kubernetesk8s.io/kubernetes/pkg/securitycontext Index | Files

package securitycontext

import "k8s.io/kubernetes/pkg/securitycontext"

Package securitycontext contains security context api implementations

Index

Functions

func AddNoNewPrivileges 

func AddNoNewPrivileges(sc *v1.SecurityContext) bool

AddNoNewPrivileges returns if we should add the no_new_privs option.

func ConvertToRuntimeMaskedPaths 

func ConvertToRuntimeMaskedPaths(opt *v1.ProcMountType) []string

ConvertToRuntimeMaskedPaths converts the ProcMountType to the specified or default masked paths.

func ConvertToRuntimeReadonlyPaths 

func ConvertToRuntimeReadonlyPaths(opt *v1.ProcMountType) []string

ConvertToRuntimeReadonlyPaths converts the ProcMountType to the specified or default readonly paths.

func DetermineEffectiveSecurityContext 

func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext

DetermineEffectiveSecurityContext returns a synthesized SecurityContext for reading effective configurations from the provided pod's and container's security context. Container's fields take precedence in cases where both are set

func HasCapabilitiesRequest 

func HasCapabilitiesRequest(container *v1.Container) bool

HasCapabilitiesRequest returns true if Adds or Drops are defined in the security context capabilities, taking into account nils

func HasPrivilegedRequest 

func HasPrivilegedRequest(container *v1.Container) bool

HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account the possibility of nils

func ValidInternalSecurityContextWithContainerDefaults 

func ValidInternalSecurityContextWithContainerDefaults() *api.SecurityContext

ValidInternalSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

func ValidSecurityContextWithContainerDefaults 

func ValidSecurityContextWithContainerDefaults() *v1.SecurityContext

ValidSecurityContextWithContainerDefaults creates a valid security context provider based on empty container defaults. Used for testing.

Types

type ContainerSecurityContextAccessor 

type ContainerSecurityContextAccessor interface {
	Capabilities() *api.Capabilities
	Privileged() *bool
	ProcMount() api.ProcMountType
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsGroup() *int64
	RunAsNonRoot() *bool
	ReadOnlyRootFilesystem() *bool
	AllowPrivilegeEscalation() *bool
}

ContainerSecurityContextAccessor allows reading the values of a SecurityContext object

func NewContainerSecurityContextAccessor 

func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor

NewContainerSecurityContextAccessor returns an accessor for the provided container security context May be initialized with a nil SecurityContext

func NewEffectiveContainerSecurityContextAccessor 

func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor

NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values for the provided pod security context and container security context

type ContainerSecurityContextMutator 

type ContainerSecurityContextMutator interface {
	ContainerSecurityContextAccessor

	ContainerSecurityContext() *api.SecurityContext

	SetCapabilities(*api.Capabilities)
	SetPrivileged(*bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsGroup(*int64)
	SetRunAsNonRoot(*bool)
	SetReadOnlyRootFilesystem(*bool)
	SetAllowPrivilegeEscalation(*bool)
}

ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object

func NewContainerSecurityContextMutator 

func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator

NewContainerSecurityContextMutator returns a mutator for the provided container security context May be initialized with a nil SecurityContext

func NewEffectiveContainerSecurityContextMutator 

func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator

NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values for the provided pod security context and container security context

type PodSecurityContextAccessor 

type PodSecurityContextAccessor interface {
	HostNetwork() bool
	HostPID() bool
	HostIPC() bool
	SELinuxOptions() *api.SELinuxOptions
	RunAsUser() *int64
	RunAsGroup() *int64
	RunAsNonRoot() *bool
	SupplementalGroups() []int64
	FSGroup() *int64
}

PodSecurityContextAccessor allows reading the values of a PodSecurityContext object

func NewPodSecurityContextAccessor 

func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor

NewPodSecurityContextAccessor returns an accessor for the given pod security context. May be initialized with a nil PodSecurityContext.

type PodSecurityContextMutator 

type PodSecurityContextMutator interface {
	PodSecurityContextAccessor

	SetHostNetwork(bool)
	SetHostPID(bool)
	SetHostIPC(bool)
	SetSELinuxOptions(*api.SELinuxOptions)
	SetRunAsUser(*int64)
	SetRunAsGroup(*int64)
	SetRunAsNonRoot(*bool)
	SetSupplementalGroups([]int64)
	SetFSGroup(*int64)

	// PodSecurityContext returns the current PodSecurityContext object
	PodSecurityContext() *api.PodSecurityContext
}

PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object

func NewPodSecurityContextMutator 

func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator

NewPodSecurityContextMutator returns a mutator for the given pod security context. May be initialized with a nil PodSecurityContext.

Source Files

accessors.go doc.go fake.go util.go

Version
v1.18.9-rc.0
Published
Aug 13, 2020
Platform
linux/amd64
Imports
3 packages
Last checked
13 minutes ago

Tools for package owners.