kubernetes: k8s.io/kubernetes/pkg/security/podsecuritypolicy

package podsecuritypolicy

import "k8s.io/kubernetes/pkg/security/podsecuritypolicy"

Package podsecuritypolicy contains code for validating and defaulting the security context of a pod and its containers according to a security policy.


Package Files

doc.go factory.go provider.go types.go

type Provider

type Provider interface {
    // MutatePod sets the default values of the required but not filled fields of the pod and all
    // containers in the pod.
    MutatePod(pod *api.Pod) error
    // ValidatePod ensures a pod and all its containers are in compliance with the given constraints.
    // ValidatePod MUST NOT mutate the pod.
    ValidatePod(pod *api.Pod) field.ErrorList
    // Get the name of the PSP that this provider was initialized with.
    GetPSPName() string
}

Provider provides the implementation to generate a new security context based on constraints or validate an existing security context against constraints.

func NewSimpleProvider

func NewSimpleProvider(psp *policy.PodSecurityPolicy, namespace string, strategyFactory StrategyFactory) (Provider, error)

NewSimpleProvider creates a new Provider instance.

type ProviderStrategies

type ProviderStrategies struct {
    RunAsUserStrategy         user.RunAsUserStrategy
    RunAsGroupStrategy        group.GroupStrategy
    SELinuxStrategy           selinux.SELinuxStrategy
    AppArmorStrategy          apparmor.Strategy
    FSGroupStrategy           group.GroupStrategy
    SupplementalGroupStrategy group.GroupStrategy
    CapabilitiesStrategy      capabilities.Strategy
    SysctlsStrategy           sysctl.SysctlsStrategy
    SeccompStrategy           seccomp.Strategy
}

ProviderStrategies is a holder for all strategies that the provider requires to be populated.

type StrategyFactory

type StrategyFactory interface {
    // CreateStrategies creates the strategies that a provider will use.  The namespace argument
    // should be the namespace of the object being checked (the pod's namespace).
    CreateStrategies(psp *policy.PodSecurityPolicy, namespace string) (*ProviderStrategies, error)
}

StrategyFactory abstracts how the strategies are created from the provider, so that you may implement your own custom strategies that pull information from other resources as necessary. For example, to populate the strategies with values from namespace annotations, you may create a factory with a client that can fetch the namespace and populate the appropriate values.
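
The namespace-annotation factory described above, narrowed to the RunAsUser strategy, as an added sketch that is not code from the Kubernetes project. The one-method RunAsUserStrategy, NamespaceGetter, annotationFactory, CreateRunAsUserStrategy, the annotation key example.test/uid-range and the sample namespaces are hypothetical stand-ins or constructed values, so the file builds without the Kubernetes modules.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Stand-in for user.RunAsUserStrategy, reduced to one check (assumption, not the real interface).
type RunAsUserStrategy interface{ Validate(uid *int64) error }
type mustRunAsRange struct{ min, max int64 }

func (s mustRunAsRange) Validate(uid *int64) error {
	if uid == nil || *uid < s.min || *uid > s.max {
		return fmt.Errorf("runAsUser must be set within %d-%d", s.min, s.max)
	}
	return nil
}

// NamespaceGetter is a hypothetical stand-in for a client that reads namespace annotations.
type NamespaceGetter func(namespace string) (map[string]string, error)
type annotationFactory struct{ get NamespaceGetter }

const uidRangeAnnotation = "example.test/uid-range" // constructed annotation key

// CreateRunAsUserStrategy fails closed: a missing or malformed annotation yields
// an error instead of a permissive strategy.
func (f annotationFactory) CreateRunAsUserStrategy(namespace string) (RunAsUserStrategy, error) {
	ann, err := f.get(namespace)
	if err != nil {
		return nil, err
	}
	parts := strings.SplitN(ann[uidRangeAnnotation], "-", 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("namespace %q: missing or malformed %s", namespace, uidRangeAnnotation)
	}
	lo, errLo := strconv.ParseInt(parts[0], 10, 64)
	hi, errHi := strconv.ParseInt(parts[1], 10, 64)
	if errLo != nil || errHi != nil || lo > hi {
		return nil, fmt.Errorf("namespace %q: invalid range in %s", namespace, uidRangeAnnotation)
	}
	return mustRunAsRange{lo, hi}, nil
}

// sampleNamespaces is constructed data standing in for the API server.
var sampleNamespaces NamespaceGetter = func(ns string) (map[string]string, error) {
	return map[string]map[string]string{"team-a": {uidRangeAnnotation: "1000650000-1000659999"}}[ns], nil
}

func main() { fmt.Println(annotationFactory{sampleNamespaces}.CreateRunAsUserStrategy("team-b")) }
```

A real factory would implement CreateStrategies and fill every field of ProviderStrategies; returning an error when the annotation is unusable keeps NewSimpleProvider from producing a provider with weaker constraints than intended.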

func NewSimpleStrategyFactory

func NewSimpleStrategyFactory() StrategyFactory


Directories

capabilities    Package capabilities contains code for validating and defaulting a pod's kernel capabilities according to a security policy.
group           Package group contains code for validating and defaulting the FSGroup and supplemental groups of a pod according to a security policy.
selinux         Package selinux contains code for validating and defaulting the SELinux context of a pod according to a security policy.
user            Package user contains code for validating and defaulting the UID of a pod or container according to a security policy.
util            Package util contains utility code shared amongst different parts of the pod security policy apparatus.

Package podsecuritypolicy imports 20 packages and is imported by 23 packages. Updated 2019-07-02.