diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go b/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go new file mode 100644 index 00000000000..62cbc4406a5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/policy/check_restrictedVolumes.go @@ -0,0 +1,106 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package policy + +import ( + "fmt" + + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/pod-security-admission/api" +) + +/* +In addition to restricting HostPath volumes, the restricted profile +limits usage of non-core volume types to those defined through PersistentVolumes. + +**Restricted Fields:** + +spec.volumes[*].hostPath +spec.volumes[*].gcePersistentDisk +spec.volumes[*].awsElasticBlockStore +spec.volumes[*].gitRepo +spec.volumes[*].nfs +spec.volumes[*].iscsi +spec.volumes[*].glusterfs +spec.volumes[*].rbd +spec.volumes[*].flexVolume +spec.volumes[*].cinder +spec.volumes[*].cephFS +spec.volumes[*].flocker +spec.volumes[*].fc +spec.volumes[*].azureFile +spec.volumes[*].vsphereVolume +spec.volumes[*].quobyte +spec.volumes[*].azureDisk +spec.volumes[*].portworxVolume +spec.volumes[*].scaleIO +spec.volumes[*].storageos +spec.volumes[*].csi + +**Allowed Values:** undefined/nil +*/ + +func init() { + addCheck(CheckRestrictedVolumes) +} + +// CheckRestrictedVolumes returns a restricted level check +// that limits usage of specific volume types in 1.0+ +func CheckRestrictedVolumes() Check { + return Check{ + ID: "restrictedVolumes", + Level: api.LevelRestricted, + Versions: []VersionedCheck{ + { + MinimumVersion: api.MajorMinorVersion(1, 0), + CheckPod: restrictedVolumes_1_0, + }, + }, + } +} + +func restrictedVolumes_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { + restrictedVolumeNames := sets.NewString() + + for _, volume := range podSpec.Volumes { + switch { + case volume.ConfigMap != nil, + volume.CSI != nil, + volume.DownwardAPI != nil, + volume.EmptyDir != nil, + volume.Ephemeral != nil, + volume.PersistentVolumeClaim != nil, + volume.Projected != nil, + volume.Secret != nil: + continue + default: + restrictedVolumeNames.Insert(volume.Name) + } + } + + if len(restrictedVolumeNames) > 0 { + return CheckResult{ + Allowed: false, + ForbiddenReason: "restricted volume types", + ForbiddenDetail: fmt.Sprintf("volumes %q have restricted types", restrictedVolumeNames.List()), + } + } + + return CheckResult{Allowed: true} +} diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_restrictedVolumes.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_restrictedVolumes.go new file mode 100644 index 00000000000..a6ff7da1bd3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_restrictedVolumes.go @@ -0,0 +1,377 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package test + +import ( + corev1 "k8s.io/api/core/v1" + "k8s.io/pod-security-admission/api" +) + +func init() { + // volumeType := "ext4" + fixtureData_1_0 := fixtureGenerator{ + expectErrorSubstring: "restricted volume types", + generatePass: func(p *corev1.Pod) []*corev1.Pod { + return []*corev1.Pod{ + // pod that has all allowed volume types + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-configmap", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "volume-configmap-test", + }, + }, + }, + }, + { + Name: "volume-downwardapi", + VolumeSource: corev1.VolumeSource{ + DownwardAPI: &corev1.DownwardAPIVolumeSource{ + Items: []corev1.DownwardAPIVolumeFile{ + { + Path: "labels", + FieldRef: &corev1.ObjectFieldSelector{ + FieldPath: "metadata.labels", + }, + }, + }, + }, + }, + }, + { + Name: "volume-emptydir", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }, + { + Name: "volume-pvc", + VolumeSource: corev1.VolumeSource{ + PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ + ClaimName: "test", + }, + }, + }, + { + Name: "volume-projects", + VolumeSource: corev1.VolumeSource{ + Projected: &corev1.ProjectedVolumeSource{ + Sources: []corev1.VolumeProjection{}, + }, + }, + }, + { + Name: "volume-secret", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: "test", + }, + }, + }, + // TODO: Uncomment this volume when CSIInlineVolume hits GA. + // + // { + // Name: "volume-csi", + // VolumeSource: corev1.VolumeSource{ + // CSI: &corev1.CSIVolumeSource{ + // Driver: "inline.storage.kubernetes.io", + // VolumeAttributes: map[string]string{ + // "foo": "bar", + // }, + // }, + // }, + // }, + // + // TODO: Uncomment this volume when Ephemeral hits GA. + // + // { + // Name: "volume-ephemeral", + // VolumeSource: corev1.VolumeSource{ + // Ephemeral: &corev1.EphemeralVolumeSource{ + // VolumeClaimTemplate: nil, // exercise for reader + // }, + // }, + // }, + } + }), + } + }, + generateFail: func(p *corev1.Pod) []*corev1.Pod { + return []*corev1.Pod{ + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-gcepersistentdisk", + VolumeSource: corev1.VolumeSource{ + GCEPersistentDisk: &corev1.GCEPersistentDiskVolumeSource{ + PDName: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-awselasticblockstore", + VolumeSource: corev1.VolumeSource{ + AWSElasticBlockStore: &corev1.AWSElasticBlockStoreVolumeSource{ + VolumeID: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-gitrepo", + VolumeSource: corev1.VolumeSource{ + GitRepo: &corev1.GitRepoVolumeSource{ + Repository: "github.com/kubernetes/kubernetes", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-nfs", + VolumeSource: corev1.VolumeSource{ + NFS: &corev1.NFSVolumeSource{ + Server: "testing", + Path: "/testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-iscsi", + VolumeSource: corev1.VolumeSource{ + ISCSI: &corev1.ISCSIVolumeSource{ + TargetPortal: "testing", + IQN: "iqn.2001-04.com.example:storage.kube.sys1.xyz", + Lun: 0, + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-glusterfs", + VolumeSource: corev1.VolumeSource{ + Glusterfs: &corev1.GlusterfsVolumeSource{ + Path: "testing", + EndpointsName: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-rbd", + VolumeSource: corev1.VolumeSource{ + RBD: &corev1.RBDVolumeSource{ + CephMonitors: []string{"testing"}, + RBDImage: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-flexvolume", + VolumeSource: corev1.VolumeSource{ + FlexVolume: &corev1.FlexVolumeSource{ + Driver: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-cinder", + VolumeSource: corev1.VolumeSource{ + Cinder: &corev1.CinderVolumeSource{ + VolumeID: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-cephfs", + VolumeSource: corev1.VolumeSource{ + CephFS: &corev1.CephFSVolumeSource{ + Monitors: []string{"testing"}, + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-flocker", + VolumeSource: corev1.VolumeSource{ + Flocker: &corev1.FlockerVolumeSource{ + DatasetName: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-fc", + VolumeSource: corev1.VolumeSource{ + FC: &corev1.FCVolumeSource{ + WWIDs: []string{"testing"}, + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-azurefile", + VolumeSource: corev1.VolumeSource{ + AzureFile: &corev1.AzureFileVolumeSource{ + SecretName: "testing", + ShareName: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-vsphere", + VolumeSource: corev1.VolumeSource{ + VsphereVolume: &corev1.VsphereVirtualDiskVolumeSource{ + VolumePath: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-quobyte", + VolumeSource: corev1.VolumeSource{ + Quobyte: &corev1.QuobyteVolumeSource{ + Registry: "localhost:1234", + Volume: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-azuredisk", + VolumeSource: corev1.VolumeSource{ + AzureDisk: &corev1.AzureDiskVolumeSource{ + DiskName: "testing", + DataDiskURI: "https://test.blob.core.windows.net/test/test.vhd", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-portworxvolume", + VolumeSource: corev1.VolumeSource{ + PortworxVolume: &corev1.PortworxVolumeSource{ + VolumeID: "testing", + FSType: "ext4", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-scaleio", + VolumeSource: corev1.VolumeSource{ + ScaleIO: &corev1.ScaleIOVolumeSource{ + VolumeName: "testing", + Gateway: "localhost", + System: "testing", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-storageos", + VolumeSource: corev1.VolumeSource{ + StorageOS: &corev1.StorageOSVolumeSource{ + VolumeName: "test", + }, + }, + }, + } + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-hostpath", + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: "/dev/null", + }, + }, + }, + } + }), + } + }, + } + + registerFixtureGenerator( + fixtureKey{level: api.LevelRestricted, version: api.MajorMinorVersion(1, 0), check: "restrictedVolumes"}, + fixtureData_1_0, + ) +} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..f3beb2f8d03 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..d48d9e1aafa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..c2114843728 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes10.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..6b937f3a6f3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..11ce7bff81a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..1a53bc5814a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes13.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..e2645cfebbb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..ebbfe853dce --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..de7b164c5b3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..92a6f34e379 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..84e296bef12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes18.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..f38468316d4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes19.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..3c0a8a93e89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..c68391a1e9a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..2d503254050 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..96eb492af82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..79caa8a4970 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..8e09e7adcc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes7.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..850f77a4282 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes8.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..4e07a09ba16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/restrictedvolumes9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..639412d7645 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/restrictedvolumes0.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..f3beb2f8d03 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..d48d9e1aafa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..c2114843728 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes10.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..6b937f3a6f3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..11ce7bff81a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..1a53bc5814a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes13.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..e2645cfebbb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..ebbfe853dce --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..de7b164c5b3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..92a6f34e379 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..84e296bef12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes18.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..f38468316d4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes19.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..3c0a8a93e89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..c68391a1e9a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..2d503254050 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..96eb492af82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..79caa8a4970 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..8e09e7adcc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes7.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..850f77a4282 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes8.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..4e07a09ba16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/restrictedvolumes9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..639412d7645 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/restrictedvolumes0.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..f3beb2f8d03 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..d48d9e1aafa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..c2114843728 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes10.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..6b937f3a6f3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..11ce7bff81a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..1a53bc5814a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes13.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..e2645cfebbb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..ebbfe853dce --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..de7b164c5b3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..92a6f34e379 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..84e296bef12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes18.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..f38468316d4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes19.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..3c0a8a93e89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..c68391a1e9a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..2d503254050 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..96eb492af82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..79caa8a4970 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..8e09e7adcc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes7.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..850f77a4282 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes8.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..4e07a09ba16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/restrictedvolumes9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..639412d7645 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/restrictedvolumes0.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..f3beb2f8d03 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..d48d9e1aafa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..c2114843728 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes10.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..6b937f3a6f3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..11ce7bff81a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..1a53bc5814a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes13.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..e2645cfebbb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..ebbfe853dce --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..de7b164c5b3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..92a6f34e379 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..84e296bef12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes18.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..f38468316d4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes19.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..3c0a8a93e89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..c68391a1e9a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..2d503254050 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..96eb492af82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..79caa8a4970 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..8e09e7adcc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes7.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..850f77a4282 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes8.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..4e07a09ba16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/restrictedvolumes9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..639412d7645 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/restrictedvolumes0.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..f3beb2f8d03 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..d48d9e1aafa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..c2114843728 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes10.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..6b937f3a6f3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..11ce7bff81a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..1a53bc5814a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes13.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..e2645cfebbb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..ebbfe853dce --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..de7b164c5b3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..92a6f34e379 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..84e296bef12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes18.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..f38468316d4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes19.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..3c0a8a93e89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..c68391a1e9a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..2d503254050 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..96eb492af82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..79caa8a4970 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..8e09e7adcc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes7.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..850f77a4282 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes8.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..4e07a09ba16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/restrictedvolumes9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..639412d7645 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/restrictedvolumes0.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..f3beb2f8d03 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..d48d9e1aafa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..c2114843728 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes10.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..6b937f3a6f3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..11ce7bff81a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..1a53bc5814a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes13.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..e2645cfebbb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..ebbfe853dce --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..de7b164c5b3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..92a6f34e379 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..84e296bef12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes18.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..f38468316d4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes19.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..3c0a8a93e89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..c68391a1e9a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..2d503254050 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..96eb492af82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..79caa8a4970 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..8e09e7adcc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes7.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..850f77a4282 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes8.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..4e07a09ba16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/restrictedvolumes9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..639412d7645 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/restrictedvolumes0.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..f3beb2f8d03 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..d48d9e1aafa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..c2114843728 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes10.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..6b937f3a6f3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..11ce7bff81a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..1a53bc5814a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes13.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..e2645cfebbb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..ebbfe853dce --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..de7b164c5b3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..92a6f34e379 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..84e296bef12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes18.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..f38468316d4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes19.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..3c0a8a93e89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..c68391a1e9a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..2d503254050 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..96eb492af82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..79caa8a4970 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..8e09e7adcc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes7.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..850f77a4282 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes8.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..4e07a09ba16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/restrictedvolumes9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..639412d7645 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/restrictedvolumes0.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..f3beb2f8d03 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..d48d9e1aafa --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..c2114843728 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes10.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..6b937f3a6f3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes11.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..11ce7bff81a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes12.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..1a53bc5814a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes13.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..e2645cfebbb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes14.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..ebbfe853dce --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes15.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..de7b164c5b3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes16.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..92a6f34e379 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes17.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..84e296bef12 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes18.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..f38468316d4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes19.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..3c0a8a93e89 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes2.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..c68391a1e9a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes3.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..2d503254050 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes4.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..96eb492af82 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes5.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..79caa8a4970 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes6.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..8e09e7adcc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes7.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..850f77a4282 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes8.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..4e07a09ba16 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/restrictedvolumes9.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..639412d7645 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/restrictedvolumes0.yaml @@ -0,0 +1,34 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes0.yaml new file mode 100755 index 00000000000..85b4e96d085 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gcePersistentDisk: + pdName: testing + name: volume-gcepersistentdisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes1.yaml new file mode 100755 index 00000000000..721dd4c2160 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - awsElasticBlockStore: + volumeID: testing + name: volume-awselasticblockstore diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes10.yaml new file mode 100755 index 00000000000..e11b9e19139 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes10.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes10 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flocker: + datasetName: testing + name: volume-flocker diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes11.yaml new file mode 100755 index 00000000000..3612d9ac53a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes11.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes11 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - fc: + wwids: + - testing + name: volume-fc diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes12.yaml new file mode 100755 index 00000000000..c5720ea289f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes12.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes12 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureFile: + secretName: testing + shareName: testing + name: volume-azurefile diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes13.yaml new file mode 100755 index 00000000000..5548b433169 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes13.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes13 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-vsphere + vsphereVolume: + volumePath: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes14.yaml new file mode 100755 index 00000000000..8d72b6cb739 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes14.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes14 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-quobyte + quobyte: + registry: localhost:1234 + volume: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes15.yaml new file mode 100755 index 00000000000..7e2665def8c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes15.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes15 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - azureDisk: + diskName: testing + diskURI: https://test.blob.core.windows.net/test/test.vhd + name: volume-azuredisk diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes16.yaml new file mode 100755 index 00000000000..e40176d1a41 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes16.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes16 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-portworxvolume + portworxVolume: + fsType: ext4 + volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes17.yaml new file mode 100755 index 00000000000..48ace835a80 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes17.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes17 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-scaleio + scaleIO: + gateway: localhost + secretRef: null + system: testing + volumeName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes18.yaml new file mode 100755 index 00000000000..f1506e6ebb6 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes18.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes18 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-storageos + storageos: + volumeName: test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes19.yaml new file mode 100755 index 00000000000..6027a49b32a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes19.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes19 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes2.yaml new file mode 100755 index 00000000000..8774d204e3c --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - gitRepo: + repository: github.com/kubernetes/kubernetes + name: volume-gitrepo diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes3.yaml new file mode 100755 index 00000000000..db9f13963dc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes3.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-nfs + nfs: + path: /testing + server: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes4.yaml new file mode 100755 index 00000000000..39536e82fc9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes4.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - iscsi: + iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz + lun: 0 + targetPortal: testing + name: volume-iscsi diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes5.yaml new file mode 100755 index 00000000000..30104acb8c1 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes5.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - glusterfs: + endpoints: testing + path: testing + name: volume-glusterfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes6.yaml new file mode 100755 index 00000000000..93382090c2a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes6.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes6 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - name: volume-rbd + rbd: + image: testing + monitors: + - testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes7.yaml new file mode 100755 index 00000000000..94c49e7d548 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes7.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes7 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - flexVolume: + driver: testing + name: volume-flexvolume diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes8.yaml new file mode 100755 index 00000000000..557b65a3a5b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes8.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes8 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cinder: + volumeID: testing + name: volume-cinder diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes9.yaml new file mode 100755 index 00000000000..7a9682863fb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/restrictedvolumes9.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes9 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - cephfs: + monitors: + - testing + name: volume-cephfs diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/restrictedvolumes0.yaml new file mode 100755 index 00000000000..15806c8f02d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/restrictedvolumes0.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Pod +metadata: + name: restrictedvolumes0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - configMap: + name: volume-configmap-test + name: volume-configmap + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + name: volume-downwardapi + - emptyDir: {} + name: volume-emptydir + - name: volume-pvc + persistentVolumeClaim: + claimName: test + - name: volume-projects + projected: + sources: [] + - name: volume-secret + secret: + secretName: test