package util

import "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"

Package util contains utility code shared amongst different parts of the pod security policy apparatus.

Index ¶

• Constants
• func AllowsHostVolumePath(psp *policy.PodSecurityPolicy, hostPath string) (pathIsAllowed, mustBeReadOnly bool)
• func EqualStringSlices(a, b []string) bool
• func FSTypeToStringSet(fsTypes []policy.FSType) sets.String
• func GetAllFSTypesAsSet() sets.String
• func GetAllFSTypesExcept(exceptions ...string) sets.String
• func GetVolumeFSType(v api.Volume) (policy.FSType, error)
• func GroupFallsInRange(id int64, rng policy.IDRange) bool
• func IsOnlyServiceAccountTokenSources(v *api.ProjectedVolumeSource) bool
• func PSPAllowsAllVolumes(psp *policy.PodSecurityPolicy) bool
• func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool
• func UserFallsInRange(id int64, rng policy.IDRange) bool

Package Files ¶

doc.go util.go

Constants ¶

const (
    ValidatedPSPAnnotation = "kubernetes.io/psp"
)

func AllowsHostVolumePath ¶ Uses

func AllowsHostVolumePath(psp *policy.PodSecurityPolicy, hostPath string) (pathIsAllowed, mustBeReadOnly bool)

AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path. This only checks the path. You should still check to make sure the host volume fs type is allowed.

func EqualStringSlices ¶ Uses

func EqualStringSlices(a, b []string) bool

EqualStringSlices compares string slices for equality. Slices are equal when their sizes and elements on similar positions are equal.

func FSTypeToStringSet ¶ Uses

func FSTypeToStringSet(fsTypes []policy.FSType) sets.String

FSTypeToStringSet converts an FSType slice to a string set.

func GetAllFSTypesAsSet ¶ Uses

func GetAllFSTypesAsSet() sets.String

func GetAllFSTypesExcept ¶ Uses

func GetAllFSTypesExcept(exceptions ...string) sets.String

func GetVolumeFSType ¶ Uses

func GetVolumeFSType(v api.Volume) (policy.FSType, error)

getVolumeFSType gets the FSType for a volume.

func GroupFallsInRange ¶ Uses

func GroupFallsInRange(id int64, rng policy.IDRange) bool

GroupFallsInRange is a utility to determine it the id falls in the valid range.

func IsOnlyServiceAccountTokenSources ¶ Uses

func IsOnlyServiceAccountTokenSources(v *api.ProjectedVolumeSource) bool

func PSPAllowsAllVolumes ¶ Uses

func PSPAllowsAllVolumes(psp *policy.PodSecurityPolicy) bool

PSPAllowsAllVolumes checks for FSTypeAll in the psp's allowed volumes.

func PSPAllowsFSType ¶ Uses

func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool

PSPAllowsFSType is a utility for checking if a PSP allows a particular FSType. If all volumes are allowed then this will return true for any FSType passed.

func UserFallsInRange ¶ Uses

func UserFallsInRange(id int64, rng policy.IDRange) bool

UserFallsInRange is a utility to determine it the id falls in the valid range.