Documentation ¶
Index ¶
- Constants
- func GetProfileName(pod *v1.Pod, containerName string) string
- func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string
- func IsAppArmorEnabled() bool
- func SetProfileName(pod *v1.Pod, containerName, profileName string) error
- func SetProfileNameFromPodAnnotations(annotations map[string]string, containerName, profileName string) error
- func ValidateProfileFormat(profile string) error
- type Validator
Constants ¶
const (
	// The prefix to an annotation key specifying a container profile.
	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
	// The annotation key specifying the default AppArmor profile.
	DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
	// The annotation key specifying the allowed AppArmor profiles.
	AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"
	// The profile specifying the runtime default.
	ProfileRuntimeDefault = "runtime/default"
	// The prefix for specifying profiles loaded on the node.
	ProfileNamePrefix = "localhost/"
	// Unconfined profile
	ProfileNameUnconfined = "unconfined"
)
TODO: Move these values into the API package.
Variables ¶
This section is empty.
Functions ¶
func GetProfileName ¶
func GetProfileName(pod *v1.Pod, containerName string) string
Returns the name of the profile to use with the container.
func GetProfileNameFromPodAnnotations ¶ added in v1.5.0
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string
GetProfileNameFromPodAnnotations gets the name of the profile to use with the container from the pod annotations.
func IsAppArmorEnabled ¶
func IsAppArmorEnabled() bool
IsAppArmorEnabled returns true if apparmor is enabled for the host. This function is forked from https://github.com/opencontainers/runc/blob/1a81e9ab1f138c091fe5c86d0883f87716088527/libcontainer/apparmor/apparmor.go to avoid the libapparmor dependency.
func SetProfileName ¶
func SetProfileName(pod *v1.Pod, containerName, profileName string) error
Sets the name of the profile to use with the container.
func SetProfileNameFromPodAnnotations ¶ added in v1.6.0
func SetProfileNameFromPodAnnotations(annotations map[string]string, containerName, profileName string) error
Sets the name of the profile to use with the container.
func ValidateProfileFormat ¶
func ValidateProfileFormat(profile string) error
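How the constants above combine into per-container annotations, as an added example that is not the package's own code: `auditProfiles` is a hypothetical helper that assumes a container's annotation key is `ContainerAnnotationKeyPrefix` plus the container name and that a profile value is `runtime/default`, `unconfined`, or `localhost/<name>`. It reports containers left without confinement, including the case where a misspelled container name in the key makes the annotation apply to nothing.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Values copied from the Constants section of this page.
const (
	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
	ProfileRuntimeDefault        = "runtime/default"
	ProfileNamePrefix            = "localhost/"
	ProfileNameUnconfined        = "unconfined"
)

// auditProfiles is a hypothetical helper, not part of the package. It assumes
// a container's annotation key is ContainerAnnotationKeyPrefix + container name.
func auditProfiles(annotations map[string]string, containers []string) []string {
	var findings []string
	known := map[string]bool{}
	for _, c := range containers {
		known[c] = true
		profile := annotations[ContainerAnnotationKeyPrefix+c]
		switch {
		case profile == "":
			findings = append(findings, c+": no profile annotation")
		case profile == ProfileNameUnconfined:
			findings = append(findings, c+": runs unconfined")
		case profile == ProfileRuntimeDefault,
			strings.HasPrefix(profile, ProfileNamePrefix) && len(profile) > len(ProfileNamePrefix):
			// Accepted; requiring a non-empty name after "localhost/" is this example's choice.
		default:
			findings = append(findings, fmt.Sprintf("%s: malformed profile %q", c, profile))
		}
	}
	// An annotation whose suffix matches no container (e.g. a typo) confines nothing.
	for key := range annotations {
		name := strings.TrimPrefix(key, ContainerAnnotationKeyPrefix)
		if name != key && !known[name] {
			findings = append(findings, name+": annotation names no container in the pod")
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	ann := map[string]string{ContainerAnnotationKeyPrefix + "wbe": "unconfined"} // constructed sample
	fmt.Println(auditProfiles(ann, []string{"web"}))
}
```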
Types ¶
type Validator ¶
type Validator interface {
	Validate(pod *v1.Pod) error
	ValidateHost() error
}
Interface for validating that a pod with an AppArmor profile can be run by a Node.
func NewValidator ¶
func NewValidator(runtime string) Validator