falco/test/trace_files/psp/create_vanilla_nginx_deployment.json
Mark Stemm 89121527da Add automated tests for K8s PSP Support
Add ~74 new automated tests that verify K8s PSP Support.

For each PSP attribute, add both positive and negative test cases. For
some of the more complicated attributes like runAsUser/Group/etc,
include cases where the uids are specified both at the container
security context level and pod security context level and then combined
with mayRunAs/mustRunAs, etc.

Also, some existing tests are updated to handle proper use of "in" and
"intersects" in expressions.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2019-10-15 19:45:31 +02:00


{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T14:09:49Z"},"level":"RequestResponse","timestamp":"2018-10-25T14:09:49Z","auditID":"7c8b2603-6a87-4764-b166-49dd7fa46f4c","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/default/pods","verb":"create","user":{"username":"system:serviceaccount:kube-system:replicaset-controller","uid":"8d5e1349-d30f-11e8-96d9-080027728ac4","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["::1"],"objectRef":{"resource":"pods","namespace":"default","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Pod","apiVersion":"v1","metadata":{"generateName":"nginx-deployment-78f5d695bd-","creationTimestamp":null,"labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","securityContext":{},"schedulerName":"default-scheduler"},"status":{}},"responseObject":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-deployment-78f5d695bd-nxqz5","generateName":"nginx-deployment-78f5d695bd-","namespace":"default","selfLink":"/api/v1/namespaces/default/pods/nginx-deployment-78f5d695bd-nxqz5","uid":"a2ad81ba-d85f-11e8-88b6-080027728ac4","resourceVersion":"237324","creationTimestamp":"2018-10-25T14:09:49Z","labels":{"app":"nginx","pod-template-hash":"3491825168"},"ownerReferences":[{"apiVersion":"apps/v1","kind":"ReplicaSet","name":"nginx-deployment-78f5d695bd","uid":"a2a78691-d85f-11e8-88b6-080027728ac4","controller":true,"blockOwnerDeletion":true}]},"s
pec":{"volumes":[{"name":"default-token-g2sp7","secret":{"secretName":"default-token-g2sp7","defaultMode":420}}],"containers":[{"name":"nginx","image":"nginx","resources":{},"volumeMounts":[{"name":"default-token-g2sp7","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"Always"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}]},"status":{"phase":"Pending","qosClass":"BestEffort"}},"requestReceivedTimestamp":"2018-10-25T14:09:49.750328Z","stageTimestamp":"2018-10-25T14:09:49.761315Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:controller:replicaset-controller\" of ClusterRole \"system:controller:replicaset-controller\" to ServiceAccount \"replicaset-controller/kube-system\""}}