accessors.go

Documentation: k8s.io/kubernetes/pkg/securitycontext

     1  /*
     2  Copyright 2017 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package securitycontext
    18  
    19  import (
    20  	"reflect"
    21  
    22  	api "k8s.io/kubernetes/pkg/apis/core"
    23  )
    24  
    25  // PodSecurityContextAccessor allows reading the values of a PodSecurityContext object
    26  type PodSecurityContextAccessor interface {
    27  	HostNetwork() bool
    28  	HostPID() bool
    29  	HostIPC() bool
    30  	SELinuxOptions() *api.SELinuxOptions
    31  	RunAsUser() *int64
    32  	RunAsGroup() *int64
    33  	RunAsNonRoot() *bool
    34  	SeccompProfile() *api.SeccompProfile
    35  	SupplementalGroups() []int64
    36  	FSGroup() *int64
    37  }
    38  
    39  // PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object
    40  type PodSecurityContextMutator interface {
    41  	PodSecurityContextAccessor
    42  
    43  	SetHostNetwork(bool)
    44  	SetHostPID(bool)
    45  	SetHostIPC(bool)
    46  	SetSELinuxOptions(*api.SELinuxOptions)
    47  	SetRunAsUser(*int64)
    48  	SetRunAsGroup(*int64)
    49  	SetRunAsNonRoot(*bool)
    50  	SetSeccompProfile(*api.SeccompProfile)
    51  	SetSupplementalGroups([]int64)
    52  	SetFSGroup(*int64)
    53  
    54  	// PodSecurityContext returns the current PodSecurityContext object
    55  	PodSecurityContext() *api.PodSecurityContext
    56  }
    57  
    58  // NewPodSecurityContextAccessor returns an accessor for the given pod security context.
    59  // May be initialized with a nil PodSecurityContext.
    60  func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor {
    61  	return &podSecurityContextWrapper{podSC: podSC}
    62  }
    63  
    64  // NewPodSecurityContextMutator returns a mutator for the given pod security context.
    65  // May be initialized with a nil PodSecurityContext.
    66  func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator {
    67  	return &podSecurityContextWrapper{podSC: podSC}
    68  }
    69  
    70  type podSecurityContextWrapper struct {
    71  	podSC *api.PodSecurityContext
    72  }
    73  
    74  func (w *podSecurityContextWrapper) PodSecurityContext() *api.PodSecurityContext {
    75  	return w.podSC
    76  }
    77  
    78  func (w *podSecurityContextWrapper) ensurePodSC() {
    79  	if w.podSC == nil {
    80  		w.podSC = &api.PodSecurityContext{}
    81  	}
    82  }
    83  
    84  func (w *podSecurityContextWrapper) HostNetwork() bool {
    85  	if w.podSC == nil {
    86  		return false
    87  	}
    88  	return w.podSC.HostNetwork
    89  }
    90  func (w *podSecurityContextWrapper) SetHostNetwork(v bool) {
    91  	if w.podSC == nil && v == false {
    92  		return
    93  	}
    94  	w.ensurePodSC()
    95  	w.podSC.HostNetwork = v
    96  }
    97  func (w *podSecurityContextWrapper) HostPID() bool {
    98  	if w.podSC == nil {
    99  		return false
   100  	}
   101  	return w.podSC.HostPID
   102  }
   103  func (w *podSecurityContextWrapper) SetHostPID(v bool) {
   104  	if w.podSC == nil && v == false {
   105  		return
   106  	}
   107  	w.ensurePodSC()
   108  	w.podSC.HostPID = v
   109  }
   110  func (w *podSecurityContextWrapper) HostIPC() bool {
   111  	if w.podSC == nil {
   112  		return false
   113  	}
   114  	return w.podSC.HostIPC
   115  }
   116  func (w *podSecurityContextWrapper) SetHostIPC(v bool) {
   117  	if w.podSC == nil && v == false {
   118  		return
   119  	}
   120  	w.ensurePodSC()
   121  	w.podSC.HostIPC = v
   122  }
   123  func (w *podSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
   124  	if w.podSC == nil {
   125  		return nil
   126  	}
   127  	return w.podSC.SELinuxOptions
   128  }
   129  func (w *podSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
   130  	if w.podSC == nil && v == nil {
   131  		return
   132  	}
   133  	w.ensurePodSC()
   134  	w.podSC.SELinuxOptions = v
   135  }
   136  func (w *podSecurityContextWrapper) RunAsUser() *int64 {
   137  	if w.podSC == nil {
   138  		return nil
   139  	}
   140  	return w.podSC.RunAsUser
   141  }
   142  func (w *podSecurityContextWrapper) SetRunAsUser(v *int64) {
   143  	if w.podSC == nil && v == nil {
   144  		return
   145  	}
   146  	w.ensurePodSC()
   147  	w.podSC.RunAsUser = v
   148  }
   149  func (w *podSecurityContextWrapper) RunAsGroup() *int64 {
   150  	if w.podSC == nil {
   151  		return nil
   152  	}
   153  	return w.podSC.RunAsGroup
   154  }
   155  func (w *podSecurityContextWrapper) SetRunAsGroup(v *int64) {
   156  	if w.podSC == nil && v == nil {
   157  		return
   158  	}
   159  	w.ensurePodSC()
   160  	w.podSC.RunAsGroup = v
   161  }
   162  
   163  func (w *podSecurityContextWrapper) RunAsNonRoot() *bool {
   164  	if w.podSC == nil {
   165  		return nil
   166  	}
   167  	return w.podSC.RunAsNonRoot
   168  }
   169  func (w *podSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
   170  	if w.podSC == nil && v == nil {
   171  		return
   172  	}
   173  	w.ensurePodSC()
   174  	w.podSC.RunAsNonRoot = v
   175  }
   176  func (w *podSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
   177  	if w.podSC == nil {
   178  		return nil
   179  	}
   180  	return w.podSC.SeccompProfile
   181  }
   182  func (w *podSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
   183  	if w.podSC == nil && p == nil {
   184  		return
   185  	}
   186  	w.ensurePodSC()
   187  	w.podSC.SeccompProfile = p
   188  }
   189  func (w *podSecurityContextWrapper) SupplementalGroups() []int64 {
   190  	if w.podSC == nil {
   191  		return nil
   192  	}
   193  	return w.podSC.SupplementalGroups
   194  }
   195  func (w *podSecurityContextWrapper) SetSupplementalGroups(v []int64) {
   196  	if w.podSC == nil && len(v) == 0 {
   197  		return
   198  	}
   199  	w.ensurePodSC()
   200  	if len(v) == 0 && len(w.podSC.SupplementalGroups) == 0 {
   201  		return
   202  	}
   203  	w.podSC.SupplementalGroups = v
   204  }
   205  func (w *podSecurityContextWrapper) FSGroup() *int64 {
   206  	if w.podSC == nil {
   207  		return nil
   208  	}
   209  	return w.podSC.FSGroup
   210  }
   211  func (w *podSecurityContextWrapper) SetFSGroup(v *int64) {
   212  	if w.podSC == nil && v == nil {
   213  		return
   214  	}
   215  	w.ensurePodSC()
   216  	w.podSC.FSGroup = v
   217  }
   218  
   219  // ContainerSecurityContextAccessor allows reading the values of a SecurityContext object
   220  type ContainerSecurityContextAccessor interface {
   221  	Capabilities() *api.Capabilities
   222  	Privileged() *bool
   223  	ProcMount() api.ProcMountType
   224  	SELinuxOptions() *api.SELinuxOptions
   225  	RunAsUser() *int64
   226  	RunAsGroup() *int64
   227  	RunAsNonRoot() *bool
   228  	ReadOnlyRootFilesystem() *bool
   229  	SeccompProfile() *api.SeccompProfile
   230  	AllowPrivilegeEscalation() *bool
   231  }
   232  
   233  // ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object
   234  type ContainerSecurityContextMutator interface {
   235  	ContainerSecurityContextAccessor
   236  
   237  	ContainerSecurityContext() *api.SecurityContext
   238  
   239  	SetCapabilities(*api.Capabilities)
   240  	SetPrivileged(*bool)
   241  	SetSELinuxOptions(*api.SELinuxOptions)
   242  	SetRunAsUser(*int64)
   243  	SetRunAsGroup(*int64)
   244  	SetRunAsNonRoot(*bool)
   245  	SetReadOnlyRootFilesystem(*bool)
   246  	SetSeccompProfile(*api.SeccompProfile)
   247  	SetAllowPrivilegeEscalation(*bool)
   248  }
   249  
   250  // NewContainerSecurityContextAccessor returns an accessor for the provided container security context
   251  // May be initialized with a nil SecurityContext
   252  func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor {
   253  	return &containerSecurityContextWrapper{containerSC: containerSC}
   254  }
   255  
   256  // NewContainerSecurityContextMutator returns a mutator for the provided container security context
   257  // May be initialized with a nil SecurityContext
   258  func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator {
   259  	return &containerSecurityContextWrapper{containerSC: containerSC}
   260  }
   261  
   262  type containerSecurityContextWrapper struct {
   263  	containerSC *api.SecurityContext
   264  }
   265  
   266  func (w *containerSecurityContextWrapper) ContainerSecurityContext() *api.SecurityContext {
   267  	return w.containerSC
   268  }
   269  
   270  func (w *containerSecurityContextWrapper) ensureContainerSC() {
   271  	if w.containerSC == nil {
   272  		w.containerSC = &api.SecurityContext{}
   273  	}
   274  }
   275  
   276  func (w *containerSecurityContextWrapper) Capabilities() *api.Capabilities {
   277  	if w.containerSC == nil {
   278  		return nil
   279  	}
   280  	return w.containerSC.Capabilities
   281  }
   282  func (w *containerSecurityContextWrapper) SetCapabilities(v *api.Capabilities) {
   283  	if w.containerSC == nil && v == nil {
   284  		return
   285  	}
   286  	w.ensureContainerSC()
   287  	w.containerSC.Capabilities = v
   288  }
   289  func (w *containerSecurityContextWrapper) Privileged() *bool {
   290  	if w.containerSC == nil {
   291  		return nil
   292  	}
   293  	return w.containerSC.Privileged
   294  }
   295  func (w *containerSecurityContextWrapper) SetPrivileged(v *bool) {
   296  	if w.containerSC == nil && v == nil {
   297  		return
   298  	}
   299  	w.ensureContainerSC()
   300  	w.containerSC.Privileged = v
   301  }
   302  func (w *containerSecurityContextWrapper) ProcMount() api.ProcMountType {
   303  	if w.containerSC == nil {
   304  		return api.DefaultProcMount
   305  	}
   306  	if w.containerSC.ProcMount == nil {
   307  		return api.DefaultProcMount
   308  	}
   309  	return *w.containerSC.ProcMount
   310  }
   311  func (w *containerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
   312  	if w.containerSC == nil {
   313  		return nil
   314  	}
   315  	return w.containerSC.SELinuxOptions
   316  }
   317  func (w *containerSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
   318  	if w.containerSC == nil && v == nil {
   319  		return
   320  	}
   321  	w.ensureContainerSC()
   322  	w.containerSC.SELinuxOptions = v
   323  }
   324  func (w *containerSecurityContextWrapper) RunAsUser() *int64 {
   325  	if w.containerSC == nil {
   326  		return nil
   327  	}
   328  	return w.containerSC.RunAsUser
   329  }
   330  func (w *containerSecurityContextWrapper) SetRunAsUser(v *int64) {
   331  	if w.containerSC == nil && v == nil {
   332  		return
   333  	}
   334  	w.ensureContainerSC()
   335  	w.containerSC.RunAsUser = v
   336  }
   337  func (w *containerSecurityContextWrapper) RunAsGroup() *int64 {
   338  	if w.containerSC == nil {
   339  		return nil
   340  	}
   341  	return w.containerSC.RunAsGroup
   342  }
   343  func (w *containerSecurityContextWrapper) SetRunAsGroup(v *int64) {
   344  	if w.containerSC == nil && v == nil {
   345  		return
   346  	}
   347  	w.ensureContainerSC()
   348  	w.containerSC.RunAsGroup = v
   349  }
   350  
   351  func (w *containerSecurityContextWrapper) RunAsNonRoot() *bool {
   352  	if w.containerSC == nil {
   353  		return nil
   354  	}
   355  	return w.containerSC.RunAsNonRoot
   356  }
   357  func (w *containerSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
   358  	if w.containerSC == nil && v == nil {
   359  		return
   360  	}
   361  	w.ensureContainerSC()
   362  	w.containerSC.RunAsNonRoot = v
   363  }
   364  func (w *containerSecurityContextWrapper) ReadOnlyRootFilesystem() *bool {
   365  	if w.containerSC == nil {
   366  		return nil
   367  	}
   368  	return w.containerSC.ReadOnlyRootFilesystem
   369  }
   370  func (w *containerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) {
   371  	if w.containerSC == nil && v == nil {
   372  		return
   373  	}
   374  	w.ensureContainerSC()
   375  	w.containerSC.ReadOnlyRootFilesystem = v
   376  }
   377  func (w *containerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
   378  	if w.containerSC == nil {
   379  		return nil
   380  	}
   381  	return w.containerSC.SeccompProfile
   382  }
   383  func (w *containerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
   384  	if w.containerSC == nil && p == nil {
   385  		return
   386  	}
   387  	w.ensureContainerSC()
   388  	w.containerSC.SeccompProfile = p
   389  }
   390  
   391  func (w *containerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
   392  	if w.containerSC == nil {
   393  		return nil
   394  	}
   395  	return w.containerSC.AllowPrivilegeEscalation
   396  }
   397  func (w *containerSecurityContextWrapper) SetAllowPrivilegeEscalation(v *bool) {
   398  	if w.containerSC == nil && v == nil {
   399  		return
   400  	}
   401  	w.ensureContainerSC()
   402  	w.containerSC.AllowPrivilegeEscalation = v
   403  }
   404  
   405  // NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values
   406  // for the provided pod security context and container security context
   407  func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor {
   408  	return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC}
   409  }
   410  
   411  // NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values
   412  // for the provided pod security context and container security context
   413  func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator {
   414  	return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC}
   415  }
   416  
   417  type effectiveContainerSecurityContextWrapper struct {
   418  	podSC       PodSecurityContextAccessor
   419  	containerSC ContainerSecurityContextMutator
   420  }
   421  
   422  func (w *effectiveContainerSecurityContextWrapper) ContainerSecurityContext() *api.SecurityContext {
   423  	return w.containerSC.ContainerSecurityContext()
   424  }
   425  
   426  func (w *effectiveContainerSecurityContextWrapper) Capabilities() *api.Capabilities {
   427  	return w.containerSC.Capabilities()
   428  }
   429  func (w *effectiveContainerSecurityContextWrapper) SetCapabilities(v *api.Capabilities) {
   430  	if !reflect.DeepEqual(w.Capabilities(), v) {
   431  		w.containerSC.SetCapabilities(v)
   432  	}
   433  }
   434  func (w *effectiveContainerSecurityContextWrapper) Privileged() *bool {
   435  	return w.containerSC.Privileged()
   436  }
   437  func (w *effectiveContainerSecurityContextWrapper) SetPrivileged(v *bool) {
   438  	if !reflect.DeepEqual(w.Privileged(), v) {
   439  		w.containerSC.SetPrivileged(v)
   440  	}
   441  }
   442  func (w *effectiveContainerSecurityContextWrapper) ProcMount() api.ProcMountType {
   443  	return w.containerSC.ProcMount()
   444  }
   445  func (w *effectiveContainerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
   446  	if v := w.containerSC.SELinuxOptions(); v != nil {
   447  		return v
   448  	}
   449  	return w.podSC.SELinuxOptions()
   450  }
   451  func (w *effectiveContainerSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
   452  	if !reflect.DeepEqual(w.SELinuxOptions(), v) {
   453  		w.containerSC.SetSELinuxOptions(v)
   454  	}
   455  }
   456  func (w *effectiveContainerSecurityContextWrapper) RunAsUser() *int64 {
   457  	if v := w.containerSC.RunAsUser(); v != nil {
   458  		return v
   459  	}
   460  	return w.podSC.RunAsUser()
   461  }
   462  func (w *effectiveContainerSecurityContextWrapper) SetRunAsUser(v *int64) {
   463  	if !reflect.DeepEqual(w.RunAsUser(), v) {
   464  		w.containerSC.SetRunAsUser(v)
   465  	}
   466  }
   467  func (w *effectiveContainerSecurityContextWrapper) RunAsGroup() *int64 {
   468  	if v := w.containerSC.RunAsGroup(); v != nil {
   469  		return v
   470  	}
   471  	return w.podSC.RunAsGroup()
   472  }
   473  func (w *effectiveContainerSecurityContextWrapper) SetRunAsGroup(v *int64) {
   474  	if !reflect.DeepEqual(w.RunAsGroup(), v) {
   475  		w.containerSC.SetRunAsGroup(v)
   476  	}
   477  }
   478  
   479  func (w *effectiveContainerSecurityContextWrapper) RunAsNonRoot() *bool {
   480  	if v := w.containerSC.RunAsNonRoot(); v != nil {
   481  		return v
   482  	}
   483  	return w.podSC.RunAsNonRoot()
   484  }
   485  func (w *effectiveContainerSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
   486  	if !reflect.DeepEqual(w.RunAsNonRoot(), v) {
   487  		w.containerSC.SetRunAsNonRoot(v)
   488  	}
   489  }
   490  func (w *effectiveContainerSecurityContextWrapper) ReadOnlyRootFilesystem() *bool {
   491  	return w.containerSC.ReadOnlyRootFilesystem()
   492  }
   493  func (w *effectiveContainerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) {
   494  	if !reflect.DeepEqual(w.ReadOnlyRootFilesystem(), v) {
   495  		w.containerSC.SetReadOnlyRootFilesystem(v)
   496  	}
   497  }
   498  func (w *effectiveContainerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile {
   499  	return w.containerSC.SeccompProfile()
   500  }
   501  func (w *effectiveContainerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) {
   502  	if !reflect.DeepEqual(w.SeccompProfile(), p) {
   503  		w.containerSC.SetSeccompProfile(p)
   504  	}
   505  }
   506  func (w *effectiveContainerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
   507  	return w.containerSC.AllowPrivilegeEscalation()
   508  }
   509  func (w *effectiveContainerSecurityContextWrapper) SetAllowPrivilegeEscalation(v *bool) {
   510  	if !reflect.DeepEqual(w.AllowPrivilegeEscalation(), v) {
   511  		w.containerSC.SetAllowPrivilegeEscalation(v)
   512  	}
   513  }
   514
View as plain text