Make emptyDir volumes work for non-root UIDs

2015-07-07 12:40:55 -04:00
parent 63cf00d24f
commit 5394aa979f
14 changed files with 739 additions and 165 deletions
--- a/pkg/securitycontext/util.go
+++ b/pkg/securitycontext/util.go
@@ -16,7 +16,12 @@ limitations under the License.

 package securitycontext

-import "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+import (
+	"fmt"
+	"strings"
+
+	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+)

 // HasPrivilegedRequest returns the value of SecurityContext.Privileged, taking into account
 // the possibility of nils
@@ -41,3 +46,23 @@ func HasCapabilitiesRequest(container *api.Container) bool {
 	}
 	return len(container.SecurityContext.Capabilities.Add) > 0 || len(container.SecurityContext.Capabilities.Drop) > 0
 }
+
+const expectedSELinuxContextFields = 4
+
+// ParseSELinuxOptions parses a string containing a full SELinux context
+// (user, role, type, and level) into an SELinuxOptions object.  If the
+// context is malformed, an error is returned.
+func ParseSELinuxOptions(context string) (*api.SELinuxOptions, error) {
+	fields := strings.SplitN(context, ":", expectedSELinuxContextFields)
+
+	if len(fields) != expectedSELinuxContextFields {
+		return nil, fmt.Errorf("expected %v fields in selinuxcontext; got %v (context: %v)", expectedSELinuxContextFields, len(fields), context)
+	}
+
+	return &api.SELinuxOptions{
+		User:  fields[0],
+		Role:  fields[1],
+		Type:  fields[2],
+		Level: fields[3],
+	}, nil
+}