// assignSecurityContext generates a security context for every container in
// the pod using the given SCC provider and validates each generated context
// against that provider's constraints. Every container must validate against
// the same SCC; otherwise the pod is not considered valid under it.
//
// The pod is modified only when all containers pass: generation and
// validation run against a per-iteration copy of each container, and the
// generated contexts are written back to pod.Spec.Containers in a second pass.
// When any container fails, the accumulated errors are returned and the
// containers' SecurityContext fields are left as the caller supplied them.
//
// It returns nil on success, or the list of validation errors with each entry
// scoped to the field path spec.containers[i].securityContext.
func assignSecurityContext(provider scc.SecurityContextConstraintsProvider, pod *kapi.Pod) fielderrors.ValidationErrorList {
	var problems fielderrors.ValidationErrorList
	pending := make([]*kapi.SecurityContext, len(pod.Spec.Containers))

	for idx, container := range pod.Spec.Containers {
		fieldPath := fmt.Sprintf("spec.containers[%d].securityContext", idx)

		generated, err := provider.CreateSecurityContext(pod, &container)
		if err != nil {
			// Record the failure and keep going so the caller sees every
			// container that this SCC cannot accommodate, not just the first.
			problems = append(problems, fielderrors.NewFieldInvalid(fieldPath, "", err.Error()))
			continue
		}
		pending[idx] = generated

		// container is the range copy (shallow), so assigning the generated
		// context here lets it be validated without touching the real pod
		// spec yet.
		container.SecurityContext = generated
		validation := provider.ValidateSecurityContext(pod, &container)
		problems = append(problems, validation.Prefix(fieldPath)...)
	}

	if len(problems) != 0 {
		return problems
	}

	// Every container produced a context that passed validation, so commit
	// the generated contexts to the pod.
	for idx := range pending {
		pod.Spec.Containers[idx].SecurityContext = pending[idx]
	}
	return nil
}