package apparmor

kubernetes – k8s.io/kubernetes/pkg/security/apparmor Index | Files

import "k8s.io/kubernetes/pkg/security/apparmor"

Index ¶

Constants
func GetProfileName(pod *v1.Pod, containerName string) string
func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string
func IsAppArmorEnabled() bool
func SetProfileName(pod *v1.Pod, containerName, profileName string) error
func SetProfileNameFromPodAnnotations(annotations map[string]string, containerName, profileName string) error
func ValidateProfileFormat(profile string) error
type Validator

func NewValidator(runtime string) Validator

Constants ¶

const (
	// The prefix to an annotation key specifying a container profile.
	ContainerAnnotationKeyPrefix = "container.apparmor.security.beta.kubernetes.io/"
	// The annotation key specifying the default AppArmor profile.
	DefaultProfileAnnotationKey = "apparmor.security.beta.kubernetes.io/defaultProfileName"
	// The annotation key specifying the allowed AppArmor profiles.
	AllowedProfilesAnnotationKey = "apparmor.security.beta.kubernetes.io/allowedProfileNames"

	// The profile specifying the runtime default.
	ProfileRuntimeDefault = "runtime/default"
	// The prefix for specifying profiles loaded on the node.
	ProfileNamePrefix = "localhost/"

	// Unconfined profile
	ProfileNameUnconfined = "unconfined"
)

TODO: Move these values into the API package.

Functions ¶

func GetProfileName ¶

func GetProfileName(pod *v1.Pod, containerName string) string

Returns the name of the profile to use with the container.

func GetProfileNameFromPodAnnotations ¶

func GetProfileNameFromPodAnnotations(annotations map[string]string, containerName string) string

GetProfileNameFromPodAnnotations gets the name of the profile to use with container from pod annotations

func IsAppArmorEnabled ¶

func IsAppArmorEnabled() bool

IsAppArmorEnabled returns true if apparmor is enabled for the host. This function is forked from https://github.com/opencontainers/runc/blob/1a81e9ab1f138c091fe5c86d0883f87716088527/libcontainer/apparmor/apparmor.go to avoid the libapparmor dependency.

func SetProfileName ¶

func SetProfileName(pod *v1.Pod, containerName, profileName string) error

Sets the name of the profile to use with the container.

func SetProfileNameFromPodAnnotations ¶

func SetProfileNameFromPodAnnotations(annotations map[string]string, containerName, profileName string) error

Sets the name of the profile to use with the container.

func ValidateProfileFormat ¶

func ValidateProfileFormat(profile string) error

Types ¶

type Validator ¶

type Validator interface {
	Validate(pod *v1.Pod) error
	ValidateHost() error
}

Interface for validating that a pod with an AppArmor profile can be run by a Node.

func NewValidator ¶

func NewValidator(runtime string) Validator

Source Files ¶

helpers.go validate.go validate_disabled.go

Version: v1.14.1
Published: Apr 5, 2019
Platform: js/wasm
Imports: 12 packages
Last checked: 30 seconds ago –

Tools for package owners.

?	: This menu
/	: Search site
f	: Jump to identifier
g then g	: Go to top of page
g then b	: Go to end of page
G	: Go to end of page
g then i	: Go to index
g then e	: Go to examples