func/pkg/k8s/security_context.go


package k8s
import (
"github.com/Masterminds/semver"
corev1 "k8s.io/api/core/v1"
"k8s.io/client-go/kubernetes"
)
// oneTwentyFour is the minimum Kubernetes server version at which
// defaultSecurityContext sets an explicit RuntimeDefault seccomp profile.
// Below this version the SeccompProfile field is left unset.
var oneTwentyFour = semver.MustParse("1.24")
// defaultPodSecurityContext returns the pod-level security context used for
// workloads created by this package: the pod runs as uid 1001 / gid 1002, and
// FSGroup is set to the same gid (1002) so that mounted volumes are
// group-owned by the pod's group and writable without running as root.
//
// On OpenShift it returns nil so that no explicit UID/GID is requested;
// presumably the cluster's security context constraints assign these there —
// confirm against the IsOpenShift implementation.
func defaultPodSecurityContext() *corev1.PodSecurityContext {
	if IsOpenShift() {
		return nil
	}

	const (
		nonRootUID int64 = 1001
		nonRootGID int64 = 1002
	)
	user, group := nonRootUID, nonRootGID

	// RunAsGroup and FSGroup intentionally share the same gid.
	return &corev1.PodSecurityContext{
		RunAsUser:  &user,
		RunAsGroup: &group,
		FSGroup:    &group,
	}
}
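// defaultSecurityContext returns the container-level security context used
// for workloads created by this package: not privileged, no privilege
// escalation, RunAsNonRoot enforced and every Linux capability dropped.
//
// SeccompProfile is set to RuntimeDefault only when the API server reports a
// version at or above oneTwentyFour (1.24). This lookup is best effort: if
// client is nil, the discovery call fails, or the reported version does not
// parse as a semver, SeccompProfile is left nil and the pod runs with
// whatever seccomp default the cluster applies (on many clusters that means
// no seccomp profile at all). Callers that need a guaranteed profile should
// check sc.SeccompProfile themselves.
func defaultSecurityContext(client *kubernetes.Clientset) *corev1.SecurityContext {
	runAsNonRoot := true
	sc := &corev1.SecurityContext{
		Privileged:               new(bool), // pointer to false
		AllowPrivilegeEscalation: new(bool), // pointer to false
		RunAsNonRoot:             &runAsNonRoot,
		Capabilities:             &corev1.Capabilities{Drop: []corev1.Capability{"ALL"}},
		SeccompProfile:           nil,
	}

	// A nil client has nothing to query; without this guard the promoted
	// ServerVersion call dereferences the nil Clientset and panics.
	if client == nil {
		return sc
	}

	info, err := client.ServerVersion()
	if err != nil {
		// Discovery failure must not block creating the workload; the
		// seccomp profile is simply omitted (see doc comment).
		return sc
	}

	// info.String() is the server's GitVersion (e.g. "v1.24.3+suffix");
	// Masterminds semver tolerates the leading "v" and build metadata.
	// Note that a pre-release tag on exactly 1.24.0 compares below 1.24
	// under semver precedence and therefore gets no profile.
	v, err := semver.NewVersion(info.String())
	if err != nil {
		return sc
	}
	if v.Compare(oneTwentyFour) >= 0 {
		sc.SeccompProfile = &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeRuntimeDefault}
	}
	return sc
}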