diff --git a/staging/src/k8s.io/pod-security-admission/policy/check_hostPath.go b/staging/src/k8s.io/pod-security-admission/policy/check_hostPath.go new file mode 100644 index 00000000000..e6a78baea8d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/policy/check_hostPath.go @@ -0,0 +1,75 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package policy + +import ( + "fmt" + + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/pod-security-admission/api" +) + +/* +HostPath volumes must be forbidden. + +**Restricted Fields:** + +spec.volumes[*].hostPath + +**Allowed Values:** undefined/nil +*/ + +func init() { + addCheck(CheckHostPath) +} + +// CheckHostPath returns a baseline level check +// that requires hostPath=undefined/nil in 1.0+ +func CheckHostPath() Check { + return Check{ + ID: "hostPath", + Level: api.LevelBaseline, + Versions: []VersionedCheck{ + { + MinimumVersion: api.MajorMinorVersion(1, 0), + CheckPod: hostPath_1_0, + }, + }, + } +} + +func hostPath_1_0(podMetadata *metav1.ObjectMeta, podSpec *corev1.PodSpec) CheckResult { + hostVolumes := sets.NewString() + + for _, volume := range podSpec.Volumes { + if volume.HostPath != nil { + hostVolumes.Insert(volume.Name) + } + } + + if len(hostVolumes) > 0 { + return CheckResult{ + Allowed: false, + ForbiddenReason: "hostPath volumes", + ForbiddenDetail: fmt.Sprintf("volumes %q", hostVolumes.List()), + } + } + + return CheckResult{Allowed: true} +} diff --git a/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPath.go b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPath.go new file mode 100644 index 00000000000..90db528ac45 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/fixtures_hostPath.go @@ -0,0 +1,118 @@ +/* +Copyright 2021 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package test + +import ( + corev1 "k8s.io/api/core/v1" + "k8s.io/pod-security-admission/api" +) + +/* +TODO: include field paths in reflect-based unit test +*/ + +func init() { + + fixtureData_1_0 := fixtureGenerator{ + expectErrorSubstring: "hostPath volumes", + generatePass: func(p *corev1.Pod) []*corev1.Pod { + return []*corev1.Pod{p} // minimal valid pod + }, + generateFail: func(p *corev1.Pod) []*corev1.Pod { + return []*corev1.Pod{ + // mix of hostPath and non-hostPath volumes + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-hostpath", + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: "/dev/null", + }, + }, + }, + { + Name: "volume-emptydir", + VolumeSource: corev1.VolumeSource{ + EmptyDir: &corev1.EmptyDirVolumeSource{}, + }, + }, + { + Name: "volume-configmap", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "configmap", + }, + Items: []corev1.KeyToPath{ + { + Key: "log_level", + Path: "log_level", + }, + }, + }, + }, + }, + { + Name: "configmap", + VolumeSource: corev1.VolumeSource{ + PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ + ClaimName: "hello", + ReadOnly: true, + }, + }, + }, + } + }), + // just hostPath volumes + tweak(p, func(p *corev1.Pod) { + p.Spec.Volumes = []corev1.Volume{ + { + Name: "volume-hostpath-null", + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: "/dev/null", + }, + }, + }, + { + Name: "volume-hostpath-docker", + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: "/var/lib/docker", + }, + }, + }, + { + Name: "volume-hostpath-sys", + VolumeSource: corev1.VolumeSource{ + HostPath: &corev1.HostPathVolumeSource{ + Path: "/sys", + }, + }, + }, + } + }), + } + }, + } + + registerFixtureGenerator( + fixtureKey{level: api.LevelBaseline, version: api.MajorMinorVersion(1, 0), check: "hostPath"}, + fixtureData_1_0, + ) +} diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.0/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.1/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.10/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.11/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.12/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.13/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.14/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.15/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.16/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.17/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.18/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.19/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.2/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.20/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.21/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.22/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.3/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.4/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.5/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.6/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.7/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.8/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef46248333d --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath0.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath1.yaml new file mode 100755 index 00000000000..f5296a0af8b --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/fail/hostpath1.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/hostpath0.yaml new file mode 100755 index 00000000000..9ee65f7dbcc --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/baseline/v1.9/pass/hostpath0.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath0.yaml new file mode 100755 index 00000000000..73a32fef2a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath1.yaml new file mode 100755 index 00000000000..e89b04a7020 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/fail/hostpath1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/hostpath0.yaml new file mode 100755 index 00000000000..f70ec13f1ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.0/pass/hostpath0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath0.yaml new file mode 100755 index 00000000000..73a32fef2a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath1.yaml new file mode 100755 index 00000000000..e89b04a7020 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/fail/hostpath1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/hostpath0.yaml new file mode 100755 index 00000000000..f70ec13f1ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.1/pass/hostpath0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.10/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.11/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.12/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.13/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.14/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.15/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.16/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.17/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.18/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.19/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath0.yaml new file mode 100755 index 00000000000..73a32fef2a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath1.yaml new file mode 100755 index 00000000000..e89b04a7020 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/fail/hostpath1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/hostpath0.yaml new file mode 100755 index 00000000000..f70ec13f1ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.2/pass/hostpath0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.20/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.21/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.22/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath0.yaml new file mode 100755 index 00000000000..73a32fef2a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath1.yaml new file mode 100755 index 00000000000..e89b04a7020 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/fail/hostpath1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/hostpath0.yaml new file mode 100755 index 00000000000..f70ec13f1ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.3/pass/hostpath0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath0.yaml new file mode 100755 index 00000000000..73a32fef2a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath1.yaml new file mode 100755 index 00000000000..e89b04a7020 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/fail/hostpath1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/hostpath0.yaml new file mode 100755 index 00000000000..f70ec13f1ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.4/pass/hostpath0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath0.yaml new file mode 100755 index 00000000000..73a32fef2a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath1.yaml new file mode 100755 index 00000000000..e89b04a7020 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/fail/hostpath1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/hostpath0.yaml new file mode 100755 index 00000000000..f70ec13f1ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.5/pass/hostpath0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath0.yaml new file mode 100755 index 00000000000..73a32fef2a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath1.yaml new file mode 100755 index 00000000000..e89b04a7020 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/fail/hostpath1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/hostpath0.yaml new file mode 100755 index 00000000000..f70ec13f1ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.6/pass/hostpath0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath0.yaml new file mode 100755 index 00000000000..73a32fef2a4 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath0.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath1.yaml new file mode 100755 index 00000000000..e89b04a7020 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/fail/hostpath1.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/hostpath0.yaml new file mode 100755 index 00000000000..f70ec13f1ff --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.7/pass/hostpath0.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.8/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath0.yaml new file mode 100755 index 00000000000..ef7e51009bf --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath0.yaml @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath + - emptyDir: {} + name: volume-emptydir + - configMap: + items: + - key: log_level + path: log_level + name: configmap + name: volume-configmap + - name: configmap + persistentVolumeClaim: + claimName: hello + readOnly: true diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath1.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath1.yaml new file mode 100755 index 00000000000..ebdc4d0e129 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/fail/hostpath1.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath1 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true + volumes: + - hostPath: + path: /dev/null + name: volume-hostpath-null + - hostPath: + path: /var/lib/docker + name: volume-hostpath-docker + - hostPath: + path: /sys + name: volume-hostpath-sys diff --git a/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/hostpath0.yaml b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/hostpath0.yaml new file mode 100755 index 00000000000..d30fd0240a0 --- /dev/null +++ b/staging/src/k8s.io/pod-security-admission/test/testdata/restricted/v1.9/pass/hostpath0.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Pod +metadata: + name: hostpath0 +spec: + containers: + - image: k8s.gcr.io/pause + name: container1 + securityContext: + allowPrivilegeEscalation: false + initContainers: + - image: k8s.gcr.io/pause + name: initcontainer1 + securityContext: + allowPrivilegeEscalation: false + securityContext: + runAsNonRoot: true