Add automated tests for K8s PSP Support

Add ~74 new automated tests that verify K8s PSP Support. For each PSP attribute, add both positive and negative test cases. For some of the more complicated attributes like runAsUser/Group/etc, include cases where the uids are specicified both at the container security context level and pod security context level and then combined with mayRunAs/mustRunAs, etc. Also, some existing tests are updated to handle proper use of "in" and "intersects" in expressions. Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2025-10-22 03:49:36 +00:00 · 2019-09-09 16:47:19 -07:00
parent 8ebcbac7a3
commit 89121527da
71 changed files with 1184 additions and 3 deletions
--- a/test/confs/psp.yaml
+++ b/test/confs/psp.yaml
@@ -0,0 +1,165 @@
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco .
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# File(s) or Directories containing Falco rules, loaded at startup.
+# The name "rules_file" is only for backwards compatibility.
+# If the entry is a file, it will be read directly. If the entry is a directory,
+# every file in that directory will be read, in alphabetical order.
+#
+# falco_rules.yaml ships with the falco package and is overridden with
+# every new software version. falco_rules.local.yaml is only created
+# if it doesn't exist. If you want to customize the set of rules, add
+# your customizations to falco_rules.local.yaml.
+#
+# The files will be read in the order presented here, so make sure if
+# you have overrides they appear in later files.
+rules_file: []
+
+# If true, the times displayed in log messages and output messages
+# will be in ISO 8601. By default, times are displayed in the local
+# time zone, as governed by /etc/localtime.
+time_format_iso_8601: false
+
+# Whether to output events in json or text
+json_output: false
+
+# When using json output, whether or not to include the "output" property
+# itself (e.g. "File below a known binary directory opened for writing
+# (user=root ....") in the json output.
+json_include_output_property: true
+
+# Send information logs to stderr and/or syslog Note these are *not* security
+# notification logs! These are just Falco lifecycle (and possibly error) logs.
+log_stderr: true
+log_syslog: true
+
+# Minimum log level to include in logs. Note: these levels are
+# separate from the priority field of rules. This refers only to the
+# log level of falco's internal logging. Can be one of "emergency",
+# "alert", "critical", "error", "warning", "notice", "info", "debug".
+log_level: info
+
+# Minimum rule priority level to load and run. All rules having a
+# priority more severe than this level will be loaded/run.  Can be one
+# of "emergency", "alert", "critical", "error", "warning", "notice",
+# "info", "debug".
+priority: debug
+
+# Whether or not output to any of the output channels below is
+# buffered. Defaults to false
+buffered_outputs: false
+
+# Falco uses a shared buffer between the kernel and userspace to pass
+# system call information. When falco detects that this buffer is
+# full and system calls have been dropped, it can take one or more of
+# the following actions:
+#   - "ignore": do nothing. If an empty list is provided, ignore is assumed.
+#   - "log": log a CRITICAL message noting that the buffer was full.
+#   - "alert": emit a falco alert noting that the buffer was full.
+#   - "exit": exit falco with a non-zero rc.
+#
+# The rate at which log/alert messages are emitted is governed by a
+# token bucket. The rate corresponds to one message every 30 seconds
+# with a burst of 10 messages.
+
+syscall_event_drops:
+  actions:
+    - log
+    - alert
+  rate: .03333
+  max_burst: 10
+
+# A throttling mechanism implemented as a token bucket limits the
+# rate of falco notifications. This throttling is controlled by the following configuration
+# options:
+#  - rate: the number of tokens (i.e. right to send a notification)
+#    gained per second. Defaults to 1.
+#  - max_burst: the maximum number of tokens outstanding. Defaults to 1000.
+#
+# With these defaults, falco could send up to 1000 notifications after
+# an initial quiet period, and then up to 1 notification per second
+# afterward. It would gain the full burst back after 1000 seconds of
+# no activity.
+
+outputs:
+  rate: 1
+  max_burst: 1000
+
+# Where security notifications should go.
+# Multiple outputs can be enabled.
+
+syslog_output:
+  enabled: true
+
+# If keep_alive is set to true, the file will be opened once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the file will be re-opened
+# for each output message.
+#
+# Also, the file will be closed and reopened if falco is signaled with
+# SIGUSR1.
+
+file_output:
+  enabled: false
+  keep_alive: false
+  filename: ./events.txt
+
+stdout_output:
+  enabled: true
+
+# Falco contains an embedded webserver that can be used to accept K8s
+# Audit Events. These config options control the behavior of that
+# webserver. (By default, the webserver is disabled).
+#
+# The ssl_certificate is a combination SSL Certificate and corresponding
+# key contained in a single file. You can generate a key/cert as follows:
+#
+# $ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
+# $ cat certificate.pem key.pem > falco.pem
+# $ sudo cp falco.pem /etc/falco/falco.pem
+
+webserver:
+  enabled: true
+  listen_port: 8765
+  k8s_audit_endpoint: /k8s_audit
+  ssl_enabled: false
+  ssl_certificate: /etc/falco/falco.pem
+
+# Possible additional things you might want to do with program output:
+#   - send to a slack webhook:
+#         program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+#   - logging (alternate method than syslog):
+#         program: logger -t falco-test
+#   - send over a network connection:
+#         program: nc host.example.com 80
+
+# If keep_alive is set to true, the program will be started once and
+# continuously written to, with each output message on its own
+# line. If keep_alive is set to false, the program will be re-spawned
+# for each output message.
+#
+# Also, the program will be closed and reopened if falco is signaled with
+# SIGUSR1.
+program_output:
+  enabled: false
+  keep_alive: false
+  program: "jq '{text: .output}' | curl -d @- -X POST https://hooks.slack.com/services/XXX"
+
+http_output:
+  enabled: false
+  url: http://some.url
--- a/test/falco_test.py
+++ b/test/falco_test.py
@@ -39,6 +39,8 @@ class FalcoTest(Test):

        self.falcodir = self.params.get('falcodir', '/', default=build_dir)

+        self.psp_conv_path = os.path.join(build_dir, "tools", "psp_conv", "falco-psp-conv")
+
        self.stdout_is = self.params.get('stdout_is', '*', default='')
        self.stderr_is = self.params.get('stderr_is', '*', default='')

@@ -92,8 +94,15 @@ class FalcoTest(Test):
            if not isinstance(self.validate_rules_file, list):
                self.validate_rules_file = [self.validate_rules_file]

+        self.psp_rules_file = os.path.join(build_dir, "psp_rules.yaml")
+
+        self.psp_file = self.params.get('psp_file', '*', default="")
+
        self.rules_args = ""

+        if self.psp_file != "":
+            self.rules_args = self.rules_args + "-r " + self.psp_rules_file + " "
+
        for file in self.validate_rules_file:
            if not os.path.isabs(file):
                file = os.path.join(self.basedir, file)
@@ -424,6 +433,24 @@ class FalcoTest(Test):
        if self.trace_file:
            trace_arg = "-e {}".format(self.trace_file)

+        # Possibly run psp converter
+        if self.psp_file != "":
+            conv_cmd = '{} --psp {} --rules {}'.format(
+                self.psp_conv_path, os.path.join(self.basedir, self.psp_file), self.psp_rules_file)
+
+            conv_proc = process.SubProcess(conv_cmd)
+
+            conv_res = conv_proc.run(timeout=180, sig=9)
+
+            if conv_res.exit_status != 0:
+                self.error("psp_conv command \"{}\" exited with unexpected return value {}. Full stdout={} stderr={}".format(
+                    conv_cmd, conv_res.exit_status, conv_res.stdout, conv_res.stderr))
+
+            with open(self.psp_rules_file, 'r') as myfile:
+                psp_rules = myfile.read()
+                self.log.debug("Converted Rules: {}".format(psp_rules))
+
+
        # Run falco
        cmd = '{} {} {} -c {} {} -o json_output={} -o json_include_output_property={} -o priority={} -v'.format(
            self.falco_binary_path, self.rules_args, self.disabled_args, self.conf_file, trace_arg, self.json_output, self.json_include_output_property, self.priority)
--- a/test/falco_tests_psp.yaml
+++ b/test/falco_tests_psp.yaml
@@ -0,0 +1,646 @@
+#
+# Copyright (C) 2016-2018 Draios Inc dba Sysdig.
+#
+# This file is part of falco.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+trace_files: !mux
+
+  privileged_detect_k8s_audit:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (privileged) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privileged.yaml
+    trace_file: trace_files/psp/privileged.json
+
+  privileged_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (privileged) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privileged.yaml
+    trace_file: trace_files/psp/privileged.scap
+
+  privileged_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privileged.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  host_pid_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (hostPID)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_pid.yaml
+    trace_file: trace_files/psp/host_pid.json
+
+  host_pid_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_pid.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  host_ipc_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (hostIPC)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_ipc.yaml
+    trace_file: trace_files/psp/host_ipc.json
+
+  host_ipc_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_ipc.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  host_network_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (hostNetwork)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_network.yaml
+    trace_file: trace_files/psp/host_network.json
+
+  host_network_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_network.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  host_network_ports_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (hostPorts)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_network_ports.yaml
+    trace_file: trace_files/psp/host_network_ports.json
+
+  host_network_ports_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/host_network_ports.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  volumes_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (volumes)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/volumes.yaml
+    trace_file: trace_files/psp/mount_etc_using_host_path.json
+
+  volumes_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/volumes.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  allowed_host_paths_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (allowedHostPaths)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_host_paths.yaml
+    trace_file: trace_files/psp/mount_etc_using_host_path.json
+
+  allowed_host_paths_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_host_paths.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  allowed_flex_volumes_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (allowedFlexVolumes)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/flex_volumes.yaml
+    trace_file: trace_files/psp/flex_volumes.json
+
+  allowed_flex_volumes_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/flex_volumes.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  fs_group_must_run_as_with_unset:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (fsGroup)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_must_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  fs_group_must_run_as:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (fsGroup)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_must_run_as.yaml
+    trace_file: trace_files/psp/fs_group.json
+
+  fs_group_may_run_as:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (fsGroup)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_may_run_as.yaml
+    trace_file: trace_files/psp/fs_group.json
+
+  fs_group_may_run_as_with_unset:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_may_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  fs_group_run_as_any:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_run_as_any.yaml
+    trace_file: trace_files/psp/fs_group.json
+
+  fs_group_run_as_any_with_unset:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/fs_group_run_as_any.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  read_only_root_fs_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (readOnlyRootFilesystem) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/read_only_root_fs.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  read_only_root_fs_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (readOnlyRootFilesystem) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/read_only_root_fs.yaml
+    trace_file: trace_files/psp/write_tmp_test.scap
+
+  read_only_root_fs_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/read_only_root_fs.yaml
+    trace_file: trace_files/psp/read_only_root_fs.json
+
+  user_must_run_as_with_unset:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsUser=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  user_must_run_as_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsUser=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_1000_container.json
+
+  user_must_run_as_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsUser=MustRunAs) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_65534_container.scap
+
+  user_must_run_as_not_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_30_container.json
+
+  user_must_run_as_detect_sec_ctx:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsUser=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
+
+  user_must_run_as_not_detect_sec_ctx:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_30_sec_ctx.json
+
+  user_must_run_as_detect_both:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsUser=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
+
+  user_must_run_as_not_detect_both:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
+
+  user_must_run_as_non_root_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_0_container.json
+
+  user_must_run_as_non_root_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsUser=MustRunAsNonRoot) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_0_container.scap
+
+  user_must_run_as_non_root_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_1000_container.json
+
+  user_must_run_as_non_root_detect_sec_ctx:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_0_sec_ctx.json
+
+  user_must_run_as_non_root_no_detect_sec_ctx:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_1000_sec_ctx.json
+
+  user_must_run_as_non_root_detect_both:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsUser=MustRunAsNonRoot) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
+
+  user_must_run_as_non_root_no_detect_both:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/user_must_run_as_non_root.yaml
+    trace_file: trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
+
+  group_must_run_as_with_unset:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsGroup=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  group_must_run_as_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsGroup=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_container.json
+
+  group_must_run_as_detect_syscall:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsGroup=MustRunAs) System Activity": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_user_65534_container.scap
+
+  group_must_run_as_not_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_container.json
+
+  group_must_run_as_detect_sec_ctx:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsGroup=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
+
+  group_must_run_as_not_detect_sec_ctx:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
+
+  group_must_run_as_detect_both:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsGroup=MustRunAs) K8s Audit": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
+
+  group_must_run_as_not_detect_both:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_must_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
+
+  group_may_run_as_with_unset:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  group_may_run_as_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsGroup=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_container.json
+
+  group_may_run_as_not_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_container.json
+
+  group_may_run_as_detect_sec_ctx:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsGroup=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_sec_ctx.json
+
+  group_may_run_as_not_detect_sec_ctx:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_sec_ctx.json
+
+  group_may_run_as_detect_both:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (runAsGroup=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
+
+  group_may_run_as_not_detect_both:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/group_may_run_as.yaml
+    trace_file: trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
+
+  supplemental_groups_must_run_as_with_unset:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (supplementalGroups=MustRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  supplemental_groups_must_run_as_no_overlap:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (supplementalGroups=MustRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_30_40.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_must_run_as_partial_overlap:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (supplementalGroups=MustRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_30_40_10_15.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_must_run_as_overlap:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_10_20.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_must_run_as_overlap_multiple_ranges:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_must_run_as_10_40_10_20.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_may_run_as_with_unset:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  supplemental_groups_may_run_as_no_overlap:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (supplementalGroups=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_30_40.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_may_run_as_partial_overlap:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (supplementalGroups=MayRunAs)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_30_40_10_15.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_may_run_as_overlap:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_10_20.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  supplemental_groups_may_run_as_overlap_multiple_ranges:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/supplemental_groups_may_run_as_10_40_10_20.yaml
+    trace_file: trace_files/psp/supplemental_groups_10_20.json
+
+  privilege_escalation_privilege_escalation_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (allowPrivilegeEscalation)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/privilege_escalation.yaml
+    trace_file: trace_files/psp/privilege_escalation.json
+
+  allowed_capabilities_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (allowedCapabilities)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_capabilities.yaml
+    trace_file: trace_files/psp/capability_add_sys_time.json
+
+  allowed_capabilities_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_capabilities.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  allowed_capabilities_match:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_capabilities.yaml
+    trace_file: trace_files/psp/capability_add_sys_nice.json
+
+  allowed_proc_mount_types_detect:
+    detect: True
+    detect_level: WARNING
+    detect_counts:
+      - "PSP Violation (allowedProcMountTypes)": 1
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_proc_mount_types.yaml
+    trace_file: trace_files/psp/proc_mount_type_unmasked.json
+
+  allowed_proc_mount_types_no_detect:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_proc_mount_types.yaml
+    trace_file: trace_files/psp/create_vanilla_nginx_deployment.json
+
+  allowed_proc_mount_types_match:
+    detect: False
+    rules_file: []
+    conf_file: confs/psp.yaml
+    psp_file: psps/allowed_proc_mount_types.yaml
+    trace_file: trace_files/psp/proc_mount_type_default.json
--- a/test/psps/allowed_capabilities.yaml
+++ b/test/psps/allowed_capabilities.yaml
@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: allow_capability_sys_nice
+spec:
+  allowedCapabilities:
+    - SYS_NICE
+
--- a/test/psps/allowed_host_paths.yaml
+++ b/test/psps/allowed_host_paths.yaml
@@ -0,0 +1,11 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: only_mount_host_usr
+spec:
+  allowedHostPaths:
+    - pathPrefix: /usr
+      readOnly: true
+
--- a/test/psps/allowed_proc_mount_types.yaml
+++ b/test/psps/allowed_proc_mount_types.yaml
@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: allow_default_proc_mount_type
+spec:
+  allowedProcMountTypes:
+    - Default
+
--- a/test/psps/flex_volumes.yaml
+++ b/test/psps/flex_volumes.yaml
@@ -0,0 +1,13 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: only_lvm_cifs_flex_volumes
+spec:
+  volumes:
+    - flexVolume
+  allowedFlexVolumes:
+    - driver: example/lvm
+    - driver: example/cifs
+
--- a/test/psps/fs_group_may_run_as.yaml
+++ b/test/psps/fs_group_may_run_as.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: fs_group_may_run_as_30
+spec:
+  fsGroup:
+    rule: "MayRunAs"
+    ranges:
+      - min: 30
+        max: 40
--- a/test/psps/fs_group_must_run_as.yaml
+++ b/test/psps/fs_group_must_run_as.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: fs_group_must_run_as_30
+spec:
+  fsGroup:
+    rule: "MustRunAs"
+    ranges:
+      - min: 30
+        max: 40
--- a/test/psps/fs_group_run_as_any.yaml
+++ b/test/psps/fs_group_run_as_any.yaml
@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: fs_group_run_as_any
+spec:
+  fsGroup:
+    rule: "RunAsAny"
+
--- a/test/psps/group_may_run_as.yaml
+++ b/test/psps/group_may_run_as.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: group_may_run_as_30
+spec:
+  runAsGroup:
+    rule: "MayRunAs"
+    ranges:
+      - min: 30
+        max: 40
--- a/test/psps/group_must_run_as.yaml
+++ b/test/psps/group_must_run_as.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: group_must_run_as_30
+spec:
+  runAsGroup:
+    rule: "MustRunAs"
+    ranges:
+      - min: 30
+        max: 40
--- a/test/psps/host_ipc.yaml
+++ b/test/psps/host_ipc.yaml
@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_host_ipc
+spec:
+  hostIPC: false
--- a/test/psps/host_network.yaml
+++ b/test/psps/host_network.yaml
@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_host_network
+spec:
+  hostNetwork: false
--- a/test/psps/host_network_ports.yaml
+++ b/test/psps/host_network_ports.yaml
@@ -0,0 +1,11 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: host_ports_100_200_only
+spec:
+  hostNetwork: true
+  hostPorts:
+    - min: 100
+      max: 200
--- a/test/psps/host_pid.yaml
+++ b/test/psps/host_pid.yaml
@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_host_pid
+spec:
+  hostPID: false
--- a/test/psps/privilege_escalation.yaml
+++ b/test/psps/privilege_escalation.yaml
@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_privileged
+spec:
+  allowPrivilegeEscalation: false
--- a/test/psps/privileged.yaml
+++ b/test/psps/privileged.yaml
@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: no_privileged
+spec:
+  privileged: false
--- a/test/psps/read_only_root_fs.yaml
+++ b/test/psps/read_only_root_fs.yaml
@@ -0,0 +1,8 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: read_only_root_fs
+spec:
+  readOnlyRootFilesystem: true
--- a/test/psps/supplemental_groups_may_run_as_10_20.yaml
+++ b/test/psps/supplemental_groups_may_run_as_10_20.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_may_run_as_10
+spec:
+  supplementalGroups:
+    rule: "MayRunAs"
+    ranges:
+      - min: 10
+        max: 20
--- a/test/psps/supplemental_groups_may_run_as_10_40_10_20.yaml
+++ b/test/psps/supplemental_groups_may_run_as_10_40_10_20.yaml
@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_may_run_as_30
+spec:
+  supplementalGroups:
+    rule: "MayRunAs"
+    ranges:
+      - min: 10
+        max: 40
+      - min: 10
+        max: 20
--- a/test/psps/supplemental_groups_may_run_as_30_40.yaml
+++ b/test/psps/supplemental_groups_may_run_as_30_40.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_may_run_as_30
+spec:
+  supplementalGroups:
+    rule: "MayRunAs"
+    ranges:
+      - min: 30
+        max: 40
--- a/test/psps/supplemental_groups_may_run_as_30_40_10_15.yaml
+++ b/test/psps/supplemental_groups_may_run_as_30_40_10_15.yaml
@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_may_run_as_30
+spec:
+  supplementalGroups:
+    rule: "MayRunAs"
+    ranges:
+      - min: 30
+        max: 40
+      - min: 10
+        max: 15
--- a/test/psps/supplemental_groups_must_run_as_10_20.yaml
+++ b/test/psps/supplemental_groups_must_run_as_10_20.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_must_run_as_10
+spec:
+  supplementalGroups:
+    rule: "MustRunAs"
+    ranges:
+      - min: 10
+        max: 20
--- a/test/psps/supplemental_groups_must_run_as_10_40_10_20.yaml
+++ b/test/psps/supplemental_groups_must_run_as_10_40_10_20.yaml
@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_must_run_as_30
+spec:
+  supplementalGroups:
+    rule: "MustRunAs"
+    ranges:
+      - min: 10
+        max: 40
+      - min: 10
+        max: 20
--- a/test/psps/supplemental_groups_must_run_as_30_40.yaml
+++ b/test/psps/supplemental_groups_must_run_as_30_40.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_must_run_as_30
+spec:
+  supplementalGroups:
+    rule: "MustRunAs"
+    ranges:
+      - min: 30
+        max: 40
--- a/test/psps/supplemental_groups_must_run_as_30_40_10_15.yaml
+++ b/test/psps/supplemental_groups_must_run_as_30_40_10_15.yaml
@@ -0,0 +1,14 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: supplemental_groups_must_run_as_30
+spec:
+  supplementalGroups:
+    rule: "MustRunAs"
+    ranges:
+      - min: 30
+        max: 40
+      - min: 10
+        max: 15
--- a/test/psps/user_must_run_as.yaml
+++ b/test/psps/user_must_run_as.yaml
@@ -0,0 +1,12 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: user_must_run_as_30
+spec:
+  runAsUser:
+    rule: "MustRunAs"
+    ranges:
+      - min: 30
+        max: 40
--- a/test/psps/user_must_run_as_non_root.yaml
+++ b/test/psps/user_must_run_as_non_root.yaml
@@ -0,0 +1,9 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: user_must_run_as_non_root
+spec:
+  runAsUser:
+    rule: "MustRunAsNonRoot"
--- a/test/psps/volumes.yaml
+++ b/test/psps/volumes.yaml
@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  annotations:
+    falco-rules-psp-images: "[nginx]"
+  name: only_secret_volumes
+spec:
+  volumes:
+    - secret
+
--- a/test/rules/k8s_audit/allow_nginx_container.yaml
+++ b/test/rules/k8s_audit/allow_nginx_container.yaml
@@ -1,3 +1,3 @@
 - macro: allowed_k8s_containers
-  condition: (ka.req.container.image.repository=nginx)
+  condition: (ka.req.pod.containers.image.repository in (nginx))

--- a/test/rules/k8s_audit/allow_only_apache_container.yaml
+++ b/test/rules/k8s_audit/allow_only_apache_container.yaml
@@ -1,3 +1,3 @@
 - macro: allowed_k8s_containers
-  condition: (ka.req.container.image.repository=apache)
+  condition: (ka.req.pod.containers.image.repository in (apache))

--- a/test/run_regression_tests.sh
+++ b/test/run_regression_tests.sh
@@ -88,7 +88,7 @@ function run_tests() {
    # return status when running avocado.
    set +e
    TEST_RC=0
-    for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml; do
+    for mult in $SCRIPTDIR/falco_traces.yaml $SCRIPTDIR/falco_tests.yaml $SCRIPTDIR/falco_tests_package.yaml $SCRIPTDIR/falco_k8s_audit_tests.yaml $SCRIPTDIR/falco_tests_psp.yaml; do
 	CMD="avocado run --mux-yaml $mult --job-results-dir $SCRIPTDIR/job-results -- $SCRIPTDIR/falco_test.py"
 	echo "Running: $CMD"
 	BUILD_DIR=${BUILD_DIR} $CMD
--- a/test/trace_files/CMakeLists.txt
+++ b/test/trace_files/CMakeLists.txt
@@ -1,4 +1,5 @@
 add_subdirectory(k8s_audit)
+add_subdirectory(psp)
 # Note: list of traces is created at cmake time, not build time
 file(GLOB test_trace_files
 	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
--- a/test/trace_files/psp/CMakeLists.txt
+++ b/test/trace_files/psp/CMakeLists.txt
@@ -0,0 +1,13 @@
+# Note: list of traces is created at cmake time, not build time
+file(GLOB test_trace_files
+	"${CMAKE_CURRENT_SOURCE_DIR}/*.json"
+	"${CMAKE_CURRENT_SOURCE_DIR}/*.scap")
+
+foreach(trace_file_path ${test_trace_files})
+	get_filename_component(trace_file ${trace_file_path} NAME)
+	add_custom_target(test-trace-${trace_file} ALL
+		DEPENDS ${CMAKE_CURRENT_BINARY_DIR}/${trace_file})
+	add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+		COMMAND ${CMAKE_COMMAND} -E copy ${trace_file_path} ${CMAKE_CURRENT_BINARY_DIR}/${trace_file}
+		DEPENDS ${trace_file_path})
+endforeach()
--- a/test/trace_files/psp/capability_add_sys_nice.json
+++ b/test/trace_files/psp/capability_add_sys_nice.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/capability_add_sys_time.json
+++ b/test/trace_files/psp/capability_add_sys_time.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_TIME"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_TIME"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/create_vanilla_nginx_deployment.json
+++ b/test/trace_files/psp/create_vanilla_nginx_deployment.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T14:09:49Z"},"level":"RequestResponse","timestamp":"2018-10-25T14:09:49Z","auditID":"7c8b2603-6a87-4764-b166-49dd7fa46f4c","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["::1"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78f5d695bd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78f5d695bd-nxqz5","generateName":"nginx-deployment-78f5d695bd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78f5d695bd-nxqz5","uid":"a2ad81ba-d85f-11e8-88b6-080027728ac4","resourceVersion":"237324","creationTimestamp":"2018-10-25T14:09:49Z","labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-g2sp7","secret":{"secretName":"default-token-g2sp7","defaultMode":420}}],"containers":[{"name":"nginx","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-g2sp7","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2018-10-25T14:09:49.750328Z","stageTimestamp":"2018-10-25T14:09:49.761315Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/flex_volumes.json
+++ b/test/trace_files/psp/flex_volumes.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"68be6685-eca7-462a-ab53-ae65960ba638","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5575fc4cfd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"5575fc4cfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5575fc4cfd","uid":"bbdbd8fe-9459-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"dummy-tmp","flexVolume":{"driver":"dummy/dummy"}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"dummy-tmp","mountPath":"/dummy/tmp"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5575fc4cfd-95vmv","generateName":"nginx-deployment-5575fc4cfd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5575fc4cfd-95vmv","uid":"bbde0eec-9459-11e9-9dc6-080027cac2d9","resourceVersion":"7185","creationTimestamp":"2019-06-21T19:21:13Z","labels":{"app":"nginx","pod-template-hash":"5575fc4cfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5575fc4cfd","uid":"bbdbd8fe-9459-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"dummy-tmp","flexVolume":{"driver":"dummy/dummy"}},{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"dummy-tmp","mountPath":"/dummy/tmp"},{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T19:21:13.637829Z","stageTimestamp":"2019-06-21T19:21:13.648070Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/fs_group.json
+++ b/test/trace_files/psp/fs_group.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"80e45c71-0618-4e6a-af42-fa13b83f8d03","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6fc66bd775-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6fc66bd775"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6fc66bd775","uid":"90bfb948-9462-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"fsGroup":2000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6fc66bd775-z6txl","generateName":"nginx-deployment-6fc66bd775-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6fc66bd775-z6txl","uid":"90c2433c-9462-11e9-9dc6-080027cac2d9","resourceVersion":"8201","creationTimestamp":"2019-06-21T20:24:26Z","labels":{"app":"nginx","pod-template-hash":"6fc66bd775"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6fc66bd775","uid":"90bfb948-9462-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"fsGroup":2000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T20:24:26.783217Z","stageTimestamp":"2019-06-21T20:24:26.790787Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/host_ipc.json
+++ b/test/trace_files/psp/host_ipc.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"e2c061fc-7b81-4e1e-b1d2-a54b5ee93920","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-755c58cb7c-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"755c58cb7c"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-755c58cb7c","uid":"cd652bbf-9232-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostIPC":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-755c58cb7c-vrx4n","generateName":"nginx-deployment-755c58cb7c-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-755c58cb7c-vrx4n","uid":"cd67586f-9232-11e9-b061-08002760e39e","resourceVersion":"1628","creationTimestamp":"2019-06-19T01:37:30Z","labels":{"app":"nginx","pod-template-hash":"755c58cb7c"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-755c58cb7c","uid":"cd652bbf-9232-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostIPC":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:37:30.360992Z","stageTimestamp":"2019-06-19T01:37:30.365019Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/host_network.json
+++ b/test/trace_files/psp/host_network.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"f7c424ca-5028-4e01-9d95-199caaae240d","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5dc5447c47-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"5dc5447c47"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5dc5447c47","uid":"3556e44d-944d-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5dc5447c47-fp5m4","generateName":"nginx-deployment-5dc5447c47-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5dc5447c47-fp5m4","uid":"3558a533-944d-11e9-993f-080027cac2d9","resourceVersion":"619","creationTimestamp":"2019-06-21T17:51:33Z","labels":{"app":"nginx","pod-template-hash":"5dc5447c47"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5dc5447c47","uid":"3556e44d-944d-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T17:51:33.989119Z","stageTimestamp":"2019-06-21T17:51:33.994788Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/host_network_ports.json
+++ b/test/trace_files/psp/host_network_ports.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"ff8f799f-6d31-43e8-a55c-95497daca0f2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-84ffbbb976-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"84ffbbb976"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-84ffbbb976","uid":"8742e6a8-944f-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","ports":[{"hostPort":1234,"containerPort":1234,"protocol":"TCP"}],"resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-84ffbbb976-5tnlg","generateName":"nginx-deployment-84ffbbb976-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-84ffbbb976-5tnlg","uid":"87447a8c-944f-11e9-993f-080027cac2d9","resourceVersion":"1841","creationTimestamp":"2019-06-21T18:08:10Z","labels":{"app":"nginx","pod-template-hash":"84ffbbb976"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-84ffbbb976","uid":"8742e6a8-944f-11e9-993f-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","ports":[{"hostPort":1234,"containerPort":1234,"protocol":"TCP"}],"resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostNetwork":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T18:08:10.423301Z","stageTimestamp":"2019-06-21T18:08:10.432566Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/host_pid.json
+++ b/test/trace_files/psp/host_pid.json
@@ -0,0 +1,2 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"3df89bb7-9071-4f0c-afab-339ebec678c0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6c6f946f-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6c6f946f-9c727","generateName":"nginx-deployment-6c6f946f-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6c6f946f-9c727","uid":"db5df1e0-9230-11e9-b061-08002760e39e","resourceVersion":"597","creationTimestamp":"2019-06-19T01:23:34Z","labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:23:34.789147Z","stageTimestamp":"2019-06-19T01:23:34.798230Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
+
--- a/test/trace_files/psp/mount_etc_using_host_path.json
+++ b/test/trace_files/psp/mount_etc_using_host_path.json
@@ -0,0 +1 @@
+{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"e456c9cf-9abe-4fa1-8526-e014da96821b","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30,"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"}]},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:36:11.686139Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z","generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"name":"nginx-deployment-7d5b5dd9cf-t8ngb","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}],"resourceVersion":"245060","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-7d5b5dd9cf-t8ngb","uid":"76e27404-d87c-11e8-88b6-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"},{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"},{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:36:11.693676Z","timestamp":"2018-10-25T17:36:11Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}
--- a/test/trace_files/psp/privilege_escalation.json
+++ b/test/trace_files/psp/privilege_escalation.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"eaf82da5-32c1-4acf-83f1-6da93c5242f0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78d8d6bdfd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78d8d6bdfd-tps4s","generateName":"nginx-deployment-78d8d6bdfd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78d8d6bdfd-tps4s","uid":"550fa465-986c-11e9-81be-080027f777c0","resourceVersion":"15688","creationTimestamp":"2019-06-26T23:44:26Z","labels":{"app":"nginx","pod-template-hash":"78d8d6bdfd"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78d8d6bdfd","uid":"550d4911-986c-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"allowPrivilegeEscalation":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T23:44:26.246566Z","stageTimestamp":"2019-06-26T23:44:26.252565Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/privileged.json
+++ b/test/trace_files/psp/privileged.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T14:09:12Z"},"level":"RequestResponse","timestamp":"2018-10-25T14:09:12Z","auditID":"a362d22b-db3c-4590-9505-23782f12925f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["::1"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-5cdcc99dbf-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"1787755869"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5cdcc99dbf","uid":"8c800470-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"privileged":true}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-5cdcc99dbf-rgw6z","generateName":"nginx-deployment-5cdcc99dbf-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-5cdcc99dbf-rgw6z","uid":"8c845395-d85f-11e8-88b6-080027728ac4","resourceVersion":"237252","creationTimestamp":"2018-10-25T14:09:12Z","labels":{"app":"nginx","pod-template-hash":"1787755869"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-5cdcc99dbf","uid":"8c800470-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-g2sp7","secret":{"secretName":"default-token-g2sp7","defaultMode":420}}],"containers":[{"name":"nginx","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-g2sp7","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"privileged":true}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2018-10-25T14:09:12.572676Z","stageTimestamp":"2018-10-25T14:09:12.581541Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/privileged.scap
+++ b/test/trace_files/psp/privileged.scap
--- a/test/trace_files/psp/proc_mount_type_default.json
+++ b/test/trace_files/psp/proc_mount_type_default.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"bda8604a-87cf-4b49-8f2e-48d47c4e1840","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-9c6775499-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-9c6775499-glf7l","generateName":"nginx-deployment-9c6775499-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-9c6775499-glf7l","uid":"abd68488-9874-11e9-81be-080027f777c0","resourceVersion":"20036","creationTimestamp":"2019-06-27T00:44:07Z","labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:44:07.805965Z","stageTimestamp":"2019-06-27T00:44:07.813584Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/proc_mount_type_unmasked.json
+++ b/test/trace_files/psp/proc_mount_type_unmasked.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"bda8604a-87cf-4b49-8f2e-48d47c4e1840","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-9c6775499-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Unmasked"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-9c6775499-glf7l","generateName":"nginx-deployment-9c6775499-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-9c6775499-glf7l","uid":"abd68488-9874-11e9-81be-080027f777c0","resourceVersion":"20036","creationTimestamp":"2019-06-27T00:44:07Z","labels":{"app":"nginx","pod-template-hash":"9c6775499"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-9c6775499","uid":"abd49201-9874-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"procMount":"Unmasked"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:44:07.805965Z","stageTimestamp":"2019-06-27T00:44:07.813584Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/read_only_root_fs.json
+++ b/test/trace_files/psp/read_only_root_fs.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"cbcb4206-450e-492c-a44c-26ba811965ca","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-8f966b568-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"8f966b568"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-8f966b568","uid":"30325696-9477-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"readOnlyRootFilesystem":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-8f966b568-ph7gk","generateName":"nginx-deployment-8f966b568-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-8f966b568-ph7gk","uid":"30371f6c-9477-11e9-9dc6-080027cac2d9","resourceVersion":"18855","creationTimestamp":"2019-06-21T22:52:04Z","labels":{"app":"nginx","pod-template-hash":"8f966b568"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-8f966b568","uid":"30325696-9477-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"readOnlyRootFilesystem":true,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T22:52:04.226660Z","stageTimestamp":"2019-06-21T22:52:04.248318Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_1000_container.json
+++ b/test/trace_files/psp/run_as_group_1000_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_1000_sec_ctx.json
+++ b/test/trace_files/psp/run_as_group_1000_sec_ctx.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
+++ b/test/trace_files/psp/run_as_group_1000_sec_ctx_30_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_30_container.json
+++ b/test/trace_files/psp/run_as_group_30_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_30_sec_ctx.json
+++ b/test/trace_files/psp/run_as_group_30_sec_ctx.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
+++ b/test/trace_files/psp/run_as_group_30_sec_ctx_1000_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsGroup":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsGroup":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_0_container.json
+++ b/test/trace_files/psp/run_as_user_0_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"39b4acbc-9e5c-451d-a106-104d6be5c87f","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-86847998c8-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"86847998c8"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-86847998c8","uid":"eec53a01-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-86847998c8-8r7lr","generateName":"nginx-deployment-86847998c8-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-86847998c8-8r7lr","uid":"eec6db0e-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20888","creationTimestamp":"2019-06-21T23:18:52Z","labels":{"app":"nginx","pod-template-hash":"86847998c8"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-86847998c8","uid":"eec53a01-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:52.443785Z","stageTimestamp":"2019-06-21T23:18:52.447067Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_0_container.scap
+++ b/test/trace_files/psp/run_as_user_0_container.scap
--- a/test/trace_files/psp/run_as_user_0_sec_ctx.json
+++ b/test/trace_files/psp/run_as_user_0_sec_ctx.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
+++ b/test/trace_files/psp/run_as_user_0_sec_ctx_1000_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":0},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_1000_container.json
+++ b/test/trace_files/psp/run_as_user_1000_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_1000_sec_ctx.json
+++ b/test/trace_files/psp/run_as_user_1000_sec_ctx.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
+++ b/test/trace_files/psp/run_as_user_1000_sec_ctx_0_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":0,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
+++ b/test/trace_files/psp/run_as_user_1000_sec_ctx_30_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":1000},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_30_container.json
+++ b/test/trace_files/psp/run_as_user_30_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"1e7837de-ccd0-4931-9ec4-b75fbe8e0114","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"bf8cf9ba-944c-11e9-a1a5-080027cac2d9","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-595c684c7-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-595c684c7-wnvgc","generateName":"nginx-deployment-595c684c7-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-595c684c7-wnvgc","uid":"dd59225b-947a-11e9-9dc6-080027cac2d9","resourceVersion":"20817","creationTimestamp":"2019-06-21T23:18:23Z","labels":{"app":"nginx","pod-template-hash":"595c684c7"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-595c684c7","uid":"dd56af24-947a-11e9-9dc6-080027cac2d9","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-fxt67","secret":{"secretName":"default-token-fxt67","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-fxt67","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":30,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-21T23:18:23.200392Z","stageTimestamp":"2019-06-21T23:18:23.207132Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_30_sec_ctx.json
+++ b/test/trace_files/psp/run_as_user_30_sec_ctx.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"b3eef8c9-188d-48a6-9918-10f26099dfe5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-59fb64f6bc-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-59fb64f6bc-x5csr","generateName":"nginx-deployment-59fb64f6bc-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-59fb64f6bc-x5csr","uid":"655fd602-9845-11e9-81be-080027f777c0","resourceVersion":"442","creationTimestamp":"2019-06-26T19:05:43Z","labels":{"app":"nginx","pod-template-hash":"59fb64f6bc"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-59fb64f6bc","uid":"655d269d-9845-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:05:43.241398Z","stageTimestamp":"2019-06-26T19:05:43.248981Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
+++ b/test/trace_files/psp/run_as_user_30_sec_ctx_1000_container.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"d4aabba6-ae0f-449b-957d-4e74a31bcb64","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-559dddfd99-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-559dddfd99-4klq4","generateName":"nginx-deployment-559dddfd99-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-559dddfd99-4klq4","uid":"3425fd56-9846-11e9-81be-080027f777c0","resourceVersion":"890","creationTimestamp":"2019-06-26T19:11:30Z","labels":{"app":"nginx","pod-template-hash":"559dddfd99"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-559dddfd99","uid":"3423a8b0-9846-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"runAsUser":1000,"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"runAsUser":30},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T19:11:30.150249Z","stageTimestamp":"2019-06-26T19:11:30.160251Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/run_as_user_65534_container.scap
+++ b/test/trace_files/psp/run_as_user_65534_container.scap
--- a/test/trace_files/psp/supplemental_groups_10_20.json
+++ b/test/trace_files/psp/supplemental_groups_10_20.json
@@ -0,0 +1 @@
+{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"65d26113-ac3c-4ebf-adeb-f7fd0ea907e8","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-b5fb9558-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"b5fb9558"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-b5fb9558","uid":"163b431e-985e-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{"supplementalGroups":[10,20]},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-b5fb9558-pt6w2","generateName":"nginx-deployment-b5fb9558-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-b5fb9558-pt6w2","uid":"163e15d9-985e-11e9-81be-080027f777c0","resourceVersion":"8322","creationTimestamp":"2019-06-26T22:02:27Z","labels":{"app":"nginx","pod-template-hash":"b5fb9558"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-b5fb9558","uid":"163b431e-985e-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{"supplementalGroups":[10,20]},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-26T22:02:27.900555Z","stageTimestamp":"2019-06-26T22:02:27.908051Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
--- a/test/trace_files/psp/write_tmp_test.scap
+++ b/test/trace_files/psp/write_tmp_test.scap
				`@@ -0,0 +1 @@`
				{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"8d851f81-a1b4-4e70-beab-d970f0fb2c83","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"46808805-9845-11e9-ac71-080027f777c0","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-69f955c5cb-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-69f955c5cb-n84gn","generateName":"nginx-deployment-69f955c5cb-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-69f955c5cb-n84gn","uid":"79e5993f-986f-11e9-81be-080027f777c0","resourceVersion":"17335","creationTimestamp":"2019-06-27T00:06:56Z","labels":{"app":"nginx","pod-template-hash":"69f955c5cb"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-69f955c5cb","uid":"79e30897-986f-11e9-81be-080027f777c0","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-v9dwr","secret":{"secretName":"default-token-v9dwr","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-v9dwr","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always","securityContext":{"capabilities":{"add":["SYS_NICE"]},"procMount":"Default"}}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-27T00:06:56.532460Z","stageTimestamp":"2019-06-27T00:06:56.540876Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
				`@@ -0,0 +1,2 @@`
				{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"3df89bb7-9071-4f0c-afab-339ebec678c0","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"73a5fa38-9230-11e9-9af2-08002760e39e","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["127.0.0.1"],"userAgent":"kube-controller-manager/v1.13.2 (linux/amd64) kubernetes/cff46ab/system:serviceaccount:kube-system:replicaset-controller","objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-6c6f946f-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx1","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","enableServiceLinks":true},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-6c6f946f-9c727","generateName":"nginx-deployment-6c6f946f-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-6c6f946f-9c727","uid":"db5df1e0-9230-11e9-b061-08002760e39e","resourceVersion":"597","creationTimestamp":"2019-06-19T01:23:34Z","labels":{"app":"nginx","pod-template-hash":"6c6f946f"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-6c6f946f","uid":"db5afd7f-9230-11e9-b061-08002760e39e","controller":true,"blockOwnerDeletion":true}]},"spec":{"volumes":[{"name":"default-token-7t8xw","secret":{"secretName":"default-token-7t8xw","defaultMode":420}}],"containers":[{"name":"nginx1","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-7t8xw","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","hostPID":true,"securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2019-06-19T01:23:34.789147Z","stageTimestamp":"2019-06-19T01:23:34.798230Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}
				`@@ -0,0 +1 @@`
				{"annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""},"auditID":"e456c9cf-9abe-4fa1-8526-e014da96821b","kind":"Event","level":"RequestResponse","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z"},"objectRef":{"apiVersion":"v1","namespace":"default","resource":"pods"},"requestObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":null,"generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}]},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"terminationGracePeriodSeconds":30,"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"}]},"status":{}},"requestReceivedTimestamp":"2018-10-25T17:36:11.686139Z","requestURI":"/api/v1/namespaces/default/pods","responseObject":{"apiVersion":"v1","kind":"Pod","metadata":{"creationTimestamp":"2018-10-25T17:36:11Z","generateName":"nginx-deployment-7d5b5dd9cf-","labels":{"app":"nginx","pod-template-hash":"3816188579"},"name":"nginx-deployment-7d5b5dd9cf-t8ngb","namespace":"default","ownerReferences":[{"apiVersion":"apps/v1","blockOwnerDeletion":true,"controller":true,"kind":"ReplicaSet","name":"nginx-deployment-7d5b5dd9cf","uid":"76dd668b-d87c-11e8-88b6-080027728ac4"}],"resourceVersion":"245060","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-7d5b5dd9cf-t8ngb","uid":"76e27404-d87c-11e8-88b6-080027728ac4"},"spec":{"containers":[{"image":"nginx","imagePullPolicy":"Always","name":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/host/etc","name":"etc"},{"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount","name":"default-token-g2sp7","readOnly":true}]}],"dnsPolicy":"ClusterFirst","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"hostPath":{"path":"/etc","type":""},"name":"etc"},{"name":"default-token-g2sp7","secret":{"defaultMode":420,"secretName":"default-token-g2sp7"}}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"responseStatus":{"code":201,"metadata":{}},"sourceIPs":["::1"],"stage":"ResponseComplete","stageTimestamp":"2018-10-25T17:36:11.693676Z","timestamp":"2018-10-25T17:36:11Z","user":{"groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"],"uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","username":"system:serviceaccount:kube-system:replicaset-controller"},"verb":"create"}