in policy/check_seLinuxOptions.go [77:159]
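// seLinuxOptions_1_0 checks that neither the pod nor any of its containers
// sets a securityContext.seLinuxOptions the policy does not permit: the type
// must be in selinux_allowed_types_1_0, and user and role must be empty.
// Level is not inspected by this check.
//
// podMetadata is accepted for signature uniformity with the other checks and
// is not read. podSpec must be non-nil; a nil pod-level or container-level
// SecurityContext or SELinuxOptions is simply skipped.
//
// The returned CheckResult is Allowed when nothing is forbidden. Otherwise
// ForbiddenReason is "seLinuxOptions" and ForbiddenDetail names every setter
// (the pod and/or the offending containers) together with every violation
// observed: the invalid types, whether user was set, and whether role was set.
func seLinuxOptions_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
	var (
		// sources that set bad seLinuxOptions
		badSetters []string
		// invalid type values set
		badTypes = sets.NewString()
		// was user set?
		setUser = false
		// was role set?
		setRole = false
	)

	// Records every violation in opts into badTypes/setUser/setRole so the
	// final message lists all problems rather than only the first one found.
	validSELinuxOptions := func(opts *corev1.SELinuxOptions) bool {
		valid := true
		if !selinux_allowed_types_1_0.Has(opts.Type) {
			valid = false
			badTypes.Insert(opts.Type)
		}
		if len(opts.User) > 0 {
			valid = false
			setUser = true
		}
		if len(opts.Role) > 0 {
			valid = false
			setRole = true
		}
		return valid
	}

	if podSpec.SecurityContext != nil && podSpec.SecurityContext.SELinuxOptions != nil {
		if !validSELinuxOptions(podSpec.SecurityContext.SELinuxOptions) {
			badSetters = append(badSetters, "pod")
		}
	}

	var badContainers []string
	visitContainers(podSpec, func(container *corev1.Container) {
		if container.SecurityContext != nil && container.SecurityContext.SELinuxOptions != nil {
			if !validSELinuxOptions(container.SecurityContext.SELinuxOptions) {
				badContainers = append(badContainers, container.Name)
			}
		}
	})
	if len(badContainers) > 0 {
		badSetters = append(
			badSetters,
			fmt.Sprintf(
				"%s %s",
				pluralize("container", "containers", len(badContainers)),
				joinQuote(badContainers),
			),
		)
	}

	if len(badSetters) == 0 {
		return CheckResult{Allowed: true}
	}

	// Each kind of violation is reported independently. The user and role
	// findings must not be nested under the type finding: a setter whose type
	// is allowed but which sets user or role is still forbidden, and its
	// detail string would otherwise come out empty, hiding the reason from
	// audit/warn output.
	var badData []string
	if len(badTypes) > 0 {
		badData = append(badData, fmt.Sprintf(
			"%s %s",
			pluralize("type", "types", len(badTypes)),
			joinQuote(badTypes.List()),
		))
	}
	if setUser {
		badData = append(badData, "user may not be set")
	}
	if setRole {
		badData = append(badData, "role may not be set")
	}

	return CheckResult{
		Allowed:         false,
		ForbiddenReason: "seLinuxOptions",
		ForbiddenDetail: fmt.Sprintf(
			`%s set forbidden securityContext.seLinuxOptions: %s`,
			strings.Join(badSetters, " and "),
			strings.Join(badData, "; "),
		),
	}
}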