opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-27 21:50:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

kube: refactor setupSecurityContext to accept directly the security ctx

Browse Source 
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
2022-05-09 15:50:29 +02:00
parent 21c816bb16
commit 82a4b8f01c
1 changed files with 15 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
pkg/specgen/generate/kube/kube.go
View File

@ -188,7 +188,7 @@ func ToSpecGen(ctx context.Context, opts *CtrSpecGenOptions) (*specgen.SpecGener
s.InitContainerType = opts.InitContainerType s.InitContainerType = opts.InitContainerType
setupSecurityContext(s, opts.Container) setupSecurityContext(s, opts.Container.SecurityContext)
err := setupLivenessProbe(s, opts.Container, opts.RestartPolicy) err := setupLivenessProbe(s, opts.Container, opts.RestartPolicy)
if err != nil { if err != nil {
return nil, errors.Wrap(err, "Failed to configure livenessProbe") return nil, errors.Wrap(err, "Failed to configure livenessProbe")
@ -531,22 +531,22 @@ func makeHealthCheck(inCmd string, interval int32, retries int32, timeout int32,
return &hc, nil return &hc, nil
} }
func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container) { func setupSecurityContext(s *specgen.SpecGenerator, securityContext *v1.SecurityContext) {
if containerYAML.SecurityContext == nil { if securityContext == nil {
return return
} }
if containerYAML.SecurityContext.ReadOnlyRootFilesystem != nil { if securityContext.ReadOnlyRootFilesystem != nil {
s.ReadOnlyFilesystem = *containerYAML.SecurityContext.ReadOnlyRootFilesystem s.ReadOnlyFilesystem = *securityContext.ReadOnlyRootFilesystem
} }
if containerYAML.SecurityContext.Privileged != nil { if securityContext.Privileged != nil {
s.Privileged = *containerYAML.SecurityContext.Privileged s.Privileged = *securityContext.Privileged
} }
if containerYAML.SecurityContext.AllowPrivilegeEscalation != nil { if securityContext.AllowPrivilegeEscalation != nil {
s.NoNewPrivileges = !*containerYAML.SecurityContext.AllowPrivilegeEscalation s.NoNewPrivileges = !*securityContext.AllowPrivilegeEscalation
} }
if seopt := containerYAML.SecurityContext.SELinuxOptions; seopt != nil { if seopt := securityContext.SELinuxOptions; seopt != nil {
if seopt.User != "" { if seopt.User != "" {
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User)) s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("user:%s", seopt.User))
} }
@ -560,7 +560,7 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container)
s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level)) s.SelinuxOpts = append(s.SelinuxOpts, fmt.Sprintf("level:%s", seopt.Level))
} }
} }
if caps := containerYAML.SecurityContext.Capabilities; caps != nil { if caps := securityContext.Capabilities; caps != nil {
for _, capability := range caps.Add { for _, capability := range caps.Add {
s.CapAdd = append(s.CapAdd, string(capability)) s.CapAdd = append(s.CapAdd, string(capability))
} }
@ -568,14 +568,14 @@ func setupSecurityContext(s *specgen.SpecGenerator, containerYAML v1.Container)
s.CapDrop = append(s.CapDrop, string(capability)) s.CapDrop = append(s.CapDrop, string(capability))
} }
} }
if containerYAML.SecurityContext.RunAsUser != nil { if securityContext.RunAsUser != nil {
s.User = fmt.Sprintf("%d", *containerYAML.SecurityContext.RunAsUser) s.User = fmt.Sprintf("%d", *securityContext.RunAsUser)
} }
if containerYAML.SecurityContext.RunAsGroup != nil { if securityContext.RunAsGroup != nil {
if s.User == "" { if s.User == "" {
s.User = "0" s.User = "0"
} }
s.User = fmt.Sprintf("%s:%d", s.User, *containerYAML.SecurityContext.RunAsGroup) s.User = fmt.Sprintf("%s:%d", s.User, *securityContext.RunAsGroup)
} }
} }