本文整理汇总了Golang中k8s.io/kubernetes/pkg/api.SecurityContext.ReadOnlyRootFilesystem方法的典型用法代码示例。如果您正苦于以下问题:Golang SecurityContext.ReadOnlyRootFilesystem方法的具体用法?Golang SecurityContext.ReadOnlyRootFilesystem怎么用?Golang SecurityContext.ReadOnlyRootFilesystem使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类k8s.io/kubernetes/pkg/api.SecurityContext的用法示例。
示例1: CreateContainerSecurityContext
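// CreateContainerSecurityContext builds the SecurityContext this provider proposes for
// container, starting from a copy of the container's own SecurityContext (or an empty one
// when the container has none). It also returns a copy of the pod's annotations after they
// have been passed through the AppArmor strategy.
//
// Not every field is treated the same way:
//   - RunAsUser, SELinuxOptions and Privileged are filled in only when the container left
//     them unset; an explicit value (including Privileged=true) is kept.
//   - ReadOnlyRootFilesystem is defaulted to true only when the PSP requires it and the
//     container left it unset; an explicit false is kept.
//   - RunAsNonRoot is set to true whenever the PSP rule is MustRunAsNonRoot, regardless of
//     what the container asked for.
//   - Capabilities is always replaced by the output of the capabilities strategy.
//
// This function only generates defaults and does not enforce the policy. Because explicit
// container values survive, validation must be run on the result to ensure it complies with
// the required restrictions.
//
// NOTE: this method works on a copy of the SC of the container. It is up to the caller to
// apply the SC if validation passes.
func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container *api.Container) (*api.SecurityContext, map[string]string, error) {
	var sc *api.SecurityContext
	if container.SecurityContext != nil {
		// Work with a copy of the original. The copy is shallow: pointer fields still refer
		// to the container's values, so this function only ever reassigns fields on sc and
		// never writes through them.
		scCopy := *container.SecurityContext
		sc = &scCopy
	} else {
		sc = &api.SecurityContext{}
	}

	// Presumably a copy of the pod's annotation map, so the strategy below does not touch
	// the pod itself — confirm against maps.CopySS.
	annotations := maps.CopySS(pod.Annotations)

	if sc.RunAsUser == nil {
		uid, err := s.strategies.RunAsUserStrategy.Generate(pod, container)
		if err != nil {
			return nil, nil, err
		}
		sc.RunAsUser = uid
	}

	if sc.SELinuxOptions == nil {
		seLinux, err := s.strategies.SELinuxStrategy.Generate(pod, container)
		if err != nil {
			return nil, nil, err
		}
		sc.SELinuxOptions = seLinux
	}

	annotations, err := s.strategies.AppArmorStrategy.Generate(annotations, container)
	if err != nil {
		return nil, nil, err
	}

	// Default to unprivileged. A container that explicitly asked for privileged mode keeps
	// that request here; rejecting it is left to validation.
	if sc.Privileged == nil {
		priv := false
		sc.Privileged = &priv
	}

	// If we're using the non-root strategy, set the marker that this container should not be
	// run as root, which will signal to the kubelet to do a final check either on the
	// runAsUser or, if runAsUser is not set, on the image UID.
	if s.psp.Spec.RunAsUser.Rule == extensions.RunAsUserStrategyMustRunAsNonRoot {
		nonRoot := true
		sc.RunAsNonRoot = &nonRoot
	}

	// Unlike the fields above, Capabilities is overwritten unconditionally. Any merging with
	// the capabilities the container requested has to happen inside the strategy's Generate.
	// NOTE(review): confirm against the CapabilitiesStrategy implementation.
	caps, err := s.strategies.CapabilitiesStrategy.Generate(pod, container)
	if err != nil {
		return nil, nil, err
	}
	sc.Capabilities = caps

	// If the PSP requires a read-only root filesystem and the container has not made a
	// specific request, default ReadOnlyRootFilesystem to true. An explicit false is left in
	// place for validation to reject.
	if s.psp.Spec.ReadOnlyRootFilesystem && sc.ReadOnlyRootFilesystem == nil {
		readOnlyRootFS := true
		sc.ReadOnlyRootFilesystem = &readOnlyRootFS
	}

	return sc, annotations, nil
}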