// assignSecurityContext creates a security context for each container in the pod
// and validates that the sc falls within the scc constraints. All containers must validate against
// the same scc or is not considered valid.
func assignSecurityContext(provider scc.SecurityContextConstraintsProvider, pod *kapi.Pod) fielderrors.ValidationErrorList {
generatedSCs := make([]*kapi.SecurityContext, len(pod.Spec.Containers))
errs := fielderrors.ValidationErrorList{}
for i, c := range pod.Spec.Containers {
sc, err := provider.CreateSecurityContext(pod, &c)
if err != nil {
errs = append(errs, fielderrors.NewFieldInvalid(fmt.Sprintf("spec.containers[%d].securityContext", i), "", err.Error()))
continue
}
generatedSCs[i] = sc
c.SecurityContext = sc
errs = append(errs, provider.ValidateSecurityContext(pod, &c).Prefix(fmt.Sprintf("spec.containers[%d].securityContext", i))...)
}
if len(errs) > 0 {
return errs
}
// if we've reached this code then we've generated and validated an SC for every container in the
// pod so let's apply what we generated
for i, sc := range generatedSCs {
pod.Spec.Containers[i].SecurityContext = sc
}
return nil
}
