diff --git a/hack/.golint_failures b/hack/.golint_failures
index 8ab29fc3b7a..564542b39c6 100644
--- a/hack/.golint_failures
+++ b/hack/.golint_failures
@@ -314,7 +314,6 @@ pkg/security/podsecuritypolicy/seccomp
 pkg/security/podsecuritypolicy/selinux
 pkg/security/podsecuritypolicy/user
 pkg/security/podsecuritypolicy/util
-pkg/securitycontext
 pkg/serviceaccount
 pkg/ssh
 pkg/util/bandwidth
diff --git a/pkg/securitycontext/accessors.go b/pkg/securitycontext/accessors.go
index 739ca126f62..283181a7792 100644
--- a/pkg/securitycontext/accessors.go
+++ b/pkg/securitycontext/accessors.go
@@ -201,6 +201,7 @@ func (w *podSecurityContextWrapper) SetFSGroup(v *int64) {
 	w.podSC.FSGroup = v
 }
 
+// ContainerSecurityContextAccessor allows reading the values of a SecurityContext object
 type ContainerSecurityContextAccessor interface {
 	Capabilities() *api.Capabilities
 	Privileged() *bool
@@ -213,6 +214,7 @@ type ContainerSecurityContextAccessor interface {
 	AllowPrivilegeEscalation() *bool
 }
 
+// ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object
 type ContainerSecurityContextMutator interface {
 	ContainerSecurityContextAccessor
 
@@ -228,10 +230,14 @@ type ContainerSecurityContextMutator interface {
 	SetAllowPrivilegeEscalation(*bool)
 }
 
+// NewContainerSecurityContextAccessor returns an accessor for the provided container security context
+// May be initialized with a nil SecurityContext
 func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor {
 	return &containerSecurityContextWrapper{containerSC: containerSC}
 }
 
+// NewContainerSecurityContextMutator returns a mutator for the provided container security context
+// May be initialized with a nil SecurityContext
 func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator {
 	return &containerSecurityContextWrapper{containerSC: containerSC}
 }
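Review bot: The new doc comments on NewContainerSecurityContextAccessor and NewContainerSecurityContextMutator say a nil SecurityContext "may be" passed but not what a caller then observes, which is exactly what a reader needs before trusting a Privileged() or AllowPrivilegeEscalation() read on an unset context to mean "not requested" rather than "undefined". The hunk shows only the constructors, so whether reads return nil and whether the Set* methods allocate a fresh SecurityContext or dereference nil cannot be confirmed here; the comment should state whichever the wrapper methods actually do. Suggested shape, once confirmed against the wrapper: `// NewContainerSecurityContextMutator returns a mutator for the provided container security context.` followed by `// containerSC may be nil; reads then return nil for every field and writes allocate a new SecurityContext.` Go doc comments are also full sentences, so the two-line fragments should end with periods.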
@@ -365,10 +371,14 @@ func (w *containerSecurityContextWrapper) SetAllowPrivilegeEscalation(v *bool) {
 	w.containerSC.AllowPrivilegeEscalation = v
 }
 
+// NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values
+// for the provided pod security context and container security context
 func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor {
 	return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC}
 }
 
+// NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values
+// for the provided pod security context and container security context
 func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator {
 	return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC}
 }
diff --git a/pkg/securitycontext/util.go b/pkg/securitycontext/util.go
index f324f7d1216..a39ee7571a8 100644
--- a/pkg/securitycontext/util.go
+++ b/pkg/securitycontext/util.go
@@ -44,6 +44,9 @@ func HasCapabilitiesRequest(container *v1.Container) bool {
 	return len(container.SecurityContext.Capabilities.Add) > 0 || len(container.SecurityContext.Capabilities.Drop) > 0
 }
 
+// DetermineEffectiveSecurityContext returns a synthesized SecurityContext for reading effective configurations
+// from the provided pod's and container's security context. Container's fields take precedence in cases where both
+// are set
 func DetermineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container) *v1.SecurityContext {
 	effectiveSc := securityContextFromPodSecurityContext(pod)
 	containerSc := container.SecurityContext
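Review bot: The comments added on NewEffectiveContainerSecurityContextAccessor and NewEffectiveContainerSecurityContextMutator describe "effective values" without saying how the pod-level and container-level settings are combined, while the DetermineEffectiveSecurityContext comment in the same commit does state that container fields win when both are set. These wrappers are where policy code reads RunAsUser, Privileged and similar fields, so the precedence rule belongs on them too; for the mutator it should also say which of the two contexts a Set* call writes to (the hunk shows only the constructors, so that is inferred rather than verified). Suggest appending `// Container-level fields take precedence over pod-level fields when both are set.` to both comments and ending each sentence with a period.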
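Review bot: The new DetermineEffectiveSecurityContext comment calls the result "synthesized" but does not say whether it is a fresh object or shares pointers with pod.Spec.SecurityContext and container.SecurityContext; the two visible body lines only show `containerSc := container.SecurityContext`, and the body continues past the hunk, so aliasing cannot be ruled out from here. A caller that mutates the returned context as a scratch copy could silently edit the pod spec, which matters for anything that tightens Privileged or AllowPrivilegeEscalation before the pod reaches the runtime. Add one sentence stating the ownership once confirmed against the rest of the body, e.g. `// The returned SecurityContext is newly allocated; its pointer fields may alias the inputs.`, and end the comment with a period.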