package k8s
import (
"github.com/Masterminds/semver"
corev1 "k8s.io/api/core/v1"
"k8s.io/client-go/kubernetes"
)
// oneTwentyFour is the API server version at or above which
// defaultSecurityContext requests the RuntimeDefault seccomp profile.
var oneTwentyFour = semver.MustParse("1.24")
// defaultPodSecurityContext builds the pod-level security context for the
// workload. On OpenShift it returns nil, so no pod-level uid/gid is pinned
// there (presumably the platform assigns them — confirm with IsOpenShift's
// callers). Elsewhere the pod runs as uid 1001 / gid 1002 and FSGroup sets the
// group ownership of mounted volumes to gid 1002 for the non-root process.
func defaultPodSecurityContext() *corev1.PodSecurityContext {
	if IsOpenShift() {
		return nil
	}

	var (
		uid int64 = 1001
		gid int64 = 1002
	)
	psc := new(corev1.PodSecurityContext)
	psc.RunAsUser = &uid
	// RunAsGroup and FSGroup deliberately share the same value (and pointer).
	psc.RunAsGroup = &gid
	psc.FSGroup = &gid
	return psc
}
// defaultSecurityContext builds the container-level security context: not
// privileged, no privilege escalation, RunAsNonRoot, and every capability
// dropped. The RuntimeDefault seccomp profile is added only when the API
// server reports a version of at least oneTwentyFour (1.24).
//
// Version discovery is best effort: if ServerVersion fails or the reported
// version does not parse, the error is dropped and SeccompProfile stays nil,
// so a transient API error yields a context without a seccomp profile.
// NOTE(review): client is dereferenced unconditionally; a nil *Clientset would
// likely panic on the ServerVersion call — confirm callers never pass nil.
// NOTE(review): semver orders pre-release tags below the release (e.g.
// "1.24.0-rc.1" < 1.24.0), so such servers get no seccomp profile — confirm
// that is intended.
func defaultSecurityContext(client *kubernetes.Clientset) *corev1.SecurityContext {
	nonRoot := true
	privileged := false
	escalation := false
	sc := &corev1.SecurityContext{
		Privileged:               &privileged,
		AllowPrivilegeEscalation: &escalation,
		RunAsNonRoot:             &nonRoot,
		Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
	}

	info, err := client.ServerVersion()
	if err != nil {
		// Best effort: unknown server version, leave SeccompProfile unset.
		return sc
	}
	serverVersion, err := semver.NewVersion(info.String())
	if err != nil || serverVersion.Compare(oneTwentyFour) < 0 {
		return sc
	}
	sc.SeccompProfile = &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}
	return sc
}