From 9e87082b85fc27aa9b0b77ad4978f090dd84bb0c Mon Sep 17 00:00:00 2001 
From: Samuel Roth <2413031+sejr@users.noreply.github.com> Date: Wed, 7 Jul 2021 01:11:28 -0400 Subject: [PATCH] [Pod Security] Baseline + restricted policy checks for seccomp (#103341) * podsecurity: add seccomp policy checks * podsecurity: generated seccomp fixtures --- .../policy/check_seccomp_baseline.go | 140 ++++++++++++++++++ .../policy/check_seccomp_restricted.go | 88 +++++++++++ .../pod-security-admission/test/fixtures.go | 9 ++ .../test/fixtures_seccomp_baseline.go | 120 +++++++++++++++ .../test/fixtures_seccomp_restricted.go | 90 +++++++++++ .../test/helpers_seccomp.go | 51 +++++++ .../k8s.io/pod-security-admission/test/run.go | 7 +- .../baseline/v1.0/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.0/fail/seccomp_baseline1.yaml | 13 ++ .../baseline/v1.0/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.0/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.0/pass/seccomp_baseline1.yaml | 15 ++ .../baseline/v1.1/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.1/fail/seccomp_baseline1.yaml | 13 ++ .../baseline/v1.1/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.1/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.1/pass/seccomp_baseline1.yaml | 15 ++ .../v1.10/fail/seccomp_baseline0.yaml | 13 ++ .../v1.10/fail/seccomp_baseline1.yaml | 13 ++ .../v1.10/fail/seccomp_baseline2.yaml | 13 ++ .../v1.10/pass/seccomp_baseline0.yaml | 15 ++ .../v1.10/pass/seccomp_baseline1.yaml | 15 ++ .../v1.11/fail/seccomp_baseline0.yaml | 13 ++ .../v1.11/fail/seccomp_baseline1.yaml | 13 ++ .../v1.11/fail/seccomp_baseline2.yaml | 13 ++ .../v1.11/pass/seccomp_baseline0.yaml | 15 ++ .../v1.11/pass/seccomp_baseline1.yaml | 15 ++ .../v1.12/fail/seccomp_baseline0.yaml | 13 ++ .../v1.12/fail/seccomp_baseline1.yaml | 13 ++ .../v1.12/fail/seccomp_baseline2.yaml | 13 ++ .../v1.12/pass/seccomp_baseline0.yaml | 15 ++ .../v1.12/pass/seccomp_baseline1.yaml | 15 ++ .../v1.13/fail/seccomp_baseline0.yaml | 13 ++ .../v1.13/fail/seccomp_baseline1.yaml | 13 ++ 
.../v1.13/fail/seccomp_baseline2.yaml | 13 ++ .../v1.13/pass/seccomp_baseline0.yaml | 15 ++ .../v1.13/pass/seccomp_baseline1.yaml | 15 ++ .../v1.14/fail/seccomp_baseline0.yaml | 13 ++ .../v1.14/fail/seccomp_baseline1.yaml | 13 ++ .../v1.14/fail/seccomp_baseline2.yaml | 13 ++ .../v1.14/pass/seccomp_baseline0.yaml | 15 ++ .../v1.14/pass/seccomp_baseline1.yaml | 15 ++ .../v1.15/fail/seccomp_baseline0.yaml | 13 ++ .../v1.15/fail/seccomp_baseline1.yaml | 13 ++ .../v1.15/fail/seccomp_baseline2.yaml | 13 ++ .../v1.15/pass/seccomp_baseline0.yaml | 15 ++ .../v1.15/pass/seccomp_baseline1.yaml | 15 ++ .../v1.16/fail/seccomp_baseline0.yaml | 13 ++ .../v1.16/fail/seccomp_baseline1.yaml | 13 ++ .../v1.16/fail/seccomp_baseline2.yaml | 13 ++ .../v1.16/pass/seccomp_baseline0.yaml | 15 ++ .../v1.16/pass/seccomp_baseline1.yaml | 15 ++ .../v1.17/fail/seccomp_baseline0.yaml | 13 ++ .../v1.17/fail/seccomp_baseline1.yaml | 13 ++ .../v1.17/fail/seccomp_baseline2.yaml | 13 ++ .../v1.17/pass/seccomp_baseline0.yaml | 15 ++ .../v1.17/pass/seccomp_baseline1.yaml | 15 ++ .../v1.18/fail/seccomp_baseline0.yaml | 13 ++ .../v1.18/fail/seccomp_baseline1.yaml | 13 ++ .../v1.18/fail/seccomp_baseline2.yaml | 13 ++ .../v1.18/pass/seccomp_baseline0.yaml | 15 ++ .../v1.18/pass/seccomp_baseline1.yaml | 15 ++ .../v1.19/fail/seccomp_baseline0.yaml | 16 ++ .../v1.19/fail/seccomp_baseline1.yaml | 16 ++ .../v1.19/fail/seccomp_baseline2.yaml | 16 ++ .../v1.19/pass/seccomp_baseline0.yaml | 20 +++ .../v1.19/pass/seccomp_baseline1.yaml | 23 +++ .../baseline/v1.2/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.2/fail/seccomp_baseline1.yaml | 13 ++ .../baseline/v1.2/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.2/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.2/pass/seccomp_baseline1.yaml | 15 ++ .../v1.20/fail/seccomp_baseline0.yaml | 16 ++ .../v1.20/fail/seccomp_baseline1.yaml | 16 ++ .../v1.20/fail/seccomp_baseline2.yaml | 16 ++ .../v1.20/pass/seccomp_baseline0.yaml | 20 +++ 
.../v1.20/pass/seccomp_baseline1.yaml | 23 +++ .../v1.21/fail/seccomp_baseline0.yaml | 16 ++ .../v1.21/fail/seccomp_baseline1.yaml | 16 ++ .../v1.21/fail/seccomp_baseline2.yaml | 16 ++ .../v1.21/pass/seccomp_baseline0.yaml | 20 +++ .../v1.21/pass/seccomp_baseline1.yaml | 23 +++ .../v1.22/fail/seccomp_baseline0.yaml | 16 ++ .../v1.22/fail/seccomp_baseline1.yaml | 16 ++ .../v1.22/fail/seccomp_baseline2.yaml | 16 ++ .../v1.22/pass/seccomp_baseline0.yaml | 20 +++ .../v1.22/pass/seccomp_baseline1.yaml | 23 +++ .../baseline/v1.3/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.3/fail/seccomp_baseline1.yaml | 13 ++ .../baseline/v1.3/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.3/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.3/pass/seccomp_baseline1.yaml | 15 ++ .../baseline/v1.4/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.4/fail/seccomp_baseline1.yaml | 13 ++ .../baseline/v1.4/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.4/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.4/pass/seccomp_baseline1.yaml | 15 ++ .../baseline/v1.5/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.5/fail/seccomp_baseline1.yaml | 13 ++ .../baseline/v1.5/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.5/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.5/pass/seccomp_baseline1.yaml | 15 ++ .../baseline/v1.6/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.6/fail/seccomp_baseline1.yaml | 13 ++ .../baseline/v1.6/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.6/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.6/pass/seccomp_baseline1.yaml | 15 ++ .../baseline/v1.7/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.7/fail/seccomp_baseline1.yaml | 13 ++ .../baseline/v1.7/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.7/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.7/pass/seccomp_baseline1.yaml | 15 ++ .../baseline/v1.8/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.8/fail/seccomp_baseline1.yaml | 13 ++ 
.../baseline/v1.8/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.8/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.8/pass/seccomp_baseline1.yaml | 15 ++ .../baseline/v1.9/fail/seccomp_baseline0.yaml | 13 ++ .../baseline/v1.9/fail/seccomp_baseline1.yaml | 13 ++ .../baseline/v1.9/fail/seccomp_baseline2.yaml | 13 ++ .../baseline/v1.9/pass/seccomp_baseline0.yaml | 15 ++ .../baseline/v1.9/pass/seccomp_baseline1.yaml | 15 ++ .../v1.0/fail/seccomp_baseline0.yaml | 15 ++ .../v1.0/fail/seccomp_baseline1.yaml | 15 ++ .../v1.0/fail/seccomp_baseline2.yaml | 15 ++ .../v1.0/pass/seccomp_baseline0.yaml | 17 +++ .../v1.0/pass/seccomp_baseline1.yaml | 17 +++ .../v1.1/fail/seccomp_baseline0.yaml | 15 ++ .../v1.1/fail/seccomp_baseline1.yaml | 15 ++ .../v1.1/fail/seccomp_baseline2.yaml | 15 ++ .../v1.1/pass/seccomp_baseline0.yaml | 17 +++ .../v1.1/pass/seccomp_baseline1.yaml | 17 +++ .../v1.10/fail/seccomp_baseline0.yaml | 19 +++ .../v1.10/fail/seccomp_baseline1.yaml | 19 +++ .../v1.10/fail/seccomp_baseline2.yaml | 19 +++ .../v1.10/pass/seccomp_baseline0.yaml | 21 +++ .../v1.10/pass/seccomp_baseline1.yaml | 21 +++ .../v1.11/fail/seccomp_baseline0.yaml | 19 +++ .../v1.11/fail/seccomp_baseline1.yaml | 19 +++ .../v1.11/fail/seccomp_baseline2.yaml | 19 +++ .../v1.11/pass/seccomp_baseline0.yaml | 21 +++ .../v1.11/pass/seccomp_baseline1.yaml | 21 +++ .../v1.12/fail/seccomp_baseline0.yaml | 19 +++ .../v1.12/fail/seccomp_baseline1.yaml | 19 +++ .../v1.12/fail/seccomp_baseline2.yaml | 19 +++ .../v1.12/pass/seccomp_baseline0.yaml | 21 +++ .../v1.12/pass/seccomp_baseline1.yaml | 21 +++ .../v1.13/fail/seccomp_baseline0.yaml | 19 +++ .../v1.13/fail/seccomp_baseline1.yaml | 19 +++ .../v1.13/fail/seccomp_baseline2.yaml | 19 +++ .../v1.13/pass/seccomp_baseline0.yaml | 21 +++ .../v1.13/pass/seccomp_baseline1.yaml | 21 +++ .../v1.14/fail/seccomp_baseline0.yaml | 19 +++ .../v1.14/fail/seccomp_baseline1.yaml | 19 +++ .../v1.14/fail/seccomp_baseline2.yaml | 19 +++ 
.../v1.14/pass/seccomp_baseline0.yaml | 21 +++ .../v1.14/pass/seccomp_baseline1.yaml | 21 +++ .../v1.15/fail/seccomp_baseline0.yaml | 19 +++ .../v1.15/fail/seccomp_baseline1.yaml | 19 +++ .../v1.15/fail/seccomp_baseline2.yaml | 19 +++ .../v1.15/pass/seccomp_baseline0.yaml | 21 +++ .../v1.15/pass/seccomp_baseline1.yaml | 21 +++ .../v1.16/fail/seccomp_baseline0.yaml | 19 +++ .../v1.16/fail/seccomp_baseline1.yaml | 19 +++ .../v1.16/fail/seccomp_baseline2.yaml | 19 +++ .../v1.16/pass/seccomp_baseline0.yaml | 21 +++ .../v1.16/pass/seccomp_baseline1.yaml | 21 +++ .../v1.17/fail/seccomp_baseline0.yaml | 19 +++ .../v1.17/fail/seccomp_baseline1.yaml | 19 +++ .../v1.17/fail/seccomp_baseline2.yaml | 19 +++ .../v1.17/pass/seccomp_baseline0.yaml | 21 +++ .../v1.17/pass/seccomp_baseline1.yaml | 21 +++ .../v1.18/fail/seccomp_baseline0.yaml | 19 +++ .../v1.18/fail/seccomp_baseline1.yaml | 19 +++ .../v1.18/fail/seccomp_baseline2.yaml | 19 +++ .../v1.18/pass/seccomp_baseline0.yaml | 21 +++ .../v1.18/pass/seccomp_baseline1.yaml | 21 +++ .../v1.19/fail/addcapabilities0.yaml | 2 + .../v1.19/fail/addcapabilities1.yaml | 2 + .../v1.19/fail/addcapabilities2.yaml | 2 + .../v1.19/fail/addcapabilities3.yaml | 2 + .../v1.19/fail/addcapabilities4.yaml | 2 + .../v1.19/fail/addcapabilities5.yaml | 2 + .../v1.19/fail/addcapabilities6.yaml | 2 + .../v1.19/fail/addcapabilities7.yaml | 2 + .../v1.19/fail/allowprivilegeescalation0.yaml | 2 + .../v1.19/fail/allowprivilegeescalation1.yaml | 2 + .../v1.19/fail/allowprivilegeescalation2.yaml | 2 + .../v1.19/fail/allowprivilegeescalation3.yaml | 2 + .../v1.19/fail/allowprivilegeescalation4.yaml | 2 + .../v1.19/fail/allowprivilegeescalation5.yaml | 2 + .../v1.19/fail/apparmorprofile0.yaml | 2 + .../v1.19/fail/apparmorprofile1.yaml | 2 + .../v1.19/fail/hostnamespaces0.yaml | 2 + .../v1.19/fail/hostnamespaces1.yaml | 2 + .../v1.19/fail/hostnamespaces2.yaml | 2 + .../restricted/v1.19/fail/hostpath0.yaml | 2 + .../restricted/v1.19/fail/hostpath1.yaml | 2 + 
.../restricted/v1.19/fail/hostports0.yaml | 2 + .../restricted/v1.19/fail/hostports1.yaml | 2 + .../restricted/v1.19/fail/hostports2.yaml | 2 + .../restricted/v1.19/fail/hostprocess0.yaml | 2 + .../restricted/v1.19/fail/hostprocess1.yaml | 2 + .../restricted/v1.19/fail/privileged0.yaml | 2 + .../restricted/v1.19/fail/privileged1.yaml | 2 + .../restricted/v1.19/fail/procmount0.yaml | 2 + .../restricted/v1.19/fail/procmount1.yaml | 2 + .../v1.19/fail/restrictedvolumes0.yaml | 2 + .../v1.19/fail/restrictedvolumes1.yaml | 2 + .../v1.19/fail/restrictedvolumes10.yaml | 2 + .../v1.19/fail/restrictedvolumes11.yaml | 2 + .../v1.19/fail/restrictedvolumes12.yaml | 2 + .../v1.19/fail/restrictedvolumes13.yaml | 2 + .../v1.19/fail/restrictedvolumes14.yaml | 2 + .../v1.19/fail/restrictedvolumes15.yaml | 2 + .../v1.19/fail/restrictedvolumes16.yaml | 2 + .../v1.19/fail/restrictedvolumes17.yaml | 2 + .../v1.19/fail/restrictedvolumes18.yaml | 2 + .../v1.19/fail/restrictedvolumes19.yaml | 2 + .../v1.19/fail/restrictedvolumes2.yaml | 2 + .../v1.19/fail/restrictedvolumes3.yaml | 2 + .../v1.19/fail/restrictedvolumes4.yaml | 2 + .../v1.19/fail/restrictedvolumes5.yaml | 2 + .../v1.19/fail/restrictedvolumes6.yaml | 2 + .../v1.19/fail/restrictedvolumes7.yaml | 2 + .../v1.19/fail/restrictedvolumes8.yaml | 2 + .../v1.19/fail/restrictedvolumes9.yaml | 2 + .../restricted/v1.19/fail/runasnonroot0.yaml | 4 +- .../restricted/v1.19/fail/runasnonroot1.yaml | 2 + .../restricted/v1.19/fail/runasnonroot2.yaml | 2 + .../restricted/v1.19/fail/runasnonroot3.yaml | 2 + .../v1.19/fail/seccomp_baseline0.yaml | 19 +++ .../v1.19/fail/seccomp_baseline1.yaml | 21 +++ .../v1.19/fail/seccomp_baseline2.yaml | 21 +++ .../v1.19/fail/seccomp_restricted0.yaml | 17 +++ .../v1.19/fail/seccomp_restricted1.yaml | 19 +++ .../v1.19/fail/seccomp_restricted2.yaml | 19 +++ .../v1.19/fail/seccomp_restricted3.yaml | 19 +++ .../v1.19/fail/seccomp_restricted4.yaml | 21 +++ .../v1.19/fail/seccomp_restricted5.yaml | 21 +++ 
.../restricted/v1.19/fail/selinux0.yaml | 2 + .../restricted/v1.19/fail/selinux1.yaml | 2 + .../restricted/v1.19/fail/selinux2.yaml | 2 + .../restricted/v1.19/fail/selinux3.yaml | 2 + .../restricted/v1.19/fail/selinux4.yaml | 2 + .../restricted/v1.19/fail/selinux5.yaml | 2 + .../restricted/v1.19/fail/selinux6.yaml | 2 + .../restricted/v1.19/fail/selinux7.yaml | 2 + .../restricted/v1.19/fail/selinux8.yaml | 2 + .../restricted/v1.19/fail/sysctls0.yaml | 2 + .../v1.19/pass/addcapabilities0.yaml | 2 + .../v1.19/pass/addcapabilities1.yaml | 2 + .../v1.19/pass/apparmorprofile0.yaml | 2 + .../testdata/restricted/v1.19/pass/base.yaml | 2 + .../restricted/v1.19/pass/hostports0.yaml | 2 + .../restricted/v1.19/pass/privileged0.yaml | 2 + .../restricted/v1.19/pass/procmount0.yaml | 2 + .../v1.19/pass/restrictedvolumes0.yaml | 2 + .../restricted/v1.19/pass/runasnonroot0.yaml | 2 + .../restricted/v1.19/pass/runasnonroot1.yaml | 4 +- .../restricted/v1.19/pass/runasnonroot2.yaml | 2 + .../v1.19/pass/seccomp_restricted0.yaml | 19 +++ .../v1.19/pass/seccomp_restricted1.yaml | 20 +++ .../v1.19/pass/seccomp_restricted2.yaml | 21 +++ .../v1.19/pass/seccomp_restricted3.yaml | 23 +++ .../restricted/v1.19/pass/selinux0.yaml | 2 + .../restricted/v1.19/pass/selinux1.yaml | 2 + .../restricted/v1.19/pass/selinux10.yaml | 2 + .../restricted/v1.19/pass/selinux11.yaml | 2 + .../restricted/v1.19/pass/selinux12.yaml | 2 + .../restricted/v1.19/pass/selinux13.yaml | 2 + .../restricted/v1.19/pass/selinux14.yaml | 2 + .../restricted/v1.19/pass/selinux15.yaml | 2 + .../restricted/v1.19/pass/selinux16.yaml | 2 + .../restricted/v1.19/pass/selinux17.yaml | 2 + .../restricted/v1.19/pass/selinux18.yaml | 2 + .../restricted/v1.19/pass/selinux19.yaml | 2 + .../restricted/v1.19/pass/selinux2.yaml | 2 + .../restricted/v1.19/pass/selinux20.yaml | 2 + .../restricted/v1.19/pass/selinux3.yaml | 2 + .../restricted/v1.19/pass/selinux4.yaml | 2 + .../restricted/v1.19/pass/selinux5.yaml | 2 + 
.../restricted/v1.19/pass/selinux6.yaml | 2 + .../restricted/v1.19/pass/selinux7.yaml | 2 + .../restricted/v1.19/pass/selinux8.yaml | 2 + .../restricted/v1.19/pass/selinux9.yaml | 2 + .../restricted/v1.19/pass/sysctls0.yaml | 2 + .../restricted/v1.19/pass/sysctls1.yaml | 2 + .../v1.2/fail/seccomp_baseline0.yaml | 15 ++ .../v1.2/fail/seccomp_baseline1.yaml | 15 ++ .../v1.2/fail/seccomp_baseline2.yaml | 15 ++ .../v1.2/pass/seccomp_baseline0.yaml | 17 +++ .../v1.2/pass/seccomp_baseline1.yaml | 17 +++ .../v1.20/fail/addcapabilities0.yaml | 2 + .../v1.20/fail/addcapabilities1.yaml | 2 + .../v1.20/fail/addcapabilities2.yaml | 2 + .../v1.20/fail/addcapabilities3.yaml | 2 + .../v1.20/fail/addcapabilities4.yaml | 2 + .../v1.20/fail/addcapabilities5.yaml | 2 + .../v1.20/fail/addcapabilities6.yaml | 2 + .../v1.20/fail/addcapabilities7.yaml | 2 + .../v1.20/fail/allowprivilegeescalation0.yaml | 2 + .../v1.20/fail/allowprivilegeescalation1.yaml | 2 + .../v1.20/fail/allowprivilegeescalation2.yaml | 2 + .../v1.20/fail/allowprivilegeescalation3.yaml | 2 + .../v1.20/fail/allowprivilegeescalation4.yaml | 2 + .../v1.20/fail/allowprivilegeescalation5.yaml | 2 + .../v1.20/fail/apparmorprofile0.yaml | 2 + .../v1.20/fail/apparmorprofile1.yaml | 2 + .../v1.20/fail/hostnamespaces0.yaml | 2 + .../v1.20/fail/hostnamespaces1.yaml | 2 + .../v1.20/fail/hostnamespaces2.yaml | 2 + .../restricted/v1.20/fail/hostpath0.yaml | 2 + .../restricted/v1.20/fail/hostpath1.yaml | 2 + .../restricted/v1.20/fail/hostports0.yaml | 2 + .../restricted/v1.20/fail/hostports1.yaml | 2 + .../restricted/v1.20/fail/hostports2.yaml | 2 + .../restricted/v1.20/fail/hostprocess0.yaml | 2 + .../restricted/v1.20/fail/hostprocess1.yaml | 2 + .../restricted/v1.20/fail/privileged0.yaml | 2 + .../restricted/v1.20/fail/privileged1.yaml | 2 + .../restricted/v1.20/fail/procmount0.yaml | 2 + .../restricted/v1.20/fail/procmount1.yaml | 2 + .../v1.20/fail/restrictedvolumes0.yaml | 2 + .../v1.20/fail/restrictedvolumes1.yaml | 2 + 
.../v1.20/fail/restrictedvolumes10.yaml | 2 + .../v1.20/fail/restrictedvolumes11.yaml | 2 + .../v1.20/fail/restrictedvolumes12.yaml | 2 + .../v1.20/fail/restrictedvolumes13.yaml | 2 + .../v1.20/fail/restrictedvolumes14.yaml | 2 + .../v1.20/fail/restrictedvolumes15.yaml | 2 + .../v1.20/fail/restrictedvolumes16.yaml | 2 + .../v1.20/fail/restrictedvolumes17.yaml | 2 + .../v1.20/fail/restrictedvolumes18.yaml | 2 + .../v1.20/fail/restrictedvolumes19.yaml | 2 + .../v1.20/fail/restrictedvolumes2.yaml | 2 + .../v1.20/fail/restrictedvolumes3.yaml | 2 + .../v1.20/fail/restrictedvolumes4.yaml | 2 + .../v1.20/fail/restrictedvolumes5.yaml | 2 + .../v1.20/fail/restrictedvolumes6.yaml | 2 + .../v1.20/fail/restrictedvolumes7.yaml | 2 + .../v1.20/fail/restrictedvolumes8.yaml | 2 + .../v1.20/fail/restrictedvolumes9.yaml | 2 + .../restricted/v1.20/fail/runasnonroot0.yaml | 4 +- .../restricted/v1.20/fail/runasnonroot1.yaml | 2 + .../restricted/v1.20/fail/runasnonroot2.yaml | 2 + .../restricted/v1.20/fail/runasnonroot3.yaml | 2 + .../v1.20/fail/seccomp_baseline0.yaml | 19 +++ .../v1.20/fail/seccomp_baseline1.yaml | 21 +++ .../v1.20/fail/seccomp_baseline2.yaml | 21 +++ .../v1.20/fail/seccomp_restricted0.yaml | 17 +++ .../v1.20/fail/seccomp_restricted1.yaml | 19 +++ .../v1.20/fail/seccomp_restricted2.yaml | 19 +++ .../v1.20/fail/seccomp_restricted3.yaml | 19 +++ .../v1.20/fail/seccomp_restricted4.yaml | 21 +++ .../v1.20/fail/seccomp_restricted5.yaml | 21 +++ .../restricted/v1.20/fail/selinux0.yaml | 2 + .../restricted/v1.20/fail/selinux1.yaml | 2 + .../restricted/v1.20/fail/selinux2.yaml | 2 + .../restricted/v1.20/fail/selinux3.yaml | 2 + .../restricted/v1.20/fail/selinux4.yaml | 2 + .../restricted/v1.20/fail/selinux5.yaml | 2 + .../restricted/v1.20/fail/selinux6.yaml | 2 + .../restricted/v1.20/fail/selinux7.yaml | 2 + .../restricted/v1.20/fail/selinux8.yaml | 2 + .../restricted/v1.20/fail/sysctls0.yaml | 2 + .../v1.20/pass/addcapabilities0.yaml | 2 + .../v1.20/pass/addcapabilities1.yaml 
| 2 + .../v1.20/pass/apparmorprofile0.yaml | 2 + .../testdata/restricted/v1.20/pass/base.yaml | 2 + .../restricted/v1.20/pass/hostports0.yaml | 2 + .../restricted/v1.20/pass/privileged0.yaml | 2 + .../restricted/v1.20/pass/procmount0.yaml | 2 + .../v1.20/pass/restrictedvolumes0.yaml | 2 + .../restricted/v1.20/pass/runasnonroot0.yaml | 2 + .../restricted/v1.20/pass/runasnonroot1.yaml | 4 +- .../restricted/v1.20/pass/runasnonroot2.yaml | 2 + .../v1.20/pass/seccomp_restricted0.yaml | 19 +++ .../v1.20/pass/seccomp_restricted1.yaml | 20 +++ .../v1.20/pass/seccomp_restricted2.yaml | 21 +++ .../v1.20/pass/seccomp_restricted3.yaml | 23 +++ .../restricted/v1.20/pass/selinux0.yaml | 2 + .../restricted/v1.20/pass/selinux1.yaml | 2 + .../restricted/v1.20/pass/selinux10.yaml | 2 + .../restricted/v1.20/pass/selinux11.yaml | 2 + .../restricted/v1.20/pass/selinux12.yaml | 2 + .../restricted/v1.20/pass/selinux13.yaml | 2 + .../restricted/v1.20/pass/selinux14.yaml | 2 + .../restricted/v1.20/pass/selinux15.yaml | 2 + .../restricted/v1.20/pass/selinux16.yaml | 2 + .../restricted/v1.20/pass/selinux17.yaml | 2 + .../restricted/v1.20/pass/selinux18.yaml | 2 + .../restricted/v1.20/pass/selinux19.yaml | 2 + .../restricted/v1.20/pass/selinux2.yaml | 2 + .../restricted/v1.20/pass/selinux20.yaml | 2 + .../restricted/v1.20/pass/selinux3.yaml | 2 + .../restricted/v1.20/pass/selinux4.yaml | 2 + .../restricted/v1.20/pass/selinux5.yaml | 2 + .../restricted/v1.20/pass/selinux6.yaml | 2 + .../restricted/v1.20/pass/selinux7.yaml | 2 + .../restricted/v1.20/pass/selinux8.yaml | 2 + .../restricted/v1.20/pass/selinux9.yaml | 2 + .../restricted/v1.20/pass/sysctls0.yaml | 2 + .../restricted/v1.20/pass/sysctls1.yaml | 2 + .../v1.21/fail/addcapabilities0.yaml | 2 + .../v1.21/fail/addcapabilities1.yaml | 2 + .../v1.21/fail/addcapabilities2.yaml | 2 + .../v1.21/fail/addcapabilities3.yaml | 2 + .../v1.21/fail/addcapabilities4.yaml | 2 + .../v1.21/fail/addcapabilities5.yaml | 2 + 
.../v1.21/fail/addcapabilities6.yaml | 2 + .../v1.21/fail/addcapabilities7.yaml | 2 + .../v1.21/fail/allowprivilegeescalation0.yaml | 2 + .../v1.21/fail/allowprivilegeescalation1.yaml | 2 + .../v1.21/fail/allowprivilegeescalation2.yaml | 2 + .../v1.21/fail/allowprivilegeescalation3.yaml | 2 + .../v1.21/fail/allowprivilegeescalation4.yaml | 2 + .../v1.21/fail/allowprivilegeescalation5.yaml | 2 + .../v1.21/fail/apparmorprofile0.yaml | 2 + .../v1.21/fail/apparmorprofile1.yaml | 2 + .../v1.21/fail/hostnamespaces0.yaml | 2 + .../v1.21/fail/hostnamespaces1.yaml | 2 + .../v1.21/fail/hostnamespaces2.yaml | 2 + .../restricted/v1.21/fail/hostpath0.yaml | 2 + .../restricted/v1.21/fail/hostpath1.yaml | 2 + .../restricted/v1.21/fail/hostports0.yaml | 2 + .../restricted/v1.21/fail/hostports1.yaml | 2 + .../restricted/v1.21/fail/hostports2.yaml | 2 + .../restricted/v1.21/fail/hostprocess0.yaml | 2 + .../restricted/v1.21/fail/hostprocess1.yaml | 2 + .../restricted/v1.21/fail/privileged0.yaml | 2 + .../restricted/v1.21/fail/privileged1.yaml | 2 + .../restricted/v1.21/fail/procmount0.yaml | 2 + .../restricted/v1.21/fail/procmount1.yaml | 2 + .../v1.21/fail/restrictedvolumes0.yaml | 2 + .../v1.21/fail/restrictedvolumes1.yaml | 2 + .../v1.21/fail/restrictedvolumes10.yaml | 2 + .../v1.21/fail/restrictedvolumes11.yaml | 2 + .../v1.21/fail/restrictedvolumes12.yaml | 2 + .../v1.21/fail/restrictedvolumes13.yaml | 2 + .../v1.21/fail/restrictedvolumes14.yaml | 2 + .../v1.21/fail/restrictedvolumes15.yaml | 2 + .../v1.21/fail/restrictedvolumes16.yaml | 2 + .../v1.21/fail/restrictedvolumes17.yaml | 2 + .../v1.21/fail/restrictedvolumes18.yaml | 2 + .../v1.21/fail/restrictedvolumes19.yaml | 2 + .../v1.21/fail/restrictedvolumes2.yaml | 2 + .../v1.21/fail/restrictedvolumes3.yaml | 2 + .../v1.21/fail/restrictedvolumes4.yaml | 2 + .../v1.21/fail/restrictedvolumes5.yaml | 2 + .../v1.21/fail/restrictedvolumes6.yaml | 2 + .../v1.21/fail/restrictedvolumes7.yaml | 2 + 
.../v1.21/fail/restrictedvolumes8.yaml | 2 + .../v1.21/fail/restrictedvolumes9.yaml | 2 + .../restricted/v1.21/fail/runasnonroot0.yaml | 4 +- .../restricted/v1.21/fail/runasnonroot1.yaml | 2 + .../restricted/v1.21/fail/runasnonroot2.yaml | 2 + .../restricted/v1.21/fail/runasnonroot3.yaml | 2 + .../v1.21/fail/seccomp_baseline0.yaml | 19 +++ .../v1.21/fail/seccomp_baseline1.yaml | 21 +++ .../v1.21/fail/seccomp_baseline2.yaml | 21 +++ .../v1.21/fail/seccomp_restricted0.yaml | 17 +++ .../v1.21/fail/seccomp_restricted1.yaml | 19 +++ .../v1.21/fail/seccomp_restricted2.yaml | 19 +++ .../v1.21/fail/seccomp_restricted3.yaml | 19 +++ .../v1.21/fail/seccomp_restricted4.yaml | 21 +++ .../v1.21/fail/seccomp_restricted5.yaml | 21 +++ .../restricted/v1.21/fail/selinux0.yaml | 2 + .../restricted/v1.21/fail/selinux1.yaml | 2 + .../restricted/v1.21/fail/selinux2.yaml | 2 + .../restricted/v1.21/fail/selinux3.yaml | 2 + .../restricted/v1.21/fail/selinux4.yaml | 2 + .../restricted/v1.21/fail/selinux5.yaml | 2 + .../restricted/v1.21/fail/selinux6.yaml | 2 + .../restricted/v1.21/fail/selinux7.yaml | 2 + .../restricted/v1.21/fail/selinux8.yaml | 2 + .../restricted/v1.21/fail/sysctls0.yaml | 2 + .../v1.21/pass/addcapabilities0.yaml | 2 + .../v1.21/pass/addcapabilities1.yaml | 2 + .../v1.21/pass/apparmorprofile0.yaml | 2 + .../testdata/restricted/v1.21/pass/base.yaml | 2 + .../restricted/v1.21/pass/hostports0.yaml | 2 + .../restricted/v1.21/pass/privileged0.yaml | 2 + .../restricted/v1.21/pass/procmount0.yaml | 2 + .../v1.21/pass/restrictedvolumes0.yaml | 2 + .../restricted/v1.21/pass/runasnonroot0.yaml | 2 + .../restricted/v1.21/pass/runasnonroot1.yaml | 4 +- .../restricted/v1.21/pass/runasnonroot2.yaml | 2 + .../v1.21/pass/seccomp_restricted0.yaml | 19 +++ .../v1.21/pass/seccomp_restricted1.yaml | 20 +++ .../v1.21/pass/seccomp_restricted2.yaml | 21 +++ .../v1.21/pass/seccomp_restricted3.yaml | 23 +++ .../restricted/v1.21/pass/selinux0.yaml | 2 + .../restricted/v1.21/pass/selinux1.yaml | 2 
+ .../restricted/v1.21/pass/selinux10.yaml | 2 + .../restricted/v1.21/pass/selinux11.yaml | 2 + .../restricted/v1.21/pass/selinux12.yaml | 2 + .../restricted/v1.21/pass/selinux13.yaml | 2 + .../restricted/v1.21/pass/selinux14.yaml | 2 + .../restricted/v1.21/pass/selinux15.yaml | 2 + .../restricted/v1.21/pass/selinux16.yaml | 2 + .../restricted/v1.21/pass/selinux17.yaml | 2 + .../restricted/v1.21/pass/selinux18.yaml | 2 + .../restricted/v1.21/pass/selinux19.yaml | 2 + .../restricted/v1.21/pass/selinux2.yaml | 2 + .../restricted/v1.21/pass/selinux20.yaml | 2 + .../restricted/v1.21/pass/selinux3.yaml | 2 + .../restricted/v1.21/pass/selinux4.yaml | 2 + .../restricted/v1.21/pass/selinux5.yaml | 2 + .../restricted/v1.21/pass/selinux6.yaml | 2 + .../restricted/v1.21/pass/selinux7.yaml | 2 + .../restricted/v1.21/pass/selinux8.yaml | 2 + .../restricted/v1.21/pass/selinux9.yaml | 2 + .../restricted/v1.21/pass/sysctls0.yaml | 2 + .../restricted/v1.21/pass/sysctls1.yaml | 2 + .../v1.22/fail/addcapabilities0.yaml | 2 + .../v1.22/fail/addcapabilities1.yaml | 2 + .../v1.22/fail/addcapabilities2.yaml | 2 + .../v1.22/fail/addcapabilities3.yaml | 2 + .../v1.22/fail/addcapabilities4.yaml | 2 + .../v1.22/fail/addcapabilities5.yaml | 2 + .../v1.22/fail/addcapabilities6.yaml | 2 + .../v1.22/fail/addcapabilities7.yaml | 2 + .../v1.22/fail/allowprivilegeescalation0.yaml | 2 + .../v1.22/fail/allowprivilegeescalation1.yaml | 2 + .../v1.22/fail/allowprivilegeescalation2.yaml | 2 + .../v1.22/fail/allowprivilegeescalation3.yaml | 2 + .../v1.22/fail/allowprivilegeescalation4.yaml | 2 + .../v1.22/fail/allowprivilegeescalation5.yaml | 2 + .../v1.22/fail/apparmorprofile0.yaml | 2 + .../v1.22/fail/apparmorprofile1.yaml | 2 + .../v1.22/fail/hostnamespaces0.yaml | 2 + .../v1.22/fail/hostnamespaces1.yaml | 2 + .../v1.22/fail/hostnamespaces2.yaml | 2 + .../restricted/v1.22/fail/hostpath0.yaml | 2 + .../restricted/v1.22/fail/hostpath1.yaml | 2 + .../restricted/v1.22/fail/hostports0.yaml | 2 + 
.../restricted/v1.22/fail/hostports1.yaml | 2 + .../restricted/v1.22/fail/hostports2.yaml | 2 + .../restricted/v1.22/fail/hostprocess0.yaml | 2 + .../restricted/v1.22/fail/hostprocess1.yaml | 2 + .../restricted/v1.22/fail/privileged0.yaml | 2 + .../restricted/v1.22/fail/privileged1.yaml | 2 + .../restricted/v1.22/fail/procmount0.yaml | 2 + .../restricted/v1.22/fail/procmount1.yaml | 2 + .../v1.22/fail/restrictedvolumes0.yaml | 2 + .../v1.22/fail/restrictedvolumes1.yaml | 2 + .../v1.22/fail/restrictedvolumes10.yaml | 2 + .../v1.22/fail/restrictedvolumes11.yaml | 2 + .../v1.22/fail/restrictedvolumes12.yaml | 2 + .../v1.22/fail/restrictedvolumes13.yaml | 2 + .../v1.22/fail/restrictedvolumes14.yaml | 2 + .../v1.22/fail/restrictedvolumes15.yaml | 2 + .../v1.22/fail/restrictedvolumes16.yaml | 2 + .../v1.22/fail/restrictedvolumes17.yaml | 2 + .../v1.22/fail/restrictedvolumes18.yaml | 2 + .../v1.22/fail/restrictedvolumes19.yaml | 2 + .../v1.22/fail/restrictedvolumes2.yaml | 2 + .../v1.22/fail/restrictedvolumes3.yaml | 2 + .../v1.22/fail/restrictedvolumes4.yaml | 2 + .../v1.22/fail/restrictedvolumes5.yaml | 2 + .../v1.22/fail/restrictedvolumes6.yaml | 2 + .../v1.22/fail/restrictedvolumes7.yaml | 2 + .../v1.22/fail/restrictedvolumes8.yaml | 2 + .../v1.22/fail/restrictedvolumes9.yaml | 2 + .../restricted/v1.22/fail/runasnonroot0.yaml | 4 +- .../restricted/v1.22/fail/runasnonroot1.yaml | 2 + .../restricted/v1.22/fail/runasnonroot2.yaml | 2 + .../restricted/v1.22/fail/runasnonroot3.yaml | 2 + .../v1.22/fail/seccomp_baseline0.yaml | 19 +++ .../v1.22/fail/seccomp_baseline1.yaml | 21 +++ .../v1.22/fail/seccomp_baseline2.yaml | 21 +++ .../v1.22/fail/seccomp_restricted0.yaml | 17 +++ .../v1.22/fail/seccomp_restricted1.yaml | 19 +++ .../v1.22/fail/seccomp_restricted2.yaml | 19 +++ .../v1.22/fail/seccomp_restricted3.yaml | 19 +++ .../v1.22/fail/seccomp_restricted4.yaml | 21 +++ .../v1.22/fail/seccomp_restricted5.yaml | 21 +++ .../restricted/v1.22/fail/selinux0.yaml | 2 + 
.../restricted/v1.22/fail/selinux1.yaml | 2 + .../restricted/v1.22/fail/selinux2.yaml | 2 + .../restricted/v1.22/fail/selinux3.yaml | 2 + .../restricted/v1.22/fail/selinux4.yaml | 2 + .../restricted/v1.22/fail/selinux5.yaml | 2 + .../restricted/v1.22/fail/selinux6.yaml | 2 + .../restricted/v1.22/fail/selinux7.yaml | 2 + .../restricted/v1.22/fail/selinux8.yaml | 2 + .../restricted/v1.22/fail/sysctls0.yaml | 2 + .../v1.22/pass/addcapabilities0.yaml | 2 + .../v1.22/pass/addcapabilities1.yaml | 2 + .../v1.22/pass/apparmorprofile0.yaml | 2 + .../testdata/restricted/v1.22/pass/base.yaml | 2 + .../restricted/v1.22/pass/hostports0.yaml | 2 + .../restricted/v1.22/pass/privileged0.yaml | 2 + .../restricted/v1.22/pass/procmount0.yaml | 2 + .../v1.22/pass/restrictedvolumes0.yaml | 2 + .../restricted/v1.22/pass/runasnonroot0.yaml | 2 + .../restricted/v1.22/pass/runasnonroot1.yaml | 4 +- .../restricted/v1.22/pass/runasnonroot2.yaml | 2 + .../v1.22/pass/seccomp_restricted0.yaml | 19 +++ .../v1.22/pass/seccomp_restricted1.yaml | 20 +++ .../v1.22/pass/seccomp_restricted2.yaml | 21 +++ .../v1.22/pass/seccomp_restricted3.yaml | 23 +++ .../restricted/v1.22/pass/selinux0.yaml | 2 + .../restricted/v1.22/pass/selinux1.yaml | 2 + .../restricted/v1.22/pass/selinux10.yaml | 2 + .../restricted/v1.22/pass/selinux11.yaml | 2 + .../restricted/v1.22/pass/selinux12.yaml | 2 + .../restricted/v1.22/pass/selinux13.yaml | 2 + .../restricted/v1.22/pass/selinux14.yaml | 2 + .../restricted/v1.22/pass/selinux15.yaml | 2 + .../restricted/v1.22/pass/selinux16.yaml | 2 + .../restricted/v1.22/pass/selinux17.yaml | 2 + .../restricted/v1.22/pass/selinux18.yaml | 2 + .../restricted/v1.22/pass/selinux19.yaml | 2 + .../restricted/v1.22/pass/selinux2.yaml | 2 + .../restricted/v1.22/pass/selinux20.yaml | 2 + .../restricted/v1.22/pass/selinux3.yaml | 2 + .../restricted/v1.22/pass/selinux4.yaml | 2 + .../restricted/v1.22/pass/selinux5.yaml | 2 + .../restricted/v1.22/pass/selinux6.yaml | 2 + 
.../restricted/v1.22/pass/selinux7.yaml | 2 + .../restricted/v1.22/pass/selinux8.yaml | 2 + .../restricted/v1.22/pass/selinux9.yaml | 2 + .../restricted/v1.22/pass/sysctls0.yaml | 2 + .../restricted/v1.22/pass/sysctls1.yaml | 2 + .../v1.3/fail/seccomp_baseline0.yaml | 15 ++ .../v1.3/fail/seccomp_baseline1.yaml | 15 ++ .../v1.3/fail/seccomp_baseline2.yaml | 15 ++ .../v1.3/pass/seccomp_baseline0.yaml | 17 +++ .../v1.3/pass/seccomp_baseline1.yaml | 17 +++ .../v1.4/fail/seccomp_baseline0.yaml | 15 ++ .../v1.4/fail/seccomp_baseline1.yaml | 15 ++ .../v1.4/fail/seccomp_baseline2.yaml | 15 ++ .../v1.4/pass/seccomp_baseline0.yaml | 17 +++ .../v1.4/pass/seccomp_baseline1.yaml | 17 +++ .../v1.5/fail/seccomp_baseline0.yaml | 15 ++ .../v1.5/fail/seccomp_baseline1.yaml | 15 ++ .../v1.5/fail/seccomp_baseline2.yaml | 15 ++ .../v1.5/pass/seccomp_baseline0.yaml | 17 +++ .../v1.5/pass/seccomp_baseline1.yaml | 17 +++ .../v1.6/fail/seccomp_baseline0.yaml | 15 ++ .../v1.6/fail/seccomp_baseline1.yaml | 15 ++ .../v1.6/fail/seccomp_baseline2.yaml | 15 ++ .../v1.6/pass/seccomp_baseline0.yaml | 17 +++ .../v1.6/pass/seccomp_baseline1.yaml | 17 +++ .../v1.7/fail/seccomp_baseline0.yaml | 15 ++ .../v1.7/fail/seccomp_baseline1.yaml | 15 ++ .../v1.7/fail/seccomp_baseline2.yaml | 15 ++ .../v1.7/pass/seccomp_baseline0.yaml | 17 +++ .../v1.7/pass/seccomp_baseline1.yaml | 17 +++ .../v1.8/fail/seccomp_baseline0.yaml | 19 +++ .../v1.8/fail/seccomp_baseline1.yaml | 19 +++ .../v1.8/fail/seccomp_baseline2.yaml | 19 +++ .../v1.8/pass/seccomp_baseline0.yaml | 21 +++ .../v1.8/pass/seccomp_baseline1.yaml | 21 +++ .../v1.9/fail/seccomp_baseline0.yaml | 19 +++ .../v1.9/fail/seccomp_baseline1.yaml | 19 +++ .../v1.9/fail/seccomp_baseline2.yaml | 19 +++ .../v1.9/pass/seccomp_baseline0.yaml | 21 +++ .../v1.9/pass/seccomp_baseline1.yaml | 21 +++ 661 files changed, 5732 insertions(+), 9 deletions(-) create mode 100644 staging/src/k8s.io/pod-security-admission/policy/check_seccomp_baseline.go create mode 100644 
staging/src/k8s.io/pod-security-admission/policy/check_seccomp_restricted.go create mode 100644 staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_baseline.go create mode 100644 staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_restricted.go create mode 100644 staging/src/k8s.io/pod-security-admission/test/helpers_seccomp.go create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline0.yaml 
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline1.yaml create mode 
100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline0.yaml create 
mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline0.yaml 
create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline2.yaml create 
mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/seccomp_baseline1.yaml create mode 
100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline2.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted5.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted3.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted5.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted5.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted3.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted4.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted5.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted3.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline0.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/seccomp_baseline1.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline1.yaml create mode 100755 
staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline2.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/seccomp_baseline0.yaml create mode 100755 staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/seccomp_baseline1.yaml
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seccomp_baseline.go b/staging/src/k8s.io/pod-security-admission/policy/check_seccomp_baseline.go
new file mode 100644
index 00000000000..829d3e47e58
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccomp_baseline.go
@@ -0,0 +1,140 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+ "fmt"
+ "strings"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+ "k8s.io/pod-security-admission/api"
+)
+
+const (
+ annotationKeyPod = "seccomp.security.alpha.kubernetes.io/pod"
+ annotationKeyContainerPrefix = "container.seccomp.security.alpha.kubernetes.io/"
+ missingRequiredValue = ""
+)
+
+func init() {
+ addCheck(CheckSeccompBaseline)
+}
+
+func fieldValue(f *field.Path, val string) string {
+ return fmt.Sprintf("%s=%s", f.String(), val)
+}
+
+func fieldValueRequired(f *field.Path) string {
+ return fmt.Sprintf("%s=%s", f.String(), missingRequiredValue)
+}
+
+func CheckSeccompBaseline() Check {
+ return Check{
+ ID: "seccomp_baseline",
+ Level: api.LevelBaseline,
+ Versions: []VersionedCheck{
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 0),
+ CheckPod: seccomp_1_0_baseline,
+ },
+ {
+ MinimumVersion: api.MajorMinorVersion(1, 19),
+ CheckPod: seccomp_1_19_baseline,
+ },
+ },
+ }
+}
+
+func validSeccomp(t corev1.SeccompProfileType) bool {
+ return t == corev1.SeccompProfileTypeLocalhost ||
+ t == corev1.SeccompProfileTypeRuntimeDefault
+}
+
+// seccomp_1_0_baseline checks baseline policy on seccomp alpha annotation
+func seccomp_1_0_baseline(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ forbidden := sets.NewString()
+
+ if val, ok := podMetadata.Annotations[annotationKeyPod]; ok {
+ if val == corev1.SeccompProfileNameUnconfined {
+ podAnnotationField := field.NewPath("metadata").Child("annotations", annotationKeyPod)
+ forbidden.Insert(fieldValue(podAnnotationField, val))
+ }
+ }
+
+ visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
+ annotation := annotationKeyContainerPrefix + c.Name
+ if val, ok := podMetadata.Annotations[annotation]; ok {
+ if val == corev1.SeccompProfileNameUnconfined {
+ containerAnnotationField := field.NewPath("metadata").
+ Child("annotations", annotation)
+ forbidden.Insert(fieldValue(containerAnnotationField, val))
+ }
+ }
+ })
+
+ if len(forbidden) > 0 {
+ return CheckResult{
+ Allowed: false,
+ ForbiddenReason: "seccomp profile",
+ ForbiddenDetail: strings.Join(forbidden.List(), ", "),
+ }
+ }
+
+ return CheckResult{Allowed: true}
+}
+
+// seccomp_1_19_baseline checks baseline policy on securityContext.seccompProfile field
+func seccomp_1_19_baseline(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+ forbidden := sets.NewString()
+
+ if podSpec.SecurityContext != nil {
+ if podSpec.SecurityContext.SeccompProfile != nil {
+ seccompType := podSpec.SecurityContext.SeccompProfile.Type
+ if !validSeccomp(seccompType) {
+ podSeccompField := field.NewPath("spec").Child("securityContext", "seccompProfile", "type")
+ forbidden.Insert(fieldValue(podSeccompField, string(seccompType)))
+ }
+ }
+ }
+
+ visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
+ if c.SecurityContext != nil {
+ if c.SecurityContext.SeccompProfile != nil {
+ if c.SecurityContext.SeccompProfile.Type != "" {
+ seccompType := c.SecurityContext.SeccompProfile.Type
+ if !validSeccomp(seccompType) {
+ containerSeccompField := path.Child("securityContext", "seccompProfile", "type")
+ forbidden.Insert(fieldValue(containerSeccompField, string(seccompType)))
+ }
+ }
+ }
+ }
+ })
+
+ if len(forbidden) > 0 {
+ return CheckResult{
+ Allowed: false,
+ ForbiddenReason: "seccomp profile",
+ ForbiddenDetail: strings.Join(forbidden.List(), ", "),
+ }
+ }
+
+ return CheckResult{Allowed: true}
+}
diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_seccomp_restricted.go b/staging/src/k8s.io/pod-security-admission/policy/check_seccomp_restricted.go
new file mode 100644
index 00000000000..75748c23f0d
--- /dev/null
+++ b/staging/src/k8s.io/pod-security-admission/policy/check_seccomp_restricted.go
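Review bot: In seccomp_1_19_baseline the container branch skips a profile whose type is empty (`if c.SecurityContext.SeccompProfile.Type != "" {`), while the pod-level branch above hands the same empty value to validSeccomp and reports it as forbidden, so one input is judged two ways depending on where it sits. Dropping the extra guard makes both levels agree and fail closed: `if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {` followed directly by the `!validSeccomp(seccompType)` test. The function comment should also state that this check reads only the `seccompProfile` field; if, as the MinimumVersion entries suggest, it replaces seccomp_1_0_baseline from 1.19 on, an `unconfined` alpha annotation is no longer looked at, and whether the annotation is always mirrored into the field before this runs is not visible in this patch.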
@@ -0,0 +1,88 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package policy + +import ( + "strings" + + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apimachinery/pkg/util/validation/field" + "k8s.io/pod-security-admission/api" +) + +func init() { + addCheck(CheckSeccompRestricted) +} + +func CheckSeccompRestricted() Check { + return Check{ + ID: "seccomp_restricted", + Level: api.LevelRestricted, + Versions: []VersionedCheck{ + { + MinimumVersion: api.MajorMinorVersion(1, 19), + CheckPod: seccomp_1_19_restricted, + }, + }, + } +} + +// seccomp_1_19_restricted checks restricted policy on securityContext.seccompProfile field +func seccomp_1_19_restricted(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { + forbidden := sets.NewString() + podSeccompField := field.NewPath("spec").Child("securityContext", "seccompProfile", "type") + podSeccompSet := false + + if podSpec.SecurityContext != nil { + if podSpec.SecurityContext.SeccompProfile != nil { + seccompType := podSpec.SecurityContext.SeccompProfile.Type + if !validSeccomp(podSpec.SecurityContext.SeccompProfile.Type) { + forbidden.Insert(fieldValue(podSeccompField, string(seccompType))) + } else { + podSeccompSet = true + } + } + } + + visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) { + if c.SecurityContext != nil && 
c.SecurityContext.SeccompProfile != nil { + seccompType := c.SecurityContext.SeccompProfile.Type + if !validSeccomp(seccompType) { + containerSeccompField := path.Child("securityContext", "seccompProfile", "type") + forbidden.Insert(fieldValue(containerSeccompField, string(seccompType))) + } + return + } + + if !podSeccompSet { + containerSeccompField := path.Child("securityContext", "seccompProfile", "type") + forbidden.Insert(fieldValueRequired(containerSeccompField)) + } + }) + + if len(forbidden) > 0 { + return CheckResult{ + Allowed: false, + ForbiddenReason: "seccomp profile", + ForbiddenDetail: strings.Join(forbidden.List(), ", "), + } + } + + return CheckResult{Allowed: true} +} diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures.go b/staging/src/k8s.io/pod-security-admission/test/fixtures.go index b8ca07294fb..3e2af52b60c 100644 --- a/staging/src/k8s.io/pod-security-admission/test/fixtures.go +++ b/staging/src/k8s.io/pod-security-admission/test/fixtures.go @@ -57,6 +57,15 @@ func init() { p.Spec.InitContainers[0].SecurityContext = &corev1.SecurityContext{AllowPrivilegeEscalation: pointer.BoolPtr(false)} }) minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = restricted_1_8 + + // 1.19+: seccompProfile.type=RuntimeDefault + restricted_1_19 := tweak(restricted_1_8, func(p *corev1.Pod) { + p.Annotations = nil + p.Spec.SecurityContext.SeccompProfile = &corev1.SeccompProfile{ + Type: corev1.SeccompProfileTypeRuntimeDefault, + } + }) + minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = restricted_1_19 } // getValidPod returns a minimal valid pod for the specified level and version. diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_baseline.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_baseline.go new file mode 100644 index 00000000000..428a1f7f567 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_baseline.go 
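Review bot: The comment on `seccomp_1_19_restricted` names the field but not the rule it enforces: a container passes only if it sets an allowed profile itself or inherits one from the pod, and an unset profile is reported through `fieldValueRequired`. I would state that directly, for example `// seccomp_1_19_restricted fails closed: every container must set an allowed seccompProfile.type or inherit one from the pod; unset is a violation.`, and give the exported `CheckSeccompRestricted` a doc comment too. The function reads only `securityContext.seccompProfile`, so whether the alpha annotations are still evaluated for pods at this level depends on the baseline check, which is not fully visible here; a one-line comment saying where that is handled would help. Minor style point: the pod-level branch stores `seccompType` and then passes `podSpec.SecurityContext.SeccompProfile.Type` to `validSeccomp` again, and its two nested nil checks could be one condition, as in the container closure.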
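Review bot: `p.Annotations = nil` in the new `restricted_1_19` tweak clears every annotation inherited from `restricted_1_8`, not only the seccomp ones, so any other annotation an earlier minimal pod relies on would be dropped silently for 1.19+. Removing just the seccomp keys keeps the intent narrow, e.g. `delete(p.Annotations, annotationKeyPod)` plus the per-container keys from `annotationKeyContainer`. The following line dereferences `p.Spec.SecurityContext` without a nil check; presumably an earlier restricted fixture sets it, but that is outside this hunk, as is the start of `init()`.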
@@ -0,0 +1,120 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package test + +import ( + corev1 "k8s.io/api/core/v1" + "k8s.io/pod-security-admission/api" +) + +/* +Note: these fixtures utilize seccomp helper functions that ensure consistency across the +alpha annotation (up to v.1.19) and the securityContext.seccompProfile field (v1.19+). + +The check implementation looks at the appropriate value based on version. +*/ + +func init() { + fixtureData_baseline_1_0 := fixtureGenerator{ + expectErrorSubstring: "seccomp profile", + generatePass: func(p *corev1.Pod) []*corev1.Pod { + // don't generate fixtures if minimal valid pod already has seccomp config + if val, ok := p.Annotations[annotationKeyPod]; ok && + val == corev1.SeccompProfileRuntimeDefault { + return nil + } + + p = ensureAnnotation(p) + return []*corev1.Pod{ + tweak(p, func(p *corev1.Pod) { + p.Annotations[annotationKeyPod] = corev1.SeccompProfileRuntimeDefault + p.Annotations[annotationKeyContainer(p.Spec.Containers[0])] = corev1.SeccompProfileRuntimeDefault + p.Annotations[annotationKeyContainer(p.Spec.InitContainers[0])] = corev1.SeccompProfileRuntimeDefault + }), + tweak(p, func(p *corev1.Pod) { + p.Annotations[annotationKeyPod] = corev1.SeccompLocalhostProfileNamePrefix + "testing" + p.Annotations[annotationKeyContainer(p.Spec.Containers[0])] = corev1.SeccompLocalhostProfileNamePrefix + "testing" + p.Annotations[annotationKeyContainer(p.Spec.InitContainers[0])] = 
corev1.SeccompLocalhostProfileNamePrefix + "testing" + }), + } + }, + generateFail: func(p *corev1.Pod) []*corev1.Pod { + p = ensureAnnotation(p) + return []*corev1.Pod{ + tweak(p, func(p *corev1.Pod) { + p.Annotations[annotationKeyPod] = corev1.SeccompProfileNameUnconfined + }), + tweak(p, func(p *corev1.Pod) { + p.Annotations[annotationKeyContainer(p.Spec.Containers[0])] = corev1.SeccompProfileNameUnconfined + }), + tweak(p, func(p *corev1.Pod) { + p.Annotations[annotationKeyContainer(p.Spec.InitContainers[0])] = corev1.SeccompProfileNameUnconfined + }), + } + }, + } + + fixtureData_baseline_1_19 := fixtureGenerator{ + expectErrorSubstring: "seccomp profile", + generatePass: func(p *corev1.Pod) []*corev1.Pod { + // don't generate fixtures if minimal valid pod already has seccomp config + if p.Spec.SecurityContext != nil && + p.Spec.SecurityContext.SeccompProfile != nil && + p.Spec.SecurityContext.SeccompProfile.Type == corev1.SeccompProfileTypeRuntimeDefault { + return nil + } + + p = ensureSecurityContext(p) + return []*corev1.Pod{ + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = seccompProfileLocalhost("testing") + p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileLocalhost("testing") + p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileLocalhost("testing") + }), + } + }, + generateFail: func(p *corev1.Pod) []*corev1.Pod { + p = ensureSecurityContext(p) + return []*corev1.Pod{ + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = seccompProfileUnconfined + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileUnconfined + }), + tweak(p, func(p 
*corev1.Pod) { + p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileUnconfined + }), + } + }, + } + + registerFixtureGenerator( + fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "seccomp_baseline"}, + fixtureData_baseline_1_0, + ) + + registerFixtureGenerator( + fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 19), check: "seccomp_baseline"}, + fixtureData_baseline_1_19, + ) +} diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_restricted.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_restricted.go new file mode 100644 index 00000000000..a0d7306ea66 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_restricted.go 
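Review bot: The early `return nil` in both `generatePass` functions drops the Localhost pass fixture together with the RuntimeDefault one whenever the minimal valid pod already carries RuntimeDefault, although only the RuntimeDefault case is arguably redundant with that pod. Returning just the Localhost tweak in that branch would keep coverage for the second allowed value. The header comment's `v.1.19` should read `v1.19`, and it would help to say there that the 1.0 generator exercises the annotations while the 1.19 generator exercises the `securityContext` field.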
@@ -0,0 +1,90 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package test + +import ( + corev1 "k8s.io/api/core/v1" + "k8s.io/pod-security-admission/api" +) + +/* +Note: these fixtures utilize seccomp helper functions that ensure consistency across the +alpha annotation (up to v.1.19) and the securityContext.seccompProfile field (v1.19+). + +The check implementation looks at the appropriate value based on version. +*/ + +func init() { + fixtureData_restricted_1_19 := fixtureGenerator{ + expectErrorSubstring: "seccomp profile", + generatePass: func(p *corev1.Pod) []*corev1.Pod { + p = ensureSecurityContext(p) + return []*corev1.Pod{ + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = seccompProfileLocalhost("testing") + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = nil + p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = nil + p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileLocalhost("testing") + p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileLocalhost("testing") + }), + } + }, + generateFail: func(p *corev1.Pod) []*corev1.Pod { + 
p = ensureSecurityContext(p) + return []*corev1.Pod{ + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = nil + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = seccompProfileUnconfined + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = nil + p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = nil + p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = nil + p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileUnconfined + }), + tweak(p, func(p *corev1.Pod) { + p.Spec.SecurityContext.SeccompProfile = nil + p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileUnconfined + p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault + }), + } + }, + } + + registerFixtureGenerator( + fixtureKey{level: api.LevelRestricted, version: api.MajorMinorVersion(1, 19), check: "seccomp_restricted"}, + fixtureData_restricted_1_19, + ) +} diff --git a/staging/src/k8s.io/pod-security-admission/test/helpers_seccomp.go b/staging/src/k8s.io/pod-security-admission/test/helpers_seccomp.go new file mode 100644 index 00000000000..2676ef700a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/helpers_seccomp.go 
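Review bot: `generateFail` has no case in which the pod-level profile stays valid and a single container overrides it with Unconfined; every failing tweak either clears the pod-level profile or sets it to Unconfined. That override is the combination where a regression would let one container opt out of a pod-wide profile, so it deserves its own fixture, e.g. `tweak(p, func(p *corev1.Pod) { p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileUnconfined })`, assuming the base pod keeps the pod-level RuntimeDefault set in fixtures.go. The generated testdata would need regenerating afterwards. The header comment is copied from the baseline fixtures and still refers to the alpha annotation, which this file does not exercise.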
@@ -0,0 +1,51 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+ corev1 "k8s.io/api/core/v1"
+)
+
+const (
+ annotationKeyPod = "seccomp.security.alpha.kubernetes.io/pod"
+ annotationKeyContainerPrefix = "container.seccomp.security.alpha.kubernetes.io/"
+)
+
+var (
+ // the RuntimeDefault seccomp profile
+ seccompProfileRuntimeDefault *corev1.SeccompProfile = &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeRuntimeDefault,
+ }
+
+ // the Unconfined seccomp profile
+ seccompProfileUnconfined *corev1.SeccompProfile = &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeUnconfined,
+ }
+)
+
+// the Localhost seccomp profile
+func seccompProfileLocalhost(profile string) *corev1.SeccompProfile {
+ return &corev1.SeccompProfile{
+ Type: corev1.SeccompProfileTypeLocalhost,
+ LocalhostProfile: &profile,
+ }
+}
+
+// annotationKeyContainer builds the annotation key for a specific container
+func annotationKeyContainer(c corev1.Container) string {
+ return annotationKeyContainerPrefix + c.Name
+}
diff --git a/staging/src/k8s.io/pod-security-admission/test/run.go b/staging/src/k8s.io/pod-security-admission/test/run.go
index 3a3ccb48870..f1d41c7f301 100644
--- a/staging/src/k8s.io/pod-security-admission/test/run.go
+++ b/staging/src/k8s.io/pod-security-admission/test/run.go
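Review bot: `seccompProfileRuntimeDefault` and `seccompProfileUnconfined` are package-level pointers, and the fixture generators assign the same pointer to the pod and to several containers, so every generated pod aliases one `SeccompProfile` struct and a mutation through any of them would change all fixtures. Returning a fresh value, as `seccompProfileLocalhost` already does, avoids that: `func seccompProfileUnconfined() *corev1.SeccompProfile { return &corev1.SeccompProfile{Type: corev1.SeccompProfileTypeUnconfined} }`, with the call sites in the fixture files adjusted to match. The annotation key constants use the same names the policy check reads in check_seccomp_baseline.go; a comment pointing at the source of truth would guard against the two copies drifting apart.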
@@ -110,6 +110,7 @@ func (t *testWarningHandler) HandleWarningHeader(code int, agent string, warning defer t.lock.Unlock() t.warnings = append(t.warnings, warning) } + func (t *testWarningHandler) FlushWarnings() []string { t.lock.Lock() defer t.lock.Unlock() @@ -251,8 +252,12 @@ func Run(t *testing.T, opts Options) { return } } + if expectSuccess && len(warningText) > 0 { - t.Errorf("%d: unexpected warning creating %s: %v", i, toJSON(pod), warningText) + if (len(expectErrorSubstring) > 0 && strings.Contains(warningText, expectErrorSubstring)) || + strings.Contains(warningText, policy.UnknownForbiddenReason) { + t.Errorf("%d: unexpected warning creating %s: %v", i, toJSON(pod), warningText) + } } } diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline1.yaml 
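Review bot: With the new condition in `Run`, a warning on an expected-success pod that matches neither `expectErrorSubstring` nor `policy.UnknownForbiddenReason` is discarded without any output, so a pass fixture that trips a different check no longer shows up anywhere in the test run. Logging the ignored text keeps the narrower assertion while leaving a trail, e.g. an `else` branch with `t.Logf("%d: ignoring unrelated warning creating %s: %v", i, toJSON(pod), warningText)`. A short comment explaining why unrelated warnings are tolerated at this point would also help the next reader. `Run` starts and ends outside this hunk.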
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..5e666272fe8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..0b952b03b62 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..3d00d1d75e9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: Unconfined + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..a8c54ecdd5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline0.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..a0bd52f05e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..5e666272fe8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..0b952b03b62 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..3d00d1d75e9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: Unconfined + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..a8c54ecdd5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline0.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..a0bd52f05e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..5e666272fe8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..0b952b03b62 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..3d00d1d75e9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: Unconfined + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..a8c54ecdd5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline0.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..a0bd52f05e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..5e666272fe8 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline0.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..0b952b03b62 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: {} + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..3d00d1d75e9 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline2.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: {} + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: Unconfined + securityContext: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..a8c54ecdd5f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline0.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + type: RuntimeDefault + securityContext: + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..a0bd52f05e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..850ee301a59 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..08c5b3a861b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..a933f4e9bf5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/seccomp_baseline2.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..87c776915d5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..dd244c9580a --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/seccomp_baseline1.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..3717716775f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..3f64251e05b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..13d46702827 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/seccomp_baseline2.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..f473dc1a097 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/seccomp_baseline0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..95c57261a76 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/seccomp_baseline1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..3717716775f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..3f64251e05b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..13d46702827 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/seccomp_baseline2.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..f473dc1a097 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/seccomp_baseline0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..95c57261a76 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/seccomp_baseline1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/seccomp_baseline2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/seccomp_baseline0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/seccomp_baseline2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/seccomp_baseline0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/seccomp_baseline1.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/seccomp_baseline2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/seccomp_baseline0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/seccomp_baseline2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/seccomp_baseline0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/seccomp_baseline1.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/seccomp_baseline2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/seccomp_baseline0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/seccomp_baseline2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/seccomp_baseline0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/seccomp_baseline1.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/seccomp_baseline2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/seccomp_baseline0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/seccomp_baseline2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/seccomp_baseline0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/seccomp_baseline1.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/seccomp_baseline2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/seccomp_baseline0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities0.yaml index 8d989f6f2ba..10190974a52 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities0.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities0.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities1.yaml index 92c51f1a671..59eee88a009 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities1.yaml @@ -19,3 +19,5 @@ spec: - NET_RAW securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities2.yaml index f1decea46f1..ec31abd9b1c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities2.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities3.yaml index 23f4b98b35c..014e2e7b81c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities3.yaml @@ -19,3 +19,5 @@ spec: - chown securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities4.yaml index 270fd72f07d..beaed5ad3a6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities4.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities5.yaml index 58e5bd93805..a4d9d5cf57f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities5.yaml @@ -19,3 +19,5 @@ spec: - bogus securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities6.yaml index 935bbec6908..e7da6cee1d8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities6.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities7.yaml index acb905603ef..b1b74fc56d2 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/addcapabilities7.yaml @@ -19,3 +19,5 @@ spec: - CAP_CHOWN securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation0.yaml index f3835ccd458..0e98e3879e9 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation1.yaml index 2a63d4f945c..63bbf45ed51 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation1.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation2.yaml index f3eaa44ffef..20022bc88f3 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation2.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation2.yaml @@ -14,3 +14,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation3.yaml index 981f2c97513..8b9881e7afc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation3.yaml @@ -14,3 +14,5 @@ spec: securityContext: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation4.yaml index 6c21220c390..42457598c95 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation4.yaml @@ -13,3 +13,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation5.yaml index 6c9c205114e..72af5337a51 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation5.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/allowprivilegeescalation5.yaml @@ -13,3 +13,5 @@ spec: name: initcontainer1 securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/apparmorprofile0.yaml index 73af668ccd8..fd3b525952a 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/apparmorprofile0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/apparmorprofile0.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/apparmorprofile1.yaml index 4dffe9451d5..4bde1b9ad34 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/apparmorprofile1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/apparmorprofile1.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces0.yaml index 5c2411e93ae..16cbb88f201 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces0.yaml 
@@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces1.yaml index f77a1b85692..d30c296533b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces1.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces2.yaml index 1a5a484a3e7..4fa96d092eb 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostnamespaces2.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml index ef7e51009bf..f51dbff440b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml index ebdc4d0e129..d2ee473b464 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports0.yaml index bc2a000d493..a6f6880b7c6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports0.yaml @@ -18,3 +18,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports1.yaml index 03b861c1fb4..5e17d3079d4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports1.yaml @@ -18,3 +18,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports2.yaml index d6a1bdc2696..276de00717c 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostports2.yaml @@ -23,3 +23,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostprocess0.yaml index e0fcdec7109..0cf6668cffd 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostprocess0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostprocess0.yaml @@ -18,5 +18,7 @@ spec: windowsOptions: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault windowsOptions: hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostprocess1.yaml index 5d941917537..8d8e7947659 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostprocess1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostprocess1.yaml @@ -20,4 +20,6 @@ spec: hostProcess: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged0.yaml index 1db3de5f92b..2f90e402881 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged0.yaml 
@@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged1.yaml index 222624aab0b..1866ef9fd7f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/privileged1.yaml @@ -15,3 +15,5 @@ spec: privileged: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount0.yaml index c810b36721c..062a5631e4b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount0.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount1.yaml index a5fb64c359d..ec5208c9db5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/procmount1.yaml @@ -16,3 +16,5 @@ spec: procMount: Unmasked securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes0.yaml index 85b4e96d085..8792fbb9720 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - gcePersistentDisk: pdName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes1.yaml index 721dd4c2160..ce9d18346b8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - awsElasticBlockStore: volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes10.yaml index e11b9e19139..6377b1e1844 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes10.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes10.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - flocker: datasetName: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes11.yaml index 3612d9ac53a..7158ab0fda2 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes11.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes11.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - fc: wwids: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes12.yaml index c5720ea289f..3b73c846153 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes12.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes12.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - azureFile: secretName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes13.yaml index 5548b433169..abc80ffd21e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes13.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes13.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-vsphere vsphereVolume: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes14.yaml index 8d72b6cb739..87aa397702b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes14.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes14.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-quobyte quobyte: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes15.yaml index 7e2665def8c..b7c9e62960e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes15.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes15.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - azureDisk: diskName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes16.yaml index e40176d1a41..d4b535b4ac4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes16.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes16.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-portworxvolume portworxVolume: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes17.yaml index 48ace835a80..37c22f90489 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes17.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes17.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-scaleio scaleIO: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes18.yaml index f1506e6ebb6..796292e5d9c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes18.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes18.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-storageos storageos: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes19.yaml index 6027a49b32a..2a4f12fec56 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes19.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes19.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes2.yaml index 8774d204e3c..6ab10f43260 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes2.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - gitRepo: repository: github.com/kubernetes/kubernetes diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes3.yaml index db9f13963dc..cbd05c1038f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes3.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-nfs nfs: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes4.yaml index 39536e82fc9..eb681cc09b0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes4.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - iscsi: iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes5.yaml index 30104acb8c1..9d1b9b1eb29 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes5.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - glusterfs: endpoints: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes6.yaml index 93382090c2a..20129aebdfc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes6.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-rbd rbd: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes7.yaml index 94c49e7d548..9d3941ad1f4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes7.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - flexVolume: driver: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes8.yaml index 557b65a3a5b..bc91d5ddf3e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes8.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - cinder: volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes9.yaml index 7a9682863fb..bdd60608583 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes9.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/restrictedvolumes9.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - cephfs: monitors: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot0.yaml index 333736b5ee5..4f4330ee174 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot0.yaml @@ -13,4 +13,6 @@ spec: name: initcontainer1 securityContext: allowPrivilegeEscalation: false - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot1.yaml index 3d9fa196e3a..00edbfd581b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot1.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: false + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot2.yaml index 90fb05805ff..b0192800e26 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot2.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot3.yaml index 90d318e1a7c..4fc8ccf4a36 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/runasnonroot3.yaml @@ -16,3 +16,5 @@ spec: runAsNonRoot: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..5ad24796925 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..ff706106914 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..c814a943205 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_baseline2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted0.yaml new file mode 100755 index 00000000000..c36a8e926e5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted1.yaml new file mode 100755 index 00000000000..8bee65ae547 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted2.yaml new file mode 100755 index 00000000000..2964bc3ed60 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted3.yaml new file mode 100755 index 00000000000..0145d71a4a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted3.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted4.yaml new file mode 100755 index 00000000000..bab74799f68 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted4.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted5.yaml new file mode 100755 index 00000000000..c3a09bb5550 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/seccomp_restricted5.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux0.yaml index bfb4dde7008..3908e365a59 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux0.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux1.yaml index b3be2791491..aeb8cd7be9a 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux1.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux2.yaml index 933d98f0afd..51b9505ecd6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux2.yaml 
@@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux3.yaml index 236e6994069..d751ea95bf8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux3.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: user: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux4.yaml index 72bb1e246da..196ee200c7d 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux4.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux5.yaml index 054ed87df3b..f02b6946db5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux5.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux6.yaml index c7885b0e51b..d62fc00da2f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux6.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: role: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux7.yaml index dc8abb1a8d9..39da09e68c0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux7.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux8.yaml index 0f900bb42f0..d90a71d0dfc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/selinux8.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/sysctls0.yaml index 21d63a65a8f..428e57812d0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/sysctls0.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/sysctls0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault sysctls: - name: othersysctl value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities0.yaml index f28e384225c..b0f763a20a7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities0.yaml @@ -31,3 +31,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities1.yaml index b4be8387110..d055e87ceb6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/addcapabilities1.yaml @@ -31,3 +31,5 @@ spec: - SYS_CHROOT securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/apparmorprofile0.yaml index 2f790baa0a4..63dfb044ca6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/apparmorprofile0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/apparmorprofile0.yaml 
@@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/base.yaml index 56b47e7f2f4..985b50e2276 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/base.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/base.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostports0.yaml index c1813d4ff52..7908d1bb599 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostports0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostports0.yaml @@ -19,3 +19,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/privileged0.yaml index 0194f47aef1..efe91659066 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/privileged0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/privileged0.yaml @@ -17,3 +17,5 @@ spec: privileged: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/procmount0.yaml index 0fd9424c3da..7e97f7178c5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/procmount0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/procmount0.yaml @@ -17,3 +17,5 @@ spec: procMount: Default securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/restrictedvolumes0.yaml index 15806c8f02d..b2ae5c424b7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/restrictedvolumes0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/restrictedvolumes0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - configMap: name: volume-configmap-test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot0.yaml index 7250230e275..b4d19bc30ff 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot1.yaml index 7ba6345d0f2..9545e3c5846 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot1.yaml @@ -15,4 +15,6 @@ spec: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot2.yaml index 27b53f0d805..58a6c8cee0e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/runasnonroot2.yaml @@ -17,3 +17,5 @@ spec: runAsNonRoot: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted0.yaml new file mode 100755 index 00000000000..dbb38cf8522 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted1.yaml new file mode 100755 index 00000000000..88b6a1b845f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted1.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted2.yaml new file mode 100755 index 00000000000..56acb87a81e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted2.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted3.yaml new file mode 100755 index 00000000000..5bced2bf738 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/seccomp_restricted3.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + localhostProfile: testing + type: Localhost + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux0.yaml index d914e0b00c8..bba683b7e0f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux0.yaml @@ -17,3 +17,5 @@ spec: seLinuxOptions: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux1.yaml index c391cd71474..81761b0cdf4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux1.yaml @@ -17,3 +17,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux10.yaml index 67d30aa7119..60ca43d5c2e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux10.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux10.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux11.yaml index 5e8e4299521..4a0a792a1c6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux11.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux11.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux12.yaml index 67150038291..004817c1425 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux12.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux12.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_kvm_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux13.yaml index 2c44d9fd807..b10723aad1c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux13.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux13.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux14.yaml index 08d9789a6d5..f8ffc5ce30e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux14.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux14.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux15.yaml index 6ab973f2a29..a81aea47d81 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux15.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux15.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux16.yaml index a51186318c9..efef1073d16 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux16.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux16.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux17.yaml index 16c93576fb5..23ee4b82ee4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux17.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux17.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux18.yaml index 6141503f43f..53ec170307e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux18.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux18.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: level: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux19.yaml index 2251561ecd0..94800132aac 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux19.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux19.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux2.yaml index b8498cbc662..ddedc76b193 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux2.yaml @@ -17,3 +17,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux20.yaml index d5819531dcb..5c3fac8d8d9 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux20.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux20.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux3.yaml index 54345a56a0e..c87d7057f70 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux3.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux4.yaml index 0274d5bbc5f..00cd4082dd5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux4.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux5.yaml index 72b1c0818a8..222af451dec 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux5.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux6.yaml index 9d0c703d8a9..2ab63985910 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux6.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux7.yaml index 5138c5cdcb2..0c4c326edf6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux7.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux7.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux8.yaml index 99fd076bed6..1e26c538446 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux8.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux9.yaml index b4c3e31d113..03a382e5790 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux9.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/selinux9.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_init_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls0.yaml index e5e3fb64968..b4f0f501ad7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml index dbb7d262e07..3d7ec630afe 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/sysctls1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault sysctls: - name: kernel.shm_rmid_forced value: "0" diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..3717716775f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..3f64251e05b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..13d46702827 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/seccomp_baseline2.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..f473dc1a097 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/seccomp_baseline0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..95c57261a76 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/seccomp_baseline1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities0.yaml index 8d989f6f2ba..10190974a52 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities0.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities1.yaml index 92c51f1a671..59eee88a009 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities1.yaml 
@@ -19,3 +19,5 @@ spec: - NET_RAW securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities2.yaml index f1decea46f1..ec31abd9b1c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities2.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities3.yaml index 23f4b98b35c..014e2e7b81c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities3.yaml @@ -19,3 +19,5 @@ spec: - chown securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities4.yaml index 270fd72f07d..beaed5ad3a6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities4.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities5.yaml index 58e5bd93805..a4d9d5cf57f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities5.yaml @@ -19,3 +19,5 @@ spec: - bogus securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities6.yaml index 935bbec6908..e7da6cee1d8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities6.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities7.yaml index acb905603ef..b1b74fc56d2 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/addcapabilities7.yaml @@ -19,3 +19,5 @@ spec: - CAP_CHOWN securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation0.yaml index f3835ccd458..0e98e3879e9 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation1.yaml index 2a63d4f945c..63bbf45ed51 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation1.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation2.yaml index f3eaa44ffef..20022bc88f3 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation2.yaml @@ -14,3 +14,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation3.yaml index 981f2c97513..8b9881e7afc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation3.yaml @@ -14,3 +14,5 @@ spec: securityContext: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation4.yaml index 6c21220c390..42457598c95 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation4.yaml @@ -13,3 +13,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation5.yaml index 6c9c205114e..72af5337a51 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/allowprivilegeescalation5.yaml @@ -13,3 +13,5 @@ spec: name: initcontainer1 securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/apparmorprofile0.yaml index 73af668ccd8..fd3b525952a 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/apparmorprofile0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/apparmorprofile0.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/apparmorprofile1.yaml index 4dffe9451d5..4bde1b9ad34 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/apparmorprofile1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/apparmorprofile1.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces0.yaml index 5c2411e93ae..16cbb88f201 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces0.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces1.yaml index f77a1b85692..d30c296533b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces1.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces2.yaml index 1a5a484a3e7..4fa96d092eb 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostnamespaces2.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml index ef7e51009bf..f51dbff440b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml index ebdc4d0e129..d2ee473b464 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports0.yaml index bc2a000d493..a6f6880b7c6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports0.yaml @@ -18,3 +18,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports1.yaml index 03b861c1fb4..5e17d3079d4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports1.yaml @@ -18,3 +18,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports2.yaml index d6a1bdc2696..276de00717c 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostports2.yaml @@ -23,3 +23,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostprocess0.yaml index e0fcdec7109..0cf6668cffd 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostprocess0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostprocess0.yaml @@ -18,5 +18,7 @@ spec: windowsOptions: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault windowsOptions: hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostprocess1.yaml index 5d941917537..8d8e7947659 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostprocess1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostprocess1.yaml @@ -20,4 +20,6 @@ spec: hostProcess: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged0.yaml index 1db3de5f92b..2f90e402881 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged0.yaml 
@@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged1.yaml index 222624aab0b..1866ef9fd7f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/privileged1.yaml @@ -15,3 +15,5 @@ spec: privileged: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount0.yaml index c810b36721c..062a5631e4b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount0.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount1.yaml index a5fb64c359d..ec5208c9db5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/procmount1.yaml @@ -16,3 +16,5 @@ spec: procMount: Unmasked securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes0.yaml index 85b4e96d085..8792fbb9720 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - gcePersistentDisk: pdName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes1.yaml index 721dd4c2160..ce9d18346b8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - awsElasticBlockStore: volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes10.yaml index e11b9e19139..6377b1e1844 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes10.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes10.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - flocker: datasetName: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes11.yaml index 3612d9ac53a..7158ab0fda2 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes11.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes11.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - fc: wwids: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes12.yaml index c5720ea289f..3b73c846153 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes12.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes12.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - azureFile: secretName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes13.yaml index 5548b433169..abc80ffd21e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes13.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes13.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-vsphere vsphereVolume: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes14.yaml index 8d72b6cb739..87aa397702b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes14.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes14.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-quobyte quobyte: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes15.yaml index 7e2665def8c..b7c9e62960e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes15.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes15.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - azureDisk: diskName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes16.yaml index e40176d1a41..d4b535b4ac4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes16.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes16.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-portworxvolume portworxVolume: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes17.yaml index 48ace835a80..37c22f90489 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes17.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes17.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-scaleio scaleIO: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes18.yaml index f1506e6ebb6..796292e5d9c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes18.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes18.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-storageos storageos: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes19.yaml index 6027a49b32a..2a4f12fec56 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes19.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes19.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes2.yaml index 8774d204e3c..6ab10f43260 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes2.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - gitRepo: repository: github.com/kubernetes/kubernetes diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes3.yaml index db9f13963dc..cbd05c1038f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes3.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-nfs nfs: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes4.yaml index 39536e82fc9..eb681cc09b0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes4.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - iscsi: iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes5.yaml index 30104acb8c1..9d1b9b1eb29 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes5.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - glusterfs: endpoints: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes6.yaml index 93382090c2a..20129aebdfc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes6.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-rbd rbd: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes7.yaml index 94c49e7d548..9d3941ad1f4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes7.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - flexVolume: driver: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes8.yaml index 557b65a3a5b..bc91d5ddf3e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes8.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - cinder: volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes9.yaml index 7a9682863fb..bdd60608583 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes9.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/restrictedvolumes9.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - cephfs: monitors: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot0.yaml index 333736b5ee5..4f4330ee174 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot0.yaml @@ -13,4 +13,6 @@ spec: name: initcontainer1 securityContext: allowPrivilegeEscalation: false - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot1.yaml index 3d9fa196e3a..00edbfd581b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot1.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: false + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot2.yaml index 90fb05805ff..b0192800e26 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot2.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot3.yaml index 90d318e1a7c..4fc8ccf4a36 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/runasnonroot3.yaml @@ -16,3 +16,5 @@ spec: runAsNonRoot: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..5ad24796925 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..ff706106914 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..c814a943205 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_baseline2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted0.yaml new file mode 100755 index 00000000000..c36a8e926e5 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted1.yaml new file mode 100755 index 00000000000..8bee65ae547 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted1.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted2.yaml new file mode 100755 index 00000000000..2964bc3ed60 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted3.yaml new file mode 100755 index 00000000000..0145d71a4a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted3.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted4.yaml new file mode 100755 index 00000000000..bab74799f68 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted4.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted5.yaml new file mode 100755 index 00000000000..c3a09bb5550 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/seccomp_restricted5.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux0.yaml index bfb4dde7008..3908e365a59 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux0.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux1.yaml index b3be2791491..aeb8cd7be9a 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux1.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux2.yaml index 933d98f0afd..51b9505ecd6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux2.yaml 
@@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux3.yaml index 236e6994069..d751ea95bf8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux3.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: user: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux4.yaml index 72bb1e246da..196ee200c7d 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux4.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux5.yaml index 054ed87df3b..f02b6946db5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux5.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux6.yaml index c7885b0e51b..d62fc00da2f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux6.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: role: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux7.yaml index dc8abb1a8d9..39da09e68c0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux7.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux8.yaml index 0f900bb42f0..d90a71d0dfc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/selinux8.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/sysctls0.yaml index 21d63a65a8f..428e57812d0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/sysctls0.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/sysctls0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault sysctls: - name: othersysctl value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities0.yaml index f28e384225c..b0f763a20a7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities0.yaml @@ -31,3 +31,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities1.yaml index b4be8387110..d055e87ceb6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/addcapabilities1.yaml @@ -31,3 +31,5 @@ spec: - SYS_CHROOT securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/apparmorprofile0.yaml index 2f790baa0a4..63dfb044ca6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/apparmorprofile0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/apparmorprofile0.yaml 
@@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/base.yaml index 56b47e7f2f4..985b50e2276 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/base.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/base.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostports0.yaml index c1813d4ff52..7908d1bb599 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostports0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostports0.yaml @@ -19,3 +19,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/privileged0.yaml index 0194f47aef1..efe91659066 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/privileged0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/privileged0.yaml @@ -17,3 +17,5 @@ spec: privileged: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/procmount0.yaml index 0fd9424c3da..7e97f7178c5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/procmount0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/procmount0.yaml @@ -17,3 +17,5 @@ spec: procMount: Default securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/restrictedvolumes0.yaml index 15806c8f02d..b2ae5c424b7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/restrictedvolumes0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/restrictedvolumes0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - configMap: name: volume-configmap-test diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot0.yaml index 7250230e275..b4d19bc30ff 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot1.yaml index 7ba6345d0f2..9545e3c5846 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot1.yaml @@ -15,4 +15,6 @@ spec: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot2.yaml index 27b53f0d805..58a6c8cee0e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/runasnonroot2.yaml @@ -17,3 +17,5 @@ spec: runAsNonRoot: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted0.yaml new file mode 100755 index 00000000000..dbb38cf8522 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted1.yaml new file mode 100755 index 00000000000..88b6a1b845f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted1.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted2.yaml new file mode 100755 index 00000000000..56acb87a81e --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted2.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted3.yaml new file mode 100755 index 00000000000..5bced2bf738 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/seccomp_restricted3.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + localhostProfile: testing + type: Localhost + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux0.yaml index d914e0b00c8..bba683b7e0f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux0.yaml @@ -17,3 +17,5 @@ spec: seLinuxOptions: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux1.yaml index c391cd71474..81761b0cdf4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux1.yaml @@ -17,3 +17,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux10.yaml index 67d30aa7119..60ca43d5c2e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux10.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux10.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux11.yaml index 5e8e4299521..4a0a792a1c6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux11.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux11.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux12.yaml index 67150038291..004817c1425 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux12.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux12.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_kvm_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux13.yaml index 2c44d9fd807..b10723aad1c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux13.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux13.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux14.yaml index 08d9789a6d5..f8ffc5ce30e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux14.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux14.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux15.yaml index 6ab973f2a29..a81aea47d81 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux15.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux15.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux16.yaml index a51186318c9..efef1073d16 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux16.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux16.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux17.yaml index 16c93576fb5..23ee4b82ee4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux17.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux17.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux18.yaml index 6141503f43f..53ec170307e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux18.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux18.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: level: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux19.yaml index 2251561ecd0..94800132aac 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux19.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux19.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux2.yaml index b8498cbc662..ddedc76b193 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux2.yaml @@ -17,3 +17,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux20.yaml index d5819531dcb..5c3fac8d8d9 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux20.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux20.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux3.yaml index 54345a56a0e..c87d7057f70 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux3.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux4.yaml index 0274d5bbc5f..00cd4082dd5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux4.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux5.yaml index 72b1c0818a8..222af451dec 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux5.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux6.yaml index 9d0c703d8a9..2ab63985910 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux6.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux7.yaml index 5138c5cdcb2..0c4c326edf6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux7.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux7.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux8.yaml index 99fd076bed6..1e26c538446 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux8.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux9.yaml index b4c3e31d113..03a382e5790 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux9.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/selinux9.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_init_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls0.yaml index e5e3fb64968..b4f0f501ad7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml index dbb7d262e07..3d7ec630afe 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/sysctls1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault sysctls: - name: kernel.shm_rmid_forced value: "0" diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities0.yaml index 8d989f6f2ba..10190974a52 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities0.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities1.yaml index 92c51f1a671..59eee88a009 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities1.yaml @@ -19,3 +19,5 @@ spec: - NET_RAW securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities2.yaml index f1decea46f1..ec31abd9b1c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities2.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities3.yaml index 23f4b98b35c..014e2e7b81c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities3.yaml @@ -19,3 +19,5 @@ spec: - chown securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities4.yaml index 270fd72f07d..beaed5ad3a6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities4.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities5.yaml index 58e5bd93805..a4d9d5cf57f 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities5.yaml @@ -19,3 +19,5 @@ spec: - bogus securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities6.yaml index 935bbec6908..e7da6cee1d8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities6.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities7.yaml index acb905603ef..b1b74fc56d2 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/addcapabilities7.yaml @@ -19,3 +19,5 @@ spec: - CAP_CHOWN securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation0.yaml index f3835ccd458..0e98e3879e9 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation0.yaml 
@@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation1.yaml index 2a63d4f945c..63bbf45ed51 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation1.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation2.yaml index f3eaa44ffef..20022bc88f3 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation2.yaml @@ -14,3 +14,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation3.yaml index 981f2c97513..8b9881e7afc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation3.yaml 
@@ -14,3 +14,5 @@ spec: securityContext: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation4.yaml index 6c21220c390..42457598c95 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation4.yaml @@ -13,3 +13,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation5.yaml index 6c9c205114e..72af5337a51 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/allowprivilegeescalation5.yaml @@ -13,3 +13,5 @@ spec: name: initcontainer1 securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/apparmorprofile0.yaml index 73af668ccd8..fd3b525952a 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/apparmorprofile0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/apparmorprofile0.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/apparmorprofile1.yaml index 4dffe9451d5..4bde1b9ad34 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/apparmorprofile1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/apparmorprofile1.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces0.yaml index 5c2411e93ae..16cbb88f201 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces0.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces1.yaml index f77a1b85692..d30c296533b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces1.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces2.yaml index 1a5a484a3e7..4fa96d092eb 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostnamespaces2.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml index ef7e51009bf..f51dbff440b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml index ebdc4d0e129..d2ee473b464 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports0.yaml index bc2a000d493..a6f6880b7c6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports0.yaml @@ -18,3 +18,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports1.yaml index 03b861c1fb4..5e17d3079d4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports1.yaml @@ -18,3 +18,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports2.yaml index d6a1bdc2696..276de00717c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostports2.yaml @@ -23,3 +23,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostprocess0.yaml index e0fcdec7109..0cf6668cffd 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostprocess0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostprocess0.yaml @@ -18,5 +18,7 @@ spec: windowsOptions: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault windowsOptions: hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostprocess1.yaml index 5d941917537..8d8e7947659 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostprocess1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostprocess1.yaml @@ -20,4 +20,6 @@ spec: hostProcess: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged0.yaml index 1db3de5f92b..2f90e402881 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged1.yaml index 222624aab0b..1866ef9fd7f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/privileged1.yaml 
@@ -15,3 +15,5 @@ spec: privileged: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount0.yaml index c810b36721c..062a5631e4b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount0.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount1.yaml index a5fb64c359d..ec5208c9db5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/procmount1.yaml @@ -16,3 +16,5 @@ spec: procMount: Unmasked securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes0.yaml index 85b4e96d085..8792fbb9720 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - gcePersistentDisk: pdName: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes1.yaml index 721dd4c2160..ce9d18346b8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - awsElasticBlockStore: volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes10.yaml index e11b9e19139..6377b1e1844 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes10.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes10.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - flocker: datasetName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes11.yaml index 3612d9ac53a..7158ab0fda2 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes11.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes11.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - fc: wwids: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes12.yaml index c5720ea289f..3b73c846153 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes12.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes12.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - azureFile: secretName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes13.yaml index 5548b433169..abc80ffd21e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes13.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes13.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-vsphere vsphereVolume: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes14.yaml index 8d72b6cb739..87aa397702b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes14.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes14.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-quobyte quobyte: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes15.yaml index 7e2665def8c..b7c9e62960e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes15.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes15.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - azureDisk: diskName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes16.yaml index e40176d1a41..d4b535b4ac4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes16.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes16.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-portworxvolume portworxVolume: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes17.yaml index 48ace835a80..37c22f90489 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes17.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes17.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-scaleio scaleIO: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes18.yaml index f1506e6ebb6..796292e5d9c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes18.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes18.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-storageos storageos: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes19.yaml index 6027a49b32a..2a4f12fec56 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes19.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes19.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes2.yaml index 8774d204e3c..6ab10f43260 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes2.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - gitRepo: repository: github.com/kubernetes/kubernetes 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes3.yaml index db9f13963dc..cbd05c1038f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes3.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-nfs nfs: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes4.yaml index 39536e82fc9..eb681cc09b0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes4.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - iscsi: iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes5.yaml index 30104acb8c1..9d1b9b1eb29 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes5.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - glusterfs: endpoints: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes6.yaml index 93382090c2a..20129aebdfc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes6.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-rbd rbd: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes7.yaml index 94c49e7d548..9d3941ad1f4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes7.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - flexVolume: driver: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes8.yaml index 557b65a3a5b..bc91d5ddf3e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes8.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - cinder: volumeID: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes9.yaml index 7a9682863fb..bdd60608583 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes9.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/restrictedvolumes9.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - cephfs: monitors: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot0.yaml index 333736b5ee5..4f4330ee174 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot0.yaml @@ -13,4 +13,6 @@ spec: name: initcontainer1 securityContext: allowPrivilegeEscalation: false - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot1.yaml index 3d9fa196e3a..00edbfd581b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot1.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: false + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot2.yaml index 90fb05805ff..b0192800e26 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot2.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot3.yaml index 90d318e1a7c..4fc8ccf4a36 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/runasnonroot3.yaml @@ -16,3 +16,5 @@ spec: runAsNonRoot: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..5ad24796925 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..ff706106914 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..c814a943205 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_baseline2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted0.yaml new file mode 100755 index 00000000000..c36a8e926e5 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted1.yaml new file mode 100755 index 00000000000..8bee65ae547 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted2.yaml new file mode 100755 index 00000000000..2964bc3ed60 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted3.yaml new file mode 100755 index 00000000000..0145d71a4a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted3.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted4.yaml new file mode 100755 index 00000000000..bab74799f68 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted5.yaml new file mode 100755 index 00000000000..c3a09bb5550 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/seccomp_restricted5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux0.yaml index bfb4dde7008..3908e365a59 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux0.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: somevalue + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux1.yaml index b3be2791491..aeb8cd7be9a 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux1.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux2.yaml index 933d98f0afd..51b9505ecd6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux2.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux3.yaml index 236e6994069..d751ea95bf8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux3.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: user: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux4.yaml index 72bb1e246da..196ee200c7d 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux4.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux4.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux5.yaml index 054ed87df3b..f02b6946db5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux5.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux6.yaml index c7885b0e51b..d62fc00da2f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux6.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: role: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux7.yaml index dc8abb1a8d9..39da09e68c0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux7.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux8.yaml index 0f900bb42f0..d90a71d0dfc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/selinux8.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/sysctls0.yaml index 21d63a65a8f..428e57812d0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/sysctls0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/sysctls0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault sysctls: - name: othersysctl value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities0.yaml index f28e384225c..b0f763a20a7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities0.yaml @@ -31,3 +31,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities1.yaml index b4be8387110..d055e87ceb6 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/addcapabilities1.yaml @@ -31,3 +31,5 @@ spec: - SYS_CHROOT securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/apparmorprofile0.yaml index 2f790baa0a4..63dfb044ca6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/apparmorprofile0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/apparmorprofile0.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/base.yaml index 56b47e7f2f4..985b50e2276 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/base.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/base.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostports0.yaml index c1813d4ff52..7908d1bb599 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostports0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostports0.yaml 
@@ -19,3 +19,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/privileged0.yaml index 0194f47aef1..efe91659066 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/privileged0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/privileged0.yaml @@ -17,3 +17,5 @@ spec: privileged: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/procmount0.yaml index 0fd9424c3da..7e97f7178c5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/procmount0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/procmount0.yaml @@ -17,3 +17,5 @@ spec: procMount: Default securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/restrictedvolumes0.yaml index 15806c8f02d..b2ae5c424b7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/restrictedvolumes0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/restrictedvolumes0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - configMap: name: volume-configmap-test 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot0.yaml index 7250230e275..b4d19bc30ff 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot1.yaml index 7ba6345d0f2..9545e3c5846 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot1.yaml @@ -15,4 +15,6 @@ spec: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot2.yaml index 27b53f0d805..58a6c8cee0e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/runasnonroot2.yaml @@ -17,3 +17,5 @@ spec: runAsNonRoot: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted0.yaml new file mode 100755 index 00000000000..dbb38cf8522 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted1.yaml new file mode 100755 index 00000000000..88b6a1b845f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted1.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted2.yaml new file mode 100755 index 00000000000..56acb87a81e --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted3.yaml new file mode 100755 index 00000000000..5bced2bf738 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/seccomp_restricted3.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + localhostProfile: testing + type: Localhost + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux0.yaml index d914e0b00c8..bba683b7e0f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux0.yaml @@ -17,3 +17,5 @@ spec: seLinuxOptions: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux1.yaml index c391cd71474..81761b0cdf4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux1.yaml @@ -17,3 +17,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux10.yaml index 67d30aa7119..60ca43d5c2e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux10.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux10.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux11.yaml index 5e8e4299521..4a0a792a1c6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux11.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux11.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux12.yaml index 67150038291..004817c1425 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux12.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux12.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_kvm_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux13.yaml index 2c44d9fd807..b10723aad1c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux13.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux13.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux14.yaml index 08d9789a6d5..f8ffc5ce30e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux14.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux14.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux15.yaml index 6ab973f2a29..a81aea47d81 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux15.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux15.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux16.yaml index a51186318c9..efef1073d16 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux16.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux16.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux17.yaml index 16c93576fb5..23ee4b82ee4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux17.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux17.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux18.yaml index 6141503f43f..53ec170307e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux18.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux18.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: level: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux19.yaml index 2251561ecd0..94800132aac 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux19.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux19.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux2.yaml index b8498cbc662..ddedc76b193 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux2.yaml @@ -17,3 +17,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux20.yaml index d5819531dcb..5c3fac8d8d9 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux20.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux20.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux3.yaml index 54345a56a0e..c87d7057f70 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux3.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux4.yaml index 0274d5bbc5f..00cd4082dd5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux4.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux5.yaml index 72b1c0818a8..222af451dec 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux5.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux6.yaml index 9d0c703d8a9..2ab63985910 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux6.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux7.yaml index 5138c5cdcb2..0c4c326edf6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux7.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux7.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux8.yaml index 99fd076bed6..1e26c538446 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux8.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux9.yaml index b4c3e31d113..03a382e5790 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux9.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/selinux9.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_init_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls0.yaml index e5e3fb64968..b4f0f501ad7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml index dbb7d262e07..3d7ec630afe 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/sysctls1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault sysctls: - name: kernel.shm_rmid_forced value: "0" diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities0.yaml index 8d989f6f2ba..10190974a52 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities0.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities1.yaml index 92c51f1a671..59eee88a009 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities1.yaml @@ -19,3 +19,5 @@ spec: - NET_RAW securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities2.yaml index f1decea46f1..ec31abd9b1c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities2.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities3.yaml index 23f4b98b35c..014e2e7b81c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities3.yaml @@ -19,3 +19,5 @@ spec: - chown securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities4.yaml index 270fd72f07d..beaed5ad3a6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities4.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities5.yaml index 58e5bd93805..a4d9d5cf57f 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities5.yaml @@ -19,3 +19,5 @@ spec: - bogus securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities6.yaml index 935bbec6908..e7da6cee1d8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities6.yaml @@ -19,3 +19,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities7.yaml index acb905603ef..b1b74fc56d2 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/addcapabilities7.yaml @@ -19,3 +19,5 @@ spec: - CAP_CHOWN securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation0.yaml index f3835ccd458..0e98e3879e9 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation0.yaml 
@@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation1.yaml index 2a63d4f945c..63bbf45ed51 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation1.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation2.yaml index f3eaa44ffef..20022bc88f3 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation2.yaml @@ -14,3 +14,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation3.yaml index 981f2c97513..8b9881e7afc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation3.yaml 
@@ -14,3 +14,5 @@ spec: securityContext: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation4.yaml index 6c21220c390..42457598c95 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation4.yaml @@ -13,3 +13,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation5.yaml index 6c9c205114e..72af5337a51 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/allowprivilegeescalation5.yaml @@ -13,3 +13,5 @@ spec: name: initcontainer1 securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/apparmorprofile0.yaml index 73af668ccd8..fd3b525952a 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/apparmorprofile0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/apparmorprofile0.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/apparmorprofile1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/apparmorprofile1.yaml index 4dffe9451d5..4bde1b9ad34 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/apparmorprofile1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/apparmorprofile1.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces0.yaml index 5c2411e93ae..16cbb88f201 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces0.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces1.yaml index f77a1b85692..d30c296533b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces1.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces2.yaml index 1a5a484a3e7..4fa96d092eb 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostnamespaces2.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml index ef7e51009bf..f51dbff440b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml index ebdc4d0e129..d2ee473b464 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports0.yaml index bc2a000d493..a6f6880b7c6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports0.yaml @@ -18,3 +18,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports1.yaml index 03b861c1fb4..5e17d3079d4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports1.yaml @@ -18,3 +18,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports2.yaml index d6a1bdc2696..276de00717c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostports2.yaml @@ -23,3 +23,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostprocess0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostprocess0.yaml index e0fcdec7109..0cf6668cffd 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostprocess0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostprocess0.yaml @@ -18,5 +18,7 @@ spec: windowsOptions: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault windowsOptions: hostProcess: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostprocess1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostprocess1.yaml index 5d941917537..8d8e7947659 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostprocess1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostprocess1.yaml @@ -20,4 +20,6 @@ spec: hostProcess: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault windowsOptions: {} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged0.yaml index 1db3de5f92b..2f90e402881 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged1.yaml index 222624aab0b..1866ef9fd7f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/privileged1.yaml 
@@ -15,3 +15,5 @@ spec: privileged: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount0.yaml index c810b36721c..062a5631e4b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount0.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount1.yaml index a5fb64c359d..ec5208c9db5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/procmount1.yaml @@ -16,3 +16,5 @@ spec: procMount: Unmasked securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes0.yaml index 85b4e96d085..8792fbb9720 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - gcePersistentDisk: pdName: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes1.yaml index 721dd4c2160..ce9d18346b8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - awsElasticBlockStore: volumeID: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes10.yaml index e11b9e19139..6377b1e1844 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes10.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes10.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - flocker: datasetName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes11.yaml index 3612d9ac53a..7158ab0fda2 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes11.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes11.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - fc: wwids: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes12.yaml index c5720ea289f..3b73c846153 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes12.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes12.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - azureFile: secretName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes13.yaml index 5548b433169..abc80ffd21e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes13.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes13.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-vsphere vsphereVolume: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes14.yaml index 8d72b6cb739..87aa397702b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes14.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes14.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-quobyte quobyte: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes15.yaml index 7e2665def8c..b7c9e62960e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes15.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes15.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - azureDisk: diskName: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes16.yaml index e40176d1a41..d4b535b4ac4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes16.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes16.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-portworxvolume portworxVolume: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes17.yaml index 48ace835a80..37c22f90489 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes17.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes17.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-scaleio scaleIO: 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes18.yaml index f1506e6ebb6..796292e5d9c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes18.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes18.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-storageos storageos: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes19.yaml index 6027a49b32a..2a4f12fec56 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes19.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes19.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - hostPath: path: /dev/null diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes2.yaml index 8774d204e3c..6ab10f43260 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes2.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - gitRepo: repository: github.com/kubernetes/kubernetes 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes3.yaml index db9f13963dc..cbd05c1038f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes3.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-nfs nfs: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes4.yaml index 39536e82fc9..eb681cc09b0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes4.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - iscsi: iqn: iqn.2001-04.com.example:storage.kube.sys1.xyz diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes5.yaml index 30104acb8c1..9d1b9b1eb29 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes5.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - glusterfs: endpoints: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes6.yaml index 93382090c2a..20129aebdfc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes6.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - name: volume-rbd rbd: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes7.yaml index 94c49e7d548..9d3941ad1f4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes7.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - flexVolume: driver: testing diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes8.yaml index 557b65a3a5b..bc91d5ddf3e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes8.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - cinder: volumeID: testing 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes9.yaml index 7a9682863fb..bdd60608583 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes9.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/restrictedvolumes9.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - cephfs: monitors: diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot0.yaml index 333736b5ee5..4f4330ee174 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot0.yaml @@ -13,4 +13,6 @@ spec: name: initcontainer1 securityContext: allowPrivilegeEscalation: false - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot1.yaml index 3d9fa196e3a..00edbfd581b 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot1.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: false + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot2.yaml index 90fb05805ff..b0192800e26 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot2.yaml @@ -16,3 +16,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot3.yaml index 90d318e1a7c..4fc8ccf4a36 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/runasnonroot3.yaml @@ -16,3 +16,5 @@ spec: runAsNonRoot: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..5ad24796925 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..ff706106914 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..c814a943205 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_baseline2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted0.yaml new file mode 100755 index 00000000000..c36a8e926e5 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted1.yaml new file mode 100755 index 00000000000..8bee65ae547 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: Unconfined diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted2.yaml new file mode 100755 index 00000000000..2964bc3ed60 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted3.yaml new file mode 100755 index 00000000000..0145d71a4a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted3.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted4.yaml new file mode 100755 index 00000000000..bab74799f68 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted4.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted4 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted5.yaml new file mode 100755 index 00000000000..c3a09bb5550 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/seccomp_restricted5.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted5 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: Unconfined + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux0.yaml index bfb4dde7008..3908e365a59 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux0.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: somevalue + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux1.yaml index b3be2791491..aeb8cd7be9a 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux1.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux2.yaml index 933d98f0afd..51b9505ecd6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux2.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux3.yaml index 236e6994069..d751ea95bf8 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux3.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: user: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux4.yaml index 72bb1e246da..196ee200c7d 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux4.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux4.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux5.yaml index 054ed87df3b..f02b6946db5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux5.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux6.yaml index c7885b0e51b..d62fc00da2f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux6.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: role: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux7.yaml index dc8abb1a8d9..39da09e68c0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux7.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux7.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux8.yaml index 0f900bb42f0..d90a71d0dfc 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/selinux8.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/sysctls0.yaml index 21d63a65a8f..428e57812d0 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/sysctls0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/sysctls0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault sysctls: - name: othersysctl value: other diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities0.yaml index f28e384225c..b0f763a20a7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities0.yaml @@ -31,3 +31,5 @@ spec: capabilities: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities1.yaml index b4be8387110..d055e87ceb6 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/addcapabilities1.yaml @@ -31,3 +31,5 @@ spec: - SYS_CHROOT securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/apparmorprofile0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/apparmorprofile0.yaml index 2f790baa0a4..63dfb044ca6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/apparmorprofile0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/apparmorprofile0.yaml @@ -17,3 +17,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/base.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/base.yaml index 56b47e7f2f4..985b50e2276 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/base.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/base.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostports0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostports0.yaml index c1813d4ff52..7908d1bb599 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostports0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostports0.yaml 
@@ -19,3 +19,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/privileged0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/privileged0.yaml index 0194f47aef1..efe91659066 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/privileged0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/privileged0.yaml @@ -17,3 +17,5 @@ spec: privileged: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/procmount0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/procmount0.yaml index 0fd9424c3da..7e97f7178c5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/procmount0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/procmount0.yaml @@ -17,3 +17,5 @@ spec: procMount: Default securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/restrictedvolumes0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/restrictedvolumes0.yaml index 15806c8f02d..b2ae5c424b7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/restrictedvolumes0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/restrictedvolumes0.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault volumes: - configMap: name: volume-configmap-test 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot0.yaml index 7250230e275..b4d19bc30ff 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot1.yaml index 7ba6345d0f2..9545e3c5846 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot1.yaml @@ -15,4 +15,6 @@ spec: securityContext: allowPrivilegeEscalation: false runAsNonRoot: true - securityContext: {} + securityContext: + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot2.yaml index 27b53f0d805..58a6c8cee0e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/runasnonroot2.yaml @@ -17,3 +17,5 @@ spec: runAsNonRoot: true securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted0.yaml new file mode 100755 index 00000000000..dbb38cf8522 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted1.yaml new file mode 100755 index 00000000000..88b6a1b845f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted1.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + seccompProfile: + localhostProfile: testing + type: Localhost diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted2.yaml new file mode 100755 index 00000000000..56acb87a81e --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted2.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted3.yaml new file mode 100755 index 00000000000..5bced2bf738 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/seccomp_restricted3.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: seccomp_restricted3 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + localhostProfile: testing + type: Localhost + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + seccompProfile: + localhostProfile: testing + type: Localhost + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux0.yaml index d914e0b00c8..bba683b7e0f 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux0.yaml @@ -17,3 +17,5 @@ spec: seLinuxOptions: {} securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux1.yaml index c391cd71474..81761b0cdf4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux1.yaml @@ -17,3 +17,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux10.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux10.yaml index 67d30aa7119..60ca43d5c2e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux10.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux10.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux11.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux11.yaml index 5e8e4299521..4a0a792a1c6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux11.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux11.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux12.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux12.yaml index 67150038291..004817c1425 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux12.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux12.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_kvm_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux13.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux13.yaml index 2c44d9fd807..b10723aad1c 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux13.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux13.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux14.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux14.yaml index 08d9789a6d5..f8ffc5ce30e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux14.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux14.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux15.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux15.yaml index 6ab973f2a29..a81aea47d81 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux15.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux15.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux16.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux16.yaml index a51186318c9..efef1073d16 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux16.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux16.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux17.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux17.yaml index 16c93576fb5..23ee4b82ee4 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux17.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux17.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux18.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux18.yaml index 6141503f43f..53ec170307e 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux18.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux18.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: level: somevalue + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux19.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux19.yaml index 2251561ecd0..94800132aac 100755 
--- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux19.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux19.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux2.yaml index b8498cbc662..ddedc76b193 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux2.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux2.yaml @@ -17,3 +17,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux20.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux20.yaml index d5819531dcb..5c3fac8d8d9 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux20.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux20.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux3.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux3.yaml index 54345a56a0e..c87d7057f70 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux3.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux3.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux4.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux4.yaml index 0274d5bbc5f..00cd4082dd5 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux4.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux4.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux5.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux5.yaml index 72b1c0818a8..222af451dec 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux5.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux5.yaml @@ -18,3 +18,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux6.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux6.yaml index 9d0c703d8a9..2ab63985910 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux6.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux6.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux7.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux7.yaml index 5138c5cdcb2..0c4c326edf6 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux7.yaml 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux7.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux8.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux8.yaml index 99fd076bed6..1e26c538446 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux8.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux8.yaml @@ -19,3 +19,5 @@ spec: securityContext: runAsNonRoot: true seLinuxOptions: {} + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux9.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux9.yaml index b4c3e31d113..03a382e5790 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux9.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/selinux9.yaml @@ -19,3 +19,5 @@ spec: runAsNonRoot: true seLinuxOptions: type: container_init_t + seccompProfile: + type: RuntimeDefault diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls0.yaml index e5e3fb64968..b4f0f501ad7 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls0.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls0.yaml @@ -15,3 +15,5 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml index dbb7d262e07..3d7ec630afe 100755 --- a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/sysctls1.yaml @@ -15,6 +15,8 @@ spec: allowPrivilegeEscalation: false securityContext: runAsNonRoot: true + seccompProfile: + type: RuntimeDefault sysctls: - name: kernel.shm_rmid_forced value: "0" diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..3717716775f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..3f64251e05b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..13d46702827 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/seccomp_baseline2.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..f473dc1a097 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/seccomp_baseline0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..95c57261a76 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/seccomp_baseline1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..3717716775f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..3f64251e05b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..13d46702827 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/seccomp_baseline2.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..f473dc1a097 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/seccomp_baseline0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..95c57261a76 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/seccomp_baseline1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..3717716775f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..3f64251e05b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..13d46702827 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/seccomp_baseline2.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..f473dc1a097 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/seccomp_baseline0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..95c57261a76 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/seccomp_baseline1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..3717716775f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..3f64251e05b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..13d46702827 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/seccomp_baseline2.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..f473dc1a097 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/seccomp_baseline0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..95c57261a76 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/seccomp_baseline1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..3717716775f --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline0.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..3f64251e05b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline1.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..13d46702827 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/seccomp_baseline2.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..f473dc1a097 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/seccomp_baseline0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true 
diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..95c57261a76 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/seccomp_baseline1.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline0.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null 
+++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/seccomp_baseline2.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/seccomp_baseline0.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/seccomp_baseline1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline0.yaml new file mode 100755 index 00000000000..ce641c5a1e3 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline0.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/pod: unconfined + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline1.yaml new file mode 100755 index 00000000000..672af9afd92 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline1.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: unconfined + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline2.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline2.yaml new file mode 100755 index 00000000000..e3f4a5fbe50 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/seccomp_baseline2.yaml 
@@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined + name: seccomp_baseline2 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/seccomp_baseline0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/seccomp_baseline0.yaml new file mode 100755 index 00000000000..0537678d5bd --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/seccomp_baseline0.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: runtime/default + container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default + seccomp.security.alpha.kubernetes.io/pod: runtime/default + name: seccomp_baseline0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/seccomp_baseline1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/seccomp_baseline1.yaml new file mode 100755 index 00000000000..206664d04eb --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/seccomp_baseline1.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + annotations: + container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing + container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing + seccomp.security.alpha.kubernetes.io/pod: localhost/testing + name: seccomp_baseline1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true