aboutsummaryrefslogtreecommitdiff
path: root/vendor/k8s.io/kubernetes/pkg/capabilities/capabilities.go
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/k8s.io/kubernetes/pkg/capabilities/capabilities.go')
-rw-r--r--vendor/k8s.io/kubernetes/pkg/capabilities/capabilities.go94
1 files changed, 94 insertions, 0 deletions
diff --git a/vendor/k8s.io/kubernetes/pkg/capabilities/capabilities.go b/vendor/k8s.io/kubernetes/pkg/capabilities/capabilities.go
new file mode 100644
index 000000000..be721a785
--- /dev/null
+++ b/vendor/k8s.io/kubernetes/pkg/capabilities/capabilities.go
@@ -0,0 +1,94 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package capabilities
+
+import (
+ "sync"
+)
+
+// Capabilities defines the set of capabilities available within the system.
+// For now these are global. Eventually they may be per-user
+type Capabilities struct {
+ AllowPrivileged bool
+
+ // Pod sources from which to allow privileged capabilities like host networking, sharing the host
+ // IPC namespace, and sharing the host PID namespace.
+ PrivilegedSources PrivilegedSources
+
+ // PerConnectionBandwidthLimitBytesPerSec limits the throughput of each connection (currently only used for proxy, exec, attach)
+ PerConnectionBandwidthLimitBytesPerSec int64
+}
+
+// PrivilegedSources defines the pod sources allowed to make privileged requests for certain types
+// of capabilities like host networking, sharing the host IPC namespace, and sharing the host PID namespace.
+type PrivilegedSources struct {
+ // List of pod sources for which using host network is allowed.
+ HostNetworkSources []string
+
+ // List of pod sources for which using host pid namespace is allowed.
+ HostPIDSources []string
+
+ // List of pod sources for which using host ipc is allowed.
+ HostIPCSources []string
+}
+
+// TODO: Clean these up into a singleton
+var once sync.Once
+var lock sync.Mutex
+var capabilities *Capabilities
+
+// Initialize the capability set. This can only be done once per binary, subsequent calls are ignored.
+func Initialize(c Capabilities) {
+ // Only do this once
+ once.Do(func() {
+ capabilities = &c
+ })
+}
+
+// Setup the capability set. It wraps Initialize for improving usability.
+func Setup(allowPrivileged bool, privilegedSources PrivilegedSources, perConnectionBytesPerSec int64) {
+ Initialize(Capabilities{
+ AllowPrivileged: allowPrivileged,
+ PrivilegedSources: privilegedSources,
+ PerConnectionBandwidthLimitBytesPerSec: perConnectionBytesPerSec,
+ })
+}
+
+// SetForTests sets capabilities for tests. Convenience method for testing. This should only be called from tests.
+func SetForTests(c Capabilities) {
+ lock.Lock()
+ defer lock.Unlock()
+ capabilities = &c
+}
+
+// Returns a read-only copy of the system capabilities.
+func Get() Capabilities {
+ lock.Lock()
+ defer lock.Unlock()
+ // This check prevents clobbering of capabilities that might've been set via SetForTests
+ if capabilities == nil {
+ Initialize(Capabilities{
+ AllowPrivileged: false,
+ PrivilegedSources: PrivilegedSources{
+ HostNetworkSources: []string{},
+ HostPIDSources: []string{},
+ HostIPCSources: []string{},
+ },
+ })
+ }
+ return *capabilities
+}