Пример #1
// init registers the SCC admission plugin under the name
// "SecurityContextConstraint" — presumably the name an operator lists in the
// API server's admission chain (verify against the server configuration).
// The factory ignores its config reader: the plugin is built from the client
// alone and takes no file-based configuration.
func init() {
	newPlugin := func(kclient clientset.Interface, _ io.Reader) (kadmission.Interface, error) {
		return NewConstraint(kclient), nil
	}
	kadmission.RegisterPlugin("SecurityContextConstraint", newPlugin)
}

// constraint is the SCC (SecurityContextConstraints) admission plugin.
// It embeds a kadmission.Handler (built in NewConstraint for the Create and
// Update operations), holds the API client it was constructed with, and an
// SCC lister that is presumably used to enumerate the available constraints.
type constraint struct {
	*kadmission.Handler
	client    clientset.Interface
	// sccLister is NOT set by NewConstraint; presumably it is injected later
	// through the WantsInformers hook asserted on this type. NOTE(review):
	// any code path that reads it must cope with it still being nil — confirm.
	sccLister *oscache.IndexerToSecurityContextConstraintsLister
}

// Compile-time checks: constraint must satisfy the admission plugin
// interface and the informer-injection hook; a missing method fails the build
// rather than surfacing at admission time.
var (
	_ kadmission.Interface = &constraint{}
	_                      = oadmission.WantsInformers(&constraint{})
)

// NewConstraint creates a new SCC constraint admission plugin.
//
// The returned admitter is wired for the Create and Update operations via its
// embedded Handler. Its sccLister field is left nil here; presumably it is
// populated later through the informer-injection hook, so the plugin should
// not be used for admission decisions before that happens (TODO confirm).
func NewConstraint(kclient clientset.Interface) *constraint {
	c := &constraint{client: kclient}
	// Restrict the handler to the operations this plugin admits.
	c.Handler = kadmission.NewHandler(kadmission.Create, kadmission.Update)
	return c
}

// Admit determines if the pod should be admitted based on the requested security context
// and the available SCCs.
//
// 1.  Find SCCs for the user.
// 2.  Find SCCs for the SA.  If there is an error retrieving SA SCCs it is not fatal.
// 3.  Remove duplicates between the user/SA SCCs.
Пример #2
	oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
	"github.com/openshift/origin/pkg/controller/shared"
	kadmission "k8s.io/kubernetes/pkg/admission"
	kapi "k8s.io/kubernetes/pkg/api"
	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
)

// init registers the exec-restriction admission plugin under the name
// "SCCExecRestrictions". The config reader is ignored: the plugin is
// constructed from the client only.
func init() {
	kadmission.RegisterPlugin("SCCExecRestrictions",
		func(kclient clientset.Interface, _ io.Reader) (kadmission.Interface, error) {
			return NewSCCExecRestrictions(kclient), nil
		})
}

// Compile-time checks: sccExecRestrictions must satisfy the admission plugin
// interface and the informer-injection hook.
var (
	_ kadmission.Interface = &sccExecRestrictions{}
	_                      = oadmission.WantsInformers(&sccExecRestrictions{})
)

// sccExecRestrictions is an implementation of admission.Interface which says
// no to a pod/exec on a pod that the user would not be allowed to create.
// This closes an escalation path: a user who could not create a pod with a
// given security context should not be able to attach to or exec into one.
type sccExecRestrictions struct {
	*kadmission.Handler
	// constraintAdmission is the SCC admitter whose pod-admission logic is
	// presumably reused to decide whether the exec'ing user could have created
	// the target pod — confirm against NewSCCExecRestrictions (not shown here).
	constraintAdmission *constraint
	client              clientset.Interface
}

func (d *sccExecRestrictions) Admit(a kadmission.Attributes) (err error) {
	if a.GetOperation() != kadmission.Connect {
		return nil
	}
	if a.GetResource().GroupResource() != kapi.Resource("pods") {
		return nil