in pkg/sysched/sysched.go [123:208]
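// getSyscalls returns the set of syscalls a pod is allowed to make, derived
// from the Security Profiles Operator (SPO) seccomp profiles it references.
// Profile references are collected from three places and their syscall sets
// merged:
//
//  1. the pod-level SecurityContext (a Localhost seccomp profile),
//  2. each container's SecurityContext (Localhost seccomp profiles),
//  3. pod annotations whose key contains SPO_ANNOTATION (SPO may attach
//     several of these; every one that resolves is merged).
//
// A reference contributes nothing if it is not of type Localhost, if its
// path does not parse into a namespace and a name, or if the referenced
// profile CR cannot be read; such failures are logged, not returned. When
// no profile resolves at all — including when every referenced CR fails to
// read — the pod is treated as unconfined and the default profile
// (sc.DefaultProfileName in sc.DefaultProfileNamespace, expected to list
// all syscalls) is returned instead. Callers should be aware that a CR read
// failure therefore widens the pod's syscall set rather than narrowing it.
func (sc *SySched) getSyscalls(pod *v1.Pod) sets.Set[string] {
	r := sets.New[string]()

	// Pod-level seccomp profile.
	if podSC := pod.Spec.SecurityContext; podSC != nil {
		if syscalls := sc.localhostProfileSyscalls(podSC.SeccompProfile, "Failed to read syscall CR by parsing pod security context"); len(syscalls) > 0 {
			r = r.Union(syscalls)
		}
	}

	// Container-level seccomp profiles, merged with the pod-level set.
	// NOTE(review): InitContainers and EphemeralContainers are not inspected
	// here; confirm whether their profiles should also contribute.
	for i := range pod.Spec.Containers {
		conSC := pod.Spec.Containers[i].SecurityContext
		if conSC == nil {
			continue
		}
		if syscalls := sc.localhostProfileSyscalls(conSC.SeccompProfile, "Failed to read syscall CR by parsing container security context"); len(syscalls) > 0 {
			r = r.Union(syscalls)
		}
	}

	// SPO sometimes records the profiles it applied as pod annotations. There
	// may be several and all of them are merged; stopping at the first match
	// would make the result depend on Go's random map iteration order.
	// Ranging over a nil Annotations map is a no-op, so no nil guard is needed.
	for k, v := range pod.ObjectMeta.Annotations {
		if !strings.Contains(k, SPO_ANNOTATION) {
			continue
		}
		ns, name := parseNameNS(v)
		if len(ns) == 0 || len(name) == 0 {
			continue
		}
		syscalls, err := sc.readSPOProfileCR(name, ns)
		if err != nil {
			klog.ErrorS(err, "Failed to read syscall CR by parsing pod annotation", "annotation", k, "namespace", ns, "profile", name)
			continue
		}
		if len(syscalls) > 0 {
			r = r.Union(syscalls)
		}
	}

	// No profile resolved: treat the pod as unconfined and fall back to the
	// default profile, which is expected to list every syscall.
	if len(r) == 0 {
		syscalls, err := sc.readSPOProfileCR(sc.DefaultProfileName, sc.DefaultProfileNamespace)
		if err != nil {
			klog.ErrorS(err, "Failed to read the CR of all syscalls", "namespace", sc.DefaultProfileNamespace, "profile", sc.DefaultProfileName)
		}
		if len(syscalls) > 0 {
			r = r.Union(syscalls)
		}
	}
	return r
}

// localhostProfileSyscalls resolves one seccomp profile reference taken from
// a security context to the syscall set of the SPO profile CR it names.
// It returns nil when sp is absent, is not of type Localhost, carries no
// LocalhostProfile path, when that path does not parse into both a namespace
// and a name, or when the CR read fails; in the last case the error is
// logged under logMsg together with the reference that could not be read.
func (sc *SySched) localhostProfileSyscalls(sp *v1.SeccompProfile, logMsg string) sets.Set[string] {
	if sp == nil || sp.Type != v1.SeccompProfileTypeLocalhost || sp.LocalhostProfile == nil {
		return nil
	}
	ns, name := parseNameNS(*sp.LocalhostProfile)
	if len(ns) == 0 || len(name) == 0 {
		return nil
	}
	syscalls, err := sc.readSPOProfileCR(name, ns)
	if err != nil {
		klog.ErrorS(err, logMsg, "namespace", ns, "profile", name)
		return nil
	}
	return syscalls
}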