"Fossies" - the Fresh Open Source Software Archive

Member "cri-o-1.25.1/vendor/k8s.io/kubernetes/pkg/securitycontext/accessors.go" (7 Oct 2022, 13624 Bytes) of package /linux/misc/cri-o-1.25.1.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) Go source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file.

    1 /*
    2 Copyright 2017 The Kubernetes Authors.
    3 
    4 Licensed under the Apache License, Version 2.0 (the "License");
    5 you may not use this file except in compliance with the License.
    6 You may obtain a copy of the License at
    7 
    8     http://www.apache.org/licenses/LICENSE-2.0
    9 
   10 Unless required by applicable law or agreed to in writing, software
   11 distributed under the License is distributed on an "AS IS" BASIS,
   12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   13 See the License for the specific language governing permissions and
   14 limitations under the License.
   15 */
   16 
   17 package securitycontext
   18 
   19 import (
   20     "reflect"
   21 
   22     api "k8s.io/kubernetes/pkg/apis/core"
   23 )
   24 
   25 // PodSecurityContextAccessor allows reading the values of a PodSecurityContext object
   26 type PodSecurityContextAccessor interface {
   27     HostNetwork() bool
   28     HostPID() bool
   29     HostIPC() bool
   30     SELinuxOptions() *api.SELinuxOptions
   31     RunAsUser() *int64
   32     RunAsGroup() *int64
   33     RunAsNonRoot() *bool
   34     SupplementalGroups() []int64
   35     FSGroup() *int64
   36 }
   37 
   38 // PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object
   39 type PodSecurityContextMutator interface {
   40     PodSecurityContextAccessor
   41 
   42     SetHostNetwork(bool)
   43     SetHostPID(bool)
   44     SetHostIPC(bool)
   45     SetSELinuxOptions(*api.SELinuxOptions)
   46     SetRunAsUser(*int64)
   47     SetRunAsGroup(*int64)
   48     SetRunAsNonRoot(*bool)
   49     SetSupplementalGroups([]int64)
   50     SetFSGroup(*int64)
   51 
   52     // PodSecurityContext returns the current PodSecurityContext object
   53     PodSecurityContext() *api.PodSecurityContext
   54 }
   55 
   56 // NewPodSecurityContextAccessor returns an accessor for the given pod security context.
   57 // May be initialized with a nil PodSecurityContext.
   58 func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor {
   59     return &podSecurityContextWrapper{podSC: podSC}
   60 }
   61 
   62 // NewPodSecurityContextMutator returns a mutator for the given pod security context.
   63 // May be initialized with a nil PodSecurityContext.
   64 func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator {
   65     return &podSecurityContextWrapper{podSC: podSC}
   66 }
   67 
   68 type podSecurityContextWrapper struct {
   69     podSC *api.PodSecurityContext
   70 }
   71 
   72 func (w *podSecurityContextWrapper) PodSecurityContext() *api.PodSecurityContext {
   73     return w.podSC
   74 }
   75 
   76 func (w *podSecurityContextWrapper) ensurePodSC() {
   77     if w.podSC == nil {
   78         w.podSC = &api.PodSecurityContext{}
   79     }
   80 }
   81 
   82 func (w *podSecurityContextWrapper) HostNetwork() bool {
   83     if w.podSC == nil {
   84         return false
   85     }
   86     return w.podSC.HostNetwork
   87 }
   88 func (w *podSecurityContextWrapper) SetHostNetwork(v bool) {
   89     if w.podSC == nil && v == false {
   90         return
   91     }
   92     w.ensurePodSC()
   93     w.podSC.HostNetwork = v
   94 }
   95 func (w *podSecurityContextWrapper) HostPID() bool {
   96     if w.podSC == nil {
   97         return false
   98     }
   99     return w.podSC.HostPID
  100 }
  101 func (w *podSecurityContextWrapper) SetHostPID(v bool) {
  102     if w.podSC == nil && v == false {
  103         return
  104     }
  105     w.ensurePodSC()
  106     w.podSC.HostPID = v
  107 }
  108 func (w *podSecurityContextWrapper) HostIPC() bool {
  109     if w.podSC == nil {
  110         return false
  111     }
  112     return w.podSC.HostIPC
  113 }
  114 func (w *podSecurityContextWrapper) SetHostIPC(v bool) {
  115     if w.podSC == nil && v == false {
  116         return
  117     }
  118     w.ensurePodSC()
  119     w.podSC.HostIPC = v
  120 }
  121 func (w *podSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
  122     if w.podSC == nil {
  123         return nil
  124     }
  125     return w.podSC.SELinuxOptions
  126 }
  127 func (w *podSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
  128     if w.podSC == nil && v == nil {
  129         return
  130     }
  131     w.ensurePodSC()
  132     w.podSC.SELinuxOptions = v
  133 }
  134 func (w *podSecurityContextWrapper) RunAsUser() *int64 {
  135     if w.podSC == nil {
  136         return nil
  137     }
  138     return w.podSC.RunAsUser
  139 }
  140 func (w *podSecurityContextWrapper) SetRunAsUser(v *int64) {
  141     if w.podSC == nil && v == nil {
  142         return
  143     }
  144     w.ensurePodSC()
  145     w.podSC.RunAsUser = v
  146 }
  147 func (w *podSecurityContextWrapper) RunAsGroup() *int64 {
  148     if w.podSC == nil {
  149         return nil
  150     }
  151     return w.podSC.RunAsGroup
  152 }
  153 func (w *podSecurityContextWrapper) SetRunAsGroup(v *int64) {
  154     if w.podSC == nil && v == nil {
  155         return
  156     }
  157     w.ensurePodSC()
  158     w.podSC.RunAsGroup = v
  159 }
  160 
  161 func (w *podSecurityContextWrapper) RunAsNonRoot() *bool {
  162     if w.podSC == nil {
  163         return nil
  164     }
  165     return w.podSC.RunAsNonRoot
  166 }
  167 func (w *podSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
  168     if w.podSC == nil && v == nil {
  169         return
  170     }
  171     w.ensurePodSC()
  172     w.podSC.RunAsNonRoot = v
  173 }
  174 func (w *podSecurityContextWrapper) SupplementalGroups() []int64 {
  175     if w.podSC == nil {
  176         return nil
  177     }
  178     return w.podSC.SupplementalGroups
  179 }
  180 func (w *podSecurityContextWrapper) SetSupplementalGroups(v []int64) {
  181     if w.podSC == nil && len(v) == 0 {
  182         return
  183     }
  184     w.ensurePodSC()
  185     if len(v) == 0 && len(w.podSC.SupplementalGroups) == 0 {
  186         return
  187     }
  188     w.podSC.SupplementalGroups = v
  189 }
  190 func (w *podSecurityContextWrapper) FSGroup() *int64 {
  191     if w.podSC == nil {
  192         return nil
  193     }
  194     return w.podSC.FSGroup
  195 }
  196 func (w *podSecurityContextWrapper) SetFSGroup(v *int64) {
  197     if w.podSC == nil && v == nil {
  198         return
  199     }
  200     w.ensurePodSC()
  201     w.podSC.FSGroup = v
  202 }
  203 
  204 // ContainerSecurityContextAccessor allows reading the values of a SecurityContext object
  205 type ContainerSecurityContextAccessor interface {
  206     Capabilities() *api.Capabilities
  207     Privileged() *bool
  208     ProcMount() api.ProcMountType
  209     SELinuxOptions() *api.SELinuxOptions
  210     RunAsUser() *int64
  211     RunAsGroup() *int64
  212     RunAsNonRoot() *bool
  213     ReadOnlyRootFilesystem() *bool
  214     AllowPrivilegeEscalation() *bool
  215 }
  216 
  217 // ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object
  218 type ContainerSecurityContextMutator interface {
  219     ContainerSecurityContextAccessor
  220 
  221     ContainerSecurityContext() *api.SecurityContext
  222 
  223     SetCapabilities(*api.Capabilities)
  224     SetPrivileged(*bool)
  225     SetSELinuxOptions(*api.SELinuxOptions)
  226     SetRunAsUser(*int64)
  227     SetRunAsGroup(*int64)
  228     SetRunAsNonRoot(*bool)
  229     SetReadOnlyRootFilesystem(*bool)
  230     SetAllowPrivilegeEscalation(*bool)
  231 }
  232 
  233 // NewContainerSecurityContextAccessor returns an accessor for the provided container security context
  234 // May be initialized with a nil SecurityContext
  235 func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor {
  236     return &containerSecurityContextWrapper{containerSC: containerSC}
  237 }
  238 
  239 // NewContainerSecurityContextMutator returns a mutator for the provided container security context
  240 // May be initialized with a nil SecurityContext
  241 func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator {
  242     return &containerSecurityContextWrapper{containerSC: containerSC}
  243 }
  244 
  245 type containerSecurityContextWrapper struct {
  246     containerSC *api.SecurityContext
  247 }
  248 
  249 func (w *containerSecurityContextWrapper) ContainerSecurityContext() *api.SecurityContext {
  250     return w.containerSC
  251 }
  252 
  253 func (w *containerSecurityContextWrapper) ensureContainerSC() {
  254     if w.containerSC == nil {
  255         w.containerSC = &api.SecurityContext{}
  256     }
  257 }
  258 
  259 func (w *containerSecurityContextWrapper) Capabilities() *api.Capabilities {
  260     if w.containerSC == nil {
  261         return nil
  262     }
  263     return w.containerSC.Capabilities
  264 }
  265 func (w *containerSecurityContextWrapper) SetCapabilities(v *api.Capabilities) {
  266     if w.containerSC == nil && v == nil {
  267         return
  268     }
  269     w.ensureContainerSC()
  270     w.containerSC.Capabilities = v
  271 }
  272 func (w *containerSecurityContextWrapper) Privileged() *bool {
  273     if w.containerSC == nil {
  274         return nil
  275     }
  276     return w.containerSC.Privileged
  277 }
  278 func (w *containerSecurityContextWrapper) SetPrivileged(v *bool) {
  279     if w.containerSC == nil && v == nil {
  280         return
  281     }
  282     w.ensureContainerSC()
  283     w.containerSC.Privileged = v
  284 }
  285 func (w *containerSecurityContextWrapper) ProcMount() api.ProcMountType {
  286     if w.containerSC == nil {
  287         return api.DefaultProcMount
  288     }
  289     if w.containerSC.ProcMount == nil {
  290         return api.DefaultProcMount
  291     }
  292     return *w.containerSC.ProcMount
  293 }
  294 func (w *containerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
  295     if w.containerSC == nil {
  296         return nil
  297     }
  298     return w.containerSC.SELinuxOptions
  299 }
  300 func (w *containerSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
  301     if w.containerSC == nil && v == nil {
  302         return
  303     }
  304     w.ensureContainerSC()
  305     w.containerSC.SELinuxOptions = v
  306 }
  307 func (w *containerSecurityContextWrapper) RunAsUser() *int64 {
  308     if w.containerSC == nil {
  309         return nil
  310     }
  311     return w.containerSC.RunAsUser
  312 }
  313 func (w *containerSecurityContextWrapper) SetRunAsUser(v *int64) {
  314     if w.containerSC == nil && v == nil {
  315         return
  316     }
  317     w.ensureContainerSC()
  318     w.containerSC.RunAsUser = v
  319 }
  320 func (w *containerSecurityContextWrapper) RunAsGroup() *int64 {
  321     if w.containerSC == nil {
  322         return nil
  323     }
  324     return w.containerSC.RunAsGroup
  325 }
  326 func (w *containerSecurityContextWrapper) SetRunAsGroup(v *int64) {
  327     if w.containerSC == nil && v == nil {
  328         return
  329     }
  330     w.ensureContainerSC()
  331     w.containerSC.RunAsGroup = v
  332 }
  333 
  334 func (w *containerSecurityContextWrapper) RunAsNonRoot() *bool {
  335     if w.containerSC == nil {
  336         return nil
  337     }
  338     return w.containerSC.RunAsNonRoot
  339 }
  340 func (w *containerSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
  341     if w.containerSC == nil && v == nil {
  342         return
  343     }
  344     w.ensureContainerSC()
  345     w.containerSC.RunAsNonRoot = v
  346 }
  347 func (w *containerSecurityContextWrapper) ReadOnlyRootFilesystem() *bool {
  348     if w.containerSC == nil {
  349         return nil
  350     }
  351     return w.containerSC.ReadOnlyRootFilesystem
  352 }
  353 func (w *containerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) {
  354     if w.containerSC == nil && v == nil {
  355         return
  356     }
  357     w.ensureContainerSC()
  358     w.containerSC.ReadOnlyRootFilesystem = v
  359 }
  360 func (w *containerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
  361     if w.containerSC == nil {
  362         return nil
  363     }
  364     return w.containerSC.AllowPrivilegeEscalation
  365 }
  366 func (w *containerSecurityContextWrapper) SetAllowPrivilegeEscalation(v *bool) {
  367     if w.containerSC == nil && v == nil {
  368         return
  369     }
  370     w.ensureContainerSC()
  371     w.containerSC.AllowPrivilegeEscalation = v
  372 }
  373 
  374 // NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values
  375 // for the provided pod security context and container security context
  376 func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor {
  377     return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC}
  378 }
  379 
  380 // NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values
  381 // for the provided pod security context and container security context
  382 func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator {
  383     return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC}
  384 }
  385 
  386 type effectiveContainerSecurityContextWrapper struct {
  387     podSC       PodSecurityContextAccessor
  388     containerSC ContainerSecurityContextMutator
  389 }
  390 
  391 func (w *effectiveContainerSecurityContextWrapper) ContainerSecurityContext() *api.SecurityContext {
  392     return w.containerSC.ContainerSecurityContext()
  393 }
  394 
  395 func (w *effectiveContainerSecurityContextWrapper) Capabilities() *api.Capabilities {
  396     return w.containerSC.Capabilities()
  397 }
  398 func (w *effectiveContainerSecurityContextWrapper) SetCapabilities(v *api.Capabilities) {
  399     if !reflect.DeepEqual(w.Capabilities(), v) {
  400         w.containerSC.SetCapabilities(v)
  401     }
  402 }
  403 func (w *effectiveContainerSecurityContextWrapper) Privileged() *bool {
  404     return w.containerSC.Privileged()
  405 }
  406 func (w *effectiveContainerSecurityContextWrapper) SetPrivileged(v *bool) {
  407     if !reflect.DeepEqual(w.Privileged(), v) {
  408         w.containerSC.SetPrivileged(v)
  409     }
  410 }
  411 func (w *effectiveContainerSecurityContextWrapper) ProcMount() api.ProcMountType {
  412     return w.containerSC.ProcMount()
  413 }
  414 func (w *effectiveContainerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions {
  415     if v := w.containerSC.SELinuxOptions(); v != nil {
  416         return v
  417     }
  418     return w.podSC.SELinuxOptions()
  419 }
  420 func (w *effectiveContainerSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) {
  421     if !reflect.DeepEqual(w.SELinuxOptions(), v) {
  422         w.containerSC.SetSELinuxOptions(v)
  423     }
  424 }
  425 func (w *effectiveContainerSecurityContextWrapper) RunAsUser() *int64 {
  426     if v := w.containerSC.RunAsUser(); v != nil {
  427         return v
  428     }
  429     return w.podSC.RunAsUser()
  430 }
  431 func (w *effectiveContainerSecurityContextWrapper) SetRunAsUser(v *int64) {
  432     if !reflect.DeepEqual(w.RunAsUser(), v) {
  433         w.containerSC.SetRunAsUser(v)
  434     }
  435 }
  436 func (w *effectiveContainerSecurityContextWrapper) RunAsGroup() *int64 {
  437     if v := w.containerSC.RunAsGroup(); v != nil {
  438         return v
  439     }
  440     return w.podSC.RunAsGroup()
  441 }
  442 func (w *effectiveContainerSecurityContextWrapper) SetRunAsGroup(v *int64) {
  443     if !reflect.DeepEqual(w.RunAsGroup(), v) {
  444         w.containerSC.SetRunAsGroup(v)
  445     }
  446 }
  447 
  448 func (w *effectiveContainerSecurityContextWrapper) RunAsNonRoot() *bool {
  449     if v := w.containerSC.RunAsNonRoot(); v != nil {
  450         return v
  451     }
  452     return w.podSC.RunAsNonRoot()
  453 }
  454 func (w *effectiveContainerSecurityContextWrapper) SetRunAsNonRoot(v *bool) {
  455     if !reflect.DeepEqual(w.RunAsNonRoot(), v) {
  456         w.containerSC.SetRunAsNonRoot(v)
  457     }
  458 }
  459 func (w *effectiveContainerSecurityContextWrapper) ReadOnlyRootFilesystem() *bool {
  460     return w.containerSC.ReadOnlyRootFilesystem()
  461 }
  462 func (w *effectiveContainerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) {
  463     if !reflect.DeepEqual(w.ReadOnlyRootFilesystem(), v) {
  464         w.containerSC.SetReadOnlyRootFilesystem(v)
  465     }
  466 }
  467 func (w *effectiveContainerSecurityContextWrapper) AllowPrivilegeEscalation() *bool {
  468     return w.containerSC.AllowPrivilegeEscalation()
  469 }
  470 func (w *effectiveContainerSecurityContextWrapper) SetAllowPrivilegeEscalation(v *bool) {
  471     if !reflect.DeepEqual(w.AllowPrivilegeEscalation(), v) {
  472         w.containerSC.SetAllowPrivilegeEscalation(v)
  473     }
  474 }