Fix: Restricted profile comply with PSS (#117543)

* restricted profile comply with PSA v1.27 * add test case * Reflect review comments * Reflect review comments 2 * Reflect review comments 3
2025-09-27 05:04:52 +00:00 · 2023-05-24 20:16:49 +09:00
parent b2522655b3
commit 0813904404
7 changed files with 263 additions and 1 deletions
--- a/hack/testdata/pod-restricted-localhost.yaml
+++ b/hack/testdata/pod-restricted-localhost.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    run: target
+  name: target
+spec:
+  securityContext:
+    seccompProfile: 
+      type: Localhost
+      localhostProfile: dummy.json
+  containers:
+  - image: busybox
+    name: target
+    command: ["/bin/sh", "-c", "sleep 100"]
+    securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: 
+          - "ALL"
--- a/hack/testdata/pod-restricted-runtime-default.yaml
+++ b/hack/testdata/pod-restricted-runtime-default.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    run: target
+  name: target
+spec:
+  securityContext:
+    seccompProfile: 
+      type: RuntimeDefault
+  containers:
+  - image: busybox
+    name: target
+    command: ["/bin/sh", "-c", "sleep 100"]
+    securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: 
+          - "ALL"