Merge pull request #103323 from sejr/podsecurity-restricted-volumes

[Pod Security] Restricted volume type check

staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go

@@ -0,0 +1,106 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/pod-security-admission/api"
+)
+
+/*
+In addition to restricting HostPath volumes, the restricted profile
+limits usage of non-core volume types to those defined through PersistentVolumes.
+
+**Restricted Fields:**
+
+spec.volumes[*].hostPath
+spec.volumes[*].gcePersistentDisk
+spec.volumes[*].awsElasticBlockStore
+spec.volumes[*].gitRepo
+spec.volumes[*].nfs
+spec.volumes[*].iscsi
+spec.volumes[*].glusterfs
+spec.volumes[*].rbd
+spec.volumes[*].flexVolume
+spec.volumes[*].cinder
+spec.volumes[*].cephFS
+spec.volumes[*].flocker
+spec.volumes[*].fc
+spec.volumes[*].azureFile
+spec.volumes[*].vsphereVolume
+spec.volumes[*].quobyte
+spec.volumes[*].azureDisk
+spec.volumes[*].portworxVolume
+spec.volumes[*].scaleIO
+spec.volumes[*].storageos
+spec.volumes[*].csi
+
+**Allowed Values:** undefined/nil
+*/
+
+func init() {
+	addCheck(CheckRestrictedVolumes)
+}
+
+// CheckRestrictedVolumes returns a restricted level check
+// that limits usage of specific volume types in 1.0+
+func CheckRestrictedVolumes() Check {
+	return Check{
+		ID:    "restrictedVolumes",
+		Level: api.LevelRestricted,
+		Versions: []VersionedCheck{
+			{
+				MinimumVersion: api.MajorMinorVersion(1, 0),
+				CheckPod:       restrictedVolumes_1_0,
+			},
+		},
+	}
+}
+
+func restrictedVolumes_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	restrictedVolumeNames := sets.NewString()
+
+	for _, volume := range podSpec.Volumes {
+		switch {
+		case volume.ConfigMap != nil,
+			volume.CSI != nil,
+			volume.DownwardAPI != nil,
+			volume.EmptyDir != nil,
+			volume.Ephemeral != nil,
+			volume.PersistentVolumeClaim != nil,
+			volume.Projected != nil,
+			volume.Secret != nil:
+			continue
+		default:
+			restrictedVolumeNames.Insert(volume.Name)
+		}
+	}
+
+	if len(restrictedVolumeNames) > 0 {
+		return CheckResult{
+			Allowed:         false,
+			ForbiddenReason: "restricted volume types",
+			ForbiddenDetail: fmt.Sprintf("volumes %q have restricted types", restrictedVolumeNames.List()),
+		}
+	}
+
+	return CheckResult{Allowed: true}
+}

staging/src/k8s.io/pod-security-admission/test/fixtures_restrictedVolumes.go

@@ -0,0 +1,377 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/pod-security-admission/api"
+)
+
+func init() {
+	// volumeType := "ext4"
+	fixtureData_1_0 := fixtureGenerator{
+		expectErrorSubstring: "restricted volume types",
+		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+			return []*corev1.Pod{
+				// pod that has all allowed volume types
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-configmap",
+							VolumeSource: corev1.VolumeSource{
+								ConfigMap: &corev1.ConfigMapVolumeSource{
+									LocalObjectReference: corev1.LocalObjectReference{
+										Name: "volume-configmap-test",
+									},
+								},
+							},
+						},
+						{
+							Name: "volume-downwardapi",
+							VolumeSource: corev1.VolumeSource{
+								DownwardAPI: &corev1.DownwardAPIVolumeSource{
+									Items: []corev1.DownwardAPIVolumeFile{
+										{
+											Path: "labels",
+											FieldRef: &corev1.ObjectFieldSelector{
+												FieldPath: "metadata.labels",
+											},
+										},
+									},
+								},
+							},
+						},
+						{
+							Name: "volume-emptydir",
+							VolumeSource: corev1.VolumeSource{
+								EmptyDir: &corev1.EmptyDirVolumeSource{},
+							},
+						},
+						{
+							Name: "volume-pvc",
+							VolumeSource: corev1.VolumeSource{
+								PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{
+									ClaimName: "test",
+								},
+							},
+						},
+						{
+							Name: "volume-projects",
+							VolumeSource: corev1.VolumeSource{
+								Projected: &corev1.ProjectedVolumeSource{
+									Sources: []corev1.VolumeProjection{},
+								},
+							},
+						},
+						{
+							Name: "volume-secret",
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName: "test",
+								},
+							},
+						},
+						// TODO: Uncomment this volume when CSIInlineVolume hits GA.
+						//
+						// {
+						// 	Name: "volume-csi",
+						// 	VolumeSource: corev1.VolumeSource{
+						// 		CSI: &corev1.CSIVolumeSource{
+						// 			Driver: "inline.storage.kubernetes.io",
+						// 			VolumeAttributes: map[string]string{
+						// 				"foo": "bar",
+						// 			},
+						// 		},
+						// 	},
+						// },
+						//
+						// TODO: Uncomment this volume when Ephemeral hits GA.
+						//
+						// {
+						// 	Name: "volume-ephemeral",
+						// 	VolumeSource: corev1.VolumeSource{
+						// 		Ephemeral: &corev1.EphemeralVolumeSource{
+						// 			VolumeClaimTemplate: nil, // exercise for reader
+						// 		},
+						// 	},
+						// },
+					}
+				}),
+			}
+		},
+		generateFail: func(p *corev1.Pod) []*corev1.Pod {
+			return []*corev1.Pod{
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-gcepersistentdisk",
+							VolumeSource: corev1.VolumeSource{
+								GCEPersistentDisk: &corev1.GCEPersistentDiskVolumeSource{
+									PDName: "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-awselasticblockstore",
+							VolumeSource: corev1.VolumeSource{
+								AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{
+									VolumeID: "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-gitrepo",
+							VolumeSource: corev1.VolumeSource{
+								GitRepo: &corev1.GitRepoVolumeSource{
+									Repository: "github.com/kubernetes/kubernetes",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-nfs",
+							VolumeSource: corev1.VolumeSource{
+								NFS: &corev1.NFSVolumeSource{
+									Server: "testing",
+									Path:   "/testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-iscsi",
+							VolumeSource: corev1.VolumeSource{
+								ISCSI: &corev1.ISCSIVolumeSource{
+									TargetPortal: "testing",
+									IQN:          "iqn.2001-04.com.example:storage.kube.sys1.xyz",
+									Lun:          0,
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-glusterfs",
+							VolumeSource: corev1.VolumeSource{
+								Glusterfs: &corev1.GlusterfsVolumeSource{
+									Path:          "testing",
+									EndpointsName: "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-rbd",
+							VolumeSource: corev1.VolumeSource{
+								RBD: &corev1.RBDVolumeSource{
+									CephMonitors: []string{"testing"},
+									RBDImage:     "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-flexvolume",
+							VolumeSource: corev1.VolumeSource{
+								FlexVolume: &corev1.FlexVolumeSource{
+									Driver: "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-cinder",
+							VolumeSource: corev1.VolumeSource{
+								Cinder: &corev1.CinderVolumeSource{
+									VolumeID: "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-cephfs",
+							VolumeSource: corev1.VolumeSource{
+								CephFS: &corev1.CephFSVolumeSource{
+									Monitors: []string{"testing"},
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-flocker",
+							VolumeSource: corev1.VolumeSource{
+								Flocker: &corev1.FlockerVolumeSource{
+									DatasetName: "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-fc",
+							VolumeSource: corev1.VolumeSource{
+								FC: &corev1.FCVolumeSource{
+									WWIDs: []string{"testing"},
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-azurefile",
+							VolumeSource: corev1.VolumeSource{
+								AzureFile: &corev1.AzureFileVolumeSource{
+									SecretName: "testing",
+									ShareName:  "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-vsphere",
+							VolumeSource: corev1.VolumeSource{
+								VsphereVolume: &corev1.VsphereVirtualDiskVolumeSource{
+									VolumePath: "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-quobyte",
+							VolumeSource: corev1.VolumeSource{
+								Quobyte: &corev1.QuobyteVolumeSource{
+									Registry: "localhost:1234",
+									Volume:   "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-azuredisk",
+							VolumeSource: corev1.VolumeSource{
+								AzureDisk: &corev1.AzureDiskVolumeSource{
+									DiskName:    "testing",
+									DataDiskURI: "https://test.blob.core.windows.net/test/test.vhd",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-portworxvolume",
+							VolumeSource: corev1.VolumeSource{
+								PortworxVolume: &corev1.PortworxVolumeSource{
+									VolumeID: "testing",
+									FSType:   "ext4",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-scaleio",
+							VolumeSource: corev1.VolumeSource{
+								ScaleIO: &corev1.ScaleIOVolumeSource{
+									VolumeName: "testing",
+									Gateway:    "localhost",
+									System:     "testing",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-storageos",
+							VolumeSource: corev1.VolumeSource{
+								StorageOS: &corev1.StorageOSVolumeSource{
+									VolumeName: "test",
+								},
+							},
+						},
+					}
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Volumes = []corev1.Volume{
+						{
+							Name: "volume-hostpath",
+							VolumeSource: corev1.VolumeSource{
+								HostPath: &corev1.HostPathVolumeSource{
+									Path: "/dev/null",
+								},
+							},
+						},
+					}
+				}),
+			}
+		},
+	}
+
+	registerFixtureGenerator(
+		fixtureKey{level: api.LevelRestricted, version: api.MajorMinorVersion(1, 0), check: "restrictedVolumes"},
+		fixtureData_1_0,
+	)
+}

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes0.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gcePersistentDisk:
+      pdName: testing
+    name: volume-gcepersistentdisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes1.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - awsElasticBlockStore:
+      volumeID: testing
+    name: volume-awselasticblockstore

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes10.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes10
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - flocker:
+      datasetName: testing
+    name: volume-flocker

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes11.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes11
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - fc:
+      wwids:
+      - testing
+    name: volume-fc

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes12.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes12
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureFile:
+      secretName: testing
+      shareName: testing
+    name: volume-azurefile

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes13.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes13
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-vsphere
+    vsphereVolume:
+      volumePath: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes14.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes14
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-quobyte
+    quobyte:
+      registry: localhost:1234
+      volume: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes15.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes15
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureDisk:
+      diskName: testing
+      diskURI: https://test.blob.core.windows.net/test/test.vhd
+    name: volume-azuredisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes16.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes16
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-portworxvolume
+    portworxVolume:
+      fsType: ext4
+      volumeID: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes17.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes17
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-scaleio
+    scaleIO:
+      gateway: localhost
+      secretRef: null
+      system: testing
+      volumeName: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes18.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes18
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-storageos
+    storageos:
+      volumeName: test

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes19.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes19
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - hostPath:
+      path: /dev/null
+    name: volume-hostpath

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes2.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gitRepo:
+      repository: github.com/kubernetes/kubernetes
+    name: volume-gitrepo

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes3.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-nfs
+    nfs:
+      path: /testing
+      server: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes4.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes4
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - iscsi:
+      iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz
+      lun: 0
+      targetPortal: testing
+    name: volume-iscsi

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes5.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes5
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - glusterfs:
+      endpoints: testing
+      path: testing
+    name: volume-glusterfs

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes6.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes6
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-rbd
+    rbd:
+      image: testing
+      monitors:
+      - testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes7.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes7
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - flexVolume:
+      driver: testing
+    name: volume-flexvolume

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes8.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes8
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - cinder:
+      volumeID: testing
+    name: volume-cinder

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes9.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes9
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - cephfs:
+      monitors:
+      - testing
+    name: volume-cephfs

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/restrictedvolumes0.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - configMap:
+      name: volume-configmap-test
+    name: volume-configmap
+  - downwardAPI:
+      items:
+      - fieldRef:
+          fieldPath: metadata.labels
+        path: labels
+    name: volume-downwardapi
+  - emptyDir: {}
+    name: volume-emptydir
+  - name: volume-pvc
+    persistentVolumeClaim:
+      claimName: test
+  - name: volume-projects
+    projected:
+      sources: []
+  - name: volume-secret
+    secret:
+      secretName: test

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes0.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gcePersistentDisk:
+      pdName: testing
+    name: volume-gcepersistentdisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes1.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - awsElasticBlockStore:
+      volumeID: testing
+    name: volume-awselasticblockstore

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes10.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes10
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - flocker:
+      datasetName: testing
+    name: volume-flocker

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes11.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes11
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - fc:
+      wwids:
+      - testing
+    name: volume-fc

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes12.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes12
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureFile:
+      secretName: testing
+      shareName: testing
+    name: volume-azurefile

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes13.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes13
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-vsphere
+    vsphereVolume:
+      volumePath: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes14.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes14
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-quobyte
+    quobyte:
+      registry: localhost:1234
+      volume: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes15.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes15
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureDisk:
+      diskName: testing
+      diskURI: https://test.blob.core.windows.net/test/test.vhd
+    name: volume-azuredisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes16.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes16
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-portworxvolume
+    portworxVolume:
+      fsType: ext4
+      volumeID: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes17.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes17
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-scaleio
+    scaleIO:
+      gateway: localhost
+      secretRef: null
+      system: testing
+      volumeName: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes18.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes18
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-storageos
+    storageos:
+      volumeName: test

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes19.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes19
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - hostPath:
+      path: /dev/null
+    name: volume-hostpath

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes2.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gitRepo:
+      repository: github.com/kubernetes/kubernetes
+    name: volume-gitrepo

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes3.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-nfs
+    nfs:
+      path: /testing
+      server: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes4.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes4
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - iscsi:
+      iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz
+      lun: 0
+      targetPortal: testing
+    name: volume-iscsi

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes5.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes5
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - glusterfs:
+      endpoints: testing
+      path: testing
+    name: volume-glusterfs

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes6.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes6
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-rbd
+    rbd:
+      image: testing
+      monitors:
+      - testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes7.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes7
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - flexVolume:
+      driver: testing
+    name: volume-flexvolume

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes8.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes8
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - cinder:
+      volumeID: testing
+    name: volume-cinder

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes9.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes9
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - cephfs:
+      monitors:
+      - testing
+    name: volume-cephfs

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/restrictedvolumes0.yaml

@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - configMap:
+      name: volume-configmap-test
+    name: volume-configmap
+  - downwardAPI:
+      items:
+      - fieldRef:
+          fieldPath: metadata.labels
+        path: labels
+    name: volume-downwardapi
+  - emptyDir: {}
+    name: volume-emptydir
+  - name: volume-pvc
+    persistentVolumeClaim:
+      claimName: test
+  - name: volume-projects
+    projected:
+      sources: []
+  - name: volume-secret
+    secret:
+      secretName: test

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes0.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gcePersistentDisk:
+      pdName: testing
+    name: volume-gcepersistentdisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes1.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - awsElasticBlockStore:
+      volumeID: testing
+    name: volume-awselasticblockstore

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes10.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes10
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - flocker:
+      datasetName: testing
+    name: volume-flocker

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes11.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes11
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - fc:
+      wwids:
+      - testing
+    name: volume-fc

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes12.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes12
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureFile:
+      secretName: testing
+      shareName: testing
+    name: volume-azurefile

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes13.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes13
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-vsphere
+    vsphereVolume:
+      volumePath: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes14.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes14
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-quobyte
+    quobyte:
+      registry: localhost:1234
+      volume: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes15.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes15
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureDisk:
+      diskName: testing
+      diskURI: https://test.blob.core.windows.net/test/test.vhd
+    name: volume-azuredisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes16.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes16
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-portworxvolume
+    portworxVolume:
+      fsType: ext4
+      volumeID: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes17.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes17
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-scaleio
+    scaleIO:
+      gateway: localhost
+      secretRef: null
+      system: testing
+      volumeName: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes18.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes18
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-storageos
+    storageos:
+      volumeName: test

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes19.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes19
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - hostPath:
+      path: /dev/null
+    name: volume-hostpath

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes2.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gitRepo:
+      repository: github.com/kubernetes/kubernetes
+    name: volume-gitrepo

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes3.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-nfs
+    nfs:
+      path: /testing
+      server: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes4.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes4
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - iscsi:
+      iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz
+      lun: 0
+      targetPortal: testing
+    name: volume-iscsi

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes5.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes5
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - glusterfs:
+      endpoints: testing
+      path: testing
+    name: volume-glusterfs

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes6.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes6
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-rbd
+    rbd:
+      image: testing
+      monitors:
+      - testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes7.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes7
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - flexVolume:
+      driver: testing
+    name: volume-flexvolume

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes8.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes8
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - cinder:
+      volumeID: testing
+    name: volume-cinder

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes9.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes9
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - cephfs:
+      monitors:
+      - testing
+    name: volume-cephfs

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/restrictedvolumes0.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - configMap:
+      name: volume-configmap-test
+    name: volume-configmap
+  - downwardAPI:
+      items:
+      - fieldRef:
+          fieldPath: metadata.labels
+        path: labels
+    name: volume-downwardapi
+  - emptyDir: {}
+    name: volume-emptydir
+  - name: volume-pvc
+    persistentVolumeClaim:
+      claimName: test
+  - name: volume-projects
+    projected:
+      sources: []
+  - name: volume-secret
+    secret:
+      secretName: test

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes0.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gcePersistentDisk:
+      pdName: testing
+    name: volume-gcepersistentdisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes1.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - awsElasticBlockStore:
+      volumeID: testing
+    name: volume-awselasticblockstore

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes10.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes10
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - flocker:
+      datasetName: testing
+    name: volume-flocker

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes11.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes11
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - fc:
+      wwids:
+      - testing
+    name: volume-fc

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes12.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes12
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureFile:
+      secretName: testing
+      shareName: testing
+    name: volume-azurefile

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes13.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes13
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-vsphere
+    vsphereVolume:
+      volumePath: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes14.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes14
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-quobyte
+    quobyte:
+      registry: localhost:1234
+      volume: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes15.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes15
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureDisk:
+      diskName: testing
+      diskURI: https://test.blob.core.windows.net/test/test.vhd
+    name: volume-azuredisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes16.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes16
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-portworxvolume
+    portworxVolume:
+      fsType: ext4
+      volumeID: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes17.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes17
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-scaleio
+    scaleIO:
+      gateway: localhost
+      secretRef: null
+      system: testing
+      volumeName: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes18.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes18
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-storageos
+    storageos:
+      volumeName: test

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes19.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes19
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - hostPath:
+      path: /dev/null
+    name: volume-hostpath

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes2.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gitRepo:
+      repository: github.com/kubernetes/kubernetes
+    name: volume-gitrepo

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes3.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-nfs
+    nfs:
+      path: /testing
+      server: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes4.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes4
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - iscsi:
+      iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz
+      lun: 0
+      targetPortal: testing
+    name: volume-iscsi

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes5.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes5
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - glusterfs:
+      endpoints: testing
+      path: testing
+    name: volume-glusterfs

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes6.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes6
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-rbd
+    rbd:
+      image: testing
+      monitors:
+      - testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes7.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes7
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - flexVolume:
+      driver: testing
+    name: volume-flexvolume

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes8.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes8
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - cinder:
+      volumeID: testing
+    name: volume-cinder

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes9.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes9
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - cephfs:
+      monitors:
+      - testing
+    name: volume-cephfs

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/restrictedvolumes0.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - configMap:
+      name: volume-configmap-test
+    name: volume-configmap
+  - downwardAPI:
+      items:
+      - fieldRef:
+          fieldPath: metadata.labels
+        path: labels
+    name: volume-downwardapi
+  - emptyDir: {}
+    name: volume-emptydir
+  - name: volume-pvc
+    persistentVolumeClaim:
+      claimName: test
+  - name: volume-projects
+    projected:
+      sources: []
+  - name: volume-secret
+    secret:
+      secretName: test

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes0.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gcePersistentDisk:
+      pdName: testing
+    name: volume-gcepersistentdisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes1.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - awsElasticBlockStore:
+      volumeID: testing
+    name: volume-awselasticblockstore

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes10.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes10
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - flocker:
+      datasetName: testing
+    name: volume-flocker

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes11.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes11
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - fc:
+      wwids:
+      - testing
+    name: volume-fc

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes12.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes12
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureFile:
+      secretName: testing
+      shareName: testing
+    name: volume-azurefile

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes13.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes13
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-vsphere
+    vsphereVolume:
+      volumePath: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes14.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes14
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-quobyte
+    quobyte:
+      registry: localhost:1234
+      volume: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes15.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes15
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - azureDisk:
+      diskName: testing
+      diskURI: https://test.blob.core.windows.net/test/test.vhd
+    name: volume-azuredisk

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes16.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes16
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-portworxvolume
+    portworxVolume:
+      fsType: ext4
+      volumeID: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes17.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes17
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-scaleio
+    scaleIO:
+      gateway: localhost
+      secretRef: null
+      system: testing
+      volumeName: testing

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes18.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes18
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-storageos
+    storageos:
+      volumeName: test

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes19.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes19
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - hostPath:
+      path: /dev/null
+    name: volume-hostpath

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes2.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - gitRepo:
+      repository: github.com/kubernetes/kubernetes
+    name: volume-gitrepo

staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes3.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: restrictedvolumes3
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      allowPrivilegeEscalation: false
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      allowPrivilegeEscalation: false
+  securityContext:
+    runAsNonRoot: true
+  volumes:
+  - name: volume-nfs
+    nfs:
+      path: /testing
+      server: testing