// Create a SecurityContext based on the given constraints. If a setting is already set on the // container's security context then it will not be changed. Validation should be used after // the context is created to ensure it complies with the required restrictions. // // NOTE: this method works on a copy of the SC of the container. It is up to the caller to apply // the SC if validation passes. func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, map[string]string, error) { var sc *api.SecurityContext = nil if container.SecurityContext != nil { // work with a copy of the original copy := *container.SecurityContext sc = © } else { sc = &api.SecurityContext{} } annotations := maps.CopySS(pod.Annotations) if sc.RunAsUser == nil { uid, err := s.strategies.RunAsUserStrategy.Generate(pod, container) if err != nil { return nil, nil, err } sc.RunAsUser = uid } if sc.SELinuxOptions == nil { seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, container) if err != nil { return nil, nil, err } sc.SELinuxOptions = seLinux } annotations, err := s.strategies.AppArmorStrategy.Generate(annotations, container) if err != nil { return nil, nil, err } if sc.Privileged == nil { priv := false sc.Privileged = &priv } // if we're using the non-root strategy set the marker that this container should not be // run as root which will signal to the kubelet to do a final check either on the runAsUser // or, if runAsUser is not set, the image UID will be checked. if s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot { nonRoot := true sc.RunAsNonRoot = &nonRoot } caps, err := s.strategies.CapabilitiesStrategy.Generate(pod, container) if err != nil { return nil, nil, err } sc.Capabilities = caps // if the PSP requires a read only root filesystem and the container has not made a specific // request then default ReadOnlyRootFilesystem to true. if s.psp.Spec.ReadOnlyRootFilesystem && sc.ReadOnlyRootFilesystem == nil { readOnlyRootFS := true sc.ReadOnlyRootFilesystem = &readOnlyRootFS } return sc, annotations, nil }
func deepCopy_api_SecurityContext(in api.SecurityContext, out *api.SecurityContext, c *conversion.Cloner) error { if in.Capabilities != nil { out.Capabilities = new(api.Capabilities) if err := deepCopy_api_Capabilities(*in.Capabilities, out.Capabilities, c); err != nil { return err } } else { out.Capabilities = nil } if in.Privileged != nil { out.Privileged = new(bool) *out.Privileged = *in.Privileged } else { out.Privileged = nil } if in.SELinuxOptions != nil { out.SELinuxOptions = new(api.SELinuxOptions) if err := deepCopy_api_SELinuxOptions(*in.SELinuxOptions, out.SELinuxOptions, c); err != nil { return err } } else { out.SELinuxOptions = nil } if in.RunAsUser != nil { out.RunAsUser = new(int64) *out.RunAsUser = *in.RunAsUser } else { out.RunAsUser = nil } out.RunAsNonRoot = in.RunAsNonRoot return nil }
// Create a SecurityContext based on the given constraints. If a setting is already set on the // container's security context then it will not be changed. Validation should be used after // the context is created to ensure it complies with the required restrictions. // // NOTE: this method works on a copy of the SC of the container. It is up to the caller to apply // the SC if validation passes. func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, error) { var sc *api.SecurityContext = nil if container.SecurityContext != nil { // work with a copy of the original copy := *container.SecurityContext sc = © } else { sc = &api.SecurityContext{} } if sc.RunAsUser == nil { uid, err := s.runAsUserStrategy.Generate(pod, container) if err != nil { return nil, err } sc.RunAsUser = uid } if sc.SELinuxOptions == nil { seLinux, err := s.seLinuxStrategy.Generate(pod, container) if err != nil { return nil, err } sc.SELinuxOptions = seLinux } if sc.Privileged == nil { priv := false sc.Privileged = &priv } // if we're using the non-root strategy set the marker that this container should not be // run as root which will signal to the kubelet to do a final check either on the runAsUser // or, if runAsUser is not set, the image if s.scc.RunAsUser.Type == api.RunAsUserStrategyMustRunAsNonRoot { b := true sc.RunAsNonRoot = &b } caps, err := s.capabilitiesStrategy.Generate(pod, container) if err != nil { return nil, err } sc.Capabilities = caps return sc, nil }