package util

import "k8s.io/kubernetes/pkg/security/podsecuritypolicy/util"

Package util contains utility code shared amongst different parts of the pod security policy apparatus.

Index ¶

• Constants
• func AllowsHostVolumePath(psp *policy.PodSecurityPolicy, hostPath string) (pathIsAllowed, mustBeReadOnly bool)
• func EqualStringSlices(a, b []string) bool
• func FSTypeToStringSet(fsTypes []policy.FSType) sets.String
• func GetAllFSTypesAsSet() sets.String
• func GetAllFSTypesExcept(exceptions ...string) sets.String
• func GetVolumeFSType(v api.Volume) (policy.FSType, error)
• func GroupFallsInRange(id int64, rng policy.IDRange) bool
• func IsOnlyServiceAccountTokenSources(v *api.ProjectedVolumeSource) bool
• func PSPAllowsAllVolumes(psp *policy.PodSecurityPolicy) bool
• func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool
• func UserFallsInRange(id int64, rng policy.IDRange) bool

Constants ¶

const (
	ValidatedPSPAnnotation = "kubernetes.io/psp"
)

Functions ¶

func AllowsHostVolumePath ¶

func AllowsHostVolumePath(psp *policy.PodSecurityPolicy, hostPath string) (pathIsAllowed, mustBeReadOnly bool)

AllowsHostVolumePath is a utility for checking if a PSP allows the host volume path. This only checks the path. You should still check to make sure the host volume fs type is allowed.

func EqualStringSlices ¶

func EqualStringSlices(a, b []string) bool

EqualStringSlices compares string slices for equality. Slices are equal when their sizes and elements on similar positions are equal.

func FSTypeToStringSet ¶

func FSTypeToStringSet(fsTypes []policy.FSType) sets.String

FSTypeToStringSet converts an FSType slice to a string set.

func GetAllFSTypesAsSet ¶

func GetAllFSTypesAsSet() sets.String

GetAllFSTypesAsSet returns all actual volume types, regardless of feature gates. The special policy.All pseudo type is not included.

func GetAllFSTypesExcept ¶

func GetAllFSTypesExcept(exceptions ...string) sets.String

GetAllFSTypesExcept returns the result of GetAllFSTypesAsSet minus the given exceptions.

func GetVolumeFSType ¶

func GetVolumeFSType(v api.Volume) (policy.FSType, error)

getVolumeFSType gets the FSType for a volume.

func GroupFallsInRange ¶

func GroupFallsInRange(id int64, rng policy.IDRange) bool

GroupFallsInRange is a utility to determine it the id falls in the valid range.

func IsOnlyServiceAccountTokenSources ¶

func IsOnlyServiceAccountTokenSources(v *api.ProjectedVolumeSource) bool

func PSPAllowsAllVolumes ¶

func PSPAllowsAllVolumes(psp *policy.PodSecurityPolicy) bool

PSPAllowsAllVolumes checks for FSTypeAll in the psp's allowed volumes.

func PSPAllowsFSType ¶

func PSPAllowsFSType(psp *policy.PodSecurityPolicy, fsType policy.FSType) bool

PSPAllowsFSType is a utility for checking if a PSP allows a particular FSType. If all volumes are allowed then this will return true for any FSType passed.

func UserFallsInRange ¶

func UserFallsInRange(id int64, rng policy.IDRange) bool

UserFallsInRange is a utility to determine it the id falls in the valid range.

Source Files ¶

doc.go util.go