func Convert_v1_PodSecurityContext_To_api_PodSecurityContext(in *PodSecurityContext, out *api.PodSecurityContext, s conversion.Scope) error { out.SupplementalGroups = in.SupplementalGroups if in.SELinuxOptions != nil { out.SELinuxOptions = new(api.SELinuxOptions) if err := Convert_v1_SELinuxOptions_To_api_SELinuxOptions(in.SELinuxOptions, out.SELinuxOptions, s); err != nil { return err } } else { out.SELinuxOptions = nil } if in.RunAsUser != nil { out.RunAsUser = new(int64) *out.RunAsUser = *in.RunAsUser } else { out.RunAsUser = nil } if in.RunAsNonRoot != nil { out.RunAsNonRoot = new(bool) *out.RunAsNonRoot = *in.RunAsNonRoot } else { out.RunAsNonRoot = nil } if in.FSGroup != nil { out.FSGroup = new(int64) *out.FSGroup = *in.FSGroup } else { out.FSGroup = nil } return nil }
func Convert_v1_PodSecurityContext_To_api_PodSecurityContext(in *v1.PodSecurityContext, out *api.PodSecurityContext, s conversion.Scope) error { if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found { defaulting.(func(*v1.PodSecurityContext))(in) } out.SupplementalGroups = in.SupplementalGroups if in.SELinuxOptions != nil { out.SELinuxOptions = new(api.SELinuxOptions) if err := Convert_v1_SELinuxOptions_To_api_SELinuxOptions(in.SELinuxOptions, out.SELinuxOptions, s); err != nil { return err } } else { out.SELinuxOptions = nil } if in.RunAsUser != nil { out.RunAsUser = new(int64) *out.RunAsUser = *in.RunAsUser } else { out.RunAsUser = nil } if in.RunAsNonRoot != nil { out.RunAsNonRoot = new(bool) *out.RunAsNonRoot = *in.RunAsNonRoot } else { out.RunAsNonRoot = nil } if in.FSGroup != nil { out.FSGroup = new(int64) *out.FSGroup = *in.FSGroup } else { out.FSGroup = nil } return nil }
func deepCopy_api_PodSecurityContext(in api.PodSecurityContext, out *api.PodSecurityContext, c *conversion.Cloner) error { out.HostNetwork = in.HostNetwork out.HostPID = in.HostPID out.HostIPC = in.HostIPC if in.SupplementalGroups != nil { out.SupplementalGroups = make([]int64, len(in.SupplementalGroups)) for i := range in.SupplementalGroups { out.SupplementalGroups[i] = in.SupplementalGroups[i] } } else { out.SupplementalGroups = nil } return nil }
// Create a PodSecurityContext based on the given constraints. If a setting is already set // on the PodSecurityContext it will not be changed. Validate should be used after the context // is created to ensure it complies with the required restrictions. // // NOTE: this method works on a copy of the PodSecurityContext. It is up to the caller to // apply the PSC if validation passes. func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error) { var sc *api.PodSecurityContext = nil if pod.Spec.SecurityContext != nil { // work with a copy copy := *pod.Spec.SecurityContext sc = © } else { sc = &api.PodSecurityContext{} } annotations := maps.CopySS(pod.Annotations) if len(sc.SupplementalGroups) == 0 { supGroups, err := s.strategies.SupplementalGroupStrategy.Generate(pod) if err != nil { return nil, nil, err } sc.SupplementalGroups = supGroups } if sc.FSGroup == nil { fsGroup, err := s.strategies.FSGroupStrategy.GenerateSingle(pod) if err != nil { return nil, nil, err } sc.FSGroup = fsGroup } if sc.SELinuxOptions == nil { seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, nil) if err != nil { return nil, nil, err } sc.SELinuxOptions = seLinux } // This is only generated on the pod level. Containers inherit the pod's profile. If the // container has a specific profile set then it will be caught in the validation step. seccompProfile, err := s.strategies.SeccompStrategy.Generate(annotations, pod) if err != nil { return nil, nil, err } if seccompProfile != "" { if annotations == nil { annotations = map[string]string{} } annotations[api.SeccompPodAnnotationKey] = seccompProfile } return sc, annotations, nil }
func convert_v1_PodSecurityContext_To_api_PodSecurityContext(in *v1.PodSecurityContext, out *api.PodSecurityContext, s conversion.Scope) error { if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found { defaulting.(func(*v1.PodSecurityContext))(in) } out.SupplementalGroups = in.SupplementalGroups return nil }
// Create a PodSecurityContext based on the given constraints. If a setting is already set // on the PodSecurityContext it will not be changed. Validate should be used after the context // is created to ensure it complies with the required restrictions. // // NOTE: this method works on a copy of the PodSecurityContext. It is up to the caller to // apply the PSC if validation passes. func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error) { var sc *api.PodSecurityContext = nil if pod.Spec.SecurityContext != nil { // work with a copy copy := *pod.Spec.SecurityContext sc = © } else { sc = &api.PodSecurityContext{} } annotations := maps.CopySS(pod.Annotations) if len(sc.SupplementalGroups) == 0 { supGroups, err := s.strategies.SupplementalGroupStrategy.Generate(pod) if err != nil { return nil, nil, err } sc.SupplementalGroups = supGroups } if sc.FSGroup == nil { fsGroup, err := s.strategies.FSGroupStrategy.GenerateSingle(pod) if err != nil { return nil, nil, err } sc.FSGroup = fsGroup } if sc.SELinuxOptions == nil { seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, nil) if err != nil { return nil, nil, err } sc.SELinuxOptions = seLinux } return sc, annotations, nil }
func deepCopy_api_PodSecurityContext(in api.PodSecurityContext, out *api.PodSecurityContext, c *conversion.Cloner) error { out.HostNetwork = in.HostNetwork out.HostPID = in.HostPID out.HostIPC = in.HostIPC if in.SELinuxOptions != nil { out.SELinuxOptions = new(api.SELinuxOptions) if err := deepCopy_api_SELinuxOptions(*in.SELinuxOptions, out.SELinuxOptions, c); err != nil { return err } } else { out.SELinuxOptions = nil } if in.RunAsUser != nil { out.RunAsUser = new(int64) *out.RunAsUser = *in.RunAsUser } else { out.RunAsUser = nil } if in.RunAsNonRoot != nil { out.RunAsNonRoot = new(bool) *out.RunAsNonRoot = *in.RunAsNonRoot } else { out.RunAsNonRoot = nil } if in.SupplementalGroups != nil { out.SupplementalGroups = make([]int64, len(in.SupplementalGroups)) for i := range in.SupplementalGroups { out.SupplementalGroups[i] = in.SupplementalGroups[i] } } else { out.SupplementalGroups = nil } if in.FSGroup != nil { out.FSGroup = new(int64) *out.FSGroup = *in.FSGroup } else { out.FSGroup = nil } return nil }
func deepCopy_api_PodSecurityContext(in api.PodSecurityContext, out *api.PodSecurityContext, c *conversion.Cloner) error { out.HostNetwork = in.HostNetwork out.HostPID = in.HostPID out.HostIPC = in.HostIPC return nil }
// Create a PodSecurityContext based on the given constraints. If a setting is already set // on the PodSecurityContext it will not be changed. Validate should be used after the context // is created to ensure it complies with the required restrictions. // // NOTE: this method works on a copy of the PodSecurityContext. It is up to the caller to // apply the PSC if validation passes. func (s *simpleProvider) CreatePodSecurityContext(pod *api.Pod) (*api.PodSecurityContext, map[string]string, error) { var sc *api.PodSecurityContext = nil if pod.Spec.SecurityContext != nil { // work with a copy copy := *pod.Spec.SecurityContext sc = © } else { sc = &api.PodSecurityContext{} } var annotationsCopy map[string]string = nil if pod.Annotations != nil { annotationsCopy = make(map[string]string, len(pod.Annotations)) for k, v := range pod.Annotations { annotationsCopy[k] = v } } if len(sc.SupplementalGroups) == 0 { supGroups, err := s.supplementalGroupStrategy.Generate(pod) if err != nil { return nil, nil, err } sc.SupplementalGroups = supGroups } if sc.FSGroup == nil { fsGroup, err := s.fsGroupStrategy.GenerateSingle(pod) if err != nil { return nil, nil, err } sc.FSGroup = fsGroup } if sc.SELinuxOptions == nil { seLinux, err := s.seLinuxStrategy.Generate(pod, nil) if err != nil { return nil, nil, err } sc.SELinuxOptions = seLinux } // we only generate a seccomp annotation for the entire pod. Validation // will catch any container annotations that are invalid and containers // will inherit the pod annotation. _, hasPodProfile := pod.Annotations[api.SeccompPodAnnotationKey] if !hasPodProfile { profile, err := s.seccompStrategy.Generate(pod) if err != nil { return nil, nil, err } if profile != "" { if annotationsCopy == nil { annotationsCopy = map[string]string{} } annotationsCopy[api.SeccompPodAnnotationKey] = profile } } return sc, annotationsCopy, nil }