func deepCopy_api_SecurityContext(in api.SecurityContext, out *api.SecurityContext, c *conversion.Cloner) error {
if in.Capabilities != nil {
out.Capabilities = new(api.Capabilities)
if err := deepCopy_api_Capabilities(*in.Capabilities, out.Capabilities, c); err != nil {
return err
}
} else {
out.Capabilities = nil
}
if in.Privileged != nil {
out.Privileged = new(bool)
*out.Privileged = *in.Privileged
} else {
out.Privileged = nil
}
if in.SELinuxOptions != nil {
out.SELinuxOptions = new(api.SELinuxOptions)
if err := deepCopy_api_SELinuxOptions(*in.SELinuxOptions, out.SELinuxOptions, c); err != nil {
return err
}
} else {
out.SELinuxOptions = nil
}
if in.RunAsUser != nil {
out.RunAsUser = new(int64)
*out.RunAsUser = *in.RunAsUser
} else {
out.RunAsUser = nil
}
out.RunAsNonRoot = in.RunAsNonRoot
return nil
}
// Create a SecurityContext based on the given constraints. If a setting is already set on the
// container's security context then it will not be changed. Validation should be used after
// the context is created to ensure it complies with the required restrictions.
//
// NOTE: this method works on a copy of the SC of the container. It is up to the caller to apply
// the SC if validation passes.
func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, map[string]string, error) {
var sc *api.SecurityContext = nil
if container.SecurityContext != nil {
// work with a copy of the original
copy := *container.SecurityContext
sc = ©
} else {
sc = &api.SecurityContext{}
}
annotations := maps.CopySS(pod.Annotations)
if sc.RunAsUser == nil {
uid, err := s.strategies.RunAsUserStrategy.Generate(pod, container)
if err != nil {
return nil, nil, err
}
sc.RunAsUser = uid
}
if sc.SELinuxOptions == nil {
seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, container)
if err != nil {
return nil, nil, err
}
sc.SELinuxOptions = seLinux
}
annotations, err := s.strategies.AppArmorStrategy.Generate(annotations, container)
if err != nil {
return nil, nil, err
}
if sc.Privileged == nil {
priv := false
sc.Privileged = &priv
}
// if we're using the non-root strategy set the marker that this container should not be
// run as root which will signal to the kubelet to do a final check either on the runAsUser
// or, if runAsUser is not set, the image UID will be checked.
if s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot {
nonRoot := true
sc.RunAsNonRoot = &nonRoot
}
caps, err := s.strategies.CapabilitiesStrategy.Generate(pod, container)
if err != nil {
return nil, nil, err
}
sc.Capabilities = caps
// if the PSP requires a read only root filesystem and the container has not made a specific
// request then default ReadOnlyRootFilesystem to true.
if s.psp.Spec.ReadOnlyRootFilesystem && sc.ReadOnlyRootFilesystem == nil {
readOnlyRootFS := true
sc.ReadOnlyRootFilesystem = &readOnlyRootFS
}
return sc, annotations, nil
}
// Create a SecurityContext based on the given constraints. If a setting is already set on the
// container's security context then it will not be changed. Validation should be used after
// the context is created to ensure it complies with the required restrictions.
//
// NOTE: this method works on a copy of the SC of the container. It is up to the caller to apply
// the SC if validation passes.
func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, error) {
var sc *api.SecurityContext = nil
if container.SecurityContext != nil {
// work with a copy of the original
copy := *container.SecurityContext
sc = ©
} else {
sc = &api.SecurityContext{}
}
if sc.RunAsUser == nil {
uid, err := s.runAsUserStrategy.Generate(pod, container)
if err != nil {
return nil, err
}
sc.RunAsUser = uid
}
if sc.SELinuxOptions == nil {
seLinux, err := s.seLinuxStrategy.Generate(pod, container)
if err != nil {
return nil, err
}
sc.SELinuxOptions = seLinux
}
if sc.Privileged == nil {
priv := false
sc.Privileged = &priv
}
// if we're using the non-root strategy set the marker that this container should not be
// run as root which will signal to the kubelet to do a final check either on the runAsUser
// or, if runAsUser is not set, the image
if s.scc.RunAsUser.Type == api.RunAsUserStrategyMustRunAsNonRoot {
b := true
sc.RunAsNonRoot = &b
}
// No need to touch capabilities, they will validate or not.
return sc, nil
}
env.Value = "tiesheng"
envs = append(envs, env)
env.Name = "PASSWORD"
env.Value = "opensource"
envs = append(envs, env)
env.Name = "EMAIL"
env.Value = "*****@*****.**"
envs = append(envs, env)
env.Name = "GIT_REPO"
env.Value = "https://github.com/docker-library/hello-world.git"
envs = append(envs, env)
var sc api.SecurityContext
pri := true
sc.Privileged = &pri
terminateCase = ConformanceContainer{
Container: api.Container{
Image: "tiesheng/builder",
Name: "builder",
Env: envs,
SecurityContext: &sc,
Args: []string{"tiesheng/20160315-ok"},
ImagePullPolicy: api.PullNever,
},
Client: cl,
Phase: api.PodSucceeded,
NodeName: *nodeName,
}
