// Create a SecurityContext based on the given constraints. If a setting is already set on the
// container's security context then it will not be changed. Validation should be used after
// the context is created to ensure it complies with the required restrictions.
//
// NOTE: this method works on a copy of the SC of the container. It is up to the caller to apply
// the SC if validation passes.
func (s *simpleProvider) CreateSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, error) {
var sc *api.SecurityContext = nil
if container.SecurityContext != nil {
// work with a copy of the original
copy := *container.SecurityContext
sc = ©
} else {
sc = &api.SecurityContext{}
}
if sc.RunAsUser == nil {
uid, err := s.runAsUserStrategy.Generate(pod, container)
if err != nil {
return nil, err
}
sc.RunAsUser = uid
}
if sc.SELinuxOptions == nil {
seLinux, err := s.seLinuxStrategy.Generate(pod, container)
if err != nil {
return nil, err
}
sc.SELinuxOptions = seLinux
}
if sc.Privileged == nil {
priv := false
sc.Privileged = &priv
}
// No need to touch capabilities, they will validate or not.
return sc, nil
}
// Create a SecurityContext based on the given constraints. If a setting is already set on the
// container's security context then it will not be changed. Validation should be used after
// the context is created to ensure it complies with the required restrictions.
//
// NOTE: this method works on a copy of the SC of the container. It is up to the caller to apply
// the SC if validation passes.
func (s *simpleProvider) CreateSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, error) {
var sc *api.SecurityContext = nil
if container.SecurityContext != nil {
// work with a copy of the original
copy := *container.SecurityContext
sc = ©
} else {
sc = &api.SecurityContext{}
}
if sc.RunAsUser == nil {
uid, err := s.runAsUserStrategy.Generate(pod, container)
if err != nil {
return nil, err
}
sc.RunAsUser = uid
}
if sc.SELinuxOptions == nil {
seLinux, err := s.seLinuxStrategy.Generate(pod, container)
if err != nil {
return nil, err
}
sc.SELinuxOptions = seLinux
}
if sc.Privileged == nil {
priv := false
sc.Privileged = &priv
}
// if we're using the non-root strategy set the marker that this container should not be
// run as root which will signal to the kubelet to do a final check either on the runAsUser
// or, if runAsUser is not set, the image
if s.scc.RunAsUser.Type == api.RunAsUserStrategyMustRunAsNonRoot {
sc.RunAsNonRoot = true
}
// No need to touch capabilities, they will validate or not.
return sc, nil
}
