Documentation
¶
Overview ¶
Package securitycontext contains security context api implementations
Index ¶
- func AddNoNewPrivileges(sc *v1.SecurityContext) bool
- func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string
- func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string
- func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext
- func HasCapabilitiesRequest(container *v1.Container) bool
- func HasPrivilegedRequest(container *v1.Container) bool
- func ParseSELinuxOptions(context string) (*v1.SELinuxOptions, error)
- func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
- func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
- type ContainerSecurityContextAccessor
- type ContainerSecurityContextMutator
- type PodSecurityContextAccessor
- type PodSecurityContextMutator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddNoNewPrivileges ¶ added in v1.8.0
func AddNoNewPrivileges(sc *v1.SecurityContext) bool
AddNoNewPrivileges returns if we should add the no_new_privs option.
func ConvertToRuntimeMaskedPaths ¶ added in v1.12.0
func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string
ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default masked paths.
func ConvertToRuntimeReadonlyPaths ¶ added in v1.12.0
func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string
ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default readonly paths.
func DetermineEffectiveSecurityContext ¶ added in v1.2.0
func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext
func HasCapabilitiesRequest ¶
func HasCapabilitiesRequest(container *v1.Container) bool
HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils
func HasPrivilegedRequest ¶
func HasPrivilegedRequest(container *v1.Container) bool
HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils
func ParseSELinuxOptions ¶ added in v1.1.0
func ParseSELinuxOptions(context string) (*v1.SELinuxOptions, error)
ParseSELinuxOptions parses a string containing a full SELinux context (user, role, type, and level) into an SELinuxOptions object. If the context is malformed, an error is returned.
func ValidInternalSecurityContextWithContainerDefaults ¶ added in v1.6.0
func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext
ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
func ValidSecurityContextWithContainerDefaults ¶
func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext
ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.
Types ¶
type ContainerSecurityContextAccessor ¶ added in v1.8.3
type ContainerSecurityContextAccessor interface {
Capabilities() *api.Capabilities
Privileged() *bool
ProcMount() api.ProcMountType
SELinuxOptions() *api.SELinuxOptions
RunAsUser() *int64
RunAsGroup() *int64
RunAsNonRoot() *bool
ReadOnlyRootFilesystem() *bool
AllowPrivilegeEscalation() *bool
}
func NewContainerSecurityContextAccessor ¶ added in v1.8.3
func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor
func NewEffectiveContainerSecurityContextAccessor ¶ added in v1.8.3
func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor
type ContainerSecurityContextMutator ¶ added in v1.8.3
type ContainerSecurityContextMutator interface {
ContainerSecurityContextAccessor
ContainerSecurityContext() *api.SecurityContext
SetCapabilities(*api.Capabilities)
SetPrivileged(*bool)
SetSELinuxOptions(*api.SELinuxOptions)
SetRunAsUser(*int64)
SetRunAsGroup(*int64)
SetRunAsNonRoot(*bool)
SetReadOnlyRootFilesystem(*bool)
SetAllowPrivilegeEscalation(*bool)
}
func NewContainerSecurityContextMutator ¶ added in v1.8.3
func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator
func NewEffectiveContainerSecurityContextMutator ¶ added in v1.8.3
func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator
type PodSecurityContextAccessor ¶ added in v1.8.3
type PodSecurityContextAccessor interface {
HostNetwork() bool
HostPID() bool
HostIPC() bool
SELinuxOptions() *api.SELinuxOptions
RunAsUser() *int64
RunAsGroup() *int64
RunAsNonRoot() *bool
SupplementalGroups() []int64
FSGroup() *int64
}
PodSecurityContextAccessor allows reading the values of a PodSecurityContext object
func NewPodSecurityContextAccessor ¶ added in v1.8.3
func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor
NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.
type PodSecurityContextMutator ¶ added in v1.8.3
type PodSecurityContextMutator interface {
PodSecurityContextAccessor
SetHostNetwork(bool)
SetHostPID(bool)
SetHostIPC(bool)
SetSELinuxOptions(*api.SELinuxOptions)
SetRunAsUser(*int64)
SetRunAsGroup(*int64)
SetRunAsNonRoot(*bool)
SetSupplementalGroups([]int64)
SetFSGroup(*int64)
// PodSecurityContext returns the current PodSecurityContext object
PodSecurityContext() *api.PodSecurityContext
}
PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object
func NewPodSecurityContextMutator ¶ added in v1.8.3
func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator
NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.
Source Files