSELinuxTranslator) SELinuxOptionsToFileLabel(opts *v1.SELinuxOptions) (string, error)

Source Files ¶

View all Source files

selinux_translator.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL