// init registers the SCC admission plugin under the name used in the
// admission-control configuration. The plugin takes no configuration of
// its own, so the config reader handed to the factory is ignored.
func init() {
	factory := func(client clientset.Interface, _ io.Reader) (kadmission.Interface, error) {
		return NewConstraint(client), nil
	}
	kadmission.RegisterPlugin("SecurityContextConstraint", factory)
}

// constraint is the SecurityContextConstraint admission plugin: it decides
// whether a pod is admitted by matching its requested security context
// against the SCCs available to the requesting user and service account.
type constraint struct {
	// Handler filters the operations this plugin runs on (see NewConstraint).
	*kadmission.Handler
	// client is the Kubernetes clientset the plugin was constructed with.
	client clientset.Interface
	// sccLister is left nil by NewConstraint; the WantsInformers check below
	// suggests it is wired up later through an informer setter that lives
	// outside this chunk — confirm there before relying on it.
	sccLister *oscache.IndexerToSecurityContextConstraintsLister
}

// Compile-time checks: constraint must satisfy the admission interface and
// the informer-injection interface.
var _ kadmission.Interface = &constraint{}
var _ = oadmission.WantsInformers(&constraint{})

// NewConstraint creates a new SCC constraint admission plugin.
//
// The returned plugin handles only Create and Update operations; Connect
// (e.g. pod/exec) is not covered here and is the job of the
// SCCExecRestrictions plugin. The sccLister field is not set by this
// constructor.
func NewConstraint(kclient clientset.Interface) *constraint {
	c := &constraint{client: kclient}
	c.Handler = kadmission.NewHandler(kadmission.Create, kadmission.Update)
	return c
}

// Admit determines if the pod should be admitted based on the requested security context
// and the available SCCs.
//
// 1. Find SCCs for the user.
// 2. Find SCCs for the SA. If there is an error retrieving SA SCCs it is not fatal.
// 3. Remove duplicates between the user/SA SCCs.
oadmission "github.com/openshift/origin/pkg/cmd/server/admission"
	"github.com/openshift/origin/pkg/controller/shared"
	kadmission "k8s.io/kubernetes/pkg/admission"
	kapi "k8s.io/kubernetes/pkg/api"
	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
)

// init registers the exec-restriction plugin under the name used in the
// admission-control configuration. The plugin takes no configuration of
// its own, so the config reader is unused.
func init() {
	kadmission.RegisterPlugin("SCCExecRestrictions", func(client clientset.Interface, config io.Reader) (kadmission.Interface, error) {
		execAdmitter := NewSCCExecRestrictions(client)
		return execAdmitter, nil
	})
}

// Compile-time checks: sccExecRestrictions must satisfy the admission
// interface and the informer-injection interface.
var _ kadmission.Interface = &sccExecRestrictions{}
var _ = oadmission.WantsInformers(&sccExecRestrictions{})

// sccExecRestrictions is an implementation of admission.Interface which says no to a pod/exec on
// a pod that the user would not be allowed to create
type sccExecRestrictions struct {
	// Handler filters the operations this plugin runs on; it is presumably
	// configured by NewSCCExecRestrictions, which is outside this chunk.
	*kadmission.Handler
	// constraintAdmission is the SCC constraint plugin; presumably reused to
	// evaluate the target pod under the exec'ing user's SCCs — confirm in the
	// remainder of Admit.
	constraintAdmission *constraint
	// client is the Kubernetes clientset the plugin was constructed with.
	client clientset.Interface
}

// Admit is the admission entry point for exec-style requests. Only the
// first two guards are visible in this chunk; the body continues beyond it.
// Returning nil admits the request, so anything that is not a Connect on
// the core "pods" resource passes through this plugin unchecked.
func (d *sccExecRestrictions) Admit(a kadmission.Attributes) (err error) {
	// Only Connect operations (the subresource path used by exec and
	// friends) are in scope; all other verbs are admitted as-is.
	if a.GetOperation() != kadmission.Connect {
		return nil
	}
	// Only the core group's "pods" resource is checked; Connect on any other
	// resource is admitted as-is.
	if a.GetResource().GroupResource() != kapi.Resource("pods") {
		return nil