[Pod Security] Baseline + restricted policy checks for seccomp (#103341)

* podsecurity: add seccomp policy checks

* podsecurity: generated seccomp fixtures

staging/src/k8s.io/pod-security-admission/policy/check_seccomp_baseline.go

@@ -0,0 +1,140 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"fmt"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/pod-security-admission/api"
+)
+
+const (
+	annotationKeyPod             = "seccomp.security.alpha.kubernetes.io/pod"
+	annotationKeyContainerPrefix = "container.seccomp.security.alpha.kubernetes.io/"
+	missingRequiredValue         = "<missing required value>"
+)
+
+func init() {
+	addCheck(CheckSeccompBaseline)
+}
+
+func fieldValue(f *field.Path, val string) string {
+	return fmt.Sprintf("%s=%s", f.String(), val)
+}
+
+func fieldValueRequired(f *field.Path) string {
+	return fmt.Sprintf("%s=%s", f.String(), missingRequiredValue)
+}
+
+func CheckSeccompBaseline() Check {
+	return Check{
+		ID:    "seccomp_baseline",
+		Level: api.LevelBaseline,
+		Versions: []VersionedCheck{
+			{
+				MinimumVersion: api.MajorMinorVersion(1, 0),
+				CheckPod:       seccomp_1_0_baseline,
+			},
+			{
+				MinimumVersion: api.MajorMinorVersion(1, 19),
+				CheckPod:       seccomp_1_19_baseline,
+			},
+		},
+	}
+}
+
+func validSeccomp(t corev1.SeccompProfileType) bool {
+	return t == corev1.SeccompProfileTypeLocalhost ||
+		t == corev1.SeccompProfileTypeRuntimeDefault
+}
+
+// seccomp_1_0_baseline checks baseline policy on seccomp alpha annotation
+func seccomp_1_0_baseline(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	forbidden := sets.NewString()
+
+	if val, ok := podMetadata.Annotations[annotationKeyPod]; ok {
+		if val == corev1.SeccompProfileNameUnconfined {
+			podAnnotationField := field.NewPath("metadata").Child("annotations", annotationKeyPod)
+			forbidden.Insert(fieldValue(podAnnotationField, val))
+		}
+	}
+
+	visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
+		annotation := annotationKeyContainerPrefix + c.Name
+		if val, ok := podMetadata.Annotations[annotation]; ok {
+			if val == corev1.SeccompProfileNameUnconfined {
+				containerAnnotationField := field.NewPath("metadata").
+					Child("annotations", annotation)
+				forbidden.Insert(fieldValue(containerAnnotationField, val))
+			}
+		}
+	})
+
+	if len(forbidden) > 0 {
+		return CheckResult{
+			Allowed:         false,
+			ForbiddenReason: "seccomp profile",
+			ForbiddenDetail: strings.Join(forbidden.List(), ", "),
+		}
+	}
+
+	return CheckResult{Allowed: true}
+}
+
+// seccomp_1_19_baseline checks baseline policy on securityContext.seccompProfile field
+func seccomp_1_19_baseline(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	forbidden := sets.NewString()
+
+	if podSpec.SecurityContext != nil {
+		if podSpec.SecurityContext.SeccompProfile != nil {
+			seccompType := podSpec.SecurityContext.SeccompProfile.Type
+			if !validSeccomp(seccompType) {
+				podSeccompField := field.NewPath("spec").Child("securityContext", "seccompProfile", "type")
+				forbidden.Insert(fieldValue(podSeccompField, string(seccompType)))
+			}
+		}
+	}
+
+	visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
+		if c.SecurityContext != nil {
+			if c.SecurityContext.SeccompProfile != nil {
+				if c.SecurityContext.SeccompProfile.Type != "" {
+					seccompType := c.SecurityContext.SeccompProfile.Type
+					if !validSeccomp(seccompType) {
+						containerSeccompField := path.Child("securityContext", "seccompProfile", "type")
+						forbidden.Insert(fieldValue(containerSeccompField, string(seccompType)))
+					}
+				}
+			}
+		}
+	})
+
+	if len(forbidden) > 0 {
+		return CheckResult{
+			Allowed:         false,
+			ForbiddenReason: "seccomp profile",
+			ForbiddenDetail: strings.Join(forbidden.List(), ", "),
+		}
+	}
+
+	return CheckResult{Allowed: true}
+}

staging/src/k8s.io/pod-security-admission/policy/check_seccomp_restricted.go

@@ -0,0 +1,88 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/sets"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/pod-security-admission/api"
+)
+
+func init() {
+	addCheck(CheckSeccompRestricted)
+}
+
+func CheckSeccompRestricted() Check {
+	return Check{
+		ID:    "seccomp_restricted",
+		Level: api.LevelRestricted,
+		Versions: []VersionedCheck{
+			{
+				MinimumVersion: api.MajorMinorVersion(1, 19),
+				CheckPod:       seccomp_1_19_restricted,
+			},
+		},
+	}
+}
+
+// seccomp_1_19_restricted checks restricted policy on securityContext.seccompProfile field
+func seccomp_1_19_restricted(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult {
+	forbidden := sets.NewString()
+	podSeccompField := field.NewPath("spec").Child("securityContext", "seccompProfile", "type")
+	podSeccompSet := false
+
+	if podSpec.SecurityContext != nil {
+		if podSpec.SecurityContext.SeccompProfile != nil {
+			seccompType := podSpec.SecurityContext.SeccompProfile.Type
+			if !validSeccomp(podSpec.SecurityContext.SeccompProfile.Type) {
+				forbidden.Insert(fieldValue(podSeccompField, string(seccompType)))
+			} else {
+				podSeccompSet = true
+			}
+		}
+	}
+
+	visitContainersWithPath(podSpec, field.NewPath("spec"), func(c *corev1.Container, path *field.Path) {
+		if c.SecurityContext != nil && c.SecurityContext.SeccompProfile != nil {
+			seccompType := c.SecurityContext.SeccompProfile.Type
+			if !validSeccomp(seccompType) {
+				containerSeccompField := path.Child("securityContext", "seccompProfile", "type")
+				forbidden.Insert(fieldValue(containerSeccompField, string(seccompType)))
+			}
+			return
+		}
+
+		if !podSeccompSet {
+			containerSeccompField := path.Child("securityContext", "seccompProfile", "type")
+			forbidden.Insert(fieldValueRequired(containerSeccompField))
+		}
+	})
+
+	if len(forbidden) > 0 {
+		return CheckResult{
+			Allowed:         false,
+			ForbiddenReason: "seccomp profile",
+			ForbiddenDetail: strings.Join(forbidden.List(), ", "),
+		}
+	}
+
+	return CheckResult{Allowed: true}
+}

staging/src/k8s.io/pod-security-admission/test/fixtures.go

@@ -57,6 +57,15 @@ func init() {
 		p.Spec.InitContainers[0].SecurityContext = &corev1.SecurityContext{AllowPrivilegeEscalation: pointer.BoolPtr(false)}
 	})
 	minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 8)] = restricted_1_8
+
+	// 1.19+: seccompProfile.type=RuntimeDefault
+	restricted_1_19 := tweak(restricted_1_8, func(p *corev1.Pod) {
+		p.Annotations = nil
+		p.Spec.SecurityContext.SeccompProfile = &corev1.SeccompProfile{
+			Type: corev1.SeccompProfileTypeRuntimeDefault,
+		}
+	})
+	minimalValidPods[api.LevelRestricted][api.MajorMinorVersion(1, 19)] = restricted_1_19
 }
 
 // getValidPod returns a minimal valid pod for the specified level and version.

staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_baseline.go

@@ -0,0 +1,120 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/pod-security-admission/api"
+)
+
+/*
+Note: these fixtures utilize seccomp helper functions that ensure consistency across the
+alpha annotation (up to v.1.19) and the securityContext.seccompProfile field (v1.19+).
+
+The check implementation looks at the appropriate value based on version.
+*/
+
+func init() {
+	fixtureData_baseline_1_0 := fixtureGenerator{
+		expectErrorSubstring: "seccomp profile",
+		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+			// don't generate fixtures if minimal valid pod already has seccomp config
+			if val, ok := p.Annotations[annotationKeyPod]; ok &&
+				val == corev1.SeccompProfileRuntimeDefault {
+				return nil
+			}
+
+			p = ensureAnnotation(p)
+			return []*corev1.Pod{
+				tweak(p, func(p *corev1.Pod) {
+					p.Annotations[annotationKeyPod] = corev1.SeccompProfileRuntimeDefault
+					p.Annotations[annotationKeyContainer(p.Spec.Containers[0])] = corev1.SeccompProfileRuntimeDefault
+					p.Annotations[annotationKeyContainer(p.Spec.InitContainers[0])] = corev1.SeccompProfileRuntimeDefault
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Annotations[annotationKeyPod] = corev1.SeccompLocalhostProfileNamePrefix + "testing"
+					p.Annotations[annotationKeyContainer(p.Spec.Containers[0])] = corev1.SeccompLocalhostProfileNamePrefix + "testing"
+					p.Annotations[annotationKeyContainer(p.Spec.InitContainers[0])] = corev1.SeccompLocalhostProfileNamePrefix + "testing"
+				}),
+			}
+		},
+		generateFail: func(p *corev1.Pod) []*corev1.Pod {
+			p = ensureAnnotation(p)
+			return []*corev1.Pod{
+				tweak(p, func(p *corev1.Pod) {
+					p.Annotations[annotationKeyPod] = corev1.SeccompProfileNameUnconfined
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Annotations[annotationKeyContainer(p.Spec.Containers[0])] = corev1.SeccompProfileNameUnconfined
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Annotations[annotationKeyContainer(p.Spec.InitContainers[0])] = corev1.SeccompProfileNameUnconfined
+				}),
+			}
+		},
+	}
+
+	fixtureData_baseline_1_19 := fixtureGenerator{
+		expectErrorSubstring: "seccomp profile",
+		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+			// don't generate fixtures if minimal valid pod already has seccomp config
+			if p.Spec.SecurityContext != nil &&
+				p.Spec.SecurityContext.SeccompProfile != nil &&
+				p.Spec.SecurityContext.SeccompProfile.Type == corev1.SeccompProfileTypeRuntimeDefault {
+				return nil
+			}
+
+			p = ensureSecurityContext(p)
+			return []*corev1.Pod{
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+					p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+					p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = seccompProfileLocalhost("testing")
+					p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileLocalhost("testing")
+					p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileLocalhost("testing")
+				}),
+			}
+		},
+		generateFail: func(p *corev1.Pod) []*corev1.Pod {
+			p = ensureSecurityContext(p)
+			return []*corev1.Pod{
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = seccompProfileUnconfined
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileUnconfined
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileUnconfined
+				}),
+			}
+		},
+	}
+
+	registerFixtureGenerator(
+		fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "seccomp_baseline"},
+		fixtureData_baseline_1_0,
+	)
+
+	registerFixtureGenerator(
+		fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 19), check: "seccomp_baseline"},
+		fixtureData_baseline_1_19,
+	)
+}

staging/src/k8s.io/pod-security-admission/test/fixtures_seccomp_restricted.go

@@ -0,0 +1,90 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/pod-security-admission/api"
+)
+
+/*
+Note: these fixtures utilize seccomp helper functions that ensure consistency across the
+alpha annotation (up to v.1.19) and the securityContext.seccompProfile field (v1.19+).
+
+The check implementation looks at the appropriate value based on version.
+*/
+
+func init() {
+	fixtureData_restricted_1_19 := fixtureGenerator{
+		expectErrorSubstring: "seccomp profile",
+		generatePass: func(p *corev1.Pod) []*corev1.Pod {
+			p = ensureSecurityContext(p)
+			return []*corev1.Pod{
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = seccompProfileLocalhost("testing")
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = nil
+					p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+					p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = nil
+					p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileLocalhost("testing")
+					p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileLocalhost("testing")
+				}),
+			}
+		},
+		generateFail: func(p *corev1.Pod) []*corev1.Pod {
+			p = ensureSecurityContext(p)
+			return []*corev1.Pod{
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = nil
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = seccompProfileUnconfined
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = nil
+					p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = nil
+					p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = nil
+					p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+					p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileUnconfined
+				}),
+				tweak(p, func(p *corev1.Pod) {
+					p.Spec.SecurityContext.SeccompProfile = nil
+					p.Spec.Containers[0].SecurityContext.SeccompProfile = seccompProfileUnconfined
+					p.Spec.InitContainers[0].SecurityContext.SeccompProfile = seccompProfileRuntimeDefault
+				}),
+			}
+		},
+	}
+
+	registerFixtureGenerator(
+		fixtureKey{level: api.LevelRestricted, version: api.MajorMinorVersion(1, 19), check: "seccomp_restricted"},
+		fixtureData_restricted_1_19,
+	)
+}

staging/src/k8s.io/pod-security-admission/test/helpers_seccomp.go

@@ -0,0 +1,51 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package test
+
+import (
+	corev1 "k8s.io/api/core/v1"
+)
+
+const (
+	annotationKeyPod             = "seccomp.security.alpha.kubernetes.io/pod"
+	annotationKeyContainerPrefix = "container.seccomp.security.alpha.kubernetes.io/"
+)
+
+var (
+	// the RuntimeDefault seccomp profile
+	seccompProfileRuntimeDefault *corev1.SeccompProfile = &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeRuntimeDefault,
+	}
+
+	// the Unconfined seccomp profile
+	seccompProfileUnconfined *corev1.SeccompProfile = &corev1.SeccompProfile{
+		Type: corev1.SeccompProfileTypeUnconfined,
+	}
+)
+
+// the Localhost seccomp profile
+func seccompProfileLocalhost(profile string) *corev1.SeccompProfile {
+	return &corev1.SeccompProfile{
+		Type:             corev1.SeccompProfileTypeLocalhost,
+		LocalhostProfile: &profile,
+	}
+}
+
+// annotationKeyContainer builds the annotation key for a specific container
+func annotationKeyContainer(c corev1.Container) string {
+	return annotationKeyContainerPrefix + c.Name
+}

staging/src/k8s.io/pod-security-admission/test/run.go

@@ -110,6 +110,7 @@ func (t *testWarningHandler) HandleWarningHeader(code int, agent string, warning
 	defer t.lock.Unlock()
 	t.warnings = append(t.warnings, warning)
 }
+
 func (t *testWarningHandler) FlushWarnings() []string {
 	t.lock.Lock()
 	defer t.lock.Unlock()
@@ -251,10 +252,14 @@ func Run(t *testing.T, opts Options) {
 						return
 					}
 				}
+
 				if expectSuccess && len(warningText) > 0 {
+					if (len(expectErrorSubstring) > 0 && strings.Contains(warningText, expectErrorSubstring)) ||
+						strings.Contains(warningText, policy.UnknownForbiddenReason) {
 						t.Errorf("%d: unexpected warning creating %s: %v", i, toJSON(pod), warningText)
 					}
 				}
+			}
 
 			minimalValidPod, err := getMinimalValidPod(level, version)
 			if err != nil {

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: Unconfined

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline1.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/seccomp_baseline2.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline0.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/seccomp_baseline1.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  securityContext:
+    seccompProfile:
+      localhostProfile: testing
+      type: Localhost

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: Unconfined

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline1.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/seccomp_baseline2.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline0.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/seccomp_baseline1.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  securityContext:
+    seccompProfile:
+      localhostProfile: testing
+      type: Localhost

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: Unconfined

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline1.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/seccomp_baseline2.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline0.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/seccomp_baseline1.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  securityContext:
+    seccompProfile:
+      localhostProfile: testing
+      type: Localhost

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline0.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext:
+    seccompProfile:
+      type: Unconfined

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline1.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext: {}
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/seccomp_baseline2.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext: {}
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: Unconfined
+  securityContext: {}

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline0.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        type: RuntimeDefault
+  securityContext:
+    seccompProfile:
+      type: RuntimeDefault

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/seccomp_baseline1.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+    securityContext:
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1
+    securityContext:
+      seccompProfile:
+        localhostProfile: testing
+        type: Localhost
+  securityContext:
+    seccompProfile:
+      localhostProfile: testing
+      type: Localhost

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline0.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: runtime/default
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: runtime/default
+    seccomp.security.alpha.kubernetes.io/pod: runtime/default
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/seccomp_baseline1.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: localhost/testing
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: localhost/testing
+    seccomp.security.alpha.kubernetes.io/pod: localhost/testing
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline0.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    seccomp.security.alpha.kubernetes.io/pod: unconfined
+  name: seccomp_baseline0
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline1.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/container1: unconfined
+  name: seccomp_baseline1
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1

staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/seccomp_baseline2.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    container.seccomp.security.alpha.kubernetes.io/initcontainer1: unconfined
+  name: seccomp_baseline2
+spec:
+  containers:
+  - image: k8s.gcr.io/pause
+    name: container1
+  initContainers:
+  - image: k8s.gcr.io/pause
+    name: initcontainer1