const ForbiddenReason … type patternAllowlist … var _ … // NewAllowlist creates a new Allowlist from a list of sysctls and sysctl patterns (ending in *). func NewAllowlist(patterns []string) (*patternAllowlist, error) { … } // validateSysctl checks that a sysctl is allowlisted because it is known // to be namespaced by the Linux kernel. Note that being allowlisted is required, but not // sufficient: the container runtime might have a stricter check and refuse to launch a pod. // // The parameters hostNet and hostIPC are used to forbid sysctls for pods sharing the // respective namespaces with the host. This check is only possible for sysctls on // the static default allowlist, not those on the custom allowlist provided by the admin. func (w *patternAllowlist) validateSysctl(sysctl string, hostNet, hostIPC bool) error { … } // Admit checks that all sysctls given in the pod's security context // are valid according to the allowlist. func (w *patternAllowlist) Admit(attrs *lifecycle.PodAdmitAttributes) lifecycle.PodAdmitResult { … }