k8s.io/kubernetes@v1.29.3/pkg/securitycontext/accessors.go (about) 1 /* 2 Copyright 2017 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package securitycontext 18 19 import ( 20 "reflect" 21 22 api "k8s.io/kubernetes/pkg/apis/core" 23 ) 24 25 // PodSecurityContextAccessor allows reading the values of a PodSecurityContext object 26 type PodSecurityContextAccessor interface { 27 HostNetwork() bool 28 HostPID() bool 29 HostIPC() bool 30 SELinuxOptions() *api.SELinuxOptions 31 RunAsUser() *int64 32 RunAsGroup() *int64 33 RunAsNonRoot() *bool 34 SeccompProfile() *api.SeccompProfile 35 SupplementalGroups() []int64 36 FSGroup() *int64 37 } 38 39 // PodSecurityContextMutator allows reading and writing the values of a PodSecurityContext object 40 type PodSecurityContextMutator interface { 41 PodSecurityContextAccessor 42 43 SetHostNetwork(bool) 44 SetHostPID(bool) 45 SetHostIPC(bool) 46 SetSELinuxOptions(*api.SELinuxOptions) 47 SetRunAsUser(*int64) 48 SetRunAsGroup(*int64) 49 SetRunAsNonRoot(*bool) 50 SetSeccompProfile(*api.SeccompProfile) 51 SetSupplementalGroups([]int64) 52 SetFSGroup(*int64) 53 54 // PodSecurityContext returns the current PodSecurityContext object 55 PodSecurityContext() *api.PodSecurityContext 56 } 57 58 // NewPodSecurityContextAccessor returns an accessor for the given pod security context. 59 // May be initialized with a nil PodSecurityContext. 60 func NewPodSecurityContextAccessor(podSC *api.PodSecurityContext) PodSecurityContextAccessor { 61 return &podSecurityContextWrapper{podSC: podSC} 62 } 63 64 // NewPodSecurityContextMutator returns a mutator for the given pod security context. 65 // May be initialized with a nil PodSecurityContext. 66 func NewPodSecurityContextMutator(podSC *api.PodSecurityContext) PodSecurityContextMutator { 67 return &podSecurityContextWrapper{podSC: podSC} 68 } 69 70 type podSecurityContextWrapper struct { 71 podSC *api.PodSecurityContext 72 } 73 74 func (w *podSecurityContextWrapper) PodSecurityContext() *api.PodSecurityContext { 75 return w.podSC 76 } 77 78 func (w *podSecurityContextWrapper) ensurePodSC() { 79 if w.podSC == nil { 80 w.podSC = &api.PodSecurityContext{} 81 } 82 } 83 84 func (w *podSecurityContextWrapper) HostNetwork() bool { 85 if w.podSC == nil { 86 return false 87 } 88 return w.podSC.HostNetwork 89 } 90 func (w *podSecurityContextWrapper) SetHostNetwork(v bool) { 91 if w.podSC == nil && v == false { 92 return 93 } 94 w.ensurePodSC() 95 w.podSC.HostNetwork = v 96 } 97 func (w *podSecurityContextWrapper) HostPID() bool { 98 if w.podSC == nil { 99 return false 100 } 101 return w.podSC.HostPID 102 } 103 func (w *podSecurityContextWrapper) SetHostPID(v bool) { 104 if w.podSC == nil && v == false { 105 return 106 } 107 w.ensurePodSC() 108 w.podSC.HostPID = v 109 } 110 func (w *podSecurityContextWrapper) HostIPC() bool { 111 if w.podSC == nil { 112 return false 113 } 114 return w.podSC.HostIPC 115 } 116 func (w *podSecurityContextWrapper) SetHostIPC(v bool) { 117 if w.podSC == nil && v == false { 118 return 119 } 120 w.ensurePodSC() 121 w.podSC.HostIPC = v 122 } 123 func (w *podSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions { 124 if w.podSC == nil { 125 return nil 126 } 127 return w.podSC.SELinuxOptions 128 } 129 func (w *podSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) { 130 if w.podSC == nil && v == nil { 131 return 132 } 133 w.ensurePodSC() 134 w.podSC.SELinuxOptions = v 135 } 136 func (w *podSecurityContextWrapper) RunAsUser() *int64 { 137 if w.podSC == nil { 138 return nil 139 } 140 return w.podSC.RunAsUser 141 } 142 func (w *podSecurityContextWrapper) SetRunAsUser(v *int64) { 143 if w.podSC == nil && v == nil { 144 return 145 } 146 w.ensurePodSC() 147 w.podSC.RunAsUser = v 148 } 149 func (w *podSecurityContextWrapper) RunAsGroup() *int64 { 150 if w.podSC == nil { 151 return nil 152 } 153 return w.podSC.RunAsGroup 154 } 155 func (w *podSecurityContextWrapper) SetRunAsGroup(v *int64) { 156 if w.podSC == nil && v == nil { 157 return 158 } 159 w.ensurePodSC() 160 w.podSC.RunAsGroup = v 161 } 162 163 func (w *podSecurityContextWrapper) RunAsNonRoot() *bool { 164 if w.podSC == nil { 165 return nil 166 } 167 return w.podSC.RunAsNonRoot 168 } 169 func (w *podSecurityContextWrapper) SetRunAsNonRoot(v *bool) { 170 if w.podSC == nil && v == nil { 171 return 172 } 173 w.ensurePodSC() 174 w.podSC.RunAsNonRoot = v 175 } 176 func (w *podSecurityContextWrapper) SeccompProfile() *api.SeccompProfile { 177 if w.podSC == nil { 178 return nil 179 } 180 return w.podSC.SeccompProfile 181 } 182 func (w *podSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) { 183 if w.podSC == nil && p == nil { 184 return 185 } 186 w.ensurePodSC() 187 w.podSC.SeccompProfile = p 188 } 189 func (w *podSecurityContextWrapper) SupplementalGroups() []int64 { 190 if w.podSC == nil { 191 return nil 192 } 193 return w.podSC.SupplementalGroups 194 } 195 func (w *podSecurityContextWrapper) SetSupplementalGroups(v []int64) { 196 if w.podSC == nil && len(v) == 0 { 197 return 198 } 199 w.ensurePodSC() 200 if len(v) == 0 && len(w.podSC.SupplementalGroups) == 0 { 201 return 202 } 203 w.podSC.SupplementalGroups = v 204 } 205 func (w *podSecurityContextWrapper) FSGroup() *int64 { 206 if w.podSC == nil { 207 return nil 208 } 209 return w.podSC.FSGroup 210 } 211 func (w *podSecurityContextWrapper) SetFSGroup(v *int64) { 212 if w.podSC == nil && v == nil { 213 return 214 } 215 w.ensurePodSC() 216 w.podSC.FSGroup = v 217 } 218 219 // ContainerSecurityContextAccessor allows reading the values of a SecurityContext object 220 type ContainerSecurityContextAccessor interface { 221 Capabilities() *api.Capabilities 222 Privileged() *bool 223 ProcMount() api.ProcMountType 224 SELinuxOptions() *api.SELinuxOptions 225 RunAsUser() *int64 226 RunAsGroup() *int64 227 RunAsNonRoot() *bool 228 ReadOnlyRootFilesystem() *bool 229 SeccompProfile() *api.SeccompProfile 230 AllowPrivilegeEscalation() *bool 231 } 232 233 // ContainerSecurityContextMutator allows reading and writing the values of a SecurityContext object 234 type ContainerSecurityContextMutator interface { 235 ContainerSecurityContextAccessor 236 237 ContainerSecurityContext() *api.SecurityContext 238 239 SetCapabilities(*api.Capabilities) 240 SetPrivileged(*bool) 241 SetSELinuxOptions(*api.SELinuxOptions) 242 SetRunAsUser(*int64) 243 SetRunAsGroup(*int64) 244 SetRunAsNonRoot(*bool) 245 SetReadOnlyRootFilesystem(*bool) 246 SetSeccompProfile(*api.SeccompProfile) 247 SetAllowPrivilegeEscalation(*bool) 248 } 249 250 // NewContainerSecurityContextAccessor returns an accessor for the provided container security context 251 // May be initialized with a nil SecurityContext 252 func NewContainerSecurityContextAccessor(containerSC *api.SecurityContext) ContainerSecurityContextAccessor { 253 return &containerSecurityContextWrapper{containerSC: containerSC} 254 } 255 256 // NewContainerSecurityContextMutator returns a mutator for the provided container security context 257 // May be initialized with a nil SecurityContext 258 func NewContainerSecurityContextMutator(containerSC *api.SecurityContext) ContainerSecurityContextMutator { 259 return &containerSecurityContextWrapper{containerSC: containerSC} 260 } 261 262 type containerSecurityContextWrapper struct { 263 containerSC *api.SecurityContext 264 } 265 266 func (w *containerSecurityContextWrapper) ContainerSecurityContext() *api.SecurityContext { 267 return w.containerSC 268 } 269 270 func (w *containerSecurityContextWrapper) ensureContainerSC() { 271 if w.containerSC == nil { 272 w.containerSC = &api.SecurityContext{} 273 } 274 } 275 276 func (w *containerSecurityContextWrapper) Capabilities() *api.Capabilities { 277 if w.containerSC == nil { 278 return nil 279 } 280 return w.containerSC.Capabilities 281 } 282 func (w *containerSecurityContextWrapper) SetCapabilities(v *api.Capabilities) { 283 if w.containerSC == nil && v == nil { 284 return 285 } 286 w.ensureContainerSC() 287 w.containerSC.Capabilities = v 288 } 289 func (w *containerSecurityContextWrapper) Privileged() *bool { 290 if w.containerSC == nil { 291 return nil 292 } 293 return w.containerSC.Privileged 294 } 295 func (w *containerSecurityContextWrapper) SetPrivileged(v *bool) { 296 if w.containerSC == nil && v == nil { 297 return 298 } 299 w.ensureContainerSC() 300 w.containerSC.Privileged = v 301 } 302 func (w *containerSecurityContextWrapper) ProcMount() api.ProcMountType { 303 if w.containerSC == nil { 304 return api.DefaultProcMount 305 } 306 if w.containerSC.ProcMount == nil { 307 return api.DefaultProcMount 308 } 309 return *w.containerSC.ProcMount 310 } 311 func (w *containerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions { 312 if w.containerSC == nil { 313 return nil 314 } 315 return w.containerSC.SELinuxOptions 316 } 317 func (w *containerSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) { 318 if w.containerSC == nil && v == nil { 319 return 320 } 321 w.ensureContainerSC() 322 w.containerSC.SELinuxOptions = v 323 } 324 func (w *containerSecurityContextWrapper) RunAsUser() *int64 { 325 if w.containerSC == nil { 326 return nil 327 } 328 return w.containerSC.RunAsUser 329 } 330 func (w *containerSecurityContextWrapper) SetRunAsUser(v *int64) { 331 if w.containerSC == nil && v == nil { 332 return 333 } 334 w.ensureContainerSC() 335 w.containerSC.RunAsUser = v 336 } 337 func (w *containerSecurityContextWrapper) RunAsGroup() *int64 { 338 if w.containerSC == nil { 339 return nil 340 } 341 return w.containerSC.RunAsGroup 342 } 343 func (w *containerSecurityContextWrapper) SetRunAsGroup(v *int64) { 344 if w.containerSC == nil && v == nil { 345 return 346 } 347 w.ensureContainerSC() 348 w.containerSC.RunAsGroup = v 349 } 350 351 func (w *containerSecurityContextWrapper) RunAsNonRoot() *bool { 352 if w.containerSC == nil { 353 return nil 354 } 355 return w.containerSC.RunAsNonRoot 356 } 357 func (w *containerSecurityContextWrapper) SetRunAsNonRoot(v *bool) { 358 if w.containerSC == nil && v == nil { 359 return 360 } 361 w.ensureContainerSC() 362 w.containerSC.RunAsNonRoot = v 363 } 364 func (w *containerSecurityContextWrapper) ReadOnlyRootFilesystem() *bool { 365 if w.containerSC == nil { 366 return nil 367 } 368 return w.containerSC.ReadOnlyRootFilesystem 369 } 370 func (w *containerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) { 371 if w.containerSC == nil && v == nil { 372 return 373 } 374 w.ensureContainerSC() 375 w.containerSC.ReadOnlyRootFilesystem = v 376 } 377 func (w *containerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile { 378 if w.containerSC == nil { 379 return nil 380 } 381 return w.containerSC.SeccompProfile 382 } 383 func (w *containerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) { 384 if w.containerSC == nil && p == nil { 385 return 386 } 387 w.ensureContainerSC() 388 w.containerSC.SeccompProfile = p 389 } 390 391 func (w *containerSecurityContextWrapper) AllowPrivilegeEscalation() *bool { 392 if w.containerSC == nil { 393 return nil 394 } 395 return w.containerSC.AllowPrivilegeEscalation 396 } 397 func (w *containerSecurityContextWrapper) SetAllowPrivilegeEscalation(v *bool) { 398 if w.containerSC == nil && v == nil { 399 return 400 } 401 w.ensureContainerSC() 402 w.containerSC.AllowPrivilegeEscalation = v 403 } 404 405 // NewEffectiveContainerSecurityContextAccessor returns an accessor for reading effective values 406 // for the provided pod security context and container security context 407 func NewEffectiveContainerSecurityContextAccessor(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextAccessor { 408 return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC} 409 } 410 411 // NewEffectiveContainerSecurityContextMutator returns a mutator for reading and writing effective values 412 // for the provided pod security context and container security context 413 func NewEffectiveContainerSecurityContextMutator(podSC PodSecurityContextAccessor, containerSC ContainerSecurityContextMutator) ContainerSecurityContextMutator { 414 return &effectiveContainerSecurityContextWrapper{podSC: podSC, containerSC: containerSC} 415 } 416 417 type effectiveContainerSecurityContextWrapper struct { 418 podSC PodSecurityContextAccessor 419 containerSC ContainerSecurityContextMutator 420 } 421 422 func (w *effectiveContainerSecurityContextWrapper) ContainerSecurityContext() *api.SecurityContext { 423 return w.containerSC.ContainerSecurityContext() 424 } 425 426 func (w *effectiveContainerSecurityContextWrapper) Capabilities() *api.Capabilities { 427 return w.containerSC.Capabilities() 428 } 429 func (w *effectiveContainerSecurityContextWrapper) SetCapabilities(v *api.Capabilities) { 430 if !reflect.DeepEqual(w.Capabilities(), v) { 431 w.containerSC.SetCapabilities(v) 432 } 433 } 434 func (w *effectiveContainerSecurityContextWrapper) Privileged() *bool { 435 return w.containerSC.Privileged() 436 } 437 func (w *effectiveContainerSecurityContextWrapper) SetPrivileged(v *bool) { 438 if !reflect.DeepEqual(w.Privileged(), v) { 439 w.containerSC.SetPrivileged(v) 440 } 441 } 442 func (w *effectiveContainerSecurityContextWrapper) ProcMount() api.ProcMountType { 443 return w.containerSC.ProcMount() 444 } 445 func (w *effectiveContainerSecurityContextWrapper) SELinuxOptions() *api.SELinuxOptions { 446 if v := w.containerSC.SELinuxOptions(); v != nil { 447 return v 448 } 449 return w.podSC.SELinuxOptions() 450 } 451 func (w *effectiveContainerSecurityContextWrapper) SetSELinuxOptions(v *api.SELinuxOptions) { 452 if !reflect.DeepEqual(w.SELinuxOptions(), v) { 453 w.containerSC.SetSELinuxOptions(v) 454 } 455 } 456 func (w *effectiveContainerSecurityContextWrapper) RunAsUser() *int64 { 457 if v := w.containerSC.RunAsUser(); v != nil { 458 return v 459 } 460 return w.podSC.RunAsUser() 461 } 462 func (w *effectiveContainerSecurityContextWrapper) SetRunAsUser(v *int64) { 463 if !reflect.DeepEqual(w.RunAsUser(), v) { 464 w.containerSC.SetRunAsUser(v) 465 } 466 } 467 func (w *effectiveContainerSecurityContextWrapper) RunAsGroup() *int64 { 468 if v := w.containerSC.RunAsGroup(); v != nil { 469 return v 470 } 471 return w.podSC.RunAsGroup() 472 } 473 func (w *effectiveContainerSecurityContextWrapper) SetRunAsGroup(v *int64) { 474 if !reflect.DeepEqual(w.RunAsGroup(), v) { 475 w.containerSC.SetRunAsGroup(v) 476 } 477 } 478 479 func (w *effectiveContainerSecurityContextWrapper) RunAsNonRoot() *bool { 480 if v := w.containerSC.RunAsNonRoot(); v != nil { 481 return v 482 } 483 return w.podSC.RunAsNonRoot() 484 } 485 func (w *effectiveContainerSecurityContextWrapper) SetRunAsNonRoot(v *bool) { 486 if !reflect.DeepEqual(w.RunAsNonRoot(), v) { 487 w.containerSC.SetRunAsNonRoot(v) 488 } 489 } 490 func (w *effectiveContainerSecurityContextWrapper) ReadOnlyRootFilesystem() *bool { 491 return w.containerSC.ReadOnlyRootFilesystem() 492 } 493 func (w *effectiveContainerSecurityContextWrapper) SetReadOnlyRootFilesystem(v *bool) { 494 if !reflect.DeepEqual(w.ReadOnlyRootFilesystem(), v) { 495 w.containerSC.SetReadOnlyRootFilesystem(v) 496 } 497 } 498 func (w *effectiveContainerSecurityContextWrapper) SeccompProfile() *api.SeccompProfile { 499 return w.containerSC.SeccompProfile() 500 } 501 func (w *effectiveContainerSecurityContextWrapper) SetSeccompProfile(p *api.SeccompProfile) { 502 if !reflect.DeepEqual(w.SeccompProfile(), p) { 503 w.containerSC.SetSeccompProfile(p) 504 } 505 } 506 func (w *effectiveContainerSecurityContextWrapper) AllowPrivilegeEscalation() *bool { 507 return w.containerSC.AllowPrivilegeEscalation() 508 } 509 func (w *effectiveContainerSecurityContextWrapper) SetAllowPrivilegeEscalation(v *bool) { 510 if !reflect.DeepEqual(w.AllowPrivilegeEscalation(), v) { 511 w.containerSC.SetAllowPrivilegeEscalation(v) 512 } 513 }