// Create a SecurityContext based on the given constraints. If a setting is already set on the // container's security context then it will not be changed. Validation should be used after // the context is created to ensure it complies with the required restrictions. // // NOTE: this method works on a copy of the SC of the container. It is up to the caller to apply // the SC if validation passes. func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, map[string]string, error) { var sc *api.SecurityContext = nil if container.SecurityContext != nil { // work with a copy of the original copy := *container.SecurityContext sc = © } else { sc = &api.SecurityContext{} } annotations := maps.CopySS(pod.Annotations) if sc.RunAsUser == nil { uid, err := s.strategies.RunAsUserStrategy.Generate(pod, container) if err != nil { return nil, nil, err } sc.RunAsUser = uid } if sc.SELinuxOptions == nil { seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, container) if err != nil { return nil, nil, err } sc.SELinuxOptions = seLinux } annotations, err := s.strategies.AppArmorStrategy.Generate(annotations, container) if err != nil { return nil, nil, err } if sc.Privileged == nil { priv := false sc.Privileged = &priv } // if we're using the non-root strategy set the marker that this container should not be // run as root which will signal to the kubelet to do a final check either on the runAsUser // or, if runAsUser is not set, the image UID will be checked. if s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot { nonRoot := true sc.RunAsNonRoot = &nonRoot } caps, err := s.strategies.CapabilitiesStrategy.Generate(pod, container) if err != nil { return nil, nil, err } sc.Capabilities = caps // if the PSP requires a read only root filesystem and the container has not made a specific // request then default ReadOnlyRootFilesystem to true. if s.psp.Spec.ReadOnlyRootFilesystem && sc.ReadOnlyRootFilesystem == nil { readOnlyRootFS := true sc.ReadOnlyRootFilesystem = &readOnlyRootFS } return sc, annotations, nil }