github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

PodSecurity: test: generate 1.23 fixtures

Browse Source
This commit is contained in:
Jordan Liggitt 2021-10-25 13:28:25 -04:00
parent ef3bf86f5b
commit 9b930e3728
124 changed files with 3053 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
staging/src/k8s.io/pod-security-admission/test/fixtures_test.go
View File

@ -46,7 +46,7 @@ func TestFixtures(t *testing.T) {
defaultChecks := policy.DefaultChecks() defaultChecks := policy.DefaultChecks()
const newestMinorVersionToTest = 22 const newestMinorVersionToTest = 23
policyVersions := computeVersionsToTest(t, defaultChecks) policyVersions := computeVersionsToTest(t, defaultChecks)
newestMinorVersionWithPolicyChanges := policyVersions[len(policyVersions)-1].Minor() newestMinorVersionWithPolicyChanges := policyVersions[len(policyVersions)-1].Minor()

4
staging/src/k8s.io/pod-security-admission/test/run.go
View File

@ -118,10 +118,10 @@ func computeVersionsToTest(t *testing.T, checks []policy.Check) []api.Version {
alwaysIncludeVersions := []api.Version{ alwaysIncludeVersions := []api.Version{
// include the oldest version by default // include the oldest version by default
api.MajorMinorVersion(1, 0), api.MajorMinorVersion(1, 0),
// include the release under development (1.22 at time of writing). // include the release under development (1.23 at time of writing).
// this can be incremented to the current version whenever is convenient. // this can be incremented to the current version whenever is convenient.
// TODO: find a way to use api.LatestVersion() here // TODO: find a way to use api.LatestVersion() here
api.MajorMinorVersion(1, 22), api.MajorMinorVersion(1, 23),
} }
for _, version := range alwaysIncludeVersions { for _, version := range alwaysIncludeVersions {
seenVersions[version] = true seenVersions[version] = true

13
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/apparmorprofile0.yaml vendored Executable file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: unconfined
name: apparmorprofile0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

13
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/apparmorprofile1.yaml vendored Executable file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
name: apparmorprofile1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/capabilities_baseline0.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- NET_RAW
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/capabilities_baseline1.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities:
add:
- NET_RAW
securityContext: {}

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/capabilities_baseline2.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- chown
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/capabilities_baseline3.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- CAP_CHOWN
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities: {}
securityContext: {}

12
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/hostnamespaces0.yaml vendored Executable file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
hostIPC: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

12
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/hostnamespaces1.yaml vendored Executable file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

12
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/hostnamespaces2.yaml vendored Executable file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
hostPID: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

17
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/hostpathvolumes0.yaml vendored Executable file
View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
volumes:
- emptyDir: {}
name: volume-emptydir
- hostPath:
path: /a
name: volume-hostpath

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/hostpathvolumes1.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
volumes:
- hostPath:
path: /a
name: volume-hostpath-a
- hostPath:
path: /b
name: volume-hostpath-b

14
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/hostports0.yaml vendored Executable file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

14
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/hostports1.yaml vendored Executable file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346

19
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/hostports2.yaml vendored Executable file
View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
- containerPort: 12347
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
- containerPort: 12348

15
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/privileged0.yaml vendored Executable file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
privileged: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}

15
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/privileged1.yaml vendored Executable file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
privileged: true
securityContext: {}

15
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/procmount0.yaml vendored Executable file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}

15
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/procmount1.yaml vendored Executable file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Unmasked
securityContext: {}

16
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/seccompprofile_baseline0.yaml vendored Executable file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext:
seccompProfile:
type: Unconfined

16
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/seccompprofile_baseline1.yaml vendored Executable file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seccompProfile:
type: Unconfined
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext: {}

16
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/seccompprofile_baseline2.yaml vendored Executable file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seccompProfile:
type: Unconfined
securityContext: {}

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/selinuxoptions0.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
type: somevalue

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/selinuxoptions1.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions:
type: somevalue
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions: {}

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/selinuxoptions2.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions:
type: somevalue
securityContext:
seLinuxOptions: {}

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/selinuxoptions3.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
user: somevalue

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/selinuxoptions4.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions4
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext:
seLinuxOptions:
role: somevalue

15
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/sysctls0.yaml vendored Executable file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
sysctls:
- name: othersysctl
value: other

19
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/windowshostprocess0.yaml vendored Executable file
View File

@ -0,0 +1,19 @@
apiVersion: v1
kind: Pod
metadata:
name: windowshostprocess0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
windowsOptions: {}
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
windowsOptions: {}
securityContext:
windowsOptions:
hostProcess: true

20
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/fail/windowshostprocess1.yaml vendored Executable file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: windowshostprocess1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
windowsOptions:
hostProcess: true
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
windowsOptions:
hostProcess: true
securityContext:
windowsOptions: {}

13
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/apparmorprofile0.yaml vendored Executable file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: localhost/foo
name: apparmorprofile0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

11
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/base.yaml vendored Executable file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: base
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1

44
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/capabilities_baseline0.yaml vendored Executable file
View File

@ -0,0 +1,44 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
securityContext: {}

15
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/hostports0.yaml vendored Executable file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346

16
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/privileged0.yaml vendored Executable file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
privileged: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
privileged: false
securityContext: {}

16
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/procmount0.yaml vendored Executable file
View File

@ -0,0 +1,16 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
procMount: Default
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
procMount: Default
securityContext: {}

18
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/seccompprofile_baseline0.yaml vendored Executable file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seccompProfile:
type: RuntimeDefault
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}
securityContext:
seccompProfile:
type: RuntimeDefault

15
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/selinuxoptions0.yaml vendored Executable file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions: {}
securityContext: {}

21
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/selinuxoptions1.yaml vendored Executable file
View File

@ -0,0 +1,21 @@
apiVersion: v1
kind: Pod
metadata:
name: selinuxoptions1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
seLinuxOptions:
level: somevalue
type: container_init_t
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
seLinuxOptions:
type: container_kvm_t
securityContext:
seLinuxOptions:
type: container_t

12
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/sysctls0.yaml vendored Executable file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext: {}

23
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.23/pass/sysctls1.yaml vendored Executable file
View File

@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: sysctls1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
sysctls:
- name: kernel.shm_rmid_forced
value: "0"
- name: net.ipv4.ip_local_port_range
value: 1024 65535
- name: net.ipv4.tcp_syncookies
value: "0"
- name: net.ipv4.ping_group_range
value: 1 0
- name: net.ipv4.ip_unprivileged_port_start
value: "1024"

25
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/allowprivilegeescalation0.yaml vendored Executable file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

25
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/allowprivilegeescalation1.yaml vendored Executable file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: true
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

24
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/allowprivilegeescalation2.yaml vendored Executable file
View File

@ -0,0 +1,24 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

20
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/allowprivilegeescalation3.yaml vendored Executable file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: Pod
metadata:
name: allowprivilegeescalation3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

27
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/apparmorprofile0.yaml vendored Executable file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/container1: unconfined
name: apparmorprofile0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

27
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/apparmorprofile1.yaml vendored Executable file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
annotations:
container.apparmor.security.beta.kubernetes.io/initcontainer1: unconfined
name: apparmorprofile1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

27
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/capabilities_baseline0.yaml vendored Executable file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_RAW
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

27
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/capabilities_baseline1.yaml vendored Executable file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_RAW
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

27
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/capabilities_baseline2.yaml vendored Executable file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- chown
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

27
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/capabilities_baseline3.yaml vendored Executable file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_baseline3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- CAP_CHOWN
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

23
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/capabilities_restricted0.yaml vendored Executable file
View File

@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_restricted0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

23
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/capabilities_restricted1.yaml vendored Executable file
View File

@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_restricted1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities: {}
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

97
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/capabilities_restricted2.yaml vendored Executable file
View File

@ -0,0 +1,97 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_restricted2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- SETGID
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- SYS_TIME
- SYS_MODULE
- SYS_RAWIO
- SYS_PACCT
- SYS_ADMIN
- SYS_NICE
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- MKNOD
- AUDIT_WRITE
- AUDIT_CONTROL
- MAC_OVERRIDE
- MAC_ADMIN
- NET_ADMIN
- SYSLOG
- CHOWN
- NET_RAW
- DAC_OVERRIDE
- FOWNER
- DAC_READ_SEARCH
- FSETID
- KILL
- SETGID
- SETUID
- LINUX_IMMUTABLE
- NET_BIND_SERVICE
- NET_BROADCAST
- IPC_LOCK
- IPC_OWNER
- SYS_CHROOT
- SYS_PTRACE
- SYS_BOOT
- LEASE
- SETFCAP
- WAKE_ALARM
- BLOCK_SUSPEND
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

53
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/capabilities_restricted3.yaml vendored Executable file
View File

@ -0,0 +1,53 @@
apiVersion: v1
kind: Pod
metadata:
name: capabilities_restricted3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- FSETID
- KILL
- MKNOD
- NET_BIND_SERVICE
- SETFCAP
- SETGID
- SETPCAP
- SETUID
- SYS_CHROOT
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

26
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/hostnamespaces0.yaml vendored Executable file
View File

@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
hostIPC: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

26
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/hostnamespaces1.yaml vendored Executable file
View File

@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
hostNetwork: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

26
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/hostnamespaces2.yaml vendored Executable file
View File

@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: hostnamespaces2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
hostPID: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

31
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/hostpathvolumes0.yaml vendored Executable file
View File

@ -0,0 +1,31 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- emptyDir: {}
name: volume-emptydir
- hostPath:
path: /a
name: volume-hostpath

32
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/hostpathvolumes1.yaml vendored Executable file
View File

@ -0,0 +1,32 @@
apiVersion: v1
kind: Pod
metadata:
name: hostpathvolumes1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- hostPath:
path: /a
name: volume-hostpath-a
- hostPath:
path: /b
name: volume-hostpath-b

28
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/hostports0.yaml vendored Executable file
View File

@ -0,0 +1,28 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

28
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/hostports1.yaml vendored Executable file
View File

@ -0,0 +1,28 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

33
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/hostports2.yaml vendored Executable file
View File

@ -0,0 +1,33 @@
apiVersion: v1
kind: Pod
metadata:
name: hostports2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
ports:
- containerPort: 12345
hostPort: 12345
- containerPort: 12347
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
ports:
- containerPort: 12346
hostPort: 12346
- containerPort: 12348
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

25
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/privileged0.yaml vendored Executable file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
capabilities:
drop:
- ALL
privileged: true
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

25
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/privileged1.yaml vendored Executable file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: privileged1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
capabilities:
drop:
- ALL
privileged: true
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

26
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/procmount0.yaml vendored Executable file
View File

@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
procMount: Unmasked
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

26
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/procmount1.yaml vendored Executable file
View File

@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: procmount1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
procMount: Unmasked
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

29
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes0.yaml vendored Executable file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- gcePersistentDisk:
pdName: test
name: volume1

29
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes1.yaml vendored Executable file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- awsElasticBlockStore:
volumeID: test
name: volume1

29
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes10.yaml vendored Executable file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes10
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- flocker:
datasetName: test
name: volume1

30
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes11.yaml vendored Executable file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes11
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- fc:
wwids:
- test
name: volume1

30
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes12.yaml vendored Executable file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes12
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- azureFile:
secretName: test
shareName: test
name: volume1

29
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes13.yaml vendored Executable file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes13
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- name: volume1
vsphereVolume:
volumePath: test

30
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes14.yaml vendored Executable file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes14
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- name: volume1
quobyte:
registry: localhost:1234
volume: test

30
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes15.yaml vendored Executable file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes15
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- azureDisk:
diskName: test
diskURI: https://test.blob.core.windows.net/test/test.vhd
name: volume1

30
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes16.yaml vendored Executable file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes16
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- name: volume1
portworxVolume:
fsType: ext4
volumeID: test

32
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes17.yaml vendored Executable file
View File

@ -0,0 +1,32 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes17
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- name: volume1
scaleIO:
gateway: localhost
secretRef: null
system: test
volumeName: test

29
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes18.yaml vendored Executable file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes18
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- name: volume1
storageos:
volumeName: test

29
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes19.yaml vendored Executable file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes19
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- hostPath:
path: /dev/null
name: volume1

29
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes2.yaml vendored Executable file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- gitRepo:
repository: github.com/kubernetes/kubernetes
name: volume1

30
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes3.yaml vendored Executable file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- name: volume1
nfs:
path: /test
server: test

31
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes4.yaml vendored Executable file
View File

@ -0,0 +1,31 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes4
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- iscsi:
iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz
lun: 0
targetPortal: test
name: volume1

30
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes5.yaml vendored Executable file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes5
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- glusterfs:
endpoints: test
path: test
name: volume1

31
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes6.yaml vendored Executable file
View File

@ -0,0 +1,31 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes6
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- name: volume1
rbd:
image: test
monitors:
- test

29
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes7.yaml vendored Executable file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes7
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- flexVolume:
driver: test
name: volume1

29
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes8.yaml vendored Executable file
View File

@ -0,0 +1,29 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes8
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- cinder:
volumeID: test
name: volume1

30
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/restrictedvolumes9.yaml vendored Executable file
View File

@ -0,0 +1,30 @@
apiVersion: v1
kind: Pod
metadata:
name: restrictedvolumes9
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
volumes:
- cephfs:
monitors:
- test
name: volume1

24
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/runasnonroot0.yaml vendored Executable file
View File

@ -0,0 +1,24 @@
apiVersion: v1
kind: Pod
metadata:
name: runasnonroot0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
seccompProfile:
type: RuntimeDefault

25
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/runasnonroot1.yaml vendored Executable file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: runasnonroot1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: false
seccompProfile:
type: RuntimeDefault

26
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/runasnonroot2.yaml vendored Executable file
View File

@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: runasnonroot2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: false
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

26
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/runasnonroot3.yaml vendored Executable file
View File

@ -0,0 +1,26 @@
apiVersion: v1
kind: Pod
metadata:
name: runasnonroot3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
runAsNonRoot: false
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

25
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/seccompprofile_baseline0.yaml vendored Executable file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: Unconfined

27
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/seccompprofile_baseline1.yaml vendored Executable file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: Unconfined
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

27
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/seccompprofile_baseline2.yaml vendored Executable file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_baseline2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: Unconfined
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault

23
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/seccompprofile_restricted0.yaml vendored Executable file
View File

@ -0,0 +1,23 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_restricted0
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true

25
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/seccompprofile_restricted1.yaml vendored Executable file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_restricted1
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true
seccompProfile:
type: Unconfined

25
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/seccompprofile_restricted2.yaml vendored Executable file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_restricted2
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
securityContext:
runAsNonRoot: true

25
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/seccompprofile_restricted3.yaml vendored Executable file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_restricted3
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
securityContext:
runAsNonRoot: true

27
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.23/fail/seccompprofile_restricted4.yaml vendored Executable file
View File

@ -0,0 +1,27 @@
apiVersion: v1
kind: Pod
metadata:
name: seccompprofile_restricted4
spec:
containers:
- image: k8s.gcr.io/pause
name: container1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
initContainers:
- image: k8s.gcr.io/pause
name: initcontainer1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: Unconfined
securityContext:
runAsNonRoot: true

Some files were not shown because too many files have changed in this diff Show More