Functions ¶
func AssignSecurityContext ¶
func AssignSecurityContext(provider SecurityContextConstraintsProvider, pod *kapi.Pod, fldPath *field.Path) field.ErrorList
AssignSecurityContext creates a security context for each container in the pod and validates that the security context falls within the SCC's constraints. All containers must validate against the same SCC, or the pod is not considered valid.
func ConstraintAppliesTo ¶
func ConstraintAppliesTo(ctx context.Context, sccName string, sccUsers, sccGroups []string, userInfo user.Info, namespace string, a authorizer.Authorizer) bool
ConstraintAppliesTo inspects the constraint's users and groups against the userInfo to determine whether the constraint is usable by that user. Anything done here needs to work with a deny authorizer, so the choices are limited to SAR / Authorizer.
Types ¶
type PatchedContainerSecurityContextAccessor ¶
// PatchedContainerSecurityContextAccessor is the upstream
// securitycontext.ContainerSecurityContextAccessor extended with read access to
// the container's seccomp profile (SecccompProfileAccessor — the triple-c
// spelling is the real identifier).
//
// NOTE(review): the "Patched" prefix suggests the embedded upstream interface
// lacks a seccomp accessor — confirm against the vendored securitycontext package.
type PatchedContainerSecurityContextAccessor interface {
	securitycontext.ContainerSecurityContextAccessor
	SecccompProfileAccessor
}
func NewContainerSecurityContextAccessor ¶
func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) PatchedContainerSecurityContextAccessor
NewContainerSecurityContextAccessor returns an accessor for the provided container security context. May be initialized with a nil SecurityContext.
func NewEffectiveContainerSecurityContextAccessor ¶
func NewEffectiveContainerSecurityContextAccessor(podSC PatchedPodSecurityContextAccessor, containerSC PatchedContainerSecurityContextMutator) PatchedContainerSecurityContextAccessor
NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values from the provided pod security context and container security context.
type PatchedContainerSecurityContextMutator ¶
// PatchedContainerSecurityContextMutator is the upstream
// securitycontext.ContainerSecurityContextMutator extended with read and write
// access to the container's seccomp profile.
//
// Values written through a mutator are inputs to the SCC validation step, not
// a substitute for it: see SecurityContextConstraintsProvider.ValidateContainerSecurityContext.
type PatchedContainerSecurityContextMutator interface {
	securitycontext.ContainerSecurityContextMutator
	SecccompProfileAccessor
	SeccompProfileMutator
}
func NewContainerSecurityContextMutator ¶
func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) PatchedContainerSecurityContextMutator
NewContainerSecurityContextMutator returns a mutator for the provided container security context. May be initialized with a nil SecurityContext.
func NewEffectiveContainerSecurityContextMutator ¶
func NewEffectiveContainerSecurityContextMutator(podSC PatchedPodSecurityContextAccessor, containerSC PatchedContainerSecurityContextMutator) PatchedContainerSecurityContextMutator
NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values for the provided pod security context and container security context.
type PatchedPodSecurityContextAccessor ¶
// PatchedPodSecurityContextAccessor is the upstream
// securitycontext.PodSecurityContextAccessor extended with read access to the
// pod-level seccomp profile.
//
// NewPodSecurityContextAccessor documents that the accessor may wrap a nil
// PodSecurityContext, so callers should not assume every getter returns a
// non-nil value.
type PatchedPodSecurityContextAccessor interface {
	securitycontext.PodSecurityContextAccessor
	SecccompProfileAccessor
}
func NewPodSecurityContextAccessor ¶
func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PatchedPodSecurityContextAccessor
NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.
type PatchedPodSecurityContextMutator ¶
// PatchedPodSecurityContextMutator is the upstream
// securitycontext.PodSecurityContextMutator extended with read and write access
// to the pod-level seccomp profile.
//
// NewPodSecurityContextMutator documents that the mutator may wrap a nil
// PodSecurityContext.
type PatchedPodSecurityContextMutator interface {
	securitycontext.PodSecurityContextMutator
	SecccompProfileAccessor
	SeccompProfileMutator
}
func NewPodSecurityContextMutator ¶
func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PatchedPodSecurityContextMutator
NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.
type SCCMatcher ¶
// SCCMatcher finds the SecurityContextConstraints that apply to a request.
//
// Which SCCs are returned is an authorization decision: the matched SCC bounds
// the privileges a pod in that namespace may request, so callers must not
// widen the result. NewDefaultSCCMatcher takes an authorizer, so the default
// implementation presumably consults it per SCC (see ConstraintAppliesTo) —
// confirm against the implementation.
type SCCMatcher interface {
	// FindApplicableSCCs returns the SCCs usable in namespace by the given
	// user(s). NOTE(review): the page does not state how multiple user.Info
	// values are combined (any-of vs all-of) — verify before relying on it.
	FindApplicableSCCs(ctx context.Context, namespace string, user ...user.Info) ([]*securityv1.SecurityContextConstraints, error)
}
func NewDefaultSCCMatcher ¶
func NewDefaultSCCMatcher(c securityv1listers.SecurityContextConstraintsLister, authorizer authorizer.Authorizer) SCCMatcher
type SecccompProfileAccessor ¶
// SecccompProfileAccessor exposes read access to a seccomp profile.
//
// The identifier is spelled with three c's; it is referenced that way
// throughout this package, so it cannot be corrected without a rename.
type SecccompProfileAccessor interface {
	// SeccompProfile returns the seccomp profile. The accessors built from a
	// nil security context (see NewContainerSecurityContextAccessor) presumably
	// return nil here — confirm.
	SeccompProfile() *api.SeccompProfile
}
type SeccompProfileMutator ¶
// SeccompProfileMutator exposes write access to a seccomp profile.
type SeccompProfileMutator interface {
	// SetSeccompProfile replaces the seccomp profile. Setting a profile here
	// does not by itself make it SCC-compliant; validation is a separate step
	// (see SecurityContextConstraintsProvider).
	SetSeccompProfile(*api.SeccompProfile)
}
type SecurityContextConstraintsProvider ¶
// SecurityContextConstraintsProvider provides the implementation to generate a
// new security context based on constraints or validate an existing security
// context against constraints.
//
// Create* and Validate* are separate steps: AssignSecurityContext creates a
// security context per container and then validates it against the SCC, so a
// generated value is not implicitly trusted.
type SecurityContextConstraintsProvider interface {
	// CreatePodSecurityContext creates a PodSecurityContext based on the given
	// constraints. NOTE(review): the map[string]string result is not described
	// on this page — presumably annotations to apply to the pod; confirm.
	CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error)
	// CreateContainerSecurityContext creates a container SecurityContext based
	// on the given constraints.
	CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, error)
	// ValidatePodSecurityContext ensures a pod's SecurityContext is in
	// compliance with the given constraints; fldPath roots the returned errors.
	ValidatePodSecurityContext(pod *api.Pod, fldPath *field.Path) field.ErrorList
	// ValidateContainerSecurityContext ensures a container's SecurityContext is
	// in compliance with the given constraints.
	ValidateContainerSecurityContext(pod *api.Pod, container *api.Container, fldPath *field.Path) field.ErrorList
	// GetSCC returns the SCC that this provider was initialized with.
	GetSCC() *securityv1.SecurityContextConstraints
	// GetSCCName returns the name of the SCC that this provider was initialized with.
	GetSCCName() string
	// GetSCCUsers returns the users associated to the SCC this provider was
	// initialized with.
	GetSCCUsers() []string
	// GetSCCGroups returns the groups associated to the SCC this provider was
	// initialized with.
	GetSCCGroups() []string
}
SecurityContextConstraintsProvider provides the implementation to generate a new security context based on constraints or validate an existing security context against constraints.
func CreateProviderFromConstraint ¶
func CreateProviderFromConstraint(namespace *corev1.Namespace, constraint *securityv1.SecurityContextConstraints) (SecurityContextConstraintsProvider, error)
CreateProviderFromConstraint creates a SecurityContextConstraintsProvider from a SecurityContextConstraints object.
func CreateProvidersFromConstraints ¶
func CreateProvidersFromConstraints(ctx context.Context, namespaceName string, sccs []*securityv1.SecurityContextConstraints, namespaceLister corev1listers.NamespaceLister) ([]SecurityContextConstraintsProvider, []error)
CreateProvidersFromConstraints creates providers from the supplied constraints, including looking up pre-allocated values, if necessary, from the pod's namespace (namespaceName, resolved via namespaceLister).
func NewSimpleProvider ¶
func NewSimpleProvider(scc *securityv1.SecurityContextConstraints) (SecurityContextConstraintsProvider, error)
NewSimpleProvider creates a new SecurityContextConstraintsProvider instance.