示例#1
0
// capabilityFromStringSlice creates a capability slice from a string slice.
func capabilityFromStringSlice(slice []string) []api.Capability {
	if len(slice) == 0 {
		return nil
	}
	caps := []api.Capability{}
	for _, c := range slice {
		caps = append(caps, api.Capability(c))
	}
	return caps
}
示例#2
0
func TestHasNonNamespacedCapability(t *testing.T) {
	createPodWithCap := func(caps []api.Capability) *api.Pod {
		pod := &api.Pod{
			Spec: api.PodSpec{
				Containers: []api.Container{{}},
			},
		}

		if len(caps) > 0 {
			pod.Spec.Containers[0].SecurityContext = &api.SecurityContext{
				Capabilities: &api.Capabilities{
					Add: caps,
				},
			}
		}
		return pod
	}

	nilCaps := createPodWithCap([]api.Capability{api.Capability("foo")})
	nilCaps.Spec.Containers[0].SecurityContext = nil

	tests := map[string]struct {
		pod      *api.Pod
		expected bool
	}{
		"nil security contxt":           {createPodWithCap(nil), false},
		"nil caps":                      {nilCaps, false},
		"namespaced cap":                {createPodWithCap([]api.Capability{api.Capability("foo")}), false},
		"non-namespaced cap MKNOD":      {createPodWithCap([]api.Capability{api.Capability("MKNOD")}), true},
		"non-namespaced cap SYS_TIME":   {createPodWithCap([]api.Capability{api.Capability("SYS_TIME")}), true},
		"non-namespaced cap SYS_MODULE": {createPodWithCap([]api.Capability{api.Capability("SYS_MODULE")}), true},
	}

	for k, v := range tests {
		actual := hasNonNamespacedCapability(v.pod)
		if actual != v.expected {
			t.Errorf("%s failed, expected %t but got %t", k, v.expected, actual)
		}
	}
}
示例#3
0
func convert_v1beta3_SecurityContextConstraints_To_api_SecurityContextConstraints(in *SecurityContextConstraints, out *api.SecurityContextConstraints, s conversion.Scope) error {
	if defaulting, found := s.DefaultingInterface(reflect.TypeOf(*in)); found {
		defaulting.(func(*SecurityContextConstraints))(in)
	}

	if err := convert_v1beta3_ObjectMeta_To_api_ObjectMeta(&in.ObjectMeta, &out.ObjectMeta, s); err != nil {
		return err
	}
	if in.Priority != nil {
		out.Priority = new(int)
		*out.Priority = *in.Priority
	} else {
		out.Priority = nil
	}
	out.AllowPrivilegedContainer = in.AllowPrivilegedContainer
	if in.AllowedCapabilities != nil {
		out.AllowedCapabilities = make([]api.Capability, len(in.AllowedCapabilities))
		for i := range in.AllowedCapabilities {
			out.AllowedCapabilities[i] = api.Capability(in.AllowedCapabilities[i])
		}
	} else {
		out.AllowedCapabilities = nil
	}

	// for v1beta3 -> api volume conversion we must assume that all volumes were allowed.
	// the only volume you could turn off is the host path volume so we'll remove that based
	// on the v1beta3 setting.
	if !in.AllowHostDirVolumePlugin {
		for _, v := range sccutil.GetAllFSTypesExcept(string(api.FSTypeHostPath)).List() {
			out.Volumes = append(out.Volumes, api.FSType(v))
		}
	} else {
		out.Volumes = []api.FSType{api.FSTypeAll}
	}

	out.AllowHostNetwork = in.AllowHostNetwork
	out.AllowHostPorts = in.AllowHostPorts
	out.AllowHostPID = in.AllowHostPID
	out.AllowHostIPC = in.AllowHostIPC
	if err := convert_v1beta3_SELinuxContextStrategyOptions_To_api_SELinuxContextStrategyOptions(&in.SELinuxContext, &out.SELinuxContext, s); err != nil {
		return err
	}
	if err := convert_v1beta3_RunAsUserStrategyOptions_To_api_RunAsUserStrategyOptions(&in.RunAsUser, &out.RunAsUser, s); err != nil {
		return err
	}
	if err := convert_v1beta3_FSGroupStrategyOptions_To_api_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {
		return err
	}
	if err := convert_v1beta3_SupplementalGroupsStrategyOptions_To_api_SupplementalGroupsStrategyOptions(&in.SupplementalGroups, &out.SupplementalGroups, s); err != nil {
		return err
	}
	if in.DefaultAddCapabilities != nil {
		out.DefaultAddCapabilities = make([]api.Capability, len(in.DefaultAddCapabilities))
		for i := range in.DefaultAddCapabilities {
			out.DefaultAddCapabilities[i] = api.Capability(in.DefaultAddCapabilities[i])
		}
	} else {
		out.DefaultAddCapabilities = nil
	}
	if in.RequiredDropCapabilities != nil {
		out.RequiredDropCapabilities = make([]api.Capability, len(in.RequiredDropCapabilities))
		for i := range in.RequiredDropCapabilities {
			out.RequiredDropCapabilities[i] = api.Capability(in.RequiredDropCapabilities[i])
		}
	} else {
		out.RequiredDropCapabilities = nil
	}
	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
	if in.Users != nil {
		out.Users = make([]string, len(in.Users))
		for i := range in.Users {
			out.Users[i] = in.Users[i]
		}
	} else {
		out.Users = nil
	}
	if in.Groups != nil {
		out.Groups = make([]string, len(in.Groups))
		for i := range in.Groups {
			out.Groups[i] = in.Groups[i]
		}
	} else {
		out.Groups = nil
	}
	return nil
}