diff --git a/pkg/securitycontext/util.go b/pkg/securitycontext/util.go index 73d23a43131..2719e118269 100644 --- a/pkg/securitycontext/util.go +++ b/pkg/securitycontext/util.go @@ -21,7 +21,6 @@ import ( "strings" "k8s.io/api/core/v1" - api "k8s.io/kubernetes/pkg/apis/core" ) // HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account @@ -165,83 +164,6 @@ func securityContextFromPodSecurityContext(pod *v1.Pod) *v1.SecurityContext { return synthesized } -// TODO: remove the duplicate code -func InternalDetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *api.SecurityContext { - effectiveSc := internalSecurityContextFromPodSecurityContext(pod) - containerSc := container.SecurityContext - - if effectiveSc == nil && containerSc == nil { - return nil - } - if effectiveSc != nil && containerSc == nil { - return effectiveSc - } - if effectiveSc == nil && containerSc != nil { - return containerSc - } - - if containerSc.SELinuxOptions != nil { - effectiveSc.SELinuxOptions = new(api.SELinuxOptions) - *effectiveSc.SELinuxOptions = *containerSc.SELinuxOptions - } - - if containerSc.Capabilities != nil { - effectiveSc.Capabilities = new(api.Capabilities) - *effectiveSc.Capabilities = *containerSc.Capabilities - } - - if containerSc.Privileged != nil { - effectiveSc.Privileged = new(bool) - *effectiveSc.Privileged = *containerSc.Privileged - } - - if containerSc.RunAsUser != nil { - effectiveSc.RunAsUser = new(int64) - *effectiveSc.RunAsUser = *containerSc.RunAsUser - } - - if containerSc.RunAsNonRoot != nil { - effectiveSc.RunAsNonRoot = new(bool) - *effectiveSc.RunAsNonRoot = *containerSc.RunAsNonRoot - } - - if containerSc.ReadOnlyRootFilesystem != nil { - effectiveSc.ReadOnlyRootFilesystem = new(bool) - *effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem - } - - if containerSc.AllowPrivilegeEscalation != nil { - effectiveSc.AllowPrivilegeEscalation = new(bool) - *effectiveSc.AllowPrivilegeEscalation = *containerSc.AllowPrivilegeEscalation - } - - return effectiveSc -} - -func internalSecurityContextFromPodSecurityContext(pod *api.Pod) *api.SecurityContext { - if pod.Spec.SecurityContext == nil { - return nil - } - - synthesized := &api.SecurityContext{} - - if pod.Spec.SecurityContext.SELinuxOptions != nil { - synthesized.SELinuxOptions = &api.SELinuxOptions{} - *synthesized.SELinuxOptions = *pod.Spec.SecurityContext.SELinuxOptions - } - if pod.Spec.SecurityContext.RunAsUser != nil { - synthesized.RunAsUser = new(int64) - *synthesized.RunAsUser = *pod.Spec.SecurityContext.RunAsUser - } - - if pod.Spec.SecurityContext.RunAsNonRoot != nil { - synthesized.RunAsNonRoot = new(bool) - *synthesized.RunAsNonRoot = *pod.Spec.SecurityContext.RunAsNonRoot - } - - return synthesized -} - // AddNoNewPrivileges returns if we should add the no_new_privs option. func AddNoNewPrivileges(sc *v1.SecurityContext) bool { if sc == nil {